aboutsummaryrefslogtreecommitdiff
path: root/sys/netipsec
diff options
context:
space:
mode:
authorJohn Baldwin <jhb@FreeBSD.org>2020-05-02 01:00:29 +0000
committerJohn Baldwin <jhb@FreeBSD.org>2020-05-02 01:00:29 +0000
commit897e43124e23eeff0a93c9f48f1b1dfa36ebbc1d (patch)
tree5f98a228238fdd09ffbf7dca0616df935a9764fb /sys/netipsec
parenta9d9cfff0151d27ef220bae6fe1eba9f88a92792 (diff)
downloadsrc-897e43124e23eeff0a93c9f48f1b1dfa36ebbc1d.tar.gz
src-897e43124e23eeff0a93c9f48f1b1dfa36ebbc1d.zip
Don't pass bogus keys down for NULL algorithms.
The changes in r359374 added various sanity checks in sessions and requests created by crypto consumers in part to permit backend drivers to make assumptions instead of duplicating checks for various edge cases. One of the new checks was to reject sessions which provide a pointer to a key while claiming the key is zero bits long. IPsec ESP tripped over this as it passes along whatever key is provided for NULL, including a pointer to a zero-length key when an empty string ("") is used with setkey(8). One option would be to teach the IPsec key layer to not allocate keys of zero length, but I went with a simpler fix of just not passing any keys down and always using a key length of zero for NULL algorithms. PR: 245832 Reported by: CI
Notes
Notes: svn path=/head/; revision=360560
Diffstat (limited to 'sys/netipsec')
-rw-r--r--sys/netipsec/xform_ah.c6
-rw-r--r--sys/netipsec/xform_esp.c8
2 files changed, 9 insertions, 5 deletions
diff --git a/sys/netipsec/xform_ah.c b/sys/netipsec/xform_ah.c
index 9c6026481ddf..456ba7e85865 100644
--- a/sys/netipsec/xform_ah.c
+++ b/sys/netipsec/xform_ah.c
@@ -215,8 +215,10 @@ ah_init0(struct secasvar *sav, struct xformsw *xsp,
/* Initialize crypto session. */
csp->csp_auth_alg = sav->tdb_authalgxform->type;
- csp->csp_auth_klen = _KEYBITS(sav->key_auth) / 8;
- csp->csp_auth_key = sav->key_auth->key_data;
+ if (csp->csp_auth_alg != CRYPTO_NULL_HMAC) {
+ csp->csp_auth_klen = _KEYBITS(sav->key_auth) / 8;
+ csp->csp_auth_key = sav->key_auth->key_data;
+ };
csp->csp_auth_mlen = AUTHSIZE(sav);
return 0;
diff --git a/sys/netipsec/xform_esp.c b/sys/netipsec/xform_esp.c
index 22ffc92f5cb9..ba1cb7044390 100644
--- a/sys/netipsec/xform_esp.c
+++ b/sys/netipsec/xform_esp.c
@@ -220,9 +220,11 @@ esp_init(struct secasvar *sav, struct xformsw *xsp)
/* Initialize crypto session. */
csp.csp_cipher_alg = sav->tdb_encalgxform->type;
- csp.csp_cipher_key = sav->key_enc->key_data;
- csp.csp_cipher_klen = _KEYBITS(sav->key_enc) / 8 -
- SAV_ISCTRORGCM(sav) * 4;
+ if (csp.csp_cipher_alg != CRYPTO_NULL_CBC) {
+ csp.csp_cipher_key = sav->key_enc->key_data;
+ csp.csp_cipher_klen = _KEYBITS(sav->key_enc) / 8 -
+ SAV_ISCTRORGCM(sav) * 4;
+ };
csp.csp_ivlen = txform->ivsize;
error = crypto_newsession(&sav->tdb_cryptoid, &csp, V_crypto_support);