crypto: enforce per-alg crypto key length

Crypto algorithms have different requirements on key length. As we do not support key stretching (eg. PBKDF2), user must provide the exact key length used by the algorithm. Failing that means low-level crypto functions might read garbage (eg. aes128_key_expand() will read 16-bytes, regardless of the key provided by the user). Change-Id: I347a1ea7a59720a1ed07ceaad8b00a31f78458c9 Signed-off-by: Benoît Ganne <bganne@cisco.com>
author: Benoît Ganne <bganne@cisco.com> 2019-04-29 16:05:46 +0200
committer: Damjan Marion <dmarion@me.com> 2019-04-30 15:33:53 +0000
commit: be95444fbb31b875c2ab98cd330fdcb36027ced8 (patch)
tree: cdd489306a290cff918b954be950eca0fb4b61bd /src/vnet/ipsec/ipsec_sa.c
parent: d577e1f578182d7f663e0f8519dadc81f21cb7a6 (diff)
1 files changed, 5 insertions, 0 deletions
diff --git a/src/vnet/ipsec/ipsec_sa.c b/src/vnet/ipsec/ipsec_sa.c
index 324e7a4db2f..46c3b6d3821 100644
--- a/src/vnet/ipsec/ipsec_sa.c
+++ b/src/vnet/ipsec/ipsec_sa.c
@@ -170,9 +170,14 @@ ipsec_sa_add (u32 id,
   sa->crypto_key_index = vnet_crypto_key_add (vm,
 					      im->crypto_algs[crypto_alg].alg,
 					      (u8 *) ck->data, ck->len);
+  if (~0 == sa->crypto_key_index)
+    return VNET_API_ERROR_INVALID_VALUE;
+
   sa->integ_key_index = vnet_crypto_key_add (vm,
 					     im->integ_algs[integ_alg].alg,
 					     (u8 *) ik->data, ik->len);
+  if (~0 == sa->integ_key_index)
+    return VNET_API_ERROR_INVALID_VALUE;
 
   err = ipsec_check_support_cb (im, sa);
   if (err)
author	Benoît Ganne <bganne@cisco.com>	2019-04-29 16:05:46 +0200
committer	Damjan Marion <dmarion@me.com>	2019-04-30 15:33:53 +0000
commit	be95444fbb31b875c2ab98cd330fdcb36027ced8 (patch)
tree	cdd489306a290cff918b954be950eca0fb4b61bd /src/vnet/ipsec/ipsec_sa.c
parent	d577e1f578182d7f663e0f8519dadc81f21cb7a6 (diff)