CyberLeo.Net >> Repos - FreeBSD/FreeBSD.git/commit

author	John Baldwin <jhb@FreeBSD.org>
	Sat, 2 May 2020 01:00:29 +0000 (01:00 +0000)
committer	John Baldwin <jhb@FreeBSD.org>
	Sat, 2 May 2020 01:00:29 +0000 (01:00 +0000)
commit	897e43124e23eeff0a93c9f48f1b1dfa36ebbc1d
tree	5f98a228238fdd09ffbf7dca0616df935a9764fb	tree \| snapshot
parent	a9d9cfff0151d27ef220bae6fe1eba9f88a92792	commit \| diff

Don't pass bogus keys down for NULL algorithms.

The changes in r359374 added various sanity checks in sessions and
requests created by crypto consumers in part to permit backend drivers
to make assumptions instead of duplicating checks for various edge
cases. One of the new checks was to reject sessions which provide a
pointer to a key while claiming the key is zero bits long.

IPsec ESP tripped over this as it passes along whatever key is
provided for NULL, including a pointer to a zero-length key when an
empty string ("") is used with setkey(8). One option would be to
teach the IPsec key layer to not allocate keys of zero length, but I
went with a simpler fix of just not passing any keys down and always
using a key length of zero for NULL algorithms.

PR: 245832
Reported by: CI

sys/netipsec/xform_ah.c		diff \| blob \| history
sys/netipsec/xform_esp.c		diff \| blob \| history