lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date:   Tue, 10 Jan 2023 17:50:17 +0100
From:   Jiri Pirko <jiri@...nulli.us>
To:     ehakim@...dia.com
Cc:     sd@...asysnail.net, dsahern@...nel.org, netdev@...r.kernel.org
Subject: Re: [PATCH main v2 1/1] macsec: Fix Macsec replay protection


But iproute2 into the subject []'s so it is clear where this patch is targeted.

Tue, Jan 10, 2023 at 03:49:01PM CET, ehakim@...dia.com wrote:
>From: Emeel Hakim <ehakim@...dia.com>
>
>Currently when configuring macsec with replay protection,
>replay protection and window gets a default value of -1,
>the above is leading to passing replay protection and
>replay window attributes to the kernel while replay is
>explicitly set to off, leading for an invalid argument
>error when configured with extended packet number (XPN).
>since the default window value which is 0xFFFFFFFF is
>passed to the kernel and while XPN is configured the above
>value is an invalid window value.
>
>Example:
>ip link add link eth2 macsec0 type macsec sci 1 cipher
>gcm-aes-xpn-128 replay off
>
>RTNETLINK answers: Invalid argument
>
>Fix by passing the window attribute to the kernel only if replay is on
>
>Fixes: b26fc590ce62 ("ip: add MACsec support")
>Signed-off-by: Emeel Hakim <ehakim@...dia.com>
>---
>V1 -> V2: - Dont use boolean variable for replay protect since it will
>            silently break disabling replay protection on an existing device.
>          - Update commit message.
> ip/ipmacsec.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
>diff --git a/ip/ipmacsec.c b/ip/ipmacsec.c
>index 6dd73827..d96d69f1 100644
>--- a/ip/ipmacsec.c
>+++ b/ip/ipmacsec.c
>@@ -1517,7 +1517,8 @@ static int macsec_parse_opt(struct link_util *lu, int argc, char **argv,
> 			  &cipher.icv_len, sizeof(cipher.icv_len));
> 
> 	if (replay_protect != -1) {
>-		addattr32(n, MACSEC_BUFLEN, IFLA_MACSEC_WINDOW, window);
>+		if (replay_protect)
>+			addattr32(n, MACSEC_BUFLEN, IFLA_MACSEC_WINDOW, window);
> 		addattr8(n, MACSEC_BUFLEN, IFLA_MACSEC_REPLAY_PROTECT,
> 			 replay_protect);
> 	}
>-- 
>2.21.3
>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ