[PATCH 2.6.26-rc3] xfrm: Installing NULL encryption IPSec SAs fails

To: <herbert@...>
Cc: <linux-kernel@...>
Date: Wednesday, May 21, 2008 - 12:55 pm

Installing NULL encryption IPSec SAs works using the .compat name
"cipher_null", but fails with the .name "ecb(cipher_null)" due to the
missing check in key length verification.

Signed-off-by: Martin Willi <martin@strongswan.org>

--- a/net/xfrm/xfrm_user.c 2008-05-21 11:34:56.000000000 -0500
+++ b/net/xfrm/xfrm_user.c 2008-05-21 11:20:08.000000000 -0500
@@ -57,6 +57,7 @@

case XFRMA_ALG_CRYPT:
if (!algp->alg_key_len &&
+ strcmp(algp->alg_name, "ecb(cipher_null)") != 0 &&
strcmp(algp->alg_name, "cipher_null") != 0)
return -EINVAL;
break;
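
Review bot: The added strcmp against "ecb(cipher_null)" in the XFRMA_ALG_CRYPT case grows a hard-coded list of names exempt from the zero alg_key_len rejection, so any other spelling of the null cipher will still get -EINVAL here. Consider keeping the permitted names in one table, or dropping the name comparison from this function and leaving key-length validation to the code that knows the algorithm's own limits. If the list stays, a comment saying why both the plain name and the template name are accepted would help the next reader.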

--

To: <martin@...>
Cc: <herbert@...>, <linux-kernel@...>
Date: Wednesday, May 21, 2008 - 4:37 pm

From: Martin Willi <martin@strongswan.org>

Herbert, does this look OK to you?

Thanks.

To: David Miller <davem@...>
Cc: <martin@...>, <linux-kernel@...>
Date: Wednesday, May 21, 2008 - 7:59 pm

I think we should get rid of the zero check altogether as a
zero-length key will fail on setkey of a real algorithm anyway
because of the min_keysize/max_keysize checks in the crypto API.

Cheers,
--
Visit Openswan at http://www.openswan.org/
Email: Herbert Xu ~{PmV>HI~} <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
--
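
Added example, not part of the thread and not kernel code: a user-space C model of the point made in the message above, comparing the name-based zero-key check with a min_keysize/max_keysize range check. The table values and the names model_alg, old_verify_crypt and model_setkey are assumptions made for illustration.

```c
#include <errno.h>
#include <stddef.h>
#include <string.h>

/* Constructed model of an algorithm's key-size limits in bytes. */
struct model_alg {
    const char *name;
    unsigned int min_keysize;
    unsigned int max_keysize;
};

/* Assumed sample table: the null cipher takes only a 0-byte key, AES 16..32. */
static const struct model_alg model_algs[] = {
    { "cipher_null",      0,  0 },
    { "ecb(cipher_null)", 0,  0 },
    { "cbc(aes)",        16, 32 },
};

/* Name-based zero-key check as it stood before either patch in the thread. */
static int old_verify_crypt(const char *alg_name, unsigned int key_len)
{
    if (!key_len && strcmp(alg_name, "cipher_null") != 0)
        return -EINVAL;
    return 0;
}

/* Range check in the style of min_keysize/max_keysize, applied at setkey. */
static int model_setkey(const char *alg_name, unsigned int key_len)
{
    size_t i;
    for (i = 0; i < sizeof(model_algs) / sizeof(model_algs[0]); i++) {
        const struct model_alg *a = &model_algs[i];
        if (strcmp(a->name, alg_name) != 0)
            continue;
        if (key_len < a->min_keysize || key_len > a->max_keysize)
            return -EINVAL;
        return 0;
    }
    return -ENOENT; /* unknown algorithm name in this model */
}

int main(void)
{
    /* Exit status 0 means the model behaves as the thread describes. */
    return !(old_verify_crypt("ecb(cipher_null)", 0) == -EINVAL &&
             model_setkey("ecb(cipher_null)", 0) == 0 &&
             model_setkey("cbc(aes)", 0) == -EINVAL);
}
```

In this model the range check accepts a zero-length key under either null-cipher name without a name list, and still rejects one for a cipher whose minimum key size is non-zero.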

To: <herbert@...>
Cc: <martin@...>, <linux-kernel@...>
Date: Wednesday, May 21, 2008 - 8:23 pm

From: Herbert Xu <herbert@gondor.apana.org.au>

Ok, how does this look?

xfrm_user: Remove zero length key checks.

The crypto layer will determine whether that is valid
or not.

Suggested by Herbert Xu, based upon a report and patch
by Martin Willi.

Signed-off-by: David S. Miller <davem@davemloft.net>

diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
index a1b0fbe..b976d9e 100644
--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -50,19 +50,8 @@ static int verify_one_alg(struct nlattr **attrs, enum xfrm_attr_type_t type)

switch (type) {
case XFRMA_ALG_AUTH:
- if (!algp->alg_key_len &&
- strcmp(algp->alg_name, "digest_null") != 0)
- return -EINVAL;
- break;
-
case XFRMA_ALG_CRYPT:
- if (!algp->alg_key_len &&
- strcmp(algp->alg_name, "cipher_null") != 0)
- return -EINVAL;
- break;
-
case XFRMA_ALG_COMP:
- /* Zero length keys are legal. */
break;

default:
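
Review bot: With the bodies removed, XFRMA_ALG_AUTH, XFRMA_ALG_CRYPT and XFRMA_ALG_COMP share one bare break in verify_one_alg, and the deleted "Zero length keys are legal." comment was the only statement of key-length policy in this switch. Add a short comment above the shared break saying that alg_key_len is deliberately not checked here and is left to the crypto layer, so a later change does not reintroduce a name-based check. Since the "digest_null" exception is dropped together with the "cipher_null" one, the changelog should also state that a zero-length key for a non-null auth algorithm is still rejected downstream.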
--

To: David Miller <davem@...>
Cc: <martin@...>, <linux-kernel@...>
Date: Wednesday, May 21, 2008 - 8:30 pm

Looks good to me!

Acked-by: Herbert Xu <herbert@gondor.apana.org.au>

Thanks,
--
Visit Openswan at http://www.openswan.org/
Email: Herbert Xu ~{PmV>HI~} <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
--

To: <herbert@...>
Cc: <martin@...>, <linux-kernel@...>
Date: Wednesday, May 21, 2008 - 8:36 pm

From: Herbert Xu <herbert@gondor.apana.org.au>

Thanks for reviewing.
--
