Gitiles
Code Review Sign In
gerrit.nordix.org / fdio / vpp / e6be702362299566990678f505512b1b74b49112^! / . / src / vnet
commite6be702362299566990678f505512b1b74b49112[log] [tgz]
authorNeale Ranns <nranns@cisco.com>Tue Jun 04 15:37:34 2019 +0000
committerDamjan Marion <dmarion@me.com>Wed Jun 05 11:29:46 2019 +0000
treeb00f992b21664c7bd4861e27a99d76fa9cbb735e
parent4b58a86da48a5bb861e0e329a60c3876a990f63e [diff]
IPSEC: some CLI fixes

Change-Id: I45618347e37440263270baf07b2f82f653f754a5
Signed-off-by: Neale Ranns <nranns@cisco.com>

diff --git a/src/vnet/api_errno.h b/src/vnet/api_errno.h
index e59f3cb..be42086 100644
--- a/src/vnet/api_errno.h
+++ b/src/vnet/api_errno.h

@@ -147,7 +147,8 @@
 _(BD_ALREADY_HAS_BVI, -152, "Bridge domain already has a BVI interface") \
 _(INVALID_PROTOCOL, -153, "Invalid Protocol")                           \
 _(INVALID_ALGORITHM, -154, "Invalid Algorithm")                         \
-_(RSRC_IN_USE, -155, "Resource In Use")
+_(RSRC_IN_USE, -155, "Resource In Use")                                 \
+_(KEY_LENGTH, -156, "invalid Key Length")
 
 typedef enum
 {

diff --git a/src/vnet/crypto/crypto.c b/src/vnet/crypto/crypto.c
index eecbd5f..b447ffb 100644
--- a/src/vnet/crypto/crypto.c
+++ b/src/vnet/crypto/crypto.c

@@ -180,7 +180,8 @@
 #define _(n, s, l) \
       case VNET_CRYPTO_ALG_##n: \
         if ((l) == length) \
-          return 1;
+          return 1;        \
+        break;
       foreach_crypto_cipher_alg foreach_crypto_aead_alg
 #undef _
 	/* HMAC allows any key length */
@@ -203,7 +204,6 @@
   vnet_crypto_engine_t *engine;
   vnet_crypto_key_t *key;
 
-  ASSERT (vnet_crypto_key_len_check (alg, length));
   if (!vnet_crypto_key_len_check (alg, length))
     return ~0;
 

diff --git a/src/vnet/crypto/crypto.h b/src/vnet/crypto/crypto.h
index 5af0822..7267e06 100644
--- a/src/vnet/crypto/crypto.h
+++ b/src/vnet/crypto/crypto.h

@@ -23,7 +23,7 @@
 /* CRYPTO_ID, PRETTY_NAME, KEY_LENGTH_IN_BYTES */
 #define foreach_crypto_cipher_alg \
   _(DES_CBC,     "des-cbc", 7) \
-  _(3DES_CBC,    "3des-cbc", 14) \
+  _(3DES_CBC,    "3des-cbc", 24) \
   _(AES_128_CBC, "aes-128-cbc", 16) \
   _(AES_192_CBC, "aes-192-cbc", 24) \
   _(AES_256_CBC, "aes-256-cbc", 32) \

diff --git a/src/vnet/ipsec/ipsec_cli.c b/src/vnet/ipsec/ipsec_cli.c
index 694e401..36ea614 100644
--- a/src/vnet/ipsec/ipsec_cli.c
+++ b/src/vnet/ipsec/ipsec_cli.c

@@ -91,6 +91,8 @@
   is_add = 0;
   flags = IPSEC_SA_FLAG_NONE;
   proto = IPSEC_PROTOCOL_ESP;
+  integ_alg = IPSEC_INTEG_ALG_NONE;
+  crypto_alg = IPSEC_CRYPTO_ALG_NONE;
 
   if (!unformat_user (input, unformat_line_input, line_input))
     return 0;
@@ -149,7 +151,7 @@
     rv = ipsec_sa_del (id);
 
   if (rv)
-    clib_error_return (0, "failed");
+    error = clib_error_return (0, "failed");
 
 done:
   unformat_free (line_input);
@@ -233,9 +235,6 @@
 
   clib_memset (&p, 0, sizeof (p));
   p.lport.stop = p.rport.stop = ~0;
-  p.laddr.stop.ip4.as_u32 = p.raddr.stop.ip4.as_u32 = (u32) ~ 0;
-  p.laddr.stop.ip6.as_u64[0] = p.laddr.stop.ip6.as_u64[1] = (u64) ~ 0;
-  p.raddr.stop.ip6.as_u64[0] = p.raddr.stop.ip6.as_u64[1] = (u64) ~ 0;
   is_outbound = 0;
 
   if (!unformat_user (input, unformat_line_input, line_input))

diff --git a/src/vnet/ipsec/ipsec_sa.c b/src/vnet/ipsec/ipsec_sa.c
index 4248c2e..8e85469 100644
--- a/src/vnet/ipsec/ipsec_sa.c
+++ b/src/vnet/ipsec/ipsec_sa.c

@@ -171,13 +171,19 @@
 					      im->crypto_algs[crypto_alg].alg,
 					      (u8 *) ck->data, ck->len);
   if (~0 == sa->crypto_key_index)
-    return VNET_API_ERROR_INVALID_VALUE;
+    {
+      pool_put (im->sad, sa);
+      return VNET_API_ERROR_KEY_LENGTH;
+    }
 
   sa->integ_key_index = vnet_crypto_key_add (vm,
 					     im->integ_algs[integ_alg].alg,
 					     (u8 *) ik->data, ik->len);
   if (~0 == sa->integ_key_index)
-    return VNET_API_ERROR_INVALID_VALUE;
+    {
+      pool_put (im->sad, sa);
+      return VNET_API_ERROR_KEY_LENGTH;
+    }
 
   err = ipsec_check_support_cb (im, sa);
   if (err)