authorDamjan Marion <damarion@cisco.com>2025-01-16 11:20:12 +0000
committerDamjan Marion <damarion@cisco.com>2025-01-16 11:22:13 +0000
commit2f0061ba3f8206734637a80b52a7b20ceac8809b (patch)
tree69d69626fbcbe4385b8e01ad5f4ec673758278a2
parent8e3d549a8fe3e10638d3756e1d44dfba8ff4807b (diff)
ipsec: don't add crypto key if cipher is NONE
Type: fix Change-Id: I0c418fe71b579febc4ca02e8ad0aeba24df1945d Signed-off-by: Damjan Marion <damarion@cisco.com>
-rw-r--r--src/vnet/ipsec/ipsec_sa.c16
1 files changed, 10 insertions, 6 deletions
diff --git a/src/vnet/ipsec/ipsec_sa.c b/src/vnet/ipsec/ipsec_sa.c
index 1d5195ec793..dfa2bf6b23f 100644
--- a/src/vnet/ipsec/ipsec_sa.c
+++ b/src/vnet/ipsec/ipsec_sa.c
@@ -383,12 +383,15 @@ ipsec_sa_add_and_lock (u32 id, u32 spi, ipsec_protocol_t proto,
clib_memcpy (&sa->crypto_key, ck, sizeof (sa->crypto_key));
- sa->crypto_sync_key_index = vnet_crypto_key_add (
- vm, im->crypto_algs[crypto_alg].alg, (u8 *) ck->data, ck->len);
- if (~0 == sa->crypto_sync_key_index)
+ if (crypto_alg != IPSEC_CRYPTO_ALG_NONE)
{
- pool_put (ipsec_sa_pool, sa);
- return VNET_API_ERROR_KEY_LENGTH;
+ sa->crypto_sync_key_index = vnet_crypto_key_add (
+ vm, im->crypto_algs[crypto_alg].alg, (u8 *) ck->data, ck->len);
+ if (~0 == sa->crypto_sync_key_index)
+ {
+ pool_put (ipsec_sa_pool, sa);
+ return VNET_API_ERROR_KEY_LENGTH;
+ }
}
if (integ_alg != IPSEC_INTEG_ALG_NONE)
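Review bot: On the `IPSEC_CRYPTO_ALG_NONE` path nothing visible in this hunk assigns `sa->crypto_sync_key_index`, so the field keeps whatever the pool element held unless it is initialised earlier in `ipsec_sa_add_and_lock`, which begins outside the hunk. The matching guard in the `ipsec_sa_del` hunk is then only safe while `sa->crypto_alg` agrees with the `crypto_alg` tested here; if the two ever diverge, a stale index handed to `vnet_crypto_key_del` could release a key that belongs to a different SA. I would add `else sa->crypto_sync_key_index = ~0;` after the new block, so the field carries the same sentinel the failure check already uses. A short comment such as `/* crypto_sync_key_index is valid only when crypto_alg != NONE */` would also help.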
@@ -536,7 +539,8 @@ ipsec_sa_del (ipsec_sa_t * sa)
if (ipsec_sa_is_set_IS_TUNNEL (sa) && !ipsec_sa_is_set_IS_INBOUND (sa))
dpo_reset (&sa->dpo);
- vnet_crypto_key_del (vm, sa->crypto_sync_key_index);
+ if (sa->crypto_alg != IPSEC_CRYPTO_ALG_NONE)
+ vnet_crypto_key_del (vm, sa->crypto_sync_key_index);
if (sa->integ_alg != IPSEC_INTEG_ALG_NONE)
vnet_crypto_key_del (vm, sa->integ_sync_key_index);
if (ipsec_sa_is_set_ANTI_REPLAY_HUGE (sa))