authorKlement Sekera <ksekera@cisco.com>2019-01-30 11:11:23 +0100
committerAndrew Yourtchenko <ayourtch@gmail.com>2019-01-30 20:36:33 +0000
commit827d4e568b7fc91f5c14dbce9a1a568c57a01c9c (patch)
tree1c88a284de9514762bc04dad6ab006e86dd814e2 /src/vnet/ipsec
parentb659e2821993b4b4aad21074be9eb16657139e9c (diff)
ipsec: fix check support functions
Change-Id: If94c57fbb07a7376a9f2873e1489c00b28152620 Signed-off-by: Klement Sekera <ksekera@cisco.com> (cherry picked from commit 4fd5a9d3e6abdf61f266da8400a299fe5b0eb0ed)
Diffstat (limited to 'src/vnet/ipsec')
-rw-r--r--src/vnet/ipsec/ipsec.c20
-rw-r--r--src/vnet/ipsec/ipsec_if.c2
2 files changed, 17 insertions, 5 deletions
diff --git a/src/vnet/ipsec/ipsec.c b/src/vnet/ipsec/ipsec.c
index fdd18c2f8fa..7b79af2d902 100644
--- a/src/vnet/ipsec/ipsec.c
+++ b/src/vnet/ipsec/ipsec.c
@@ -533,12 +533,22 @@ ipsec_rand_seed (void)
}
static clib_error_t *
-ipsec_check_support (ipsec_sa_t * sa)
+ipsec_check_ah_support (ipsec_sa_t * sa)
{
- if (sa->crypto_alg == IPSEC_CRYPTO_ALG_AES_GCM_128)
- return clib_error_return (0, "unsupported aes-gcm-128 crypto-alg");
if (sa->integ_alg == IPSEC_INTEG_ALG_NONE)
return clib_error_return (0, "unsupported none integ-alg");
+ return 0;
+}
+
+static clib_error_t *
+ipsec_check_esp_support (ipsec_sa_t * sa)
+{
+ if (sa->crypto_alg == IPSEC_CRYPTO_ALG_AES_GCM_128)
+ return clib_error_return (0, "unsupported aes-gcm-128 crypto-alg");
+ if (sa->crypto_alg == IPSEC_CRYPTO_ALG_AES_GCM_192)
+ return clib_error_return (0, "unsupported aes-gcm-192 crypto-alg");
+ if (sa->crypto_alg == IPSEC_CRYPTO_ALG_AES_GCM_256)
+ return clib_error_return (0, "unsupported aes-gcm-256 crypto-alg");
return 0;
}
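Review bot: The new `ipsec_check_esp_support` no longer rejects `IPSEC_INTEG_ALG_NONE`, which the old shared `ipsec_check_support` refused for ESP SAs as well as AH. Since all three AES-GCM variants are refused here, an ESP SA that passes with integ-alg none would be encrypted but not integrity-protected, assuming the remaining crypto algorithms are non-AEAD (not visible in this hunk). If that is not intended, keep the check in the ESP function too: `if (sa->integ_alg == IPSEC_INTEG_ALG_NONE) return clib_error_return (0, "unsupported none integ-alg");`. If it is intended, a short comment above the function stating that confidentiality-only ESP is deliberately accepted would spare the next reader the question.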
@@ -730,7 +740,7 @@ ipsec_init (vlib_main_t * vm)
"ah4-decrypt",
"ah6-encrypt",
"ah6-decrypt",
- ipsec_check_support,
+ ipsec_check_ah_support,
NULL);
im->ah_default_backend = idx;
@@ -743,7 +753,7 @@ ipsec_init (vlib_main_t * vm)
"esp4-decrypt",
"esp6-encrypt",
"esp6-decrypt",
- ipsec_check_support, NULL);
+ ipsec_check_esp_support, NULL);
im->esp_default_backend = idx;
rv = ipsec_select_esp_backend (im, idx);
diff --git a/src/vnet/ipsec/ipsec_if.c b/src/vnet/ipsec/ipsec_if.c
index e8b1a4e041a..0dfb6909e42 100644
--- a/src/vnet/ipsec/ipsec_if.c
+++ b/src/vnet/ipsec/ipsec_if.c
@@ -299,6 +299,7 @@ ipsec_add_del_tunnel_if_internal (vnet_main_t * vnm,
pool_get (im->sad, sa);
clib_memset (sa, 0, sizeof (*sa));
t->input_sa_index = sa - im->sad;
+ sa->protocol = IPSEC_PROTOCOL_ESP;
sa->spi = args->remote_spi;
sa->tunnel_src_addr.ip4.as_u32 = args->remote_ip.as_u32;
sa->tunnel_dst_addr.ip4.as_u32 = args->local_ip.as_u32;
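Review bot: The added `sa->protocol = IPSEC_PROTOCOL_ESP;` has no comment explaining why it is needed after `clib_memset` zeroes the SA; the same applies to the output SA in the next hunk. Presumably the per-protocol support checks split out in ipsec.c depend on this field, so a zeroed value could send a tunnel SA through the wrong algorithm check, but that link is not visible here. I would add `/* tunnel interfaces are ESP-only; set explicitly, the zeroed field is not guaranteed to mean ESP */` above both assignments. `ipsec_add_del_tunnel_if_internal` starts and ends outside these hunks.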
@@ -325,6 +326,7 @@ ipsec_add_del_tunnel_if_internal (vnet_main_t * vnm,
pool_get (im->sad, sa);
clib_memset (sa, 0, sizeof (*sa));
t->output_sa_index = sa - im->sad;
+ sa->protocol = IPSEC_PROTOCOL_ESP;
sa->spi = args->local_spi;
sa->tunnel_src_addr.ip4.as_u32 = args->local_ip.as_u32;
sa->tunnel_dst_addr.ip4.as_u32 = args->remote_ip.as_u32;