diff options
author | Neale Ranns <nranns@cisco.com> | 2019-06-04 15:37:34 +0000 |
---|---|---|
committer | Damjan Marion <dmarion@me.com> | 2019-06-05 11:29:46 +0000 |
commit | e6be702362299566990678f505512b1b74b49112 (patch) | |
tree | b00f992b21664c7bd4861e27a99d76fa9cbb735e /src/vnet | |
parent | 4b58a86da48a5bb861e0e329a60c3876a990f63e (diff) |
IPSEC: some CLI fixes
Change-Id: I45618347e37440263270baf07b2f82f653f754a5
Signed-off-by: Neale Ranns <nranns@cisco.com>
Diffstat (limited to 'src/vnet')
-rw-r--r-- | src/vnet/api_errno.h | 3 | ||||
-rw-r--r-- | src/vnet/crypto/crypto.c | 4 | ||||
-rw-r--r-- | src/vnet/crypto/crypto.h | 2 | ||||
-rw-r--r-- | src/vnet/ipsec/ipsec_cli.c | 7 | ||||
-rw-r--r-- | src/vnet/ipsec/ipsec_sa.c | 10 |
5 files changed, 16 insertions, 10 deletions
diff --git a/src/vnet/api_errno.h b/src/vnet/api_errno.h index e59f3cb1325..be42086e668 100644 --- a/src/vnet/api_errno.h +++ b/src/vnet/api_errno.h @@ -147,7 +147,8 @@ _(NON_ETHERNET, -151, "Interface is not an Ethernet interface") \ _(BD_ALREADY_HAS_BVI, -152, "Bridge domain already has a BVI interface") \ _(INVALID_PROTOCOL, -153, "Invalid Protocol") \ _(INVALID_ALGORITHM, -154, "Invalid Algorithm") \ -_(RSRC_IN_USE, -155, "Resource In Use") +_(RSRC_IN_USE, -155, "Resource In Use") \ +_(KEY_LENGTH, -156, "invalid Key Length") typedef enum { diff --git a/src/vnet/crypto/crypto.c b/src/vnet/crypto/crypto.c index eecbd5f49a4..b447ffbfd5e 100644 --- a/src/vnet/crypto/crypto.c +++ b/src/vnet/crypto/crypto.c @@ -180,7 +180,8 @@ vnet_crypto_key_len_check (vnet_crypto_alg_t alg, u16 length) #define _(n, s, l) \ case VNET_CRYPTO_ALG_##n: \ if ((l) == length) \ - return 1; + return 1; \ + break; foreach_crypto_cipher_alg foreach_crypto_aead_alg #undef _ /* HMAC allows any key length */ @@ -203,7 +204,6 @@ vnet_crypto_key_add (vlib_main_t * vm, vnet_crypto_alg_t alg, u8 * data, vnet_crypto_engine_t *engine; vnet_crypto_key_t *key; - ASSERT (vnet_crypto_key_len_check (alg, length)); if (!vnet_crypto_key_len_check (alg, length)) return ~0; diff --git a/src/vnet/crypto/crypto.h b/src/vnet/crypto/crypto.h index 5af0822812f..7267e06aaa0 100644 --- a/src/vnet/crypto/crypto.h +++ b/src/vnet/crypto/crypto.h @@ -23,7 +23,7 @@ /* CRYPTO_ID, PRETTY_NAME, KEY_LENGTH_IN_BYTES */ #define foreach_crypto_cipher_alg \ _(DES_CBC, "des-cbc", 7) \ - _(3DES_CBC, "3des-cbc", 14) \ + _(3DES_CBC, "3des-cbc", 24) \ _(AES_128_CBC, "aes-128-cbc", 16) \ _(AES_192_CBC, "aes-192-cbc", 24) \ _(AES_256_CBC, "aes-256-cbc", 32) \ diff --git a/src/vnet/ipsec/ipsec_cli.c b/src/vnet/ipsec/ipsec_cli.c index 694e4018d0d..36ea6145993 100644 --- a/src/vnet/ipsec/ipsec_cli.c +++ b/src/vnet/ipsec/ipsec_cli.c @@ -91,6 +91,8 @@ ipsec_sa_add_del_command_fn (vlib_main_t * vm, is_add = 0; flags = IPSEC_SA_FLAG_NONE; proto = IPSEC_PROTOCOL_ESP; + integ_alg = IPSEC_INTEG_ALG_NONE; + crypto_alg = IPSEC_CRYPTO_ALG_NONE; if (!unformat_user (input, unformat_line_input, line_input)) return 0; @@ -149,7 +151,7 @@ ipsec_sa_add_del_command_fn (vlib_main_t * vm, rv = ipsec_sa_del (id); if (rv) - clib_error_return (0, "failed"); + error = clib_error_return (0, "failed"); done: unformat_free (line_input); @@ -233,9 +235,6 @@ ipsec_policy_add_del_command_fn (vlib_main_t * vm, clib_memset (&p, 0, sizeof (p)); p.lport.stop = p.rport.stop = ~0; - p.laddr.stop.ip4.as_u32 = p.raddr.stop.ip4.as_u32 = (u32) ~ 0; - p.laddr.stop.ip6.as_u64[0] = p.laddr.stop.ip6.as_u64[1] = (u64) ~ 0; - p.raddr.stop.ip6.as_u64[0] = p.raddr.stop.ip6.as_u64[1] = (u64) ~ 0; is_outbound = 0; if (!unformat_user (input, unformat_line_input, line_input)) diff --git a/src/vnet/ipsec/ipsec_sa.c b/src/vnet/ipsec/ipsec_sa.c index 4248c2e0e8e..8e8546985ec 100644 --- a/src/vnet/ipsec/ipsec_sa.c +++ b/src/vnet/ipsec/ipsec_sa.c @@ -171,13 +171,19 @@ ipsec_sa_add (u32 id, im->crypto_algs[crypto_alg].alg, (u8 *) ck->data, ck->len); if (~0 == sa->crypto_key_index) - return VNET_API_ERROR_INVALID_VALUE; + { + pool_put (im->sad, sa); + return VNET_API_ERROR_KEY_LENGTH; + } sa->integ_key_index = vnet_crypto_key_add (vm, im->integ_algs[integ_alg].alg, (u8 *) ik->data, ik->len); if (~0 == sa->integ_key_index) - return VNET_API_ERROR_INVALID_VALUE; + { + pool_put (im->sad, sa); + return VNET_API_ERROR_KEY_LENGTH; + } err = ipsec_check_support_cb (im, sa); if (err) |