aboutsummaryrefslogtreecommitdiffstats
path: root/src/vnet
diff options
context:
space:
mode:
authorNeale Ranns <nranns@cisco.com>2019-06-04 15:37:34 +0000
committerDamjan Marion <dmarion@me.com>2019-06-05 11:29:46 +0000
commite6be702362299566990678f505512b1b74b49112 (patch)
treeb00f992b21664c7bd4861e27a99d76fa9cbb735e /src/vnet
parent4b58a86da48a5bb861e0e329a60c3876a990f63e (diff)
IPSEC: some CLI fixes
Change-Id: I45618347e37440263270baf07b2f82f653f754a5 Signed-off-by: Neale Ranns <nranns@cisco.com>
Diffstat (limited to 'src/vnet')
-rw-r--r--src/vnet/api_errno.h3
-rw-r--r--src/vnet/crypto/crypto.c4
-rw-r--r--src/vnet/crypto/crypto.h2
-rw-r--r--src/vnet/ipsec/ipsec_cli.c7
-rw-r--r--src/vnet/ipsec/ipsec_sa.c10
5 files changed, 16 insertions, 10 deletions
diff --git a/src/vnet/api_errno.h b/src/vnet/api_errno.h
index e59f3cb1325..be42086e668 100644
--- a/src/vnet/api_errno.h
+++ b/src/vnet/api_errno.h
@@ -147,7 +147,8 @@ _(NON_ETHERNET, -151, "Interface is not an Ethernet interface") \
_(BD_ALREADY_HAS_BVI, -152, "Bridge domain already has a BVI interface") \
_(INVALID_PROTOCOL, -153, "Invalid Protocol") \
_(INVALID_ALGORITHM, -154, "Invalid Algorithm") \
-_(RSRC_IN_USE, -155, "Resource In Use")
+_(RSRC_IN_USE, -155, "Resource In Use") \
+_(KEY_LENGTH, -156, "invalid Key Length")
typedef enum
{
diff --git a/src/vnet/crypto/crypto.c b/src/vnet/crypto/crypto.c
index eecbd5f49a4..b447ffbfd5e 100644
--- a/src/vnet/crypto/crypto.c
+++ b/src/vnet/crypto/crypto.c
@@ -180,7 +180,8 @@ vnet_crypto_key_len_check (vnet_crypto_alg_t alg, u16 length)
#define _(n, s, l) \
case VNET_CRYPTO_ALG_##n: \
if ((l) == length) \
- return 1;
+ return 1; \
+ break;
foreach_crypto_cipher_alg foreach_crypto_aead_alg
#undef _
/* HMAC allows any key length */
@@ -203,7 +204,6 @@ vnet_crypto_key_add (vlib_main_t * vm, vnet_crypto_alg_t alg, u8 * data,
vnet_crypto_engine_t *engine;
vnet_crypto_key_t *key;
- ASSERT (vnet_crypto_key_len_check (alg, length));
if (!vnet_crypto_key_len_check (alg, length))
return ~0;
diff --git a/src/vnet/crypto/crypto.h b/src/vnet/crypto/crypto.h
index 5af0822812f..7267e06aaa0 100644
--- a/src/vnet/crypto/crypto.h
+++ b/src/vnet/crypto/crypto.h
@@ -23,7 +23,7 @@
/* CRYPTO_ID, PRETTY_NAME, KEY_LENGTH_IN_BYTES */
#define foreach_crypto_cipher_alg \
_(DES_CBC, "des-cbc", 7) \
- _(3DES_CBC, "3des-cbc", 14) \
+ _(3DES_CBC, "3des-cbc", 24) \
_(AES_128_CBC, "aes-128-cbc", 16) \
_(AES_192_CBC, "aes-192-cbc", 24) \
_(AES_256_CBC, "aes-256-cbc", 32) \
diff --git a/src/vnet/ipsec/ipsec_cli.c b/src/vnet/ipsec/ipsec_cli.c
index 694e4018d0d..36ea6145993 100644
--- a/src/vnet/ipsec/ipsec_cli.c
+++ b/src/vnet/ipsec/ipsec_cli.c
@@ -91,6 +91,8 @@ ipsec_sa_add_del_command_fn (vlib_main_t * vm,
is_add = 0;
flags = IPSEC_SA_FLAG_NONE;
proto = IPSEC_PROTOCOL_ESP;
+ integ_alg = IPSEC_INTEG_ALG_NONE;
+ crypto_alg = IPSEC_CRYPTO_ALG_NONE;
if (!unformat_user (input, unformat_line_input, line_input))
return 0;
@@ -149,7 +151,7 @@ ipsec_sa_add_del_command_fn (vlib_main_t * vm,
rv = ipsec_sa_del (id);
if (rv)
- clib_error_return (0, "failed");
+ error = clib_error_return (0, "failed");
done:
unformat_free (line_input);
@@ -233,9 +235,6 @@ ipsec_policy_add_del_command_fn (vlib_main_t * vm,
clib_memset (&p, 0, sizeof (p));
p.lport.stop = p.rport.stop = ~0;
- p.laddr.stop.ip4.as_u32 = p.raddr.stop.ip4.as_u32 = (u32) ~ 0;
- p.laddr.stop.ip6.as_u64[0] = p.laddr.stop.ip6.as_u64[1] = (u64) ~ 0;
- p.raddr.stop.ip6.as_u64[0] = p.raddr.stop.ip6.as_u64[1] = (u64) ~ 0;
is_outbound = 0;
if (!unformat_user (input, unformat_line_input, line_input))
diff --git a/src/vnet/ipsec/ipsec_sa.c b/src/vnet/ipsec/ipsec_sa.c
index 4248c2e0e8e..8e8546985ec 100644
--- a/src/vnet/ipsec/ipsec_sa.c
+++ b/src/vnet/ipsec/ipsec_sa.c
@@ -171,13 +171,19 @@ ipsec_sa_add (u32 id,
im->crypto_algs[crypto_alg].alg,
(u8 *) ck->data, ck->len);
if (~0 == sa->crypto_key_index)
- return VNET_API_ERROR_INVALID_VALUE;
+ {
+ pool_put (im->sad, sa);
+ return VNET_API_ERROR_KEY_LENGTH;
+ }
sa->integ_key_index = vnet_crypto_key_add (vm,
im->integ_algs[integ_alg].alg,
(u8 *) ik->data, ik->len);
if (~0 == sa->integ_key_index)
- return VNET_API_ERROR_INVALID_VALUE;
+ {
+ pool_put (im->sad, sa);
+ return VNET_API_ERROR_KEY_LENGTH;
+ }
err = ipsec_check_support_cb (im, sa);
if (err)