ikev2: check for valid cipher + integrity

Type: improvement Change-Id: Ic09b2c777a7c82e8d7074164280f817f9141529b Signed-off-by: Benoît Ganne <bganne@cisco.com>
2020-12-14 19:31:16 +01:00
parent 844e94f815
commit 1eaaba4198
2 changed files with 7 additions and 7 deletions
--- a/src/plugins/ikev2/ikev2.c
+++ b/src/plugins/ikev2/ikev2.c
@ -4103,15 +4103,15 @@ ikev2_set_profile_ike_transforms (vlib_main_t * vm, u8 * name,
 				  u32 crypto_key_size)
 {
  ikev2_profile_t *p;
-  clib_error_t *r;

  p = ikev2_profile_index_by_name (name);
-
  if (!p)
-    {
-      r = clib_error_return (0, "unknown profile %v", name);
-      return r;
-    }
+    return clib_error_return (0, "unknown profile %v", name);
+
+  if ((IKEV2_TRANSFORM_INTEG_TYPE_NONE != integ_alg) +
+	(IKEV2_TRANSFORM_ENCR_TYPE_AES_GCM_16 == crypto_alg) !=
+      1)
+    return clib_error_return (0, "invalid cipher + integrity algorithm");

  p->ike_ts.crypto_alg = crypto_alg;
  p->ike_ts.integ_alg = integ_alg;
--- a/test/test_ikev2.py
+++ b/test/test_ikev2.py
@ -1546,7 +1546,7 @@ class TestApi(VppTestCase):
                'ike_ts': {
                        'crypto_alg': 20,
                        'crypto_key_size': 32,
-                        'integ_alg': 1,
+                        'integ_alg': 0,
                        'dh_group': 1},
                'esp_ts': {
                        'crypto_alg': 13,