From 827d4e568b7fc91f5c14dbce9a1a568c57a01c9c Mon Sep 17 00:00:00 2001
From: Klement Sekera
Date: Wed, 30 Jan 2019 11:11:23 +0100
Subject: [PATCH] ipsec: fix check support functions
Change-Id: If94c57fbb07a7376a9f2873e1489c00b28152620
Signed-off-by: Klement Sekera
(cherry picked from commit 4fd5a9d3e6abdf61f266da8400a299fe5b0eb0ed)
---
 src/vnet/ipsec/ipsec.c | 20 +++++++++++++++-----
 src/vnet/ipsec/ipsec_if.c | 2 ++
 2 files changed, 17 insertions(+), 5 deletions(-)
diff --git a/src/vnet/ipsec/ipsec.c b/src/vnet/ipsec/ipsec.c
index fdd18c2f8fa..7b79af2d902 100644
--- a/src/vnet/ipsec/ipsec.c
+++ b/src/vnet/ipsec/ipsec.c
@@ -533,12 +533,22 @@ ipsec_rand_seed (void)
 }
 static clib_error_t *
-ipsec_check_support (ipsec_sa_t * sa)
+ipsec_check_ah_support (ipsec_sa_t * sa)
+{
+ if (sa->integ_alg == IPSEC_INTEG_ALG_NONE)
+ return clib_error_return (0, "unsupported none integ-alg");
+ return 0;
+}
+
+static clib_error_t *
+ipsec_check_esp_support (ipsec_sa_t * sa)
 {
 if (sa->crypto_alg == IPSEC_CRYPTO_ALG_AES_GCM_128)
 return clib_error_return (0, "unsupported aes-gcm-128 crypto-alg");
- if (sa->integ_alg == IPSEC_INTEG_ALG_NONE)
- return clib_error_return (0, "unsupported none integ-alg");
+ if (sa->crypto_alg == IPSEC_CRYPTO_ALG_AES_GCM_192)
+ return clib_error_return (0, "unsupported aes-gcm-192 crypto-alg");
+ if (sa->crypto_alg == IPSEC_CRYPTO_ALG_AES_GCM_256)
+ return clib_error_return (0, "unsupported aes-gcm-256 crypto-alg");
 return 0;
 }
@@ -730,7 +740,7 @@ ipsec_init (vlib_main_t * vm)
 "ah4-decrypt",
 "ah6-encrypt",
 "ah6-decrypt",
- ipsec_check_support,
+ ipsec_check_ah_support,
 NULL);
 im->ah_default_backend = idx;
@@ -743,7 +753,7 @@ ipsec_init (vlib_main_t * vm)
 "esp4-decrypt",
 "esp6-encrypt",
 "esp6-decrypt",
- ipsec_check_support, NULL);
+ ipsec_check_esp_support, NULL);
 im->esp_default_backend = idx;
 rv = ipsec_select_esp_backend (im, idx);
diff --git a/src/vnet/ipsec/ipsec_if.c b/src/vnet/ipsec/ipsec_if.c
index e8b1a4e041a..0dfb6909e42 100644
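Review bot: In the first hunk of src/vnet/ipsec/ipsec.c, `ipsec_check_esp_support` no longer rejects `IPSEC_INTEG_ALG_NONE`, and because it refuses all three AES-GCM variants, every SA it accepts with integ-alg none carries no packet authentication at all. Unauthenticated ESP lets ciphertext be modified in transit without detection, so unless confidentiality-only SAs are an intended configuration for the default backend, the guard should stay in the ESP check as well: `if (sa->integ_alg == IPSEC_INTEG_ALG_NONE) return clib_error_return (0, "unsupported none integ-alg");`. If dropping it is deliberate, a comment above the function such as `/* integ-alg none is accepted for ESP on purpose; such SAs are encrypted but not authenticated */` would keep a later reader from treating it as an oversight.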
--- a/src/vnet/ipsec/ipsec_if.c
+++ b/src/vnet/ipsec/ipsec_if.c
@@ -299,6 +299,7 @@ ipsec_add_del_tunnel_if_internal (vnet_main_t * vnm,
 pool_get (im->sad, sa);
 clib_memset (sa, 0, sizeof (*sa));
 t->input_sa_index = sa - im->sad;
+ sa->protocol = IPSEC_PROTOCOL_ESP;
 sa->spi = args->remote_spi;
 sa->tunnel_src_addr.ip4.as_u32 = args->remote_ip.as_u32;
 sa->tunnel_dst_addr.ip4.as_u32 = args->local_ip.as_u32;
@@ -325,6 +326,7 @@ ipsec_add_del_tunnel_if_internal (vnet_main_t * vnm,
 pool_get (im->sad, sa);
 clib_memset (sa, 0, sizeof (*sa));
 t->output_sa_index = sa - im->sad;
+ sa->protocol = IPSEC_PROTOCOL_ESP;
 sa->spi = args->local_spi;
 sa->tunnel_src_addr.ip4.as_u32 = args->local_ip.as_u32;
 sa->tunnel_dst_addr.ip4.as_u32 = args->remote_ip.as_u32;
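Review bot: The new `sa->protocol = IPSEC_PROTOCOL_ESP;` in the input-SA setup, and the identical line in the output-SA hunk at -325, has no comment saying why it is needed. The SA was just zeroed by `clib_memset`, so until this line `protocol` held whatever enum value 0 stands for, and any per-protocol handling would presumably have followed that value. I would add above each assignment `/* tunnel interface SAs are always ESP; clib_memset above leaves protocol at its zero value */`. Both hunks sit inside `ipsec_add_del_tunnel_if_internal`, whose body starts and ends outside them, so whether the backend support check is actually run on these SAs cannot be confirmed from here.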