IPSEC: some CLI fixes

Change-Id: I45618347e37440263270baf07b2f82f653f754a5
Signed-off-by: Neale Ranns <nranns@cisco.com>

src/vnet/api_errno.h

@@ -147,7 +147,8 @@ _(NON_ETHERNET, -151, "Interface is not an Ethernet interface")         \
 _(BD_ALREADY_HAS_BVI, -152, "Bridge domain already has a BVI interface") \
 _(INVALID_PROTOCOL, -153, "Invalid Protocol")                           \
 _(INVALID_ALGORITHM, -154, "Invalid Algorithm")                         \
-_(RSRC_IN_USE, -155, "Resource In Use")
+_(RSRC_IN_USE, -155, "Resource In Use")                                 \
+_(KEY_LENGTH, -156, "invalid Key Length")
 
 typedef enum
 {

src/vnet/crypto/crypto.c

@@ -180,7 +180,8 @@ vnet_crypto_key_len_check (vnet_crypto_alg_t alg, u16 length)
 #define _(n, s, l) \
       case VNET_CRYPTO_ALG_##n: \
         if ((l) == length) \
-          return 1;
+          return 1;        \
+        break;
       foreach_crypto_cipher_alg foreach_crypto_aead_alg
 #undef _
 	/* HMAC allows any key length */
@@ -203,7 +204,6 @@ vnet_crypto_key_add (vlib_main_t * vm, vnet_crypto_alg_t alg, u8 * data,
   vnet_crypto_engine_t *engine;
   vnet_crypto_key_t *key;
 
-  ASSERT (vnet_crypto_key_len_check (alg, length));
   if (!vnet_crypto_key_len_check (alg, length))
     return ~0;
 

src/vnet/crypto/crypto.h

@@ -23,7 +23,7 @@
 /* CRYPTO_ID, PRETTY_NAME, KEY_LENGTH_IN_BYTES */
 #define foreach_crypto_cipher_alg \
   _(DES_CBC,     "des-cbc", 7) \
-  _(3DES_CBC,    "3des-cbc", 14) \
+  _(3DES_CBC,    "3des-cbc", 24) \
   _(AES_128_CBC, "aes-128-cbc", 16) \
   _(AES_192_CBC, "aes-192-cbc", 24) \
   _(AES_256_CBC, "aes-256-cbc", 32) \

src/vnet/ipsec/ipsec_cli.c

@@ -91,6 +91,8 @@ ipsec_sa_add_del_command_fn (vlib_main_t * vm,
   is_add = 0;
   flags = IPSEC_SA_FLAG_NONE;
   proto = IPSEC_PROTOCOL_ESP;
+  integ_alg = IPSEC_INTEG_ALG_NONE;
+  crypto_alg = IPSEC_CRYPTO_ALG_NONE;
 
   if (!unformat_user (input, unformat_line_input, line_input))
     return 0;
@@ -149,7 +151,7 @@ ipsec_sa_add_del_command_fn (vlib_main_t * vm,
     rv = ipsec_sa_del (id);
 
   if (rv)
-    clib_error_return (0, "failed");
+    error = clib_error_return (0, "failed");
 
 done:
   unformat_free (line_input);
@@ -233,9 +235,6 @@ ipsec_policy_add_del_command_fn (vlib_main_t * vm,
 
   clib_memset (&p, 0, sizeof (p));
   p.lport.stop = p.rport.stop = ~0;
-  p.laddr.stop.ip4.as_u32 = p.raddr.stop.ip4.as_u32 = (u32) ~ 0;
-  p.laddr.stop.ip6.as_u64[0] = p.laddr.stop.ip6.as_u64[1] = (u64) ~ 0;
-  p.raddr.stop.ip6.as_u64[0] = p.raddr.stop.ip6.as_u64[1] = (u64) ~ 0;
   is_outbound = 0;
 
   if (!unformat_user (input, unformat_line_input, line_input))

src/vnet/ipsec/ipsec_sa.c

@@ -171,13 +171,19 @@ ipsec_sa_add (u32 id,
 					      im->crypto_algs[crypto_alg].alg,
 					      (u8 *) ck->data, ck->len);
   if (~0 == sa->crypto_key_index)
-    return VNET_API_ERROR_INVALID_VALUE;
+    {
+      pool_put (im->sad, sa);
+      return VNET_API_ERROR_KEY_LENGTH;
+    }
 
   sa->integ_key_index = vnet_crypto_key_add (vm,
 					     im->integ_algs[integ_alg].alg,
 					     (u8 *) ik->data, ik->len);
   if (~0 == sa->integ_key_index)
-    return VNET_API_ERROR_INVALID_VALUE;
+    {
+      pool_put (im->sad, sa);
+      return VNET_API_ERROR_KEY_LENGTH;
+    }
 
   err = ipsec_check_support_cb (im, sa);
   if (err)

test/test_crypto.py

@@ -0,0 +1,28 @@
+#!/usr/bin/env python
+
+import unittest
+
+from framework import VppTestCase, VppTestRunner
+
+
+class TestCrypto(VppTestCase):
+    """ Crypto Test Case """
+
+    @classmethod
+    def setUpClass(cls):
+        super(TestCrypto, cls).setUpClass()
+
+    @classmethod
+    def tearDownClass(cls):
+        super(TestCrypto, cls).tearDownClass()
+
+    def test_crypto(self):
+        """ Crypto Unit Tests """
+        error = self.vapi.cli("test crypto")
+
+        if error:
+            self.logger.critical(error)
+        self.assertNotIn("FAIL", error)
+
+if __name__ == '__main__':
+    unittest.main(testRunner=VppTestRunner)