From ece2ae0fa27a11d25fff6ea27263d5c5ba5c9dbc Mon Sep 17 00:00:00 2001
From: Neale Ranns <nranns@cisco.com>
Date: Fri, 21 Jun 2019 12:44:11 +0000
Subject: [PATCH] ipsec: return error if the engine backend has no handler for
 the requested alogrithm.

Type: feature

Change-Id: I19a9c14b2bb52ba2fc66246845b7ada73d5095d1
Signed-off-by: Neale Ranns <nranns@cisco.com>
---
 src/vnet/crypto/crypto.c |  8 ++++++++
 src/vnet/crypto/crypto.h |  1 +
 src/vnet/ipsec/ipsec.c   | 24 +++++++++++++++++++++++-
 3 files changed, 32 insertions(+), 1 deletion(-)

diff --git a/src/vnet/crypto/crypto.c b/src/vnet/crypto/crypto.c
index bad3970f419..4da8a14a14b 100644
--- a/src/vnet/crypto/crypto.c
+++ b/src/vnet/crypto/crypto.c
@@ -129,6 +129,14 @@ vnet_crypto_set_handler (char *alg_name, char *engine)
   return 0;
 }
 
+int
+vnet_crypto_is_set_handler (vnet_crypto_alg_t alg)
+{
+  vnet_crypto_main_t *cm = &crypto_main;
+
+  return (NULL != cm->ops_handlers[alg]);
+}
+
 void
 vnet_crypto_register_ops_handler (vlib_main_t * vm, u32 engine_index,
 				  vnet_crypto_op_id_t opt,
diff --git a/src/vnet/crypto/crypto.h b/src/vnet/crypto/crypto.h
index 89af8535c52..9c15d53a6c1 100644
--- a/src/vnet/crypto/crypto.h
+++ b/src/vnet/crypto/crypto.h
@@ -205,6 +205,7 @@ u32 vnet_crypto_process_ops (vlib_main_t * vm, vnet_crypto_op_t ops[],
 			     u32 n_ops);
 
 int vnet_crypto_set_handler (char *ops_handler_name, char *engine);
+int vnet_crypto_is_set_handler (vnet_crypto_alg_t alg);
 
 u32 vnet_crypto_key_add (vlib_main_t * vm, vnet_crypto_alg_t alg,
 			 u8 * data, u16 length);
diff --git a/src/vnet/ipsec/ipsec.c b/src/vnet/ipsec/ipsec.c
index 84f0809954e..4caae4840fb 100644
--- a/src/vnet/ipsec/ipsec.c
+++ b/src/vnet/ipsec/ipsec.c
@@ -30,15 +30,37 @@ ipsec_main_t ipsec_main;
 static clib_error_t *
 ipsec_check_ah_support (ipsec_sa_t * sa)
 {
+  ipsec_main_t *im = &ipsec_main;
+
   if (sa->integ_alg == IPSEC_INTEG_ALG_NONE)
     return clib_error_return (0, "unsupported none integ-alg");
+
+  if (!vnet_crypto_is_set_handler (im->integ_algs[sa->integ_alg].alg))
+    return clib_error_return (0, "No crypto engine support for %U",
+			      format_ipsec_integ_alg, sa->integ_alg);
+
   return 0;
 }
 
 static clib_error_t *
 ipsec_check_esp_support (ipsec_sa_t * sa)
 {
-  return 0;
+  ipsec_main_t *im = &ipsec_main;
+
+  if (IPSEC_INTEG_ALG_NONE != sa->integ_alg)
+    {
+      if (!vnet_crypto_is_set_handler (im->integ_algs[sa->integ_alg].alg))
+	return clib_error_return (0, "No crypto engine support for %U",
+				  format_ipsec_integ_alg, sa->integ_alg);
+    }
+  if (IPSEC_CRYPTO_ALG_NONE != sa->crypto_alg)
+    {
+      if (!vnet_crypto_is_set_handler (im->crypto_algs[sa->crypto_alg].alg))
+	return clib_error_return (0, "No crypto engine support for %U",
+				  format_ipsec_crypto_alg, sa->crypto_alg);
+    }
+
+  return (0);
 }
 
 clib_error_t *
-- 
2.16.6