1 files changed, 22 insertions, 1 deletions

diff --git a/src/conf_mode/interfaces-macsec.py b/src/conf_mode/interfaces-macsec.py
index 03a010086..870049a88 100755
--- a/src/conf_mode/interfaces-macsec.py
+++ b/src/conf_mode/interfaces-macsec.py
@@ -22,6 +22,7 @@ from sys import exit
 from vyos.config import Config
 from vyos.configdict import get_interface_dict
 from vyos.configdict import is_node_changed
+from vyos.configdict import is_source_interface
 from vyos.configverify import verify_vrf
 from vyos.configverify import verify_address
 from vyos.configverify import verify_bridge_delete
@@ -56,7 +57,7 @@ def get_config(config=None):
 
     # Check if interface has been removed
     if 'deleted' in macsec:
-        source_interface = conf.return_effective_value(['source-interface'])
+        source_interface = conf.return_effective_value(base + [ifname, 'source-interface'])
         macsec.update({'source_interface': source_interface})
 
     if is_node_changed(conf, base + [ifname, 'security']):
@@ -65,6 +66,10 @@ def get_config(config=None):
     if is_node_changed(conf, base + [ifname, 'source_interface']):
         macsec.update({'shutdown_required': {}})
 
+    if 'source_interface' in macsec:
+        tmp = is_source_interface(conf, macsec['source_interface'], 'macsec')
+        if tmp and tmp != ifname: macsec.update({'is_source_interface' : tmp})
+
     return macsec
 
 
@@ -87,6 +92,22 @@ def verify(macsec):
         if dict_search('security.mka.cak', macsec) == None or dict_search('security.mka.ckn', macsec) == None:
             raise ConfigError('Missing mandatory MACsec security keys as encryption is enabled!')
 
+        cak_len = len(dict_search('security.mka.cak', macsec))
+
+        if dict_search('security.cipher', macsec) == 'gcm-aes-128' and cak_len != 32:
+            # gcm-aes-128 requires a 128bit long key - 32 characters (string) = 16byte = 128bit
+            raise ConfigError('gcm-aes-128 requires a 128bit long key!')
+
+        elif dict_search('security.cipher', macsec) == 'gcm-aes-256' and cak_len != 64:
+            # gcm-aes-128 requires a 128bit long key - 64 characters (string) = 32byte = 256bit
+            raise ConfigError('gcm-aes-128 requires a 256bit long key!')
+
+    if 'is_source_interface' in macsec:
+        tmp = macsec['is_source_interface']
+        src_ifname = macsec['source_interface']
+        raise ConfigError(f'Can not use source-interface "{src_ifname}", it already ' \
+                          f'belongs to interface "{tmp}"!')
+
     if 'source_interface' in macsec:
         # MACsec adds a 40 byte overhead (32 byte MACsec + 8 bytes VLAN 802.1ad
         # and 802.1q) - we need to check the underlaying MTU if our configured