diff options
author | Arthur de Kerhor <arthurdekerhor@gmail.com> | 2022-01-04 15:53:43 +0100 |
---|---|---|
committer | Beno�t Ganne <bganne@cisco.com> | 2022-01-05 08:18:03 +0000 |
commit | ce04e3b038070204e4e3b5ad4f973add278e2349 (patch) | |
tree | bc38acfb3d04c5695c94c3d159e804b06e515cdb | |
parent | a121ac599aae8dd9c1344e6f835866b4b03c7d5c (diff) |
ipsec: allow registering random ports in tests
We add the possibility to bind the destination UDP port of a Scapy SA
to the ESP layer in the IPsec tunnel protection tests, even if it is not
the default port for ESP (4500).
This allows to test IPSec tunnel protection with ports other than 4500
in the UDP header, without hardcoding them in the Scapy patch (ex: 4545)
Type: improvement
Change-Id: I1eea3d4660ed1b59d827250a419af6b7b41c4a72
Signed-off-by: Arthur de Kerhor <arthurdekerhor@gmail.com>
-rw-r--r-- | test/patches/scapy-2.4.3/ipsec.patch | 42 | ||||
-rw-r--r-- | test/test_ipsec_tun_if_esp.py | 35 |
2 files changed, 47 insertions, 30 deletions
diff --git a/test/patches/scapy-2.4.3/ipsec.patch b/test/patches/scapy-2.4.3/ipsec.patch index 12c24e5057f..196b78fe592 100644 --- a/test/patches/scapy-2.4.3/ipsec.patch +++ b/test/patches/scapy-2.4.3/ipsec.patch @@ -1,5 +1,5 @@ diff --git a/scapy/layers/ipsec.py b/scapy/layers/ipsec.py -index ae057ee1..d7a21e8b 100644 +index ae057ee1..55d0dd53 100644 --- a/scapy/layers/ipsec.py +++ b/scapy/layers/ipsec.py @@ -56,6 +56,7 @@ from scapy.fields import ByteEnumField, ByteField, IntField, PacketField, \ @@ -10,15 +10,7 @@ index ae057ee1..d7a21e8b 100644 import scapy.modules.six as six from scapy.modules.six.moves import range from scapy.layers.inet6 import IPv6, IPv6ExtHdrHopByHop, IPv6ExtHdrDestOpt, \ -@@ -138,6 +139,7 @@ bind_layers(IP, ESP, proto=socket.IPPROTO_ESP) - bind_layers(IPv6, ESP, nh=socket.IPPROTO_ESP) - bind_layers(UDP, ESP, dport=4500) # NAT-Traversal encapsulation - bind_layers(UDP, ESP, sport=4500) # NAT-Traversal encapsulation -+bind_layers(UDP, ESP, dport=4545) # NAT-Traversal encapsulation - random port - - ############################################################################### - -@@ -359,11 +361,8 @@ class CryptAlgo(object): +@@ -359,11 +360,8 @@ class CryptAlgo(object): encryptor = cipher.encryptor() if self.is_aead: @@ -32,7 +24,7 @@ index ae057ee1..d7a21e8b 100644 data = encryptor.update(data) + encryptor.finalize() data += encryptor.tag[:self.icv_size] else: -@@ -400,12 +399,7 @@ class CryptAlgo(object): +@@ -400,12 +398,7 @@ class CryptAlgo(object): if self.is_aead: # Tag value check is done during the finalize method @@ -46,7 +38,7 @@ index ae057ee1..d7a21e8b 100644 try: data = decryptor.update(data) + decryptor.finalize() except InvalidTag as err: -@@ -445,6 +439,7 @@ if algorithms: +@@ -445,6 +438,7 @@ if algorithms: CRYPT_ALGOS['AES-CTR'] = CryptAlgo('AES-CTR', cipher=algorithms.AES, mode=modes.CTR, @@ -54,7 +46,7 @@ index ae057ee1..d7a21e8b 100644 iv_size=8, salt_size=4, format_mode_iv=_aes_ctr_format_mode_iv) -@@ -452,6 +447,7 @@ if algorithms: +@@ -452,6 +446,7 @@ if algorithms: CRYPT_ALGOS['AES-GCM'] = CryptAlgo('AES-GCM', cipher=algorithms.AES, mode=modes.GCM, @@ -62,7 +54,7 @@ index ae057ee1..d7a21e8b 100644 salt_size=4, iv_size=8, icv_size=16, -@@ -460,6 +456,7 @@ if algorithms: +@@ -460,6 +455,7 @@ if algorithms: CRYPT_ALGOS['AES-CCM'] = CryptAlgo('AES-CCM', cipher=algorithms.AES, mode=modes.CCM, @@ -70,7 +62,7 @@ index ae057ee1..d7a21e8b 100644 iv_size=8, salt_size=3, icv_size=16, -@@ -544,7 +541,7 @@ class AuthAlgo(object): +@@ -544,7 +540,7 @@ class AuthAlgo(object): else: return self.mac(key, self.digestmod(), default_backend()) @@ -79,7 +71,7 @@ index ae057ee1..d7a21e8b 100644 """ Sign an IPsec (ESP or AH) packet with this algo. -@@ -560,16 +557,20 @@ class AuthAlgo(object): +@@ -560,16 +556,20 @@ class AuthAlgo(object): if pkt.haslayer(ESP): mac.update(raw(pkt[ESP])) @@ -101,7 +93,7 @@ index ae057ee1..d7a21e8b 100644 """ Check that the integrity check value (icv) of a packet is valid. -@@ -600,6 +601,8 @@ class AuthAlgo(object): +@@ -600,6 +600,8 @@ class AuthAlgo(object): clone = zero_mutable_fields(pkt.copy(), sending=False) mac.update(raw(clone)) @@ -110,7 +102,7 @@ index ae057ee1..d7a21e8b 100644 computed_icv = mac.finalize()[:self.icv_size] # XXX: Cannot use mac.verify because the ICV can be truncated -@@ -788,7 +791,7 @@ class SecurityAssociation(object): +@@ -788,7 +790,7 @@ class SecurityAssociation(object): This class is responsible of "encryption" and "decryption" of IPsec packets. # noqa: E501 """ @@ -119,7 +111,7 @@ index ae057ee1..d7a21e8b 100644 def __init__(self, proto, spi, seq_num=1, crypt_algo=None, crypt_key=None, auth_algo=None, auth_key=None, tunnel_header=None, nat_t_header=None, esn_en=False, esn=0): # noqa: E501 -@@ -862,6 +865,23 @@ class SecurityAssociation(object): +@@ -862,6 +864,23 @@ class SecurityAssociation(object): raise TypeError('nat_t_header must be %s' % UDP.name) self.nat_t_header = nat_t_header @@ -143,7 +135,7 @@ index ae057ee1..d7a21e8b 100644 def check_spi(self, pkt): if pkt.spi != self.spi: raise TypeError('packet spi=0x%x does not match the SA spi=0x%x' % -@@ -875,7 +895,8 @@ class SecurityAssociation(object): +@@ -875,7 +894,8 @@ class SecurityAssociation(object): if len(iv) != self.crypt_algo.iv_size: raise TypeError('iv length must be %s' % self.crypt_algo.iv_size) # noqa: E501 @@ -153,7 +145,7 @@ index ae057ee1..d7a21e8b 100644 if self.tunnel_header: tunnel = self.tunnel_header.copy() -@@ -899,7 +920,7 @@ class SecurityAssociation(object): +@@ -899,7 +919,7 @@ class SecurityAssociation(object): esn_en=esn_en or self.esn_en, esn=esn or self.esn) @@ -162,7 +154,7 @@ index ae057ee1..d7a21e8b 100644 if self.nat_t_header: nat_t_header = self.nat_t_header.copy() -@@ -926,7 +947,8 @@ class SecurityAssociation(object): +@@ -926,7 +946,8 @@ class SecurityAssociation(object): def _encrypt_ah(self, pkt, seq_num=None): @@ -172,7 +164,7 @@ index ae057ee1..d7a21e8b 100644 icv=b"\x00" * self.auth_algo.icv_size) if self.tunnel_header: -@@ -966,7 +988,8 @@ class SecurityAssociation(object): +@@ -966,7 +987,8 @@ class SecurityAssociation(object): else: ip_header.plen = len(ip_header.payload) + len(ah) + len(payload) @@ -182,7 +174,7 @@ index ae057ee1..d7a21e8b 100644 # sequence number must always change, unless specified by the user if seq_num is None: -@@ -1003,11 +1026,12 @@ class SecurityAssociation(object): +@@ -1003,11 +1025,12 @@ class SecurityAssociation(object): def _decrypt_esp(self, pkt, verify=True, esn_en=None, esn=None): @@ -196,7 +188,7 @@ index ae057ee1..d7a21e8b 100644 esp = self.crypt_algo.decrypt(self, encrypted, self.crypt_key, self.crypt_algo.icv_size or -@@ -1048,9 +1072,10 @@ class SecurityAssociation(object): +@@ -1048,9 +1071,10 @@ class SecurityAssociation(object): def _decrypt_ah(self, pkt, verify=True): diff --git a/test/test_ipsec_tun_if_esp.py b/test/test_ipsec_tun_if_esp.py index 763aeddda7b..6865c9050a9 100644 --- a/test/test_ipsec_tun_if_esp.py +++ b/test/test_ipsec_tun_if_esp.py @@ -4,7 +4,7 @@ import copy from scapy.layers.ipsec import SecurityAssociation, ESP from scapy.layers.l2 import Ether, GRE, Dot1Q -from scapy.packet import Raw +from scapy.packet import Raw, bind_layers from scapy.layers.inet import IP, UDP from scapy.layers.inet6 import IPv6 from scapy.contrib.mpls import MPLS @@ -40,6 +40,18 @@ def config_tun_params(p, encryption_type, tun_if, src=None, dst=None): p.tun_dst = dst p.tun_src = src + if p.nat_header: + is_default_port = (p.nat_header.dport == 4500) + else: + is_default_port = True + + if is_default_port: + outbound_nat_header = p.nat_header + else: + outbound_nat_header = UDP(sport=p.nat_header.dport, + dport=p.nat_header.sport) + bind_layers(UDP, ESP, dport=p.nat_header.dport) + p.scapy_tun_sa = SecurityAssociation( encryption_type, spi=p.vpp_tun_spi, crypt_algo=p.crypt_algo, @@ -48,7 +60,7 @@ def config_tun_params(p, encryption_type, tun_if, src=None, dst=None): tunnel_header=ip_class_by_addr_type[p.addr_type]( src=p.tun_dst, dst=p.tun_src), - nat_t_header=p.nat_header, + nat_t_header=outbound_nat_header, esn_en=esn_en) p.vpp_tun_sa = SecurityAssociation( encryption_type, spi=p.scapy_tun_spi, @@ -69,13 +81,26 @@ def config_tra_params(p, encryption_type, tun_if): crypt_key = mk_scapy_crypt_key(p) p.tun_dst = tun_if.remote_ip p.tun_src = tun_if.local_ip + + if p.nat_header: + is_default_port = (p.nat_header.dport == 4500) + else: + is_default_port = True + + if is_default_port: + outbound_nat_header = p.nat_header + else: + outbound_nat_header = UDP(sport=p.nat_header.dport, + dport=p.nat_header.sport) + bind_layers(UDP, ESP, dport=p.nat_header.dport) + p.scapy_tun_sa = SecurityAssociation( encryption_type, spi=p.vpp_tun_spi, crypt_algo=p.crypt_algo, crypt_key=crypt_key, auth_algo=p.auth_algo, auth_key=p.auth_key, esn_en=esn_en, - nat_t_header=p.nat_header) + nat_t_header=outbound_nat_header) p.vpp_tun_sa = SecurityAssociation( encryption_type, spi=p.scapy_tun_spi, crypt_algo=p.crypt_algo, @@ -1354,8 +1379,8 @@ class TestIpsecGreTebUdpIfEspTra(TemplateIpsec, flags=(p.flags | VppEnum.vl_api_ipsec_sad_flags_t. IPSEC_API_SAD_FLAG_IS_INBOUND), - udp_src=5454, - udp_dst=4545) + udp_src=4545, + udp_dst=5454) p.tun_sa_in.add_vpp_config() p.tun_if = VppGreInterface(self, |