authorNeale Ranns <nranns@cisco.com>2019-04-16 02:41:34 +0000
committerDamjan Marion <dmarion@me.com>2019-04-17 13:05:07 +0000
commit80f6fd53feaa10b4a798582100724075897c0944 (patch)
tree1cd1a7f4b910cf5fbf32aa4b4e2c1028c6c980b7
parentd8cfbebce78e26a6ef7f6693e7c90dc3c6435d51 (diff)
IPSEC: Pass the algorithm salt (used in GCM) over the API
Change-Id: Ia8cea13f7b937294e6a080a55fb2ceff30063acf Signed-off-by: Neale Ranns <nranns@cisco.com>
-rw-r--r--src/vnet/ipsec/esp_decrypt.c4
-rw-r--r--src/vnet/ipsec/ipsec.api4
-rw-r--r--src/vnet/ipsec/ipsec_api.c4
-rw-r--r--src/vnet/ipsec/ipsec_cli.c7
-rw-r--r--src/vnet/ipsec/ipsec_format.c3
-rw-r--r--src/vnet/ipsec/ipsec_sa.h4
-rw-r--r--test/template_ipsec.py23
-rw-r--r--test/test_ipsec_esp.py35
-rw-r--r--test/test_ipsec_tun_if_esp.py18
-rw-r--r--test/vpp_ipsec.py6
-rw-r--r--test/vpp_ipsec_tun_interface.py7
-rw-r--r--test/vpp_papi_provider.py7
12 files changed, 80 insertions, 42 deletions
diff --git a/src/vnet/ipsec/esp_decrypt.c b/src/vnet/ipsec/esp_decrypt.c
index d2365fce2d8..e74c1bb908a 100644
--- a/src/vnet/ipsec/esp_decrypt.c
+++ b/src/vnet/ipsec/esp_decrypt.c
@@ -239,7 +239,6 @@ esp_decrypt_inline (vlib_main_t * vm,
esp_header_t *esp0;
esp_aead_t *aad;
u8 *scratch;
- u32 salt;
/*
* construct the AAD and the nonce (Salt || IV) in a scratch
@@ -258,9 +257,8 @@ esp_decrypt_inline (vlib_main_t * vm,
* can overwrite it with the salt and use the IV where it is
* to form the nonce = (Salt + IV)
*/
- salt = clib_host_to_net_u32 (sa0->salt);
op->iv -= sizeof (sa0->salt);
- clib_memcpy_fast (op->iv, &salt, sizeof (sa0->salt));
+ clib_memcpy_fast (op->iv, &sa0->salt, sizeof (sa0->salt));
op->iv_len = cpd.iv_sz + sizeof (sa0->salt);
op->tag = payload + len;
diff --git a/src/vnet/ipsec/ipsec.api b/src/vnet/ipsec/ipsec.api
index bc407f1d272..3a2c993f99c 100644
--- a/src/vnet/ipsec/ipsec.api
+++ b/src/vnet/ipsec/ipsec.api
@@ -262,6 +262,7 @@ typedef key
@param tunnel_src_address - IPsec tunnel source address IPv6 if is_tunnel_ipv6 is non-zero, else IPv4. Only valid if is_tunnel is non-zero
@param tunnel_dst_address - IPsec tunnel destination address IPv6 if is_tunnel_ipv6 is non-zero, else IPv4. Only valid if is_tunnel is non-zero
@param tx_table_id - the FIB id used for encapsulated packets
+ @param salt - for use with counter mode ciphers
*/
typedef ipsec_sad_entry
{
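Review bot: The new `@param salt` line does not say what the field holds or how it is encoded, and the same wording is repeated for `ipsec_tunnel_if_add_del` further down in this file. Elsewhere in this commit the SA stores the salt in network byte order and the handlers copy the field without a byte swap, so the API comment should say so, for example `@param salt - 4-byte salt prepended to the per-packet IV to form the AES-GCM nonce; carried in network byte order`. Because the salt is part of the SA's keying material, the comment could also state that it is expected to be supplied per SA by the key-management layer rather than left at zero. How non-GCM algorithms treat the field is not visible here and is worth documenting once confirmed.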
@@ -282,6 +283,7 @@ typedef ipsec_sad_entry
vl_api_address_t tunnel_src;
vl_api_address_t tunnel_dst;
u32 tx_table_id;
+ u32 salt;
};
/** \brief IPsec: Add/delete Security Association Database entry
@@ -374,6 +376,7 @@ define ipsec_spd_interface_details {
@param show_instance - instance to display for intf if renumber is set
@param udp_encap - enable UDP encapsulation for NAT traversal
@param tx_table_id - the FIB id used after packet encap
+ @param salt - for use with counter mode ciphers
*/
define ipsec_tunnel_if_add_del {
u32 client_index;
@@ -399,6 +402,7 @@ define ipsec_tunnel_if_add_del {
u32 show_instance;
u8 udp_encap;
u32 tx_table_id;
+ u32 salt;
};
/** \brief Add/delete IPsec tunnel interface response
diff --git a/src/vnet/ipsec/ipsec_api.c b/src/vnet/ipsec/ipsec_api.c
index 767cd2fb076..4a15beb6631 100644
--- a/src/vnet/ipsec/ipsec_api.c
+++ b/src/vnet/ipsec/ipsec_api.c
@@ -385,12 +385,11 @@ static void vl_api_ipsec_sad_entry_add_del_t_handler
ip_address_decode (&mp->entry.tunnel_src, &tun_src);
ip_address_decode (&mp->entry.tunnel_dst, &tun_dst);
-
if (mp->is_add)
rv = ipsec_sa_add (id, spi, proto,
crypto_alg, &crypto_key,
integ_alg, &integ_key, flags,
- 0, 0, &tun_src, &tun_dst, &sa_index);
+ 0, mp->entry.salt, &tun_src, &tun_dst, &sa_index);
else
rv = ipsec_sa_del (id);
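Review bot: `mp->entry.salt` is handed to `ipsec_sa_add` with no byte swap and no comment explaining why, while a neighbouring u32 such as `tx_table_id` in the tunnel handler goes through `ntohl`; the same applies to `tun.salt = mp->salt;` in the second hunk of this file. This is consistent with the header change in this commit, which stores the salt in network byte order, but a reader will take the missing `ntohl` for a bug and may "fix" it. Add a one-line comment at both sites, e.g. `/* salt stays in network byte order end to end, so no ntohl here */`. The handler body starts and ends outside the hunk.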
@@ -644,6 +643,7 @@ vl_api_ipsec_tunnel_if_add_del_t_handler (vl_api_ipsec_tunnel_if_add_del_t *
tun.remote_integ_key_len = mp->remote_integ_key_len;
tun.udp_encap = mp->udp_encap;
tun.tx_table_id = ntohl (mp->tx_table_id);
+ tun.salt = mp->salt;
itype = ip_address_decode (&mp->local_ip, &tun.local_ip);
itype = ip_address_decode (&mp->remote_ip, &tun.remote_ip);
tun.is_ip6 = (IP46_TYPE_IP6 == itype);
diff --git a/src/vnet/ipsec/ipsec_cli.c b/src/vnet/ipsec/ipsec_cli.c
index 096060865e9..b6bdc40fd1a 100644
--- a/src/vnet/ipsec/ipsec_cli.c
+++ b/src/vnet/ipsec/ipsec_cli.c
@@ -84,8 +84,8 @@ ipsec_sa_add_del_command_fn (vlib_main_t * vm,
clib_error_t *error;
ipsec_key_t ck = { 0 };
ipsec_key_t ik = { 0 };
+ u32 id, spi, salt;
int is_add, rv;
- u32 id, spi;
error = NULL;
is_add = 0;
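Review bot: `salt` is declared without an initialiser in `u32 id, spi, salt;` and is only written when the user supplies the `salt` keyword, yet the add path in the last hunk of this file always passes `clib_host_to_net_u32 (salt)` to `ipsec_sa_add`. An SA created from the CLI without the keyword therefore gets an indeterminate stack value as its GCM salt, which puts undefined data into keying material and will not match the peer. Initialise it with the other defaults, e.g. `salt = 0;` after `is_add = 0;`, or declare `u32 id, spi, salt = 0;`. The function body continues outside the hunk, and `id` and `spi` appear to follow the same pre-existing pattern.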
@@ -103,6 +103,8 @@ ipsec_sa_add_del_command_fn (vlib_main_t * vm,
is_add = 0;
else if (unformat (line_input, "spi %u", &spi))
;
+ else if (unformat (line_input, "salt %u", &salt))
+ ;
else if (unformat (line_input, "esp"))
proto = IPSEC_PROTOCOL_ESP;
else if (unformat (line_input, "ah"))
@@ -141,7 +143,8 @@ ipsec_sa_add_del_command_fn (vlib_main_t * vm,
if (is_add)
rv = ipsec_sa_add (id, spi, proto, crypto_alg,
&ck, integ_alg, &ik, flags,
- 0, 0, &tun_src, &tun_dst, NULL);
+ 0, clib_host_to_net_u32 (salt),
+ &tun_src, &tun_dst, NULL);
else
rv = ipsec_sa_del (id);
diff --git a/src/vnet/ipsec/ipsec_format.c b/src/vnet/ipsec/ipsec_format.c
index 93b1efd6902..44f064d6112 100644
--- a/src/vnet/ipsec/ipsec_format.c
+++ b/src/vnet/ipsec/ipsec_format.c
@@ -290,7 +290,7 @@ format_ipsec_sa (u8 * s, va_list * args)
if (!(flags & IPSEC_FORMAT_DETAIL))
goto done;
- s = format (s, "\n salt 0x%x", sa->salt);
+ s = format (s, "\n salt 0x%x", clib_net_to_host_u32 (sa->salt));
s = format (s, "\n seq %u seq-hi %u", sa->seq, sa->seq_hi);
s = format (s, "\n last-seq %u last-seq-hi %u window %U",
sa->last_seq, sa->last_seq_hi,
@@ -303,6 +303,7 @@ format_ipsec_sa (u8 * s, va_list * args)
format_ipsec_integ_alg, sa->integ_alg);
if (sa->integ_alg)
s = format (s, " key %U", format_ipsec_key, &sa->integ_key);
+
vlib_get_combined_counter (&ipsec_sa_counters, sai, &counts);
s = format (s, "\n packets %u bytes %u", counts.packets, counts.bytes);
diff --git a/src/vnet/ipsec/ipsec_sa.h b/src/vnet/ipsec/ipsec_sa.h
index f87e12e0204..d1b44c3165f 100644
--- a/src/vnet/ipsec/ipsec_sa.h
+++ b/src/vnet/ipsec/ipsec_sa.h
@@ -160,9 +160,9 @@ typedef struct
u32 sibling;
u32 tx_fib_index;
- u32 salt;
- /* runtime */
+ /* Salt used in GCM modes - stored in network byte order */
+ u32 salt;
} ipsec_sa_t;
STATIC_ASSERT_OFFSET_OF (ipsec_sa_t, cacheline1, CLIB_CACHE_LINE_BYTES);
diff --git a/test/template_ipsec.py b/test/template_ipsec.py
index 6e42ac7f9f4..d6641c45dd1 100644
--- a/test/template_ipsec.py
+++ b/test/template_ipsec.py
@@ -1,5 +1,6 @@
import unittest
import socket
+import struct
from scapy.layers.inet import IP, ICMP, TCP, UDP
from scapy.layers.ipsec import SecurityAssociation
@@ -42,7 +43,7 @@ class IPsecIPv4Params(object):
IPSEC_API_CRYPTO_ALG_AES_CBC_128)
self.crypt_algo = 'AES-CBC' # scapy name
self.crypt_key = 'JPjyOWBeVEQiMe7h'
- self.crypt_salt = ''
+ self.salt = 0
self.flags = 0
self.nat_header = None
@@ -78,7 +79,7 @@ class IPsecIPv6Params(object):
IPSEC_API_CRYPTO_ALG_AES_CBC_128)
self.crypt_algo = 'AES-CBC' # scapy name
self.crypt_key = 'JPjyOWBeVEQiMe7h'
- self.crypt_salt = ''
+ self.salt = 0
self.flags = 0
self.nat_header = None
@@ -87,9 +88,14 @@ def config_tun_params(p, encryption_type, tun_if):
ip_class_by_addr_type = {socket.AF_INET: IP, socket.AF_INET6: IPv6}
use_esn = bool(p.flags & (VppEnum.vl_api_ipsec_sad_flags_t.
IPSEC_API_SAD_FLAG_USE_ESN))
+ if p.crypt_algo == "AES-GCM":
+ crypt_key = p.crypt_key + struct.pack("!I", p.salt)
+ else:
+ crypt_key = p.crypt_key
p.scapy_tun_sa = SecurityAssociation(
encryption_type, spi=p.vpp_tun_spi,
- crypt_algo=p.crypt_algo, crypt_key=p.crypt_key + p.crypt_salt,
+ crypt_algo=p.crypt_algo,
+ crypt_key=crypt_key,
auth_algo=p.auth_algo, auth_key=p.auth_key,
tunnel_header=ip_class_by_addr_type[p.addr_type](
src=tun_if.remote_addr[p.addr_type],
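Review bot: The AES-GCM key-plus-salt construction added here is repeated verbatim in `config_tra_params` two hunks below, so the two copies can drift apart. A shared helper such as `def _scapy_crypt_key(p): return p.crypt_key + struct.pack("!I", p.salt) if p.crypt_algo == "AES-GCM" else p.crypt_key`, called from both functions, would be enough. Note also that `p.crypt_key` is a `str` literal in the params classes, so concatenating it with the value returned by `struct.pack` only works where `str` and `bytes` are the same type; if these tests are meant to run on Python 3 the key needs to be bytes as well. `config_tun_params` continues beyond the hunk.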
@@ -98,7 +104,8 @@ def config_tun_params(p, encryption_type, tun_if):
use_esn=use_esn)
p.vpp_tun_sa = SecurityAssociation(
encryption_type, spi=p.scapy_tun_spi,
- crypt_algo=p.crypt_algo, crypt_key=p.crypt_key + p.crypt_salt,
+ crypt_algo=p.crypt_algo,
+ crypt_key=crypt_key,
auth_algo=p.auth_algo, auth_key=p.auth_key,
tunnel_header=ip_class_by_addr_type[p.addr_type](
dst=tun_if.remote_addr[p.addr_type],
@@ -110,11 +117,15 @@ def config_tun_params(p, encryption_type, tun_if):
def config_tra_params(p, encryption_type):
use_esn = bool(p.flags & (VppEnum.vl_api_ipsec_sad_flags_t.
IPSEC_API_SAD_FLAG_USE_ESN))
+ if p.crypt_algo == "AES-GCM":
+ crypt_key = p.crypt_key + struct.pack("!I", p.salt)
+ else:
+ crypt_key = p.crypt_key
p.scapy_tra_sa = SecurityAssociation(
encryption_type,
spi=p.vpp_tra_spi,
crypt_algo=p.crypt_algo,
- crypt_key=p.crypt_key + p.crypt_salt,
+ crypt_key=crypt_key,
auth_algo=p.auth_algo,
auth_key=p.auth_key,
nat_t_header=p.nat_header,
@@ -123,7 +134,7 @@ def config_tra_params(p, encryption_type):
encryption_type,
spi=p.scapy_tra_spi,
crypt_algo=p.crypt_algo,
- crypt_key=p.crypt_key + p.crypt_salt,
+ crypt_key=crypt_key,
auth_algo=p.auth_algo,
auth_key=p.auth_key,
nat_t_header=p.nat_header,
diff --git a/test/test_ipsec_esp.py b/test/test_ipsec_esp.py
index 566ed347418..eb21c58ae91 100644
--- a/test/test_ipsec_esp.py
+++ b/test/test_ipsec_esp.py
@@ -1,6 +1,5 @@
import socket
import unittest
-import struct
from scapy.layers.ipsec import ESP
from scapy.layers.inet import UDP
@@ -102,6 +101,7 @@ class ConfigIpsecESP(TemplateIpsec):
addr_bcast = params.addr_bcast
e = VppEnum.vl_api_ipsec_spd_action_t
flags = params.flags
+ salt = params.salt
objs = []
params.tun_sa_in = VppIpsecSA(self, scapy_tun_sa_id, scapy_tun_spi,
@@ -110,14 +110,16 @@ class ConfigIpsecESP(TemplateIpsec):
self.vpp_esp_protocol,
self.tun_if.local_addr[addr_type],
self.tun_if.remote_addr[addr_type],
- flags=flags)
+ flags=flags,
+ salt=salt)
params.tun_sa_out = VppIpsecSA(self, vpp_tun_sa_id, vpp_tun_spi,
auth_algo_vpp_id, auth_key,
crypt_algo_vpp_id, crypt_key,
self.vpp_esp_protocol,
self.tun_if.remote_addr[addr_type],
self.tun_if.local_addr[addr_type],
- flags=flags)
+ flags=flags,
+ salt=salt)
objs.append(params.tun_sa_in)
objs.append(params.tun_sa_out)
@@ -185,18 +187,21 @@ class ConfigIpsecESP(TemplateIpsec):
IPSEC_API_SAD_FLAG_USE_ANTI_REPLAY)
e = VppEnum.vl_api_ipsec_spd_action_t
flags = params.flags | flags
+ salt = params.salt
objs = []
params.tra_sa_in = VppIpsecSA(self, scapy_tra_sa_id, scapy_tra_spi,
auth_algo_vpp_id, auth_key,
crypt_algo_vpp_id, crypt_key,
self.vpp_esp_protocol,
- flags=flags)
+ flags=flags,
+ salt=salt)
params.tra_sa_out = VppIpsecSA(self, vpp_tra_sa_id, vpp_tra_spi,
auth_algo_vpp_id, auth_key,
crypt_algo_vpp_id, crypt_key,
self.vpp_esp_protocol,
- flags=flags)
+ flags=flags,
+ salt=salt)
objs.append(params.tra_sa_in)
objs.append(params.tra_sa_out)
@@ -371,7 +376,15 @@ class TestIpsecEspAll(ConfigIpsecESP,
'scapy-crypto': "AES-GCM",
'scapy-integ': "NULL",
'key': "JPjyOWBeVEQiMe7h",
- 'salt': struct.pack("!L", 0)},
+ 'salt': 0},
+ {'vpp-crypto': (VppEnum.vl_api_ipsec_crypto_alg_t.
+ IPSEC_API_CRYPTO_ALG_AES_GCM_192),
+ 'vpp-integ': (VppEnum.vl_api_ipsec_integ_alg_t.
+ IPSEC_API_INTEG_ALG_NONE),
+ 'scapy-crypto': "AES-GCM",
+ 'scapy-integ': "NULL",
+ 'key': "JPjyOWBeVEQiMe7h01234567",
+ 'salt': 1010},
{'vpp-crypto': (VppEnum.vl_api_ipsec_crypto_alg_t.
IPSEC_API_CRYPTO_ALG_AES_GCM_256),
'vpp-integ': (VppEnum.vl_api_ipsec_integ_alg_t.
@@ -379,14 +392,14 @@ class TestIpsecEspAll(ConfigIpsecESP,
'scapy-crypto': "AES-GCM",
'scapy-integ': "NULL",
'key': "JPjyOWBeVEQiMe7h0123456787654321",
- 'salt': struct.pack("!L", 0)},
+ 'salt': 2020},
{'vpp-crypto': (VppEnum.vl_api_ipsec_crypto_alg_t.
IPSEC_API_CRYPTO_ALG_AES_CBC_128),
'vpp-integ': (VppEnum.vl_api_ipsec_integ_alg_t.
IPSEC_API_INTEG_ALG_SHA1_96),
'scapy-crypto': "AES-CBC",
'scapy-integ': "HMAC-SHA1-96",
- 'salt': '',
+ 'salt': 0,
'key': "JPjyOWBeVEQiMe7h"},
{'vpp-crypto': (VppEnum.vl_api_ipsec_crypto_alg_t.
IPSEC_API_CRYPTO_ALG_AES_CBC_192),
@@ -394,7 +407,7 @@ class TestIpsecEspAll(ConfigIpsecESP,
IPSEC_API_INTEG_ALG_SHA1_96),
'scapy-crypto': "AES-CBC",
'scapy-integ': "HMAC-SHA1-96",
- 'salt': '',
+ 'salt': 0,
'key': "JPjyOWBeVEQiMe7hJPjyOWBe"},
{'vpp-crypto': (VppEnum.vl_api_ipsec_crypto_alg_t.
IPSEC_API_CRYPTO_ALG_AES_CBC_256),
@@ -402,7 +415,7 @@ class TestIpsecEspAll(ConfigIpsecESP,
IPSEC_API_INTEG_ALG_SHA1_96),
'scapy-crypto': "AES-CBC",
'scapy-integ': "HMAC-SHA1-96",
- 'salt': '',
+ 'salt': 0,
'key': "JPjyOWBeVEQiMe7hJPjyOWBeVEQiMe7h"}]
# with and without ESN
@@ -437,7 +450,7 @@ class TestIpsecEspAll(ConfigIpsecESP,
p.crypt_algo = algo['scapy-crypto']
p.auth_algo = algo['scapy-integ']
p.crypt_key = algo['key']
- p.crypt_salt = algo['salt']
+ p.salt = algo['salt']
p.flags = p.flags | flag
#
diff --git a/test/test_ipsec_tun_if_esp.py b/test/test_ipsec_tun_if_esp.py
index 833bbd47bb3..018e00bc25e 100644
--- a/test/test_ipsec_tun_if_esp.py
+++ b/test/test_ipsec_tun_if_esp.py
@@ -1,7 +1,6 @@
import unittest
import socket
import copy
-import struct
from scapy.layers.ipsec import ESP
from scapy.layers.l2 import Ether, Raw, GRE
@@ -218,7 +217,8 @@ class TestIpsec4TunIfEspAll(TemplateIpsec, IpsecTun4):
p.crypt_algo_vpp_id,
p.crypt_key, p.crypt_key,
p.auth_algo_vpp_id, p.auth_key,
- p.auth_key)
+ p.auth_key,
+ salt=p.salt)
p.tun_if.add_vpp_config()
p.tun_if.admin_up()
p.tun_if.config_ip4()
@@ -257,7 +257,7 @@ class TestIpsec4TunIfEspAll(TemplateIpsec, IpsecTun4):
'scapy-crypto': "AES-GCM",
'scapy-integ': "NULL",
'key': "JPjyOWBeVEQiMe7h",
- 'salt': struct.pack("!L", 0)},
+ 'salt': 3333},
{'vpp-crypto': (VppEnum.vl_api_ipsec_crypto_alg_t.
IPSEC_API_CRYPTO_ALG_AES_GCM_192),
'vpp-integ': (VppEnum.vl_api_ipsec_integ_alg_t.
@@ -265,7 +265,7 @@ class TestIpsec4TunIfEspAll(TemplateIpsec, IpsecTun4):
'scapy-crypto': "AES-GCM",
'scapy-integ': "NULL",
'key': "JPjyOWBeVEQiMe7hJPjyOWBe",
- 'salt': struct.pack("!L", 0)},
+ 'salt': 0},
{'vpp-crypto': (VppEnum.vl_api_ipsec_crypto_alg_t.
IPSEC_API_CRYPTO_ALG_AES_GCM_256),
'vpp-integ': (VppEnum.vl_api_ipsec_integ_alg_t.
@@ -273,14 +273,14 @@ class TestIpsec4TunIfEspAll(TemplateIpsec, IpsecTun4):
'scapy-crypto': "AES-GCM",
'scapy-integ': "NULL",
'key': "JPjyOWBeVEQiMe7hJPjyOWBeVEQiMe7h",
- 'salt': struct.pack("!L", 0)},
+ 'salt': 9999},
{'vpp-crypto': (VppEnum.vl_api_ipsec_crypto_alg_t.
IPSEC_API_CRYPTO_ALG_AES_CBC_128),
'vpp-integ': (VppEnum.vl_api_ipsec_integ_alg_t.
IPSEC_API_INTEG_ALG_SHA1_96),
'scapy-crypto': "AES-CBC",
'scapy-integ': "HMAC-SHA1-96",
- 'salt': '',
+ 'salt': 0,
'key': "JPjyOWBeVEQiMe7h"},
{'vpp-crypto': (VppEnum.vl_api_ipsec_crypto_alg_t.
IPSEC_API_CRYPTO_ALG_AES_CBC_192),
@@ -288,7 +288,7 @@ class TestIpsec4TunIfEspAll(TemplateIpsec, IpsecTun4):
IPSEC_API_INTEG_ALG_SHA1_96),
'scapy-crypto': "AES-CBC",
'scapy-integ': "HMAC-SHA1-96",
- 'salt': '',
+ 'salt': 0,
'key': "JPjyOWBeVEQiMe7hJPjyOWBe"},
{'vpp-crypto': (VppEnum.vl_api_ipsec_crypto_alg_t.
IPSEC_API_CRYPTO_ALG_AES_CBC_256),
@@ -296,7 +296,7 @@ class TestIpsec4TunIfEspAll(TemplateIpsec, IpsecTun4):
IPSEC_API_INTEG_ALG_SHA1_96),
'scapy-crypto': "AES-CBC",
'scapy-integ': "HMAC-SHA1-96",
- 'salt': '',
+ 'salt': 0,
'key': "JPjyOWBeVEQiMe7hJPjyOWBeVEQiMe7h"}]
for engine in engines:
@@ -314,7 +314,7 @@ class TestIpsec4TunIfEspAll(TemplateIpsec, IpsecTun4):
p.crypt_algo = algo['scapy-crypto']
p.auth_algo = algo['scapy-integ']
p.crypt_key = algo['key']
- p.crypt_salt = algo['salt']
+ p.salt = algo['salt']
self.config_network(p)
diff --git a/test/vpp_ipsec.py b/test/vpp_ipsec.py
index 278ff36f1e4..77a9d74edf3 100644
--- a/test/vpp_ipsec.py
+++ b/test/vpp_ipsec.py
@@ -178,7 +178,7 @@ class VppIpsecSA(VppObject):
crypto_alg, crypto_key,
proto,
tun_src=None, tun_dst=None,
- flags=None):
+ flags=None, salt=0):
e = VppEnum.vl_api_ipsec_sad_flags_t
self.test = test
self.id = id
@@ -188,6 +188,7 @@ class VppIpsecSA(VppObject):
self.crypto_alg = crypto_alg
self.crypto_key = crypto_key
self.proto = proto
+ self.salt = salt
self.tun_src = tun_src
self.tun_dst = tun_dst
@@ -214,7 +215,8 @@ class VppIpsecSA(VppObject):
self.proto,
(self.tun_src if self.tun_src else []),
(self.tun_dst if self.tun_dst else []),
- flags=self.flags)
+ flags=self.flags,
+ salt=self.salt)
self.stat_index = r.stat_index
self.test.registry.register(self, self.test.logger)
diff --git a/test/vpp_ipsec_tun_interface.py b/test/vpp_ipsec_tun_interface.py
index 1a41244a0c5..bc689b321f0 100644
--- a/test/vpp_ipsec_tun_interface.py
+++ b/test/vpp_ipsec_tun_interface.py
@@ -8,7 +8,8 @@ class VppIpsecTunInterface(VppTunnelInterface):
def __init__(self, test, parent_if, local_spi,
remote_spi, crypto_alg, local_crypto_key, remote_crypto_key,
- integ_alg, local_integ_key, remote_integ_key, is_ip6=False):
+ integ_alg, local_integ_key, remote_integ_key, salt=0,
+ is_ip6=False):
super(VppIpsecTunInterface, self).__init__(test, parent_if)
self.local_spi = local_spi
self.remote_spi = remote_spi
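Review bot: `salt=0` is inserted ahead of `is_ip6=False` in the `__init__` signature, so any caller that passes `is_ip6` positionally would now set the salt instead and silently get an IPv4 tunnel. The same reordering happens in test/vpp_papi_provider.py, where `salt=0` lands before `is_add=1` in the SA add/del method and between `esn` and `anti_replay` in `ipsec_tunnel_if_add_del`. The callers changed in this diff use keywords, but others are not visible here; appending the new parameter at the end, `remote_integ_key, is_ip6=False, salt=0):`, removes the risk.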
@@ -18,6 +19,7 @@ class VppIpsecTunInterface(VppTunnelInterface):
self.integ_alg = integ_alg
self.local_integ_key = local_integ_key
self.remote_integ_key = remote_integ_key
+ self.salt = salt
if is_ip6:
self.local_ip = self.parent_if.local_ip6
self.remote_ip = self.parent_if.remote_ip6
@@ -30,7 +32,8 @@ class VppIpsecTunInterface(VppTunnelInterface):
self.local_ip, self.remote_ip,
self.remote_spi, self.local_spi,
self.crypto_alg, self.local_crypto_key, self.remote_crypto_key,
- self.integ_alg, self.local_integ_key, self.remote_integ_key)
+ self.integ_alg, self.local_integ_key, self.remote_integ_key,
+ salt=self.salt)
self.set_sw_if_index(r.sw_if_index)
self.generate_remote_hosts()
self.test.registry.register(self, self.test.logger)
diff --git a/test/vpp_papi_provider.py b/test/vpp_papi_provider.py
index 260e6b28d0b..62175e2310d 100644
--- a/test/vpp_papi_provider.py
+++ b/test/vpp_papi_provider.py
@@ -2357,6 +2357,7 @@ class VppPapiProvider(object):
tunnel_src_address='',
tunnel_dst_address='',
flags=0,
+ salt=0,
is_add=1):
""" IPSEC SA add/del
:param sad_id: security association ID
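Review bot: The docstring that begins at the end of this hunk lists the method's parameters, but the commit adds no entry for the new `salt` argument. Add a line such as `:param salt: 32-bit salt used to build the AES-GCM nonce (default 0)` alongside the other `:param` entries. The docstring continues outside the hunk, so the exact placement has to be checked against the full file.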
@@ -2395,6 +2396,7 @@ class VppPapiProvider(object):
'data': crypto_key,
},
'flags': flags,
+ 'salt': salt,
}
})
@@ -2472,7 +2474,7 @@ class VppPapiProvider(object):
def ipsec_tunnel_if_add_del(self, local_ip, remote_ip, local_spi,
remote_spi, crypto_alg, local_crypto_key,
remote_crypto_key, integ_alg, local_integ_key,
- remote_integ_key, is_add=1, esn=0,
+ remote_integ_key, is_add=1, esn=0, salt=0,
anti_replay=1, renumber=0, show_instance=0):
return self.api(
self.papi.ipsec_tunnel_if_add_del,
@@ -2495,7 +2497,8 @@ class VppPapiProvider(object):
'esn': esn,
'anti_replay': anti_replay,
'renumber': renumber,
- 'show_instance': show_instance
+ 'show_instance': show_instance,
+ 'salt': salt
})
def ipsec_gre_tunnel_add_del(self, local_ip, remote_ip,