diff options
author | Neale Ranns <nranns@cisco.com> | 2019-08-27 12:26:14 +0000 |
---|---|---|
committer | Dave Barach <openvpp@barachs.net> | 2019-08-27 13:49:55 +0000 |
commit | 2cdcd0cf4004b2c0d1d3b891e381aac5735c21f1 (patch) | |
tree | 5efcdd7cd73e7d1da4ba6aede88908df93f460c2 | |
parent | 8e9e0eccb280619f10d287dad3f79541ade03adc (diff) |
ipsec: Fix NULL encryption algorithm
Type: fix
Ticket: VPP-1756
the block-size was set to 0 resulting in incorrect placement of the ESP
footer.
add tests for NULL encrypt + integ.
Change-Id: I8ab3afda8e68f9ff649540cba3f2cac68f12bbba
Signed-off-by: Neale Ranns <nranns@cisco.com>
-rw-r--r-- | src/vnet/ipsec/ipsec.c | 7 | ||||
-rw-r--r-- | src/vnet/ipsec/ipsec_if.c | 3 | ||||
-rw-r--r-- | test/template_ipsec.py | 2 | ||||
-rw-r--r-- | test/test_ipsec_esp.py | 8 | ||||
-rw-r--r-- | test/test_ipsec_tun_if_esp.py | 8 |
5 files changed, 26 insertions, 2 deletions
diff --git a/src/vnet/ipsec/ipsec.c b/src/vnet/ipsec/ipsec.c index 388179976c7..9f3e1d36507 100644 --- a/src/vnet/ipsec/ipsec.c +++ b/src/vnet/ipsec/ipsec.c @@ -320,6 +320,13 @@ ipsec_init (vlib_main_t * vm) vec_validate (im->crypto_algs, IPSEC_CRYPTO_N_ALG - 1); + a = im->crypto_algs + IPSEC_CRYPTO_ALG_NONE; + a->enc_op_id = VNET_CRYPTO_OP_NONE; + a->dec_op_id = VNET_CRYPTO_OP_NONE; + a->alg = VNET_CRYPTO_ALG_NONE; + a->iv_size = 0; + a->block_size = 1; + a = im->crypto_algs + IPSEC_CRYPTO_ALG_DES_CBC; a->enc_op_id = VNET_CRYPTO_OP_DES_CBC_ENC; a->dec_op_id = VNET_CRYPTO_OP_DES_CBC_DEC; diff --git a/src/vnet/ipsec/ipsec_if.c b/src/vnet/ipsec/ipsec_if.c index 0b8f997dbd0..f7f8ec79323 100644 --- a/src/vnet/ipsec/ipsec_if.c +++ b/src/vnet/ipsec/ipsec_if.c @@ -238,7 +238,8 @@ ipsec_tunnel_feature_set (ipsec_main_t * im, ipsec_tunnel_if_t * t, u8 enable) ipsec_sa_t *sa; sa = ipsec_sa_get (t->output_sa_index); - if (sa->crypto_alg == IPSEC_CRYPTO_ALG_NONE) + if (sa->crypto_alg == IPSEC_CRYPTO_ALG_NONE && + sa->integ_alg == IPSEC_INTEG_ALG_NONE) { esp4_feature_index = im->esp4_no_crypto_tun_feature_index; esp6_feature_index = im->esp6_no_crypto_tun_feature_index; diff --git a/test/template_ipsec.py b/test/template_ipsec.py index c3fc8bd434f..a4f998ee84e 100644 --- a/test/template_ipsec.py +++ b/test/template_ipsec.py @@ -379,7 +379,7 @@ class IpsecTra4(object): # a malformed 'runt' packet # created by a mis-constructed SA - if (ESP == self.encryption_type): + if (ESP == self.encryption_type and p.crypt_algo != "NULL"): bogus_sa = SecurityAssociation(self.encryption_type, p.vpp_tra_spi) pkt = (Ether(src=self.tra_if.remote_mac, diff --git a/test/test_ipsec_esp.py b/test/test_ipsec_esp.py index 26f83f16b92..77d22b95a33 100644 --- a/test/test_ipsec_esp.py +++ b/test/test_ipsec_esp.py @@ -424,6 +424,14 @@ class TestIpsecEspAll(ConfigIpsecESP, 'scapy-crypto': "3DES", 'scapy-integ': "HMAC-SHA1-96", 'salt': 0, + 'key': "JPjyOWBeVEQiMe7h00112233"}, + {'vpp-crypto': (VppEnum.vl_api_ipsec_crypto_alg_t. + IPSEC_API_CRYPTO_ALG_NONE), + 'vpp-integ': (VppEnum.vl_api_ipsec_integ_alg_t. + IPSEC_API_INTEG_ALG_SHA1_96), + 'scapy-crypto': "NULL", + 'scapy-integ': "HMAC-SHA1-96", + 'salt': 0, 'key': "JPjyOWBeVEQiMe7h00112233"}] # with and without ESN diff --git a/test/test_ipsec_tun_if_esp.py b/test/test_ipsec_tun_if_esp.py index 5cf311ec9c5..00c1d143c30 100644 --- a/test/test_ipsec_tun_if_esp.py +++ b/test/test_ipsec_tun_if_esp.py @@ -411,6 +411,14 @@ class TestIpsec4TunIfEspAll(TemplateIpsec, IpsecTun4): 'scapy-crypto': "AES-CBC", 'scapy-integ': "HMAC-SHA1-96", 'salt': 0, + 'key': "JPjyOWBeVEQiMe7hJPjyOWBeVEQiMe7h"}, + {'vpp-crypto': (VppEnum.vl_api_ipsec_crypto_alg_t. + IPSEC_API_CRYPTO_ALG_NONE), + 'vpp-integ': (VppEnum.vl_api_ipsec_integ_alg_t. + IPSEC_API_INTEG_ALG_SHA1_96), + 'scapy-crypto': "NULL", + 'scapy-integ': "HMAC-SHA1-96", + 'salt': 0, 'key': "JPjyOWBeVEQiMe7hJPjyOWBeVEQiMe7h"}] for engine in engines: |