summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorNeale Ranns <nranns@cisco.com>2019-03-21 16:36:28 +0000
committerDamjan Marion <dmarion@me.com>2019-03-22 13:05:39 +0000
commit00a442068d353fd60cbd743f2dfb42ee7407d267 (patch)
treef7c1c34d920039499f7ce52b41ba297f0965c994
parentc39a93a83c66f3162ff2aeca809cf825c444fe80 (diff)
IPSEC: test for packet drop on sequence number wrap
Change-Id: Id546c56a4904d13d4278055f3c5a5e4548e2efd0 Signed-off-by: Neale Ranns <nranns@cisco.com>
-rw-r--r--src/plugins/unittest/CMakeLists.txt1
-rw-r--r--src/plugins/unittest/ipsec_test.c75
-rw-r--r--src/vnet/ipsec/ipsec_format.c3
-rw-r--r--test/template_ipsec.py16
4 files changed, 94 insertions, 1 deletions
diff --git a/src/plugins/unittest/CMakeLists.txt b/src/plugins/unittest/CMakeLists.txt
index 81db615da0f..74bcef3c208 100644
--- a/src/plugins/unittest/CMakeLists.txt
+++ b/src/plugins/unittest/CMakeLists.txt
@@ -21,6 +21,7 @@ add_vpp_plugin(unittest
crypto/rfc2202_hmac_md5.c
crypto/rfc4231.c
fib_test.c
+ ipsec_test.c
interface_test.c
mfib_test.c
session_test.c
diff --git a/src/plugins/unittest/ipsec_test.c b/src/plugins/unittest/ipsec_test.c
new file mode 100644
index 00000000000..ec39a2e9042
--- /dev/null
+++ b/src/plugins/unittest/ipsec_test.c
@@ -0,0 +1,75 @@
+/*
+ * Copyright (c) 2018 Cisco and/or its affiliates.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <vnet/ipsec/ipsec.h>
+#include <vnet/ipsec/ipsec_sa.h>
+
+static clib_error_t *
+test_ipsec_command_fn (vlib_main_t * vm,
+ unformat_input_t * input, vlib_cli_command_t * cmd)
+{
+ u64 seq_num;
+ u32 sa_id;
+
+ sa_id = ~0;
+ seq_num = 0;
+
+ while (unformat_check_input (input) != UNFORMAT_END_OF_INPUT)
+ {
+ if (unformat (input, "sa %d", &sa_id))
+ ;
+ else if (unformat (input, "seq 0x%llx", &seq_num))
+ ;
+ else
+ break;
+ }
+
+ if (~0 != sa_id)
+ {
+ ipsec_main_t *im = &ipsec_main;
+ ipsec_sa_t *sa;
+ u32 sa_index;
+
+ sa_index = ipsec_get_sa_index_by_sa_id (sa_id);
+ sa = pool_elt_at_index (im->sad, sa_index);
+
+ sa->seq = seq_num & 0xffffffff;
+ sa->seq_hi = seq_num >> 32;
+ }
+ else
+ {
+ return clib_error_return (0, "unknown SA `%U'",
+ format_unformat_error, input);
+ }
+
+ return (NULL);
+}
+
+/* *INDENT-OFF* */
+VLIB_CLI_COMMAND (test_ipsec_command, static) =
+{
+ .path = "test ipsec",
+ .short_help = "test ipsec sa <ID> seq-num <VALUE>",
+ .function = test_ipsec_command_fn,
+};
+/* *INDENT-ON* */
+
+/*
+ * fd.io coding-style-patch-verification: ON
+ *
+ * Local Variables:
+ * eval: (c-set-style "gnu")
+ * End:
+ */
diff --git a/src/vnet/ipsec/ipsec_format.c b/src/vnet/ipsec/ipsec_format.c
index 3659a7a897f..e682386eee1 100644
--- a/src/vnet/ipsec/ipsec_format.c
+++ b/src/vnet/ipsec/ipsec_format.c
@@ -262,7 +262,8 @@ format_ipsec_sa (u8 * s, va_list * args)
sa->udp_encap ? " udp-encap-enabled" : "",
sa->use_anti_replay ? " anti-replay" : "",
sa->use_esn ? " extended-sequence-number" : "");
- s = format (s, "\n last-seq %u last-seq-hi %u window %U",
+ s = format (s, "\n seq %u seq-hi %u", sa->seq, sa->seq_hi);
+ s = format (s, "\n last-seq %u last-seq-hi %u window %U",
sa->last_seq, sa->last_seq_hi,
format_ipsec_replay_window, sa->replay_window);
s = format (s, "\n crypto alg %U%s%U",
diff --git a/test/template_ipsec.py b/test/template_ipsec.py
index 1b9a3796c15..78d75844d5d 100644
--- a/test/template_ipsec.py
+++ b/test/template_ipsec.py
@@ -307,7 +307,23 @@ class IpsecTra4Tests(object):
seq_num=234))
self.send_and_expect(self.tra_if, [pkt], self.tra_if)
+ # move VPP's SA to just before the seq-number wrap
+ self.vapi.cli("test ipsec sa %d seq 0xffffffff" % p.scapy_tra_sa_id)
+
+ # then fire in a packet that VPP should drop becuase it causes the
+ # seq number to wrap
+ pkt = (Ether(src=self.tra_if.remote_mac,
+ dst=self.tra_if.local_mac) /
+ p.scapy_tra_sa.encrypt(IP(src=self.tra_if.remote_ip4,
+ dst=self.tra_if.local_ip4) /
+ ICMP(),
+ seq_num=236))
+ self.send_and_assert_no_replies(self.tra_if, [pkt])
+ self.assert_packet_counter_equal(
+ '/err/%s/sequence number cycled' % self.tra4_encrypt_node_name, 1)
+
# move the security-associations seq number on to the last we used
+ self.vapi.cli("test ipsec sa %d seq 0x15f" % p.scapy_tra_sa_id)
p.scapy_tra_sa.seq_num = 351
p.vpp_tra_sa.seq_num = 351