diff options
author | Neale Ranns <nranns@cisco.com> | 2019-03-21 16:36:28 +0000 |
---|---|---|
committer | Damjan Marion <dmarion@me.com> | 2019-03-22 13:05:39 +0000 |
commit | 00a442068d353fd60cbd743f2dfb42ee7407d267 (patch) | |
tree | f7c1c34d920039499f7ce52b41ba297f0965c994 | |
parent | c39a93a83c66f3162ff2aeca809cf825c444fe80 (diff) |
IPSEC: test for packet drop on sequence number wrap
Change-Id: Id546c56a4904d13d4278055f3c5a5e4548e2efd0
Signed-off-by: Neale Ranns <nranns@cisco.com>
-rw-r--r-- | src/plugins/unittest/CMakeLists.txt | 1 | ||||
-rw-r--r-- | src/plugins/unittest/ipsec_test.c | 75 | ||||
-rw-r--r-- | src/vnet/ipsec/ipsec_format.c | 3 | ||||
-rw-r--r-- | test/template_ipsec.py | 16 |
4 files changed, 94 insertions, 1 deletions
diff --git a/src/plugins/unittest/CMakeLists.txt b/src/plugins/unittest/CMakeLists.txt index 81db615da0f..74bcef3c208 100644 --- a/src/plugins/unittest/CMakeLists.txt +++ b/src/plugins/unittest/CMakeLists.txt @@ -21,6 +21,7 @@ add_vpp_plugin(unittest crypto/rfc2202_hmac_md5.c crypto/rfc4231.c fib_test.c + ipsec_test.c interface_test.c mfib_test.c session_test.c diff --git a/src/plugins/unittest/ipsec_test.c b/src/plugins/unittest/ipsec_test.c new file mode 100644 index 00000000000..ec39a2e9042 --- /dev/null +++ b/src/plugins/unittest/ipsec_test.c @@ -0,0 +1,75 @@ +/* + * Copyright (c) 2018 Cisco and/or its affiliates. + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at: + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#include <vnet/ipsec/ipsec.h> +#include <vnet/ipsec/ipsec_sa.h> + +static clib_error_t * +test_ipsec_command_fn (vlib_main_t * vm, + unformat_input_t * input, vlib_cli_command_t * cmd) +{ + u64 seq_num; + u32 sa_id; + + sa_id = ~0; + seq_num = 0; + + while (unformat_check_input (input) != UNFORMAT_END_OF_INPUT) + { + if (unformat (input, "sa %d", &sa_id)) + ; + else if (unformat (input, "seq 0x%llx", &seq_num)) + ; + else + break; + } + + if (~0 != sa_id) + { + ipsec_main_t *im = &ipsec_main; + ipsec_sa_t *sa; + u32 sa_index; + + sa_index = ipsec_get_sa_index_by_sa_id (sa_id); + sa = pool_elt_at_index (im->sad, sa_index); + + sa->seq = seq_num & 0xffffffff; + sa->seq_hi = seq_num >> 32; + } + else + { + return clib_error_return (0, "unknown SA `%U'", + format_unformat_error, input); + } + + return (NULL); +} + +/* *INDENT-OFF* */ +VLIB_CLI_COMMAND (test_ipsec_command, static) = +{ + .path = "test ipsec", + .short_help = "test ipsec sa <ID> seq-num <VALUE>", + .function = test_ipsec_command_fn, +}; +/* *INDENT-ON* */ + +/* + * fd.io coding-style-patch-verification: ON + * + * Local Variables: + * eval: (c-set-style "gnu") + * End: + */ diff --git a/src/vnet/ipsec/ipsec_format.c b/src/vnet/ipsec/ipsec_format.c index 3659a7a897f..e682386eee1 100644 --- a/src/vnet/ipsec/ipsec_format.c +++ b/src/vnet/ipsec/ipsec_format.c @@ -262,7 +262,8 @@ format_ipsec_sa (u8 * s, va_list * args) sa->udp_encap ? " udp-encap-enabled" : "", sa->use_anti_replay ? " anti-replay" : "", sa->use_esn ? " extended-sequence-number" : ""); - s = format (s, "\n last-seq %u last-seq-hi %u window %U", + s = format (s, "\n seq %u seq-hi %u", sa->seq, sa->seq_hi); + s = format (s, "\n last-seq %u last-seq-hi %u window %U", sa->last_seq, sa->last_seq_hi, format_ipsec_replay_window, sa->replay_window); s = format (s, "\n crypto alg %U%s%U", diff --git a/test/template_ipsec.py b/test/template_ipsec.py index 1b9a3796c15..78d75844d5d 100644 --- a/test/template_ipsec.py +++ b/test/template_ipsec.py @@ -307,7 +307,23 @@ class IpsecTra4Tests(object): seq_num=234)) self.send_and_expect(self.tra_if, [pkt], self.tra_if) + # move VPP's SA to just before the seq-number wrap + self.vapi.cli("test ipsec sa %d seq 0xffffffff" % p.scapy_tra_sa_id) + + # then fire in a packet that VPP should drop becuase it causes the + # seq number to wrap + pkt = (Ether(src=self.tra_if.remote_mac, + dst=self.tra_if.local_mac) / + p.scapy_tra_sa.encrypt(IP(src=self.tra_if.remote_ip4, + dst=self.tra_if.local_ip4) / + ICMP(), + seq_num=236)) + self.send_and_assert_no_replies(self.tra_if, [pkt]) + self.assert_packet_counter_equal( + '/err/%s/sequence number cycled' % self.tra4_encrypt_node_name, 1) + # move the security-associations seq number on to the last we used + self.vapi.cli("test ipsec sa %d seq 0x15f" % p.scapy_tra_sa_id) p.scapy_tra_sa.seq_num = 351 p.vpp_tra_sa.seq_num = 351 |