ipsec: allow registering random ports in tests

We add the possibility to bind the destination UDP port of a Scapy SA
to the ESP layer in the IPsec tunnel protection tests, even if it is not
the default port for ESP (4500).

This allows to test IPSec tunnel protection with ports other than 4500
in the UDP header, without hardcoding them in the Scapy patch (ex: 4545)

Type: improvement

Change-Id: I1eea3d4660ed1b59d827250a419af6b7b41c4a72
Signed-off-by: Arthur de Kerhor <arthurdekerhor@gmail.com>

1 files changed, 17 insertions, 25 deletions

diff --git a/test/patches/scapy-2.4.3/ipsec.patch b/test/patches/scapy-2.4.3/ipsec.patch
index 12c24e5057f..196b78fe592 100644
--- a/test/patches/scapy-2.4.3/ipsec.patch
+++ b/test/patches/scapy-2.4.3/ipsec.patch
@@ -1,5 +1,5 @@
 diff --git a/scapy/layers/ipsec.py b/scapy/layers/ipsec.py
-index ae057ee1..d7a21e8b 100644
+index ae057ee1..55d0dd53 100644
 --- a/scapy/layers/ipsec.py
 +++ b/scapy/layers/ipsec.py
 @@ -56,6 +56,7 @@ from scapy.fields import ByteEnumField, ByteField, IntField, PacketField, \
@@ -10,15 +10,7 @@ index ae057ee1..d7a21e8b 100644
  import scapy.modules.six as six
  from scapy.modules.six.moves import range
  from scapy.layers.inet6 import IPv6, IPv6ExtHdrHopByHop, IPv6ExtHdrDestOpt, \
-@@ -138,6 +139,7 @@ bind_layers(IP, ESP, proto=socket.IPPROTO_ESP)
- bind_layers(IPv6, ESP, nh=socket.IPPROTO_ESP)
- bind_layers(UDP, ESP, dport=4500)  # NAT-Traversal encapsulation
- bind_layers(UDP, ESP, sport=4500)  # NAT-Traversal encapsulation
-+bind_layers(UDP, ESP, dport=4545)  # NAT-Traversal encapsulation - random port
- 
- ###############################################################################
- 
-@@ -359,11 +361,8 @@ class CryptAlgo(object):
+@@ -359,11 +360,8 @@ class CryptAlgo(object):
              encryptor = cipher.encryptor()
  
              if self.is_aead:
@@ -32,7 +24,7 @@ index ae057ee1..d7a21e8b 100644
                  data = encryptor.update(data) + encryptor.finalize()
                  data += encryptor.tag[:self.icv_size]
              else:
-@@ -400,12 +399,7 @@ class CryptAlgo(object):
+@@ -400,12 +398,7 @@ class CryptAlgo(object):
  
              if self.is_aead:
                  # Tag value check is done during the finalize method
@@ -46,7 +38,7 @@ index ae057ee1..d7a21e8b 100644
              try:
                  data = decryptor.update(data) + decryptor.finalize()
              except InvalidTag as err:
-@@ -445,6 +439,7 @@ if algorithms:
+@@ -445,6 +438,7 @@ if algorithms:
      CRYPT_ALGOS['AES-CTR'] = CryptAlgo('AES-CTR',
                                         cipher=algorithms.AES,
                                         mode=modes.CTR,
@@ -54,7 +46,7 @@ index ae057ee1..d7a21e8b 100644
                                         iv_size=8,
                                         salt_size=4,
                                         format_mode_iv=_aes_ctr_format_mode_iv)
-@@ -452,6 +447,7 @@ if algorithms:
+@@ -452,6 +446,7 @@ if algorithms:
      CRYPT_ALGOS['AES-GCM'] = CryptAlgo('AES-GCM',
                                         cipher=algorithms.AES,
                                         mode=modes.GCM,
@@ -62,7 +54,7 @@ index ae057ee1..d7a21e8b 100644
                                         salt_size=4,
                                         iv_size=8,
                                         icv_size=16,
-@@ -460,6 +456,7 @@ if algorithms:
+@@ -460,6 +455,7 @@ if algorithms:
          CRYPT_ALGOS['AES-CCM'] = CryptAlgo('AES-CCM',
                                             cipher=algorithms.AES,
                                             mode=modes.CCM,
@@ -70,7 +62,7 @@ index ae057ee1..d7a21e8b 100644
                                             iv_size=8,
                                             salt_size=3,
                                             icv_size=16,
-@@ -544,7 +541,7 @@ class AuthAlgo(object):
+@@ -544,7 +540,7 @@ class AuthAlgo(object):
          else:
              return self.mac(key, self.digestmod(), default_backend())
  
@@ -79,7 +71,7 @@ index ae057ee1..d7a21e8b 100644
          """
          Sign an IPsec (ESP or AH) packet with this algo.
  
-@@ -560,16 +557,20 @@ class AuthAlgo(object):
+@@ -560,16 +556,20 @@ class AuthAlgo(object):
  
          if pkt.haslayer(ESP):
              mac.update(raw(pkt[ESP]))
@@ -101,7 +93,7 @@ index ae057ee1..d7a21e8b 100644
          """
          Check that the integrity check value (icv) of a packet is valid.
  
-@@ -600,6 +601,8 @@ class AuthAlgo(object):
+@@ -600,6 +600,8 @@ class AuthAlgo(object):
              clone = zero_mutable_fields(pkt.copy(), sending=False)
  
          mac.update(raw(clone))
@@ -110,7 +102,7 @@ index ae057ee1..d7a21e8b 100644
          computed_icv = mac.finalize()[:self.icv_size]
  
          # XXX: Cannot use mac.verify because the ICV can be truncated
-@@ -788,7 +791,7 @@ class SecurityAssociation(object):
+@@ -788,7 +790,7 @@ class SecurityAssociation(object):
      This class is responsible of "encryption" and "decryption" of IPsec packets.  # noqa: E501
      """
  
@@ -119,7 +111,7 @@ index ae057ee1..d7a21e8b 100644
  
      def __init__(self, proto, spi, seq_num=1, crypt_algo=None, crypt_key=None,
                   auth_algo=None, auth_key=None, tunnel_header=None, nat_t_header=None, esn_en=False, esn=0):   # noqa: E501
-@@ -862,6 +865,23 @@ class SecurityAssociation(object):
+@@ -862,6 +864,23 @@ class SecurityAssociation(object):
                  raise TypeError('nat_t_header must be %s' % UDP.name)
          self.nat_t_header = nat_t_header
  
@@ -143,7 +135,7 @@ index ae057ee1..d7a21e8b 100644
      def check_spi(self, pkt):
          if pkt.spi != self.spi:
              raise TypeError('packet spi=0x%x does not match the SA spi=0x%x' %
-@@ -875,7 +895,8 @@ class SecurityAssociation(object):
+@@ -875,7 +894,8 @@ class SecurityAssociation(object):
              if len(iv) != self.crypt_algo.iv_size:
                  raise TypeError('iv length must be %s' % self.crypt_algo.iv_size)  # noqa: E501
  
@@ -153,7 +145,7 @@ index ae057ee1..d7a21e8b 100644
  
          if self.tunnel_header:
              tunnel = self.tunnel_header.copy()
-@@ -899,7 +920,7 @@ class SecurityAssociation(object):
+@@ -899,7 +919,7 @@ class SecurityAssociation(object):
                                        esn_en=esn_en or self.esn_en,
                                        esn=esn or self.esn)
  
@@ -162,7 +154,7 @@ index ae057ee1..d7a21e8b 100644
  
          if self.nat_t_header:
              nat_t_header = self.nat_t_header.copy()
-@@ -926,7 +947,8 @@ class SecurityAssociation(object):
+@@ -926,7 +946,8 @@ class SecurityAssociation(object):
  
      def _encrypt_ah(self, pkt, seq_num=None):
  
@@ -172,7 +164,7 @@ index ae057ee1..d7a21e8b 100644
                  icv=b"\x00" * self.auth_algo.icv_size)
  
          if self.tunnel_header:
-@@ -966,7 +988,8 @@ class SecurityAssociation(object):
+@@ -966,7 +987,8 @@ class SecurityAssociation(object):
          else:
              ip_header.plen = len(ip_header.payload) + len(ah) + len(payload)
  
@@ -182,7 +174,7 @@ index ae057ee1..d7a21e8b 100644
  
          # sequence number must always change, unless specified by the user
          if seq_num is None:
-@@ -1003,11 +1026,12 @@ class SecurityAssociation(object):
+@@ -1003,11 +1025,12 @@ class SecurityAssociation(object):
  
      def _decrypt_esp(self, pkt, verify=True, esn_en=None, esn=None):
  
@@ -196,7 +188,7 @@ index ae057ee1..d7a21e8b 100644
  
          esp = self.crypt_algo.decrypt(self, encrypted, self.crypt_key,
                                        self.crypt_algo.icv_size or
-@@ -1048,9 +1072,10 @@ class SecurityAssociation(object):
+@@ -1048,9 +1071,10 @@ class SecurityAssociation(object):
  
      def _decrypt_ah(self, pkt, verify=True):