diff options
author | Dave Wallace <dwallacelf@gmail.com> | 2024-07-23 01:28:19 -0400 |
---|---|---|
committer | Beno�t Ganne <bganne@cisco.com> | 2024-08-07 09:15:17 +0000 |
commit | cf9356d642ce131c6562fcd281c01e51af888ec3 (patch) | |
tree | 8a57da79b102ee9a6c4fa3d8c834591ddfdbaff0 /test/patches | |
parent | 0a3b0b231d8d2978c3322cc5ba8e1d2746a6d730 (diff) |
tests: update scapy to version 2.4.5
- Required for Ubuntu 24.04 LTS jobs
- temporarily disable TestIpsecEsp1 and
TestIpsecAhAll tests until a patch can
be added to fix them
Type: test
Change-Id: I1ae7b170117182c3252629bbbb770775e2c496c9
Signed-off-by: Benoît Ganne <bganne@cisco.com>
Signed-off-by: Dave Wallace <dwallacelf@gmail.com>
Diffstat (limited to 'test/patches')
-rw-r--r-- | test/patches/scapy-2.4.5/cdp.patch | 14 | ||||
-rw-r--r-- | test/patches/scapy-2.4.5/ikev2.patch | 22 | ||||
-rw-r--r-- | test/patches/scapy-2.4.5/ipsec.patch | 212 | ||||
-rw-r--r-- | test/patches/scapy-2.4.5/ppp.patch | 45 |
4 files changed, 293 insertions, 0 deletions
diff --git a/test/patches/scapy-2.4.5/cdp.patch b/test/patches/scapy-2.4.5/cdp.patch new file mode 100644 index 00000000000..8fa9f69cc80 --- /dev/null +++ b/test/patches/scapy-2.4.5/cdp.patch @@ -0,0 +1,14 @@ +diff --git a/scapy/contrib/cdp.py b/scapy/contrib/cdp.py +index a1532b78..83963ff4 100644 +--- a/scapy/contrib/cdp.py ++++ b/scapy/contrib/cdp.py +@@ -392,7 +392,7 @@ class _CDPChecksum: + This padding is only used for checksum computation. The original + packet should not be altered.""" + if len(pkt) % 2: +- last_chr = orb(pkt[-1]) ++ last_chr = orb(pkt[len(pkt)-1:]) + if last_chr <= 0x80: + return pkt[:-1] + b'\x00' + chb(last_chr) + else: + diff --git a/test/patches/scapy-2.4.5/ikev2.patch b/test/patches/scapy-2.4.5/ikev2.patch new file mode 100644 index 00000000000..a1dd45ad661 --- /dev/null +++ b/test/patches/scapy-2.4.5/ikev2.patch @@ -0,0 +1,22 @@ +diff --git a/scapy/contrib/ikev2.py b/scapy/contrib/ikev2.py +index 7799fd1e..f81af7ac 100644 +--- a/scapy/contrib/ikev2.py ++++ b/scapy/contrib/ikev2.py +@@ -607,12 +607,16 @@ class IKEv2_payload_TSr(IKEv2_class): + + class IKEv2_payload_Delete(IKEv2_class): + name = "IKEv2 Vendor ID" ++ name = "IKEv2 delete payload" + overload_fields = {IKEv2: {"next_payload": 42}} + fields_desc = [ + ByteEnumField("next_payload", None, IKEv2_payload_type), + ByteField("res", 0), +- FieldLenField("length", None, "vendorID", "H", adjust=lambda pkt, x:x + 4), # noqa: E501 +- StrLenField("vendorID", "", length_from=lambda x:x.length - 4), ++ FieldLenField("length", None, "SPIs", "H", adjust=lambda pkt, x:x + 8), # noqa: E501 ++ ByteEnumField("proto", 1, {1: "IKEv2", 2: "AH", 3: "ESP"}), ++ ByteField("SPIsize", 0), ++ ShortField("SPInum", 0), ++ StrLenField("SPIs", "", length_from=lambda x: x.length - 8), + ] + diff --git a/test/patches/scapy-2.4.5/ipsec.patch b/test/patches/scapy-2.4.5/ipsec.patch new file mode 100644 index 00000000000..5cc197a01b4 --- /dev/null +++ b/test/patches/scapy-2.4.5/ipsec.patch @@ -0,0 +1,212 @@ +diff --git a/scapy/layers/ipsec.py b/scapy/layers/ipsec.py +index 8251dc14..a8390fc5 100644 +--- a/scapy/layers/ipsec.py ++++ b/scapy/layers/ipsec.py +@@ -60,7 +60,7 @@ import scapy.modules.six as six + from scapy.modules.six.moves import range + from scapy.layers.inet6 import IPv6, IPv6ExtHdrHopByHop, IPv6ExtHdrDestOpt, \ + IPv6ExtHdrRouting +- ++from scapy.contrib.mpls import MPLS + + ############################################################################### + class AH(Packet): +@@ -360,13 +360,16 @@ class CryptAlgo(object): + encryptor = cipher.encryptor() + + if self.is_aead: +- if esn_en: +- aad = struct.pack('!LLL', esp.spi, esn, esp.seq) +- else: +- aad = struct.pack('!LL', esp.spi, esp.seq) ++ aad = sa.build_aead(esp) ++ if self.name == 'AES-NULL-GMAC': ++ aad = aad + esp.iv + data ++ aes_null_gmac_data = data ++ data = b'' + encryptor.authenticate_additional_data(aad) + data = encryptor.update(data) + encryptor.finalize() + data += encryptor.tag[:self.icv_size] ++ if self.name == 'AES-NULL-GMAC': ++ data = aes_null_gmac_data + data + else: + data = encryptor.update(data) + encryptor.finalize() + +@@ -402,16 +405,18 @@ class CryptAlgo(object): + + if self.is_aead: + # Tag value check is done during the finalize method +- if esn_en: +- decryptor.authenticate_additional_data( +- struct.pack('!LLL', esp.spi, esn, esp.seq)) +- else: +- decryptor.authenticate_additional_data( +- struct.pack('!LL', esp.spi, esp.seq)) ++ aad = sa.build_aead(esp) ++ if self.name == 'AES-NULL-GMAC': ++ aad = aad + iv + data ++ aes_null_gmac_data = data ++ data = b'' ++ decryptor.authenticate_additional_data(aad) + try: + data = decryptor.update(data) + decryptor.finalize() + except InvalidTag as err: + raise IPSecIntegrityError(err) ++ if self.name == 'AES-NULL-GMAC': ++ data = aes_null_gmac_data + data + + # extract padlen and nh + padlen = orb(data[-2]) +@@ -458,6 +463,13 @@ if algorithms: + iv_size=8, + icv_size=16, + format_mode_iv=_salt_format_mode_iv) ++ CRYPT_ALGOS['AES-NULL-GMAC'] = CryptAlgo('AES-NULL-GMAC', ++ cipher=algorithms.AES, ++ mode=modes.GCM, ++ salt_size=4, ++ iv_size=8, ++ icv_size=16, ++ format_mode_iv=_salt_format_mode_iv) + if hasattr(modes, 'CCM'): + CRYPT_ALGOS['AES-CCM'] = CryptAlgo('AES-CCM', + cipher=algorithms.AES, +@@ -546,7 +558,7 @@ class AuthAlgo(object): + else: + return self.mac(key, self.digestmod(), default_backend()) + +- def sign(self, pkt, key, esn_en=False, esn=0): ++ def sign(self, pkt, key, trailer=None, esn_en=False, esn=0): + """ + Sign an IPsec (ESP or AH) packet with this algo. + +@@ -565,6 +577,8 @@ class AuthAlgo(object): + + if pkt.haslayer(ESP): + mac.update(raw(pkt[ESP])) ++ if trailer: ++ mac.update(trailer) + pkt[ESP].data += mac.finalize()[:self.icv_size] + + elif pkt.haslayer(AH): +@@ -574,11 +588,13 @@ class AuthAlgo(object): + else: + temp = raw(clone) + mac.update(temp) ++ if trailer: ++ mac.update(trailer) + pkt[AH].icv = mac.finalize()[:self.icv_size] + + return pkt + +- def verify(self, pkt, key, esn_en=False, esn=0): ++ def verify(self, pkt, key, trailer, esn_en=False, esn=0): + """ + Check that the integrity check value (icv) of a packet is valid. + +@@ -617,6 +633,8 @@ class AuthAlgo(object): + temp = raw(clone) + + mac.update(temp) ++ if trailer: ++ mac.update(trailer) # bytearray(4)) #raw(trailer)) + computed_icv = mac.finalize()[:self.icv_size] + + # XXX: Cannot use mac.verify because the ICV can be truncated +@@ -805,7 +823,7 @@ class SecurityAssociation(object): + This class is responsible of "encryption" and "decryption" of IPsec packets. # noqa: E501 + """ + +- SUPPORTED_PROTOS = (IP, IPv6) ++ SUPPORTED_PROTOS = (IP, IPv6, MPLS) + + def __init__(self, proto, spi, seq_num=1, crypt_algo=None, crypt_key=None, + auth_algo=None, auth_key=None, tunnel_header=None, nat_t_header=None, esn_en=False, esn=0): # noqa: E501 +@@ -880,6 +898,23 @@ class SecurityAssociation(object): + raise TypeError('nat_t_header must be %s' % UDP.name) + self.nat_t_header = nat_t_header + ++ def build_aead(self, esp): ++ if self.esn_en: ++ return (struct.pack('!LLL', esp.spi, self.seq_num >> 32, esp.seq)) ++ else: ++ return (struct.pack('!LL', esp.spi, esp.seq)) ++ ++ def build_seq_num(self, num): ++ # only lower order bits are transmitted ++ # higher order bits are used in the ICV ++ lower = num & 0xffffffff ++ upper = num >> 32 ++ ++ if self.esn_en: ++ return lower, struct.pack("!I", upper) ++ else: ++ return lower, None ++ + def check_spi(self, pkt): + if pkt.spi != self.spi: + raise TypeError('packet spi=0x%x does not match the SA spi=0x%x' % +@@ -893,7 +928,8 @@ class SecurityAssociation(object): + if len(iv) != self.crypt_algo.iv_size: + raise TypeError('iv length must be %s' % self.crypt_algo.iv_size) # noqa: E501 + +- esp = _ESPPlain(spi=self.spi, seq=seq_num or self.seq_num, iv=iv) ++ low_seq_num, high_seq_num = self.build_seq_num(seq_num or self.seq_num) ++ esp = _ESPPlain(spi=self.spi, seq=low_seq_num, iv=iv) + + if self.tunnel_header: + tunnel = self.tunnel_header.copy() +@@ -917,7 +953,7 @@ class SecurityAssociation(object): + esn_en=esn_en or self.esn_en, + esn=esn or self.esn) + +- self.auth_algo.sign(esp, self.auth_key) ++ self.auth_algo.sign(esp, self.auth_key, high_seq_num) + + if self.nat_t_header: + nat_t_header = self.nat_t_header.copy() +@@ -944,7 +980,8 @@ class SecurityAssociation(object): + + def _encrypt_ah(self, pkt, seq_num=None, esn_en=False, esn=0): + +- ah = AH(spi=self.spi, seq=seq_num or self.seq_num, ++ low_seq_num, high_seq_num = self.build_seq_num(seq_num or self.seq_num) ++ ah = AH(spi=self.spi, seq=low_seq_num, + icv=b"\x00" * self.auth_algo.icv_size) + + if self.tunnel_header: +@@ -985,7 +1022,7 @@ class SecurityAssociation(object): + ip_header.plen = len(ip_header.payload) + len(ah) + len(payload) + + signed_pkt = self.auth_algo.sign(ip_header / ah / payload, +- self.auth_key, ++ self.auth_key, high_seq_num, + esn_en=esn_en or self.esn_en, + esn=esn or self.esn) + +@@ -1025,11 +1062,12 @@ class SecurityAssociation(object): + + def _decrypt_esp(self, pkt, verify=True, esn_en=None, esn=None): + ++ low_seq_num, high_seq_num = self.build_seq_num(self.seq_num) + encrypted = pkt[ESP] + + if verify: + self.check_spi(pkt) +- self.auth_algo.verify(encrypted, self.auth_key) ++ self.auth_algo.verify(encrypted, self.auth_key, high_seq_num) + + esp = self.crypt_algo.decrypt(self, encrypted, self.crypt_key, + self.crypt_algo.icv_size or +@@ -1070,9 +1108,10 @@ class SecurityAssociation(object): + + def _decrypt_ah(self, pkt, verify=True, esn_en=None, esn=None): + ++ low_seq_num, high_seq_num = self.build_seq_num(self.seq_num) + if verify: + self.check_spi(pkt) +- self.auth_algo.verify(pkt, self.auth_key, ++ self.auth_algo.verify(pkt, self.auth_key, high_seq_num, + esn_en=esn_en or self.esn_en, + esn=esn or self.esn) + diff --git a/test/patches/scapy-2.4.5/ppp.patch b/test/patches/scapy-2.4.5/ppp.patch new file mode 100644 index 00000000000..a3680bfee08 --- /dev/null +++ b/test/patches/scapy-2.4.5/ppp.patch @@ -0,0 +1,45 @@ +# NOTE: This patch copied from https://github.com/secdev/scapy +# commit 3e6900776698cd5472c5405294414d5b672a3f18 +# +diff --git a/scapy/layers/ppp.py b/scapy/layers/ppp.py +index b5cd42b4..e0f4c593 100644 +--- a/scapy/layers/ppp.py ++++ b/scapy/layers/ppp.py +@@ -292,6 +292,14 @@ class _PPPProtoField(EnumField): + + See RFC 1661 section 2 + <https://tools.ietf.org/html/rfc1661#section-2> ++ ++ The generated proto field is two bytes when not specified, or when specified ++ as an integer or a string: ++ PPP() ++ PPP(proto=0x21) ++ PPP(proto="Internet Protocol version 4") ++ To explicitly forge a one byte proto field, use the bytes representation: ++ PPP(proto=b'\x21') + """ + def getfield(self, pkt, s): + if ord(s[:1]) & 0x01: +@@ -304,12 +312,18 @@ class _PPPProtoField(EnumField): + return super(_PPPProtoField, self).getfield(pkt, s) + + def addfield(self, pkt, s, val): +- if val < 0x100: +- self.fmt = "!B" +- self.sz = 1 ++ if isinstance(val, bytes): ++ if len(val) == 1: ++ fmt, sz = "!B", 1 ++ elif len(val) == 2: ++ fmt, sz = "!H", 2 ++ else: ++ raise TypeError('Invalid length for PPP proto') ++ val = struct.Struct(fmt).unpack(val)[0] + else: +- self.fmt = "!H" +- self.sz = 2 ++ fmt, sz = "!H", 2 ++ self.fmt = fmt ++ self.sz = sz + self.struct = struct.Struct(self.fmt) + return super(_PPPProtoField, self).addfield(pkt, s, val) |