diff options
| author |   Neale Ranns <nranns@cisco.com> | 2019-04-16 02:41:34 +0000 |
|---|---|---|
| committer |   Damjan Marion <dmarion@me.com> | 2019-04-17 13:05:07 +0000 |
| commit | 80f6fd53feaa10b4a798582100724075897c0944 (patch) | |
| tree | 1cd1a7f4b910cf5fbf32aa4b4e2c1028c6c980b7 /test | |
| parent | d8cfbebce78e26a6ef7f6693e7c90dc3c6435d51 (diff) | |
IPSEC: Pass the algorithm salt (used in GCM) over the API
Change-Id: Ia8cea13f7b937294e6a080a55fb2ceff30063acf
Signed-off-by: Neale Ranns <nranns@cisco.com>
Diffstat (limited to 'test')
| -rw-r--r-- | test/template_ipsec.py | 23 | ||||
| -rw-r--r-- | test/test_ipsec_esp.py | 35 | ||||
| -rw-r--r-- | test/test_ipsec_tun_if_esp.py | 18 | ||||
| -rw-r--r-- | test/vpp_ipsec.py | 6 | ||||
| -rw-r--r-- | test/vpp_ipsec_tun_interface.py | 7 | ||||
| -rw-r--r-- | test/vpp_papi_provider.py | 7 |
6 files changed, 64 insertions, 32 deletions
diff --git a/test/template_ipsec.py b/test/template_ipsec.py index 6e42ac7f9f4..d6641c45dd1 100644 --- a/test/template_ipsec.py +++ b/test/template_ipsec.py @@ -1,5 +1,6 @@ import unittest import socket +import struct from scapy.layers.inet import IP, ICMP, TCP, UDP from scapy.layers.ipsec import SecurityAssociation @@ -42,7 +43,7 @@ class IPsecIPv4Params(object): IPSEC_API_CRYPTO_ALG_AES_CBC_128) self.crypt_algo = 'AES-CBC' # scapy name self.crypt_key = 'JPjyOWBeVEQiMe7h' - self.crypt_salt = '' + self.salt = 0 self.flags = 0 self.nat_header = None @@ -78,7 +79,7 @@ class IPsecIPv6Params(object): IPSEC_API_CRYPTO_ALG_AES_CBC_128) self.crypt_algo = 'AES-CBC' # scapy name self.crypt_key = 'JPjyOWBeVEQiMe7h' - self.crypt_salt = '' + self.salt = 0 self.flags = 0 self.nat_header = None @@ -87,9 +88,14 @@ def config_tun_params(p, encryption_type, tun_if): ip_class_by_addr_type = {socket.AF_INET: IP, socket.AF_INET6: IPv6} use_esn = bool(p.flags & (VppEnum.vl_api_ipsec_sad_flags_t. IPSEC_API_SAD_FLAG_USE_ESN)) + if p.crypt_algo == "AES-GCM": + crypt_key = p.crypt_key + struct.pack("!I", p.salt) + else: + crypt_key = p.crypt_key p.scapy_tun_sa = SecurityAssociation( encryption_type, spi=p.vpp_tun_spi, - crypt_algo=p.crypt_algo, crypt_key=p.crypt_key + p.crypt_salt, + crypt_algo=p.crypt_algo, + crypt_key=crypt_key, auth_algo=p.auth_algo, auth_key=p.auth_key, tunnel_header=ip_class_by_addr_type[p.addr_type]( src=tun_if.remote_addr[p.addr_type], @@ -98,7 +104,8 @@ def config_tun_params(p, encryption_type, tun_if): use_esn=use_esn) p.vpp_tun_sa = SecurityAssociation( encryption_type, spi=p.scapy_tun_spi, - crypt_algo=p.crypt_algo, crypt_key=p.crypt_key + p.crypt_salt, + crypt_algo=p.crypt_algo, + crypt_key=crypt_key, auth_algo=p.auth_algo, auth_key=p.auth_key, tunnel_header=ip_class_by_addr_type[p.addr_type]( dst=tun_if.remote_addr[p.addr_type], @@ -110,11 +117,15 @@ def config_tun_params(p, encryption_type, tun_if): def config_tra_params(p, encryption_type): use_esn = bool(p.flags & (VppEnum.vl_api_ipsec_sad_flags_t. IPSEC_API_SAD_FLAG_USE_ESN)) + if p.crypt_algo == "AES-GCM": + crypt_key = p.crypt_key + struct.pack("!I", p.salt) + else: + crypt_key = p.crypt_key p.scapy_tra_sa = SecurityAssociation( encryption_type, spi=p.vpp_tra_spi, crypt_algo=p.crypt_algo, - crypt_key=p.crypt_key + p.crypt_salt, + crypt_key=crypt_key, auth_algo=p.auth_algo, auth_key=p.auth_key, nat_t_header=p.nat_header, @@ -123,7 +134,7 @@ def config_tra_params(p, encryption_type): encryption_type, spi=p.scapy_tra_spi, crypt_algo=p.crypt_algo, - crypt_key=p.crypt_key + p.crypt_salt, + crypt_key=crypt_key, auth_algo=p.auth_algo, auth_key=p.auth_key, nat_t_header=p.nat_header, diff --git a/test/test_ipsec_esp.py b/test/test_ipsec_esp.py index 566ed347418..eb21c58ae91 100644 --- a/test/test_ipsec_esp.py +++ b/test/test_ipsec_esp.py @@ -1,6 +1,5 @@ import socket import unittest -import struct from scapy.layers.ipsec import ESP from scapy.layers.inet import UDP @@ -102,6 +101,7 @@ class ConfigIpsecESP(TemplateIpsec): addr_bcast = params.addr_bcast e = VppEnum.vl_api_ipsec_spd_action_t flags = params.flags + salt = params.salt objs = [] params.tun_sa_in = VppIpsecSA(self, scapy_tun_sa_id, scapy_tun_spi, @@ -110,14 +110,16 @@ class ConfigIpsecESP(TemplateIpsec): self.vpp_esp_protocol, self.tun_if.local_addr[addr_type], self.tun_if.remote_addr[addr_type], - flags=flags) + flags=flags, + salt=salt) params.tun_sa_out = VppIpsecSA(self, vpp_tun_sa_id, vpp_tun_spi, auth_algo_vpp_id, auth_key, crypt_algo_vpp_id, crypt_key, self.vpp_esp_protocol, self.tun_if.remote_addr[addr_type], self.tun_if.local_addr[addr_type], - flags=flags) + flags=flags, + salt=salt) objs.append(params.tun_sa_in) objs.append(params.tun_sa_out) @@ -185,18 +187,21 @@ class ConfigIpsecESP(TemplateIpsec): IPSEC_API_SAD_FLAG_USE_ANTI_REPLAY) e = VppEnum.vl_api_ipsec_spd_action_t flags = params.flags | flags + salt = params.salt objs = [] params.tra_sa_in = VppIpsecSA(self, scapy_tra_sa_id, scapy_tra_spi, auth_algo_vpp_id, auth_key, crypt_algo_vpp_id, crypt_key, self.vpp_esp_protocol, - flags=flags) + flags=flags, + salt=salt) params.tra_sa_out = VppIpsecSA(self, vpp_tra_sa_id, vpp_tra_spi, auth_algo_vpp_id, auth_key, crypt_algo_vpp_id, crypt_key, self.vpp_esp_protocol, - flags=flags) + flags=flags, + salt=salt) objs.append(params.tra_sa_in) objs.append(params.tra_sa_out) @@ -371,7 +376,15 @@ class TestIpsecEspAll(ConfigIpsecESP, 'scapy-crypto': "AES-GCM", 'scapy-integ': "NULL", 'key': "JPjyOWBeVEQiMe7h", - 'salt': struct.pack("!L", 0)}, + 'salt': 0}, + {'vpp-crypto': (VppEnum.vl_api_ipsec_crypto_alg_t. + IPSEC_API_CRYPTO_ALG_AES_GCM_192), + 'vpp-integ': (VppEnum.vl_api_ipsec_integ_alg_t. + IPSEC_API_INTEG_ALG_NONE), + 'scapy-crypto': "AES-GCM", + 'scapy-integ': "NULL", + 'key': "JPjyOWBeVEQiMe7h01234567", + 'salt': 1010}, {'vpp-crypto': (VppEnum.vl_api_ipsec_crypto_alg_t. IPSEC_API_CRYPTO_ALG_AES_GCM_256), 'vpp-integ': (VppEnum.vl_api_ipsec_integ_alg_t. @@ -379,14 +392,14 @@ class TestIpsecEspAll(ConfigIpsecESP, 'scapy-crypto': "AES-GCM", 'scapy-integ': "NULL", 'key': "JPjyOWBeVEQiMe7h0123456787654321", - 'salt': struct.pack("!L", 0)}, + 'salt': 2020}, {'vpp-crypto': (VppEnum.vl_api_ipsec_crypto_alg_t. IPSEC_API_CRYPTO_ALG_AES_CBC_128), 'vpp-integ': (VppEnum.vl_api_ipsec_integ_alg_t. IPSEC_API_INTEG_ALG_SHA1_96), 'scapy-crypto': "AES-CBC", 'scapy-integ': "HMAC-SHA1-96", - 'salt': '', + 'salt': 0, 'key': "JPjyOWBeVEQiMe7h"}, {'vpp-crypto': (VppEnum.vl_api_ipsec_crypto_alg_t. IPSEC_API_CRYPTO_ALG_AES_CBC_192), @@ -394,7 +407,7 @@ class TestIpsecEspAll(ConfigIpsecESP, IPSEC_API_INTEG_ALG_SHA1_96), 'scapy-crypto': "AES-CBC", 'scapy-integ': "HMAC-SHA1-96", - 'salt': '', + 'salt': 0, 'key': "JPjyOWBeVEQiMe7hJPjyOWBe"}, {'vpp-crypto': (VppEnum.vl_api_ipsec_crypto_alg_t. IPSEC_API_CRYPTO_ALG_AES_CBC_256), @@ -402,7 +415,7 @@ class TestIpsecEspAll(ConfigIpsecESP, IPSEC_API_INTEG_ALG_SHA1_96), 'scapy-crypto': "AES-CBC", 'scapy-integ': "HMAC-SHA1-96", - 'salt': '', + 'salt': 0, 'key': "JPjyOWBeVEQiMe7hJPjyOWBeVEQiMe7h"}] # with and without ESN @@ -437,7 +450,7 @@ class TestIpsecEspAll(ConfigIpsecESP, p.crypt_algo = algo['scapy-crypto'] p.auth_algo = algo['scapy-integ'] p.crypt_key = algo['key'] - p.crypt_salt = algo['salt'] + p.salt = algo['salt'] p.flags = p.flags | flag # diff --git a/test/test_ipsec_tun_if_esp.py b/test/test_ipsec_tun_if_esp.py index 833bbd47bb3..018e00bc25e 100644 --- a/test/test_ipsec_tun_if_esp.py +++ b/test/test_ipsec_tun_if_esp.py @@ -1,7 +1,6 @@ import unittest import socket import copy -import struct from scapy.layers.ipsec import ESP from scapy.layers.l2 import Ether, Raw, GRE @@ -218,7 +217,8 @@ class TestIpsec4TunIfEspAll(TemplateIpsec, IpsecTun4): p.crypt_algo_vpp_id, p.crypt_key, p.crypt_key, p.auth_algo_vpp_id, p.auth_key, - p.auth_key) + p.auth_key, + salt=p.salt) p.tun_if.add_vpp_config() p.tun_if.admin_up() p.tun_if.config_ip4() @@ -257,7 +257,7 @@ class TestIpsec4TunIfEspAll(TemplateIpsec, IpsecTun4): 'scapy-crypto': "AES-GCM", 'scapy-integ': "NULL", 'key': "JPjyOWBeVEQiMe7h", - 'salt': struct.pack("!L", 0)}, + 'salt': 3333}, {'vpp-crypto': (VppEnum.vl_api_ipsec_crypto_alg_t. IPSEC_API_CRYPTO_ALG_AES_GCM_192), 'vpp-integ': (VppEnum.vl_api_ipsec_integ_alg_t. @@ -265,7 +265,7 @@ class TestIpsec4TunIfEspAll(TemplateIpsec, IpsecTun4): 'scapy-crypto': "AES-GCM", 'scapy-integ': "NULL", 'key': "JPjyOWBeVEQiMe7hJPjyOWBe", - 'salt': struct.pack("!L", 0)}, + 'salt': 0}, {'vpp-crypto': (VppEnum.vl_api_ipsec_crypto_alg_t. IPSEC_API_CRYPTO_ALG_AES_GCM_256), 'vpp-integ': (VppEnum.vl_api_ipsec_integ_alg_t. @@ -273,14 +273,14 @@ class TestIpsec4TunIfEspAll(TemplateIpsec, IpsecTun4): 'scapy-crypto': "AES-GCM", 'scapy-integ': "NULL", 'key': "JPjyOWBeVEQiMe7hJPjyOWBeVEQiMe7h", - 'salt': struct.pack("!L", 0)}, + 'salt': 9999}, {'vpp-crypto': (VppEnum.vl_api_ipsec_crypto_alg_t. IPSEC_API_CRYPTO_ALG_AES_CBC_128), 'vpp-integ': (VppEnum.vl_api_ipsec_integ_alg_t. IPSEC_API_INTEG_ALG_SHA1_96), 'scapy-crypto': "AES-CBC", 'scapy-integ': "HMAC-SHA1-96", - 'salt': '', + 'salt': 0, 'key': "JPjyOWBeVEQiMe7h"}, {'vpp-crypto': (VppEnum.vl_api_ipsec_crypto_alg_t. IPSEC_API_CRYPTO_ALG_AES_CBC_192), @@ -288,7 +288,7 @@ class TestIpsec4TunIfEspAll(TemplateIpsec, IpsecTun4): IPSEC_API_INTEG_ALG_SHA1_96), 'scapy-crypto': "AES-CBC", 'scapy-integ': "HMAC-SHA1-96", - 'salt': '', + 'salt': 0, 'key': "JPjyOWBeVEQiMe7hJPjyOWBe"}, {'vpp-crypto': (VppEnum.vl_api_ipsec_crypto_alg_t. IPSEC_API_CRYPTO_ALG_AES_CBC_256), @@ -296,7 +296,7 @@ class TestIpsec4TunIfEspAll(TemplateIpsec, IpsecTun4): IPSEC_API_INTEG_ALG_SHA1_96), 'scapy-crypto': "AES-CBC", 'scapy-integ': "HMAC-SHA1-96", - 'salt': '', + 'salt': 0, 'key': "JPjyOWBeVEQiMe7hJPjyOWBeVEQiMe7h"}] for engine in engines: @@ -314,7 +314,7 @@ class TestIpsec4TunIfEspAll(TemplateIpsec, IpsecTun4): p.crypt_algo = algo['scapy-crypto'] p.auth_algo = algo['scapy-integ'] p.crypt_key = algo['key'] - p.crypt_salt = algo['salt'] + p.salt = algo['salt'] self.config_network(p) diff --git a/test/vpp_ipsec.py b/test/vpp_ipsec.py index 278ff36f1e4..77a9d74edf3 100644 --- a/test/vpp_ipsec.py +++ b/test/vpp_ipsec.py @@ -178,7 +178,7 @@ class VppIpsecSA(VppObject): crypto_alg, crypto_key, proto, tun_src=None, tun_dst=None, - flags=None): + flags=None, salt=0): e = VppEnum.vl_api_ipsec_sad_flags_t self.test = test self.id = id @@ -188,6 +188,7 @@ class VppIpsecSA(VppObject): self.crypto_alg = crypto_alg self.crypto_key = crypto_key self.proto = proto + self.salt = salt self.tun_src = tun_src self.tun_dst = tun_dst @@ -214,7 +215,8 @@ class VppIpsecSA(VppObject): self.proto, (self.tun_src if self.tun_src else []), (self.tun_dst if self.tun_dst else []), - flags=self.flags) + flags=self.flags, + salt=self.salt) self.stat_index = r.stat_index self.test.registry.register(self, self.test.logger) diff --git a/test/vpp_ipsec_tun_interface.py b/test/vpp_ipsec_tun_interface.py index 1a41244a0c5..bc689b321f0 100644 --- a/test/vpp_ipsec_tun_interface.py +++ b/test/vpp_ipsec_tun_interface.py @@ -8,7 +8,8 @@ class VppIpsecTunInterface(VppTunnelInterface): def __init__(self, test, parent_if, local_spi, remote_spi, crypto_alg, local_crypto_key, remote_crypto_key, - integ_alg, local_integ_key, remote_integ_key, is_ip6=False): + integ_alg, local_integ_key, remote_integ_key, salt=0, + is_ip6=False): super(VppIpsecTunInterface, self).__init__(test, parent_if) self.local_spi = local_spi self.remote_spi = remote_spi @@ -18,6 +19,7 @@ class VppIpsecTunInterface(VppTunnelInterface): self.integ_alg = integ_alg self.local_integ_key = local_integ_key self.remote_integ_key = remote_integ_key + self.salt = salt if is_ip6: self.local_ip = self.parent_if.local_ip6 self.remote_ip = self.parent_if.remote_ip6 @@ -30,7 +32,8 @@ class VppIpsecTunInterface(VppTunnelInterface): self.local_ip, self.remote_ip, self.remote_spi, self.local_spi, self.crypto_alg, self.local_crypto_key, self.remote_crypto_key, - self.integ_alg, self.local_integ_key, self.remote_integ_key) + self.integ_alg, self.local_integ_key, self.remote_integ_key, + salt=self.salt) self.set_sw_if_index(r.sw_if_index) self.generate_remote_hosts() self.test.registry.register(self, self.test.logger) diff --git a/test/vpp_papi_provider.py b/test/vpp_papi_provider.py index 260e6b28d0b..62175e2310d 100644 --- a/test/vpp_papi_provider.py +++ b/test/vpp_papi_provider.py @@ -2357,6 +2357,7 @@ class VppPapiProvider(object): tunnel_src_address='', tunnel_dst_address='', flags=0, + salt=0, is_add=1): """ IPSEC SA add/del :param sad_id: security association ID @@ -2395,6 +2396,7 @@ class VppPapiProvider(object): 'data': crypto_key, }, 'flags': flags, + 'salt': salt, } }) @@ -2472,7 +2474,7 @@ class VppPapiProvider(object): def ipsec_tunnel_if_add_del(self, local_ip, remote_ip, local_spi, remote_spi, crypto_alg, local_crypto_key, remote_crypto_key, integ_alg, local_integ_key, - remote_integ_key, is_add=1, esn=0, + remote_integ_key, is_add=1, esn=0, salt=0, anti_replay=1, renumber=0, show_instance=0): return self.api( self.papi.ipsec_tunnel_if_add_del, @@ -2495,7 +2497,8 @@ class VppPapiProvider(object): 'esn': esn, 'anti_replay': anti_replay, 'renumber': renumber, - 'show_instance': show_instance + 'show_instance': show_instance, + 'salt': salt }) def ipsec_gre_tunnel_add_del(self, local_ip, remote_ip, |