-rw-r--r-- | src/vnet/ipsec/esp_encrypt.c | 8 | ||||
-rw-r--r-- | test/test_ipsec_tun_if_esp.py | 53 |
2 files changed, 58 insertions, 3 deletions
diff --git a/src/vnet/ipsec/esp_encrypt.c b/src/vnet/ipsec/esp_encrypt.c
index e06babd92ef..4793fddcd5a 100644
--- a/src/vnet/ipsec/esp_encrypt.c
+++ b/src/vnet/ipsec/esp_encrypt.c
@@ -463,6 +463,7 @@ esp_encrypt_inline (vlib_main_t * vm, vlib_node_runtime_t * node,
           u8 *l2_hdr, l2_len, *ip_hdr, ip_len;
           ip6_ext_header_t *ext_hdr;
           udp_header_t *udp = 0;
+          u16 udp_len = 0;
           u8 *old_ip_hdr = vlib_buffer_get_current (b[0]);
 
           ip_len = is_ip6 ?
@@ -537,7 +538,7 @@ esp_encrypt_inline (vlib_main_t * vm, vlib_node_runtime_t * node,
               if (udp)
                 {
                   esp_update_ip4_hdr (ip4, len, /* is_transport */ 1, 1);
-                  esp_fill_udp_hdr (sa0, udp, len - ip_len);
+                  udp_len = len - ip_len;
                 }
               else
                 esp_update_ip4_hdr (ip4, len, /* is_transport */ 1, 0);
@@ -545,6 +546,11 @@ esp_encrypt_inline (vlib_main_t * vm, vlib_node_runtime_t * node,
 
           clib_memcpy_le64 (ip_hdr, old_ip_hdr, ip_len);
 
+          if (udp)
+            {
+              esp_fill_udp_hdr (sa0, udp, udp_len);
+            }
+
           if (!is_tun)
             next[0] = ESP_ENCRYPT_NEXT_INTERFACE_OUTPUT;
         }
diff --git a/test/test_ipsec_tun_if_esp.py b/test/test_ipsec_tun_if_esp.py
index 55e85b1a4b2..3cd2521e04d 100644
--- a/test/test_ipsec_tun_if_esp.py
+++ b/test/test_ipsec_tun_if_esp.py
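Review bot: The move of `esp_fill_udp_hdr` to after `clib_memcpy_le64 (ip_hdr, old_ip_hdr, ip_len)` in the third hunk carries no comment, so the next reader has no reason not to move it back into the `if (udp)` branch of the second hunk where it used to live. Assuming the reorder exists because the IP-header copy lands on bytes the UDP header occupies, a comment on the new block such as `/* fill the UDP header only after the IP header has been copied into place, otherwise the copy overwrites it */` would pin that down; confirm the mechanism against clib_memcpy_le64 before committing to the wording. `udp_len` is assigned only in the IPv4 `if (udp)` branch, so if `udp` is ever non-NULL on another path (the IPv6 branch is outside these hunks) the header is filled with a zero length; computing `len - ip_len` at the fill site, or an `ASSERT (udp_len)` beside it, would make that invariant explicit. esp_encrypt_inline begins before and continues after these hunks.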
@@ -133,16 +133,42 @@ class TemplateIpsec4TunIfEspUdp(TemplateIpsec): def tearDownClass(cls): super(TemplateIpsec4TunIfEspUdp, cls).tearDownClass() + def verify_encrypted(self, p, sa, rxs): + for rx in rxs: + try: + # ensure the UDP ports are correct before we decrypt + # which strips them + self.assertTrue(rx.haslayer(UDP)) + self.assert_equal(rx[UDP].sport, 4500) + self.assert_equal(rx[UDP].dport, 4500) + + pkt = sa.decrypt(rx[IP]) + if not pkt.haslayer(IP): + pkt = IP(pkt[Raw].load) + + self.assert_packet_checksums_valid(pkt) + self.assert_equal(pkt[IP].dst, "1.1.1.1") + self.assert_equal(pkt[IP].src, self.pg1.remote_ip4) + except (IndexError, AssertionError): + self.logger.debug(ppp("Unexpected packet:", rx)) + try: + self.logger.debug(ppp("Decrypted packet:", pkt)) + except: + pass + raise + def setUp(self): super(TemplateIpsec4TunIfEspUdp, self).setUp() - self.tun_if = self.pg0 - p = self.ipv4_params p.flags = (VppEnum.vl_api_ipsec_sad_flags_t. IPSEC_API_SAD_FLAG_UDP_ENCAP) p.nat_header = UDP(sport=5454, dport=4500) + def config_network(self): + + self.tun_if = self.pg0 + p = self.ipv4_params p.tun_if = VppIpsecTunInterface(self, self.pg0, p.vpp_tun_spi, p.scapy_tun_spi, p.crypt_algo_vpp_id, p.crypt_key, p.crypt_key, 
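Review bot: The inner handler in verify_encrypted uses a bare `except:` around `self.logger.debug(ppp("Decrypted packet:", pkt))`, which also swallows KeyboardInterrupt and SystemExit; it only exists because `pkt` is unbound when the UDP-port assertions fail before `sa.decrypt`, so narrow it to `except Exception:` or set `pkt = None` before the outer try and guard the debug call with `if pkt is not None:`. The `p` argument of verify_encrypted is unused and the expected destination `"1.1.1.1"` is a bare literal; a short comment saying where that address is established would help the next maintainer. As rendered, the setUp hunk removes `- p = self.ipv4_params` while the context line `p.flags = (VppEnum...` still uses `p`; if that is faithful to the commit, `p` is unbound in setUp, so this is worth checking against the committed file. `config_network` has no docstring; suggest `"""Create the UDP-encap tunnel interface from ipv4_params; subclasses call this from setUp."""`. The class header and the remainder of config_network are outside the hunk.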
@@ -204,11 +230,34 @@ class TestIpsec4TunIfEspUdp(TemplateIpsec4TunIfEspUdp, IpsecTun4Tests):
 
     tun4_input_node = "ipsec4-tun-input"
 
+    def setUp(self):
+        super(TemplateIpsec4TunIfEspUdp, self).setUp()
+        self.config_network()
+
     def test_keepalive(self):
         """ IPSEC NAT Keepalive """
         self.verify_keepalive(self.ipv4_params)
 
 
+class TestIpsec4TunIfEspUdpGCM(TemplateIpsec4TunIfEspUdp, IpsecTun4Tests):
+    """ Ipsec ESP UDP GCM tests """
+
+    tun4_input_node = "ipsec4-tun-input"
+
+    def setUp(self):
+        super(TemplateIpsec4TunIfEspUdp, self).setUp()
+        p = self.ipv4_params
+        p.auth_algo_vpp_id = (VppEnum.vl_api_ipsec_integ_alg_t.
+                              IPSEC_API_INTEG_ALG_NONE)
+        p.crypt_algo_vpp_id = (VppEnum.vl_api_ipsec_crypto_alg_t.
+                               IPSEC_API_CRYPTO_ALG_AES_GCM_256)
+        p.crypt_algo = "AES-GCM"
+        p.auth_algo = "NULL"
+        p.crypt_key = b"JPjyOWBeVEQiMe7hJPjyOWBeVEQiMe7h"
+        p.salt = 0
+        self.config_network()
+
+
 class TestIpsec4TunIfEsp2(TemplateIpsec4TunIfEsp, IpsecTcpTests):
     """ Ipsec ESP - TCP tests """
     pass
|
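Review bot: Both new `setUp` methods call `super(TemplateIpsec4TunIfEspUdp, self).setUp()`, which starts the MRO walk after TemplateIpsec4TunIfEspUdp and therefore skips TemplateIpsec4TunIfEspUdp.setUp, the method in the previous hunk that sets `p.flags` to IPSEC_API_SAD_FLAG_UDP_ENCAP and `p.nat_header`; unless those are set elsewhere, the SAs under test are not UDP-encapsulated at all. The first argument to super() must be the class the method is defined in: `super(TestIpsec4TunIfEspUdp, self).setUp()` in TestIpsec4TunIfEspUdp and `super(TestIpsec4TunIfEspUdpGCM, self).setUp()` in TestIpsec4TunIfEspUdpGCM (or plain `super().setUp()` if the file is Python 3 only). TestIpsec4TunIfEspUdpGCM would also benefit from a docstring line stating that it switches the template's algorithms to AES-GCM-256 with no separate integrity algorithm before `config_network()` builds the tunnel, since the test depends on that ordering.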