-rw-r--r--src/vnet/ipsec/esp_encrypt.c8
-rw-r--r--test/test_ipsec_tun_if_esp.py53
2 files changed, 58 insertions, 3 deletions
diff --git a/src/vnet/ipsec/esp_encrypt.c b/src/vnet/ipsec/esp_encrypt.c
index e06babd92ef..4793fddcd5a 100644
--- a/src/vnet/ipsec/esp_encrypt.c
+++ b/src/vnet/ipsec/esp_encrypt.c
@@ -463,6 +463,7 @@ esp_encrypt_inline (vlib_main_t * vm, vlib_node_runtime_t * node,
u8 *l2_hdr, l2_len, *ip_hdr, ip_len;
ip6_ext_header_t *ext_hdr;
udp_header_t *udp = 0;
+ u16 udp_len = 0;
u8 *old_ip_hdr = vlib_buffer_get_current (b[0]);
ip_len = is_ip6 ?
@@ -537,7 +538,7 @@ esp_encrypt_inline (vlib_main_t * vm, vlib_node_runtime_t * node,
if (udp)
{
esp_update_ip4_hdr (ip4, len, /* is_transport */ 1, 1);
- esp_fill_udp_hdr (sa0, udp, len - ip_len);
+ udp_len = len - ip_len;
}
else
esp_update_ip4_hdr (ip4, len, /* is_transport */ 1, 0);
@@ -545,6 +546,11 @@ esp_encrypt_inline (vlib_main_t * vm, vlib_node_runtime_t * node,
clib_memcpy_le64 (ip_hdr, old_ip_hdr, ip_len);
+ if (udp)
+ {
+ esp_fill_udp_hdr (sa0, udp, udp_len);
+ }
+
if (!is_tun)
next[0] = ESP_ENCRYPT_NEXT_INTERFACE_OUTPUT;
}
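Review bot: The new `if (udp)` block after clib_memcpy_le64 has no comment saying why esp_fill_udp_hdr must now run after the old IP header is copied into place, so a later cleanup could hoist it back next to esp_update_ip4_hdr and reintroduce the problem this change addresses. If the copy is indeed what clobbered the header, a comment such as `/* fill the UDP header only after the IP header copy above, which otherwise overwrites it */` would protect the ordering. The braces around the single esp_fill_udp_hdr call also differ from the brace-less `else esp_update_ip4_hdr (...)` a few lines earlier; either form is fine but the function should use one. Because the length computation and the fill are no longer adjacent, if any path other than the IPv4 transport branch can leave udp non-NULL, udp_len is still 0 there and a zero-length UDP header would be written — worth confirming. esp_encrypt_inline begins and continues outside these hunks.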
diff --git a/test/test_ipsec_tun_if_esp.py b/test/test_ipsec_tun_if_esp.py
index 55e85b1a4b2..3cd2521e04d 100644
--- a/test/test_ipsec_tun_if_esp.py
+++ b/test/test_ipsec_tun_if_esp.py
@@ -133,16 +133,42 @@ class TemplateIpsec4TunIfEspUdp(TemplateIpsec):
def tearDownClass(cls):
super(TemplateIpsec4TunIfEspUdp, cls).tearDownClass()
+ def verify_encrypted(self, p, sa, rxs):
+ for rx in rxs:
+ try:
+ # ensure the UDP ports are correct before we decrypt
+ # which strips them
+ self.assertTrue(rx.haslayer(UDP))
+ self.assert_equal(rx[UDP].sport, 4500)
+ self.assert_equal(rx[UDP].dport, 4500)
+
+ pkt = sa.decrypt(rx[IP])
+ if not pkt.haslayer(IP):
+ pkt = IP(pkt[Raw].load)
+
+ self.assert_packet_checksums_valid(pkt)
+ self.assert_equal(pkt[IP].dst, "1.1.1.1")
+ self.assert_equal(pkt[IP].src, self.pg1.remote_ip4)
+ except (IndexError, AssertionError):
+ self.logger.debug(ppp("Unexpected packet:", rx))
+ try:
+ self.logger.debug(ppp("Decrypted packet:", pkt))
+ except:
+ pass
+ raise
+
def setUp(self):
super(TemplateIpsec4TunIfEspUdp, self).setUp()
- self.tun_if = self.pg0
-
p = self.ipv4_params
p.flags = (VppEnum.vl_api_ipsec_sad_flags_t.
IPSEC_API_SAD_FLAG_UDP_ENCAP)
p.nat_header = UDP(sport=5454, dport=4500)
+ def config_network(self):
+
+ self.tun_if = self.pg0
+ p = self.ipv4_params
p.tun_if = VppIpsecTunInterface(self, self.pg0, p.vpp_tun_spi,
p.scapy_tun_spi, p.crypt_algo_vpp_id,
p.crypt_key, p.crypt_key,
@@ -204,11 +230,34 @@ class TestIpsec4TunIfEspUdp(TemplateIpsec4TunIfEspUdp, IpsecTun4Tests):
tun4_input_node = "ipsec4-tun-input"
+ def setUp(self):
+ super(TemplateIpsec4TunIfEspUdp, self).setUp()
+ self.config_network()
+
def test_keepalive(self):
""" IPSEC NAT Keepalive """
self.verify_keepalive(self.ipv4_params)
+class TestIpsec4TunIfEspUdpGCM(TemplateIpsec4TunIfEspUdp, IpsecTun4Tests):
+ """ Ipsec ESP UDP GCM tests """
+
+ tun4_input_node = "ipsec4-tun-input"
+
+ def setUp(self):
+ super(TemplateIpsec4TunIfEspUdp, self).setUp()
+ p = self.ipv4_params
+ p.auth_algo_vpp_id = (VppEnum.vl_api_ipsec_integ_alg_t.
+ IPSEC_API_INTEG_ALG_NONE)
+ p.crypt_algo_vpp_id = (VppEnum.vl_api_ipsec_crypto_alg_t.
+ IPSEC_API_CRYPTO_ALG_AES_GCM_256)
+ p.crypt_algo = "AES-GCM"
+ p.auth_algo = "NULL"
+ p.crypt_key = b"JPjyOWBeVEQiMe7hJPjyOWBeVEQiMe7h"
+ p.salt = 0
+ self.config_network()
+
+
class TestIpsec4TunIfEsp2(TemplateIpsec4TunIfEsp, IpsecTcpTests):
""" Ipsec ESP - TCP tests """
pass
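Review bot: `super(TemplateIpsec4TunIfEspUdp, self).setUp()` in TestIpsec4TunIfEspUdp.setUp and TestIpsec4TunIfEspUdpGCM.setUp starts the MRO lookup after TemplateIpsec4TunIfEspUdp, so the UDP_ENCAP flag and nat_header assigned in TemplateIpsec4TunIfEspUdp.setUp are skipped for both concrete classes; unless self.ipv4_params is shared with an earlier setUp (not visible here), the encapsulation that verify_encrypted asserts on is never configured. Moving `p.flags = (VppEnum.vl_api_ipsec_sad_flags_t.IPSEC_API_SAD_FLAG_UDP_ENCAP)` and `p.nat_header = UDP(sport=5454, dport=4500)` into config_network, which both setUp overrides already call, would make the intent explicit and leave nothing dead in the template's setUp. Separately, the bare `except:` / `pass` in verify_encrypted exists only because `pkt` is unbound when sa.decrypt raises; binding `pkt = None` before the outer try and logging under `if pkt is not None:` removes the bare except, which otherwise also swallows KeyboardInterrupt.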