IPSEC: test for packet drop on sequence number wrap

Change-Id: Id546c56a4904d13d4278055f3c5a5e4548e2efd0
Signed-off-by: Neale Ranns <nranns@cisco.com>

src/plugins/unittest/CMakeLists.txt

@@ -21,6 +21,7 @@ add_vpp_plugin(unittest
   crypto/rfc2202_hmac_md5.c
   crypto/rfc4231.c
   fib_test.c
+  ipsec_test.c
   interface_test.c
   mfib_test.c
   session_test.c

src/plugins/unittest/ipsec_test.c

@@ -0,0 +1,75 @@
+/*
+ * Copyright (c) 2018 Cisco and/or its affiliates.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <vnet/ipsec/ipsec.h>
+#include <vnet/ipsec/ipsec_sa.h>
+
+static clib_error_t *
+test_ipsec_command_fn (vlib_main_t * vm,
+		       unformat_input_t * input, vlib_cli_command_t * cmd)
+{
+  u64 seq_num;
+  u32 sa_id;
+
+  sa_id = ~0;
+  seq_num = 0;
+
+  while (unformat_check_input (input) != UNFORMAT_END_OF_INPUT)
+    {
+      if (unformat (input, "sa %d", &sa_id))
+	;
+      else if (unformat (input, "seq 0x%llx", &seq_num))
+	;
+      else
+	break;
+    }
+
+  if (~0 != sa_id)
+    {
+      ipsec_main_t *im = &ipsec_main;
+      ipsec_sa_t *sa;
+      u32 sa_index;
+
+      sa_index = ipsec_get_sa_index_by_sa_id (sa_id);
+      sa = pool_elt_at_index (im->sad, sa_index);
+
+      sa->seq = seq_num & 0xffffffff;
+      sa->seq_hi = seq_num >> 32;
+    }
+  else
+    {
+      return clib_error_return (0, "unknown SA `%U'",
+				format_unformat_error, input);
+    }
+
+  return (NULL);
+}
+
+/* *INDENT-OFF* */
+VLIB_CLI_COMMAND (test_ipsec_command, static) =
+{
+  .path = "test ipsec",
+  .short_help = "test ipsec sa <ID> seq-num <VALUE>",
+  .function = test_ipsec_command_fn,
+};
+/* *INDENT-ON* */
+
+/*
+ * fd.io coding-style-patch-verification: ON
+ *
+ * Local Variables:
+ * eval: (c-set-style "gnu")
+ * End:
+ */

src/vnet/ipsec/ipsec_format.c

@@ -262,7 +262,8 @@ format_ipsec_sa (u8 * s, va_list * args)
 	      sa->udp_encap ? " udp-encap-enabled" : "",
 	      sa->use_anti_replay ? " anti-replay" : "",
 	      sa->use_esn ? " extended-sequence-number" : "");
-  s = format (s, "\n   last-seq %u last-seq-hi %u  window %U",
+  s = format (s, "\n   seq %u seq-hi %u", sa->seq, sa->seq_hi);
+  s = format (s, "\n   last-seq %u last-seq-hi %u window %U",
 	      sa->last_seq, sa->last_seq_hi,
 	      format_ipsec_replay_window, sa->replay_window);
   s = format (s, "\n   crypto alg %U%s%U",

test/template_ipsec.py

@@ -307,7 +307,23 @@ class IpsecTra4Tests(object):
                                       seq_num=234))
         self.send_and_expect(self.tra_if, [pkt], self.tra_if)
 
+        # move VPP's SA to just before the seq-number wrap
+        self.vapi.cli("test ipsec sa %d seq 0xffffffff" % p.scapy_tra_sa_id)
+
+        # then fire in a packet that VPP should drop becuase it causes the
+        # seq number to wrap
+        pkt = (Ether(src=self.tra_if.remote_mac,
+                     dst=self.tra_if.local_mac) /
+               p.scapy_tra_sa.encrypt(IP(src=self.tra_if.remote_ip4,
+                                         dst=self.tra_if.local_ip4) /
+                                      ICMP(),
+                                      seq_num=236))
+        self.send_and_assert_no_replies(self.tra_if, [pkt])
+        self.assert_packet_counter_equal(
+            '/err/%s/sequence number cycled' % self.tra4_encrypt_node_name, 1)
+
         # move the security-associations seq number on to the last we used
+        self.vapi.cli("test ipsec sa %d seq 0x15f" % p.scapy_tra_sa_id)
         p.scapy_tra_sa.seq_num = 351
         p.vpp_tra_sa.seq_num = 351