ligang/vpp
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

ipsec: fix SA names consistency in tests

Browse Source 
In some IPsec tests, the SA called scapy_sa designs the SA that
encrypts Scapy packets and decrypts them in VPP, and the one
called vpp_sa the SA that encrypts VPP packets and decrypts them
with Scapy. However, this pattern is not consistent across all
tests. Some tests use the opposite logic. Others even mix both
correlating scapy_tra_spi with vpp_tra_sa_id and vice-versa.

Because of that, sometimes, the SA called vpp_sa_in is used as an
outbound SA and vpp_sa_out as an inbound one.

This patch forces all the tests to follow the same following logic:
- scapy_sa is the SA used to encrypt Scapy packets and decrypt
them in VPP. It matches the VPP inbound SA.
- vpp_sa is the SA used to encrypt VPP packets and decrypt them in
Scapy. It matches the VPP outbound SA.

Type: fix
Signed-off-by: Arthur de Kerhor <arthurdekerhor@gmail.com>
Change-Id: Iadccdccbf98e834add13b5f4ad87af57e2ea3c2a
This commit is contained in:
Arthur de Kerhor
2022-11-16 18:45:24 +01:00
committed by Neale Ranns
parent ab412cdc07
commit 0df06b6e95
5 changed files with 127 additions and 127 deletions
Download Patch File Download Diff File Expand all files Collapse all files
test/template_ipsec.py
+12 -12
View File
@@ -138,7 +138,7 @@ def config_tun_params(p, encryption_type, tun_if):
crypt_key = mk_scapy_crypt_key(p)
p.scapy_tun_sa = SecurityAssociation(
encryption_type,
spi=p.vpp_tun_spi,
spi=p.scapy_tun_spi,
crypt_algo=p.crypt_algo,
crypt_key=crypt_key,
auth_algo=p.auth_algo,
@@ -149,7 +149,7 @@ def config_tun_params(p, encryption_type, tun_if):
)
p.vpp_tun_sa = SecurityAssociation(
encryption_type,
spi=p.scapy_tun_spi,
spi=p.vpp_tun_spi,
crypt_algo=p.crypt_algo,
crypt_key=crypt_key,
auth_algo=p.auth_algo,
@@ -167,7 +167,7 @@ def config_tra_params(p, encryption_type):
crypt_key = mk_scapy_crypt_key(p)
p.scapy_tra_sa = SecurityAssociation(
encryption_type,
spi=p.vpp_tra_spi,
spi=p.scapy_tra_spi,
crypt_algo=p.crypt_algo,
crypt_key=crypt_key,
auth_algo=p.auth_algo,
@@ -177,7 +177,7 @@ def config_tra_params(p, encryption_type):
)
p.vpp_tra_sa = SecurityAssociation(
encryption_type,
spi=p.scapy_tra_spi,
spi=p.vpp_tra_spi,
crypt_algo=p.crypt_algo,
crypt_key=crypt_key,
auth_algo=p.auth_algo,
@@ -708,7 +708,7 @@ class IpsecTra4(object):
# a packet that does not decrypt does not move the window forward
bogus_sa = SecurityAssociation(
self.encryption_type,
p.vpp_tra_spi,
p.scapy_tra_spi,
crypt_algo=p.crypt_algo,
crypt_key=mk_scapy_crypt_key(p)[::-1],
auth_algo=p.auth_algo,
@@ -728,7 +728,7 @@ class IpsecTra4(object):
# a malformed 'runt' packet
# created by a mis-constructed SA
if ESP == self.encryption_type and p.crypt_algo != "NULL":
bogus_sa = SecurityAssociation(self.encryption_type, p.vpp_tra_spi)
bogus_sa = SecurityAssociation(self.encryption_type, p.scapy_tra_spi)
pkt = Ether(
src=self.tra_if.remote_mac, dst=self.tra_if.local_mac
) / bogus_sa.encrypt(
@@ -788,7 +788,7 @@ class IpsecTra4(object):
# causes the TX seq number to wrap; unless we're using extened sequence
# numbers.
#
self.vapi.cli("test ipsec sa %d seq 0xffffffff" % p.scapy_tra_sa_id)
self.vapi.cli("test ipsec sa %d seq 0xffffffff" % p.vpp_tra_sa_id)
self.logger.info(self.vapi.ppcli("show ipsec sa 0"))
self.logger.info(self.vapi.ppcli("show ipsec sa 1"))
@@ -924,7 +924,7 @@ class IpsecTra4(object):
]
self.send_and_expect(self.tra_if, pkts, self.tra_if)
self.assertEqual(p.tra_sa_out.get_lost(), 0)
self.assertEqual(p.tra_sa_in.get_lost(), 0)
# skip a sequence number
pkts = [
@@ -939,7 +939,7 @@ class IpsecTra4(object):
]
self.send_and_expect(self.tra_if, pkts, self.tra_if)
self.assertEqual(p.tra_sa_out.get_lost(), 0)
self.assertEqual(p.tra_sa_in.get_lost(), 0)
# the lost packet are counted untill we get up past the first
# sizeof(replay_window) packets
@@ -955,7 +955,7 @@ class IpsecTra4(object):
]
self.send_and_expect(self.tra_if, pkts, self.tra_if)
self.assertEqual(p.tra_sa_out.get_lost(), 1)
self.assertEqual(p.tra_sa_in.get_lost(), 1)
# lost of holes in the sequence
pkts = [
@@ -982,7 +982,7 @@ class IpsecTra4(object):
]
self.send_and_expect(self.tra_if, pkts, self.tra_if)
self.assertEqual(p.tra_sa_out.get_lost(), 51)
self.assertEqual(p.tra_sa_in.get_lost(), 51)
# a big hole in the seq number space
pkts = [
@@ -997,7 +997,7 @@ class IpsecTra4(object):
]
self.send_and_expect(self.tra_if, pkts, self.tra_if)
self.assertEqual(p.tra_sa_out.get_lost(), 151)
self.assertEqual(p.tra_sa_in.get_lost(), 151)
def verify_tra_basic4(self, count=1, payload_size=54):
"""ipsec v4 transport basic test"""
test/test_gso.py
+12 -12
View File
@@ -847,8 +847,8 @@ class TestGSO(VppTestCase):
self.tun_sa_in_v4 = VppIpsecSA(
self,
self.ipv4_params.vpp_tun_sa_id,
self.ipv4_params.vpp_tun_spi,
self.ipv4_params.scapy_tun_sa_id,
self.ipv4_params.scapy_tun_spi,
self.ipv4_params.auth_algo_vpp_id,
self.ipv4_params.auth_key,
self.ipv4_params.crypt_algo_vpp_id,
@@ -859,8 +859,8 @@ class TestGSO(VppTestCase):
self.tun_sa_out_v4 = VppIpsecSA(
self,
self.ipv4_params.scapy_tun_sa_id,
self.ipv4_params.scapy_tun_spi,
self.ipv4_params.vpp_tun_sa_id,
self.ipv4_params.vpp_tun_spi,
self.ipv4_params.auth_algo_vpp_id,
self.ipv4_params.auth_key,
self.ipv4_params.crypt_algo_vpp_id,
@@ -897,7 +897,7 @@ class TestGSO(VppTestCase):
self.assertEqual(rx[IP].src, self.pg0.local_ip4)
self.assertEqual(rx[IP].dst, self.pg0.remote_ip4)
self.assertEqual(rx[IP].proto, 50) # ESP
self.assertEqual(rx[ESP].spi, self.ipv4_params.scapy_tun_spi)
self.assertEqual(rx[ESP].spi, self.ipv4_params.vpp_tun_spi)
inner = self.ipv4_params.vpp_tun_sa.decrypt(rx[IP])
self.assertEqual(inner[IP].src, self.pg2.remote_ip4)
self.assertEqual(inner[IP].dst, "172.16.10.3")
@@ -935,7 +935,7 @@ class TestGSO(VppTestCase):
self.assertEqual(rx[IP].src, self.pg0.local_ip4)
self.assertEqual(rx[IP].dst, self.pg0.remote_ip4)
self.assertEqual(rx[IP].proto, 50) # ESP
self.assertEqual(rx[ESP].spi, self.ipv4_params.scapy_tun_spi)
self.assertEqual(rx[ESP].spi, self.ipv4_params.vpp_tun_spi)
inner = self.ipv4_params.vpp_tun_sa.decrypt(rx[IP])
self.assertEqual(inner[IPv6].src, self.pg2.remote_ip6)
self.assertEqual(inner[IPv6].dst, "fd01:10::3")
@@ -986,8 +986,8 @@ class TestGSO(VppTestCase):
config_tun_params(self.ipv6_params, self.encryption_type, self.ipip6)
self.tun_sa_in_v6 = VppIpsecSA(
self,
self.ipv6_params.vpp_tun_sa_id,
self.ipv6_params.vpp_tun_spi,
self.ipv6_params.scapy_tun_sa_id,
self.ipv6_params.scapy_tun_spi,
self.ipv6_params.auth_algo_vpp_id,
self.ipv6_params.auth_key,
self.ipv6_params.crypt_algo_vpp_id,
@@ -998,8 +998,8 @@ class TestGSO(VppTestCase):
self.tun_sa_out_v6 = VppIpsecSA(
self,
self.ipv6_params.scapy_tun_sa_id,
self.ipv6_params.scapy_tun_spi,
self.ipv6_params.vpp_tun_sa_id,
self.ipv6_params.vpp_tun_spi,
self.ipv6_params.auth_algo_vpp_id,
self.ipv6_params.auth_key,
self.ipv6_params.crypt_algo_vpp_id,
@@ -1032,7 +1032,7 @@ class TestGSO(VppTestCase):
self.assertEqual(rx[IPv6].src, self.pg0.local_ip6)
self.assertEqual(rx[IPv6].dst, self.pg0.remote_ip6)
self.assertEqual(ipv6nh[rx[IPv6].nh], "ESP Header")
self.assertEqual(rx[ESP].spi, self.ipv6_params.scapy_tun_spi)
self.assertEqual(rx[ESP].spi, self.ipv6_params.vpp_tun_spi)
inner = self.ipv6_params.vpp_tun_sa.decrypt(rx[IPv6])
self.assertEqual(inner[IP].src, self.pg2.remote_ip4)
self.assertEqual(inner[IP].dst, "172.16.10.3")
@@ -1071,7 +1071,7 @@ class TestGSO(VppTestCase):
self.assertEqual(rx[IPv6].src, self.pg0.local_ip6)
self.assertEqual(rx[IPv6].dst, self.pg0.remote_ip6)
self.assertEqual(ipv6nh[rx[IPv6].nh], "ESP Header")
self.assertEqual(rx[ESP].spi, self.ipv6_params.scapy_tun_spi)
self.assertEqual(rx[ESP].spi, self.ipv6_params.vpp_tun_spi)
inner = self.ipv6_params.vpp_tun_sa.decrypt(rx[IPv6])
self.assertEqual(inner[IPv6].src, self.pg2.remote_ip6)
self.assertEqual(inner[IPv6].dst, "fd01:10::3")
test/test_ipsec_ah.py
+8 -8
View File
@@ -154,8 +154,8 @@ class ConfigIpsecAH(TemplateIpsec):
crypt_algo_vpp_id,
crypt_key,
self.vpp_ah_protocol,
self.tun_if.local_addr[addr_type],
self.tun_if.remote_addr[addr_type],
self.tun_if.local_addr[addr_type],
tun_flags=tun_flags,
flags=flags,
dscp=params.dscp,
@@ -170,8 +170,8 @@ class ConfigIpsecAH(TemplateIpsec):
crypt_algo_vpp_id,
crypt_key,
self.vpp_ah_protocol,
self.tun_if.remote_addr[addr_type],
self.tun_if.local_addr[addr_type],
self.tun_if.remote_addr[addr_type],
tun_flags=tun_flags,
flags=flags,
dscp=params.dscp,
@@ -208,7 +208,7 @@ class ConfigIpsecAH(TemplateIpsec):
e1 = VppIpsecSpdEntry(
self,
self.tun_spd,
vpp_tun_sa_id,
scapy_tun_sa_id,
remote_tun_if_host,
remote_tun_if_host,
self.pg1.remote_addr[addr_type],
@@ -221,7 +221,7 @@ class ConfigIpsecAH(TemplateIpsec):
e2 = VppIpsecSpdEntry(
self,
self.tun_spd,
scapy_tun_sa_id,
vpp_tun_sa_id,
self.pg1.remote_addr[addr_type],
self.pg1.remote_addr[addr_type],
remote_tun_if_host,
@@ -233,7 +233,7 @@ class ConfigIpsecAH(TemplateIpsec):
e3 = VppIpsecSpdEntry(
self,
self.tun_spd,
vpp_tun_sa_id,
scapy_tun_sa_id,
remote_tun_if_host,
remote_tun_if_host,
self.pg0.local_addr[addr_type],
@@ -246,7 +246,7 @@ class ConfigIpsecAH(TemplateIpsec):
e4 = VppIpsecSpdEntry(
self,
self.tun_spd,
scapy_tun_sa_id,
vpp_tun_sa_id,
self.pg0.local_addr[addr_type],
self.pg0.local_addr[addr_type],
remote_tun_if_host,
@@ -336,7 +336,7 @@ class ConfigIpsecAH(TemplateIpsec):
VppIpsecSpdEntry(
self,
self.tra_spd,
vpp_tra_sa_id,
scapy_tra_sa_id,
self.tra_if.local_addr[addr_type],
self.tra_if.local_addr[addr_type],
self.tra_if.remote_addr[addr_type],
@@ -351,7 +351,7 @@ class ConfigIpsecAH(TemplateIpsec):
VppIpsecSpdEntry(
self,
self.tra_spd,
scapy_tra_sa_id,
vpp_tra_sa_id,
self.tra_if.local_addr[addr_type],
self.tra_if.local_addr[addr_type],
self.tra_if.remote_addr[addr_type],
test/test_ipsec_esp.py
+15 -15
View File
@@ -145,8 +145,8 @@ class ConfigIpsecESP(TemplateIpsec):
crypt_algo_vpp_id,
crypt_key,
self.vpp_esp_protocol,
self.tun_if.local_addr[addr_type],
self.tun_if.remote_addr[addr_type],
self.tun_if.local_addr[addr_type],
tun_flags=tun_flags,
dscp=params.dscp,
flags=flags,
@@ -162,8 +162,8 @@ class ConfigIpsecESP(TemplateIpsec):
crypt_algo_vpp_id,
crypt_key,
self.vpp_esp_protocol,
self.tun_if.remote_addr[addr_type],
self.tun_if.local_addr[addr_type],
self.tun_if.remote_addr[addr_type],
tun_flags=tun_flags,
dscp=params.dscp,
flags=flags,
@@ -201,7 +201,7 @@ class ConfigIpsecESP(TemplateIpsec):
VppIpsecSpdEntry(
self,
self.tun_spd,
vpp_tun_sa_id,
scapy_tun_sa_id,
remote_tun_if_host,
remote_tun_if_host,
self.pg1.remote_addr[addr_type],
@@ -216,7 +216,7 @@ class ConfigIpsecESP(TemplateIpsec):
VppIpsecSpdEntry(
self,
self.tun_spd,
scapy_tun_sa_id,
vpp_tun_sa_id,
self.pg1.remote_addr[addr_type],
self.pg1.remote_addr[addr_type],
remote_tun_if_host,
@@ -230,7 +230,7 @@ class ConfigIpsecESP(TemplateIpsec):
VppIpsecSpdEntry(
self,
self.tun_spd,
vpp_tun_sa_id,
scapy_tun_sa_id,
remote_tun_if_host,
remote_tun_if_host,
self.pg0.local_addr[addr_type],
@@ -245,7 +245,7 @@ class ConfigIpsecESP(TemplateIpsec):
VppIpsecSpdEntry(
self,
self.tun_spd,
scapy_tun_sa_id,
vpp_tun_sa_id,
self.pg0.local_addr[addr_type],
self.pg0.local_addr[addr_type],
remote_tun_if_host,
@@ -332,7 +332,7 @@ class ConfigIpsecESP(TemplateIpsec):
VppIpsecSpdEntry(
self,
self.tra_spd,
vpp_tra_sa_id,
scapy_tra_sa_id,
self.tra_if.local_addr[addr_type],
self.tra_if.local_addr[addr_type],
self.tra_if.remote_addr[addr_type],
@@ -347,7 +347,7 @@ class ConfigIpsecESP(TemplateIpsec):
VppIpsecSpdEntry(
self,
self.tra_spd,
scapy_tra_sa_id,
vpp_tra_sa_id,
self.tra_if.local_addr[addr_type],
self.tra_if.local_addr[addr_type],
self.tra_if.remote_addr[addr_type],
@@ -447,7 +447,7 @@ class TestIpsecEsp1(
VppIpsecSpdEntry(
self,
self.tun_spd,
p6.scapy_tun_sa_id,
p6.vpp_tun_sa_id,
self.pg1.remote_addr[p4.addr_type],
self.pg1.remote_addr[p4.addr_type],
p6.remote_tun_if_host4,
@@ -482,7 +482,7 @@ class TestIpsecEsp1(
VppIpsecSpdEntry(
self,
self.tun_spd,
p4.scapy_tun_sa_id,
p4.vpp_tun_sa_id,
self.pg1.remote_addr[p6.addr_type],
self.pg1.remote_addr[p6.addr_type],
p4.remote_tun_if_host6,
@@ -746,10 +746,10 @@ class TestIpsecEspAsync(TemplateIpsecEsp):
self.assertEqual(len(rxs), len(pkts))
for rx in rxs:
if rx[ESP].spi == p.scapy_tun_spi:
if rx[ESP].spi == p.vpp_tun_spi:
decrypted = p.vpp_tun_sa.decrypt(rx[IP])
elif rx[ESP].spi == self.p_sync.vpp_tun_spi:
decrypted = self.p_sync.scapy_tun_sa.decrypt(rx[IP])
decrypted = self.p_sync.vpp_tun_sa.decrypt(rx[IP])
else:
rx.show()
self.assertTrue(False)
@@ -807,12 +807,12 @@ class TestIpsecEspAsync(TemplateIpsecEsp):
self.assertEqual(len(rxs), len(pkts))
for rx in rxs:
if rx[ESP].spi == p.scapy_tun_spi:
if rx[ESP].spi == p.vpp_tun_spi:
decrypted = p.vpp_tun_sa.decrypt(rx[IP])
elif rx[ESP].spi == self.p_sync.vpp_tun_spi:
decrypted = self.p_sync.scapy_tun_sa.decrypt(rx[IP])
decrypted = self.p_sync.vpp_tun_sa.decrypt(rx[IP])
elif rx[ESP].spi == self.p_async.vpp_tun_spi:
decrypted = self.p_async.scapy_tun_sa.decrypt(rx[IP])
decrypted = self.p_async.vpp_tun_sa.decrypt(rx[IP])
else:
rx.show()
self.assertTrue(False)
test/test_ipsec_tun_if_esp.py
+80 -80
View File
File diff suppressed because it is too large Load Diff