ipsec: Fix NULL encryption algorithm

Type: fix Ticket: VPP-1756 the block-size was set to 0 resulting in incorrect placement of the ESP footer. add tests for NULL encrypt + integ. Change-Id: I8ab3afda8e68f9ff649540cba3f2cac68f12bbba Signed-off-by: Neale Ranns <nranns@cisco.com> (cherry picked from commit 2cdcd0cf4004b2c0d1d3b891e381aac5735c21f1)
2019-08-27 12:26:14 +00:00
parent 53616f5caf
commit 17b7a067a2
5 changed files with 26 additions and 2 deletions
--- a/src/vnet/ipsec/ipsec.c
+++ b/src/vnet/ipsec/ipsec.c
@ -320,6 +320,13 @@ ipsec_init (vlib_main_t * vm)

  vec_validate (im->crypto_algs, IPSEC_CRYPTO_N_ALG - 1);

+  a = im->crypto_algs + IPSEC_CRYPTO_ALG_NONE;
+  a->enc_op_id = VNET_CRYPTO_OP_NONE;
+  a->dec_op_id = VNET_CRYPTO_OP_NONE;
+  a->alg = VNET_CRYPTO_ALG_NONE;
+  a->iv_size = 0;
+  a->block_size = 1;
+
  a = im->crypto_algs + IPSEC_CRYPTO_ALG_DES_CBC;
  a->enc_op_id = VNET_CRYPTO_OP_DES_CBC_ENC;
  a->dec_op_id = VNET_CRYPTO_OP_DES_CBC_DEC;
--- a/src/vnet/ipsec/ipsec_if.c
+++ b/src/vnet/ipsec/ipsec_if.c
@ -238,7 +238,8 @@ ipsec_tunnel_feature_set (ipsec_main_t * im, ipsec_tunnel_if_t * t, u8 enable)
  ipsec_sa_t *sa;

  sa = ipsec_sa_get (t->output_sa_index);
-  if (sa->crypto_alg == IPSEC_CRYPTO_ALG_NONE)
+  if (sa->crypto_alg == IPSEC_CRYPTO_ALG_NONE &&
+      sa->integ_alg == IPSEC_INTEG_ALG_NONE)
    {
      esp4_feature_index = im->esp4_no_crypto_tun_feature_index;
      esp6_feature_index = im->esp6_no_crypto_tun_feature_index;
--- a/test/template_ipsec.py
+++ b/test/template_ipsec.py
@ -379,7 +379,7 @@ class IpsecTra4(object):

        # a malformed 'runt' packet
        #  created by a mis-constructed SA
-        if (ESP == self.encryption_type):
+        if (ESP == self.encryption_type and p.crypt_algo != "NULL"):
            bogus_sa = SecurityAssociation(self.encryption_type,
                                           p.vpp_tra_spi)
            pkt = (Ether(src=self.tra_if.remote_mac,
--- a/test/test_ipsec_esp.py
+++ b/test/test_ipsec_esp.py
@ -424,6 +424,14 @@ class TestIpsecEspAll(ConfigIpsecESP,
                  'scapy-crypto': "3DES",
                  'scapy-integ': "HMAC-SHA1-96",
                  'salt': 0,
+                  'key': "JPjyOWBeVEQiMe7h00112233"},
+                 {'vpp-crypto': (VppEnum.vl_api_ipsec_crypto_alg_t.
+                                 IPSEC_API_CRYPTO_ALG_NONE),
+                  'vpp-integ': (VppEnum.vl_api_ipsec_integ_alg_t.
+                                IPSEC_API_INTEG_ALG_SHA1_96),
+                  'scapy-crypto': "NULL",
+                  'scapy-integ': "HMAC-SHA1-96",
+                  'salt': 0,
                  'key': "JPjyOWBeVEQiMe7h00112233"}]

        # with and without ESN
--- a/test/test_ipsec_tun_if_esp.py
+++ b/test/test_ipsec_tun_if_esp.py
@ -411,6 +411,14 @@ class TestIpsec4TunIfEspAll(TemplateIpsec, IpsecTun4):
                  'scapy-crypto': "AES-CBC",
                  'scapy-integ': "HMAC-SHA1-96",
                  'salt': 0,
+                  'key': "JPjyOWBeVEQiMe7hJPjyOWBeVEQiMe7h"},
+                 {'vpp-crypto': (VppEnum.vl_api_ipsec_crypto_alg_t.
+                                 IPSEC_API_CRYPTO_ALG_NONE),
+                  'vpp-integ': (VppEnum.vl_api_ipsec_integ_alg_t.
+                                IPSEC_API_INTEG_ALG_SHA1_96),
+                  'scapy-crypto': "NULL",
+                  'scapy-integ': "HMAC-SHA1-96",
+                  'salt': 0,
                  'key': "JPjyOWBeVEQiMe7hJPjyOWBeVEQiMe7h"}]

        for engine in engines: