ikev2: better packet parsing functions

Ticket: VPP-1918
Type: improvement

Change-Id: I2bc3e30121697404dcd54f1c2127bd85ccc1029e
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
Filip Tehlar
2020-07-16 07:25:56 +00:00
committed by Beno�t Ganne
parent 90690f1e8f
commit 558607dc3a
8 changed files with 621 additions and 275 deletions


File diff suppressed because it is too large Load Diff


@@ -45,13 +45,14 @@ typedef CLIB_PACKED (struct {
/* *INDENT-ON* */
/* *INDENT-OFF* */
typedef CLIB_PACKED (struct
{
u8 nextpayload;
u8 flags;
u16 length;
u16 dh_group;
u8 reserved[2]; u8 payload[0];}) ike_ke_payload_header_t;
typedef CLIB_PACKED (struct {
u8 nextpayload;
u8 flags;
u16 length;
u16 dh_group;
u8 reserved[2];
u8 payload[0];
}) ike_ke_payload_header_t;
/* *INDENT-ON* */
/* *INDENT-OFF* */


@@ -349,10 +349,11 @@ ikev2_init_gcm_nonce (u8 * nonce, u8 * salt, u8 * iv)
clib_memcpy (nonce + IKEV2_GCM_SALT_SIZE, iv, IKEV2_GCM_IV_SIZE);
}
u8 *
int
ikev2_decrypt_aead_data (ikev2_main_per_thread_data_t * ptd, ikev2_sa_t * sa,
ikev2_sa_transform_t * tr_encr, u8 * data,
int data_len, u8 * aad, u32 aad_len, u8 * tag)
int data_len, u8 * aad, u32 aad_len, u8 * tag,
u32 * out_len)
{
EVP_CIPHER_CTX *ctx = ptd->evp_ctx;
int len = 0;
@@ -369,34 +370,33 @@ ikev2_decrypt_aead_data (ikev2_main_per_thread_data_t * ptd, ikev2_sa_t * sa,
data += IKEV2_GCM_IV_SIZE;
data_len -= IKEV2_GCM_IV_SIZE;
v8 *r = vec_new (u8, data_len);
EVP_DecryptInit_ex (ctx, tr_encr->cipher, 0, 0, 0);
EVP_CIPHER_CTX_ctrl (ctx, EVP_CTRL_GCM_SET_IVLEN, 12, 0);
EVP_DecryptInit_ex (ctx, 0, 0, key, nonce);
EVP_DecryptUpdate (ctx, 0, &len, aad, aad_len);
EVP_DecryptUpdate (ctx, r, &len, data, data_len);
EVP_DecryptUpdate (ctx, data, &len, data, data_len);
EVP_CIPHER_CTX_ctrl (ctx, EVP_CTRL_GCM_SET_TAG, IKEV2_GCM_ICV_SIZE, tag);
if (EVP_DecryptFinal_ex (ctx, r + len, &len) > 0)
if (EVP_DecryptFinal_ex (ctx, data + len, &len) > 0)
{
/* remove padding */
_vec_len (r) -= r[vec_len (r) - 1] + 1;
return r;
*out_len = data_len - data[data_len - 1] - 1;
return 1;
}
vec_free (r);
return 0;
}
v8 *
int
ikev2_decrypt_data (ikev2_main_per_thread_data_t * ptd, ikev2_sa_t * sa,
ikev2_sa_transform_t * tr_encr, u8 * data, int len)
ikev2_sa_transform_t * tr_encr, u8 * data, int len,
u32 * out_len)
{
EVP_CIPHER_CTX *ctx = ptd->evp_ctx;
int out_len = 0, block_size;
int tmp_len = 0, block_size;
u8 *key = sa->is_initiator ? sa->sk_er : sa->sk_ei;
block_size = tr_encr->block_size;
u8 *iv = data;
/* check if data is multiplier of cipher block size */
if (len % block_size)
@@ -404,15 +404,20 @@ ikev2_decrypt_data (ikev2_main_per_thread_data_t * ptd, ikev2_sa_t * sa,
ikev2_elog_error ("wrong data length");
return 0;
}
data += block_size;
len -= block_size;
v8 *r = vec_new (u8, len - block_size);
EVP_DecryptInit_ex (ctx, tr_encr->cipher, NULL, key, data);
EVP_DecryptUpdate (ctx, r, &out_len, data + block_size, len - block_size);
EVP_DecryptFinal_ex (ctx, r + out_len, &out_len);
/* remove padding */
_vec_len (r) -= r[vec_len (r) - 1] + 1;
EVP_DecryptInit_ex (ctx, tr_encr->cipher, NULL, key, iv);
EVP_CIPHER_CTX_set_padding (ctx, 0);
EVP_DecryptUpdate (ctx, data, &tmp_len, data, len);
return r;
if (EVP_DecryptFinal_ex (ctx, data + tmp_len, &tmp_len) > 0)
{
*out_len = len - data[len - 1] - 1;
return 1;
}
return 0;
}
int
@@ -424,6 +429,8 @@ ikev2_encrypt_aead_data (ikev2_main_per_thread_data_t * ptd, ikev2_sa_t * sa,
int out_len = 0, len = 0;
u8 nonce[IKEV2_GCM_NONCE_SIZE];
u8 *key = sa->is_initiator ? sa->sk_ei : sa->sk_er;
if (!key)
return 0;
/* generate IV; its length must be 8 octets for aes-gcm (rfc5282) */
RAND_bytes (dst, IKEV2_GCM_IV_SIZE);
@@ -452,6 +459,8 @@ ikev2_encrypt_data (ikev2_main_per_thread_data_t * ptd, ikev2_sa_t * sa,
int out_len = 0, len = 0;
int bs = tr_encr->block_size;
u8 *key = sa->is_initiator ? sa->sk_ei : sa->sk_er;
if (!key)
return 0;
/* generate IV */
u8 *iv = dst;
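Review bot: The pad-length octet is used without a bound in both decrypt functions, at `*out_len = data_len - data[data_len - 1] - 1;` in ikev2_decrypt_aead_data and `*out_len = len - data[len - 1] - 1;` in ikev2_decrypt_data. If that octet plus one exceeds the remaining length, or the length is zero once the IV is stripped, the int result is negative and lands in the u32 `*out_len` as a very large value, and `data[len - 1]` indexes before the ciphertext. A guard before the assignment, such as `if (len < 1 || data[len - 1] + 1 > len) return 0;` (and the same with `data_len`), rejects both cases. In the CBC path padding is disabled and the `EVP_DecryptInit_ex`/`EVP_DecryptUpdate` results are not checked, so this is the only validation of the decrypted length there. Both bodies start outside the hunks, so an earlier minimum-length check may exist that is not visible here.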


@@ -327,22 +327,27 @@ ikev2_payload_chain_add_padding (ikev2_payload_chain_t * c, int bs)
}
ikev2_sa_proposal_t *
ikev2_parse_sa_payload (ike_payload_header_t * ikep)
ikev2_parse_sa_payload (ike_payload_header_t * ikep, u32 rlen)
{
ikev2_sa_proposal_t *v = 0;
ikev2_sa_proposal_t *proposal;
ikev2_sa_transform_t *transform;
u32 plen = clib_net_to_host_u16 (ikep->length);
ike_sa_proposal_data_t *sap;
int proposal_ptr = 0;
if (sizeof (*ikep) > rlen)
return 0;
rlen -= sizeof (*ikep);
do
{
if (proposal_ptr + sizeof (*sap) > rlen)
goto data_corrupted;
sap = (ike_sa_proposal_data_t *) & ikep->payload[proposal_ptr];
int i;
int transform_ptr;
int i, transform_ptr;
/* IKE proposal should not have SPI */
if (sap->protocol_id == IKEV2_PROTOCOL_IKE && sap->spi_size != 0)
@@ -353,6 +358,8 @@ ikev2_parse_sa_payload (ike_payload_header_t * ikep)
goto data_corrupted;
transform_ptr = proposal_ptr + sizeof (*sap) + sap->spi_size;
if (transform_ptr > rlen)
goto data_corrupted;
vec_add2 (v, proposal, 1);
proposal->proposal_num = sap->proposal_num;
@@ -366,7 +373,9 @@ ikev2_parse_sa_payload (ike_payload_header_t * ikep)
for (i = 0; i < sap->num_transforms; i++)
{
ike_sa_transform_data_t *tr =
(ike_sa_transform_data_t *) & ikep->payload[transform_ptr];
(ike_sa_transform_data_t *) & ikep->payload[transform_ptr];
if (transform_ptr + sizeof (*tr) > rlen)
goto data_corrupted;
u16 tlen = clib_net_to_host_u16 (tr->transform_len);
if (tlen < sizeof (*tr))
@@ -376,9 +385,11 @@ ikev2_parse_sa_payload (ike_payload_header_t * ikep)
transform->type = tr->transform_type;
transform->transform_id = clib_net_to_host_u16 (tr->transform_id);
if (transform_ptr + tlen > rlen)
goto data_corrupted;
if (tlen > sizeof (*tr))
vec_add (transform->attrs, tr->attributes, tlen - sizeof (*tr));
transform_ptr += tlen;
transform_ptr += tlen;
}
proposal_ptr += clib_net_to_host_u16 (sap->proposal_len);
@@ -398,12 +409,18 @@ data_corrupted:
}
ikev2_ts_t *
ikev2_parse_ts_payload (ike_payload_header_t * ikep)
ikev2_parse_ts_payload (ike_payload_header_t * ikep, u32 rlen)
{
ike_ts_payload_header_t *tsp = (ike_ts_payload_header_t *) ikep;
ikev2_ts_t *r = 0, *ts;
u8 i;
if (sizeof (*tsp) > rlen)
return 0;
if (sizeof (*tsp) + tsp->num_ts * sizeof (ikev2_ts_payload_entry_t) > rlen)
return 0;
for (i = 0; i < tsp->num_ts; i++)
{
if (tsp->ts[i].ts_type != 7) /* TS_IPV4_ADDR_RANGE */
@@ -425,19 +442,25 @@ ikev2_parse_ts_payload (ike_payload_header_t * ikep)
}
ikev2_notify_t *
ikev2_parse_notify_payload (ike_payload_header_t * ikep)
ikev2_parse_notify_payload (ike_payload_header_t * ikep, u32 rlen)
{
ike_notify_payload_header_t *n = (ike_notify_payload_header_t *) ikep;
u32 plen = clib_net_to_host_u16 (ikep->length);
u32 plen = clib_net_to_host_u16 (n->length);
ikev2_notify_t *r = 0;
u32 spi;
if (sizeof (*n) > rlen)
return 0;
r = vec_new (ikev2_notify_t, 1);
r->msg_type = clib_net_to_host_u16 (n->msg_type);
r->protocol_id = n->protocol_id;
if (n->spi_size == 4)
{
if (sizeof (spi) + sizeof (*n) > rlen)
goto cleanup;
clib_memcpy (&spi, n->payload, n->spi_size);
r->spi = clib_net_to_host_u32 (spi);
}
@@ -448,15 +471,22 @@ ikev2_parse_notify_payload (ike_payload_header_t * ikep)
else
{
clib_warning ("invalid SPI Size %d", n->spi_size);
goto cleanup;
}
if (plen > (sizeof (*n) + n->spi_size))
{
vec_add (r->data, n->payload + n->spi_size,
plen - sizeof (*n) - n->spi_size);
}
if (plen <= sizeof (*n) + n->spi_size)
goto cleanup;
u32 data_len = plen - sizeof (*n) - n->spi_size;
vec_add (r->data, n->payload + n->spi_size, data_len);
}
return r;
cleanup:
vec_free (r);
return 0;
}
void
@@ -467,13 +497,16 @@ ikev2_parse_vendor_payload (ike_payload_header_t * ikep)
}
ikev2_delete_t *
ikev2_parse_delete_payload (ike_payload_header_t * ikep)
ikev2_parse_delete_payload (ike_payload_header_t * ikep, u32 rlen)
{
ike_delete_payload_header_t *d = (ike_delete_payload_header_t *) ikep;
ike_delete_payload_header_t * d = (ike_delete_payload_header_t *) ikep;
ikev2_delete_t *r = 0, *del;
u16 num_of_spi = clib_net_to_host_u16 (d->num_of_spi);
u16 i = 0;
u16 i, num_of_spi;
if (rlen < sizeof (*d))
return 0;
num_of_spi = clib_net_to_host_u16 (d->num_of_spi);
if (d->protocol_id == IKEV2_PROTOCOL_IKE)
{
r = vec_new (ikev2_delete_t, 1);
@@ -481,11 +514,14 @@ ikev2_parse_delete_payload (ike_payload_header_t * ikep)
}
else
{
r = vec_new (ikev2_delete_t, num_of_spi);
vec_foreach (del, r)
if (sizeof (*d) + num_of_spi * sizeof (u32) > rlen)
return 0;
for (i = 0; i < num_of_spi; i++)
{
del->protocol_id = d->protocol_id;
del->spi = clib_net_to_host_u32 (d->spi[i++]);
vec_add2 (r, del, 1);
del->protocol_id = d->protocol_id;
del->spi = clib_net_to_host_u32 (d->spi[i]);
}
}
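Review bot: In ikev2_parse_notify_payload the copy length still comes from the wire and is not tied to `rlen`: `plen` is read from `n->length`, and `data_len = plen - sizeof (*n) - n->spi_size` is passed to `vec_add`, but no visible line compares `plen` with `rlen`. The new checks bound only the fixed header and the 4-byte SPI, so a length field larger than the bytes actually received would make the copy read past the buffer unless the caller already enforces `plen <= rlen` (the callers are not shown on this page). Adding `if (plen > rlen) goto cleanup;` right after `r` is allocated closes the gap locally. As rendered, `if (plen <= sizeof (*n) + n->spi_size) goto cleanup;` appears to sit inside the block guarded by the opposite condition, which would make it unreachable; worth confirming against the real file.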


@@ -522,18 +522,19 @@ u8 *ikev2_calc_prfplus (ikev2_sa_transform_t * tr, u8 * key, u8 * seed,
int len);
v8 *ikev2_calc_integr (ikev2_sa_transform_t * tr, v8 * key, u8 * data,
int len);
v8 *ikev2_decrypt_data (ikev2_main_per_thread_data_t * ptd, ikev2_sa_t * sa,
ikev2_sa_transform_t * tr_encr, u8 * data, int len);
int ikev2_decrypt_data (ikev2_main_per_thread_data_t * ptd, ikev2_sa_t * sa,
ikev2_sa_transform_t * tr_encr, u8 * data, int len,
u32 * out_len);
int ikev2_encrypt_data (ikev2_main_per_thread_data_t * ptd, ikev2_sa_t * sa,
ikev2_sa_transform_t * tr_encr, v8 * src, u8 * dst);
int ikev2_encrypt_aead_data (ikev2_main_per_thread_data_t * ptd,
ikev2_sa_t * sa, ikev2_sa_transform_t * tr_encr,
v8 * src, u8 * dst, u8 * aad,
u32 aad_len, u8 * tag);
u8 *ikev2_decrypt_aead_data (ikev2_main_per_thread_data_t * ptd,
int ikev2_decrypt_aead_data (ikev2_main_per_thread_data_t * ptd,
ikev2_sa_t * sa, ikev2_sa_transform_t * tr_encr,
u8 * data, int data_len, u8 * aad, u32 aad_len,
u8 * tag);
u8 * tag, u32 * out_len);
void ikev2_generate_dh (ikev2_sa_t * sa, ikev2_sa_transform_t * t);
void ikev2_complete_dh (ikev2_sa_t * sa, ikev2_sa_transform_t * t);
int ikev2_verify_sign (EVP_PKEY * pkey, u8 * sigbuf, u8 * data);
@@ -573,10 +574,13 @@ void ikev2_payload_add_ts (ikev2_payload_chain_t * c, ikev2_ts_t * ts,
void ikev2_payload_add_delete (ikev2_payload_chain_t * c, ikev2_delete_t * d);
void ikev2_payload_chain_add_padding (ikev2_payload_chain_t * c, int bs);
void ikev2_parse_vendor_payload (ike_payload_header_t * ikep);
ikev2_sa_proposal_t *ikev2_parse_sa_payload (ike_payload_header_t * ikep);
ikev2_ts_t *ikev2_parse_ts_payload (ike_payload_header_t * ikep);
ikev2_delete_t *ikev2_parse_delete_payload (ike_payload_header_t * ikep);
ikev2_notify_t *ikev2_parse_notify_payload (ike_payload_header_t * ikep);
ikev2_sa_proposal_t *ikev2_parse_sa_payload (ike_payload_header_t * ikep,
u32 rlen);
ikev2_ts_t *ikev2_parse_ts_payload (ike_payload_header_t * ikep, u32 rlen);
ikev2_delete_t *ikev2_parse_delete_payload (ike_payload_header_t * ikep,
u32 rlen);
ikev2_notify_t *ikev2_parse_notify_payload (ike_payload_header_t * ikep,
u32 rlen);
int ikev2_set_log_level (ikev2_log_level_t log_level);
static_always_inline ikev2_main_per_thread_data_t *
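Review bot: The prototypes of ikev2_decrypt_data and ikev2_decrypt_aead_data have no comment describing their new contract, which differs enough from the old one to be misused. They now return an int status instead of an allocated vector, overwrite the caller's buffer with the plaintext, and report its length through `out_len`; the implementations also advance their local `data` pointer past the IV, so the plaintext starts after the IV in the caller's buffer. A comment above each would help, for example `/* Decrypts in place; plaintext follows the IV in data. Returns 1 and sets *out_len to the length without padding, 0 on failure. */`.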


@@ -114,7 +114,7 @@ class CryptoAlgo(object):
def pad(self, data):
pad_len = (len(data) // self.bs + 1) * self.bs - len(data)
data = data + b'\x00' * (pad_len - 1)
return data + bytes([pad_len])
return data + bytes([pad_len - 1])
class AuthAlgo(object):
@@ -167,6 +167,7 @@ class IKEv2SA(object):
else:
self.sport = 500
self.dport = 500
self.msg_id = 0
self.dh_params = None
self.test = test
self.priv_key = priv_key
@@ -190,6 +191,10 @@ class IKEv2SA(object):
self.r_nonce = None
self.child_sas = [IKEv2ChildSA(local_ts, remote_ts)]
def new_msg_id(self):
self.msg_id += 1
return self.msg_id
def dh_pub_key(self):
return self.i_dh_data
@@ -502,10 +507,35 @@ class TemplateResponder(VppTestCase):
def tearDown(self):
super(TemplateResponder, self).tearDown()
if self.sa.is_initiator:
self.initiate_del_sa()
r = self.vapi.ikev2_sa_dump()
self.assertEqual(len(r), 0)
self.p.remove_vpp_config()
self.assertIsNone(self.p.query_vpp_config())
def create_ike_msg(self, src_if, msg, sport=500, dport=500, natt=False):
def verify_del_sa(self, packet):
ih = self.get_ike_header(packet)
self.assertEqual(ih.id, self.sa.msg_id)
self.assertEqual(ih.exch_type, 37) # exchange informational
def initiate_del_sa(self):
header = ikev2.IKEv2(init_SPI=self.sa.ispi, resp_SPI=self.sa.rspi,
flags='Initiator', exch_type='INFORMATIONAL',
id=self.sa.new_msg_id())
del_sa = ikev2.IKEv2_payload_Delete(proto='IKEv2')
ike_msg = self.encrypt_ike_msg(header, del_sa, 'Delete')
packet = self.create_packet(self.pg0, ike_msg,
self.sa.sport, self.sa.dport,
self.sa.natt)
self.pg0.add_stream(packet)
self.pg0.enable_capture()
self.pg_start()
capture = self.pg0.get_capture(1)
self.verify_del_sa(capture[0])
def create_packet(self, src_if, msg, sport=500, dport=500, natt=False):
res = (Ether(dst=src_if.local_mac, src=src_if.remote_mac) /
IP(src=src_if.remote_ip4, dst=src_if.local_ip4) /
UDP(sport=sport, dport=dport))
@@ -552,15 +582,49 @@ class TemplateResponder(VppTestCase):
load=src_nat)
self.sa.init_req_packet = self.sa.init_req_packet / nat_detection
ike_msg = self.create_ike_msg(self.pg0, self.sa.init_req_packet,
self.sa.sport, self.sa.dport,
self.sa.natt)
ike_msg = self.create_packet(self.pg0, self.sa.init_req_packet,
self.sa.sport, self.sa.dport,
self.sa.natt)
self.pg0.add_stream(ike_msg)
self.pg0.enable_capture()
self.pg_start()
capture = self.pg0.get_capture(1)
self.verify_sa_init(capture[0])
def encrypt_ike_msg(self, header, plain, first_payload):
if self.sa.ike_crypto == 'AES-GCM-16ICV':
data = self.sa.ike_crypto_alg.pad(raw(plain))
plen = len(data) + GCM_IV_SIZE + GCM_ICV_SIZE +\
len(ikev2.IKEv2_payload_Encrypted())
tlen = plen + len(ikev2.IKEv2())
# prepare aad data
sk_p = ikev2.IKEv2_payload_Encrypted(next_payload=first_payload,
length=plen)
header.length = tlen
res = header / sk_p
encr = self.sa.encrypt(raw(plain), raw(res))
sk_p = ikev2.IKEv2_payload_Encrypted(next_payload=first_payload,
length=plen, load=encr)
res = header / sk_p
else:
encr = self.sa.encrypt(raw(plain))
trunc_len = self.sa.ike_integ_alg.trunc_len
plen = len(encr) + len(ikev2.IKEv2_payload_Encrypted()) + trunc_len
tlen = plen + len(ikev2.IKEv2())
sk_p = ikev2.IKEv2_payload_Encrypted(next_payload=first_payload,
length=plen, load=encr)
header.length = tlen
res = header / sk_p
integ_data = raw(res)
hmac_data = self.sa.compute_hmac(self.sa.ike_integ_alg.mod(),
self.sa.my_authkey, integ_data)
res = res / Raw(hmac_data[:trunc_len])
assert(len(res) == tlen)
return res
def send_sa_auth(self):
tr_attr = self.sa.esp_crypto_attr()
trans = (ikev2.IKEv2_payload_Transform(transform_type='Encryption',
@@ -595,48 +659,14 @@ class TemplateResponder(VppTestCase):
traffic_selector=tsr) /
ikev2.IKEv2_payload_Notify(type='INITIAL_CONTACT'))
if self.sa.ike_crypto == 'AES-GCM-16ICV':
data = self.sa.ike_crypto_alg.pad(raw(plain))
plen = len(data) + GCM_IV_SIZE + GCM_ICV_SIZE +\
len(ikev2.IKEv2_payload_Encrypted())
tlen = plen + len(ikev2.IKEv2())
header = ikev2.IKEv2(
init_SPI=self.sa.ispi,
resp_SPI=self.sa.rspi, id=self.sa.new_msg_id(),
flags='Initiator', exch_type='IKE_AUTH')
# prepare aad data
sk_p = ikev2.IKEv2_payload_Encrypted(next_payload='IDi',
length=plen)
sa_auth = (ikev2.IKEv2(init_SPI=self.sa.ispi,
resp_SPI=self.sa.rspi, id=1,
length=tlen, flags='Initiator', exch_type='IKE_AUTH'))
sa_auth /= sk_p
encr = self.sa.encrypt(raw(plain), raw(sa_auth))
sk_p = ikev2.IKEv2_payload_Encrypted(next_payload='IDi',
length=plen, load=encr)
sa_auth = (ikev2.IKEv2(init_SPI=self.sa.ispi,
resp_SPI=self.sa.rspi, id=1,
length=tlen, flags='Initiator', exch_type='IKE_AUTH'))
sa_auth /= sk_p
else:
encr = self.sa.encrypt(raw(plain))
trunc_len = self.sa.ike_integ_alg.trunc_len
plen = len(encr) + len(ikev2.IKEv2_payload_Encrypted()) + trunc_len
tlen = plen + len(ikev2.IKEv2())
sk_p = ikev2.IKEv2_payload_Encrypted(next_payload='IDi',
length=plen, load=encr)
sa_auth = (ikev2.IKEv2(init_SPI=self.sa.ispi,
resp_SPI=self.sa.rspi, id=1,
length=tlen, flags='Initiator', exch_type='IKE_AUTH'))
sa_auth /= sk_p
integ_data = raw(sa_auth)
hmac_data = self.sa.compute_hmac(self.sa.ike_integ_alg.mod(),
self.sa.my_authkey, integ_data)
sa_auth = sa_auth / Raw(hmac_data[:trunc_len])
assert(len(sa_auth) == tlen)
packet = self.create_ike_msg(self.pg0, sa_auth, self.sa.sport,
self.sa.dport, self.sa.natt)
ike_msg = self.encrypt_ike_msg(header, plain, 'IDi')
packet = self.create_packet(self.pg0, ike_msg, self.sa.sport,
self.sa.dport, self.sa.natt)
self.pg0.add_stream(packet)
self.pg0.enable_capture()
self.pg_start()
@@ -656,6 +686,7 @@ class TemplateResponder(VppTestCase):
def verify_sa_init(self, packet):
ih = self.get_ike_header(packet)
self.assertEqual(ih.id, self.sa.msg_id)
self.assertEqual(ih.exch_type, 34)
self.assertTrue('Response' in ih.flags)
self.assertEqual(ih.init_SPI, self.sa.ispi)
@@ -691,6 +722,7 @@ class TemplateResponder(VppTestCase):
ike = self.get_ike_header(packet)
udp = packet[UDP]
self.verify_udp(udp)
self.assertEqual(ike.id, self.sa.msg_id)
plain = self.sa.hmac_and_decrypt(ike)
self.sa.calc_child_keys()
@@ -1123,5 +1155,43 @@ class Test_IKE_AES_GCM_16_256(TemplateResponder, Ikev2Params):
'ike-dh': '2048MODPgr'})
class TestMalformedMessages(TemplateResponder, Ikev2Params):
""" malformed packet test """
def tearDown(self):
pass
def config_tc(self):
self.config_params()
def assert_counter(self, count, name):
node_name = '/err/ikev2/' + name
self.assertEqual(count, self.statistics.get_err_counter(node_name))
def create_ike_init_msg(self, length=None, payload=None):
msg = ikev2.IKEv2(length=length, init_SPI='\x11' * 8,
flags='Initiator', exch_type='IKE_SA_INIT')
if payload is not None:
msg /= payload
return self.create_packet(self.pg0, msg, self.sa.sport,
self.sa.dport)
def verify_bad_packet_length(self):
ike_msg = self.create_ike_init_msg(length=0xdead)
self.send_and_assert_no_replies(self.pg0, ike_msg * self.pkt_count)
self.assert_counter(self.pkt_count, 'Bad packet length')
def verify_bad_sa_payload_length(self):
p = ikev2.IKEv2_payload_SA(length=0xdead)
ike_msg = self.create_ike_init_msg(payload=p)
self.send_and_assert_no_replies(self.pg0, ike_msg * self.pkt_count)
self.assert_counter(self.pkt_count, 'Malformed packet')
def test_responder(self):
self.pkt_count = 254
self.verify_bad_packet_length()
self.verify_bad_sa_payload_length()
if __name__ == '__main__':
unittest.main(testRunner=VppTestRunner)
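Review bot: `TestMalformedMessages.tearDown` is overridden with `pass`, so neither the base-class teardown nor the `self.p.remove_vpp_config()` step in `TemplateResponder.tearDown` runs for this case. If setUp (outside the hunks) installs the profile, it stays configured for whatever test runs next. If the aim is only to skip the delete-SA exchange, calling `super(TemplateResponder, self).tearDown()` and then `self.p.remove_vpp_config()` keeps the cleanup. The negative coverage is also limited to the IKE header length and the SA payload length; the notify, delete and traffic-selector parsers and the pad-length handling touched by this commit have no malformed-input test here.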


@@ -115,19 +115,19 @@ class Profile(VppObject):
**self.remote_id)
if hasattr(self, 'local_ts'):
self.vapi.ikev2_profile_set_ts(name=self.profile_name,
ts={**self.local_ts})
ts=self.local_ts)
if hasattr(self, 'remote_ts'):
self.vapi.ikev2_profile_set_ts(name=self.profile_name,
ts={**self.remote_ts})
ts=self.remote_ts)
if hasattr(self, 'responder'):
self.vapi.ikev2_set_responder(name=self.profile_name,
responder={**self.responder})
responder=self.responder)
if hasattr(self, 'ike_transforms'):
self.vapi.ikev2_set_ike_transforms(name=self.profile_name,
tr={**self.ike_transforms})
tr=self.ike_transforms)
if hasattr(self, 'esp_transforms'):
self.vapi.ikev2_set_esp_transforms(name=self.profile_name,


@@ -0,0 +1,24 @@
diff --git a/scapy/contrib/ikev2.py b/scapy/contrib/ikev2.py
index 60b20480..a071ffc7 100644
--- a/scapy/contrib/ikev2.py
+++ b/scapy/contrib/ikev2.py
@@ -608,13 +608,16 @@ class IKEv2_payload_TSr(IKEv2_class):
class IKEv2_payload_Delete(IKEv2_class):
- name = "IKEv2 Vendor ID"
+ name = "IKEv2 delete payload"
overload_fields = {IKEv2: {"next_payload": 42}}
fields_desc = [
ByteEnumField("next_payload", None, IKEv2_payload_type),
ByteField("res", 0),
- FieldLenField("length", None, "vendorID", "H", adjust=lambda pkt, x:x + 4), # noqa: E501
- StrLenField("vendorID", "", length_from=lambda x:x.length - 4),
+ FieldLenField("length", None, "SPIs", "H", adjust=lambda pkt, x:x + 8), # noqa: E501
+ ByteEnumField("proto", 1, {1: "IKEv2", 2: "AH", 3: "ESP"}),
+ ByteField("SPIsize", 0),
+ ShortField("SPInum", 0),
+ StrLenField("SPIs", "", length_from=lambda x: x.length - 8),
]