ipsec: GCM, Anti-replay and ESN fixess

Type: fix Several Fixes: 1 - Anti-replay did not work with GCM becuase it overwrote the sequence number in the ESP header. To fix i added the seq num to the per-packet data so it is preserved 2 - The high sequence number was not byte swapped during ESP encrypt. 3 - openssl engine was the only one to return FAIL_DECRYPT for bad GCM the others return BAD_HMAC. removed the former 4 - improved tracing to show the low and high seq numbers 5 - documented the anti-replay window checks 6 - fixed scapy patch for ESN support for GCM 7 - tests for anti-reply (w/ and w/o ESN) for each crypto algo Change-Id: Id65d96b6d1d4dd821b2ab557e87468fff6d70e5b Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-07-17 15:07:14 +00:00
parent ae3eaacaf1
commit 6afaae156a
10 changed files with 347 additions and 127 deletions
--- a/test/test_ipsec_esp.py
+++ b/test/test_ipsec_esp.py
@ -486,6 +486,14 @@ class TestIpsecEspAll(ConfigIpsecESP,
                    #
                    self.unconfig_network()

+                    #
+                    # reconfigure the network and SA to run the
+                    # anti replay tests
+                    #
+                    self.config_network(self.params.values())
+                    self.verify_tra_anti_replay()
+                    self.unconfig_network()
+

 if __name__ == '__main__':
    unittest.main(testRunner=VppTestRunner)