IPSEC: Pass the algorithm salt (used in GCM) over the API

Change-Id: Ia8cea13f7b937294e6a080a55fb2ceff30063acf Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-04-16 02:41:34 +00:00
parent d8cfbebce7
commit 80f6fd53fe
12 changed files with 80 additions and 42 deletions
--- a/test/template_ipsec.py
+++ b/test/template_ipsec.py
@ -1,5 +1,6 @@
 import unittest
 import socket
+import struct

 from scapy.layers.inet import IP, ICMP, TCP, UDP
 from scapy.layers.ipsec import SecurityAssociation
@ -42,7 +43,7 @@ class IPsecIPv4Params(object):
                                  IPSEC_API_CRYPTO_ALG_AES_CBC_128)
        self.crypt_algo = 'AES-CBC'  # scapy name
        self.crypt_key = 'JPjyOWBeVEQiMe7h'
-        self.crypt_salt = ''
+        self.salt = 0
        self.flags = 0
        self.nat_header = None

@ -78,7 +79,7 @@ class IPsecIPv6Params(object):
                                  IPSEC_API_CRYPTO_ALG_AES_CBC_128)
        self.crypt_algo = 'AES-CBC'  # scapy name
        self.crypt_key = 'JPjyOWBeVEQiMe7h'
-        self.crypt_salt = ''
+        self.salt = 0
        self.flags = 0
        self.nat_header = None

@ -87,9 +88,14 @@ def config_tun_params(p, encryption_type, tun_if):
    ip_class_by_addr_type = {socket.AF_INET: IP, socket.AF_INET6: IPv6}
    use_esn = bool(p.flags & (VppEnum.vl_api_ipsec_sad_flags_t.
                              IPSEC_API_SAD_FLAG_USE_ESN))
+    if p.crypt_algo == "AES-GCM":
+        crypt_key = p.crypt_key + struct.pack("!I", p.salt)
+    else:
+        crypt_key = p.crypt_key
    p.scapy_tun_sa = SecurityAssociation(
        encryption_type, spi=p.vpp_tun_spi,
-        crypt_algo=p.crypt_algo, crypt_key=p.crypt_key + p.crypt_salt,
+        crypt_algo=p.crypt_algo,
+        crypt_key=crypt_key,
        auth_algo=p.auth_algo, auth_key=p.auth_key,
        tunnel_header=ip_class_by_addr_type[p.addr_type](
            src=tun_if.remote_addr[p.addr_type],
@ -98,7 +104,8 @@ def config_tun_params(p, encryption_type, tun_if):
        use_esn=use_esn)
    p.vpp_tun_sa = SecurityAssociation(
        encryption_type, spi=p.scapy_tun_spi,
-        crypt_algo=p.crypt_algo, crypt_key=p.crypt_key + p.crypt_salt,
+        crypt_algo=p.crypt_algo,
+        crypt_key=crypt_key,
        auth_algo=p.auth_algo, auth_key=p.auth_key,
        tunnel_header=ip_class_by_addr_type[p.addr_type](
            dst=tun_if.remote_addr[p.addr_type],
@ -110,11 +117,15 @@ def config_tun_params(p, encryption_type, tun_if):
 def config_tra_params(p, encryption_type):
    use_esn = bool(p.flags & (VppEnum.vl_api_ipsec_sad_flags_t.
                              IPSEC_API_SAD_FLAG_USE_ESN))
+    if p.crypt_algo == "AES-GCM":
+        crypt_key = p.crypt_key + struct.pack("!I", p.salt)
+    else:
+        crypt_key = p.crypt_key
    p.scapy_tra_sa = SecurityAssociation(
        encryption_type,
        spi=p.vpp_tra_spi,
        crypt_algo=p.crypt_algo,
-        crypt_key=p.crypt_key + p.crypt_salt,
+        crypt_key=crypt_key,
        auth_algo=p.auth_algo,
        auth_key=p.auth_key,
        nat_t_header=p.nat_header,
@ -123,7 +134,7 @@ def config_tra_params(p, encryption_type):
        encryption_type,
        spi=p.scapy_tra_spi,
        crypt_algo=p.crypt_algo,
-        crypt_key=p.crypt_key + p.crypt_salt,
+        crypt_key=crypt_key,
        auth_algo=p.auth_algo,
        auth_key=p.auth_key,
        nat_t_header=p.nat_header,