ipsec: fix ipsec_sa_v5_details 98/42298/3
authorMaxime Peim <[email protected]>
Fri, 31 Jan 2025 17:52:20 +0000 (18:52 +0100)
committerDamjan Marion <[email protected]>
Mon, 3 Feb 2025 15:26:12 +0000 (15:26 +0000)
Re-add the anti-replay window size in the SA dump API and add tests.

Type: fix

Change-Id: Iacecdf5df796a0a6353491f8160c878751c6039b
Signed-off-by: Maxime Peim <[email protected]>
Signed-off-by: Benoît Ganne <[email protected]>
src/vnet/ipsec/ipsec_api.c
test/test_ipsec_api.py

index 2dd9b9f..262a8cb 100644 (file)
@@ -1357,8 +1357,12 @@ send_ipsec_sa_v5_details (ipsec_sa_t *sa, void *arg)
   mp->last_seq_inbound = clib_host_to_net_u64 (ipsec_sa_get_inb_seq (sa));
 
   if (ipsec_sa_is_set_USE_ANTI_REPLAY (sa) && irt)
-    mp->replay_window =
-      clib_host_to_net_u64 (ipsec_sa_anti_replay_get_64b_window (irt));
+    {
+      mp->replay_window =
+       clib_host_to_net_u64 (ipsec_sa_anti_replay_get_64b_window (irt));
+      mp->entry.anti_replay_window_size =
+       clib_host_to_net_u32 (IPSEC_SA_ANTI_REPLAY_WINDOW_SIZE (irt));
+    }
 
   if (ort)
     thread_index = ort->thread_index;
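Review bot: `mp->entry.anti_replay_window_size` is assigned only inside the `ipsec_sa_is_set_USE_ANTI_REPLAY (sa) && irt` branch, so an SA with anti-replay off or without an inbound runtime reports whatever the message buffer already held. Whether that is zero depends on how `mp` is initialised, which happens outside this hunk. If the buffer is not cleared, an explicit `else mp->entry.anti_replay_window_size = 0;` would keep stale bytes out of the reply. If it is cleared, a comment such as `/* replay_window and anti_replay_window_size stay 0 when anti-replay is off or the SA has no inbound runtime */` would document the contract for API consumers. send_ipsec_sa_v5_details starts and ends outside the hunk.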
index 7208d28..158cb6b 100644 (file)
@@ -4,6 +4,7 @@ from framework import VppTestCase
 from asfframework import VppTestRunner
 from template_ipsec import IPsecIPv4Params
 from vpp_papi import VppEnum
+from ipaddress import IPv4Address
 
 from vpp_ipsec import VppIpsecSA
 
@@ -120,20 +121,15 @@ class IpsecApiTestCase(VppTestCase):
         )
         self.vapi.ipsec_select_backend(protocol=self.vpp_ah_protocol, index=0)
 
-    def __check_sa_binding(self, sa_id, thread_index):
-        found_sa = False
+    def __sa_dump(self, sa):
         sa_dumps = self.vapi.ipsec_sa_v5_dump()
         for dump in sa_dumps:
-            if dump.entry.sad_id == sa_id:
-                self.assertEqual(dump.thread_index, thread_index)
-                found_sa = True
-                break
+            if dump.entry.sad_id == sa.id:
+                return dump
+        self.fail("SA not found in VPP")
 
-        if not found_sa:
-            self.fail("SA not found in VPP")
-
-    def test_sa_worker_bind(self):
-        """Bind an SA to a worker"""
+    def test_sa_basic(self):
+        """basic SA API tests"""
         sa = VppIpsecSA(
             self,
             self.ipv4_params.scapy_tun_sa_id,
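Review bot: `__sa_dump` has no docstring, so its contract is only visible by reading the loop: it returns the matching dump entry or fails the test. I would add `"""Return the ipsec_sa_v5_dump entry whose sad_id matches sa.id; fail the test if none does."""`. The new docstring `"""basic SA API tests"""` also no longer mentions that the test exercises `ipsec_sad_bind`, which the removed name `test_sa_worker_bind` made obvious; something like `"""Check SA dump fields, then bind the SA to a worker"""` keeps that discoverable. test_sa_basic continues past the end of this hunk.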
@@ -143,14 +139,51 @@ class IpsecApiTestCase(VppTestCase):
             self.ipv4_params.crypt_algo_vpp_id,
             self.ipv4_params.crypt_key,
             VppEnum.vl_api_ipsec_proto_t.IPSEC_API_PROTO_ESP,
+            flags=VppEnum.vl_api_ipsec_sad_flags_t.IPSEC_API_SAD_FLAG_USE_ANTI_REPLAY
+            | VppEnum.vl_api_ipsec_sad_flags_t.IPSEC_API_SAD_FLAG_IS_INBOUND,
         )
         sa.add_vpp_config()
 
-        self.__check_sa_binding(sa.id, 0xFFFF)
-
+        # check general SA dump
+        dump = self.__sa_dump(sa)
+        self.assertEqual(dump.entry.sad_id, sa.id)
+        self.assertEqual(dump.entry.spi, sa.spi)
+        self.assertEqual(dump.entry.protocol, sa.proto)
+        self.assertEqual(dump.entry.crypto_algorithm, sa.crypto_alg)
+        self.assertEqual(
+            dump.entry.crypto_key.data[: dump.entry.crypto_key.length], sa.crypto_key
+        )
+        self.assertEqual(dump.entry.integrity_algorithm, sa.integ_alg)
+        self.assertEqual(
+            dump.entry.integrity_key.data[: dump.entry.integrity_key.length],
+            sa.integ_key,
+        )
+        self.assertEqual(dump.entry.flags, sa.flags)
+        self.assertEqual(dump.entry.tunnel.instance, 0)
+        self.assertEqual(dump.entry.tunnel.src, IPv4Address("0.0.0.0"))
+        self.assertEqual(dump.entry.tunnel.dst, IPv4Address("0.0.0.0"))
+        self.assertEqual(dump.entry.tunnel.sw_if_index, 0)
+        self.assertEqual(dump.entry.tunnel.table_id, sa.table_id)
+        self.assertEqual(dump.entry.tunnel.encap_decap_flags, sa.tun_flags)
+        self.assertEqual(dump.entry.tunnel.mode, 0)
+        self.assertEqual(dump.entry.tunnel.flags, 0)
+        self.assertEqual(dump.entry.tunnel.dscp, 0)
+        self.assertEqual(dump.entry.tunnel.hop_limit, 0)
+        self.assertEqual(dump.entry.salt, 0)
+        self.assertEqual(dump.entry.udp_src_port, 0)
+        self.assertEqual(dump.entry.udp_dst_port, 0)
+        self.assertEqual(dump.entry.anti_replay_window_size, 64)
+        self.assertEqual(dump.sw_if_index, 0xFFFFFFFF)
+        self.assertEqual(dump.seq_outbound, 0)
+        self.assertEqual(dump.last_seq_inbound, 0)
+        self.assertEqual(dump.replay_window, 0xFFFFFFFFFFFFFFFF)
+        self.assertEqual(dump.thread_index, 0xFFFF)
+        self.assertEqual(dump.stat_index, 0)
+
+        # check SA binding API
         self.vapi.ipsec_sad_bind(sa_id=sa.id, worker=1)
-
-        self.__check_sa_binding(sa.id, 2)
+        dump = self.__sa_dump(sa)
+        self.assertEqual(dump.thread_index, 2)
 
         sa.remove_vpp_config()
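Review bot: The anti-replay assertions cover a single case: an inbound SA with `IPSEC_API_SAD_FLAG_USE_ANTI_REPLAY` set, whose window size is checked against the literal `64`, presumably the default. A regression that reports a fixed size, or a window for an SA without the flag, would still pass. A second SA with a non-default window size and one without the flag would pin both sides of the branch the C change touches. The literals `64` and `0xFFFFFFFFFFFFFFFF` would also read better with a comment, e.g. `# default window size; a freshly created SA reports an all-ones window bitmap`. Separately, the `crypto_key` and `integrity_key` assertions show that `ipsec_sa_v5_dump` returns key material in clear, so access to the API should be treated as access to the SA keys. The test function begins before this hunk.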