From ce04e3b038070204e4e3b5ad4f973add278e2349 Mon Sep 17 00:00:00 2001 From: Arthur de Kerhor Date: Tue, 4 Jan 2022 15:53:43 +0100 Subject: [PATCH] ipsec: allow registering random ports in tests We add the possibility to bind the destination UDP port of a Scapy SA to the ESP layer in the IPsec tunnel protection tests, even if it is not the default port for ESP (4500). This allows to test IPSec tunnel protection with ports other than 4500 in the UDP header, without hardcoding them in the Scapy patch (ex: 4545) Type: improvement Change-Id: I1eea3d4660ed1b59d827250a419af6b7b41c4a72 Signed-off-by: Arthur de Kerhor --- test/patches/scapy-2.4.3/ipsec.patch | 42 +++++++++++++++--------------------- test/test_ipsec_tun_if_esp.py | 35 +++++++++++++++++++++++++----- 2 files changed, 47 insertions(+), 30 deletions(-) diff --git a/test/patches/scapy-2.4.3/ipsec.patch b/test/patches/scapy-2.4.3/ipsec.patch index 12c24e5057f..196b78fe592 100644 --- a/test/patches/scapy-2.4.3/ipsec.patch +++ b/test/patches/scapy-2.4.3/ipsec.patch @@ -1,5 +1,5 @@ diff --git a/scapy/layers/ipsec.py b/scapy/layers/ipsec.py -index ae057ee1..d7a21e8b 100644 +index ae057ee1..55d0dd53 100644 --- a/scapy/layers/ipsec.py +++ b/scapy/layers/ipsec.py @@ -56,6 +56,7 @@ from scapy.fields import ByteEnumField, ByteField, IntField, PacketField, \ @@ -10,15 +10,7 @@ index ae057ee1..d7a21e8b 100644 import scapy.modules.six as six from scapy.modules.six.moves import range from scapy.layers.inet6 import IPv6, IPv6ExtHdrHopByHop, IPv6ExtHdrDestOpt, \ -@@ -138,6 +139,7 @@ bind_layers(IP, ESP, proto=socket.IPPROTO_ESP) - bind_layers(IPv6, ESP, nh=socket.IPPROTO_ESP) - bind_layers(UDP, ESP, dport=4500) # NAT-Traversal encapsulation - bind_layers(UDP, ESP, sport=4500) # NAT-Traversal encapsulation -+bind_layers(UDP, ESP, dport=4545) # NAT-Traversal encapsulation - random port - - ############################################################################### - -@@ -359,11 +361,8 @@ class CryptAlgo(object): +@@ -359,11 +360,8 @@ class CryptAlgo(object): encryptor = cipher.encryptor() if self.is_aead: @@ -32,7 +24,7 @@ index ae057ee1..d7a21e8b 100644 data = encryptor.update(data) + encryptor.finalize() data += encryptor.tag[:self.icv_size] else: -@@ -400,12 +399,7 @@ class CryptAlgo(object): +@@ -400,12 +398,7 @@ class CryptAlgo(object): if self.is_aead: # Tag value check is done during the finalize method @@ -46,7 +38,7 @@ index ae057ee1..d7a21e8b 100644 try: data = decryptor.update(data) + decryptor.finalize() except InvalidTag as err: -@@ -445,6 +439,7 @@ if algorithms: +@@ -445,6 +438,7 @@ if algorithms: CRYPT_ALGOS['AES-CTR'] = CryptAlgo('AES-CTR', cipher=algorithms.AES, mode=modes.CTR, @@ -54,7 +46,7 @@ index ae057ee1..d7a21e8b 100644 iv_size=8, salt_size=4, format_mode_iv=_aes_ctr_format_mode_iv) -@@ -452,6 +447,7 @@ if algorithms: +@@ -452,6 +446,7 @@ if algorithms: CRYPT_ALGOS['AES-GCM'] = CryptAlgo('AES-GCM', cipher=algorithms.AES, mode=modes.GCM, @@ -62,7 +54,7 @@ index ae057ee1..d7a21e8b 100644 salt_size=4, iv_size=8, icv_size=16, -@@ -460,6 +456,7 @@ if algorithms: +@@ -460,6 +455,7 @@ if algorithms: CRYPT_ALGOS['AES-CCM'] = CryptAlgo('AES-CCM', cipher=algorithms.AES, mode=modes.CCM, @@ -70,7 +62,7 @@ index ae057ee1..d7a21e8b 100644 iv_size=8, salt_size=3, icv_size=16, -@@ -544,7 +541,7 @@ class AuthAlgo(object): +@@ -544,7 +540,7 @@ class AuthAlgo(object): else: return self.mac(key, self.digestmod(), default_backend()) @@ -79,7 +71,7 @@ index ae057ee1..d7a21e8b 100644 """ Sign an IPsec (ESP or AH) packet with this algo. -@@ -560,16 +557,20 @@ class AuthAlgo(object): +@@ -560,16 +556,20 @@ class AuthAlgo(object): if pkt.haslayer(ESP): mac.update(raw(pkt[ESP])) @@ -101,7 +93,7 @@ index ae057ee1..d7a21e8b 100644 """ Check that the integrity check value (icv) of a packet is valid. -@@ -600,6 +601,8 @@ class AuthAlgo(object): +@@ -600,6 +600,8 @@ class AuthAlgo(object): clone = zero_mutable_fields(pkt.copy(), sending=False) mac.update(raw(clone)) @@ -110,7 +102,7 @@ index ae057ee1..d7a21e8b 100644 computed_icv = mac.finalize()[:self.icv_size] # XXX: Cannot use mac.verify because the ICV can be truncated -@@ -788,7 +791,7 @@ class SecurityAssociation(object): +@@ -788,7 +790,7 @@ class SecurityAssociation(object): This class is responsible of "encryption" and "decryption" of IPsec packets. # noqa: E501 """ @@ -119,7 +111,7 @@ index ae057ee1..d7a21e8b 100644 def __init__(self, proto, spi, seq_num=1, crypt_algo=None, crypt_key=None, auth_algo=None, auth_key=None, tunnel_header=None, nat_t_header=None, esn_en=False, esn=0): # noqa: E501 -@@ -862,6 +865,23 @@ class SecurityAssociation(object): +@@ -862,6 +864,23 @@ class SecurityAssociation(object): raise TypeError('nat_t_header must be %s' % UDP.name) self.nat_t_header = nat_t_header @@ -143,7 +135,7 @@ index ae057ee1..d7a21e8b 100644 def check_spi(self, pkt): if pkt.spi != self.spi: raise TypeError('packet spi=0x%x does not match the SA spi=0x%x' % -@@ -875,7 +895,8 @@ class SecurityAssociation(object): +@@ -875,7 +894,8 @@ class SecurityAssociation(object): if len(iv) != self.crypt_algo.iv_size: raise TypeError('iv length must be %s' % self.crypt_algo.iv_size) # noqa: E501 @@ -153,7 +145,7 @@ index ae057ee1..d7a21e8b 100644 if self.tunnel_header: tunnel = self.tunnel_header.copy() -@@ -899,7 +920,7 @@ class SecurityAssociation(object): +@@ -899,7 +919,7 @@ class SecurityAssociation(object): esn_en=esn_en or self.esn_en, esn=esn or self.esn) @@ -162,7 +154,7 @@ index ae057ee1..d7a21e8b 100644 if self.nat_t_header: nat_t_header = self.nat_t_header.copy() -@@ -926,7 +947,8 @@ class SecurityAssociation(object): +@@ -926,7 +946,8 @@ class SecurityAssociation(object): def _encrypt_ah(self, pkt, seq_num=None): @@ -172,7 +164,7 @@ index ae057ee1..d7a21e8b 100644 icv=b"\x00" * self.auth_algo.icv_size) if self.tunnel_header: -@@ -966,7 +988,8 @@ class SecurityAssociation(object): +@@ -966,7 +987,8 @@ class SecurityAssociation(object): else: ip_header.plen = len(ip_header.payload) + len(ah) + len(payload) @@ -182,7 +174,7 @@ index ae057ee1..d7a21e8b 100644 # sequence number must always change, unless specified by the user if seq_num is None: -@@ -1003,11 +1026,12 @@ class SecurityAssociation(object): +@@ -1003,11 +1025,12 @@ class SecurityAssociation(object): def _decrypt_esp(self, pkt, verify=True, esn_en=None, esn=None): @@ -196,7 +188,7 @@ index ae057ee1..d7a21e8b 100644 esp = self.crypt_algo.decrypt(self, encrypted, self.crypt_key, self.crypt_algo.icv_size or -@@ -1048,9 +1072,10 @@ class SecurityAssociation(object): +@@ -1048,9 +1071,10 @@ class SecurityAssociation(object): def _decrypt_ah(self, pkt, verify=True): diff --git a/test/test_ipsec_tun_if_esp.py b/test/test_ipsec_tun_if_esp.py index 763aeddda7b..6865c9050a9 100644 --- a/test/test_ipsec_tun_if_esp.py +++ b/test/test_ipsec_tun_if_esp.py @@ -4,7 +4,7 @@ import copy from scapy.layers.ipsec import SecurityAssociation, ESP from scapy.layers.l2 import Ether, GRE, Dot1Q -from scapy.packet import Raw +from scapy.packet import Raw, bind_layers from scapy.layers.inet import IP, UDP from scapy.layers.inet6 import IPv6 from scapy.contrib.mpls import MPLS @@ -40,6 +40,18 @@ def config_tun_params(p, encryption_type, tun_if, src=None, dst=None): p.tun_dst = dst p.tun_src = src + if p.nat_header: + is_default_port = (p.nat_header.dport == 4500) + else: + is_default_port = True + + if is_default_port: + outbound_nat_header = p.nat_header + else: + outbound_nat_header = UDP(sport=p.nat_header.dport, + dport=p.nat_header.sport) + bind_layers(UDP, ESP, dport=p.nat_header.dport) + p.scapy_tun_sa = SecurityAssociation( encryption_type, spi=p.vpp_tun_spi, crypt_algo=p.crypt_algo, @@ -48,7 +60,7 @@ def config_tun_params(p, encryption_type, tun_if, src=None, dst=None): tunnel_header=ip_class_by_addr_type[p.addr_type]( src=p.tun_dst, dst=p.tun_src), - nat_t_header=p.nat_header, + nat_t_header=outbound_nat_header, esn_en=esn_en) p.vpp_tun_sa = SecurityAssociation( encryption_type, spi=p.scapy_tun_spi, @@ -69,13 +81,26 @@ def config_tra_params(p, encryption_type, tun_if): crypt_key = mk_scapy_crypt_key(p) p.tun_dst = tun_if.remote_ip p.tun_src = tun_if.local_ip + + if p.nat_header: + is_default_port = (p.nat_header.dport == 4500) + else: + is_default_port = True + + if is_default_port: + outbound_nat_header = p.nat_header + else: + outbound_nat_header = UDP(sport=p.nat_header.dport, + dport=p.nat_header.sport) + bind_layers(UDP, ESP, dport=p.nat_header.dport) + p.scapy_tun_sa = SecurityAssociation( encryption_type, spi=p.vpp_tun_spi, crypt_algo=p.crypt_algo, crypt_key=crypt_key, auth_algo=p.auth_algo, auth_key=p.auth_key, esn_en=esn_en, - nat_t_header=p.nat_header) + nat_t_header=outbound_nat_header) p.vpp_tun_sa = SecurityAssociation( encryption_type, spi=p.scapy_tun_spi, crypt_algo=p.crypt_algo, @@ -1354,8 +1379,8 @@ class TestIpsecGreTebUdpIfEspTra(TemplateIpsec, flags=(p.flags | VppEnum.vl_api_ipsec_sad_flags_t. IPSEC_API_SAD_FLAG_IS_INBOUND), - udp_src=5454, - udp_dst=4545) + udp_src=4545, + udp_dst=5454) p.tun_sa_in.add_vpp_config() p.tun_if = VppGreInterface(self, -- 2.16.6