packet /= UDP(sport=src_port, dport=dst_port)/Raw(payload)
- packet[Raw].load += b" mac:%s" % scapy.compat.raw(src_mac)
+ packet[Raw].load += b" mac:%s" % src_mac.encode('utf-8')
size = self.pg_if_packet_sizes[p % len(self.pg_if_packet_sizes)]
if isinstance(src_if, VppSubInterface):
from scapy.layers.dhcp6 import DHCP6, DHCP6_Solicit, DHCP6_RelayForward, \
DHCP6_RelayReply, DHCP6_Advertise, DHCP6OptRelayMsg, DHCP6OptIfaceId, \
DHCP6OptStatusCode, DHCP6OptVSS, DHCP6OptClientLinkLayerAddr, DHCP6_Request
-from socket import AF_INET, AF_INET6
-from scapy.utils import inet_pton, inet_ntop
+from socket import AF_INET, AF_INET6, inet_pton, inet_ntop
from scapy.utils6 import in6_ptop
from vpp_papi import mac_pton, VppEnum
from vpp_sub_interface import VppDot1QSubint
-from socket import AF_INET6
+from socket import AF_INET6, inet_ntop, inet_pton
from scapy.layers.dhcp6 import DHCP6_Advertise, DHCP6OptClientId, \
DHCP6OptStatusCode, DHCP6OptPref, DHCP6OptIA_PD, DHCP6OptIAPrefix, \
DHCP6OptIAAddress
from scapy.layers.inet6 import IPv6, Ether, UDP
from scapy.utils6 import in6_mactoifaceid
-from scapy.utils import inet_ntop, inet_pton
from framework import VppTestCase
from vpp_papi import VppEnum
#!/usr/bin/env python3
-from socket import AF_INET, AF_INET6
+from socket import AF_INET, AF_INET6, inet_pton, inet_ntop
import unittest
from ipaddress import ip_address, IPv4Network, IPv6Network
from scapy.utils6 import in6_getnsma, in6_getnsmac
from scapy.layers.vxlan import VXLAN
from scapy.data import ETH_P_IP, ETH_P_IPV6, ETH_P_ARP
-from scapy.utils import inet_pton, inet_ntop
from framework import VppTestCase, VppTestRunner
from vpp_object import VppObject
from framework import VppTestCase, VppTestRunner
from template_bd import BridgeDomain
-from scapy.layers.l2 import Ether, Raw
+from scapy.layers.l2 import Ether
+from scapy.packet import Raw
from scapy.layers.inet import IP, UDP
from scapy.layers.inet6 import IPv6
from scapy.contrib.gtp import GTP_U_Header
import unittest
-from scapy.layers.l2 import Ether, Raw
+from scapy.layers.l2 import Ether
+from scapy.packet import Raw
from scapy.layers.inet import IP, IPOption
from scapy.contrib.igmpv3 import IGMPv3, IGMPv3gr, IGMPv3mq, IGMPv3mr
from util import fragment_rfc791, fragment_rfc8200
import scapy.compat
-from scapy.layers.l2 import Ether, Raw
+from scapy.layers.l2 import Ether
+from scapy.packet import Raw
from scapy.layers.inet import IP, UDP, ICMP, TCP, fragment
from scapy.layers.inet6 import IPv6, ICMPv6TimeExceeded
from scapy.layers.inet6 import IPv6, UDP, IPv6ExtHdrSegmentRouting
from scapy.layers.inet import IP, UDP
-from scapy.utils import inet_pton, inet_ntop
-
from util import ppp
from scapy.layers.inet6 import IPv6, UDP, IPv6ExtHdrSegmentRouting
from scapy.layers.inet import IP, UDP
-from scapy.utils import inet_pton, inet_ntop
-
from util import ppp
from scapy.layers.inet6 import IPv6, UDP, IPv6ExtHdrSegmentRouting
from scapy.layers.inet import IP, UDP
-from scapy.utils import inet_pton, inet_ntop
-
from util import ppp
$(PIP_PATCH_DONE): $(PIP_INSTALL_DONE)
@echo --- patching ---
@sleep 1 # Ensure python recompiles patched *.py files -> *.pyc
- for f in $(CURDIR)/patches/scapy-2.4/*.patch ; do \
+ for f in $(CURDIR)/patches/scapy-2.4.3/*.patch ; do \
echo Applying patch: $$(basename $$f) ; \
patch --forward -p1 -d $(SCAPY_SOURCE) < $$f ; \
retCode=$$?; \
--- /dev/null
+diff --git a/scapy/contrib/cdp.py b/scapy/contrib/cdp.py
+index c8b7f106..7b1ff64d 100644
+--- a/scapy/contrib/cdp.py
++++ b/scapy/contrib/cdp.py
+@@ -102,7 +102,8 @@ def _CDPGuessPayloadClass(p, **kargs):
+ class CDPMsgGeneric(Packet):
+ name = "CDP Generic Message"
+ fields_desc = [ XShortEnumField("type", None, _cdp_tlv_types),
+- FieldLenField("len", None, "val", "!H"),
++ FieldLenField("len", None, "val", "!H",
++ adjust=lambda pkt, x: x + 4),
+ StrLenField("val", "", length_from=lambda x:x.len - 4) ]
+
+
+@@ -178,5 +179,6 @@ class CDPMsgAddr(CDPMsgGeneric):
+ class CDPMsgPortID(CDPMsgGeneric):
+ name = "Port ID"
+ fields_desc = [ XShortEnumField("type", 0x0003, _cdp_tlv_types),
+- FieldLenField("len", None, "iface", "!H"),
++ FieldLenField("len", None, "iface", "!H",
++ adjust=lambda pkt, x: x + 4),
+ StrLenField("iface", "Port 1", length_from=lambda x:x.len - 4) ]
+@@ -319,7 +319,7 @@ class _CDPChecksum:
+ This padding is only used for checksum computation. The original
+ packet should not be altered."""
+ if len(pkt) % 2:
+- last_chr = pkt[-1]
++ last_chr = pkt[len(pkt)-1:]
+ if last_chr <= b'\x80':
+ return pkt[:-1] + b'\x00' + last_chr
+ else:
--- /dev/null
+diff --git a/scapy/layers/ipsec.py b/scapy/layers/ipsec.py
+index f8c601fa..f566d288 100644
+--- a/scapy/layers/ipsec.py
++++ b/scapy/layers/ipsec.py
+@@ -359,11 +359,8 @@ class CryptAlgo(object):
+ encryptor = cipher.encryptor()
+
+ if self.is_aead:
+- if esn_en:
+- aad = struct.pack('!LLL', esp.spi, esn, esp.seq)
+- else:
+- aad = struct.pack('!LL', esp.spi, esp.seq)
+- encryptor.authenticate_additional_data(aad)
++ encryptor.authenticate_additional_data(sa.build_aead(esp))
++
+ data = encryptor.update(data) + encryptor.finalize()
+ data += encryptor.tag[:self.icv_size]
+ else:
+@@ -401,12 +398,7 @@ class CryptAlgo(object):
+
+ if self.is_aead:
+ # Tag value check is done during the finalize method
+- if esn_en:
+- decryptor.authenticate_additional_data(
+- struct.pack('!LLL', esp.spi, esn, esp.seq))
+- else:
+- decryptor.authenticate_additional_data(
+- struct.pack('!LL', esp.spi, esp.seq))
++ decryptor.authenticate_additional_data(sa.build_aead(esp))
+ try:
+ data = decryptor.update(data) + decryptor.finalize()
+ except InvalidTag as err:
+@@ -545,7 +537,7 @@ class AuthAlgo(object):
+ else:
+ return self.mac(key, self.digestmod(), default_backend())
+
+- def sign(self, pkt, key):
++ def sign(self, pkt, key, trailer=None):
+ """
+ Sign an IPsec (ESP or AH) packet with this algo.
+
+@@ -561,16 +553,20 @@ class AuthAlgo(object):
+
+ if pkt.haslayer(ESP):
+ mac.update(raw(pkt[ESP]))
++ if trailer:
++ mac.update(trailer)
+ pkt[ESP].data += mac.finalize()[:self.icv_size]
+
+ elif pkt.haslayer(AH):
+ clone = zero_mutable_fields(pkt.copy(), sending=True)
+ mac.update(raw(clone))
++ if trailer:
++ mac.update(trailer)
+ pkt[AH].icv = mac.finalize()[:self.icv_size]
+
+ return pkt
+
+- def verify(self, pkt, key):
++ def verify(self, pkt, key, trailer):
+ """
+ Check that the integrity check value (icv) of a packet is valid.
+
+@@ -602,6 +598,8 @@ class AuthAlgo(object):
+ clone = zero_mutable_fields(pkt.copy(), sending=False)
+
+ mac.update(raw(clone))
++ if trailer:
++ mac.update(trailer) # bytearray(4)) #raw(trailer))
+ computed_icv = mac.finalize()[:self.icv_size]
+
+ # XXX: Cannot use mac.verify because the ICV can be truncated
+@@ -864,6 +862,23 @@ class SecurityAssociation(object):
+ raise TypeError('nat_t_header must be %s' % UDP.name)
+ self.nat_t_header = nat_t_header
+
++ def build_aead(self, esp):
++ if self.esn_en:
++ return (struct.pack('!LLL', esp.spi, self.seq_num >> 32, esp.seq))
++ else:
++ return (struct.pack('!LL', esp.spi, esp.seq))
++
++ def build_seq_num(self, num):
++ # only lower order bits are transmitted
++ # higher order bits are used in the ICV
++ lower = num & 0xffffffff
++ upper = num >> 32
++
++ if self.esn_en:
++ return lower, struct.pack("!I", upper)
++ else:
++ return lower, None
++
+ def check_spi(self, pkt):
+ if pkt.spi != self.spi:
+ raise TypeError('packet spi=0x%x does not match the SA spi=0x%x' %
+@@ -877,7 +892,8 @@ class SecurityAssociation(object):
+ if len(iv) != self.crypt_algo.iv_size:
+ raise TypeError('iv length must be %s' % self.crypt_algo.iv_size) # noqa: E501
+
+- esp = _ESPPlain(spi=self.spi, seq=seq_num or self.seq_num, iv=iv)
++ low_seq_num, high_seq_num = self.build_seq_num(seq_num or self.seq_num)
++ esp = _ESPPlain(spi=self.spi, seq=low_seq_num, iv=iv)
+
+ if self.tunnel_header:
+ tunnel = self.tunnel_header.copy()
+@@ -901,7 +917,7 @@ class SecurityAssociation(object):
+ esn_en=esn_en or self.esn_en,
+ esn=esn or self.esn)
+
+- self.auth_algo.sign(esp, self.auth_key)
++ self.auth_algo.sign(esp, self.auth_key, high_seq_num)
+
+ if self.nat_t_header:
+ nat_t_header = self.nat_t_header.copy()
+@@ -928,7 +944,8 @@ class SecurityAssociation(object):
+
+ def _encrypt_ah(self, pkt, seq_num=None):
+
+- ah = AH(spi=self.spi, seq=seq_num or self.seq_num,
++ low_seq_num, high_seq_num = self.build_seq_num(seq_num or self.seq_num)
++ ah = AH(spi=self.spi, seq=low_seq_num,
+ icv=b"\x00" * self.auth_algo.icv_size)
+
+ if self.tunnel_header:
+@@ -968,7 +985,8 @@ class SecurityAssociation(object):
+ else:
+ ip_header.plen = len(ip_header.payload) + len(ah) + len(payload)
+
+- signed_pkt = self.auth_algo.sign(ip_header / ah / payload, self.auth_key) # noqa: E501
++ signed_pkt = self.auth_algo.sign(ip_header / ah / payload,
++ self.auth_key, high_seq_num) # noqa: E501
+
+ # sequence number must always change, unless specified by the user
+ if seq_num is None:
+@@ -1005,11 +1023,12 @@ class SecurityAssociation(object):
+
+ def _decrypt_esp(self, pkt, verify=True, esn_en=None, esn=None):
+
++ low_seq_num, high_seq_num = self.build_seq_num(self.seq_num)
+ encrypted = pkt[ESP]
+
+ if verify:
+ self.check_spi(pkt)
+- self.auth_algo.verify(encrypted, self.auth_key)
++ self.auth_algo.verify(encrypted, self.auth_key, high_seq_num)
+
+ esp = self.crypt_algo.decrypt(self, encrypted, self.crypt_key,
+ self.crypt_algo.icv_size or
+@@ -1050,9 +1069,10 @@ class SecurityAssociation(object):
+
+ def _decrypt_ah(self, pkt, verify=True):
+
++ low_seq_num, high_seq_num = self.build_seq_num(self.seq_num)
+ if verify:
+ self.check_spi(pkt)
+- self.auth_algo.verify(pkt, self.auth_key)
++ self.auth_algo.verify(pkt, self.auth_key, high_seq_num)
+
+ ah = pkt[AH]
+ payload = ah.payload
+
--hash=sha256:1873c03321fc118f4e9746baf201ff990ceb915f433f23b395f5580d1840cb2a \
--hash=sha256:9b6323ef4ab914af344ba97510e966d64ba91055d6b9afa6b30799340e89cc03 \
# via packaging
-scapy==2.4.0 ; python_version >= "2.7" or python_version >= "3.4" \
- --hash=sha256:452f714f5c2eac6fd0a6146b1dbddfc24dd5f4103f3ed76227995a488cfb2b73
+scapy==2.4.3 ; python_version >= "2.7" or python_version >= "3.4" \
+ --hash=sha256:e2f8d11f6a941c14a789ae8b236b27bd634681f1b29b5e893861e284d234f6b0
six==1.12.0 \
--hash=sha256:3350809f0555b11f552448330d0b52d5f24c91a322ea4a15ef22629740f3761c \
--hash=sha256:d16a0141ec1a18405cd4ce8b4613101da75da0e9a7aec5bdd4fa804d0e0eba73
pexpect # ISC
psutil # BSD
pycodestyle # MIT (Expat license) https://pypi.org/project/pycodestyle/
-scapy==2.4.0; python_version >= '2.7' or python_version >= '3.4' # GPL2 https://github.com/secdev/scapy/blob/master/LICENSE
+scapy==2.4.3; python_version >= '2.7' or python_version >= '3.4' # GPL2 https://github.com/secdev/scapy/blob/master/LICENSE
six # MIT
subprocess32 # PSF
syslog_rfc5424_parser>=0.3.1 # ISC
import abc
import six
-from scapy.layers.l2 import Ether, Raw
+from scapy.layers.l2 import Ether
+from scapy.packet import Raw
from scapy.layers.inet import IP, UDP
from util import ip4_range
from scapy.layers.inet import IP, ICMP, TCP, UDP
from scapy.layers.ipsec import SecurityAssociation, ESP
-from scapy.layers.l2 import Ether, Raw
+from scapy.layers.l2 import Ether
+from scapy.packet import Raw
from scapy.layers.inet6 import IPv6, ICMPv6EchoRequest
from framework import VppTestCase, VppTestRunner
def config_tun_params(p, encryption_type, tun_if):
ip_class_by_addr_type = {socket.AF_INET: IP, socket.AF_INET6: IPv6}
- use_esn = bool(p.flags & (VppEnum.vl_api_ipsec_sad_flags_t.
- IPSEC_API_SAD_FLAG_USE_ESN))
+ esn_en = bool(p.flags & (VppEnum.vl_api_ipsec_sad_flags_t.
+ IPSEC_API_SAD_FLAG_USE_ESN))
crypt_key = mk_scapy_crypt_key(p)
p.scapy_tun_sa = SecurityAssociation(
encryption_type, spi=p.vpp_tun_spi,
src=tun_if.remote_addr[p.addr_type],
dst=tun_if.local_addr[p.addr_type]),
nat_t_header=p.nat_header,
- use_esn=use_esn)
+ esn_en=esn_en)
p.vpp_tun_sa = SecurityAssociation(
encryption_type, spi=p.scapy_tun_spi,
crypt_algo=p.crypt_algo,
dst=tun_if.remote_addr[p.addr_type],
src=tun_if.local_addr[p.addr_type]),
nat_t_header=p.nat_header,
- use_esn=use_esn)
+ esn_en=esn_en)
def config_tra_params(p, encryption_type):
- use_esn = bool(p.flags & (VppEnum.vl_api_ipsec_sad_flags_t.
- IPSEC_API_SAD_FLAG_USE_ESN))
+ esn_en = bool(p.flags & (VppEnum.vl_api_ipsec_sad_flags_t.
+ IPSEC_API_SAD_FLAG_USE_ESN))
crypt_key = mk_scapy_crypt_key(p)
p.scapy_tra_sa = SecurityAssociation(
encryption_type,
auth_algo=p.auth_algo,
auth_key=p.auth_key,
nat_t_header=p.nat_header,
- use_esn=use_esn)
+ esn_en=esn_en)
p.vpp_tra_sa = SecurityAssociation(
encryption_type,
spi=p.scapy_tra_spi,
auth_algo=p.auth_algo,
auth_key=p.auth_key,
nat_t_header=p.nat_header,
- use_esn=use_esn)
+ esn_en=esn_en)
class TemplateIpsec(VppTestCase):
""" verify methods for Transport v4 """
def verify_tra_anti_replay(self):
p = self.params[socket.AF_INET]
- use_esn = p.vpp_tra_sa.use_esn
+ esn_en = p.vpp_tra_sa.esn_en
seq_cycle_node_name = ('/err/%s/sequence number cycled' %
self.tra4_encrypt_node_name)
seq_num=17))
self.send_and_assert_no_replies(self.tra_if, pkt * 17)
- if use_esn:
+ if esn_en:
# an out of window error with ESN looks like a high sequence
# wrap. but since it isn't then the verify will fail.
hash_failed_count += 17
seq_num=seq))
for seq in range(259, 280)]
- if use_esn:
+ if esn_en:
rxs = self.send_and_expect(self.tra_if, pkts, self.tra_if)
#
byte_val = scapy.compat.chb(1 << (bp - 1) % 8)
byte_pos = n_bytes - (((bp - 1) // 8) + 1)
byte_array[byte_pos] = byte_val
- bitstring = b''.join([scapy.compat.chb(x) for x in byte_array])
+ bitstring = b''.join(byte_array)
self.assertEqual(len(bitstring), len(bier_hdr.BitString))
self.assertEqual(bitstring, bier_hdr.BitString)
from scapy.layers.l2 import Ether
from scapy.layers.inet import IP, UDP
-from scapy.layers.geneve import GENEVE
+from scapy.contrib.geneve import GENEVE
from scapy.utils import atol
from vpp_ip_route import VppIpRoute, VppRoutePath
from vpp_ip import INVALID_INDEX
import scapy.compat
from scapy.packet import Raw
-from scapy.layers.l2 import Ether
-from scapy.layers.inet import IP, UDP, ARP
+from scapy.layers.l2 import Ether, ARP
+from scapy.layers.inet import IP, UDP
from framework import VppTestCase, VppTestRunner
from util import ppp
#!/usr/bin/env python3
-import socket
+from socket import inet_pton, inet_ntop
import unittest
from parameterized import parameterized
ICMPv6TimeExceeded, ICMPv6EchoRequest, ICMPv6EchoReply, IPv6ExtHdrHopByHop
from scapy.layers.l2 import Ether, Dot1Q
from scapy.packet import Raw
-from scapy.utils import inet_pton, inet_ntop
from scapy.utils6 import in6_getnsma, in6_getnsmac, in6_ptop, in6_islladdr, \
in6_mactoifaceid
from six import moves
import copy
from scapy.layers.ipsec import SecurityAssociation, ESP
-from scapy.layers.l2 import Ether, Raw, GRE
+from scapy.layers.l2 import Ether, GRE
+from scapy.packet import Raw
from scapy.layers.inet import IP, UDP
from scapy.layers.inet6 import IPv6
from framework import VppTestRunner
def config_tun_params(p, encryption_type, tun_if):
ip_class_by_addr_type = {socket.AF_INET: IP, socket.AF_INET6: IPv6}
- use_esn = bool(p.flags & (VppEnum.vl_api_ipsec_sad_flags_t.
- IPSEC_API_SAD_FLAG_USE_ESN))
+ esn_en = bool(p.flags & (VppEnum.vl_api_ipsec_sad_flags_t.
+ IPSEC_API_SAD_FLAG_USE_ESN))
crypt_key = mk_scapy_crypt_key(p)
p.scapy_tun_sa = SecurityAssociation(
encryption_type, spi=p.vpp_tun_spi,
src=tun_if.remote_ip,
dst=tun_if.local_ip),
nat_t_header=p.nat_header,
- use_esn=use_esn)
+ esn_en=esn_en)
p.vpp_tun_sa = SecurityAssociation(
encryption_type, spi=p.scapy_tun_spi,
crypt_algo=p.crypt_algo,
dst=tun_if.remote_ip,
src=tun_if.local_ip),
nat_t_header=p.nat_header,
- use_esn=use_esn)
+ esn_en=esn_en)
class TemplateIpsec4TunIfEsp(TemplateIpsec):
import random
import copy
-from socket import AF_INET, AF_INET6
+from socket import AF_INET, AF_INET6, inet_pton, inet_ntop
from scapy.packet import Raw
from scapy.layers.l2 import Ether, ARP
from scapy.layers.inet import IP
-from scapy.utils import inet_pton, inet_ntop
from scapy.utils6 import in6_getnsma, in6_getnsmac, in6_ptop, in6_islladdr, \
in6_mactoifaceid, in6_ismaddr
from scapy.layers.inet6 import IPv6, UDP, ICMPv6ND_NS, ICMPv6ND_RS, \
from framework import VppTestCase, VppTestRunner
from template_bd import BridgeDomain
-from scapy.layers.l2 import Ether, Raw
+from scapy.layers.l2 import Ether
+from scapy.packet import Raw
from scapy.layers.inet import IP, UDP
from scapy.layers.vxlan import VXLAN
from scapy.utils import atol
from framework import VppTestCase, VppTestRunner
from template_bd import BridgeDomain
-from scapy.layers.l2 import Ether, Raw
+from scapy.layers.l2 import Ether
+from scapy.packet import Raw
from scapy.layers.inet import IP, UDP
from scapy.layers.vxlan import VXLAN
from scapy.utils import atol
from framework import VppTestCase, VppTestRunner, running_extended_tests
from template_bd import BridgeDomain
-from scapy.layers.l2 import Ether, Raw
+from scapy.layers.l2 import Ether
+from scapy.packet import Raw
from scapy.layers.inet import IP, UDP
from scapy.layers.vxlan import VXLAN
from scapy.utils import atol
import os
import time
-import socket
+from socket import inet_pton, inet_ntop
import struct
from traceback import format_exc, format_stack
IPv6ExtHdrHopByHop
from util import ppp, ppc
from scapy.utils6 import in6_getnsma, in6_getnsmac, in6_ismaddr
-from scapy.utils import inet_pton, inet_ntop
class CaptureTimeoutError(Exception):