Gitiles
Code Review Sign In
gerrit.nordix.org / fdio / vpp / fb7e7ed2cd10446d5ecd1b1e8df470e706c448ed^! / . / test / test_ipsec_esp.py
commitfb7e7ed2cd10446d5ecd1b1e8df470e706c448ed[log] [tgz]
authorChristian Hopps <chopps@labn.net>Sun Nov 03 07:02:15 2019 -0500
committerDamjan Marion <dmarion@me.com>Mon Sep 07 09:43:27 2020 +0000
tree2590e834f09c2d936f83d9bc766af99e084a522f
parentdce44e4e2302042890dc8b579d4ff6f99509ae7a [diff] [blame]
ipsec: fix padding/alignment for native IPsec encryption

Not all ESP crypto algorithms require padding/alignment to be the same
as AES block/IV size. CCM, CTR and GCM all have no padding/alignment
requirements, and the RFCs indicate that no padding (beyond ESPs 4 octet
alignment requirement) should be used unless TFC (traffic flow
confidentiality) has been requested.

  CTR: https://tools.ietf.org/html/rfc3686#section-3.2
  GCM: https://tools.ietf.org/html/rfc4106#section-3.2
  CCM: https://tools.ietf.org/html/rfc4309#section-3.2

- VPP is incorrectly using the IV/AES block size to pad CTR and GCM.
These modes do not require padding (beyond ESPs 4 octet requirement), as
a result packets will have unnecessary padding, which will waste
bandwidth at least and possibly fail certain network configurations that
have finely tuned MTU configurations at worst.

Fix this as well as changing the field names from ".*block_size" to
".*block_align" to better represent their actual (and only) use. Rename
"block_sz" in esp_encrypt to "esp_align" and set it correctly as well.

test: ipsec: Add unit-test to test for RFC correct padding/alignment

test: patch scapy to not incorrectly pad ccm, ctr, gcm modes as well

- Scapy is also incorrectly using the AES block size of 16 to pad CCM,
CTR, and GCM cipher modes. A bug report has been opened with the
and acknowledged with the upstream scapy project as well:

  https://github.com/secdev/scapy/issues/2322

Ticket: VPP-1928
Type: fix
Signed-off-by: Christian Hopps <chopps@labn.net>
Change-Id: Iaa4d6a325a2e99fdcb2c375a3395bcfe7947770e

diff --git a/test/test_ipsec_esp.py b/test/test_ipsec_esp.py
index 7448df1..dbd21f1 100644
--- a/test/test_ipsec_esp.py
+++ b/test/test_ipsec_esp.py

@@ -1,7 +1,7 @@
 import socket
 import unittest
 from scapy.layers.ipsec import ESP
-from scapy.layers.inet import UDP
+from scapy.layers.inet import IP, ICMP, UDP
 
 from parameterized import parameterized
 from framework import VppTestRunner
@@ -544,6 +544,8 @@
         self.run_a_test(self.engine, self.flag, self.algo)
 
     def run_a_test(self, engine, flag, algo, payload_size=None):
+        if engine == "ia32":
+            engine = "native"
         self.vapi.cli("set crypto handler all %s" % engine)
 
         self.ipv4_params = IPsecIPv4Params()
@@ -579,8 +581,16 @@
         self.verify_tra_basic4(count=NUM_PKTS)
         self.verify_tun_66(self.params[socket.AF_INET6],
                            count=NUM_PKTS)
+        #
+        # Use an odd-byte payload size to check for correct padding.
+        #
+        # 49 + 2 == 51 which should pad +1 to 52 for 4 byte alignment, +5
+        # to 56 for 8 byte alignment, and +13 to 64 for 64 byte alignment.
+        # This should catch bugs where the code is incorrectly over-padding
+        # for algorithms that don't require it
+        psz = 49 - len(IP()/ICMP()) if payload_size is None else payload_size
         self.verify_tun_44(self.params[socket.AF_INET],
-                           count=NUM_PKTS)
+                           count=NUM_PKTS, payload_size=psz)
 
         LARGE_PKT_SZ = [
             1970,  # results in 2 chained buffers entering decrypt node