test/ipsec: add reference packet to check decryption

Currently, only internal encryption and decryption were tested but the implementation might not be the on it is supposed to be. Add reference packets generated using Ubuntu-16.04, iproute2 and ping: # ip -V ip utility, iproute2-ss151103 # uname -a Linux router-vm 4.4.0-62-generic #83-Ubuntu SMP Wed Jan 18 14:10:15 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux # ping -V ping utility, iputils-s20160308 Signed-off-by: Thomas Faivre <thomas.faivre@6wind.com>

test/ipsec: add reference packet to check decryption
Currently, only internal encryption and decryption were tested but the implementation might not be the on it is supposed to be. Add reference packets generated using Ubuntu-16.04, iproute2 and ping: # ip -V ip utility, iproute2-ss151103 # uname -a Linux router-vm 4.4.0-62-generic #83-Ubuntu SMP Wed Jan 18 14:10:15 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux # ping -V ping utility, iputils-s20160308 Signed-off-by: Thomas Faivre <thomas.faivre@6wind.com>
8ea9b84b · Thomas Faivre · Guillaume Valadon · e430ef63 · 8ea9b84b
Commit 8ea9b84b authored 8 years ago by Thomas Faivre Committed by Guillaume Valadon 8 years ago
--- a/test/ipsec.uts
+++ b/test/ipsec.uts
@@ -74,6 +74,25 @@ d
 * after decryption the original packet payload should be unaltered
 assert(d[TCP] == p[TCP])
+# Generated with Linux 4.4.0-62-generic #83-Ubuntu
+# ip xfrm state add src 10.125.0.2 dst 10.125.0.1 proto esp spi 546 reqid 1 \
+#    mode tunnel enc 'cbc(des)' '0x38627974656b6579' auth digest_null '' flag align4
+ref = IP() \
+    / ESP(spi=0x222,
+          data='\x0f\x6d\x2f\x3d\x1e\xc1\x0b\xc2\xb6\x8f\xfd\x67\x39\xc0\x96\x2c'
+               '\x17\x79\x88\xf6\xbc\x4d\xf7\x45\xd8\x36\x63\x86\xcd\x08\x7c\x08'
+               '\x2b\xf8\xa2\x91\x18\x21\x88\xd9\x26\x00\xc5\x21\x24\xbf\x8f\xf5'
+               '\x6c\x47\xb0\x3a\x8e\xdb\x75\x21\xd9\x33\x85\x5a\x15\xc6\x31\x00'
+               '\x1c\xef\x3e\x12\xce\x70\xec\x8f\x48\xc7\x81\x9b\x66\xcb\xf5\x39'
+               '\x91\xb3\x8e\x72\xfb\x7f\x64\x65\x6c\xf4\xa9\xf2\x5e\x63\x2f\x60',
+          seq=1)
+d_ref = sa.decrypt(ref)
+d_ref
+* Check for ICMP layer in decrypted reference
+assert(d_ref.haslayer(ICMP))
 #######################################
 = IPv4 / ESP - Transport - 3DES - NULL
@@ -107,6 +126,25 @@ d
 * after decryption the original packet payload should be unaltered
 assert(d[TCP] == p[TCP])
+# Generated with Linux 4.4.0-62-generic #83-Ubuntu
+# ip xfrm state add src 10.125.0.2 dst 10.125.0.1 proto esp spi 546 reqid 1 \
+#   mode tunnel enc 'cbc(des3_ede)' '0x7468726565646966666572656e743862797465736b657973' auth digest_null '' flag align4
+ref = IP() \
+    / ESP(spi=0x222,
+          data='\x36\x5c\x9b\x41\x37\xc8\x59\x1e\x39\x63\xe8\x6b\xf7\x0d\x97\x54'
+               '\x13\x84\xf6\x81\x66\x19\xe7\xcb\x75\x94\xf1\x0b\x8e\xa3\xf1\xa0'
+               '\x3e\x88\x51\xc4\x50\xd0\xa9\x1f\x16\x25\xc6\xbd\xe9\x0b\xdc\xae'
+               '\xf8\x13\x00\xa3\x8c\x53\xee\x1c\x96\xc0\xfe\x99\x70\xab\x94\x77'
+               '\xd7\xc4\xe8\xfd\x9f\x96\x28\xb8\x95\x20\x86\x7b\x19\xbc\x8f\xf5'
+               '\x96\xb0\x7e\xcc\x04\x83\xae\x4d\xa3\xba\x1d\x44\xf0\xba\x2e\xcd',
+          seq=1)
+d_ref = sa.decrypt(ref)
+d_ref
+* Check for ICMP layer in decrypted reference
+assert(d_ref.haslayer(ICMP))
 #######################################
 = IPv4 / ESP - Transport - AES-CBC - NULL
@@ -139,6 +177,26 @@ d
 * after decryption the original packet payload should be unaltered
 assert(d[TCP] == p[TCP])
+# Generated with Linux 4.4.0-62-generic #83-Ubuntu
+# ip xfrm state add src 10.125.0.2 dst 10.125.0.1 proto esp spi 546 reqid 1 \
+#   mode tunnel enc 'cbc(aes)' '0x7369787465656e6279746573206b6579' auth digest_null '' flag align4
+ref = IP() \
+    / ESP(spi=0x222,
+          data='\x08\x2f\x94\xe6\x53\xd8\x8e\x13\x70\xe8\xff\x61\x52\x90\x27\x3c'
+               '\xf2\xb4\x1f\x75\xd2\xa0\xac\xae\x1c\xa8\x5e\x1c\x78\x21\x4c\x7f'
+               '\xc3\x30\x17\x6a\x8d\xf3\xb1\xa7\xd1\xa8\x42\x01\xd6\x8d\x2d\x7e'
+               '\x5d\x06\xdf\xaa\x05\x27\x42\xb1\x00\x12\xcf\xff\x64\x02\x5a\x40'
+               '\xcd\xca\x1b\x91\xba\xf8\xc8\x59\xe7\xbd\x4d\x19\xb4\x8d\x39\x25'
+               '\x6c\x73\xf1\x2d\xaa\xee\xe1\x0b\x71\xcd\xfc\x11\x1d\x56\xce\x60'
+               '\xed\xd2\x32\x87\xd4\x90\xc3\xf5\x31\x47\x97\x69\x83\x82\x6d\x38',
+          seq=1)
+d_ref = sa.decrypt(ref)
+d_ref
+* Check for ICMP layer in decrypted reference
+assert(d_ref.haslayer(ICMP))
 #######################################
 = IPv4 / ESP - Transport - AES-CTR - NULL
@@ -171,6 +229,25 @@ d
 * after decryption original packet should be preserved
 assert(d[TCP] == p[TCP])
+# Generated with Linux 4.4.0-62-generic #83-Ubuntu
+# ip xfrm state add src 10.125.0.2 dst 10.125.0.1 proto esp spi 546 reqid 1 \
+#    mode tunnel enc 'rfc3686(ctr(aes))' '0x3136627974656b65792b34627974656e6f6e6365' auth digest_null '' flag align4
+ref = IP() \
+    / ESP(spi=0x222,
+          data='\xc4\xca\x09\x0f\x8b\xd3\x05\x3d\xac\x5a\x2f\x87\xca\x71\x10\x01'
+               '\xa7\x95\xc9\x07\xcc\xd4\x05\x58\x65\x23\x22\x4b\x63\x9b\x1f\xef'
+               '\x55\xb9\x1a\x91\x52\x76\x00\xf7\x94\x7b\x1d\xe1\x8e\x03\x2e\x85'
+               '\xad\xdd\x83\x22\x8a\xc3\x88\x6e\x85\xf5\x9b\xed\xa9\x6e\xb1\xc3'
+               '\x78\x00\x2f\xcd\x77\xe8\x3e\xec\x0e\x77\x94\xb2\x9b\x0f\x64\x5e'
+               '\x09\x83\x03\x7d\x83\x22\x39\xbb\x94\x66\xae\x9f\xbf\x01\xda\xfb',
+          seq=1)
+d_ref = sa.decrypt(ref)
+d_ref
+* Check for ICMP layer in decrypted reference
+assert(d_ref.haslayer(ICMP))
 #######################################
 = IPv4 / ESP - Transport - Blowfish - NULL
@@ -203,6 +280,25 @@ d
 * after decryption original packet should be preserved
 assert(d[TCP] == p[TCP])
+# Generated with Linux 4.4.0-62-generic #83-Ubuntu
+# ip xfrm state add src 10.125.0.2 dst 10.125.0.1 proto esp spi 546 reqid 1 \
+#    mode tunnel enc 'cbc(blowfish)' '0x7369787465656e6279746573206b6579' auth digest_null '' flag align4
+ref = IP() \
+    / ESP(spi=0x222,
+          data='\x93\x9f\x5a\x10\x55\x57\x30\xa0\xb4\x00\x72\x1e\x46\x42\x46\x20'
+               '\xbc\x01\xef\xc3\x79\xcc\x3e\x55\x64\xba\x09\xc2\x6a\x5a\x5c\xb3'
+               '\xcc\xb5\xd5\x87\x82\xb0\x0a\x94\x58\xfc\x50\x37\x40\xe1\x03\xd3'
+               '\x4a\x09\xb2\x23\x53\x56\xa4\x45\x4c\xbb\x81\x1c\xdb\x31\xa7\x67'
+               '\xbd\x38\x8e\xba\x55\xd9\x1f\xf1\x3c\xeb\x07\x4c\x02\xb0\x3e\xc5'
+               '\xf6\x60\xdd\x68\xe1\xd4\xec\xee\x27\xc0\x6d\x1a\x80\xe2\xcc\x7d',
+          seq=1)
+d_ref = sa.decrypt(ref)
+d_ref
+* Check for ICMP layer in decrypted reference
+assert(d_ref.haslayer(ICMP))
 #######################################
 = IPv4 / ESP - Transport - CAST - NULL
@@ -235,6 +331,25 @@ d
 * after decryption original packet should be preserved
 assert(d[TCP] == p[TCP])
+# Generated with Linux 4.4.0-62-generic #83-Ubuntu
+# ip xfrm state add src 10.125.0.2 dst 10.125.0.1 proto esp spi 546 reqid 1 \
+#    mode tunnel enc 'cbc(cast5)' '0x7369787465656e6279746573206b6579' auth digest_null '' flag align4
+ref = IP() \
+    / ESP(spi=0x222,
+          data='\xcd\x4a\x46\x05\x51\x54\x73\x35\x1d\xad\x4b\x10\xc1\x15\xe2\x70'
+               '\xbc\x9c\x53\x8f\x4d\x1c\x87\x1a\xc1\xb0\xdf\x80\xd1\x0c\xa4\x59'
+               '\xe6\x50\xde\x46\xdb\x3f\x28\xc2\xda\x6c\x2b\x81\x5e\x7c\x7b\x4f'
+               '\xbc\x8d\xc1\x6d\x4a\x2b\x04\x91\x9e\xc4\x0b\xba\x05\xba\x3b\x71'
+               '\xac\xe3\x16\xcf\x7f\x00\xc5\x87\x7d\x72\x48\xe6\x5b\x43\x19\x24'
+               '\xae\xa6\x2c\xcc\xad\xbf\x37\x6c\x6e\xea\x71\x67\x73\xd6\x11\x9f',
+          seq=1)
+d_ref = sa.decrypt(ref)
+d_ref
+* Check for ICMP layer in decrypted reference
+assert(d_ref.haslayer(ICMP))
 ###############################################################################
 + IPv4 / ESP - Tunnel - Encryption Algorithms
@@ -1423,6 +1538,26 @@ d
 * after decryption original packet should be preserved
 assert(d[TCP] == p[TCP])
+# Generated with Linux 4.4.0-62-generic #83-Ubuntu
+# ip xfrm state add src 10.125.0.2 dst 10.125.0.1 proto esp spi 546 reqid 1 \
+#    mode tunnel aead 'rfc4106(gcm(aes))' '0x3136627974656b65792b34627974656e6f6e6365' 128 flag align4
+ref = IP() \
+    / ESP(spi=0x222,
+          data='\x66\x00\x28\x86\xe9\xdf\xc5\x24\xb0\xbd\xfd\x62\x61\x7e\xd3\x76'
+               '\x7b\x48\x28\x8e\x76\xaa\xea\x48\xb8\x40\x30\x8a\xce\x50\x71\xbb'
+               '\xc0\xb2\x47\x71\xd7\xa4\xa0\xcb\x03\x68\xd3\x16\x5a\x7c\x37\x84'
+               '\x87\xc7\x19\x59\xb4\x7c\x76\xe3\x48\xc0\x90\x4b\xd2\x36\x95\xc1'
+               '\xb7\xa4\xb6\x7b\x89\xe6\x4f\x10\xae\xdb\x84\x47\x46\x00\xb4\x44'
+               '\xe6\x6d\x16\x55\x5f\x82\x36\xa5\x49\xf7\x52\x81\x65\x90\x4d\x28'
+               '\x92\xb2\xe3\xf1\xa4\x02\xd2\x37\xac\x0b\x7a\x10\xcf\x64\x46\xb9',
+          seq=1)
+d_ref = sa.decrypt(ref)
+d_ref
+* Check for ICMP layer in decrypted reference
+assert(d_ref.haslayer(ICMP))
 #######################################
 = IPv4 / ESP - Transport - AES-GCM - NULL - altered packet
@@ -1493,6 +1628,26 @@ d
 * after decryption original packet should be preserved
 assert(d == p)
+# Generated with Linux 4.4.0-62-generic #83-Ubuntu
+# ip xfrm state add src 10.125.0.2 dst 10.125.0.1 proto esp spi 546 reqid 1 \
+#    mode tunnel aead 'rfc4309(ccm(aes))' '0x3136627974656b657933627974656e6f6e6365' 64
+ref = IP() \
+    / ESP(spi=0x222,
+          data='\x2e\x02\x9f\x1f\xad\x76\x80\x58\x8f\xeb\x45\xf1\x66\xe3\xad\xa6'
+               '\x90\x1b\x2b\x7d\xd3\x3d\xa4\x53\x35\xc8\xfa\x92\xfd\xd7\x42\x2f'
+               '\x87\x60\x9b\x46\xb0\x21\x5e\x82\xfb\x2f\x59\xba\xf0\x6c\xe5\x51'
+               '\xb8\x36\x20\x88\xfe\x49\x86\x60\xe8\x0a\x3d\x36\xb5\x8a\x08\xa9'
+               '\x5e\xe3\x87\xfa\x93\x3f\xe8\xc2\xc5\xbf\xb1\x2e\x6f\x7d\xc5\xa5'
+               '\xd8\xe5\xf3\x25\x21\x81\x43\x16\x48\x10\x7c\x04\x31\x20\x07\x7c'
+               '\x7b\xda\x5d\x1a\x72\x45\xc4\x79',
+          seq=1)
+d_ref = sa.decrypt(ref)
+d_ref
+* Check for ICMP layer in decrypted reference
+assert(d_ref.haslayer(ICMP))
 #######################################
 = IPv4 / ESP - Transport - AES-CCM - NULL - altered packet
 ~ combined_modes_ccm