From 8ea9b84b4a94baf1580214d7c200850dcdfc2602 Mon Sep 17 00:00:00 2001 From: Thomas Faivre <thomas.faivre@6wind.com> Date: Thu, 9 Mar 2017 16:21:29 +0100 Subject: [PATCH] test/ipsec: add reference packet to check decryption Currently, only internal encryption and decryption were tested but the implementation might not be the on it is supposed to be. Add reference packets generated using Ubuntu-16.04, iproute2 and ping: # ip -V ip utility, iproute2-ss151103 # uname -a Linux router-vm 4.4.0-62-generic #83-Ubuntu SMP Wed Jan 18 14:10:15 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux # ping -V ping utility, iputils-s20160308 Signed-off-by: Thomas Faivre <thomas.faivre@6wind.com> --- test/ipsec.uts | 155 +++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 155 insertions(+) diff --git a/test/ipsec.uts b/test/ipsec.uts index 7ffc1c26..8a71d37f 100644 --- a/test/ipsec.uts +++ b/test/ipsec.uts @@ -74,6 +74,25 @@ d * after decryption the original packet payload should be unaltered assert(d[TCP] == p[TCP]) +# Generated with Linux 4.4.0-62-generic #83-Ubuntu +# ip xfrm state add src 10.125.0.2 dst 10.125.0.1 proto esp spi 546 reqid 1 \ +# mode tunnel enc 'cbc(des)' '0x38627974656b6579' auth digest_null '' flag align4 +ref = IP() \ + / ESP(spi=0x222, + data='\x0f\x6d\x2f\x3d\x1e\xc1\x0b\xc2\xb6\x8f\xfd\x67\x39\xc0\x96\x2c' + '\x17\x79\x88\xf6\xbc\x4d\xf7\x45\xd8\x36\x63\x86\xcd\x08\x7c\x08' + '\x2b\xf8\xa2\x91\x18\x21\x88\xd9\x26\x00\xc5\x21\x24\xbf\x8f\xf5' + '\x6c\x47\xb0\x3a\x8e\xdb\x75\x21\xd9\x33\x85\x5a\x15\xc6\x31\x00' + '\x1c\xef\x3e\x12\xce\x70\xec\x8f\x48\xc7\x81\x9b\x66\xcb\xf5\x39' + '\x91\xb3\x8e\x72\xfb\x7f\x64\x65\x6c\xf4\xa9\xf2\x5e\x63\x2f\x60', + seq=1) + +d_ref = sa.decrypt(ref) +d_ref + +* Check for ICMP layer in decrypted reference +assert(d_ref.haslayer(ICMP)) + ####################################### = IPv4 / ESP - Transport - 3DES - NULL 
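Review bot: The closing `assert(d_ref.haslayer(ICMP))` only shows that an ICMP layer was dissected somewhere in the decrypted bytes; it never compares the result with the plaintext that was actually sent. A fault that corrupts part of the payload but leaves the headers parseable (for example one confined to the first cipher block) might therefore still pass. The same assertion ends the other seven reference blocks in this patch (3DES, AES-CBC, AES-CTR, Blowfish, CAST, AES-GCM, AES-CCM). Since the packet came from `ping`, the known plaintext could be recorded next to the `ip xfrm` comment and checked, e.g. `assert(d_ref[ICMP].type == 8)` if the capture is the echo request, plus a comparison of the inner addresses with the ones used when capturing.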
@@ -107,6 +126,25 @@ d * after decryption the original packet payload should be unaltered assert(d[TCP] == p[TCP]) +# Generated with Linux 4.4.0-62-generic #83-Ubuntu +# ip xfrm state add src 10.125.0.2 dst 10.125.0.1 proto esp spi 546 reqid 1 \ +# mode tunnel enc 'cbc(des3_ede)' '0x7468726565646966666572656e743862797465736b657973' auth digest_null '' flag align4 +ref = IP() \ + / ESP(spi=0x222, + data='\x36\x5c\x9b\x41\x37\xc8\x59\x1e\x39\x63\xe8\x6b\xf7\x0d\x97\x54' + '\x13\x84\xf6\x81\x66\x19\xe7\xcb\x75\x94\xf1\x0b\x8e\xa3\xf1\xa0' + '\x3e\x88\x51\xc4\x50\xd0\xa9\x1f\x16\x25\xc6\xbd\xe9\x0b\xdc\xae' + '\xf8\x13\x00\xa3\x8c\x53\xee\x1c\x96\xc0\xfe\x99\x70\xab\x94\x77' + '\xd7\xc4\xe8\xfd\x9f\x96\x28\xb8\x95\x20\x86\x7b\x19\xbc\x8f\xf5' + '\x96\xb0\x7e\xcc\x04\x83\xae\x4d\xa3\xba\x1d\x44\xf0\xba\x2e\xcd', + seq=1) + +d_ref = sa.decrypt(ref) +d_ref + +* Check for ICMP layer in decrypted reference +assert(d_ref.haslayer(ICMP)) + ####################################### = IPv4 / ESP - Transport - AES-CBC - NULL 
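Review bot: The `ip xfrm` comment records `mode tunnel`, but the test titles visible in this hunk's context are all "Transport" tests, so `ref` is presumably decrypted by a transport-mode `sa` defined above the hunk. How `sa.decrypt` treats that mismatch is not visible here, and `haslayer(ICMP)` would pass whether or not an inner IP header is left in the result. A comment such as `# reference is a tunnel-mode packet: the decrypted result is expected to carry the inner IP header` would state the intent. The outer header is also a default `IP()` rather than the 10.125.0.2 -> 10.125.0.1 pair from the capture, which is worth saying is deliberate. The same applies to the other reference blocks added in the Transport group.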
@@ -139,6 +177,26 @@ d * after decryption the original packet payload should be unaltered assert(d[TCP] == p[TCP]) +# Generated with Linux 4.4.0-62-generic #83-Ubuntu +# ip xfrm state add src 10.125.0.2 dst 10.125.0.1 proto esp spi 546 reqid 1 \ +# mode tunnel enc 'cbc(aes)' '0x7369787465656e6279746573206b6579' auth digest_null '' flag align4 +ref = IP() \ + / ESP(spi=0x222, + data='\x08\x2f\x94\xe6\x53\xd8\x8e\x13\x70\xe8\xff\x61\x52\x90\x27\x3c' + '\xf2\xb4\x1f\x75\xd2\xa0\xac\xae\x1c\xa8\x5e\x1c\x78\x21\x4c\x7f' + '\xc3\x30\x17\x6a\x8d\xf3\xb1\xa7\xd1\xa8\x42\x01\xd6\x8d\x2d\x7e' + '\x5d\x06\xdf\xaa\x05\x27\x42\xb1\x00\x12\xcf\xff\x64\x02\x5a\x40' + '\xcd\xca\x1b\x91\xba\xf8\xc8\x59\xe7\xbd\x4d\x19\xb4\x8d\x39\x25' + '\x6c\x73\xf1\x2d\xaa\xee\xe1\x0b\x71\xcd\xfc\x11\x1d\x56\xce\x60' + '\xed\xd2\x32\x87\xd4\x90\xc3\xf5\x31\x47\x97\x69\x83\x82\x6d\x38', + seq=1) + +d_ref = sa.decrypt(ref) +d_ref + +* Check for ICMP layer in decrypted reference +assert(d_ref.haslayer(ICMP)) + ####################################### = IPv4 / ESP - Transport - AES-CTR - NULL 
@@ -171,6 +229,25 @@ d * after decryption original packet should be preserved assert(d[TCP] == p[TCP]) +# Generated with Linux 4.4.0-62-generic #83-Ubuntu +# ip xfrm state add src 10.125.0.2 dst 10.125.0.1 proto esp spi 546 reqid 1 \ +# mode tunnel enc 'rfc3686(ctr(aes))' '0x3136627974656b65792b34627974656e6f6e6365' auth digest_null '' flag align4 +ref = IP() \ + / ESP(spi=0x222, + data='\xc4\xca\x09\x0f\x8b\xd3\x05\x3d\xac\x5a\x2f\x87\xca\x71\x10\x01' + '\xa7\x95\xc9\x07\xcc\xd4\x05\x58\x65\x23\x22\x4b\x63\x9b\x1f\xef' + '\x55\xb9\x1a\x91\x52\x76\x00\xf7\x94\x7b\x1d\xe1\x8e\x03\x2e\x85' + '\xad\xdd\x83\x22\x8a\xc3\x88\x6e\x85\xf5\x9b\xed\xa9\x6e\xb1\xc3' + '\x78\x00\x2f\xcd\x77\xe8\x3e\xec\x0e\x77\x94\xb2\x9b\x0f\x64\x5e' + '\x09\x83\x03\x7d\x83\x22\x39\xbb\x94\x66\xae\x9f\xbf\x01\xda\xfb', + seq=1) + +d_ref = sa.decrypt(ref) +d_ref + +* Check for ICMP layer in decrypted reference +assert(d_ref.haslayer(ICMP)) + ####################################### = IPv4 / ESP - Transport - Blowfish - NULL 
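Review bot: The `ip xfrm` comment gives the key only as hex, `0x3136627974656b65792b34627974656e6f6e6365`, which decodes to the ASCII string `16bytekey+4bytenonce`. The `sa` that decrypts `ref` is defined above the hunk, so a reader cannot confirm from here that both sides use the same key material. A comment like `# key: '16bytekey' + '+4bytenonce' layout = 16-byte AES key followed by the 4-byte RFC 3686 nonce (must match sa above)` would make that coupling explicit and show that the trailing four bytes are a nonce, not key. The hex keys in the other reference blocks would benefit from the same ASCII annotation.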
@@ -203,6 +280,25 @@ d * after decryption original packet should be preserved assert(d[TCP] == p[TCP]) +# Generated with Linux 4.4.0-62-generic #83-Ubuntu +# ip xfrm state add src 10.125.0.2 dst 10.125.0.1 proto esp spi 546 reqid 1 \ +# mode tunnel enc 'cbc(blowfish)' '0x7369787465656e6279746573206b6579' auth digest_null '' flag align4 +ref = IP() \ + / ESP(spi=0x222, + data='\x93\x9f\x5a\x10\x55\x57\x30\xa0\xb4\x00\x72\x1e\x46\x42\x46\x20' + '\xbc\x01\xef\xc3\x79\xcc\x3e\x55\x64\xba\x09\xc2\x6a\x5a\x5c\xb3' + '\xcc\xb5\xd5\x87\x82\xb0\x0a\x94\x58\xfc\x50\x37\x40\xe1\x03\xd3' + '\x4a\x09\xb2\x23\x53\x56\xa4\x45\x4c\xbb\x81\x1c\xdb\x31\xa7\x67' + '\xbd\x38\x8e\xba\x55\xd9\x1f\xf1\x3c\xeb\x07\x4c\x02\xb0\x3e\xc5' + '\xf6\x60\xdd\x68\xe1\xd4\xec\xee\x27\xc0\x6d\x1a\x80\xe2\xcc\x7d', + seq=1) + +d_ref = sa.decrypt(ref) +d_ref + +* Check for ICMP layer in decrypted reference +assert(d_ref.haslayer(ICMP)) + ####################################### = IPv4 / ESP - Transport - CAST - NULL 
@@ -235,6 +331,25 @@ d * after decryption original packet should be preserved assert(d[TCP] == p[TCP]) +# Generated with Linux 4.4.0-62-generic #83-Ubuntu +# ip xfrm state add src 10.125.0.2 dst 10.125.0.1 proto esp spi 546 reqid 1 \ +# mode tunnel enc 'cbc(cast5)' '0x7369787465656e6279746573206b6579' auth digest_null '' flag align4 +ref = IP() \ + / ESP(spi=0x222, + data='\xcd\x4a\x46\x05\x51\x54\x73\x35\x1d\xad\x4b\x10\xc1\x15\xe2\x70' + '\xbc\x9c\x53\x8f\x4d\x1c\x87\x1a\xc1\xb0\xdf\x80\xd1\x0c\xa4\x59' + '\xe6\x50\xde\x46\xdb\x3f\x28\xc2\xda\x6c\x2b\x81\x5e\x7c\x7b\x4f' + '\xbc\x8d\xc1\x6d\x4a\x2b\x04\x91\x9e\xc4\x0b\xba\x05\xba\x3b\x71' + '\xac\xe3\x16\xcf\x7f\x00\xc5\x87\x7d\x72\x48\xe6\x5b\x43\x19\x24' + '\xae\xa6\x2c\xcc\xad\xbf\x37\x6c\x6e\xea\x71\x67\x73\xd6\x11\x9f', + seq=1) + +d_ref = sa.decrypt(ref) +d_ref + +* Check for ICMP layer in decrypted reference +assert(d_ref.haslayer(ICMP)) + ############################################################################### + IPv4 / ESP - Tunnel - Encryption Algorithms 
@@ -1423,6 +1538,26 @@ d * after decryption original packet should be preserved assert(d[TCP] == p[TCP]) +# Generated with Linux 4.4.0-62-generic #83-Ubuntu +# ip xfrm state add src 10.125.0.2 dst 10.125.0.1 proto esp spi 546 reqid 1 \ +# mode tunnel aead 'rfc4106(gcm(aes))' '0x3136627974656b65792b34627974656e6f6e6365' 128 flag align4 +ref = IP() \ + / ESP(spi=0x222, + data='\x66\x00\x28\x86\xe9\xdf\xc5\x24\xb0\xbd\xfd\x62\x61\x7e\xd3\x76' + '\x7b\x48\x28\x8e\x76\xaa\xea\x48\xb8\x40\x30\x8a\xce\x50\x71\xbb' + '\xc0\xb2\x47\x71\xd7\xa4\xa0\xcb\x03\x68\xd3\x16\x5a\x7c\x37\x84' + '\x87\xc7\x19\x59\xb4\x7c\x76\xe3\x48\xc0\x90\x4b\xd2\x36\x95\xc1' + '\xb7\xa4\xb6\x7b\x89\xe6\x4f\x10\xae\xdb\x84\x47\x46\x00\xb4\x44' + '\xe6\x6d\x16\x55\x5f\x82\x36\xa5\x49\xf7\x52\x81\x65\x90\x4d\x28' + '\x92\xb2\xe3\xf1\xa4\x02\xd2\x37\xac\x0b\x7a\x10\xcf\x64\x46\xb9', + seq=1) + +d_ref = sa.decrypt(ref) +d_ref + +* Check for ICMP layer in decrypted reference +assert(d_ref.haslayer(ICMP)) + ####################################### = IPv4 / ESP - Transport - AES-GCM - NULL - altered packet 
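Review bot: The AES-GCM reference block checks only the accepting path: a packet produced by the Linux stack decrypts and contains ICMP. The section that follows in the context is an "altered packet" test for the internally generated packet, but nothing shows that a modified copy of the Linux-generated `ref` is rejected, which is the interoperability property that matters for an AEAD ICV. A negative check after the existing assertion would cover it, expecting the same exception the existing altered-packet tests use (presumably `IPSecIntegrityError`; confirm against the file). The AES-CCM reference block in the last hunk has the same gap.

```python
d_ref = sa.decrypt(ref)
# … unchanged: d_ref display and ICMP assertion …

* a modified reference packet must be rejected by the ICV check
ref_bad = ref.copy()
ref_bad[ESP].data = ref_bad[ESP].data[:-1] + b'\x00'
try:
    sa.decrypt(ref_bad)
    assert(False)
except IPSecIntegrityError as err:
    err
```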
@@ -1493,6 +1628,26 @@ d * after decryption original packet should be preserved assert(d == p) +# Generated with Linux 4.4.0-62-generic #83-Ubuntu +# ip xfrm state add src 10.125.0.2 dst 10.125.0.1 proto esp spi 546 reqid 1 \ +# mode tunnel aead 'rfc4309(ccm(aes))' '0x3136627974656b657933627974656e6f6e6365' 64 +ref = IP() \ + / ESP(spi=0x222, + data='\x2e\x02\x9f\x1f\xad\x76\x80\x58\x8f\xeb\x45\xf1\x66\xe3\xad\xa6' + '\x90\x1b\x2b\x7d\xd3\x3d\xa4\x53\x35\xc8\xfa\x92\xfd\xd7\x42\x2f' + '\x87\x60\x9b\x46\xb0\x21\x5e\x82\xfb\x2f\x59\xba\xf0\x6c\xe5\x51' + '\xb8\x36\x20\x88\xfe\x49\x86\x60\xe8\x0a\x3d\x36\xb5\x8a\x08\xa9' + '\x5e\xe3\x87\xfa\x93\x3f\xe8\xc2\xc5\xbf\xb1\x2e\x6f\x7d\xc5\xa5' + '\xd8\xe5\xf3\x25\x21\x81\x43\x16\x48\x10\x7c\x04\x31\x20\x07\x7c' + '\x7b\xda\x5d\x1a\x72\x45\xc4\x79', + seq=1) + +d_ref = sa.decrypt(ref) +d_ref + +* Check for ICMP layer in decrypted reference +assert(d_ref.haslayer(ICMP)) + ####################################### = IPv4 / ESP - Transport - AES-CCM - NULL - altered packet ~ combined_modes_ccm -- GitLab