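// Copyright 2018-2019 Authors of Cilium
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

// +build privileged_tests

package ipsec

import (
	"bytes"
	"net"
	"os"
	"testing"

	"github.com/cilium/cilium/pkg/bpf"

	"github.com/vishvananda/netlink"
	. "gopkg.in/check.v1"
)

// Hook up gocheck into the "go test" runner.
func Test(t *testing.T) { TestingT(t) }

// IPSecSuitePrivileged groups the IPsec tests in this file. They are built
// only with the privileged_tests tag and call UpsertIPsecEndpoint and
// ipsecDeleteXfrmSpi directly, so they act on the state of the host they run
// on.
type IPSecSuitePrivileged struct{}

var _ = Suite(&IPSecSuitePrivileged{})

// Test fixtures. Every key below is a fixed, publicly visible test value and
// must never be reused as real key material.
var (
	// path names a key file that TestLoadKeysNoFile expects to be absent
	// from the working directory.
	path = "ipsec_keys_test"

	// keysDat holds three entries that TestLoadKeys expects to load without
	// error: an hmac(sha256)/cbc(aes) pair, the same pair followed by an
	// extra trailing field, and a digest_null/cipher_null pair with empty
	// keys.
	// NOTE(review): the last entry pins that null auth/cipher algorithms are
	// accepted by the loader; whether a deployment should accept them is
	// decided outside this file.
	keysDat = []byte("1 hmac(sha256) 0123456789abcdef0123456789abcdef cbc(aes) 0123456789abcdef0123456789abcdef\n1 hmac(sha256) 0123456789abcdef0123456789abcdef cbc(aes) 0123456789abcdef0123456789abcdef foobar\n1 digest_null \"\" cipher_null \"\"\n")

	// keysAeadDat is a single rfc4106(gcm(aes)) entry with a 40-hex-digit
	// key and a trailing 128 (presumably the ICV length, matching ICVLen in
	// the upsert tests below; confirm against the loader).
	keysAeadDat = []byte("6 rfc4106(gcm(aes)) 44434241343332312423222114131211f4f3f2f1 128\n")

	// invalidKeysDat uses key strings that are not hexadecimal;
	// TestInvalidLoadKeys expects the loader to reject it.
	invalidKeysDat = []byte("1 test abcdefghijklmnopqrstuvwzyzABCDEF test abcdefghijklmnopqrstuvwzyzABCDEF\n")
)

// SetUpTest runs before each test and requires bpf.ConfigureResourceLimits
// to succeed.
func (p *IPSecSuitePrivileged) SetUpTest(c *C) {
	err := bpf.ConfigureResourceLimits()
	c.Assert(err, IsNil)
}

// TestLoadKeysNoFile checks that loading a missing key file yields an error
// recognised by os.IsNotExist.
func (p *IPSecSuitePrivileged) TestLoadKeysNoFile(c *C) {
	_, _, err := LoadIPSecKeysFile(path)
	c.Assert(os.IsNotExist(err), Equals, true)
}

// TestInvalidLoadKeys checks that malformed key data is rejected and that a
// subsequent endpoint upsert fails as well.
func (p *IPSecSuitePrivileged) TestInvalidLoadKeys(c *C) {
	keys := bytes.NewReader(invalidKeysDat)
	_, _, err := loadIPSecKeys(keys)
	c.Assert(err, NotNil)

	_, local, err := net.ParseCIDR("1.1.3.4/16")
	c.Assert(err, IsNil)
	_, remote, err := net.ParseCIDR("1.2.3.4/16")
	c.Assert(err, IsNil)

	// The upsert must fail here; this relies on no usable key being left in
	// ipSecKeysGlobal by another test.
	_, err = UpsertIPsecEndpoint(local, remote, IPSecDirBoth, false)
	c.Assert(err, NotNil)
}

// TestLoadKeys checks that both the auth+crypt fixture and the AEAD fixture
// load without error.
func (p *IPSecSuitePrivileged) TestLoadKeys(c *C) {
	keys := bytes.NewReader(keysDat)
	_, _, err := loadIPSecKeys(keys)
	c.Assert(err, IsNil)
	keys = bytes.NewReader(keysAeadDat)
	_, _, err = loadIPSecKeys(keys)
	c.Assert(err, IsNil)
}

// TestUpsertIPSecEquals upserts an endpoint whose local and remote CIDRs are
// identical, first with an hmac(sha256)/cbc(aes) key and then with an
// rfc4106(gcm(aes)) AEAD key, and expects both upserts to succeed.
func (p *IPSecSuitePrivileged) TestUpsertIPSecEquals(c *C) {
	_, local, err := net.ParseCIDR("1.2.3.4/16")
	c.Assert(err, IsNil)
	_, remote, err := net.ParseCIDR("1.2.3.4/16")
	c.Assert(err, IsNil)

	_, authKey, err := decodeIPSecKey("0123456789abcdef0123456789abcdef")
	c.Assert(err, IsNil)
	_, cryptKey, err := decodeIPSecKey("0123456789abcdef0123456789abcdef")
	c.Assert(err, IsNil)
	key := &ipSecKey{
		Spi:   1,
		ReqID: 1,
		Auth:  &netlink.XfrmStateAlgo{Name: "hmac(sha256)", Key: authKey},
		Crypt: &netlink.XfrmStateAlgo{Name: "cbc(aes)", Key: cryptKey},
	}

	// A failed c.Assert ends the test immediately but still runs deferred
	// calls. Deferring the cleanup keeps a failure from leaving the test key
	// in the package-level map, or whatever ipsecDeleteXfrmSpi removes on
	// the host, behind for later tests.
	defer func() {
		ipsecDeleteXfrmSpi(0)
		ipSecKeysGlobal["1.2.3.4"] = nil
		ipSecKeysGlobal[""] = nil
	}()

	ipSecKeysGlobal["1.2.3.4"] = key
	ipSecKeysGlobal[""] = key

	_, err = UpsertIPsecEndpoint(local, remote, IPSecDirBoth, false)
	c.Assert(err, IsNil)

	// Clear what the first upsert installed before repeating with AEAD.
	ipsecDeleteXfrmSpi(0)

	_, aeadKey, err := decodeIPSecKey("44434241343332312423222114131211f4f3f2f1")
	c.Assert(err, IsNil)
	key = &ipSecKey{
		Spi:   1,
		ReqID: 1,
		Aead:  &netlink.XfrmStateAlgo{Name: "rfc4106(gcm(aes))", Key: aeadKey, ICVLen: 128},
		Crypt: nil,
		Auth:  nil,
	}

	ipSecKeysGlobal["1.2.3.4"] = key
	ipSecKeysGlobal[""] = key

	_, err = UpsertIPsecEndpoint(local, remote, IPSecDirBoth, false)
	c.Assert(err, IsNil)
}

// TestUpsertIPSecEndpoint upserts an endpoint with distinct local and remote
// CIDRs, first with an hmac(sha256)/cbc(aes) key and then with an
// rfc4106(gcm(aes)) AEAD key, and expects both upserts to succeed.
func (p *IPSecSuitePrivileged) TestUpsertIPSecEndpoint(c *C) {
	_, local, err := net.ParseCIDR("1.1.3.4/16")
	c.Assert(err, IsNil)
	_, remote, err := net.ParseCIDR("1.2.3.4/16")
	c.Assert(err, IsNil)

	_, authKey, err := decodeIPSecKey("0123456789abcdef0123456789abcdef")
	c.Assert(err, IsNil)
	_, cryptKey, err := decodeIPSecKey("0123456789abcdef0123456789abcdef")
	c.Assert(err, IsNil)
	key := &ipSecKey{
		Spi:   1,
		ReqID: 1,
		Auth:  &netlink.XfrmStateAlgo{Name: "hmac(sha256)", Key: authKey},
		Crypt: &netlink.XfrmStateAlgo{Name: "cbc(aes)", Key: cryptKey},
	}

	// Deferred so that the cleanup also runs when an assertion below aborts
	// the test; otherwise the key would stay in ipSecKeysGlobal and affect
	// tests that expect it to be missing.
	defer func() {
		ipsecDeleteXfrmSpi(0)
		ipSecKeysGlobal["1.1.3.4"] = nil
		ipSecKeysGlobal["1.2.3.4"] = nil
		ipSecKeysGlobal[""] = nil
	}()

	ipSecKeysGlobal["1.1.3.4"] = key
	ipSecKeysGlobal["1.2.3.4"] = key
	ipSecKeysGlobal[""] = key

	_, err = UpsertIPsecEndpoint(local, remote, IPSecDirBoth, false)
	c.Assert(err, IsNil)

	// Clear what the first upsert installed before repeating with AEAD.
	ipsecDeleteXfrmSpi(0)

	_, aeadKey, err := decodeIPSecKey("44434241343332312423222114131211f4f3f2f1")
	c.Assert(err, IsNil)
	key = &ipSecKey{
		Spi:   1,
		ReqID: 1,
		Aead:  &netlink.XfrmStateAlgo{Name: "rfc4106(gcm(aes))", Key: aeadKey, ICVLen: 128},
		Crypt: nil,
		Auth:  nil,
	}

	ipSecKeysGlobal["1.1.3.4"] = key
	ipSecKeysGlobal["1.2.3.4"] = key
	ipSecKeysGlobal[""] = key

	_, err = UpsertIPsecEndpoint(local, remote, IPSecDirBoth, false)
	c.Assert(err, IsNil)
}

// TestUpsertIPSecKeyMissing checks that an upsert without a configured key
// fails with the "IPSec key missing" error rather than installing state
// without key material.
func (p *IPSecSuitePrivileged) TestUpsertIPSecKeyMissing(c *C) {
	_, local, err := net.ParseCIDR("1.1.3.4/16")
	c.Assert(err, IsNil)
	_, remote, err := net.ParseCIDR("1.2.3.4/16")
	c.Assert(err, IsNil)

	// Deferred so the cleanup still runs if the assertion below fails, for
	// example because the upsert unexpectedly succeeded.
	defer ipsecDeleteXfrmSpi(0)

	_, err = UpsertIPsecEndpoint(local, remote, IPSecDirBoth, false)
	c.Assert(err, ErrorMatches, "unable to replace local state: IPSec key missing")
}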