summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorChristian Poessinger <christian@poessinger.com>2021-02-27 22:59:00 +0100
committerChristian Poessinger <christian@poessinger.com>2021-02-28 00:57:02 +0100
commitea10a87430452b5d1def7007dbf6fd349bce4c01 (patch)
treec350cae4b1c6dc8d749cadaf31312ab1a56ec6b2
parente721c998ba977db9184d13e119dda4d56269d553 (diff)
downloadvyos-1x-ea10a87430452b5d1def7007dbf6fd349bce4c01.tar.gz
vyos-1x-ea10a87430452b5d1def7007dbf6fd349bce4c01.zip
macsec: T3368: add support for gcm-aes-256 cipher
(cherry picked from commit 5bcc549edeaeaa767d77a68b33751e834d467c34)
-rw-r--r--interface-definitions/interfaces-macsec.xml.in8
-rwxr-xr-xsmoketest/scripts/cli/test_interfaces_macsec.py39
2 files changed, 43 insertions, 4 deletions
diff --git a/interface-definitions/interfaces-macsec.xml.in b/interface-definitions/interfaces-macsec.xml.in
index 94d78c6dd..3f2e5bb69 100644
--- a/interface-definitions/interfaces-macsec.xml.in
+++ b/interface-definitions/interfaces-macsec.xml.in
@@ -28,14 +28,18 @@
<properties>
<help>Cipher suite used</help>
<completionHelp>
- <list>gcm-aes-128</list>
+ <list>gcm-aes-128 gcm-aes-256</list>
</completionHelp>
<valueHelp>
<format>gcm-aes-128</format>
<description>Galois/Counter Mode of AES cipher with 128-bit key (default)</description>
</valueHelp>
+ <valueHelp>
+ <format>gcm-aes-256</format>
+ <description>Galois/Counter Mode of AES cipher with 256-bit key</description>
+ </valueHelp>
<constraint>
- <regex>(gcm-aes-128)</regex>
+ <regex>^(gcm-aes-128|gcm-aes-256)$</regex>
</constraint>
</properties>
</leafNode>
diff --git a/smoketest/scripts/cli/test_interfaces_macsec.py b/smoketest/scripts/cli/test_interfaces_macsec.py
index 3a3e7bff3..d6bef993a 100755
--- a/smoketest/scripts/cli/test_interfaces_macsec.py
+++ b/smoketest/scripts/cli/test_interfaces_macsec.py
@@ -14,6 +14,7 @@
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
+import os
import re
import unittest
@@ -22,6 +23,7 @@ from netifaces import interfaces
from vyos.configsession import ConfigSessionError
from vyos.ifconfig import Section
+from vyos.util import cmd
from vyos.util import read_file
from vyos.util import process_named_running
@@ -30,6 +32,16 @@ def get_config_value(interface, key):
tmp = re.findall(r'\n?{}=(.*)'.format(key), tmp)
return tmp[0]
+def get_cipher(interface):
+ """ Returns the used encapsulation protocol for given interface.
+ If interface does not exist, None is returned.
+ """
+ if not os.path.exists(f'/sys/class/net/{interface}'):
+ return None
+ from json import loads
+ tmp = loads(cmd(f'ip -d -j link show {interface}'))[0]
+ return tmp['linkinfo']['info_data']['cipher_suite'].lower()
+
class MACsecInterfaceTest(BasicInterfaceTest.BaseTest):
@classmethod
def setUpClass(cls):
@@ -107,8 +119,30 @@ class MACsecInterfaceTest(BasicInterfaceTest.BaseTest):
# Check for running process
self.assertTrue(process_named_running('wpa_supplicant'))
- def test_macsec_mandatory_options(self):
+ def test_macsec_gcm_aes_128(self):
interface = 'macsec1'
+ cipher = 'gcm-aes-128'
+ self.session.set(self._base_path + [interface])
+
+ # check validate() - source interface is mandatory
+ with self.assertRaises(ConfigSessionError):
+ self.session.commit()
+ self.session.set(self._base_path + [interface, 'source-interface', 'eth0'])
+
+ # check validate() - cipher is mandatory
+ with self.assertRaises(ConfigSessionError):
+ self.session.commit()
+ self.session.set(self._base_path + [interface, 'security', 'cipher', cipher])
+
+ # final commit and verify
+ self.session.commit()
+ self.assertIn(interface, interfaces())
+ self.assertIn(interface, interfaces())
+ self.assertEqual(cipher, get_cipher(interface))
+
+ def test_macsec_gcm_aes_256(self):
+ interface = 'macsec4'
+ cipher = 'gcm-aes-256'
self.session.set(self._base_path + [interface])
# check validate() - source interface is mandatory
@@ -119,11 +153,12 @@ class MACsecInterfaceTest(BasicInterfaceTest.BaseTest):
# check validate() - cipher is mandatory
with self.assertRaises(ConfigSessionError):
self.session.commit()
- self.session.set(self._base_path + [interface, 'security', 'cipher', 'gcm-aes-128'])
+ self.session.set(self._base_path + [interface, 'security', 'cipher', cipher])
# final commit and verify
self.session.commit()
self.assertIn(interface, interfaces())
+ self.assertEqual(cipher, get_cipher(interface))
def test_macsec_source_interface(self):
# Ensure source-interface can bot be part of any other bond or bridge