authorChristian Poessinger <christian@poessinger.com>2021-02-27 22:59:00 +0100
committerChristian Poessinger <christian@poessinger.com>2021-02-28 00:54:37 +0100
commit5bcc549edeaeaa767d77a68b33751e834d467c34 (patch)
tree55d8f3d6eec096a58e5099b77d223b5d31ace095
parent857294427afba3259e683f2360c735f0f4be32b6 (diff)
macsec: T3368: add support for gcm-aes-256 cipher
-rw-r--r--interface-definitions/interfaces-macsec.xml.in8
-rwxr-xr-xsmoketest/scripts/cli/test_interfaces_macsec.py39
2 files changed, 43 insertions, 4 deletions
diff --git a/interface-definitions/interfaces-macsec.xml.in b/interface-definitions/interfaces-macsec.xml.in
index 94d78c6dd..3f2e5bb69 100644
--- a/interface-definitions/interfaces-macsec.xml.in
+++ b/interface-definitions/interfaces-macsec.xml.in
@@ -28,14 +28,18 @@
<properties>
<help>Cipher suite used</help>
<completionHelp>
- <list>gcm-aes-128</list>
+ <list>gcm-aes-128 gcm-aes-256</list>
</completionHelp>
<valueHelp>
<format>gcm-aes-128</format>
<description>Galois/Counter Mode of AES cipher with 128-bit key (default)</description>
</valueHelp>
+ <valueHelp>
+ <format>gcm-aes-256</format>
+ <description>Galois/Counter Mode of AES cipher with 256-bit key</description>
+ </valueHelp>
<constraint>
- <regex>(gcm-aes-128)</regex>
+ <regex>^(gcm-aes-128|gcm-aes-256)$</regex>
</constraint>
</properties>
</leafNode>
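Review bot: The help text for `gcm-aes-128` still reads "(default)" now that a second cipher is offered, yet the smoketest in this same commit expects the commit to fail until `security cipher` is set explicitly ("check validate() - cipher is mandatory"). If no implicit default really exists, the label will mislead an operator choosing between the two suites; consider `<description>Galois/Counter Mode of AES cipher with 128-bit key</description>`. The enclosing `<leafNode>` opens outside this hunk, so whether a `<defaultValue>` is declared there cannot be confirmed from here.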
diff --git a/smoketest/scripts/cli/test_interfaces_macsec.py b/smoketest/scripts/cli/test_interfaces_macsec.py
index 3a3e7bff3..d6bef993a 100755
--- a/smoketest/scripts/cli/test_interfaces_macsec.py
+++ b/smoketest/scripts/cli/test_interfaces_macsec.py
@@ -14,6 +14,7 @@
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
+import os
import re
import unittest
@@ -22,6 +23,7 @@ from netifaces import interfaces
from vyos.configsession import ConfigSessionError
from vyos.ifconfig import Section
+from vyos.util import cmd
from vyos.util import read_file
from vyos.util import process_named_running
@@ -30,6 +32,16 @@ def get_config_value(interface, key):
tmp = re.findall(r'\n?{}=(.*)'.format(key), tmp)
return tmp[0]
+def get_cipher(interface):
+ """ Returns the used encapsulation protocol for given interface.
+ If interface does not exist, None is returned.
+ """
+ if not os.path.exists(f'/sys/class/net/{interface}'):
+ return None
+ from json import loads
+ tmp = loads(cmd(f'ip -d -j link show {interface}'))[0]
+ return tmp['linkinfo']['info_data']['cipher_suite'].lower()
+
class MACsecInterfaceTest(BasicInterfaceTest.BaseTest):
@classmethod
def setUpClass(cls):
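Review bot: The docstring of `get_cipher` says it returns the "used encapsulation protocol", but the body returns `linkinfo.info_data.cipher_suite` from `ip -d -j link show`, lower-cased. Since this helper is what proves the kernel applied the requested cipher, the docstring should say so, e.g. `""" Return the MACsec cipher suite the kernel reports for the interface (lower-cased), or None if the interface does not exist. """`. It is also worth documenting that an interface which exists but is not a MACsec link raises `KeyError` on the `['linkinfo']['info_data']['cipher_suite']` lookup rather than returning None. The function-scope `from json import loads` could sit with the other imports at the top of the file.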
@@ -107,8 +119,30 @@ class MACsecInterfaceTest(BasicInterfaceTest.BaseTest):
# Check for running process
self.assertTrue(process_named_running('wpa_supplicant'))
- def test_macsec_mandatory_options(self):
+ def test_macsec_gcm_aes_128(self):
interface = 'macsec1'
+ cipher = 'gcm-aes-128'
+ self.session.set(self._base_path + [interface])
+
+ # check validate() - source interface is mandatory
+ with self.assertRaises(ConfigSessionError):
+ self.session.commit()
+ self.session.set(self._base_path + [interface, 'source-interface', 'eth0'])
+
+ # check validate() - cipher is mandatory
+ with self.assertRaises(ConfigSessionError):
+ self.session.commit()
+ self.session.set(self._base_path + [interface, 'security', 'cipher', cipher])
+
+ # final commit and verify
+ self.session.commit()
+ self.assertIn(interface, interfaces())
+ self.assertIn(interface, interfaces())
+ self.assertEqual(cipher, get_cipher(interface))
+
+ def test_macsec_gcm_aes_256(self):
+ interface = 'macsec4'
+ cipher = 'gcm-aes-256'
self.session.set(self._base_path + [interface])
# check validate() - source interface is mandatory
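Review bot: `self.assertIn(interface, interfaces())` appears twice on consecutive lines at the end of `test_macsec_gcm_aes_128`; the second call checks nothing new and can be dropped. The two cipher tests otherwise differ only in the interface name and the cipher string, so a shared private helper taking `(interface, cipher)` would keep their validate() steps from drifting apart. `test_macsec_gcm_aes_256` starts in this hunk and continues in the next one.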
@@ -119,11 +153,12 @@ class MACsecInterfaceTest(BasicInterfaceTest.BaseTest):
# check validate() - cipher is mandatory
with self.assertRaises(ConfigSessionError):
self.session.commit()
- self.session.set(self._base_path + [interface, 'security', 'cipher', 'gcm-aes-128'])
+ self.session.set(self._base_path + [interface, 'security', 'cipher', cipher])
# final commit and verify
self.session.commit()
self.assertIn(interface, interfaces())
+ self.assertEqual(cipher, get_cipher(interface))
def test_macsec_source_interface(self):
# Ensure source-interface can bot be part of any other bond or bridge
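Review bot: Both cipher tests cover only accepted values, so nothing pins the rejection path of the tightened `^(gcm-aes-128|gcm-aes-256)$` constraint introduced in the XML definition. A short negative case would guard against the allow-list being loosened later, for example `with self.assertRaises(ConfigSessionError):` followed by `self.session.set(self._base_path + [interface, 'security', 'cipher', 'gcm-aes-512'])`, where `gcm-aes-512` is a constructed invalid value. This assumes the session raises `ConfigSessionError` at set time when a constraint fails, which is not visible in this diff; if validation only happens on commit, the assertion belongs around `self.session.commit()` instead.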