1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
|
#!/usr/bin/env python3
#
# Copyright (C) 2020 VyOS maintainers and contributors
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2 or later as
# published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
import re
import unittest
from psutil import process_iter
from vyos.ifconfig import Section
from base_interfaces_test import BasicInterfaceTest
from vyos.configsession import ConfigSessionError
from vyos.util import read_file
def get_config_value(intf, key):
tmp = read_file(f'/run/wpa_supplicant/{intf}.conf')
tmp = re.findall(r'\n?{}=(.*)'.format(key), tmp)
return tmp[0]
class MACsecInterfaceTest(BasicInterfaceTest.BaseTest):
def setUp(self):
super().setUp()
self._base_path = ['interfaces', 'macsec']
self._options = {
'macsec0': ['source-interface eth0',
'security cipher gcm-aes-128']
}
# if we have a physical eth1 interface, add a second macsec instance
if 'eth1' in Section.interfaces("ethernet"):
macsec = { 'macsec1': ['source-interface eth1', 'security cipher gcm-aes-128'] }
self._options.update(macsec)
self._interfaces = list(self._options)
def test_encryption(self):
""" MACsec can be operating in authentication and encryption
mode - both using different mandatory settings, lets test
encryption as the basic authentication test has been performed
using the base class tests """
intf = 'macsec0'
src_intf = 'eth0'
mak_cak = '232e44b7fda6f8e2d88a07bf78a7aff4'
mak_ckn = '40916f4b23e3d548ad27eedd2d10c6f98c2d21684699647d63d41b500dfe8836'
replay_window = '64'
self.session.set(self._base_path + [intf, 'security', 'encrypt'])
# check validate() - Cipher suite must be set for MACsec
with self.assertRaises(ConfigSessionError):
self.session.commit()
self.session.set(self._base_path + [intf, 'security', 'cipher', 'gcm-aes-128'])
# check validate() - Physical source interface must be set for MACsec
with self.assertRaises(ConfigSessionError):
self.session.commit()
self.session.set(self._base_path + [intf, 'source-interface', src_intf])
# check validate() - MACsec security keys mandartory when encryption is enabled
with self.assertRaises(ConfigSessionError):
self.session.commit()
self.session.set(self._base_path + [intf, 'security', 'mka', 'cak', mak_cak])
# check validate() - MACsec security keys mandartory when encryption is enabled
with self.assertRaises(ConfigSessionError):
self.session.commit()
self.session.set(self._base_path + [intf, 'security', 'mka', 'ckn', mak_ckn])
self.session.set(self._base_path + [intf, 'security', 'replay-window', replay_window])
self.session.commit()
tmp = get_config_value(src_intf, 'macsec_integ_only')
self.assertTrue("0" in tmp)
tmp = get_config_value(src_intf, 'mka_cak')
self.assertTrue(mak_cak in tmp)
tmp = get_config_value(src_intf, 'mka_ckn')
self.assertTrue(mak_ckn in tmp)
# check that the default priority of 255 is programmed
tmp = get_config_value(src_intf, 'mka_priority')
self.assertTrue("255" in tmp)
tmp = get_config_value(src_intf, 'macsec_replay_window')
self.assertTrue(replay_window in tmp)
# Check for running process
self.assertTrue("wpa_supplicant" in (p.name() for p in process_iter()))
if __name__ == '__main__':
unittest.main()
|
