Enable sha384/sha512 auth algorithms for *Swan drivers
Closes-Bug: #1747654 Change-Id: I84d3ac6379bc0b6d483b557f38f3a462f0f1f1bf
parent
4b1c05a17f
commit
03b6cc8187
@ -151,6 +151,8 @@ class BaseSwanProcess(object):
|
||||
"aes-256": "aes256",
|
||||
"aes-192": "aes192",
|
||||
"sha256": "sha2_256",
|
||||
"sha384": "sha2_384",
|
||||
"sha512": "sha2_512",
|
||||
"group2": "modp1024",
|
||||
"group5": "modp1536",
|
||||
"group14": "modp2048",
|
||||
|
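Review bot: The two new entries `"sha384": "sha2_384"` and `"sha512": "sha2_512"` extend the table that turns API auth_algorithm names into *Swan configuration keywords, but nothing in the hunk records that this table is now the only gate for those values, since the validator that used to reject sha384/sha512 is deleted in the `IpsecVpnValidator` hunk of this commit. A short header comment above the dict would make the coupling explicit, e.g. `# Maps Neutron VPNaaS auth_algorithm API values to *Swan config keywords; every value the API accepts must have an entry here, as the driver validator no longer filters them.` The enclosing class body starts and ends outside this hunk, so I cannot see how a lookup of an unmapped value behaves — worth confirming it fails closed (an explicit error) rather than emitting a config line built from an unvalidated string. It is also worth confirming that the truncated HMAC length these keywords select in the targeted *Swan versions (RFC 4868 semantics) matches what peers expect, since a mismatch only shows up as an SA that never establishes.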
@ -23,11 +23,6 @@ class IpsecValidationFailure(nexception.BadRequest):
|
||||
"with value '%(value)s'")
|
||||
|
||||
|
||||
class IkeValidationFailure(nexception.BadRequest):
|
||||
message = _("IKE does not support %(resource)s attribute %(key)s "
|
||||
"with value '%(value)s'")
|
||||
|
||||
|
||||
class IpsecVpnValidator(driver_validator.VpnDriverValidator):
|
||||
|
||||
"""Driver-specific validator methods for the Openswan, Strongswan
|
||||
@ -46,43 +41,11 @@ class IpsecVpnValidator(driver_validator.VpnDriverValidator):
|
||||
key='transform_protocol',
|
||||
value=transform_protocol)
|
||||
|
||||
def _check_auth_algorithm(self, context, auth_algorithm):
|
||||
"""Restrict selecting sha384 and sha512 as IPSec Policy auth algorithm.
|
||||
|
||||
For those *Swan implementations, the 'sha384' and 'sha512' auth
|
||||
algorithm is not supported and therefore request should be rejected.
|
||||
"""
|
||||
if auth_algorithm in ["sha384", "sha512"]:
|
||||
raise IpsecValidationFailure(
|
||||
resource='IPsec Policy',
|
||||
key='auth_algorithm',
|
||||
value=auth_algorithm)
|
||||
|
||||
def validate_ipsec_policy(self, context, ipsec_policy):
|
||||
transform_protocol = ipsec_policy.get('transform_protocol')
|
||||
self._check_transform_protocol(context, transform_protocol)
|
||||
auth_algorithm = ipsec_policy.get('auth_algorithm')
|
||||
self._check_auth_algorithm(context, auth_algorithm)
|
||||
|
||||
def validate_ike_policy(self, context, ike_policy):
|
||||
"""Restrict selecting sha384 and sha512 as IKE Policy auth algorithm.
|
||||
|
||||
For those *Swan implementations, the 'sha384' and 'sha512' auth
|
||||
algorithm is not supported and therefore request should be rejected.
|
||||
"""
|
||||
auth_algorithm = ike_policy.get('auth_algorithm')
|
||||
if auth_algorithm in ["sha384", "sha512"]:
|
||||
raise IkeValidationFailure(
|
||||
resource='IKE Policy',
|
||||
key='auth_algorithm',
|
||||
value=auth_algorithm)
|
||||
|
||||
def validate_ipsec_site_connection(self, context, ipsec_sitecon):
|
||||
if 'ikepolicy_id' in ipsec_sitecon:
|
||||
ike_policy = self.driver.service_plugin.get_ikepolicy(
|
||||
context, ipsec_sitecon['ikepolicy_id'])
|
||||
self.validate_ike_policy(context, ike_policy)
|
||||
|
||||
if 'ipsecpolicy_id' in ipsec_sitecon:
|
||||
ipsec_policy = self.driver.service_plugin.get_ipsecpolicy(
|
||||
context, ipsec_sitecon['ipsecpolicy_id'])
|
||||
|
@ -227,7 +227,7 @@ class TestStrongSwanScenario(test_scenario.TestIPSecBase):
|
||||
self.check_ping(site1, site2)
|
||||
self.check_ping(site2, site1)
|
||||
|
||||
def test_strongswan_connection_with_sha256(self):
|
||||
def _test_strongswan_connection_with_auth_algo(self, auth_algo):
|
||||
site1 = self.create_site(test_scenario.PUBLIC_NET[4],
|
||||
[self.private_nets[1]])
|
||||
site2 = self.create_site(test_scenario.PUBLIC_NET[5],
|
||||
@ -237,9 +237,18 @@ class TestStrongSwanScenario(test_scenario.TestIPSecBase):
|
||||
self.check_ping(site2, site1, success=False)
|
||||
|
||||
self.prepare_ipsec_site_connections(site1, site2)
|
||||
self._override_auth_algorithm_for_site(site1, 'sha256')
|
||||
self._override_auth_algorithm_for_site(site2, 'sha256')
|
||||
self._override_auth_algorithm_for_site(site1, auth_algo)
|
||||
self._override_auth_algorithm_for_site(site2, auth_algo)
|
||||
self.sync_to_create_ipsec_connections(site1, site2)
|
||||
|
||||
self.check_ping(site1, site2)
|
||||
self.check_ping(site2, site1)
|
||||
|
||||
def test_strongswan_connection_with_sha256(self):
|
||||
self._test_strongswan_connection_with_auth_algo('sha256')
|
||||
|
||||
def test_strongswan_connection_with_sha384(self):
|
||||
self._test_strongswan_connection_with_auth_algo('sha384')
|
||||
|
||||
def test_strongswan_connection_with_sha512(self):
|
||||
self._test_strongswan_connection_with_auth_algo('sha512')
|
||||
|
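Review bot: `_test_strongswan_connection_with_auth_algo` has no docstring, and now that it is the shared body of three tests a one-liner such as `"""Bring up a site1<->site2 connection using auth_algo on both ends and assert ping succeeds in both directions."""` would also explain why the `success=False` pings precede `prepare_ipsec_site_connections`. The three wrappers exercise only the StrongSwan scenario, while the validator removal in the `IpsecVpnValidator` hunk unlocks sha384/sha512 for the other *Swan driver as well, so unless an equivalent scenario exists outside this commit the positive path for that driver remains untested. The helper's signature and site setup are in the preceding hunk, so its beginning lies outside this one.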
@ -459,31 +459,8 @@ class TestIPsecDriver(base.BaseTestCase):
|
||||
ctxt, FAKE_SERVICE_ID, v4_ip='10.0.0.99', v6_ip='2001::1')
|
||||
|
||||
def test_validate_ipsec_policy(self):
|
||||
# Validate IPsec Policy transform_protocol and auth_algorithm
|
||||
# Validate IPsec Policy transform_protocol
|
||||
ipsec_policy = {'transform_protocol': 'ah-esp'}
|
||||
self.assertRaises(ipsec_validator.IpsecValidationFailure,
|
||||
self.validator.validate_ipsec_policy,
|
||||
self.context, ipsec_policy)
|
||||
|
||||
auth_algorithm = {'auth_algorithm': 'sha384'}
|
||||
self.assertRaises(ipsec_validator.IpsecValidationFailure,
|
||||
self.validator.validate_ipsec_policy,
|
||||
self.context, auth_algorithm)
|
||||
|
||||
auth_algorithm = {'auth_algorithm': 'sha512'}
|
||||
self.assertRaises(ipsec_validator.IpsecValidationFailure,
|
||||
self.validator.validate_ipsec_policy,
|
||||
self.context, auth_algorithm)
|
||||
|
||||
def test_validate_ike_policy(self):
|
||||
# Validate IKE Policy auth_algorithm
|
||||
|
||||
auth_algorithm = {'auth_algorithm': 'sha384'}
|
||||
self.assertRaises(ipsec_validator.IkeValidationFailure,
|
||||
self.validator.validate_ike_policy,
|
||||
self.context, auth_algorithm)
|
||||
|
||||
auth_algorithm = {'auth_algorithm': 'sha512'}
|
||||
self.assertRaises(ipsec_validator.IkeValidationFailure,
|
||||
self.validator.validate_ike_policy,
|
||||
self.context, auth_algorithm)
|
||||
|
@ -0,0 +1,6 @@
|
||||
---
|
||||
prelude: >
|
||||
Enable sha384 and sha512 auth algorithms for \*Swan drivers
|
||||
features:
|
||||
- Users can now specify sha384 and sha512 as the auth algorithm for both IKE
|
||||
policy and IPsec policy, when using \*Swan IPsec drivers.
|