Enable sha384/sha512 auth algorithms for *Swan drivers

Closes-Bug: #1747654
Change-Id: I84d3ac6379bc0b6d483b557f38f3a462f0f1f1bf
Hunt Xu 2018-02-06 18:21:21 +08:00
parent 4b1c05a17f
commit 03b6cc8187
5 changed files with 21 additions and 64 deletions


@ -151,6 +151,8 @@ class BaseSwanProcess(object):
"aes-256": "aes256", "aes-256": "aes256",
"aes-192": "aes192", "aes-192": "aes192",
"sha256": "sha2_256", "sha256": "sha2_256",
"sha384": "sha2_384",
"sha512": "sha2_512",
"group2": "modp1024", "group2": "modp1024",
"group5": "modp1536", "group5": "modp1536",
"group14": "modp2048", "group14": "modp2048",
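Review bot: The new `"sha384": "sha2_384"` and `"sha512": "sha2_512"` entries in the `BaseSwanProcess` translation dict are only exercised by the StrongSwan scenario test in this change, while the validator docstring names Openswan as a consumer too; whether the other *Swan templates accept the `sha2_*` keywords is not shown on this page. A one-line comment above the two entries recording what was verified, e.g. `# sha2_384/sha2_512 keyword names verified against strongSwan; confirm for the other *Swan drivers`, would tell the next maintainer where the remaining risk is. The dict literal these entries belong to starts before this hunk.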


@ -23,11 +23,6 @@ class IpsecValidationFailure(nexception.BadRequest):
"with value '%(value)s'") "with value '%(value)s'")
class IkeValidationFailure(nexception.BadRequest):
message = _("IKE does not support %(resource)s attribute %(key)s "
"with value '%(value)s'")
class IpsecVpnValidator(driver_validator.VpnDriverValidator): class IpsecVpnValidator(driver_validator.VpnDriverValidator):
"""Driver-specific validator methods for the Openswan, Strongswan """Driver-specific validator methods for the Openswan, Strongswan
@ -46,43 +41,11 @@ class IpsecVpnValidator(driver_validator.VpnDriverValidator):
key='transform_protocol', key='transform_protocol',
value=transform_protocol) value=transform_protocol)
def _check_auth_algorithm(self, context, auth_algorithm):
"""Restrict selecting sha384 and sha512 as IPSec Policy auth algorithm.
For those *Swan implementations, the 'sha384' and 'sha512' auth
algorithm is not supported and therefore request should be rejected.
"""
if auth_algorithm in ["sha384", "sha512"]:
raise IpsecValidationFailure(
resource='IPsec Policy',
key='auth_algorithm',
value=auth_algorithm)
def validate_ipsec_policy(self, context, ipsec_policy): def validate_ipsec_policy(self, context, ipsec_policy):
transform_protocol = ipsec_policy.get('transform_protocol') transform_protocol = ipsec_policy.get('transform_protocol')
self._check_transform_protocol(context, transform_protocol) self._check_transform_protocol(context, transform_protocol)
auth_algorithm = ipsec_policy.get('auth_algorithm')
self._check_auth_algorithm(context, auth_algorithm)
def validate_ike_policy(self, context, ike_policy):
"""Restrict selecting sha384 and sha512 as IKE Policy auth algorithm.
For those *Swan implementations, the 'sha384' and 'sha512' auth
algorithm is not supported and therefore request should be rejected.
"""
auth_algorithm = ike_policy.get('auth_algorithm')
if auth_algorithm in ["sha384", "sha512"]:
raise IkeValidationFailure(
resource='IKE Policy',
key='auth_algorithm',
value=auth_algorithm)
def validate_ipsec_site_connection(self, context, ipsec_sitecon): def validate_ipsec_site_connection(self, context, ipsec_sitecon):
if 'ikepolicy_id' in ipsec_sitecon:
ike_policy = self.driver.service_plugin.get_ikepolicy(
context, ipsec_sitecon['ikepolicy_id'])
self.validate_ike_policy(context, ike_policy)
if 'ipsecpolicy_id' in ipsec_sitecon: if 'ipsecpolicy_id' in ipsec_sitecon:
ipsec_policy = self.driver.service_plugin.get_ipsecpolicy( ipsec_policy = self.driver.service_plugin.get_ipsecpolicy(
context, ipsec_sitecon['ipsecpolicy_id']) context, ipsec_sitecon['ipsecpolicy_id'])
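Review bot: Deleting the module-level `IkeValidationFailure` class (the three removed lines after the `IpsecValidationFailure` message) drops a public name from the validator module instead of deprecating it, so any out-of-tree code that imports `ipsec_validator.IkeValidationFailure` now fails at import time even though nothing here raises it any more. Keeping the class definition for a cycle with a comment such as `# Deprecated: no longer raised by this validator; kept for import compatibility` would avoid that. The second hunk also removes `validate_ike_policy` from `IpsecVpnValidator`; if the base `VpnDriverValidator` provides a default, callers fall through to it, otherwise any caller of that method on this validator breaks — which case applies is not visible on this page. The body of `validate_ipsec_site_connection` continues past the end of the hunk.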


@ -227,7 +227,7 @@ class TestStrongSwanScenario(test_scenario.TestIPSecBase):
self.check_ping(site1, site2) self.check_ping(site1, site2)
self.check_ping(site2, site1) self.check_ping(site2, site1)
def test_strongswan_connection_with_sha256(self): def _test_strongswan_connection_with_auth_algo(self, auth_algo):
site1 = self.create_site(test_scenario.PUBLIC_NET[4], site1 = self.create_site(test_scenario.PUBLIC_NET[4],
[self.private_nets[1]]) [self.private_nets[1]])
site2 = self.create_site(test_scenario.PUBLIC_NET[5], site2 = self.create_site(test_scenario.PUBLIC_NET[5],
@ -237,9 +237,18 @@ class TestStrongSwanScenario(test_scenario.TestIPSecBase):
self.check_ping(site2, site1, success=False) self.check_ping(site2, site1, success=False)
self.prepare_ipsec_site_connections(site1, site2) self.prepare_ipsec_site_connections(site1, site2)
self._override_auth_algorithm_for_site(site1, 'sha256') self._override_auth_algorithm_for_site(site1, auth_algo)
self._override_auth_algorithm_for_site(site2, 'sha256') self._override_auth_algorithm_for_site(site2, auth_algo)
self.sync_to_create_ipsec_connections(site1, site2) self.sync_to_create_ipsec_connections(site1, site2)
self.check_ping(site1, site2) self.check_ping(site1, site2)
self.check_ping(site2, site1) self.check_ping(site2, site1)
def test_strongswan_connection_with_sha256(self):
self._test_strongswan_connection_with_auth_algo('sha256')
def test_strongswan_connection_with_sha384(self):
self._test_strongswan_connection_with_auth_algo('sha384')
def test_strongswan_connection_with_sha512(self):
self._test_strongswan_connection_with_auth_algo('sha512')
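Review bot: The new helper `_test_strongswan_connection_with_auth_algo` has no docstring, and its `auth_algo` parameter is the only thing that distinguishes the three one-line tests that now call it. A short docstring such as `"""Bring up two sites, override their auth algorithm with *auth_algo*, and verify ping succeeds in both directions."""` would make the three call sites self-explanatory. Whether `_override_auth_algorithm_for_site` applies the value to the IKE policy, the IPsec policy, or both is not visible in this section, so the docstring should describe only what the helper is seen to do. The helper's body spans both hunks and ends at the second `check_ping` call.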


@ -459,31 +459,8 @@ class TestIPsecDriver(base.BaseTestCase):
ctxt, FAKE_SERVICE_ID, v4_ip='10.0.0.99', v6_ip='2001::1') ctxt, FAKE_SERVICE_ID, v4_ip='10.0.0.99', v6_ip='2001::1')
def test_validate_ipsec_policy(self): def test_validate_ipsec_policy(self):
# Validate IPsec Policy transform_protocol and auth_algorithm # Validate IPsec Policy transform_protocol
ipsec_policy = {'transform_protocol': 'ah-esp'} ipsec_policy = {'transform_protocol': 'ah-esp'}
self.assertRaises(ipsec_validator.IpsecValidationFailure, self.assertRaises(ipsec_validator.IpsecValidationFailure,
self.validator.validate_ipsec_policy, self.validator.validate_ipsec_policy,
self.context, ipsec_policy) self.context, ipsec_policy)
auth_algorithm = {'auth_algorithm': 'sha384'}
self.assertRaises(ipsec_validator.IpsecValidationFailure,
self.validator.validate_ipsec_policy,
self.context, auth_algorithm)
auth_algorithm = {'auth_algorithm': 'sha512'}
self.assertRaises(ipsec_validator.IpsecValidationFailure,
self.validator.validate_ipsec_policy,
self.context, auth_algorithm)
def test_validate_ike_policy(self):
# Validate IKE Policy auth_algorithm
auth_algorithm = {'auth_algorithm': 'sha384'}
self.assertRaises(ipsec_validator.IkeValidationFailure,
self.validator.validate_ike_policy,
self.context, auth_algorithm)
auth_algorithm = {'auth_algorithm': 'sha512'}
self.assertRaises(ipsec_validator.IkeValidationFailure,
self.validator.validate_ike_policy,
self.context, auth_algorithm)
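Review bot: With the sha384/sha512 negative cases removed, `test_validate_ipsec_policy` no longer asserts anything about `auth_algorithm`, so a regression that re-rejects those values would pass the unit suite unnoticed. A positive case is two lines: `ipsec_policy = {'transform_protocol': 'esp', 'auth_algorithm': 'sha384'}` followed by `self.validator.validate_ipsec_policy(self.context, ipsec_policy)`, repeated for `'sha512'`, assuming `esp` passes `_check_transform_protocol` (only the rejection of `ah-esp` is visible here). The rewritten comment on the first line would then read `# Validate IPsec Policy transform_protocol and accepted auth_algorithm`.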


@ -0,0 +1,6 @@
---
prelude: >
Enable sha384 and sha512 auth algorithms for \*Swan drivers
features:
- Users can now specify sha384 and sha512 as the auth algorithm for both IKE
policy and IPsec policy, when using \*Swan IPsec drivers.