Enable sha384/sha512 auth algorithms for *Swan drivers
Closes-Bug: #1747654 Change-Id: I84d3ac6379bc0b6d483b557f38f3a462f0f1f1bf
parent
4b1c05a17f
commit
03b6cc8187
@ -151,6 +151,8 @@ class BaseSwanProcess(object):
|
|||||||
"aes-256": "aes256",
|
"aes-256": "aes256",
|
||||||
"aes-192": "aes192",
|
"aes-192": "aes192",
|
||||||
"sha256": "sha2_256",
|
"sha256": "sha2_256",
|
||||||
|
"sha384": "sha2_384",
|
||||||
|
"sha512": "sha2_512",
|
||||||
"group2": "modp1024",
|
"group2": "modp1024",
|
||||||
"group5": "modp1536",
|
"group5": "modp1536",
|
||||||
"group14": "modp2048",
|
"group14": "modp2048",
|
||||||
|
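Review bot: The two new entries `"sha384": "sha2_384"` and `"sha512": "sha2_512"` go into the shared BaseSwanProcess table, so every *Swan subclass inherits them, while the same commit removes the validator guard that used to reject these values (hunk at L95); a backend whose configuration parser does not recognise these identifiers will now fail at tunnel setup instead of being refused at the API. strongSwan and Libreswan accept the sha2_384/sha2_512 spelling; Openswan is the subclass to confirm, and any subclass whose backend lacks them should override the entries. I'd add a comment above the new pair, `# sha2_384/sha2_512: supported by strongSwan and Libreswan; override in a subclass if its backend lacks them`. The dict holding these entries starts and ends outside the hunk.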
@ -23,11 +23,6 @@ class IpsecValidationFailure(nexception.BadRequest):
|
|||||||
"with value '%(value)s'")
|
"with value '%(value)s'")
|
||||||
|
|
||||||
|
|
||||||
class IkeValidationFailure(nexception.BadRequest):
|
|
||||||
message = _("IKE does not support %(resource)s attribute %(key)s "
|
|
||||||
"with value '%(value)s'")
|
|
||||||
|
|
||||||
|
|
||||||
class IpsecVpnValidator(driver_validator.VpnDriverValidator):
|
class IpsecVpnValidator(driver_validator.VpnDriverValidator):
|
||||||
|
|
||||||
"""Driver-specific validator methods for the Openswan, Strongswan
|
"""Driver-specific validator methods for the Openswan, Strongswan
|
||||||
@ -46,43 +41,11 @@ class IpsecVpnValidator(driver_validator.VpnDriverValidator):
|
|||||||
key='transform_protocol',
|
key='transform_protocol',
|
||||||
value=transform_protocol)
|
value=transform_protocol)
|
||||||
|
|
||||||
def _check_auth_algorithm(self, context, auth_algorithm):
|
|
||||||
"""Restrict selecting sha384 and sha512 as IPSec Policy auth algorithm.
|
|
||||||
|
|
||||||
For those *Swan implementations, the 'sha384' and 'sha512' auth
|
|
||||||
algorithm is not supported and therefore request should be rejected.
|
|
||||||
"""
|
|
||||||
if auth_algorithm in ["sha384", "sha512"]:
|
|
||||||
raise IpsecValidationFailure(
|
|
||||||
resource='IPsec Policy',
|
|
||||||
key='auth_algorithm',
|
|
||||||
value=auth_algorithm)
|
|
||||||
|
|
||||||
def validate_ipsec_policy(self, context, ipsec_policy):
|
def validate_ipsec_policy(self, context, ipsec_policy):
|
||||||
transform_protocol = ipsec_policy.get('transform_protocol')
|
transform_protocol = ipsec_policy.get('transform_protocol')
|
||||||
self._check_transform_protocol(context, transform_protocol)
|
self._check_transform_protocol(context, transform_protocol)
|
||||||
auth_algorithm = ipsec_policy.get('auth_algorithm')
|
|
||||||
self._check_auth_algorithm(context, auth_algorithm)
|
|
||||||
|
|
||||||
def validate_ike_policy(self, context, ike_policy):
|
|
||||||
"""Restrict selecting sha384 and sha512 as IKE Policy auth algorithm.
|
|
||||||
|
|
||||||
For those *Swan implementations, the 'sha384' and 'sha512' auth
|
|
||||||
algorithm is not supported and therefore request should be rejected.
|
|
||||||
"""
|
|
||||||
auth_algorithm = ike_policy.get('auth_algorithm')
|
|
||||||
if auth_algorithm in ["sha384", "sha512"]:
|
|
||||||
raise IkeValidationFailure(
|
|
||||||
resource='IKE Policy',
|
|
||||||
key='auth_algorithm',
|
|
||||||
value=auth_algorithm)
|
|
||||||
|
|
||||||
def validate_ipsec_site_connection(self, context, ipsec_sitecon):
|
def validate_ipsec_site_connection(self, context, ipsec_sitecon):
|
||||||
if 'ikepolicy_id' in ipsec_sitecon:
|
|
||||||
ike_policy = self.driver.service_plugin.get_ikepolicy(
|
|
||||||
context, ipsec_sitecon['ikepolicy_id'])
|
|
||||||
self.validate_ike_policy(context, ike_policy)
|
|
||||||
|
|
||||||
if 'ipsecpolicy_id' in ipsec_sitecon:
|
if 'ipsecpolicy_id' in ipsec_sitecon:
|
||||||
ipsec_policy = self.driver.service_plugin.get_ipsecpolicy(
|
ipsec_policy = self.driver.service_plugin.get_ipsecpolicy(
|
||||||
context, ipsec_sitecon['ipsecpolicy_id'])
|
context, ipsec_sitecon['ipsecpolicy_id'])
|
||||||
|
@ -227,7 +227,7 @@ class TestStrongSwanScenario(test_scenario.TestIPSecBase):
|
|||||||
self.check_ping(site1, site2)
|
self.check_ping(site1, site2)
|
||||||
self.check_ping(site2, site1)
|
self.check_ping(site2, site1)
|
||||||
|
|
||||||
def test_strongswan_connection_with_sha256(self):
|
def _test_strongswan_connection_with_auth_algo(self, auth_algo):
|
||||||
site1 = self.create_site(test_scenario.PUBLIC_NET[4],
|
site1 = self.create_site(test_scenario.PUBLIC_NET[4],
|
||||||
[self.private_nets[1]])
|
[self.private_nets[1]])
|
||||||
site2 = self.create_site(test_scenario.PUBLIC_NET[5],
|
site2 = self.create_site(test_scenario.PUBLIC_NET[5],
|
||||||
@ -237,9 +237,18 @@ class TestStrongSwanScenario(test_scenario.TestIPSecBase):
|
|||||||
self.check_ping(site2, site1, success=False)
|
self.check_ping(site2, site1, success=False)
|
||||||
|
|
||||||
self.prepare_ipsec_site_connections(site1, site2)
|
self.prepare_ipsec_site_connections(site1, site2)
|
||||||
self._override_auth_algorithm_for_site(site1, 'sha256')
|
self._override_auth_algorithm_for_site(site1, auth_algo)
|
||||||
self._override_auth_algorithm_for_site(site2, 'sha256')
|
self._override_auth_algorithm_for_site(site2, auth_algo)
|
||||||
self.sync_to_create_ipsec_connections(site1, site2)
|
self.sync_to_create_ipsec_connections(site1, site2)
|
||||||
|
|
||||||
self.check_ping(site1, site2)
|
self.check_ping(site1, site2)
|
||||||
self.check_ping(site2, site1)
|
self.check_ping(site2, site1)
|
||||||
|
|
||||||
|
def test_strongswan_connection_with_sha256(self):
|
||||||
|
self._test_strongswan_connection_with_auth_algo('sha256')
|
||||||
|
|
||||||
|
def test_strongswan_connection_with_sha384(self):
|
||||||
|
self._test_strongswan_connection_with_auth_algo('sha384')
|
||||||
|
|
||||||
|
def test_strongswan_connection_with_sha512(self):
|
||||||
|
self._test_strongswan_connection_with_auth_algo('sha512')
|
||||||
|
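Review bot: The new helper `_test_strongswan_connection_with_auth_algo` has no docstring, and the three one-line tests built on it give no hint why these particular values matter, so a reader of the test file cannot tell that sha384/sha512 were until now rejected by the driver validator. I'd give the helper a docstring, `"""Bring up a site-to-site tunnel with auth_algo on both ends and verify ping both ways."""`, and put a one-line comment on the sha384 and sha512 tests such as `# previously rejected by the *Swan validator; must now negotiate`. These scenario cases cover strongSwan only, while the mapping they depend on lives in BaseSwanProcess; if a Libreswan scenario class exists (not visible here) it should receive the same parameterised cases. The helper's body is split between this hunk and the one above it.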
@ -459,31 +459,8 @@ class TestIPsecDriver(base.BaseTestCase):
|
|||||||
ctxt, FAKE_SERVICE_ID, v4_ip='10.0.0.99', v6_ip='2001::1')
|
ctxt, FAKE_SERVICE_ID, v4_ip='10.0.0.99', v6_ip='2001::1')
|
||||||
|
|
||||||
def test_validate_ipsec_policy(self):
|
def test_validate_ipsec_policy(self):
|
||||||
# Validate IPsec Policy transform_protocol and auth_algorithm
|
# Validate IPsec Policy transform_protocol
|
||||||
ipsec_policy = {'transform_protocol': 'ah-esp'}
|
ipsec_policy = {'transform_protocol': 'ah-esp'}
|
||||||
self.assertRaises(ipsec_validator.IpsecValidationFailure,
|
self.assertRaises(ipsec_validator.IpsecValidationFailure,
|
||||||
self.validator.validate_ipsec_policy,
|
self.validator.validate_ipsec_policy,
|
||||||
self.context, ipsec_policy)
|
self.context, ipsec_policy)
|
||||||
|
|
||||||
auth_algorithm = {'auth_algorithm': 'sha384'}
|
|
||||||
self.assertRaises(ipsec_validator.IpsecValidationFailure,
|
|
||||||
self.validator.validate_ipsec_policy,
|
|
||||||
self.context, auth_algorithm)
|
|
||||||
|
|
||||||
auth_algorithm = {'auth_algorithm': 'sha512'}
|
|
||||||
self.assertRaises(ipsec_validator.IpsecValidationFailure,
|
|
||||||
self.validator.validate_ipsec_policy,
|
|
||||||
self.context, auth_algorithm)
|
|
||||||
|
|
||||||
def test_validate_ike_policy(self):
|
|
||||||
# Validate IKE Policy auth_algorithm
|
|
||||||
|
|
||||||
auth_algorithm = {'auth_algorithm': 'sha384'}
|
|
||||||
self.assertRaises(ipsec_validator.IkeValidationFailure,
|
|
||||||
self.validator.validate_ike_policy,
|
|
||||||
self.context, auth_algorithm)
|
|
||||||
|
|
||||||
auth_algorithm = {'auth_algorithm': 'sha512'}
|
|
||||||
self.assertRaises(ipsec_validator.IkeValidationFailure,
|
|
||||||
self.validator.validate_ike_policy,
|
|
||||||
self.context, auth_algorithm)
|
|
||||||
|
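Review bot: With the sha384/sha512 rejection assertions deleted, `test_validate_ipsec_policy` no longer touches auth_algorithm at all, and nothing left in this file asserts the positive case that the validator now accepts those values, so a later re-tightening of the validator would pass the unit suite unnoticed. I'd keep the two policies and assert they validate without raising, pairing them with an accepted transform_protocol so the check exercised is the auth one: `for algo in ('sha384', 'sha512'):` / `    self.validator.validate_ipsec_policy(self.context, {'transform_protocol': 'esp', 'auth_algorithm': algo})`. The rewritten comment `# Validate IPsec Policy transform_protocol` could then read `# Validate IPsec Policy transform_protocol; sha384/sha512 auth must be accepted`.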
@ -0,0 +1,6 @@
|
|||||||
|
---
|
||||||
|
prelude: >
|
||||||
|
Enable sha384 and sha512 auth algorithms for \*Swan drivers
|
||||||
|
features:
|
||||||
|
- Users can now specify sha384 and sha512 as the auth algorithm for both IKE
|
||||||
|
policy and IPsec policy, when using \*Swan IPsec drivers.
|