Merge "Openswan/Libreswan: support sha256 for auth algorithm"

2016-04-15 14:25:01 +00:00 · 2016-04-15 14:25:01 +00:00 · da3b6583a2
commit da3b6583a2
parent 5de1151858 b73e100255
6 changed files with 111 additions and 6 deletions
--- a/neutron_vpnaas/db/migration/alembic_migrations/versions/EXPAND_HEAD
+++ b/neutron_vpnaas/db/migration/alembic_migrations/versions/EXPAND_HEAD
@ -1 +1 @@
-28ee739a7e4b
+fe637dc3f042
--- a/neutron_vpnaas/db/migration/alembic_migrations/versions/newton/expand/fe637dc3f042_support_sha256.py
+++ b/neutron_vpnaas/db/migration/alembic_migrations/versions/newton/expand/fe637dc3f042_support_sha256.py
@ -0,0 +1,42 @@
+# Copyright 2016 <Yi Jing Zhu/IBM>
+#
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+#
+
+"""support sha256
+
+Revision ID: fe637dc3f042
+Revises: 28ee739a7e4b
+Create Date: 2016-04-08 22:33:53.286083
+
+"""
+
+from neutron.db import migration
+import sqlalchemy as sa
+
+
+# revision identifiers, used by Alembic.
+revision = 'fe637dc3f042'
+down_revision = '28ee739a7e4b'
+
+# milestone identifier, used by neutron-db-manage
+neutron_milestone = [migration.NEWTON]
+
+new_auth = sa.Enum('sha1', 'sha256', name='vpn_auth_algorithms')
+
+
+def upgrade():
+    migration.alter_enum('ikepolicies', 'auth_algorithm', new_auth,
+                nullable=False, do_drop=False)
+    migration.alter_enum('ipsecpolicies', 'auth_algorithm', new_auth,
+                nullable=False, do_rename=False, do_create=False)
--- a/neutron_vpnaas/db/vpn/vpn_models.py
+++ b/neutron_vpnaas/db/vpn/vpn_models.py
@ -43,7 +43,7 @@ class IPsecPolicy(model_base.BASEV2, models_v2.HasId, models_v2.HasTenant):
    transform_protocol = sa.Column(sa.Enum("esp", "ah", "ah-esp",
                                           name="ipsec_transform_protocols"),
                                   nullable=False)
-    auth_algorithm = sa.Column(sa.Enum("sha1",
+    auth_algorithm = sa.Column(sa.Enum("sha1", "sha256",
                                       name="vpn_auth_algorithms"),
                               nullable=False)
    encryption_algorithm = sa.Column(sa.Enum("3des", "aes-128",
@ -66,7 +66,7 @@ class IKEPolicy(model_base.BASEV2, models_v2.HasId, models_v2.HasTenant):
    __tablename__ = 'ikepolicies'
    name = sa.Column(sa.String(attr.NAME_MAX_LEN))
    description = sa.Column(sa.String(attr.DESCRIPTION_MAX_LEN))
-    auth_algorithm = sa.Column(sa.Enum("sha1",
+    auth_algorithm = sa.Column(sa.Enum("sha1", "sha256",
                                       name="vpn_auth_algorithms"),
                               nullable=False)
    encryption_algorithm = sa.Column(sa.Enum("3des", "aes-128",
--- a/neutron_vpnaas/extensions/vpnaas.py
+++ b/neutron_vpnaas/extensions/vpnaas.py
@ -181,7 +181,7 @@ vpn_supported_lifetime_units = ['seconds']
 vpn_supported_pfs = ['group2', 'group5', 'group14']
 vpn_supported_ike_versions = ['v1', 'v2']
 vpn_supported_auth_mode = ['psk']
-vpn_supported_auth_algorithms = ['sha1']
+vpn_supported_auth_algorithms = ['sha1', 'sha256']
 vpn_supported_phase1_negotiation_mode = ['main']

 vpn_lifetime_limits = (60, attr.UNLIMITED)
--- a/neutron_vpnaas/services/vpn/device_drivers/ipsec.py
+++ b/neutron_vpnaas/services/vpn/device_drivers/ipsec.py
@ -142,6 +142,7 @@ class BaseSwanProcess(object):
        "aes-128": "aes128",
        "aes-256": "aes256",
        "aes-192": "aes192",
+        "sha256": "sha2_256",
        "group2": "modp1024",
        "group5": "modp1536",
        "group14": "modp2048",
--- a/neutron_vpnaas/tests/functional/common/test_scenario.py
+++ b/neutron_vpnaas/tests/functional/common/test_scenario.py
@ -93,6 +93,48 @@ FAKE_IPSEC_CONNECTION = {
    "id": _uuid()
 }

+
+FAKE_IKE_POLICY_SHA256 = {
+    'auth_algorithm': 'sha256',
+    "ike_version": "v1",
+    'encryption_algorithm': 'aes-128',
+    'pfs': 'group5',
+    'phase1_negotiation_mode': 'main',
+    'lifetime_units': 'seconds',
+    'lifetime_value': 3600
+}
+
+FAKE_IPSEC_POLICY_SHA256 = {
+    "encapsulation_mode": "tunnel",
+    "encryption_algorithm": "aes-128",
+    "pfs": "group5",
+    "lifetime_units": "seconds",
+    "lifetime_value": 3600,
+    "transform_protocol": "esp",
+    "auth_algorithm": "sha256",
+}
+
+FAKE_IPSEC_CONNECTION_SHA256 = {
+    "vpnservice_id": _uuid(),
+    "status": "PENDING_CREATE",
+    "psk": "969022489",
+    "initiator": "bi-directional",
+    "admin_state_up": True,
+    "auth_mode": "psk",
+    'external_ip': "172.24.4.8",
+    "peer_cidrs": ["10.100.255.224/28"],
+    "mtu": 1500,
+    "dpd_action": "hold",
+    "dpd_interval": 30,
+    "dpd_timeout": 120,
+    "route_mode": "static",
+    "ikepolicy": FAKE_IKE_POLICY_SHA256,
+    "ipsecpolicy": FAKE_IPSEC_POLICY_SHA256,
+    "peer_address": "172.24.4.8",
+    "peer_id": "172.24.4.8",
+    "id": _uuid()
+}
+
 PUBLIC_NET = netaddr.IPNetwork('19.4.4.0/24')
 PRIVATE_NET = netaddr.IPNetwork('35.4.0.0/16')
 FAKE_PUBLIC_SUBNET_ID = _uuid()
@ -184,8 +226,8 @@ class SiteInfo(object):
                                 'router_id': self.info['id'],
                                 'external_ip': str(self.public_net)})

-    def prepare_ipsec_conn_info(self, peer):
-        ipsec_connection = copy.deepcopy(FAKE_IPSEC_CONNECTION)
+    def prepare_ipsec_conn_info(self, peer, connection=FAKE_IPSEC_CONNECTION):
+        ipsec_connection = copy.deepcopy(connection)
        local_cidrs = [str(s) for s in self.private_nets]
        peer_cidrs = [str(s) for s in peer.private_nets]
        ipsec_connection.update({
@ -431,6 +473,13 @@ class TestIPSecBase(base.BaseSudoTestCase):
        site1.prepare_ipsec_conn_info(site2)
        site2.prepare_ipsec_conn_info(site1)

+    def prepare_ipsec_site_connections_sha256(self, site1, site2):
+        """Builds info for connections in both directions in prep for sync."""
+        site1.prepare_ipsec_conn_info(site2,
+                                    FAKE_IPSEC_CONNECTION_SHA256)
+        site2.prepare_ipsec_conn_info(site1,
+                                    FAKE_IPSEC_CONNECTION_SHA256)
+
    def sync_to_create_ipsec_connections(self, site1, site2):
        """Perform a sync, so that connections are created."""
        # Provide service info to sync
@ -520,6 +569,19 @@ class TestIPSecScenario(TestIPSecBase):
        self.check_ping(site1, site2)
        self.check_ping(site2, site1)

+    def test_single_ipsec_connection_sha256(self):
+        site1 = self.create_site(PUBLIC_NET[4], [self.private_nets[1]])
+        site2 = self.create_site(PUBLIC_NET[5], [self.private_nets[2]])
+
+        self.check_ping(site1, site2, success=False)
+        self.check_ping(site2, site1, success=False)
+
+        self.prepare_ipsec_site_connections_sha256(site1, site2)
+        self.sync_to_create_ipsec_connections(site1, site2)
+
+        self.check_ping(site1, site2)
+        self.check_ping(site2, site1)
+
    def test_ipsec_site_connections_with_mulitple_subnets(self):
        """Check with a pair of subnets on each end of connection."""
        site1 = self.create_site(PUBLIC_NET[4], self.private_nets[1:3])