import socket
import unittest
from scapy.layers.ipsec import ESP
-from scapy.layers.inet import UDP
+from scapy.layers.inet import IP, ICMP, UDP
+from scapy.layers.inet6 import IPv6
+from scapy.layers.l2 import Ether
+from scapy.packet import Raw
+from parameterized import parameterized
from framework import VppTestRunner
from template_ipsec import IpsecTra46Tests, IpsecTun46Tests, TemplateIpsec, \
IpsecTcpTests, IpsecTun4Tests, IpsecTra4Tests, config_tra_params, \
- IPsecIPv4Params, IPsecIPv6Params, \
- IpsecTra4, IpsecTun4, IpsecTra6, IpsecTun6
+ config_tun_params, IPsecIPv4Params, IPsecIPv6Params, \
+ IpsecTra4, IpsecTun4, IpsecTra6, IpsecTun6, \
+ IpsecTun6HandoffTests, IpsecTun4HandoffTests, \
+ IpsecTra6ExtTests
from vpp_ipsec import VppIpsecSpd, VppIpsecSpdEntry, VppIpsecSA,\
VppIpsecSpdItfBinding
from vpp_ip_route import VppIpRoute, VppRoutePath
from vpp_ip import DpoProto
from vpp_papi import VppEnum
+NUM_PKTS = 67
+engines_supporting_chain_bufs = ["openssl"]
+
class ConfigIpsecESP(TemplateIpsec):
encryption_type = ESP
config_tra_params(p, self.encryption_type)
for p in params:
self.config_esp_tun(p)
+ config_tun_params(p, self.encryption_type, self.tun_if)
for p in params:
d = DpoProto.DPO_PROTO_IP6 if p.is_ipv6 else DpoProto.DPO_PROTO_IP4
r = VppIpRoute(self, p.remote_tun_if_host, p.addr_len,
[VppRoutePath(self.tun_if.remote_addr[p.addr_type],
0xffffffff,
- proto=d)],
- is_ip6=p.is_ipv6)
+ proto=d)])
r.add_vpp_config()
self.net_objs.append(r)
addr_any = params.addr_any
addr_bcast = params.addr_bcast
e = VppEnum.vl_api_ipsec_spd_action_t
+ flags = params.flags
+ tun_flags = params.tun_flags
+ salt = params.salt
objs = []
params.tun_sa_in = VppIpsecSA(self, scapy_tun_sa_id, scapy_tun_spi,
crypt_algo_vpp_id, crypt_key,
self.vpp_esp_protocol,
self.tun_if.local_addr[addr_type],
- self.tun_if.remote_addr[addr_type])
+ self.tun_if.remote_addr[addr_type],
+ tun_flags=tun_flags,
+ dscp=params.dscp,
+ flags=flags,
+ salt=salt)
params.tun_sa_out = VppIpsecSA(self, vpp_tun_sa_id, vpp_tun_spi,
auth_algo_vpp_id, auth_key,
crypt_algo_vpp_id, crypt_key,
self.vpp_esp_protocol,
self.tun_if.remote_addr[addr_type],
- self.tun_if.local_addr[addr_type])
+ self.tun_if.local_addr[addr_type],
+ tun_flags=tun_flags,
+ dscp=params.dscp,
+ flags=flags,
+ salt=salt)
objs.append(params.tun_sa_in)
objs.append(params.tun_sa_out)
IPSEC_API_SAD_FLAG_USE_ANTI_REPLAY)
e = VppEnum.vl_api_ipsec_spd_action_t
flags = params.flags | flags
+ salt = params.salt
objs = []
params.tra_sa_in = VppIpsecSA(self, scapy_tra_sa_id, scapy_tra_spi,
auth_algo_vpp_id, auth_key,
crypt_algo_vpp_id, crypt_key,
self.vpp_esp_protocol,
- flags=flags)
+ flags=flags,
+ salt=salt)
params.tra_sa_out = VppIpsecSA(self, vpp_tra_sa_id, vpp_tra_spi,
auth_algo_vpp_id, auth_key,
crypt_algo_vpp_id, crypt_key,
self.vpp_esp_protocol,
- flags=flags)
+ flags=flags,
+ salt=salt)
objs.append(params.tra_sa_in)
objs.append(params.tra_sa_out)
super(TemplateIpsecEsp, self).tearDown()
-class TestIpsecEsp1(TemplateIpsecEsp, IpsecTra46Tests, IpsecTun46Tests):
+class TestIpsecEsp1(TemplateIpsecEsp, IpsecTra46Tests,
+ IpsecTun46Tests, IpsecTra6ExtTests):
""" Ipsec ESP - TUN & TRA tests """
- pass
+
+ @classmethod
+ def setUpClass(cls):
+ super(TestIpsecEsp1, cls).setUpClass()
+
+ @classmethod
+ def tearDownClass(cls):
+ super(TestIpsecEsp1, cls).tearDownClass()
+
+ def setUp(self):
+ super(TestIpsecEsp1, self).setUp()
+
+ def tearDown(self):
+ super(TestIpsecEsp1, self).tearDown()
+
+ def test_tun_46(self):
+ """ ipsec 4o6 tunnel """
+ # add an SPD entry to direct 2.2.2.2 to the v6 tunnel SA
+ p6 = self.ipv6_params
+ p4 = self.ipv4_params
+
+ p6.remote_tun_if_host4 = "2.2.2.2"
+ e = VppEnum.vl_api_ipsec_spd_action_t
+
+ VppIpsecSpdEntry(self,
+ self.tun_spd,
+ p6.scapy_tun_sa_id,
+ self.pg1.remote_addr[p4.addr_type],
+ self.pg1.remote_addr[p4.addr_type],
+ p6.remote_tun_if_host4,
+ p6.remote_tun_if_host4,
+ 0,
+ priority=10,
+ policy=e.IPSEC_API_SPD_ACTION_PROTECT,
+ is_outbound=1).add_vpp_config()
+ VppIpRoute(self, p6.remote_tun_if_host4, p4.addr_len,
+ [VppRoutePath(self.tun_if.remote_addr[p4.addr_type],
+ 0xffffffff)]).add_vpp_config()
+
+ old_name = self.tun6_encrypt_node_name
+ self.tun6_encrypt_node_name = "esp4-encrypt"
+
+ self.verify_tun_46(p6, count=63)
+ self.tun6_encrypt_node_name = old_name
+
+ def test_tun_64(self):
+ """ ipsec 6o4 tunnel """
+ # add an SPD entry to direct 4444::4 to the v4 tunnel SA
+ p6 = self.ipv6_params
+ p4 = self.ipv4_params
+
+ p4.remote_tun_if_host6 = "4444::4"
+ e = VppEnum.vl_api_ipsec_spd_action_t
+
+ VppIpsecSpdEntry(self,
+ self.tun_spd,
+ p4.scapy_tun_sa_id,
+ self.pg1.remote_addr[p6.addr_type],
+ self.pg1.remote_addr[p6.addr_type],
+ p4.remote_tun_if_host6,
+ p4.remote_tun_if_host6,
+ 0,
+ priority=10,
+ policy=e.IPSEC_API_SPD_ACTION_PROTECT,
+ is_outbound=1).add_vpp_config()
+ d = DpoProto.DPO_PROTO_IP6
+ VppIpRoute(self, p4.remote_tun_if_host6, p6.addr_len,
+ [VppRoutePath(self.tun_if.remote_addr[p6.addr_type],
+ 0xffffffff,
+ proto=d)]).add_vpp_config()
+
+ old_name = self.tun4_encrypt_node_name
+ self.tun4_encrypt_node_name = "esp6-encrypt"
+ self.verify_tun_64(p4, count=63)
+ self.tun4_encrypt_node_name = old_name
+
+
+class TestIpsecEspTun(TemplateIpsecEsp, IpsecTun46Tests):
+ """ Ipsec ESP - TUN encap tests """
+
+ def setUp(self):
+ self.ipv4_params = IPsecIPv4Params()
+ self.ipv6_params = IPsecIPv6Params()
+
+ c = (VppEnum.vl_api_tunnel_encap_decap_flags_t.
+ TUNNEL_API_ENCAP_DECAP_FLAG_ENCAP_COPY_DSCP)
+ c1 = c | (VppEnum.vl_api_tunnel_encap_decap_flags_t.
+ TUNNEL_API_ENCAP_DECAP_FLAG_ENCAP_COPY_ECN)
+
+ self.ipv4_params.tun_flags = c
+ self.ipv6_params.tun_flags = c1
+
+ super(TestIpsecEspTun, self).setUp()
+
+ def gen_pkts(self, sw_intf, src, dst, count=1, payload_size=54):
+ # set the DSCP + ECN - flags are set to copy only DSCP
+ return [Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac) /
+ IP(src=src, dst=dst, tos=5) /
+ UDP(sport=4444, dport=4444) /
+ Raw(b'X' * payload_size)
+ for i in range(count)]
+
+ def gen_pkts6(self, sw_intf, src, dst, count=1, payload_size=54):
+ # set the DSCP + ECN - flags are set to copy both
+ return [Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac) /
+ IPv6(src=src, dst=dst, tc=5) /
+ UDP(sport=4444, dport=4444) /
+ Raw(b'X' * payload_size)
+ for i in range(count)]
+
+ def verify_encrypted(self, p, sa, rxs):
+ # just check that only the DSCP is copied
+ for rx in rxs:
+ self.assertEqual(rx[IP].tos, 4)
+
+ def verify_encrypted6(self, p, sa, rxs):
+ # just check that the DSCP & ECN are copied
+ for rx in rxs:
+ self.assertEqual(rx[IPv6].tc, 5)
+
+
+class TestIpsecEspTun2(TemplateIpsecEsp, IpsecTun46Tests):
+ """ Ipsec ESP - TUN DSCP tests """
+
+ def setUp(self):
+ self.ipv4_params = IPsecIPv4Params()
+ self.ipv6_params = IPsecIPv6Params()
+
+ self.ipv4_params.dscp = VppEnum.vl_api_ip_dscp_t.IP_API_DSCP_EF
+ self.ipv6_params.dscp = VppEnum.vl_api_ip_dscp_t.IP_API_DSCP_AF11
+
+ super(TestIpsecEspTun2, self).setUp()
+
+ def gen_pkts(self, sw_intf, src, dst, count=1, payload_size=54):
+ # set the DSCP + ECN - flags are set to copy only DSCP
+ return [Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac) /
+ IP(src=src, dst=dst) /
+ UDP(sport=4444, dport=4444) /
+ Raw(b'X' * payload_size)
+ for i in range(count)]
+
+ def gen_pkts6(self, sw_intf, src, dst, count=1, payload_size=54):
+ # set the DSCP + ECN - flags are set to copy both
+ return [Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac) /
+ IPv6(src=src, dst=dst) /
+ UDP(sport=4444, dport=4444) /
+ Raw(b'X' * payload_size)
+ for i in range(count)]
+
+ def verify_encrypted(self, p, sa, rxs):
+ # just check that only the DSCP is copied
+ for rx in rxs:
+ self.assertEqual(rx[IP].tos,
+ VppEnum.vl_api_ip_dscp_t.IP_API_DSCP_EF << 2)
+
+ def verify_encrypted6(self, p, sa, rxs):
+ # just check that the DSCP & ECN are copied
+ for rx in rxs:
+ self.assertEqual(rx[IPv6].tc,
+ VppEnum.vl_api_ip_dscp_t.IP_API_DSCP_AF11 << 2)
class TestIpsecEsp2(TemplateIpsecEsp, IpsecTcpTests):
pass
+class TestIpsecEspHandoff(TemplateIpsecEsp,
+ IpsecTun6HandoffTests,
+ IpsecTun4HandoffTests):
+ """ Ipsec ESP - handoff tests """
+ pass
+
+
class TemplateIpsecEspUdp(ConfigIpsecESP):
"""
UDP encapped ESP
self.tun_if).add_vpp_config()
self.config_esp_tun(p)
- self.logger.info(self.vapi.ppcli("show ipsec"))
+ self.logger.info(self.vapi.ppcli("show ipsec all"))
d = DpoProto.DPO_PROTO_IP4
VppIpRoute(self, p.remote_tun_if_host, p.addr_len,
def tearDown(self):
super(TemplateIpsecEspUdp, self).tearDown()
- if not self.vpp_dead:
- self.vapi.cli("show hardware")
+ def show_commands_at_teardown(self):
+ self.logger.info(self.vapi.cli("show hardware"))
-class TestIpsecEspUdp(TemplateIpsecEspUdp, IpsecTra4Tests, IpsecTun4Tests):
+
+class TestIpsecEspUdp(TemplateIpsecEspUdp, IpsecTra4Tests):
""" Ipsec NAT-T ESP UDP tests """
pass
-class TestIpsecEspAll(ConfigIpsecESP,
- IpsecTra4, IpsecTra6,
- IpsecTun4, IpsecTun6):
+class MyParameters():
+ def __init__(self):
+ self.engines = ["ia32", "ipsecmb", "openssl"]
+ flag_esn = VppEnum.vl_api_ipsec_sad_flags_t.IPSEC_API_SAD_FLAG_USE_ESN
+ self.flags = [0, flag_esn]
+ # foreach crypto algorithm
+ self.algos = {
+ 'AES-GCM-128/NONE': {
+ 'vpp-crypto': (VppEnum.vl_api_ipsec_crypto_alg_t.
+ IPSEC_API_CRYPTO_ALG_AES_GCM_128),
+ 'vpp-integ': (VppEnum.vl_api_ipsec_integ_alg_t.
+ IPSEC_API_INTEG_ALG_NONE),
+ 'scapy-crypto': "AES-GCM",
+ 'scapy-integ': "NULL",
+ 'key': b"JPjyOWBeVEQiMe7h",
+ 'salt': 0},
+ 'AES-GCM-192/NONE': {
+ 'vpp-crypto': (VppEnum.vl_api_ipsec_crypto_alg_t.
+ IPSEC_API_CRYPTO_ALG_AES_GCM_192),
+ 'vpp-integ': (VppEnum.vl_api_ipsec_integ_alg_t.
+ IPSEC_API_INTEG_ALG_NONE),
+ 'scapy-crypto': "AES-GCM",
+ 'scapy-integ': "NULL",
+ 'key': b"JPjyOWBeVEQiMe7h01234567",
+ 'salt': 1010},
+ 'AES-GCM-256/NONE': {
+ 'vpp-crypto': (VppEnum.vl_api_ipsec_crypto_alg_t.
+ IPSEC_API_CRYPTO_ALG_AES_GCM_256),
+ 'vpp-integ': (VppEnum.vl_api_ipsec_integ_alg_t.
+ IPSEC_API_INTEG_ALG_NONE),
+ 'scapy-crypto': "AES-GCM",
+ 'scapy-integ': "NULL",
+ 'key': b"JPjyOWBeVEQiMe7h0123456787654321",
+ 'salt': 2020},
+ 'AES-CBC-128/MD5-96': {
+ 'vpp-crypto': (VppEnum.vl_api_ipsec_crypto_alg_t.
+ IPSEC_API_CRYPTO_ALG_AES_CBC_128),
+ 'vpp-integ': (VppEnum.vl_api_ipsec_integ_alg_t.
+ IPSEC_API_INTEG_ALG_MD5_96),
+ 'scapy-crypto': "AES-CBC",
+ 'scapy-integ': "HMAC-MD5-96",
+ 'salt': 0,
+ 'key': b"JPjyOWBeVEQiMe7h"},
+ 'AES-CBC-192/SHA1-96': {
+ 'vpp-crypto': (VppEnum.vl_api_ipsec_crypto_alg_t.
+ IPSEC_API_CRYPTO_ALG_AES_CBC_192),
+ 'vpp-integ': (VppEnum.vl_api_ipsec_integ_alg_t.
+ IPSEC_API_INTEG_ALG_SHA1_96),
+ 'scapy-crypto': "AES-CBC",
+ 'scapy-integ': "HMAC-SHA1-96",
+ 'salt': 0,
+ 'key': b"JPjyOWBeVEQiMe7hJPjyOWBe"},
+ 'AES-CBC-256/SHA1-96': {
+ 'vpp-crypto': (VppEnum.vl_api_ipsec_crypto_alg_t.
+ IPSEC_API_CRYPTO_ALG_AES_CBC_256),
+ 'vpp-integ': (VppEnum.vl_api_ipsec_integ_alg_t.
+ IPSEC_API_INTEG_ALG_SHA1_96),
+ 'scapy-crypto': "AES-CBC",
+ 'scapy-integ': "HMAC-SHA1-96",
+ 'salt': 0,
+ 'key': b"JPjyOWBeVEQiMe7hJPjyOWBeVEQiMe7h"},
+ '3DES-CBC/SHA1-96': {
+ 'vpp-crypto': (VppEnum.vl_api_ipsec_crypto_alg_t.
+ IPSEC_API_CRYPTO_ALG_3DES_CBC),
+ 'vpp-integ': (VppEnum.vl_api_ipsec_integ_alg_t.
+ IPSEC_API_INTEG_ALG_SHA1_96),
+ 'scapy-crypto': "3DES",
+ 'scapy-integ': "HMAC-SHA1-96",
+ 'salt': 0,
+ 'key': b"JPjyOWBeVEQiMe7h00112233"},
+ 'NONE/SHA1-96': {
+ 'vpp-crypto': (VppEnum.vl_api_ipsec_crypto_alg_t.
+ IPSEC_API_CRYPTO_ALG_NONE),
+ 'vpp-integ': (VppEnum.vl_api_ipsec_integ_alg_t.
+ IPSEC_API_INTEG_ALG_SHA1_96),
+ 'scapy-crypto': "NULL",
+ 'scapy-integ': "HMAC-SHA1-96",
+ 'salt': 0,
+ 'key': b"JPjyOWBeVEQiMe7h00112233"},
+ 'AES-CTR-128/SHA1-96': {
+ 'vpp-crypto': (VppEnum.vl_api_ipsec_crypto_alg_t.
+ IPSEC_API_CRYPTO_ALG_AES_CTR_128),
+ 'vpp-integ': (VppEnum.vl_api_ipsec_integ_alg_t.
+ IPSEC_API_INTEG_ALG_SHA1_96),
+ 'scapy-crypto': "AES-CTR",
+ 'scapy-integ': "HMAC-SHA1-96",
+ 'salt': 0,
+ 'key': b"JPjyOWBeVEQiMe7h"},
+ 'AES-CTR-192/SHA1-96': {
+ 'vpp-crypto': (VppEnum.vl_api_ipsec_crypto_alg_t.
+ IPSEC_API_CRYPTO_ALG_AES_CTR_192),
+ 'vpp-integ': (VppEnum.vl_api_ipsec_integ_alg_t.
+ IPSEC_API_INTEG_ALG_SHA1_96),
+ 'scapy-crypto': "AES-CTR",
+ 'scapy-integ': "HMAC-SHA1-96",
+ 'salt': 1010,
+ 'key': b"JPjyOWBeVEQiMe7hJPjyOWBe"},
+ 'AES-CTR-256/SHA1-96': {
+ 'vpp-crypto': (VppEnum.vl_api_ipsec_crypto_alg_t.
+ IPSEC_API_CRYPTO_ALG_AES_CTR_256),
+ 'vpp-integ': (VppEnum.vl_api_ipsec_integ_alg_t.
+ IPSEC_API_INTEG_ALG_SHA1_96),
+ 'scapy-crypto': "AES-CTR",
+ 'scapy-integ': "HMAC-SHA1-96",
+ 'salt': 2020,
+ 'key': b"JPjyOWBeVEQiMe7hJPjyOWBeVEQiMe7h"}}
+
+
+class RunTestIpsecEspAll(ConfigIpsecESP,
+ IpsecTra4, IpsecTra6,
+ IpsecTun4, IpsecTun6):
""" Ipsec ESP all Algos """
def setUp(self):
- super(TestIpsecEspAll, self).setUp()
+ super(RunTestIpsecEspAll, self).setUp()
+ test_args = str.split(self.__doc__, " ")
+
+ params = MyParameters()
+ self.engine = test_args[0]
+ self.flag = params.flags[0]
+ if test_args[1] == 'ESN':
+ self.flag = params.flags[1]
+
+ self.algo = params.algos[test_args[2]]
def tearDown(self):
- super(TestIpsecEspAll, self).tearDown()
+ super(RunTestIpsecEspAll, self).tearDown()
- def test_crypto_algs(self):
- """All engines AES-CBC-[128, 192, 256] w/o ESN"""
+ def run_test(self):
+ self.run_a_test(self.engine, self.flag, self.algo)
- # foreach VPP crypto engine
- engines = ["ia32", "openssl"]
+ def run_a_test(self, engine, flag, algo, payload_size=None):
+ if engine == "ia32":
+ engine = "native"
+ self.vapi.cli("set crypto handler all %s" % engine)
- # foreach crypto algorithm
- algos = [{'vpp': VppEnum.vl_api_ipsec_crypto_alg_t.
- IPSEC_API_CRYPTO_ALG_AES_CBC_128,
- 'scapy': "AES-CBC",
- 'key': "JPjyOWBeVEQiMe7h"},
- {'vpp': VppEnum.vl_api_ipsec_crypto_alg_t.
- IPSEC_API_CRYPTO_ALG_AES_CBC_192,
- 'scapy': "AES-CBC",
- 'key': "JPjyOWBeVEQiMe7hJPjyOWBe"},
- {'vpp': VppEnum.vl_api_ipsec_crypto_alg_t.
- IPSEC_API_CRYPTO_ALG_AES_CBC_256,
- 'scapy': "AES-CBC",
- 'key': "JPjyOWBeVEQiMe7hJPjyOWBeVEQiMe7h"}]
-
- # bug found in VPP needs fixing with flag
- # (VppEnum.vl_api_ipsec_sad_flags_t.IPSEC_API_SAD_FLAG_USE_ESN)
- flags = [0]
+ self.ipv4_params = IPsecIPv4Params()
+ self.ipv6_params = IPsecIPv6Params()
+
+ self.params = {self.ipv4_params.addr_type:
+ self.ipv4_params,
+ self.ipv6_params.addr_type:
+ self.ipv6_params}
+
+ for _, p in self.params.items():
+ p.auth_algo_vpp_id = algo['vpp-integ']
+ p.crypt_algo_vpp_id = algo['vpp-crypto']
+ p.crypt_algo = algo['scapy-crypto']
+ p.auth_algo = algo['scapy-integ']
+ p.crypt_key = algo['key']
+ p.salt = algo['salt']
+ p.flags = p.flags | flag
+
+ self.reporter.send_keep_alive(self)
+
+ #
+ # configure the SPDs. SAs, etc
+ #
+ self.config_network(self.params.values())
+
+ #
+ # run some traffic.
+ # An exhautsive 4o6, 6o4 is not necessary
+ # for each algo
+ #
+ self.verify_tra_basic6(count=NUM_PKTS)
+ self.verify_tra_basic4(count=NUM_PKTS)
+ self.verify_tun_66(self.params[socket.AF_INET6],
+ count=NUM_PKTS)
+ #
+ # Use an odd-byte payload size to check for correct padding.
+ #
+ # 49 + 2 == 51 which should pad +1 to 52 for 4 byte alignment, +5
+ # to 56 for 8 byte alignment, and +13 to 64 for 64 byte alignment.
+ # This should catch bugs where the code is incorrectly over-padding
+ # for algorithms that don't require it
+ psz = 49 - len(IP()/ICMP()) if payload_size is None else payload_size
+ self.verify_tun_44(self.params[socket.AF_INET],
+ count=NUM_PKTS, payload_size=psz)
+
+ LARGE_PKT_SZ = [
+ 1970, # results in 2 chained buffers entering decrypt node
+ # but leaving as simple buffer due to ICV removal (tra4)
+ 2004, # footer+ICV will be added to 2nd buffer (tun4)
+ 4010, # ICV ends up splitted accross 2 buffers in esp_decrypt
+ # for transport4; transport6 takes normal path
+ 4020, # same as above but tra4 and tra6 are switched
+ ]
+ if self.engine in engines_supporting_chain_bufs:
+ for sz in LARGE_PKT_SZ:
+ self.verify_tra_basic4(count=NUM_PKTS, payload_size=sz)
+ self.verify_tra_basic6(count=NUM_PKTS, payload_size=sz)
+ self.verify_tun_66(self.params[socket.AF_INET6],
+ count=NUM_PKTS, payload_size=sz)
+ self.verify_tun_44(self.params[socket.AF_INET],
+ count=NUM_PKTS, payload_size=sz)
+
+ #
+ # remove the SPDs, SAs, etc
+ #
+ self.unconfig_network()
#
- # loop through the VPP engines
+ # reconfigure the network and SA to run the
+ # anti replay tests
#
- for engine in engines:
- self.vapi.cli("set crypto engine all %s" % engine)
-
- #
- # loop through each of the algorithms
- #
- for algo in algos:
- # with self.subTest(algo=algo['scapy']):
- for flag in flags:
- #
- # setup up the config paramters
- #
- self.ipv4_params = IPsecIPv4Params()
- self.ipv6_params = IPsecIPv6Params()
-
- self.params = {self.ipv4_params.addr_type:
- self.ipv4_params,
- self.ipv6_params.addr_type:
- self.ipv6_params}
-
- for _, p in self.params.items():
- p.crypt_algo_vpp_id = algo['vpp']
- p.crypt_algo = algo['scapy']
- p.crypt_key = algo['key']
- p.flags = p.flags | flag
-
- #
- # configure the SPDs. SAs, etc
- #
- self.config_network(self.params.values())
-
- #
- # run some traffic.
- # An exhautsive 4o6, 6o4 is not necessary
- # for each algo
- #
- self.verify_tra_basic6(count=17)
- self.verify_tra_basic4(count=17)
- self.verify_tun_66(self.params[socket.AF_INET6], 17)
- self.verify_tun_44(self.params[socket.AF_INET], 17)
-
- #
- # remove the SPDs, SAs, etc
- #
- self.unconfig_network()
+ self.config_network(self.params.values())
+ self.verify_tra_anti_replay()
+ self.unconfig_network()
+
+#
+# To generate test classes, do:
+# grep '# GEN' test_ipsec_esp.py | sed -e 's/# GEN //g' | bash
+#
+# GEN for ENG in ia32 ipsecmb openssl; do \
+# GEN for FLG in noESN ESN; do for ALG in AES-GCM-128/NONE \
+# GEN AES-GCM-192/NONE AES-GCM-256/NONE AES-CBC-128/MD5-96 \
+# GEN AES-CBC-192/SHA1-96 AES-CBC-256/SHA1-96 \
+# GEN 3DES-CBC/SHA1-96 NONE/SHA1-96 \
+# GEN AES-CTR-128/SHA1-96 AES-CTR-192/SHA1-96 AES-CTR-256/SHA1-96; do \
+# GEN [[ ${FLG} == "ESN" && ${ALG} == *"NONE" ]] && continue
+# GEN echo -e "\n\nclass Test_${ENG}_${FLG}_${ALG}(RunTestIpsecEspAll):" |
+# GEN sed -e 's/-/_/g' -e 's#/#_#g' ; \
+# GEN echo ' """'$ENG $FLG $ALG IPSec test'"""' ;
+# GEN echo " def test_ipsec(self):";
+# GEN echo " self.run_test()";
+# GEN done; done; done
+
+
+class Test_ia32_noESN_AES_GCM_128_NONE(RunTestIpsecEspAll):
+ """ia32 noESN AES-GCM-128/NONE IPSec test"""
+ def test_ipsec(self):
+ self.run_test()
+
+
+class Test_ia32_noESN_AES_GCM_192_NONE(RunTestIpsecEspAll):
+ """ia32 noESN AES-GCM-192/NONE IPSec test"""
+ def test_ipsec(self):
+ self.run_test()
+
+
+class Test_ia32_noESN_AES_GCM_256_NONE(RunTestIpsecEspAll):
+ """ia32 noESN AES-GCM-256/NONE IPSec test"""
+ def test_ipsec(self):
+ self.run_test()
+
+
+class Test_ia32_noESN_AES_CBC_128_MD5_96(RunTestIpsecEspAll):
+ """ia32 noESN AES-CBC-128/MD5-96 IPSec test"""
+ def test_ipsec(self):
+ self.run_test()
+
+
+class Test_ia32_noESN_AES_CBC_192_SHA1_96(RunTestIpsecEspAll):
+ """ia32 noESN AES-CBC-192/SHA1-96 IPSec test"""
+ def test_ipsec(self):
+ self.run_test()
+
+
+class Test_ia32_noESN_AES_CBC_256_SHA1_96(RunTestIpsecEspAll):
+ """ia32 noESN AES-CBC-256/SHA1-96 IPSec test"""
+ def test_ipsec(self):
+ self.run_test()
+
+
+class Test_ia32_noESN_3DES_CBC_SHA1_96(RunTestIpsecEspAll):
+ """ia32 noESN 3DES-CBC/SHA1-96 IPSec test"""
+ def test_ipsec(self):
+ self.run_test()
+
+
+class Test_ia32_noESN_NONE_SHA1_96(RunTestIpsecEspAll):
+ """ia32 noESN NONE/SHA1-96 IPSec test"""
+ def test_ipsec(self):
+ self.run_test()
+
+
+class Test_ia32_noESN_AES_CTR_128_SHA1_96(RunTestIpsecEspAll):
+ """ia32 noESN AES-CTR-128/SHA1-96 IPSec test"""
+ def test_ipsec(self):
+ self.run_test()
+
+
+class Test_ia32_noESN_AES_CTR_192_SHA1_96(RunTestIpsecEspAll):
+ """ia32 noESN AES-CTR-192/SHA1-96 IPSec test"""
+ def test_ipsec(self):
+ self.run_test()
+
+
+class Test_ia32_noESN_AES_CTR_256_SHA1_96(RunTestIpsecEspAll):
+ """ia32 noESN AES-CTR-256/SHA1-96 IPSec test"""
+ def test_ipsec(self):
+ self.run_test()
+
+
+class Test_ia32_ESN_AES_CBC_128_MD5_96(RunTestIpsecEspAll):
+ """ia32 ESN AES-CBC-128/MD5-96 IPSec test"""
+ def test_ipsec(self):
+ self.run_test()
+
+
+class Test_ia32_ESN_AES_CBC_192_SHA1_96(RunTestIpsecEspAll):
+ """ia32 ESN AES-CBC-192/SHA1-96 IPSec test"""
+ def test_ipsec(self):
+ self.run_test()
+
+
+class Test_ia32_ESN_AES_CBC_256_SHA1_96(RunTestIpsecEspAll):
+ """ia32 ESN AES-CBC-256/SHA1-96 IPSec test"""
+ def test_ipsec(self):
+ self.run_test()
+
+
+class Test_ia32_ESN_3DES_CBC_SHA1_96(RunTestIpsecEspAll):
+ """ia32 ESN 3DES-CBC/SHA1-96 IPSec test"""
+ def test_ipsec(self):
+ self.run_test()
+
+
+class Test_ia32_ESN_NONE_SHA1_96(RunTestIpsecEspAll):
+ """ia32 ESN NONE/SHA1-96 IPSec test"""
+ def test_ipsec(self):
+ self.run_test()
+
+
+class Test_ia32_ESN_AES_CTR_128_SHA1_96(RunTestIpsecEspAll):
+ """ia32 ESN AES-CTR-128/SHA1-96 IPSec test"""
+ def test_ipsec(self):
+ self.run_test()
+
+
+class Test_ia32_ESN_AES_CTR_192_SHA1_96(RunTestIpsecEspAll):
+ """ia32 ESN AES-CTR-192/SHA1-96 IPSec test"""
+ def test_ipsec(self):
+ self.run_test()
+
+
+class Test_ia32_ESN_AES_CTR_256_SHA1_96(RunTestIpsecEspAll):
+ """ia32 ESN AES-CTR-256/SHA1-96 IPSec test"""
+ def test_ipsec(self):
+ self.run_test()
+
+
+class Test_ipsecmb_noESN_AES_GCM_128_NONE(RunTestIpsecEspAll):
+ """ipsecmb noESN AES-GCM-128/NONE IPSec test"""
+ def test_ipsec(self):
+ self.run_test()
+
+
+class Test_ipsecmb_noESN_AES_GCM_192_NONE(RunTestIpsecEspAll):
+ """ipsecmb noESN AES-GCM-192/NONE IPSec test"""
+ def test_ipsec(self):
+ self.run_test()
+
+
+class Test_ipsecmb_noESN_AES_GCM_256_NONE(RunTestIpsecEspAll):
+ """ipsecmb noESN AES-GCM-256/NONE IPSec test"""
+ def test_ipsec(self):
+ self.run_test()
+
+
+class Test_ipsecmb_noESN_AES_CBC_128_MD5_96(RunTestIpsecEspAll):
+ """ipsecmb noESN AES-CBC-128/MD5-96 IPSec test"""
+ def test_ipsec(self):
+ self.run_test()
+
+
+class Test_ipsecmb_noESN_AES_CBC_192_SHA1_96(RunTestIpsecEspAll):
+ """ipsecmb noESN AES-CBC-192/SHA1-96 IPSec test"""
+ def test_ipsec(self):
+ self.run_test()
+
+
+class Test_ipsecmb_noESN_AES_CBC_256_SHA1_96(RunTestIpsecEspAll):
+ """ipsecmb noESN AES-CBC-256/SHA1-96 IPSec test"""
+ def test_ipsec(self):
+ self.run_test()
+
+
+class Test_ipsecmb_noESN_3DES_CBC_SHA1_96(RunTestIpsecEspAll):
+ """ipsecmb noESN 3DES-CBC/SHA1-96 IPSec test"""
+ def test_ipsec(self):
+ self.run_test()
+
+
+class Test_ipsecmb_noESN_NONE_SHA1_96(RunTestIpsecEspAll):
+ """ipsecmb noESN NONE/SHA1-96 IPSec test"""
+ def test_ipsec(self):
+ self.run_test()
+
+
+class Test_ipsecmb_noESN_AES_CTR_128_SHA1_96(RunTestIpsecEspAll):
+ """ipsecmb noESN AES-CTR-128/SHA1-96 IPSec test"""
+ def test_ipsec(self):
+ self.run_test()
+
+
+class Test_ipsecmb_noESN_AES_CTR_192_SHA1_96(RunTestIpsecEspAll):
+ """ipsecmb noESN AES-CTR-192/SHA1-96 IPSec test"""
+ def test_ipsec(self):
+ self.run_test()
+
+
+class Test_ipsecmb_noESN_AES_CTR_256_SHA1_96(RunTestIpsecEspAll):
+ """ipsecmb noESN AES-CTR-256/SHA1-96 IPSec test"""
+ def test_ipsec(self):
+ self.run_test()
+
+
+class Test_ipsecmb_ESN_AES_CBC_128_MD5_96(RunTestIpsecEspAll):
+ """ipsecmb ESN AES-CBC-128/MD5-96 IPSec test"""
+ def test_ipsec(self):
+ self.run_test()
+
+
+class Test_ipsecmb_ESN_AES_CBC_192_SHA1_96(RunTestIpsecEspAll):
+ """ipsecmb ESN AES-CBC-192/SHA1-96 IPSec test"""
+ def test_ipsec(self):
+ self.run_test()
+
+
+class Test_ipsecmb_ESN_AES_CBC_256_SHA1_96(RunTestIpsecEspAll):
+ """ipsecmb ESN AES-CBC-256/SHA1-96 IPSec test"""
+ def test_ipsec(self):
+ self.run_test()
+
+
+class Test_ipsecmb_ESN_3DES_CBC_SHA1_96(RunTestIpsecEspAll):
+ """ipsecmb ESN 3DES-CBC/SHA1-96 IPSec test"""
+ def test_ipsec(self):
+ self.run_test()
+
+
+class Test_ipsecmb_ESN_NONE_SHA1_96(RunTestIpsecEspAll):
+ """ipsecmb ESN NONE/SHA1-96 IPSec test"""
+ def test_ipsec(self):
+ self.run_test()
+
+
+class Test_ipsecmb_ESN_AES_CTR_128_SHA1_96(RunTestIpsecEspAll):
+ """ipsecmb ESN AES-CTR-128/SHA1-96 IPSec test"""
+ def test_ipsec(self):
+ self.run_test()
+
+
+class Test_ipsecmb_ESN_AES_CTR_192_SHA1_96(RunTestIpsecEspAll):
+ """ipsecmb ESN AES-CTR-192/SHA1-96 IPSec test"""
+ def test_ipsec(self):
+ self.run_test()
+
+
+class Test_ipsecmb_ESN_AES_CTR_256_SHA1_96(RunTestIpsecEspAll):
+ """ipsecmb ESN AES-CTR-256/SHA1-96 IPSec test"""
+ def test_ipsec(self):
+ self.run_test()
+
+
+class Test_openssl_noESN_AES_GCM_128_NONE(RunTestIpsecEspAll):
+ """openssl noESN AES-GCM-128/NONE IPSec test"""
+ def test_ipsec(self):
+ self.run_test()
+
+
+class Test_openssl_noESN_AES_GCM_192_NONE(RunTestIpsecEspAll):
+ """openssl noESN AES-GCM-192/NONE IPSec test"""
+ def test_ipsec(self):
+ self.run_test()
+
+
+class Test_openssl_noESN_AES_GCM_256_NONE(RunTestIpsecEspAll):
+ """openssl noESN AES-GCM-256/NONE IPSec test"""
+ def test_ipsec(self):
+ self.run_test()
+
+
+class Test_openssl_noESN_AES_CBC_128_MD5_96(RunTestIpsecEspAll):
+ """openssl noESN AES-CBC-128/MD5-96 IPSec test"""
+ def test_ipsec(self):
+ self.run_test()
+
+
+class Test_openssl_noESN_AES_CBC_192_SHA1_96(RunTestIpsecEspAll):
+ """openssl noESN AES-CBC-192/SHA1-96 IPSec test"""
+ def test_ipsec(self):
+ self.run_test()
+
+
+class Test_openssl_noESN_AES_CBC_256_SHA1_96(RunTestIpsecEspAll):
+ """openssl noESN AES-CBC-256/SHA1-96 IPSec test"""
+ def test_ipsec(self):
+ self.run_test()
+
+
+class Test_openssl_noESN_3DES_CBC_SHA1_96(RunTestIpsecEspAll):
+ """openssl noESN 3DES-CBC/SHA1-96 IPSec test"""
+ def test_ipsec(self):
+ self.run_test()
+
+
+class Test_openssl_noESN_NONE_SHA1_96(RunTestIpsecEspAll):
+ """openssl noESN NONE/SHA1-96 IPSec test"""
+ def test_ipsec(self):
+ self.run_test()
+
+
+class Test_openssl_noESN_AES_CTR_128_SHA1_96(RunTestIpsecEspAll):
+ """openssl noESN AES-CTR-128/SHA1-96 IPSec test"""
+ def test_ipsec(self):
+ self.run_test()
+
+
+class Test_openssl_noESN_AES_CTR_192_SHA1_96(RunTestIpsecEspAll):
+ """openssl noESN AES-CTR-192/SHA1-96 IPSec test"""
+ def test_ipsec(self):
+ self.run_test()
+
+
+class Test_openssl_noESN_AES_CTR_256_SHA1_96(RunTestIpsecEspAll):
+ """openssl noESN AES-CTR-256/SHA1-96 IPSec test"""
+ def test_ipsec(self):
+ self.run_test()
+
+
+class Test_openssl_ESN_AES_CBC_128_MD5_96(RunTestIpsecEspAll):
+ """openssl ESN AES-CBC-128/MD5-96 IPSec test"""
+ def test_ipsec(self):
+ self.run_test()
+
+
+class Test_openssl_ESN_AES_CBC_192_SHA1_96(RunTestIpsecEspAll):
+ """openssl ESN AES-CBC-192/SHA1-96 IPSec test"""
+ def test_ipsec(self):
+ self.run_test()
+
+
+class Test_openssl_ESN_AES_CBC_256_SHA1_96(RunTestIpsecEspAll):
+ """openssl ESN AES-CBC-256/SHA1-96 IPSec test"""
+ def test_ipsec(self):
+ self.run_test()
+
+
+class Test_openssl_ESN_3DES_CBC_SHA1_96(RunTestIpsecEspAll):
+ """openssl ESN 3DES-CBC/SHA1-96 IPSec test"""
+ def test_ipsec(self):
+ self.run_test()
+
+
+class Test_openssl_ESN_NONE_SHA1_96(RunTestIpsecEspAll):
+ """openssl ESN NONE/SHA1-96 IPSec test"""
+ def test_ipsec(self):
+ self.run_test()
+
+
+class Test_openssl_ESN_AES_CTR_128_SHA1_96(RunTestIpsecEspAll):
+ """openssl ESN AES-CTR-128/SHA1-96 IPSec test"""
+ def test_ipsec(self):
+ self.run_test()
+
+
+class Test_openssl_ESN_AES_CTR_192_SHA1_96(RunTestIpsecEspAll):
+ """openssl ESN AES-CTR-192/SHA1-96 IPSec test"""
+ def test_ipsec(self):
+ self.run_test()
+
+
+class Test_openssl_ESN_AES_CTR_256_SHA1_96(RunTestIpsecEspAll):
+ """openssl ESN AES-CTR-256/SHA1-96 IPSec test"""
+ def test_ipsec(self):
+ self.run_test()
if __name__ == '__main__':