config_tun_params, IPsecIPv4Params, IPsecIPv6Params, \
IpsecTra4, IpsecTun4, IpsecTra6, IpsecTun6, \
IpsecTun6HandoffTests, IpsecTun4HandoffTests, \
- IpsecTra6ExtTests, IpsecTunEsp4Tests
+ IpsecTra6ExtTests
from vpp_ipsec import VppIpsecSpd, VppIpsecSpdEntry, VppIpsecSA,\
VppIpsecSpdItfBinding
from vpp_ip_route import VppIpRoute, VppRoutePath
from vpp_papi import VppEnum
NUM_PKTS = 67
+engines_supporting_chain_bufs = ["openssl"]
class ConfigIpsecESP(TemplateIpsec):
class TestIpsecEsp1(TemplateIpsecEsp, IpsecTra46Tests,
- IpsecTun46Tests, IpsecTunEsp4Tests,
- IpsecTra6ExtTests):
+ IpsecTun46Tests, IpsecTra6ExtTests):
""" Ipsec ESP - TUN & TRA tests """
- pass
+
+ @classmethod
+ def setUpClass(cls):
+ super(TestIpsecEsp1, cls).setUpClass()
+
+ @classmethod
+ def tearDownClass(cls):
+ super(TestIpsecEsp1, cls).tearDownClass()
+
+ def setUp(self):
+ super(TestIpsecEsp1, self).setUp()
+
+ def tearDown(self):
+ super(TestIpsecEsp1, self).tearDown()
+
+ def test_tun_46(self):
+ """ ipsec 4o6 tunnel """
+ # add an SPD entry to direct 2.2.2.2 to the v6 tunnel SA
+ p6 = self.ipv6_params
+ p4 = self.ipv4_params
+
+ p6.remote_tun_if_host4 = "2.2.2.2"
+ e = VppEnum.vl_api_ipsec_spd_action_t
+
+ VppIpsecSpdEntry(self,
+ self.tun_spd,
+ p6.scapy_tun_sa_id,
+ self.pg1.remote_addr[p4.addr_type],
+ self.pg1.remote_addr[p4.addr_type],
+ p6.remote_tun_if_host4,
+ p6.remote_tun_if_host4,
+ 0,
+ priority=10,
+ policy=e.IPSEC_API_SPD_ACTION_PROTECT,
+ is_outbound=1).add_vpp_config()
+ VppIpRoute(self, p6.remote_tun_if_host4, p4.addr_len,
+ [VppRoutePath(self.tun_if.remote_addr[p4.addr_type],
+ 0xffffffff)]).add_vpp_config()
+
+ old_name = self.tun6_encrypt_node_name
+ self.tun6_encrypt_node_name = "esp4-encrypt"
+
+ self.verify_tun_46(p6, count=63)
+ self.tun6_encrypt_node_name = old_name
+
+ def test_tun_64(self):
+ """ ipsec 6o4 tunnel """
+ # add an SPD entry to direct 4444::4 to the v4 tunnel SA
+ p6 = self.ipv6_params
+ p4 = self.ipv4_params
+
+ p4.remote_tun_if_host6 = "4444::4"
+ e = VppEnum.vl_api_ipsec_spd_action_t
+
+ VppIpsecSpdEntry(self,
+ self.tun_spd,
+ p4.scapy_tun_sa_id,
+ self.pg1.remote_addr[p6.addr_type],
+ self.pg1.remote_addr[p6.addr_type],
+ p4.remote_tun_if_host6,
+ p4.remote_tun_if_host6,
+ 0,
+ priority=10,
+ policy=e.IPSEC_API_SPD_ACTION_PROTECT,
+ is_outbound=1).add_vpp_config()
+ d = DpoProto.DPO_PROTO_IP6
+ VppIpRoute(self, p4.remote_tun_if_host6, p6.addr_len,
+ [VppRoutePath(self.tun_if.remote_addr[p6.addr_type],
+ 0xffffffff,
+ proto=d)]).add_vpp_config()
+
+ old_name = self.tun4_encrypt_node_name
+ self.tun4_encrypt_node_name = "esp6-encrypt"
+ self.verify_tun_64(p4, count=63)
+ self.tun4_encrypt_node_name = old_name
class TestIpsecEsp2(TemplateIpsecEsp, IpsecTcpTests):
def run_test(self):
self.run_a_test(self.engine, self.flag, self.algo)
- def run_a_test(self, engine, flag, algo):
+ def run_a_test(self, engine, flag, algo, payload_size=None):
self.vapi.cli("set crypto handler all %s" % engine)
self.ipv4_params = IPsecIPv4Params()
self.verify_tun_44(self.params[socket.AF_INET],
count=NUM_PKTS)
+ LARGE_PKT_SZ = [
+ 1970, # results in 2 chained buffers entering decrypt node
+ # but leaving as simple buffer due to ICV removal (tra4)
+ 2004, # footer+ICV will be added to 2nd buffer (tun4)
+ 4010, # ICV ends up splitted accross 2 buffers in esp_decrypt
+ # for transport4; transport6 takes normal path
+ 4020, # same as above but tra4 and tra6 are switched
+ ]
+ if self.engine in engines_supporting_chain_bufs:
+ for sz in LARGE_PKT_SZ:
+ self.verify_tra_basic4(count=NUM_PKTS, payload_size=sz)
+ self.verify_tra_basic6(count=NUM_PKTS, payload_size=sz)
+ self.verify_tun_66(self.params[socket.AF_INET6],
+ count=NUM_PKTS, payload_size=sz)
+ self.verify_tun_44(self.params[socket.AF_INET],
+ count=NUM_PKTS, payload_size=sz)
+
#
# remove the SPDs, SAs, etc
#
# GEN AES-GCM-192/NONE AES-GCM-256/NONE AES-CBC-128/MD5-96 \
# GEN AES-CBC-192/SHA1-96 AES-CBC-256/SHA1-96 \
# GEN 3DES-CBC/SHA1-96 NONE/SHA1-96; do \
+# GEN [[ ${FLG} == "ESN" && ${ALG} == *"NONE" ]] && continue
# GEN echo -e "\n\nclass Test_${ENG}_${FLG}_${ALG}(RunTestIpsecEspAll):" |
# GEN sed -e 's/-/_/g' -e 's#/#_#g' ; \
# GEN echo ' """'$ENG $FLG $ALG IPSec test'"""' ;
self.run_test()
-class Test_ia32_ESN_AES_GCM_128_NONE(RunTestIpsecEspAll):
- """ia32 ESN AES-GCM-128/NONE IPSec test"""
- def test_ipsec(self):
- self.run_test()
-
-
-class Test_ia32_ESN_AES_GCM_192_NONE(RunTestIpsecEspAll):
- """ia32 ESN AES-GCM-192/NONE IPSec test"""
- def test_ipsec(self):
- self.run_test()
-
-
-class Test_ia32_ESN_AES_GCM_256_NONE(RunTestIpsecEspAll):
- """ia32 ESN AES-GCM-256/NONE IPSec test"""
- def test_ipsec(self):
- self.run_test()
-
-
class Test_ia32_ESN_AES_CBC_128_MD5_96(RunTestIpsecEspAll):
"""ia32 ESN AES-CBC-128/MD5-96 IPSec test"""
def test_ipsec(self):
self.run_test()
-class Test_ipsecmb_ESN_AES_GCM_128_NONE(RunTestIpsecEspAll):
- """ipsecmb ESN AES-GCM-128/NONE IPSec test"""
- def test_ipsec(self):
- self.run_test()
-
-
-class Test_ipsecmb_ESN_AES_GCM_192_NONE(RunTestIpsecEspAll):
- """ipsecmb ESN AES-GCM-192/NONE IPSec test"""
- def test_ipsec(self):
- self.run_test()
-
-
-class Test_ipsecmb_ESN_AES_GCM_256_NONE(RunTestIpsecEspAll):
- """ipsecmb ESN AES-GCM-256/NONE IPSec test"""
- def test_ipsec(self):
- self.run_test()
-
-
class Test_ipsecmb_ESN_AES_CBC_128_MD5_96(RunTestIpsecEspAll):
"""ipsecmb ESN AES-CBC-128/MD5-96 IPSec test"""
def test_ipsec(self):
self.run_test()
-class Test_openssl_ESN_AES_GCM_128_NONE(RunTestIpsecEspAll):
- """openssl ESN AES-GCM-128/NONE IPSec test"""
- def test_ipsec(self):
- self.run_test()
-
-
-class Test_openssl_ESN_AES_GCM_192_NONE(RunTestIpsecEspAll):
- """openssl ESN AES-GCM-192/NONE IPSec test"""
- def test_ipsec(self):
- self.run_test()
-
-
-class Test_openssl_ESN_AES_GCM_256_NONE(RunTestIpsecEspAll):
- """openssl ESN AES-GCM-256/NONE IPSec test"""
- def test_ipsec(self):
- self.run_test()
-
-
class Test_openssl_ESN_AES_CBC_128_MD5_96(RunTestIpsecEspAll):
"""openssl ESN AES-CBC-128/MD5-96 IPSec test"""
def test_ipsec(self):