import socket
import unittest
-import struct
from scapy.layers.ipsec import ESP
from scapy.layers.inet import UDP
+from parameterized import parameterized
from framework import VppTestRunner
from template_ipsec import IpsecTra46Tests, IpsecTun46Tests, TemplateIpsec, \
IpsecTcpTests, IpsecTun4Tests, IpsecTra4Tests, config_tra_params, \
from vpp_ip import DpoProto
from vpp_papi import VppEnum
+NUM_PKTS = 67
+
class ConfigIpsecESP(TemplateIpsec):
encryption_type = ESP
r = VppIpRoute(self, p.remote_tun_if_host, p.addr_len,
[VppRoutePath(self.tun_if.remote_addr[p.addr_type],
0xffffffff,
- proto=d)],
- is_ip6=p.is_ipv6)
+ proto=d)])
r.add_vpp_config()
self.net_objs.append(r)
addr_bcast = params.addr_bcast
e = VppEnum.vl_api_ipsec_spd_action_t
flags = params.flags
+ salt = params.salt
objs = []
params.tun_sa_in = VppIpsecSA(self, scapy_tun_sa_id, scapy_tun_spi,
self.vpp_esp_protocol,
self.tun_if.local_addr[addr_type],
self.tun_if.remote_addr[addr_type],
- flags=flags)
+ flags=flags,
+ salt=salt)
params.tun_sa_out = VppIpsecSA(self, vpp_tun_sa_id, vpp_tun_spi,
auth_algo_vpp_id, auth_key,
crypt_algo_vpp_id, crypt_key,
self.vpp_esp_protocol,
self.tun_if.remote_addr[addr_type],
self.tun_if.local_addr[addr_type],
- flags=flags)
+ flags=flags,
+ salt=salt)
objs.append(params.tun_sa_in)
objs.append(params.tun_sa_out)
IPSEC_API_SAD_FLAG_USE_ANTI_REPLAY)
e = VppEnum.vl_api_ipsec_spd_action_t
flags = params.flags | flags
+ salt = params.salt
objs = []
params.tra_sa_in = VppIpsecSA(self, scapy_tra_sa_id, scapy_tra_spi,
auth_algo_vpp_id, auth_key,
crypt_algo_vpp_id, crypt_key,
self.vpp_esp_protocol,
- flags=flags)
+ flags=flags,
+ salt=salt)
params.tra_sa_out = VppIpsecSA(self, vpp_tra_sa_id, vpp_tra_spi,
auth_algo_vpp_id, auth_key,
crypt_algo_vpp_id, crypt_key,
self.vpp_esp_protocol,
- flags=flags)
+ flags=flags,
+ salt=salt)
objs.append(params.tra_sa_in)
objs.append(params.tra_sa_out)
def tearDown(self):
super(TestIpsecEspAll, self).tearDown()
- def test_crypto_algs(self):
- """All engines AES-[CBC, GCM]-[128, 192, 256] w/ & w/o ESN"""
-
- # foreach VPP crypto engine
- engines = ["ia32", "ipsecmb", "openssl"]
+ @parameterized.expand(["ia32", "ipsecmb", "openssl"])
+ def test_crypto_algs(self, engine):
+ """AES-[CBC, GCM]-[128, 192, 256] 3DES-CBC w/ & w/o ESN"""
# foreach crypto algorithm
algos = [{'vpp-crypto': (VppEnum.vl_api_ipsec_crypto_alg_t.
'scapy-crypto': "AES-GCM",
'scapy-integ': "NULL",
'key': "JPjyOWBeVEQiMe7h",
- 'salt': struct.pack("!L", 0)},
+ 'salt': 0},
+ {'vpp-crypto': (VppEnum.vl_api_ipsec_crypto_alg_t.
+ IPSEC_API_CRYPTO_ALG_AES_GCM_192),
+ 'vpp-integ': (VppEnum.vl_api_ipsec_integ_alg_t.
+ IPSEC_API_INTEG_ALG_NONE),
+ 'scapy-crypto': "AES-GCM",
+ 'scapy-integ': "NULL",
+ 'key': "JPjyOWBeVEQiMe7h01234567",
+ 'salt': 1010},
{'vpp-crypto': (VppEnum.vl_api_ipsec_crypto_alg_t.
IPSEC_API_CRYPTO_ALG_AES_GCM_256),
'vpp-integ': (VppEnum.vl_api_ipsec_integ_alg_t.
'scapy-crypto': "AES-GCM",
'scapy-integ': "NULL",
'key': "JPjyOWBeVEQiMe7h0123456787654321",
- 'salt': struct.pack("!L", 0)},
+ 'salt': 2020},
{'vpp-crypto': (VppEnum.vl_api_ipsec_crypto_alg_t.
IPSEC_API_CRYPTO_ALG_AES_CBC_128),
'vpp-integ': (VppEnum.vl_api_ipsec_integ_alg_t.
IPSEC_API_INTEG_ALG_SHA1_96),
'scapy-crypto': "AES-CBC",
'scapy-integ': "HMAC-SHA1-96",
- 'salt': '',
+ 'salt': 0,
'key': "JPjyOWBeVEQiMe7h"},
{'vpp-crypto': (VppEnum.vl_api_ipsec_crypto_alg_t.
IPSEC_API_CRYPTO_ALG_AES_CBC_192),
IPSEC_API_INTEG_ALG_SHA1_96),
'scapy-crypto': "AES-CBC",
'scapy-integ': "HMAC-SHA1-96",
- 'salt': '',
+ 'salt': 0,
'key': "JPjyOWBeVEQiMe7hJPjyOWBe"},
{'vpp-crypto': (VppEnum.vl_api_ipsec_crypto_alg_t.
IPSEC_API_CRYPTO_ALG_AES_CBC_256),
IPSEC_API_INTEG_ALG_SHA1_96),
'scapy-crypto': "AES-CBC",
'scapy-integ': "HMAC-SHA1-96",
- 'salt': '',
- 'key': "JPjyOWBeVEQiMe7hJPjyOWBeVEQiMe7h"}]
+ 'salt': 0,
+ 'key': "JPjyOWBeVEQiMe7hJPjyOWBeVEQiMe7h"},
+ {'vpp-crypto': (VppEnum.vl_api_ipsec_crypto_alg_t.
+ IPSEC_API_CRYPTO_ALG_3DES_CBC),
+ 'vpp-integ': (VppEnum.vl_api_ipsec_integ_alg_t.
+ IPSEC_API_INTEG_ALG_SHA1_96),
+ 'scapy-crypto': "3DES",
+ 'scapy-integ': "HMAC-SHA1-96",
+ 'salt': 0,
+ 'key': "JPjyOWBeVEQiMe7h00112233"}]
# with and without ESN
flags = [0,
VppEnum.vl_api_ipsec_sad_flags_t.IPSEC_API_SAD_FLAG_USE_ESN]
+ self.vapi.cli("set crypto handler all %s" % engine)
#
- # loop through the VPP engines
+ # loop through each of the algorithms
#
- for engine in engines:
- self.vapi.cli("set crypto handler all %s" % engine)
- #
- # loop through each of the algorithms
- #
- for algo in algos:
- # with self.subTest(algo=algo['scapy']):
- for flag in flags:
- #
- # setup up the config paramters
- #
- self.ipv4_params = IPsecIPv4Params()
- self.ipv6_params = IPsecIPv6Params()
-
- self.params = {self.ipv4_params.addr_type:
- self.ipv4_params,
- self.ipv6_params.addr_type:
- self.ipv6_params}
-
- for _, p in self.params.items():
- p.auth_algo_vpp_id = algo['vpp-integ']
- p.crypt_algo_vpp_id = algo['vpp-crypto']
- p.crypt_algo = algo['scapy-crypto']
- p.auth_algo = algo['scapy-integ']
- p.crypt_key = algo['key']
- p.crypt_salt = algo['salt']
- p.flags = p.flags | flag
-
- #
- # configure the SPDs. SAs, etc
- #
- self.config_network(self.params.values())
-
- #
- # run some traffic.
- # An exhautsive 4o6, 6o4 is not necessary
- # for each algo
- #
- self.verify_tra_basic6(count=17)
- self.verify_tra_basic4(count=17)
- self.verify_tun_66(self.params[socket.AF_INET6], 17)
- self.verify_tun_44(self.params[socket.AF_INET], 17)
-
- #
- # remove the SPDs, SAs, etc
- #
- self.unconfig_network()
+ for algo in algos:
+ # with self.subTest(algo=algo['scapy']):
+ for flag in flags:
+ #
+ # setup up the config paramters
+ #
+ self.ipv4_params = IPsecIPv4Params()
+ self.ipv6_params = IPsecIPv6Params()
+
+ self.params = {self.ipv4_params.addr_type:
+ self.ipv4_params,
+ self.ipv6_params.addr_type:
+ self.ipv6_params}
+
+ for _, p in self.params.items():
+ p.auth_algo_vpp_id = algo['vpp-integ']
+ p.crypt_algo_vpp_id = algo['vpp-crypto']
+ p.crypt_algo = algo['scapy-crypto']
+ p.auth_algo = algo['scapy-integ']
+ p.crypt_key = algo['key']
+ p.salt = algo['salt']
+ p.flags = p.flags | flag
+
+ self.reporter.send_keep_alive(self)
+
+ #
+ # configure the SPDs. SAs, etc
+ #
+ self.config_network(self.params.values())
+
+ #
+ # run some traffic.
+ # An exhautsive 4o6, 6o4 is not necessary
+ # for each algo
+ #
+ self.verify_tra_basic6(count=NUM_PKTS)
+ self.verify_tra_basic4(count=NUM_PKTS)
+ self.verify_tun_66(self.params[socket.AF_INET6],
+ count=NUM_PKTS)
+ self.verify_tun_44(self.params[socket.AF_INET],
+ count=NUM_PKTS)
+
+ #
+ # remove the SPDs, SAs, etc
+ #
+ self.unconfig_network()
+
+ #
+ # reconfigure the network and SA to run the
+ # anti replay tests
+ #
+ self.config_network(self.params.values())
+ self.verify_tra_anti_replay()
+ self.unconfig_network()
if __name__ == '__main__':
Code Review / vpp.git / blobdiff