ipsec: huge anti-replay window support
[vpp.git] / test / test_ipsec_esp.py
index 90f013f..fdd7eb8 100644 (file)
@@ -62,10 +62,11 @@ class ConfigIpsecESP(TemplateIpsec):
     def tearDown(self):
         super(ConfigIpsecESP, self).tearDown()
 
-    def config_anti_replay(self, params):
+    def config_anti_replay(self, params, anti_replay_window_size=64):
         saf = VppEnum.vl_api_ipsec_sad_flags_t
         for p in params:
             p.flags |= saf.IPSEC_API_SAD_FLAG_USE_ANTI_REPLAY
+            p.anti_replay_window_size = anti_replay_window_size
 
     def config_network(self, params):
         self.net_objs = []
@@ -134,6 +135,7 @@ class ConfigIpsecESP(TemplateIpsec):
         flags = params.flags
         tun_flags = params.tun_flags
         salt = params.salt
+        anti_replay_window_size = params.anti_replay_window_size
         objs = []
 
         params.tun_sa_in = VppIpsecSA(
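Review bot: `params.anti_replay_window_size` is read unconditionally here (and again in the `config_tra_params` hunk at the `anti_replay_window_size = params.anti_replay_window_size` line), yet the only writer visible in this diff is `config_anti_replay`, which the ARoff variants of `RunTestIpsecEspAll` never call. Unless the params class gained a class-level default in the same change, those tests would raise `AttributeError` at this line before any SA is created. If the default lives elsewhere, a one-line comment such as `# default comes from the params class; only config_anti_replay overrides it` would make that dependency visible; otherwise `getattr(params, "anti_replay_window_size", 64)` keeps the old behaviour for params that were never configured for anti-replay. The enclosing method starts and ends outside this hunk.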
@@ -145,13 +147,14 @@ class ConfigIpsecESP(TemplateIpsec):
             crypt_algo_vpp_id,
             crypt_key,
             self.vpp_esp_protocol,
-            self.tun_if.local_addr[addr_type],
             self.tun_if.remote_addr[addr_type],
+            self.tun_if.local_addr[addr_type],
             tun_flags=tun_flags,
             dscp=params.dscp,
             flags=flags,
             salt=salt,
             hop_limit=params.outer_hop_limit,
+            anti_replay_window_size=anti_replay_window_size,
         )
         params.tun_sa_out = VppIpsecSA(
             self,
@@ -162,13 +165,14 @@ class ConfigIpsecESP(TemplateIpsec):
             crypt_algo_vpp_id,
             crypt_key,
             self.vpp_esp_protocol,
-            self.tun_if.remote_addr[addr_type],
             self.tun_if.local_addr[addr_type],
+            self.tun_if.remote_addr[addr_type],
             tun_flags=tun_flags,
             dscp=params.dscp,
             flags=flags,
             salt=salt,
             hop_limit=params.outer_hop_limit,
+            anti_replay_window_size=anti_replay_window_size,
         )
         objs.append(params.tun_sa_in)
         objs.append(params.tun_sa_out)
@@ -201,7 +205,7 @@ class ConfigIpsecESP(TemplateIpsec):
             VppIpsecSpdEntry(
                 self,
                 self.tun_spd,
-                vpp_tun_sa_id,
+                scapy_tun_sa_id,
                 remote_tun_if_host,
                 remote_tun_if_host,
                 self.pg1.remote_addr[addr_type],
@@ -216,7 +220,7 @@ class ConfigIpsecESP(TemplateIpsec):
             VppIpsecSpdEntry(
                 self,
                 self.tun_spd,
-                scapy_tun_sa_id,
+                vpp_tun_sa_id,
                 self.pg1.remote_addr[addr_type],
                 self.pg1.remote_addr[addr_type],
                 remote_tun_if_host,
@@ -230,7 +234,7 @@ class ConfigIpsecESP(TemplateIpsec):
             VppIpsecSpdEntry(
                 self,
                 self.tun_spd,
-                vpp_tun_sa_id,
+                scapy_tun_sa_id,
                 remote_tun_if_host,
                 remote_tun_if_host,
                 self.pg0.local_addr[addr_type],
@@ -245,7 +249,7 @@ class ConfigIpsecESP(TemplateIpsec):
             VppIpsecSpdEntry(
                 self,
                 self.tun_spd,
-                scapy_tun_sa_id,
+                vpp_tun_sa_id,
                 self.pg0.local_addr[addr_type],
                 self.pg0.local_addr[addr_type],
                 remote_tun_if_host,
@@ -274,6 +278,7 @@ class ConfigIpsecESP(TemplateIpsec):
         e = VppEnum.vl_api_ipsec_spd_action_t
         flags = params.flags
         salt = params.salt
+        anti_replay_window_size = params.anti_replay_window_size
         objs = []
 
         params.tra_sa_in = VppIpsecSA(
@@ -287,6 +292,7 @@ class ConfigIpsecESP(TemplateIpsec):
             self.vpp_esp_protocol,
             flags=flags,
             salt=salt,
+            anti_replay_window_size=anti_replay_window_size,
         )
         params.tra_sa_out = VppIpsecSA(
             self,
@@ -299,6 +305,7 @@ class ConfigIpsecESP(TemplateIpsec):
             self.vpp_esp_protocol,
             flags=flags,
             salt=salt,
+            anti_replay_window_size=anti_replay_window_size,
         )
         objs.append(params.tra_sa_in)
         objs.append(params.tra_sa_out)
@@ -332,7 +339,7 @@ class ConfigIpsecESP(TemplateIpsec):
             VppIpsecSpdEntry(
                 self,
                 self.tra_spd,
-                vpp_tra_sa_id,
+                scapy_tra_sa_id,
                 self.tra_if.local_addr[addr_type],
                 self.tra_if.local_addr[addr_type],
                 self.tra_if.remote_addr[addr_type],
@@ -347,7 +354,7 @@ class ConfigIpsecESP(TemplateIpsec):
             VppIpsecSpdEntry(
                 self,
                 self.tra_spd,
-                scapy_tra_sa_id,
+                vpp_tra_sa_id,
                 self.tra_if.local_addr[addr_type],
                 self.tra_if.local_addr[addr_type],
                 self.tra_if.remote_addr[addr_type],
@@ -447,7 +454,7 @@ class TestIpsecEsp1(
         VppIpsecSpdEntry(
             self,
             self.tun_spd,
-            p6.scapy_tun_sa_id,
+            p6.vpp_tun_sa_id,
             self.pg1.remote_addr[p4.addr_type],
             self.pg1.remote_addr[p4.addr_type],
             p6.remote_tun_if_host4,
@@ -482,7 +489,7 @@ class TestIpsecEsp1(
         VppIpsecSpdEntry(
             self,
             self.tun_spd,
-            p4.scapy_tun_sa_id,
+            p4.vpp_tun_sa_id,
             self.pg1.remote_addr[p6.addr_type],
             self.pg1.remote_addr[p6.addr_type],
             p4.remote_tun_if_host6,
@@ -746,10 +753,10 @@ class TestIpsecEspAsync(TemplateIpsecEsp):
         self.assertEqual(len(rxs), len(pkts))
 
         for rx in rxs:
-            if rx[ESP].spi == p.scapy_tun_spi:
+            if rx[ESP].spi == p.vpp_tun_spi:
                 decrypted = p.vpp_tun_sa.decrypt(rx[IP])
             elif rx[ESP].spi == self.p_sync.vpp_tun_spi:
-                decrypted = self.p_sync.scapy_tun_sa.decrypt(rx[IP])
+                decrypted = self.p_sync.vpp_tun_sa.decrypt(rx[IP])
             else:
                 rx.show()
                 self.assertTrue(False)
@@ -807,12 +814,12 @@ class TestIpsecEspAsync(TemplateIpsecEsp):
         self.assertEqual(len(rxs), len(pkts))
 
         for rx in rxs:
-            if rx[ESP].spi == p.scapy_tun_spi:
+            if rx[ESP].spi == p.vpp_tun_spi:
                 decrypted = p.vpp_tun_sa.decrypt(rx[IP])
             elif rx[ESP].spi == self.p_sync.vpp_tun_spi:
-                decrypted = self.p_sync.scapy_tun_sa.decrypt(rx[IP])
+                decrypted = self.p_sync.vpp_tun_sa.decrypt(rx[IP])
             elif rx[ESP].spi == self.p_async.vpp_tun_spi:
-                decrypted = self.p_async.scapy_tun_sa.decrypt(rx[IP])
+                decrypted = self.p_async.vpp_tun_sa.decrypt(rx[IP])
             else:
                 rx.show()
                 self.assertTrue(False)
@@ -822,11 +829,6 @@ class TestIpsecEspAsync(TemplateIpsecEsp):
         self.p_async.spd.remove_vpp_config()
         self.p_async.sa.remove_vpp_config()
 
-        # async mode should have been disabled now that there are
-        # no async SAs. there's no API for this, so a reluctant
-        # screen scrape.
-        self.assertTrue("DISABLED" in self.vapi.cli("sh crypto async status"))
-
 
 class TestIpsecEspHandoff(
     TemplateIpsecEsp, IpsecTun6HandoffTests, IpsecTun4HandoffTests
@@ -1038,6 +1040,42 @@ class MyParameters:
                 "salt": 2020,
                 "key": b"JPjyOWBeVEQiMe7hJPjyOWBeVEQiMe7h",
             },
+            "AES-NULL-GMAC-128/NONE": {
+                "vpp-crypto": (
+                    VppEnum.vl_api_ipsec_crypto_alg_t.IPSEC_API_CRYPTO_ALG_AES_NULL_GMAC_128
+                ),
+                "vpp-integ": (
+                    VppEnum.vl_api_ipsec_integ_alg_t.IPSEC_API_INTEG_ALG_NONE
+                ),
+                "scapy-crypto": "AES-NULL-GMAC",
+                "scapy-integ": "NULL",
+                "key": b"JPjyOWBeVEQiMe7h",
+                "salt": 0,
+            },
+            "AES-NULL-GMAC-192/NONE": {
+                "vpp-crypto": (
+                    VppEnum.vl_api_ipsec_crypto_alg_t.IPSEC_API_CRYPTO_ALG_AES_NULL_GMAC_192
+                ),
+                "vpp-integ": (
+                    VppEnum.vl_api_ipsec_integ_alg_t.IPSEC_API_INTEG_ALG_NONE
+                ),
+                "scapy-crypto": "AES-NULL-GMAC",
+                "scapy-integ": "NULL",
+                "key": b"JPjyOWBeVEQiMe7h01234567",
+                "salt": 1010,
+            },
+            "AES-NULL-GMAC-256/NONE": {
+                "vpp-crypto": (
+                    VppEnum.vl_api_ipsec_crypto_alg_t.IPSEC_API_CRYPTO_ALG_AES_NULL_GMAC_256
+                ),
+                "vpp-integ": (
+                    VppEnum.vl_api_ipsec_integ_alg_t.IPSEC_API_INTEG_ALG_NONE
+                ),
+                "scapy-crypto": "AES-NULL-GMAC",
+                "scapy-integ": "NULL",
+                "key": b"JPjyOWBeVEQiMe7h0123456787654321",
+                "salt": 2020,
+            },
         }
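Review bot: The three new `AES-NULL-GMAC-*/NONE` entries are integrity-only suites (GMAC with a null cipher), but nothing in the table says so, and `"vpp-integ": NONE` paired with `"scapy-integ": "NULL"` reads like a misconfiguration to anyone not already familiar with RFC 4543. A short comment above the first entry, e.g. `# AES-NULL-GMAC: authentication only, no confidentiality; the ICV comes from the AEAD so integ alg is NONE`, would prevent a future cleanup from "fixing" it. The key lengths (16/24/32 bytes) do match the 128/192/256 labels, and the `salt` values follow the same 0/1010/2020 pattern as the neighbouring GCM entries.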
 
 
@@ -1153,9 +1191,16 @@ class RunTestIpsecEspAll(ConfigIpsecESP, IpsecTra4, IpsecTra6, IpsecTun4, IpsecT
         #
         saf = VppEnum.vl_api_ipsec_sad_flags_t
         if flag & saf.IPSEC_API_SAD_FLAG_USE_ANTI_REPLAY:
-            self.unconfig_network()
-            self.config_network(self.params.values())
-            self.verify_tra_anti_replay()
+            for anti_replay_window_size in (
+                64,
+                131072,
+            ):
+                self.unconfig_network()
+                self.config_anti_replay(self.params.values(), anti_replay_window_size)
+                self.config_network(self.params.values())
+                self.verify_tra_anti_replay()
+                self.verify_tra_anti_replay_algorithm()
+            self.config_anti_replay(self.params.values())
 
         self.unconfig_network()
         self.config_network(self.params.values())
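Review bot: The window sizes `(64, 131072)` are bare magic numbers; the second one is presumably the "huge" window the commit title refers to, but the hunk gives no hint of why that value (it looks like a power of two, 2**17) or whether it is the implementation's upper bound. I would write the tuple as `for anti_replay_window_size in (64, 131072):  # default window, then a huge one to exercise the large-window path` and, if there is a documented maximum, name it. Also note that the trailing `self.config_anti_replay(self.params.values())` restores the default only when every iteration passes; a failing `verify_*` leaves params at 131072, which is harmless here because the test has already failed but would surprise anyone reusing the params object. `verify_tra_anti_replay_algorithm` is not defined in this file; if it is added by the template in the same commit that is fine, otherwise this hunk fails with `AttributeError`. The enclosing test method starts and ends outside the hunk.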
@@ -1187,7 +1232,8 @@ class RunTestIpsecEspAll(ConfigIpsecESP, IpsecTra4, IpsecTra6, IpsecTun4, IpsecT
 # GEN     AES-GCM-192/NONE AES-GCM-256/NONE AES-CBC-128/MD5-96 \
 # GEN     AES-CBC-192/SHA1-96 AES-CBC-256/SHA1-96 \
 # GEN     3DES-CBC/SHA1-96 NONE/SHA1-96 \
-# GEN     AES-CTR-128/SHA1-96 AES-CTR-192/SHA1-96 AES-CTR-256/SHA1-96; do \
+# GEN     AES-CTR-128/SHA1-96 AES-CTR-192/SHA1-96 AES-CTR-256/SHA1-96 \
+# GEN     AES-NULL-GMAC-128/NONE AES-NULL-GMAC-192/NONE AES-NULL-GMAC-256/NONE; do \
 # GEN      echo -en "\n\nclass "
 # GEN      echo -e "Test_${ENG}_${ESN}_${AR}_${ALG}(RunTestIpsecEspAll):" |
 # GEN             sed -e 's/-/_/g' -e 's#/#_#g' ;
@@ -2003,6 +2049,30 @@ class Test_openssl_ESNon_ARon_AES_CTR_256_SHA1_96(RunTestIpsecEspAll):
         self.run_test()
 
 
+class Test_openssl_ESNon_ARon_AES_NULL_GMAC_128_NONE(RunTestIpsecEspAll):
+    """openssl ESNon ARon AES-NULL-GMAC-128/NONE IPSec test"""
+
+    def test_ipsec(self):
+        """openssl ESNon ARon AES-NULL-GMAC-128/NONE IPSec test"""
+        self.run_test()
+
+
+class Test_openssl_ESNon_ARon_AES_NULL_GMAC_192_NONE(RunTestIpsecEspAll):
+    """openssl ESNon ARon AES-NULL-GMAC-192/NONE IPSec test"""
+
+    def test_ipsec(self):
+        """openssl ESNon ARon AES-NULL-GMAC-192/NONE IPSec test"""
+        self.run_test()
+
+
+class Test_openssl_ESNon_ARon_AES_NULL_GMAC_256_NONE(RunTestIpsecEspAll):
+    """openssl ESNon ARon AES-NULL-GMAC-256/NONE IPSec test"""
+
+    def test_ipsec(self):
+        """openssl ESNon ARon AES-NULL-GMAC-256/NONE IPSec test"""
+        self.run_test()
+
+
 class Test_openssl_ESNon_ARoff_AES_GCM_128_NONE(RunTestIpsecEspAll):
     """openssl ESNon ARoff AES-GCM-128/NONE IPSec test"""
 
@@ -2091,6 +2161,30 @@ class Test_openssl_ESNon_ARoff_AES_CTR_256_SHA1_96(RunTestIpsecEspAll):
         self.run_test()
 
 
+class Test_openssl_ESNon_ARoff_AES_NULL_GMAC_128_NONE(RunTestIpsecEspAll):
+    """openssl ESNon ARoff AES-NULL-GMAC-128/NONE IPSec test"""
+
+    def test_ipsec(self):
+        """openssl ESNon ARoff AES-NULL-GMAC-128/NONE IPSec test"""
+        self.run_test()
+
+
+class Test_openssl_ESNon_ARoff_AES_NULL_GMAC_192_NONE(RunTestIpsecEspAll):
+    """openssl ESNon ARoff AES-NULL-GMAC-192/NONE IPSec test"""
+
+    def test_ipsec(self):
+        """openssl ESNon ARoff AES-NULL-GMAC-192/NONE IPSec test"""
+        self.run_test()
+
+
+class Test_openssl_ESNon_ARoff_AES_NULL_GMAC_256_NONE(RunTestIpsecEspAll):
+    """openssl ESNon ARoff AES-NULL-GMAC-256/NONE IPSec test"""
+
+    def test_ipsec(self):
+        """openssl ESNon ARoff AES-NULL-GMAC-256/NONE IPSec test"""
+        self.run_test()
+
+
 class Test_openssl_ESNoff_ARon_AES_GCM_128_NONE(RunTestIpsecEspAll):
     """openssl ESNoff ARon AES-GCM-128/NONE IPSec test"""
 
@@ -2179,6 +2273,30 @@ class Test_openssl_ESNoff_ARon_AES_CTR_256_SHA1_96(RunTestIpsecEspAll):
         self.run_test()
 
 
+class Test_openssl_ESNoff_ARon_AES_NULL_GMAC_128_NONE(RunTestIpsecEspAll):
+    """openssl ESNoff ARon AES-NULL-GMAC-128/NONE IPSec test"""
+
+    def test_ipsec(self):
+        """openssl ESNoff ARon AES-NULL-GMAC-128/NONE IPSec test"""
+        self.run_test()
+
+
+class Test_openssl_ESNoff_ARon_AES_NULL_GMAC_192_NONE(RunTestIpsecEspAll):
+    """openssl ESNoff ARon AES-NULL-GMAC-192/NONE IPSec test"""
+
+    def test_ipsec(self):
+        """openssl ESNoff ARon AES-NULL-GMAC-192/NONE IPSec test"""
+        self.run_test()
+
+
+class Test_openssl_ESNoff_ARon_AES_NULL_GMAC_256_NONE(RunTestIpsecEspAll):
+    """openssl ESNoff ARon AES-NULL-GMAC-256/NONE IPSec test"""
+
+    def test_ipsec(self):
+        """openssl ESNoff ARon AES-NULL-GMAC-256/NONE IPSec test"""
+        self.run_test()
+
+
 class Test_openssl_ESNoff_ARoff_AES_GCM_128_NONE(RunTestIpsecEspAll):
     """openssl ESNoff ARoff AES-GCM-128/NONE IPSec test"""
 
@@ -2267,6 +2385,30 @@ class Test_openssl_ESNoff_ARoff_AES_CTR_256_SHA1_96(RunTestIpsecEspAll):
         self.run_test()
 
 
+class Test_openssl_ESNoff_ARoff_AES_NULL_GMAC_128_NONE(RunTestIpsecEspAll):
+    """openssl ESNoff ARoff AES-NULL-GMAC-128/NONE IPSec test"""
+
+    def test_ipsec(self):
+        """openssl ESNoff ARoff AES-NULL-GMAC-128/NONE IPSec test"""
+        self.run_test()
+
+
+class Test_openssl_ESNoff_ARoff_AES_NULL_GMAC_192_NONE(RunTestIpsecEspAll):
+    """openssl ESNoff ARoff AES-NULL-GMAC-192/NONE IPSec test"""
+
+    def test_ipsec(self):
+        """openssl ESNoff ARoff AES-NULL-GMAC-192/NONE IPSec test"""
+        self.run_test()
+
+
+class Test_openssl_ESNoff_ARoff_AES_NULL_GMAC_256_NONE(RunTestIpsecEspAll):
+    """openssl ESNoff ARoff AES-NULL-GMAC-256/NONE IPSec test"""
+
+    def test_ipsec(self):
+        """openssl ESNoff ARoff AES-NULL-GMAC-256/NONE IPSec test"""
+        self.run_test()
+
+
 class Test_async_ESNon_ARon_AES_GCM_128_NONE(RunTestIpsecEspAll):
     """async ESNon ARon AES-GCM-128/NONE IPSec test"""