X-Git-Url: https://gerrit.fd.io/r/gitweb?a=blobdiff_plain;f=src%2Fplugins%2Fikev2%2Ftest%2Ftest_ikev2.py;h=558e8a02f87f91bc25f0673e58082f62bc8074b0;hb=af2cc6425;hp=3db3a05a1c3819aa8a3fbd6755691573f2e29ef5;hpb=027d813a509be0f30e05b48b888007b0094e4faf;p=vpp.git diff --git a/src/plugins/ikev2/test/test_ikev2.py b/src/plugins/ikev2/test/test_ikev2.py index 3db3a05a1c3..558e8a02f87 100644 --- a/src/plugins/ikev2/test/test_ikev2.py +++ b/src/plugins/ikev2/test/test_ikev2.py @@ -18,6 +18,7 @@ from scapy.layers.inet import IP, UDP, Ether from scapy.layers.inet6 import IPv6 from scapy.packet import raw, Raw from scapy.utils import long_converter +from framework import tag_fixme_vpp_workers from framework import VppTestCase, VppTestRunner from vpp_ikev2 import Profile, IDType, AuthMethod from vpp_papi import VppEnum @@ -592,6 +593,10 @@ class IkePeer(VppTestCase): self.vapi.cli('ikev2 set logging level 4') self.vapi.cli('event-lo clear') + def assert_counter(self, count, name, version='ip4'): + node_name = '/err/ikev2-%s/' % version + name + self.assertEqual(count, self.statistics.get_err_counter(node_name)) + def create_rekey_request(self): sa, first_payload = self.generate_auth_payload(is_rekey=True) header = ikev2.IKEv2( @@ -1317,11 +1322,24 @@ class TemplateResponder(IkePeer): self.sa.child_sas[0].rspi = prop.SPI self.sa.calc_child_keys() + IKE_NODE_SUFFIX = 'ip4' + + def verify_counters(self): + self.assert_counter(2, 'processed', self.IKE_NODE_SUFFIX) + self.assert_counter(1, 'init_sa_req', self.IKE_NODE_SUFFIX) + self.assert_counter(1, 'ike_auth_req', self.IKE_NODE_SUFFIX) + + r = self.vapi.ikev2_sa_dump() + s = r[0].sa.stats + self.assertEqual(1, s.n_sa_auth_req) + self.assertEqual(1, s.n_sa_init_req) + def test_responder(self): self.send_sa_init_req() self.send_sa_auth() self.verify_ipsec_sas() self.verify_ike_sas() + self.verify_counters() class Ikev2Params(object): @@ -1404,6 +1422,20 @@ class Ikev2Params(object): if udp_encap: self.p.set_udp_encap(True) + if 'responder_hostname' in params: + hn = params['responder_hostname'] + self.p.add_responder_hostname(hn) + + # configure static dns record + self.vapi.dns_name_server_add_del( + is_ip6=0, is_add=1, + server_address=IPv4Address(u'8.8.8.8').packed) + self.vapi.dns_enable_disable(enable=1) + + cmd = "dns cache add {} {}".format(hn['hostname'], + self.pg0.remote_ip4) + self.vapi.cli(cmd) + self.sa = IKEv2SA(self, i_id=idi['data'], r_id=idr['data'], is_initiator=is_init, id_type=self.p.local_id['id_type'], @@ -1621,13 +1653,17 @@ class TestApi(VppTestCase): self.assertEqual(ap.tun_itf, 0xffffffff) +@tag_fixme_vpp_workers class TestResponderBehindNAT(TemplateResponder, Ikev2Params): """ test responder - responder behind NAT """ + IKE_NODE_SUFFIX = 'ip4-natt' + def config_tc(self): self.config_params({'r_natt': True}) +@tag_fixme_vpp_workers class TestInitiatorNATT(TemplateInitiator, Ikev2Params): """ test ikev2 initiator - NAT traversal (intitiator behind NAT) """ @@ -1653,6 +1689,7 @@ class TestInitiatorNATT(TemplateInitiator, Ikev2Params): 'integ_alg': 12}}) +@tag_fixme_vpp_workers class TestInitiatorPsk(TemplateInitiator, Ikev2Params): """ test ikev2 initiator - pre shared key auth """ @@ -1660,8 +1697,6 @@ class TestInitiatorPsk(TemplateInitiator, Ikev2Params): self.config_params({ 'is_initiator': False, # seen from test case perspective # thus vpp is initiator - 'responder': {'sw_if_index': self.pg0.sw_if_index, - 'addr': self.pg0.remote_ip4}, 'ike-crypto': ('AES-GCM-16ICV', 32), 'ike-integ': 'NULL', 'ike-dh': '3072MODPgr', @@ -1674,9 +1709,12 @@ class TestInitiatorPsk(TemplateInitiator, Ikev2Params): 'crypto_alg': 12, # "aes-cbc" 'crypto_key_size': 256, # "hmac-sha2-256-128" - 'integ_alg': 12}}) + 'integ_alg': 12}, + 'responder_hostname': {'hostname': 'vpp.responder.org', + 'sw_if_index': self.pg0.sw_if_index}}) +@tag_fixme_vpp_workers class TestInitiatorRequestWindowSize(TestInitiatorPsk): """ test initiator - request window size (1) """ @@ -1718,6 +1756,7 @@ class TestInitiatorRequestWindowSize(TestInitiatorPsk): self.verify_ipsec_sas(is_rekey=True) +@tag_fixme_vpp_workers class TestInitiatorRekey(TestInitiatorPsk): """ test ikev2 initiator - rekey """ @@ -1755,6 +1794,7 @@ class TestInitiatorRekey(TestInitiatorPsk): self.verify_ipsec_sas(is_rekey=True) +@tag_fixme_vpp_workers class TestInitiatorDelSAFromResponder(TemplateInitiator, Ikev2Params): """ test ikev2 initiator - delete IKE SA from responder """ @@ -1780,19 +1820,25 @@ class TestInitiatorDelSAFromResponder(TemplateInitiator, Ikev2Params): 'integ_alg': 12}}) +@tag_fixme_vpp_workers class TestResponderInitBehindNATT(TemplateResponder, Ikev2Params): """ test ikev2 responder - initiator behind NAT """ + + IKE_NODE_SUFFIX = 'ip4-natt' + def config_tc(self): self.config_params( {'i_natt': True}) +@tag_fixme_vpp_workers class TestResponderPsk(TemplateResponder, Ikev2Params): """ test ikev2 responder - pre shared key auth """ def config_tc(self): self.config_params() +@tag_fixme_vpp_workers class TestResponderDpd(TestResponderPsk): """ Dead peer detection test @@ -1822,6 +1868,7 @@ class TestResponderDpd(TestResponderPsk): self.assertEqual(len(ipsec_sas), 0) +@tag_fixme_vpp_workers class TestResponderRekey(TestResponderPsk): """ test ikev2 responder - rekey """ @@ -1845,8 +1892,45 @@ class TestResponderRekey(TestResponderPsk): self.sa.calc_child_keys() self.verify_ike_sas() self.verify_ipsec_sas(is_rekey=True) + self.assert_counter(1, 'rekey_req', 'ip4') + r = self.vapi.ikev2_sa_dump() + self.assertEqual(r[0].sa.stats.n_rekey_req, 1) +class TestResponderVrf(TestResponderPsk, Ikev2Params): + """ test ikev2 responder - non-default table id """ + + @classmethod + def setUpClass(cls): + import scapy.contrib.ikev2 as _ikev2 + globals()['ikev2'] = _ikev2 + super(IkePeer, cls).setUpClass() + cls.create_pg_interfaces(range(1)) + cls.vapi.cli("ip table add 1") + cls.vapi.cli("set interface ip table pg0 1") + for i in cls.pg_interfaces: + i.admin_up() + i.config_ip4() + i.resolve_arp() + i.config_ip6() + i.resolve_ndp() + + def config_tc(self): + self.config_params({'dpd_disabled': False}) + + def test_responder(self): + self.vapi.ikev2_profile_set_liveness(period=2, max_retries=1) + super(TestResponderVrf, self).test_responder() + self.pg0.enable_capture() + self.pg_start() + capture = self.pg0.get_capture(expected_count=1, timeout=5) + ih = self.get_ike_header(capture[0]) + self.assertEqual(ih.exch_type, 37) # INFORMATIONAL + plain = self.sa.hmac_and_decrypt(ih) + self.assertEqual(plain, b'') + + +@tag_fixme_vpp_workers class TestResponderRsaSign(TemplateResponder, Ikev2Params): """ test ikev2 responder - cert based auth """ def config_tc(self): @@ -1859,6 +1943,7 @@ class TestResponderRsaSign(TemplateResponder, Ikev2Params): 'server-cert': 'server-cert.pem'}) +@tag_fixme_vpp_workers class Test_IKE_AES_CBC_128_SHA256_128_MODP2048_ESP_AES_CBC_192_SHA_384_192\ (TemplateResponder, Ikev2Params): """ @@ -1873,8 +1958,10 @@ class Test_IKE_AES_CBC_128_SHA256_128_MODP2048_ESP_AES_CBC_192_SHA_384_192\ 'ike-dh': '2048MODPgr'}) +@tag_fixme_vpp_workers class TestAES_CBC_128_SHA256_128_MODP3072_ESP_AES_GCM_16\ (TemplateResponder, Ikev2Params): + """ IKE:AES_CBC_128_SHA256_128,DH=modp3072 ESP:AES_GCM_16 """ @@ -1887,10 +1974,14 @@ class TestAES_CBC_128_SHA256_128_MODP3072_ESP_AES_GCM_16\ 'ike-dh': '3072MODPgr'}) +@tag_fixme_vpp_workers class Test_IKE_AES_GCM_16_256(TemplateResponder, Ikev2Params): """ IKE:AES_GCM_16_256 """ + + IKE_NODE_SUFFIX = 'ip6' + def config_tc(self): self.config_params({ 'del_sa_from_responder': True, @@ -1905,6 +1996,7 @@ class Test_IKE_AES_GCM_16_256(TemplateResponder, Ikev2Params): 'end_addr': '11::100'}}) +@tag_fixme_vpp_workers class TestInitiatorKeepaliveMsg(TestInitiatorPsk): """ Test for keep alive messages @@ -1920,6 +2012,9 @@ class TestInitiatorKeepaliveMsg(TestInitiatorPsk): self.assertEqual(ih.id, self.sa.msg_id) plain = self.sa.hmac_and_decrypt(ih) self.assertEqual(plain, b'') + self.assert_counter(1, 'keepalive', 'ip4') + r = self.vapi.ikev2_sa_dump() + self.assertEqual(1, r[0].sa.stats.n_keepalives) def test_initiator(self): super(TestInitiatorKeepaliveMsg, self).test_initiator() @@ -1935,10 +2030,6 @@ class TestMalformedMessages(TemplateResponder, Ikev2Params): def config_tc(self): self.config_params() - def assert_counter(self, count, name, version='ip4'): - node_name = '/err/ikev2-%s/' % version + name - self.assertEqual(count, self.statistics.get_err_counter(node_name)) - def create_ike_init_msg(self, length=None, payload=None): msg = ikev2.IKEv2(length=length, init_SPI='\x11' * 8, flags='Initiator', exch_type='IKE_SA_INIT') @@ -1950,13 +2041,13 @@ class TestMalformedMessages(TemplateResponder, Ikev2Params): def verify_bad_packet_length(self): ike_msg = self.create_ike_init_msg(length=0xdead) self.send_and_assert_no_replies(self.pg0, ike_msg * self.pkt_count) - self.assert_counter(self.pkt_count, 'Bad packet length') + self.assert_counter(self.pkt_count, 'bad_length') def verify_bad_sa_payload_length(self): p = ikev2.IKEv2_payload_SA(length=0xdead) ike_msg = self.create_ike_init_msg(payload=p) self.send_and_assert_no_replies(self.pg0, ike_msg * self.pkt_count) - self.assert_counter(self.pkt_count, 'Malformed packet') + self.assert_counter(self.pkt_count, 'malformed_packet') def test_responder(self): self.pkt_count = 254