X-Git-Url: https://gerrit.fd.io/r/gitweb?a=blobdiff_plain;f=test%2Ftest_ipsec_esp.py;h=fdd7eb8af1518d3a386c915a17c46140783e5cc4;hb=c78eeaba49cba55a5e4c18aad1bd41e4c9b3aa33;hp=90f013f8010299950cfe0f271b0836e109e65e8e;hpb=815c6a4fbcbb636ce3b4dc98446ad205a30670a6;p=vpp.git diff --git a/test/test_ipsec_esp.py b/test/test_ipsec_esp.py index 90f013f8010..fdd7eb8af15 100644 --- a/test/test_ipsec_esp.py +++ b/test/test_ipsec_esp.py @@ -62,10 +62,11 @@ class ConfigIpsecESP(TemplateIpsec): def tearDown(self): super(ConfigIpsecESP, self).tearDown() - def config_anti_replay(self, params): + def config_anti_replay(self, params, anti_replay_window_size=64): saf = VppEnum.vl_api_ipsec_sad_flags_t for p in params: p.flags |= saf.IPSEC_API_SAD_FLAG_USE_ANTI_REPLAY + p.anti_replay_window_size = anti_replay_window_size def config_network(self, params): self.net_objs = [] @@ -134,6 +135,7 @@ class ConfigIpsecESP(TemplateIpsec): flags = params.flags tun_flags = params.tun_flags salt = params.salt + anti_replay_window_size = params.anti_replay_window_size objs = [] params.tun_sa_in = VppIpsecSA( @@ -145,13 +147,14 @@ class ConfigIpsecESP(TemplateIpsec): crypt_algo_vpp_id, crypt_key, self.vpp_esp_protocol, - self.tun_if.local_addr[addr_type], self.tun_if.remote_addr[addr_type], + self.tun_if.local_addr[addr_type], tun_flags=tun_flags, dscp=params.dscp, flags=flags, salt=salt, hop_limit=params.outer_hop_limit, + anti_replay_window_size=anti_replay_window_size, ) params.tun_sa_out = VppIpsecSA( self, @@ -162,13 +165,14 @@ class ConfigIpsecESP(TemplateIpsec): crypt_algo_vpp_id, crypt_key, self.vpp_esp_protocol, - self.tun_if.remote_addr[addr_type], self.tun_if.local_addr[addr_type], + self.tun_if.remote_addr[addr_type], tun_flags=tun_flags, dscp=params.dscp, flags=flags, salt=salt, hop_limit=params.outer_hop_limit, + anti_replay_window_size=anti_replay_window_size, ) objs.append(params.tun_sa_in) objs.append(params.tun_sa_out) 
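Review bot: `config_anti_replay` gains a second parameter but still has no docstring, so the unit of `anti_replay_window_size` and the meaning of the default `64` are left to the reader. I would add `"""Set USE_ANTI_REPLAY on every parameter set and record the replay window size (in sequence numbers) used when the SAs are created."""` under the signature. The docstring should also say that the method mutates `params` in place, since both the `|=` on `p.flags` and the new attribute persist until the method is called again.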
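Review bot: The new `anti_replay_window_size = params.anti_replay_window_size` read is unconditional, while the only assignment visible in this diff is inside `config_anti_replay`, which the ARoff variants presumably never call. Unless the parameter classes define a default outside this diff, SA creation would raise AttributeError for those variants. Either `anti_replay_window_size = getattr(params, "anti_replay_window_size", 64)` or a default in the parameter class would make the fallback explicit. The same read is added in the hunk at `@@ -274,6 +278,7 @@`, and the enclosing function starts and ends outside this hunk.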
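Review bot: The tunnel endpoints in the `VppIpsecSA(...)` calls for `tun_sa_in` and `tun_sa_out` (this hunk and `@@ -162,13 +165,14 @@`) are still passed positionally, which is what made the reversed order easy to miss. Passing them by keyword, if the constructor's signature (not shown here) allows it, would keep the direction reviewable. Failing that, a comment such as `# inbound SA: outer source is the remote peer, outer destination is the local end` above each pair would do. The source-then-destination order is inferred from the attribute names, so confirm it against the constructor. Both calls begin outside their hunks.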
@@ -201,7 +205,7 @@ class ConfigIpsecESP(TemplateIpsec): VppIpsecSpdEntry( self, self.tun_spd, - vpp_tun_sa_id, + scapy_tun_sa_id, remote_tun_if_host, remote_tun_if_host, self.pg1.remote_addr[addr_type], @@ -216,7 +220,7 @@ class ConfigIpsecESP(TemplateIpsec): VppIpsecSpdEntry( self, self.tun_spd, - scapy_tun_sa_id, + vpp_tun_sa_id, self.pg1.remote_addr[addr_type], self.pg1.remote_addr[addr_type], remote_tun_if_host, @@ -230,7 +234,7 @@ class ConfigIpsecESP(TemplateIpsec): VppIpsecSpdEntry( self, self.tun_spd, - vpp_tun_sa_id, + scapy_tun_sa_id, remote_tun_if_host, remote_tun_if_host, self.pg0.local_addr[addr_type], @@ -245,7 +249,7 @@ class ConfigIpsecESP(TemplateIpsec): VppIpsecSpdEntry( self, self.tun_spd, - scapy_tun_sa_id, + vpp_tun_sa_id, self.pg0.local_addr[addr_type], self.pg0.local_addr[addr_type], remote_tun_if_host, @@ -274,6 +278,7 @@ class ConfigIpsecESP(TemplateIpsec): e = VppEnum.vl_api_ipsec_spd_action_t flags = params.flags salt = params.salt + anti_replay_window_size = params.anti_replay_window_size objs = [] params.tra_sa_in = VppIpsecSA( @@ -287,6 +292,7 @@ class ConfigIpsecESP(TemplateIpsec): self.vpp_esp_protocol, flags=flags, salt=salt, + anti_replay_window_size=anti_replay_window_size, ) params.tra_sa_out = VppIpsecSA( self, @@ -299,6 +305,7 @@ class ConfigIpsecESP(TemplateIpsec): self.vpp_esp_protocol, flags=flags, salt=salt, + anti_replay_window_size=anti_replay_window_size, ) objs.append(params.tra_sa_in) objs.append(params.tra_sa_out) @@ -332,7 +339,7 @@ class ConfigIpsecESP(TemplateIpsec): VppIpsecSpdEntry( self, self.tra_spd, - vpp_tra_sa_id, + scapy_tra_sa_id, self.tra_if.local_addr[addr_type], self.tra_if.local_addr[addr_type], self.tra_if.remote_addr[addr_type], @@ -347,7 +354,7 @@ class ConfigIpsecESP(TemplateIpsec): VppIpsecSpdEntry( self, self.tra_spd, - scapy_tra_sa_id, + vpp_tra_sa_id, self.tra_if.local_addr[addr_type], self.tra_if.local_addr[addr_type], self.tra_if.remote_addr[addr_type], 
@@ -447,7 +454,7 @@ class TestIpsecEsp1( VppIpsecSpdEntry( self, self.tun_spd, - p6.scapy_tun_sa_id, + p6.vpp_tun_sa_id, self.pg1.remote_addr[p4.addr_type], self.pg1.remote_addr[p4.addr_type], p6.remote_tun_if_host4, @@ -482,7 +489,7 @@ class TestIpsecEsp1( VppIpsecSpdEntry( self, self.tun_spd, - p4.scapy_tun_sa_id, + p4.vpp_tun_sa_id, self.pg1.remote_addr[p6.addr_type], self.pg1.remote_addr[p6.addr_type], p4.remote_tun_if_host6, @@ -746,10 +753,10 @@ class TestIpsecEspAsync(TemplateIpsecEsp): self.assertEqual(len(rxs), len(pkts)) for rx in rxs: - if rx[ESP].spi == p.scapy_tun_spi: + if rx[ESP].spi == p.vpp_tun_spi: decrypted = p.vpp_tun_sa.decrypt(rx[IP]) elif rx[ESP].spi == self.p_sync.vpp_tun_spi: - decrypted = self.p_sync.scapy_tun_sa.decrypt(rx[IP]) + decrypted = self.p_sync.vpp_tun_sa.decrypt(rx[IP]) else: rx.show() self.assertTrue(False) @@ -807,12 +814,12 @@ class TestIpsecEspAsync(TemplateIpsecEsp): self.assertEqual(len(rxs), len(pkts)) for rx in rxs: - if rx[ESP].spi == p.scapy_tun_spi: + if rx[ESP].spi == p.vpp_tun_spi: decrypted = p.vpp_tun_sa.decrypt(rx[IP]) elif rx[ESP].spi == self.p_sync.vpp_tun_spi: - decrypted = self.p_sync.scapy_tun_sa.decrypt(rx[IP]) + decrypted = self.p_sync.vpp_tun_sa.decrypt(rx[IP]) elif rx[ESP].spi == self.p_async.vpp_tun_spi: - decrypted = self.p_async.scapy_tun_sa.decrypt(rx[IP]) + decrypted = self.p_async.vpp_tun_sa.decrypt(rx[IP]) else: rx.show() self.assertTrue(False) @@ -822,11 +829,6 @@ class TestIpsecEspAsync(TemplateIpsecEsp): self.p_async.spd.remove_vpp_config() self.p_async.sa.remove_vpp_config() - # async mode should have been disabled now that there are - # no async SAs. there's no API for this, so a reluctant - # screen scrape. - self.assertTrue("DISABLED" in self.vapi.cli("sh crypto async status")) - class TestIpsecEspHandoff( TemplateIpsecEsp, IpsecTun6HandoffTests, IpsecTun4HandoffTests 
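Review bot: The SPI-to-SA pairing in the `for rx in rxs:` loop of `@@ -746,10 +753,10 @@` is spelled out branch by branch, which is how a `scapy_*` SPI ended up beside a `vpp_*` SA before this change. The same chain appears again in `@@ -807,12 +814,12 @@` with a third branch for `self.p_async`. Building the mapping once from each parameter object keeps the SPI and its SA together, and lets the fallback report the unexpected SPI instead of a bare `assertTrue(False)`. The loop body continues outside the hunk, so the fence shows only the lookup.

```python
sa_by_spi = {
    p.vpp_tun_spi: p.vpp_tun_sa,
    self.p_sync.vpp_tun_spi: self.p_sync.vpp_tun_sa,
}
for rx in rxs:
    sa = sa_by_spi.get(rx[ESP].spi)
    if sa is None:
        rx.show()
        self.fail("unexpected ESP SPI %#x" % rx[ESP].spi)
    decrypted = sa.decrypt(rx[IP])
    # … unchanged: rest of the loop body (outside the hunk) …
```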
@@ -1038,6 +1040,42 @@ class MyParameters: "salt": 2020, "key": b"JPjyOWBeVEQiMe7hJPjyOWBeVEQiMe7h", }, + "AES-NULL-GMAC-128/NONE": { + "vpp-crypto": ( + VppEnum.vl_api_ipsec_crypto_alg_t.IPSEC_API_CRYPTO_ALG_AES_NULL_GMAC_128 + ), + "vpp-integ": ( + VppEnum.vl_api_ipsec_integ_alg_t.IPSEC_API_INTEG_ALG_NONE + ), + "scapy-crypto": "AES-NULL-GMAC", + "scapy-integ": "NULL", + "key": b"JPjyOWBeVEQiMe7h", + "salt": 0, + }, + "AES-NULL-GMAC-192/NONE": { + "vpp-crypto": ( + VppEnum.vl_api_ipsec_crypto_alg_t.IPSEC_API_CRYPTO_ALG_AES_NULL_GMAC_192 + ), + "vpp-integ": ( + VppEnum.vl_api_ipsec_integ_alg_t.IPSEC_API_INTEG_ALG_NONE + ), + "scapy-crypto": "AES-NULL-GMAC", + "scapy-integ": "NULL", + "key": b"JPjyOWBeVEQiMe7h01234567", + "salt": 1010, + }, + "AES-NULL-GMAC-256/NONE": { + "vpp-crypto": ( + VppEnum.vl_api_ipsec_crypto_alg_t.IPSEC_API_CRYPTO_ALG_AES_NULL_GMAC_256 + ), + "vpp-integ": ( + VppEnum.vl_api_ipsec_integ_alg_t.IPSEC_API_INTEG_ALG_NONE + ), + "scapy-crypto": "AES-NULL-GMAC", + "scapy-integ": "NULL", + "key": b"JPjyOWBeVEQiMe7h0123456787654321", + "salt": 2020, + }, } @@ -1153,9 +1191,16 @@ class RunTestIpsecEspAll(ConfigIpsecESP, IpsecTra4, IpsecTra6, IpsecTun4, IpsecT # saf = VppEnum.vl_api_ipsec_sad_flags_t if flag & saf.IPSEC_API_SAD_FLAG_USE_ANTI_REPLAY: - self.unconfig_network() - self.config_network(self.params.values()) - self.verify_tra_anti_replay() + for anti_replay_window_size in ( + 64, + 131072, + ): + self.unconfig_network() + self.config_anti_replay(self.params.values(), anti_replay_window_size) + self.config_network(self.params.values()) + self.verify_tra_anti_replay() + self.verify_tra_anti_replay_algorithm() + self.config_anti_replay(self.params.values()) self.unconfig_network() self.config_network(self.params.values()) 
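Review bot: The three `AES-NULL-GMAC-*` entries are added without a comment saying that this transform authenticates the packet but does not encrypt it, which is easy to overlook in a table that also holds the AES-GCM entries. A line such as `# AES-NULL-GMAC (RFC 4543): integrity only, ESP payload stays in cleartext` above the first entry would state that. Nothing in this hunk shows a check that the payload really is unencrypted or that a corrupted ICV is rejected for these algorithms. If the shared `run_test` path does not already cover that, it is worth adding. The dictionary starts outside the hunk.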
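Review bot: The window sizes `64` and `131072` in the new loop of `@@ -1153,9 +1191,16 @@` are bare literals, and a failure in `verify_tra_anti_replay()` or `verify_tra_anti_replay_algorithm()` will not say which size was configured. A comment stating why these two values were chosen (presumably the default window and a large one), plus wrapping the loop body in `with self.subTest(anti_replay_window_size=anti_replay_window_size):`, would make a failing run attributable. The reset `self.config_anti_replay(self.params.values())` after the loop is also skipped when a verify step raises, so the params keep the last window size. That only matters if the parameter objects outlive the test. `run_test` starts and ends outside the hunk.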
@@ -1187,7 +1232,8 @@ class RunTestIpsecEspAll(ConfigIpsecESP, IpsecTra4, IpsecTra6, IpsecTun4, IpsecT # GEN AES-GCM-192/NONE AES-GCM-256/NONE AES-CBC-128/MD5-96 \ # GEN AES-CBC-192/SHA1-96 AES-CBC-256/SHA1-96 \ # GEN 3DES-CBC/SHA1-96 NONE/SHA1-96 \ -# GEN AES-CTR-128/SHA1-96 AES-CTR-192/SHA1-96 AES-CTR-256/SHA1-96; do \ +# GEN AES-CTR-128/SHA1-96 AES-CTR-192/SHA1-96 AES-CTR-256/SHA1-96 \ +# GEN AES-NULL-GMAC-128/NONE AES-NULL-GMAC-192/NONE AES-NULL-GMAC-256/NONE; do \ # GEN echo -en "\n\nclass " # GEN echo -e "Test_${ENG}_${ESN}_${AR}_${ALG}(RunTestIpsecEspAll):" | # GEN sed -e 's/-/_/g' -e 's#/#_#g' ; @@ -2003,6 +2049,30 @@ class Test_openssl_ESNon_ARon_AES_CTR_256_SHA1_96(RunTestIpsecEspAll): self.run_test() +class Test_openssl_ESNon_ARon_AES_NULL_GMAC_128_NONE(RunTestIpsecEspAll): + """openssl ESNon ARon AES-NULL-GMAC-128/NONE IPSec test""" + + def test_ipsec(self): + """openssl ESNon ARon AES-NULL-GMAC-128/NONE IPSec test""" + self.run_test() + + +class Test_openssl_ESNon_ARon_AES_NULL_GMAC_192_NONE(RunTestIpsecEspAll): + """openssl ESNon ARon AES-NULL-GMAC-192/NONE IPSec test""" + + def test_ipsec(self): + """openssl ESNon ARon AES-NULL-GMAC-192/NONE IPSec test""" + self.run_test() + + +class Test_openssl_ESNon_ARon_AES_NULL_GMAC_256_NONE(RunTestIpsecEspAll): + """openssl ESNon ARon AES-NULL-GMAC-256/NONE IPSec test""" + + def test_ipsec(self): + """openssl ESNon ARon AES-NULL-GMAC-256/NONE IPSec test""" + self.run_test() + + class Test_openssl_ESNon_ARoff_AES_GCM_128_NONE(RunTestIpsecEspAll): """openssl ESNon ARoff AES-GCM-128/NONE IPSec test""" 
@@ -2091,6 +2161,30 @@ class Test_openssl_ESNon_ARoff_AES_CTR_256_SHA1_96(RunTestIpsecEspAll): self.run_test() +class Test_openssl_ESNon_ARoff_AES_NULL_GMAC_128_NONE(RunTestIpsecEspAll): + """openssl ESNon ARoff AES-NULL-GMAC-128/NONE IPSec test""" + + def test_ipsec(self): + """openssl ESNon ARoff AES-NULL-GMAC-128/NONE IPSec test""" + self.run_test() + + +class Test_openssl_ESNon_ARoff_AES_NULL_GMAC_192_NONE(RunTestIpsecEspAll): + """openssl ESNon ARoff AES-NULL-GMAC-192/NONE IPSec test""" + + def test_ipsec(self): + """openssl ESNon ARoff AES-NULL-GMAC-192/NONE IPSec test""" + self.run_test() + + +class Test_openssl_ESNon_ARoff_AES_NULL_GMAC_256_NONE(RunTestIpsecEspAll): + """openssl ESNon ARoff AES-NULL-GMAC-256/NONE IPSec test""" + + def test_ipsec(self): + """openssl ESNon ARoff AES-NULL-GMAC-256/NONE IPSec test""" + self.run_test() + + class Test_openssl_ESNoff_ARon_AES_GCM_128_NONE(RunTestIpsecEspAll): """openssl ESNoff ARon AES-GCM-128/NONE IPSec test""" @@ -2179,6 +2273,30 @@ class Test_openssl_ESNoff_ARon_AES_CTR_256_SHA1_96(RunTestIpsecEspAll): self.run_test() +class Test_openssl_ESNoff_ARon_AES_NULL_GMAC_128_NONE(RunTestIpsecEspAll): + """openssl ESNoff ARon AES-NULL-GMAC-128/NONE IPSec test""" + + def test_ipsec(self): + """openssl ESNoff ARon AES-NULL-GMAC-128/NONE IPSec test""" + self.run_test() + + +class Test_openssl_ESNoff_ARon_AES_NULL_GMAC_192_NONE(RunTestIpsecEspAll): + """openssl ESNoff ARon AES-NULL-GMAC-192/NONE IPSec test""" + + def test_ipsec(self): + """openssl ESNoff ARon AES-NULL-GMAC-192/NONE IPSec test""" + self.run_test() + + +class Test_openssl_ESNoff_ARon_AES_NULL_GMAC_256_NONE(RunTestIpsecEspAll): + """openssl ESNoff ARon AES-NULL-GMAC-256/NONE IPSec test""" + + def test_ipsec(self): + """openssl ESNoff ARon AES-NULL-GMAC-256/NONE IPSec test""" + self.run_test() + + class Test_openssl_ESNoff_ARoff_AES_GCM_128_NONE(RunTestIpsecEspAll): """openssl ESNoff ARoff AES-GCM-128/NONE IPSec test""" 
@@ -2267,6 +2385,30 @@ class Test_openssl_ESNoff_ARoff_AES_CTR_256_SHA1_96(RunTestIpsecEspAll): self.run_test() +class Test_openssl_ESNoff_ARoff_AES_NULL_GMAC_128_NONE(RunTestIpsecEspAll): + """openssl ESNoff ARoff AES-NULL-GMAC-128/NONE IPSec test""" + + def test_ipsec(self): + """openssl ESNoff ARoff AES-NULL-GMAC-128/NONE IPSec test""" + self.run_test() + + +class Test_openssl_ESNoff_ARoff_AES_NULL_GMAC_192_NONE(RunTestIpsecEspAll): + """openssl ESNoff ARoff AES-NULL-GMAC-192/NONE IPSec test""" + + def test_ipsec(self): + """openssl ESNoff ARoff AES-NULL-GMAC-192/NONE IPSec test""" + self.run_test() + + +class Test_openssl_ESNoff_ARoff_AES_NULL_GMAC_256_NONE(RunTestIpsecEspAll): + """openssl ESNoff ARoff AES-NULL-GMAC-256/NONE IPSec test""" + + def test_ipsec(self): + """openssl ESNoff ARoff AES-NULL-GMAC-256/NONE IPSec test""" + self.run_test() + + class Test_async_ESNon_ARon_AES_GCM_128_NONE(RunTestIpsecEspAll): """async ESNon ARon AES-GCM-128/NONE IPSec test"""