3 from scapy.layers.ipsec import ESP
4 from scapy.layers.inet import IP, ICMP, UDP
5 from scapy.layers.inet6 import IPv6
6 from scapy.layers.l2 import Ether
7 from scapy.packet import Raw
9 from parameterized import parameterized
10 from framework import VppTestRunner
11 from template_ipsec import IpsecTra46Tests, IpsecTun46Tests, TemplateIpsec, \
12 IpsecTcpTests, IpsecTun4Tests, IpsecTra4Tests, config_tra_params, \
13 config_tun_params, IPsecIPv4Params, IPsecIPv6Params, \
14 IpsecTra4, IpsecTun4, IpsecTra6, IpsecTun6, \
15 IpsecTun6HandoffTests, IpsecTun4HandoffTests, \
17 from vpp_ipsec import VppIpsecSpd, VppIpsecSpdEntry, VppIpsecSA,\
19 from vpp_ip_route import VppIpRoute, VppRoutePath
20 from vpp_ip import DpoProto
21 from vpp_papi import VppEnum
24 engines_supporting_chain_bufs = ["openssl"]
27 class ConfigIpsecESP(TemplateIpsec):
29 tra4_encrypt_node_name = "esp4-encrypt"
30 tra4_decrypt_node_name = "esp4-decrypt"
31 tra6_encrypt_node_name = "esp6-encrypt"
32 tra6_decrypt_node_name = "esp6-decrypt"
33 tun4_encrypt_node_name = "esp4-encrypt"
34 tun4_decrypt_node_name = "esp4-decrypt"
35 tun6_encrypt_node_name = "esp6-encrypt"
36 tun6_decrypt_node_name = "esp6-decrypt"
40 super(ConfigIpsecESP, cls).setUpClass()
43 def tearDownClass(cls):
44 super(ConfigIpsecESP, cls).tearDownClass()
47 super(ConfigIpsecESP, self).setUp()
50 super(ConfigIpsecESP, self).tearDown()
52 def config_network(self, params):
54 self.tun_if = self.pg0
55 self.tra_if = self.pg2
56 self.logger.info(self.vapi.ppcli("show int addr"))
58 self.tra_spd = VppIpsecSpd(self, self.tra_spd_id)
59 self.tra_spd.add_vpp_config()
60 self.net_objs.append(self.tra_spd)
61 self.tun_spd = VppIpsecSpd(self, self.tun_spd_id)
62 self.tun_spd.add_vpp_config()
63 self.net_objs.append(self.tun_spd)
65 b = VppIpsecSpdItfBinding(self, self.tun_spd,
68 self.net_objs.append(b)
70 b = VppIpsecSpdItfBinding(self, self.tra_spd,
73 self.net_objs.append(b)
76 self.config_esp_tra(p)
77 config_tra_params(p, self.encryption_type)
79 self.config_esp_tun(p)
80 config_tun_params(p, self.encryption_type, self.tun_if)
83 d = DpoProto.DPO_PROTO_IP6 if p.is_ipv6 else DpoProto.DPO_PROTO_IP4
84 r = VppIpRoute(self, p.remote_tun_if_host, p.addr_len,
85 [VppRoutePath(self.tun_if.remote_addr[p.addr_type],
89 self.net_objs.append(r)
91 self.logger.info(self.vapi.ppcli("show ipsec all"))
93 def unconfig_network(self):
94 for o in reversed(self.net_objs):
98 def config_esp_tun(self, params):
99 addr_type = params.addr_type
100 scapy_tun_sa_id = params.scapy_tun_sa_id
101 scapy_tun_spi = params.scapy_tun_spi
102 vpp_tun_sa_id = params.vpp_tun_sa_id
103 vpp_tun_spi = params.vpp_tun_spi
104 auth_algo_vpp_id = params.auth_algo_vpp_id
105 auth_key = params.auth_key
106 crypt_algo_vpp_id = params.crypt_algo_vpp_id
107 crypt_key = params.crypt_key
108 remote_tun_if_host = params.remote_tun_if_host
109 addr_any = params.addr_any
110 addr_bcast = params.addr_bcast
111 e = VppEnum.vl_api_ipsec_spd_action_t
113 tun_flags = params.tun_flags
117 params.tun_sa_in = VppIpsecSA(self, scapy_tun_sa_id, scapy_tun_spi,
118 auth_algo_vpp_id, auth_key,
119 crypt_algo_vpp_id, crypt_key,
120 self.vpp_esp_protocol,
121 self.tun_if.local_addr[addr_type],
122 self.tun_if.remote_addr[addr_type],
127 params.tun_sa_out = VppIpsecSA(self, vpp_tun_sa_id, vpp_tun_spi,
128 auth_algo_vpp_id, auth_key,
129 crypt_algo_vpp_id, crypt_key,
130 self.vpp_esp_protocol,
131 self.tun_if.remote_addr[addr_type],
132 self.tun_if.local_addr[addr_type],
137 objs.append(params.tun_sa_in)
138 objs.append(params.tun_sa_out)
140 params.spd_policy_in_any = VppIpsecSpdEntry(self, self.tun_spd,
142 addr_any, addr_bcast,
143 addr_any, addr_bcast,
145 params.spd_policy_out_any = VppIpsecSpdEntry(self, self.tun_spd,
147 addr_any, addr_bcast,
148 addr_any, addr_bcast,
151 objs.append(params.spd_policy_out_any)
152 objs.append(params.spd_policy_in_any)
154 objs.append(VppIpsecSpdEntry(self, self.tun_spd, vpp_tun_sa_id,
155 remote_tun_if_host, remote_tun_if_host,
156 self.pg1.remote_addr[addr_type],
157 self.pg1.remote_addr[addr_type],
160 policy=e.IPSEC_API_SPD_ACTION_PROTECT,
162 objs.append(VppIpsecSpdEntry(self, self.tun_spd, scapy_tun_sa_id,
163 self.pg1.remote_addr[addr_type],
164 self.pg1.remote_addr[addr_type],
165 remote_tun_if_host, remote_tun_if_host,
167 policy=e.IPSEC_API_SPD_ACTION_PROTECT,
169 objs.append(VppIpsecSpdEntry(self, self.tun_spd, vpp_tun_sa_id,
170 remote_tun_if_host, remote_tun_if_host,
171 self.pg0.local_addr[addr_type],
172 self.pg0.local_addr[addr_type],
175 policy=e.IPSEC_API_SPD_ACTION_PROTECT,
177 objs.append(VppIpsecSpdEntry(self, self.tun_spd, scapy_tun_sa_id,
178 self.pg0.local_addr[addr_type],
179 self.pg0.local_addr[addr_type],
180 remote_tun_if_host, remote_tun_if_host,
182 policy=e.IPSEC_API_SPD_ACTION_PROTECT,
186 self.net_objs = self.net_objs + objs
188 def config_esp_tra(self, params):
189 addr_type = params.addr_type
190 scapy_tra_sa_id = params.scapy_tra_sa_id
191 scapy_tra_spi = params.scapy_tra_spi
192 vpp_tra_sa_id = params.vpp_tra_sa_id
193 vpp_tra_spi = params.vpp_tra_spi
194 auth_algo_vpp_id = params.auth_algo_vpp_id
195 auth_key = params.auth_key
196 crypt_algo_vpp_id = params.crypt_algo_vpp_id
197 crypt_key = params.crypt_key
198 addr_any = params.addr_any
199 addr_bcast = params.addr_bcast
200 flags = (VppEnum.vl_api_ipsec_sad_flags_t.
201 IPSEC_API_SAD_FLAG_USE_ANTI_REPLAY)
202 e = VppEnum.vl_api_ipsec_spd_action_t
203 flags = params.flags | flags
207 params.tra_sa_in = VppIpsecSA(self, scapy_tra_sa_id, scapy_tra_spi,
208 auth_algo_vpp_id, auth_key,
209 crypt_algo_vpp_id, crypt_key,
210 self.vpp_esp_protocol,
213 params.tra_sa_out = VppIpsecSA(self, vpp_tra_sa_id, vpp_tra_spi,
214 auth_algo_vpp_id, auth_key,
215 crypt_algo_vpp_id, crypt_key,
216 self.vpp_esp_protocol,
219 objs.append(params.tra_sa_in)
220 objs.append(params.tra_sa_out)
222 objs.append(VppIpsecSpdEntry(self, self.tra_spd, vpp_tra_sa_id,
223 addr_any, addr_bcast,
224 addr_any, addr_bcast,
226 objs.append(VppIpsecSpdEntry(self, self.tra_spd, vpp_tra_sa_id,
227 addr_any, addr_bcast,
228 addr_any, addr_bcast,
231 objs.append(VppIpsecSpdEntry(self, self.tra_spd, vpp_tra_sa_id,
232 self.tra_if.local_addr[addr_type],
233 self.tra_if.local_addr[addr_type],
234 self.tra_if.remote_addr[addr_type],
235 self.tra_if.remote_addr[addr_type],
237 policy=e.IPSEC_API_SPD_ACTION_PROTECT,
239 objs.append(VppIpsecSpdEntry(self, self.tra_spd, scapy_tra_sa_id,
240 self.tra_if.local_addr[addr_type],
241 self.tra_if.local_addr[addr_type],
242 self.tra_if.remote_addr[addr_type],
243 self.tra_if.remote_addr[addr_type],
244 0, policy=e.IPSEC_API_SPD_ACTION_PROTECT,
248 self.net_objs = self.net_objs + objs
251 class TemplateIpsecEsp(ConfigIpsecESP):
253 Basic test for ipsec esp sanity - tunnel and transport modes.
255 Below 4 cases are covered as part of this test
256 1) ipsec esp v4 transport basic test - IPv4 Transport mode
257 scenario using HMAC-SHA1-96 integrity algo
258 2) ipsec esp v4 transport burst test
259 Above test for 257 pkts
260 3) ipsec esp 4o4 tunnel basic test - IPv4 Tunnel mode
261 scenario using HMAC-SHA1-96 integrity algo
262 4) ipsec esp 4o4 tunnel burst test
263 Above test for 257 pkts
268 |pg2| <-------> |VPP|
273 --- encrypt --- plain ---
274 |pg0| <------- |VPP| <------ |pg1|
277 --- decrypt --- plain ---
278 |pg0| -------> |VPP| ------> |pg1|
284 super(TemplateIpsecEsp, cls).setUpClass()
287 def tearDownClass(cls):
288 super(TemplateIpsecEsp, cls).tearDownClass()
291 super(TemplateIpsecEsp, self).setUp()
292 self.config_network(self.params.values())
295 self.unconfig_network()
296 super(TemplateIpsecEsp, self).tearDown()
299 class TestIpsecEsp1(TemplateIpsecEsp, IpsecTra46Tests,
300 IpsecTun46Tests, IpsecTra6ExtTests):
301 """ Ipsec ESP - TUN & TRA tests """
305 super(TestIpsecEsp1, cls).setUpClass()
308 def tearDownClass(cls):
309 super(TestIpsecEsp1, cls).tearDownClass()
312 super(TestIpsecEsp1, self).setUp()
315 super(TestIpsecEsp1, self).tearDown()
317 def test_tun_46(self):
318 """ ipsec 4o6 tunnel """
319 # add an SPD entry to direct 2.2.2.2 to the v6 tunnel SA
320 p6 = self.ipv6_params
321 p4 = self.ipv4_params
323 p6.remote_tun_if_host4 = "2.2.2.2"
324 e = VppEnum.vl_api_ipsec_spd_action_t
326 VppIpsecSpdEntry(self,
329 self.pg1.remote_addr[p4.addr_type],
330 self.pg1.remote_addr[p4.addr_type],
331 p6.remote_tun_if_host4,
332 p6.remote_tun_if_host4,
335 policy=e.IPSEC_API_SPD_ACTION_PROTECT,
336 is_outbound=1).add_vpp_config()
337 VppIpRoute(self, p6.remote_tun_if_host4, p4.addr_len,
338 [VppRoutePath(self.tun_if.remote_addr[p4.addr_type],
339 0xffffffff)]).add_vpp_config()
341 old_name = self.tun6_encrypt_node_name
342 self.tun6_encrypt_node_name = "esp4-encrypt"
344 self.verify_tun_46(p6, count=63)
345 self.tun6_encrypt_node_name = old_name
347 def test_tun_64(self):
348 """ ipsec 6o4 tunnel """
349 # add an SPD entry to direct 4444::4 to the v4 tunnel SA
350 p6 = self.ipv6_params
351 p4 = self.ipv4_params
353 p4.remote_tun_if_host6 = "4444::4"
354 e = VppEnum.vl_api_ipsec_spd_action_t
356 VppIpsecSpdEntry(self,
359 self.pg1.remote_addr[p6.addr_type],
360 self.pg1.remote_addr[p6.addr_type],
361 p4.remote_tun_if_host6,
362 p4.remote_tun_if_host6,
365 policy=e.IPSEC_API_SPD_ACTION_PROTECT,
366 is_outbound=1).add_vpp_config()
367 d = DpoProto.DPO_PROTO_IP6
368 VppIpRoute(self, p4.remote_tun_if_host6, p6.addr_len,
369 [VppRoutePath(self.tun_if.remote_addr[p6.addr_type],
371 proto=d)]).add_vpp_config()
373 old_name = self.tun4_encrypt_node_name
374 self.tun4_encrypt_node_name = "esp6-encrypt"
375 self.verify_tun_64(p4, count=63)
376 self.tun4_encrypt_node_name = old_name
379 class TestIpsecEspTun(TemplateIpsecEsp, IpsecTun46Tests):
380 """ Ipsec ESP - TUN encap tests """
383 self.ipv4_params = IPsecIPv4Params()
384 self.ipv6_params = IPsecIPv6Params()
386 c = (VppEnum.vl_api_tunnel_encap_decap_flags_t.
387 TUNNEL_API_ENCAP_DECAP_FLAG_ENCAP_COPY_DSCP)
388 c1 = c | (VppEnum.vl_api_tunnel_encap_decap_flags_t.
389 TUNNEL_API_ENCAP_DECAP_FLAG_ENCAP_COPY_ECN)
391 self.ipv4_params.tun_flags = c
392 self.ipv6_params.tun_flags = c1
394 super(TestIpsecEspTun, self).setUp()
396 def gen_pkts(self, sw_intf, src, dst, count=1, payload_size=54):
397 # set the DSCP + ECN - flags are set to copy only DSCP
398 return [Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac) /
399 IP(src=src, dst=dst, tos=5) /
400 UDP(sport=4444, dport=4444) /
401 Raw(b'X' * payload_size)
402 for i in range(count)]
404 def gen_pkts6(self, sw_intf, src, dst, count=1, payload_size=54):
405 # set the DSCP + ECN - flags are set to copy both
406 return [Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac) /
407 IPv6(src=src, dst=dst, tc=5) /
408 UDP(sport=4444, dport=4444) /
409 Raw(b'X' * payload_size)
410 for i in range(count)]
412 def verify_encrypted(self, p, sa, rxs):
413 # just check that only the DSCP is copied
415 self.assertEqual(rx[IP].tos, 4)
417 def verify_encrypted6(self, p, sa, rxs):
418 # just check that the DSCP & ECN are copied
420 self.assertEqual(rx[IPv6].tc, 5)
423 class TestIpsecEspTun2(TemplateIpsecEsp, IpsecTun46Tests):
424 """ Ipsec ESP - TUN DSCP tests """
427 self.ipv4_params = IPsecIPv4Params()
428 self.ipv6_params = IPsecIPv6Params()
430 self.ipv4_params.dscp = VppEnum.vl_api_ip_dscp_t.IP_API_DSCP_EF
431 self.ipv6_params.dscp = VppEnum.vl_api_ip_dscp_t.IP_API_DSCP_AF11
433 super(TestIpsecEspTun2, self).setUp()
435 def gen_pkts(self, sw_intf, src, dst, count=1, payload_size=54):
436 # set the DSCP + ECN - flags are set to copy only DSCP
437 return [Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac) /
438 IP(src=src, dst=dst) /
439 UDP(sport=4444, dport=4444) /
440 Raw(b'X' * payload_size)
441 for i in range(count)]
443 def gen_pkts6(self, sw_intf, src, dst, count=1, payload_size=54):
444 # set the DSCP + ECN - flags are set to copy both
445 return [Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac) /
446 IPv6(src=src, dst=dst) /
447 UDP(sport=4444, dport=4444) /
448 Raw(b'X' * payload_size)
449 for i in range(count)]
451 def verify_encrypted(self, p, sa, rxs):
452 # just check that only the DSCP is copied
454 self.assertEqual(rx[IP].tos,
455 VppEnum.vl_api_ip_dscp_t.IP_API_DSCP_EF << 2)
457 def verify_encrypted6(self, p, sa, rxs):
458 # just check that the DSCP & ECN are copied
460 self.assertEqual(rx[IPv6].tc,
461 VppEnum.vl_api_ip_dscp_t.IP_API_DSCP_AF11 << 2)
464 class TestIpsecEsp2(TemplateIpsecEsp, IpsecTcpTests):
465 """ Ipsec ESP - TCP tests """
469 class TestIpsecEspHandoff(TemplateIpsecEsp,
470 IpsecTun6HandoffTests,
471 IpsecTun4HandoffTests):
472 """ Ipsec ESP - handoff tests """
476 class TemplateIpsecEspUdp(ConfigIpsecESP):
483 super(TemplateIpsecEspUdp, cls).setUpClass()
486 def tearDownClass(cls):
487 super(TemplateIpsecEspUdp, cls).tearDownClass()
490 super(TemplateIpsecEspUdp, self).setUp()
492 self.tun_if = self.pg0
493 self.tra_if = self.pg2
494 self.logger.info(self.vapi.ppcli("show int addr"))
497 p.flags = (VppEnum.vl_api_ipsec_sad_flags_t.
498 IPSEC_API_SAD_FLAG_UDP_ENCAP)
499 p.nat_header = UDP(sport=5454, dport=4500)
501 self.tra_spd = VppIpsecSpd(self, self.tra_spd_id)
502 self.tra_spd.add_vpp_config()
503 VppIpsecSpdItfBinding(self, self.tra_spd,
504 self.tra_if).add_vpp_config()
506 self.config_esp_tra(p)
507 config_tra_params(p, self.encryption_type)
509 self.tun_spd = VppIpsecSpd(self, self.tun_spd_id)
510 self.tun_spd.add_vpp_config()
511 VppIpsecSpdItfBinding(self, self.tun_spd,
512 self.tun_if).add_vpp_config()
514 self.config_esp_tun(p)
515 self.logger.info(self.vapi.ppcli("show ipsec all"))
517 d = DpoProto.DPO_PROTO_IP4
518 VppIpRoute(self, p.remote_tun_if_host, p.addr_len,
519 [VppRoutePath(self.tun_if.remote_addr[p.addr_type],
521 proto=d)]).add_vpp_config()
524 super(TemplateIpsecEspUdp, self).tearDown()
526 def show_commands_at_teardown(self):
527 self.logger.info(self.vapi.cli("show hardware"))
530 class TestIpsecEspUdp(TemplateIpsecEspUdp, IpsecTra4Tests):
531 """ Ipsec NAT-T ESP UDP tests """
535 class MyParameters():
537 self.engines = ["ia32", "ipsecmb", "openssl"]
538 flag_esn = VppEnum.vl_api_ipsec_sad_flags_t.IPSEC_API_SAD_FLAG_USE_ESN
539 self.flags = [0, flag_esn]
540 # foreach crypto algorithm
542 'AES-GCM-128/NONE': {
543 'vpp-crypto': (VppEnum.vl_api_ipsec_crypto_alg_t.
544 IPSEC_API_CRYPTO_ALG_AES_GCM_128),
545 'vpp-integ': (VppEnum.vl_api_ipsec_integ_alg_t.
546 IPSEC_API_INTEG_ALG_NONE),
547 'scapy-crypto': "AES-GCM",
548 'scapy-integ': "NULL",
549 'key': b"JPjyOWBeVEQiMe7h",
551 'AES-GCM-192/NONE': {
552 'vpp-crypto': (VppEnum.vl_api_ipsec_crypto_alg_t.
553 IPSEC_API_CRYPTO_ALG_AES_GCM_192),
554 'vpp-integ': (VppEnum.vl_api_ipsec_integ_alg_t.
555 IPSEC_API_INTEG_ALG_NONE),
556 'scapy-crypto': "AES-GCM",
557 'scapy-integ': "NULL",
558 'key': b"JPjyOWBeVEQiMe7h01234567",
560 'AES-GCM-256/NONE': {
561 'vpp-crypto': (VppEnum.vl_api_ipsec_crypto_alg_t.
562 IPSEC_API_CRYPTO_ALG_AES_GCM_256),
563 'vpp-integ': (VppEnum.vl_api_ipsec_integ_alg_t.
564 IPSEC_API_INTEG_ALG_NONE),
565 'scapy-crypto': "AES-GCM",
566 'scapy-integ': "NULL",
567 'key': b"JPjyOWBeVEQiMe7h0123456787654321",
569 'AES-CBC-128/MD5-96': {
570 'vpp-crypto': (VppEnum.vl_api_ipsec_crypto_alg_t.
571 IPSEC_API_CRYPTO_ALG_AES_CBC_128),
572 'vpp-integ': (VppEnum.vl_api_ipsec_integ_alg_t.
573 IPSEC_API_INTEG_ALG_MD5_96),
574 'scapy-crypto': "AES-CBC",
575 'scapy-integ': "HMAC-MD5-96",
577 'key': b"JPjyOWBeVEQiMe7h"},
578 'AES-CBC-192/SHA1-96': {
579 'vpp-crypto': (VppEnum.vl_api_ipsec_crypto_alg_t.
580 IPSEC_API_CRYPTO_ALG_AES_CBC_192),
581 'vpp-integ': (VppEnum.vl_api_ipsec_integ_alg_t.
582 IPSEC_API_INTEG_ALG_SHA1_96),
583 'scapy-crypto': "AES-CBC",
584 'scapy-integ': "HMAC-SHA1-96",
586 'key': b"JPjyOWBeVEQiMe7hJPjyOWBe"},
587 'AES-CBC-256/SHA1-96': {
588 'vpp-crypto': (VppEnum.vl_api_ipsec_crypto_alg_t.
589 IPSEC_API_CRYPTO_ALG_AES_CBC_256),
590 'vpp-integ': (VppEnum.vl_api_ipsec_integ_alg_t.
591 IPSEC_API_INTEG_ALG_SHA1_96),
592 'scapy-crypto': "AES-CBC",
593 'scapy-integ': "HMAC-SHA1-96",
595 'key': b"JPjyOWBeVEQiMe7hJPjyOWBeVEQiMe7h"},
596 '3DES-CBC/SHA1-96': {
597 'vpp-crypto': (VppEnum.vl_api_ipsec_crypto_alg_t.
598 IPSEC_API_CRYPTO_ALG_3DES_CBC),
599 'vpp-integ': (VppEnum.vl_api_ipsec_integ_alg_t.
600 IPSEC_API_INTEG_ALG_SHA1_96),
601 'scapy-crypto': "3DES",
602 'scapy-integ': "HMAC-SHA1-96",
604 'key': b"JPjyOWBeVEQiMe7h00112233"},
606 'vpp-crypto': (VppEnum.vl_api_ipsec_crypto_alg_t.
607 IPSEC_API_CRYPTO_ALG_NONE),
608 'vpp-integ': (VppEnum.vl_api_ipsec_integ_alg_t.
609 IPSEC_API_INTEG_ALG_SHA1_96),
610 'scapy-crypto': "NULL",
611 'scapy-integ': "HMAC-SHA1-96",
613 'key': b"JPjyOWBeVEQiMe7h00112233"},
614 'AES-CTR-128/SHA1-96': {
615 'vpp-crypto': (VppEnum.vl_api_ipsec_crypto_alg_t.
616 IPSEC_API_CRYPTO_ALG_AES_CTR_128),
617 'vpp-integ': (VppEnum.vl_api_ipsec_integ_alg_t.
618 IPSEC_API_INTEG_ALG_SHA1_96),
619 'scapy-crypto': "AES-CTR",
620 'scapy-integ': "HMAC-SHA1-96",
622 'key': b"JPjyOWBeVEQiMe7h"},
623 'AES-CTR-192/SHA1-96': {
624 'vpp-crypto': (VppEnum.vl_api_ipsec_crypto_alg_t.
625 IPSEC_API_CRYPTO_ALG_AES_CTR_192),
626 'vpp-integ': (VppEnum.vl_api_ipsec_integ_alg_t.
627 IPSEC_API_INTEG_ALG_SHA1_96),
628 'scapy-crypto': "AES-CTR",
629 'scapy-integ': "HMAC-SHA1-96",
631 'key': b"JPjyOWBeVEQiMe7hJPjyOWBe"},
632 'AES-CTR-256/SHA1-96': {
633 'vpp-crypto': (VppEnum.vl_api_ipsec_crypto_alg_t.
634 IPSEC_API_CRYPTO_ALG_AES_CTR_256),
635 'vpp-integ': (VppEnum.vl_api_ipsec_integ_alg_t.
636 IPSEC_API_INTEG_ALG_SHA1_96),
637 'scapy-crypto': "AES-CTR",
638 'scapy-integ': "HMAC-SHA1-96",
640 'key': b"JPjyOWBeVEQiMe7hJPjyOWBeVEQiMe7h"}}
643 class RunTestIpsecEspAll(ConfigIpsecESP,
644 IpsecTra4, IpsecTra6,
645 IpsecTun4, IpsecTun6):
646 """ Ipsec ESP all Algos """
649 super(RunTestIpsecEspAll, self).setUp()
650 test_args = str.split(self.__doc__, " ")
652 params = MyParameters()
653 self.engine = test_args[0]
654 self.flag = params.flags[0]
655 if test_args[1] == 'ESN':
656 self.flag = params.flags[1]
658 self.algo = params.algos[test_args[2]]
661 super(RunTestIpsecEspAll, self).tearDown()
664 self.run_a_test(self.engine, self.flag, self.algo)
666 def run_a_test(self, engine, flag, algo, payload_size=None):
669 self.vapi.cli("set crypto handler all %s" % engine)
671 self.ipv4_params = IPsecIPv4Params()
672 self.ipv6_params = IPsecIPv6Params()
674 self.params = {self.ipv4_params.addr_type:
676 self.ipv6_params.addr_type:
679 for _, p in self.params.items():
680 p.auth_algo_vpp_id = algo['vpp-integ']
681 p.crypt_algo_vpp_id = algo['vpp-crypto']
682 p.crypt_algo = algo['scapy-crypto']
683 p.auth_algo = algo['scapy-integ']
684 p.crypt_key = algo['key']
685 p.salt = algo['salt']
686 p.flags = p.flags | flag
688 self.reporter.send_keep_alive(self)
691 # configure the SPDs. SAs, etc
693 self.config_network(self.params.values())
697 # An exhautsive 4o6, 6o4 is not necessary
700 self.verify_tra_basic6(count=NUM_PKTS)
701 self.verify_tra_basic4(count=NUM_PKTS)
702 self.verify_tun_66(self.params[socket.AF_INET6],
705 # Use an odd-byte payload size to check for correct padding.
707 # 49 + 2 == 51 which should pad +1 to 52 for 4 byte alignment, +5
708 # to 56 for 8 byte alignment, and +13 to 64 for 64 byte alignment.
709 # This should catch bugs where the code is incorrectly over-padding
710 # for algorithms that don't require it
711 psz = 49 - len(IP()/ICMP()) if payload_size is None else payload_size
712 self.verify_tun_44(self.params[socket.AF_INET],
713 count=NUM_PKTS, payload_size=psz)
716 1970, # results in 2 chained buffers entering decrypt node
717 # but leaving as simple buffer due to ICV removal (tra4)
718 2004, # footer+ICV will be added to 2nd buffer (tun4)
719 4010, # ICV ends up splitted accross 2 buffers in esp_decrypt
720 # for transport4; transport6 takes normal path
721 4020, # same as above but tra4 and tra6 are switched
723 if self.engine in engines_supporting_chain_bufs:
724 for sz in LARGE_PKT_SZ:
725 self.verify_tra_basic4(count=NUM_PKTS, payload_size=sz)
726 self.verify_tra_basic6(count=NUM_PKTS, payload_size=sz)
727 self.verify_tun_66(self.params[socket.AF_INET6],
728 count=NUM_PKTS, payload_size=sz)
729 self.verify_tun_44(self.params[socket.AF_INET],
730 count=NUM_PKTS, payload_size=sz)
733 # remove the SPDs, SAs, etc
735 self.unconfig_network()
738 # reconfigure the network and SA to run the
741 self.config_network(self.params.values())
742 self.verify_tra_anti_replay()
743 self.unconfig_network()
746 # To generate test classes, do:
747 # grep '# GEN' test_ipsec_esp.py | sed -e 's/# GEN //g' | bash
749 # GEN for ENG in ia32 ipsecmb openssl; do \
750 # GEN for FLG in noESN ESN; do for ALG in AES-GCM-128/NONE \
751 # GEN AES-GCM-192/NONE AES-GCM-256/NONE AES-CBC-128/MD5-96 \
752 # GEN AES-CBC-192/SHA1-96 AES-CBC-256/SHA1-96 \
753 # GEN 3DES-CBC/SHA1-96 NONE/SHA1-96 \
754 # GEN AES-CTR-128/SHA1-96 AES-CTR-192/SHA1-96 AES-CTR-256/SHA1-96; do \
755 # GEN [[ ${FLG} == "ESN" && ${ALG} == *"NONE" ]] && continue
756 # GEN echo -e "\n\nclass Test_${ENG}_${FLG}_${ALG}(RunTestIpsecEspAll):" |
757 # GEN sed -e 's/-/_/g' -e 's#/#_#g' ; \
758 # GEN echo ' """'$ENG $FLG $ALG IPSec test'"""' ;
759 # GEN echo " def test_ipsec(self):";
760 # GEN echo " self.run_test()";
761 # GEN done; done; done
764 class Test_ia32_noESN_AES_GCM_128_NONE(RunTestIpsecEspAll):
765 """ia32 noESN AES-GCM-128/NONE IPSec test"""
766 def test_ipsec(self):
770 class Test_ia32_noESN_AES_GCM_192_NONE(RunTestIpsecEspAll):
771 """ia32 noESN AES-GCM-192/NONE IPSec test"""
772 def test_ipsec(self):
776 class Test_ia32_noESN_AES_GCM_256_NONE(RunTestIpsecEspAll):
777 """ia32 noESN AES-GCM-256/NONE IPSec test"""
778 def test_ipsec(self):
782 class Test_ia32_noESN_AES_CBC_128_MD5_96(RunTestIpsecEspAll):
783 """ia32 noESN AES-CBC-128/MD5-96 IPSec test"""
784 def test_ipsec(self):
788 class Test_ia32_noESN_AES_CBC_192_SHA1_96(RunTestIpsecEspAll):
789 """ia32 noESN AES-CBC-192/SHA1-96 IPSec test"""
790 def test_ipsec(self):
794 class Test_ia32_noESN_AES_CBC_256_SHA1_96(RunTestIpsecEspAll):
795 """ia32 noESN AES-CBC-256/SHA1-96 IPSec test"""
796 def test_ipsec(self):
800 class Test_ia32_noESN_3DES_CBC_SHA1_96(RunTestIpsecEspAll):
801 """ia32 noESN 3DES-CBC/SHA1-96 IPSec test"""
802 def test_ipsec(self):
806 class Test_ia32_noESN_NONE_SHA1_96(RunTestIpsecEspAll):
807 """ia32 noESN NONE/SHA1-96 IPSec test"""
808 def test_ipsec(self):
812 class Test_ia32_noESN_AES_CTR_128_SHA1_96(RunTestIpsecEspAll):
813 """ia32 noESN AES-CTR-128/SHA1-96 IPSec test"""
814 def test_ipsec(self):
818 class Test_ia32_noESN_AES_CTR_192_SHA1_96(RunTestIpsecEspAll):
819 """ia32 noESN AES-CTR-192/SHA1-96 IPSec test"""
820 def test_ipsec(self):
824 class Test_ia32_noESN_AES_CTR_256_SHA1_96(RunTestIpsecEspAll):
825 """ia32 noESN AES-CTR-256/SHA1-96 IPSec test"""
826 def test_ipsec(self):
830 class Test_ia32_ESN_AES_CBC_128_MD5_96(RunTestIpsecEspAll):
831 """ia32 ESN AES-CBC-128/MD5-96 IPSec test"""
832 def test_ipsec(self):
836 class Test_ia32_ESN_AES_CBC_192_SHA1_96(RunTestIpsecEspAll):
837 """ia32 ESN AES-CBC-192/SHA1-96 IPSec test"""
838 def test_ipsec(self):
842 class Test_ia32_ESN_AES_CBC_256_SHA1_96(RunTestIpsecEspAll):
843 """ia32 ESN AES-CBC-256/SHA1-96 IPSec test"""
844 def test_ipsec(self):
848 class Test_ia32_ESN_3DES_CBC_SHA1_96(RunTestIpsecEspAll):
849 """ia32 ESN 3DES-CBC/SHA1-96 IPSec test"""
850 def test_ipsec(self):
854 class Test_ia32_ESN_NONE_SHA1_96(RunTestIpsecEspAll):
855 """ia32 ESN NONE/SHA1-96 IPSec test"""
856 def test_ipsec(self):
860 class Test_ia32_ESN_AES_CTR_128_SHA1_96(RunTestIpsecEspAll):
861 """ia32 ESN AES-CTR-128/SHA1-96 IPSec test"""
862 def test_ipsec(self):
866 class Test_ia32_ESN_AES_CTR_192_SHA1_96(RunTestIpsecEspAll):
867 """ia32 ESN AES-CTR-192/SHA1-96 IPSec test"""
868 def test_ipsec(self):
872 class Test_ia32_ESN_AES_CTR_256_SHA1_96(RunTestIpsecEspAll):
873 """ia32 ESN AES-CTR-256/SHA1-96 IPSec test"""
874 def test_ipsec(self):
878 class Test_ipsecmb_noESN_AES_GCM_128_NONE(RunTestIpsecEspAll):
879 """ipsecmb noESN AES-GCM-128/NONE IPSec test"""
880 def test_ipsec(self):
884 class Test_ipsecmb_noESN_AES_GCM_192_NONE(RunTestIpsecEspAll):
885 """ipsecmb noESN AES-GCM-192/NONE IPSec test"""
886 def test_ipsec(self):
890 class Test_ipsecmb_noESN_AES_GCM_256_NONE(RunTestIpsecEspAll):
891 """ipsecmb noESN AES-GCM-256/NONE IPSec test"""
892 def test_ipsec(self):
896 class Test_ipsecmb_noESN_AES_CBC_128_MD5_96(RunTestIpsecEspAll):
897 """ipsecmb noESN AES-CBC-128/MD5-96 IPSec test"""
898 def test_ipsec(self):
902 class Test_ipsecmb_noESN_AES_CBC_192_SHA1_96(RunTestIpsecEspAll):
903 """ipsecmb noESN AES-CBC-192/SHA1-96 IPSec test"""
904 def test_ipsec(self):
908 class Test_ipsecmb_noESN_AES_CBC_256_SHA1_96(RunTestIpsecEspAll):
909 """ipsecmb noESN AES-CBC-256/SHA1-96 IPSec test"""
910 def test_ipsec(self):
914 class Test_ipsecmb_noESN_3DES_CBC_SHA1_96(RunTestIpsecEspAll):
915 """ipsecmb noESN 3DES-CBC/SHA1-96 IPSec test"""
916 def test_ipsec(self):
920 class Test_ipsecmb_noESN_NONE_SHA1_96(RunTestIpsecEspAll):
921 """ipsecmb noESN NONE/SHA1-96 IPSec test"""
922 def test_ipsec(self):
926 class Test_ipsecmb_noESN_AES_CTR_128_SHA1_96(RunTestIpsecEspAll):
927 """ipsecmb noESN AES-CTR-128/SHA1-96 IPSec test"""
928 def test_ipsec(self):
932 class Test_ipsecmb_noESN_AES_CTR_192_SHA1_96(RunTestIpsecEspAll):
933 """ipsecmb noESN AES-CTR-192/SHA1-96 IPSec test"""
934 def test_ipsec(self):
938 class Test_ipsecmb_noESN_AES_CTR_256_SHA1_96(RunTestIpsecEspAll):
939 """ipsecmb noESN AES-CTR-256/SHA1-96 IPSec test"""
940 def test_ipsec(self):
944 class Test_ipsecmb_ESN_AES_CBC_128_MD5_96(RunTestIpsecEspAll):
945 """ipsecmb ESN AES-CBC-128/MD5-96 IPSec test"""
946 def test_ipsec(self):
950 class Test_ipsecmb_ESN_AES_CBC_192_SHA1_96(RunTestIpsecEspAll):
951 """ipsecmb ESN AES-CBC-192/SHA1-96 IPSec test"""
952 def test_ipsec(self):
956 class Test_ipsecmb_ESN_AES_CBC_256_SHA1_96(RunTestIpsecEspAll):
957 """ipsecmb ESN AES-CBC-256/SHA1-96 IPSec test"""
958 def test_ipsec(self):
962 class Test_ipsecmb_ESN_3DES_CBC_SHA1_96(RunTestIpsecEspAll):
963 """ipsecmb ESN 3DES-CBC/SHA1-96 IPSec test"""
964 def test_ipsec(self):
968 class Test_ipsecmb_ESN_NONE_SHA1_96(RunTestIpsecEspAll):
969 """ipsecmb ESN NONE/SHA1-96 IPSec test"""
970 def test_ipsec(self):
974 class Test_ipsecmb_ESN_AES_CTR_128_SHA1_96(RunTestIpsecEspAll):
975 """ipsecmb ESN AES-CTR-128/SHA1-96 IPSec test"""
976 def test_ipsec(self):
980 class Test_ipsecmb_ESN_AES_CTR_192_SHA1_96(RunTestIpsecEspAll):
981 """ipsecmb ESN AES-CTR-192/SHA1-96 IPSec test"""
982 def test_ipsec(self):
986 class Test_ipsecmb_ESN_AES_CTR_256_SHA1_96(RunTestIpsecEspAll):
987 """ipsecmb ESN AES-CTR-256/SHA1-96 IPSec test"""
988 def test_ipsec(self):
992 class Test_openssl_noESN_AES_GCM_128_NONE(RunTestIpsecEspAll):
993 """openssl noESN AES-GCM-128/NONE IPSec test"""
994 def test_ipsec(self):
998 class Test_openssl_noESN_AES_GCM_192_NONE(RunTestIpsecEspAll):
999 """openssl noESN AES-GCM-192/NONE IPSec test"""
1000 def test_ipsec(self):
1004 class Test_openssl_noESN_AES_GCM_256_NONE(RunTestIpsecEspAll):
1005 """openssl noESN AES-GCM-256/NONE IPSec test"""
1006 def test_ipsec(self):
1010 class Test_openssl_noESN_AES_CBC_128_MD5_96(RunTestIpsecEspAll):
1011 """openssl noESN AES-CBC-128/MD5-96 IPSec test"""
1012 def test_ipsec(self):
1016 class Test_openssl_noESN_AES_CBC_192_SHA1_96(RunTestIpsecEspAll):
1017 """openssl noESN AES-CBC-192/SHA1-96 IPSec test"""
1018 def test_ipsec(self):
1022 class Test_openssl_noESN_AES_CBC_256_SHA1_96(RunTestIpsecEspAll):
1023 """openssl noESN AES-CBC-256/SHA1-96 IPSec test"""
1024 def test_ipsec(self):
1028 class Test_openssl_noESN_3DES_CBC_SHA1_96(RunTestIpsecEspAll):
1029 """openssl noESN 3DES-CBC/SHA1-96 IPSec test"""
1030 def test_ipsec(self):
1034 class Test_openssl_noESN_NONE_SHA1_96(RunTestIpsecEspAll):
1035 """openssl noESN NONE/SHA1-96 IPSec test"""
1036 def test_ipsec(self):
1040 class Test_openssl_noESN_AES_CTR_128_SHA1_96(RunTestIpsecEspAll):
1041 """openssl noESN AES-CTR-128/SHA1-96 IPSec test"""
1042 def test_ipsec(self):
1046 class Test_openssl_noESN_AES_CTR_192_SHA1_96(RunTestIpsecEspAll):
1047 """openssl noESN AES-CTR-192/SHA1-96 IPSec test"""
1048 def test_ipsec(self):
1052 class Test_openssl_noESN_AES_CTR_256_SHA1_96(RunTestIpsecEspAll):
1053 """openssl noESN AES-CTR-256/SHA1-96 IPSec test"""
1054 def test_ipsec(self):
1058 class Test_openssl_ESN_AES_CBC_128_MD5_96(RunTestIpsecEspAll):
1059 """openssl ESN AES-CBC-128/MD5-96 IPSec test"""
1060 def test_ipsec(self):
1064 class Test_openssl_ESN_AES_CBC_192_SHA1_96(RunTestIpsecEspAll):
1065 """openssl ESN AES-CBC-192/SHA1-96 IPSec test"""
1066 def test_ipsec(self):
1070 class Test_openssl_ESN_AES_CBC_256_SHA1_96(RunTestIpsecEspAll):
1071 """openssl ESN AES-CBC-256/SHA1-96 IPSec test"""
1072 def test_ipsec(self):
1076 class Test_openssl_ESN_3DES_CBC_SHA1_96(RunTestIpsecEspAll):
1077 """openssl ESN 3DES-CBC/SHA1-96 IPSec test"""
1078 def test_ipsec(self):
1082 class Test_openssl_ESN_NONE_SHA1_96(RunTestIpsecEspAll):
1083 """openssl ESN NONE/SHA1-96 IPSec test"""
1084 def test_ipsec(self):
1088 class Test_openssl_ESN_AES_CTR_128_SHA1_96(RunTestIpsecEspAll):
1089 """openssl ESN AES-CTR-128/SHA1-96 IPSec test"""
1090 def test_ipsec(self):
1094 class Test_openssl_ESN_AES_CTR_192_SHA1_96(RunTestIpsecEspAll):
1095 """openssl ESN AES-CTR-192/SHA1-96 IPSec test"""
1096 def test_ipsec(self):
1100 class Test_openssl_ESN_AES_CTR_256_SHA1_96(RunTestIpsecEspAll):
1101 """openssl ESN AES-CTR-256/SHA1-96 IPSec test"""
1102 def test_ipsec(self):
1106 if __name__ == '__main__':
1107 unittest.main(testRunner=VppTestRunner)
Code Review / vpp.git / blob