3 from scapy.layers.ipsec import ESP
4 from scapy.layers.inet import IP, ICMP, UDP
5 from scapy.layers.inet6 import IPv6
6 from scapy.layers.l2 import Ether
7 from scapy.packet import Raw
9 from parameterized import parameterized
10 from framework import VppTestRunner
11 from template_ipsec import IpsecTra46Tests, IpsecTun46Tests, TemplateIpsec, \
12 IpsecTcpTests, IpsecTun4Tests, IpsecTra4Tests, config_tra_params, \
13 config_tun_params, IPsecIPv4Params, IPsecIPv6Params, \
14 IpsecTra4, IpsecTun4, IpsecTra6, IpsecTun6, \
15 IpsecTun6HandoffTests, IpsecTun4HandoffTests, \
17 from vpp_ipsec import VppIpsecSpd, VppIpsecSpdEntry, VppIpsecSA,\
19 from vpp_ip_route import VppIpRoute, VppRoutePath
20 from vpp_ip import DpoProto
21 from vpp_papi import VppEnum
24 engines_supporting_chain_bufs = ["openssl"]
27 class ConfigIpsecESP(TemplateIpsec):
29 tra4_encrypt_node_name = "esp4-encrypt"
30 tra4_decrypt_node_name = ["esp4-decrypt", "esp4-decrypt-post"]
31 tra6_encrypt_node_name = "esp6-encrypt"
32 tra6_decrypt_node_name = ["esp6-decrypt", "esp6-decrypt-post"]
33 tun4_encrypt_node_name = "esp4-encrypt"
34 tun4_decrypt_node_name = ["esp4-decrypt", "esp4-decrypt-post"]
35 tun6_encrypt_node_name = "esp6-encrypt"
36 tun6_decrypt_node_name = ["esp6-decrypt", "esp6-decrypt-post"]
40 super(ConfigIpsecESP, cls).setUpClass()
43 def tearDownClass(cls):
44 super(ConfigIpsecESP, cls).tearDownClass()
47 super(ConfigIpsecESP, self).setUp()
50 super(ConfigIpsecESP, self).tearDown()
52 def config_network(self, params):
54 self.tun_if = self.pg0
55 self.tra_if = self.pg2
56 self.logger.info(self.vapi.ppcli("show int addr"))
58 self.tra_spd = VppIpsecSpd(self, self.tra_spd_id)
59 self.tra_spd.add_vpp_config()
60 self.net_objs.append(self.tra_spd)
61 self.tun_spd = VppIpsecSpd(self, self.tun_spd_id)
62 self.tun_spd.add_vpp_config()
63 self.net_objs.append(self.tun_spd)
65 b = VppIpsecSpdItfBinding(self, self.tun_spd,
68 self.net_objs.append(b)
70 b = VppIpsecSpdItfBinding(self, self.tra_spd,
73 self.net_objs.append(b)
76 self.config_esp_tra(p)
77 config_tra_params(p, self.encryption_type)
79 self.config_esp_tun(p)
80 config_tun_params(p, self.encryption_type, self.tun_if)
83 d = DpoProto.DPO_PROTO_IP6 if p.is_ipv6 else DpoProto.DPO_PROTO_IP4
84 r = VppIpRoute(self, p.remote_tun_if_host, p.addr_len,
85 [VppRoutePath(self.tun_if.remote_addr[p.addr_type],
89 self.net_objs.append(r)
91 self.logger.info(self.vapi.ppcli("show ipsec all"))
93 def unconfig_network(self):
94 for o in reversed(self.net_objs):
98 def config_esp_tun(self, params):
99 addr_type = params.addr_type
100 scapy_tun_sa_id = params.scapy_tun_sa_id
101 scapy_tun_spi = params.scapy_tun_spi
102 vpp_tun_sa_id = params.vpp_tun_sa_id
103 vpp_tun_spi = params.vpp_tun_spi
104 auth_algo_vpp_id = params.auth_algo_vpp_id
105 auth_key = params.auth_key
106 crypt_algo_vpp_id = params.crypt_algo_vpp_id
107 crypt_key = params.crypt_key
108 remote_tun_if_host = params.remote_tun_if_host
109 addr_any = params.addr_any
110 addr_bcast = params.addr_bcast
111 e = VppEnum.vl_api_ipsec_spd_action_t
113 tun_flags = params.tun_flags
117 params.tun_sa_in = VppIpsecSA(self, scapy_tun_sa_id, scapy_tun_spi,
118 auth_algo_vpp_id, auth_key,
119 crypt_algo_vpp_id, crypt_key,
120 self.vpp_esp_protocol,
121 self.tun_if.local_addr[addr_type],
122 self.tun_if.remote_addr[addr_type],
127 hop_limit=params.outer_hop_limit)
128 params.tun_sa_out = VppIpsecSA(self, vpp_tun_sa_id, vpp_tun_spi,
129 auth_algo_vpp_id, auth_key,
130 crypt_algo_vpp_id, crypt_key,
131 self.vpp_esp_protocol,
132 self.tun_if.remote_addr[addr_type],
133 self.tun_if.local_addr[addr_type],
138 hop_limit=params.outer_hop_limit)
139 objs.append(params.tun_sa_in)
140 objs.append(params.tun_sa_out)
142 params.spd_policy_in_any = VppIpsecSpdEntry(self, self.tun_spd,
144 addr_any, addr_bcast,
145 addr_any, addr_bcast,
147 params.spd_policy_out_any = VppIpsecSpdEntry(self, self.tun_spd,
149 addr_any, addr_bcast,
150 addr_any, addr_bcast,
153 objs.append(params.spd_policy_out_any)
154 objs.append(params.spd_policy_in_any)
156 objs.append(VppIpsecSpdEntry(self, self.tun_spd, vpp_tun_sa_id,
157 remote_tun_if_host, remote_tun_if_host,
158 self.pg1.remote_addr[addr_type],
159 self.pg1.remote_addr[addr_type],
162 policy=e.IPSEC_API_SPD_ACTION_PROTECT,
164 objs.append(VppIpsecSpdEntry(self, self.tun_spd, scapy_tun_sa_id,
165 self.pg1.remote_addr[addr_type],
166 self.pg1.remote_addr[addr_type],
167 remote_tun_if_host, remote_tun_if_host,
169 policy=e.IPSEC_API_SPD_ACTION_PROTECT,
171 objs.append(VppIpsecSpdEntry(self, self.tun_spd, vpp_tun_sa_id,
172 remote_tun_if_host, remote_tun_if_host,
173 self.pg0.local_addr[addr_type],
174 self.pg0.local_addr[addr_type],
177 policy=e.IPSEC_API_SPD_ACTION_PROTECT,
179 objs.append(VppIpsecSpdEntry(self, self.tun_spd, scapy_tun_sa_id,
180 self.pg0.local_addr[addr_type],
181 self.pg0.local_addr[addr_type],
182 remote_tun_if_host, remote_tun_if_host,
184 policy=e.IPSEC_API_SPD_ACTION_PROTECT,
188 self.net_objs = self.net_objs + objs
190 def config_esp_tra(self, params):
191 addr_type = params.addr_type
192 scapy_tra_sa_id = params.scapy_tra_sa_id
193 scapy_tra_spi = params.scapy_tra_spi
194 vpp_tra_sa_id = params.vpp_tra_sa_id
195 vpp_tra_spi = params.vpp_tra_spi
196 auth_algo_vpp_id = params.auth_algo_vpp_id
197 auth_key = params.auth_key
198 crypt_algo_vpp_id = params.crypt_algo_vpp_id
199 crypt_key = params.crypt_key
200 addr_any = params.addr_any
201 addr_bcast = params.addr_bcast
202 flags = (VppEnum.vl_api_ipsec_sad_flags_t.
203 IPSEC_API_SAD_FLAG_USE_ANTI_REPLAY)
204 e = VppEnum.vl_api_ipsec_spd_action_t
205 flags = params.flags | flags
209 params.tra_sa_in = VppIpsecSA(self, scapy_tra_sa_id, scapy_tra_spi,
210 auth_algo_vpp_id, auth_key,
211 crypt_algo_vpp_id, crypt_key,
212 self.vpp_esp_protocol,
215 params.tra_sa_out = VppIpsecSA(self, vpp_tra_sa_id, vpp_tra_spi,
216 auth_algo_vpp_id, auth_key,
217 crypt_algo_vpp_id, crypt_key,
218 self.vpp_esp_protocol,
221 objs.append(params.tra_sa_in)
222 objs.append(params.tra_sa_out)
224 objs.append(VppIpsecSpdEntry(self, self.tra_spd, vpp_tra_sa_id,
225 addr_any, addr_bcast,
226 addr_any, addr_bcast,
228 objs.append(VppIpsecSpdEntry(self, self.tra_spd, vpp_tra_sa_id,
229 addr_any, addr_bcast,
230 addr_any, addr_bcast,
233 objs.append(VppIpsecSpdEntry(self, self.tra_spd, vpp_tra_sa_id,
234 self.tra_if.local_addr[addr_type],
235 self.tra_if.local_addr[addr_type],
236 self.tra_if.remote_addr[addr_type],
237 self.tra_if.remote_addr[addr_type],
239 policy=e.IPSEC_API_SPD_ACTION_PROTECT,
241 objs.append(VppIpsecSpdEntry(self, self.tra_spd, scapy_tra_sa_id,
242 self.tra_if.local_addr[addr_type],
243 self.tra_if.local_addr[addr_type],
244 self.tra_if.remote_addr[addr_type],
245 self.tra_if.remote_addr[addr_type],
246 0, policy=e.IPSEC_API_SPD_ACTION_PROTECT,
250 self.net_objs = self.net_objs + objs
253 class TemplateIpsecEsp(ConfigIpsecESP):
255 Basic test for ipsec esp sanity - tunnel and transport modes.
257 Below 4 cases are covered as part of this test
258 1) ipsec esp v4 transport basic test - IPv4 Transport mode
259 scenario using HMAC-SHA1-96 integrity algo
260 2) ipsec esp v4 transport burst test
261 Above test for 257 pkts
262 3) ipsec esp 4o4 tunnel basic test - IPv4 Tunnel mode
263 scenario using HMAC-SHA1-96 integrity algo
264 4) ipsec esp 4o4 tunnel burst test
265 Above test for 257 pkts
270 |pg2| <-------> |VPP|
275 --- encrypt --- plain ---
276 |pg0| <------- |VPP| <------ |pg1|
279 --- decrypt --- plain ---
280 |pg0| -------> |VPP| ------> |pg1|
286 super(TemplateIpsecEsp, cls).setUpClass()
289 def tearDownClass(cls):
290 super(TemplateIpsecEsp, cls).tearDownClass()
293 super(TemplateIpsecEsp, self).setUp()
294 self.config_network(self.params.values())
297 self.unconfig_network()
298 super(TemplateIpsecEsp, self).tearDown()
301 class TestIpsecEsp1(TemplateIpsecEsp, IpsecTra46Tests,
302 IpsecTun46Tests, IpsecTra6ExtTests):
303 """ Ipsec ESP - TUN & TRA tests """
307 super(TestIpsecEsp1, cls).setUpClass()
310 def tearDownClass(cls):
311 super(TestIpsecEsp1, cls).tearDownClass()
314 super(TestIpsecEsp1, self).setUp()
317 super(TestIpsecEsp1, self).tearDown()
319 def test_tun_46(self):
320 """ ipsec 4o6 tunnel """
321 # add an SPD entry to direct 2.2.2.2 to the v6 tunnel SA
322 p6 = self.ipv6_params
323 p4 = self.ipv4_params
325 p6.remote_tun_if_host4 = "2.2.2.2"
326 e = VppEnum.vl_api_ipsec_spd_action_t
328 VppIpsecSpdEntry(self,
331 self.pg1.remote_addr[p4.addr_type],
332 self.pg1.remote_addr[p4.addr_type],
333 p6.remote_tun_if_host4,
334 p6.remote_tun_if_host4,
337 policy=e.IPSEC_API_SPD_ACTION_PROTECT,
338 is_outbound=1).add_vpp_config()
339 VppIpRoute(self, p6.remote_tun_if_host4, p4.addr_len,
340 [VppRoutePath(self.tun_if.remote_addr[p4.addr_type],
341 0xffffffff)]).add_vpp_config()
343 old_name = self.tun6_encrypt_node_name
344 self.tun6_encrypt_node_name = "esp4-encrypt"
346 self.verify_tun_46(p6, count=63)
347 self.tun6_encrypt_node_name = old_name
349 def test_tun_64(self):
350 """ ipsec 6o4 tunnel """
351 # add an SPD entry to direct 4444::4 to the v4 tunnel SA
352 p6 = self.ipv6_params
353 p4 = self.ipv4_params
355 p4.remote_tun_if_host6 = "4444::4"
356 e = VppEnum.vl_api_ipsec_spd_action_t
358 VppIpsecSpdEntry(self,
361 self.pg1.remote_addr[p6.addr_type],
362 self.pg1.remote_addr[p6.addr_type],
363 p4.remote_tun_if_host6,
364 p4.remote_tun_if_host6,
367 policy=e.IPSEC_API_SPD_ACTION_PROTECT,
368 is_outbound=1).add_vpp_config()
369 d = DpoProto.DPO_PROTO_IP6
370 VppIpRoute(self, p4.remote_tun_if_host6, p6.addr_len,
371 [VppRoutePath(self.tun_if.remote_addr[p6.addr_type],
373 proto=d)]).add_vpp_config()
375 old_name = self.tun4_encrypt_node_name
376 self.tun4_encrypt_node_name = "esp6-encrypt"
377 self.verify_tun_64(p4, count=63)
378 self.tun4_encrypt_node_name = old_name
381 class TestIpsecEspTun(TemplateIpsecEsp, IpsecTun46Tests):
382 """ Ipsec ESP - TUN encap tests """
385 self.ipv4_params = IPsecIPv4Params()
386 self.ipv6_params = IPsecIPv6Params()
388 c = (VppEnum.vl_api_tunnel_encap_decap_flags_t.
389 TUNNEL_API_ENCAP_DECAP_FLAG_ENCAP_COPY_DSCP)
390 c1 = c | (VppEnum.vl_api_tunnel_encap_decap_flags_t.
391 TUNNEL_API_ENCAP_DECAP_FLAG_ENCAP_COPY_ECN)
393 self.ipv4_params.tun_flags = c
394 self.ipv6_params.tun_flags = c1
396 super(TestIpsecEspTun, self).setUp()
398 def gen_pkts(self, sw_intf, src, dst, count=1, payload_size=54):
399 # set the DSCP + ECN - flags are set to copy only DSCP
400 return [Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac) /
401 IP(src=src, dst=dst, tos=5) /
402 UDP(sport=4444, dport=4444) /
403 Raw(b'X' * payload_size)
404 for i in range(count)]
406 def gen_pkts6(self, p, sw_intf, src, dst, count=1, payload_size=54):
407 # set the DSCP + ECN - flags are set to copy both
408 return [Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac) /
409 IPv6(src=src, dst=dst, tc=5) /
410 UDP(sport=4444, dport=4444) /
411 Raw(b'X' * payload_size)
412 for i in range(count)]
414 def verify_encrypted(self, p, sa, rxs):
415 # just check that only the DSCP is copied
417 self.assertEqual(rx[IP].tos, 4)
419 def verify_encrypted6(self, p, sa, rxs):
420 # just check that the DSCP & ECN are copied
422 self.assertEqual(rx[IPv6].tc, 5)
425 class TestIpsecEspTun2(TemplateIpsecEsp, IpsecTun46Tests):
426 """ Ipsec ESP - TUN DSCP tests """
429 self.ipv4_params = IPsecIPv4Params()
430 self.ipv6_params = IPsecIPv6Params()
432 self.ipv4_params.dscp = VppEnum.vl_api_ip_dscp_t.IP_API_DSCP_EF
433 self.ipv6_params.dscp = VppEnum.vl_api_ip_dscp_t.IP_API_DSCP_AF11
435 super(TestIpsecEspTun2, self).setUp()
437 def gen_pkts(self, sw_intf, src, dst, count=1, payload_size=54):
438 return [Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac) /
439 IP(src=src, dst=dst) /
440 UDP(sport=4444, dport=4444) /
441 Raw(b'X' * payload_size)
442 for i in range(count)]
444 def gen_pkts6(self, p, sw_intf, src, dst, count=1, payload_size=54):
445 return [Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac) /
446 IPv6(src=src, dst=dst) /
447 UDP(sport=4444, dport=4444) /
448 Raw(b'X' * payload_size)
449 for i in range(count)]
451 def verify_encrypted(self, p, sa, rxs):
452 # just check that only the DSCP is set
454 self.assertEqual(rx[IP].tos,
455 VppEnum.vl_api_ip_dscp_t.IP_API_DSCP_EF << 2)
457 def verify_encrypted6(self, p, sa, rxs):
458 # just check that the DSCP is set
460 self.assertEqual(rx[IPv6].tc,
461 VppEnum.vl_api_ip_dscp_t.IP_API_DSCP_AF11 << 2)
464 class TestIpsecEsp2(TemplateIpsecEsp, IpsecTcpTests):
465 """ Ipsec ESP - TCP tests """
469 class TestIpsecEspAsync(TemplateIpsecEsp):
470 """ Ipsec ESP - Aysnc tests """
472 worker_config = "workers 2"
475 super(TestIpsecEspAsync, self).setUp()
477 self.vapi.ipsec_set_async_mode(async_enable=True)
478 self.p4 = IPsecIPv4Params()
480 self.p4.crypt_algo_vpp_id = (VppEnum.vl_api_ipsec_crypto_alg_t.
481 IPSEC_API_CRYPTO_ALG_AES_CBC_256)
482 self.p4.crypt_algo = 'AES-CBC' # scapy name
483 self.p4.crypt_key = b'JPjyOWBeVEQiMe7hJPjyOWBeVEQiMe7h'
485 self.p4.scapy_tun_sa_id += 0xf0000
486 self.p4.scapy_tun_spi += 0xf0000
487 self.p4.vpp_tun_sa_id += 0xf0000
488 self.p4.vpp_tun_spi += 0xf0000
489 self.p4.remote_tun_if_host = "2.2.2.2"
490 e = VppEnum.vl_api_ipsec_spd_action_t
492 self.p4.sa = VppIpsecSA(
494 self.p4.vpp_tun_sa_id,
496 self.p4.auth_algo_vpp_id,
498 self.p4.crypt_algo_vpp_id,
500 self.vpp_esp_protocol,
501 self.tun_if.local_addr[self.p4.addr_type],
502 self.tun_if.remote_addr[self.p4.addr_type]).add_vpp_config()
503 self.p4.spd = VppIpsecSpdEntry(
506 self.p4.vpp_tun_sa_id,
507 self.pg1.remote_addr[self.p4.addr_type],
508 self.pg1.remote_addr[self.p4.addr_type],
509 self.p4.remote_tun_if_host,
510 self.p4.remote_tun_if_host,
513 policy=e.IPSEC_API_SPD_ACTION_PROTECT,
514 is_outbound=1).add_vpp_config()
515 VppIpRoute(self, self.p4.remote_tun_if_host, self.p4.addr_len,
516 [VppRoutePath(self.tun_if.remote_addr[self.p4.addr_type],
517 0xffffffff)]).add_vpp_config()
518 config_tun_params(self.p4, self.encryption_type, self.tun_if)
520 def test_dual_stream(self):
521 """ Alternating SAs """
522 p = self.params[self.p4.addr_type]
524 pkts = [(Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac) /
525 IP(src=self.pg1.remote_ip4,
526 dst=self.p4.remote_tun_if_host) /
527 UDP(sport=4444, dport=4444) /
529 (Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac) /
530 IP(src=self.pg1.remote_ip4,
531 dst=p.remote_tun_if_host) /
532 UDP(sport=4444, dport=4444) /
536 rxs = self.send_and_expect(self.pg1, pkts, self.pg0)
538 self.assertEqual(len(rxs), len(pkts))
541 if rx[ESP].spi == p.scapy_tun_spi:
542 decrypted = p.vpp_tun_sa.decrypt(rx[IP])
543 elif rx[ESP].spi == self.p4.vpp_tun_spi:
544 decrypted = self.p4.scapy_tun_sa.decrypt(rx[IP])
547 self.assertTrue(False)
549 self.p4.spd.remove_vpp_config()
550 self.p4.sa.remove_vpp_config()
553 class TestIpsecEspHandoff(TemplateIpsecEsp,
554 IpsecTun6HandoffTests,
555 IpsecTun4HandoffTests):
556 """ Ipsec ESP - handoff tests """
560 class TemplateIpsecEspUdp(ConfigIpsecESP):
567 super(TemplateIpsecEspUdp, cls).setUpClass()
570 def tearDownClass(cls):
571 super(TemplateIpsecEspUdp, cls).tearDownClass()
574 super(TemplateIpsecEspUdp, self).setUp()
576 self.tun_if = self.pg0
577 self.tra_if = self.pg2
578 self.logger.info(self.vapi.ppcli("show int addr"))
581 p.flags = (VppEnum.vl_api_ipsec_sad_flags_t.
582 IPSEC_API_SAD_FLAG_UDP_ENCAP)
583 p.nat_header = UDP(sport=5454, dport=4500)
585 self.tra_spd = VppIpsecSpd(self, self.tra_spd_id)
586 self.tra_spd.add_vpp_config()
587 VppIpsecSpdItfBinding(self, self.tra_spd,
588 self.tra_if).add_vpp_config()
590 self.config_esp_tra(p)
591 config_tra_params(p, self.encryption_type)
593 self.tun_spd = VppIpsecSpd(self, self.tun_spd_id)
594 self.tun_spd.add_vpp_config()
595 VppIpsecSpdItfBinding(self, self.tun_spd,
596 self.tun_if).add_vpp_config()
598 self.config_esp_tun(p)
599 self.logger.info(self.vapi.ppcli("show ipsec all"))
601 d = DpoProto.DPO_PROTO_IP4
602 VppIpRoute(self, p.remote_tun_if_host, p.addr_len,
603 [VppRoutePath(self.tun_if.remote_addr[p.addr_type],
605 proto=d)]).add_vpp_config()
608 super(TemplateIpsecEspUdp, self).tearDown()
610 def show_commands_at_teardown(self):
611 self.logger.info(self.vapi.cli("show hardware"))
614 class TestIpsecEspUdp(TemplateIpsecEspUdp, IpsecTra4Tests):
615 """ Ipsec NAT-T ESP UDP tests """
619 class MyParameters():
621 self.engines = ["ia32", "ipsecmb", "openssl"]
622 flag_esn = VppEnum.vl_api_ipsec_sad_flags_t.IPSEC_API_SAD_FLAG_USE_ESN
623 self.flags = [0, flag_esn]
624 # foreach crypto algorithm
626 'AES-GCM-128/NONE': {
627 'vpp-crypto': (VppEnum.vl_api_ipsec_crypto_alg_t.
628 IPSEC_API_CRYPTO_ALG_AES_GCM_128),
629 'vpp-integ': (VppEnum.vl_api_ipsec_integ_alg_t.
630 IPSEC_API_INTEG_ALG_NONE),
631 'scapy-crypto': "AES-GCM",
632 'scapy-integ': "NULL",
633 'key': b"JPjyOWBeVEQiMe7h",
635 'AES-GCM-192/NONE': {
636 'vpp-crypto': (VppEnum.vl_api_ipsec_crypto_alg_t.
637 IPSEC_API_CRYPTO_ALG_AES_GCM_192),
638 'vpp-integ': (VppEnum.vl_api_ipsec_integ_alg_t.
639 IPSEC_API_INTEG_ALG_NONE),
640 'scapy-crypto': "AES-GCM",
641 'scapy-integ': "NULL",
642 'key': b"JPjyOWBeVEQiMe7h01234567",
644 'AES-GCM-256/NONE': {
645 'vpp-crypto': (VppEnum.vl_api_ipsec_crypto_alg_t.
646 IPSEC_API_CRYPTO_ALG_AES_GCM_256),
647 'vpp-integ': (VppEnum.vl_api_ipsec_integ_alg_t.
648 IPSEC_API_INTEG_ALG_NONE),
649 'scapy-crypto': "AES-GCM",
650 'scapy-integ': "NULL",
651 'key': b"JPjyOWBeVEQiMe7h0123456787654321",
653 'AES-CBC-128/MD5-96': {
654 'vpp-crypto': (VppEnum.vl_api_ipsec_crypto_alg_t.
655 IPSEC_API_CRYPTO_ALG_AES_CBC_128),
656 'vpp-integ': (VppEnum.vl_api_ipsec_integ_alg_t.
657 IPSEC_API_INTEG_ALG_MD5_96),
658 'scapy-crypto': "AES-CBC",
659 'scapy-integ': "HMAC-MD5-96",
661 'key': b"JPjyOWBeVEQiMe7h"},
662 'AES-CBC-192/SHA1-96': {
663 'vpp-crypto': (VppEnum.vl_api_ipsec_crypto_alg_t.
664 IPSEC_API_CRYPTO_ALG_AES_CBC_192),
665 'vpp-integ': (VppEnum.vl_api_ipsec_integ_alg_t.
666 IPSEC_API_INTEG_ALG_SHA1_96),
667 'scapy-crypto': "AES-CBC",
668 'scapy-integ': "HMAC-SHA1-96",
670 'key': b"JPjyOWBeVEQiMe7hJPjyOWBe"},
671 'AES-CBC-256/SHA1-96': {
672 'vpp-crypto': (VppEnum.vl_api_ipsec_crypto_alg_t.
673 IPSEC_API_CRYPTO_ALG_AES_CBC_256),
674 'vpp-integ': (VppEnum.vl_api_ipsec_integ_alg_t.
675 IPSEC_API_INTEG_ALG_SHA1_96),
676 'scapy-crypto': "AES-CBC",
677 'scapy-integ': "HMAC-SHA1-96",
679 'key': b"JPjyOWBeVEQiMe7hJPjyOWBeVEQiMe7h"},
680 '3DES-CBC/SHA1-96': {
681 'vpp-crypto': (VppEnum.vl_api_ipsec_crypto_alg_t.
682 IPSEC_API_CRYPTO_ALG_3DES_CBC),
683 'vpp-integ': (VppEnum.vl_api_ipsec_integ_alg_t.
684 IPSEC_API_INTEG_ALG_SHA1_96),
685 'scapy-crypto': "3DES",
686 'scapy-integ': "HMAC-SHA1-96",
688 'key': b"JPjyOWBeVEQiMe7h00112233"},
690 'vpp-crypto': (VppEnum.vl_api_ipsec_crypto_alg_t.
691 IPSEC_API_CRYPTO_ALG_NONE),
692 'vpp-integ': (VppEnum.vl_api_ipsec_integ_alg_t.
693 IPSEC_API_INTEG_ALG_SHA1_96),
694 'scapy-crypto': "NULL",
695 'scapy-integ': "HMAC-SHA1-96",
697 'key': b"JPjyOWBeVEQiMe7h00112233"},
698 'AES-CTR-128/SHA1-96': {
699 'vpp-crypto': (VppEnum.vl_api_ipsec_crypto_alg_t.
700 IPSEC_API_CRYPTO_ALG_AES_CTR_128),
701 'vpp-integ': (VppEnum.vl_api_ipsec_integ_alg_t.
702 IPSEC_API_INTEG_ALG_SHA1_96),
703 'scapy-crypto': "AES-CTR",
704 'scapy-integ': "HMAC-SHA1-96",
706 'key': b"JPjyOWBeVEQiMe7h"},
707 'AES-CTR-192/SHA1-96': {
708 'vpp-crypto': (VppEnum.vl_api_ipsec_crypto_alg_t.
709 IPSEC_API_CRYPTO_ALG_AES_CTR_192),
710 'vpp-integ': (VppEnum.vl_api_ipsec_integ_alg_t.
711 IPSEC_API_INTEG_ALG_SHA1_96),
712 'scapy-crypto': "AES-CTR",
713 'scapy-integ': "HMAC-SHA1-96",
715 'key': b"JPjyOWBeVEQiMe7hJPjyOWBe"},
716 'AES-CTR-256/SHA1-96': {
717 'vpp-crypto': (VppEnum.vl_api_ipsec_crypto_alg_t.
718 IPSEC_API_CRYPTO_ALG_AES_CTR_256),
719 'vpp-integ': (VppEnum.vl_api_ipsec_integ_alg_t.
720 IPSEC_API_INTEG_ALG_SHA1_96),
721 'scapy-crypto': "AES-CTR",
722 'scapy-integ': "HMAC-SHA1-96",
724 'key': b"JPjyOWBeVEQiMe7hJPjyOWBeVEQiMe7h"}}
727 class RunTestIpsecEspAll(ConfigIpsecESP,
728 IpsecTra4, IpsecTra6,
729 IpsecTun4, IpsecTun6):
730 """ Ipsec ESP all Algos """
733 def setUpConstants(cls):
734 test_args = str.split(cls.__doc__, " ")
735 engine = test_args[0]
736 if engine == "async":
737 cls.worker_config = "workers 2"
738 super(RunTestIpsecEspAll, cls).setUpConstants()
741 super(RunTestIpsecEspAll, self).setUp()
742 test_args = str.split(self.__doc__, " ")
744 params = MyParameters()
745 self.engine = test_args[0]
746 self.flag = params.flags[0]
747 if test_args[1] == 'ESN':
748 self.flag = params.flags[1]
750 self.algo = params.algos[test_args[2]]
751 self.async_mode = False
752 if self.engine == "async":
753 self.async_mode = True
756 super(RunTestIpsecEspAll, self).tearDown()
759 self.run_a_test(self.engine, self.flag, self.algo)
761 def run_a_test(self, engine, flag, algo, payload_size=None):
763 self.vapi.cli("set ipsec async mode on")
765 self.vapi.cli("set crypto handler all %s" % engine)
767 self.logger.info(self.vapi.cli("show crypto async status"))
768 self.ipv4_params = IPsecIPv4Params()
769 self.ipv6_params = IPsecIPv6Params()
771 self.params = {self.ipv4_params.addr_type:
773 self.ipv6_params.addr_type:
776 for _, p in self.params.items():
777 p.auth_algo_vpp_id = algo['vpp-integ']
778 p.crypt_algo_vpp_id = algo['vpp-crypto']
779 p.crypt_algo = algo['scapy-crypto']
780 p.auth_algo = algo['scapy-integ']
781 p.crypt_key = algo['key']
782 p.salt = algo['salt']
783 p.flags = p.flags | flag
784 p.outer_flow_label = 243224
785 p.async_mode = self.async_mode
787 self.reporter.send_keep_alive(self)
790 # configure the SPDs. SAs, etc
792 self.config_network(self.params.values())
796 # An exhautsive 4o6, 6o4 is not necessary
799 self.verify_tra_basic6(count=NUM_PKTS)
800 self.verify_tra_basic4(count=NUM_PKTS)
801 self.verify_tun_66(self.params[socket.AF_INET6],
804 # Use an odd-byte payload size to check for correct padding.
806 # 49 + 2 == 51 which should pad +1 to 52 for 4 byte alignment, +5
807 # to 56 for 8 byte alignment, and +13 to 64 for 64 byte alignment.
808 # This should catch bugs where the code is incorrectly over-padding
809 # for algorithms that don't require it
810 psz = 49 - len(IP()/ICMP()) if payload_size is None else payload_size
811 self.verify_tun_44(self.params[socket.AF_INET],
812 count=NUM_PKTS, payload_size=psz)
815 1970, # results in 2 chained buffers entering decrypt node
816 # but leaving as simple buffer due to ICV removal (tra4)
817 2004, # footer+ICV will be added to 2nd buffer (tun4)
818 4010, # ICV ends up splitted accross 2 buffers in esp_decrypt
819 # for transport4; transport6 takes normal path
820 4020, # same as above but tra4 and tra6 are switched
822 if self.engine in engines_supporting_chain_bufs:
823 for sz in LARGE_PKT_SZ:
824 self.verify_tra_basic4(count=NUM_PKTS, payload_size=sz)
825 self.verify_tra_basic6(count=NUM_PKTS, payload_size=sz)
826 self.verify_tun_66(self.params[socket.AF_INET6],
827 count=NUM_PKTS, payload_size=sz)
828 self.verify_tun_44(self.params[socket.AF_INET],
829 count=NUM_PKTS, payload_size=sz)
832 # remove the SPDs, SAs, etc
834 self.unconfig_network()
837 # reconfigure the network and SA to run the
840 self.config_network(self.params.values())
841 self.verify_tra_anti_replay()
842 self.unconfig_network()
845 # To generate test classes, do:
846 # grep '# GEN' test_ipsec_esp.py | sed -e 's/# GEN //g' | bash
848 # GEN for ENG in native ipsecmb openssl; do \
849 # GEN for FLG in noESN ESN; do for ALG in AES-GCM-128/NONE \
850 # GEN AES-GCM-192/NONE AES-GCM-256/NONE AES-CBC-128/MD5-96 \
851 # GEN AES-CBC-192/SHA1-96 AES-CBC-256/SHA1-96 \
852 # GEN 3DES-CBC/SHA1-96 NONE/SHA1-96 \
853 # GEN AES-CTR-128/SHA1-96 AES-CTR-192/SHA1-96 AES-CTR-256/SHA1-96; do \
854 # GEN [[ ${FLG} == "ESN" && ${ALG} == *"NONE" ]] && continue
855 # GEN echo -e "\n\nclass Test_${ENG}_${FLG}_${ALG}(RunTestIpsecEspAll):" |
856 # GEN sed -e 's/-/_/g' -e 's#/#_#g' ; \
857 # GEN echo ' """'$ENG $FLG $ALG IPSec test'"""' ;
858 # GEN echo " def test_ipsec(self):";
859 # GEN echo " self.run_test()";
860 # GEN done; done; done
862 # GEN for FLG in noESN ESN; do for ALG in \
863 # GEN AES-GCM-128/NONE AES-GCM-192/NONE AES-GCM-256/NONE \
864 # GEN AES-CBC-192/SHA1-96 AES-CBC-256/SHA1-96; do \
865 # GEN [[ ${FLG} == "ESN" && ${ALG} == *"NONE" ]] && continue
866 # GEN echo -e "\n\nclass Test_async_${FLG}_${ALG}(RunTestIpsecEspAll):" |
867 # GEN sed -e 's/-/_/g' -e 's#/#_#g' ; \
868 # GEN echo ' """'async $FLG $ALG IPSec test'"""' ;
869 # GEN echo " def test_ipsec(self):";
870 # GEN echo " self.run_test()";
874 class Test_native_noESN_AES_GCM_128_NONE(RunTestIpsecEspAll):
875 """native noESN AES-GCM-128/NONE IPSec test"""
876 def test_ipsec(self):
880 class Test_native_noESN_AES_GCM_192_NONE(RunTestIpsecEspAll):
881 """native noESN AES-GCM-192/NONE IPSec test"""
882 def test_ipsec(self):
886 class Test_native_noESN_AES_GCM_256_NONE(RunTestIpsecEspAll):
887 """native noESN AES-GCM-256/NONE IPSec test"""
888 def test_ipsec(self):
892 class Test_native_noESN_AES_CBC_128_MD5_96(RunTestIpsecEspAll):
893 """native noESN AES-CBC-128/MD5-96 IPSec test"""
894 def test_ipsec(self):
898 class Test_native_noESN_AES_CBC_192_SHA1_96(RunTestIpsecEspAll):
899 """native noESN AES-CBC-192/SHA1-96 IPSec test"""
900 def test_ipsec(self):
904 class Test_native_noESN_AES_CBC_256_SHA1_96(RunTestIpsecEspAll):
905 """native noESN AES-CBC-256/SHA1-96 IPSec test"""
906 def test_ipsec(self):
910 class Test_native_noESN_3DES_CBC_SHA1_96(RunTestIpsecEspAll):
911 """native noESN 3DES-CBC/SHA1-96 IPSec test"""
912 def test_ipsec(self):
916 class Test_native_noESN_NONE_SHA1_96(RunTestIpsecEspAll):
917 """native noESN NONE/SHA1-96 IPSec test"""
918 def test_ipsec(self):
922 class Test_native_noESN_AES_CTR_128_SHA1_96(RunTestIpsecEspAll):
923 """native noESN AES-CTR-128/SHA1-96 IPSec test"""
924 def test_ipsec(self):
928 class Test_native_noESN_AES_CTR_192_SHA1_96(RunTestIpsecEspAll):
929 """native noESN AES-CTR-192/SHA1-96 IPSec test"""
930 def test_ipsec(self):
934 class Test_native_noESN_AES_CTR_256_SHA1_96(RunTestIpsecEspAll):
935 """native noESN AES-CTR-256/SHA1-96 IPSec test"""
936 def test_ipsec(self):
940 class Test_native_ESN_AES_CBC_128_MD5_96(RunTestIpsecEspAll):
941 """native ESN AES-CBC-128/MD5-96 IPSec test"""
942 def test_ipsec(self):
946 class Test_native_ESN_AES_CBC_192_SHA1_96(RunTestIpsecEspAll):
947 """native ESN AES-CBC-192/SHA1-96 IPSec test"""
948 def test_ipsec(self):
952 class Test_native_ESN_AES_CBC_256_SHA1_96(RunTestIpsecEspAll):
953 """native ESN AES-CBC-256/SHA1-96 IPSec test"""
954 def test_ipsec(self):
958 class Test_native_ESN_3DES_CBC_SHA1_96(RunTestIpsecEspAll):
959 """native ESN 3DES-CBC/SHA1-96 IPSec test"""
960 def test_ipsec(self):
964 class Test_native_ESN_NONE_SHA1_96(RunTestIpsecEspAll):
965 """native ESN NONE/SHA1-96 IPSec test"""
966 def test_ipsec(self):
970 class Test_native_ESN_AES_CTR_128_SHA1_96(RunTestIpsecEspAll):
971 """native ESN AES-CTR-128/SHA1-96 IPSec test"""
972 def test_ipsec(self):
976 class Test_native_ESN_AES_CTR_192_SHA1_96(RunTestIpsecEspAll):
977 """native ESN AES-CTR-192/SHA1-96 IPSec test"""
978 def test_ipsec(self):
982 class Test_native_ESN_AES_CTR_256_SHA1_96(RunTestIpsecEspAll):
983 """native ESN AES-CTR-256/SHA1-96 IPSec test"""
984 def test_ipsec(self):
988 class Test_ipsecmb_noESN_AES_GCM_128_NONE(RunTestIpsecEspAll):
989 """ipsecmb noESN AES-GCM-128/NONE IPSec test"""
990 def test_ipsec(self):
994 class Test_ipsecmb_noESN_AES_GCM_192_NONE(RunTestIpsecEspAll):
995 """ipsecmb noESN AES-GCM-192/NONE IPSec test"""
996 def test_ipsec(self):
1000 class Test_ipsecmb_noESN_AES_GCM_256_NONE(RunTestIpsecEspAll):
1001 """ipsecmb noESN AES-GCM-256/NONE IPSec test"""
1002 def test_ipsec(self):
1006 class Test_ipsecmb_noESN_AES_CBC_128_MD5_96(RunTestIpsecEspAll):
1007 """ipsecmb noESN AES-CBC-128/MD5-96 IPSec test"""
1008 def test_ipsec(self):
1012 class Test_ipsecmb_noESN_AES_CBC_192_SHA1_96(RunTestIpsecEspAll):
1013 """ipsecmb noESN AES-CBC-192/SHA1-96 IPSec test"""
1014 def test_ipsec(self):
1018 class Test_ipsecmb_noESN_AES_CBC_256_SHA1_96(RunTestIpsecEspAll):
1019 """ipsecmb noESN AES-CBC-256/SHA1-96 IPSec test"""
1020 def test_ipsec(self):
1024 class Test_ipsecmb_noESN_3DES_CBC_SHA1_96(RunTestIpsecEspAll):
1025 """ipsecmb noESN 3DES-CBC/SHA1-96 IPSec test"""
1026 def test_ipsec(self):
1030 class Test_ipsecmb_noESN_NONE_SHA1_96(RunTestIpsecEspAll):
1031 """ipsecmb noESN NONE/SHA1-96 IPSec test"""
1032 def test_ipsec(self):
1036 class Test_ipsecmb_noESN_AES_CTR_128_SHA1_96(RunTestIpsecEspAll):
1037 """ipsecmb noESN AES-CTR-128/SHA1-96 IPSec test"""
1038 def test_ipsec(self):
1042 class Test_ipsecmb_noESN_AES_CTR_192_SHA1_96(RunTestIpsecEspAll):
1043 """ipsecmb noESN AES-CTR-192/SHA1-96 IPSec test"""
1044 def test_ipsec(self):
1048 class Test_ipsecmb_noESN_AES_CTR_256_SHA1_96(RunTestIpsecEspAll):
1049 """ipsecmb noESN AES-CTR-256/SHA1-96 IPSec test"""
1050 def test_ipsec(self):
1054 class Test_ipsecmb_ESN_AES_CBC_128_MD5_96(RunTestIpsecEspAll):
1055 """ipsecmb ESN AES-CBC-128/MD5-96 IPSec test"""
1056 def test_ipsec(self):
1060 class Test_ipsecmb_ESN_AES_CBC_192_SHA1_96(RunTestIpsecEspAll):
1061 """ipsecmb ESN AES-CBC-192/SHA1-96 IPSec test"""
1062 def test_ipsec(self):
1066 class Test_ipsecmb_ESN_AES_CBC_256_SHA1_96(RunTestIpsecEspAll):
1067 """ipsecmb ESN AES-CBC-256/SHA1-96 IPSec test"""
1068 def test_ipsec(self):
1072 class Test_ipsecmb_ESN_3DES_CBC_SHA1_96(RunTestIpsecEspAll):
1073 """ipsecmb ESN 3DES-CBC/SHA1-96 IPSec test"""
1074 def test_ipsec(self):
1078 class Test_ipsecmb_ESN_NONE_SHA1_96(RunTestIpsecEspAll):
1079 """ipsecmb ESN NONE/SHA1-96 IPSec test"""
1080 def test_ipsec(self):
1084 class Test_ipsecmb_ESN_AES_CTR_128_SHA1_96(RunTestIpsecEspAll):
1085 """ipsecmb ESN AES-CTR-128/SHA1-96 IPSec test"""
1086 def test_ipsec(self):
1090 class Test_ipsecmb_ESN_AES_CTR_192_SHA1_96(RunTestIpsecEspAll):
1091 """ipsecmb ESN AES-CTR-192/SHA1-96 IPSec test"""
1092 def test_ipsec(self):
1096 class Test_ipsecmb_ESN_AES_CTR_256_SHA1_96(RunTestIpsecEspAll):
1097 """ipsecmb ESN AES-CTR-256/SHA1-96 IPSec test"""
1098 def test_ipsec(self):
1102 class Test_openssl_noESN_AES_GCM_128_NONE(RunTestIpsecEspAll):
1103 """openssl noESN AES-GCM-128/NONE IPSec test"""
1104 def test_ipsec(self):
1108 class Test_openssl_noESN_AES_GCM_192_NONE(RunTestIpsecEspAll):
1109 """openssl noESN AES-GCM-192/NONE IPSec test"""
1110 def test_ipsec(self):
1114 class Test_openssl_noESN_AES_GCM_256_NONE(RunTestIpsecEspAll):
1115 """openssl noESN AES-GCM-256/NONE IPSec test"""
1116 def test_ipsec(self):
1120 class Test_openssl_noESN_AES_CBC_128_MD5_96(RunTestIpsecEspAll):
1121 """openssl noESN AES-CBC-128/MD5-96 IPSec test"""
1122 def test_ipsec(self):
1126 class Test_openssl_noESN_AES_CBC_192_SHA1_96(RunTestIpsecEspAll):
1127 """openssl noESN AES-CBC-192/SHA1-96 IPSec test"""
1128 def test_ipsec(self):
1132 class Test_openssl_noESN_AES_CBC_256_SHA1_96(RunTestIpsecEspAll):
1133 """openssl noESN AES-CBC-256/SHA1-96 IPSec test"""
1134 def test_ipsec(self):
1138 class Test_openssl_noESN_3DES_CBC_SHA1_96(RunTestIpsecEspAll):
1139 """openssl noESN 3DES-CBC/SHA1-96 IPSec test"""
1140 def test_ipsec(self):
1144 class Test_openssl_noESN_NONE_SHA1_96(RunTestIpsecEspAll):
1145 """openssl noESN NONE/SHA1-96 IPSec test"""
1146 def test_ipsec(self):
1150 class Test_openssl_noESN_AES_CTR_128_SHA1_96(RunTestIpsecEspAll):
1151 """openssl noESN AES-CTR-128/SHA1-96 IPSec test"""
1152 def test_ipsec(self):
1156 class Test_openssl_noESN_AES_CTR_192_SHA1_96(RunTestIpsecEspAll):
1157 """openssl noESN AES-CTR-192/SHA1-96 IPSec test"""
1158 def test_ipsec(self):
1162 class Test_openssl_noESN_AES_CTR_256_SHA1_96(RunTestIpsecEspAll):
1163 """openssl noESN AES-CTR-256/SHA1-96 IPSec test"""
1164 def test_ipsec(self):
1168 class Test_openssl_ESN_AES_CBC_128_MD5_96(RunTestIpsecEspAll):
1169 """openssl ESN AES-CBC-128/MD5-96 IPSec test"""
1170 def test_ipsec(self):
1174 class Test_openssl_ESN_AES_CBC_192_SHA1_96(RunTestIpsecEspAll):
1175 """openssl ESN AES-CBC-192/SHA1-96 IPSec test"""
1176 def test_ipsec(self):
1180 class Test_openssl_ESN_AES_CBC_256_SHA1_96(RunTestIpsecEspAll):
1181 """openssl ESN AES-CBC-256/SHA1-96 IPSec test"""
1182 def test_ipsec(self):
1186 class Test_openssl_ESN_3DES_CBC_SHA1_96(RunTestIpsecEspAll):
1187 """openssl ESN 3DES-CBC/SHA1-96 IPSec test"""
1188 def test_ipsec(self):
1192 class Test_openssl_ESN_NONE_SHA1_96(RunTestIpsecEspAll):
1193 """openssl ESN NONE/SHA1-96 IPSec test"""
1194 def test_ipsec(self):
1198 class Test_openssl_ESN_AES_CTR_128_SHA1_96(RunTestIpsecEspAll):
1199 """openssl ESN AES-CTR-128/SHA1-96 IPSec test"""
1200 def test_ipsec(self):
1204 class Test_openssl_ESN_AES_CTR_192_SHA1_96(RunTestIpsecEspAll):
1205 """openssl ESN AES-CTR-192/SHA1-96 IPSec test"""
1206 def test_ipsec(self):
1210 class Test_openssl_ESN_AES_CTR_256_SHA1_96(RunTestIpsecEspAll):
1211 """openssl ESN AES-CTR-256/SHA1-96 IPSec test"""
1212 def test_ipsec(self):
1216 class Test_async_noESN_AES_GCM_128_NONE(RunTestIpsecEspAll):
1217 """async noESN AES-GCM-128/NONE IPSec test"""
1218 def test_ipsec(self):
1222 class Test_async_noESN_AES_GCM_192_NONE(RunTestIpsecEspAll):
1223 """async noESN AES-GCM-192/NONE IPSec test"""
1224 def test_ipsec(self):
1228 class Test_async_noESN_AES_GCM_256_NONE(RunTestIpsecEspAll):
1229 """async noESN AES-GCM-256/NONE IPSec test"""
1230 def test_ipsec(self):
1234 class Test_async_noESN_AES_CBC_192_SHA1_96(RunTestIpsecEspAll):
1235 """async noESN AES-CBC-192/SHA1-96 IPSec test"""
1236 def test_ipsec(self):
1240 class Test_async_noESN_AES_CBC_256_SHA1_96(RunTestIpsecEspAll):
1241 """async noESN AES-CBC-256/SHA1-96 IPSec test"""
1242 def test_ipsec(self):
1246 class Test_async_ESN_AES_CBC_192_SHA1_96(RunTestIpsecEspAll):
1247 """async ESN AES-CBC-192/SHA1-96 IPSec test"""
1248 def test_ipsec(self):
1252 class Test_async_ESN_AES_CBC_256_SHA1_96(RunTestIpsecEspAll):
1253 """async ESN AES-CBC-256/SHA1-96 IPSec test"""
1254 def test_ipsec(self):
Code Review / vpp.git / blob