ligang/vpp
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
vpp/test/test_ipsec_esp.py
Christian Hopps fb7e7ed2cd ipsec: fix padding/alignment for native IPsec encryption 
Not all ESP crypto algorithms require padding/alignment to be the same
as AES block/IV size. CCM, CTR and GCM all have no padding/alignment
requirements, and the RFCs indicate that no padding (beyond ESPs 4 octet
alignment requirement) should be used unless TFC (traffic flow
confidentiality) has been requested.

  CTR: https://tools.ietf.org/html/rfc3686#section-3.2
  GCM: https://tools.ietf.org/html/rfc4106#section-3.2
  CCM: https://tools.ietf.org/html/rfc4309#section-3.2

- VPP is incorrectly using the IV/AES block size to pad CTR and GCM.
These modes do not require padding (beyond ESPs 4 octet requirement), as
a result packets will have unnecessary padding, which will waste
bandwidth at least and possibly fail certain network configurations that
have finely tuned MTU configurations at worst.

Fix this as well as changing the field names from ".*block_size" to
".*block_align" to better represent their actual (and only) use. Rename
"block_sz" in esp_encrypt to "esp_align" and set it correctly as well.

test: ipsec: Add unit-test to test for RFC correct padding/alignment

test: patch scapy to not incorrectly pad ccm, ctr, gcm modes as well

- Scapy is also incorrectly using the AES block size of 16 to pad CCM,
CTR, and GCM cipher modes. A bug report has been opened with the
and acknowledged with the upstream scapy project as well:

  https://github.com/secdev/scapy/issues/2322

Ticket: VPP-1928
Type: fix
Signed-off-by: Christian Hopps <chopps@labn.net>
Change-Id: Iaa4d6a325a2e99fdcb2c375a3395bcfe7947770e
2020-09-07 09:43:27 +00:00

879 lines
32 KiB
Python
Raw Permalink Blame History

import socket
import unittest
from scapy.layers.ipsec import ESP
from scapy.layers.inet import IP, ICMP, UDP
from parameterized import parameterized
from framework import VppTestRunner
from template_ipsec import IpsecTra46Tests, IpsecTun46Tests, TemplateIpsec, \
IpsecTcpTests, IpsecTun4Tests, IpsecTra4Tests, config_tra_params, \
config_tun_params, IPsecIPv4Params, IPsecIPv6Params, \
IpsecTra4, IpsecTun4, IpsecTra6, IpsecTun6, \
IpsecTun6HandoffTests, IpsecTun4HandoffTests, \
IpsecTra6ExtTests
from vpp_ipsec import VppIpsecSpd, VppIpsecSpdEntry, VppIpsecSA,\
VppIpsecSpdItfBinding
from vpp_ip_route import VppIpRoute, VppRoutePath
from vpp_ip import DpoProto
from vpp_papi import VppEnum
NUM_PKTS = 67
engines_supporting_chain_bufs = ["openssl"]
class ConfigIpsecESP(TemplateIpsec):
encryption_type = ESP
tra4_encrypt_node_name = "esp4-encrypt"
tra4_decrypt_node_name = "esp4-decrypt"
tra6_encrypt_node_name = "esp6-encrypt"
tra6_decrypt_node_name = "esp6-decrypt"
tun4_encrypt_node_name = "esp4-encrypt"
tun4_decrypt_node_name = "esp4-decrypt"
tun6_encrypt_node_name = "esp6-encrypt"
tun6_decrypt_node_name = "esp6-decrypt"
@classmethod
def setUpClass(cls):
super(ConfigIpsecESP, cls).setUpClass()
@classmethod
def tearDownClass(cls):
super(ConfigIpsecESP, cls).tearDownClass()
def setUp(self):
super(ConfigIpsecESP, self).setUp()
def tearDown(self):
super(ConfigIpsecESP, self).tearDown()
def config_network(self, params):
self.net_objs = []
self.tun_if = self.pg0
self.tra_if = self.pg2
self.logger.info(self.vapi.ppcli("show int addr"))
self.tra_spd = VppIpsecSpd(self, self.tra_spd_id)
self.tra_spd.add_vpp_config()
self.net_objs.append(self.tra_spd)
self.tun_spd = VppIpsecSpd(self, self.tun_spd_id)
self.tun_spd.add_vpp_config()
self.net_objs.append(self.tun_spd)
b = VppIpsecSpdItfBinding(self, self.tun_spd,
self.tun_if)
b.add_vpp_config()
self.net_objs.append(b)
b = VppIpsecSpdItfBinding(self, self.tra_spd,
self.tra_if)
b.add_vpp_config()
self.net_objs.append(b)
for p in params:
self.config_esp_tra(p)
config_tra_params(p, self.encryption_type)
for p in params:
self.config_esp_tun(p)
config_tun_params(p, self.encryption_type, self.tun_if)
for p in params:
d = DpoProto.DPO_PROTO_IP6 if p.is_ipv6 else DpoProto.DPO_PROTO_IP4
r = VppIpRoute(self, p.remote_tun_if_host, p.addr_len,
[VppRoutePath(self.tun_if.remote_addr[p.addr_type],
0xffffffff,
proto=d)])
r.add_vpp_config()
self.net_objs.append(r)
self.logger.info(self.vapi.ppcli("show ipsec all"))
def unconfig_network(self):
for o in reversed(self.net_objs):
o.remove_vpp_config()
self.net_objs = []
def config_esp_tun(self, params):
addr_type = params.addr_type
scapy_tun_sa_id = params.scapy_tun_sa_id
scapy_tun_spi = params.scapy_tun_spi
vpp_tun_sa_id = params.vpp_tun_sa_id
vpp_tun_spi = params.vpp_tun_spi
auth_algo_vpp_id = params.auth_algo_vpp_id
auth_key = params.auth_key
crypt_algo_vpp_id = params.crypt_algo_vpp_id
crypt_key = params.crypt_key
remote_tun_if_host = params.remote_tun_if_host
addr_any = params.addr_any
addr_bcast = params.addr_bcast
e = VppEnum.vl_api_ipsec_spd_action_t
flags = params.flags
salt = params.salt
objs = []
params.tun_sa_in = VppIpsecSA(self, scapy_tun_sa_id, scapy_tun_spi,
auth_algo_vpp_id, auth_key,
crypt_algo_vpp_id, crypt_key,
self.vpp_esp_protocol,
self.tun_if.local_addr[addr_type],
self.tun_if.remote_addr[addr_type],
flags=flags,
salt=salt)
params.tun_sa_out = VppIpsecSA(self, vpp_tun_sa_id, vpp_tun_spi,
auth_algo_vpp_id, auth_key,
crypt_algo_vpp_id, crypt_key,
self.vpp_esp_protocol,
self.tun_if.remote_addr[addr_type],
self.tun_if.local_addr[addr_type],
flags=flags,
salt=salt)
objs.append(params.tun_sa_in)
objs.append(params.tun_sa_out)
params.spd_policy_in_any = VppIpsecSpdEntry(self, self.tun_spd,
scapy_tun_sa_id,
addr_any, addr_bcast,
addr_any, addr_bcast,
socket.IPPROTO_ESP)
params.spd_policy_out_any = VppIpsecSpdEntry(self, self.tun_spd,
scapy_tun_sa_id,
addr_any, addr_bcast,
addr_any, addr_bcast,
socket.IPPROTO_ESP,
is_outbound=0)
objs.append(params.spd_policy_out_any)
objs.append(params.spd_policy_in_any)
objs.append(VppIpsecSpdEntry(self, self.tun_spd, vpp_tun_sa_id,
remote_tun_if_host, remote_tun_if_host,
self.pg1.remote_addr[addr_type],
self.pg1.remote_addr[addr_type],
0,
priority=10,
policy=e.IPSEC_API_SPD_ACTION_PROTECT,
is_outbound=0))
objs.append(VppIpsecSpdEntry(self, self.tun_spd, scapy_tun_sa_id,
self.pg1.remote_addr[addr_type],
self.pg1.remote_addr[addr_type],
remote_tun_if_host, remote_tun_if_host,
0,
policy=e.IPSEC_API_SPD_ACTION_PROTECT,
priority=10))
objs.append(VppIpsecSpdEntry(self, self.tun_spd, vpp_tun_sa_id,
remote_tun_if_host, remote_tun_if_host,
self.pg0.local_addr[addr_type],
self.pg0.local_addr[addr_type],
0,
priority=20,
policy=e.IPSEC_API_SPD_ACTION_PROTECT,
is_outbound=0))
objs.append(VppIpsecSpdEntry(self, self.tun_spd, scapy_tun_sa_id,
self.pg0.local_addr[addr_type],
self.pg0.local_addr[addr_type],
remote_tun_if_host, remote_tun_if_host,
0,
policy=e.IPSEC_API_SPD_ACTION_PROTECT,
priority=20))
for o in objs:
o.add_vpp_config()
self.net_objs = self.net_objs + objs
def config_esp_tra(self, params):
addr_type = params.addr_type
scapy_tra_sa_id = params.scapy_tra_sa_id
scapy_tra_spi = params.scapy_tra_spi
vpp_tra_sa_id = params.vpp_tra_sa_id
vpp_tra_spi = params.vpp_tra_spi
auth_algo_vpp_id = params.auth_algo_vpp_id
auth_key = params.auth_key
crypt_algo_vpp_id = params.crypt_algo_vpp_id
crypt_key = params.crypt_key
addr_any = params.addr_any
addr_bcast = params.addr_bcast
flags = (VppEnum.vl_api_ipsec_sad_flags_t.
IPSEC_API_SAD_FLAG_USE_ANTI_REPLAY)
e = VppEnum.vl_api_ipsec_spd_action_t
flags = params.flags | flags
salt = params.salt
objs = []
params.tra_sa_in = VppIpsecSA(self, scapy_tra_sa_id, scapy_tra_spi,
auth_algo_vpp_id, auth_key,
crypt_algo_vpp_id, crypt_key,
self.vpp_esp_protocol,
flags=flags,
salt=salt)
params.tra_sa_out = VppIpsecSA(self, vpp_tra_sa_id, vpp_tra_spi,
auth_algo_vpp_id, auth_key,
crypt_algo_vpp_id, crypt_key,
self.vpp_esp_protocol,
flags=flags,
salt=salt)
objs.append(params.tra_sa_in)
objs.append(params.tra_sa_out)
objs.append(VppIpsecSpdEntry(self, self.tra_spd, vpp_tra_sa_id,
addr_any, addr_bcast,
addr_any, addr_bcast,
socket.IPPROTO_ESP))
objs.append(VppIpsecSpdEntry(self, self.tra_spd, vpp_tra_sa_id,
addr_any, addr_bcast,
addr_any, addr_bcast,
socket.IPPROTO_ESP,
is_outbound=0))
objs.append(VppIpsecSpdEntry(self, self.tra_spd, vpp_tra_sa_id,
self.tra_if.local_addr[addr_type],
self.tra_if.local_addr[addr_type],
self.tra_if.remote_addr[addr_type],
self.tra_if.remote_addr[addr_type],
0, priority=10,
policy=e.IPSEC_API_SPD_ACTION_PROTECT,
is_outbound=0))
objs.append(VppIpsecSpdEntry(self, self.tra_spd, scapy_tra_sa_id,
self.tra_if.local_addr[addr_type],
self.tra_if.local_addr[addr_type],
self.tra_if.remote_addr[addr_type],
self.tra_if.remote_addr[addr_type],
0, policy=e.IPSEC_API_SPD_ACTION_PROTECT,
priority=10))
for o in objs:
o.add_vpp_config()
self.net_objs = self.net_objs + objs
class TemplateIpsecEsp(ConfigIpsecESP):
"""
Basic test for ipsec esp sanity - tunnel and transport modes.
Below 4 cases are covered as part of this test
1) ipsec esp v4 transport basic test - IPv4 Transport mode
scenario using HMAC-SHA1-96 integrity algo
2) ipsec esp v4 transport burst test
Above test for 257 pkts
3) ipsec esp 4o4 tunnel basic test - IPv4 Tunnel mode
scenario using HMAC-SHA1-96 integrity algo
4) ipsec esp 4o4 tunnel burst test
Above test for 257 pkts
TRANSPORT MODE:
--- encrypt ---
|pg2| <-------> |VPP|
--- decrypt ---
TUNNEL MODE:
--- encrypt --- plain ---
|pg0| <------- |VPP| <------ |pg1|
--- --- ---
--- decrypt --- plain ---
|pg0| -------> |VPP| ------> |pg1|
--- --- ---
"""
@classmethod
def setUpClass(cls):
super(TemplateIpsecEsp, cls).setUpClass()
@classmethod
def tearDownClass(cls):
super(TemplateIpsecEsp, cls).tearDownClass()
def setUp(self):
super(TemplateIpsecEsp, self).setUp()
self.config_network(self.params.values())
def tearDown(self):
self.unconfig_network()
super(TemplateIpsecEsp, self).tearDown()
class TestIpsecEsp1(TemplateIpsecEsp, IpsecTra46Tests,
IpsecTun46Tests, IpsecTra6ExtTests):
""" Ipsec ESP - TUN & TRA tests """
@classmethod
def setUpClass(cls):
super(TestIpsecEsp1, cls).setUpClass()
@classmethod
def tearDownClass(cls):
super(TestIpsecEsp1, cls).tearDownClass()
def setUp(self):
super(TestIpsecEsp1, self).setUp()
def tearDown(self):
super(TestIpsecEsp1, self).tearDown()
def test_tun_46(self):
""" ipsec 4o6 tunnel """
# add an SPD entry to direct 2.2.2.2 to the v6 tunnel SA
p6 = self.ipv6_params
p4 = self.ipv4_params
p6.remote_tun_if_host4 = "2.2.2.2"
e = VppEnum.vl_api_ipsec_spd_action_t
VppIpsecSpdEntry(self,
self.tun_spd,
p6.scapy_tun_sa_id,
self.pg1.remote_addr[p4.addr_type],
self.pg1.remote_addr[p4.addr_type],
p6.remote_tun_if_host4,
p6.remote_tun_if_host4,
0,
priority=10,
policy=e.IPSEC_API_SPD_ACTION_PROTECT,
is_outbound=1).add_vpp_config()
VppIpRoute(self, p6.remote_tun_if_host4, p4.addr_len,
[VppRoutePath(self.tun_if.remote_addr[p4.addr_type],
0xffffffff)]).add_vpp_config()
old_name = self.tun6_encrypt_node_name
self.tun6_encrypt_node_name = "esp4-encrypt"
self.verify_tun_46(p6, count=63)
self.tun6_encrypt_node_name = old_name
def test_tun_64(self):
""" ipsec 6o4 tunnel """
# add an SPD entry to direct 4444::4 to the v4 tunnel SA
p6 = self.ipv6_params
p4 = self.ipv4_params
p4.remote_tun_if_host6 = "4444::4"
e = VppEnum.vl_api_ipsec_spd_action_t
VppIpsecSpdEntry(self,
self.tun_spd,
p4.scapy_tun_sa_id,
self.pg1.remote_addr[p6.addr_type],
self.pg1.remote_addr[p6.addr_type],
p4.remote_tun_if_host6,
p4.remote_tun_if_host6,
0,
priority=10,
policy=e.IPSEC_API_SPD_ACTION_PROTECT,
is_outbound=1).add_vpp_config()
d = DpoProto.DPO_PROTO_IP6
VppIpRoute(self, p4.remote_tun_if_host6, p6.addr_len,
[VppRoutePath(self.tun_if.remote_addr[p6.addr_type],
0xffffffff,
proto=d)]).add_vpp_config()
old_name = self.tun4_encrypt_node_name
self.tun4_encrypt_node_name = "esp6-encrypt"
self.verify_tun_64(p4, count=63)
self.tun4_encrypt_node_name = old_name
class TestIpsecEsp2(TemplateIpsecEsp, IpsecTcpTests):
""" Ipsec ESP - TCP tests """
pass
class TestIpsecEspHandoff(TemplateIpsecEsp,
IpsecTun6HandoffTests,
IpsecTun4HandoffTests):
""" Ipsec ESP - handoff tests """
pass
class TemplateIpsecEspUdp(ConfigIpsecESP):
"""
UDP encapped ESP
"""
@classmethod
def setUpClass(cls):
super(TemplateIpsecEspUdp, cls).setUpClass()
@classmethod
def tearDownClass(cls):
super(TemplateIpsecEspUdp, cls).tearDownClass()
def setUp(self):
super(TemplateIpsecEspUdp, self).setUp()
self.net_objs = []
self.tun_if = self.pg0
self.tra_if = self.pg2
self.logger.info(self.vapi.ppcli("show int addr"))
p = self.ipv4_params
p.flags = (VppEnum.vl_api_ipsec_sad_flags_t.
IPSEC_API_SAD_FLAG_UDP_ENCAP)
p.nat_header = UDP(sport=5454, dport=4500)
self.tra_spd = VppIpsecSpd(self, self.tra_spd_id)
self.tra_spd.add_vpp_config()
VppIpsecSpdItfBinding(self, self.tra_spd,
self.tra_if).add_vpp_config()
self.config_esp_tra(p)
config_tra_params(p, self.encryption_type)
self.tun_spd = VppIpsecSpd(self, self.tun_spd_id)
self.tun_spd.add_vpp_config()
VppIpsecSpdItfBinding(self, self.tun_spd,
self.tun_if).add_vpp_config()
self.config_esp_tun(p)
self.logger.info(self.vapi.ppcli("show ipsec all"))
d = DpoProto.DPO_PROTO_IP4
VppIpRoute(self, p.remote_tun_if_host, p.addr_len,
[VppRoutePath(self.tun_if.remote_addr[p.addr_type],
0xffffffff,
proto=d)]).add_vpp_config()
def tearDown(self):
super(TemplateIpsecEspUdp, self).tearDown()
def show_commands_at_teardown(self):
self.logger.info(self.vapi.cli("show hardware"))
class TestIpsecEspUdp(TemplateIpsecEspUdp, IpsecTra4Tests):
""" Ipsec NAT-T ESP UDP tests """
pass
class MyParameters():
def __init__(self):
self.engines = ["ia32", "ipsecmb", "openssl"]
flag_esn = VppEnum.vl_api_ipsec_sad_flags_t.IPSEC_API_SAD_FLAG_USE_ESN
self.flags = [0, flag_esn]
# foreach crypto algorithm
self.algos = {
'AES-GCM-128/NONE': {
'vpp-crypto': (VppEnum.vl_api_ipsec_crypto_alg_t.
IPSEC_API_CRYPTO_ALG_AES_GCM_128),
'vpp-integ': (VppEnum.vl_api_ipsec_integ_alg_t.
IPSEC_API_INTEG_ALG_NONE),
'scapy-crypto': "AES-GCM",
'scapy-integ': "NULL",
'key': b"JPjyOWBeVEQiMe7h",
'salt': 0},
'AES-GCM-192/NONE': {
'vpp-crypto': (VppEnum.vl_api_ipsec_crypto_alg_t.
IPSEC_API_CRYPTO_ALG_AES_GCM_192),
'vpp-integ': (VppEnum.vl_api_ipsec_integ_alg_t.
IPSEC_API_INTEG_ALG_NONE),
'scapy-crypto': "AES-GCM",
'scapy-integ': "NULL",
'key': b"JPjyOWBeVEQiMe7h01234567",
'salt': 1010},
'AES-GCM-256/NONE': {
'vpp-crypto': (VppEnum.vl_api_ipsec_crypto_alg_t.
IPSEC_API_CRYPTO_ALG_AES_GCM_256),
'vpp-integ': (VppEnum.vl_api_ipsec_integ_alg_t.
IPSEC_API_INTEG_ALG_NONE),
'scapy-crypto': "AES-GCM",
'scapy-integ': "NULL",
'key': b"JPjyOWBeVEQiMe7h0123456787654321",
'salt': 2020},
'AES-CBC-128/MD5-96': {
'vpp-crypto': (VppEnum.vl_api_ipsec_crypto_alg_t.
IPSEC_API_CRYPTO_ALG_AES_CBC_128),
'vpp-integ': (VppEnum.vl_api_ipsec_integ_alg_t.
IPSEC_API_INTEG_ALG_MD5_96),
'scapy-crypto': "AES-CBC",
'scapy-integ': "HMAC-MD5-96",
'salt': 0,
'key': b"JPjyOWBeVEQiMe7h"},
'AES-CBC-192/SHA1-96': {
'vpp-crypto': (VppEnum.vl_api_ipsec_crypto_alg_t.
IPSEC_API_CRYPTO_ALG_AES_CBC_192),
'vpp-integ': (VppEnum.vl_api_ipsec_integ_alg_t.
IPSEC_API_INTEG_ALG_SHA1_96),
'scapy-crypto': "AES-CBC",
'scapy-integ': "HMAC-SHA1-96",
'salt': 0,
'key': b"JPjyOWBeVEQiMe7hJPjyOWBe"},
'AES-CBC-256/SHA1-96': {
'vpp-crypto': (VppEnum.vl_api_ipsec_crypto_alg_t.
IPSEC_API_CRYPTO_ALG_AES_CBC_256),
'vpp-integ': (VppEnum.vl_api_ipsec_integ_alg_t.
IPSEC_API_INTEG_ALG_SHA1_96),
'scapy-crypto': "AES-CBC",
'scapy-integ': "HMAC-SHA1-96",
'salt': 0,
'key': b"JPjyOWBeVEQiMe7hJPjyOWBeVEQiMe7h"},
'3DES-CBC/SHA1-96': {
'vpp-crypto': (VppEnum.vl_api_ipsec_crypto_alg_t.
IPSEC_API_CRYPTO_ALG_3DES_CBC),
'vpp-integ': (VppEnum.vl_api_ipsec_integ_alg_t.
IPSEC_API_INTEG_ALG_SHA1_96),
'scapy-crypto': "3DES",
'scapy-integ': "HMAC-SHA1-96",
'salt': 0,
'key': b"JPjyOWBeVEQiMe7h00112233"},
'NONE/SHA1-96': {
'vpp-crypto': (VppEnum.vl_api_ipsec_crypto_alg_t.
IPSEC_API_CRYPTO_ALG_NONE),
'vpp-integ': (VppEnum.vl_api_ipsec_integ_alg_t.
IPSEC_API_INTEG_ALG_SHA1_96),
'scapy-crypto': "NULL",
'scapy-integ': "HMAC-SHA1-96",
'salt': 0,
'key': b"JPjyOWBeVEQiMe7h00112233"}}
class RunTestIpsecEspAll(ConfigIpsecESP,
IpsecTra4, IpsecTra6,
IpsecTun4, IpsecTun6):
""" Ipsec ESP all Algos """
def setUp(self):
super(RunTestIpsecEspAll, self).setUp()
test_args = str.split(self.__doc__, " ")
params = MyParameters()
self.engine = test_args[0]
self.flag = params.flags[0]
if test_args[1] == 'ESN':
self.flag = params.flags[1]
self.algo = params.algos[test_args[2]]
def tearDown(self):
super(RunTestIpsecEspAll, self).tearDown()
def run_test(self):
self.run_a_test(self.engine, self.flag, self.algo)
def run_a_test(self, engine, flag, algo, payload_size=None):
if engine == "ia32":
engine = "native"
self.vapi.cli("set crypto handler all %s" % engine)
self.ipv4_params = IPsecIPv4Params()
self.ipv6_params = IPsecIPv6Params()
self.params = {self.ipv4_params.addr_type:
self.ipv4_params,
self.ipv6_params.addr_type:
self.ipv6_params}
for _, p in self.params.items():
p.auth_algo_vpp_id = algo['vpp-integ']
p.crypt_algo_vpp_id = algo['vpp-crypto']
p.crypt_algo = algo['scapy-crypto']
p.auth_algo = algo['scapy-integ']
p.crypt_key = algo['key']
p.salt = algo['salt']
p.flags = p.flags | flag
self.reporter.send_keep_alive(self)
#
# configure the SPDs. SAs, etc
#
self.config_network(self.params.values())
#
# run some traffic.
# An exhautsive 4o6, 6o4 is not necessary
# for each algo
#
self.verify_tra_basic6(count=NUM_PKTS)
self.verify_tra_basic4(count=NUM_PKTS)
self.verify_tun_66(self.params[socket.AF_INET6],
count=NUM_PKTS)
#
# Use an odd-byte payload size to check for correct padding.
#
# 49 + 2 == 51 which should pad +1 to 52 for 4 byte alignment, +5
# to 56 for 8 byte alignment, and +13 to 64 for 64 byte alignment.
# This should catch bugs where the code is incorrectly over-padding
# for algorithms that don't require it
psz = 49 - len(IP()/ICMP()) if payload_size is None else payload_size
self.verify_tun_44(self.params[socket.AF_INET],
count=NUM_PKTS, payload_size=psz)
LARGE_PKT_SZ = [
1970, # results in 2 chained buffers entering decrypt node
# but leaving as simple buffer due to ICV removal (tra4)
2004, # footer+ICV will be added to 2nd buffer (tun4)
4010, # ICV ends up splitted accross 2 buffers in esp_decrypt
# for transport4; transport6 takes normal path
4020, # same as above but tra4 and tra6 are switched
]
if self.engine in engines_supporting_chain_bufs:
for sz in LARGE_PKT_SZ:
self.verify_tra_basic4(count=NUM_PKTS, payload_size=sz)
self.verify_tra_basic6(count=NUM_PKTS, payload_size=sz)
self.verify_tun_66(self.params[socket.AF_INET6],
count=NUM_PKTS, payload_size=sz)
self.verify_tun_44(self.params[socket.AF_INET],
count=NUM_PKTS, payload_size=sz)
#
# remove the SPDs, SAs, etc
#
self.unconfig_network()
#
# reconfigure the network and SA to run the
# anti replay tests
#
self.config_network(self.params.values())
self.verify_tra_anti_replay()
self.unconfig_network()
#
# To generate test classes, do:
# grep '# GEN' test_ipsec_esp.py | sed -e 's/# GEN //g' | bash
#
# GEN for ENG in ia32 ipsecmb openssl; do \
# GEN for FLG in noESN ESN; do for ALG in AES-GCM-128/NONE \
# GEN AES-GCM-192/NONE AES-GCM-256/NONE AES-CBC-128/MD5-96 \
# GEN AES-CBC-192/SHA1-96 AES-CBC-256/SHA1-96 \
# GEN 3DES-CBC/SHA1-96 NONE/SHA1-96; do \
# GEN [[ ${FLG} == "ESN" && ${ALG} == *"NONE" ]] && continue
# GEN echo -e "\n\nclass Test_${ENG}_${FLG}_${ALG}(RunTestIpsecEspAll):" |
# GEN sed -e 's/-/_/g' -e 's#/#_#g' ; \
# GEN echo ' """'$ENG $FLG $ALG IPSec test'"""' ;
# GEN echo " def test_ipsec(self):";
# GEN echo " self.run_test()";
# GEN done; done; done
class Test_ia32_noESN_AES_GCM_128_NONE(RunTestIpsecEspAll):
"""ia32 noESN AES-GCM-128/NONE IPSec test"""
def test_ipsec(self):
self.run_test()
class Test_ia32_noESN_AES_GCM_192_NONE(RunTestIpsecEspAll):
"""ia32 noESN AES-GCM-192/NONE IPSec test"""
def test_ipsec(self):
self.run_test()
class Test_ia32_noESN_AES_GCM_256_NONE(RunTestIpsecEspAll):
"""ia32 noESN AES-GCM-256/NONE IPSec test"""
def test_ipsec(self):
self.run_test()
class Test_ia32_noESN_AES_CBC_128_MD5_96(RunTestIpsecEspAll):
"""ia32 noESN AES-CBC-128/MD5-96 IPSec test"""
def test_ipsec(self):
self.run_test()
class Test_ia32_noESN_AES_CBC_192_SHA1_96(RunTestIpsecEspAll):
"""ia32 noESN AES-CBC-192/SHA1-96 IPSec test"""
def test_ipsec(self):
self.run_test()
class Test_ia32_noESN_AES_CBC_256_SHA1_96(RunTestIpsecEspAll):
"""ia32 noESN AES-CBC-256/SHA1-96 IPSec test"""
def test_ipsec(self):
self.run_test()
class Test_ia32_noESN_3DES_CBC_SHA1_96(RunTestIpsecEspAll):
"""ia32 noESN 3DES-CBC/SHA1-96 IPSec test"""
def test_ipsec(self):
self.run_test()
class Test_ia32_noESN_NONE_SHA1_96(RunTestIpsecEspAll):
"""ia32 noESN NONE/SHA1-96 IPSec test"""
def test_ipsec(self):
self.run_test()
class Test_ia32_ESN_AES_CBC_128_MD5_96(RunTestIpsecEspAll):
"""ia32 ESN AES-CBC-128/MD5-96 IPSec test"""
def test_ipsec(self):
self.run_test()
class Test_ia32_ESN_AES_CBC_192_SHA1_96(RunTestIpsecEspAll):
"""ia32 ESN AES-CBC-192/SHA1-96 IPSec test"""
def test_ipsec(self):
self.run_test()
class Test_ia32_ESN_AES_CBC_256_SHA1_96(RunTestIpsecEspAll):
"""ia32 ESN AES-CBC-256/SHA1-96 IPSec test"""
def test_ipsec(self):
self.run_test()
class Test_ia32_ESN_3DES_CBC_SHA1_96(RunTestIpsecEspAll):
"""ia32 ESN 3DES-CBC/SHA1-96 IPSec test"""
def test_ipsec(self):
self.run_test()
class Test_ia32_ESN_NONE_SHA1_96(RunTestIpsecEspAll):
"""ia32 ESN NONE/SHA1-96 IPSec test"""
def test_ipsec(self):
self.run_test()
class Test_ipsecmb_noESN_AES_GCM_128_NONE(RunTestIpsecEspAll):
"""ipsecmb noESN AES-GCM-128/NONE IPSec test"""
def test_ipsec(self):
self.run_test()
class Test_ipsecmb_noESN_AES_GCM_192_NONE(RunTestIpsecEspAll):
"""ipsecmb noESN AES-GCM-192/NONE IPSec test"""
def test_ipsec(self):
self.run_test()
class Test_ipsecmb_noESN_AES_GCM_256_NONE(RunTestIpsecEspAll):
"""ipsecmb noESN AES-GCM-256/NONE IPSec test"""
def test_ipsec(self):
self.run_test()
class Test_ipsecmb_noESN_AES_CBC_128_MD5_96(RunTestIpsecEspAll):
"""ipsecmb noESN AES-CBC-128/MD5-96 IPSec test"""
def test_ipsec(self):
self.run_test()
class Test_ipsecmb_noESN_AES_CBC_192_SHA1_96(RunTestIpsecEspAll):
"""ipsecmb noESN AES-CBC-192/SHA1-96 IPSec test"""
def test_ipsec(self):
self.run_test()
class Test_ipsecmb_noESN_AES_CBC_256_SHA1_96(RunTestIpsecEspAll):
"""ipsecmb noESN AES-CBC-256/SHA1-96 IPSec test"""
def test_ipsec(self):
self.run_test()
class Test_ipsecmb_noESN_3DES_CBC_SHA1_96(RunTestIpsecEspAll):
"""ipsecmb noESN 3DES-CBC/SHA1-96 IPSec test"""
def test_ipsec(self):
self.run_test()
class Test_ipsecmb_noESN_NONE_SHA1_96(RunTestIpsecEspAll):
"""ipsecmb noESN NONE/SHA1-96 IPSec test"""
def test_ipsec(self):
self.run_test()
class Test_ipsecmb_ESN_AES_CBC_128_MD5_96(RunTestIpsecEspAll):
"""ipsecmb ESN AES-CBC-128/MD5-96 IPSec test"""
def test_ipsec(self):
self.run_test()
class Test_ipsecmb_ESN_AES_CBC_192_SHA1_96(RunTestIpsecEspAll):
"""ipsecmb ESN AES-CBC-192/SHA1-96 IPSec test"""
def test_ipsec(self):
self.run_test()
class Test_ipsecmb_ESN_AES_CBC_256_SHA1_96(RunTestIpsecEspAll):
"""ipsecmb ESN AES-CBC-256/SHA1-96 IPSec test"""
def test_ipsec(self):
self.run_test()
class Test_ipsecmb_ESN_3DES_CBC_SHA1_96(RunTestIpsecEspAll):
"""ipsecmb ESN 3DES-CBC/SHA1-96 IPSec test"""
def test_ipsec(self):
self.run_test()
class Test_ipsecmb_ESN_NONE_SHA1_96(RunTestIpsecEspAll):
"""ipsecmb ESN NONE/SHA1-96 IPSec test"""
def test_ipsec(self):
self.run_test()
class Test_openssl_noESN_AES_GCM_128_NONE(RunTestIpsecEspAll):
"""openssl noESN AES-GCM-128/NONE IPSec test"""
def test_ipsec(self):
self.run_test()
class Test_openssl_noESN_AES_GCM_192_NONE(RunTestIpsecEspAll):
"""openssl noESN AES-GCM-192/NONE IPSec test"""
def test_ipsec(self):
self.run_test()
class Test_openssl_noESN_AES_GCM_256_NONE(RunTestIpsecEspAll):
"""openssl noESN AES-GCM-256/NONE IPSec test"""
def test_ipsec(self):
self.run_test()
class Test_openssl_noESN_AES_CBC_128_MD5_96(RunTestIpsecEspAll):
"""openssl noESN AES-CBC-128/MD5-96 IPSec test"""
def test_ipsec(self):
self.run_test()
class Test_openssl_noESN_AES_CBC_192_SHA1_96(RunTestIpsecEspAll):
"""openssl noESN AES-CBC-192/SHA1-96 IPSec test"""
def test_ipsec(self):
self.run_test()
class Test_openssl_noESN_AES_CBC_256_SHA1_96(RunTestIpsecEspAll):
"""openssl noESN AES-CBC-256/SHA1-96 IPSec test"""
def test_ipsec(self):
self.run_test()
class Test_openssl_noESN_3DES_CBC_SHA1_96(RunTestIpsecEspAll):
"""openssl noESN 3DES-CBC/SHA1-96 IPSec test"""
def test_ipsec(self):
self.run_test()
class Test_openssl_noESN_NONE_SHA1_96(RunTestIpsecEspAll):
"""openssl noESN NONE/SHA1-96 IPSec test"""
def test_ipsec(self):
self.run_test()
class Test_openssl_ESN_AES_CBC_128_MD5_96(RunTestIpsecEspAll):
"""openssl ESN AES-CBC-128/MD5-96 IPSec test"""
def test_ipsec(self):
self.run_test()
class Test_openssl_ESN_AES_CBC_192_SHA1_96(RunTestIpsecEspAll):
"""openssl ESN AES-CBC-192/SHA1-96 IPSec test"""
def test_ipsec(self):
self.run_test()
class Test_openssl_ESN_AES_CBC_256_SHA1_96(RunTestIpsecEspAll):
"""openssl ESN AES-CBC-256/SHA1-96 IPSec test"""
def test_ipsec(self):
self.run_test()
class Test_openssl_ESN_3DES_CBC_SHA1_96(RunTestIpsecEspAll):
"""openssl ESN 3DES-CBC/SHA1-96 IPSec test"""
def test_ipsec(self):
self.run_test()
class Test_openssl_ESN_NONE_SHA1_96(RunTestIpsecEspAll):
"""openssl ESN NONE/SHA1-96 IPSec test"""
def test_ipsec(self):
self.run_test()
if __name__ == '__main__':
unittest.main(testRunner=VppTestRunner)
Reference in New Issue View Git Blame Copy Permalink