diff options
author | Neale Ranns <neale@graphiant.com> | 2021-06-28 13:31:28 +0000 |
---|---|---|
committer | Beno�t Ganne <bganne@cisco.com> | 2021-06-29 17:12:28 +0000 |
commit | 5b8911020ee5512d76c8daccaa199878ed7cbc01 (patch) | |
tree | 0c0960f5ffc12f1fe3d1a354a0736bd9ac374a07 | |
parent | 3871bd3a07dfc775c29ea333d10c05ced2fea80e (diff) |
ipsec: Fix setting the hi-sequence number for decrypt
Type: fix
two problems;
1 - just because anti-reply is not enabled doesn't mean the high sequence
number should not be used.
- fix, there needs to be some means to detect a wrapped packet, so we
use a window size of 2^30.
2 - The SA object was used as a scratch pad for the high-sequence
number used during decryption. That means that once the batch has been
processed the high-sequence number used is lost. This means it is not
possible to distinguish this case:
if (seq < IPSEC_SA_ANTI_REPLAY_WINDOW_LOWER_BOUND (tl))
{
...
if (post_decrypt)
{
if (hi_seq_used == sa->seq_hi)
/* the high sequence number used to succesfully decrypt this
* packet is the same as the last-sequnence number of the SA.
* that means this packet did not cause a wrap.
* this packet is thus out of window and should be dropped */
return 1;
else
/* The packet decrypted with a different high sequence number
* to the SA, that means it is the wrap packet and should be
* accepted */
return 0;
}
- fix: don't use the SA as a scratch pad, use the 'packet_data' - the
same place that is used as the scratch pad for the low sequence number.
other consequences:
- An SA doesn't have seq and last_seq, it has only seq; the sequence
numnber of the last packet tx'd or rx'd.
- there's 64bits of space available on the SA's first cache line. move
the AES CTR mode IV there.
- test the ESN/AR combinations to catch the bugs this fixes. This
doubles the amount of tests, but without AR on they only run for 2
seconds. In the AR tests, the time taken to wait for packets that won't
arrive is dropped from 1 to 0.2 seconds thus reducing the runtime of
these tests from 10-15 to about 5 sceonds.
Signed-off-by: Neale Ranns <neale@graphiant.com>
Change-Id: Iaac78905289a272dc01930d70decd8109cf5e7a5
-rw-r--r-- | src/vnet/ipsec/ah_decrypt.c | 11 | ||||
-rw-r--r-- | src/vnet/ipsec/esp.h | 7 | ||||
-rw-r--r-- | src/vnet/ipsec/esp_decrypt.c | 135 | ||||
-rw-r--r-- | src/vnet/ipsec/esp_encrypt.c | 16 | ||||
-rw-r--r-- | src/vnet/ipsec/ipsec_api.c | 12 | ||||
-rw-r--r-- | src/vnet/ipsec/ipsec_format.c | 5 | ||||
-rw-r--r-- | src/vnet/ipsec/ipsec_sa.h | 178 | ||||
-rw-r--r-- | test/template_ipsec.py | 213 | ||||
-rw-r--r-- | test/test_ipsec_esp.py | 995 |
9 files changed, 1245 insertions, 327 deletions
diff --git a/src/vnet/ipsec/ah_decrypt.c b/src/vnet/ipsec/ah_decrypt.c index d192fb6b80a..182ed3d231c 100644 --- a/src/vnet/ipsec/ah_decrypt.c +++ b/src/vnet/ipsec/ah_decrypt.c @@ -98,6 +98,7 @@ typedef struct }; u32 sa_index; u32 seq; + u32 seq_hi; u8 icv_padding_len; u8 icv_size; u8 ip_hdr_size; @@ -221,7 +222,8 @@ ah_decrypt_inline (vlib_main_t * vm, pd->seq = clib_host_to_net_u32 (ah0->seq_no); /* anti-replay check */ - if (ipsec_sa_anti_replay_check (sa0, pd->seq)) + if (ipsec_sa_anti_replay_and_sn_advance (sa0, pd->seq, ~0, false, + &pd->seq_hi)) { b[0]->error = node->errors[AH_DECRYPT_ERROR_REPLAY]; next[0] = AH_DECRYPT_NEXT_DROP; @@ -257,7 +259,7 @@ ah_decrypt_inline (vlib_main_t * vm, op->user_data = b - bufs; if (ipsec_sa_is_set_USE_ESN (sa0)) { - u32 seq_hi = clib_host_to_net_u32 (sa0->seq_hi); + u32 seq_hi = clib_host_to_net_u32 (pd->seq_hi); op->len += sizeof (seq_hi); clib_memcpy (op->src + b[0]->current_length, &seq_hi, @@ -322,13 +324,14 @@ ah_decrypt_inline (vlib_main_t * vm, if (PREDICT_TRUE (sa0->integ_alg != IPSEC_INTEG_ALG_NONE)) { /* redo the anit-reply check. see esp_decrypt for details */ - if (ipsec_sa_anti_replay_check (sa0, pd->seq)) + if (ipsec_sa_anti_replay_and_sn_advance (sa0, pd->seq, pd->seq_hi, + true, NULL)) { b[0]->error = node->errors[AH_DECRYPT_ERROR_REPLAY]; next[0] = AH_DECRYPT_NEXT_DROP; goto trace; } - ipsec_sa_anti_replay_advance (sa0, pd->seq); + ipsec_sa_anti_replay_advance (sa0, pd->seq, pd->seq_hi); } u16 ah_hdr_len = sizeof (ah_header_t) + pd->icv_size diff --git a/src/vnet/ipsec/esp.h b/src/vnet/ipsec/esp.h index a0643c3b939..d179233df49 100644 --- a/src/vnet/ipsec/esp.h +++ b/src/vnet/ipsec/esp.h @@ -118,7 +118,8 @@ esp_seq_advance (ipsec_sa_t * sa) } always_inline u16 -esp_aad_fill (u8 * data, const esp_header_t * esp, const ipsec_sa_t * sa) +esp_aad_fill (u8 *data, const esp_header_t *esp, const ipsec_sa_t *sa, + u32 seq_hi) { esp_aead_t *aad; @@ -128,7 +129,7 @@ esp_aad_fill (u8 * data, const esp_header_t * esp, const ipsec_sa_t * sa) if (ipsec_sa_is_set_USE_ESN (sa)) { /* SPI, seq-hi, seq-low */ - aad->data[1] = (u32) clib_host_to_net_u32 (sa->seq_hi); + aad->data[1] = (u32) clib_host_to_net_u32 (seq_hi); aad->data[2] = esp->seq; return 12; } @@ -199,7 +200,7 @@ typedef struct i16 current_length; u16 hdr_sz; u16 is_chain; - u32 protect_index; + u32 seq_hi; } esp_decrypt_packet_data_t; STATIC_ASSERT_SIZEOF (esp_decrypt_packet_data_t, 3 * sizeof (u64)); diff --git a/src/vnet/ipsec/esp_decrypt.c b/src/vnet/ipsec/esp_decrypt.c index ec6d9811806..b700f2c9935 100644 --- a/src/vnet/ipsec/esp_decrypt.c +++ b/src/vnet/ipsec/esp_decrypt.c @@ -92,10 +92,14 @@ typedef struct u32 seq; u32 sa_seq; u32 sa_seq_hi; + u32 pkt_seq_hi; ipsec_crypto_alg_t crypto_alg; ipsec_integ_alg_t integ_alg; } esp_decrypt_trace_t; +/* The number of byres in the hisequence number */ +#define N_HI_ESN_BYTES 4 + /* packet trace format function */ static u8 * format_esp_decrypt_trace (u8 * s, va_list * args) @@ -104,11 +108,11 @@ format_esp_decrypt_trace (u8 * s, va_list * args) CLIB_UNUSED (vlib_node_t * node) = va_arg (*args, vlib_node_t *); esp_decrypt_trace_t *t = va_arg (*args, esp_decrypt_trace_t *); - s = - format (s, - "esp: crypto %U integrity %U pkt-seq %d sa-seq %u sa-seq-hi %u", - format_ipsec_crypto_alg, t->crypto_alg, format_ipsec_integ_alg, - t->integ_alg, t->seq, t->sa_seq, t->sa_seq_hi); + s = format (s, + "esp: crypto %U integrity %U pkt-seq %d sa-seq %u sa-seq-hi %u " + "pkt-seq-hi %u", + format_ipsec_crypto_alg, t->crypto_alg, format_ipsec_integ_alg, + t->integ_alg, t->seq, t->sa_seq, t->sa_seq_hi, t->pkt_seq_hi); return s; } @@ -235,40 +239,41 @@ esp_move_icv (vlib_main_t * vm, vlib_buffer_t * first, return lb_curr; } -static_always_inline i16 -esp_insert_esn (vlib_main_t * vm, ipsec_sa_t * sa, - esp_decrypt_packet_data2_t * pd2, u32 * data_len, - u8 ** digest, u16 * len, vlib_buffer_t * b, u8 * payload) +static_always_inline u16 +esp_insert_esn (vlib_main_t *vm, ipsec_sa_t *sa, esp_decrypt_packet_data_t *pd, + esp_decrypt_packet_data2_t *pd2, u32 *data_len, u8 **digest, + u16 *len, vlib_buffer_t *b, u8 *payload) { if (!ipsec_sa_is_set_USE_ESN (sa)) return 0; - /* shift ICV by 4 bytes to insert ESN */ - u32 seq_hi = clib_host_to_net_u32 (sa->seq_hi); - u8 tmp[ESP_MAX_ICV_SIZE], sz = sizeof (sa->seq_hi); + u32 seq_hi = clib_host_to_net_u32 (pd->seq_hi); + u8 tmp[ESP_MAX_ICV_SIZE]; if (pd2->icv_removed) { u16 space_left = vlib_buffer_space_left_at_end (vm, pd2->lb); - if (space_left >= sz) + if (space_left >= N_HI_ESN_BYTES) { - clib_memcpy_fast (vlib_buffer_get_tail (pd2->lb), &seq_hi, sz); - *data_len += sz; + clib_memcpy_fast (vlib_buffer_get_tail (pd2->lb), &seq_hi, + N_HI_ESN_BYTES); + *data_len += N_HI_ESN_BYTES; } else - return sz; + return N_HI_ESN_BYTES; len[0] = b->current_length; } else { clib_memcpy_fast (tmp, payload + len[0], ESP_MAX_ICV_SIZE); - clib_memcpy_fast (payload + len[0], &seq_hi, sz); - clib_memcpy_fast (payload + len[0] + sz, tmp, ESP_MAX_ICV_SIZE); - *data_len += sz; - *digest += sz; + clib_memcpy_fast (payload + len[0], &seq_hi, N_HI_ESN_BYTES); + clib_memcpy_fast (payload + len[0] + N_HI_ESN_BYTES, tmp, + ESP_MAX_ICV_SIZE); + *data_len += N_HI_ESN_BYTES; + *digest += N_HI_ESN_BYTES; } - return sz; + return N_HI_ESN_BYTES; } static_always_inline u8 * @@ -284,14 +289,14 @@ esp_move_icv_esn (vlib_main_t * vm, vlib_buffer_t * first, if (ipsec_sa_is_set_USE_ESN (sa)) { - u8 sz = sizeof (sa->seq_hi); - u32 seq_hi = clib_host_to_net_u32 (sa->seq_hi); + u32 seq_hi = clib_host_to_net_u32 (pd->seq_hi); u16 space_left = vlib_buffer_space_left_at_end (vm, pd2->lb); - if (space_left >= sz) + if (space_left >= N_HI_ESN_BYTES) { - clib_memcpy_fast (vlib_buffer_get_tail (pd2->lb), &seq_hi, sz); - *len += sz; + clib_memcpy_fast (vlib_buffer_get_tail (pd2->lb), &seq_hi, + N_HI_ESN_BYTES); + *len += N_HI_ESN_BYTES; } else { @@ -299,7 +304,8 @@ esp_move_icv_esn (vlib_main_t * vm, vlib_buffer_t * first, * (with ICV data) */ ASSERT (pd2->icv_removed); vlib_buffer_t *tmp = vlib_get_buffer (vm, pd2->free_buffer_index); - clib_memcpy_fast (vlib_buffer_get_current (tmp) - sz, &seq_hi, sz); + clib_memcpy_fast (vlib_buffer_get_current (tmp) - N_HI_ESN_BYTES, + &seq_hi, N_HI_ESN_BYTES); extra_esn[0] = 1; } } @@ -307,11 +313,12 @@ esp_move_icv_esn (vlib_main_t * vm, vlib_buffer_t * first, } static_always_inline int -esp_decrypt_chain_integ (vlib_main_t * vm, ipsec_per_thread_data_t * ptd, - esp_decrypt_packet_data2_t * pd2, - ipsec_sa_t * sa0, vlib_buffer_t * b, u8 icv_sz, - u8 * start_src, u32 start_len, - u8 ** digest, u16 * n_ch, u32 * integ_total_len) +esp_decrypt_chain_integ (vlib_main_t *vm, ipsec_per_thread_data_t *ptd, + const esp_decrypt_packet_data_t *pd, + esp_decrypt_packet_data2_t *pd2, ipsec_sa_t *sa0, + vlib_buffer_t *b, u8 icv_sz, u8 *start_src, + u32 start_len, u8 **digest, u16 *n_ch, + u32 *integ_total_len) { vnet_crypto_op_chunk_t *ch; vlib_buffer_t *cb = vlib_get_buffer (vm, b->next_buffer); @@ -334,19 +341,19 @@ esp_decrypt_chain_integ (vlib_main_t * vm, ipsec_per_thread_data_t * ptd, ch->len = cb->current_length - icv_sz; if (ipsec_sa_is_set_USE_ESN (sa0)) { - u32 seq_hi = clib_host_to_net_u32 (sa0->seq_hi); - u8 tmp[ESP_MAX_ICV_SIZE], sz = sizeof (sa0->seq_hi); + u32 seq_hi = clib_host_to_net_u32 (pd->seq_hi); + u8 tmp[ESP_MAX_ICV_SIZE]; u8 *esn; vlib_buffer_t *tmp_b; u16 space_left = vlib_buffer_space_left_at_end (vm, pd2->lb); - if (space_left < sz) + if (space_left < N_HI_ESN_BYTES) { if (pd2->icv_removed) { /* use pre-data area from the last bufer that was removed from the chain */ tmp_b = vlib_get_buffer (vm, pd2->free_buffer_index); - esn = tmp_b->data - sz; + esn = tmp_b->data - N_HI_ESN_BYTES; } else { @@ -358,28 +365,29 @@ esp_decrypt_chain_integ (vlib_main_t * vm, ipsec_per_thread_data_t * ptd, esn = tmp_b->data; pd2->free_buffer_index = tmp_bi; } - clib_memcpy_fast (esn, &seq_hi, sz); + clib_memcpy_fast (esn, &seq_hi, N_HI_ESN_BYTES); vec_add2 (ptd->chunks, ch, 1); n_chunks += 1; ch->src = esn; - ch->len = sz; + ch->len = N_HI_ESN_BYTES; } else { if (pd2->icv_removed) { - clib_memcpy_fast (vlib_buffer_get_tail - (pd2->lb), &seq_hi, sz); + clib_memcpy_fast (vlib_buffer_get_tail (pd2->lb), + &seq_hi, N_HI_ESN_BYTES); } else { clib_memcpy_fast (tmp, *digest, ESP_MAX_ICV_SIZE); - clib_memcpy_fast (*digest, &seq_hi, sz); - clib_memcpy_fast (*digest + sz, tmp, ESP_MAX_ICV_SIZE); - *digest += sz; + clib_memcpy_fast (*digest, &seq_hi, N_HI_ESN_BYTES); + clib_memcpy_fast (*digest + N_HI_ESN_BYTES, tmp, + ESP_MAX_ICV_SIZE); + *digest += N_HI_ESN_BYTES; } - ch->len += sz; + ch->len += N_HI_ESN_BYTES; } } total_len += ch->len; @@ -540,7 +548,7 @@ esp_decrypt_prepare_sync_op (vlib_main_t * vm, vlib_node_runtime_t * node, op->flags |= VNET_CRYPTO_OP_FLAG_CHAINED_BUFFERS; op->chunk_index = vec_len (ptd->chunks); - if (esp_decrypt_chain_integ (vm, ptd, pd2, sa0, b, icv_sz, + if (esp_decrypt_chain_integ (vm, ptd, pd, pd2, sa0, b, icv_sz, payload, pd->current_length, &op->digest, &op->n_chunks, 0) < 0) { @@ -550,7 +558,7 @@ esp_decrypt_prepare_sync_op (vlib_main_t * vm, vlib_node_runtime_t * node, } } else - esp_insert_esn (vm, sa0, pd2, &op->len, &op->digest, &len, b, + esp_insert_esn (vm, sa0, pd, pd2, &op->len, &op->digest, &len, b, payload); out: vec_add_aligned (*(integ_ops[0]), op, 1, CLIB_CACHE_LINE_BYTES); @@ -576,7 +584,7 @@ esp_decrypt_prepare_sync_op (vlib_main_t * vm, vlib_node_runtime_t * node, /* constuct aad in a scratch space in front of the nonce */ esp_header_t *esp0 = (esp_header_t *) (payload - esp_sz); op->aad = (u8 *) nonce - sizeof (esp_aead_t); - op->aad_len = esp_aad_fill (op->aad, esp0, sa0); + op->aad_len = esp_aad_fill (op->aad, esp0, sa0, pd->seq_hi); op->tag = payload + len; op->tag_len = 16; } @@ -617,7 +625,6 @@ esp_decrypt_prepare_async_frame (vlib_main_t *vm, vlib_node_runtime_t *node, vlib_buffer_t *b, u16 *next, u16 async_next) { const u8 esp_sz = sizeof (esp_header_t); - u32 current_protect_index = vnet_buffer (b)->ipsec.protect_index; esp_decrypt_packet_data_t *async_pd = &(esp_post_data (b))->decrypt_data; esp_decrypt_packet_data2_t *async_pd2 = esp_post_data2 (b); u8 *tag = payload + len, *iv = payload + esp_sz, *aad = 0; @@ -671,16 +678,16 @@ esp_decrypt_prepare_async_frame (vlib_main_t *vm, vlib_node_runtime_t *node, tag = vlib_buffer_get_tail (pd2->lb) - icv_sz; flags |= VNET_CRYPTO_OP_FLAG_CHAINED_BUFFERS; - if (esp_decrypt_chain_integ (vm, ptd, pd2, sa0, b, icv_sz, payload, - pd->current_length, &tag, - 0, &integ_len) < 0) + if (esp_decrypt_chain_integ (vm, ptd, pd, pd2, sa0, b, icv_sz, + payload, pd->current_length, &tag, 0, + &integ_len) < 0) { /* allocate buffer failed, will not add to frame and drop */ return (ESP_DECRYPT_ERROR_NO_BUFFERS); } } else - esp_insert_esn (vm, sa0, pd2, &integ_len, &tag, &len, b, payload); + esp_insert_esn (vm, sa0, pd, pd2, &integ_len, &tag, &len, b, payload); } else key_index = sa0->crypto_key_index; @@ -701,7 +708,7 @@ out: /* constuct aad in a scratch space in front of the nonce */ esp_header_t *esp0 = (esp_header_t *) (payload - esp_sz); aad = (u8 *) nonce - sizeof (esp_aead_t); - esp_aad_fill (aad, esp0, sa0); + esp_aad_fill (aad, esp0, sa0, pd->seq_hi); tag = payload + len; } else @@ -730,7 +737,6 @@ out: *async_pd = *pd; *async_pd2 = *pd2; - pd->protect_index = current_protect_index; /* for AEAD integ_len - crypto_len will be negative, it is ok since it * is ignored by the engine. */ @@ -776,14 +782,15 @@ esp_decrypt_post_crypto (vlib_main_t * vm, vlib_node_runtime_t * node, * a sequence s, s+1, s+2, s+3, ... s+n and nothing will prevent any * implementation, sequential or batching, from decrypting these. */ - if (ipsec_sa_anti_replay_check (sa0, pd->seq)) + if (ipsec_sa_anti_replay_and_sn_advance (sa0, pd->seq, pd->seq_hi, true, + NULL)) { b->error = node->errors[ESP_DECRYPT_ERROR_REPLAY]; next[0] = ESP_DECRYPT_NEXT_DROP; return; } - ipsec_sa_anti_replay_advance (sa0, pd->seq); + ipsec_sa_anti_replay_advance (sa0, pd->seq, pd->seq_hi); if (pd->is_chain) { @@ -968,12 +975,8 @@ esp_decrypt_post_crypto (vlib_main_t * vm, vlib_node_runtime_t * node, */ const ipsec_tun_protect_t *itp; - if (is_async) - itp = ipsec_tun_protect_get (pd->protect_index); - else - itp = - ipsec_tun_protect_get (vnet_buffer (b)-> - ipsec.protect_index); + itp = + ipsec_tun_protect_get (vnet_buffer (b)->ipsec.protect_index); if (PREDICT_TRUE (next_header == IP_PROTOCOL_IP_IN_IP)) { @@ -1148,7 +1151,8 @@ esp_decrypt_inline (vlib_main_t *vm, vlib_node_runtime_t *node, pd->current_length = b[0]->current_length; /* anti-reply check */ - if (ipsec_sa_anti_replay_check (sa0, pd->seq)) + if (ipsec_sa_anti_replay_and_sn_advance (sa0, pd->seq, ~0, false, + &pd->seq_hi)) { err = ESP_DECRYPT_ERROR_REPLAY; esp_set_next_index (b[0], node, err, n_noop, noop_nexts, @@ -1306,8 +1310,9 @@ esp_decrypt_inline (vlib_main_t *vm, vlib_node_runtime_t *node, tr->crypto_alg = sa0->crypto_alg; tr->integ_alg = sa0->integ_alg; tr->seq = pd->seq; - tr->sa_seq = sa0->last_seq; + tr->sa_seq = sa0->seq; tr->sa_seq_hi = sa0->seq_hi; + tr->pkt_seq_hi = pd->seq_hi; } /* next */ @@ -1374,7 +1379,7 @@ esp_decrypt_post_inline (vlib_main_t * vm, tr->crypto_alg = sa0->crypto_alg; tr->integ_alg = sa0->integ_alg; tr->seq = pd->seq; - tr->sa_seq = sa0->last_seq; + tr->sa_seq = sa0->seq; tr->sa_seq_hi = sa0->seq_hi; } diff --git a/src/vnet/ipsec/esp_encrypt.c b/src/vnet/ipsec/esp_encrypt.c index 68aeb60885c..da9c56a7e03 100644 --- a/src/vnet/ipsec/esp_encrypt.c +++ b/src/vnet/ipsec/esp_encrypt.c @@ -379,7 +379,7 @@ esp_encrypt_chain_integ (vlib_main_t * vm, ipsec_per_thread_data_t * ptd, always_inline void esp_prepare_sync_op (vlib_main_t *vm, ipsec_per_thread_data_t *ptd, vnet_crypto_op_t **crypto_ops, - vnet_crypto_op_t **integ_ops, ipsec_sa_t *sa0, + vnet_crypto_op_t **integ_ops, ipsec_sa_t *sa0, u32 seq_hi, u8 *payload, u16 payload_len, u8 iv_sz, u8 icv_sz, u32 bi, vlib_buffer_t **b, vlib_buffer_t *lb, u32 hdr_len, esp_header_t *esp) @@ -408,7 +408,7 @@ esp_prepare_sync_op (vlib_main_t *vm, ipsec_per_thread_data_t *ptd, { /* constuct aad in a scratch space in front of the nonce */ op->aad = (u8 *) nonce - sizeof (esp_aead_t); - op->aad_len = esp_aad_fill (op->aad, esp, sa0); + op->aad_len = esp_aad_fill (op->aad, esp, sa0, seq_hi); op->tag = payload + op->len; op->tag_len = 16; } @@ -465,8 +465,8 @@ esp_prepare_sync_op (vlib_main_t *vm, ipsec_per_thread_data_t *ptd, } else if (ipsec_sa_is_set_USE_ESN (sa0)) { - u32 seq_hi = clib_net_to_host_u32 (sa0->seq_hi); - clib_memcpy_fast (op->digest, &seq_hi, sizeof (seq_hi)); + u32 tmp = clib_net_to_host_u32 (seq_hi); + clib_memcpy_fast (op->digest, &tmp, sizeof (seq_hi)); op->len += sizeof (seq_hi); } } @@ -508,7 +508,7 @@ esp_prepare_async_frame (vlib_main_t *vm, ipsec_per_thread_data_t *ptd, { /* constuct aad in a scratch space in front of the nonce */ aad = (u8 *) nonce - sizeof (esp_aead_t); - esp_aad_fill (aad, esp, sa); + esp_aad_fill (aad, esp, sa, sa->seq_hi); key_index = sa->crypto_key_index; } else @@ -956,9 +956,9 @@ esp_encrypt_inline (vlib_main_t *vm, vlib_node_runtime_t *node, async_next_node, lb); } else - esp_prepare_sync_op (vm, ptd, crypto_ops, integ_ops, sa0, payload, - payload_len, iv_sz, icv_sz, n_sync, b, lb, - hdr_len, esp); + esp_prepare_sync_op (vm, ptd, crypto_ops, integ_ops, sa0, sa0->seq_hi, + payload, payload_len, iv_sz, icv_sz, n_sync, b, + lb, hdr_len, esp); vlib_buffer_advance (b[0], 0LL - hdr_len); diff --git a/src/vnet/ipsec/ipsec_api.c b/src/vnet/ipsec/ipsec_api.c index 73f4474a604..11bfa41b4f1 100644 --- a/src/vnet/ipsec/ipsec_api.c +++ b/src/vnet/ipsec/ipsec_api.c @@ -826,11 +826,11 @@ send_ipsec_sa_details (ipsec_sa_t * sa, void *arg) } mp->seq_outbound = clib_host_to_net_u64 (((u64) sa->seq)); - mp->last_seq_inbound = clib_host_to_net_u64 (((u64) sa->last_seq)); + mp->last_seq_inbound = clib_host_to_net_u64 (((u64) sa->seq)); if (ipsec_sa_is_set_USE_ESN (sa)) { mp->seq_outbound |= (u64) (clib_host_to_net_u32 (sa->seq_hi)); - mp->last_seq_inbound |= (u64) (clib_host_to_net_u32 (sa->last_seq_hi)); + mp->last_seq_inbound |= (u64) (clib_host_to_net_u32 (sa->seq_hi)); } if (ipsec_sa_is_set_USE_ANTI_REPLAY (sa)) mp->replay_window = clib_host_to_net_u64 (sa->replay_window); @@ -913,11 +913,11 @@ send_ipsec_sa_v2_details (ipsec_sa_t * sa, void *arg) mp->entry.dscp = ip_dscp_encode (sa->tunnel.t_dscp); mp->seq_outbound = clib_host_to_net_u64 (((u64) sa->seq)); - mp->last_seq_inbound = clib_host_to_net_u64 (((u64) sa->last_seq)); + mp->last_seq_inbound = clib_host_to_net_u64 (((u64) sa->seq)); if (ipsec_sa_is_set_USE_ESN (sa)) { mp->seq_outbound |= (u64) (clib_host_to_net_u32 (sa->seq_hi)); - mp->last_seq_inbound |= (u64) (clib_host_to_net_u32 (sa->last_seq_hi)); + mp->last_seq_inbound |= (u64) (clib_host_to_net_u32 (sa->seq_hi)); } if (ipsec_sa_is_set_USE_ANTI_REPLAY (sa)) mp->replay_window = clib_host_to_net_u64 (sa->replay_window); @@ -993,11 +993,11 @@ send_ipsec_sa_v3_details (ipsec_sa_t *sa, void *arg) } mp->seq_outbound = clib_host_to_net_u64 (((u64) sa->seq)); - mp->last_seq_inbound = clib_host_to_net_u64 (((u64) sa->last_seq)); + mp->last_seq_inbound = clib_host_to_net_u64 (((u64) sa->seq)); if (ipsec_sa_is_set_USE_ESN (sa)) { mp->seq_outbound |= (u64) (clib_host_to_net_u32 (sa->seq_hi)); - mp->last_seq_inbound |= (u64) (clib_host_to_net_u32 (sa->last_seq_hi)); + mp->last_seq_inbound |= (u64) (clib_host_to_net_u32 (sa->seq_hi)); } if (ipsec_sa_is_set_USE_ANTI_REPLAY (sa)) mp->replay_window = clib_host_to_net_u64 (sa->replay_window); diff --git a/src/vnet/ipsec/ipsec_format.c b/src/vnet/ipsec/ipsec_format.c index b67c11da1cd..5f7caab44e4 100644 --- a/src/vnet/ipsec/ipsec_format.c +++ b/src/vnet/ipsec/ipsec_format.c @@ -293,9 +293,8 @@ format_ipsec_sa (u8 * s, va_list * args) s = format (s, "\n salt 0x%x", clib_net_to_host_u32 (sa->salt)); s = format (s, "\n thread-index:%d", sa->thread_index); s = format (s, "\n seq %u seq-hi %u", sa->seq, sa->seq_hi); - s = format (s, "\n last-seq %u last-seq-hi %u window %U", - sa->last_seq, sa->last_seq_hi, - format_ipsec_replay_window, sa->replay_window); + s = format (s, "\n window %U", format_ipsec_replay_window, + sa->replay_window); s = format (s, "\n crypto alg %U", format_ipsec_crypto_alg, sa->crypto_alg); if (sa->crypto_alg && (flags & IPSEC_FORMAT_INSECURE)) diff --git a/src/vnet/ipsec/ipsec_sa.h b/src/vnet/ipsec/ipsec_sa.h index 7827ef18084..14461ad2cdd 100644 --- a/src/vnet/ipsec/ipsec_sa.h +++ b/src/vnet/ipsec/ipsec_sa.h @@ -131,9 +131,8 @@ typedef struct u32 spi; u32 seq; u32 seq_hi; - u32 last_seq; - u32 last_seq_hi; u64 replay_window; + u64 ctr_iv_counter; dpo_id_t dpo; vnet_crypto_key_index_t crypto_key_index; @@ -162,7 +161,6 @@ typedef struct CLIB_CACHE_LINE_ALIGN_MARK (cacheline1); - u64 ctr_iv_counter; union { ip4_header_t ip4_hdr; @@ -312,45 +310,104 @@ extern uword unformat_ipsec_key (unformat_input_t * input, va_list * args); */ #define IPSEC_SA_ANTI_REPLAY_WINDOW_LOWER_BOUND(_tl) (_tl - IPSEC_SA_ANTI_REPLAY_WINDOW_SIZE + 1) +always_inline int +ipsec_sa_anti_replay_check (const ipsec_sa_t *sa, u32 seq) +{ + if (ipsec_sa_is_set_USE_ANTI_REPLAY (sa) && + sa->replay_window & (1ULL << (sa->seq - seq))) + return 1; + else + return 0; +} + /* * Anti replay check. * inputs need to be in host byte order. + * + * The function runs in two contexts. pre and post decrypt. + * Pre-decrypt it: + * 1 - determines if a packet is a replay - a simple check in the window + * 2 - returns the hi-seq number that should be used to decrypt. + * post-decrypt: + * Checks whether the packet is a replay or falls out of window + * + * This funcion should be called even without anti-replay enabled to ensure + * the high sequence number is set. */ always_inline int -ipsec_sa_anti_replay_check (ipsec_sa_t * sa, u32 seq) +ipsec_sa_anti_replay_and_sn_advance (const ipsec_sa_t *sa, u32 seq, + u32 hi_seq_used, bool post_decrypt, + u32 *hi_seq_req) { - u32 diff, tl, th; - - if ((sa->flags & IPSEC_SA_FLAG_USE_ANTI_REPLAY) == 0) - return 0; + ASSERT ((post_decrypt == false) == (hi_seq_req != 0)); if (!ipsec_sa_is_set_USE_ESN (sa)) { - if (PREDICT_TRUE (seq > sa->last_seq)) + if (hi_seq_req) + /* no ESN, therefore the hi-seq is always 0 */ + *hi_seq_req = 0; + + if (!ipsec_sa_is_set_USE_ANTI_REPLAY (sa)) return 0; - diff = sa->last_seq - seq; + if (PREDICT_TRUE (seq > sa->seq)) + return 0; + + u32 diff = sa->seq - seq; if (IPSEC_SA_ANTI_REPLAY_WINDOW_SIZE > diff) - return (sa->replay_window & (1ULL << diff)) ? 1 : 0; + return ((sa->replay_window & (1ULL << diff)) ? 1 : 0); else return 1; return 0; } - tl = sa->last_seq; - th = sa->last_seq_hi; - diff = tl - seq; - - if (PREDICT_TRUE (tl >= (IPSEC_SA_ANTI_REPLAY_WINDOW_MAX_INDEX))) + if (!ipsec_sa_is_set_USE_ANTI_REPLAY (sa)) + { + /* there's no AR configured for this SA, but in order + * to know whether a packet has wrapped the hi ESN we need + * to know whether it is out of window. if we use the default + * lower bound then we are effectively forcing AR because + * out of window packets will get the increased hi seq number + * and will thus fail to decrypt. IOW we need a window to know + * if the SN has wrapped, but we don't want a window to check for + * anti replay. to resolve the contradiction we use a huge window. + * if the packet is not within 2^30 of the current SN, we'll consider + * it a wrap. + */ + if (hi_seq_req) + { + if (seq >= sa->seq) + /* The packet's sequence number is larger that the SA's. + * that can't be a warp - unless we lost more than + * 2^32 packets ... how could we know? */ + *hi_seq_req = sa->seq_hi; + else + { + /* The packet's SN is less than the SAs, so either the SN has + * wrapped or the SN is just old. */ + if (sa->seq - seq > (1 << 30)) + /* It's really really really old => it wrapped */ + *hi_seq_req = sa->seq_hi + 1; + else + *hi_seq_req = sa->seq_hi; + } + } + /* + * else + * this is post-decrpyt and since it decrypted we accept it + */ + return 0; + } + if (PREDICT_TRUE (sa->seq >= (IPSEC_SA_ANTI_REPLAY_WINDOW_MAX_INDEX))) { /* * the last sequence number VPP recieved is more than one * window size greater than zero. * Case A from RFC4303 Appendix A. */ - if (seq < IPSEC_SA_ANTI_REPLAY_WINDOW_LOWER_BOUND (tl)) + if (seq < IPSEC_SA_ANTI_REPLAY_WINDOW_LOWER_BOUND (sa->seq)) { /* * the received sequence number is lower than the lower bound @@ -358,8 +415,28 @@ ipsec_sa_anti_replay_check (ipsec_sa_t * sa, u32 seq) * the high sequence number has wrapped. if it decrypts corrently * then it's the latter. */ - sa->seq_hi = th + 1; - return 0; + if (post_decrypt) + { + if (hi_seq_used == sa->seq_hi) + /* the high sequence number used to succesfully decrypt this + * packet is the same as the last-sequnence number of the SA. + * that means this packet did not cause a wrap. + * this packet is thus out of window and should be dropped */ + return 1; + else + /* The packet decrypted with a different high sequence number + * to the SA, that means it is the wrap packet and should be + * accepted */ + return 0; + } + else + { + /* pre-decrypt it might be the might that casues a wrap, we + * need to decrpyt to find out */ + if (hi_seq_req) + *hi_seq_req = sa->seq_hi + 1; + return 0; + } } else { @@ -367,13 +444,14 @@ ipsec_sa_anti_replay_check (ipsec_sa_t * sa, u32 seq) * the recieved sequence number greater than the low * end of the window. */ - sa->seq_hi = th; - if (seq <= tl) + if (hi_seq_req) + *hi_seq_req = sa->seq_hi; + if (seq <= sa->seq) /* * The recieved seq number is within bounds of the window * check if it's a duplicate */ - return (sa->replay_window & (1ULL << diff)) ? 1 : 0; + return (ipsec_sa_anti_replay_check (sa, seq)); else /* * The received sequence number is greater than the window @@ -393,19 +471,20 @@ ipsec_sa_anti_replay_check (ipsec_sa_t * sa, u32 seq) * RHS will be a larger number. * Case B from RFC4303 Appendix A. */ - if (seq < IPSEC_SA_ANTI_REPLAY_WINDOW_LOWER_BOUND (tl)) + if (seq < IPSEC_SA_ANTI_REPLAY_WINDOW_LOWER_BOUND (sa->seq)) { /* * the sequence number is less than the lower bound. */ - if (seq <= tl) + if (seq <= sa->seq) { /* * the packet is within the window upper bound. * check for duplicates. */ - sa->seq_hi = th; - return (sa->replay_window & (1ULL << diff)) ? 1 : 0; + if (hi_seq_req) + *hi_seq_req = sa->seq_hi; + return (ipsec_sa_anti_replay_check (sa, seq)); } else { @@ -418,7 +497,8 @@ ipsec_sa_anti_replay_check (ipsec_sa_t * sa, u32 seq) * wrapped the high sequence again. If it were the latter then * we've lost close to 2^32 packets. */ - sa->seq_hi = th; + if (hi_seq_req) + *hi_seq_req = sa->seq_hi; return 0; } } @@ -431,73 +511,79 @@ ipsec_sa_anti_replay_check (ipsec_sa_t * sa, u32 seq) * However, since TL is the other side of 0 to the received * packet, the SA has moved on to a higher sequence number. */ - sa->seq_hi = th - 1; - return (sa->replay_window & (1ULL << diff)) ? 1 : 0; + if (hi_seq_req) + *hi_seq_req = sa->seq_hi - 1; + return (ipsec_sa_anti_replay_check (sa, seq)); } } + /* unhandled case */ + ASSERT (0); return 0; } /* * Anti replay window advance * inputs need to be in host byte order. + * This function both advances the anti-replay window and the sequence number + * We always need to move on the SN but the window updates are only needed + * if AR is on. + * However, updating the window is trivial, so we do it anyway to save + * the branch cost. */ always_inline void -ipsec_sa_anti_replay_advance (ipsec_sa_t * sa, u32 seq) +ipsec_sa_anti_replay_advance (ipsec_sa_t *sa, u32 seq, u32 hi_seq) { u32 pos; - if (PREDICT_TRUE (sa->flags & IPSEC_SA_FLAG_USE_ANTI_REPLAY) == 0) - return; - if (PREDICT_TRUE (sa->flags & IPSEC_SA_FLAG_USE_ESN)) + if (ipsec_sa_is_set_USE_ESN (sa)) { - int wrap = sa->seq_hi - sa->last_seq_hi; + int wrap = hi_seq - sa->seq_hi; - if (wrap == 0 && seq > sa->last_seq) + if (wrap == 0 && seq > sa->seq) { - pos = seq - sa->last_seq; + pos = seq - sa->seq; if (pos < IPSEC_SA_ANTI_REPLAY_WINDOW_SIZE) sa->replay_window = ((sa->replay_window) << pos) | 1; else sa->replay_window = 1; - sa->last_seq = seq; + sa->seq = seq; } else if (wrap > 0) { - pos = ~seq + sa->last_seq + 1; + pos = ~seq + sa->seq + 1; if (pos < IPSEC_SA_ANTI_REPLAY_WINDOW_SIZE) sa->replay_window = ((sa->replay_window) << pos) | 1; else sa->replay_window = 1; - sa->last_seq = seq; - sa->last_seq_hi = sa->seq_hi; + sa->seq = seq; + sa->seq_hi = hi_seq; } else if (wrap < 0) { - pos = ~seq + sa->last_seq + 1; + pos = ~seq + sa->seq + 1; sa->replay_window |= (1ULL << pos); } else { - pos = sa->last_seq - seq; + pos = sa->seq - seq; sa->replay_window |= (1ULL << pos); } } else { - if (seq > sa->last_seq) + if (seq > sa->seq) { - pos = seq - sa->last_seq; + pos = seq - sa->seq; if (pos < IPSEC_SA_ANTI_REPLAY_WINDOW_SIZE) sa->replay_window = ((sa->replay_window) << pos) | 1; else sa->replay_window = 1; - sa->last_seq = seq; + sa->seq = seq; } else { - pos = sa->last_seq - seq; + pos = sa->seq - seq; sa->replay_window |= (1ULL << pos); } } diff --git a/test/template_ipsec.py b/test/template_ipsec.py index fd9d91f3cfb..57c84342cb7 100644 --- a/test/template_ipsec.py +++ b/test/template_ipsec.py @@ -324,6 +324,199 @@ class IpsecTra4(object): return count + def verify_hi_seq_num(self): + p = self.params[socket.AF_INET] + saf = VppEnum.vl_api_ipsec_sad_flags_t + esn_on = p.vpp_tra_sa.esn_en + ar_on = p.flags & saf.IPSEC_API_SAD_FLAG_USE_ANTI_REPLAY + + seq_cycle_node_name = \ + ('/err/%s/sequence number cycled (packet dropped)' % + self.tra4_encrypt_node_name) + replay_count = self.get_replay_counts(p) + hash_failed_count = self.get_hash_failed_counts(p) + seq_cycle_count = self.statistics.get_err_counter(seq_cycle_node_name) + + # a few packets so we get the rx seq number above the window size and + # thus can simulate a wrap with an out of window packet + pkts = [(Ether(src=self.tra_if.remote_mac, + dst=self.tra_if.local_mac) / + p.scapy_tra_sa.encrypt(IP(src=self.tra_if.remote_ip4, + dst=self.tra_if.local_ip4) / + ICMP(), + seq_num=seq)) + for seq in range(63, 80)] + recv_pkts = self.send_and_expect(self.tra_if, pkts, self.tra_if) + + # these 4 packets will all choose seq-num 0 to decrpyt since none + # are out of window when first checked. however, once #200 has + # decrypted it will move the window to 200 and has #81 is out of + # window. this packet should be dropped. + pkts = [(Ether(src=self.tra_if.remote_mac, + dst=self.tra_if.local_mac) / + p.scapy_tra_sa.encrypt(IP(src=self.tra_if.remote_ip4, + dst=self.tra_if.local_ip4) / + ICMP(), + seq_num=200)), + (Ether(src=self.tra_if.remote_mac, + dst=self.tra_if.local_mac) / + p.scapy_tra_sa.encrypt(IP(src=self.tra_if.remote_ip4, + dst=self.tra_if.local_ip4) / + ICMP(), + seq_num=81)), + (Ether(src=self.tra_if.remote_mac, + dst=self.tra_if.local_mac) / + p.scapy_tra_sa.encrypt(IP(src=self.tra_if.remote_ip4, + dst=self.tra_if.local_ip4) / + ICMP(), + seq_num=201)), + (Ether(src=self.tra_if.remote_mac, + dst=self.tra_if.local_mac) / + p.scapy_tra_sa.encrypt(IP(src=self.tra_if.remote_ip4, + dst=self.tra_if.local_ip4) / + ICMP(), + seq_num=202))] + + # if anti-replay is off then we won't drop #81 + n_rx = 3 if ar_on else 4 + self.send_and_expect(self.tra_if, pkts, self.tra_if, n_rx=n_rx) + # this packet is one before the wrap + pkts = [(Ether(src=self.tra_if.remote_mac, + dst=self.tra_if.local_mac) / + p.scapy_tra_sa.encrypt(IP(src=self.tra_if.remote_ip4, + dst=self.tra_if.local_ip4) / + ICMP(), + seq_num=203))] + recv_pkts = self.send_and_expect(self.tra_if, pkts, self.tra_if) + + # move the window over half way to a wrap + pkts = [(Ether(src=self.tra_if.remote_mac, + dst=self.tra_if.local_mac) / + p.scapy_tra_sa.encrypt(IP(src=self.tra_if.remote_ip4, + dst=self.tra_if.local_ip4) / + ICMP(), + seq_num=0x80000001))] + recv_pkts = self.send_and_expect(self.tra_if, pkts, self.tra_if) + + # anti-replay will drop old packets, no anti-replay will not + pkts = [(Ether(src=self.tra_if.remote_mac, + dst=self.tra_if.local_mac) / + p.scapy_tra_sa.encrypt(IP(src=self.tra_if.remote_ip4, + dst=self.tra_if.local_ip4) / + ICMP(), + seq_num=0x44000001))] + + if ar_on: + self.send_and_assert_no_replies(self.tra_if, pkts) + else: + recv_pkts = self.send_and_expect(self.tra_if, pkts, self.tra_if) + + if esn_on: + # + # validate wrapping the ESN + # + + # wrap scapy's TX SA SN + p.scapy_tra_sa.seq_num = 0x100000005 + + # send a packet that wraps the window for both AR and no AR + pkts = [(Ether(src=self.tra_if.remote_mac, + dst=self.tra_if.local_mac) / + p.scapy_tra_sa.encrypt(IP(src=self.tra_if.remote_ip4, + dst=self.tra_if.local_ip4) / + ICMP(), + seq_num=0x100000005))] + + rxs = self.send_and_expect(self.tra_if, pkts, self.tra_if) + for rx in rxs: + decrypted = p.vpp_tra_sa.decrypt(rx[0][IP]) + + # move the window forward to half way to the next wrap + pkts = [(Ether(src=self.tra_if.remote_mac, + dst=self.tra_if.local_mac) / + p.scapy_tra_sa.encrypt(IP(src=self.tra_if.remote_ip4, + dst=self.tra_if.local_ip4) / + ICMP(), + seq_num=0x180000005))] + + rxs = self.send_and_expect(self.tra_if, pkts, self.tra_if) + + # a packet less than 2^30 from the current position is: + # - AR: out of window and dropped + # - non-AR: accepted + pkts = [(Ether(src=self.tra_if.remote_mac, + dst=self.tra_if.local_mac) / + p.scapy_tra_sa.encrypt(IP(src=self.tra_if.remote_ip4, + dst=self.tra_if.local_ip4) / + ICMP(), + seq_num=0x170000005))] + + if ar_on: + self.send_and_assert_no_replies(self.tra_if, pkts) + else: + self.send_and_expect(self.tra_if, pkts, self.tra_if) + + # a packet more than 2^30 from the current position is: + # - AR: out of window and dropped + # - non-AR: considered a wrap, but since it's not a wrap + # it won't decrpyt and so will be dropped + pkts = [(Ether(src=self.tra_if.remote_mac, + dst=self.tra_if.local_mac) / + p.scapy_tra_sa.encrypt(IP(src=self.tra_if.remote_ip4, + dst=self.tra_if.local_ip4) / + ICMP(), + seq_num=0x130000005))] + + self.send_and_assert_no_replies(self.tra_if, pkts) + + # a packet less than 2^30 from the current position and is a + # wrap; (the seq is currently at 0x180000005). + # - AR: out of window so considered a wrap, so accepted + # - non-AR: not considered a wrap, so won't decrypt + p.scapy_tra_sa.seq_num = 0x260000005 + pkts = [(Ether(src=self.tra_if.remote_mac, + dst=self.tra_if.local_mac) / + p.scapy_tra_sa.encrypt(IP(src=self.tra_if.remote_ip4, + dst=self.tra_if.local_ip4) / + ICMP(), + seq_num=0x260000005))] + if ar_on: + self.send_and_expect(self.tra_if, pkts, self.tra_if) + else: + self.send_and_assert_no_replies(self.tra_if, pkts) + + # + # window positions are different now for AR/non-AR + # move non-AR forward + # + if not ar_on: + # a packet more than 2^30 from the current position and is a + # wrap; (the seq is currently at 0x180000005). + # - AR: accepted + # - non-AR: not considered a wrap, so won't decrypt + + pkts = [(Ether(src=self.tra_if.remote_mac, + dst=self.tra_if.local_mac) / + p.scapy_tra_sa.encrypt(IP(src=self.tra_if.remote_ip4, + dst=self.tra_if.local_ip4) / + ICMP(), + seq_num=0x200000005)), + (Ether(src=self.tra_if.remote_mac, + dst=self.tra_if.local_mac) / + p.scapy_tra_sa.encrypt(IP(src=self.tra_if.remote_ip4, + dst=self.tra_if.local_ip4) / + ICMP(), + seq_num=0x200000006))] + self.send_and_expect(self.tra_if, pkts, self.tra_if) + + pkts = [(Ether(src=self.tra_if.remote_mac, + dst=self.tra_if.local_mac) / + p.scapy_tra_sa.encrypt(IP(src=self.tra_if.remote_ip4, + dst=self.tra_if.local_ip4) / + ICMP(), + seq_num=0x260000005))] + self.send_and_expect(self.tra_if, pkts, self.tra_if) + def verify_tra_anti_replay(self): p = self.params[socket.AF_INET] esn_en = p.vpp_tra_sa.esn_en @@ -359,7 +552,7 @@ class IpsecTra4(object): recv_pkts = self.send_and_expect(self.tra_if, pkts, self.tra_if) # replayed packets are dropped - self.send_and_assert_no_replies(self.tra_if, pkts) + self.send_and_assert_no_replies(self.tra_if, pkts, timeout=0.2) replay_count += len(pkts) self.assertEqual(self.get_replay_counts(p), replay_count) @@ -393,7 +586,7 @@ class IpsecTra4(object): recv_pkts = self.send_and_expect(self.tra_if, [pkt], self.tra_if) # replayed packets are dropped - self.send_and_assert_no_replies(self.tra_if, pkt * 3) + self.send_and_assert_no_replies(self.tra_if, pkt * 3, timeout=0.2) replay_count += 3 self.assertEqual(self.get_replay_counts(p), replay_count) @@ -420,7 +613,7 @@ class IpsecTra4(object): dst=self.tra_if.local_ip4) / ICMP(), seq_num=350)) - self.send_and_assert_no_replies(self.tra_if, pkt * 17) + self.send_and_assert_no_replies(self.tra_if, pkt * 17, timeout=0.2) hash_failed_count += 17 self.assertEqual(self.get_hash_failed_counts(p), hash_failed_count) @@ -436,7 +629,7 @@ class IpsecTra4(object): dst=self.tra_if.local_ip4) / ICMP(), seq_num=350)) - self.send_and_assert_no_replies(self.tra_if, pkt * 17) + self.send_and_assert_no_replies(self.tra_if, pkt * 17, timeout=0.2) undersize_count += 17 self.assert_error_counter_equal(undersize_node_name, @@ -462,7 +655,7 @@ class IpsecTra4(object): dst=self.tra_if.local_ip4) / ICMP(), seq_num=17)) - self.send_and_assert_no_replies(self.tra_if, pkt * 17) + self.send_and_assert_no_replies(self.tra_if, pkt * 17, timeout=0.2) if esn_en: # an out of window error with ESN looks like a high sequence @@ -526,6 +719,7 @@ class IpsecTra4(object): ICMP(), seq_num=0x100000005)) rx = self.send_and_expect(self.tra_if, [pkt], self.tra_if) + decrypted = p.vpp_tra_sa.decrypt(rx[0][IP]) # @@ -544,7 +738,7 @@ class IpsecTra4(object): # # While in case A we cannot wrap the high sequence number again - # becuase VPP will consider this packet to be one that moves the + # because VPP will consider this packet to be one that moves the # window forward # pkt = (Ether(src=self.tra_if.remote_mac, @@ -553,13 +747,14 @@ class IpsecTra4(object): dst=self.tra_if.local_ip4) / ICMP(), seq_num=0x200000999)) - self.send_and_assert_no_replies(self.tra_if, [pkt], self.tra_if) + self.send_and_assert_no_replies(self.tra_if, [pkt], self.tra_if, + timeout=0.2) hash_failed_count += 1 self.assertEqual(self.get_hash_failed_counts(p), hash_failed_count) # - # but if we move the wondow forward to case B, then we can wrap + # but if we move the window forward to case B, then we can wrap # again # p.scapy_tra_sa.seq_num = 0x100000555 @@ -587,7 +782,7 @@ class IpsecTra4(object): # without ESN TX sequence numbers can't wrap and packets are # dropped from here on out. # - self.send_and_assert_no_replies(self.tra_if, pkts) + self.send_and_assert_no_replies(self.tra_if, pkts, timeout=0.2) seq_cycle_count += len(pkts) self.assert_error_counter_equal(seq_cycle_node_name, seq_cycle_count) diff --git a/test/test_ipsec_esp.py b/test/test_ipsec_esp.py index 41ac56efafd..6fd4ba15a32 100644 --- a/test/test_ipsec_esp.py +++ b/test/test_ipsec_esp.py @@ -50,6 +50,11 @@ class ConfigIpsecESP(TemplateIpsec): def tearDown(self): super(ConfigIpsecESP, self).tearDown() + def config_anti_replay(self, params): + saf = VppEnum.vl_api_ipsec_sad_flags_t + for p in params: + p.flags |= saf.IPSEC_API_SAD_FLAG_USE_ANTI_REPLAY + def config_network(self, params): self.net_objs = [] self.tun_if = self.pg0 @@ -200,10 +205,8 @@ class ConfigIpsecESP(TemplateIpsec): crypt_key = params.crypt_key addr_any = params.addr_any addr_bcast = params.addr_bcast - flags = (VppEnum.vl_api_ipsec_sad_flags_t. - IPSEC_API_SAD_FLAG_USE_ANTI_REPLAY) e = VppEnum.vl_api_ipsec_spd_action_t - flags = params.flags | flags + flags = params.flags salt = params.salt objs = [] @@ -292,6 +295,7 @@ class TemplateIpsecEsp(ConfigIpsecESP): def setUp(self): super(TemplateIpsecEsp, self).setUp() + self.config_anti_replay(self.params.values()) self.config_network(self.params.values()) def tearDown(self): @@ -698,7 +702,9 @@ class TemplateIpsecEspUdp(ConfigIpsecESP): p = self.ipv4_params p.flags = (VppEnum.vl_api_ipsec_sad_flags_t. - IPSEC_API_SAD_FLAG_UDP_ENCAP) + IPSEC_API_SAD_FLAG_UDP_ENCAP | + VppEnum.vl_api_ipsec_sad_flags_t. + IPSEC_API_SAD_FLAG_USE_ANTI_REPLAY) p.nat_header = UDP(sport=5454, dport=4500) self.tra_spd = VppIpsecSpd(self, self.tra_spd_id) @@ -737,8 +743,10 @@ class TestIpsecEspUdp(TemplateIpsecEspUdp, IpsecTra4Tests): class MyParameters(): def __init__(self): - flag_esn = VppEnum.vl_api_ipsec_sad_flags_t.IPSEC_API_SAD_FLAG_USE_ESN - self.flags = [0, flag_esn] + saf = VppEnum.vl_api_ipsec_sad_flags_t + flag_esn = saf.IPSEC_API_SAD_FLAG_USE_ESN + flag_ar = saf.IPSEC_API_SAD_FLAG_USE_ANTI_REPLAY + self.flags = [0, flag_esn, flag_ar] # foreach crypto algorithm self.algos = { 'AES-GCM-128/NONE': { @@ -862,10 +870,12 @@ class RunTestIpsecEspAll(ConfigIpsecESP, params = MyParameters() self.engine = test_args[0] self.flag = params.flags[0] - if test_args[1] == 'ESN': - self.flag = params.flags[1] + if test_args[1] == 'ESNon': + self.flag |= params.flags[1] + if test_args[2] == 'ARon': + self.flag |= params.flags[2] - self.algo = params.algos[test_args[2]] + self.algo = params.algos[test_args[3]] self.async_mode = False if self.engine == "async": self.async_mode = True @@ -898,7 +908,7 @@ class RunTestIpsecEspAll(ConfigIpsecESP, p.auth_algo = algo['scapy-integ'] p.crypt_key = algo['key'] p.salt = algo['salt'] - p.flags = p.flags | flag + p.flags = flag p.outer_flow_label = 243224 p.async_mode = self.async_mode @@ -947,24 +957,29 @@ class RunTestIpsecEspAll(ConfigIpsecESP, count=NUM_PKTS, payload_size=sz) # - # swap the handlers while SAs are up + # reconfigure the network and SA to run the + # anti replay tests # - for e in engines: - if e != engine: - self.vapi.cli("set crypto handler all %s" % e) - self.verify_tra_basic4(count=NUM_PKTS) + saf = VppEnum.vl_api_ipsec_sad_flags_t + if flag & saf.IPSEC_API_SAD_FLAG_USE_ANTI_REPLAY: + self.unconfig_network() + self.config_network(self.params.values()) + self.verify_tra_anti_replay() - # - # remove the SPDs, SAs, etc - # self.unconfig_network() + self.config_network(self.params.values()) + self.verify_hi_seq_num() # - # reconfigure the network and SA to run the - # anti replay tests + # swap the handlers while SAs are up # + self.unconfig_network() self.config_network(self.params.values()) - self.verify_tra_anti_replay() + for e in engines: + if e != engine: + self.vapi.cli("set crypto handler all %s" % e) + self.verify_tra_basic4(count=NUM_PKTS) + self.unconfig_network() # @@ -972,480 +987,1094 @@ class RunTestIpsecEspAll(ConfigIpsecESP, # grep '# GEN' test_ipsec_esp.py | sed -e 's/# GEN //g' | bash # # GEN for ENG in native ipsecmb openssl; do \ -# GEN for FLG in noESN ESN; do for ALG in AES-GCM-128/NONE \ +# GEN for ESN in ESNon ESNoff; do for AR in ARon ARoff; do \ +# GEN for ALG in AES-GCM-128/NONE \ # GEN AES-GCM-192/NONE AES-GCM-256/NONE AES-CBC-128/MD5-96 \ # GEN AES-CBC-192/SHA1-96 AES-CBC-256/SHA1-96 \ # GEN 3DES-CBC/SHA1-96 NONE/SHA1-96 \ # GEN AES-CTR-128/SHA1-96 AES-CTR-192/SHA1-96 AES-CTR-256/SHA1-96; do \ -# GEN echo -e "\n\nclass Test_${ENG}_${FLG}_${ALG}(RunTestIpsecEspAll):" | -# GEN sed -e 's/-/_/g' -e 's#/#_#g' ; \ -# GEN echo ' """'$ENG $FLG $ALG IPSec test'"""' ; +# GEN echo -en "\n\nclass " +# GEN echo -e "Test_${ENG}_${ESN}_${AR}_${ALG}(RunTestIpsecEspAll):" | +# GEN sed -e 's/-/_/g' -e 's#/#_#g' ; +# GEN echo ' """'$ENG $ESN $AR $ALG IPSec test'"""' ; # GEN echo " def test_ipsec(self):"; +# GEN echo ' """'$ENG $ESN $AR $ALG IPSec test'"""' ; # GEN echo " self.run_test()"; -# GEN done; done; done +# GEN done; done; done; done # -# GEN for FLG in noESN ESN; do for ALG in \ +# GEN for ESN in ESNon ESNoff; do for AR in ARon ARoff; do \ +# GEN for ALG in \ # GEN AES-GCM-128/NONE AES-GCM-192/NONE AES-GCM-256/NONE \ # GEN AES-CBC-192/SHA1-96 AES-CBC-256/SHA1-96; do \ -# GEN echo -e "\n\nclass Test_async_${FLG}_${ALG}(RunTestIpsecEspAll):" | -# GEN sed -e 's/-/_/g' -e 's#/#_#g' ; \ -# GEN echo ' """'async $FLG $ALG IPSec test'"""' ; +# GEN echo -en "\n\nclass " +# GEN echo -e "Test_async_${ESN}_${AR}_${ALG}(RunTestIpsecEspAll):" | +# GEN sed -e 's/-/_/g' -e 's#/#_#g' ; +# GEN echo ' """'async $ESN $AR $ALG IPSec test'"""' ; # GEN echo " def test_ipsec(self):"; +# GEN echo ' """'async $ESN $AR $ALG IPSec test'"""' ; # GEN echo " self.run_test()"; -# GEN done; done; +# GEN done; done; done; + + +class Test_native_ESNon_ARon_AES_GCM_128_NONE(RunTestIpsecEspAll): + """native ESNon ARon AES-GCM-128/NONE IPSec test""" + def test_ipsec(self): + """native ESNon ARon AES-GCM-128/NONE IPSec test""" + self.run_test() + + +class Test_native_ESNon_ARon_AES_GCM_192_NONE(RunTestIpsecEspAll): + """native ESNon ARon AES-GCM-192/NONE IPSec test""" + def test_ipsec(self): + """native ESNon ARon AES-GCM-192/NONE IPSec test""" + self.run_test() + + +class Test_native_ESNon_ARon_AES_GCM_256_NONE(RunTestIpsecEspAll): + """native ESNon ARon AES-GCM-256/NONE IPSec test""" + def test_ipsec(self): + """native ESNon ARon AES-GCM-256/NONE IPSec test""" + self.run_test() + + +class Test_native_ESNon_ARon_AES_CBC_128_MD5_96(RunTestIpsecEspAll): + """native ESNon ARon AES-CBC-128/MD5-96 IPSec test""" + def test_ipsec(self): + """native ESNon ARon AES-CBC-128/MD5-96 IPSec test""" + self.run_test() + + +class Test_native_ESNon_ARon_AES_CBC_192_SHA1_96(RunTestIpsecEspAll): + """native ESNon ARon AES-CBC-192/SHA1-96 IPSec test""" + def test_ipsec(self): + """native ESNon ARon AES-CBC-192/SHA1-96 IPSec test""" + self.run_test() + + +class Test_native_ESNon_ARon_AES_CBC_256_SHA1_96(RunTestIpsecEspAll): + """native ESNon ARon AES-CBC-256/SHA1-96 IPSec test""" + def test_ipsec(self): + """native ESNon ARon AES-CBC-256/SHA1-96 IPSec test""" + self.run_test() + + +class Test_native_ESNon_ARon_3DES_CBC_SHA1_96(RunTestIpsecEspAll): + """native ESNon ARon 3DES-CBC/SHA1-96 IPSec test""" + def test_ipsec(self): + """native ESNon ARon 3DES-CBC/SHA1-96 IPSec test""" + self.run_test() + + +class Test_native_ESNon_ARon_NONE_SHA1_96(RunTestIpsecEspAll): + """native ESNon ARon NONE/SHA1-96 IPSec test""" + def test_ipsec(self): + """native ESNon ARon NONE/SHA1-96 IPSec test""" + self.run_test() + + +class Test_native_ESNon_ARon_AES_CTR_128_SHA1_96(RunTestIpsecEspAll): + """native ESNon ARon AES-CTR-128/SHA1-96 IPSec test""" + def test_ipsec(self): + """native ESNon ARon AES-CTR-128/SHA1-96 IPSec test""" + self.run_test() + + +class Test_native_ESNon_ARon_AES_CTR_192_SHA1_96(RunTestIpsecEspAll): + """native ESNon ARon AES-CTR-192/SHA1-96 IPSec test""" + def test_ipsec(self): + """native ESNon ARon AES-CTR-192/SHA1-96 IPSec test""" + self.run_test() + + +class Test_native_ESNon_ARon_AES_CTR_256_SHA1_96(RunTestIpsecEspAll): + """native ESNon ARon AES-CTR-256/SHA1-96 IPSec test""" + def test_ipsec(self): + """native ESNon ARon AES-CTR-256/SHA1-96 IPSec test""" + self.run_test() + + +class Test_native_ESNon_ARoff_AES_GCM_128_NONE(RunTestIpsecEspAll): + """native ESNon ARoff AES-GCM-128/NONE IPSec test""" + def test_ipsec(self): + """native ESNon ARoff AES-GCM-128/NONE IPSec test""" + self.run_test() + + +class Test_native_ESNon_ARoff_AES_GCM_192_NONE(RunTestIpsecEspAll): + """native ESNon ARoff AES-GCM-192/NONE IPSec test""" + def test_ipsec(self): + """native ESNon ARoff AES-GCM-192/NONE IPSec test""" + self.run_test() + + +class Test_native_ESNon_ARoff_AES_GCM_256_NONE(RunTestIpsecEspAll): + """native ESNon ARoff AES-GCM-256/NONE IPSec test""" + def test_ipsec(self): + """native ESNon ARoff AES-GCM-256/NONE IPSec test""" + self.run_test() + + +class Test_native_ESNon_ARoff_AES_CBC_128_MD5_96(RunTestIpsecEspAll): + """native ESNon ARoff AES-CBC-128/MD5-96 IPSec test""" + def test_ipsec(self): + """native ESNon ARoff AES-CBC-128/MD5-96 IPSec test""" + self.run_test() + + +class Test_native_ESNon_ARoff_AES_CBC_192_SHA1_96(RunTestIpsecEspAll): + """native ESNon ARoff AES-CBC-192/SHA1-96 IPSec test""" + def test_ipsec(self): + """native ESNon ARoff AES-CBC-192/SHA1-96 IPSec test""" + self.run_test() + + +class Test_native_ESNon_ARoff_AES_CBC_256_SHA1_96(RunTestIpsecEspAll): + """native ESNon ARoff AES-CBC-256/SHA1-96 IPSec test""" + def test_ipsec(self): + """native ESNon ARoff AES-CBC-256/SHA1-96 IPSec test""" + self.run_test() + + +class Test_native_ESNon_ARoff_3DES_CBC_SHA1_96(RunTestIpsecEspAll): + """native ESNon ARoff 3DES-CBC/SHA1-96 IPSec test""" + def test_ipsec(self): + """native ESNon ARoff 3DES-CBC/SHA1-96 IPSec test""" + self.run_test() + + +class Test_native_ESNon_ARoff_NONE_SHA1_96(RunTestIpsecEspAll): + """native ESNon ARoff NONE/SHA1-96 IPSec test""" + def test_ipsec(self): + """native ESNon ARoff NONE/SHA1-96 IPSec test""" + self.run_test() + + +class Test_native_ESNon_ARoff_AES_CTR_128_SHA1_96(RunTestIpsecEspAll): + """native ESNon ARoff AES-CTR-128/SHA1-96 IPSec test""" + def test_ipsec(self): + """native ESNon ARoff AES-CTR-128/SHA1-96 IPSec test""" + self.run_test() + + +class Test_native_ESNon_ARoff_AES_CTR_192_SHA1_96(RunTestIpsecEspAll): + """native ESNon ARoff AES-CTR-192/SHA1-96 IPSec test""" + def test_ipsec(self): + """native ESNon ARoff AES-CTR-192/SHA1-96 IPSec test""" + self.run_test() + + +class Test_native_ESNon_ARoff_AES_CTR_256_SHA1_96(RunTestIpsecEspAll): + """native ESNon ARoff AES-CTR-256/SHA1-96 IPSec test""" + def test_ipsec(self): + """native ESNon ARoff AES-CTR-256/SHA1-96 IPSec test""" + self.run_test() + + +class Test_native_ESNoff_ARon_AES_GCM_128_NONE(RunTestIpsecEspAll): + """native ESNoff ARon AES-GCM-128/NONE IPSec test""" + def test_ipsec(self): + """native ESNoff ARon AES-GCM-128/NONE IPSec test""" + self.run_test() + + +class Test_native_ESNoff_ARon_AES_GCM_192_NONE(RunTestIpsecEspAll): + """native ESNoff ARon AES-GCM-192/NONE IPSec test""" + def test_ipsec(self): + """native ESNoff ARon AES-GCM-192/NONE IPSec test""" + self.run_test() + + +class Test_native_ESNoff_ARon_AES_GCM_256_NONE(RunTestIpsecEspAll): + """native ESNoff ARon AES-GCM-256/NONE IPSec test""" + def test_ipsec(self): + """native ESNoff ARon AES-GCM-256/NONE IPSec test""" + self.run_test() + + +class Test_native_ESNoff_ARon_AES_CBC_128_MD5_96(RunTestIpsecEspAll): + """native ESNoff ARon AES-CBC-128/MD5-96 IPSec test""" + def test_ipsec(self): + """native ESNoff ARon AES-CBC-128/MD5-96 IPSec test""" + self.run_test() + + +class Test_native_ESNoff_ARon_AES_CBC_192_SHA1_96(RunTestIpsecEspAll): + """native ESNoff ARon AES-CBC-192/SHA1-96 IPSec test""" + def test_ipsec(self): + """native ESNoff ARon AES-CBC-192/SHA1-96 IPSec test""" + self.run_test() + + +class Test_native_ESNoff_ARon_AES_CBC_256_SHA1_96(RunTestIpsecEspAll): + """native ESNoff ARon AES-CBC-256/SHA1-96 IPSec test""" + def test_ipsec(self): + """native ESNoff ARon AES-CBC-256/SHA1-96 IPSec test""" + self.run_test() + + +class Test_native_ESNoff_ARon_3DES_CBC_SHA1_96(RunTestIpsecEspAll): + """native ESNoff ARon 3DES-CBC/SHA1-96 IPSec test""" + def test_ipsec(self): + """native ESNoff ARon 3DES-CBC/SHA1-96 IPSec test""" + self.run_test() + + +class Test_native_ESNoff_ARon_NONE_SHA1_96(RunTestIpsecEspAll): + """native ESNoff ARon NONE/SHA1-96 IPSec test""" + def test_ipsec(self): + """native ESNoff ARon NONE/SHA1-96 IPSec test""" + self.run_test() + + +class Test_native_ESNoff_ARon_AES_CTR_128_SHA1_96(RunTestIpsecEspAll): + """native ESNoff ARon AES-CTR-128/SHA1-96 IPSec test""" + def test_ipsec(self): + """native ESNoff ARon AES-CTR-128/SHA1-96 IPSec test""" + self.run_test() + + +class Test_native_ESNoff_ARon_AES_CTR_192_SHA1_96(RunTestIpsecEspAll): + """native ESNoff ARon AES-CTR-192/SHA1-96 IPSec test""" + def test_ipsec(self): + """native ESNoff ARon AES-CTR-192/SHA1-96 IPSec test""" + self.run_test() + + +class Test_native_ESNoff_ARon_AES_CTR_256_SHA1_96(RunTestIpsecEspAll): + """native ESNoff ARon AES-CTR-256/SHA1-96 IPSec test""" + def test_ipsec(self): + """native ESNoff ARon AES-CTR-256/SHA1-96 IPSec test""" + self.run_test() + + +class Test_native_ESNoff_ARoff_AES_GCM_128_NONE(RunTestIpsecEspAll): + """native ESNoff ARoff AES-GCM-128/NONE IPSec test""" + def test_ipsec(self): + """native ESNoff ARoff AES-GCM-128/NONE IPSec test""" + self.run_test() + + +class Test_native_ESNoff_ARoff_AES_GCM_192_NONE(RunTestIpsecEspAll): + """native ESNoff ARoff AES-GCM-192/NONE IPSec test""" + def test_ipsec(self): + """native ESNoff ARoff AES-GCM-192/NONE IPSec test""" + self.run_test() + + +class Test_native_ESNoff_ARoff_AES_GCM_256_NONE(RunTestIpsecEspAll): + """native ESNoff ARoff AES-GCM-256/NONE IPSec test""" + def test_ipsec(self): + """native ESNoff ARoff AES-GCM-256/NONE IPSec test""" + self.run_test() + + +class Test_native_ESNoff_ARoff_AES_CBC_128_MD5_96(RunTestIpsecEspAll): + """native ESNoff ARoff AES-CBC-128/MD5-96 IPSec test""" + def test_ipsec(self): + """native ESNoff ARoff AES-CBC-128/MD5-96 IPSec test""" + self.run_test() + + +class Test_native_ESNoff_ARoff_AES_CBC_192_SHA1_96(RunTestIpsecEspAll): + """native ESNoff ARoff AES-CBC-192/SHA1-96 IPSec test""" + def test_ipsec(self): + """native ESNoff ARoff AES-CBC-192/SHA1-96 IPSec test""" + self.run_test() + + +class Test_native_ESNoff_ARoff_AES_CBC_256_SHA1_96(RunTestIpsecEspAll): + """native ESNoff ARoff AES-CBC-256/SHA1-96 IPSec test""" + def test_ipsec(self): + """native ESNoff ARoff AES-CBC-256/SHA1-96 IPSec test""" + self.run_test() + + +class Test_native_ESNoff_ARoff_3DES_CBC_SHA1_96(RunTestIpsecEspAll): + """native ESNoff ARoff 3DES-CBC/SHA1-96 IPSec test""" + def test_ipsec(self): + """native ESNoff ARoff 3DES-CBC/SHA1-96 IPSec test""" + self.run_test() + + +class Test_native_ESNoff_ARoff_NONE_SHA1_96(RunTestIpsecEspAll): + """native ESNoff ARoff NONE/SHA1-96 IPSec test""" + def test_ipsec(self): + """native ESNoff ARoff NONE/SHA1-96 IPSec test""" + self.run_test() + + +class Test_native_ESNoff_ARoff_AES_CTR_128_SHA1_96(RunTestIpsecEspAll): + """native ESNoff ARoff AES-CTR-128/SHA1-96 IPSec test""" + def test_ipsec(self): + """native ESNoff ARoff AES-CTR-128/SHA1-96 IPSec test""" + self.run_test() + + +class Test_native_ESNoff_ARoff_AES_CTR_192_SHA1_96(RunTestIpsecEspAll): + """native ESNoff ARoff AES-CTR-192/SHA1-96 IPSec test""" + def test_ipsec(self): + """native ESNoff ARoff AES-CTR-192/SHA1-96 IPSec test""" + self.run_test() + + +class Test_native_ESNoff_ARoff_AES_CTR_256_SHA1_96(RunTestIpsecEspAll): + """native ESNoff ARoff AES-CTR-256/SHA1-96 IPSec test""" + def test_ipsec(self): + """native ESNoff ARoff AES-CTR-256/SHA1-96 IPSec test""" + self.run_test() + + +class Test_ipsecmb_ESNon_ARon_AES_GCM_128_NONE(RunTestIpsecEspAll): + """ipsecmb ESNon ARon AES-GCM-128/NONE IPSec test""" + def test_ipsec(self): + """ipsecmb ESNon ARon AES-GCM-128/NONE IPSec test""" + self.run_test() + + +class Test_ipsecmb_ESNon_ARon_AES_GCM_192_NONE(RunTestIpsecEspAll): + """ipsecmb ESNon ARon AES-GCM-192/NONE IPSec test""" + def test_ipsec(self): + """ipsecmb ESNon ARon AES-GCM-192/NONE IPSec test""" + self.run_test() + + +class Test_ipsecmb_ESNon_ARon_AES_GCM_256_NONE(RunTestIpsecEspAll): + """ipsecmb ESNon ARon AES-GCM-256/NONE IPSec test""" + def test_ipsec(self): + """ipsecmb ESNon ARon AES-GCM-256/NONE IPSec test""" + self.run_test() + + +class Test_ipsecmb_ESNon_ARon_AES_CBC_128_MD5_96(RunTestIpsecEspAll): + """ipsecmb ESNon ARon AES-CBC-128/MD5-96 IPSec test""" + def test_ipsec(self): + """ipsecmb ESNon ARon AES-CBC-128/MD5-96 IPSec test""" + self.run_test() + + +class Test_ipsecmb_ESNon_ARon_AES_CBC_192_SHA1_96(RunTestIpsecEspAll): + """ipsecmb ESNon ARon AES-CBC-192/SHA1-96 IPSec test""" + def test_ipsec(self): + """ipsecmb ESNon ARon AES-CBC-192/SHA1-96 IPSec test""" + self.run_test() + + +class Test_ipsecmb_ESNon_ARon_AES_CBC_256_SHA1_96(RunTestIpsecEspAll): + """ipsecmb ESNon ARon AES-CBC-256/SHA1-96 IPSec test""" + def test_ipsec(self): + """ipsecmb ESNon ARon AES-CBC-256/SHA1-96 IPSec test""" + self.run_test() + + +class Test_ipsecmb_ESNon_ARon_3DES_CBC_SHA1_96(RunTestIpsecEspAll): + """ipsecmb ESNon ARon 3DES-CBC/SHA1-96 IPSec test""" + def test_ipsec(self): + """ipsecmb ESNon ARon 3DES-CBC/SHA1-96 IPSec test""" + self.run_test() + + +class Test_ipsecmb_ESNon_ARon_NONE_SHA1_96(RunTestIpsecEspAll): + """ipsecmb ESNon ARon NONE/SHA1-96 IPSec test""" + def test_ipsec(self): + """ipsecmb ESNon ARon NONE/SHA1-96 IPSec test""" + self.run_test() + + +class Test_ipsecmb_ESNon_ARon_AES_CTR_128_SHA1_96(RunTestIpsecEspAll): + """ipsecmb ESNon ARon AES-CTR-128/SHA1-96 IPSec test""" + def test_ipsec(self): + """ipsecmb ESNon ARon AES-CTR-128/SHA1-96 IPSec test""" + self.run_test() + + +class Test_ipsecmb_ESNon_ARon_AES_CTR_192_SHA1_96(RunTestIpsecEspAll): + """ipsecmb ESNon ARon AES-CTR-192/SHA1-96 IPSec test""" + def test_ipsec(self): + """ipsecmb ESNon ARon AES-CTR-192/SHA1-96 IPSec test""" + self.run_test() + + +class Test_ipsecmb_ESNon_ARon_AES_CTR_256_SHA1_96(RunTestIpsecEspAll): + """ipsecmb ESNon ARon AES-CTR-256/SHA1-96 IPSec test""" + def test_ipsec(self): + """ipsecmb ESNon ARon AES-CTR-256/SHA1-96 IPSec test""" + self.run_test() + + +class Test_ipsecmb_ESNon_ARoff_AES_GCM_128_NONE(RunTestIpsecEspAll): + """ipsecmb ESNon ARoff AES-GCM-128/NONE IPSec test""" + def test_ipsec(self): + """ipsecmb ESNon ARoff AES-GCM-128/NONE IPSec test""" + self.run_test() + + +class Test_ipsecmb_ESNon_ARoff_AES_GCM_192_NONE(RunTestIpsecEspAll): + """ipsecmb ESNon ARoff AES-GCM-192/NONE IPSec test""" + def test_ipsec(self): + """ipsecmb ESNon ARoff AES-GCM-192/NONE IPSec test""" + self.run_test() + + +class Test_ipsecmb_ESNon_ARoff_AES_GCM_256_NONE(RunTestIpsecEspAll): + """ipsecmb ESNon ARoff AES-GCM-256/NONE IPSec test""" + def test_ipsec(self): + """ipsecmb ESNon ARoff AES-GCM-256/NONE IPSec test""" + self.run_test() + + +class Test_ipsecmb_ESNon_ARoff_AES_CBC_128_MD5_96(RunTestIpsecEspAll): + """ipsecmb ESNon ARoff AES-CBC-128/MD5-96 IPSec test""" + def test_ipsec(self): + """ipsecmb ESNon ARoff AES-CBC-128/MD5-96 IPSec test""" + self.run_test() + + +class Test_ipsecmb_ESNon_ARoff_AES_CBC_192_SHA1_96(RunTestIpsecEspAll): + """ipsecmb ESNon ARoff AES-CBC-192/SHA1-96 IPSec test""" + def test_ipsec(self): + """ipsecmb ESNon ARoff AES-CBC-192/SHA1-96 IPSec test""" + self.run_test() + + +class Test_ipsecmb_ESNon_ARoff_AES_CBC_256_SHA1_96(RunTestIpsecEspAll): + """ipsecmb ESNon ARoff AES-CBC-256/SHA1-96 IPSec test""" + def test_ipsec(self): + """ipsecmb ESNon ARoff AES-CBC-256/SHA1-96 IPSec test""" + self.run_test() + + +class Test_ipsecmb_ESNon_ARoff_3DES_CBC_SHA1_96(RunTestIpsecEspAll): + """ipsecmb ESNon ARoff 3DES-CBC/SHA1-96 IPSec test""" + def test_ipsec(self): + """ipsecmb ESNon ARoff 3DES-CBC/SHA1-96 IPSec test""" + self.run_test() + + +class Test_ipsecmb_ESNon_ARoff_NONE_SHA1_96(RunTestIpsecEspAll): + """ipsecmb ESNon ARoff NONE/SHA1-96 IPSec test""" + def test_ipsec(self): + """ipsecmb ESNon ARoff NONE/SHA1-96 IPSec test""" + self.run_test() + + +class Test_ipsecmb_ESNon_ARoff_AES_CTR_128_SHA1_96(RunTestIpsecEspAll): + """ipsecmb ESNon ARoff AES-CTR-128/SHA1-96 IPSec test""" + def test_ipsec(self): + """ipsecmb ESNon ARoff AES-CTR-128/SHA1-96 IPSec test""" + self.run_test() + + +class Test_ipsecmb_ESNon_ARoff_AES_CTR_192_SHA1_96(RunTestIpsecEspAll): + """ipsecmb ESNon ARoff AES-CTR-192/SHA1-96 IPSec test""" + def test_ipsec(self): + """ipsecmb ESNon ARoff AES-CTR-192/SHA1-96 IPSec test""" + self.run_test() + + +class Test_ipsecmb_ESNon_ARoff_AES_CTR_256_SHA1_96(RunTestIpsecEspAll): + """ipsecmb ESNon ARoff AES-CTR-256/SHA1-96 IPSec test""" + def test_ipsec(self): + """ipsecmb ESNon ARoff AES-CTR-256/SHA1-96 IPSec test""" + self.run_test() + + +class Test_ipsecmb_ESNoff_ARon_AES_GCM_128_NONE(RunTestIpsecEspAll): + """ipsecmb ESNoff ARon AES-GCM-128/NONE IPSec test""" + def test_ipsec(self): + """ipsecmb ESNoff ARon AES-GCM-128/NONE IPSec test""" + self.run_test() + + +class Test_ipsecmb_ESNoff_ARon_AES_GCM_192_NONE(RunTestIpsecEspAll): + """ipsecmb ESNoff ARon AES-GCM-192/NONE IPSec test""" + def test_ipsec(self): + """ipsecmb ESNoff ARon AES-GCM-192/NONE IPSec test""" + self.run_test() + + +class Test_ipsecmb_ESNoff_ARon_AES_GCM_256_NONE(RunTestIpsecEspAll): + """ipsecmb ESNoff ARon AES-GCM-256/NONE IPSec test""" + def test_ipsec(self): + """ipsecmb ESNoff ARon AES-GCM-256/NONE IPSec test""" + self.run_test() + + +class Test_ipsecmb_ESNoff_ARon_AES_CBC_128_MD5_96(RunTestIpsecEspAll): + """ipsecmb ESNoff ARon AES-CBC-128/MD5-96 IPSec test""" + def test_ipsec(self): + """ipsecmb ESNoff ARon AES-CBC-128/MD5-96 IPSec test""" + self.run_test() + + +class Test_ipsecmb_ESNoff_ARon_AES_CBC_192_SHA1_96(RunTestIpsecEspAll): + """ipsecmb ESNoff ARon AES-CBC-192/SHA1-96 IPSec test""" + def test_ipsec(self): + """ipsecmb ESNoff ARon AES-CBC-192/SHA1-96 IPSec test""" + self.run_test() + + +class Test_ipsecmb_ESNoff_ARon_AES_CBC_256_SHA1_96(RunTestIpsecEspAll): + """ipsecmb ESNoff ARon AES-CBC-256/SHA1-96 IPSec test""" + def test_ipsec(self): + """ipsecmb ESNoff ARon AES-CBC-256/SHA1-96 IPSec test""" + self.run_test() + + +class Test_ipsecmb_ESNoff_ARon_3DES_CBC_SHA1_96(RunTestIpsecEspAll): + """ipsecmb ESNoff ARon 3DES-CBC/SHA1-96 IPSec test""" + def test_ipsec(self): + """ipsecmb ESNoff ARon 3DES-CBC/SHA1-96 IPSec test""" + self.run_test() + + +class Test_ipsecmb_ESNoff_ARon_NONE_SHA1_96(RunTestIpsecEspAll): + """ipsecmb ESNoff ARon NONE/SHA1-96 IPSec test""" + def test_ipsec(self): + """ipsecmb ESNoff ARon NONE/SHA1-96 IPSec test""" + self.run_test() + + +class Test_ipsecmb_ESNoff_ARon_AES_CTR_128_SHA1_96(RunTestIpsecEspAll): + """ipsecmb ESNoff ARon AES-CTR-128/SHA1-96 IPSec test""" + def test_ipsec(self): + """ipsecmb ESNoff ARon AES-CTR-128/SHA1-96 IPSec test""" + self.run_test() + + +class Test_ipsecmb_ESNoff_ARon_AES_CTR_192_SHA1_96(RunTestIpsecEspAll): + """ipsecmb ESNoff ARon AES-CTR-192/SHA1-96 IPSec test""" + def test_ipsec(self): + """ipsecmb ESNoff ARon AES-CTR-192/SHA1-96 IPSec test""" + self.run_test() -class Test_native_noESN_AES_GCM_128_NONE(RunTestIpsecEspAll): - """native noESN AES-GCM-128/NONE IPSec test""" +class Test_ipsecmb_ESNoff_ARon_AES_CTR_256_SHA1_96(RunTestIpsecEspAll): + """ipsecmb ESNoff ARon AES-CTR-256/SHA1-96 IPSec test""" def test_ipsec(self): + """ipsecmb ESNoff ARon AES-CTR-256/SHA1-96 IPSec test""" self.run_test() -class Test_native_noESN_AES_GCM_192_NONE(RunTestIpsecEspAll): - """native noESN AES-GCM-192/NONE IPSec test""" +class Test_ipsecmb_ESNoff_ARoff_AES_GCM_128_NONE(RunTestIpsecEspAll): + """ipsecmb ESNoff ARoff AES-GCM-128/NONE IPSec test""" def test_ipsec(self): + """ipsecmb ESNoff ARoff AES-GCM-128/NONE IPSec test""" self.run_test() -class Test_native_noESN_AES_GCM_256_NONE(RunTestIpsecEspAll): - """native noESN AES-GCM-256/NONE IPSec test""" +class Test_ipsecmb_ESNoff_ARoff_AES_GCM_192_NONE(RunTestIpsecEspAll): + """ipsecmb ESNoff ARoff AES-GCM-192/NONE IPSec test""" def test_ipsec(self): + """ipsecmb ESNoff ARoff AES-GCM-192/NONE IPSec test""" self.run_test() -class Test_native_noESN_AES_CBC_128_MD5_96(RunTestIpsecEspAll): - """native noESN AES-CBC-128/MD5-96 IPSec test""" +class Test_ipsecmb_ESNoff_ARoff_AES_GCM_256_NONE(RunTestIpsecEspAll): + """ipsecmb ESNoff ARoff AES-GCM-256/NONE IPSec test""" def test_ipsec(self): + """ipsecmb ESNoff ARoff AES-GCM-256/NONE IPSec test""" self.run_test() -class Test_native_noESN_AES_CBC_192_SHA1_96(RunTestIpsecEspAll): - """native noESN AES-CBC-192/SHA1-96 IPSec test""" +class Test_ipsecmb_ESNoff_ARoff_AES_CBC_128_MD5_96(RunTestIpsecEspAll): + """ipsecmb ESNoff ARoff AES-CBC-128/MD5-96 IPSec test""" def test_ipsec(self): + """ipsecmb ESNoff ARoff AES-CBC-128/MD5-96 IPSec test""" self.run_test() -class Test_native_noESN_AES_CBC_256_SHA1_96(RunTestIpsecEspAll): - """native noESN AES-CBC-256/SHA1-96 IPSec test""" +class Test_ipsecmb_ESNoff_ARoff_AES_CBC_192_SHA1_96(RunTestIpsecEspAll): + """ipsecmb ESNoff ARoff AES-CBC-192/SHA1-96 IPSec test""" def test_ipsec(self): + """ipsecmb ESNoff ARoff AES-CBC-192/SHA1-96 IPSec test""" self.run_test() -class Test_native_noESN_3DES_CBC_SHA1_96(RunTestIpsecEspAll): - """native noESN 3DES-CBC/SHA1-96 IPSec test""" +class Test_ipsecmb_ESNoff_ARoff_AES_CBC_256_SHA1_96(RunTestIpsecEspAll): + """ipsecmb ESNoff ARoff AES-CBC-256/SHA1-96 IPSec test""" def test_ipsec(self): + """ipsecmb ESNoff ARoff AES-CBC-256/SHA1-96 IPSec test""" self.run_test() -class Test_native_noESN_NONE_SHA1_96(RunTestIpsecEspAll): - """native noESN NONE/SHA1-96 IPSec test""" +class Test_ipsecmb_ESNoff_ARoff_3DES_CBC_SHA1_96(RunTestIpsecEspAll): + """ipsecmb ESNoff ARoff 3DES-CBC/SHA1-96 IPSec test""" def test_ipsec(self): + """ipsecmb ESNoff ARoff 3DES-CBC/SHA1-96 IPSec test""" self.run_test() -class Test_native_noESN_AES_CTR_128_SHA1_96(RunTestIpsecEspAll): - """native noESN AES-CTR-128/SHA1-96 IPSec test""" +class Test_ipsecmb_ESNoff_ARoff_NONE_SHA1_96(RunTestIpsecEspAll): + """ipsecmb ESNoff ARoff NONE/SHA1-96 IPSec test""" def test_ipsec(self): + """ipsecmb ESNoff ARoff NONE/SHA1-96 IPSec test""" self.run_test() -class Test_native_noESN_AES_CTR_192_SHA1_96(RunTestIpsecEspAll): - """native noESN AES-CTR-192/SHA1-96 IPSec test""" +class Test_ipsecmb_ESNoff_ARoff_AES_CTR_128_SHA1_96(RunTestIpsecEspAll): + """ipsecmb ESNoff ARoff AES-CTR-128/SHA1-96 IPSec test""" def test_ipsec(self): + """ipsecmb ESNoff ARoff AES-CTR-128/SHA1-96 IPSec test""" self.run_test() -class Test_native_noESN_AES_CTR_256_SHA1_96(RunTestIpsecEspAll): - """native noESN AES-CTR-256/SHA1-96 IPSec test""" +class Test_ipsecmb_ESNoff_ARoff_AES_CTR_192_SHA1_96(RunTestIpsecEspAll): + """ipsecmb ESNoff ARoff AES-CTR-192/SHA1-96 IPSec test""" def test_ipsec(self): + """ipsecmb ESNoff ARoff AES-CTR-192/SHA1-96 IPSec test""" self.run_test() -class Test_native_ESN_AES_GCM_128_NONE(RunTestIpsecEspAll): - """native ESN AES-GCM-128/NONE IPSec test""" +class Test_ipsecmb_ESNoff_ARoff_AES_CTR_256_SHA1_96(RunTestIpsecEspAll): + """ipsecmb ESNoff ARoff AES-CTR-256/SHA1-96 IPSec test""" def test_ipsec(self): + """ipsecmb ESNoff ARoff AES-CTR-256/SHA1-96 IPSec test""" self.run_test() -class Test_native_ESN_AES_GCM_192_NONE(RunTestIpsecEspAll): - """native ESN AES-GCM-192/NONE IPSec test""" +class Test_openssl_ESNon_ARon_AES_GCM_128_NONE(RunTestIpsecEspAll): + """openssl ESNon ARon AES-GCM-128/NONE IPSec test""" def test_ipsec(self): + """openssl ESNon ARon AES-GCM-128/NONE IPSec test""" self.run_test() -class Test_native_ESN_AES_GCM_256_NONE(RunTestIpsecEspAll): - """native ESN AES-GCM-256/NONE IPSec test""" +class Test_openssl_ESNon_ARon_AES_GCM_192_NONE(RunTestIpsecEspAll): + """openssl ESNon ARon AES-GCM-192/NONE IPSec test""" def test_ipsec(self): + """openssl ESNon ARon AES-GCM-192/NONE IPSec test""" self.run_test() -class Test_native_ESN_AES_CBC_128_MD5_96(RunTestIpsecEspAll): - """native ESN AES-CBC-128/MD5-96 IPSec test""" +class Test_openssl_ESNon_ARon_AES_GCM_256_NONE(RunTestIpsecEspAll): + """openssl ESNon ARon AES-GCM-256/NONE IPSec test""" def test_ipsec(self): + """openssl ESNon ARon AES-GCM-256/NONE IPSec test""" self.run_test() -class Test_native_ESN_AES_CBC_192_SHA1_96(RunTestIpsecEspAll): - """native ESN AES-CBC-192/SHA1-96 IPSec test""" +class Test_openssl_ESNon_ARon_AES_CBC_128_MD5_96(RunTestIpsecEspAll): + """openssl ESNon ARon AES-CBC-128/MD5-96 IPSec test""" def test_ipsec(self): + """openssl ESNon ARon AES-CBC-128/MD5-96 IPSec test""" self.run_test() -class Test_native_ESN_AES_CBC_256_SHA1_96(RunTestIpsecEspAll): - """native ESN AES-CBC-256/SHA1-96 IPSec test""" +class Test_openssl_ESNon_ARon_AES_CBC_192_SHA1_96(RunTestIpsecEspAll): + """openssl ESNon ARon AES-CBC-192/SHA1-96 IPSec test""" def test_ipsec(self): + """openssl ESNon ARon AES-CBC-192/SHA1-96 IPSec test""" self.run_test() -class Test_native_ESN_3DES_CBC_SHA1_96(RunTestIpsecEspAll): - """native ESN 3DES-CBC/SHA1-96 IPSec test""" +class Test_openssl_ESNon_ARon_AES_CBC_256_SHA1_96(RunTestIpsecEspAll): + """openssl ESNon ARon AES-CBC-256/SHA1-96 IPSec test""" def test_ipsec(self): + """openssl ESNon ARon AES-CBC-256/SHA1-96 IPSec test""" self.run_test() -class Test_native_ESN_NONE_SHA1_96(RunTestIpsecEspAll): - """native ESN NONE/SHA1-96 IPSec test""" +class Test_openssl_ESNon_ARon_3DES_CBC_SHA1_96(RunTestIpsecEspAll): + """openssl ESNon ARon 3DES-CBC/SHA1-96 IPSec test""" def test_ipsec(self): + """openssl ESNon ARon 3DES-CBC/SHA1-96 IPSec test""" self.run_test() -class Test_native_ESN_AES_CTR_128_SHA1_96(RunTestIpsecEspAll): - """native ESN AES-CTR-128/SHA1-96 IPSec test""" +class Test_openssl_ESNon_ARon_NONE_SHA1_96(RunTestIpsecEspAll): + """openssl ESNon ARon NONE/SHA1-96 IPSec test""" def test_ipsec(self): + """openssl ESNon ARon NONE/SHA1-96 IPSec test""" self.run_test() -class Test_native_ESN_AES_CTR_192_SHA1_96(RunTestIpsecEspAll): - """native ESN AES-CTR-192/SHA1-96 IPSec test""" +class Test_openssl_ESNon_ARon_AES_CTR_128_SHA1_96(RunTestIpsecEspAll): + """openssl ESNon ARon AES-CTR-128/SHA1-96 IPSec test""" def test_ipsec(self): + """openssl ESNon ARon AES-CTR-128/SHA1-96 IPSec test""" self.run_test() -class Test_native_ESN_AES_CTR_256_SHA1_96(RunTestIpsecEspAll): - """native ESN AES-CTR-256/SHA1-96 IPSec test""" +class Test_openssl_ESNon_ARon_AES_CTR_192_SHA1_96(RunTestIpsecEspAll): + """openssl ESNon ARon AES-CTR-192/SHA1-96 IPSec test""" def test_ipsec(self): + """openssl ESNon ARon AES-CTR-192/SHA1-96 IPSec test""" self.run_test() -class Test_ipsecmb_noESN_AES_GCM_128_NONE(RunTestIpsecEspAll): - """ipsecmb noESN AES-GCM-128/NONE IPSec test""" +class Test_openssl_ESNon_ARon_AES_CTR_256_SHA1_96(RunTestIpsecEspAll): + """openssl ESNon ARon AES-CTR-256/SHA1-96 IPSec test""" def test_ipsec(self): + """openssl ESNon ARon AES-CTR-256/SHA1-96 IPSec test""" self.run_test() -class Test_ipsecmb_noESN_AES_GCM_192_NONE(RunTestIpsecEspAll): - """ipsecmb noESN AES-GCM-192/NONE IPSec test""" +class Test_openssl_ESNon_ARoff_AES_GCM_128_NONE(RunTestIpsecEspAll): + """openssl ESNon ARoff AES-GCM-128/NONE IPSec test""" def test_ipsec(self): + """openssl ESNon ARoff AES-GCM-128/NONE IPSec test""" self.run_test() -class Test_ipsecmb_noESN_AES_GCM_256_NONE(RunTestIpsecEspAll): - """ipsecmb noESN AES-GCM-256/NONE IPSec test""" +class Test_openssl_ESNon_ARoff_AES_GCM_192_NONE(RunTestIpsecEspAll): + """openssl ESNon ARoff AES-GCM-192/NONE IPSec test""" def test_ipsec(self): + """openssl ESNon ARoff AES-GCM-192/NONE IPSec test""" self.run_test() -class Test_ipsecmb_noESN_AES_CBC_128_MD5_96(RunTestIpsecEspAll): - """ipsecmb noESN AES-CBC-128/MD5-96 IPSec test""" +class Test_openssl_ESNon_ARoff_AES_GCM_256_NONE(RunTestIpsecEspAll): + """openssl ESNon ARoff AES-GCM-256/NONE IPSec test""" def test_ipsec(self): + """openssl ESNon ARoff AES-GCM-256/NONE IPSec test""" self.run_test() -class Test_ipsecmb_noESN_AES_CBC_192_SHA1_96(RunTestIpsecEspAll): - """ipsecmb noESN AES-CBC-192/SHA1-96 IPSec test""" +class Test_openssl_ESNon_ARoff_AES_CBC_128_MD5_96(RunTestIpsecEspAll): + """openssl ESNon ARoff AES-CBC-128/MD5-96 IPSec test""" def test_ipsec(self): + """openssl ESNon ARoff AES-CBC-128/MD5-96 IPSec test""" self.run_test() -class Test_ipsecmb_noESN_AES_CBC_256_SHA1_96(RunTestIpsecEspAll): - """ipsecmb noESN AES-CBC-256/SHA1-96 IPSec test""" +class Test_openssl_ESNon_ARoff_AES_CBC_192_SHA1_96(RunTestIpsecEspAll): + """openssl ESNon ARoff AES-CBC-192/SHA1-96 IPSec test""" def test_ipsec(self): + """openssl ESNon ARoff AES-CBC-192/SHA1-96 IPSec test""" self.run_test() -class Test_ipsecmb_noESN_3DES_CBC_SHA1_96(RunTestIpsecEspAll): - """ipsecmb noESN 3DES-CBC/SHA1-96 IPSec test""" +class Test_openssl_ESNon_ARoff_AES_CBC_256_SHA1_96(RunTestIpsecEspAll): + """openssl ESNon ARoff AES-CBC-256/SHA1-96 IPSec test""" def test_ipsec(self): + """openssl ESNon ARoff AES-CBC-256/SHA1-96 IPSec test""" self.run_test() -class Test_ipsecmb_noESN_NONE_SHA1_96(RunTestIpsecEspAll): - """ipsecmb noESN NONE/SHA1-96 IPSec test""" +class Test_openssl_ESNon_ARoff_3DES_CBC_SHA1_96(RunTestIpsecEspAll): + """openssl ESNon ARoff 3DES-CBC/SHA1-96 IPSec test""" def test_ipsec(self): + """openssl ESNon ARoff 3DES-CBC/SHA1-96 IPSec test""" self.run_test() -class Test_ipsecmb_noESN_AES_CTR_128_SHA1_96(RunTestIpsecEspAll): - """ipsecmb noESN AES-CTR-128/SHA1-96 IPSec test""" +class Test_openssl_ESNon_ARoff_NONE_SHA1_96(RunTestIpsecEspAll): + """openssl ESNon ARoff NONE/SHA1-96 IPSec test""" def test_ipsec(self): + """openssl ESNon ARoff NONE/SHA1-96 IPSec test""" self.run_test() -class Test_ipsecmb_noESN_AES_CTR_192_SHA1_96(RunTestIpsecEspAll): - """ipsecmb noESN AES-CTR-192/SHA1-96 IPSec test""" +class Test_openssl_ESNon_ARoff_AES_CTR_128_SHA1_96(RunTestIpsecEspAll): + """openssl ESNon ARoff AES-CTR-128/SHA1-96 IPSec test""" def test_ipsec(self): + """openssl ESNon ARoff AES-CTR-128/SHA1-96 IPSec test""" self.run_test() -class Test_ipsecmb_noESN_AES_CTR_256_SHA1_96(RunTestIpsecEspAll): - """ipsecmb noESN AES-CTR-256/SHA1-96 IPSec test""" +class Test_openssl_ESNon_ARoff_AES_CTR_192_SHA1_96(RunTestIpsecEspAll): + """openssl ESNon ARoff AES-CTR-192/SHA1-96 IPSec test""" def test_ipsec(self): + """openssl ESNon ARoff AES-CTR-192/SHA1-96 IPSec test""" self.run_test() -class Test_ipsecmb_ESN_AES_GCM_128_NONE(RunTestIpsecEspAll): - """ipsecmb ESN AES-GCM-128/NONE IPSec test""" +class Test_openssl_ESNon_ARoff_AES_CTR_256_SHA1_96(RunTestIpsecEspAll): + """openssl ESNon ARoff AES-CTR-256/SHA1-96 IPSec test""" def test_ipsec(self): + """openssl ESNon ARoff AES-CTR-256/SHA1-96 IPSec test""" self.run_test() -class Test_ipsecmb_ESN_AES_GCM_192_NONE(RunTestIpsecEspAll): - """ipsecmb ESN AES-GCM-192/NONE IPSec test""" +class Test_openssl_ESNoff_ARon_AES_GCM_128_NONE(RunTestIpsecEspAll): + """openssl ESNoff ARon AES-GCM-128/NONE IPSec test""" def test_ipsec(self): + """openssl ESNoff ARon AES-GCM-128/NONE IPSec test""" self.run_test() -class Test_ipsecmb_ESN_AES_GCM_256_NONE(RunTestIpsecEspAll): - """ipsecmb ESN AES-GCM-256/NONE IPSec test""" +class Test_openssl_ESNoff_ARon_AES_GCM_192_NONE(RunTestIpsecEspAll): + """openssl ESNoff ARon AES-GCM-192/NONE IPSec test""" def test_ipsec(self): + """openssl ESNoff ARon AES-GCM-192/NONE IPSec test""" self.run_test() -class Test_ipsecmb_ESN_AES_CBC_128_MD5_96(RunTestIpsecEspAll): - """ipsecmb ESN AES-CBC-128/MD5-96 IPSec test""" +class Test_openssl_ESNoff_ARon_AES_GCM_256_NONE(RunTestIpsecEspAll): + """openssl ESNoff ARon AES-GCM-256/NONE IPSec test""" def test_ipsec(self): + """openssl ESNoff ARon AES-GCM-256/NONE IPSec test""" self.run_test() -class Test_ipsecmb_ESN_AES_CBC_192_SHA1_96(RunTestIpsecEspAll): - """ipsecmb ESN AES-CBC-192/SHA1-96 IPSec test""" +class Test_openssl_ESNoff_ARon_AES_CBC_128_MD5_96(RunTestIpsecEspAll): + """openssl ESNoff ARon AES-CBC-128/MD5-96 IPSec test""" def test_ipsec(self): + """openssl ESNoff ARon AES-CBC-128/MD5-96 IPSec test""" self.run_test() -class Test_ipsecmb_ESN_AES_CBC_256_SHA1_96(RunTestIpsecEspAll): - """ipsecmb ESN AES-CBC-256/SHA1-96 IPSec test""" +class Test_openssl_ESNoff_ARon_AES_CBC_192_SHA1_96(RunTestIpsecEspAll): + """openssl ESNoff ARon AES-CBC-192/SHA1-96 IPSec test""" def test_ipsec(self): + """openssl ESNoff ARon AES-CBC-192/SHA1-96 IPSec test""" self.run_test() -class Test_ipsecmb_ESN_3DES_CBC_SHA1_96(RunTestIpsecEspAll): - """ipsecmb ESN 3DES-CBC/SHA1-96 IPSec test""" +class Test_openssl_ESNoff_ARon_AES_CBC_256_SHA1_96(RunTestIpsecEspAll): + """openssl ESNoff ARon AES-CBC-256/SHA1-96 IPSec test""" def test_ipsec(self): + """openssl ESNoff ARon AES-CBC-256/SHA1-96 IPSec test""" self.run_test() -class Test_ipsecmb_ESN_NONE_SHA1_96(RunTestIpsecEspAll): - """ipsecmb ESN NONE/SHA1-96 IPSec test""" +class Test_openssl_ESNoff_ARon_3DES_CBC_SHA1_96(RunTestIpsecEspAll): + """openssl ESNoff ARon 3DES-CBC/SHA1-96 IPSec test""" def test_ipsec(self): + """openssl ESNoff ARon 3DES-CBC/SHA1-96 IPSec test""" self.run_test() -class Test_ipsecmb_ESN_AES_CTR_128_SHA1_96(RunTestIpsecEspAll): - """ipsecmb ESN AES-CTR-128/SHA1-96 IPSec test""" +class Test_openssl_ESNoff_ARon_NONE_SHA1_96(RunTestIpsecEspAll): + """openssl ESNoff ARon NONE/SHA1-96 IPSec test""" def test_ipsec(self): + """openssl ESNoff ARon NONE/SHA1-96 IPSec test""" self.run_test() -class Test_ipsecmb_ESN_AES_CTR_192_SHA1_96(RunTestIpsecEspAll): - """ipsecmb ESN AES-CTR-192/SHA1-96 IPSec test""" +class Test_openssl_ESNoff_ARon_AES_CTR_128_SHA1_96(RunTestIpsecEspAll): + """openssl ESNoff ARon AES-CTR-128/SHA1-96 IPSec test""" def test_ipsec(self): + """openssl ESNoff ARon AES-CTR-128/SHA1-96 IPSec test""" self.run_test() -class Test_ipsecmb_ESN_AES_CTR_256_SHA1_96(RunTestIpsecEspAll): - """ipsecmb ESN AES-CTR-256/SHA1-96 IPSec test""" +class Test_openssl_ESNoff_ARon_AES_CTR_192_SHA1_96(RunTestIpsecEspAll): + """openssl ESNoff ARon AES-CTR-192/SHA1-96 IPSec test""" def test_ipsec(self): + """openssl ESNoff ARon AES-CTR-192/SHA1-96 IPSec test""" self.run_test() -class Test_openssl_noESN_AES_GCM_128_NONE(RunTestIpsecEspAll): - """openssl noESN AES-GCM-128/NONE IPSec test""" +class Test_openssl_ESNoff_ARon_AES_CTR_256_SHA1_96(RunTestIpsecEspAll): + """openssl ESNoff ARon AES-CTR-256/SHA1-96 IPSec test""" def test_ipsec(self): + """openssl ESNoff ARon AES-CTR-256/SHA1-96 IPSec test""" self.run_test() -class Test_openssl_noESN_AES_GCM_192_NONE(RunTestIpsecEspAll): - """openssl noESN AES-GCM-192/NONE IPSec test""" +class Test_openssl_ESNoff_ARoff_AES_GCM_128_NONE(RunTestIpsecEspAll): + """openssl ESNoff ARoff AES-GCM-128/NONE IPSec test""" def test_ipsec(self): + """openssl ESNoff ARoff AES-GCM-128/NONE IPSec test""" self.run_test() -class Test_openssl_noESN_AES_GCM_256_NONE(RunTestIpsecEspAll): - """openssl noESN AES-GCM-256/NONE IPSec test""" +class Test_openssl_ESNoff_ARoff_AES_GCM_192_NONE(RunTestIpsecEspAll): + """openssl ESNoff ARoff AES-GCM-192/NONE IPSec test""" def test_ipsec(self): + """openssl ESNoff ARoff AES-GCM-192/NONE IPSec test""" self.run_test() -class Test_openssl_noESN_AES_CBC_128_MD5_96(RunTestIpsecEspAll): - """openssl noESN AES-CBC-128/MD5-96 IPSec test""" +class Test_openssl_ESNoff_ARoff_AES_GCM_256_NONE(RunTestIpsecEspAll): + """openssl ESNoff ARoff AES-GCM-256/NONE IPSec test""" def test_ipsec(self): + """openssl ESNoff ARoff AES-GCM-256/NONE IPSec test""" self.run_test() -class Test_openssl_noESN_AES_CBC_192_SHA1_96(RunTestIpsecEspAll): - """openssl noESN AES-CBC-192/SHA1-96 IPSec test""" +class Test_openssl_ESNoff_ARoff_AES_CBC_128_MD5_96(RunTestIpsecEspAll): + """openssl ESNoff ARoff AES-CBC-128/MD5-96 IPSec test""" def test_ipsec(self): + """openssl ESNoff ARoff AES-CBC-128/MD5-96 IPSec test""" self.run_test() -class Test_openssl_noESN_AES_CBC_256_SHA1_96(RunTestIpsecEspAll): - """openssl noESN AES-CBC-256/SHA1-96 IPSec test""" +class Test_openssl_ESNoff_ARoff_AES_CBC_192_SHA1_96(RunTestIpsecEspAll): + """openssl ESNoff ARoff AES-CBC-192/SHA1-96 IPSec test""" def test_ipsec(self): + """openssl ESNoff ARoff AES-CBC-192/SHA1-96 IPSec test""" self.run_test() -class Test_openssl_noESN_3DES_CBC_SHA1_96(RunTestIpsecEspAll): - """openssl noESN 3DES-CBC/SHA1-96 IPSec test""" +class Test_openssl_ESNoff_ARoff_AES_CBC_256_SHA1_96(RunTestIpsecEspAll): + """openssl ESNoff ARoff AES-CBC-256/SHA1-96 IPSec test""" def test_ipsec(self): + """openssl ESNoff ARoff AES-CBC-256/SHA1-96 IPSec test""" self.run_test() -class Test_openssl_noESN_NONE_SHA1_96(RunTestIpsecEspAll): - """openssl noESN NONE/SHA1-96 IPSec test""" +class Test_openssl_ESNoff_ARoff_3DES_CBC_SHA1_96(RunTestIpsecEspAll): + """openssl ESNoff ARoff 3DES-CBC/SHA1-96 IPSec test""" def test_ipsec(self): + """openssl ESNoff ARoff 3DES-CBC/SHA1-96 IPSec test""" self.run_test() -class Test_openssl_noESN_AES_CTR_128_SHA1_96(RunTestIpsecEspAll): - """openssl noESN AES-CTR-128/SHA1-96 IPSec test""" +class Test_openssl_ESNoff_ARoff_NONE_SHA1_96(RunTestIpsecEspAll): + """openssl ESNoff ARoff NONE/SHA1-96 IPSec test""" def test_ipsec(self): + """openssl ESNoff ARoff NONE/SHA1-96 IPSec test""" self.run_test() -class Test_openssl_noESN_AES_CTR_192_SHA1_96(RunTestIpsecEspAll): - """openssl noESN AES-CTR-192/SHA1-96 IPSec test""" +class Test_openssl_ESNoff_ARoff_AES_CTR_128_SHA1_96(RunTestIpsecEspAll): + """openssl ESNoff ARoff AES-CTR-128/SHA1-96 IPSec test""" def test_ipsec(self): + """openssl ESNoff ARoff AES-CTR-128/SHA1-96 IPSec test""" self.run_test() -class Test_openssl_noESN_AES_CTR_256_SHA1_96(RunTestIpsecEspAll): - """openssl noESN AES-CTR-256/SHA1-96 IPSec test""" +class Test_openssl_ESNoff_ARoff_AES_CTR_192_SHA1_96(RunTestIpsecEspAll): + """openssl ESNoff ARoff AES-CTR-192/SHA1-96 IPSec test""" def test_ipsec(self): + """openssl ESNoff ARoff AES-CTR-192/SHA1-96 IPSec test""" self.run_test() -class Test_openssl_ESN_AES_GCM_128_NONE(RunTestIpsecEspAll): - """openssl ESN AES-GCM-128/NONE IPSec test""" +class Test_openssl_ESNoff_ARoff_AES_CTR_256_SHA1_96(RunTestIpsecEspAll): + """openssl ESNoff ARoff AES-CTR-256/SHA1-96 IPSec test""" def test_ipsec(self): + """openssl ESNoff ARoff AES-CTR-256/SHA1-96 IPSec test""" self.run_test() -class Test_openssl_ESN_AES_GCM_192_NONE(RunTestIpsecEspAll): - """openssl ESN AES-GCM-192/NONE IPSec test""" +class Test_async_ESNon_ARon_AES_GCM_128_NONE(RunTestIpsecEspAll): + """async ESNon ARon AES-GCM-128/NONE IPSec test""" def test_ipsec(self): + """async ESNon ARon AES-GCM-128/NONE IPSec test""" self.run_test() -class Test_openssl_ESN_AES_GCM_256_NONE(RunTestIpsecEspAll): - """openssl ESN AES-GCM-256/NONE IPSec test""" +class Test_async_ESNon_ARon_AES_GCM_192_NONE(RunTestIpsecEspAll): + """async ESNon ARon AES-GCM-192/NONE IPSec test""" def test_ipsec(self): + """async ESNon ARon AES-GCM-192/NONE IPSec test""" self.run_test() -class Test_openssl_ESN_AES_CBC_128_MD5_96(RunTestIpsecEspAll): - """openssl ESN AES-CBC-128/MD5-96 IPSec test""" +class Test_async_ESNon_ARon_AES_GCM_256_NONE(RunTestIpsecEspAll): + """async ESNon ARon AES-GCM-256/NONE IPSec test""" def test_ipsec(self): + """async ESNon ARon AES-GCM-256/NONE IPSec test""" self.run_test() -class Test_openssl_ESN_AES_CBC_192_SHA1_96(RunTestIpsecEspAll): - """openssl ESN AES-CBC-192/SHA1-96 IPSec test""" +class Test_async_ESNon_ARon_AES_CBC_192_SHA1_96(RunTestIpsecEspAll): + """async ESNon ARon AES-CBC-192/SHA1-96 IPSec test""" def test_ipsec(self): + """async ESNon ARon AES-CBC-192/SHA1-96 IPSec test""" self.run_test() -class Test_openssl_ESN_AES_CBC_256_SHA1_96(RunTestIpsecEspAll): - """openssl ESN AES-CBC-256/SHA1-96 IPSec test""" +class Test_async_ESNon_ARon_AES_CBC_256_SHA1_96(RunTestIpsecEspAll): + """async ESNon ARon AES-CBC-256/SHA1-96 IPSec test""" def test_ipsec(self): + """async ESNon ARon AES-CBC-256/SHA1-96 IPSec test""" self.run_test() -class Test_openssl_ESN_3DES_CBC_SHA1_96(RunTestIpsecEspAll): - """openssl ESN 3DES-CBC/SHA1-96 IPSec test""" +class Test_async_ESNon_ARoff_AES_GCM_128_NONE(RunTestIpsecEspAll): + """async ESNon ARoff AES-GCM-128/NONE IPSec test""" def test_ipsec(self): + """async ESNon ARoff AES-GCM-128/NONE IPSec test""" self.run_test() -class Test_openssl_ESN_NONE_SHA1_96(RunTestIpsecEspAll): - """openssl ESN NONE/SHA1-96 IPSec test""" +class Test_async_ESNon_ARoff_AES_GCM_192_NONE(RunTestIpsecEspAll): + """async ESNon ARoff AES-GCM-192/NONE IPSec test""" def test_ipsec(self): + """async ESNon ARoff AES-GCM-192/NONE IPSec test""" self.run_test() -class Test_openssl_ESN_AES_CTR_128_SHA1_96(RunTestIpsecEspAll): - """openssl ESN AES-CTR-128/SHA1-96 IPSec test""" +class Test_async_ESNon_ARoff_AES_GCM_256_NONE(RunTestIpsecEspAll): + """async ESNon ARoff AES-GCM-256/NONE IPSec test""" def test_ipsec(self): + """async ESNon ARoff AES-GCM-256/NONE IPSec test""" self.run_test() -class Test_openssl_ESN_AES_CTR_192_SHA1_96(RunTestIpsecEspAll): - """openssl ESN AES-CTR-192/SHA1-96 IPSec test""" +class Test_async_ESNon_ARoff_AES_CBC_192_SHA1_96(RunTestIpsecEspAll): + """async ESNon ARoff AES-CBC-192/SHA1-96 IPSec test""" def test_ipsec(self): + """async ESNon ARoff AES-CBC-192/SHA1-96 IPSec test""" self.run_test() -class Test_openssl_ESN_AES_CTR_256_SHA1_96(RunTestIpsecEspAll): - """openssl ESN AES-CTR-256/SHA1-96 IPSec test""" +class Test_async_ESNon_ARoff_AES_CBC_256_SHA1_96(RunTestIpsecEspAll): + """async ESNon ARoff AES-CBC-256/SHA1-96 IPSec test""" def test_ipsec(self): + """async ESNon ARoff AES-CBC-256/SHA1-96 IPSec test""" self.run_test() -class Test_async_noESN_AES_GCM_128_NONE(RunTestIpsecEspAll): - """async noESN AES-GCM-128/NONE IPSec test""" +class Test_async_ESNoff_ARon_AES_GCM_128_NONE(RunTestIpsecEspAll): + """async ESNoff ARon AES-GCM-128/NONE IPSec test""" def test_ipsec(self): + """async ESNoff ARon AES-GCM-128/NONE IPSec test""" self.run_test() -class Test_async_noESN_AES_GCM_192_NONE(RunTestIpsecEspAll): - """async noESN AES-GCM-192/NONE IPSec test""" +class Test_async_ESNoff_ARon_AES_GCM_192_NONE(RunTestIpsecEspAll): + """async ESNoff ARon AES-GCM-192/NONE IPSec test""" def test_ipsec(self): + """async ESNoff ARon AES-GCM-192/NONE IPSec test""" self.run_test() -class Test_async_noESN_AES_GCM_256_NONE(RunTestIpsecEspAll): - """async noESN AES-GCM-256/NONE IPSec test""" +class Test_async_ESNoff_ARon_AES_GCM_256_NONE(RunTestIpsecEspAll): + """async ESNoff ARon AES-GCM-256/NONE IPSec test""" def test_ipsec(self): + """async ESNoff ARon AES-GCM-256/NONE IPSec test""" self.run_test() -class Test_async_noESN_AES_CBC_192_SHA1_96(RunTestIpsecEspAll): - """async noESN AES-CBC-192/SHA1-96 IPSec test""" +class Test_async_ESNoff_ARon_AES_CBC_192_SHA1_96(RunTestIpsecEspAll): + """async ESNoff ARon AES-CBC-192/SHA1-96 IPSec test""" def test_ipsec(self): + """async ESNoff ARon AES-CBC-192/SHA1-96 IPSec test""" self.run_test() -class Test_async_noESN_AES_CBC_256_SHA1_96(RunTestIpsecEspAll): - """async noESN AES-CBC-256/SHA1-96 IPSec test""" +class Test_async_ESNoff_ARon_AES_CBC_256_SHA1_96(RunTestIpsecEspAll): + """async ESNoff ARon AES-CBC-256/SHA1-96 IPSec test""" def test_ipsec(self): + """async ESNoff ARon AES-CBC-256/SHA1-96 IPSec test""" self.run_test() -class Test_async_ESN_AES_GCM_128_NONE(RunTestIpsecEspAll): - """async ESN AES-GCM-128/NONE IPSec test""" +class Test_async_ESNoff_ARoff_AES_GCM_128_NONE(RunTestIpsecEspAll): + """async ESNoff ARoff AES-GCM-128/NONE IPSec test""" def test_ipsec(self): + """async ESNoff ARoff AES-GCM-128/NONE IPSec test""" self.run_test() -class Test_async_ESN_AES_GCM_192_NONE(RunTestIpsecEspAll): - """async ESN AES-GCM-192/NONE IPSec test""" +class Test_async_ESNoff_ARoff_AES_GCM_192_NONE(RunTestIpsecEspAll): + """async ESNoff ARoff AES-GCM-192/NONE IPSec test""" def test_ipsec(self): + """async ESNoff ARoff AES-GCM-192/NONE IPSec test""" self.run_test() -class Test_async_ESN_AES_GCM_256_NONE(RunTestIpsecEspAll): - """async ESN AES-GCM-256/NONE IPSec test""" +class Test_async_ESNoff_ARoff_AES_GCM_256_NONE(RunTestIpsecEspAll): + """async ESNoff ARoff AES-GCM-256/NONE IPSec test""" def test_ipsec(self): + """async ESNoff ARoff AES-GCM-256/NONE IPSec test""" self.run_test() -class Test_async_ESN_AES_CBC_192_SHA1_96(RunTestIpsecEspAll): - """async ESN AES-CBC-192/SHA1-96 IPSec test""" +class Test_async_ESNoff_ARoff_AES_CBC_192_SHA1_96(RunTestIpsecEspAll): + """async ESNoff ARoff AES-CBC-192/SHA1-96 IPSec test""" def test_ipsec(self): + """async ESNoff ARoff AES-CBC-192/SHA1-96 IPSec test""" self.run_test() -class Test_async_ESN_AES_CBC_256_SHA1_96(RunTestIpsecEspAll): - """async ESN AES-CBC-256/SHA1-96 IPSec test""" +class Test_async_ESNoff_ARoff_AES_CBC_256_SHA1_96(RunTestIpsecEspAll): + """async ESNoff ARoff AES-CBC-256/SHA1-96 IPSec test""" def test_ipsec(self): + """async ESNoff ARoff AES-CBC-256/SHA1-96 IPSec test""" self.run_test() |