lib/libipsec/test-policy.c

18334Speter/*	$KAME: test-policy.c,v 1.16 2003/08/26 03:24:08 itojun Exp $	*/
50397Sobrien
18334Speter/*
18334Speter * Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
18334Speter * All rights reserved.
18334Speter *
18334Speter * Redistribution and use in source and binary forms, with or without
18334Speter * modification, are permitted provided that the following conditions
18334Speter * are met:
18334Speter * 1. Redistributions of source code must retain the above copyright
18334Speter *    notice, this list of conditions and the following disclaimer.
18334Speter * 2. Redistributions in binary form must reproduce the above copyright
18334Speter *    notice, this list of conditions and the following disclaimer in the
18334Speter *    documentation and/or other materials provided with the distribution.
18334Speter * 3. Neither the name of the project nor the names of its contributors
18334Speter *    may be used to endorse or promote products derived from this software
18334Speter *    without specific prior written permission.
18334Speter *
18334Speter * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
18334Speter * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
18334Speter * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
18334Speter * ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
18334Speter * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
18334Speter * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
18334Speter * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
18334Speter * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
18334Speter * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
18334Speter * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
18334Speter * SUCH DAMAGE.
18334Speter */
18334Speter
18334Speter#include <sys/cdefs.h>
18334Speter__FBSDID("$FreeBSD: head/lib/libipsec/test-policy.c 121572 2003-10-26 12:00:27Z ume $");
18334Speter
18334Speter#include <sys/types.h>
18334Speter#include <sys/param.h>
18334Speter#include <sys/socket.h>
50397Sobrien
18334Speter#include <netinet/in.h>
18334Speter#include <net/pfkeyv2.h>
18334Speter#include <netkey/key_debug.h>
18334Speter#include <netinet6/ipsec.h>
18334Speter
18334Speter#include <stdio.h>
18334Speter#include <stdlib.h>
18334Speter#include <unistd.h>
18334Speter#include <string.h>
50397Sobrien#include <errno.h>
18334Speter#include <err.h>
18334Speter
18334Speter#include "libpfkey.h"
18334Speter
50397Sobrienstruct req_t {
18334Speter	int result;	/* expected result; 0:ok 1:ng */
18334Speter	char *str;
50397Sobrien} reqs[] = {
50397Sobrien{ 0, "out ipsec" },
50397Sobrien{ 1, "must_error" },
50397Sobrien{ 1, "in ipsec must_error" },
50397Sobrien{ 1, "out ipsec esp/must_error" },
50397Sobrien{ 1, "out discard" },
50397Sobrien{ 1, "out none" },
50397Sobrien{ 0, "in entrust" },
50397Sobrien{ 0, "out entrust" },
50397Sobrien{ 1, "out ipsec esp" },
50397Sobrien{ 0, "in ipsec ah/transport" },
50397Sobrien{ 1, "in ipsec ah/tunnel" },
50397Sobrien{ 0, "out ipsec ah/transport/" },
18334Speter{ 1, "out ipsec ah/tunnel/" },
18334Speter{ 0, "in ipsec esp / transport / 10.0.0.1-10.0.0.2" },
18334Speter{ 0, "in ipsec esp/tunnel/::1-::2" },
18334Speter{ 1, "in ipsec esp/tunnel/10.0.0.1-::2" },
50397Sobrien{ 0, "in ipsec esp/tunnel/::1-::2/require" },
18334Speter{ 0, "out ipsec ah/transport//use" },
18334Speter{ 1, "out ipsec ah/transport esp/use" },
18334Speter{ 1, "in ipsec ah/transport esp/tunnel" },
18334Speter{ 0, "in ipsec ah/transport esp/tunnel/::1-::1" },
50397Sobrien{ 0, "in ipsec
50397Sobrien	ah / transport
50397Sobrien	esp / tunnel / ::1-::2" },
50397Sobrien{ 0, "out ipsec
50397Sobrien	ah/transport/::1-::2 esp/tunnel/::3-::4/use ah/transport/::5-::6/require
50397Sobrien	ah/transport/::1-::2 esp/tunnel/::3-::4/use ah/transport/::5-::6/require
50397Sobrien	ah/transport/::1-::2 esp/tunnel/::3-::4/use ah/transport/::5-::6/require
50397Sobrien	" },
50397Sobrien{ 0, "out ipsec esp/transport/fec0::10-fec0::11/use" },
50397Sobrien};
50397Sobrien
50397Sobrienint test1(void);
50397Sobrienint test1sub1(struct req_t *);
50397Sobrienint test1sub2(char *, int);
50397Sobrienint test2(void);
50397Sobrienint test2sub(int);
50397Sobrien
50397Sobrienint
18334Spetermain(ac, av)
50397Sobrien	int ac;
50397Sobrien	char **av;
50397Sobrien{
18334Speter	test1();
18334Speter	test2();
50397Sobrien
50397Sobrien	exit(0);
50397Sobrien}
18334Speter
18334Speterint
18334Spetertest1()
50397Sobrien{
18334Speter	int i;
18334Speter	int result;
18334Speter
18334Speter	printf("TEST1\n");
18334Speter	for (i = 0; i < sizeof(reqs)/sizeof(reqs[0]); i++) {
18334Speter		printf("#%d [%s]\n", i + 1, reqs[i].str);
18334Speter
18334Speter		result = test1sub1(&reqs[i]);
18334Speter		if (result == 0 && reqs[i].result == 1) {
18334Speter			warnx("ERROR: expecting failure.");
50397Sobrien		} else if (result == 1 && reqs[i].result == 0) {
18334Speter			warnx("ERROR: expecting success.");
50397Sobrien		}
18334Speter	}
50397Sobrien
50397Sobrien	return 0;
50397Sobrien}
18334Speter
50397Sobrienint
50397Sobrientest1sub1(req)
50397Sobrien	struct req_t *req;
50397Sobrien{
18334Speter	char *buf;
18334Speter
50397Sobrien	buf = ipsec_set_policy(req->str, strlen(req->str));
50397Sobrien	if (buf == NULL) {
50397Sobrien		printf("ipsec_set_policy: %s\n", ipsec_strerror());
18334Speter		return 1;
18334Speter	}
18334Speter
18334Speter	if (test1sub2(buf, PF_INET) != 0
50397Sobrien	 || test1sub2(buf, PF_INET6) != 0) {
50397Sobrien		free(buf);
50397Sobrien		return 1;
50397Sobrien	}
50397Sobrien#if 0
50397Sobrien	kdebug_sadb_x_policy((struct sadb_ext *)buf);
50397Sobrien#endif
50397Sobrien
50397Sobrien	free(buf);
50397Sobrien	return 0;
50397Sobrien}
50397Sobrien
50397Sobrienint
50397Sobrientest1sub2(policy, family)
50397Sobrien	char *policy;
50397Sobrien	int family;
50397Sobrien{
50397Sobrien	int so;
50397Sobrien	int proto = 0, optname = 0;
50397Sobrien	int len;
50397Sobrien	char getbuf[1024];
50397Sobrien
50397Sobrien	switch (family) {
50397Sobrien	case PF_INET:
50397Sobrien		proto = IPPROTO_IP;
50397Sobrien		optname = IP_IPSEC_POLICY;
50397Sobrien		break;
50397Sobrien	case PF_INET6:
50397Sobrien		proto = IPPROTO_IPV6;
50397Sobrien		optname = IPV6_IPSEC_POLICY;
50397Sobrien		break;
50397Sobrien	}
50397Sobrien
50397Sobrien	if ((so = socket(family, SOCK_DGRAM, 0)) < 0)
50397Sobrien		err(1, "socket");
50397Sobrien
50397Sobrien	len = ipsec_get_policylen(policy);
50397Sobrien#if 0
50397Sobrien	printf("\tsetlen:%d\n", len);
50397Sobrien#endif
50397Sobrien
50397Sobrien	if (setsockopt(so, proto, optname, policy, len) < 0) {
50397Sobrien		printf("fail to set sockopt; %s\n", strerror(errno));
50397Sobrien		close(so);
50397Sobrien		return 1;
50397Sobrien	}
50397Sobrien
50397Sobrien	memset(getbuf, 0, sizeof(getbuf));
50397Sobrien	memcpy(getbuf, policy, sizeof(struct sadb_x_policy));
50397Sobrien	if (getsockopt(so, proto, optname, getbuf, &len) < 0) {
50397Sobrien		printf("fail to get sockopt; %s\n", strerror(errno));
50397Sobrien		close(so);
50397Sobrien		return 1;
50397Sobrien	}
50397Sobrien
50397Sobrien    {
50397Sobrien	char *buf = NULL;
50397Sobrien
50397Sobrien#if 0
50397Sobrien	printf("\tgetlen:%d\n", len);
50397Sobrien#endif
50397Sobrien
50397Sobrien	if ((buf = ipsec_dump_policy(getbuf, NULL)) == NULL) {
50397Sobrien		printf("%s\n", ipsec_strerror());
50397Sobrien		close(so);
50397Sobrien		return 1;
50397Sobrien	}
50397Sobrien#if 0
18334Speter	printf("\t[%s]\n", buf);
18334Speter#endif
18334Speter	free(buf);
18334Speter    }
18334Speter
18334Speter	close (so);
18334Speter	return 0;
18334Speter}
18334Speter
18334Speterchar addr[] = {
18334Speter	28, 28, 0, 0,
18334Speter	0, 0, 0, 0,
18334Speter	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1,
18334Speter	0, 0, 0, 0,
18334Speter};
50397Sobrien
18334Speterint
18334Spetertest2()
18334Speter{
18334Speter	int so;
18334Speter	char *pol1 = "out ipsec";
50397Sobrien	char *pol2 = "out ipsec ah/transport//use";
18334Speter	char *sp1, *sp2;
50397Sobrien	int splen1, splen2;
50397Sobrien	int spid;
50397Sobrien	struct sadb_msg *m;
50397Sobrien
50397Sobrien	printf("TEST2\n");
50397Sobrien	if (getuid() != 0)
50397Sobrien		errx(1, "root privilege required.");
50397Sobrien
50397Sobrien	sp1 = ipsec_set_policy(pol1, strlen(pol1));
50397Sobrien	splen1 = ipsec_get_policylen(sp1);
50397Sobrien	sp2 = ipsec_set_policy(pol2, strlen(pol2));
18334Speter	splen2 = ipsec_get_policylen(sp2);
18334Speter
18334Speter	if ((so = pfkey_open()) < 0)
18334Speter		errx(1, "ERROR: %s", ipsec_strerror());
18334Speter
18334Speter	printf("spdflush()\n");
18334Speter	if (pfkey_send_spdflush(so) < 0)
18334Speter		errx(1, "ERROR: %s", ipsec_strerror());
18334Speter	m = pfkey_recv(so);
18334Speter	free(m);
18334Speter
18334Speter	printf("spdsetidx()\n");
18334Speter	if (pfkey_send_spdsetidx(so, (struct sockaddr *)addr, 128,
18334Speter				(struct sockaddr *)addr, 128,
18334Speter				255, sp1, splen1, 0) < 0)
18334Speter		errx(1, "ERROR: %s", ipsec_strerror());
18334Speter	m = pfkey_recv(so);
18334Speter	free(m);
18334Speter
18334Speter	printf("spdupdate()\n");
18334Speter	if (pfkey_send_spdupdate(so, (struct sockaddr *)addr, 128,
18334Speter				(struct sockaddr *)addr, 128,
50397Sobrien				255, sp2, splen2, 0) < 0)
50397Sobrien		errx(1, "ERROR: %s", ipsec_strerror());
18334Speter	m = pfkey_recv(so);
18334Speter	free(m);
50397Sobrien
18334Speter	printf("sleep(4)\n");
18334Speter	sleep(4);
18334Speter
18334Speter	printf("spddelete()\n");
18334Speter	if (pfkey_send_spddelete(so, (struct sockaddr *)addr, 128,
18334Speter				(struct sockaddr *)addr, 128,
18334Speter				255, sp1, splen1, 0) < 0)
50397Sobrien		errx(1, "ERROR: %s", ipsec_strerror());
18334Speter	m = pfkey_recv(so);
18334Speter	free(m);
18334Speter
50397Sobrien	printf("spdadd()\n");
18334Speter	if (pfkey_send_spdadd(so, (struct sockaddr *)addr, 128,
18334Speter				(struct sockaddr *)addr, 128,
18334Speter				255, sp2, splen2, 0) < 0)
50397Sobrien		errx(1, "ERROR: %s", ipsec_strerror());
18334Speter	spid = test2sub(so);
18334Speter
18334Speter	printf("spdget(%u)\n", spid);
50397Sobrien	if (pfkey_send_spdget(so, spid) < 0)
18334Speter		errx(1, "ERROR: %s", ipsec_strerror());
50397Sobrien	m = pfkey_recv(so);
18334Speter	free(m);
50397Sobrien
18334Speter	printf("sleep(4)\n");
50397Sobrien	sleep(4);
18334Speter
50397Sobrien	printf("spddelete2()\n");
18334Speter	if (pfkey_send_spddelete2(so, spid) < 0)
18334Speter		errx(1, "ERROR: %s", ipsec_strerror());
18334Speter	m = pfkey_recv(so);
18334Speter	free(m);
18334Speter
18334Speter	printf("spdadd() with lifetime's 10(s)\n");
50397Sobrien	if (pfkey_send_spdadd2(so, (struct sockaddr *)addr, 128,
18334Speter				(struct sockaddr *)addr, 128,
18334Speter				255, 0, 10, sp2, splen2, 0) < 0)
18334Speter		errx(1, "ERROR: %s", ipsec_strerror());
50397Sobrien	spid = test2sub(so);
18334Speter
50397Sobrien	/* expecting failure */
50397Sobrien	printf("spdupdate()\n");
50397Sobrien	if (pfkey_send_spdupdate(so, (struct sockaddr *)addr, 128,
50397Sobrien				(struct sockaddr *)addr, 128,
50397Sobrien				255, sp2, splen2, 0) == 0) {
		warnx("ERROR: expecting failure.");
	}

	return 0;
}

int
test2sub(so)
	int so;
{
	struct sadb_msg *msg;
	caddr_t mhp[SADB_EXT_MAX + 1];

	if ((msg = pfkey_recv(so)) == NULL)
		errx(1, "ERROR: pfkey_recv failure.");
	if (pfkey_align(msg, mhp) < 0)
		errx(1, "ERROR: pfkey_align failure.");

	return ((struct sadb_x_policy *)mhp[SADB_X_EXT_POLICY])->sadb_x_policy_id;
}