1#	$NetBSD: t_ipsec_unnumbered.sh,v 1.2 2023/09/27 08:48:01 knakahara Exp $
2#
3# Copyright (c) 2022 Internet Initiative Japan Inc.
4# All rights reserved.
5#
6# Redistribution and use in source and binary forms, with or without
7# modification, are permitted provided that the following conditions
8# are met:
9# 1. Redistributions of source code must retain the above copyright
10#    notice, this list of conditions and the following disclaimer.
11# 2. Redistributions in binary form must reproduce the above copyright
12#    notice, this list of conditions and the following disclaimer in the
13#    documentation and/or other materials provided with the distribution.
14#
15# THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
16# ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
17# TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
18# PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
19# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
20# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
21# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
22# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
23# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
24# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
25# POSSIBILITY OF SUCH DAMAGE.
26#
27
# Rump server control sockets for the two tunnel endpoints
SOCK_LOCAL=unix://ipsec_local
SOCK_REMOTE=unix://ipsec_remote
# shmif(4) buses: one "inner" LAN behind each endpoint plus the shared
# "global" network that carries the tunnel's outer (ESP) traffic
BUS_LOCAL_I=./bus_ipsec_local_inner
BUS_REMOTE_I=./bus_ipsec_remote_inner
BUS_GLOBAL=./bus_ipsec_global

# DEBUG=true in the environment enables the extra dump commands below
: "${DEBUG:=false}"
# seconds a single ping probe may wait for its reply
TIMEOUT=7
36
#
# Start two IPsec-capable rump servers and attach each one to the global
# bus (shmif0) and to its own inner bus (shmif1).
#
setup_servers_ipv4()
{
	local sock=

	for sock in $SOCK_LOCAL $SOCK_REMOTE; do
		rump_server_crypto_start $sock netipsec ipsec
	done
	rump_server_add_iface $SOCK_LOCAL shmif0 $BUS_GLOBAL
	rump_server_add_iface $SOCK_LOCAL shmif1 $BUS_LOCAL_I
	rump_server_add_iface $SOCK_REMOTE shmif0 $BUS_GLOBAL
	rump_server_add_iface $SOCK_REMOTE shmif1 $BUS_REMOTE_I
}
47
#
# Same topology as setup_servers_ipv4, but the servers additionally load
# netinet6 so the outer (tunnel) addresses can be IPv6.
#
setup_servers_ipv6()
{
	local modules="netipsec netinet6 ipsec"

	rump_server_crypto_start $SOCK_LOCAL $modules
	rump_server_crypto_start $SOCK_REMOTE $modules

	rump_server_add_iface $SOCK_LOCAL shmif0 $BUS_GLOBAL
	rump_server_add_iface $SOCK_LOCAL shmif1 $BUS_LOCAL_I

	rump_server_add_iface $SOCK_REMOTE shmif0 $BUS_GLOBAL
	rump_server_add_iface $SOCK_REMOTE shmif1 $BUS_REMOTE_I
}
58
#
# Dispatch to the per-protocol server setup.
# Arguments: $1 - outer protocol, "ipv4" or "ipv6"
#
setup_servers()
{
	local proto=$1
	local setup_fn=setup_servers_${proto}

	$setup_fn
}
65
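#
# Install one SA per direction on both rump servers.  Both ends get the
# identical pair (src->dst with spi, dst->src with spi+1) in transport
# mode; the SAs are bound to ipsec0 via the -u (reqid) value so that the
# tunnel, not a policy lookup, selects them.
#
# Globals:   SOCK_LOCAL, SOCK_REMOTE, HIJACKING, DEBUG (read);
#            RUMP_SERVER (written, left pointing at SOCK_REMOTE)
# Arguments: $1 - outer protocol (unused, kept for the caller's interface)
#            $2 - SA protocol passed to setkey (e.g. esp)
#            $3 - algorithm name understood by generate_algo_args
#            $4 - local outer address   $5 - remote outer address
# Returns:   0; every setkey step is checked with atf_check
#
add_sa()
{
	local outer=$1
	local proto=$2
	local algo="$3"
	local src=$4
	local dst=$5
	local tmpfile=./tmp
	local spi=10000
	local algo_args="$(generate_algo_args esp $algo)"
	local uniq=8192 # 8192(reqid_base) + 2 * 0(unit id of "ipsec0")
	local sock=

	# The configuration is identical on both ends, so write it once.
	# (<<- strips the leading tabs of the here-document.)
	cat > $tmpfile <<-EOF
	add $src $dst $proto $spi -u $uniq -m transport $algo_args;
	add $dst $src $proto $((spi + 1)) -u $uniq -m transport $algo_args;
	EOF

	for sock in $SOCK_LOCAL $SOCK_REMOTE; do
		export RUMP_SERVER=$sock
		$DEBUG && cat $tmpfile
		# -o empty: setkey reports problems on stdout, so any output
		# means an entry was rejected
		atf_check -s exit:0 -o empty $HIJACKING setkey -c < $tmpfile
		$DEBUG && $HIJACKING setkey -D
		# XXX it can be expired if $lifetime is very short
		#check_sa_entries $sock $ip_local $ip_remote
	done
	# the trailing "$DEBUG && ..." is 1 when DEBUG is false; do not leak that
	return 0
}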
98
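#
# Configure ipsec0 on one rump server as an unnumbered ipsecif(4) tunnel.
# Instead of a dedicated tunnel subnet the interface reuses this server's
# inner address as a /32, and the route to the peer's inner subnet is
# pointed at ipsec0 with that address as the gateway.
#
# Globals:   HIJACKING, DEBUG (read); RUMP_SERVER (written, left at $1)
# Arguments: $1 - rump server socket
#            $2 - outer address of this server (local tunnel endpoint)
#            $3 - inner (IPv4) address of this server
#            $4 - outer address of the peer (remote tunnel endpoint)
#            $5 - inner IPv4 subnet of the peer, prefix/len
# Returns:   0; each configuration step is checked with atf_check
#
setup_ipsecif_unnumbered()
{
	local sock=$1
	local ip_o=$2
	local ip_i=$3
	local peer_o=$4
	local peer_i_subnet=$5

	export RUMP_SERVER=$sock
	atf_check -s exit:0 -o ignore rump.ifconfig ipsec0 create
	atf_check -s exit:0 -o ignore \
		  rump.ifconfig ipsec0 tunnel $ip_o $peer_o
	atf_check -s exit:0 -o ignore rump.ifconfig ipsec0 unnumbered
	atf_check -s exit:0 -o ignore rump.ifconfig ipsec0 $ip_i/32
	atf_check -s exit:0 -o ignore \
		  rump.route add -inet $peer_i_subnet -ifp ipsec0 $ip_i
	$DEBUG && rump.ifconfig -v ipsec0
	$DEBUG && $HIJACKING setkey -DP
	$DEBUG && rump.route -nL show
	return 0
}

#
# Send one ping between the inner addresses and require that the exchange
# shows up on the global bus as ESP in both directions, i.e. that the
# unnumbered ipsecif(4) really encapsulates the inner traffic.
#
# Globals:   BUS_GLOBAL, SOCK_LOCAL, TIMEOUT, DEBUG (read);
#            RUMP_SERVER (written, left at SOCK_LOCAL)
# Arguments: $1 - local inner address   $2 - remote inner address
#            $3 - local outer address   $4 - remote outer address
#
check_ipsecif_unnumbered()
{
	local ip_local_i=$1
	local ip_remote_i=$2
	local ip_local_o=$3
	local ip_remote_o=$4
	local outfile=./out

	# drain whatever is already on the bus so only the probe is inspected
	extract_new_packets $BUS_GLOBAL > $outfile
	export RUMP_SERVER=$SOCK_LOCAL
	atf_check -s exit:0 -o ignore \
		  rump.ping -c 1 -n -w $TIMEOUT -I $ip_local_i $ip_remote_i
	extract_new_packets $BUS_GLOBAL > $outfile
	$DEBUG && cat $outfile
	# the outer addresses must appear as ESP; a plaintext inner ping
	# would show the inner addresses instead
	atf_check -s exit:0 \
	    -o match:"$ip_local_o > $ip_remote_o: ESP" \
	    cat $outfile
	atf_check -s exit:0 \
	    -o match:"$ip_remote_o > $ip_local_o: ESP" \
	    cat $outfile
}

#
# Unnumbered ipsecif(4) with IPv4 outer addresses.
# Arguments: $1 - ESP algorithm name for add_sa
#
test_ipsecif_unnumbered_ipv4()
{
	local algo=$1
	local ip_local_i=192.168.22.1
	local ip_local_i_subnet=192.168.22.0/24
	local ip_local_o=10.0.0.2
	local ip_remote_i=192.168.33.1
	local ip_remote_i_subnet=192.168.33.0/24
	local ip_remote_o=10.0.0.3

	setup_servers ipv4

	# Outer (shmif0) and inner (shmif1) addresses.  DAD is switched off so
	# the addresses are usable at once; use_fixed_reqid makes ipsec0 use
	# the fixed reqid that add_sa binds the SAs to.
	export RUMP_SERVER=$SOCK_LOCAL
	atf_check -s exit:0 rump.sysctl -q -w net.inet.ip.dad_count=0
	atf_check -s exit:0 rump.sysctl -q -w net.ipsecif.use_fixed_reqid=1
	atf_check -s exit:0 rump.ifconfig shmif0 $ip_local_o/24
	atf_check -s exit:0 rump.ifconfig shmif1 $ip_local_i/24

	export RUMP_SERVER=$SOCK_REMOTE
	atf_check -s exit:0 rump.sysctl -q -w net.inet.ip.dad_count=0
	atf_check -s exit:0 rump.sysctl -q -w net.ipsecif.use_fixed_reqid=1
	atf_check -s exit:0 rump.ifconfig shmif0 $ip_remote_o/24
	atf_check -s exit:0 rump.ifconfig shmif1 $ip_remote_i/24

	# outer connectivity has to work before the tunnel is layered on top
	export RUMP_SERVER=$SOCK_LOCAL
	atf_check -s exit:0 -o ignore rump.ping -c 1 -n -w $TIMEOUT $ip_remote_o

	# setup ipsecif(4) as unnumbered for local, then for remote
	setup_ipsecif_unnumbered $SOCK_LOCAL $ip_local_o $ip_local_i \
	    $ip_remote_o $ip_remote_i_subnet
	setup_ipsecif_unnumbered $SOCK_REMOTE $ip_remote_o $ip_remote_i \
	    $ip_local_o $ip_local_i_subnet

	add_sa ipv4 esp $algo $ip_local_o $ip_remote_o

	# test unnumbered ipsecif(4)
	check_ipsecif_unnumbered $ip_local_i $ip_remote_i \
	    $ip_local_o $ip_remote_o
}

#
# Unnumbered ipsecif(4) with IPv6 outer addresses; the inner network and
# the tunnel configuration are the same as in the IPv4 case.
# Arguments: $1 - ESP algorithm name for add_sa
#
test_ipsecif_unnumbered_ipv6()
{
	local algo=$1
	local ip_local_i=192.168.22.1
	local ip_local_i_subnet=192.168.22.0/24
	local ip_local_o=fc00::2
	local ip_remote_i=192.168.33.1
	local ip_remote_i_subnet=192.168.33.0/24
	local ip_remote_o=fc00::3

	setup_servers ipv6

	# Outer (shmif0, IPv6) and inner (shmif1, IPv4) addresses.  DAD is
	# switched off for both families so the addresses are usable at once;
	# use_fixed_reqid makes ipsec0 use the fixed reqid add_sa binds to.
	export RUMP_SERVER=$SOCK_LOCAL
	atf_check -s exit:0 rump.sysctl -q -w net.inet.ip.dad_count=0
	atf_check -s exit:0 rump.sysctl -q -w net.inet6.ip6.dad_count=0
	atf_check -s exit:0 rump.sysctl -q -w net.ipsecif.use_fixed_reqid=1
	atf_check -s exit:0 rump.ifconfig shmif0 inet6 $ip_local_o/64
	atf_check -s exit:0 rump.ifconfig shmif1 $ip_local_i/24

	export RUMP_SERVER=$SOCK_REMOTE
	atf_check -s exit:0 rump.sysctl -q -w net.inet.ip.dad_count=0
	atf_check -s exit:0 rump.sysctl -q -w net.inet6.ip6.dad_count=0
	atf_check -s exit:0 rump.sysctl -q -w net.ipsecif.use_fixed_reqid=1
	atf_check -s exit:0 rump.ifconfig shmif0 inet6 $ip_remote_o/64
	atf_check -s exit:0 rump.ifconfig shmif1 $ip_remote_i/24

	# outer connectivity has to work before the tunnel is layered on top
	export RUMP_SERVER=$SOCK_LOCAL
	atf_check -s exit:0 -o ignore rump.ping6 -c 1 -n -X $TIMEOUT $ip_remote_o

	# setup ipsecif(4) as unnumbered for local, then for remote
	setup_ipsecif_unnumbered $SOCK_LOCAL $ip_local_o $ip_local_i \
	    $ip_remote_o $ip_remote_i_subnet
	setup_ipsecif_unnumbered $SOCK_REMOTE $ip_remote_o $ip_remote_i \
	    $ip_local_o $ip_local_i_subnet

	add_sa ipv6 esp $algo $ip_local_o $ip_remote_o

	# test unnumbered ipsecif(4) (the inner ping is still IPv4)
	check_ipsecif_unnumbered $ip_local_i $ip_remote_i \
	    $ip_local_o $ip_remote_o
}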
240
#
# Register one ATF test case for the given outer protocol and algorithm.
# Arguments: $1 - outer protocol ("ipv4" or "ipv6")
#            $2 - ESP algorithm name, e.g. aes-cbc
#
add_test_ipsecif_unnumbered()
{
	local outer=$1
	local algo=$2
	local _algo=
	local name=
	local desc=

	# test case names must be identifiers, so drop the '-' of e.g. aes-cbc
	_algo=$(printf '%s\n' "$algo" | sed 's/-//g')
	name="ipsecif_unnumbered_over${outer}_${_algo}"
	desc="Does unnumbered ipsecif over ${outer} $algo"

	atf_test_case ${name} cleanup
	# $name, $desc and $algo are spliced into shell code below, so they
	# must keep coming from this file's own constant lists only.
	eval "
	    ${name}_head() {
		atf_set descr \"${desc}\"
		atf_set require.progs rump_server setkey
	    }
	    ${name}_body() {
		test_ipsecif_unnumbered_${outer} $algo
		rump_server_destroy_ifaces
	    }
	    ${name}_cleanup() {
		\$DEBUG && dump
		cleanup
	    }"
	atf_add_test_case ${name}
}
268
#
# ATF entry point: one test case per (algorithm, outer protocol) pair,
# registering the IPv4 variant of each algorithm before its IPv6 one.
#
atf_init_test_cases()
{
	local algo=
	local outer=

	for algo in $ESP_ENCRYPTION_ALGORITHMS_MINIMUM; do
		for outer in ipv4 ipv6; do
			add_test_ipsecif_unnumbered $outer $algo
		done
	done
}
278