1# $NetBSD: t_ipsec_unnumbered.sh,v 1.2 2023/09/27 08:48:01 knakahara Exp $ 2# 3# Copyright (c) 2022 Internet Initiative Japan Inc. 4# All rights reserved. 5# 6# Redistribution and use in source and binary forms, with or without 7# modification, are permitted provided that the following conditions 8# are met: 9# 1. Redistributions of source code must retain the above copyright 10# notice, this list of conditions and the following disclaimer. 11# 2. Redistributions in binary form must reproduce the above copyright 12# notice, this list of conditions and the following disclaimer in the 13# documentation and/or other materials provided with the distribution. 14# 15# THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS 16# ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED 17# TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 18# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS 19# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 20# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 21# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 22# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 23# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 24# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 25# POSSIBILITY OF SUCH DAMAGE. 26# 27 28SOCK_LOCAL=unix://ipsec_local 29SOCK_REMOTE=unix://ipsec_remote 30BUS_LOCAL_I=./bus_ipsec_local_inner 31BUS_REMOTE_I=./bus_ipsec_remote_inner 32BUS_GLOBAL=./bus_ipsec_global 33 34DEBUG=${DEBUG:-false} 35TIMEOUT=7 36 37setup_servers_ipv4() 38{ 39 40 rump_server_crypto_start $SOCK_LOCAL netipsec ipsec 41 rump_server_crypto_start $SOCK_REMOTE netipsec ipsec 42 rump_server_add_iface $SOCK_LOCAL shmif0 $BUS_GLOBAL 43 rump_server_add_iface $SOCK_LOCAL shmif1 $BUS_LOCAL_I 44 rump_server_add_iface $SOCK_REMOTE shmif0 $BUS_GLOBAL 45 rump_server_add_iface $SOCK_REMOTE shmif1 $BUS_REMOTE_I 46} 47 48setup_servers_ipv6() 49{ 50 51 rump_server_crypto_start $SOCK_LOCAL netipsec netinet6 ipsec 52 rump_server_crypto_start $SOCK_REMOTE netipsec netinet6 ipsec 53 rump_server_add_iface $SOCK_LOCAL shmif0 $BUS_GLOBAL 54 rump_server_add_iface $SOCK_LOCAL shmif1 $BUS_LOCAL_I 55 rump_server_add_iface $SOCK_REMOTE shmif0 $BUS_GLOBAL 56 rump_server_add_iface $SOCK_REMOTE shmif1 $BUS_REMOTE_I 57} 58 59setup_servers() 60{ 61 local proto=$1 62 63 setup_servers_$proto 64} 65 66add_sa() 67{ 68 local outer=$1 69 local proto=$2 70 local algo="$3" 71 local src=$4 72 local dst=$5 73 local tmpfile=./tmp 74 local spi=10000 75 local algo_args="$(generate_algo_args esp $algo)" 76 local uniq=8192 # 8192(reqid_base) + 2 * 0(unit id of "ipsec0") 77 78 export RUMP_SERVER=$SOCK_LOCAL 79 cat > $tmpfile <<-EOF 80 add $src $dst $proto $((spi)) -u $uniq -m transport $algo_args; 81 add $dst $src $proto $((spi + 1)) -u $uniq -m transport $algo_args; 82 EOF 83 $DEBUG && cat $tmpfile 84 atf_check -s exit:0 -o empty $HIJACKING setkey -c < $tmpfile 85 $DEBUG && $HIJACKING setkey -D 86 # XXX it can be expired if $lifetime is very short 87 #check_sa_entries $SOCK_LOCAL $ip_local $ip_remote 88 89 export RUMP_SERVER=$SOCK_REMOTE 90 cat > $tmpfile <<-EOF 91 add $src $dst $proto $((spi)) -u $uniq -m transport $algo_args; 92 add $dst $src $proto $((spi + 1)) -u $uniq -m transport $algo_args; 93 EOF 94 $DEBUG && cat $tmpfile 95 atf_check -s exit:0 -o empty $HIJACKING setkey -c < $tmpfile 96 $DEBUG && $HIJACKING setkey -D 97} 98 99test_ipsecif_unnumbered_ipv4() 100{ 101 local algo=$1 102 local ip_local_i=192.168.22.1 103 local ip_local_i_subnet=192.168.22.0/24 104 local ip_local_o=10.0.0.2 105 local ip_remote_i=192.168.33.1 106 local ip_remote_i_subnet=192.168.33.0/24 107 local ip_remote_o=10.0.0.3 108 local outfile=./out 109 110 setup_servers ipv4 111 112 export RUMP_SERVER=$SOCK_LOCAL 113 atf_check -s exit:0 rump.sysctl -q -w net.inet.ip.dad_count=0 114 atf_check -s exit:0 rump.sysctl -q -w net.ipsecif.use_fixed_reqid=1 115 atf_check -s exit:0 rump.ifconfig shmif0 $ip_local_o/24 116 atf_check -s exit:0 rump.ifconfig shmif1 $ip_local_i/24 117 118 export RUMP_SERVER=$SOCK_REMOTE 119 atf_check -s exit:0 rump.sysctl -q -w net.inet.ip.dad_count=0 120 atf_check -s exit:0 rump.sysctl -q -w net.ipsecif.use_fixed_reqid=1 121 atf_check -s exit:0 rump.ifconfig shmif0 $ip_remote_o/24 122 atf_check -s exit:0 rump.ifconfig shmif1 $ip_remote_i/24 123 124 export RUMP_SERVER=$SOCK_LOCAL 125 atf_check -s exit:0 -o ignore rump.ping -c 1 -n -w $TIMEOUT $ip_remote_o 126 127 # setup ipsecif(4) as unnumbered for local 128 export RUMP_SERVER=$SOCK_LOCAL 129 atf_check -s exit:0 -o ignore rump.ifconfig ipsec0 create 130 atf_check -s exit:0 -o ignore \ 131 rump.ifconfig ipsec0 tunnel $ip_local_o $ip_remote_o 132 atf_check -s exit:0 -o ignore rump.ifconfig ipsec0 unnumbered 133 atf_check -s exit:0 -o ignore rump.ifconfig ipsec0 $ip_local_i/32 134 atf_check -s exit:0 -o ignore \ 135 rump.route add -inet $ip_remote_i_subnet -ifp ipsec0 $ip_local_i 136 $DEBUG && rump.ifconfig -v ipsec0 137 $DEBUG && $HIJACKING setkey -DP 138 $DEBUG && rump.route -nL show 139 140 # setup ipsecif(4) as unnumbered for remote 141 export RUMP_SERVER=$SOCK_REMOTE 142 atf_check -s exit:0 -o ignore rump.ifconfig ipsec0 create 143 atf_check -s exit:0 -o ignore \ 144 rump.ifconfig ipsec0 tunnel $ip_remote_o $ip_local_o 145 atf_check -s exit:0 -o ignore rump.ifconfig ipsec0 unnumbered 146 atf_check -s exit:0 -o ignore rump.ifconfig ipsec0 $ip_remote_i/32 147 atf_check -s exit:0 -o ignore \ 148 rump.route add -inet $ip_local_i_subnet -ifp ipsec0 $ip_remote_i 149 $DEBUG && rump.ifconfig -v ipsec0 150 $DEBUG && $HIJACKING setkey -DP 151 $DEBUG && rump.route -nL show 152 153 add_sa ipv4 esp $algo $ip_local_o $ip_remote_o 154 155 # test unnumbered ipsecif(4) 156 extract_new_packets $BUS_GLOBAL > $outfile 157 export RUMP_SERVER=$SOCK_LOCAL 158 atf_check -s exit:0 -o ignore \ 159 rump.ping -c 1 -n -w $TIMEOUT -I $ip_local_i $ip_remote_i 160 extract_new_packets $BUS_GLOBAL > $outfile 161 $DEBUG && cat $outfile 162 atf_check -s exit:0 \ 163 -o match:"$ip_local_o > $ip_remote_o: ESP" \ 164 cat $outfile 165 atf_check -s exit:0 \ 166 -o match:"$ip_remote_o > $ip_local_o: ESP" \ 167 cat $outfile 168} 169 170test_ipsecif_unnumbered_ipv6() 171{ 172 local algo=$1 173 local ip_local_i=192.168.22.1 174 local ip_local_i_subnet=192.168.22.0/24 175 local ip_local_o=fc00::2 176 local ip_remote_i=192.168.33.1 177 local ip_remote_i_subnet=192.168.33.0/24 178 local ip_remote_o=fc00::3 179 local outfile=./out 180 181 setup_servers ipv6 182 183 export RUMP_SERVER=$SOCK_LOCAL 184 atf_check -s exit:0 rump.sysctl -q -w net.inet.ip.dad_count=0 185 atf_check -s exit:0 rump.sysctl -q -w net.inet6.ip6.dad_count=0 186 atf_check -s exit:0 rump.sysctl -q -w net.ipsecif.use_fixed_reqid=1 187 atf_check -s exit:0 rump.ifconfig shmif0 inet6 $ip_local_o/64 188 atf_check -s exit:0 rump.ifconfig shmif1 $ip_local_i/24 189 190 export RUMP_SERVER=$SOCK_REMOTE 191 atf_check -s exit:0 rump.sysctl -q -w net.inet.ip.dad_count=0 192 atf_check -s exit:0 rump.sysctl -q -w net.inet6.ip6.dad_count=0 193 atf_check -s exit:0 rump.sysctl -q -w net.ipsecif.use_fixed_reqid=1 194 atf_check -s exit:0 rump.ifconfig shmif0 inet6 $ip_remote_o/64 195 atf_check -s exit:0 rump.ifconfig shmif1 $ip_remote_i/24 196 197 export RUMP_SERVER=$SOCK_LOCAL 198 atf_check -s exit:0 -o ignore rump.ping6 -c 1 -n -X $TIMEOUT $ip_remote_o 199 200 # setup ipsecif(4) as unnumbered for local 201 export RUMP_SERVER=$SOCK_LOCAL 202 atf_check -s exit:0 -o ignore rump.ifconfig ipsec0 create 203 atf_check -s exit:0 -o ignore \ 204 rump.ifconfig ipsec0 tunnel $ip_local_o $ip_remote_o 205 atf_check -s exit:0 -o ignore rump.ifconfig ipsec0 unnumbered 206 atf_check -s exit:0 -o ignore rump.ifconfig ipsec0 $ip_local_i/32 207 atf_check -s exit:0 -o ignore \ 208 rump.route add -inet $ip_remote_i_subnet -ifp ipsec0 $ip_local_i 209 $DEBUG && rump.ifconfig -v ipsec0 210 $DEBUG && rump.route -nL show 211 212 # setup ipsecif(4) as unnumbered for remote 213 export RUMP_SERVER=$SOCK_REMOTE 214 atf_check -s exit:0 -o ignore rump.ifconfig ipsec0 create 215 atf_check -s exit:0 -o ignore \ 216 rump.ifconfig ipsec0 tunnel $ip_remote_o $ip_local_o 217 atf_check -s exit:0 -o ignore rump.ifconfig ipsec0 unnumbered 218 atf_check -s exit:0 -o ignore rump.ifconfig ipsec0 $ip_remote_i/32 219 atf_check -s exit:0 -o ignore \ 220 rump.route add -inet $ip_local_i_subnet -ifp ipsec0 $ip_remote_i 221 $DEBUG && rump.ifconfig -v ipsec0 222 $DEBUG && rump.route -nL show 223 224 add_sa ipv6 esp $algo $ip_local_o $ip_remote_o 225 226 # test unnumbered gif(4) 227 extract_new_packets $BUS_GLOBAL > $outfile 228 export RUMP_SERVER=$SOCK_LOCAL 229 atf_check -s exit:0 -o ignore \ 230 rump.ping -c 1 -n -w $TIMEOUT -I $ip_local_i $ip_remote_i 231 extract_new_packets $BUS_GLOBAL > $outfile 232 $DEBUG && cat $outfile 233 atf_check -s exit:0 \ 234 -o match:"$ip_local_o > $ip_remote_o: ESP" \ 235 cat $outfile 236 atf_check -s exit:0 \ 237 -o match:"$ip_remote_o > $ip_local_o: ESP" \ 238 cat $outfile 239} 240 241add_test_ipsecif_unnumbered() 242{ 243 local outer=$1 244 local algo=$2 245 local _algo=$(echo $algo | sed 's/-//g') 246 local name= 247 local desc= 248 249 name="ipsecif_unnumbered_over${outer}_${_algo}" 250 desc="Does unnumbered ipsecif over ${outer} $algo" 251 252 atf_test_case ${name} cleanup 253 eval " 254 ${name}_head() { 255 atf_set descr \"${desc}\" 256 atf_set require.progs rump_server setkey 257 } 258 ${name}_body() { 259 test_ipsecif_unnumbered_${outer} $algo 260 rump_server_destroy_ifaces 261 } 262 ${name}_cleanup() { 263 \$DEBUG && dump 264 cleanup 265 }" 266 atf_add_test_case ${name} 267} 268 269atf_init_test_cases() 270{ 271 local algo= 272 273 for algo in $ESP_ENCRYPTION_ALGORITHMS_MINIMUM; do 274 add_test_ipsecif_unnumbered ipv4 $algo 275 add_test_ipsecif_unnumbered ipv6 $algo 276 done 277} 278