t_ipsec_misc.sh revision 1.15
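# $NetBSD: t_ipsec_misc.sh,v 1.15 2017/07/21 04:43:42 ozaki-r Exp $
#
# Copyright (c) 2017 Internet Initiative Japan Inc.
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
# 1. Redistributions of source code must retain the above copyright
#    notice, this list of conditions and the following disclaimer.
# 2. Redistributions in binary form must reproduce the above copyright
#    notice, this list of conditions and the following disclaimer in the
#    documentation and/or other materials provided with the distribution.
#
# THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
# ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
# TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
# PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
# POSSIBILITY OF SUCH DAMAGE.
#

# ATF test cases for IPsec SA lifetime expiry, SA/SP update and SPI
# selection, run between two rump kernels joined by a shared bus.
#
# Helpers such as rump_server_crypto_start, extract_new_packets,
# generate_algo_args, test_flush_entries, dump and cleanup, and the
# variables HIJACKING and *_ALGORITHMS_MINIMUM, are not defined in this
# file; presumably they come from the common test helpers sourced by the
# test program -- confirm against the Makefile.

SOCK_LOCAL=unix://ipsec_local
SOCK_PEER=unix://ipsec_peer
BUS=./bus_ipsec

# DEBUG is run as a command ("true" or "false") to gate diagnostics.
DEBUG=${DEBUG:-true}

#
# Private helper: feed a setkey(8) script to one rump kernel.
#   $1 - rump server socket
#   $2 - path of the setkey script
# The script contains $algo_args; presumably that includes key material
# (generate_algo_args is defined elsewhere), so the DEBUG dump is only
# appropriate for throwaway test keys.
#
_ipsec_misc_apply_setkey()
{
	local sock=$1
	local script=$2

	export RUMP_SERVER=$sock
	$DEBUG && cat $script
	# $HIJACKING is deliberately unquoted: it may be empty or expand
	# to several words.
	atf_check -s exit:0 -o empty $HIJACKING setkey -c < $script
}

#
# Private helper: register one ATF test case with a cleanup routine.
#   $1 - test case name (must be a valid shell function name)
#   $2 - description
#   $3 - command line run as the test body
# The arguments are spliced into an eval string, so they must only ever
# come from the fixed lists used in atf_init_test_cases, never from
# external input.  $DEBUG is expanded when the case is registered.
#
_ipsec_misc_register()
{
	local name=$1
	local desc=$2
	local body=$3

	atf_test_case ${name} cleanup
	eval "
	${name}_head() {
		atf_set \"descr\" \"$desc\"
		atf_set \"require.progs\" \"rump_server\" \"setkey\"
	}
	${name}_body() {
		$body
		rump_server_destroy_ifaces
	}
	${name}_cleanup() {
		$DEBUG && dump
		cleanup
	}
	"
	atf_add_test_case ${name}
}

#
# Install a pair of SAs (SPI 10000 local->peer, 10001 peer->local) and an
# outbound transport-mode "require" policy on both rump kernels.
#   $1 - protocol (esp or ah)      $2 - algorithm arguments for setkey
#   $3 - local address             $4 - peer address
#   $5 - hard and soft lifetime in seconds
#   $6 - optional: "sa" to also issue update for both SAs, "sp" to also
#        issue spdupdate for the outbound policy
#
setup_sasp()
{
	local proto=$1
	local algo_args="$2"
	local ip_local=$3
	local ip_peer=$4
	local lifetime=$5
	local update=$6
	local tmpfile=./tmp
	local policy="any -P out ipsec $proto/transport//require;"
	local sa_out="add $ip_local $ip_peer $proto 10000 -lh $lifetime -ls $lifetime $algo_args;"
	local sa_in="add $ip_peer $ip_local $proto 10001 -lh $lifetime -ls $lifetime $algo_args;"
	local upd_out="update $ip_local $ip_peer $proto 10000 $algo_args;"
	local upd_in="update $ip_peer $ip_local $proto 10001 $algo_args;"

	# Local end: the outbound policy runs local -> peer.
	{
		printf '%s\n' "$sa_out" "$sa_in"
		printf '%s\n' "spdadd $ip_local $ip_peer $policy"
		case "$update" in
		sa)	printf '%s\n' "$upd_out" "$upd_in" ;;
		sp)	printf '%s\n' "spdupdate $ip_local $ip_peer $policy" ;;
		esac
	} > $tmpfile
	_ipsec_misc_apply_setkey $SOCK_LOCAL $tmpfile
	# XXX it can be expired if $lifetime is very short
	#check_sa_entries $SOCK_LOCAL $ip_local $ip_peer

	# Peer end: same SAs, but the outbound policy runs peer -> local.
	{
		printf '%s\n' "$sa_out" "$sa_in"
		printf '%s\n' "spdadd $ip_peer $ip_local $policy"
		case "$update" in
		sa)	printf '%s\n' "$upd_out" "$upd_in" ;;
		sp)	printf '%s\n' "spdupdate $ip_peer $ip_local $policy" ;;
		esac
	} > $tmpfile
	_ipsec_misc_apply_setkey $SOCK_PEER $tmpfile
	# XXX it can be expired if $lifetime is very short
	#check_sa_entries $SOCK_PEER $ip_local $ip_peer
}

#
# IPv4: check that SAs vanish once their lifetime has passed, both when
# never used and after being used by traffic, and that traffic then
# stops instead of continuing without an SA.
#   $1 - protocol (esp or ah)      $2 - algorithm name
#
test_ipsec4_lifetime()
{
	local proto=$1
	local algo=$2
	local ip_local=10.0.0.1
	local ip_peer=10.0.0.2
	local outfile=./out
	local proto_cap="$(echo "$proto" | tr 'a-z' 'A-Z')"
	local algo_args="$(generate_algo_args $proto $algo)"
	local lifetime=3

	rump_server_crypto_start $SOCK_LOCAL netipsec
	rump_server_crypto_start $SOCK_PEER netipsec
	rump_server_add_iface $SOCK_LOCAL shmif0 $BUS
	rump_server_add_iface $SOCK_PEER shmif0 $BUS

	export RUMP_SERVER=$SOCK_LOCAL
	atf_check -s exit:0 rump.sysctl -q -w net.inet.ip.dad_count=0
	atf_check -s exit:0 rump.ifconfig shmif0 $ip_local/24
	#atf_check -s exit:0 -o ignore rump.sysctl -w net.key.debug=0xff

	export RUMP_SERVER=$SOCK_PEER
	atf_check -s exit:0 rump.sysctl -q -w net.inet.ip.dad_count=0
	atf_check -s exit:0 rump.ifconfig shmif0 $ip_peer/24
	#atf_check -s exit:0 -o ignore rump.sysctl -w net.key.debug=0xff

	# The output of this first extraction is overwritten below before
	# anything reads it.
	extract_new_packets $BUS > $outfile

	# Baseline without IPsec: plain ICMP must be visible on the bus.
	export RUMP_SERVER=$SOCK_LOCAL
	atf_check -s exit:0 -o ignore rump.ping -c 1 -n -w 3 $ip_peer

	extract_new_packets $BUS > $outfile
	atf_check -s exit:0 -o match:"$ip_local > $ip_peer: ICMP echo request" \
	    cat $outfile
	atf_check -s exit:0 -o match:"$ip_peer > $ip_local: ICMP echo reply" \
	    cat $outfile

	# Set up SAs with lifetime 1 sec.
	setup_sasp $proto "$algo_args" $ip_local $ip_peer 1

	# Wait for the SAs to be expired
	atf_check -s exit:0 sleep 2

	# Check the SAs have been expired
	export RUMP_SERVER=$SOCK_LOCAL
	$DEBUG && $HIJACKING setkey -D
	atf_check -s exit:0 -o match:'No SAD entries.' $HIJACKING setkey -D
	export RUMP_SERVER=$SOCK_PEER
	$DEBUG && $HIJACKING setkey -D
	atf_check -s exit:0 -o match:'No SAD entries.' $HIJACKING setkey -D

	# Clean up SPs
	export RUMP_SERVER=$SOCK_LOCAL
	atf_check -s exit:0 -o empty $HIJACKING setkey -F -P
	export RUMP_SERVER=$SOCK_PEER
	atf_check -s exit:0 -o empty $HIJACKING setkey -F -P

	# Set up SAs with lifetime with $lifetime
	setup_sasp $proto "$algo_args" $ip_local $ip_peer $lifetime

	# Use the SAs; this will create a reference from an SP to an SA
	export RUMP_SERVER=$SOCK_LOCAL
	atf_check -s exit:0 -o ignore rump.ping -c 1 -n -w 3 $ip_peer

	extract_new_packets $BUS > $outfile
	atf_check -s exit:0 -o match:"$ip_local > $ip_peer: $proto_cap" \
	    cat $outfile
	atf_check -s exit:0 -o match:"$ip_peer > $ip_local: $proto_cap" \
	    cat $outfile

	atf_check -s exit:0 sleep $((lifetime + 1))

	# -a is added here so that dead entries are listed too; none may
	# remain even though the SAs were referenced by an SP.
	export RUMP_SERVER=$SOCK_LOCAL
	$DEBUG && $HIJACKING setkey -D
	atf_check -s exit:0 -o match:'No SAD entries.' $HIJACKING setkey -D -a

	export RUMP_SERVER=$SOCK_PEER
	$DEBUG && $HIJACKING setkey -D
	atf_check -s exit:0 -o match:'No SAD entries.' $HIJACKING setkey -D -a

	# The "require" policy is still installed but no SA is left, so the
	# ping has to fail; a reply here would mean packets were still
	# exchanged although no SA exists.
	export RUMP_SERVER=$SOCK_LOCAL
	atf_check -s not-exit:0 -o match:'0 packets received' \
	    rump.ping -c 1 -n -w 1 $ip_peer

	test_flush_entries $SOCK_LOCAL
	test_flush_entries $SOCK_PEER
}

#
# IPv6 counterpart of test_ipsec4_lifetime.
#   $1 - protocol (esp or ah)      $2 - algorithm name
#
test_ipsec6_lifetime()
{
	local proto=$1
	local algo=$2
	local ip_local=fd00::1
	local ip_peer=fd00::2
	local outfile=./out
	local proto_cap="$(echo "$proto" | tr 'a-z' 'A-Z')"
	local algo_args="$(generate_algo_args $proto $algo)"
	local lifetime=3

	rump_server_crypto_start $SOCK_LOCAL netinet6 netipsec
	rump_server_crypto_start $SOCK_PEER netinet6 netipsec
	rump_server_add_iface $SOCK_LOCAL shmif0 $BUS
	rump_server_add_iface $SOCK_PEER shmif0 $BUS

	export RUMP_SERVER=$SOCK_LOCAL
	atf_check -s exit:0 rump.sysctl -q -w net.inet6.ip6.dad_count=0
	atf_check -s exit:0 rump.ifconfig shmif0 inet6 $ip_local

	export RUMP_SERVER=$SOCK_PEER
	atf_check -s exit:0 rump.sysctl -q -w net.inet6.ip6.dad_count=0
	atf_check -s exit:0 rump.ifconfig shmif0 inet6 $ip_peer

	# The output of this first extraction is overwritten below before
	# anything reads it.
	extract_new_packets $BUS > $outfile

	# Baseline without IPsec: plain ICMP6 must be visible on the bus.
	export RUMP_SERVER=$SOCK_LOCAL
	atf_check -s exit:0 -o ignore rump.ping6 -c 1 -n -X 3 $ip_peer

	extract_new_packets $BUS > $outfile
	atf_check -s exit:0 -o match:"$ip_local > $ip_peer: ICMP6, echo request" \
	    cat $outfile
	atf_check -s exit:0 -o match:"$ip_peer > $ip_local: ICMP6, echo reply" \
	    cat $outfile

	# Set up SAs with lifetime 1 sec.
	setup_sasp $proto "$algo_args" $ip_local $ip_peer 1

	# Wait for the SAs to be expired
	atf_check -s exit:0 sleep 2

	# Check the SAs have been expired
	export RUMP_SERVER=$SOCK_LOCAL
	$DEBUG && $HIJACKING setkey -D
	atf_check -s exit:0 -o match:'No SAD entries.' $HIJACKING setkey -D
	export RUMP_SERVER=$SOCK_PEER
	$DEBUG && $HIJACKING setkey -D
	atf_check -s exit:0 -o match:'No SAD entries.' $HIJACKING setkey -D

	# Clean up SPs
	export RUMP_SERVER=$SOCK_LOCAL
	atf_check -s exit:0 -o empty $HIJACKING setkey -F -P
	export RUMP_SERVER=$SOCK_PEER
	atf_check -s exit:0 -o empty $HIJACKING setkey -F -P

	# Set up SAs with lifetime with $lifetime
	setup_sasp $proto "$algo_args" $ip_local $ip_peer $lifetime

	# Use the SAs; this will create a reference from an SP to an SA
	export RUMP_SERVER=$SOCK_LOCAL
	atf_check -s exit:0 -o ignore rump.ping6 -c 1 -n -X 3 $ip_peer

	extract_new_packets $BUS > $outfile
	atf_check -s exit:0 -o match:"$ip_local > $ip_peer: $proto_cap" \
	    cat $outfile
	atf_check -s exit:0 -o match:"$ip_peer > $ip_local: $proto_cap" \
	    cat $outfile

	atf_check -s exit:0 sleep $((lifetime + 1))

	# -a is added here so that dead entries are listed too; none may
	# remain even though the SAs were referenced by an SP.
	export RUMP_SERVER=$SOCK_LOCAL
	$DEBUG && $HIJACKING setkey -D
	atf_check -s exit:0 -o match:'No SAD entries.' $HIJACKING setkey -D -a

	export RUMP_SERVER=$SOCK_PEER
	$DEBUG && $HIJACKING setkey -D
	atf_check -s exit:0 -o match:'No SAD entries.' $HIJACKING setkey -D -a

	# The "require" policy is still installed but no SA is left, so the
	# ping has to fail; a reply here would mean packets were still
	# exchanged although no SA exists.
	export RUMP_SERVER=$SOCK_LOCAL
	atf_check -s not-exit:0 -o match:'0 packets received' \
	    rump.ping6 -c 1 -n -X 1 $ip_peer

	test_flush_entries $SOCK_LOCAL
	test_flush_entries $SOCK_PEER
}

#
# Dispatch the lifetime test by address family.
#   $1 - "ipv4" selects the IPv4 test, anything else the IPv6 test
#   $2 - protocol                  $3 - algorithm name
#
test_lifetime_common()
{
	local ipproto=$1
	local proto=$2
	local algo=$3

	if [ "$ipproto" = ipv4 ]; then
		test_ipsec4_lifetime $proto $algo
	else
		test_ipsec6_lifetime $proto $algo
	fi
}

#
# Register the lifetime test case for one family/protocol/algorithm.
#   $1 - ipv4 or ipv6   $2 - protocol   $3 - algorithm name
#
add_test_lifetime()
{
	local ipproto=$1
	local proto=$2
	local algo=$3
	# '-' is stripped from the algorithm name for the test case name.
	local _algo="$(echo "$algo" | sed 's/-//g')"
	local name= desc=

	name="ipsec_lifetime_${ipproto}_${proto}_${_algo}"
	desc="Tests of lifetime of IPsec ($ipproto) with $proto ($algo)"

	_ipsec_misc_register "$name" "$desc" \
	    "test_lifetime_common $ipproto $proto $algo"
}

#
# Check that traffic is still protected by $proto after the SAs or the SP
# have been updated in place right after creation.
#   $1 - protocol   $2 - algorithm name   $3 - "sa" or "sp"
#
test_update()
{
	local proto=$1
	local algo=$2
	local update=$3
	local ip_local=10.0.0.1
	local ip_peer=10.0.0.2
	local algo_args="$(generate_algo_args $proto $algo)"
	local proto_cap="$(echo "$proto" | tr 'a-z' 'A-Z')"
	local outfile=./out

	rump_server_crypto_start $SOCK_LOCAL netipsec
	rump_server_crypto_start $SOCK_PEER netipsec
	rump_server_add_iface $SOCK_LOCAL shmif0 $BUS
	rump_server_add_iface $SOCK_PEER shmif0 $BUS

	export RUMP_SERVER=$SOCK_LOCAL
	atf_check -s exit:0 rump.sysctl -q -w net.inet.ip.dad_count=0
	atf_check -s exit:0 rump.ifconfig shmif0 $ip_local/24

	export RUMP_SERVER=$SOCK_PEER
	atf_check -s exit:0 rump.sysctl -q -w net.inet.ip.dad_count=0
	atf_check -s exit:0 rump.ifconfig shmif0 $ip_peer/24

	setup_sasp $proto "$algo_args" $ip_local $ip_peer 100 $update

	extract_new_packets $BUS > $outfile

	export RUMP_SERVER=$SOCK_LOCAL
	atf_check -s exit:0 -o ignore rump.ping -c 1 -n -w 3 $ip_peer

	extract_new_packets $BUS > $outfile
	atf_check -s exit:0 -o match:"$ip_local > $ip_peer: $proto_cap" \
	    cat $outfile
	atf_check -s exit:0 -o match:"$ip_peer > $ip_local: $proto_cap" \
	    cat $outfile
}

#
# Register the update test case for one protocol/algorithm/target.
#   $1 - protocol   $2 - algorithm name   $3 - "sa" or "sp"
#
add_test_update()
{
	local proto=$1
	local algo=$2
	local update=$3
	local _update="$(echo "$update" | tr 'a-z' 'A-Z')"
	local _algo="$(echo "$algo" | sed 's/-//g')"
	local name= desc=

	desc="Tests trying to udpate $_update of $proto ($algo)"
	name="ipsec_update_${update}_${proto}_${_algo}"

	_ipsec_misc_register "$name" "$desc" \
	    "test_update $proto $algo $update"
}

#
# Add one more SA pair on both rump kernels: SPI $6 for local->peer and
# SPI $6 + 1 for peer->local.  No policy is touched.
#   $1 - protocol   $2 - algorithm arguments   $3 - local address
#   $4 - peer address   $5 - hard/soft lifetime (s)   $6 - base SPI
#
add_sa()
{
	local proto=$1
	local algo_args="$2"
	local ip_local=$3
	local ip_peer=$4
	local lifetime=$5
	local spi=$6
	local tmpfile=./tmp
	local sock=

	# Both ends receive the same two entries.
	printf '%s\n' \
	    "add $ip_local $ip_peer $proto $((spi)) -lh $lifetime -ls $lifetime $algo_args;" \
	    "add $ip_peer $ip_local $proto $((spi + 1)) -lh $lifetime -ls $lifetime $algo_args;" \
	    > $tmpfile

	for sock in $SOCK_LOCAL $SOCK_PEER; do
		_ipsec_misc_apply_setkey $sock $tmpfile
		$DEBUG && $HIJACKING setkey -D
		# XXX it can be expired if $lifetime is very short
		#check_sa_entries $sock $ip_local $ip_peer
	done
}

#
# Delete the SA pair (SPI $4 and $4 + 1) on both rump kernels.
#   $1 - protocol   $2 - local address   $3 - peer address   $4 - base SPI
#
delete_sa()
{
	local proto=$1
	local ip_local=$2
	local ip_peer=$3
	local spi=$4
	local tmpfile=./tmp
	local sock=

	printf '%s\n' \
	    "delete $ip_local $ip_peer $proto $((spi));" \
	    "delete $ip_peer $ip_local $proto $((spi + 1));" \
	    > $tmpfile

	for sock in $SOCK_LOCAL $SOCK_PEER; do
		_ipsec_misc_apply_setkey $sock $tmpfile
		$DEBUG && $HIJACKING setkey -D
	done
}

#
# Assert that the captured packets carry the expected SPIs: $5 for
# local->peer and $5 + 1 for peer->local.
#   $1 - capture text file   $2 - local address   $3 - peer address
#   $4 - protocol name as printed in the capture (e.g. ESP)
#   $5 - base SPI (decimal)
#
check_packet_spi()
{
	local outfile=$1
	local ip_local=$2
	local ip_peer=$3
	# Take the protocol name from the argument; the patterns used to
	# read $proto_cap, which only existed as a local of the caller.
	local proto_cap=$4
	local spi=$5
	local spistr=

	$DEBUG && cat $outfile
	# The capture prints the SPI as eight hex digits.
	spistr=$(printf "%08x" $spi)
	atf_check -s exit:0 \
	    -o match:"$ip_local > $ip_peer: $proto_cap\(spi=0x$spistr," \
	    cat $outfile
	spistr=$(printf "%08x" $((spi + 1)))
	atf_check -s exit:0 \
	    -o match:"$ip_peer > $ip_local: $proto_cap\(spi=0x$spistr," \
	    cat $outfile
}

#
# Wait until "setkey -D" no longer lists spi=$1, first on the local and
# then on the peer rump kernel.  Each side is polled up to 10 times, one
# second apart; the test fails if the SA is still listed after that.
#   $1 - SPI (decimal)
#
wait_sa_disappeared()
{
	local spi=$1
	local sock= i= gone=

	for sock in $SOCK_LOCAL $SOCK_PEER; do
		export RUMP_SERVER=$sock
		# Track success explicitly: judging by the loop counter
		# reported a failure when the SA vanished on the last poll.
		gone=false
		i=0
		while [ $i -lt 10 ]; do
			if ! $HIJACKING setkey -D | grep -q "spi=$spi"; then
				gone=true
				break
			fi
			sleep 1
			i=$((i + 1))
		done
		if ! $gone; then
			atf_fail "SA (spi=$spi) didn't disappear in 10s"
		fi
	done
}

#
# Check which SA is chosen for outbound traffic when several SAs with
# different SPIs match, and that the choice falls back correctly as the
# newer SAs go away.
#   $1 - protocol   $2 - algorithm name
#   $3 - "old" to set net.key.prefered_oldsa=1, otherwise newest wins
#   $4 - "delete" to remove SAs explicitly, otherwise wait for expiry
#
test_spi()
{
	local proto=$1
	local algo=$2
	local preferred=$3
	local method=$4
	local ip_local=10.0.0.1
	local ip_peer=10.0.0.2
	local algo_args="$(generate_algo_args $proto $algo)"
	local proto_cap="$(echo "$proto" | tr 'a-z' 'A-Z')"
	local outfile=./out
	local longtime= shorttime=

	if [ "$method" = delete ]; then
		# SAs are removed by hand, so they must not expire first.
		shorttime=100
		longtime=100
	else
		# The newest SA (shorttime) has to expire before the
		# second one (longtime).
		shorttime=3
		longtime=6
	fi

	rump_server_crypto_start $SOCK_LOCAL netipsec
	rump_server_crypto_start $SOCK_PEER netipsec
	rump_server_add_iface $SOCK_LOCAL shmif0 $BUS
	rump_server_add_iface $SOCK_PEER shmif0 $BUS

	export RUMP_SERVER=$SOCK_LOCAL
	atf_check -s exit:0 rump.sysctl -q -w net.inet.ip.dad_count=0
	atf_check -s exit:0 rump.ifconfig shmif0 $ip_local/24
	if [ "$preferred" = old ]; then
		atf_check -s exit:0 rump.sysctl -q -w net.key.prefered_oldsa=1
	fi

	export RUMP_SERVER=$SOCK_PEER
	atf_check -s exit:0 rump.sysctl -q -w net.inet.ip.dad_count=0
	atf_check -s exit:0 rump.ifconfig shmif0 $ip_peer/24
	if [ "$preferred" = old ]; then
		atf_check -s exit:0 rump.sysctl -q -w net.key.prefered_oldsa=1
	fi

	setup_sasp $proto "$algo_args" $ip_local $ip_peer 100

	extract_new_packets $BUS > $outfile

	export RUMP_SERVER=$SOCK_LOCAL
	atf_check -s exit:0 -o ignore rump.ping -c 1 -n -w 3 $ip_peer
	extract_new_packets $BUS > $outfile
	check_packet_spi $outfile $ip_local $ip_peer $proto_cap 10000

	# Add a new SA with a different SPI
	add_sa $proto "$algo_args" $ip_local $ip_peer $longtime 10010

	export RUMP_SERVER=$SOCK_LOCAL
	atf_check -s exit:0 -o ignore rump.ping -c 1 -n -w 3 $ip_peer
	extract_new_packets $BUS > $outfile
	if [ "$preferred" = old ]; then
		check_packet_spi $outfile $ip_local $ip_peer $proto_cap 10000
	else
		# The new SA is preferred
		check_packet_spi $outfile $ip_local $ip_peer $proto_cap 10010
	fi

	# Add another SA with a different SPI
	add_sa $proto "$algo_args" $ip_local $ip_peer $shorttime 10020

	export RUMP_SERVER=$SOCK_LOCAL
	atf_check -s exit:0 -o ignore rump.ping -c 1 -n -w 3 $ip_peer
	extract_new_packets $BUS > $outfile
	if [ "$preferred" = old ]; then
		check_packet_spi $outfile $ip_local $ip_peer $proto_cap 10000
	else
		# The newest SA is preferred
		check_packet_spi $outfile $ip_local $ip_peer $proto_cap 10020
	fi

	if [ "$method" = delete ]; then
		delete_sa $proto $ip_local $ip_peer 10020
	else
		wait_sa_disappeared 10020
	fi

	export RUMP_SERVER=$SOCK_LOCAL
	atf_check -s exit:0 -o ignore rump.ping -c 1 -n -w 3 $ip_peer
	extract_new_packets $BUS > $outfile
	if [ "$preferred" = old ]; then
		check_packet_spi $outfile $ip_local $ip_peer $proto_cap 10000
	else
		# The newest one is removed and the second one is used
		check_packet_spi $outfile $ip_local $ip_peer $proto_cap 10010
	fi

	if [ "$method" = delete ]; then
		delete_sa $proto $ip_local $ip_peer 10010
	else
		wait_sa_disappeared 10010
	fi

	export RUMP_SERVER=$SOCK_LOCAL
	atf_check -s exit:0 -o ignore rump.ping -c 1 -n -w 3 $ip_peer
	extract_new_packets $BUS > $outfile
	# Only the original SA is left, so it is used whichever SA is
	# preferred (the second one is removed and the original one is used).
	check_packet_spi $outfile $ip_local $ip_peer $proto_cap 10000
}

#
# Register the SPI selection test case.
#   $1 - protocol   $2 - algorithm name
#   $3 - "new" or "old" (which SA is preferred)
#   $4 - "delete" or "timeout" (how SAs are removed)
#
add_test_spi()
{
	local proto=$1
	local algo=$2
	local preferred=$3
	local method=$4
	local _algo="$(echo "$algo" | sed 's/-//g')"
	local name= desc=

	desc="Tests SAs with different SPIs of $proto ($algo) ($preferred SA preferred) ($method)"
	name="ipsec_spi_${proto}_${_algo}_preferred_${preferred}_${method}"

	_ipsec_misc_register "$name" "$desc" \
	    "test_spi $proto $algo $preferred $method"
}

#
# ATF entry point: register every test case for each algorithm in the
# minimum ESP and AH algorithm lists.  The lists are split on whitespace
# on purpose, so they stay unquoted.
#
atf_init_test_cases()
{
	local algo=

	for algo in $ESP_ENCRYPTION_ALGORITHMS_MINIMUM; do
		add_test_lifetime ipv4 esp $algo
		add_test_lifetime ipv6 esp $algo
		add_test_update esp $algo sa
		add_test_update esp $algo sp
		add_test_spi esp $algo new delete
		add_test_spi esp $algo old delete
		add_test_spi esp $algo new timeout
		add_test_spi esp $algo old timeout
	done
	for algo in $AH_AUTHENTICATION_ALGORITHMS_MINIMUM; do
		add_test_lifetime ipv4 ah $algo
		add_test_lifetime ipv6 ah $algo
		add_test_update ah $algo sa
		add_test_update ah $algo sp
		add_test_spi ah $algo new delete
		add_test_spi ah $algo old delete
		add_test_spi ah $algo new timeout
		add_test_spi ah $algo old timeout
	done
}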