t_ipsec_misc.sh revision 1.23
1# $NetBSD: t_ipsec_misc.sh,v 1.23 2019/07/23 04:31:25 ozaki-r Exp $ 2# 3# Copyright (c) 2017 Internet Initiative Japan Inc. 4# All rights reserved. 5# 6# Redistribution and use in source and binary forms, with or without 7# modification, are permitted provided that the following conditions 8# are met: 9# 1. Redistributions of source code must retain the above copyright 10# notice, this list of conditions and the following disclaimer. 11# 2. Redistributions in binary form must reproduce the above copyright 12# notice, this list of conditions and the following disclaimer in the 13# documentation and/or other materials provided with the distribution. 14# 15# THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS 16# ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED 17# TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 18# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS 19# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 20# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 21# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 22# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 23# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 24# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 25# POSSIBILITY OF SUCH DAMAGE. 26# 27 28SOCK_LOCAL=unix://ipsec_local 29SOCK_PEER=unix://ipsec_peer 30BUS=./bus_ipsec 31 32DEBUG=${DEBUG:-true} 33 34setup_sasp() 35{ 36 local proto=$1 37 local algo_args="$2" 38 local ip_local=$3 39 local ip_peer=$4 40 local lifetime=$5 41 local update=$6 42 local tmpfile=./tmp 43 local saadd=add 44 local saadd_algo_args="$algo_args" 45 local extra= 46 47 if [ "$update" = getspi ]; then 48 saadd=getspi 49 saadd_algo_args= 50 fi 51 52 if [ "$update" = sa -o "$update" = getspi ]; then 53 extra="update $ip_local $ip_peer $proto 10000 $algo_args; 54 update $ip_peer $ip_local $proto 10001 $algo_args;" 55 elif [ "$update" = sp ]; then 56 extra="spdupdate $ip_local $ip_peer any -P out ipsec $proto/transport//require;" 57 fi 58 59 export RUMP_SERVER=$SOCK_LOCAL 60 cat > $tmpfile <<-EOF 61 $saadd $ip_local $ip_peer $proto 10000 -lh $lifetime -ls $lifetime $saadd_algo_args; 62 $saadd $ip_peer $ip_local $proto 10001 -lh $lifetime -ls $lifetime $saadd_algo_args; 63 spdadd $ip_local $ip_peer any -P out ipsec $proto/transport//require; 64 $extra 65 EOF 66 $DEBUG && cat $tmpfile 67 atf_check -s exit:0 -o empty $HIJACKING setkey -c < $tmpfile 68 # XXX it can be expired if $lifetime is very short 69 #check_sa_entries $SOCK_LOCAL $ip_local $ip_peer 70 71 if [ "$update" = sp ]; then 72 extra="spdupdate $ip_peer $ip_local any -P out ipsec $proto/transport//require;" 73 fi 74 75 export RUMP_SERVER=$SOCK_PEER 76 cat > $tmpfile <<-EOF 77 $saadd $ip_local $ip_peer $proto 10000 -lh $lifetime -ls $lifetime $saadd_algo_args; 78 $saadd $ip_peer $ip_local $proto 10001 -lh $lifetime -ls $lifetime $saadd_algo_args; 79 spdadd $ip_peer $ip_local any -P out ipsec $proto/transport//require; 80 $extra 81 EOF 82 $DEBUG && cat $tmpfile 83 atf_check -s exit:0 -o empty $HIJACKING setkey -c < $tmpfile 84 # XXX it can be expired if $lifetime is very short 85 #check_sa_entries $SOCK_PEER $ip_local $ip_peer 86} 87 88test_sad_disapper_until() 89{ 90 local time=$1 91 local check_dead_sa=$2 92 local setkey_opts= 93 local n=$time 94 local tmpfile=./__tmp 95 local sock= ok= 96 97 if $check_dead_sa; then 98 setkey_opts="-D -a" 99 else 100 setkey_opts="-D" 101 fi 102 103 while [ $n -ne 0 ]; do 104 ok=0 105 sleep 1 106 for sock in $SOCK_LOCAL $SOCK_PEER; do 107 export RUMP_SERVER=$sock 108 $HIJACKING setkey $setkey_opts > $tmpfile 109 $DEBUG && cat $tmpfile 110 if grep -q 'No SAD entries.' $tmpfile; then 111 ok=$((ok + 1)) 112 fi 113 done 114 if [ $ok -eq 2 ]; then 115 return 116 fi 117 118 n=$((n - 1)) 119 done 120 121 atf_fail "SAs didn't disappear after $time sec." 122} 123 124test_ipsec4_lifetime() 125{ 126 local proto=$1 127 local algo=$2 128 local ip_local=10.0.0.1 129 local ip_peer=10.0.0.2 130 local outfile=./out 131 local proto_cap=$(echo $proto | tr 'a-z' 'A-Z') 132 local algo_args="$(generate_algo_args $proto $algo)" 133 local lifetime=3 134 local buffertime=2 135 136 rump_server_crypto_start $SOCK_LOCAL netipsec 137 rump_server_crypto_start $SOCK_PEER netipsec 138 rump_server_add_iface $SOCK_LOCAL shmif0 $BUS 139 rump_server_add_iface $SOCK_PEER shmif0 $BUS 140 141 export RUMP_SERVER=$SOCK_LOCAL 142 atf_check -s exit:0 rump.sysctl -q -w net.inet.ip.dad_count=0 143 atf_check -s exit:0 rump.ifconfig shmif0 $ip_local/24 144 #atf_check -s exit:0 -o ignore rump.sysctl -w net.key.debug=0xff 145 146 export RUMP_SERVER=$SOCK_PEER 147 atf_check -s exit:0 rump.sysctl -q -w net.inet.ip.dad_count=0 148 atf_check -s exit:0 rump.ifconfig shmif0 $ip_peer/24 149 #atf_check -s exit:0 -o ignore rump.sysctl -w net.key.debug=0xff 150 151 extract_new_packets $BUS > $outfile 152 153 export RUMP_SERVER=$SOCK_LOCAL 154 atf_check -s exit:0 -o ignore rump.ping -c 1 -n -w 3 $ip_peer 155 156 extract_new_packets $BUS > $outfile 157 atf_check -s exit:0 -o match:"$ip_local > $ip_peer: ICMP echo request" \ 158 cat $outfile 159 atf_check -s exit:0 -o match:"$ip_peer > $ip_local: ICMP echo reply" \ 160 cat $outfile 161 162 # Set up SAs with lifetime 1 sec. 163 setup_sasp $proto "$algo_args" $ip_local $ip_peer 1 164 165 # Check the SAs have been expired 166 test_sad_disapper_until $((1 + $buffertime)) false 167 168 # Clean up SPs 169 export RUMP_SERVER=$SOCK_LOCAL 170 atf_check -s exit:0 -o empty $HIJACKING setkey -F -P 171 export RUMP_SERVER=$SOCK_PEER 172 atf_check -s exit:0 -o empty $HIJACKING setkey -F -P 173 174 # Set up SAs with lifetime with $lifetime 175 setup_sasp $proto "$algo_args" $ip_local $ip_peer $lifetime 176 177 # Use the SAs; this will create a reference from an SP to an SA 178 export RUMP_SERVER=$SOCK_LOCAL 179 atf_check -s exit:0 -o ignore rump.ping -c 1 -n -w 3 $ip_peer 180 181 extract_new_packets $BUS > $outfile 182 atf_check -s exit:0 -o match:"$ip_local > $ip_peer: $proto_cap" \ 183 cat $outfile 184 atf_check -s exit:0 -o match:"$ip_peer > $ip_local: $proto_cap" \ 185 cat $outfile 186 187 # Check the SAs have been expired 188 test_sad_disapper_until $((lifetime + $buffertime)) true 189 190 export RUMP_SERVER=$SOCK_LOCAL 191 atf_check -s not-exit:0 -o match:'0 packets received' \ 192 rump.ping -c 1 -n -w 1 $ip_peer 193 194 test_flush_entries $SOCK_LOCAL 195 test_flush_entries $SOCK_PEER 196} 197 198test_ipsec6_lifetime() 199{ 200 local proto=$1 201 local algo=$2 202 local ip_local=fd00::1 203 local ip_peer=fd00::2 204 local outfile=./out 205 local proto_cap=$(echo $proto | tr 'a-z' 'A-Z') 206 local algo_args="$(generate_algo_args $proto $algo)" 207 local lifetime=3 208 local buffertime=2 209 210 rump_server_crypto_start $SOCK_LOCAL netinet6 netipsec 211 rump_server_crypto_start $SOCK_PEER netinet6 netipsec 212 rump_server_add_iface $SOCK_LOCAL shmif0 $BUS 213 rump_server_add_iface $SOCK_PEER shmif0 $BUS 214 215 export RUMP_SERVER=$SOCK_LOCAL 216 atf_check -s exit:0 rump.sysctl -q -w net.inet6.ip6.dad_count=0 217 atf_check -s exit:0 rump.ifconfig shmif0 inet6 $ip_local 218 219 export RUMP_SERVER=$SOCK_PEER 220 atf_check -s exit:0 rump.sysctl -q -w net.inet6.ip6.dad_count=0 221 atf_check -s exit:0 rump.ifconfig shmif0 inet6 $ip_peer 222 223 extract_new_packets $BUS > $outfile 224 225 export RUMP_SERVER=$SOCK_LOCAL 226 atf_check -s exit:0 -o ignore rump.ping6 -c 1 -n -X 3 $ip_peer 227 228 extract_new_packets $BUS > $outfile 229 atf_check -s exit:0 -o match:"$ip_local > $ip_peer: ICMP6, echo request" \ 230 cat $outfile 231 atf_check -s exit:0 -o match:"$ip_peer > $ip_local: ICMP6, echo reply" \ 232 cat $outfile 233 234 # Set up SAs with lifetime 1 sec. 235 setup_sasp $proto "$algo_args" $ip_local $ip_peer 1 236 237 # Check the SAs have been expired 238 test_sad_disapper_until $((1 + $buffertime)) false 239 240 # Clean up SPs 241 export RUMP_SERVER=$SOCK_LOCAL 242 atf_check -s exit:0 -o empty $HIJACKING setkey -F -P 243 export RUMP_SERVER=$SOCK_PEER 244 atf_check -s exit:0 -o empty $HIJACKING setkey -F -P 245 246 # Set up SAs with lifetime with $lifetime 247 setup_sasp $proto "$algo_args" $ip_local $ip_peer $lifetime 248 249 # Use the SAs; this will create a reference from an SP to an SA 250 export RUMP_SERVER=$SOCK_LOCAL 251 atf_check -s exit:0 -o ignore rump.ping6 -c 1 -n -X 3 $ip_peer 252 253 extract_new_packets $BUS > $outfile 254 atf_check -s exit:0 -o match:"$ip_local > $ip_peer: $proto_cap" \ 255 cat $outfile 256 atf_check -s exit:0 -o match:"$ip_peer > $ip_local: $proto_cap" \ 257 cat $outfile 258 259 # Check the SAs have been expired 260 test_sad_disapper_until $((lifetime + $buffertime)) true 261 262 export RUMP_SERVER=$SOCK_LOCAL 263 atf_check -s not-exit:0 -o match:'0 packets received' \ 264 rump.ping6 -c 1 -n -X 1 $ip_peer 265 266 test_flush_entries $SOCK_LOCAL 267 test_flush_entries $SOCK_PEER 268} 269 270test_lifetime_common() 271{ 272 local ipproto=$1 273 local proto=$2 274 local algo=$3 275 276 if [ $ipproto = ipv4 ]; then 277 test_ipsec4_lifetime $proto $algo 278 else 279 test_ipsec6_lifetime $proto $algo 280 fi 281} 282 283add_test_lifetime() 284{ 285 local ipproto=$1 286 local proto=$2 287 local algo=$3 288 local _algo=$(echo $algo | sed 's/-//g') 289 local name= desc= 290 291 name="ipsec_lifetime_${ipproto}_${proto}_${_algo}" 292 desc="Tests of lifetime of IPsec ($ipproto) with $proto ($algo)" 293 294 atf_test_case ${name} cleanup 295 eval " 296 ${name}_head() { 297 atf_set descr \"$desc\" 298 atf_set require.progs rump_server setkey 299 } 300 ${name}_body() { 301 test_lifetime_common $ipproto $proto $algo 302 rump_server_destroy_ifaces 303 } 304 ${name}_cleanup() { 305 \$DEBUG && dump 306 cleanup 307 } 308 " 309 atf_add_test_case ${name} 310} 311 312test_update() 313{ 314 local proto=$1 315 local algo=$2 316 local update=$3 317 local ip_local=10.0.0.1 318 local ip_peer=10.0.0.2 319 local algo_args="$(generate_algo_args $proto $algo)" 320 local proto_cap=$(echo $proto | tr 'a-z' 'A-Z') 321 local outfile=./out 322 323 rump_server_crypto_start $SOCK_LOCAL netipsec 324 rump_server_crypto_start $SOCK_PEER netipsec 325 rump_server_add_iface $SOCK_LOCAL shmif0 $BUS 326 rump_server_add_iface $SOCK_PEER shmif0 $BUS 327 328 export RUMP_SERVER=$SOCK_LOCAL 329 atf_check -s exit:0 rump.sysctl -q -w net.inet.ip.dad_count=0 330 atf_check -s exit:0 rump.ifconfig shmif0 $ip_local/24 331 332 export RUMP_SERVER=$SOCK_PEER 333 atf_check -s exit:0 rump.sysctl -q -w net.inet.ip.dad_count=0 334 atf_check -s exit:0 rump.ifconfig shmif0 $ip_peer/24 335 336 setup_sasp $proto "$algo_args" $ip_local $ip_peer 100 $update 337 338 extract_new_packets $BUS > $outfile 339 340 export RUMP_SERVER=$SOCK_LOCAL 341 atf_check -s exit:0 -o ignore rump.ping -c 1 -n -w 3 $ip_peer 342 343 extract_new_packets $BUS > $outfile 344 atf_check -s exit:0 -o match:"$ip_local > $ip_peer: $proto_cap" \ 345 cat $outfile 346 atf_check -s exit:0 -o match:"$ip_peer > $ip_local: $proto_cap" \ 347 cat $outfile 348} 349 350add_test_update() 351{ 352 local proto=$1 353 local algo=$2 354 local update=$3 355 local _update=$(echo $update |tr 'a-z' 'A-Z') 356 local _algo=$(echo $algo | sed 's/-//g') 357 local name= desc= 358 359 desc="Tests trying to udpate $_update of $proto ($algo)" 360 name="ipsec_update_${update}_${proto}_${_algo}" 361 362 atf_test_case ${name} cleanup 363 eval " 364 ${name}_head() { 365 atf_set descr \"$desc\" 366 atf_set require.progs rump_server setkey 367 } 368 ${name}_body() { 369 test_update $proto $algo $update 370 rump_server_destroy_ifaces 371 } 372 ${name}_cleanup() { 373 \$DEBUG && dump 374 cleanup 375 } 376 " 377 atf_add_test_case ${name} 378} 379 380test_getspi_update() 381{ 382 local proto=$1 383 local algo=$2 384 local ip_local=10.0.0.1 385 local ip_peer=10.0.0.2 386 local algo_args="$(generate_algo_args $proto $algo)" 387 local proto_cap=$(echo $proto | tr 'a-z' 'A-Z') 388 local outfile=./out 389 390 rump_server_crypto_start $SOCK_LOCAL netipsec 391 rump_server_crypto_start $SOCK_PEER netipsec 392 rump_server_add_iface $SOCK_LOCAL shmif0 $BUS 393 rump_server_add_iface $SOCK_PEER shmif0 $BUS 394 395 export RUMP_SERVER=$SOCK_LOCAL 396 atf_check -s exit:0 rump.sysctl -q -w net.inet.ip.dad_count=0 397 atf_check -s exit:0 rump.ifconfig shmif0 $ip_local/24 398 399 export RUMP_SERVER=$SOCK_PEER 400 atf_check -s exit:0 rump.sysctl -q -w net.inet.ip.dad_count=0 401 atf_check -s exit:0 rump.ifconfig shmif0 $ip_peer/24 402 403 setup_sasp $proto "$algo_args" $ip_local $ip_peer 100 getspi 404 405 extract_new_packets $BUS > $outfile 406 407 export RUMP_SERVER=$SOCK_LOCAL 408 atf_check -s exit:0 -o ignore rump.ping -c 1 -n -w 3 $ip_peer 409 410 extract_new_packets $BUS > $outfile 411 atf_check -s exit:0 -o match:"$ip_local > $ip_peer: $proto_cap" \ 412 cat $outfile 413 atf_check -s exit:0 -o match:"$ip_peer > $ip_local: $proto_cap" \ 414 cat $outfile 415} 416 417add_test_getspi_update() 418{ 419 local proto=$1 420 local algo=$2 421 local _algo=$(echo $algo | sed 's/-//g') 422 local name= desc= 423 424 desc="Tests trying to getspi and udpate SA of $proto ($algo)" 425 name="ipsec_getspi_update_sa_${proto}_${_algo}" 426 427 atf_test_case ${name} cleanup 428 eval " 429 ${name}_head() { 430 atf_set descr \"$desc\" 431 atf_set require.progs rump_server setkey 432 } 433 ${name}_body() { 434 test_getspi_update $proto $algo 435 rump_server_destroy_ifaces 436 } 437 ${name}_cleanup() { 438 \$DEBUG && dump 439 cleanup 440 } 441 " 442 atf_add_test_case ${name} 443} 444 445add_sa() 446{ 447 local proto=$1 448 local algo_args="$2" 449 local ip_local=$3 450 local ip_peer=$4 451 local lifetime=$5 452 local spi=$6 453 local tmpfile=./tmp 454 local extra= 455 456 export RUMP_SERVER=$SOCK_LOCAL 457 cat > $tmpfile <<-EOF 458 add $ip_local $ip_peer $proto $((spi)) -lh $lifetime -ls $lifetime $algo_args; 459 add $ip_peer $ip_local $proto $((spi + 1)) -lh $lifetime -ls $lifetime $algo_args; 460 $extra 461 EOF 462 $DEBUG && cat $tmpfile 463 atf_check -s exit:0 -o empty $HIJACKING setkey -c < $tmpfile 464 $DEBUG && $HIJACKING setkey -D 465 # XXX it can be expired if $lifetime is very short 466 #check_sa_entries $SOCK_LOCAL $ip_local $ip_peer 467 468 export RUMP_SERVER=$SOCK_PEER 469 cat > $tmpfile <<-EOF 470 add $ip_local $ip_peer $proto $((spi)) -lh $lifetime -ls $lifetime $algo_args; 471 add $ip_peer $ip_local $proto $((spi + 1)) -lh $lifetime -ls $lifetime $algo_args; 472 $extra 473 EOF 474 $DEBUG && cat $tmpfile 475 atf_check -s exit:0 -o empty $HIJACKING setkey -c < $tmpfile 476 $DEBUG && $HIJACKING setkey -D 477 # XXX it can be expired if $lifetime is very short 478 #check_sa_entries $SOCK_PEER $ip_local $ip_peer 479} 480 481delete_sa() 482{ 483 local proto=$1 484 local ip_local=$2 485 local ip_peer=$3 486 local spi=$4 487 local tmpfile=./tmp 488 local extra= 489 490 export RUMP_SERVER=$SOCK_LOCAL 491 cat > $tmpfile <<-EOF 492 delete $ip_local $ip_peer $proto $((spi)); 493 delete $ip_peer $ip_local $proto $((spi + 1)); 494 EOF 495 $DEBUG && cat $tmpfile 496 atf_check -s exit:0 -o empty $HIJACKING setkey -c < $tmpfile 497 $DEBUG && $HIJACKING setkey -D 498 499 export RUMP_SERVER=$SOCK_PEER 500 cat > $tmpfile <<-EOF 501 delete $ip_local $ip_peer $proto $((spi)); 502 delete $ip_peer $ip_local $proto $((spi + 1)); 503 EOF 504 $DEBUG && cat $tmpfile 505 atf_check -s exit:0 -o empty $HIJACKING setkey -c < $tmpfile 506 $DEBUG && $HIJACKING setkey -D 507} 508 509check_packet_spi() 510{ 511 local outfile=$1 512 local ip_local=$2 513 local ip_peer=$3 514 local proto=$4 515 local spi=$5 516 local spistr= 517 518 $DEBUG && cat $outfile 519 spistr=$(printf "%08x" $spi) 520 atf_check -s exit:0 \ 521 -o match:"$ip_local > $ip_peer: $proto_cap\(spi=0x$spistr," \ 522 cat $outfile 523 spistr=$(printf "%08x" $((spi + 1))) 524 atf_check -s exit:0 \ 525 -o match:"$ip_peer > $ip_local: $proto_cap\(spi=0x$spistr," \ 526 cat $outfile 527} 528 529wait_sa_disappeared() 530{ 531 local spi=$1 532 local i= 533 534 export RUMP_SERVER=$SOCK_LOCAL 535 for i in $(seq 1 10); do 536 $HIJACKING setkey -D |grep -q "spi=$spi" 537 [ $? != 0 ] && break 538 sleep 1 539 done 540 if [ $i -eq 10 ]; then 541 atf_fail "SA (spi=$spi) didn't disappear in 10s" 542 fi 543 export RUMP_SERVER=$SOCK_PEER 544 for i in $(seq 1 10); do 545 $HIJACKING setkey -D |grep -q "spi=$spi" 546 [ $? != 0 ] && break 547 sleep 1 548 done 549 if [ $i -eq 10 ]; then 550 atf_fail "SA (spi=$spi) didn't disappear in 10s" 551 fi 552} 553 554test_spi() 555{ 556 local proto=$1 557 local algo=$2 558 local preferred=$3 559 local method=$4 560 local ip_local=10.0.0.1 561 local ip_peer=10.0.0.2 562 local algo_args="$(generate_algo_args $proto $algo)" 563 local proto_cap=$(echo $proto | tr 'a-z' 'A-Z') 564 local outfile=./out 565 local spistr= 566 local longtime= shorttime= 567 568 if [ $method = timeout -a $preferred = new ]; then 569 skip_if_qemu 570 fi 571 572 if [ $method = delete ]; then 573 shorttime=100 574 longtime=100 575 else 576 shorttime=3 577 longtime=6 578 fi 579 580 rump_server_crypto_start $SOCK_LOCAL netipsec 581 rump_server_crypto_start $SOCK_PEER netipsec 582 rump_server_add_iface $SOCK_LOCAL shmif0 $BUS 583 rump_server_add_iface $SOCK_PEER shmif0 $BUS 584 585 export RUMP_SERVER=$SOCK_LOCAL 586 atf_check -s exit:0 rump.sysctl -q -w net.inet.ip.dad_count=0 587 atf_check -s exit:0 rump.ifconfig shmif0 $ip_local/24 588 if [ $preferred = old ]; then 589 atf_check -s exit:0 rump.sysctl -q -w net.key.prefered_oldsa=1 590 fi 591 592 export RUMP_SERVER=$SOCK_PEER 593 atf_check -s exit:0 rump.sysctl -q -w net.inet.ip.dad_count=0 594 atf_check -s exit:0 rump.ifconfig shmif0 $ip_peer/24 595 if [ $preferred = old ]; then 596 atf_check -s exit:0 rump.sysctl -q -w net.key.prefered_oldsa=1 597 fi 598 599 setup_sasp $proto "$algo_args" $ip_local $ip_peer 100 600 601 extract_new_packets $BUS > $outfile 602 603 export RUMP_SERVER=$SOCK_LOCAL 604 atf_check -s exit:0 -o ignore rump.ping -c 1 -n -w 3 $ip_peer 605 extract_new_packets $BUS > $outfile 606 check_packet_spi $outfile $ip_local $ip_peer $proto_cap 10000 607 608 # Add a new SA with a different SPI 609 add_sa $proto "$algo_args" $ip_local $ip_peer $longtime 10010 610 611 export RUMP_SERVER=$SOCK_LOCAL 612 atf_check -s exit:0 -o ignore rump.ping -c 1 -n -w 3 $ip_peer 613 extract_new_packets $BUS > $outfile 614 if [ $preferred = old ]; then 615 check_packet_spi $outfile $ip_local $ip_peer $proto_cap 10000 616 else 617 # The new SA is preferred 618 check_packet_spi $outfile $ip_local $ip_peer $proto_cap 10010 619 fi 620 621 # Add another SA with a different SPI 622 add_sa $proto "$algo_args" $ip_local $ip_peer $shorttime 10020 623 624 export RUMP_SERVER=$SOCK_LOCAL 625 atf_check -s exit:0 -o ignore rump.ping -c 1 -n -w 3 $ip_peer 626 extract_new_packets $BUS > $outfile 627 if [ $preferred = old ]; then 628 check_packet_spi $outfile $ip_local $ip_peer $proto_cap 10000 629 else 630 # The newest SA is preferred 631 check_packet_spi $outfile $ip_local $ip_peer $proto_cap 10020 632 fi 633 634 if [ $method = delete ]; then 635 delete_sa $proto $ip_local $ip_peer 10020 636 else 637 wait_sa_disappeared 10020 638 fi 639 640 export RUMP_SERVER=$SOCK_LOCAL 641 atf_check -s exit:0 -o ignore rump.ping -c 1 -n -w 3 $ip_peer 642 extract_new_packets $BUS > $outfile 643 if [ $preferred = old ]; then 644 check_packet_spi $outfile $ip_local $ip_peer $proto_cap 10000 645 else 646 # The newest one is removed and the second one is used 647 check_packet_spi $outfile $ip_local $ip_peer $proto_cap 10010 648 fi 649 650 if [ $method = delete ]; then 651 delete_sa $proto $ip_local $ip_peer 10010 652 else 653 wait_sa_disappeared 10010 654 fi 655 656 export RUMP_SERVER=$SOCK_LOCAL 657 atf_check -s exit:0 -o ignore rump.ping -c 1 -n -w 3 $ip_peer 658 extract_new_packets $BUS > $outfile 659 if [ $preferred = old ]; then 660 check_packet_spi $outfile $ip_local $ip_peer $proto_cap 10000 661 else 662 # The second one is removed and the original one is used 663 check_packet_spi $outfile $ip_local $ip_peer $proto_cap 10000 664 fi 665} 666 667add_test_spi() 668{ 669 local proto=$1 670 local algo=$2 671 local preferred=$3 672 local method=$4 673 local _algo=$(echo $algo | sed 's/-//g') 674 local name= desc= 675 676 desc="Tests SAs with different SPIs of $proto ($algo) ($preferred SA preferred) ($method)" 677 name="ipsec_spi_${proto}_${_algo}_preferred_${preferred}_${method}" 678 679 atf_test_case ${name} cleanup 680 eval " 681 ${name}_head() { 682 atf_set descr \"$desc\" 683 atf_set require.progs rump_server setkey 684 } 685 ${name}_body() { 686 test_spi $proto $algo $preferred $method 687 rump_server_destroy_ifaces 688 } 689 ${name}_cleanup() { 690 \$DEBUG && dump 691 cleanup 692 } 693 " 694 atf_add_test_case ${name} 695} 696 697setup_sp() 698{ 699 local proto=$1 700 local algo_args="$2" 701 local ip_local=$3 702 local ip_peer=$4 703 local tmpfile=./tmp 704 705 export RUMP_SERVER=$SOCK_LOCAL 706 cat > $tmpfile <<-EOF 707 spdadd $ip_local $ip_peer any -P out ipsec $proto/transport//require; 708 spdadd $ip_peer $ip_local any -P in ipsec $proto/transport//require; 709 EOF 710 $DEBUG && cat $tmpfile 711 atf_check -s exit:0 -o empty $HIJACKING setkey -c < $tmpfile 712 check_sp_entries $SOCK_LOCAL $ip_local $ip_peer 713 714 export RUMP_SERVER=$SOCK_PEER 715 cat > $tmpfile <<-EOF 716 spdadd $ip_peer $ip_local any -P out ipsec $proto/transport//require; 717 spdadd $ip_local $ip_peer any -P in ipsec $proto/transport//require; 718 EOF 719 $DEBUG && cat $tmpfile 720 atf_check -s exit:0 -o empty $HIJACKING setkey -c < $tmpfile 721 check_sp_entries $SOCK_PEER $ip_peer $ip_local 722} 723 724test_nosa() 725{ 726 local proto=$1 727 local algo=$2 728 local update=$3 729 local ip_local=10.0.0.1 730 local ip_peer=10.0.0.2 731 local algo_args="$(generate_algo_args $proto $algo)" 732 local proto_cap=$(echo $proto | tr 'a-z' 'A-Z') 733 local outfile=./out 734 735 rump_server_crypto_start $SOCK_LOCAL netipsec 736 rump_server_crypto_start $SOCK_PEER netipsec 737 rump_server_add_iface $SOCK_LOCAL shmif0 $BUS 738 rump_server_add_iface $SOCK_PEER shmif0 $BUS 739 740 export RUMP_SERVER=$SOCK_LOCAL 741 atf_check -s exit:0 rump.sysctl -q -w net.inet.ip.dad_count=0 742 atf_check -s exit:0 rump.ifconfig shmif0 $ip_local/24 743 744 export RUMP_SERVER=$SOCK_PEER 745 atf_check -s exit:0 rump.sysctl -q -w net.inet.ip.dad_count=0 746 atf_check -s exit:0 rump.ifconfig shmif0 $ip_peer/24 747 748 setup_sp $proto "$algo_args" $ip_local $ip_peer 749 750 extract_new_packets $BUS > $outfile 751 752 export RUMP_SERVER=$SOCK_LOCAL 753 # It doesn't work because there is no SA 754 atf_check -s not-exit:0 -o ignore rump.ping -c 1 -n -w 3 $ip_peer 755} 756 757add_test_nosa() 758{ 759 local proto=$1 760 local algo=$2 761 local _algo=$(echo $algo | sed 's/-//g') 762 local name= desc= 763 764 desc="Tests SPs with no relevant SAs with $proto ($algo)" 765 name="ipsec_nosa_${proto}_${_algo}" 766 767 atf_test_case ${name} cleanup 768 eval " 769 ${name}_head() { 770 atf_set descr \"$desc\" 771 atf_set require.progs rump_server setkey 772 } 773 ${name}_body() { 774 test_nosa $proto $algo 775 rump_server_destroy_ifaces 776 } 777 ${name}_cleanup() { 778 \$DEBUG && dump 779 cleanup 780 } 781 " 782 atf_add_test_case ${name} 783} 784 785test_multiple_sa() 786{ 787 local proto=$1 788 local algo=$2 789 local update=$3 790 local ip_local=10.0.0.1 791 local ip_peer=10.0.0.2 792 local ip_peer2=10.0.0.3 793 local algo_args="$(generate_algo_args $proto $algo)" 794 local proto_cap=$(echo $proto | tr 'a-z' 'A-Z') 795 local outfile=./out 796 797 rump_server_crypto_start $SOCK_LOCAL netipsec 798 rump_server_crypto_start $SOCK_PEER netipsec 799 rump_server_add_iface $SOCK_LOCAL shmif0 $BUS 800 rump_server_add_iface $SOCK_PEER shmif0 $BUS 801 802 export RUMP_SERVER=$SOCK_LOCAL 803 atf_check -s exit:0 rump.sysctl -q -w net.inet.ip.dad_count=0 804 atf_check -s exit:0 rump.ifconfig shmif0 $ip_local/24 805 806 export RUMP_SERVER=$SOCK_PEER 807 atf_check -s exit:0 rump.sysctl -q -w net.inet.ip.dad_count=0 808 atf_check -s exit:0 rump.ifconfig shmif0 $ip_peer/24 809 atf_check -s exit:0 rump.ifconfig shmif0 $ip_peer2/24 alias 810 811 setup_sp $proto "$algo_args" "$ip_local" "0.0.0.0/0" 812 813 extract_new_packets $BUS > $outfile 814 815 export RUMP_SERVER=$SOCK_LOCAL 816 # There is no SA, so ping should fail 817 atf_check -s not-exit:0 -o ignore rump.ping -c 1 -n -w 3 $ip_peer 818 atf_check -s not-exit:0 -o ignore rump.ping -c 1 -n -w 3 $ip_peer2 819 820 add_sa $proto "$algo_args" $ip_local $ip_peer 100 10000 821 822 export RUMP_SERVER=$SOCK_LOCAL 823 # There is only an SA for $ip_peer, so ping to $ip_peer2 should fail 824 atf_check -s exit:0 -o ignore rump.ping -c 1 -n -w 3 $ip_peer 825 atf_check -s not-exit:0 -o ignore rump.ping -c 1 -n -w 3 $ip_peer2 826 827 add_sa $proto "$algo_args" $ip_local $ip_peer2 100 10010 828 829 export RUMP_SERVER=$SOCK_LOCAL 830 atf_check -s exit:0 -o ignore rump.ping -c 1 -n -w 3 $ip_peer 831 atf_check -s exit:0 -o ignore rump.ping -c 1 -n -w 3 $ip_peer2 832 833 export RUMP_SERVER=$SOCK_LOCAL 834 atf_check -s exit:0 -o match:"$proto/transport//require" \ 835 $HIJACKING setkey -D -P 836 # Check if the policy isn't modified accidentally 837 atf_check -s exit:0 -o not-match:"$proto/transport/.+\-.+/require" \ 838 $HIJACKING setkey -D -P 839 export RUMP_SERVER=$SOCK_PEER 840 atf_check -s exit:0 -o match:"$proto/transport//require" \ 841 $HIJACKING setkey -D -P 842 # Check if the policy isn't modified accidentally 843 atf_check -s exit:0 -o not-match:"$proto/transport/.+\-.+/require" \ 844 $HIJACKING setkey -D -P 845} 846 847add_test_multiple_sa() 848{ 849 local proto=$1 850 local algo=$2 851 local _algo=$(echo $algo | sed 's/-//g') 852 local name= desc= 853 854 desc="Tests multiple SAs with $proto ($algo)" 855 name="ipsec_multiple_sa_${proto}_${_algo}" 856 857 atf_test_case ${name} cleanup 858 eval " 859 ${name}_head() { 860 atf_set descr \"$desc\" 861 atf_set require.progs rump_server setkey 862 } 863 ${name}_body() { 864 test_multiple_sa $proto $algo 865 rump_server_destroy_ifaces 866 } 867 ${name}_cleanup() { 868 \$DEBUG && dump 869 cleanup 870 } 871 " 872 atf_add_test_case ${name} 873} 874 875atf_init_test_cases() 876{ 877 local algo= 878 879 for algo in $ESP_ENCRYPTION_ALGORITHMS_MINIMUM; do 880 add_test_lifetime ipv4 esp $algo 881 add_test_lifetime ipv6 esp $algo 882 add_test_update esp $algo sa 883 add_test_update esp $algo sp 884 add_test_getspi_update esp $algo 885 add_test_spi esp $algo new delete 886 add_test_spi esp $algo old delete 887 add_test_spi esp $algo new timeout 888 add_test_spi esp $algo old timeout 889 add_test_nosa esp $algo 890 add_test_multiple_sa esp $algo 891 done 892 for algo in $AH_AUTHENTICATION_ALGORITHMS_MINIMUM; do 893 add_test_lifetime ipv4 ah $algo 894 add_test_lifetime ipv6 ah $algo 895 add_test_update ah $algo sa 896 add_test_update ah $algo sp 897 add_test_getspi_update ah $algo 898 add_test_spi ah $algo new delete 899 add_test_spi ah $algo old delete 900 add_test_spi ah $algo new timeout 901 add_test_spi ah $algo old timeout 902 add_test_nosa ah $algo 903 add_test_multiple_sa ah $algo 904 done 905} 906