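--- a/t_ipsec_misc.sh
+++ b/t_ipsec_misc.sh
@@ -1,14 +1,14 @@
-# $NetBSD: t_ipsec_misc.sh,v 1.7 2017/06/19 10:05:04 ozaki-r Exp $
+# $NetBSD: t_ipsec_misc.sh,v 1.8 2017/07/05 01:25:03 ozaki-r Exp $
 #
 # Copyright (c) 2017 Internet Initiative Japan Inc.
 # All rights reserved.
 #
 # Redistribution and use in source and binary forms, with or without
 # modification, are permitted provided that the following conditions
 # are met:
 # 1. Redistributions of source code must retain the above copyright
 # notice, this list of conditions and the following disclaimer.
 # 2. Redistributions in binary form must reproduce the above copyright
 # notice, this list of conditions and the following disclaimer in the
 # documentation and/or other materials provided with the distribution.
 #
@@ -28,44 +28,59 @@
 SOCK_LOCAL=unix://ipsec_local
 SOCK_PEER=unix://ipsec_peer
 BUS=./bus_ipsec
 
 DEBUG=${DEBUG:-true}
 
 setup_sasp()
 {
 local proto=$1
 local algo_args="$2"
 local ip_local=$3
 local ip_peer=$4
 local lifetime=$5
+local update=$6
 local tmpfile=./tmp
+local extra=
+
+if [ "$update" = sa ]; then
+extra="update $ip_local $ip_peer $proto 10000 $algo_args;
+update $ip_peer $ip_local $proto 10001 $algo_args;"
+elif [ "$update" = sp ]; then
+extra="spdupdate $ip_local $ip_peer any -P out ipsec $proto/transport//require;"
+fi
 
 export RUMP_SERVER=$SOCK_LOCAL
 cat > $tmpfile <<-EOF
 add $ip_local $ip_peer $proto 10000 -lh $lifetime -ls $lifetime $algo_args;
 add $ip_peer $ip_local $proto 10001 -lh $lifetime -ls $lifetime $algo_args;
 spdadd $ip_local $ip_peer any -P out ipsec $proto/transport//require;
+$extra
 EOF
 $DEBUG && cat $tmpfile
 atf_check -s exit:0 -o empty $HIJACKING setkey -c < $tmpfile
 # XXX it can be expired if $lifetime is very short
 #check_sa_entries $SOCK_LOCAL $ip_local $ip_peer
 
+if [ "$update" = sp ]; then
+extra="spdupdate $ip_peer $ip_local any -P out ipsec $proto/transport//require;"
+fi
+
 export RUMP_SERVER=$SOCK_PEER
 cat > $tmpfile <<-EOF
 add $ip_local $ip_peer $proto 10000 -lh $lifetime -ls $lifetime $algo_args;
 add $ip_peer $ip_local $proto 10001 -lh $lifetime -ls $lifetime $algo_args;
 spdadd $ip_peer $ip_local any -P out ipsec $proto/transport//require;
+$extra
 EOF
 $DEBUG && cat $tmpfile
 atf_check -s exit:0 -o empty $HIJACKING setkey -c < $tmpfile
 # XXX it can be expired if $lifetime is very short
 #check_sa_entries $SOCK_PEER $ip_local $ip_peer
 }
 
 test_ipsec4_lifetime()
 {
 local proto=$1
 local algo=$2
 local ip_local=10.0.0.1
 local ip_peer=10.0.0.2
@@ -502,36 +517,108 @@ add_test_tcp()
 }; \
 ${name}_body() { \
 test_tcp_${ipproto} $proto $algo; \
 rump_server_destroy_ifaces; \
 }; \
 ${name}_cleanup() { \
 $DEBUG && dump; \
 cleanup; \
 } \
 "
 atf_add_test_case ${name}
 }
 
+test_update()
+{
+local proto=$1
+local algo=$2
+local update=$3
+local ip_local=10.0.0.1
+local ip_peer=10.0.0.2
+local algo_args="$(generate_algo_args $proto $algo)"
+local proto_cap=$(echo $proto | tr 'a-z' 'A-Z')
+local outfile=./out
+
+rump_server_crypto_start $SOCK_LOCAL netipsec
+rump_server_crypto_start $SOCK_PEER netipsec
+rump_server_add_iface $SOCK_LOCAL shmif0 $BUS
+rump_server_add_iface $SOCK_PEER shmif0 $BUS
+
+export RUMP_SERVER=$SOCK_LOCAL
+atf_check -s exit:0 rump.sysctl -q -w net.inet.ip.dad_count=0
+atf_check -s exit:0 rump.ifconfig shmif0 $ip_local/24
+
+export RUMP_SERVER=$SOCK_PEER
+atf_check -s exit:0 rump.sysctl -q -w net.inet.ip.dad_count=0
+atf_check -s exit:0 rump.ifconfig shmif0 $ip_peer/24
+
+setup_sasp $proto "$algo_args" $ip_local $ip_peer 100 $update
+
+extract_new_packets $BUS > $outfile
+
+export RUMP_SERVER=$SOCK_LOCAL
+atf_check -s exit:0 -o ignore rump.ping -c 1 -n -w 3 $ip_peer
+
+extract_new_packets $BUS > $outfile
+atf_check -s exit:0 -o match:"$ip_local > $ip_peer: $proto_cap" \
+cat $outfile
+atf_check -s exit:0 -o match:"$ip_peer > $ip_local: $proto_cap" \
+cat $outfile
+}
+
+add_test_update()
+{
+local proto=$1
+local algo=$2
+local update=$3
+local _update=$(echo $update |tr 'a-z' 'A-Z')
+local _algo=$(echo $algo | sed 's/-//g')
+local name= desc=
+
+desc="Tests trying to udpate $_update of $proto ($algo)"
+name="ipsec_update_${update}_${proto}_${_algo}"
+
+atf_test_case ${name} cleanup
+eval " \
+${name}_head() { \
+atf_set \"descr\" \"$desc\"; \
+atf_set \"require.progs\" \"rump_server\" \"setkey\"; \
+}; \
+${name}_body() { \
+test_update $proto $algo $update; \
+rump_server_destroy_ifaces; \
+}; \
+${name}_cleanup() { \
+$DEBUG && dump; \
+cleanup; \
+} \
+"
+atf_add_test_case ${name}
+}
+
 atf_init_test_cases()
 {
 local algo=
 
 for algo in $ESP_ENCRYPTION_ALGORITHMS_MINIMUM; do
 add_test_lifetime ipv4 esp $algo
 add_test_lifetime ipv6 esp $algo
 add_test_tcp ipv4 esp $algo
 add_test_tcp ipv6 esp $algo
 add_test_tcp ipv4mappedipv6 esp $algo
+add_test_update esp $algo sa
+add_test_update esp $algo sp
 done
 for algo in $AH_AUTHENTICATION_ALGORITHMS_MINIMUM; do
 add_test_lifetime ipv4 ah $algo
 add_test_lifetime ipv6 ah $algo
 add_test_tcp ipv4 ah $algo
 add_test_tcp ipv6 ah $algo
 add_test_tcp ipv4mappedipv6 ah $algo
+add_test_update ah $algo sa
+add_test_update ah $algo sp
 done
 
 add_test_tcp ipv4 none
 add_test_tcp ipv6 none
 add_test_tcp ipv4mappedipv6 none
 }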
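Review bot: test_update only proves that traffic still flows after `setkey update`/`spdupdate`, not that the update actually replaced anything, because the `update` and `spdupdate` entries that setup_sasp appends via `$extra` carry exactly the same SPI, algorithm arguments and policy as the `add`/`spdadd` lines right above them, so a kernel that silently ignored the update would still pass. Giving the updated entries a distinguishable attribute, e.g. `update $ip_local $ip_peer $proto 10000 -lh $((lifetime * 2)) -ls $((lifetime * 2)) $algo_args;`, and then asserting on the SAD dump in test_update with `atf_check -s exit:0 -o match:"<expected lifetime pattern>" $HIJACKING setkey -D` would make the test sensitive to the update being applied. As written, the `sa` case appears to re-create both SAs without the `-lh`/`-ls` lifetime the preceding `add` set, so if dropping the lifetime on update is intended it deserves a comment on the `extra=` assignment in setup_sasp, and if not, the lifetime should be passed through. Separately, the user-visible test description in add_test_update has a typo and should read `desc="Tests trying to update $_update of $proto ($algo)"`.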