Wed Jul 5 01:25:03 2017 UTC ()
Add test cases for updating SA/SP

The tests require the newly added update command of setkey.


(ozaki-r)
diff -r1.7 -r1.8 src/tests/net/ipsec/t_ipsec_misc.sh

cvs diff -r1.7 -r1.8 src/tests/net/ipsec/t_ipsec_misc.sh

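--- a/src/tests/net/ipsec/t_ipsec_misc.sh
+++ b/src/tests/net/ipsec/t_ipsec_misc.sh
@@ -1,14 +1,14 @@
-# $NetBSD: t_ipsec_misc.sh,v 1.7 2017/06/19 10:05:04 ozaki-r Exp $
+# $NetBSD: t_ipsec_misc.sh,v 1.8 2017/07/05 01:25:03 ozaki-r Exp $
 #
 # Copyright (c) 2017 Internet Initiative Japan Inc.
 # All rights reserved.
 #
 # Redistribution and use in source and binary forms, with or without
 # modification, are permitted provided that the following conditions
 # are met:
 # 1. Redistributions of source code must retain the above copyright
 # notice, this list of conditions and the following disclaimer.
 # 2. Redistributions in binary form must reproduce the above copyright
 # notice, this list of conditions and the following disclaimer in the
 # documentation and/or other materials provided with the distribution.
 #
@@ -28,44 +28,59 @@
 SOCK_LOCAL=unix://ipsec_local
 SOCK_PEER=unix://ipsec_peer
 BUS=./bus_ipsec
 
 DEBUG=${DEBUG:-true}
 
 setup_sasp()
 {
  local proto=$1
  local algo_args="$2"
  local ip_local=$3
  local ip_peer=$4
  local lifetime=$5
+ local update=$6
  local tmpfile=./tmp
+ local extra=
+
+ if [ "$update" = sa ]; then
+ extra="update $ip_local $ip_peer $proto 10000 $algo_args;
+ update $ip_peer $ip_local $proto 10001 $algo_args;"
+ elif [ "$update" = sp ]; then
+ extra="spdupdate $ip_local $ip_peer any -P out ipsec $proto/transport//require;"
+ fi
 
  export RUMP_SERVER=$SOCK_LOCAL
  cat > $tmpfile <<-EOF
  add $ip_local $ip_peer $proto 10000 -lh $lifetime -ls $lifetime $algo_args;
  add $ip_peer $ip_local $proto 10001 -lh $lifetime -ls $lifetime $algo_args;
  spdadd $ip_local $ip_peer any -P out ipsec $proto/transport//require;
+ $extra
  EOF
  $DEBUG && cat $tmpfile
  atf_check -s exit:0 -o empty $HIJACKING setkey -c < $tmpfile
  # XXX it can be expired if $lifetime is very short
  #check_sa_entries $SOCK_LOCAL $ip_local $ip_peer
 
+ if [ "$update" = sp ]; then
+ extra="spdupdate $ip_peer $ip_local any -P out ipsec $proto/transport//require;"
+ fi
+
  export RUMP_SERVER=$SOCK_PEER
  cat > $tmpfile <<-EOF
  add $ip_local $ip_peer $proto 10000 -lh $lifetime -ls $lifetime $algo_args;
  add $ip_peer $ip_local $proto 10001 -lh $lifetime -ls $lifetime $algo_args;
  spdadd $ip_peer $ip_local any -P out ipsec $proto/transport//require;
+ $extra
  EOF
  $DEBUG && cat $tmpfile
  atf_check -s exit:0 -o empty $HIJACKING setkey -c < $tmpfile
  # XXX it can be expired if $lifetime is very short
  #check_sa_entries $SOCK_PEER $ip_local $ip_peer
 }
 
 test_ipsec4_lifetime()
 {
  local proto=$1
  local algo=$2
  local ip_local=10.0.0.1
  local ip_peer=10.0.0.2
@@ -502,36 +517,108 @@ add_test_tcp()
  }; \
  ${name}_body() { \
  test_tcp_${ipproto} $proto $algo; \
  rump_server_destroy_ifaces; \
  }; \
  ${name}_cleanup() { \
  $DEBUG && dump; \
  cleanup; \
  } \
  "
  atf_add_test_case ${name}
 }
 
+test_update()
+{
+ local proto=$1
+ local algo=$2
+ local update=$3
+ local ip_local=10.0.0.1
+ local ip_peer=10.0.0.2
+ local algo_args="$(generate_algo_args $proto $algo)"
+ local proto_cap=$(echo $proto | tr 'a-z' 'A-Z')
+ local outfile=./out
+
+ rump_server_crypto_start $SOCK_LOCAL netipsec
+ rump_server_crypto_start $SOCK_PEER netipsec
+ rump_server_add_iface $SOCK_LOCAL shmif0 $BUS
+ rump_server_add_iface $SOCK_PEER shmif0 $BUS
+
+ export RUMP_SERVER=$SOCK_LOCAL
+ atf_check -s exit:0 rump.sysctl -q -w net.inet.ip.dad_count=0
+ atf_check -s exit:0 rump.ifconfig shmif0 $ip_local/24
+
+ export RUMP_SERVER=$SOCK_PEER
+ atf_check -s exit:0 rump.sysctl -q -w net.inet.ip.dad_count=0
+ atf_check -s exit:0 rump.ifconfig shmif0 $ip_peer/24
+
+ setup_sasp $proto "$algo_args" $ip_local $ip_peer 100 $update
+
+ extract_new_packets $BUS > $outfile
+
+ export RUMP_SERVER=$SOCK_LOCAL
+ atf_check -s exit:0 -o ignore rump.ping -c 1 -n -w 3 $ip_peer
+
+ extract_new_packets $BUS > $outfile
+ atf_check -s exit:0 -o match:"$ip_local > $ip_peer: $proto_cap" \
+ cat $outfile
+ atf_check -s exit:0 -o match:"$ip_peer > $ip_local: $proto_cap" \
+ cat $outfile
+}
+
+add_test_update()
+{
+ local proto=$1
+ local algo=$2
+ local update=$3
+ local _update=$(echo $update |tr 'a-z' 'A-Z')
+ local _algo=$(echo $algo | sed 's/-//g')
+ local name= desc=
+
+ desc="Tests trying to udpate $_update of $proto ($algo)"
+ name="ipsec_update_${update}_${proto}_${_algo}"
+
+ atf_test_case ${name} cleanup
+ eval " \
+ ${name}_head() { \
+ atf_set \"descr\" \"$desc\"; \
+ atf_set \"require.progs\" \"rump_server\" \"setkey\"; \
+ }; \
+ ${name}_body() { \
+ test_update $proto $algo $update; \
+ rump_server_destroy_ifaces; \
+ }; \
+ ${name}_cleanup() { \
+ $DEBUG && dump; \
+ cleanup; \
+ } \
+ "
+ atf_add_test_case ${name}
+}
+
 atf_init_test_cases()
 {
  local algo=
 
  for algo in $ESP_ENCRYPTION_ALGORITHMS_MINIMUM; do
  add_test_lifetime ipv4 esp $algo
  add_test_lifetime ipv6 esp $algo
  add_test_tcp ipv4 esp $algo
  add_test_tcp ipv6 esp $algo
  add_test_tcp ipv4mappedipv6 esp $algo
+ add_test_update esp $algo sa
+ add_test_update esp $algo sp
  done
  for algo in $AH_AUTHENTICATION_ALGORITHMS_MINIMUM; do
  add_test_lifetime ipv4 ah $algo
  add_test_lifetime ipv6 ah $algo
  add_test_tcp ipv4 ah $algo
  add_test_tcp ipv6 ah $algo
  add_test_tcp ipv4mappedipv6 ah $algo
+ add_test_update ah $algo sa
+ add_test_update ah $algo sp
  done
 
  add_test_tcp ipv4 none
  add_test_tcp ipv6 none
  add_test_tcp ipv4mappedipv6 none
 }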
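Review bot: test_update would still pass if setkey's `update` / `spdupdate` silently did nothing. The `extra` commands built in setup_sasp re-apply the same `$algo_args` and the same `$proto/transport//require` policy that the preceding `add` / `spdadd` lines installed, and the only assertions are setkey's exit status and empty output plus the ping still being carried as `$proto_cap`. The one visible difference is that the `update` lines omit `-lh $lifetime -ls $lifetime`, but nothing checks the resulting SA. Consider asserting on the SAD/SPD dump after the update, e.g. `atf_check -s exit:0 -o match:"<field expected to change>" $HIJACKING setkey -D` (and `setkey -DP` for the `sp` case), so a regression that leaves a stale SA or policy in place is caught. Separately, the description string in add_test_update misspells "update": `desc="Tests trying to update $_update of $proto ($algo)"`.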