# $NetBSD: t_ipsec_misc.sh,v 1.25 2022/01/07 22:59:32 andvar Exp $
#
# Copyright (c) 2017 Internet Initiative Japan Inc.
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
# 1. Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# 2. Redistributions in binary form must reproduce the above copyright
# notice, this list of conditions and the following disclaimer in the
# documentation and/or other materials provided with the distribution.
#
# THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
# ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
# TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
# POSSIBILITY OF SUCH DAMAGE.
#
SOCK_LOCAL=unix://ipsec_local
SOCK_PEER=unix://ipsec_peer
BUS=./bus_ipsec
DEBUG=${DEBUG:-true}
setup_sasp()
{
local proto=$1
local algo_args="$2"
local ip_local=$3
local ip_peer=$4
local lifetime=$5
local update=$6
local tmpfile=./tmp
local saadd=add
local saadd_algo_args="$algo_args"
local extra=
if [ "$update" = getspi ]; then
saadd=getspi
saadd_algo_args=
fi
if [ "$update" = sa -o "$update" = getspi ]; then
extra="update $ip_local $ip_peer $proto 10000 $algo_args;
update $ip_peer $ip_local $proto 10001 $algo_args;"
elif [ "$update" = sp ]; then
extra="spdupdate $ip_local $ip_peer any -P out ipsec $proto/transport//require;"
fi
export RUMP_SERVER=$SOCK_LOCAL
cat > $tmpfile <<-EOF
$saadd $ip_local $ip_peer $proto 10000 -lh $lifetime -ls $lifetime $saadd_algo_args;
$saadd $ip_peer $ip_local $proto 10001 -lh $lifetime -ls $lifetime $saadd_algo_args;
spdadd $ip_local $ip_peer any -P out ipsec $proto/transport//require;
$extra
EOF
$DEBUG && cat $tmpfile
atf_check -s exit:0 -o empty $HIJACKING setkey -c < $tmpfile
# XXX it can be expired if $lifetime is very short
#check_sa_entries $SOCK_LOCAL $ip_local $ip_peer
if [ "$update" = sp ]; then
extra="spdupdate $ip_peer $ip_local any -P out ipsec $proto/transport//require;"
fi
export RUMP_SERVER=$SOCK_PEER
cat > $tmpfile <<-EOF
$saadd $ip_local $ip_peer $proto 10000 -lh $lifetime -ls $lifetime $saadd_algo_args;
$saadd $ip_peer $ip_local $proto 10001 -lh $lifetime -ls $lifetime $saadd_algo_args;
spdadd $ip_peer $ip_local any -P out ipsec $proto/transport//require;
$extra
EOF
$DEBUG && cat $tmpfile
atf_check -s exit:0 -o empty $HIJACKING setkey -c < $tmpfile
# XXX it can be expired if $lifetime is very short
#check_sa_entries $SOCK_PEER $ip_local $ip_peer
}
test_sad_disapper_until()
{
local time=$1
local check_dead_sa=$2
local setkey_opts=
local n=$time
local tmpfile=./__tmp
local sock= ok=
if $check_dead_sa; then
setkey_opts="-D -a"
else
setkey_opts="-D"
fi
while [ $n -ne 0 ]; do
ok=0
sleep 1
for sock in $SOCK_LOCAL $SOCK_PEER; do
export RUMP_SERVER=$sock
$HIJACKING setkey $setkey_opts > $tmpfile
$DEBUG && cat $tmpfile
if grep -q 'No SAD entries.' $tmpfile; then
ok=$((ok + 1))
fi
done
if [ $ok -eq 2 ]; then
return
fi
n=$((n - 1))
done
atf_fail "SAs didn't disappear after $time sec."
}
test_ipsec4_lifetime()
{
local proto=$1
local algo=$2
local ip_local=10.0.0.1
local ip_peer=10.0.0.2
local outfile=./out
local proto_cap=$(echo $proto | tr 'a-z' 'A-Z')
local algo_args="$(generate_algo_args $proto $algo)"
local lifetime=3
local buffertime=2
rump_server_crypto_start $SOCK_LOCAL netipsec
rump_server_crypto_start $SOCK_PEER netipsec
rump_server_add_iface $SOCK_LOCAL shmif0 $BUS
rump_server_add_iface $SOCK_PEER shmif0 $BUS
export RUMP_SERVER=$SOCK_LOCAL
atf_check -s exit:0 rump.sysctl -q -w net.inet.ip.dad_count=0
atf_check -s exit:0 rump.ifconfig shmif0 $ip_local/24
#atf_check -s exit:0 -o ignore rump.sysctl -w net.key.debug=0xff
export RUMP_SERVER=$SOCK_PEER
atf_check -s exit:0 rump.sysctl -q -w net.inet.ip.dad_count=0
atf_check -s exit:0 rump.ifconfig shmif0 $ip_peer/24
#atf_check -s exit:0 -o ignore rump.sysctl -w net.key.debug=0xff
extract_new_packets $BUS > $outfile
export RUMP_SERVER=$SOCK_LOCAL
atf_check -s exit:0 -o ignore rump.ping -c 1 -n -w 3 $ip_peer
extract_new_packets $BUS > $outfile
atf_check -s exit:0 -o match:"$ip_local > $ip_peer: ICMP echo request" \
cat $outfile
atf_check -s exit:0 -o match:"$ip_peer > $ip_local: ICMP echo reply" \
cat $outfile
# Set up SAs with lifetime 1 sec.
setup_sasp $proto "$algo_args" $ip_local $ip_peer 1
# Check the SAs have been expired
test_sad_disapper_until $((1 + $buffertime)) false
# Clean up SPs
export RUMP_SERVER=$SOCK_LOCAL
atf_check -s exit:0 -o empty $HIJACKING setkey -F -P
export RUMP_SERVER=$SOCK_PEER
atf_check -s exit:0 -o empty $HIJACKING setkey -F -P
# Set up SAs with lifetime with $lifetime
setup_sasp $proto "$algo_args" $ip_local $ip_peer $lifetime
# Use the SAs; this will create a reference from an SP to an SA
export RUMP_SERVER=$SOCK_LOCAL
atf_check -s exit:0 -o ignore rump.ping -c 1 -n -w 3 $ip_peer
extract_new_packets $BUS > $outfile
atf_check -s exit:0 -o match:"$ip_local > $ip_peer: $proto_cap" \
cat $outfile
atf_check -s exit:0 -o match:"$ip_peer > $ip_local: $proto_cap" \
cat $outfile
# Check the SAs have been expired
test_sad_disapper_until $((lifetime + $buffertime)) true
export RUMP_SERVER=$SOCK_LOCAL
atf_check -s not-exit:0 -o match:'0 packets received' \
rump.ping -c 1 -n -w 1 $ip_peer
test_flush_entries $SOCK_LOCAL
test_flush_entries $SOCK_PEER
}
test_ipsec6_lifetime()
{
local proto=$1
local algo=$2
local ip_local=fd00::1
local ip_peer=fd00::2
local outfile=./out
local proto_cap=$(echo $proto | tr 'a-z' 'A-Z')
local algo_args="$(generate_algo_args $proto $algo)"
local lifetime=3
local buffertime=2
rump_server_crypto_start $SOCK_LOCAL netinet6 netipsec
rump_server_crypto_start $SOCK_PEER netinet6 netipsec
rump_server_add_iface $SOCK_LOCAL shmif0 $BUS
rump_server_add_iface $SOCK_PEER shmif0 $BUS
export RUMP_SERVER=$SOCK_LOCAL
atf_check -s exit:0 rump.sysctl -q -w net.inet6.ip6.dad_count=0
atf_check -s exit:0 rump.ifconfig shmif0 inet6 $ip_local
export RUMP_SERVER=$SOCK_PEER
atf_check -s exit:0 rump.sysctl -q -w net.inet6.ip6.dad_count=0
atf_check -s exit:0 rump.ifconfig shmif0 inet6 $ip_peer
extract_new_packets $BUS > $outfile
export RUMP_SERVER=$SOCK_LOCAL
atf_check -s exit:0 -o ignore rump.ping6 -c 1 -n -X 3 $ip_peer
extract_new_packets $BUS > $outfile
atf_check -s exit:0 -o match:"$ip_local > $ip_peer: ICMP6, echo request" \
cat $outfile
atf_check -s exit:0 -o match:"$ip_peer > $ip_local: ICMP6, echo reply" \
cat $outfile
# Set up SAs with lifetime 1 sec.
setup_sasp $proto "$algo_args" $ip_local $ip_peer 1
# Check the SAs have been expired
test_sad_disapper_until $((1 + $buffertime)) false
# Clean up SPs
export RUMP_SERVER=$SOCK_LOCAL
atf_check -s exit:0 -o empty $HIJACKING setkey -F -P
export RUMP_SERVER=$SOCK_PEER
atf_check -s exit:0 -o empty $HIJACKING setkey -F -P
# Set up SAs with lifetime with $lifetime
setup_sasp $proto "$algo_args" $ip_local $ip_peer $lifetime
# Use the SAs; this will create a reference from an SP to an SA
export RUMP_SERVER=$SOCK_LOCAL
atf_check -s exit:0 -o ignore rump.ping6 -c 1 -n -X 3 $ip_peer
extract_new_packets $BUS > $outfile
atf_check -s exit:0 -o match:"$ip_local > $ip_peer: $proto_cap" \
cat $outfile
atf_check -s exit:0 -o match:"$ip_peer > $ip_local: $proto_cap" \
cat $outfile
# Check the SAs have been expired
test_sad_disapper_until $((lifetime + $buffertime)) true
export RUMP_SERVER=$SOCK_LOCAL
atf_check -s not-exit:0 -o match:'0 packets received' \
rump.ping6 -c 1 -n -X 1 $ip_peer
test_flush_entries $SOCK_LOCAL
test_flush_entries $SOCK_PEER
}
test_lifetime_common()
{
local ipproto=$1
local proto=$2
local algo=$3
if [ $ipproto = ipv4 ]; then
test_ipsec4_lifetime $proto $algo
else
test_ipsec6_lifetime $proto $algo
fi
}
add_test_lifetime()
{
local ipproto=$1
local proto=$2
local algo=$3
local _algo=$(echo $algo | sed 's/-//g')
local name= desc=
name="ipsec_lifetime_${ipproto}_${proto}_${_algo}"
desc="Tests of lifetime of IPsec ($ipproto) with $proto ($algo)"
atf_test_case ${name} cleanup
eval "
${name}_head() {
atf_set descr \"$desc\"
atf_set require.progs rump_server setkey
}
${name}_body() {
test_lifetime_common $ipproto $proto $algo
rump_server_destroy_ifaces
}
${name}_cleanup() {
\$DEBUG && dump
cleanup
}
"
atf_add_test_case ${name}
}
test_update()
{
local proto=$1
local algo=$2
local update=$3
local ip_local=10.0.0.1
local ip_peer=10.0.0.2
local algo_args="$(generate_algo_args $proto $algo)"
local proto_cap=$(echo $proto | tr 'a-z' 'A-Z')
local outfile=./out
rump_server_crypto_start $SOCK_LOCAL netipsec
rump_server_crypto_start $SOCK_PEER netipsec
rump_server_add_iface $SOCK_LOCAL shmif0 $BUS
rump_server_add_iface $SOCK_PEER shmif0 $BUS
export RUMP_SERVER=$SOCK_LOCAL
atf_check -s exit:0 rump.sysctl -q -w net.inet.ip.dad_count=0
atf_check -s exit:0 rump.ifconfig shmif0 $ip_local/24
export RUMP_SERVER=$SOCK_PEER
atf_check -s exit:0 rump.sysctl -q -w net.inet.ip.dad_count=0
atf_check -s exit:0 rump.ifconfig shmif0 $ip_peer/24
setup_sasp $proto "$algo_args" $ip_local $ip_peer 100 $update
extract_new_packets $BUS > $outfile
export RUMP_SERVER=$SOCK_LOCAL
atf_check -s exit:0 -o ignore rump.ping -c 1 -n -w 3 $ip_peer
extract_new_packets $BUS > $outfile
atf_check -s exit:0 -o match:"$ip_local > $ip_peer: $proto_cap" \
cat $outfile
atf_check -s exit:0 -o match:"$ip_peer > $ip_local: $proto_cap" \
cat $outfile
}
add_test_update()
{
local proto=$1
local algo=$2
local update=$3
local _update=$(echo $update |tr 'a-z' 'A-Z')
local _algo=$(echo $algo | sed 's/-//g')
local name= desc=
desc="Tests trying to update $_update of $proto ($algo)"
name="ipsec_update_${update}_${proto}_${_algo}"
atf_test_case ${name} cleanup
eval "
${name}_head() {
atf_set descr \"$desc\"
atf_set require.progs rump_server setkey
}
${name}_body() {
test_update $proto $algo $update
rump_server_destroy_ifaces
}
${name}_cleanup() {
\$DEBUG && dump
cleanup
}
"
atf_add_test_case ${name}
}
test_getspi_update()
{
local proto=$1
local algo=$2
local ip_local=10.0.0.1
local ip_peer=10.0.0.2
local algo_args="$(generate_algo_args $proto $algo)"
local proto_cap=$(echo $proto | tr 'a-z' 'A-Z')
local outfile=./out
rump_server_crypto_start $SOCK_LOCAL netipsec
rump_server_crypto_start $SOCK_PEER netipsec
rump_server_add_iface $SOCK_LOCAL shmif0 $BUS
rump_server_add_iface $SOCK_PEER shmif0 $BUS
export RUMP_SERVER=$SOCK_LOCAL
atf_check -s exit:0 rump.sysctl -q -w net.inet.ip.dad_count=0
atf_check -s exit:0 rump.ifconfig shmif0 $ip_local/24
export RUMP_SERVER=$SOCK_PEER
atf_check -s exit:0 rump.sysctl -q -w net.inet.ip.dad_count=0
atf_check -s exit:0 rump.ifconfig shmif0 $ip_peer/24
setup_sasp $proto "$algo_args" $ip_local $ip_peer 100 getspi
extract_new_packets $BUS > $outfile
export RUMP_SERVER=$SOCK_LOCAL
atf_check -s exit:0 -o ignore rump.ping -c 1 -n -w 3 $ip_peer
extract_new_packets $BUS > $outfile
atf_check -s exit:0 -o match:"$ip_local > $ip_peer: $proto_cap" \
cat $outfile
atf_check -s exit:0 -o match:"$ip_peer > $ip_local: $proto_cap" \
cat $outfile
}
add_test_getspi_update()
{
local proto=$1
local algo=$2
local _algo=$(echo $algo | sed 's/-//g')
local name= desc=
desc="Tests trying to getspi and update SA of $proto ($algo)"
name="ipsec_getspi_update_sa_${proto}_${_algo}"
atf_test_case ${name} cleanup
eval "
${name}_head() {
atf_set descr \"$desc\"
atf_set require.progs rump_server setkey
}
${name}_body() {
test_getspi_update $proto $algo
rump_server_destroy_ifaces
}
${name}_cleanup() {
\$DEBUG && dump
cleanup
}
"
atf_add_test_case ${name}
}
add_sa()
{
local proto=$1
local algo_args="$2"
local ip_local=$3
local ip_peer=$4
local lifetime=$5
local spi=$6
local tmpfile=./tmp
local extra=
export RUMP_SERVER=$SOCK_LOCAL
cat > $tmpfile <<-EOF
add $ip_local $ip_peer $proto $((spi)) -lh $lifetime -ls $lifetime $algo_args;
add $ip_peer $ip_local $proto $((spi + 1)) -lh $lifetime -ls $lifetime $algo_args;
$extra
EOF
$DEBUG && cat $tmpfile
atf_check -s exit:0 -o empty $HIJACKING setkey -c < $tmpfile
$DEBUG && $HIJACKING setkey -D
# XXX it can be expired if $lifetime is very short
#check_sa_entries $SOCK_LOCAL $ip_local $ip_peer
export RUMP_SERVER=$SOCK_PEER
cat > $tmpfile <<-EOF
add $ip_local $ip_peer $proto $((spi)) -lh $lifetime -ls $lifetime $algo_args;
add $ip_peer $ip_local $proto $((spi + 1)) -lh $lifetime -ls $lifetime $algo_args;
$extra
EOF
$DEBUG && cat $tmpfile
atf_check -s exit:0 -o empty $HIJACKING setkey -c < $tmpfile
$DEBUG && $HIJACKING setkey -D
# XXX it can be expired if $lifetime is very short
#check_sa_entries $SOCK_PEER $ip_local $ip_peer
}
delete_sa()
{
local proto=$1
local ip_local=$2
local ip_peer=$3
local spi=$4
local tmpfile=./tmp
local extra=
export RUMP_SERVER=$SOCK_LOCAL
cat > $tmpfile <<-EOF
delete $ip_local $ip_peer $proto $((spi));
delete $ip_peer $ip_local $proto $((spi + 1));
EOF
$DEBUG && cat $tmpfile
atf_check -s exit:0 -o empty $HIJACKING setkey -c < $tmpfile
$DEBUG && $HIJACKING setkey -D
export RUMP_SERVER=$SOCK_PEER
cat > $tmpfile <<-EOF
delete $ip_local $ip_peer $proto $((spi));
delete $ip_peer $ip_local $proto $((spi + 1));
EOF
$DEBUG && cat $tmpfile
atf_check -s exit:0 -o empty $HIJACKING setkey -c < $tmpfile
$DEBUG && $HIJACKING setkey -D
}
check_packet_spi()
{
local outfile=$1
local ip_local=$2
local ip_peer=$3
local proto=$4
local spi=$5
local spistr=
$DEBUG && cat $outfile
spistr=$(printf "%08x" $spi)
atf_check -s exit:0 \
-o match:"$ip_local > $ip_peer: $proto_cap\(spi=0x$spistr," \
cat $outfile
spistr=$(printf "%08x" $((spi + 1)))
atf_check -s exit:0 \
-o match:"$ip_peer > $ip_local: $proto_cap\(spi=0x$spistr," \
cat $outfile
}
wait_sa_disappeared()
{
local spi=$1
local i=
export RUMP_SERVER=$SOCK_LOCAL
for i in $(seq 1 10); do
$HIJACKING setkey -D |grep -q "spi=$spi"
[ $? != 0 ] && break
sleep 1
done
if [ $i -eq 10 ]; then
atf_fail "SA (spi=$spi) didn't disappear in 10s"
fi
export RUMP_SERVER=$SOCK_PEER
for i in $(seq 1 10); do
$HIJACKING setkey -D |grep -q "spi=$spi"
[ $? != 0 ] && break
sleep 1
done
if [ $i -eq 10 ]; then
atf_fail "SA (spi=$spi) didn't disappear in 10s"
fi
}
test_spi()
{
local proto=$1
local algo=$2
local preferred=$3
local method=$4
local ip_local=10.0.0.1
local ip_peer=10.0.0.2
local algo_args="$(generate_algo_args $proto $algo)"
local proto_cap=$(echo $proto | tr 'a-z' 'A-Z')
local outfile=./out
local spistr=
local longtime= shorttime=
if [ $method = timeout ]; then
atf_skip \
"PR 55632: test fails randomly, leaving spurious rump_server around"
fi
if [ $method = timeout -a $preferred = new ]; then
skip_if_qemu
fi
if [ $method = delete ]; then
shorttime=100
longtime=100
else
shorttime=3
longtime=6
fi
rump_server_crypto_start $SOCK_LOCAL netipsec
rump_server_crypto_start $SOCK_PEER netipsec
rump_server_add_iface $SOCK_LOCAL shmif0 $BUS
rump_server_add_iface $SOCK_PEER shmif0 $BUS
export RUMP_SERVER=$SOCK_LOCAL
atf_check -s exit:0 rump.sysctl -q -w net.inet.ip.dad_count=0
atf_check -s exit:0 rump.ifconfig shmif0 $ip_local/24
if [ $preferred = old ]; then
atf_check -s exit:0 rump.sysctl -q -w net.key.prefered_oldsa=1
fi
export RUMP_SERVER=$SOCK_PEER
atf_check -s exit:0 rump.sysctl -q -w net.inet.ip.dad_count=0
atf_check -s exit:0 rump.ifconfig shmif0 $ip_peer/24
if [ $preferred = old ]; then
atf_check -s exit:0 rump.sysctl -q -w net.key.prefered_oldsa=1
fi
setup_sasp $proto "$algo_args" $ip_local $ip_peer 100
extract_new_packets $BUS > $outfile
export RUMP_SERVER=$SOCK_LOCAL
atf_check -s exit:0 -o ignore rump.ping -c 1 -n -w 3 $ip_peer
extract_new_packets $BUS > $outfile
check_packet_spi $outfile $ip_local $ip_peer $proto_cap 10000
# Add a new SA with a different SPI
add_sa $proto "$algo_args" $ip_local $ip_peer $longtime 10010
export RUMP_SERVER=$SOCK_LOCAL
atf_check -s exit:0 -o ignore rump.ping -c 1 -n -w 3 $ip_peer
extract_new_packets $BUS > $outfile
if [ $preferred = old ]; then
check_packet_spi $outfile $ip_local $ip_peer $proto_cap 10000
else
# The new SA is preferred
check_packet_spi $outfile $ip_local $ip_peer $proto_cap 10010
fi
# Add another SA with a different SPI
add_sa $proto "$algo_args" $ip_local $ip_peer $shorttime 10020
export RUMP_SERVER=$SOCK_LOCAL
atf_check -s exit:0 -o ignore rump.ping -c 1 -n -w 3 $ip_peer
extract_new_packets $BUS > $outfile
if [ $preferred = old ]; then
check_packet_spi $outfile $ip_local $ip_peer $proto_cap 10000
else
# The newest SA is preferred
check_packet_spi $outfile $ip_local $ip_peer $proto_cap 10020
fi
if [ $method = delete ]; then
delete_sa $proto $ip_local $ip_peer 10020
else
wait_sa_disappeared 10020
fi
export RUMP_SERVER=$SOCK_LOCAL
atf_check -s exit:0 -o ignore rump.ping -c 1 -n -w 3 $ip_peer
extract_new_packets $BUS > $outfile
if [ $preferred = old ]; then
check_packet_spi $outfile $ip_local $ip_peer $proto_cap 10000
else
# The newest one is removed and the second one is used
check_packet_spi $outfile $ip_local $ip_peer $proto_cap 10010
fi
if [ $method = delete ]; then
delete_sa $proto $ip_local $ip_peer 10010
else
wait_sa_disappeared 10010
fi
export RUMP_SERVER=$SOCK_LOCAL
atf_check -s exit:0 -o ignore rump.ping -c 1 -n -w 3 $ip_peer
extract_new_packets $BUS > $outfile
if [ $preferred = old ]; then
check_packet_spi $outfile $ip_local $ip_peer $proto_cap 10000
else
# The second one is removed and the original one is used
check_packet_spi $outfile $ip_local $ip_peer $proto_cap 10000
fi
}
add_test_spi()
{
local proto=$1
local algo=$2
local preferred=$3
local method=$4
local _algo=$(echo $algo | sed 's/-//g')
local name= desc=
desc="Tests SAs with different SPIs of $proto ($algo) ($preferred SA preferred) ($method)"
name="ipsec_spi_${proto}_${_algo}_preferred_${preferred}_${method}"
atf_test_case ${name} cleanup
eval "
${name}_head() {
atf_set descr \"$desc\"
atf_set require.progs rump_server setkey
}
${name}_body() {
test_spi $proto $algo $preferred $method
rump_server_destroy_ifaces
}
${name}_cleanup() {
\$DEBUG && dump
cleanup
}
"
atf_add_test_case ${name}
}
setup_sp()
{
local proto=$1
local algo_args="$2"
local ip_local=$3
local ip_peer=$4
local tmpfile=./tmp
export RUMP_SERVER=$SOCK_LOCAL
cat > $tmpfile <<-EOF
spdadd $ip_local $ip_peer any -P out ipsec $proto/transport//require;
spdadd $ip_peer $ip_local any -P in ipsec $proto/transport//require;
EOF
$DEBUG && cat $tmpfile
atf_check -s exit:0 -o empty $HIJACKING setkey -c < $tmpfile
check_sp_entries $SOCK_LOCAL $ip_local $ip_peer
export RUMP_SERVER=$SOCK_PEER
cat > $tmpfile <<-EOF
spdadd $ip_peer $ip_local any -P out ipsec $proto/transport//require;
spdadd $ip_local $ip_peer any -P in ipsec $proto/transport//require;
EOF
$DEBUG && cat $tmpfile
atf_check -s exit:0 -o empty $HIJACKING setkey -c < $tmpfile
check_sp_entries $SOCK_PEER $ip_peer $ip_local
}
test_nosa()
{
local proto=$1
local algo=$2
local update=$3
local ip_local=10.0.0.1
local ip_peer=10.0.0.2
local algo_args="$(generate_algo_args $proto $algo)"
local proto_cap=$(echo $proto | tr 'a-z' 'A-Z')
local outfile=./out
rump_server_crypto_start $SOCK_LOCAL netipsec
rump_server_crypto_start $SOCK_PEER netipsec
rump_server_add_iface $SOCK_LOCAL shmif0 $BUS
rump_server_add_iface $SOCK_PEER shmif0 $BUS
export RUMP_SERVER=$SOCK_LOCAL
atf_check -s exit:0 rump.sysctl -q -w net.inet.ip.dad_count=0
atf_check -s exit:0 rump.ifconfig shmif0 $ip_local/24
export RUMP_SERVER=$SOCK_PEER
atf_check -s exit:0 rump.sysctl -q -w net.inet.ip.dad_count=0
atf_check -s exit:0 rump.ifconfig shmif0 $ip_peer/24
setup_sp $proto "$algo_args" $ip_local $ip_peer
extract_new_packets $BUS > $outfile
export RUMP_SERVER=$SOCK_LOCAL
# It doesn't work because there is no SA
atf_check -s not-exit:0 -o ignore rump.ping -c 1 -n -w 3 $ip_peer
}
add_test_nosa()
{
local proto=$1
local algo=$2
local _algo=$(echo $algo | sed 's/-//g')
local name= desc=
desc="Tests SPs with no relevant SAs with $proto ($algo)"
name="ipsec_nosa_${proto}_${_algo}"
atf_test_case ${name} cleanup
eval "
${name}_head() {
atf_set descr \"$desc\"
atf_set require.progs rump_server setkey
}
${name}_body() {
test_nosa $proto $algo
rump_server_destroy_ifaces
}
${name}_cleanup() {
\$DEBUG && dump
cleanup
}
"
atf_add_test_case ${name}
}
test_multiple_sa()
{
local proto=$1
local algo=$2
local update=$3
local ip_local=10.0.0.1
local ip_peer=10.0.0.2
local ip_peer2=10.0.0.3
local algo_args="$(generate_algo_args $proto $algo)"
local proto_cap=$(echo $proto | tr 'a-z' 'A-Z')
local outfile=./out
rump_server_crypto_start $SOCK_LOCAL netipsec
rump_server_crypto_start $SOCK_PEER netipsec
rump_server_add_iface $SOCK_LOCAL shmif0 $BUS
rump_server_add_iface $SOCK_PEER shmif0 $BUS
export RUMP_SERVER=$SOCK_LOCAL
atf_check -s exit:0 rump.sysctl -q -w net.inet.ip.dad_count=0
atf_check -s exit:0 rump.ifconfig shmif0 $ip_local/24
export RUMP_SERVER=$SOCK_PEER
atf_check -s exit:0 rump.sysctl -q -w net.inet.ip.dad_count=0
atf_check -s exit:0 rump.ifconfig shmif0 $ip_peer/24
atf_check -s exit:0 rump.ifconfig shmif0 $ip_peer2/24 alias
setup_sp $proto "$algo_args" "$ip_local" "0.0.0.0/0"
extract_new_packets $BUS > $outfile
export RUMP_SERVER=$SOCK_LOCAL
# There is no SA, so ping should fail
atf_check -s not-exit:0 -o ignore rump.ping -c 1 -n -w 3 $ip_peer
atf_check -s not-exit:0 -o ignore rump.ping -c 1 -n -w 3 $ip_peer2
add_sa $proto "$algo_args" $ip_local $ip_peer 100 10000
export RUMP_SERVER=$SOCK_LOCAL
# There is only an SA for $ip_peer, so ping to $ip_peer2 should fail
atf_check -s exit:0 -o ignore rump.ping -c 1 -n -w 3 $ip_peer
atf_check -s not-exit:0 -o ignore rump.ping -c 1 -n -w 3 $ip_peer2
add_sa $proto "$algo_args" $ip_local $ip_peer2 100 10010
export RUMP_SERVER=$SOCK_LOCAL
atf_check -s exit:0 -o ignore rump.ping -c 1 -n -w 3 $ip_peer
atf_check -s exit:0 -o ignore rump.ping -c 1 -n -w 3 $ip_peer2
export RUMP_SERVER=$SOCK_LOCAL
atf_check -s exit:0 -o match:"$proto/transport//require" \
$HIJACKING setkey -D -P
# Check if the policy isn't modified accidentally
atf_check -s exit:0 -o not-match:"$proto/transport/.+\-.+/require" \
$HIJACKING setkey -D -P
export RUMP_SERVER=$SOCK_PEER
atf_check -s exit:0 -o match:"$proto/transport//require" \
$HIJACKING setkey -D -P
# Check if the policy isn't modified accidentally
atf_check -s exit:0 -o not-match:"$proto/transport/.+\-.+/require" \
$HIJACKING setkey -D -P
}
add_test_multiple_sa()
{
local proto=$1
local algo=$2
local _algo=$(echo $algo | sed 's/-//g')
local name= desc=
desc="Tests multiple SAs with $proto ($algo)"
name="ipsec_multiple_sa_${proto}_${_algo}"
atf_test_case ${name} cleanup
eval "
${name}_head() {
atf_set descr \"$desc\"
atf_set require.progs rump_server setkey
}
${name}_body() {
test_multiple_sa $proto $algo
rump_server_destroy_ifaces
}
${name}_cleanup() {
\$DEBUG && dump
cleanup
}
"
atf_add_test_case ${name}
}
atf_init_test_cases()
{
local algo=
for algo in $ESP_ENCRYPTION_ALGORITHMS_MINIMUM; do
add_test_lifetime ipv4 esp $algo
add_test_lifetime ipv6 esp $algo
add_test_update esp $algo sa
add_test_update esp $algo sp
add_test_getspi_update esp $algo
add_test_spi esp $algo new delete
add_test_spi esp $algo old delete
add_test_spi esp $algo new timeout
add_test_spi esp $algo old timeout
add_test_nosa esp $algo
add_test_multiple_sa esp $algo
done
for algo in $AH_AUTHENTICATION_ALGORITHMS_MINIMUM; do
add_test_lifetime ipv4 ah $algo
add_test_lifetime ipv6 ah $algo
add_test_update ah $algo sa
add_test_update ah $algo sp
add_test_getspi_update ah $algo
add_test_spi ah $algo new delete
add_test_spi ah $algo old delete
add_test_spi ah $algo new timeout
add_test_spi ah $algo old timeout
add_test_nosa ah $algo
add_test_multiple_sa ah $algo
done
}