t_ipsec_misc.sh revision 1.16
      1  1.16  ozaki #	$NetBSD: t_ipsec_misc.sh,v 1.16 2017/07/24 02:07:43 ozaki-r Exp $
      2   1.1  ozaki #
      3   1.1  ozaki # Copyright (c) 2017 Internet Initiative Japan Inc.
      4   1.1  ozaki # All rights reserved.
      5   1.1  ozaki #
      6   1.1  ozaki # Redistribution and use in source and binary forms, with or without
      7   1.1  ozaki # modification, are permitted provided that the following conditions
      8   1.1  ozaki # are met:
      9   1.1  ozaki # 1. Redistributions of source code must retain the above copyright
     10   1.1  ozaki #    notice, this list of conditions and the following disclaimer.
     11   1.1  ozaki # 2. Redistributions in binary form must reproduce the above copyright
     12   1.1  ozaki #    notice, this list of conditions and the following disclaimer in the
     13   1.1  ozaki #    documentation and/or other materials provided with the distribution.
     14   1.1  ozaki #
     15   1.1  ozaki # THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
     16   1.1  ozaki # ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
     17   1.1  ozaki # TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
     18   1.1  ozaki # PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
     19   1.1  ozaki # BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
     20   1.1  ozaki # CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
     21   1.1  ozaki # SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
     22   1.1  ozaki # INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
     23   1.1  ozaki # CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
     24   1.1  ozaki # ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
     25   1.1  ozaki # POSSIBILITY OF SUCH DAMAGE.
     26   1.1  ozaki #
     27   1.1  ozaki 
# Rump server sockets of the two IPsec endpoints and the shmif bus that
# connects them.  Every test below talks to one endpoint at a time by
# exporting RUMP_SERVER.
SOCK_LOCAL=unix://ipsec_local
SOCK_PEER=unix://ipsec_peer
BUS=./bus_ipsec

# Verbose dumps (generated setkey scripts, setkey -D output) stay on
# unless the caller passes DEBUG=false in the environment.
: "${DEBUG:=true}"
     33   1.1  ozaki 
#
# setup_sasp proto algo_args ip_local ip_peer lifetime [update]
#
# Install, on both rump servers, a pair of SAs (SPI 10000 local->peer,
# SPI 10001 peer->local) with hard and soft lifetime $lifetime seconds,
# plus the outbound transport-mode SP requiring $proto.  When $update is
# "sa" both SAs are additionally re-issued with "update" right after
# being added; when it is "sp" each side's outbound SP is re-issued with
# "spdupdate".  Leaves RUMP_SERVER pointing at $SOCK_PEER.
#
setup_sasp()
{
	local proto=$1
	local algo_args="$2"
	local ip_local=$3
	local ip_peer=$4
	local lifetime=$5
	local update=$6
	local tmpfile=./tmp
	local extra_local= extra_peer=

	case "$update" in
	sa)
		# The same SA updates are applied on both sides.
		extra_local="update $ip_local $ip_peer $proto 10000 $algo_args;
		       update $ip_peer $ip_local $proto 10001 $algo_args;"
		extra_peer=$extra_local
		;;
	sp)
		# Each side updates its own outbound policy.
		extra_local="spdupdate $ip_local $ip_peer any -P out ipsec $proto/transport//require;"
		extra_peer="spdupdate $ip_peer $ip_local any -P out ipsec $proto/transport//require;"
		;;
	esac

	export RUMP_SERVER=$SOCK_LOCAL
	cat > $tmpfile <<-EOF
	add $ip_local $ip_peer $proto 10000 -lh $lifetime -ls $lifetime $algo_args;
	add $ip_peer $ip_local $proto 10001 -lh $lifetime -ls $lifetime $algo_args;
	spdadd $ip_local $ip_peer any -P out ipsec $proto/transport//require;
	$extra_local
	EOF
	$DEBUG && cat $tmpfile
	atf_check -s exit:0 -o empty $HIJACKING setkey -c < $tmpfile
	# XXX check_sa_entries is deliberately not called: with a very short
	# $lifetime the SAs may already have expired by now.

	export RUMP_SERVER=$SOCK_PEER
	cat > $tmpfile <<-EOF
	add $ip_local $ip_peer $proto 10000 -lh $lifetime -ls $lifetime $algo_args;
	add $ip_peer $ip_local $proto 10001 -lh $lifetime -ls $lifetime $algo_args;
	spdadd $ip_peer $ip_local any -P out ipsec $proto/transport//require;
	$extra_peer
	EOF
	$DEBUG && cat $tmpfile
	atf_check -s exit:0 -o empty $HIJACKING setkey -c < $tmpfile
	# XXX same as above: no check_sa_entries on the peer either.
}
     80   1.1  ozaki 
#
# test_ipsec4_lifetime proto algo
#
# Exercise SA lifetime expiry over IPv4 between the two rump servers.
# Round 1: SAs with a 1 s lifetime that are never used must be gone
# after 2 s.  Round 2: SAs with a $lifetime s lifetime are first used by
# a ping (which creates a reference from the SP to the SA) and must
# still expire, after which the SP is left without an SA and the ping
# must fail.  $proto is "esp" or "ah", $algo an algorithm name that
# generate_algo_args understands.
#
test_ipsec4_lifetime()
{
	local proto=$1
	local algo=$2
	local ip_local=10.0.0.1
	local ip_peer=10.0.0.2
	local outfile=./out
	# Upper-case protocol name, as it appears in the packet dump
	local proto_cap=$(echo $proto | tr 'a-z' 'A-Z')
	local algo_args="$(generate_algo_args $proto $algo)"
	local lifetime=3

	rump_server_crypto_start $SOCK_LOCAL netipsec
	rump_server_crypto_start $SOCK_PEER netipsec
	rump_server_add_iface $SOCK_LOCAL shmif0 $BUS
	rump_server_add_iface $SOCK_PEER shmif0 $BUS

	export RUMP_SERVER=$SOCK_LOCAL
	# No DAD, so the address is usable immediately
	atf_check -s exit:0 rump.sysctl -q -w net.inet.ip.dad_count=0
	atf_check -s exit:0 rump.ifconfig shmif0 $ip_local/24
	#atf_check -s exit:0 -o ignore rump.sysctl -w net.key.debug=0xff

	export RUMP_SERVER=$SOCK_PEER
	atf_check -s exit:0 rump.sysctl -q -w net.inet.ip.dad_count=0
	atf_check -s exit:0 rump.ifconfig shmif0 $ip_peer/24
	#atf_check -s exit:0 -o ignore rump.sysctl -w net.key.debug=0xff

	# Drain whatever is already on the bus
	extract_new_packets $BUS > $outfile

	# Plain connectivity check before any SA/SP exists
	export RUMP_SERVER=$SOCK_LOCAL
	atf_check -s exit:0 -o ignore rump.ping -c 1 -n -w 3 $ip_peer

	extract_new_packets $BUS > $outfile
	atf_check -s exit:0 -o match:"$ip_local > $ip_peer: ICMP echo request" \
	    cat $outfile
	atf_check -s exit:0 -o match:"$ip_peer > $ip_local: ICMP echo reply" \
	    cat $outfile

	# Round 1: set up SAs with lifetime 1 sec. and never use them
	setup_sasp $proto "$algo_args" $ip_local $ip_peer 1

	# Wait for the SAs to be expired
	atf_check -s exit:0 sleep 2

	# Check the SAs have been expired
	export RUMP_SERVER=$SOCK_LOCAL
	$DEBUG && $HIJACKING setkey -D
	atf_check -s exit:0 -o match:'No SAD entries.' $HIJACKING setkey -D
	export RUMP_SERVER=$SOCK_PEER
	$DEBUG && $HIJACKING setkey -D
	atf_check -s exit:0 -o match:'No SAD entries.' $HIJACKING setkey -D

	# Clean up SPs (the SAs are already gone) so round 2 starts fresh
	export RUMP_SERVER=$SOCK_LOCAL
	atf_check -s exit:0 -o empty $HIJACKING setkey -F -P
	export RUMP_SERVER=$SOCK_PEER
	atf_check -s exit:0 -o empty $HIJACKING setkey -F -P

	# Round 2: set up SAs with lifetime $lifetime sec.
	setup_sasp $proto "$algo_args" $ip_local $ip_peer $lifetime

	# Use the SAs; this will create a reference from an SP to an SA
	export RUMP_SERVER=$SOCK_LOCAL
	atf_check -s exit:0 -o ignore rump.ping -c 1 -n -w 3 $ip_peer

	# The ping must have been protected by $proto in both directions
	extract_new_packets $BUS > $outfile
	atf_check -s exit:0 -o match:"$ip_local > $ip_peer: $proto_cap" \
	    cat $outfile
	atf_check -s exit:0 -o match:"$ip_peer > $ip_local: $proto_cap" \
	    cat $outfile

	# Outlive the lifetime by one second
	atf_check -s exit:0 sleep $((lifetime + 1))

	# The referenced SAs must expire as well; -a also lists dead SAs
	# (see setkey(8)), so nothing may linger even in that state
	export RUMP_SERVER=$SOCK_LOCAL
	$DEBUG && $HIJACKING setkey -D
	atf_check -s exit:0 -o match:'No SAD entries.' $HIJACKING setkey -D -a

	export RUMP_SERVER=$SOCK_PEER
	$DEBUG && $HIJACKING setkey -D
	atf_check -s exit:0 -o match:'No SAD entries.' $HIJACKING setkey -D -a

	# The SP still requires $proto but no SA is left, so the ping must fail
	export RUMP_SERVER=$SOCK_LOCAL
	atf_check -s not-exit:0 -o match:'0 packets received' \
	    rump.ping -c 1 -n -w 1 $ip_peer

	test_flush_entries $SOCK_LOCAL
	test_flush_entries $SOCK_PEER
}
    168   1.1  ozaki 
#
# test_ipsec6_lifetime proto algo
#
# IPv6 counterpart of test_ipsec4_lifetime: the same two rounds of SA
# lifetime expiry (unused 1 s SAs, then used $lifetime s SAs) between
# fd00::1 and fd00::2, using rump.ping6.  $proto is "esp" or "ah",
# $algo an algorithm name that generate_algo_args understands.
#
test_ipsec6_lifetime()
{
	local proto=$1
	local algo=$2
	local ip_local=fd00::1
	local ip_peer=fd00::2
	local outfile=./out
	# Upper-case protocol name, as it appears in the packet dump
	local proto_cap=$(echo $proto | tr 'a-z' 'A-Z')
	local algo_args="$(generate_algo_args $proto $algo)"
	local lifetime=3

	rump_server_crypto_start $SOCK_LOCAL netinet6 netipsec
	rump_server_crypto_start $SOCK_PEER netinet6 netipsec
	rump_server_add_iface $SOCK_LOCAL shmif0 $BUS
	rump_server_add_iface $SOCK_PEER shmif0 $BUS

	export RUMP_SERVER=$SOCK_LOCAL
	# No DAD, so the address is usable immediately
	atf_check -s exit:0 rump.sysctl -q -w net.inet6.ip6.dad_count=0
	atf_check -s exit:0 rump.ifconfig shmif0 inet6 $ip_local

	export RUMP_SERVER=$SOCK_PEER
	atf_check -s exit:0 rump.sysctl -q -w net.inet6.ip6.dad_count=0
	atf_check -s exit:0 rump.ifconfig shmif0 inet6 $ip_peer

	# Drain whatever is already on the bus
	extract_new_packets $BUS > $outfile

	# Plain connectivity check before any SA/SP exists
	export RUMP_SERVER=$SOCK_LOCAL
	atf_check -s exit:0 -o ignore rump.ping6 -c 1 -n -X 3 $ip_peer

	extract_new_packets $BUS > $outfile
	atf_check -s exit:0 -o match:"$ip_local > $ip_peer: ICMP6, echo request" \
	    cat $outfile
	atf_check -s exit:0 -o match:"$ip_peer > $ip_local: ICMP6, echo reply" \
	    cat $outfile

	# Round 1: set up SAs with lifetime 1 sec. and never use them
	setup_sasp $proto "$algo_args" $ip_local $ip_peer 1

	# Wait for the SAs to be expired
	atf_check -s exit:0 sleep 2

	# Check the SAs have been expired
	export RUMP_SERVER=$SOCK_LOCAL
	$DEBUG && $HIJACKING setkey -D
	atf_check -s exit:0 -o match:'No SAD entries.' $HIJACKING setkey -D
	export RUMP_SERVER=$SOCK_PEER
	$DEBUG && $HIJACKING setkey -D
	atf_check -s exit:0 -o match:'No SAD entries.' $HIJACKING setkey -D

	# Clean up SPs (the SAs are already gone) so round 2 starts fresh
	export RUMP_SERVER=$SOCK_LOCAL
	atf_check -s exit:0 -o empty $HIJACKING setkey -F -P
	export RUMP_SERVER=$SOCK_PEER
	atf_check -s exit:0 -o empty $HIJACKING setkey -F -P

	# Round 2: set up SAs with lifetime $lifetime sec.
	setup_sasp $proto "$algo_args" $ip_local $ip_peer $lifetime

	# Use the SAs; this will create a reference from an SP to an SA
	export RUMP_SERVER=$SOCK_LOCAL
	atf_check -s exit:0 -o ignore rump.ping6 -c 1 -n -X 3 $ip_peer

	# The ping must have been protected by $proto in both directions
	extract_new_packets $BUS > $outfile
	atf_check -s exit:0 -o match:"$ip_local > $ip_peer: $proto_cap" \
	    cat $outfile
	atf_check -s exit:0 -o match:"$ip_peer > $ip_local: $proto_cap" \
	    cat $outfile

	# Outlive the lifetime by one second
	atf_check -s exit:0 sleep $((lifetime + 1))

	# The referenced SAs must expire as well; -a also lists dead SAs
	# (see setkey(8)), so nothing may linger even in that state
	export RUMP_SERVER=$SOCK_LOCAL
	$DEBUG && $HIJACKING setkey -D
	atf_check -s exit:0 -o match:'No SAD entries.' $HIJACKING setkey -D -a

	export RUMP_SERVER=$SOCK_PEER
	$DEBUG && $HIJACKING setkey -D
	atf_check -s exit:0 -o match:'No SAD entries.' $HIJACKING setkey -D -a

	# The SP still requires $proto but no SA is left, so the ping must fail
	export RUMP_SERVER=$SOCK_LOCAL
	atf_check -s not-exit:0 -o match:'0 packets received' \
	    rump.ping6 -c 1 -n -X 1 $ip_peer

	test_flush_entries $SOCK_LOCAL
	test_flush_entries $SOCK_PEER
}
    254   1.1  ozaki 
#
# test_lifetime_common ipproto proto algo
#
# Dispatch the SA lifetime test to its IPv4 or IPv6 variant.  Only
# "ipv4" selects the IPv4 variant; any other value runs the IPv6 one.
#
test_lifetime_common()
{
	local ipproto=$1
	local proto=$2
	local algo=$3

	case "$ipproto" in
	ipv4)
		test_ipsec4_lifetime $proto $algo
		;;
	*)
		test_ipsec6_lifetime $proto $algo
		;;
	esac
}
    267   1.1  ozaki 
#
# add_test_lifetime ipproto proto algo
#
# Register the ATF test case ipsec_lifetime_<ipproto>_<proto>_<algo>
# (dashes in $algo dropped) whose body runs test_lifetime_common.  The
# head/body/cleanup functions are generated with eval; the interpolated
# values only ever come from atf_init_test_cases, not from the outside.
#
add_test_lifetime()
{
	local ipproto=$1
	local proto=$2
	local algo=$3
	# e.g. aes-cbc -> aescbc, so the name is a valid identifier
	local _algo=$(echo $algo | sed 's/-//g')
	local name= desc=

	name="ipsec_lifetime_${ipproto}_${proto}_${_algo}"
	desc="Tests of lifetime of IPsec ($ipproto) with $proto ($algo)"

	atf_test_case ${name} cleanup
	# The trailing backslashes join the string into a single line of
	# shell code, so no '#' comments may appear inside it.
	eval "								\
	    ${name}_head() {						\
	        atf_set \"descr\" \"$desc\";				\
	        atf_set \"require.progs\" \"rump_server\" \"setkey\";	\
	    };								\
	    ${name}_body() {						\
	        test_lifetime_common $ipproto $proto $algo;		\
	        rump_server_destroy_ifaces;				\
	    };								\
	    ${name}_cleanup() {						\
	        $DEBUG && dump;						\
	        cleanup;						\
	    }								\
	"
	atf_add_test_case ${name}
}
    296   1.1  ozaki 
#
# test_update proto algo update
#
# Check that SAs/SPs installed by setup_sasp still carry traffic after
# being re-issued with "update" ($update = sa) or "spdupdate"
# ($update = sp): a ping between the two rump servers must appear on
# the bus protected by $proto in both directions.  The lifetime of 100 s
# is long enough that expiry cannot interfere.
#
test_update()
{
	local proto=$1
	local algo=$2
	local update=$3
	local ip_local=10.0.0.1
	local ip_peer=10.0.0.2
	local algo_args="$(generate_algo_args $proto $algo)"
	# Upper-case protocol name, as it appears in the packet dump
	local proto_cap=$(echo $proto | tr 'a-z' 'A-Z')
	local outfile=./out

	rump_server_crypto_start $SOCK_LOCAL netipsec
	rump_server_crypto_start $SOCK_PEER netipsec
	rump_server_add_iface $SOCK_LOCAL shmif0 $BUS
	rump_server_add_iface $SOCK_PEER shmif0 $BUS

	export RUMP_SERVER=$SOCK_LOCAL
	# No DAD, so the address is usable immediately
	atf_check -s exit:0 rump.sysctl -q -w net.inet.ip.dad_count=0
	atf_check -s exit:0 rump.ifconfig shmif0 $ip_local/24

	export RUMP_SERVER=$SOCK_PEER
	atf_check -s exit:0 rump.sysctl -q -w net.inet.ip.dad_count=0
	atf_check -s exit:0 rump.ifconfig shmif0 $ip_peer/24

	# Install SAs/SPs and immediately update the SAs or the SPs
	setup_sasp $proto "$algo_args" $ip_local $ip_peer 100 $update

	# Drain whatever is already on the bus
	extract_new_packets $BUS > $outfile

	export RUMP_SERVER=$SOCK_LOCAL
	atf_check -s exit:0 -o ignore rump.ping -c 1 -n -w 3 $ip_peer

	# Both directions must have been protected by $proto
	extract_new_packets $BUS > $outfile
	atf_check -s exit:0 -o match:"$ip_local > $ip_peer: $proto_cap" \
	    cat $outfile
	atf_check -s exit:0 -o match:"$ip_peer > $ip_local: $proto_cap" \
	    cat $outfile
}
    334   1.8  ozaki 
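#
# add_test_update proto algo update
#
# Register the ATF test case ipsec_update_<update>_<proto>_<algo>
# (dashes in $algo dropped) whose body runs test_update.  The
# head/body/cleanup functions are generated with eval; the interpolated
# values only ever come from atf_init_test_cases, not from the outside.
#
add_test_update()
{
	local proto=$1
	local algo=$2
	local update=$3
	# "sa"/"sp" -> "SA"/"SP" for the description
	local _update=$(echo $update |tr 'a-z' 'A-Z')
	# e.g. aes-cbc -> aescbc, so the name is a valid identifier
	local _algo=$(echo $algo | sed 's/-//g')
	local name= desc=

	# "update" was misspelled "udpate" in the description
	desc="Tests trying to update $_update of $proto ($algo)"
	name="ipsec_update_${update}_${proto}_${_algo}"

	atf_test_case ${name} cleanup
	# The trailing backslashes join the string into a single line of
	# shell code, so no '#' comments may appear inside it.
	eval "								\
	    ${name}_head() {						\
	        atf_set \"descr\" \"$desc\";				\
	        atf_set \"require.progs\" \"rump_server\" \"setkey\";	\
	    };								\
	    ${name}_body() {						\
	        test_update $proto $algo $update;			\
	        rump_server_destroy_ifaces;				\
	    };								\
	    ${name}_cleanup() {						\
	        $DEBUG && dump;						\
	        cleanup;						\
	    }								\
	"
	atf_add_test_case ${name}
}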
    364   1.8  ozaki 
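#
# add_sa proto algo_args ip_local ip_peer lifetime spi
#
# Add, on both rump servers, one more SA pair for the same endpoints:
# SPI $spi for local->peer and SPI $spi+1 for peer->local, with hard and
# soft lifetime $lifetime seconds.  No SP is touched.  Leaves
# RUMP_SERVER pointing at $SOCK_PEER.
#
add_sa()
{
	local proto=$1
	local algo_args="$2"
	local ip_local=$3
	local ip_peer=$4
	local lifetime=$5
	local spi=$6
	local tmpfile=./tmp

	# The unused "extra" variable (and the empty line it produced in
	# the setkey input) has been dropped.
	export RUMP_SERVER=$SOCK_LOCAL
	cat > $tmpfile <<-EOF
	add $ip_local $ip_peer $proto $((spi)) -lh $lifetime -ls $lifetime $algo_args;
	add $ip_peer $ip_local $proto $((spi + 1)) -lh $lifetime -ls $lifetime $algo_args;
	EOF
	$DEBUG && cat $tmpfile
	atf_check -s exit:0 -o empty $HIJACKING setkey -c < $tmpfile
	$DEBUG && $HIJACKING setkey -D
	# XXX check_sa_entries is deliberately not called: with a very short
	# $lifetime the SAs may already have expired by now.

	export RUMP_SERVER=$SOCK_PEER
	cat > $tmpfile <<-EOF
	add $ip_local $ip_peer $proto $((spi)) -lh $lifetime -ls $lifetime $algo_args;
	add $ip_peer $ip_local $proto $((spi + 1)) -lh $lifetime -ls $lifetime $algo_args;
	EOF
	$DEBUG && cat $tmpfile
	atf_check -s exit:0 -o empty $HIJACKING setkey -c < $tmpfile
	$DEBUG && $HIJACKING setkey -D
	# XXX same as above: no check_sa_entries on the peer either.
}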
    400   1.9  ozaki 
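#
# delete_sa proto ip_local ip_peer spi
#
# Delete, on both rump servers, the SA pair previously added by add_sa:
# SPI $spi (local->peer) and SPI $spi+1 (peer->local).  Leaves
# RUMP_SERVER pointing at $SOCK_PEER.
#
delete_sa()
{
	local proto=$1
	local ip_local=$2
	local ip_peer=$3
	local spi=$4
	local tmpfile=./tmp

	# (the unused "extra" local has been dropped)
	export RUMP_SERVER=$SOCK_LOCAL
	cat > $tmpfile <<-EOF
	delete $ip_local $ip_peer $proto $((spi));
	delete $ip_peer $ip_local $proto $((spi + 1));
	EOF
	$DEBUG && cat $tmpfile
	atf_check -s exit:0 -o empty $HIJACKING setkey -c < $tmpfile
	$DEBUG && $HIJACKING setkey -D

	export RUMP_SERVER=$SOCK_PEER
	cat > $tmpfile <<-EOF
	delete $ip_local $ip_peer $proto $((spi));
	delete $ip_peer $ip_local $proto $((spi + 1));
	EOF
	$DEBUG && cat $tmpfile
	atf_check -s exit:0 -o empty $HIJACKING setkey -c < $tmpfile
	$DEBUG && $HIJACKING setkey -D
}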
    428  1.13  ozaki 
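#
# check_packet_spi outfile ip_local ip_peer proto spi
#
# Assert that the captured packets in $outfile contain a local->peer
# $proto packet carrying SPI $spi and a peer->local one carrying SPI
# $spi+1.  $proto is the upper-case name as printed in the dump (the
# callers pass $proto_cap).  Fails the test case otherwise.
#
check_packet_spi()
{
	local outfile=$1
	local ip_local=$2
	local ip_peer=$3
	local proto=$4
	local spi=$5
	local spistr=

	$DEBUG && cat $outfile
	# The dump prints SPIs as 8 hex digits, e.g. spi=0x00002710.
	# Match on the $proto parameter; the old code used $proto_cap, which
	# only worked because the callers happened to have such a local.
	spistr=$(printf "%08x" $spi)
	atf_check -s exit:0 \
	    -o match:"$ip_local > $ip_peer: $proto\(spi=0x$spistr," \
	    cat $outfile
	spistr=$(printf "%08x" $((spi + 1)))
	atf_check -s exit:0 \
	    -o match:"$ip_peer > $ip_local: $proto\(spi=0x$spistr," \
	    cat $outfile
}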
    448   1.9  ozaki 
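#
# _wait_sa_disappeared_on_server spi max_tries
#
# Poll the SAD of the current RUMP_SERVER once per second until no entry
# whose "spi=" field matches $spi is listed.  Returns 0 as soon as it is
# gone and 1 if it is still present after $max_tries probes.
#
_wait_sa_disappeared_on_server()
{
	local spi=$1
	local max_tries=$2
	local i=0

	while [ $i -lt $max_tries ]; do
		# grep's status is the pipeline's status: non-zero means
		# the SPI is no longer listed (substring match, as before).
		if ! $HIJACKING setkey -D | grep -q "spi=$spi"; then
			return 0
		fi
		i=$((i + 1))
		sleep 1
	done
	return 1
}

#
# wait_sa_disappeared spi
#
# Wait up to 10 seconds on each of $SOCK_LOCAL and $SOCK_PEER for the SA
# with SPI $spi to vanish from the SAD (e.g. by lifetime expiry) and fail
# the test case if it is still there.  Unlike the former counted for
# loop, an SA that disappears on the last probe is treated as gone.
# Leaves RUMP_SERVER pointing at $SOCK_PEER.
#
wait_sa_disappeared()
{
	local spi=$1
	local sock=

	for sock in $SOCK_LOCAL $SOCK_PEER; do
		export RUMP_SERVER=$sock
		if ! _wait_sa_disappeared_on_server $spi 10; then
			atf_fail "SA (spi=$spi) didn't disappear in 10s"
		fi
	done
}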
    473  1.12  ozaki 
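#
# test_spi proto algo preferred method
#
# Check which SA carries traffic when several SAs with different SPIs
# exist for the same endpoints.  SAs with SPI 10000, 10010 and 10020 are
# installed one after another; with $preferred = new the most recently
# added SA must be used, with $preferred = old
# (net.key.prefered_oldsa=1) the original one must stay in use.  The
# newer SAs are then removed, either explicitly ($method = delete) or by
# letting them expire ($method = timeout), and the selection is
# re-checked after each removal.
#
test_spi()
{
	local proto=$1
	local algo=$2
	local preferred=$3
	local method=$4
	local ip_local=10.0.0.1
	local ip_peer=10.0.0.2
	local algo_args="$(generate_algo_args $proto $algo)"
	# Upper-case protocol name, as it appears in the packet dump
	local proto_cap=$(echo $proto | tr 'a-z' 'A-Z')
	local outfile=./out
	local longtime= shorttime=

	# Two tests joined with && instead of the deprecated, ambiguous -a
	if [ $method = timeout ] && [ $preferred = new ]; then
		skip_if_qemu
	fi

	# With "delete" the SAs must not expire on their own; with "timeout"
	# the third SA (shorttime) expires before the second one (longtime)
	# so the fallback order can be observed.
	if [ $method = delete ]; then
		shorttime=100
		longtime=100
	else
		shorttime=3
		longtime=6
	fi

	rump_server_crypto_start $SOCK_LOCAL netipsec
	rump_server_crypto_start $SOCK_PEER netipsec
	rump_server_add_iface $SOCK_LOCAL shmif0 $BUS
	rump_server_add_iface $SOCK_PEER shmif0 $BUS

	export RUMP_SERVER=$SOCK_LOCAL
	# No DAD, so the address is usable immediately
	atf_check -s exit:0 rump.sysctl -q -w net.inet.ip.dad_count=0
	atf_check -s exit:0 rump.ifconfig shmif0 $ip_local/24
	if [ $preferred = old ]; then
		# "prefered" is the kernel's spelling of this sysctl
		atf_check -s exit:0 rump.sysctl -q -w net.key.prefered_oldsa=1
	fi

	export RUMP_SERVER=$SOCK_PEER
	atf_check -s exit:0 rump.sysctl -q -w net.inet.ip.dad_count=0
	atf_check -s exit:0 rump.ifconfig shmif0 $ip_peer/24
	if [ $preferred = old ]; then
		atf_check -s exit:0 rump.sysctl -q -w net.key.prefered_oldsa=1
	fi

	# The original SA pair (SPI 10000/10001) plus the SPs
	setup_sasp $proto "$algo_args" $ip_local $ip_peer 100

	# Drain whatever is already on the bus
	extract_new_packets $BUS > $outfile

	export RUMP_SERVER=$SOCK_LOCAL
	atf_check -s exit:0 -o ignore rump.ping -c 1 -n -w 3 $ip_peer
	extract_new_packets $BUS > $outfile
	check_packet_spi $outfile $ip_local $ip_peer $proto_cap 10000

	# Add a new SA with a different SPI
	add_sa $proto "$algo_args" $ip_local $ip_peer $longtime 10010

	export RUMP_SERVER=$SOCK_LOCAL
	atf_check -s exit:0 -o ignore rump.ping -c 1 -n -w 3 $ip_peer
	extract_new_packets $BUS > $outfile
	if [ $preferred = old ]; then
		check_packet_spi $outfile $ip_local $ip_peer $proto_cap 10000
	else
		# The new SA is preferred
		check_packet_spi $outfile $ip_local $ip_peer $proto_cap 10010
	fi

	# Add another SA with a different SPI
	add_sa $proto "$algo_args" $ip_local $ip_peer $shorttime 10020

	export RUMP_SERVER=$SOCK_LOCAL
	atf_check -s exit:0 -o ignore rump.ping -c 1 -n -w 3 $ip_peer
	extract_new_packets $BUS > $outfile
	if [ $preferred = old ]; then
		check_packet_spi $outfile $ip_local $ip_peer $proto_cap 10000
	else
		# The newest SA is preferred
		check_packet_spi $outfile $ip_local $ip_peer $proto_cap 10020
	fi

	# Remove the newest SA, explicitly or by waiting for its lifetime
	if [ $method = delete ]; then
		delete_sa $proto $ip_local $ip_peer 10020
	else
		wait_sa_disappeared 10020
	fi

	export RUMP_SERVER=$SOCK_LOCAL
	atf_check -s exit:0 -o ignore rump.ping -c 1 -n -w 3 $ip_peer
	extract_new_packets $BUS > $outfile
	if [ $preferred = old ]; then
		check_packet_spi $outfile $ip_local $ip_peer $proto_cap 10000
	else
		# The newest one is removed and the second one is used
		check_packet_spi $outfile $ip_local $ip_peer $proto_cap 10010
	fi

	# Remove the second SA the same way
	if [ $method = delete ]; then
		delete_sa $proto $ip_local $ip_peer 10010
	else
		wait_sa_disappeared 10010
	fi

	export RUMP_SERVER=$SOCK_LOCAL
	atf_check -s exit:0 -o ignore rump.ping -c 1 -n -w 3 $ip_peer
	extract_new_packets $BUS > $outfile
	if [ $preferred = old ]; then
		check_packet_spi $outfile $ip_local $ip_peer $proto_cap 10000
	else
		# The second one is removed and the original one is used
		check_packet_spi $outfile $ip_local $ip_peer $proto_cap 10000
	fi
}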
    586   1.9  ozaki 
#
# add_test_spi proto algo preferred method
#
# Register the ATF test case
# ipsec_spi_<proto>_<algo>_preferred_<preferred>_<method> (dashes in
# $algo dropped) whose body runs test_spi.  The head/body/cleanup
# functions are generated with eval; the interpolated values only ever
# come from atf_init_test_cases, not from the outside.
#
add_test_spi()
{
	local proto=$1
	local algo=$2
	local preferred=$3
	local method=$4
	# e.g. aes-cbc -> aescbc, so the name is a valid identifier
	local _algo=$(echo $algo | sed 's/-//g')
	local name= desc=

	desc="Tests SAs with different SPIs of $proto ($algo) ($preferred SA preferred) ($method)"
	name="ipsec_spi_${proto}_${_algo}_preferred_${preferred}_${method}"

	atf_test_case ${name} cleanup
	# The trailing backslashes join the string into a single line of
	# shell code, so no '#' comments may appear inside it.
	eval "								\
	    ${name}_head() {						\
	        atf_set \"descr\" \"$desc\";				\
	        atf_set \"require.progs\" \"rump_server\" \"setkey\";	\
	    };								\
	    ${name}_body() {						\
	        test_spi $proto $algo $preferred $method;		\
	        rump_server_destroy_ifaces;				\
	    };								\
	    ${name}_cleanup() {						\
	        $DEBUG && dump;						\
	        cleanup;						\
	    }								\
	"
	atf_add_test_case ${name}
}
    616   1.9  ozaki 
#
# Register every test case of this file: for each ESP encryption and
# each AH authentication algorithm of the minimum set, the IPv4/IPv6
# lifetime tests, the SA/SP update tests and the four SPI-preference
# tests.  All ESP cases are registered before the AH ones.
#
atf_init_test_cases()
{
	local proto= algo= algos=

	for proto in esp ah; do
		case $proto in
		esp) algos=$ESP_ENCRYPTION_ALGORITHMS_MINIMUM ;;
		ah) algos=$AH_AUTHENTICATION_ALGORITHMS_MINIMUM ;;
		esac
		# $algos is a whitespace-separated word list, so the
		# unquoted expansion is intentional.
		for algo in $algos; do
			add_test_lifetime ipv4 $proto $algo
			add_test_lifetime ipv6 $proto $algo
			add_test_update $proto $algo sa
			add_test_update $proto $algo sp
			add_test_spi $proto $algo new delete
			add_test_spi $proto $algo old delete
			add_test_spi $proto $algo new timeout
			add_test_spi $proto $algo old timeout
		done
	done
}
    642