      1  1.25  andvar #	$NetBSD: t_ipsec_misc.sh,v 1.25 2022/01/07 22:59:32 andvar Exp $
      2   1.1   ozaki #
      3   1.1   ozaki # Copyright (c) 2017 Internet Initiative Japan Inc.
      4   1.1   ozaki # All rights reserved.
      5   1.1   ozaki #
      6   1.1   ozaki # Redistribution and use in source and binary forms, with or without
      7   1.1   ozaki # modification, are permitted provided that the following conditions
      8   1.1   ozaki # are met:
      9   1.1   ozaki # 1. Redistributions of source code must retain the above copyright
     10   1.1   ozaki #    notice, this list of conditions and the following disclaimer.
     11   1.1   ozaki # 2. Redistributions in binary form must reproduce the above copyright
     12   1.1   ozaki #    notice, this list of conditions and the following disclaimer in the
     13   1.1   ozaki #    documentation and/or other materials provided with the distribution.
     14   1.1   ozaki #
     15   1.1   ozaki # THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
     16   1.1   ozaki # ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
     17   1.1   ozaki # TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
     18   1.1   ozaki # PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
     19   1.1   ozaki # BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
     20   1.1   ozaki # CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
     21   1.1   ozaki # SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
     22   1.1   ozaki # INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
     23   1.1   ozaki # CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
     24   1.1   ozaki # ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
     25   1.1   ozaki # POSSIBILITY OF SUCH DAMAGE.
     26   1.1   ozaki #
     27   1.1   ozaki 
     28   1.1   ozaki SOCK_LOCAL=unix://ipsec_local
     29   1.1   ozaki SOCK_PEER=unix://ipsec_peer
     30   1.1   ozaki BUS=./bus_ipsec
     31   1.1   ozaki 
     32   1.4   ozaki DEBUG=${DEBUG:-true}
     33   1.1   ozaki 
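#
# setup_sasp proto algo_args ip_local ip_peer lifetime [update]
#
# Installs a pair of SAs (SPI 10000 for local->peer, 10001 for peer->local)
# and the outbound transport-mode "require" SP on both rump servers through
# setkey(8).  The generated setkey script is written to ./tmp and echoed when
# $DEBUG is true.
#
# Arguments:
#   $1 proto      setkey protocol keyword (esp or ah)
#   $2 algo_args  algorithm/key options appended to "add", typically the
#                 output of generate_algo_args
#   $3 ip_local   address of the local node
#   $4 ip_peer    address of the peer node
#   $5 lifetime   hard and soft lifetime in seconds (-lh/-ls)
#   $6 update     optional extra step appended to the script:
#                   sa     - "update" both SAs with $algo_args
#                   sp     - "spdupdate" the outbound SP
#                   getspi - create the SAs with "getspi" (no algorithm
#                            arguments) and then "update" them with
#                            $algo_args
#
setup_sasp()
{
	local proto=$1
	local algo_args="$2"
	local ip_local=$3
	local ip_peer=$4
	local lifetime=$5
	local update=$6
	local tmpfile=./tmp
	local saadd=add
	local saadd_algo_args="$algo_args"
	local extra=

	# "getspi" reserves the SPI without keying material; the keys are
	# supplied by the "update" that follows.
	if [ "$update" = getspi ]; then
		saadd=getspi
		saadd_algo_args=
	fi

	# A case statement instead of test's obsolescent "-o" operator, whose
	# parsing is ambiguous when an operand looks like an option.
	case "$update" in
	sa|getspi)
		extra="update $ip_local $ip_peer $proto 10000 $algo_args;
		       update $ip_peer $ip_local $proto 10001 $algo_args;"
		;;
	sp)
		extra="spdupdate $ip_local $ip_peer any -P out ipsec $proto/transport//require;"
		;;
	esac

	# $HIJACKING is deliberately left unquoted: it may be empty or hold
	# several words.
	export RUMP_SERVER=$SOCK_LOCAL
	cat > "$tmpfile" <<-EOF
	$saadd $ip_local $ip_peer $proto 10000 -lh $lifetime -ls $lifetime $saadd_algo_args;
	$saadd $ip_peer $ip_local $proto 10001 -lh $lifetime -ls $lifetime $saadd_algo_args;
	spdadd $ip_local $ip_peer any -P out ipsec $proto/transport//require;
	$extra
	EOF
	$DEBUG && cat "$tmpfile"
	atf_check -s exit:0 -o empty $HIJACKING setkey -c < "$tmpfile"
	# XXX it can be expired if $lifetime is very short
	#check_sa_entries $SOCK_LOCAL $ip_local $ip_peer

	# The peer's outbound SP points the other way round.
	if [ "$update" = sp ]; then
		extra="spdupdate $ip_peer $ip_local any -P out ipsec $proto/transport//require;"
	fi

	export RUMP_SERVER=$SOCK_PEER
	cat > "$tmpfile" <<-EOF
	$saadd $ip_local $ip_peer $proto 10000 -lh $lifetime -ls $lifetime $saadd_algo_args;
	$saadd $ip_peer $ip_local $proto 10001 -lh $lifetime -ls $lifetime $saadd_algo_args;
	spdadd $ip_peer $ip_local any -P out ipsec $proto/transport//require;
	$extra
	EOF
	$DEBUG && cat "$tmpfile"
	atf_check -s exit:0 -o empty $HIJACKING setkey -c < "$tmpfile"
	# XXX it can be expired if $lifetime is very short
	#check_sa_entries $SOCK_PEER $ip_local $ip_peer
}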
     87   1.1   ozaki 
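#
# test_sad_disapper_until time check_dead_sa
#
# Polls both rump servers once per second until "setkey -D" reports
# "No SAD entries." on each of them in the same round, or until $time polls
# have been made, in which case the test case fails.
#
# Arguments:
#   $1 time           maximum number of one-second polls; a value of zero or
#                     less fails immediately rather than looping forever
#   $2 check_dead_sa  true to include dead SAs in the dump (setkey -D -a),
#                     false to look at live SAs only
#
test_sad_disapper_until()
{
	local time=$1
	local check_dead_sa=$2
	local setkey_opts=
	local remaining=$time
	local tmpfile=./__tmp
	local sock= ok=

	if $check_dead_sa; then
		setkey_opts="-D -a"
	else
		setkey_opts="-D"
	fi

	# -gt rather than -ne so that a negative $time cannot spin forever.
	while [ "$remaining" -gt 0 ]; do
		ok=0
		sleep 1
		for sock in $SOCK_LOCAL $SOCK_PEER; do
			export RUMP_SERVER=$sock
			# $HIJACKING and $setkey_opts hold several words and
			# are intentionally unquoted.
			$HIJACKING setkey $setkey_opts > "$tmpfile"
			$DEBUG && cat "$tmpfile"
			if grep -q 'No SAD entries.' "$tmpfile"; then
				ok=$((ok + 1))
			fi
		done
		# Both nodes must be empty in the same round.
		if [ "$ok" -eq 2 ]; then
			return
		fi

		remaining=$((remaining - 1))
	done

	atf_fail "SAs didn't disappear after $time sec."
}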
    123  1.22   ozaki 
#
# test_ipsec4_lifetime proto algo
#
# SA lifetime test over IPv4.  Two rump servers share one shmif bus; after
# confirming that plain ICMP passes, the test checks that unused SAs with a
# 1-second lifetime expire by themselves, and that SAs which are in use (an
# SP references them because a ping went through) still expire after
# $lifetime seconds, at which point the "require" SP blocks the ping.
#
# Arguments:
#   $1 proto  esp or ah
#   $2 algo   algorithm name accepted by generate_algo_args
#
test_ipsec4_lifetime()
{
	local proto=$1
	local algo=$2
	local ip_local=10.0.0.1
	local ip_peer=10.0.0.2
	local pcap=./out
	local lifetime=3
	local buffertime=2
	local proto_cap= algo_args=

	# tcpdump prints the protocol in upper case (ESP/AH).
	proto_cap=$(echo $proto | tr 'a-z' 'A-Z')
	algo_args="$(generate_algo_args $proto $algo)"

	rump_server_crypto_start $SOCK_LOCAL netipsec
	rump_server_crypto_start $SOCK_PEER netipsec
	rump_server_add_iface $SOCK_LOCAL shmif0 $BUS
	rump_server_add_iface $SOCK_PEER shmif0 $BUS

	# dad_count=0 turns off duplicate address detection so the addresses
	# become usable at once.
	export RUMP_SERVER=$SOCK_LOCAL
	atf_check -s exit:0 rump.sysctl -q -w net.inet.ip.dad_count=0
	atf_check -s exit:0 rump.ifconfig shmif0 $ip_local/24
	#atf_check -s exit:0 -o ignore rump.sysctl -w net.key.debug=0xff

	export RUMP_SERVER=$SOCK_PEER
	atf_check -s exit:0 rump.sysctl -q -w net.inet.ip.dad_count=0
	atf_check -s exit:0 rump.ifconfig shmif0 $ip_peer/24
	#atf_check -s exit:0 -o ignore rump.sysctl -w net.key.debug=0xff

	# Drain whatever the bus captured during setup.
	extract_new_packets $BUS > "$pcap"

	# Unprotected ping must work before any policy exists.
	export RUMP_SERVER=$SOCK_LOCAL
	atf_check -s exit:0 -o ignore rump.ping -c 1 -n -w 3 $ip_peer

	extract_new_packets $BUS > "$pcap"
	atf_check -s exit:0 -o match:"$ip_local > $ip_peer: ICMP echo request" \
	    cat "$pcap"
	atf_check -s exit:0 -o match:"$ip_peer > $ip_local: ICMP echo reply" \
	    cat "$pcap"

	# Unused SAs with a 1-second lifetime expire on their own.
	setup_sasp $proto "$algo_args" $ip_local $ip_peer 1
	test_sad_disapper_until $((1 + buffertime)) false

	# Drop the SPs before installing the second set.
	export RUMP_SERVER=$SOCK_LOCAL
	atf_check -s exit:0 -o empty $HIJACKING setkey -F -P
	export RUMP_SERVER=$SOCK_PEER
	atf_check -s exit:0 -o empty $HIJACKING setkey -F -P

	# SAs with $lifetime seconds, and this time they are used: the ping
	# creates a reference from the SP to the SA.
	setup_sasp $proto "$algo_args" $ip_local $ip_peer $lifetime
	export RUMP_SERVER=$SOCK_LOCAL
	atf_check -s exit:0 -o ignore rump.ping -c 1 -n -w 3 $ip_peer

	extract_new_packets $BUS > "$pcap"
	atf_check -s exit:0 -o match:"$ip_local > $ip_peer: $proto_cap" \
	    cat "$pcap"
	atf_check -s exit:0 -o match:"$ip_peer > $ip_local: $proto_cap" \
	    cat "$pcap"

	# Referenced SAs must expire as well; dead SAs are dumped too so a
	# lingering one is noticed.
	test_sad_disapper_until $((lifetime + buffertime)) true

	# The SP still requires IPsec and no SA is left: ping has to fail.
	export RUMP_SERVER=$SOCK_LOCAL
	atf_check -s not-exit:0 -o match:'0 packets received' \
	    rump.ping -c 1 -n -w 1 $ip_peer

	test_flush_entries $SOCK_LOCAL
	test_flush_entries $SOCK_PEER
}
    197   1.1   ozaki 
#
# test_ipsec6_lifetime proto algo
#
# IPv6 counterpart of test_ipsec4_lifetime: unused SAs with a 1-second
# lifetime must expire by themselves, and SAs referenced by an SP (a ping6
# went through them) must still expire after $lifetime seconds, after which
# the "require" SP blocks the ping6.
#
# Arguments:
#   $1 proto  esp or ah
#   $2 algo   algorithm name accepted by generate_algo_args
#
test_ipsec6_lifetime()
{
	local proto=$1
	local algo=$2
	local ip_local=fd00::1
	local ip_peer=fd00::2
	local pcap=./out
	local lifetime=3
	local buffertime=2
	local proto_cap= algo_args=

	# tcpdump prints the protocol in upper case (ESP/AH).
	proto_cap=$(echo $proto | tr 'a-z' 'A-Z')
	algo_args="$(generate_algo_args $proto $algo)"

	rump_server_crypto_start $SOCK_LOCAL netinet6 netipsec
	rump_server_crypto_start $SOCK_PEER netinet6 netipsec
	rump_server_add_iface $SOCK_LOCAL shmif0 $BUS
	rump_server_add_iface $SOCK_PEER shmif0 $BUS

	# dad_count=0 turns off duplicate address detection so the addresses
	# become usable at once.
	export RUMP_SERVER=$SOCK_LOCAL
	atf_check -s exit:0 rump.sysctl -q -w net.inet6.ip6.dad_count=0
	atf_check -s exit:0 rump.ifconfig shmif0 inet6 $ip_local

	export RUMP_SERVER=$SOCK_PEER
	atf_check -s exit:0 rump.sysctl -q -w net.inet6.ip6.dad_count=0
	atf_check -s exit:0 rump.ifconfig shmif0 inet6 $ip_peer

	# Drain whatever the bus captured during setup.
	extract_new_packets $BUS > "$pcap"

	# Unprotected ping6 must work before any policy exists.
	export RUMP_SERVER=$SOCK_LOCAL
	atf_check -s exit:0 -o ignore rump.ping6 -c 1 -n -X 3 $ip_peer

	extract_new_packets $BUS > "$pcap"
	atf_check -s exit:0 -o match:"$ip_local > $ip_peer: ICMP6, echo request" \
	    cat "$pcap"
	atf_check -s exit:0 -o match:"$ip_peer > $ip_local: ICMP6, echo reply" \
	    cat "$pcap"

	# Unused SAs with a 1-second lifetime expire on their own.
	setup_sasp $proto "$algo_args" $ip_local $ip_peer 1
	test_sad_disapper_until $((1 + buffertime)) false

	# Drop the SPs before installing the second set.
	export RUMP_SERVER=$SOCK_LOCAL
	atf_check -s exit:0 -o empty $HIJACKING setkey -F -P
	export RUMP_SERVER=$SOCK_PEER
	atf_check -s exit:0 -o empty $HIJACKING setkey -F -P

	# SAs with $lifetime seconds, and this time they are used: the ping6
	# creates a reference from the SP to the SA.
	setup_sasp $proto "$algo_args" $ip_local $ip_peer $lifetime
	export RUMP_SERVER=$SOCK_LOCAL
	atf_check -s exit:0 -o ignore rump.ping6 -c 1 -n -X 3 $ip_peer

	extract_new_packets $BUS > "$pcap"
	atf_check -s exit:0 -o match:"$ip_local > $ip_peer: $proto_cap" \
	    cat "$pcap"
	atf_check -s exit:0 -o match:"$ip_peer > $ip_local: $proto_cap" \
	    cat "$pcap"

	# Referenced SAs must expire as well; dead SAs are dumped too so a
	# lingering one is noticed.
	test_sad_disapper_until $((lifetime + buffertime)) true

	# The SP still requires IPsec and no SA is left: ping6 has to fail.
	export RUMP_SERVER=$SOCK_LOCAL
	atf_check -s not-exit:0 -o match:'0 packets received' \
	    rump.ping6 -c 1 -n -X 1 $ip_peer

	test_flush_entries $SOCK_LOCAL
	test_flush_entries $SOCK_PEER
}
    269   1.1   ozaki 
#
# test_lifetime_common ipproto proto algo
#
# Dispatches to the IPv4 or IPv6 lifetime test.
#
# Arguments:
#   $1 ipproto  ipv4 selects test_ipsec4_lifetime; any other value selects
#               test_ipsec6_lifetime
#   $2 proto    esp or ah
#   $3 algo     algorithm name accepted by generate_algo_args
#
test_lifetime_common()
{
	local ipproto=$1
	local proto=$2
	local algo=$3

	case "$ipproto" in
	ipv4)
		test_ipsec4_lifetime $proto $algo
		;;
	*)
		test_ipsec6_lifetime $proto $algo
		;;
	esac
}
    282   1.1   ozaki 
#
# add_test_lifetime ipproto proto algo
#
# Registers one ATF test case named ipsec_lifetime_<ipproto>_<proto>_<algo>
# (hyphens removed from the algorithm) whose body runs test_lifetime_common.
#
# Arguments:
#   $1 ipproto  ipv4 or ipv6
#   $2 proto    esp or ah
#   $3 algo     algorithm name accepted by generate_algo_args
#
add_test_lifetime()
{
	local ipproto=$1
	local proto=$2
	local algo=$3
	local algo_tag= name= desc=

	# Hyphens are stripped because they are not usable in a test name.
	algo_tag=$(echo $algo | tr -d '-')
	name="ipsec_lifetime_${ipproto}_${proto}_${algo_tag}"
	desc="Tests of lifetime of IPsec ($ipproto) with $proto ($algo)"

	atf_test_case ${name} cleanup
	# The ATF hooks are generated with eval; $ipproto/$proto/$algo are
	# spliced into shell source, so callers must pass literal names only.
	# \$DEBUG is escaped so it is evaluated when cleanup runs.
	eval "
	    ${name}_head() {
	        atf_set descr \"$desc\"
	        atf_set require.progs rump_server setkey
	    }
	    ${name}_body() {
	        test_lifetime_common $ipproto $proto $algo
	        rump_server_destroy_ifaces
	    }
	    ${name}_cleanup() {
	        \$DEBUG && dump
	        cleanup
	    }
	"
	atf_add_test_case ${name}
}
    311   1.1   ozaki 
#
# test_update proto algo update
#
# Exercises setkey "update"/"spdupdate" on existing entries: setup_sasp
# installs the SAs and SP with the requested update step, then a ping must
# still be carried by $proto in both directions.
#
# Arguments:
#   $1 proto   esp or ah
#   $2 algo    algorithm name accepted by generate_algo_args
#   $3 update  sa or sp (see setup_sasp)
#
test_update()
{
	local proto=$1
	local algo=$2
	local update=$3
	local ip_local=10.0.0.1
	local ip_peer=10.0.0.2
	local pcap=./out
	local algo_args= proto_cap=

	algo_args="$(generate_algo_args $proto $algo)"
	# tcpdump prints the protocol in upper case (ESP/AH).
	proto_cap=$(echo $proto | tr 'a-z' 'A-Z')

	rump_server_crypto_start $SOCK_LOCAL netipsec
	rump_server_crypto_start $SOCK_PEER netipsec
	rump_server_add_iface $SOCK_LOCAL shmif0 $BUS
	rump_server_add_iface $SOCK_PEER shmif0 $BUS

	export RUMP_SERVER=$SOCK_LOCAL
	atf_check -s exit:0 rump.sysctl -q -w net.inet.ip.dad_count=0
	atf_check -s exit:0 rump.ifconfig shmif0 $ip_local/24

	export RUMP_SERVER=$SOCK_PEER
	atf_check -s exit:0 rump.sysctl -q -w net.inet.ip.dad_count=0
	atf_check -s exit:0 rump.ifconfig shmif0 $ip_peer/24

	# A long lifetime: expiry is not what is under test here.
	setup_sasp $proto "$algo_args" $ip_local $ip_peer 100 $update

	extract_new_packets $BUS > "$pcap"

	export RUMP_SERVER=$SOCK_LOCAL
	atf_check -s exit:0 -o ignore rump.ping -c 1 -n -w 3 $ip_peer

	extract_new_packets $BUS > "$pcap"
	atf_check -s exit:0 -o match:"$ip_local > $ip_peer: $proto_cap" \
	    cat "$pcap"
	atf_check -s exit:0 -o match:"$ip_peer > $ip_local: $proto_cap" \
	    cat "$pcap"
}
    349   1.8   ozaki 
#
# add_test_update proto algo update
#
# Registers one ATF test case named ipsec_update_<update>_<proto>_<algo>
# (hyphens removed from the algorithm) whose body runs test_update.
#
# Arguments:
#   $1 proto   esp or ah
#   $2 algo    algorithm name accepted by generate_algo_args
#   $3 update  sa or sp
#
add_test_update()
{
	local proto=$1
	local algo=$2
	local update=$3
	local update_cap= algo_tag= name= desc=

	update_cap=$(echo $update | tr 'a-z' 'A-Z')
	# Hyphens are stripped because they are not usable in a test name.
	algo_tag=$(echo $algo | tr -d '-')
	name="ipsec_update_${update}_${proto}_${algo_tag}"
	desc="Tests trying to update $update_cap of $proto ($algo)"

	atf_test_case ${name} cleanup
	# The ATF hooks are generated with eval; $proto/$algo/$update are
	# spliced into shell source, so callers must pass literal names only.
	# \$DEBUG is escaped so it is evaluated when cleanup runs.
	eval "
	    ${name}_head() {
	        atf_set descr \"$desc\"
	        atf_set require.progs rump_server setkey
	    }
	    ${name}_body() {
	        test_update $proto $algo $update
	        rump_server_destroy_ifaces
	    }
	    ${name}_cleanup() {
	        \$DEBUG && dump
	        cleanup
	    }
	"
	atf_add_test_case ${name}
}
    379   1.8   ozaki 
#
# test_getspi_update proto algo
#
# Creates the SAs with setkey "getspi" and then keys them with "update"
# (setup_sasp's getspi mode); a ping must afterwards be carried by $proto in
# both directions.
#
# Arguments:
#   $1 proto  esp or ah
#   $2 algo   algorithm name accepted by generate_algo_args
#
test_getspi_update()
{
	local proto=$1
	local algo=$2
	local ip_local=10.0.0.1
	local ip_peer=10.0.0.2
	local pcap=./out
	local algo_args= proto_cap=

	algo_args="$(generate_algo_args $proto $algo)"
	# tcpdump prints the protocol in upper case (ESP/AH).
	proto_cap=$(echo $proto | tr 'a-z' 'A-Z')

	rump_server_crypto_start $SOCK_LOCAL netipsec
	rump_server_crypto_start $SOCK_PEER netipsec
	rump_server_add_iface $SOCK_LOCAL shmif0 $BUS
	rump_server_add_iface $SOCK_PEER shmif0 $BUS

	export RUMP_SERVER=$SOCK_LOCAL
	atf_check -s exit:0 rump.sysctl -q -w net.inet.ip.dad_count=0
	atf_check -s exit:0 rump.ifconfig shmif0 $ip_local/24

	export RUMP_SERVER=$SOCK_PEER
	atf_check -s exit:0 rump.sysctl -q -w net.inet.ip.dad_count=0
	atf_check -s exit:0 rump.ifconfig shmif0 $ip_peer/24

	# A long lifetime: expiry is not what is under test here.
	setup_sasp $proto "$algo_args" $ip_local $ip_peer 100 getspi

	extract_new_packets $BUS > "$pcap"

	export RUMP_SERVER=$SOCK_LOCAL
	atf_check -s exit:0 -o ignore rump.ping -c 1 -n -w 3 $ip_peer

	extract_new_packets $BUS > "$pcap"
	atf_check -s exit:0 -o match:"$ip_local > $ip_peer: $proto_cap" \
	    cat "$pcap"
	atf_check -s exit:0 -o match:"$ip_peer > $ip_local: $proto_cap" \
	    cat "$pcap"
}
    416  1.23   ozaki 
#
# add_test_getspi_update proto algo
#
# Registers one ATF test case named ipsec_getspi_update_sa_<proto>_<algo>
# (hyphens removed from the algorithm) whose body runs test_getspi_update.
#
# Arguments:
#   $1 proto  esp or ah
#   $2 algo   algorithm name accepted by generate_algo_args
#
add_test_getspi_update()
{
	local proto=$1
	local algo=$2
	local algo_tag= name= desc=

	# Hyphens are stripped because they are not usable in a test name.
	algo_tag=$(echo $algo | tr -d '-')
	name="ipsec_getspi_update_sa_${proto}_${algo_tag}"
	desc="Tests trying to getspi and update SA of $proto ($algo)"

	atf_test_case ${name} cleanup
	# The ATF hooks are generated with eval; $proto/$algo are spliced
	# into shell source, so callers must pass literal names only.
	# \$DEBUG is escaped so it is evaluated when cleanup runs.
	eval "
	    ${name}_head() {
	        atf_set descr \"$desc\"
	        atf_set require.progs rump_server setkey
	    }
	    ${name}_body() {
	        test_getspi_update $proto $algo
	        rump_server_destroy_ifaces
	    }
	    ${name}_cleanup() {
	        \$DEBUG && dump
	        cleanup
	    }
	"
	atf_add_test_case ${name}
}
    444  1.23   ozaki 
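#
# add_sa proto algo_args ip_local ip_peer lifetime spi
#
# Adds one more pair of SAs on both rump servers: SPI $spi for local->peer
# and $spi+1 for peer->local.  No SP is touched; the existing "require" SP
# from setup_sasp selects among the SAs.  The generated setkey script is
# written to ./tmp and echoed, together with the resulting SAD, when $DEBUG
# is true.
#
# Arguments:
#   $1 proto      setkey protocol keyword (esp or ah)
#   $2 algo_args  algorithm/key options appended to "add"
#   $3 ip_local   address of the local node
#   $4 ip_peer    address of the peer node
#   $5 lifetime   hard and soft lifetime in seconds (-lh/-ls)
#   $6 spi        decimal SPI of the local->peer SA
#
add_sa()
{
	local proto=$1
	local algo_args="$2"
	local ip_local=$3
	local ip_peer=$4
	local lifetime=$5
	local spi=$6
	local tmpfile=./tmp

	# $HIJACKING is deliberately left unquoted: it may be empty or hold
	# several words.
	export RUMP_SERVER=$SOCK_LOCAL
	cat > "$tmpfile" <<-EOF
	add $ip_local $ip_peer $proto $((spi)) -lh $lifetime -ls $lifetime $algo_args;
	add $ip_peer $ip_local $proto $((spi + 1)) -lh $lifetime -ls $lifetime $algo_args;
	EOF
	$DEBUG && cat "$tmpfile"
	atf_check -s exit:0 -o empty $HIJACKING setkey -c < "$tmpfile"
	$DEBUG && $HIJACKING setkey -D
	# XXX it can be expired if $lifetime is very short
	#check_sa_entries $SOCK_LOCAL $ip_local $ip_peer

	export RUMP_SERVER=$SOCK_PEER
	cat > "$tmpfile" <<-EOF
	add $ip_local $ip_peer $proto $((spi)) -lh $lifetime -ls $lifetime $algo_args;
	add $ip_peer $ip_local $proto $((spi + 1)) -lh $lifetime -ls $lifetime $algo_args;
	EOF
	$DEBUG && cat "$tmpfile"
	atf_check -s exit:0 -o empty $HIJACKING setkey -c < "$tmpfile"
	$DEBUG && $HIJACKING setkey -D
	# XXX it can be expired if $lifetime is very short
	#check_sa_entries $SOCK_PEER $ip_local $ip_peer
}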
    480   1.9   ozaki 
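#
# delete_sa proto ip_local ip_peer spi
#
# Deletes the SA pair added by add_sa (SPI $spi for local->peer, $spi+1 for
# peer->local) on both rump servers.  The generated setkey script is written
# to ./tmp and echoed, together with the resulting SAD, when $DEBUG is true.
#
# Arguments:
#   $1 proto     setkey protocol keyword (esp or ah)
#   $2 ip_local  address of the local node
#   $3 ip_peer   address of the peer node
#   $4 spi       decimal SPI of the local->peer SA
#
delete_sa()
{
	local proto=$1
	local ip_local=$2
	local ip_peer=$3
	local spi=$4
	local tmpfile=./tmp

	# $HIJACKING is deliberately left unquoted: it may be empty or hold
	# several words.
	export RUMP_SERVER=$SOCK_LOCAL
	cat > "$tmpfile" <<-EOF
	delete $ip_local $ip_peer $proto $((spi));
	delete $ip_peer $ip_local $proto $((spi + 1));
	EOF
	$DEBUG && cat "$tmpfile"
	atf_check -s exit:0 -o empty $HIJACKING setkey -c < "$tmpfile"
	$DEBUG && $HIJACKING setkey -D

	export RUMP_SERVER=$SOCK_PEER
	cat > "$tmpfile" <<-EOF
	delete $ip_local $ip_peer $proto $((spi));
	delete $ip_peer $ip_local $proto $((spi + 1));
	EOF
	$DEBUG && cat "$tmpfile"
	atf_check -s exit:0 -o empty $HIJACKING setkey -c < "$tmpfile"
	$DEBUG && $HIJACKING setkey -D
}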
    508  1.13   ozaki 
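#
# check_packet_spi outfile ip_local ip_peer proto_cap spi
#
# Asserts that the captured traffic in $outfile carries the expected SPIs:
# $spi on the local->peer packet and $spi+1 on the peer->local packet (the
# pairing convention of setup_sasp and add_sa).
#
# Arguments:
#   $1 outfile    tcpdump text output to inspect
#   $2 ip_local   local address as printed by tcpdump
#   $3 ip_peer    peer address as printed by tcpdump
#   $4 proto_cap  protocol name in upper case (ESP or AH)
#   $5 spi        decimal SPI of the local->peer SA
#
check_packet_spi()
{
	local outfile=$1
	local ip_local=$2
	local ip_peer=$3
	# The fourth argument used to be stored in "proto" while the patterns
	# below read "$proto_cap", which only worked because the caller happened
	# to have a local of that name (sh scoping is dynamic).  Store it under
	# the name that is actually used.
	local proto_cap=$4
	local spi=$5
	local spistr=

	$DEBUG && cat "$outfile"
	# tcpdump prints the SPI as eight hex digits, e.g. "(spi=0x00002710,".
	spistr=$(printf "%08x" "$spi")
	atf_check -s exit:0 \
	    -o match:"$ip_local > $ip_peer: $proto_cap\(spi=0x$spistr," \
	    cat "$outfile"
	spistr=$(printf "%08x" $((spi + 1)))
	atf_check -s exit:0 \
	    -o match:"$ip_peer > $ip_local: $proto_cap\(spi=0x$spistr," \
	    cat "$outfile"
}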
    528   1.9   ozaki 
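#
# wait_sa_disappeared spi
#
# Polls "setkey -D" on each of the two rump servers, up to ten times one
# second apart, until the SA with the given SPI is no longer listed; fails
# the test case if it is still present after the last poll.
#
# Arguments:
#   $1 spi  decimal SPI, matched against the "spi=N" text of setkey -D
#
wait_sa_disappeared()
{
	local spi=$1
	local sock= i= gone=

	for sock in $SOCK_LOCAL $SOCK_PEER; do
		export RUMP_SERVER=$sock
		gone=false
		i=0
		# Track success explicitly: the former "[ $i -eq 10 ]" test
		# reported a failure even when the SA vanished exactly on the
		# tenth poll.
		while [ "$i" -lt 10 ]; do
			if ! $HIJACKING setkey -D | grep -q "spi=$spi"; then
				gone=true
				break
			fi
			sleep 1
			i=$((i + 1))
		done
		if ! $gone; then
			atf_fail "SA (spi=$spi) didn't disappear in 10s"
		fi
	done
}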
    553  1.12   ozaki 
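#
# test_spi proto algo preferred method
#
# Installs several SAs for the same address pair with different SPIs and
# checks which one the kernel picks for outgoing traffic:
#   preferred=new  the most recently added SA is used
#   preferred=old  net.key.prefered_oldsa=1 keeps the original SA in use
# The extra SAs are then removed one at a time, either explicitly
# (method=delete) or by letting them expire (method=timeout), and the
# selection is re-checked after each removal.
#
# Arguments:
#   $1 proto      esp or ah
#   $2 algo       algorithm name accepted by generate_algo_args
#   $3 preferred  new or old
#   $4 method     delete or timeout
#
test_spi()
{
	local proto=$1
	local algo=$2
	local preferred=$3
	local method=$4
	local ip_local=10.0.0.1
	local ip_peer=10.0.0.2
	local algo_args="$(generate_algo_args $proto $algo)"
	local proto_cap=$(echo $proto | tr 'a-z' 'A-Z')
	local outfile=./out
	local longtime= shorttime=

	if [ "$method" = timeout ]; then
		atf_skip \
	   "PR 55632: test fails randomly, leaving spurious rump_server around"
	fi
	# Effectively unreachable while the atf_skip above is in place; kept
	# for when PR 55632 is resolved.  Two separate tests joined with &&
	# replace the obsolescent, ambiguous "-a" operator.
	if [ "$method" = timeout ] && [ "$preferred" = new ]; then
		skip_if_qemu
	fi

	# For the delete variant the lifetimes only have to outlast the test;
	# for the timeout variant the third SA must expire before the second.
	if [ "$method" = delete ]; then
		shorttime=100
		longtime=100
	else
		shorttime=3
		longtime=6
	fi

	rump_server_crypto_start $SOCK_LOCAL netipsec
	rump_server_crypto_start $SOCK_PEER netipsec
	rump_server_add_iface $SOCK_LOCAL shmif0 $BUS
	rump_server_add_iface $SOCK_PEER shmif0 $BUS

	export RUMP_SERVER=$SOCK_LOCAL
	atf_check -s exit:0 rump.sysctl -q -w net.inet.ip.dad_count=0
	atf_check -s exit:0 rump.ifconfig shmif0 $ip_local/24
	if [ "$preferred" = old ]; then
		atf_check -s exit:0 rump.sysctl -q -w net.key.prefered_oldsa=1
	fi

	export RUMP_SERVER=$SOCK_PEER
	atf_check -s exit:0 rump.sysctl -q -w net.inet.ip.dad_count=0
	atf_check -s exit:0 rump.ifconfig shmif0 $ip_peer/24
	if [ "$preferred" = old ]; then
		atf_check -s exit:0 rump.sysctl -q -w net.key.prefered_oldsa=1
	fi

	# Original SAs: SPI 10000/10001, long lived.
	setup_sasp $proto "$algo_args" $ip_local $ip_peer 100

	extract_new_packets $BUS > "$outfile"

	export RUMP_SERVER=$SOCK_LOCAL
	atf_check -s exit:0 -o ignore rump.ping -c 1 -n -w 3 $ip_peer
	extract_new_packets $BUS > "$outfile"
	check_packet_spi "$outfile" $ip_local $ip_peer $proto_cap 10000

	# Add a new SA with a different SPI
	add_sa $proto "$algo_args" $ip_local $ip_peer $longtime 10010

	export RUMP_SERVER=$SOCK_LOCAL
	atf_check -s exit:0 -o ignore rump.ping -c 1 -n -w 3 $ip_peer
	extract_new_packets $BUS > "$outfile"
	if [ "$preferred" = old ]; then
		check_packet_spi "$outfile" $ip_local $ip_peer $proto_cap 10000
	else
		# The new SA is preferred
		check_packet_spi "$outfile" $ip_local $ip_peer $proto_cap 10010
	fi

	# Add another SA with a different SPI
	add_sa $proto "$algo_args" $ip_local $ip_peer $shorttime 10020

	export RUMP_SERVER=$SOCK_LOCAL
	atf_check -s exit:0 -o ignore rump.ping -c 1 -n -w 3 $ip_peer
	extract_new_packets $BUS > "$outfile"
	if [ "$preferred" = old ]; then
		check_packet_spi "$outfile" $ip_local $ip_peer $proto_cap 10000
	else
		# The newest SA is preferred
		check_packet_spi "$outfile" $ip_local $ip_peer $proto_cap 10020
	fi

	if [ "$method" = delete ]; then
		delete_sa $proto $ip_local $ip_peer 10020
	else
		wait_sa_disappeared 10020
	fi

	export RUMP_SERVER=$SOCK_LOCAL
	atf_check -s exit:0 -o ignore rump.ping -c 1 -n -w 3 $ip_peer
	extract_new_packets $BUS > "$outfile"
	if [ "$preferred" = old ]; then
		check_packet_spi "$outfile" $ip_local $ip_peer $proto_cap 10000
	else
		# The newest one is removed and the second one is used
		check_packet_spi "$outfile" $ip_local $ip_peer $proto_cap 10010
	fi

	if [ "$method" = delete ]; then
		delete_sa $proto $ip_local $ip_peer 10010
	else
		wait_sa_disappeared 10010
	fi

	export RUMP_SERVER=$SOCK_LOCAL
	atf_check -s exit:0 -o ignore rump.ping -c 1 -n -w 3 $ip_peer
	extract_new_packets $BUS > "$outfile"
	if [ "$preferred" = old ]; then
		check_packet_spi "$outfile" $ip_local $ip_peer $proto_cap 10000
	else
		# The second one is removed and the original one is used
		check_packet_spi "$outfile" $ip_local $ip_peer $proto_cap 10000
	fi
}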
    670   1.9   ozaki 
#
# Registers an ATF test case that exercises SA selection when several SAs
# with different SPIs serve the same SP.
#
# Arguments:
#   $1 - protocol (esp or ah)
#   $2 - algorithm name as listed in the *_ALGORITHMS_MINIMUM variables
#   $3 - which SA is expected to be preferred ("new" or "old")
#   $4 - how the extra SAs go away ("delete" or "timeout")
#
# The generated body calls test_spi with the same four arguments, so all of
# them are encoded in the case name to keep the cases distinct.
#
add_test_spi()
{
	local proto=$1
	local algo=$2
	local preferred=$3
	local method=$4
	local name= desc= _algo=

	# The name becomes a shell function name prefix in the eval below,
	# so it cannot contain dashes
	_algo=$(printf '%s' "$algo" | tr -d '-')
	name="ipsec_spi_${proto}_${_algo}_preferred_${preferred}_${method}"
	desc="Tests SAs with different SPIs of $proto ($algo) ($preferred SA preferred) ($method)"

	# eval defines the per-case head/body/cleanup functions; name and
	# desc are built from this test program's own protocol/algorithm
	# values, not from external input
	atf_test_case ${name} cleanup
	eval "
	    ${name}_head() {
	        atf_set descr \"$desc\"
	        atf_set require.progs rump_server setkey
	    }
	    ${name}_body() {
	        test_spi $proto $algo $preferred $method
	        rump_server_destroy_ifaces
	    }
	    ${name}_cleanup() {
	        \$DEBUG && dump
	        cleanup
	    }
	"
	atf_add_test_case ${name}
}
    700   1.9   ozaki 
#
# Installs the transport-mode security policies (SPs) for one address pair on
# both rump servers: an outbound and an inbound "require" policy on the local
# side and the mirror image on the peer side.  No SA is created here.
#
# Arguments:
#   $1 - protocol (esp or ah)
#   $2 - algorithm arguments; accepted for symmetry with setup_sasp but not
#        used, since an SP carries no algorithm
#   $3 - local address or prefix for the policy selector
#   $4 - peer address or prefix for the policy selector
#
# Globals: SOCK_LOCAL, SOCK_PEER, HIJACKING, DEBUG (read); RUMP_SERVER (exported)
# Outputs: writes the setkey script to ./tmp relative to the current directory
#          (ATF runs each case in its own work directory)
#
# check_sp_entries is run on each side to confirm the policies are installed.
#
setup_sp()
{
	local proto=$1
	local algo_args="$2"
	local ip_local=$3
	local ip_peer=$4
	local tmpfile=./tmp
	local policy="ipsec $proto/transport//require"

	# Local side: out towards the peer, in from the peer
	export RUMP_SERVER=$SOCK_LOCAL
	{
		printf 'spdadd %s %s any -P out %s;\n' "$ip_local" "$ip_peer" "$policy"
		printf 'spdadd %s %s any -P in %s;\n' "$ip_peer" "$ip_local" "$policy"
	} > $tmpfile
	$DEBUG && cat $tmpfile
	atf_check -s exit:0 -o empty $HIJACKING setkey -c < $tmpfile
	check_sp_entries $SOCK_LOCAL $ip_local $ip_peer

	# Peer side: the same pair with the directions swapped
	export RUMP_SERVER=$SOCK_PEER
	{
		printf 'spdadd %s %s any -P out %s;\n' "$ip_peer" "$ip_local" "$policy"
		printf 'spdadd %s %s any -P in %s;\n' "$ip_local" "$ip_peer" "$policy"
	} > $tmpfile
	$DEBUG && cat $tmpfile
	atf_check -s exit:0 -o empty $HIJACKING setkey -c < $tmpfile
	check_sp_entries $SOCK_PEER $ip_peer $ip_local
}
    727  1.17   ozaki 
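#
# Verifies that a "require" SP with no usable SA does not let traffic
# through: with only the policies from setup_sp installed, ping from the
# local server to the peer must fail.
#
# Arguments:
#   $1 - protocol (esp or ah)
#   $2 - algorithm name, only used to derive algo_args for setup_sp
#
# Globals: SOCK_LOCAL, SOCK_PEER, BUS (read); RUMP_SERVER (exported)
# Outputs: drains the bus capture into ./out before the ping attempt
#
# NOTE(review): only the exit status of ping is asserted.  The packets
# that reach $BUS after the attempt are not inspected, so this case does
# not by itself show that nothing was sent in cleartext.
#
# The unused locals of the previous version (update, proto_cap) are gone;
# neither was read and add_test_nosa passes only two arguments.
#
test_nosa()
{
	local proto=$1
	local algo=$2
	local ip_local=10.0.0.1
	local ip_peer=10.0.0.2
	local algo_args="$(generate_algo_args $proto $algo)"
	local outfile=./out

	rump_server_crypto_start $SOCK_LOCAL netipsec
	rump_server_crypto_start $SOCK_PEER netipsec
	rump_server_add_iface $SOCK_LOCAL shmif0 $BUS
	rump_server_add_iface $SOCK_PEER shmif0 $BUS

	# Turn off DAD (dad_count=0) so the addresses are usable right away
	export RUMP_SERVER=$SOCK_LOCAL
	atf_check -s exit:0 rump.sysctl -q -w net.inet.ip.dad_count=0
	atf_check -s exit:0 rump.ifconfig shmif0 $ip_local/24

	export RUMP_SERVER=$SOCK_PEER
	atf_check -s exit:0 rump.sysctl -q -w net.inet.ip.dad_count=0
	atf_check -s exit:0 rump.ifconfig shmif0 $ip_peer/24

	# Policies only; no SA is ever added in this case
	setup_sp $proto "$algo_args" $ip_local $ip_peer

	# Discard whatever the setup put on the bus
	extract_new_packets $BUS > $outfile

	export RUMP_SERVER=$SOCK_LOCAL
	# Must fail: the policy requires IPsec and there is no SA
	atf_check -s not-exit:0 -o ignore rump.ping -c 1 -n -w 3 $ip_peer
}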
    760  1.17   ozaki 
#
# Registers the "SP without SA" test case for one protocol/algorithm pair.
#
# Arguments:
#   $1 - protocol (esp or ah)
#   $2 - algorithm name
#
# The generated body calls test_nosa with the same two arguments.
#
add_test_nosa()
{
	local proto=$1
	local algo=$2
	local name= desc= _algo=

	# The name becomes a shell function name prefix in the eval below,
	# so it cannot contain dashes
	_algo=$(printf '%s' "$algo" | tr -d '-')
	name="ipsec_nosa_${proto}_${_algo}"
	desc="Tests SPs with no relevant SAs with $proto ($algo)"

	# eval defines the per-case head/body/cleanup functions; name and
	# desc are built from this test program's own protocol/algorithm
	# values, not from external input
	atf_test_case ${name} cleanup
	eval "
	    ${name}_head() {
	        atf_set descr \"$desc\"
	        atf_set require.progs rump_server setkey
	    }
	    ${name}_body() {
	        test_nosa $proto $algo
	        rump_server_destroy_ifaces
	    }
	    ${name}_cleanup() {
	        \$DEBUG && dump
	        cleanup
	    }
	"
	atf_add_test_case ${name}
}
    788  1.17   ozaki 
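#
# Verifies that one wildcard SP can be served by several SAs, one per peer
# address, and that installing SAs does not rewrite the SP.
#
# Arguments:
#   $1 - protocol (esp or ah)
#   $2 - algorithm name, used to derive algo_args for add_sa
#
# Globals: SOCK_LOCAL, SOCK_PEER, BUS, HIJACKING (read); RUMP_SERVER (exported)
# Outputs: drains the bus capture into ./out after the SPs are installed
#
# Sequence: the peer gets two addresses ($ip_peer and the alias $ip_peer2)
# and the SPs use 0.0.0.0/0 on the peer side of the selector.  Ping to
# either address must fail while no SA exists, succeed only for $ip_peer
# once its SA exists, and succeed for both once both SAs exist.  Finally
# "setkey -D -P" on both sides must still show the original
# "$proto/transport//require" policy and no endpoint-qualified
# "$proto/transport/<addr>-<addr>/require" variant, i.e. adding SAs must
# not have narrowed the policy to one peer.
#
# The unused locals of the previous version (update, proto_cap) are gone;
# neither was read and add_test_multiple_sa passes only two arguments.
#
test_multiple_sa()
{
	local proto=$1
	local algo=$2
	local ip_local=10.0.0.1
	local ip_peer=10.0.0.2
	local ip_peer2=10.0.0.3
	local algo_args="$(generate_algo_args $proto $algo)"
	local outfile=./out

	rump_server_crypto_start $SOCK_LOCAL netipsec
	rump_server_crypto_start $SOCK_PEER netipsec
	rump_server_add_iface $SOCK_LOCAL shmif0 $BUS
	rump_server_add_iface $SOCK_PEER shmif0 $BUS

	# Turn off DAD (dad_count=0) so the addresses are usable right away
	export RUMP_SERVER=$SOCK_LOCAL
	atf_check -s exit:0 rump.sysctl -q -w net.inet.ip.dad_count=0
	atf_check -s exit:0 rump.ifconfig shmif0 $ip_local/24

	export RUMP_SERVER=$SOCK_PEER
	atf_check -s exit:0 rump.sysctl -q -w net.inet.ip.dad_count=0
	atf_check -s exit:0 rump.ifconfig shmif0 $ip_peer/24
	atf_check -s exit:0 rump.ifconfig shmif0 $ip_peer2/24 alias

	# One SP pair whose peer-side selector matches any address
	setup_sp $proto "$algo_args" "$ip_local" "0.0.0.0/0"

	extract_new_packets $BUS > $outfile

	export RUMP_SERVER=$SOCK_LOCAL
	# There is no SA, so ping should fail
	atf_check -s not-exit:0 -o ignore rump.ping -c 1 -n -w 3 $ip_peer
	atf_check -s not-exit:0 -o ignore rump.ping -c 1 -n -w 3 $ip_peer2

	# Trailing arguments are presumably lifetime 100 and SPI 10000, as
	# add_sa is used in test_spi — confirm against add_sa
	add_sa $proto "$algo_args" $ip_local $ip_peer 100 10000

	export RUMP_SERVER=$SOCK_LOCAL
	# There is only an SA for $ip_peer, so ping to $ip_peer2 should fail
	atf_check -s exit:0 -o ignore rump.ping -c 1 -n -w 3 $ip_peer
	atf_check -s not-exit:0 -o ignore rump.ping -c 1 -n -w 3 $ip_peer2

	add_sa $proto "$algo_args" $ip_local $ip_peer2 100 10010

	export RUMP_SERVER=$SOCK_LOCAL
	atf_check -s exit:0 -o ignore rump.ping -c 1 -n -w 3 $ip_peer
	atf_check -s exit:0 -o ignore rump.ping -c 1 -n -w 3 $ip_peer2

	# The policy must still be the generic "require" entry on both sides
	export RUMP_SERVER=$SOCK_LOCAL
	atf_check -s exit:0 -o match:"$proto/transport//require" \
	    $HIJACKING setkey -D -P
	# Check if the policy isn't modified accidentally: no src-dst
	# endpoints must have been attached to the policy
	atf_check -s exit:0 -o not-match:"$proto/transport/.+\-.+/require" \
	    $HIJACKING setkey -D -P
	export RUMP_SERVER=$SOCK_PEER
	atf_check -s exit:0 -o match:"$proto/transport//require" \
	    $HIJACKING setkey -D -P
	# Check if the policy isn't modified accidentally
	atf_check -s exit:0 -o not-match:"$proto/transport/.+\-.+/require" \
	    $HIJACKING setkey -D -P
}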
    850  1.20   ozaki 
#
# Registers the "multiple SAs behind one SP" test case for one
# protocol/algorithm pair.
#
# Arguments:
#   $1 - protocol (esp or ah)
#   $2 - algorithm name
#
# The generated body calls test_multiple_sa with the same two arguments.
#
add_test_multiple_sa()
{
	local proto=$1
	local algo=$2
	local name= desc= _algo=

	# The name becomes a shell function name prefix in the eval below,
	# so it cannot contain dashes
	_algo=$(printf '%s' "$algo" | tr -d '-')
	name="ipsec_multiple_sa_${proto}_${_algo}"
	desc="Tests multiple SAs with $proto ($algo)"

	# eval defines the per-case head/body/cleanup functions; name and
	# desc are built from this test program's own protocol/algorithm
	# values, not from external input
	atf_test_case ${name} cleanup
	eval "
	    ${name}_head() {
	        atf_set descr \"$desc\"
	        atf_set require.progs rump_server setkey
	    }
	    ${name}_body() {
	        test_multiple_sa $proto $algo
	        rump_server_destroy_ifaces
	    }
	    ${name}_cleanup() {
	        \$DEBUG && dump
	        cleanup
	    }
	"
	atf_add_test_case ${name}
}
    878  1.20   ozaki 
#
# ATF entry point: registers every test case of this program.
#
# For each protocol (esp first, then ah) and each algorithm in the matching
# *_ALGORITHMS_MINIMUM list (defined outside this function, presumably in a
# sourced helper), the add_test_* helpers generate and register cases in a
# fixed order, so the order in which the cases run is fixed as well.
# add_test_spi is registered for both preferences (new/old) combined with
# both removal methods (delete/timeout).
#
atf_init_test_cases()
{
	local algo=

	# ESP cases, one set per encryption algorithm
	for algo in $ESP_ENCRYPTION_ALGORITHMS_MINIMUM; do
		add_test_lifetime ipv4 esp $algo
		add_test_lifetime ipv6 esp $algo
		add_test_update esp $algo sa
		add_test_update esp $algo sp
		add_test_getspi_update esp $algo
		add_test_spi esp $algo new delete
		add_test_spi esp $algo old delete
		add_test_spi esp $algo new timeout
		add_test_spi esp $algo old timeout
		add_test_nosa esp $algo
		add_test_multiple_sa esp $algo
	done
	# AH cases, one set per authentication algorithm
	for algo in $AH_AUTHENTICATION_ALGORITHMS_MINIMUM; do
		add_test_lifetime ipv4 ah $algo
		add_test_lifetime ipv6 ah $algo
		add_test_update ah $algo sa
		add_test_update ah $algo sp
		add_test_getspi_update ah $algo
		add_test_spi ah $algo new delete
		add_test_spi ah $algo old delete
		add_test_spi ah $algo new timeout
		add_test_spi ah $algo old timeout
		add_test_nosa ah $algo
		add_test_multiple_sa ah $algo
	done
}