t_ipsec_misc.sh revision 1.12 1 # $NetBSD: t_ipsec_misc.sh,v 1.12 2017/07/19 02:06:11 ozaki-r Exp $
2 #
3 # Copyright (c) 2017 Internet Initiative Japan Inc.
4 # All rights reserved.
5 #
6 # Redistribution and use in source and binary forms, with or without
7 # modification, are permitted provided that the following conditions
8 # are met:
9 # 1. Redistributions of source code must retain the above copyright
10 # notice, this list of conditions and the following disclaimer.
11 # 2. Redistributions in binary form must reproduce the above copyright
12 # notice, this list of conditions and the following disclaimer in the
13 # documentation and/or other materials provided with the distribution.
14 #
15 # THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
16 # ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
17 # TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
18 # PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
19 # BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
20 # CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
21 # SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
22 # INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
23 # CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
24 # ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
25 # POSSIBILITY OF SUCH DAMAGE.
26 #
27
# Control sockets of the two rump kernels used by every test in this file
# (the local end and its peer), and the bus file both shmif0 interfaces
# are attached to.
SOCK_LOCAL=unix://ipsec_local
SOCK_PEER=unix://ipsec_peer
BUS=./bus_ipsec

# DEBUG is executed as a command ("$DEBUG && ..."), so it has to hold
# "true" or "false".  A value already present in the environment wins,
# which means whatever it contains is what gets run.
: "${DEBUG:=true}"
33
#
# setup_sasp proto algo_args ip_local ip_peer lifetime [update]
#
# Load a pair of manually keyed SAs and one outbound policy into each of
# the two rump kernels by feeding a generated script to "setkey -c".
#
#   proto      IPsec protocol keyword placed in the add/spdadd lines
#   algo_args  algorithm and key arguments appended to each "add" line
#   lifetime   seconds, used for both the hard (-lh) and soft (-ls) lifetime
#   update     "sa": also issue "update" for both SAs
#              "sp": also issue "spdupdate" for this side's outbound policy
#              anything else (or omitted): nothing extra
#
# The SPIs are fixed: 10000 for local->peer and 10001 for peer->local.
# Both kernels get the same two SAs; only the policy direction differs.
# The policy level is "require" in transport mode.
# RUMP_SERVER is left pointing at $SOCK_PEER on return.
#
setup_sasp()
{
	local proto=$1
	local algo_args="$2"
	local ip_local=$3
	local ip_peer=$4
	local lifetime=$5
	local update=$6
	local tmpfile=./tmp
	local extra=
	local side= rsock= src= dst=

	for side in local peer; do
		# src/dst give the direction of this side's outbound policy.
		if [ $side = local ]; then
			rsock=$SOCK_LOCAL
			src=$ip_local
			dst=$ip_peer
		else
			rsock=$SOCK_PEER
			src=$ip_peer
			dst=$ip_local
		fi

		case "$update" in
		sa)
			# Same two statements on both sides.
			extra="update $ip_local $ip_peer $proto 10000 $algo_args;
update $ip_peer $ip_local $proto 10001 $algo_args;"
			;;
		sp)
			extra="spdupdate $src $dst any -P out ipsec $proto/transport//require;"
			;;
		*)
			extra=
			;;
		esac

		export RUMP_SERVER=$rsock
		printf '%s\n' \
		    "add $ip_local $ip_peer $proto 10000 -lh $lifetime -ls $lifetime $algo_args;" \
		    "add $ip_peer $ip_local $proto 10001 -lh $lifetime -ls $lifetime $algo_args;" \
		    "spdadd $src $dst any -P out ipsec $proto/transport//require;" \
		    "$extra" > $tmpfile
		# With DEBUG on, the script (key material included) is
		# printed to the test output.
		$DEBUG && cat $tmpfile
		# HIJACKING is defined outside this file; it is left unquoted
		# so it can expand to zero or more words in front of setkey.
		atf_check -s exit:0 -o empty $HIJACKING setkey -c < $tmpfile
		# XXX it can be expired if $lifetime is very short
		#check_sa_entries $rsock $ip_local $ip_peer
	done
}
80
#
# test_ipsec4_lifetime proto algo
#
# SA lifetime test over IPv4 between 10.0.0.1 (local) and 10.0.0.2 (peer).
#
#  1. Plain ping works before any SA/SP exists.
#  2. SAs installed with a 1 second lifetime are gone from "setkey -D"
#     on both ends after 2 seconds.
#  3. SAs installed with a $lifetime second lifetime carry a ping (the
#     capture shows the upper-cased protocol name in both directions),
#     and after $lifetime + 1 seconds "setkey -D" prints nothing while
#     "setkey -D -a" still lists the outbound SA of each end.
#  4. With the "require" policy still in place and the SAs expired, a
#     ping must fail with "0 packets received".
#
# NOTE(review): step 4 only checks that ping gets no reply; it does not
# inspect the bus capture to confirm nothing left in cleartext.
#
test_ipsec4_lifetime()
{
	local proto=$1
	local algo=$2
	local ip_local=10.0.0.1
	local ip_peer=10.0.0.2
	local outfile=./out
	local lifetime=3
	local proto_cap= algo_args= rsock=

	proto_cap=$(echo $proto | tr 'a-z' 'A-Z')
	algo_args="$(generate_algo_args $proto $algo)"

	for rsock in $SOCK_LOCAL $SOCK_PEER; do
		rump_server_crypto_start $rsock netipsec
	done
	for rsock in $SOCK_LOCAL $SOCK_PEER; do
		rump_server_add_iface $rsock shmif0 $BUS
	done

	export RUMP_SERVER=$SOCK_LOCAL
	atf_check -s exit:0 rump.sysctl -q -w net.inet.ip.dad_count=0
	atf_check -s exit:0 rump.ifconfig shmif0 $ip_local/24
	#atf_check -s exit:0 -o ignore rump.sysctl -w net.key.debug=0xff

	export RUMP_SERVER=$SOCK_PEER
	atf_check -s exit:0 rump.sysctl -q -w net.inet.ip.dad_count=0
	atf_check -s exit:0 rump.ifconfig shmif0 $ip_peer/24
	#atf_check -s exit:0 -o ignore rump.sysctl -w net.key.debug=0xff

	# This first extraction is overwritten below before it is read;
	# presumably it only skips what is already on the bus.
	extract_new_packets $BUS > $outfile

	# Baseline: no SA/SP yet, so the echo goes out as plain ICMP.
	export RUMP_SERVER=$SOCK_LOCAL
	atf_check -s exit:0 -o ignore rump.ping -c 1 -n -w 3 $ip_peer

	extract_new_packets $BUS > $outfile
	atf_check -s exit:0 \
	    -o match:"$ip_local > $ip_peer: ICMP echo request" \
	    cat $outfile
	atf_check -s exit:0 \
	    -o match:"$ip_peer > $ip_local: ICMP echo reply" \
	    cat $outfile

	# Set up SAs with lifetime 1 sec.
	setup_sasp $proto "$algo_args" $ip_local $ip_peer 1

	# Wait for the SAs to be expired
	atf_check -s exit:0 sleep 2

	# Check the SAs have been expired
	for rsock in $SOCK_LOCAL $SOCK_PEER; do
		export RUMP_SERVER=$rsock
		$DEBUG && $HIJACKING setkey -D
		atf_check -s exit:0 -o match:'No SAD entries.' \
		    $HIJACKING setkey -D
	done

	# Clean up SPs
	for rsock in $SOCK_LOCAL $SOCK_PEER; do
		export RUMP_SERVER=$rsock
		atf_check -s exit:0 -o empty $HIJACKING setkey -F -P
	done

	# Set up SAs with lifetime with $lifetime
	setup_sasp $proto "$algo_args" $ip_local $ip_peer $lifetime

	# Use the SAs; this will create a reference from an SP to an SA
	export RUMP_SERVER=$SOCK_LOCAL
	atf_check -s exit:0 -o ignore rump.ping -c 1 -n -w 3 $ip_peer

	extract_new_packets $BUS > $outfile
	atf_check -s exit:0 -o match:"$ip_local > $ip_peer: $proto_cap" \
	    cat $outfile
	atf_check -s exit:0 -o match:"$ip_peer > $ip_local: $proto_cap" \
	    cat $outfile

	atf_check -s exit:0 sleep $((lifetime + 1))

	export RUMP_SERVER=$SOCK_LOCAL
	$DEBUG && $HIJACKING setkey -D
	atf_check -s exit:0 -o empty $HIJACKING setkey -D
	# The SA on output remain because sp/isr still refers it
	atf_check -s exit:0 -o match:"$ip_local $ip_peer" \
	    $HIJACKING setkey -D -a
	atf_check -s exit:0 -o not-match:"$ip_peer $ip_local" \
	    $HIJACKING setkey -D -a

	export RUMP_SERVER=$SOCK_PEER
	$DEBUG && $HIJACKING setkey -D
	atf_check -s exit:0 -o empty $HIJACKING setkey -D
	atf_check -s exit:0 -o not-match:"$ip_local $ip_peer" \
	    $HIJACKING setkey -D -a
	# The SA on output remain because sp/isr still refers it
	atf_check -s exit:0 -o match:"$ip_peer $ip_local" \
	    $HIJACKING setkey -D -a

	# Policy still says "require" but no usable SA is left: the ping
	# has to fail.
	export RUMP_SERVER=$SOCK_LOCAL
	atf_check -s not-exit:0 -o match:'0 packets received' \
	    rump.ping -c 1 -n -w 1 $ip_peer

	test_flush_entries $SOCK_LOCAL
	test_flush_entries $SOCK_PEER
}
178
#
# test_ipsec6_lifetime proto algo
#
# SA lifetime test over IPv6 between fd00::1 (local) and fd00::2 (peer).
#
#  1. Plain ping6 works before any SA/SP exists.
#  2. SAs installed with a 1 second lifetime are gone from "setkey -D"
#     on both ends after 2 seconds.
#  3. SAs installed with a $lifetime second lifetime carry a ping6 (the
#     capture shows the upper-cased protocol name in both directions),
#     and after $lifetime + 1 seconds "setkey -D" prints nothing while
#     "setkey -D -a" still lists the outbound SA of each end.
#  4. With the "require" policy still in place and the SAs expired, a
#     ping6 must fail with "0 packets received".
#
# NOTE(review): step 4 only checks that ping6 gets no reply; it does not
# inspect the bus capture to confirm nothing left in cleartext.
#
test_ipsec6_lifetime()
{
	local proto=$1
	local algo=$2
	local ip_local=fd00::1
	local ip_peer=fd00::2
	local outfile=./out
	local lifetime=3
	local proto_cap= algo_args= rsock=

	proto_cap=$(echo $proto | tr 'a-z' 'A-Z')
	algo_args="$(generate_algo_args $proto $algo)"

	for rsock in $SOCK_LOCAL $SOCK_PEER; do
		rump_server_crypto_start $rsock netinet6 netipsec
	done
	for rsock in $SOCK_LOCAL $SOCK_PEER; do
		rump_server_add_iface $rsock shmif0 $BUS
	done

	export RUMP_SERVER=$SOCK_LOCAL
	atf_check -s exit:0 rump.sysctl -q -w net.inet6.ip6.dad_count=0
	atf_check -s exit:0 rump.ifconfig shmif0 inet6 $ip_local

	export RUMP_SERVER=$SOCK_PEER
	atf_check -s exit:0 rump.sysctl -q -w net.inet6.ip6.dad_count=0
	atf_check -s exit:0 rump.ifconfig shmif0 inet6 $ip_peer

	# This first extraction is overwritten below before it is read;
	# presumably it only skips what is already on the bus.
	extract_new_packets $BUS > $outfile

	# Baseline: no SA/SP yet, so the echo goes out as plain ICMP6.
	export RUMP_SERVER=$SOCK_LOCAL
	atf_check -s exit:0 -o ignore rump.ping6 -c 1 -n -X 3 $ip_peer

	extract_new_packets $BUS > $outfile
	atf_check -s exit:0 \
	    -o match:"$ip_local > $ip_peer: ICMP6, echo request" \
	    cat $outfile
	atf_check -s exit:0 \
	    -o match:"$ip_peer > $ip_local: ICMP6, echo reply" \
	    cat $outfile

	# Set up SAs with lifetime 1 sec.
	setup_sasp $proto "$algo_args" $ip_local $ip_peer 1

	# Wait for the SAs to be expired
	atf_check -s exit:0 sleep 2

	# Check the SAs have been expired
	for rsock in $SOCK_LOCAL $SOCK_PEER; do
		export RUMP_SERVER=$rsock
		$DEBUG && $HIJACKING setkey -D
		atf_check -s exit:0 -o match:'No SAD entries.' \
		    $HIJACKING setkey -D
	done

	# Clean up SPs
	for rsock in $SOCK_LOCAL $SOCK_PEER; do
		export RUMP_SERVER=$rsock
		atf_check -s exit:0 -o empty $HIJACKING setkey -F -P
	done

	# Set up SAs with lifetime with $lifetime
	setup_sasp $proto "$algo_args" $ip_local $ip_peer $lifetime

	# Use the SAs; this will create a reference from an SP to an SA
	export RUMP_SERVER=$SOCK_LOCAL
	atf_check -s exit:0 -o ignore rump.ping6 -c 1 -n -X 3 $ip_peer

	extract_new_packets $BUS > $outfile
	atf_check -s exit:0 -o match:"$ip_local > $ip_peer: $proto_cap" \
	    cat $outfile
	atf_check -s exit:0 -o match:"$ip_peer > $ip_local: $proto_cap" \
	    cat $outfile

	atf_check -s exit:0 sleep $((lifetime + 1))

	export RUMP_SERVER=$SOCK_LOCAL
	$DEBUG && $HIJACKING setkey -D
	atf_check -s exit:0 -o empty $HIJACKING setkey -D
	# The SA on output remain because sp/isr still refers it
	atf_check -s exit:0 -o match:"$ip_local $ip_peer" \
	    $HIJACKING setkey -D -a
	atf_check -s exit:0 -o not-match:"$ip_peer $ip_local" \
	    $HIJACKING setkey -D -a

	export RUMP_SERVER=$SOCK_PEER
	$DEBUG && $HIJACKING setkey -D
	atf_check -s exit:0 -o empty $HIJACKING setkey -D
	atf_check -s exit:0 -o not-match:"$ip_local $ip_peer" \
	    $HIJACKING setkey -D -a
	# The SA on output remain because sp/isr still refers it
	atf_check -s exit:0 -o match:"$ip_peer $ip_local" \
	    $HIJACKING setkey -D -a

	# Policy still says "require" but no usable SA is left: the ping6
	# has to fail.
	export RUMP_SERVER=$SOCK_LOCAL
	atf_check -s not-exit:0 -o match:'0 packets received' \
	    rump.ping6 -c 1 -n -X 1 $ip_peer

	test_flush_entries $SOCK_LOCAL
	test_flush_entries $SOCK_PEER
}
274
#
# test_lifetime_common ipproto proto algo
#
# Run the lifetime test for one address family: "ipv4" selects the IPv4
# variant, any other value the IPv6 one.
#
test_lifetime_common()
{
	local ipproto=$1
	local proto=$2
	local algo=$3

	[ $ipproto = ipv4 ] || {
		test_ipsec6_lifetime $proto $algo
		return
	}
	test_ipsec4_lifetime $proto $algo
}
287
#
# add_test_lifetime ipproto proto algo
#
# Define and register the ATF test case
# ipsec_lifetime_<ipproto>_<proto>_<algo without dashes>, whose body runs
# test_lifetime_common with the same three arguments.
#
# The head/body/cleanup functions are generated with eval, and the
# arguments are pasted into that code unescaped.  This is only safe while
# every caller passes fixed identifiers; a value containing quotes, "$" or
# ";" would be executed.  $DEBUG is expanded when the functions are
# generated, not when they run.
#
add_test_lifetime()
{
	local ipproto=$1
	local proto=$2
	local algo=$3
	local _algo= name= desc=

	# Dashes are dropped so the algorithm can be part of a function name.
	_algo=$(printf '%s' "$algo" | tr -d '-')
	desc="Tests of lifetime of IPsec ($ipproto) with $proto ($algo)"
	name="ipsec_lifetime_${ipproto}_${proto}_${_algo}"

	atf_test_case "${name}" cleanup
	eval " \
	    ${name}_head() { \
	        atf_set \"descr\" \"$desc\"; \
	        atf_set \"require.progs\" \"rump_server\" \"setkey\"; \
	    }; \
	    ${name}_body() { \
	        test_lifetime_common $ipproto $proto $algo; \
	        rump_server_destroy_ifaces; \
	    }; \
	    ${name}_cleanup() { \
	        $DEBUG && dump; \
	        cleanup; \
	    } \
	"
	atf_add_test_case "${name}"
}
316
#
# test_update proto algo update
#
# Install SAs and SPs (lifetime 100 seconds) on both rump kernels, with
# the extra "update" (update=sa) or "spdupdate" (update=sp) statements
# issued by setup_sasp, then check that a ping between 10.0.0.1 and
# 10.0.0.2 still shows up on the bus as the upper-cased protocol name in
# both directions.
#
test_update()
{
	local proto=$1
	local algo=$2
	local update=$3
	local ip_local=10.0.0.1
	local ip_peer=10.0.0.2
	local outfile=./out
	local algo_args= proto_cap= rsock=

	algo_args="$(generate_algo_args $proto $algo)"
	proto_cap=$(echo $proto | tr 'a-z' 'A-Z')

	for rsock in $SOCK_LOCAL $SOCK_PEER; do
		rump_server_crypto_start $rsock netipsec
	done
	for rsock in $SOCK_LOCAL $SOCK_PEER; do
		rump_server_add_iface $rsock shmif0 $BUS
	done

	export RUMP_SERVER=$SOCK_LOCAL
	atf_check -s exit:0 rump.sysctl -q -w net.inet.ip.dad_count=0
	atf_check -s exit:0 rump.ifconfig shmif0 $ip_local/24

	export RUMP_SERVER=$SOCK_PEER
	atf_check -s exit:0 rump.sysctl -q -w net.inet.ip.dad_count=0
	atf_check -s exit:0 rump.ifconfig shmif0 $ip_peer/24

	setup_sasp $proto "$algo_args" $ip_local $ip_peer 100 $update

	# This extraction is overwritten below before it is read;
	# presumably it only skips what is already on the bus.
	extract_new_packets $BUS > $outfile

	export RUMP_SERVER=$SOCK_LOCAL
	atf_check -s exit:0 -o ignore rump.ping -c 1 -n -w 3 $ip_peer

	# Both directions must be carried by $proto, not plain ICMP.
	extract_new_packets $BUS > $outfile
	atf_check -s exit:0 -o match:"$ip_local > $ip_peer: $proto_cap" \
	    cat $outfile
	atf_check -s exit:0 -o match:"$ip_peer > $ip_local: $proto_cap" \
	    cat $outfile
}
354
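#
# add_test_update proto algo update
#
# Define and register the ATF test case
# ipsec_update_<update>_<proto>_<algo without dashes>, whose body runs
# test_update with the same three arguments.  update is "sa" or "sp".
#
# The head/body/cleanup functions are generated with eval, and the
# arguments are pasted into that code unescaped.  This is only safe while
# every caller passes fixed identifiers; a value containing quotes, "$" or
# ";" would be executed.  $DEBUG is expanded when the functions are
# generated, not when they run.
#
add_test_update()
{
	local proto=$1
	local algo=$2
	local update=$3
	local _update= _algo= name= desc=

	# Declared and assigned separately so a failing pipeline is not
	# hidden behind the exit status of "local".
	_update=$(echo $update | tr 'a-z' 'A-Z')
	# Dashes are dropped so the algorithm can be part of a function name.
	_algo=$(echo $algo | sed 's/-//g')

	# The description used to read "udpate"; the test name is unchanged.
	desc="Tests trying to update $_update of $proto ($algo)"
	name="ipsec_update_${update}_${proto}_${_algo}"

	atf_test_case ${name} cleanup
	eval " \
	    ${name}_head() { \
	        atf_set \"descr\" \"$desc\"; \
	        atf_set \"require.progs\" \"rump_server\" \"setkey\"; \
	    }; \
	    ${name}_body() { \
	        test_update $proto $algo $update; \
	        rump_server_destroy_ifaces; \
	    }; \
	    ${name}_cleanup() { \
	        $DEBUG && dump; \
	        cleanup; \
	    } \
	"
	atf_add_test_case ${name}
}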
384
#
# add_sa proto algo_args ip_local ip_peer lifetime spi
#
# Add one more pair of manually keyed SAs to both rump kernels through
# "setkey -c": SPI spi for local->peer and spi + 1 for peer->local.
# lifetime (seconds) is used for both the hard (-lh) and soft (-ls)
# lifetime.  No policy is touched.  Both kernels receive the same script,
# which ends with an empty line.
# RUMP_SERVER is left pointing at $SOCK_PEER on return.
#
add_sa()
{
	local proto=$1
	local algo_args="$2"
	local ip_local=$3
	local ip_peer=$4
	local lifetime=$5
	local spi=$6
	local tmpfile=./tmp
	local rsock=

	for rsock in $SOCK_LOCAL $SOCK_PEER; do
		export RUMP_SERVER=$rsock
		printf '%s\n' \
		    "add $ip_local $ip_peer $proto $((spi)) -lh $lifetime -ls $lifetime $algo_args;" \
		    "add $ip_peer $ip_local $proto $((spi + 1)) -lh $lifetime -ls $lifetime $algo_args;" \
		    "" > $tmpfile
		# With DEBUG on, the script (key material included) is
		# printed to the test output.
		$DEBUG && cat $tmpfile
		atf_check -s exit:0 -o empty $HIJACKING setkey -c < $tmpfile
		$DEBUG && $HIJACKING setkey -D
		# XXX it can be expired if $lifetime is very short
		#check_sa_entries $rsock $ip_local $ip_peer
	done
}
420
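#
# check_packet_spi outfile ip_local ip_peer proto spi
#
# Assert that the capture in outfile contains a packet from ip_local to
# ip_peer carrying SPI spi, and one from ip_peer to ip_local carrying
# spi + 1.
#
#   proto  protocol label as it appears in the capture; the callers in
#          this file pass the upper-cased protocol name
#   spi    decimal SPI of the local->peer SA
#
# The label is taken from the proto argument.  Earlier the patterns used
# $proto_cap, which is not a variable of this function and only resolved
# because the caller happened to have a local of that name.
#
check_packet_spi()
{
	local outfile=$1
	local ip_local=$2
	local ip_peer=$3
	local proto=$4
	local spi=$5
	local spistr=

	$DEBUG && cat $outfile
	# The patterns expect the SPI as 8 zero-padded hex digits.
	spistr=$(printf "%08x" $spi)
	atf_check -s exit:0 \
	    -o match:"$ip_local > $ip_peer: $proto\(spi=0x$spistr," \
	    cat $outfile
	spistr=$(printf "%08x" $((spi + 1)))
	atf_check -s exit:0 \
	    -o match:"$ip_peer > $ip_local: $proto\(spi=0x$spistr," \
	    cat $outfile
}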
440
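#
# wait_sa_disappeared spi
#
# Poll "setkey -D" once a second, up to 10 times, first on the local rump
# kernel and then on the peer, until no line contains "spi=<spi>".  Fails
# the test case if the SA is still listed after the 10th check.
#
# Whether the SA went away is tracked with a flag.  The loop counter
# cannot be used for that: it is also 10 when the SA disappears on the
# last check, which used to be reported as a timeout.
#
# NOTE(review): the grep is a prefix match, so "spi=1001" would also match
# "spi=10010".  The callers in this file pass SPIs of equal length.
#
# RUMP_SERVER is left pointing at $SOCK_PEER on return.
#
wait_sa_disappeared()
{
	local spi=$1
	local rsock= i= gone=

	for rsock in "$SOCK_LOCAL" "$SOCK_PEER"; do
		export RUMP_SERVER=$rsock
		gone=false
		for i in $(seq 1 10); do
			if ! $HIJACKING setkey -D | grep -q "spi=$spi"; then
				gone=true
				break
			fi
			sleep 1
		done
		if ! $gone; then
			atf_fail "SA (spi=$spi) didn't disappear in 10s"
		fi
	done
}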
465
#
# test_spi proto algo preferred
#
# Check which SA is used for outbound traffic when several SAs with
# different SPIs exist for the same address pair (10.0.0.1 <-> 10.0.0.2).
#
#   preferred  "old": net.key.prefered_oldsa is set to 1 on both kernels
#              and SPI 10000 is expected throughout;
#              anything else: the most recently added live SA is expected
#
# Sequence: install the base SAs (SPI 10000/10001, lifetime 100 s), then
# add SPI 10010 (lifetime 6 s) and SPI 10020 (lifetime 3 s).  After each
# step, and after each of the two short-lived SAs has disappeared, one
# ping is sent and the SPIs seen on the bus are checked.
#
# proto_cap keeps its name on purpose so it stays visible under that name
# to the functions called from here.
#
test_spi()
{
	local proto=$1
	local algo=$2
	local preferred=$3
	local ip_local=10.0.0.1
	local ip_peer=10.0.0.2
	local outfile=./out
	local spistr=
	local algo_args= proto_cap= rsock= expect=

	algo_args="$(generate_algo_args $proto $algo)"
	proto_cap=$(echo $proto | tr 'a-z' 'A-Z')

	for rsock in $SOCK_LOCAL $SOCK_PEER; do
		rump_server_crypto_start $rsock netipsec
	done
	for rsock in $SOCK_LOCAL $SOCK_PEER; do
		rump_server_add_iface $rsock shmif0 $BUS
	done

	export RUMP_SERVER=$SOCK_LOCAL
	atf_check -s exit:0 rump.sysctl -q -w net.inet.ip.dad_count=0
	atf_check -s exit:0 rump.ifconfig shmif0 $ip_local/24
	if [ $preferred = old ]; then
		atf_check -s exit:0 rump.sysctl -q -w net.key.prefered_oldsa=1
	fi

	export RUMP_SERVER=$SOCK_PEER
	atf_check -s exit:0 rump.sysctl -q -w net.inet.ip.dad_count=0
	atf_check -s exit:0 rump.ifconfig shmif0 $ip_peer/24
	if [ $preferred = old ]; then
		atf_check -s exit:0 rump.sysctl -q -w net.key.prefered_oldsa=1
	fi

	setup_sasp $proto "$algo_args" $ip_local $ip_peer 100

	# This extraction is overwritten below before it is read;
	# presumably it only skips what is already on the bus.
	extract_new_packets $BUS > $outfile

	# Only the base SAs exist.
	export RUMP_SERVER=$SOCK_LOCAL
	atf_check -s exit:0 -o ignore rump.ping -c 1 -n -w 3 $ip_peer
	extract_new_packets $BUS > $outfile
	check_packet_spi $outfile $ip_local $ip_peer $proto_cap 10000

	# Add a new SA with a different SPI
	add_sa $proto "$algo_args" $ip_local $ip_peer 6 10010

	export RUMP_SERVER=$SOCK_LOCAL
	atf_check -s exit:0 -o ignore rump.ping -c 1 -n -w 3 $ip_peer
	extract_new_packets $BUS > $outfile
	if [ $preferred = old ]; then
		expect=10000
	else
		# The new SA is preferred
		expect=10010
	fi
	check_packet_spi $outfile $ip_local $ip_peer $proto_cap $expect

	# Add another SA with a different SPI
	add_sa $proto "$algo_args" $ip_local $ip_peer 3 10020

	export RUMP_SERVER=$SOCK_LOCAL
	atf_check -s exit:0 -o ignore rump.ping -c 1 -n -w 3 $ip_peer
	extract_new_packets $BUS > $outfile
	if [ $preferred = old ]; then
		expect=10000
	else
		# The newest SA is preferred
		expect=10020
	fi
	check_packet_spi $outfile $ip_local $ip_peer $proto_cap $expect

	wait_sa_disappeared 10020

	export RUMP_SERVER=$SOCK_LOCAL
	atf_check -s exit:0 -o ignore rump.ping -c 1 -n -w 3 $ip_peer
	extract_new_packets $BUS > $outfile
	if [ $preferred = old ]; then
		expect=10000
	else
		# The newest one is removed and the second one is used
		expect=10010
	fi
	check_packet_spi $outfile $ip_local $ip_peer $proto_cap $expect

	wait_sa_disappeared 10010

	export RUMP_SERVER=$SOCK_LOCAL
	atf_check -s exit:0 -o ignore rump.ping -c 1 -n -w 3 $ip_peer
	extract_new_packets $BUS > $outfile
	if [ $preferred = old ]; then
		expect=10000
	else
		# The second one is removed and the original one is used
		expect=10000
	fi
	check_packet_spi $outfile $ip_local $ip_peer $proto_cap $expect
}
556
#
# add_test_spi proto algo preferred
#
# Define and register the ATF test case
# ipsec_spi_<proto>_<algo without dashes>_preferred_<preferred>, whose
# body runs test_spi with the same three arguments.
#
# The head/body/cleanup functions are generated with eval, and the
# arguments are pasted into that code unescaped.  This is only safe while
# every caller passes fixed identifiers; a value containing quotes, "$" or
# ";" would be executed.  $DEBUG is expanded when the functions are
# generated, not when they run.
#
add_test_spi()
{
	local proto=$1
	local algo=$2
	local preferred=$3
	local _algo= name= desc=

	# Dashes are dropped so the algorithm can be part of a function name.
	_algo=$(printf '%s' "$algo" | tr -d '-')
	name="ipsec_spi_${proto}_${_algo}_preferred_${preferred}"
	desc="Tests SAs with different SPIs of $proto ($algo) ($preferred SA preferred)"

	atf_test_case "${name}" cleanup
	eval " \
	    ${name}_head() { \
	        atf_set \"descr\" \"$desc\"; \
	        atf_set \"require.progs\" \"rump_server\" \"setkey\"; \
	    }; \
	    ${name}_body() { \
	        test_spi $proto $algo $preferred; \
	        rump_server_destroy_ifaces; \
	    }; \
	    ${name}_cleanup() { \
	        $DEBUG && dump; \
	        cleanup; \
	    } \
	"
	atf_add_test_case "${name}"
}
585
#
# atf_init_test_cases
#
# Register the lifetime (IPv4 and IPv6), update (sa and sp) and SPI
# preference (new and old) test cases for every algorithm in
# $ESP_ENCRYPTION_ALGORITHMS_MINIMUM, then for every algorithm in
# $AH_AUTHENTICATION_ALGORITHMS_MINIMUM.  Both lists are defined outside
# this file and are split on whitespace.  Their entries end up inside
# eval'ed code in the add_test_* helpers, so they must stay plain
# identifiers.
#
atf_init_test_cases()
{
	local algo= ipsec_proto= algos=

	for ipsec_proto in esp ah; do
		case $ipsec_proto in
		esp)
			algos=$ESP_ENCRYPTION_ALGORITHMS_MINIMUM
			;;
		ah)
			algos=$AH_AUTHENTICATION_ALGORITHMS_MINIMUM
			;;
		esac

		for algo in $algos; do
			add_test_lifetime ipv4 $ipsec_proto $algo
			add_test_lifetime ipv6 $ipsec_proto $algo
			add_test_update $ipsec_proto $algo sa
			add_test_update $ipsec_proto $algo sp
			add_test_spi $ipsec_proto $algo new
			add_test_spi $ipsec_proto $algo old
		done
	done
}
607