t_ipsec_misc.sh revision 1.13 1 # $NetBSD: t_ipsec_misc.sh,v 1.13 2017/07/19 02:06:47 ozaki-r Exp $
2 #
3 # Copyright (c) 2017 Internet Initiative Japan Inc.
4 # All rights reserved.
5 #
6 # Redistribution and use in source and binary forms, with or without
7 # modification, are permitted provided that the following conditions
8 # are met:
9 # 1. Redistributions of source code must retain the above copyright
10 # notice, this list of conditions and the following disclaimer.
11 # 2. Redistributions in binary form must reproduce the above copyright
12 # notice, this list of conditions and the following disclaimer in the
13 # documentation and/or other materials provided with the distribution.
14 #
15 # THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
16 # ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
17 # TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
18 # PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
19 # BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
20 # CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
21 # SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
22 # INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
23 # CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
24 # ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
25 # POSSIBILITY OF SUCH DAMAGE.
26 #
27
# Rump server sockets for the two IPsec endpoints and the shmif bus that
# joins their shmif0 interfaces.  RUMP_SERVER is switched between the two
# sockets throughout this file.
SOCK_LOCAL=unix://ipsec_local
SOCK_PEER=unix://ipsec_peer
BUS=./bus_ipsec

# DEBUG is used as a command ("$DEBUG && ...") in front of diagnostic dumps;
# set DEBUG=false in the environment to silence them.
DEBUG=${DEBUG:-true}
33
#
# Install the base SA pair (SPI 10000/10001) and a transport-mode outbound
# SP on both rump servers, optionally followed by an update of them.
#
# Arguments: $1 - IPsec protocol (esp or ah)
#            $2 - algorithm arguments for setkey, passed as one string
#            $3 - local address, $4 - peer address
#            $5 - hard and soft lifetime (seconds) of the SAs
#            $6 - optional: "sa" appends an update of both SAs, "sp" appends a
#                 spdupdate of the outbound SP; anything else appends nothing
# Globals:   SOCK_LOCAL, SOCK_PEER, DEBUG, HIJACKING (read);
#            RUMP_SERVER (exported, left pointing at SOCK_PEER on return)
# Side effects: overwrites ./tmp with the generated setkey script
#
setup_sasp()
{
	local proto=$1
	local algo_args="$2"
	local ip_local=$3
	local ip_peer=$4
	local lifetime=$5
	local update=$6
	local script=./tmp
	local sa_out="add $ip_local $ip_peer $proto 10000 -lh $lifetime -ls $lifetime $algo_args;"
	local sa_in="add $ip_peer $ip_local $proto 10001 -lh $lifetime -ls $lifetime $algo_args;"
	local extra=

	case "$update" in
	sa)
		extra="update $ip_local $ip_peer $proto 10000 $algo_args;
update $ip_peer $ip_local $proto 10001 $algo_args;"
		;;
	sp)
		extra="spdupdate $ip_local $ip_peer any -P out ipsec $proto/transport//require;"
		;;
	esac

	# Local side: the outbound SP goes from ip_local to ip_peer.
	export RUMP_SERVER=$SOCK_LOCAL
	printf '%s\n' "$sa_out" "$sa_in" \
	    "spdadd $ip_local $ip_peer any -P out ipsec $proto/transport//require;" \
	    "$extra" > "$script"
	$DEBUG && cat "$script"
	# HIJACKING is set outside this file and is left unquoted on purpose:
	# it may expand to several words.
	atf_check -s exit:0 -o empty $HIJACKING setkey -c < "$script"
	# XXX it can be expired if $lifetime is very short
	#check_sa_entries $SOCK_LOCAL $ip_local $ip_peer

	# Peer side: same SAs, but the outbound SP (and its spdupdate) is
	# the reverse direction.
	if [ "$update" = sp ]; then
		extra="spdupdate $ip_peer $ip_local any -P out ipsec $proto/transport//require;"
	fi
	export RUMP_SERVER=$SOCK_PEER
	printf '%s\n' "$sa_out" "$sa_in" \
	    "spdadd $ip_peer $ip_local any -P out ipsec $proto/transport//require;" \
	    "$extra" > "$script"
	$DEBUG && cat "$script"
	atf_check -s exit:0 -o empty $HIJACKING setkey -c < "$script"
	# XXX it can be expired if $lifetime is very short
	#check_sa_entries $SOCK_PEER $ip_local $ip_peer
}
80
#
# SA lifetime test over IPv4 between SOCK_LOCAL and SOCK_PEER.
#
# Arguments: $1 - IPsec protocol (esp or ah); its upper-cased form is what
#                 the captured packets are matched against
#            $2 - algorithm name handed to generate_algo_args
# Globals:   SOCK_LOCAL, SOCK_PEER, BUS, DEBUG, HIJACKING (read);
#            RUMP_SERVER (exported, switched between the two servers)
#
# Sequence: a plain ping works; SAs with a 1s lifetime expire by themselves;
# SAs with a ${lifetime}s lifetime carry a ping, and after expiry only the
# outbound SA still referenced from an SP survives and the ping fails.
#
test_ipsec4_lifetime()
{
	local proto=$1
	local algo=$2
	local ip_local=10.0.0.1
	local ip_peer=10.0.0.2
	local outfile=./out
	local proto_cap=$(echo $proto | tr 'a-z' 'A-Z')
	local algo_args="$(generate_algo_args $proto $algo)"
	local lifetime=3

	rump_server_crypto_start $SOCK_LOCAL netipsec
	rump_server_crypto_start $SOCK_PEER netipsec
	rump_server_add_iface $SOCK_LOCAL shmif0 $BUS
	rump_server_add_iface $SOCK_PEER shmif0 $BUS

	# Turn off DAD (dad_count=0) before assigning the addresses.
	export RUMP_SERVER=$SOCK_LOCAL
	atf_check -s exit:0 rump.sysctl -q -w net.inet.ip.dad_count=0
	atf_check -s exit:0 rump.ifconfig shmif0 $ip_local/24
	#atf_check -s exit:0 -o ignore rump.sysctl -w net.key.debug=0xff

	export RUMP_SERVER=$SOCK_PEER
	atf_check -s exit:0 rump.sysctl -q -w net.inet.ip.dad_count=0
	atf_check -s exit:0 rump.ifconfig shmif0 $ip_peer/24
	#atf_check -s exit:0 -o ignore rump.sysctl -w net.key.debug=0xff

	# Consume whatever is on the bus so far; the next capture then holds
	# only the ping (extract_new_packets is defined outside this file).
	extract_new_packets $BUS > $outfile

	# Without any SA/SP the ping must go through as plain ICMP.
	export RUMP_SERVER=$SOCK_LOCAL
	atf_check -s exit:0 -o ignore rump.ping -c 1 -n -w 3 $ip_peer

	extract_new_packets $BUS > $outfile
	atf_check -s exit:0 -o match:"$ip_local > $ip_peer: ICMP echo request" \
	    cat $outfile
	atf_check -s exit:0 -o match:"$ip_peer > $ip_local: ICMP echo reply" \
	    cat $outfile

	# Set up SAs with lifetime 1 sec.
	setup_sasp $proto "$algo_args" $ip_local $ip_peer 1

	# Wait for the SAs to be expired
	atf_check -s exit:0 sleep 2

	# Check the SAs have been expired
	export RUMP_SERVER=$SOCK_LOCAL
	$DEBUG && $HIJACKING setkey -D
	atf_check -s exit:0 -o match:'No SAD entries.' $HIJACKING setkey -D
	export RUMP_SERVER=$SOCK_PEER
	$DEBUG && $HIJACKING setkey -D
	atf_check -s exit:0 -o match:'No SAD entries.' $HIJACKING setkey -D

	# Clean up SPs (setkey -F -P flushes the SPD only)
	export RUMP_SERVER=$SOCK_LOCAL
	atf_check -s exit:0 -o empty $HIJACKING setkey -F -P
	export RUMP_SERVER=$SOCK_PEER
	atf_check -s exit:0 -o empty $HIJACKING setkey -F -P

	# Set up SAs with lifetime with $lifetime
	setup_sasp $proto "$algo_args" $ip_local $ip_peer $lifetime

	# Use the SAs; this will create a reference from an SP to an SA
	export RUMP_SERVER=$SOCK_LOCAL
	atf_check -s exit:0 -o ignore rump.ping -c 1 -n -w 3 $ip_peer

	# Both directions must now be protected, i.e. show up as ESP/AH.
	extract_new_packets $BUS > $outfile
	atf_check -s exit:0 -o match:"$ip_local > $ip_peer: $proto_cap" \
	    cat $outfile
	atf_check -s exit:0 -o match:"$ip_peer > $ip_local: $proto_cap" \
	    cat $outfile

	# One second past the lifetime both SAs should have expired.
	atf_check -s exit:0 sleep $((lifetime + 1))

	# "setkey -D" lists only live SAs; "-D -a" includes dead ones too.
	export RUMP_SERVER=$SOCK_LOCAL
	$DEBUG && $HIJACKING setkey -D
	atf_check -s exit:0 -o empty $HIJACKING setkey -D
	# The SA on output remain because sp/isr still refers it
	atf_check -s exit:0 -o match:"$ip_local $ip_peer" \
	    $HIJACKING setkey -D -a
	atf_check -s exit:0 -o not-match:"$ip_peer $ip_local" \
	    $HIJACKING setkey -D -a

	export RUMP_SERVER=$SOCK_PEER
	$DEBUG && $HIJACKING setkey -D
	atf_check -s exit:0 -o empty $HIJACKING setkey -D
	atf_check -s exit:0 -o not-match:"$ip_local $ip_peer" \
	    $HIJACKING setkey -D -a
	# The SA on output remain because sp/isr still refers it
	atf_check -s exit:0 -o match:"$ip_peer $ip_local" \
	    $HIJACKING setkey -D -a

	# With the SPs still requiring IPsec and no usable SA, the ping must
	# fail rather than fall back to plain text.
	export RUMP_SERVER=$SOCK_LOCAL
	atf_check -s not-exit:0 -o match:'0 packets received' \
	    rump.ping -c 1 -n -w 1 $ip_peer

	test_flush_entries $SOCK_LOCAL
	test_flush_entries $SOCK_PEER
}
178
#
# SA lifetime test over IPv6; the IPv6 twin of test_ipsec4_lifetime.
#
# Arguments: $1 - IPsec protocol (esp or ah); its upper-cased form is what
#                 the captured packets are matched against
#            $2 - algorithm name handed to generate_algo_args
# Globals:   SOCK_LOCAL, SOCK_PEER, BUS, DEBUG, HIJACKING (read);
#            RUMP_SERVER (exported, switched between the two servers)
#
# Sequence: a plain ping6 works; SAs with a 1s lifetime expire by themselves;
# SAs with a ${lifetime}s lifetime carry a ping6, and after expiry only the
# outbound SA still referenced from an SP survives and the ping6 fails.
#
test_ipsec6_lifetime()
{
	local proto=$1
	local algo=$2
	local ip_local=fd00::1
	local ip_peer=fd00::2
	local outfile=./out
	local proto_cap=$(echo $proto | tr 'a-z' 'A-Z')
	local algo_args="$(generate_algo_args $proto $algo)"
	local lifetime=3

	# netinet6 is needed in addition to netipsec for the IPv6 stack.
	rump_server_crypto_start $SOCK_LOCAL netinet6 netipsec
	rump_server_crypto_start $SOCK_PEER netinet6 netipsec
	rump_server_add_iface $SOCK_LOCAL shmif0 $BUS
	rump_server_add_iface $SOCK_PEER shmif0 $BUS

	# Turn off DAD (dad_count=0) before assigning the addresses.
	export RUMP_SERVER=$SOCK_LOCAL
	atf_check -s exit:0 rump.sysctl -q -w net.inet6.ip6.dad_count=0
	atf_check -s exit:0 rump.ifconfig shmif0 inet6 $ip_local

	export RUMP_SERVER=$SOCK_PEER
	atf_check -s exit:0 rump.sysctl -q -w net.inet6.ip6.dad_count=0
	atf_check -s exit:0 rump.ifconfig shmif0 inet6 $ip_peer

	# Consume whatever is on the bus so far; the next capture then holds
	# only the ping (extract_new_packets is defined outside this file).
	extract_new_packets $BUS > $outfile

	# Without any SA/SP the ping must go through as plain ICMP6.
	export RUMP_SERVER=$SOCK_LOCAL
	atf_check -s exit:0 -o ignore rump.ping6 -c 1 -n -X 3 $ip_peer

	extract_new_packets $BUS > $outfile
	atf_check -s exit:0 -o match:"$ip_local > $ip_peer: ICMP6, echo request" \
	    cat $outfile
	atf_check -s exit:0 -o match:"$ip_peer > $ip_local: ICMP6, echo reply" \
	    cat $outfile

	# Set up SAs with lifetime 1 sec.
	setup_sasp $proto "$algo_args" $ip_local $ip_peer 1

	# Wait for the SAs to be expired
	atf_check -s exit:0 sleep 2

	# Check the SAs have been expired
	export RUMP_SERVER=$SOCK_LOCAL
	$DEBUG && $HIJACKING setkey -D
	atf_check -s exit:0 -o match:'No SAD entries.' $HIJACKING setkey -D
	export RUMP_SERVER=$SOCK_PEER
	$DEBUG && $HIJACKING setkey -D
	atf_check -s exit:0 -o match:'No SAD entries.' $HIJACKING setkey -D

	# Clean up SPs (setkey -F -P flushes the SPD only)
	export RUMP_SERVER=$SOCK_LOCAL
	atf_check -s exit:0 -o empty $HIJACKING setkey -F -P
	export RUMP_SERVER=$SOCK_PEER
	atf_check -s exit:0 -o empty $HIJACKING setkey -F -P

	# Set up SAs with lifetime with $lifetime
	setup_sasp $proto "$algo_args" $ip_local $ip_peer $lifetime

	# Use the SAs; this will create a reference from an SP to an SA
	export RUMP_SERVER=$SOCK_LOCAL
	atf_check -s exit:0 -o ignore rump.ping6 -c 1 -n -X 3 $ip_peer

	# Both directions must now be protected, i.e. show up as ESP/AH.
	extract_new_packets $BUS > $outfile
	atf_check -s exit:0 -o match:"$ip_local > $ip_peer: $proto_cap" \
	    cat $outfile
	atf_check -s exit:0 -o match:"$ip_peer > $ip_local: $proto_cap" \
	    cat $outfile

	# One second past the lifetime both SAs should have expired.
	atf_check -s exit:0 sleep $((lifetime + 1))

	# "setkey -D" lists only live SAs; "-D -a" includes dead ones too.
	export RUMP_SERVER=$SOCK_LOCAL
	$DEBUG && $HIJACKING setkey -D
	atf_check -s exit:0 -o empty $HIJACKING setkey -D
	# The SA on output remain because sp/isr still refers it
	atf_check -s exit:0 -o match:"$ip_local $ip_peer" \
	    $HIJACKING setkey -D -a
	atf_check -s exit:0 -o not-match:"$ip_peer $ip_local" \
	    $HIJACKING setkey -D -a

	export RUMP_SERVER=$SOCK_PEER
	$DEBUG && $HIJACKING setkey -D
	atf_check -s exit:0 -o empty $HIJACKING setkey -D
	atf_check -s exit:0 -o not-match:"$ip_local $ip_peer" \
	    $HIJACKING setkey -D -a
	# The SA on output remain because sp/isr still refers it
	atf_check -s exit:0 -o match:"$ip_peer $ip_local" \
	    $HIJACKING setkey -D -a

	# With the SPs still requiring IPsec and no usable SA, the ping must
	# fail rather than fall back to plain text.
	export RUMP_SERVER=$SOCK_LOCAL
	atf_check -s not-exit:0 -o match:'0 packets received' \
	    rump.ping6 -c 1 -n -X 1 $ip_peer

	test_flush_entries $SOCK_LOCAL
	test_flush_entries $SOCK_PEER
}
274
#
# Dispatch a lifetime test to its IPv4 or IPv6 implementation.
#
# Arguments: $1 - "ipv4" selects test_ipsec4_lifetime; any other value
#                 selects test_ipsec6_lifetime
#            $2 - IPsec protocol (esp or ah)
#            $3 - algorithm name
#
test_lifetime_common()
{
	local ipproto=$1
	local proto=$2
	local algo=$3

	case "$ipproto" in
	ipv4)
		test_ipsec4_lifetime $proto $algo
		;;
	*)
		test_ipsec6_lifetime $proto $algo
		;;
	esac
}
287
#
# Register one ATF test case ipsec_lifetime_<ipproto>_<proto>_<algo>.
#
# Arguments: $1 - ipv4 or ipv6
#            $2 - IPsec protocol (esp or ah)
#            $3 - algorithm name; dashes are dropped for the case name
# Globals:   DEBUG (read; its value is baked into the cleanup function)
#
# The head/body/cleanup functions ATF expects are generated with eval, so
# the arguments must be plain tokens; they come from atf_init_test_cases and
# the algorithm lists defined outside this file.
#
add_test_lifetime()
{
	local ipproto=$1
	local proto=$2
	local algo=$3
	local _algo=$(printf '%s' "$algo" | tr -d '-')
	local name="ipsec_lifetime_${ipproto}_${proto}_${_algo}"
	local desc="Tests of lifetime of IPsec ($ipproto) with $proto ($algo)"

	atf_test_case ${name} cleanup
	eval "
	${name}_head() {
		atf_set \"descr\" \"$desc\"
		atf_set \"require.progs\" \"rump_server\" \"setkey\"
	}
	${name}_body() {
		test_lifetime_common $ipproto $proto $algo
		rump_server_destroy_ifaces
	}
	${name}_cleanup() {
		$DEBUG && dump
		cleanup
	}
	"
	atf_add_test_case ${name}
}
316
#
# Helper for test_update: give one server an IPv4 address on shmif0.
#
# Arguments: $1 - rump server socket, $2 - IPv4 address (configured as /24)
# Side effects: exports RUMP_SERVER=$1 and leaves it set
#
_test_update_setup_node()
{
	local server=$1
	local addr=$2

	export RUMP_SERVER=$server
	# dad_count=0 turns off duplicate address detection
	atf_check -s exit:0 rump.sysctl -q -w net.inet.ip.dad_count=0
	atf_check -s exit:0 rump.ifconfig shmif0 $addr/24
}

#
# Check that traffic still flows after the SAs or the SP were updated.
#
# Arguments: $1 - IPsec protocol (esp or ah)
#            $2 - algorithm name handed to generate_algo_args
#            $3 - what setup_sasp updates after adding: "sa" or "sp"
# Globals:   SOCK_LOCAL, SOCK_PEER, BUS (read); RUMP_SERVER (exported)
#
test_update()
{
	local proto=$1
	local algo=$2
	local update=$3
	local ip_local=10.0.0.1
	local ip_peer=10.0.0.2
	local algo_args="$(generate_algo_args $proto $algo)"
	local proto_cap=$(printf '%s' "$proto" | tr 'a-z' 'A-Z')
	local pkts=./out
	local server=

	for server in $SOCK_LOCAL $SOCK_PEER; do
		rump_server_crypto_start $server netipsec
	done
	for server in $SOCK_LOCAL $SOCK_PEER; do
		rump_server_add_iface $server shmif0 $BUS
	done

	_test_update_setup_node $SOCK_LOCAL $ip_local
	_test_update_setup_node $SOCK_PEER $ip_peer

	# 100s lifetime: long compared with the single ping below, so only
	# the update itself is being exercised.
	setup_sasp $proto "$algo_args" $ip_local $ip_peer 100 $update

	# Consume whatever is on the bus so far; the next capture then holds
	# only the ping (extract_new_packets is defined outside this file).
	extract_new_packets $BUS > $pkts

	export RUMP_SERVER=$SOCK_LOCAL
	atf_check -s exit:0 -o ignore rump.ping -c 1 -n -w 3 $ip_peer

	# Both directions must be protected, i.e. show up as ESP/AH.
	extract_new_packets $BUS > $pkts
	atf_check -s exit:0 -o match:"$ip_local > $ip_peer: $proto_cap" \
	    cat $pkts
	atf_check -s exit:0 -o match:"$ip_peer > $ip_local: $proto_cap" \
	    cat $pkts
}
354
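#
# Register one ATF test case ipsec_update_<update>_<proto>_<algo>.
#
# Arguments: $1 - IPsec protocol (esp or ah)
#            $2 - algorithm name; dashes are dropped for the case name
#            $3 - "sa" or "sp": what test_update asks setup_sasp to update
# Globals:   DEBUG (read; its value is baked into the cleanup function)
#
# The head/body/cleanup functions ATF expects are generated with eval, so
# the arguments must be plain tokens; they come from atf_init_test_cases and
# the algorithm lists defined outside this file.
#
add_test_update()
{
	local proto=$1
	local algo=$2
	local update=$3
	local _update=$(printf '%s' "$update" | tr 'a-z' 'A-Z')
	local _algo=$(printf '%s' "$algo" | tr -d '-')
	local name="ipsec_update_${update}_${proto}_${_algo}"
	# "update" was misspelled "udpate" in the description
	local desc="Tests trying to update $_update of $proto ($algo)"

	atf_test_case ${name} cleanup
	eval "
	${name}_head() {
		atf_set \"descr\" \"$desc\"
		atf_set \"require.progs\" \"rump_server\" \"setkey\"
	}
	${name}_body() {
		test_update $proto $algo $update
		rump_server_destroy_ifaces
	}
	${name}_cleanup() {
		$DEBUG && dump
		cleanup
	}
	"
	atf_add_test_case ${name}
}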
384
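#
# Add one extra SA pair (SPI spi and spi+1) on both rump servers.
#
# Arguments: $1 - IPsec protocol (esp or ah)
#            $2 - algorithm arguments for setkey, passed as one string
#            $3 - local address, $4 - peer address
#            $5 - hard and soft lifetime (seconds) of the SAs
#            $6 - SPI of the local->peer SA; the peer->local SA gets spi+1
# Globals:   SOCK_LOCAL, SOCK_PEER, DEBUG, HIJACKING (read);
#            RUMP_SERVER (exported, left pointing at SOCK_PEER on return)
# Side effects: overwrites ./tmp with the generated setkey script
#
add_sa()
{
	local proto=$1
	local algo_args="$2"
	local ip_local=$3
	local ip_peer=$4
	local lifetime=$5
	local spi=$6
	local tmpfile=./tmp
	local server=

	# Both servers get the same two SAs; only RUMP_SERVER differs.
	# (The former unused "extra" variable only added a blank line.)
	for server in $SOCK_LOCAL $SOCK_PEER; do
		export RUMP_SERVER=$server
		# $((spi)) renders the SPI as a decimal number for setkey
		printf '%s\n' \
		    "add $ip_local $ip_peer $proto $((spi)) -lh $lifetime -ls $lifetime $algo_args;" \
		    "add $ip_peer $ip_local $proto $((spi + 1)) -lh $lifetime -ls $lifetime $algo_args;" \
		    > "$tmpfile"
		$DEBUG && cat "$tmpfile"
		# HIJACKING is set outside this file and is left unquoted on
		# purpose: it may expand to several words.
		atf_check -s exit:0 -o empty $HIJACKING setkey -c < "$tmpfile"
		$DEBUG && $HIJACKING setkey -D
		# XXX it can be expired if $lifetime is very short
		#check_sa_entries $server $ip_local $ip_peer
	done
}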
420
#
# Delete one SA pair (SPI spi and spi+1) on both rump servers.
#
# Arguments: $1 - IPsec protocol (esp or ah)
#            $2 - local address, $3 - peer address
#            $4 - SPI of the local->peer SA; the peer->local SA is spi+1
# Globals:   SOCK_LOCAL, SOCK_PEER, DEBUG, HIJACKING (read);
#            RUMP_SERVER (exported, left pointing at SOCK_PEER on return)
# Side effects: overwrites ./tmp with the generated setkey script
#
delete_sa()
{
	local proto=$1
	local ip_local=$2
	local ip_peer=$3
	local spi=$4
	local script=./tmp
	local server=

	# Same script for both servers; only RUMP_SERVER differs.
	for server in $SOCK_LOCAL $SOCK_PEER; do
		export RUMP_SERVER=$server
		# $((spi)) renders the SPI as a decimal number for setkey
		printf '%s\n' \
		    "delete $ip_local $ip_peer $proto $((spi));" \
		    "delete $ip_peer $ip_local $proto $((spi + 1));" \
		    > "$script"
		$DEBUG && cat "$script"
		# HIJACKING is set outside this file and is left unquoted on
		# purpose: it may expand to several words.
		atf_check -s exit:0 -o empty $HIJACKING setkey -c < "$script"
		$DEBUG && $HIJACKING setkey -D
	done
}
448
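#
# Assert that the captured packets in a file carry the expected SPIs.
#
# Arguments: $1 - file holding the output of extract_new_packets
#            $2 - local address, $3 - peer address
#            $4 - protocol name as it appears in the capture (ESP or AH);
#                 callers pass their upper-cased $proto_cap
#            $5 - SPI expected on local->peer; peer->local must carry spi+1
# Globals:   DEBUG (read)
#
# The test case fails (through atf_check) if either direction is missing.
# The previous version ignored its own $4 and silently relied on the
# caller's dynamically scoped $proto_cap; it now uses the parameter.
#
check_packet_spi()
{
	local outfile=$1
	local ip_local=$2
	local ip_peer=$3
	local proto=$4
	local spi=$5
	local spistr=

	$DEBUG && cat "$outfile"
	# setkey takes the SPI in decimal; the capture prints it as 8 hex
	# digits.  The "\(" keeps the parenthesis literal in the match regex.
	spistr=$(printf "%08x" "$spi")
	atf_check -s exit:0 \
	    -o match:"$ip_local > $ip_peer: $proto\(spi=0x$spistr," \
	    cat "$outfile"
	spistr=$(printf "%08x" $((spi + 1)))
	atf_check -s exit:0 \
	    -o match:"$ip_peer > $ip_local: $proto\(spi=0x$spistr," \
	    cat "$outfile"
}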
468
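#
# Helper for wait_sa_disappeared: poll one server until the SA is gone.
#
# Arguments: $1 - rump server socket
#            $2 - SPI (decimal, as printed by "setkey -D")
#            $3 - number of one-second polls before giving up
# Globals:   HIJACKING (read); RUMP_SERVER (exported, left set to $1)
# Returns:   0 once the SA is no longer listed; otherwise atf_fail is called
#
_wait_sa_disappeared_on()
{
	local server=$1
	local spi=$2
	local timeout=$3
	local polled=0

	export RUMP_SERVER=$server
	while [ "$polled" -lt "$timeout" ]; do
		# HIJACKING is set outside this file and is left unquoted on
		# purpose: it may expand to several words.
		if ! $HIJACKING setkey -D | grep -q "spi=$spi"; then
			return 0
		fi
		sleep 1
		polled=$((polled + 1))
	done
	atf_fail "SA (spi=$spi) didn't disappear in ${timeout}s"
}

#
# Wait until the SA with the given SPI has expired on both servers.
#
# Arguments: $1 - SPI (decimal)
#            $2 - optional poll budget in seconds (default 10)
# Globals:   SOCK_LOCAL, SOCK_PEER (read);
#            RUMP_SERVER (exported, left pointing at SOCK_PEER on return)
#
# The previous loop reported a failure whenever the SA vanished exactly on
# the last poll, because it tested the loop counter instead of the result;
# the helper returns as soon as the SA is gone and fails only on timeout.
#
wait_sa_disappeared()
{
	local spi=$1
	local timeout=${2:-10}

	_wait_sa_disappeared_on $SOCK_LOCAL "$spi" "$timeout"
	_wait_sa_disappeared_on $SOCK_PEER "$spi" "$timeout"
}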
493
#
# Check which of several SAs (different SPIs) towards the same peer is used.
#
# Arguments: $1 - IPsec protocol (esp or ah)
#            $2 - algorithm name handed to generate_algo_args
#            $3 - "old": set net.key.prefered_oldsa=1 on both servers and
#                 expect the first SA (SPI 10000) to keep being used;
#                 anything else: expect the newest SA to win
#            $4 - "delete": remove the extra SAs with setkey;
#                 anything else: wait for their short lifetimes (6s, 3s)
# Globals:   SOCK_LOCAL, SOCK_PEER, BUS (read); RUMP_SERVER (exported)
#
# Three SA pairs are installed (SPI 10000, 10010, 10020); after each step a
# ping is captured and check_packet_spi asserts which SPI was used.
#
test_spi()
{
	local proto=$1
	local algo=$2
	local preferred=$3
	local method=$4
	local ip_local=10.0.0.1
	local ip_peer=10.0.0.2
	local algo_args="$(generate_algo_args $proto $algo)"
	local proto_cap=$(echo $proto | tr 'a-z' 'A-Z')
	local outfile=./out
	local spistr=

	rump_server_crypto_start $SOCK_LOCAL netipsec
	rump_server_crypto_start $SOCK_PEER netipsec
	rump_server_add_iface $SOCK_LOCAL shmif0 $BUS
	rump_server_add_iface $SOCK_PEER shmif0 $BUS

	# Turn off DAD (dad_count=0) before assigning the addresses.
	# net.key.prefered_oldsa (sic, the sysctl's spelling) makes the
	# kernel keep using the oldest matching SA.
	export RUMP_SERVER=$SOCK_LOCAL
	atf_check -s exit:0 rump.sysctl -q -w net.inet.ip.dad_count=0
	atf_check -s exit:0 rump.ifconfig shmif0 $ip_local/24
	if [ $preferred = old ]; then
		atf_check -s exit:0 rump.sysctl -q -w net.key.prefered_oldsa=1
	fi

	export RUMP_SERVER=$SOCK_PEER
	atf_check -s exit:0 rump.sysctl -q -w net.inet.ip.dad_count=0
	atf_check -s exit:0 rump.ifconfig shmif0 $ip_peer/24
	if [ $preferred = old ]; then
		atf_check -s exit:0 rump.sysctl -q -w net.key.prefered_oldsa=1
	fi

	# Base pair: SPI 10000/10001 with a 100s lifetime, plus the SPs.
	setup_sasp $proto "$algo_args" $ip_local $ip_peer 100

	# Consume whatever is on the bus so far; each capture below then
	# holds only the ping that precedes it.
	extract_new_packets $BUS > $outfile

	export RUMP_SERVER=$SOCK_LOCAL
	atf_check -s exit:0 -o ignore rump.ping -c 1 -n -w 3 $ip_peer
	extract_new_packets $BUS > $outfile
	check_packet_spi $outfile $ip_local $ip_peer $proto_cap 10000

	# Add a new SA with a different SPI (6s lifetime, expires last)
	add_sa $proto "$algo_args" $ip_local $ip_peer 6 10010

	export RUMP_SERVER=$SOCK_LOCAL
	atf_check -s exit:0 -o ignore rump.ping -c 1 -n -w 3 $ip_peer
	extract_new_packets $BUS > $outfile
	if [ $preferred = old ]; then
		check_packet_spi $outfile $ip_local $ip_peer $proto_cap 10000
	else
		# The new SA is preferred
		check_packet_spi $outfile $ip_local $ip_peer $proto_cap 10010
	fi

	# Add another SA with a different SPI (3s lifetime, expires first)
	add_sa $proto "$algo_args" $ip_local $ip_peer 3 10020

	export RUMP_SERVER=$SOCK_LOCAL
	atf_check -s exit:0 -o ignore rump.ping -c 1 -n -w 3 $ip_peer
	extract_new_packets $BUS > $outfile
	if [ $preferred = old ]; then
		check_packet_spi $outfile $ip_local $ip_peer $proto_cap 10000
	else
		# The newest SA is preferred
		check_packet_spi $outfile $ip_local $ip_peer $proto_cap 10020
	fi

	# Remove the newest SA, either explicitly or by letting it expire.
	if [ $method = delete ]; then
		delete_sa $proto $ip_local $ip_peer 10020
	else
		wait_sa_disappeared 10020
	fi

	export RUMP_SERVER=$SOCK_LOCAL
	atf_check -s exit:0 -o ignore rump.ping -c 1 -n -w 3 $ip_peer
	extract_new_packets $BUS > $outfile
	if [ $preferred = old ]; then
		check_packet_spi $outfile $ip_local $ip_peer $proto_cap 10000
	else
		# The newest one is removed and the second one is used
		check_packet_spi $outfile $ip_local $ip_peer $proto_cap 10010
	fi

	# Remove the second SA the same way.
	if [ $method = delete ]; then
		delete_sa $proto $ip_local $ip_peer 10010
	else
		wait_sa_disappeared 10010
	fi

	# Only the base pair is left, so both modes must now use SPI 10000.
	export RUMP_SERVER=$SOCK_LOCAL
	atf_check -s exit:0 -o ignore rump.ping -c 1 -n -w 3 $ip_peer
	extract_new_packets $BUS > $outfile
	if [ $preferred = old ]; then
		check_packet_spi $outfile $ip_local $ip_peer $proto_cap 10000
	else
		# The second one is removed and the original one is used
		check_packet_spi $outfile $ip_local $ip_peer $proto_cap 10000
	fi
}
593
#
# Register one ATF test case
# ipsec_spi_<proto>_<algo>_preferred_<preferred>_<method>.
#
# Arguments: $1 - IPsec protocol (esp or ah)
#            $2 - algorithm name; dashes are dropped for the case name
#            $3 - "old" or "new": which SA test_spi expects to be preferred
#            $4 - "delete" or "timeout": how test_spi removes the extra SAs
# Globals:   DEBUG (read; its value is baked into the cleanup function)
#
# The head/body/cleanup functions ATF expects are generated with eval, so
# the arguments must be plain tokens; they come from atf_init_test_cases and
# the algorithm lists defined outside this file.
#
add_test_spi()
{
	local proto=$1
	local algo=$2
	local preferred=$3
	local method=$4
	local _algo=$(printf '%s' "$algo" | tr -d '-')
	local name="ipsec_spi_${proto}_${_algo}_preferred_${preferred}_${method}"
	local desc="Tests SAs with different SPIs of $proto ($algo) ($preferred SA preferred) ($method)"

	atf_test_case ${name} cleanup
	eval "
	${name}_head() {
		atf_set \"descr\" \"$desc\"
		atf_set \"require.progs\" \"rump_server\" \"setkey\"
	}
	${name}_body() {
		test_spi $proto $algo $preferred $method
		rump_server_destroy_ifaces
	}
	${name}_cleanup() {
		$DEBUG && dump
		cleanup
	}
	"
	atf_add_test_case ${name}
}
623
#
# ATF entry point: register every test case of this file.
#
# Globals: ESP_ENCRYPTION_ALGORITHMS_MINIMUM and
#          AH_AUTHENTICATION_ALGORITHMS_MINIMUM (read; whitespace-separated
#          algorithm lists defined outside this file)
#
# For each protocol and algorithm the same eight cases are added: lifetime
# over IPv4 and IPv6, SA and SP update, and the four SPI preference/removal
# combinations.
#
atf_init_test_cases()
{
	local proto=
	local algo=
	local algos=

	for proto in esp ah; do
		case $proto in
		esp) algos=$ESP_ENCRYPTION_ALGORITHMS_MINIMUM ;;
		ah) algos=$AH_AUTHENTICATION_ALGORITHMS_MINIMUM ;;
		esac
		for algo in $algos; do
			add_test_lifetime ipv4 $proto $algo
			add_test_lifetime ipv6 $proto $algo
			add_test_update $proto $algo sa
			add_test_update $proto $algo sp
			add_test_spi $proto $algo new delete
			add_test_spi $proto $algo old delete
			add_test_spi $proto $algo new timeout
			add_test_spi $proto $algo old timeout
		done
	done
}
649