# $NetBSD: t_ipsec_misc.sh,v 1.19 2017/10/20 03:43:51 ozaki-r Exp $
2 #
3 # Copyright (c) 2017 Internet Initiative Japan Inc.
4 # All rights reserved.
5 #
6 # Redistribution and use in source and binary forms, with or without
7 # modification, are permitted provided that the following conditions
8 # are met:
9 # 1. Redistributions of source code must retain the above copyright
10 # notice, this list of conditions and the following disclaimer.
11 # 2. Redistributions in binary form must reproduce the above copyright
12 # notice, this list of conditions and the following disclaimer in the
13 # documentation and/or other materials provided with the distribution.
14 #
15 # THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
16 # ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
17 # TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
18 # PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
19 # BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
20 # CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
21 # SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
22 # INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
23 # CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
24 # ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
25 # POSSIBILITY OF SUCH DAMAGE.
26 #
27
# Rump server control sockets for the two IPsec endpoints, and the shmif
# bus that connects their shmif0 interfaces.
SOCK_LOCAL=unix://ipsec_local
SOCK_PEER=unix://ipsec_peer
BUS=./bus_ipsec

# Dump setkey input and SAD/SPD listings while the tests run; run with
# DEBUG=false in the environment to silence that.
: ${DEBUG:=true}
33
34 setup_sasp()
35 {
36 local proto=$1
37 local algo_args="$2"
38 local ip_local=$3
39 local ip_peer=$4
40 local lifetime=$5
41 local update=$6
42 local tmpfile=./tmp
43 local extra=
44
45 if [ "$update" = sa ]; then
46 extra="update $ip_local $ip_peer $proto 10000 $algo_args;
47 update $ip_peer $ip_local $proto 10001 $algo_args;"
48 elif [ "$update" = sp ]; then
49 extra="spdupdate $ip_local $ip_peer any -P out ipsec $proto/transport//require;"
50 fi
51
52 export RUMP_SERVER=$SOCK_LOCAL
53 cat > $tmpfile <<-EOF
54 add $ip_local $ip_peer $proto 10000 -lh $lifetime -ls $lifetime $algo_args;
55 add $ip_peer $ip_local $proto 10001 -lh $lifetime -ls $lifetime $algo_args;
56 spdadd $ip_local $ip_peer any -P out ipsec $proto/transport//require;
57 $extra
58 EOF
59 $DEBUG && cat $tmpfile
60 atf_check -s exit:0 -o empty $HIJACKING setkey -c < $tmpfile
61 # XXX it can be expired if $lifetime is very short
62 #check_sa_entries $SOCK_LOCAL $ip_local $ip_peer
63
64 if [ "$update" = sp ]; then
65 extra="spdupdate $ip_peer $ip_local any -P out ipsec $proto/transport//require;"
66 fi
67
68 export RUMP_SERVER=$SOCK_PEER
69 cat > $tmpfile <<-EOF
70 add $ip_local $ip_peer $proto 10000 -lh $lifetime -ls $lifetime $algo_args;
71 add $ip_peer $ip_local $proto 10001 -lh $lifetime -ls $lifetime $algo_args;
72 spdadd $ip_peer $ip_local any -P out ipsec $proto/transport//require;
73 $extra
74 EOF
75 $DEBUG && cat $tmpfile
76 atf_check -s exit:0 -o empty $HIJACKING setkey -c < $tmpfile
77 # XXX it can be expired if $lifetime is very short
78 #check_sa_entries $SOCK_PEER $ip_local $ip_peer
79 }
80
#
# test_ipsec4_lifetime proto algo
#
# SA lifetime expiry over IPv4.  First install SAs with a 1 s lifetime and
# never use them: they must disappear from the SAD on their own.  Then
# install SAs with a 3 s lifetime, ping through them so an SP holds a
# reference to them, and check that they still disappear (also from the
# "setkey -D -a" listing) and that traffic then fails because the SPs
# still require IPsec.
#
test_ipsec4_lifetime()
{
	local proto=$1
	local algo=$2
	local ip_local=10.0.0.1
	local ip_peer=10.0.0.2
	local outfile=./out
	local proto_cap=$(echo $proto | tr 'a-z' 'A-Z')
	local algo_args="$(generate_algo_args $proto $algo)"
	local lifetime=3
	local sock=

	rump_server_crypto_start $SOCK_LOCAL netipsec
	rump_server_crypto_start $SOCK_PEER netipsec
	rump_server_add_iface $SOCK_LOCAL shmif0 $BUS
	rump_server_add_iface $SOCK_PEER shmif0 $BUS

	# Configure both ends with DAD disabled (dad_count=0).
	export RUMP_SERVER=$SOCK_LOCAL
	atf_check -s exit:0 rump.sysctl -q -w net.inet.ip.dad_count=0
	atf_check -s exit:0 rump.ifconfig shmif0 $ip_local/24
	#atf_check -s exit:0 -o ignore rump.sysctl -w net.key.debug=0xff

	export RUMP_SERVER=$SOCK_PEER
	atf_check -s exit:0 rump.sysctl -q -w net.inet.ip.dad_count=0
	atf_check -s exit:0 rump.ifconfig shmif0 $ip_peer/24
	#atf_check -s exit:0 -o ignore rump.sysctl -w net.key.debug=0xff

	# Discard whatever the bus has captured during setup.
	extract_new_packets $BUS > $outfile

	# Plain connectivity before any IPsec policy is in place.
	export RUMP_SERVER=$SOCK_LOCAL
	atf_check -s exit:0 -o ignore rump.ping -c 1 -n -w 3 $ip_peer

	extract_new_packets $BUS > $outfile
	atf_check -s exit:0 -o match:"$ip_local > $ip_peer: ICMP echo request" \
	    cat $outfile
	atf_check -s exit:0 -o match:"$ip_peer > $ip_local: ICMP echo reply" \
	    cat $outfile

	# Unused SAs with a 1 s lifetime must expire by themselves.
	setup_sasp $proto "$algo_args" $ip_local $ip_peer 1
	atf_check -s exit:0 sleep 2

	for sock in $SOCK_LOCAL $SOCK_PEER; do
		export RUMP_SERVER=$sock
		$DEBUG && $HIJACKING setkey -D
		atf_check -s exit:0 -o match:'No SAD entries.' $HIJACKING setkey -D
	done

	# Drop the SPs before installing the next set.
	for sock in $SOCK_LOCAL $SOCK_PEER; do
		export RUMP_SERVER=$sock
		atf_check -s exit:0 -o empty $HIJACKING setkey -F -P
	done

	# SAs with a $lifetime s lifetime, this time used by a ping so that
	# the SP takes a reference to the SA before it expires.
	setup_sasp $proto "$algo_args" $ip_local $ip_peer $lifetime

	export RUMP_SERVER=$SOCK_LOCAL
	atf_check -s exit:0 -o ignore rump.ping -c 1 -n -w 3 $ip_peer

	extract_new_packets $BUS > $outfile
	atf_check -s exit:0 -o match:"$ip_local > $ip_peer: $proto_cap" \
	    cat $outfile
	atf_check -s exit:0 -o match:"$ip_peer > $ip_local: $proto_cap" \
	    cat $outfile

	atf_check -s exit:0 sleep $((lifetime + 1))

	# The referenced SAs must be gone as well, even in the -a listing.
	for sock in $SOCK_LOCAL $SOCK_PEER; do
		export RUMP_SERVER=$sock
		$DEBUG && $HIJACKING setkey -D
		atf_check -s exit:0 -o match:'No SAD entries.' $HIJACKING setkey -D -a
	done

	# The SPs still require IPsec and no SA is left: the ping must fail.
	export RUMP_SERVER=$SOCK_LOCAL
	atf_check -s not-exit:0 -o match:'0 packets received' \
	    rump.ping -c 1 -n -w 1 $ip_peer

	test_flush_entries $SOCK_LOCAL
	test_flush_entries $SOCK_PEER
}
168
#
# test_ipsec6_lifetime proto algo
#
# IPv6 counterpart of test_ipsec4_lifetime: unused 1 s SAs must expire on
# their own; 3 s SAs that an SP references (after a ping6) must expire
# too, also from the "setkey -D -a" listing, after which the ping6 fails.
#
test_ipsec6_lifetime()
{
	local proto=$1
	local algo=$2
	local ip_local=fd00::1
	local ip_peer=fd00::2
	local outfile=./out
	local proto_cap=$(echo $proto | tr 'a-z' 'A-Z')
	local algo_args="$(generate_algo_args $proto $algo)"
	local lifetime=3
	local sock=

	rump_server_crypto_start $SOCK_LOCAL netinet6 netipsec
	rump_server_crypto_start $SOCK_PEER netinet6 netipsec
	rump_server_add_iface $SOCK_LOCAL shmif0 $BUS
	rump_server_add_iface $SOCK_PEER shmif0 $BUS

	# Configure both ends with DAD disabled (dad_count=0).
	export RUMP_SERVER=$SOCK_LOCAL
	atf_check -s exit:0 rump.sysctl -q -w net.inet6.ip6.dad_count=0
	atf_check -s exit:0 rump.ifconfig shmif0 inet6 $ip_local

	export RUMP_SERVER=$SOCK_PEER
	atf_check -s exit:0 rump.sysctl -q -w net.inet6.ip6.dad_count=0
	atf_check -s exit:0 rump.ifconfig shmif0 inet6 $ip_peer

	# Discard whatever the bus has captured during setup.
	extract_new_packets $BUS > $outfile

	# Plain connectivity before any IPsec policy is in place.
	export RUMP_SERVER=$SOCK_LOCAL
	atf_check -s exit:0 -o ignore rump.ping6 -c 1 -n -X 3 $ip_peer

	extract_new_packets $BUS > $outfile
	atf_check -s exit:0 -o match:"$ip_local > $ip_peer: ICMP6, echo request" \
	    cat $outfile
	atf_check -s exit:0 -o match:"$ip_peer > $ip_local: ICMP6, echo reply" \
	    cat $outfile

	# Unused SAs with a 1 s lifetime must expire by themselves.
	setup_sasp $proto "$algo_args" $ip_local $ip_peer 1
	atf_check -s exit:0 sleep 2

	for sock in $SOCK_LOCAL $SOCK_PEER; do
		export RUMP_SERVER=$sock
		$DEBUG && $HIJACKING setkey -D
		atf_check -s exit:0 -o match:'No SAD entries.' $HIJACKING setkey -D
	done

	# Drop the SPs before installing the next set.
	for sock in $SOCK_LOCAL $SOCK_PEER; do
		export RUMP_SERVER=$sock
		atf_check -s exit:0 -o empty $HIJACKING setkey -F -P
	done

	# SAs with a $lifetime s lifetime, this time used by a ping6 so that
	# the SP takes a reference to the SA before it expires.
	setup_sasp $proto "$algo_args" $ip_local $ip_peer $lifetime

	export RUMP_SERVER=$SOCK_LOCAL
	atf_check -s exit:0 -o ignore rump.ping6 -c 1 -n -X 3 $ip_peer

	extract_new_packets $BUS > $outfile
	atf_check -s exit:0 -o match:"$ip_local > $ip_peer: $proto_cap" \
	    cat $outfile
	atf_check -s exit:0 -o match:"$ip_peer > $ip_local: $proto_cap" \
	    cat $outfile

	atf_check -s exit:0 sleep $((lifetime + 1))

	# The referenced SAs must be gone as well, even in the -a listing.
	for sock in $SOCK_LOCAL $SOCK_PEER; do
		export RUMP_SERVER=$sock
		$DEBUG && $HIJACKING setkey -D
		atf_check -s exit:0 -o match:'No SAD entries.' $HIJACKING setkey -D -a
	done

	# The SPs still require IPsec and no SA is left: the ping6 must fail.
	export RUMP_SERVER=$SOCK_LOCAL
	atf_check -s not-exit:0 -o match:'0 packets received' \
	    rump.ping6 -c 1 -n -X 1 $ip_peer

	test_flush_entries $SOCK_LOCAL
	test_flush_entries $SOCK_PEER
}
254
#
# test_lifetime_common ipproto proto algo
#
# Dispatch the lifetime test to its IPv4 or IPv6 variant; anything other
# than "ipv4" selects the IPv6 variant.
#
test_lifetime_common()
{
	local ipproto=$1
	local proto=$2
	local algo=$3

	case "$ipproto" in
	ipv4)
		test_ipsec4_lifetime $proto $algo
		;;
	*)
		test_ipsec6_lifetime $proto $algo
		;;
	esac
}
267
#
# add_test_lifetime ipproto proto algo
#
# Register one ATF test case for test_lifetime_common.  The arguments are
# interpolated into function names and into an eval'd string, so they
# must stay shell-safe; the callers take them from the fixed
# *_ALGORITHMS_MINIMUM lists, and "-" is stripped from the algorithm name
# to keep the test case name a valid identifier.
#
add_test_lifetime()
{
	local ipproto=$1
	local proto=$2
	local algo=$3
	local _algo=$(echo $algo | sed 's/-//g')
	local name="ipsec_lifetime_${ipproto}_${proto}_${_algo}"
	local desc="Tests of lifetime of IPsec ($ipproto) with $proto ($algo)"

	atf_test_case ${name} cleanup
	eval "
	    ${name}_head() {
	        atf_set descr \"$desc\"
	        atf_set require.progs rump_server setkey
	    }
	    ${name}_body() {
	        test_lifetime_common $ipproto $proto $algo
	        rump_server_destroy_ifaces
	    }
	    ${name}_cleanup() {
	        \$DEBUG && dump
	        cleanup
	    }
	"
	atf_add_test_case ${name}
}
296
#
# test_update proto algo update
#
# Install SAs/SPs via setup_sasp with the given update mode ("sa" re-issues
# the SAs with "update", "sp" the SP with "spdupdate") and verify that
# traffic still flows protected by $proto afterwards.
#
test_update()
{
	local proto=$1
	local algo=$2
	local update=$3
	local ip_local=10.0.0.1
	local ip_peer=10.0.0.2
	local algo_args="$(generate_algo_args $proto $algo)"
	local proto_cap=$(echo $proto | tr 'a-z' 'A-Z')
	local outfile=./out

	rump_server_crypto_start $SOCK_LOCAL netipsec
	rump_server_crypto_start $SOCK_PEER netipsec
	rump_server_add_iface $SOCK_LOCAL shmif0 $BUS
	rump_server_add_iface $SOCK_PEER shmif0 $BUS

	# Configure both ends with DAD disabled (dad_count=0).
	export RUMP_SERVER=$SOCK_LOCAL
	atf_check -s exit:0 rump.sysctl -q -w net.inet.ip.dad_count=0
	atf_check -s exit:0 rump.ifconfig shmif0 $ip_local/24

	export RUMP_SERVER=$SOCK_PEER
	atf_check -s exit:0 rump.sysctl -q -w net.inet.ip.dad_count=0
	atf_check -s exit:0 rump.ifconfig shmif0 $ip_peer/24

	# Long-lived SAs: this test is about update, not expiry.
	setup_sasp $proto "$algo_args" $ip_local $ip_peer 100 $update

	# Discard what the bus captured so far, then ping through the SAs.
	extract_new_packets $BUS > $outfile

	export RUMP_SERVER=$SOCK_LOCAL
	atf_check -s exit:0 -o ignore rump.ping -c 1 -n -w 3 $ip_peer

	# Both directions must have been carried by $proto (ESP/AH on the wire).
	extract_new_packets $BUS > $outfile
	atf_check -s exit:0 -o match:"$ip_local > $ip_peer: $proto_cap" \
	    cat $outfile
	atf_check -s exit:0 -o match:"$ip_peer > $ip_local: $proto_cap" \
	    cat $outfile
}
334
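#
# add_test_update proto algo update
#
# Register one ATF test case for test_update.  The arguments end up in
# function names and in an eval'd string, so they must be shell-safe;
# callers take them from the fixed *_ALGORITHMS_MINIMUM lists and "-" is
# stripped from the algorithm name to keep the test case name valid.
#
add_test_update()
{
	local proto=$1
	local algo=$2
	local update=$3
	local _update=$(echo $update |tr 'a-z' 'A-Z')
	local _algo=$(echo $algo | sed 's/-//g')
	local name= desc=

	# "update" was misspelled "udpate" in the test description.
	desc="Tests trying to update $_update of $proto ($algo)"
	name="ipsec_update_${update}_${proto}_${_algo}"

	atf_test_case ${name} cleanup
	eval "
	    ${name}_head() {
	        atf_set descr \"$desc\"
	        atf_set require.progs rump_server setkey
	    }
	    ${name}_body() {
	        test_update $proto $algo $update
	        rump_server_destroy_ifaces
	    }
	    ${name}_cleanup() {
	        \$DEBUG && dump
	        cleanup
	    }
	"
	atf_add_test_case ${name}
}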
364
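#
# add_sa proto algo_args ip_local ip_peer lifetime spi
#
# Add a pair of SAs on both rump servers: SPI $spi for local->peer and
# SPI $spi+1 for peer->local, soft and hard lifetime both $lifetime
# seconds.  $spi is evaluated arithmetically, so it must be a number.
# The setkey script is staged in ./tmp.  On return RUMP_SERVER points at
# $SOCK_PEER.  (The unused "extra" variable of the original was dropped.)
#
add_sa()
{
	local proto=$1
	local algo_args="$2"
	local ip_local=$3
	local ip_peer=$4
	local lifetime=$5
	local spi=$6
	local tmpfile=./tmp
	local sock=

	# Both servers get the identical SA pair; local first, peer second.
	for sock in $SOCK_LOCAL $SOCK_PEER; do
		export RUMP_SERVER=$sock
		cat > $tmpfile <<-EOF
		add $ip_local $ip_peer $proto $((spi)) -lh $lifetime -ls $lifetime $algo_args;
		add $ip_peer $ip_local $proto $((spi + 1)) -lh $lifetime -ls $lifetime $algo_args;
		EOF
		$DEBUG && cat $tmpfile
		atf_check -s exit:0 -o empty $HIJACKING setkey -c < $tmpfile
		$DEBUG && $HIJACKING setkey -D
		# XXX the SAD is deliberately not verified with check_sa_entries:
		# with a very short $lifetime the entries may already be gone.
	done
}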
400
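#
# delete_sa proto ip_local ip_peer spi
#
# Delete the SA pair added by add_sa (SPI $spi local->peer and SPI $spi+1
# peer->local) from both rump servers.  $spi is evaluated arithmetically.
# The setkey script is staged in ./tmp.  On return RUMP_SERVER points at
# $SOCK_PEER.  (The unused "extra" variable of the original was dropped.)
#
delete_sa()
{
	local proto=$1
	local ip_local=$2
	local ip_peer=$3
	local spi=$4
	local tmpfile=./tmp
	local sock=

	# Same deletions on both servers; local first, peer second.
	for sock in $SOCK_LOCAL $SOCK_PEER; do
		export RUMP_SERVER=$sock
		cat > $tmpfile <<-EOF
		delete $ip_local $ip_peer $proto $((spi));
		delete $ip_peer $ip_local $proto $((spi + 1));
		EOF
		$DEBUG && cat $tmpfile
		atf_check -s exit:0 -o empty $HIJACKING setkey -c < $tmpfile
		$DEBUG && $HIJACKING setkey -D
	done
}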
428
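#
# check_packet_spi outfile ip_local ip_peer proto spi
#
# Assert that the captured packets in $outfile show local->peer traffic
# carried by SA $spi and peer->local traffic by SA $spi+1.  $proto is the
# capitalised protocol name as printed in the capture ("ESP"/"AH"); $spi
# is numeric and rendered as 8 hex digits to match the "spi=0x..." field.
#
# Bug fix: the match pattern used $proto_cap, a variable this function
# never sets, instead of its own $proto parameter; it only worked because
# the caller's local of that name leaked in through dynamic scoping.
#
check_packet_spi()
{
	local outfile=$1
	local ip_local=$2
	local ip_peer=$3
	local proto=$4
	local spi=$5
	local spistr=

	$DEBUG && cat $outfile
	# Outbound direction: SA $spi.
	spistr=$(printf "%08x" $spi)
	atf_check -s exit:0 \
	    -o match:"$ip_local > $ip_peer: $proto\(spi=0x$spistr," \
	    cat $outfile
	# Return direction: the partner SA, $spi + 1.
	spistr=$(printf "%08x" $((spi + 1)))
	atf_check -s exit:0 \
	    -o match:"$ip_peer > $ip_local: $proto\(spi=0x$spistr," \
	    cat $outfile
}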
448
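#
# _wait_sa_disappeared_on sock spi
#
# Poll "setkey -D" on the rump server $sock once a second, for at most
# ten attempts, until no line contains "spi=$spi"; call atf_fail if the
# SA is still listed after the last attempt.  Leaves RUMP_SERVER set to
# $sock.
#
# Bug fix: the original tested the loop counter against 10 after the
# loop, so an SA that vanished exactly on the tenth poll was reported as
# a failure; an explicit flag now records whether it was still present.
#
_wait_sa_disappeared_on()
{
	local sock=$1
	local spi=$2
	local i=
	local present=true

	export RUMP_SERVER=$sock
	for i in 1 2 3 4 5 6 7 8 9 10; do
		if ! $HIJACKING setkey -D | grep -q "spi=$spi"; then
			present=false
			break
		fi
		sleep 1
	done
	if $present; then
		atf_fail "SA (spi=$spi) didn't disappear in 10s"
	fi
}

#
# wait_sa_disappeared spi
#
# Wait (up to 10 s each) for the SA with SPI $spi to disappear from the
# SAD of the local server and then of the peer.  On return RUMP_SERVER
# points at $SOCK_PEER.
#
wait_sa_disappeared()
{
	local spi=$1

	_wait_sa_disappeared_on $SOCK_LOCAL $spi
	_wait_sa_disappeared_on $SOCK_PEER $spi
}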
473
#
# test_spi proto algo preferred method
#
# SA selection when several SAs with different SPIs match one SP.
# Start with the SA pair from setup_sasp (SPI 10000), then add pairs with
# SPIs 10010 and 10020 and check which SPI each ping uses: with
# preferred=new the most recently added SA wins, with preferred=old
# (net.key.prefered_oldsa=1) the original one keeps being used.  The
# extra SAs are then removed one by one, either explicitly
# (method=delete) or by letting them expire (method=timeout), and the
# selection is re-checked after each removal.
#
test_spi()
{
	local proto=$1
	local algo=$2
	local preferred=$3
	local method=$4
	local ip_local=10.0.0.1
	local ip_peer=10.0.0.2
	local algo_args="$(generate_algo_args $proto $algo)"
	local proto_cap=$(echo $proto | tr 'a-z' 'A-Z')
	local outfile=./out
	local spistr=
	local longtime= shorttime=

	if [ $method = timeout ] && [ $preferred = new ]; then
		skip_if_qemu
	fi

	# For method=timeout the added SAs expire on their own: 10020 after
	# $shorttime, 10010 after $longtime.  For method=delete they live
	# long enough to be removed explicitly.
	case "$method" in
	delete)
		shorttime=100
		longtime=100
		;;
	*)
		shorttime=3
		longtime=6
		;;
	esac

	rump_server_crypto_start $SOCK_LOCAL netipsec
	rump_server_crypto_start $SOCK_PEER netipsec
	rump_server_add_iface $SOCK_LOCAL shmif0 $BUS
	rump_server_add_iface $SOCK_PEER shmif0 $BUS

	# Configure both ends with DAD disabled; preferred=old switches the
	# key subsystem to keep using the oldest matching SA.
	export RUMP_SERVER=$SOCK_LOCAL
	atf_check -s exit:0 rump.sysctl -q -w net.inet.ip.dad_count=0
	atf_check -s exit:0 rump.ifconfig shmif0 $ip_local/24
	if [ $preferred = old ]; then
		atf_check -s exit:0 rump.sysctl -q -w net.key.prefered_oldsa=1
	fi

	export RUMP_SERVER=$SOCK_PEER
	atf_check -s exit:0 rump.sysctl -q -w net.inet.ip.dad_count=0
	atf_check -s exit:0 rump.ifconfig shmif0 $ip_peer/24
	if [ $preferred = old ]; then
		atf_check -s exit:0 rump.sysctl -q -w net.key.prefered_oldsa=1
	fi

	# Baseline: SPI 10000/10001 with a long lifetime.
	setup_sasp $proto "$algo_args" $ip_local $ip_peer 100

	extract_new_packets $BUS > $outfile

	export RUMP_SERVER=$SOCK_LOCAL
	atf_check -s exit:0 -o ignore rump.ping -c 1 -n -w 3 $ip_peer
	extract_new_packets $BUS > $outfile
	check_packet_spi $outfile $ip_local $ip_peer $proto_cap 10000

	# Second SA pair, SPI 10010/10011.
	add_sa $proto "$algo_args" $ip_local $ip_peer $longtime 10010

	export RUMP_SERVER=$SOCK_LOCAL
	atf_check -s exit:0 -o ignore rump.ping -c 1 -n -w 3 $ip_peer
	extract_new_packets $BUS > $outfile
	case "$preferred" in
	old)
		check_packet_spi $outfile $ip_local $ip_peer $proto_cap 10000
		;;
	*)
		# The newer SA is preferred.
		check_packet_spi $outfile $ip_local $ip_peer $proto_cap 10010
		;;
	esac

	# Third SA pair, SPI 10020/10021.
	add_sa $proto "$algo_args" $ip_local $ip_peer $shorttime 10020

	export RUMP_SERVER=$SOCK_LOCAL
	atf_check -s exit:0 -o ignore rump.ping -c 1 -n -w 3 $ip_peer
	extract_new_packets $BUS > $outfile
	case "$preferred" in
	old)
		check_packet_spi $outfile $ip_local $ip_peer $proto_cap 10000
		;;
	*)
		# The newest SA is preferred.
		check_packet_spi $outfile $ip_local $ip_peer $proto_cap 10020
		;;
	esac

	# Remove the newest pair (10020) and re-check the selection.
	if [ $method = delete ]; then
		delete_sa $proto $ip_local $ip_peer 10020
	else
		wait_sa_disappeared 10020
	fi

	export RUMP_SERVER=$SOCK_LOCAL
	atf_check -s exit:0 -o ignore rump.ping -c 1 -n -w 3 $ip_peer
	extract_new_packets $BUS > $outfile
	case "$preferred" in
	old)
		check_packet_spi $outfile $ip_local $ip_peer $proto_cap 10000
		;;
	*)
		# With the newest one gone the second pair is used.
		check_packet_spi $outfile $ip_local $ip_peer $proto_cap 10010
		;;
	esac

	# Remove the second pair (10010): only the original one is left.
	if [ $method = delete ]; then
		delete_sa $proto $ip_local $ip_peer 10010
	else
		wait_sa_disappeared 10010
	fi

	export RUMP_SERVER=$SOCK_LOCAL
	atf_check -s exit:0 -o ignore rump.ping -c 1 -n -w 3 $ip_peer
	extract_new_packets $BUS > $outfile
	# Either way the original SA (10000) must now be the one in use.
	check_packet_spi $outfile $ip_local $ip_peer $proto_cap 10000
}
586
#
# add_test_spi proto algo preferred method
#
# Register one ATF test case for test_spi.  The arguments are
# interpolated into function names and into an eval'd string, so they
# must stay shell-safe; the callers pass fixed words plus entries of the
# *_ALGORITHMS_MINIMUM lists, and "-" is stripped from the algorithm name
# to keep the test case name a valid identifier.
#
add_test_spi()
{
	local proto=$1
	local algo=$2
	local preferred=$3
	local method=$4
	local _algo=$(echo $algo | sed 's/-//g')
	local name="ipsec_spi_${proto}_${_algo}_preferred_${preferred}_${method}"
	local desc="Tests SAs with different SPIs of $proto ($algo) ($preferred SA preferred) ($method)"

	atf_test_case ${name} cleanup
	eval "
	    ${name}_head() {
	        atf_set descr \"$desc\"
	        atf_set require.progs rump_server setkey
	    }
	    ${name}_body() {
	        test_spi $proto $algo $preferred $method
	        rump_server_destroy_ifaces
	    }
	    ${name}_cleanup() {
	        \$DEBUG && dump
	        cleanup
	    }
	"
	atf_add_test_case ${name}
}
616
#
# setup_sp proto algo_args ip_local ip_peer
#
# Install transport-mode SPs requiring $proto on both rump servers (an
# outbound and an inbound one each) without any SA, and verify them with
# check_sp_entries.  $algo_args is accepted for symmetry with setup_sasp
# but not used.  The setkey script is staged in ./tmp.  On return
# RUMP_SERVER points at $SOCK_PEER.
#
setup_sp()
{
	local proto=$1
	local algo_args="$2"
	local ip_local=$3
	local ip_peer=$4
	local tmpfile=./tmp

	# Local side: out local->peer, in peer->local.
	export RUMP_SERVER=$SOCK_LOCAL
	cat > $tmpfile <<-EOF
	spdadd $ip_local $ip_peer any -P out ipsec $proto/transport//require;
	spdadd $ip_peer $ip_local any -P in ipsec $proto/transport//require;
	EOF
	$DEBUG && cat $tmpfile
	atf_check -s exit:0 -o empty $HIJACKING setkey -c < $tmpfile
	check_sp_entries $SOCK_LOCAL $ip_local $ip_peer

	# Peer side: the mirror image.
	export RUMP_SERVER=$SOCK_PEER
	cat > $tmpfile <<-EOF
	spdadd $ip_peer $ip_local any -P out ipsec $proto/transport//require;
	spdadd $ip_local $ip_peer any -P in ipsec $proto/transport//require;
	EOF
	$DEBUG && cat $tmpfile
	atf_check -s exit:0 -o empty $HIJACKING setkey -c < $tmpfile
	check_sp_entries $SOCK_PEER $ip_peer $ip_local
}
643
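#
# test_nosa proto algo
#
# Install SPs that require $proto but no SA at all, and check that a ping
# between the two servers fails rather than going out unprotected.
#
# Cleanup: the original also declared "update" (a third argument no
# caller passes) and "proto_cap", neither of which was used; both are
# dropped.
#
test_nosa()
{
	local proto=$1
	local algo=$2
	local ip_local=10.0.0.1
	local ip_peer=10.0.0.2
	local algo_args="$(generate_algo_args $proto $algo)"
	local outfile=./out

	rump_server_crypto_start $SOCK_LOCAL netipsec
	rump_server_crypto_start $SOCK_PEER netipsec
	rump_server_add_iface $SOCK_LOCAL shmif0 $BUS
	rump_server_add_iface $SOCK_PEER shmif0 $BUS

	# Configure both ends with DAD disabled (dad_count=0).
	export RUMP_SERVER=$SOCK_LOCAL
	atf_check -s exit:0 rump.sysctl -q -w net.inet.ip.dad_count=0
	atf_check -s exit:0 rump.ifconfig shmif0 $ip_local/24

	export RUMP_SERVER=$SOCK_PEER
	atf_check -s exit:0 rump.sysctl -q -w net.inet.ip.dad_count=0
	atf_check -s exit:0 rump.ifconfig shmif0 $ip_peer/24

	# SPs only; deliberately no SA.
	setup_sp $proto "$algo_args" $ip_local $ip_peer

	extract_new_packets $BUS > $outfile

	# The "require" policy has nothing to satisfy it, so the ping fails.
	export RUMP_SERVER=$SOCK_LOCAL
	atf_check -s not-exit:0 -o ignore rump.ping -c 1 -n -w 3 $ip_peer
}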
676
#
# add_test_nosa proto algo
#
# Register one ATF test case for test_nosa.  The arguments are
# interpolated into function names and into an eval'd string, so they
# must stay shell-safe; the callers take them from the fixed
# *_ALGORITHMS_MINIMUM lists, and "-" is stripped from the algorithm name
# to keep the test case name a valid identifier.
#
add_test_nosa()
{
	local proto=$1
	local algo=$2
	local _algo=$(echo $algo | sed 's/-//g')
	local name="ipsec_nosa_${proto}_${_algo}"
	local desc="Tests SPs with no relevant SAs with $proto ($algo)"

	atf_test_case ${name} cleanup
	eval "
	    ${name}_head() {
	        atf_set descr \"$desc\"
	        atf_set require.progs rump_server setkey
	    }
	    ${name}_body() {
	        test_nosa $proto $algo
	        rump_server_destroy_ifaces
	    }
	    ${name}_cleanup() {
	        \$DEBUG && dump
	        cleanup
	    }
	"
	atf_add_test_case ${name}
}
704
#
# _add_ipsec_misc_tests proto algo
#
# Register the full set of test cases (lifetime v4/v6, SA/SP update, SPI
# preference x removal method, no-SA) for one protocol/algorithm pair.
#
_add_ipsec_misc_tests()
{
	local proto=$1
	local algo=$2

	add_test_lifetime ipv4 $proto $algo
	add_test_lifetime ipv6 $proto $algo
	add_test_update $proto $algo sa
	add_test_update $proto $algo sp
	add_test_spi $proto $algo new delete
	add_test_spi $proto $algo old delete
	add_test_spi $proto $algo new timeout
	add_test_spi $proto $algo old timeout
	add_test_nosa $proto $algo
}

#
# ATF entry point: ESP tests for every algorithm in
# $ESP_ENCRYPTION_ALGORITHMS_MINIMUM, then AH tests for every algorithm
# in $AH_AUTHENTICATION_ALGORITHMS_MINIMUM.
#
atf_init_test_cases()
{
	local algo=

	for algo in $ESP_ENCRYPTION_ALGORITHMS_MINIMUM; do
		_add_ipsec_misc_tests esp $algo
	done
	for algo in $AH_AUTHENTICATION_ALGORITHMS_MINIMUM; do
		_add_ipsec_misc_tests ah $algo
	done
}
732