# $NetBSD: t_ipsec_misc.sh,v 1.3 2017/05/18 14:43:42 ozaki-r Exp $
#
# Copyright (c) 2017 Internet Initiative Japan Inc.
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
# 1. Redistributions of source code must retain the above copyright
#    notice, this list of conditions and the following disclaimer.
# 2. Redistributions in binary form must reproduce the above copyright
#    notice, this list of conditions and the following disclaimer in the
#    documentation and/or other materials provided with the distribution.
#
# THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
# ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
# TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
# POSSIBILITY OF SUCH DAMAGE.
#
27
# Rump server sockets for the two IPsec endpoints and the shmif bus that
# connects them.  Every helper below talks to one server at a time by
# exporting RUMP_SERVER before running rump.* / setkey commands.
SOCK_LOCAL=unix://ipsec_local
SOCK_PEER=unix://ipsec_peer
BUS=./bus_ipsec

# Set DEBUG=true in the environment to dump the generated setkey scripts
# and the SAD/SPD state while a test case runs.  Defaults to false.
: "${DEBUG:=false}"
33
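#
# setup_sasp: install a pair of manually keyed SAs plus one outbound SP on
# both rump servers.
#
# $1 - IPsec protocol (esp or ah)
# $2 - algorithm/key arguments for the setkey(8) "add" command, as one
#      string (expanded verbatim into the script)
# $3 - local address
# $4 - peer address
# $5 - SA lifetime in seconds; used for both the hard (-lh) and the soft
#      (-ls) lifetime, so the SA expires exactly $5 seconds after install
#
# Both sides receive the same two SAs (SPI 10000 local->peer, SPI 10001
# peer->local); each side gets an outbound SP at level "require", so
# traffic between the two addresses must be protected by $1 and has no
# cleartext fallback.  The script (including whatever $2 contains) is
# handed to setkey on stdin rather than on the command line.  The script
# file ./tmp is left behind in the work directory.  On return RUMP_SERVER
# points at $SOCK_PEER.
#
setup_sasp()
{
	local proto="$1"
	local algo_args="$2"
	local ip_local="$3"
	local ip_peer="$4"
	local lifetime="$5"
	local tmpfile=./tmp

	export RUMP_SERVER="$SOCK_LOCAL"
	cat > "$tmpfile" <<EOF
add $ip_local $ip_peer $proto 10000 -lh $lifetime -ls $lifetime $algo_args;
add $ip_peer $ip_local $proto 10001 -lh $lifetime -ls $lifetime $algo_args;
spdadd $ip_local $ip_peer any -P out ipsec $proto/transport//require;
EOF
	$DEBUG && cat "$tmpfile"
	# $HIJACKING may expand to several words (a wrapper command plus its
	# environment), so it is deliberately left unquoted.
	atf_check -s exit:0 -o empty $HIJACKING setkey -c < "$tmpfile"
	# XXX it can be expired if $lifetime is very short
	#check_sa_entries $SOCK_LOCAL $ip_local $ip_peer

	export RUMP_SERVER="$SOCK_PEER"
	cat > "$tmpfile" <<EOF
add $ip_local $ip_peer $proto 10000 -lh $lifetime -ls $lifetime $algo_args;
add $ip_peer $ip_local $proto 10001 -lh $lifetime -ls $lifetime $algo_args;
spdadd $ip_peer $ip_local any -P out ipsec $proto/transport//require;
EOF
	$DEBUG && cat "$tmpfile"
	atf_check -s exit:0 -o empty $HIJACKING setkey -c < "$tmpfile"
	# XXX it can be expired if $lifetime is very short
	#check_sa_entries $SOCK_PEER $ip_local $ip_peer
}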
65
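#
# test_ipsec4_lifetime: check SA lifetime expiry over IPv4.
#
# $1 - IPsec protocol (esp or ah)
# $2 - algorithm name understood by generate_algo_args
#
# Sequence: bring up two rump servers on one shmif bus and verify that a
# plain ICMP echo works; install SAs with a 1 second lifetime and check
# that the SAD is empty once they expired; then install SAs with a
# 3 second lifetime, use them once (the SP now holds a reference to the
# output SA), wait past the lifetime and check that the SAs are gone from
# "setkey -D" while the referenced output SA is still listed by
# "setkey -D -a", and that a further ping fails instead of succeeding
# without protection (the SP level is "require").
#
test_ipsec4_lifetime()
{
	local proto="$1"
	local algo="$2"
	local ip_local=10.0.0.1
	local ip_peer=10.0.0.2
	local outfile=./out
	local proto_cap algo_args
	local lifetime=3

	# Assigned separately from "local" so a failing command substitution
	# is not masked by the exit status of "local".
	proto_cap=$(printf '%s' "$proto" | tr 'a-z' 'A-Z')
	algo_args=$(generate_algo_args "$proto" "$algo")

	rump_server_crypto_start "$SOCK_LOCAL" netipsec
	rump_server_crypto_start "$SOCK_PEER" netipsec
	rump_server_add_iface "$SOCK_LOCAL" shmif0 "$BUS"
	rump_server_add_iface "$SOCK_PEER" shmif0 "$BUS"

	# dad_count=0: skip duplicate address detection so the addresses are
	# usable immediately.
	export RUMP_SERVER="$SOCK_LOCAL"
	atf_check -s exit:0 rump.sysctl -q -w net.inet.ip.dad_count=0
	atf_check -s exit:0 rump.ifconfig shmif0 "$ip_local/24"
	#atf_check -s exit:0 -o ignore rump.sysctl -w net.key.debug=0xff

	export RUMP_SERVER="$SOCK_PEER"
	atf_check -s exit:0 rump.sysctl -q -w net.inet.ip.dad_count=0
	atf_check -s exit:0 rump.ifconfig shmif0 "$ip_peer/24"
	#atf_check -s exit:0 -o ignore rump.sysctl -w net.key.debug=0xff

	# Drain whatever the configuration put on the bus.
	extract_new_packets "$BUS" > "$outfile"

	# No SP/SA yet: the echo exchange must be visible in the clear.
	export RUMP_SERVER="$SOCK_LOCAL"
	atf_check -s exit:0 -o ignore rump.ping -c 1 -n -w 3 "$ip_peer"

	extract_new_packets "$BUS" > "$outfile"
	atf_check -s exit:0 -o match:"$ip_local > $ip_peer: ICMP echo request" \
	    cat "$outfile"
	atf_check -s exit:0 -o match:"$ip_peer > $ip_local: ICMP echo reply" \
	    cat "$outfile"

	# Set up SAs with lifetime 1 sec.
	setup_sasp "$proto" "$algo_args" "$ip_local" "$ip_peer" 1

	# Wait for the SAs to be expired
	atf_check -s exit:0 sleep 2

	# Check the SAs have been expired: unused SAs must be reaped entirely.
	# $HIJACKING may expand to several words; keep it unquoted.
	export RUMP_SERVER="$SOCK_LOCAL"
	$DEBUG && $HIJACKING setkey -D
	atf_check -s exit:0 -o match:'No SAD entries.' $HIJACKING setkey -D
	export RUMP_SERVER="$SOCK_PEER"
	$DEBUG && $HIJACKING setkey -D
	atf_check -s exit:0 -o match:'No SAD entries.' $HIJACKING setkey -D

	# Clean up SPs
	export RUMP_SERVER="$SOCK_LOCAL"
	atf_check -s exit:0 -o empty $HIJACKING setkey -F -P
	export RUMP_SERVER="$SOCK_PEER"
	atf_check -s exit:0 -o empty $HIJACKING setkey -F -P

	# Set up SAs with lifetime $lifetime
	setup_sasp "$proto" "$algo_args" "$ip_local" "$ip_peer" "$lifetime"

	# Use the SAs; this will create a reference from an SP to an SA
	export RUMP_SERVER="$SOCK_LOCAL"
	atf_check -s exit:0 -o ignore rump.ping -c 1 -n -w 3 "$ip_peer"

	# This time the echo exchange must appear as $proto_cap on the wire.
	extract_new_packets "$BUS" > "$outfile"
	atf_check -s exit:0 -o match:"$ip_local > $ip_peer: $proto_cap" \
	    cat "$outfile"
	atf_check -s exit:0 -o match:"$ip_peer > $ip_local: $proto_cap" \
	    cat "$outfile"

	atf_check -s exit:0 sleep $((lifetime + 1))

	# After expiry "setkey -D" must list nothing.  "setkey -D -a" (which
	# includes dead SAs) still shows each side's output SA, because its
	# SP (sp/isr) still refers to it, while the unused input SA is gone.
	export RUMP_SERVER="$SOCK_LOCAL"
	$DEBUG && $HIJACKING setkey -D
	atf_check -s exit:0 -o empty $HIJACKING setkey -D
	# The SA on output remain because sp/isr still refers it
	atf_check -s exit:0 -o match:"$ip_local $ip_peer" \
	    $HIJACKING setkey -D -a
	atf_check -s exit:0 -o not-match:"$ip_peer $ip_local" \
	    $HIJACKING setkey -D -a

	export RUMP_SERVER="$SOCK_PEER"
	$DEBUG && $HIJACKING setkey -D
	atf_check -s exit:0 -o empty $HIJACKING setkey -D
	atf_check -s exit:0 -o not-match:"$ip_local $ip_peer" \
	    $HIJACKING setkey -D -a
	# The SA on output remain because sp/isr still refers it
	atf_check -s exit:0 -o match:"$ip_peer $ip_local" \
	    $HIJACKING setkey -D -a

	# With the SA expired and the SP still at level "require", a new ping
	# must fail rather than succeed without protection.
	export RUMP_SERVER="$SOCK_LOCAL"
	atf_check -s not-exit:0 -o match:'0 packets received' \
	    rump.ping -c 1 -n -w 1 "$ip_peer"

	test_flush_entries "$SOCK_LOCAL"
	test_flush_entries "$SOCK_PEER"
}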
163
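#
# test_ipsec6_lifetime: check SA lifetime expiry over IPv6.
#
# $1 - IPsec protocol (esp or ah)
# $2 - algorithm name understood by generate_algo_args
#
# Same sequence as the IPv4 variant: verify a plain ICMPv6 echo, install
# 1 second SAs and check they are reaped, then install 3 second SAs, use
# them once so the SP references the output SA, wait past the lifetime and
# check that "setkey -D" is empty while "setkey -D -a" still lists the
# referenced output SA, and that a further ping6 fails (SP level
# "require", so no unprotected traffic).
#
test_ipsec6_lifetime()
{
	local proto="$1"
	local algo="$2"
	local ip_local=fd00::1
	local ip_peer=fd00::2
	local outfile=./out
	local proto_cap algo_args
	local lifetime=3

	# Assigned separately from "local" so a failing command substitution
	# is not masked by the exit status of "local".
	proto_cap=$(printf '%s' "$proto" | tr 'a-z' 'A-Z')
	algo_args=$(generate_algo_args "$proto" "$algo")

	rump_server_crypto_start "$SOCK_LOCAL" netinet6 netipsec
	rump_server_crypto_start "$SOCK_PEER" netinet6 netipsec
	rump_server_add_iface "$SOCK_LOCAL" shmif0 "$BUS"
	rump_server_add_iface "$SOCK_PEER" shmif0 "$BUS"

	# dad_count=0: skip duplicate address detection so the addresses are
	# usable immediately.
	export RUMP_SERVER="$SOCK_LOCAL"
	atf_check -s exit:0 rump.sysctl -q -w net.inet6.ip6.dad_count=0
	atf_check -s exit:0 rump.ifconfig shmif0 inet6 "$ip_local"

	export RUMP_SERVER="$SOCK_PEER"
	atf_check -s exit:0 rump.sysctl -q -w net.inet6.ip6.dad_count=0
	atf_check -s exit:0 rump.ifconfig shmif0 inet6 "$ip_peer"

	# Drain whatever the configuration put on the bus.
	extract_new_packets "$BUS" > "$outfile"

	# No SP/SA yet: the echo exchange must be visible in the clear.
	export RUMP_SERVER="$SOCK_LOCAL"
	atf_check -s exit:0 -o ignore rump.ping6 -c 1 -n -X 3 "$ip_peer"

	extract_new_packets "$BUS" > "$outfile"
	atf_check -s exit:0 -o match:"$ip_local > $ip_peer: ICMP6, echo request" \
	    cat "$outfile"
	atf_check -s exit:0 -o match:"$ip_peer > $ip_local: ICMP6, echo reply" \
	    cat "$outfile"

	# Set up SAs with lifetime 1 sec.
	setup_sasp "$proto" "$algo_args" "$ip_local" "$ip_peer" 1

	# Wait for the SAs to be expired
	atf_check -s exit:0 sleep 2

	# Check the SAs have been expired: unused SAs must be reaped entirely.
	# $HIJACKING may expand to several words; keep it unquoted.
	export RUMP_SERVER="$SOCK_LOCAL"
	$DEBUG && $HIJACKING setkey -D
	atf_check -s exit:0 -o match:'No SAD entries.' $HIJACKING setkey -D
	export RUMP_SERVER="$SOCK_PEER"
	$DEBUG && $HIJACKING setkey -D
	atf_check -s exit:0 -o match:'No SAD entries.' $HIJACKING setkey -D

	# Clean up SPs
	export RUMP_SERVER="$SOCK_LOCAL"
	atf_check -s exit:0 -o empty $HIJACKING setkey -F -P
	export RUMP_SERVER="$SOCK_PEER"
	atf_check -s exit:0 -o empty $HIJACKING setkey -F -P

	# Set up SAs with lifetime $lifetime
	setup_sasp "$proto" "$algo_args" "$ip_local" "$ip_peer" "$lifetime"

	# Use the SAs; this will create a reference from an SP to an SA
	export RUMP_SERVER="$SOCK_LOCAL"
	atf_check -s exit:0 -o ignore rump.ping6 -c 1 -n -X 3 "$ip_peer"

	# This time the echo exchange must appear as $proto_cap on the wire.
	extract_new_packets "$BUS" > "$outfile"
	atf_check -s exit:0 -o match:"$ip_local > $ip_peer: $proto_cap" \
	    cat "$outfile"
	atf_check -s exit:0 -o match:"$ip_peer > $ip_local: $proto_cap" \
	    cat "$outfile"

	atf_check -s exit:0 sleep $((lifetime + 1))

	# After expiry "setkey -D" must list nothing.  "setkey -D -a" (which
	# includes dead SAs) still shows each side's output SA, because its
	# SP (sp/isr) still refers to it, while the unused input SA is gone.
	export RUMP_SERVER="$SOCK_LOCAL"
	$DEBUG && $HIJACKING setkey -D
	atf_check -s exit:0 -o empty $HIJACKING setkey -D
	# The SA on output remain because sp/isr still refers it
	atf_check -s exit:0 -o match:"$ip_local $ip_peer" \
	    $HIJACKING setkey -D -a
	atf_check -s exit:0 -o not-match:"$ip_peer $ip_local" \
	    $HIJACKING setkey -D -a

	export RUMP_SERVER="$SOCK_PEER"
	$DEBUG && $HIJACKING setkey -D
	atf_check -s exit:0 -o empty $HIJACKING setkey -D
	atf_check -s exit:0 -o not-match:"$ip_local $ip_peer" \
	    $HIJACKING setkey -D -a
	# The SA on output remain because sp/isr still refers it
	atf_check -s exit:0 -o match:"$ip_peer $ip_local" \
	    $HIJACKING setkey -D -a

	# With the SA expired and the SP still at level "require", a new ping
	# must fail rather than succeed without protection.
	export RUMP_SERVER="$SOCK_LOCAL"
	atf_check -s not-exit:0 -o match:'0 packets received' \
	    rump.ping6 -c 1 -n -X 1 "$ip_peer"

	test_flush_entries "$SOCK_LOCAL"
	test_flush_entries "$SOCK_PEER"
}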
260
#
# test_lifetime_common: run the lifetime test for one address family.
#
# $1 - ipv4 or ipv6 (any value other than ipv4 selects the IPv6 variant)
# $2 - IPsec protocol (esp or ah)
# $3 - algorithm name
#
test_lifetime_common()
{
	local ipproto="$1"
	local proto="$2"
	local algo="$3"

	case "$ipproto" in
	ipv4)
		test_ipsec4_lifetime "$proto" "$algo"
		;;
	*)
		test_ipsec6_lifetime "$proto" "$algo"
		;;
	esac
}
273
#
# add_test_lifetime: register one lifetime test case with ATF.
#
# $1 - ipv4 or ipv6
# $2 - IPsec protocol (esp or ah)
# $3 - algorithm name (may contain '-')
#
# Defines <name>_head, <name>_body and <name>_cleanup, where <name> is
# ipsec_lifetime_$1_$2_<$3 with dashes removed>, then adds the case.
#
add_test_lifetime()
{
	local ipproto="$1"
	local proto="$2"
	local algo="$3"
	local _algo name desc

	# The case name becomes part of shell function names, so '-' from the
	# algorithm name must be stripped.
	_algo=$(printf '%s' "$algo" | sed 's/-//g')
	name="ipsec_lifetime_${ipproto}_${proto}_${_algo}"
	desc="Tests of lifetime of IPsec ($ipproto) with $proto ($algo)"

	atf_test_case "${name}" cleanup
	# The functions are generated with eval because their names are
	# computed.  $desc, $ipproto, $proto and $algo are expanded into shell
	# source here; that is acceptable only because they come from the fixed
	# algorithm lists used by atf_init_test_cases, not from external input.
	eval "${name}_head() {
		atf_set \"descr\" \"$desc\";
		atf_set \"require.progs\" \"rump_server\" \"setkey\";
	}"
	eval "${name}_body() {
		test_lifetime_common $ipproto $proto $algo;
		rump_server_destroy_ifaces;
	}"
	eval "${name}_cleanup() {
		$DEBUG && dump;
		cleanup;
	}"
	atf_add_test_case "${name}"
}
302
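#
# prepare_file: create $1 containing 512 lines of "0123456789" (5632
# bytes), the payload for the TCP transfer test.
#
# $1 - path of the file to create; existing content is discarded, so a
#      file left over from an earlier run cannot change the payload size
#      and make the later diff against the received file fail.
#
prepare_file()
{
	local file="$1"
	local data="0123456789"
	local i=0

	# One redirect for the whole loop: truncates the file and avoids
	# reopening it 512 times.
	while [ "$i" -lt 512 ]; do
		printf '%s\n' "$data"
		i=$((i + 1))
	done > "$file"
}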
314
#
# test_tcp: transfer a file over TCP from the local to the peer server and
# verify it arrived intact.
#
# $1 - ipv4 or ipv6 (selects nc's -4/-6 and is passed to start_nc_server)
# $2 - local address (accepted for symmetry with the caller, not used)
# $3 - peer address to connect to
#
# Expects the SP/SA state to have been set up by the caller, if any.
#
test_tcp()
{
	local proto="$1"
	local ip_peer="$3"
	local port=1234
	local file_send=./file.send
	local file_recv=./file.recv
	local af_opt

	case "$proto" in
	ipv4)
		af_opt=-4
		;;
	*)
		af_opt=-6
		;;
	esac

	# Start nc server
	start_nc_server "$SOCK_PEER" "$port" "$file_recv" "$proto"

	export RUMP_SERVER="$SOCK_LOCAL"
	# Send a file to the server.  -N: shut down the socket after EOF on
	# stdin; -w 3: three second timeout.  $HIJACKING may expand to several
	# words, so it stays unquoted.
	prepare_file "$file_send"
	atf_check -s exit:0 $HIJACKING nc -N -w 3 "$af_opt" "$ip_peer" "$port" \
	    < "$file_send"

	# Check if the file is transferred correctly
	atf_check -s exit:0 diff -q "$file_send" "$file_recv"

	stop_nc_server
	rm -f "$file_send" "$file_recv"
}
345
#
# test_tcp_ipv4: bring up both rump servers with IPv4 addresses on the
# shared bus and run the TCP transfer test.
#
test_tcp_ipv4()
{
	local ip_local=10.0.0.1
	local ip_peer=10.0.0.2
	local sock

	for sock in "$SOCK_LOCAL" "$SOCK_PEER"; do
		rump_server_crypto_start "$sock" netipsec
	done
	for sock in "$SOCK_LOCAL" "$SOCK_PEER"; do
		rump_server_add_iface "$sock" shmif0 "$BUS"
	done

	# Assign the address, then wait (up to 10 seconds) for it to become
	# usable before connecting.
	export RUMP_SERVER="$SOCK_LOCAL"
	atf_check -s exit:0 rump.ifconfig shmif0 "$ip_local/24"
	atf_check -s exit:0 rump.ifconfig -w 10

	export RUMP_SERVER="$SOCK_PEER"
	atf_check -s exit:0 rump.ifconfig shmif0 "$ip_peer/24"
	atf_check -s exit:0 rump.ifconfig -w 10

	test_tcp ipv4 "$ip_local" "$ip_peer"
}
366
#
# test_tcp_ipv6: bring up both rump servers with IPv6 addresses on the
# shared bus and run the TCP transfer test.
#
test_tcp_ipv6()
{
	local ip_local=fd00::1
	local ip_peer=fd00::2
	local sock

	for sock in "$SOCK_LOCAL" "$SOCK_PEER"; do
		rump_server_crypto_start "$sock" netinet6 netipsec
	done
	for sock in "$SOCK_LOCAL" "$SOCK_PEER"; do
		rump_server_add_iface "$sock" shmif0 "$BUS"
	done

	# Assign the address, then wait (up to 10 seconds) for it to become
	# usable before connecting.
	export RUMP_SERVER="$SOCK_LOCAL"
	atf_check -s exit:0 rump.ifconfig shmif0 inet6 "$ip_local"
	atf_check -s exit:0 rump.ifconfig -w 10

	export RUMP_SERVER="$SOCK_PEER"
	atf_check -s exit:0 rump.ifconfig shmif0 inet6 "$ip_peer"
	atf_check -s exit:0 rump.ifconfig -w 10

	test_tcp ipv6 "$ip_local" "$ip_peer"
}
387
#
# add_test_tcp: register the TCP-over-IPsec test case for one address
# family with ATF.
#
# $1 - ipv4 or ipv6; selects test_tcp_$1 as the body
#
# Defines ipsec_tcp_$1_head, _body and _cleanup, then adds the case.
#
add_test_tcp()
{
	local ipproto="$1"
	local name desc

	name="ipsec_tcp_${ipproto}"
	desc="Tests of TCP with IPsec enabled ($ipproto)"

	atf_test_case "${name}" cleanup
	# Generated with eval because the function names are computed; $desc
	# and $ipproto are expanded into shell source, which is acceptable only
	# because $ipproto is one of the two literals passed by
	# atf_init_test_cases.
	eval "${name}_head() {
		atf_set \"descr\" \"$desc\";
		atf_set \"require.progs\" \"rump_server\" \"setkey\";
	}"
	eval "${name}_body() {
		test_tcp_${ipproto};
		rump_server_destroy_ifaces;
	}"
	eval "${name}_cleanup() {
		$DEBUG && dump;
		cleanup;
	}"
	atf_add_test_case "${name}"
}
413
#
# atf_init_test_cases: ATF entry point.  Registers a lifetime test case
# per (address family, protocol, algorithm) for the minimum ESP and AH
# algorithm sets, followed by the two TCP test cases.
#
# Reads: ESP_ENCRYPTION_ALGORITHMS_MINIMUM, AH_AUTHENTICATION_ALGORITHMS_MINIMUM
# (whitespace separated algorithm lists provided by the shared helpers).
#
atf_init_test_cases()
{
	local proto algo

	for proto in esp ah; do
		# Select the algorithm list for this protocol; the unquoted
		# expansion splits it into one positional parameter per name.
		case "$proto" in
		esp)
			set -- $ESP_ENCRYPTION_ALGORITHMS_MINIMUM
			;;
		ah)
			set -- $AH_AUTHENTICATION_ALGORITHMS_MINIMUM
			;;
		esac
		for algo in "$@"; do
			add_test_lifetime ipv4 "$proto" "$algo"
			add_test_lifetime ipv6 "$proto" "$algo"
		done
	done

	add_test_tcp ipv4
	add_test_tcp ipv6
}
430