1 1.8 knakahar # $NetBSD: t_ipsec_transport.sh,v 1.8 2023/06/19 08:28:09 knakahara Exp $ 2 1.1 ozaki # 3 1.1 ozaki # Copyright (c) 2017 Internet Initiative Japan Inc. 4 1.1 ozaki # All rights reserved. 5 1.1 ozaki # 6 1.1 ozaki # Redistribution and use in source and binary forms, with or without 7 1.1 ozaki # modification, are permitted provided that the following conditions 8 1.1 ozaki # are met: 9 1.1 ozaki # 1. Redistributions of source code must retain the above copyright 10 1.1 ozaki # notice, this list of conditions and the following disclaimer. 11 1.1 ozaki # 2. Redistributions in binary form must reproduce the above copyright 12 1.1 ozaki # notice, this list of conditions and the following disclaimer in the 13 1.1 ozaki # documentation and/or other materials provided with the distribution. 14 1.1 ozaki # 15 1.1 ozaki # THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS 16 1.1 ozaki # ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED 17 1.1 ozaki # TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 18 1.1 ozaki # PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS 19 1.1 ozaki # BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 20 1.1 ozaki # CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 21 1.1 ozaki # SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 22 1.1 ozaki # INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 23 1.1 ozaki # CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 24 1.1 ozaki # ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 25 1.1 ozaki # POSSIBILITY OF SUCH DAMAGE. 
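#

# Two rump kernels share one shmif bus; every packet either of them sends
# can be read back from the bus, which is how the assertions below work.
SOCK_LOCAL=unix://ipsec_local
SOCK_PEER=unix://ipsec_peer
BUS=./bus_ipsec

DEBUG=${DEBUG:-false}

# check_packets outfile src dst pktproto
#	Assert that the packet dump in outfile holds traffic in BOTH
#	directions between src and dst carrying protocol pktproto
#	(e.g. ESP, AH, ICMP), i.e. "src > dst: pktproto" and
#	"dst > src: pktproto" both appear in the tcpdump text.
check_packets()
{
	local outfile=$1
	local src=$2
	local dst=$3
	local pktproto=$4

	atf_check -s exit:0 -o match:"$src > $dst: $pktproto" cat $outfile
	atf_check -s exit:0 -o match:"$dst > $src: $pktproto" cat $outfile
}

# check_no_cleartext outfile src dst request reply
#	Assert that the packet dump in outfile holds NO cleartext echo
#	traffic: neither "src > dst: request" nor "dst > src: reply" may
#	appear.  Once an SP with "require" is installed, an echo printed
#	directly after the address pair means the packet left the host
#	unprotected; a protected packet prints as "src > dst: ESP(...)"
#	or "src > dst: AH(...): ..." instead and therefore does not match.
check_no_cleartext()
{
	local outfile=$1
	local src=$2
	local dst=$3
	local request=$4
	local reply=$5

	atf_check -s exit:0 -o not-match:"$src > $dst: $request" cat $outfile
	atf_check -s exit:0 -o not-match:"$dst > $src: $reply" cat $outfile
}

# test_ipsec4_transport proto algo
#	proto: esp, ah or ipcomp;  algo: algorithm name for that proto.
#	Brings up two rump kernels on 10.0.0.0/24, confirms a plain ping
#	works, installs a pair of manual SAs (SPI 10000/10001) plus an
#	outbound "require" SP on each side, and then verifies that a ping
#	now travels as proto (and, for esp/ah, no longer as cleartext).
test_ipsec4_transport()
{
	local proto=$1
	local algo=$2
	local ip_local=10.0.0.1
	local ip_peer=10.0.0.2
	local tmpfile=./tmp
	local outfile=./out
	local pktproto=$(generate_pktproto $proto)
	local algo_args="$(generate_algo_args $proto $algo)"
	local pktsize=

	rump_server_crypto_start $SOCK_LOCAL netipsec
	rump_server_crypto_start $SOCK_PEER netipsec
	rump_server_add_iface $SOCK_LOCAL shmif0 $BUS
	rump_server_add_iface $SOCK_PEER shmif0 $BUS

	export RUMP_SERVER=$SOCK_LOCAL
	atf_check -s exit:0 rump.ifconfig shmif0 $ip_local/24
	atf_check -s exit:0 rump.ifconfig -w 10

	export RUMP_SERVER=$SOCK_PEER
	atf_check -s exit:0 rump.ifconfig shmif0 $ip_peer/24
	atf_check -s exit:0 rump.ifconfig -w 10

	# Drain whatever the interface bring-up put on the bus so that
	# later extractions only see packets from the step under test.
	extract_new_packets $BUS > $outfile

	# Baseline: without any SP the ping crosses the bus in cleartext.
	export RUMP_SERVER=$SOCK_LOCAL
	atf_check -s exit:0 -o ignore rump.ping -c 1 -n -w 3 $ip_peer

	extract_new_packets $BUS > $outfile
	atf_check -s exit:0 -o match:"$ip_local > $ip_peer: ICMP echo request" \
	    cat $outfile
	atf_check -s exit:0 -o match:"$ip_peer > $ip_local: ICMP echo reply" \
	    cat $outfile

	# Manual keying, from https://www.netbsd.org/docs/network/ipsec/
	# Both hosts get the same two SAs; each host only installs an
	# outbound SP.  NOTE(review): no "-P in ... require" SP is
	# installed, so rejection of unprotected INBOUND packets is not
	# exercised by this test.
	export RUMP_SERVER=$SOCK_LOCAL
	cat > $tmpfile <<-EOF
	add $ip_local $ip_peer $proto 10000 $algo_args;
	add $ip_peer $ip_local $proto 10001 $algo_args;
	spdadd $ip_local $ip_peer any -P out ipsec $proto/transport//require;
	EOF
	$DEBUG && cat $tmpfile
	atf_check -s exit:0 -o empty $HIJACKING setkey -c < $tmpfile
	check_sa_entries $SOCK_LOCAL $ip_local $ip_peer

	export RUMP_SERVER=$SOCK_PEER
	cat > $tmpfile <<-EOF
	add $ip_local $ip_peer $proto 10000 $algo_args;
	add $ip_peer $ip_local $proto 10001 $algo_args;
	spdadd $ip_peer $ip_local any -P out ipsec $proto/transport//require;
	EOF
	$DEBUG && cat $tmpfile
	atf_check -s exit:0 -o empty $HIJACKING setkey -c < $tmpfile
	check_sa_entries $SOCK_PEER $ip_local $ip_peer

	export RUMP_SERVER=$SOCK_LOCAL
	if [ $proto = ipcomp ]; then
		# IPComp sends a packet as-is if the compressed payload is
		# greater than or equal to the original payload, so the
		# payload is filled with 0xff bytes (-p ff), a pattern that
		# always compresses, and the size is driven across the
		# algorithm's minimum length.  "-s" is the ICMP data size;
		# the 8 subtracted below accounts for the ICMP header.

		# pktsize == minlen - 1: below the threshold, the packet is
		# expected to go out uncompressed, i.e. as plain ICMP.
		pktsize=$(($(get_minlen $algo) - 8 - 1))
		atf_check -s exit:0 -o ignore \
		    rump.ping -c 1 -n -w 3 -s $pktsize -p ff $ip_peer
		extract_new_packets $BUS > $outfile
		check_packets $outfile $ip_local $ip_peer ICMP

		# pktsize == minlen: at the threshold, compression kicks in.
		pktsize=$(($(get_minlen $algo) - 8))
		atf_check -s exit:0 -o ignore \
		    rump.ping -c 1 -n -w 3 -s $pktsize -p ff $ip_peer
		extract_new_packets $BUS > $outfile
		check_packets $outfile $ip_local $ip_peer $pktproto
	else
		atf_check -s exit:0 -o ignore rump.ping -c 1 -n -w 3 $ip_peer
		extract_new_packets $BUS > $outfile
		check_packets $outfile $ip_local $ip_peer $pktproto
		# The "require" SP must not let the echo leak in cleartext
		# alongside the protected packet.
		check_no_cleartext $outfile $ip_local $ip_peer \
		    "ICMP echo request" "ICMP echo reply"
	fi

	test_flush_entries $SOCK_LOCAL
	test_flush_entries $SOCK_PEER
}

# test_ipsec6_transport proto algo
#	IPv6 twin of test_ipsec4_transport: same SAs and SPs, hosts on
#	fd00::1 / fd00::2, ping6 instead of ping and ICMP6 in the
#	expected tcpdump text.
test_ipsec6_transport()
{
	local proto=$1
	local algo=$2
	local ip_local=fd00::1
	local ip_peer=fd00::2
	local tmpfile=./tmp
	local outfile=./out
	local pktproto=$(generate_pktproto $proto)
	local algo_args="$(generate_algo_args $proto $algo)"
	# Declared local here as in the IPv4 variant; previously this
	# leaked into the global scope from the ipcomp branch.
	local pktsize=

	rump_server_crypto_start $SOCK_LOCAL netinet6 netipsec
	rump_server_crypto_start $SOCK_PEER netinet6 netipsec
	rump_server_add_iface $SOCK_LOCAL shmif0 $BUS
	rump_server_add_iface $SOCK_PEER shmif0 $BUS

	export RUMP_SERVER=$SOCK_LOCAL
	atf_check -s exit:0 rump.ifconfig shmif0 inet6 $ip_local
	atf_check -s exit:0 rump.ifconfig -w 10

	export RUMP_SERVER=$SOCK_PEER
	atf_check -s exit:0 rump.ifconfig shmif0 inet6 $ip_peer
	atf_check -s exit:0 rump.ifconfig -w 10

	# Drain interface bring-up traffic (NDP/DAD) before measuring.
	extract_new_packets $BUS > $outfile

	# Baseline: without any SP the ping crosses the bus in cleartext.
	export RUMP_SERVER=$SOCK_LOCAL
	atf_check -s exit:0 -o ignore rump.ping6 -c 1 -n -X 3 $ip_peer

	extract_new_packets $BUS > $outfile
	atf_check -s exit:0 -o match:"$ip_local > $ip_peer: ICMP6, echo request" \
	    cat $outfile
	atf_check -s exit:0 -o match:"$ip_peer > $ip_local: ICMP6, echo reply" \
	    cat $outfile

	# Manual keying, from https://www.netbsd.org/docs/network/ipsec/
	# NOTE(review): only outbound "require" SPs are installed; see the
	# IPv4 variant for what that leaves uncovered.
	export RUMP_SERVER=$SOCK_LOCAL
	cat > $tmpfile <<-EOF
	add $ip_local $ip_peer $proto 10000 $algo_args;
	add $ip_peer $ip_local $proto 10001 $algo_args;
	spdadd $ip_local $ip_peer any -P out ipsec $proto/transport//require;
	EOF
	$DEBUG && cat $tmpfile
	atf_check -s exit:0 -o empty $HIJACKING setkey -c < $tmpfile
	check_sa_entries $SOCK_LOCAL $ip_local $ip_peer

	export RUMP_SERVER=$SOCK_PEER
	cat > $tmpfile <<-EOF
	add $ip_local $ip_peer $proto 10000 $algo_args;
	add $ip_peer $ip_local $proto 10001 $algo_args;
	spdadd $ip_peer $ip_local any -P out ipsec $proto/transport//require;
	EOF
	$DEBUG && cat $tmpfile
	atf_check -s exit:0 -o empty $HIJACKING setkey -c < $tmpfile
	check_sa_entries $SOCK_PEER $ip_local $ip_peer

	export RUMP_SERVER=$SOCK_LOCAL
	if [ $proto = ipcomp ]; then
		# IPComp sends a packet as-is if the compressed payload is
		# greater than or equal to the original payload, so the
		# payload is filled with 0xff bytes (-p ff), a pattern that
		# always compresses, and the size is driven across the
		# algorithm's minimum length.  "-s" is the ICMP6 data size;
		# the 8 subtracted below accounts for the ICMP6 header.

		# pktsize == minlen - 1: expected to go out uncompressed.
		pktsize=$(($(get_minlen $algo) - 8 - 1))
		atf_check -s exit:0 -o ignore \
		    rump.ping6 -c 1 -n -X 3 -s $pktsize -p ff $ip_peer
		extract_new_packets $BUS > $outfile
		check_packets $outfile $ip_local $ip_peer ICMP6

		# pktsize == minlen: compression kicks in.
		pktsize=$(($(get_minlen $algo) - 8))
		atf_check -s exit:0 -o ignore \
		    rump.ping6 -c 1 -n -X 3 -s $pktsize -p ff $ip_peer
		extract_new_packets $BUS > $outfile
		check_packets $outfile $ip_local $ip_peer $pktproto
	else
		atf_check -s exit:0 -o ignore rump.ping6 -c 1 -n -X 3 $ip_peer
		extract_new_packets $BUS > $outfile
		check_packets $outfile $ip_local $ip_peer $pktproto
		# The "require" SP must not let the echo leak in cleartext
		# alongside the protected packet.
		check_no_cleartext $outfile $ip_local $ip_peer \
		    "ICMP6, echo request" "ICMP6, echo reply"
	fi

	test_flush_entries $SOCK_LOCAL
	test_flush_entries $SOCK_PEER
}

# test_transport_common ipproto proto algo
#	Dispatch to the IPv4 or IPv6 test body; ipproto is "ipv4" or
#	anything else (treated as IPv6).
test_transport_common()
{
	local ipproto=$1
	local proto=$2
	local algo=$3

	if [ $ipproto = ipv4 ]; then
		test_ipsec4_transport $proto $algo
	else
		test_ipsec6_transport $proto $algo
	fi
}

# add_test_transport_mode ipproto proto algo
#	Define and register one ATF test case named
#	ipsec_transport_<ipproto>_<proto>_<algo-with-dashes-removed>.
#	The head/body/cleanup functions are generated with eval; the
#	algorithm names come from the fixed lists in atf_init_test_cases,
#	not from user input.
add_test_transport_mode()
{
	local ipproto=$1
	local proto=$2
	local algo=$3
	local _algo=$(echo $algo | sed 's/-//g')
	local name= desc=

	name="ipsec_transport_${ipproto}_${proto}_${_algo}"
	desc="Tests of IPsec ($ipproto) transport mode with $proto ($algo)"

	atf_test_case ${name} cleanup
	eval "
	    ${name}_head() {
	        atf_set descr \"$desc\"
	        atf_set require.progs rump_server setkey
	    }
	    ${name}_body() {
	        test_transport_common $ipproto $proto $algo
	        rump_server_destroy_ifaces
	    }
	    ${name}_cleanup() {
	        \$DEBUG && dump
	        cleanup
	    }
	"
	atf_add_test_case ${name}
}

# Register one IPv4 and one IPv6 case per algorithm for ESP, AH and
# IPComp; the algorithm lists are provided by the shared IPsec helpers.
atf_init_test_cases()
{
	local algo=

	for algo in $ESP_ENCRYPTION_ALGORITHMS; do
		add_test_transport_mode ipv4 esp $algo
		add_test_transport_mode ipv6 esp $algo
	done
	for algo in $AH_AUTHENTICATION_ALGORITHMS; do
		add_test_transport_mode ipv4 ah $algo
		add_test_transport_mode ipv6 ah $algo
	done
	for algo in $IPCOMP_COMPRESSION_ALGORITHMS; do
		add_test_transport_mode ipv4 ipcomp $algo
		add_test_transport_mode ipv6 ipcomp $algo
	done
}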