      1  1.1.6.1  pgoyette #	$NetBSD: t_ipsec_transport.sh,v 1.1.6.1 2017/05/11 02:58:42 pgoyette Exp $
      2      1.1     ozaki #
      3      1.1     ozaki # Copyright (c) 2017 Internet Initiative Japan Inc.
      4      1.1     ozaki # All rights reserved.
      5      1.1     ozaki #
      6      1.1     ozaki # Redistribution and use in source and binary forms, with or without
      7      1.1     ozaki # modification, are permitted provided that the following conditions
      8      1.1     ozaki # are met:
      9      1.1     ozaki # 1. Redistributions of source code must retain the above copyright
     10      1.1     ozaki #    notice, this list of conditions and the following disclaimer.
     11      1.1     ozaki # 2. Redistributions in binary form must reproduce the above copyright
     12      1.1     ozaki #    notice, this list of conditions and the following disclaimer in the
     13      1.1     ozaki #    documentation and/or other materials provided with the distribution.
     14      1.1     ozaki #
     15      1.1     ozaki # THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
     16      1.1     ozaki # ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
     17      1.1     ozaki # TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
     18      1.1     ozaki # PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
     19      1.1     ozaki # BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
     20      1.1     ozaki # CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
     21      1.1     ozaki # SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
     22      1.1     ozaki # INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
     23      1.1     ozaki # CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
     24      1.1     ozaki # ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
     25      1.1     ozaki # POSSIBILITY OF SUCH DAMAGE.
     26      1.1     ozaki #
     27      1.1     ozaki 
# Rump server endpoints for the two IPsec peers and the shmif bus they share.
SOCK_LOCAL="unix://ipsec_local"
SOCK_PEER="unix://ipsec_peer"
BUS="./bus_ipsec"

# Set DEBUG=true in the environment to cat the setkey input and run dump
# from the test-case cleanup; defaults to the "false" command.
DEBUG="${DEBUG:-false}"
     33      1.1     ozaki 
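#
# Exercise IPsec transport mode over IPv4 between two rump servers.
#
# Arguments: $1 - IPsec protocol: "esp" or "ah" (anything else is handled as AH)
#            $2 - algorithm name handed to setkey after -E (esp) or -A (ah)
# Globals:   SOCK_LOCAL, SOCK_PEER, BUS, DEBUG, HIJACKING (read);
#            RUMP_SERVER (exported and re-pointed several times)
#
# The shmif bus capture is the oracle: a first ping must show up as plain
# ICMP, and after the SAs and the outbound "require" policies are installed
# on both sides a second ping must show up as ESP/AH between the two hosts.
#
test_ipsec4_transport()
{
	local proto=$1
	local algo=$2
	local ip_local=10.0.0.1
	local ip_peer=10.0.0.2
	local keylen= key=
	local tmpfile=./tmp
	local outfile=./out
	local opt= proto_cap=

	# Declaration and assignment are kept apart so that a failing helper
	# is not hidden behind the exit status of "local".
	keylen=$(get_one_valid_keylen "$algo")
	key=$(generate_key "$keylen")

	if [ "$proto" = esp ]; then
		opt=-E
		proto_cap=ESP
	else
		opt=-A
		proto_cap=AH
	fi

	rump_server_crypto_start "$SOCK_LOCAL" netipsec
	rump_server_crypto_start "$SOCK_PEER" netipsec
	rump_server_add_iface "$SOCK_LOCAL" shmif0 "$BUS"
	rump_server_add_iface "$SOCK_PEER" shmif0 "$BUS"

	export RUMP_SERVER=$SOCK_LOCAL
	atf_check -s exit:0 rump.ifconfig shmif0 "$ip_local/24"
	atf_check -s exit:0 rump.ifconfig -w 10

	export RUMP_SERVER=$SOCK_PEER
	atf_check -s exit:0 rump.ifconfig shmif0 "$ip_peer/24"
	atf_check -s exit:0 rump.ifconfig -w 10

	# This first capture is discarded (the file is overwritten below); it
	# presumably just moves extract_new_packets past the setup traffic.
	extract_new_packets "$BUS" > "$outfile"

	# Without any policy installed the echo must cross the bus in the clear.
	export RUMP_SERVER=$SOCK_LOCAL
	atf_check -s exit:0 -o ignore rump.ping -c 1 -n -w 3 "$ip_peer"

	extract_new_packets "$BUS" > "$outfile"
	atf_check -s exit:0 -o match:"$ip_local > $ip_peer: ICMP echo request" \
	    cat "$outfile"
	atf_check -s exit:0 -o match:"$ip_peer > $ip_local: ICMP echo reply" \
	    cat "$outfile"

	# Both directions share one key and use fixed SPIs (10000 local->peer,
	# 10001 peer->local); each side only requires protection for its own
	# outbound traffic.
	export RUMP_SERVER=$SOCK_LOCAL
	# from https://www.netbsd.org/docs/network/ipsec/
	cat > "$tmpfile" <<-EOF
	add $ip_local $ip_peer $proto 10000 $opt $algo $key;
	add $ip_peer $ip_local $proto 10001 $opt $algo $key;
	spdadd $ip_local $ip_peer any -P out ipsec $proto/transport//require;
	EOF
	$DEBUG && cat "$tmpfile"
	# HIJACKING stays unquoted on purpose: it is expected to expand to
	# nothing or to several words that wrap the setkey invocation.
	atf_check -s exit:0 -o empty $HIJACKING setkey -c < "$tmpfile"
	check_sa_entries "$SOCK_LOCAL" "$ip_local" "$ip_peer"

	export RUMP_SERVER=$SOCK_PEER
	cat > "$tmpfile" <<-EOF
	add $ip_local $ip_peer $proto 10000 $opt $algo $key;
	add $ip_peer $ip_local $proto 10001 $opt $algo $key;
	spdadd $ip_peer $ip_local any -P out ipsec $proto/transport//require;
	EOF
	$DEBUG && cat "$tmpfile"
	atf_check -s exit:0 -o empty $HIJACKING setkey -c < "$tmpfile"
	check_sa_entries "$SOCK_PEER" "$ip_local" "$ip_peer"

	# With the policies in place the echo must now appear as ESP/AH.
	export RUMP_SERVER=$SOCK_LOCAL
	atf_check -s exit:0 -o ignore rump.ping -c 1 -n -w 3 "$ip_peer"

	extract_new_packets "$BUS" > "$outfile"
	atf_check -s exit:0 -o match:"$ip_local > $ip_peer: $proto_cap" \
	    cat "$outfile"
	atf_check -s exit:0 -o match:"$ip_peer > $ip_local: $proto_cap" \
	    cat "$outfile"

	test_flush_entries "$SOCK_LOCAL"
	test_flush_entries "$SOCK_PEER"
}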
    111      1.1     ozaki 
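#
# Exercise IPsec transport mode over IPv6 between two rump servers.
#
# Arguments: $1 - IPsec protocol: "esp" or "ah" (anything else is handled as AH)
#            $2 - algorithm name handed to setkey after -E (esp) or -A (ah)
# Globals:   SOCK_LOCAL, SOCK_PEER, BUS, DEBUG, HIJACKING (read);
#            RUMP_SERVER (exported and re-pointed several times)
#
# Same flow as test_ipsec4_transport with fd00::1/fd00::2, the netinet6
# module loaded and rump.ping6: a plaintext ICMP6 echo first, then SAs and
# outbound "require" policies on both sides, then an echo that must show up
# on the bus as ESP/AH.
#
test_ipsec6_transport()
{
	local proto=$1
	local algo=$2
	local ip_local=fd00::1
	local ip_peer=fd00::2
	local keylen= key=
	local tmpfile=./tmp
	local outfile=./out
	local opt= proto_cap=

	# Declaration and assignment are kept apart so that a failing helper
	# is not hidden behind the exit status of "local".
	keylen=$(get_one_valid_keylen "$algo")
	key=$(generate_key "$keylen")

	if [ "$proto" = esp ]; then
		opt=-E
		proto_cap=ESP
	else
		opt=-A
		proto_cap=AH
	fi

	rump_server_crypto_start "$SOCK_LOCAL" netinet6 netipsec
	rump_server_crypto_start "$SOCK_PEER" netinet6 netipsec
	rump_server_add_iface "$SOCK_LOCAL" shmif0 "$BUS"
	rump_server_add_iface "$SOCK_PEER" shmif0 "$BUS"

	export RUMP_SERVER=$SOCK_LOCAL
	atf_check -s exit:0 rump.ifconfig shmif0 inet6 "$ip_local"
	atf_check -s exit:0 rump.ifconfig -w 10

	export RUMP_SERVER=$SOCK_PEER
	atf_check -s exit:0 rump.ifconfig shmif0 inet6 "$ip_peer"
	atf_check -s exit:0 rump.ifconfig -w 10

	# This first capture is discarded (the file is overwritten below); it
	# presumably just moves extract_new_packets past the setup traffic.
	extract_new_packets "$BUS" > "$outfile"

	# Without any policy installed the echo must cross the bus in the clear.
	export RUMP_SERVER=$SOCK_LOCAL
	atf_check -s exit:0 -o ignore rump.ping6 -c 1 -n -X 3 "$ip_peer"

	extract_new_packets "$BUS" > "$outfile"
	atf_check -s exit:0 -o match:"$ip_local > $ip_peer: ICMP6, echo request" \
	    cat "$outfile"
	atf_check -s exit:0 -o match:"$ip_peer > $ip_local: ICMP6, echo reply" \
	    cat "$outfile"

	# Both directions share one key and use fixed SPIs (10000 local->peer,
	# 10001 peer->local); each side only requires protection for its own
	# outbound traffic.
	export RUMP_SERVER=$SOCK_LOCAL
	# from https://www.netbsd.org/docs/network/ipsec/
	cat > "$tmpfile" <<-EOF
	add $ip_local $ip_peer $proto 10000 $opt $algo $key;
	add $ip_peer $ip_local $proto 10001 $opt $algo $key;
	spdadd $ip_local $ip_peer any -P out ipsec $proto/transport//require;
	EOF
	$DEBUG && cat "$tmpfile"
	# HIJACKING stays unquoted on purpose: it is expected to expand to
	# nothing or to several words that wrap the setkey invocation.
	atf_check -s exit:0 -o empty $HIJACKING setkey -c < "$tmpfile"
	check_sa_entries "$SOCK_LOCAL" "$ip_local" "$ip_peer"

	export RUMP_SERVER=$SOCK_PEER
	cat > "$tmpfile" <<-EOF
	add $ip_local $ip_peer $proto 10000 $opt $algo $key;
	add $ip_peer $ip_local $proto 10001 $opt $algo $key;
	spdadd $ip_peer $ip_local any -P out ipsec $proto/transport//require;
	EOF
	$DEBUG && cat "$tmpfile"
	atf_check -s exit:0 -o empty $HIJACKING setkey -c < "$tmpfile"
	check_sa_entries "$SOCK_PEER" "$ip_local" "$ip_peer"

	# With the policies in place the echo must now appear as ESP/AH.
	export RUMP_SERVER=$SOCK_LOCAL
	atf_check -s exit:0 -o ignore rump.ping6 -c 1 -n -X 3 "$ip_peer"

	extract_new_packets "$BUS" > "$outfile"
	atf_check -s exit:0 -o match:"$ip_local > $ip_peer: $proto_cap" \
	    cat "$outfile"
	atf_check -s exit:0 -o match:"$ip_peer > $ip_local: $proto_cap" \
	    cat "$outfile"

	test_flush_entries "$SOCK_LOCAL"
	test_flush_entries "$SOCK_PEER"
}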
    189      1.1     ozaki 
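#
# Dispatch one transport-mode test to the IPv4 or IPv6 implementation.
#
# Arguments: $1 - address family, "ipv4" selects the IPv4 test; any other
#                 value (the callers pass "ipv6") selects the IPv6 test
#            $2 - IPsec protocol ("esp" or "ah"), passed through
#            $3 - algorithm name, passed through
#
test_transport_common()
{
	local ipproto=$1
	local proto=$2
	local algo=$3

	# Quoted so an empty or odd family name still reaches the default arm
	# instead of producing a "[" usage error.
	case "$ipproto" in
	ipv4)
		test_ipsec4_transport "$proto" "$algo"
		;;
	*)
		test_ipsec6_transport "$proto" "$algo"
		;;
	esac
}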
    202      1.1     ozaki 
#
# Register one atf test case named ipsec_transport_<family>_<proto>_<algo>
# (dashes dropped from the algorithm name) with head, body and cleanup
# functions generated under that dynamic name.
#
# Arguments: $1 - address family ("ipv4" or "ipv6")
#            $2 - IPsec protocol ("esp" or "ah")
#            $3 - algorithm name, may contain dashes
# Globals:   DEBUG (read; baked into the generated cleanup function)
#
add_test_transport_mode()
{
	local ipproto=$1
	local proto=$2
	local algo=$3
	local _algo= name= desc=

	_algo=$(printf '%s\n' "$algo" | sed 's/-//g')
	name="ipsec_transport_${ipproto}_${proto}_${_algo}"
	desc="Tests of IPsec ($ipproto) transport mode with $proto ($algo)"

	atf_test_case ${name} cleanup
	# The three functions are generated from a here-document: the shell
	# expands $name, $desc, the (family, proto, algo) triple and $DEBUG
	# once, here, and eval then defines them under the test-case name.
	eval "$(cat <<-EOF
	${name}_head() {
		atf_set "descr" "$desc"
		atf_set "require.progs" "rump_server" "setkey"
	}
	${name}_body() {
		test_transport_common $ipproto $proto $algo
		rump_server_destroy_ifaces
	}
	${name}_cleanup() {
		$DEBUG && dump
		cleanup
	}
	EOF
	)"
	atf_add_test_case ${name}
}
    231      1.1     ozaki 
#
# atf entry point: register one transport-mode case per (family, protocol,
# algorithm) for every ESP encryption and AH authentication algorithm.
#
# Globals: ESP_ENCRYPTION_ALGORITHMS, AH_AUTHENTICATION_ALGORITHMS (read,
#          intentionally word-split as whitespace-separated lists)
#
atf_init_test_cases()
{
	local algo= ipproto=

	# For each algorithm the ipv4 case is registered before the ipv6 one.
	for algo in $ESP_ENCRYPTION_ALGORITHMS; do
		for ipproto in ipv4 ipv6; do
			add_test_transport_mode "$ipproto" esp "$algo"
		done
	done
	for algo in $AH_AUTHENTICATION_ALGORITHMS; do
		for ipproto in ipv4 ipv6; do
			add_test_transport_mode "$ipproto" ah "$algo"
		done
	done
}