      1 #	$NetBSD: t_ipsec_transport.sh,v 1.2 2017/05/09 04:25:28 ozaki-r Exp $
      2 #
      3 # Copyright (c) 2017 Internet Initiative Japan Inc.
      4 # All rights reserved.
      5 #
      6 # Redistribution and use in source and binary forms, with or without
      7 # modification, are permitted provided that the following conditions
      8 # are met:
      9 # 1. Redistributions of source code must retain the above copyright
     10 #    notice, this list of conditions and the following disclaimer.
     11 # 2. Redistributions in binary form must reproduce the above copyright
     12 #    notice, this list of conditions and the following disclaimer in the
     13 #    documentation and/or other materials provided with the distribution.
     14 #
     15 # THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
     16 # ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
     17 # TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
     18 # PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
     19 # BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
     20 # CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
     21 # SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
     22 # INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
     23 # CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
     24 # ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
     25 # POSSIBILITY OF SUCH DAMAGE.
     26 #
     27 
# Control socket of the rump server at each end of the link.  The
# rump_server_* helpers and $HIJACKING (both defined elsewhere) are pointed
# at one of these via RUMP_SERVER.
SOCK_LOCAL="unix://ipsec_local"
SOCK_PEER="unix://ipsec_peer"
# shmif bus file shared by both servers; extract_new_packets reads it.
BUS="./bus_ipsec"

# Verbosity switch: export DEBUG=true to echo the setkey input and dump
# SAD/SPD state.  Be aware that this prints the (test-only) SA key.
: "${DEBUG:=false}"
     33 
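test_ipsec4_transport()
{
	# Exercise IPsec transport mode over IPv4 between two rump servers.
	#
	# Arguments:
	#   $1 - IPsec protocol, "esp" or "ah" (anything but esp is treated as AH)
	#   $2 - algorithm name as accepted by setkey(8) (-E for ESP, -A for AH)
	#
	# Flow: bring both hosts up on a shared shmif bus, confirm plain ICMP
	# works, install manually keyed SAs plus an outbound "require" policy on
	# each side, then confirm the next ping is carried as ESP/AH frames and
	# that no plaintext ICMP appears on the bus any more.
	#
	# Helpers used here (rump_server_*, get_one_valid_keylen, generate_key,
	# extract_new_packets, test_flush_entries, $HIJACKING) are defined
	# elsewhere in the test suite.
	local proto=$1
	local algo=$2
	local ip_local=10.0.0.1
	local ip_peer=10.0.0.2
	local keylen= key=
	local tmpfile=./tmp
	local outfile=./out
	local opt= proto_cap=

	# Throwaway per-run test key.  Assigned separately from 'local' so the
	# helpers' exit status is not hidden behind 'local' always returning 0.
	keylen=$(get_one_valid_keylen "$algo")
	key=$(generate_key "$keylen")

	if [ "$proto" = esp ]; then
		opt=-E
		proto_cap=ESP
	else
		opt=-A
		proto_cap=AH
	fi

	rump_server_crypto_start $SOCK_LOCAL netipsec
	rump_server_crypto_start $SOCK_PEER netipsec
	rump_server_add_iface $SOCK_LOCAL shmif0 $BUS
	rump_server_add_iface $SOCK_PEER shmif0 $BUS

	# Private test addresses on an isolated bus; -w waits (up to 10s) for
	# the address to become usable.
	export RUMP_SERVER=$SOCK_LOCAL
	atf_check -s exit:0 rump.ifconfig shmif0 $ip_local/24
	atf_check -s exit:0 rump.ifconfig -w 10

	export RUMP_SERVER=$SOCK_PEER
	atf_check -s exit:0 rump.ifconfig shmif0 $ip_peer/24
	atf_check -s exit:0 rump.ifconfig -w 10

	# Drain whatever interface setup put on the bus so later checks only
	# see packets generated from here on.
	extract_new_packets $BUS > $outfile

	# Baseline: plain ICMP must work before any policy is installed.
	export RUMP_SERVER=$SOCK_LOCAL
	atf_check -s exit:0 -o ignore rump.ping -c 1 -n -w 3 $ip_peer

	extract_new_packets $BUS > $outfile
	atf_check -s exit:0 -o match:"$ip_local > $ip_peer: ICMP echo request" \
	    cat $outfile
	atf_check -s exit:0 -o match:"$ip_peer > $ip_local: ICMP echo reply" \
	    cat $outfile

	# Manually keyed SAs (SPI 10000 local->peer, 10001 peer->local) plus an
	# outbound "require" policy.  Only -P out policies are installed, so
	# inbound policy enforcement is NOT exercised by this test.  Both SAs
	# deliberately share one test key; real deployments key each SA
	# separately.
	export RUMP_SERVER=$SOCK_LOCAL
	# from https://www.netbsd.org/docs/network/ipsec/
	cat > $tmpfile <<-EOF
	add $ip_local $ip_peer $proto 10000 $opt $algo $key;
	add $ip_peer $ip_local $proto 10001 $opt $algo $key;
	spdadd $ip_local $ip_peer any -P out ipsec $proto/transport//require;
	EOF
	$DEBUG && cat $tmpfile
	atf_check -s exit:0 -o empty $HIJACKING setkey -c < $tmpfile
	$DEBUG && $HIJACKING setkey -D
	atf_check -s exit:0 -o match:"$ip_local $ip_peer" \
	    $HIJACKING setkey -D
	atf_check -s exit:0 -o match:"$ip_peer $ip_local" \
	    $HIJACKING setkey -D
	# TODO: more detail checks

	# Mirror configuration on the peer: same SAs, outbound policy for the
	# reverse direction.
	export RUMP_SERVER=$SOCK_PEER
	cat > $tmpfile <<-EOF
	add $ip_local $ip_peer $proto 10000 $opt $algo $key;
	add $ip_peer $ip_local $proto 10001 $opt $algo $key;
	spdadd $ip_peer $ip_local any -P out ipsec $proto/transport//require;
	EOF
	$DEBUG && cat $tmpfile
	atf_check -s exit:0 -o empty $HIJACKING setkey -c < $tmpfile
	$DEBUG && $HIJACKING setkey -D
	atf_check -s exit:0 -o match:"$ip_local $ip_peer" \
	    $HIJACKING setkey -D
	atf_check -s exit:0 -o match:"$ip_peer $ip_local" \
	    $HIJACKING setkey -D
	# TODO: more detail checks

	export RUMP_SERVER=$SOCK_LOCAL
	atf_check -s exit:0 -o ignore rump.ping -c 1 -n -w 3 $ip_peer

	# Both directions must now be protected ...
	extract_new_packets $BUS > $outfile
	atf_check -s exit:0 -o match:"$ip_local > $ip_peer: $proto_cap" \
	    cat $outfile
	atf_check -s exit:0 -o match:"$ip_peer > $ip_local: $proto_cap" \
	    cat $outfile
	# ... and no plaintext echo may be on the bus.  The pattern requires
	# ": ICMP" immediately after the address pair, so an AH frame (which
	# tcpdump prints with "AH(...)" before the inner ICMP) does not match.
	atf_check -s exit:0 -o not-match:"$ip_local > $ip_peer: ICMP echo request" \
	    cat $outfile
	atf_check -s exit:0 -o not-match:"$ip_peer > $ip_local: ICMP echo reply" \
	    cat $outfile

	test_flush_entries $SOCK_LOCAL
	test_flush_entries $SOCK_PEER
}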
    121 
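test_ipsec6_transport()
{
	# Exercise IPsec transport mode over IPv6 between two rump servers.
	#
	# Arguments:
	#   $1 - IPsec protocol, "esp" or "ah" (anything but esp is treated as AH)
	#   $2 - algorithm name as accepted by setkey(8) (-E for ESP, -A for AH)
	#
	# Same flow as test_ipsec4_transport, using ULA addresses, ping6 and
	# the ICMP6 tcpdump wording: verify plain ICMP6 first, install manually
	# keyed SAs plus an outbound "require" policy on both sides, then
	# verify the next ping is carried as ESP/AH and no plaintext echo leaks.
	#
	# Helpers used here (rump_server_*, get_one_valid_keylen, generate_key,
	# extract_new_packets, test_flush_entries, $HIJACKING) are defined
	# elsewhere in the test suite.
	local proto=$1
	local algo=$2
	local ip_local=fd00::1
	local ip_peer=fd00::2
	local keylen= key=
	local tmpfile=./tmp
	local outfile=./out
	local opt= proto_cap=

	# Throwaway per-run test key.  Assigned separately from 'local' so the
	# helpers' exit status is not hidden behind 'local' always returning 0.
	keylen=$(get_one_valid_keylen "$algo")
	key=$(generate_key "$keylen")

	if [ "$proto" = esp ]; then
		opt=-E
		proto_cap=ESP
	else
		opt=-A
		proto_cap=AH
	fi

	rump_server_crypto_start $SOCK_LOCAL netinet6 netipsec
	rump_server_crypto_start $SOCK_PEER netinet6 netipsec
	rump_server_add_iface $SOCK_LOCAL shmif0 $BUS
	rump_server_add_iface $SOCK_PEER shmif0 $BUS

	# ULA test addresses on an isolated bus; -w waits (up to 10s) for the
	# address to become usable.
	export RUMP_SERVER=$SOCK_LOCAL
	atf_check -s exit:0 rump.ifconfig shmif0 inet6 $ip_local
	atf_check -s exit:0 rump.ifconfig -w 10

	export RUMP_SERVER=$SOCK_PEER
	atf_check -s exit:0 rump.ifconfig shmif0 inet6 $ip_peer
	atf_check -s exit:0 rump.ifconfig -w 10

	# Drain whatever interface setup put on the bus so later checks only
	# see packets generated from here on.
	extract_new_packets $BUS > $outfile

	# Baseline: plain ICMP6 must work before any policy is installed.
	export RUMP_SERVER=$SOCK_LOCAL
	atf_check -s exit:0 -o ignore rump.ping6 -c 1 -n -X 3 $ip_peer

	extract_new_packets $BUS > $outfile
	atf_check -s exit:0 -o match:"$ip_local > $ip_peer: ICMP6, echo request" \
	    cat $outfile
	atf_check -s exit:0 -o match:"$ip_peer > $ip_local: ICMP6, echo reply" \
	    cat $outfile

	# Manually keyed SAs (SPI 10000 local->peer, 10001 peer->local) plus an
	# outbound "require" policy.  Only -P out policies are installed, so
	# inbound policy enforcement is NOT exercised by this test.  Both SAs
	# deliberately share one test key; real deployments key each SA
	# separately.
	export RUMP_SERVER=$SOCK_LOCAL
	# from https://www.netbsd.org/docs/network/ipsec/
	cat > $tmpfile <<-EOF
	add $ip_local $ip_peer $proto 10000 $opt $algo $key;
	add $ip_peer $ip_local $proto 10001 $opt $algo $key;
	spdadd $ip_local $ip_peer any -P out ipsec $proto/transport//require;
	EOF
	$DEBUG && cat $tmpfile
	atf_check -s exit:0 -o empty $HIJACKING setkey -c < $tmpfile
	$DEBUG && $HIJACKING setkey -D
	atf_check -s exit:0 -o match:"$ip_local $ip_peer" \
	    $HIJACKING setkey -D
	atf_check -s exit:0 -o match:"$ip_peer $ip_local" \
	    $HIJACKING setkey -D
	# TODO: more detail checks

	# Mirror configuration on the peer: same SAs, outbound policy for the
	# reverse direction.
	export RUMP_SERVER=$SOCK_PEER
	cat > $tmpfile <<-EOF
	add $ip_local $ip_peer $proto 10000 $opt $algo $key;
	add $ip_peer $ip_local $proto 10001 $opt $algo $key;
	spdadd $ip_peer $ip_local any -P out ipsec $proto/transport//require;
	EOF
	$DEBUG && cat $tmpfile
	atf_check -s exit:0 -o empty $HIJACKING setkey -c < $tmpfile
	$DEBUG && $HIJACKING setkey -D
	atf_check -s exit:0 -o match:"$ip_local $ip_peer" \
	    $HIJACKING setkey -D
	atf_check -s exit:0 -o match:"$ip_peer $ip_local" \
	    $HIJACKING setkey -D
	# TODO: more detail checks

	export RUMP_SERVER=$SOCK_LOCAL
	atf_check -s exit:0 -o ignore rump.ping6 -c 1 -n -X 3 $ip_peer

	# Both directions must now be protected ...
	extract_new_packets $BUS > $outfile
	atf_check -s exit:0 -o match:"$ip_local > $ip_peer: $proto_cap" \
	    cat $outfile
	atf_check -s exit:0 -o match:"$ip_peer > $ip_local: $proto_cap" \
	    cat $outfile
	# ... and no plaintext echo may be on the bus.  The pattern requires
	# ": ICMP6" immediately after the address pair, so an AH frame (which
	# tcpdump prints with "AH(...)" before the inner ICMP6) does not match.
	atf_check -s exit:0 -o not-match:"$ip_local > $ip_peer: ICMP6, echo request" \
	    cat $outfile
	atf_check -s exit:0 -o not-match:"$ip_peer > $ip_local: ICMP6, echo reply" \
	    cat $outfile

	test_flush_entries $SOCK_LOCAL
	test_flush_entries $SOCK_PEER
}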
    209 
test_transport_common()
{
	# Dispatch to the address-family specific transport-mode test.
	#
	# Arguments:
	#   $1 - "ipv4" selects test_ipsec4_transport; any other value selects
	#        test_ipsec6_transport
	#   $2 - IPsec protocol (esp or ah), passed through unchanged
	#   $3 - algorithm name, passed through unchanged
	local ipproto=$1
	local proto=$2
	local algo=$3

	case "$ipproto" in
	ipv4)
		test_ipsec4_transport "$proto" "$algo"
		;;
	*)
		test_ipsec6_transport "$proto" "$algo"
		;;
	esac
}
    222 
add_test_transport_mode()
{
	# Register one ATF test case for an (address family, protocol,
	# algorithm) triple.
	#
	# Arguments:
	#   $1 - ipv4 or ipv6
	#   $2 - esp or ah
	#   $3 - algorithm name as given to setkey(8)
	#
	# The head/body/cleanup functions ATF expects are created with eval
	# because their names are derived at runtime.  The body runs the actual
	# test and then tears the interfaces down; cleanup (run by ATF even when
	# the body fails) dumps state if DEBUG is set and stops the rump
	# servers.  dump, cleanup and rump_server_destroy_ifaces are defined
	# elsewhere.
	local ipproto=$1
	local proto=$2
	local algo=$3
	# '-' is dropped so the algorithm name can be part of an ATF case name.
	local _algo=$(echo $algo | sed 's/-//g')
	local name= desc=

	name="ipsec_transport_${ipproto}_${proto}_${_algo}"
	desc="Tests of IPsec ($ipproto) transport mode with $proto ($algo)"

	atf_test_case ${name} cleanup
	# require.progs makes ATF skip the case when rump_server or setkey
	# is not installed instead of failing it.
	eval "								\
	    ${name}_head() {						\
	        atf_set \"descr\" \"$desc\";				\
	        atf_set \"require.progs\" \"rump_server\" \"setkey\";	\
	    };								\
	    ${name}_body() {						\
	        test_transport_common $ipproto $proto $algo;		\
	        rump_server_destroy_ifaces;				\
	    };								\
	    ${name}_cleanup() {						\
	        $DEBUG && dump;						\
	        cleanup;						\
	    }								\
	"
	atf_add_test_case ${name}
}
    251 
atf_init_test_cases()
{
	# ATF entry point: register a transport-mode case for both address
	# families for every ESP encryption algorithm and every AH
	# authentication algorithm.  $ESP_ENCRYPTION_ALGORITHMS and
	# $AH_AUTHENTICATION_ALGORITHMS are whitespace-separated lists provided
	# by the shared test helpers.
	local algo= ipproto=

	for algo in $ESP_ENCRYPTION_ALGORITHMS; do
		for ipproto in ipv4 ipv6; do
			add_test_transport_mode $ipproto esp $algo
		done
	done
	for algo in $AH_AUTHENTICATION_ALGORITHMS; do
		for ipproto in ipv4 ipv6; do
			add_test_transport_mode $ipproto ah $algo
		done
	done
}
    265