      1 #	$NetBSD: t_ipsec_transport.sh,v 1.3 2017/05/10 04:46:13 ozaki-r Exp $
      2 #
      3 # Copyright (c) 2017 Internet Initiative Japan Inc.
      4 # All rights reserved.
      5 #
      6 # Redistribution and use in source and binary forms, with or without
      7 # modification, are permitted provided that the following conditions
      8 # are met:
      9 # 1. Redistributions of source code must retain the above copyright
     10 #    notice, this list of conditions and the following disclaimer.
     11 # 2. Redistributions in binary form must reproduce the above copyright
     12 #    notice, this list of conditions and the following disclaimer in the
     13 #    documentation and/or other materials provided with the distribution.
     14 #
     15 # THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
     16 # ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
     17 # TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
     18 # PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
     19 # BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
     20 # CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
     21 # SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
     22 # INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
     23 # CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
     24 # ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
     25 # POSSIBILITY OF SUCH DAMAGE.
     26 #
     27 
# Rump server control sockets for the two hosts under test, and the shmif
# bus that joins them.  Paths are relative to the ATF work directory.
SOCK_LOCAL=unix://ipsec_local
SOCK_PEER=unix://ipsec_peer
BUS=./bus_ipsec

# DEBUG is executed as a command ("$DEBUG && ..."), so it has to be "true"
# or "false"; it defaults to "false" when unset or empty.  Turning it on
# also echoes the setkey input, key material included, into the test log.
: "${DEBUG:=false}"
     33 
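#
# Exercise IPsec transport mode over IPv4 between two rump servers.
#
# Arguments:
#   $1 - IPsec protocol, "esp" or "ah"
#   $2 - setkey algorithm name for that protocol
#
# A plaintext ping is verified first.  SAs and an outbound policy are then
# installed on both hosts with a freshly generated key and the ping is
# repeated; that second exchange must appear on the bus only as ESP/AH,
# never again as bare ICMP.  Any mismatch fails the test case via atf_check.
#
test_ipsec4_transport()
{
	local proto=$1
	local algo=$2
	local ip_local=10.0.0.1
	local ip_peer=10.0.0.2
	local keylen= key=
	local tmpfile=./tmp
	local outfile=./out
	local opt= proto_cap=

	# Assign separately from "local" so a failing helper is not masked
	# by local's own exit status.
	keylen=$(get_one_valid_keylen "$algo")
	key=$(generate_key "$keylen")

	case "$proto" in
	esp)
		opt=-E
		proto_cap=ESP
		;;
	ah)
		opt=-A
		proto_cap=AH
		;;
	*)
		# Previously anything but "esp" was silently run as AH.
		atf_fail "unknown IPsec protocol: $proto"
		;;
	esac

	rump_server_crypto_start "$SOCK_LOCAL" netipsec
	rump_server_crypto_start "$SOCK_PEER" netipsec
	rump_server_add_iface "$SOCK_LOCAL" shmif0 "$BUS"
	rump_server_add_iface "$SOCK_PEER" shmif0 "$BUS"

	export RUMP_SERVER=$SOCK_LOCAL
	atf_check -s exit:0 rump.ifconfig shmif0 "$ip_local/24"
	atf_check -s exit:0 rump.ifconfig -w 10

	export RUMP_SERVER=$SOCK_PEER
	atf_check -s exit:0 rump.ifconfig shmif0 "$ip_peer/24"
	atf_check -s exit:0 rump.ifconfig -w 10

	# Drain whatever interface bring-up put on the bus so the checks
	# below only see the ping.
	extract_new_packets "$BUS" > "$outfile"

	export RUMP_SERVER=$SOCK_LOCAL
	atf_check -s exit:0 -o ignore rump.ping -c 1 -n -w 3 "$ip_peer"

	# Without a policy the echo must cross the bus in the clear.
	extract_new_packets "$BUS" > "$outfile"
	atf_check -s exit:0 -o match:"$ip_local > $ip_peer: ICMP echo request" \
	    cat "$outfile"
	atf_check -s exit:0 -o match:"$ip_peer > $ip_local: ICMP echo reply" \
	    cat "$outfile"

	export RUMP_SERVER=$SOCK_LOCAL
	# from https://www.netbsd.org/docs/network/ipsec/
	# One key for both directions; SPI 10000 covers local->peer and
	# 10001 peer->local.  The policy requires IPsec on outbound traffic
	# only, so each host is configured for its own sending direction.
	cat > "$tmpfile" <<-EOF
	add $ip_local $ip_peer $proto 10000 $opt $algo $key;
	add $ip_peer $ip_local $proto 10001 $opt $algo $key;
	spdadd $ip_local $ip_peer any -P out ipsec $proto/transport//require;
	EOF
	# Debug output includes the SA key.
	$DEBUG && cat "$tmpfile"
	# $HIJACKING stays unquoted on purpose: it may be empty or expand to
	# several words (the wrapper that points setkey at the rump server).
	atf_check -s exit:0 -o empty $HIJACKING setkey -c < "$tmpfile"
	check_sa_entries "$SOCK_LOCAL" "$ip_local" "$ip_peer"

	export RUMP_SERVER=$SOCK_PEER
	cat > "$tmpfile" <<-EOF
	add $ip_local $ip_peer $proto 10000 $opt $algo $key;
	add $ip_peer $ip_local $proto 10001 $opt $algo $key;
	spdadd $ip_peer $ip_local any -P out ipsec $proto/transport//require;
	EOF
	$DEBUG && cat "$tmpfile"
	atf_check -s exit:0 -o empty $HIJACKING setkey -c < "$tmpfile"
	check_sa_entries "$SOCK_PEER" "$ip_local" "$ip_peer"

	export RUMP_SERVER=$SOCK_LOCAL
	atf_check -s exit:0 -o ignore rump.ping -c 1 -n -w 3 "$ip_peer"

	# With the policy in place the exchange must show up as ESP/AH, and
	# the bare ICMP lines seen before the policy must be gone: seeing
	# the protected packets alone does not prove nothing leaked in clear.
	extract_new_packets "$BUS" > "$outfile"
	atf_check -s exit:0 -o match:"$ip_local > $ip_peer: $proto_cap" \
	    cat "$outfile"
	atf_check -s exit:0 -o match:"$ip_peer > $ip_local: $proto_cap" \
	    cat "$outfile"
	atf_check -s exit:0 -o not-match:"$ip_local > $ip_peer: ICMP echo request" \
	    cat "$outfile"
	atf_check -s exit:0 -o not-match:"$ip_peer > $ip_local: ICMP echo reply" \
	    cat "$outfile"

	test_flush_entries "$SOCK_LOCAL"
	test_flush_entries "$SOCK_PEER"
}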
    111 
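#
# Exercise IPsec transport mode over IPv6 between two rump servers.
#
# Arguments:
#   $1 - IPsec protocol, "esp" or "ah"
#   $2 - setkey algorithm name for that protocol
#
# Same sequence as the IPv4 variant: verify a plaintext ping6, install SAs
# and an outbound policy on both hosts with a freshly generated key, then
# require the repeated ping6 to appear on the bus only as ESP/AH and never
# again as bare ICMP6.  Any mismatch fails the test case via atf_check.
#
test_ipsec6_transport()
{
	local proto=$1
	local algo=$2
	local ip_local=fd00::1
	local ip_peer=fd00::2
	local keylen= key=
	local tmpfile=./tmp
	local outfile=./out
	local opt= proto_cap=

	# Assign separately from "local" so a failing helper is not masked
	# by local's own exit status.
	keylen=$(get_one_valid_keylen "$algo")
	key=$(generate_key "$keylen")

	case "$proto" in
	esp)
		opt=-E
		proto_cap=ESP
		;;
	ah)
		opt=-A
		proto_cap=AH
		;;
	*)
		# Previously anything but "esp" was silently run as AH.
		atf_fail "unknown IPsec protocol: $proto"
		;;
	esac

	rump_server_crypto_start "$SOCK_LOCAL" netinet6 netipsec
	rump_server_crypto_start "$SOCK_PEER" netinet6 netipsec
	rump_server_add_iface "$SOCK_LOCAL" shmif0 "$BUS"
	rump_server_add_iface "$SOCK_PEER" shmif0 "$BUS"

	export RUMP_SERVER=$SOCK_LOCAL
	atf_check -s exit:0 rump.ifconfig shmif0 inet6 "$ip_local"
	atf_check -s exit:0 rump.ifconfig -w 10

	export RUMP_SERVER=$SOCK_PEER
	atf_check -s exit:0 rump.ifconfig shmif0 inet6 "$ip_peer"
	atf_check -s exit:0 rump.ifconfig -w 10

	# Drain whatever interface bring-up (DAD, ND) put on the bus so the
	# checks below only see the ping.
	extract_new_packets "$BUS" > "$outfile"

	export RUMP_SERVER=$SOCK_LOCAL
	atf_check -s exit:0 -o ignore rump.ping6 -c 1 -n -X 3 "$ip_peer"

	# Without a policy the echo must cross the bus in the clear.
	extract_new_packets "$BUS" > "$outfile"
	atf_check -s exit:0 -o match:"$ip_local > $ip_peer: ICMP6, echo request" \
	    cat "$outfile"
	atf_check -s exit:0 -o match:"$ip_peer > $ip_local: ICMP6, echo reply" \
	    cat "$outfile"

	export RUMP_SERVER=$SOCK_LOCAL
	# from https://www.netbsd.org/docs/network/ipsec/
	# One key for both directions; SPI 10000 covers local->peer and
	# 10001 peer->local.  The policy requires IPsec on outbound traffic
	# only, so each host is configured for its own sending direction.
	cat > "$tmpfile" <<-EOF
	add $ip_local $ip_peer $proto 10000 $opt $algo $key;
	add $ip_peer $ip_local $proto 10001 $opt $algo $key;
	spdadd $ip_local $ip_peer any -P out ipsec $proto/transport//require;
	EOF
	# Debug output includes the SA key.
	$DEBUG && cat "$tmpfile"
	# $HIJACKING stays unquoted on purpose: it may be empty or expand to
	# several words (the wrapper that points setkey at the rump server).
	atf_check -s exit:0 -o empty $HIJACKING setkey -c < "$tmpfile"
	check_sa_entries "$SOCK_LOCAL" "$ip_local" "$ip_peer"

	export RUMP_SERVER=$SOCK_PEER
	cat > "$tmpfile" <<-EOF
	add $ip_local $ip_peer $proto 10000 $opt $algo $key;
	add $ip_peer $ip_local $proto 10001 $opt $algo $key;
	spdadd $ip_peer $ip_local any -P out ipsec $proto/transport//require;
	EOF
	$DEBUG && cat "$tmpfile"
	atf_check -s exit:0 -o empty $HIJACKING setkey -c < "$tmpfile"
	check_sa_entries "$SOCK_PEER" "$ip_local" "$ip_peer"

	export RUMP_SERVER=$SOCK_LOCAL
	atf_check -s exit:0 -o ignore rump.ping6 -c 1 -n -X 3 "$ip_peer"

	# With the policy in place the exchange must show up as ESP/AH, and
	# the bare ICMP6 lines seen before the policy must be gone: seeing
	# the protected packets alone does not prove nothing leaked in clear.
	extract_new_packets "$BUS" > "$outfile"
	atf_check -s exit:0 -o match:"$ip_local > $ip_peer: $proto_cap" \
	    cat "$outfile"
	atf_check -s exit:0 -o match:"$ip_peer > $ip_local: $proto_cap" \
	    cat "$outfile"
	atf_check -s exit:0 -o not-match:"$ip_local > $ip_peer: ICMP6, echo request" \
	    cat "$outfile"
	atf_check -s exit:0 -o not-match:"$ip_peer > $ip_local: ICMP6, echo reply" \
	    cat "$outfile"

	test_flush_entries "$SOCK_LOCAL"
	test_flush_entries "$SOCK_PEER"
}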
    189 
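#
# Dispatch a transport-mode test to the IPv4 or IPv6 implementation.
#
# Arguments:
#   $1 - address family, "ipv4" or "ipv6"
#   $2 - IPsec protocol, "esp" or "ah"
#   $3 - setkey algorithm name
#
test_transport_common()
{
	local ipproto=$1
	local proto=$2
	local algo=$3

	case "$ipproto" in
	ipv4)
		test_ipsec4_transport "$proto" "$algo"
		;;
	ipv6)
		test_ipsec6_transport "$proto" "$algo"
		;;
	*)
		# Anything else used to be silently run as IPv6; make the
		# mistake visible instead.
		atf_fail "unknown address family: $ipproto"
		;;
	esac
}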
    202 
#
# Register one ATF test case for a (family, protocol, algorithm) triple.
#
# Arguments:
#   $1 - address family, "ipv4" or "ipv6"
#   $2 - IPsec protocol, "esp" or "ah"
#   $3 - setkey algorithm name
#
# Defines ${name}_head/_body/_cleanup and adds the case to the suite.
#
add_test_transport_mode()
{
	local ipproto=$1
	local proto=$2
	local algo=$3
	local _algo=
	local name= desc=

	# Algorithm names contain '-', which cannot appear in a shell
	# function name; strip it for the test-case identifier.
	_algo=$(echo "$algo" | sed 's/-//g')
	name="ipsec_transport_${ipproto}_${proto}_${_algo}"
	desc="Tests of IPsec ($ipproto) transport mode with $proto ($algo)"

	atf_test_case "${name}" cleanup
	# The hook functions are named after the test case, so they can only
	# be defined through eval.  Everything interpolated here (name, desc,
	# ipproto, proto, algo, DEBUG) comes from this file's own algorithm
	# lists and defaults, not from user input.
	eval "${name}_head() {
	        atf_set \"descr\" \"$desc\";
	        atf_set \"require.progs\" \"rump_server\" \"setkey\";
	    }"
	eval "${name}_body() {
	        test_transport_common $ipproto $proto $algo;
	        rump_server_destroy_ifaces;
	    }"
	eval "${name}_cleanup() {
	        $DEBUG && dump;
	        cleanup;
	    }"
	atf_add_test_case "${name}"
}
    231 
#
# ATF entry point: register a transport-mode case for every ESP encryption
# and AH authentication algorithm, over both IPv4 and IPv6.  The algorithm
# lists are expected to be word-split, so they stay unquoted.
#
atf_init_test_cases()
{
	local algo= ipproto=

	for algo in $ESP_ENCRYPTION_ALGORITHMS; do
		for ipproto in ipv4 ipv6; do
			add_test_transport_mode "$ipproto" esp "$algo"
		done
	done
	for algo in $AH_AUTHENTICATION_ALGORITHMS; do
		for ipproto in ipv4 ipv6; do
			add_test_transport_mode "$ipproto" ah "$algo"
		done
	done
}
    245