#	$NetBSD: t_ipsec_tunnel_ipcomp.sh,v 1.2 2017/08/03 03:16:27 ozaki-r Exp $
#
# Copyright (c) 2017 Internet Initiative Japan Inc.
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
# 1. Redistributions of source code must retain the above copyright
#    notice, this list of conditions and the following disclaimer.
# 2. Redistributions in binary form must reproduce the above copyright
#    notice, this list of conditions and the following disclaimer in the
#    documentation and/or other materials provided with the distribution.
#
# THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
# ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
# TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
# PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
# POSSIBILITY OF SUCH DAMAGE.
#

# rump_server control sockets, one per node of the test topology:
# an end host and a gateway on each side.
SOCK_LOCAL="unix://ipsec_local"
SOCK_TUNNEL_LOCAL="unix://ipsec_tunel_local"
SOCK_TUNNEL_REMOTE="unix://ipsec_tunnel_remote"
SOCK_REMOTE="unix://ipsec_remote"

# shmif buses: host<->gateway on each side, plus the bus the tunnel
# traffic between the two gateways is captured from.
BUS_LOCAL="./bus_ipsec_local"
BUS_TUNNEL="./bus_ipsec_tunnel"
BUS_REMOTE="./bus_ipsec_remote"

# Set DEBUG=true in the environment to dump captures and setkey input.
DEBUG="${DEBUG:-false}"
     37 
#
# setup_servers
#
# Start the four rump servers of the topology and attach their shmif
# interfaces to the buses.  Only the two gateways get the IPsec stack
# (netipsec); every server gets netinet6.
#
#   local -shmif0- BUS_LOCAL -shmif0- gw_local -shmif1- BUS_TUNNEL
#     -shmif1- gw_remote -shmif0- BUS_REMOTE -shmif0- remote
#
setup_servers()
{
	# See https://www.netbsd.org/docs/network/ipsec/#sample_vpn
	rump_server_crypto_start "$SOCK_LOCAL" netinet6
	rump_server_crypto_start "$SOCK_TUNNEL_LOCAL" netipsec netinet6
	rump_server_crypto_start "$SOCK_TUNNEL_REMOTE" netipsec netinet6
	rump_server_crypto_start "$SOCK_REMOTE" netinet6

	# local side: end host and gateway share BUS_LOCAL
	rump_server_add_iface "$SOCK_LOCAL" shmif0 "$BUS_LOCAL"
	rump_server_add_iface "$SOCK_TUNNEL_LOCAL" shmif0 "$BUS_LOCAL"
	# gateway to gateway link, captured by the tests
	rump_server_add_iface "$SOCK_TUNNEL_LOCAL" shmif1 "$BUS_TUNNEL"
	# remote side: gateway and end host share BUS_REMOTE
	rump_server_add_iface "$SOCK_TUNNEL_REMOTE" shmif0 "$BUS_REMOTE"
	rump_server_add_iface "$SOCK_TUNNEL_REMOTE" shmif1 "$BUS_TUNNEL"
	rump_server_add_iface "$SOCK_REMOTE" shmif0 "$BUS_REMOTE"
}
     53 
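#
# check_tunnel_ipcomp_packets outfile osrc odst oproto isrc idst iproto
#
# Verify that the capture in outfile shows the expected headers in both
# directions between the tunnel endpoints.
#   outfile        capture text (tcpdump style) written by extract_new_packets
#   osrc, odst     outer (tunnel endpoint) addresses
#   oproto         outer protocol as printed in the capture: ESP or AH
#   isrc, idst     inner (end host) addresses
#   iproto         inner protocol (e.g. ICMP, ICMP6), or IPComp when a
#                  compressed inner packet is expected
# Fails the test case through atf_check when a direction does not match.
#
check_tunnel_ipcomp_packets()
{
	local outfile=$1
	local osrc=$2
	local odst=$3
	local oproto=$4
	local isrc=$5
	local idst=$6
	local iproto=$7

	$DEBUG && cat "$outfile"

	if [ "$oproto" = ESP ]; then
		# Only the outer ESP headers are matched; the ESP payload is
		# not decoded in the capture, so whether IPComp was applied
		# inside it is not verified here (see TODO below).
		atf_check -s exit:0 \
		    -o match:"$osrc > $odst: $oproto" \
		    cat "$outfile"
		atf_check -s exit:0 \
		    -o match:"$odst > $osrc: $oproto" \
		    cat "$outfile"
		# TODO check the packet lengths to check IPComp is really used
		return
	fi

	# AH: the header following AH is visible in the capture, so we can
	# tell a compressed (IPComp) inner packet from a plain one.
	if [ "$iproto" = IPComp ]; then
		atf_check -s exit:0 \
		    -o match:"$osrc > $odst: $oproto.+: $iproto" \
		    cat "$outfile"
		atf_check -s exit:0 \
		    -o match:"$odst > $osrc: $oproto.+: $iproto" \
		    cat "$outfile"
	else
		atf_check -s exit:0 \
		    -o match:"$osrc > $odst: $oproto.+ $isrc > $idst: $iproto" \
		    cat "$outfile"
		atf_check -s exit:0 \
		    -o match:"$odst > $osrc: $oproto.+ $idst > $isrc: $iproto" \
		    cat "$outfile"
	fi
}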
     94 
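#
# test_ipsec4_tunnel_ipcomp proto algo calgo
#
# IPv4 variant of the IPComp-over-tunnel test.
#   proto  esp or ah; applied in transport mode on top of the IPComp tunnel
#   algo   algorithm for proto, turned into setkey arguments by
#          generate_algo_args
#   calgo  IPComp compression algorithm (setkey -C)
#
# Topology (servers started by setup_servers):
#   local 10.0.1.2 -- 10.0.1.1 gw_local 20.0.0.1 ==tunnel== 20.0.0.2
#     gw_remote 10.0.2.1 -- 10.0.2.2 remote
#
# Steps: configure addresses, routes and forwarding; confirm plain
# reachability; install SAs and SPs on both gateways; then ping with two
# payload sizes and check the capture on the tunnel bus: an IP packet one
# byte below the deflate minimum length must go out uncompressed, one of
# exactly the minimum length compressed.  SA/SP entries are flushed on
# both gateways at the end.
#
test_ipsec4_tunnel_ipcomp()
{
	local proto=$1
	local algo=$2
	local calgo=$3
	local ip_local=10.0.1.2
	local ip_gw_local=10.0.1.1
	local ip_gw_local_tunnel=20.0.0.1
	local ip_gw_remote_tunnel=20.0.0.2
	local ip_gw_remote=10.0.2.1
	local ip_remote=10.0.2.2
	local subnet_local=10.0.1.0
	local subnet_remote=10.0.2.0
	local tmpfile=./tmp
	local outfile=./out
	local pktproto= algo_args= pktsize=

	# Assign separately from 'local' so a failing helper is not masked
	# by local's own exit status.
	pktproto=$(generate_pktproto "$proto")
	algo_args=$(generate_algo_args "$proto" "$algo")

	setup_servers

	export RUMP_SERVER="$SOCK_LOCAL"
	atf_check -s exit:0 rump.sysctl -q -w net.inet.ip.dad_count=0
	atf_check -s exit:0 rump.ifconfig shmif0 "$ip_local/24"
	atf_check -s exit:0 -o ignore \
	    rump.route -n add -net "$subnet_remote" "$ip_gw_local"

	export RUMP_SERVER="$SOCK_TUNNEL_LOCAL"
	atf_check -s exit:0 rump.sysctl -q -w net.inet.ip.dad_count=0
	atf_check -s exit:0 rump.ifconfig shmif0 "$ip_gw_local/24"
	atf_check -s exit:0 rump.ifconfig shmif1 "$ip_gw_local_tunnel/24"
	atf_check -s exit:0 rump.sysctl -q -w net.inet.ip.forwarding=1
	atf_check -s exit:0 -o ignore \
	    rump.route -n add -net "$subnet_remote" "$ip_gw_remote_tunnel"
	# Diagnostic only: show the gateway's ipsec sysctls when debugging.
	$DEBUG && rump.sysctl -a | grep ipsec

	export RUMP_SERVER="$SOCK_TUNNEL_REMOTE"
	atf_check -s exit:0 rump.sysctl -q -w net.inet.ip.dad_count=0
	atf_check -s exit:0 rump.ifconfig shmif0 "$ip_gw_remote/24"
	atf_check -s exit:0 rump.ifconfig shmif1 "$ip_gw_remote_tunnel/24"
	atf_check -s exit:0 rump.sysctl -q -w net.inet.ip.forwarding=1
	atf_check -s exit:0 -o ignore \
	    rump.route -n add -net "$subnet_local" "$ip_gw_local_tunnel"

	export RUMP_SERVER="$SOCK_REMOTE"
	atf_check -s exit:0 rump.sysctl -q -w net.inet.ip.dad_count=0
	atf_check -s exit:0 rump.ifconfig shmif0 "$ip_remote/24"
	atf_check -s exit:0 -o ignore \
	    rump.route -n add -net "$subnet_local" "$ip_gw_remote"

	# Drain what is already on the tunnel bus so later checks only see
	# packets caused by this test.
	extract_new_packets "$BUS_TUNNEL" > "$outfile"

	# Plain reachability through both gateways, before any IPsec policy.
	export RUMP_SERVER="$SOCK_LOCAL"
	atf_check -s exit:0 -o ignore rump.ping -c 1 -n -w 3 "$ip_remote"

	extract_new_packets "$BUS_TUNNEL" > "$outfile"
	atf_check -s exit:0 \
	    -o match:"$ip_local > $ip_remote: ICMP echo request" \
	    cat "$outfile"
	atf_check -s exit:0 \
	    -o match:"$ip_remote > $ip_local: ICMP echo reply" \
	    cat "$outfile"

	export RUMP_SERVER="$SOCK_TUNNEL_LOCAL"
	# from https://www.netbsd.org/docs/network/ipsec/
	# One SA per direction for proto and for ipcomp, then an outbound
	# policy (IPComp in tunnel mode, proto in transport mode) and the
	# mirrored inbound policy.
	cat > "$tmpfile" <<-EOF
	add $ip_gw_local_tunnel $ip_gw_remote_tunnel $proto 10000 $algo_args;
	add $ip_gw_remote_tunnel $ip_gw_local_tunnel $proto 10001 $algo_args;
	add $ip_gw_local_tunnel $ip_gw_remote_tunnel ipcomp 10000 -C $calgo;
	add $ip_gw_remote_tunnel $ip_gw_local_tunnel ipcomp 10001 -C $calgo;
	spdadd $subnet_local/24 $subnet_remote/24 any -P out ipsec
	    ipcomp/tunnel/$ip_gw_local_tunnel-$ip_gw_remote_tunnel/require
	    $proto/transport//require;
	spdadd $subnet_remote/24 $subnet_local/24 any -P in ipsec
	    ipcomp/tunnel/$ip_gw_remote_tunnel-$ip_gw_local_tunnel/require
	    $proto/transport//require;
	EOF
	$DEBUG && cat "$tmpfile"
	# HIJACKING is deliberately unquoted: an empty value must vanish
	# rather than become an empty argument.
	atf_check -s exit:0 -o empty $HIJACKING setkey -c < "$tmpfile"
	check_sa_entries "$SOCK_TUNNEL_LOCAL" "$ip_gw_local_tunnel" \
	    "$ip_gw_remote_tunnel"

	export RUMP_SERVER="$SOCK_TUNNEL_REMOTE"
	# Same SAs; the policies are the mirror image of the local gateway's.
	cat > "$tmpfile" <<-EOF
	add $ip_gw_local_tunnel $ip_gw_remote_tunnel $proto 10000 $algo_args;
	add $ip_gw_remote_tunnel $ip_gw_local_tunnel $proto 10001 $algo_args;
	add $ip_gw_local_tunnel $ip_gw_remote_tunnel ipcomp 10000 -C $calgo;
	add $ip_gw_remote_tunnel $ip_gw_local_tunnel ipcomp 10001 -C $calgo;
	spdadd $subnet_remote/24 $subnet_local/24 any -P out ipsec
	    ipcomp/tunnel/$ip_gw_remote_tunnel-$ip_gw_local_tunnel/require
	    $proto/transport//require;
	spdadd $subnet_local/24 $subnet_remote/24 any -P in ipsec
	    ipcomp/tunnel/$ip_gw_local_tunnel-$ip_gw_remote_tunnel/require
	    $proto/transport//require;
	EOF
	$DEBUG && cat "$tmpfile"
	atf_check -s exit:0 -o empty $HIJACKING setkey -c < "$tmpfile"
	check_sa_entries "$SOCK_TUNNEL_REMOTE" "$ip_gw_local_tunnel" \
	    "$ip_gw_remote_tunnel"

	export RUMP_SERVER="$SOCK_LOCAL"
	# IPComp sends a packet as-is if the compressed payload would be
	# at least as large as the original, so the payload is filled with
	# a constant pattern (-p ff, all bits set) that always compresses.
	#
	# ping -s is the ICMP data size: subtract the ICMP header (8) and
	# the IPv4 header (20) from the deflate minimum length so the IP
	# packet on the wire has exactly the size we want.

	# IP packet of minlen - 1 bytes: must not be compressed
	pktsize=$(($(get_minlen deflate) - 8 - 20 - 1))
	atf_check -s exit:0 -o ignore \
	    rump.ping -c 1 -n -w 3 -s "$pktsize" -p ff "$ip_remote"
	extract_new_packets "$BUS_TUNNEL" > "$outfile"
	check_tunnel_ipcomp_packets "$outfile" \
	    "$ip_gw_local_tunnel" "$ip_gw_remote_tunnel" "$pktproto" \
	    "$ip_local" "$ip_remote" ICMP

	# IP packet of exactly minlen bytes: must be compressed
	pktsize=$(($(get_minlen deflate) - 8 - 20))
	atf_check -s exit:0 -o ignore \
	    rump.ping -c 1 -n -w 3 -s "$pktsize" -p ff "$ip_remote"
	extract_new_packets "$BUS_TUNNEL" > "$outfile"
	check_tunnel_ipcomp_packets "$outfile" \
	    "$ip_gw_local_tunnel" "$ip_gw_remote_tunnel" "$pktproto" \
	    "$ip_local" "$ip_remote" IPComp

	test_flush_entries "$SOCK_TUNNEL_LOCAL"
	test_flush_entries "$SOCK_TUNNEL_REMOTE"
}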
    221 
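#
# test_ipsec6_tunnel_ipcomp proto algo calgo
#
# IPv6 variant of the IPComp-over-tunnel test.
#   proto  esp or ah; applied in transport mode on top of the IPComp tunnel
#   algo   algorithm for proto, turned into setkey arguments by
#          generate_algo_args
#   calgo  IPComp compression algorithm (setkey -C)
#
# Topology (servers started by setup_servers):
#   local fd00:1::2 -- fd00:1::1 gw_local fc00::1 ==tunnel== fc00::2
#     gw_remote fd00:2::1 -- fd00:2::2 remote
#
# Steps: configure addresses, routes and forwarding; confirm plain
# reachability; install SAs and SPs on both gateways; then ping with two
# payload sizes and check the capture on the tunnel bus: an IP packet one
# byte below the deflate minimum length must go out uncompressed, one of
# exactly the minimum length compressed.  SA/SP entries are flushed on
# both gateways at the end.
#
test_ipsec6_tunnel_ipcomp()
{
	local proto=$1
	local algo=$2
	local calgo=$3
	local ip_local=fd00:1::2
	local ip_gw_local=fd00:1::1
	local ip_gw_local_tunnel=fc00::1
	local ip_gw_remote_tunnel=fc00::2
	local ip_gw_remote=fd00:2::1
	local ip_remote=fd00:2::2
	local subnet_local=fd00:1::
	local subnet_remote=fd00:2::
	local tmpfile=./tmp
	local outfile=./out
	local pktproto= algo_args= pktsize=

	# Assign separately from 'local' so a failing helper is not masked
	# by local's own exit status.
	pktproto=$(generate_pktproto "$proto")
	algo_args=$(generate_algo_args "$proto" "$algo")

	setup_servers

	export RUMP_SERVER="$SOCK_LOCAL"
	atf_check -s exit:0 rump.sysctl -q -w net.inet6.ip6.dad_count=0
	atf_check -s exit:0 rump.ifconfig shmif0 inet6 "$ip_local/64"
	atf_check -s exit:0 -o ignore \
	    rump.route -n add -inet6 -net "$subnet_remote/64" "$ip_gw_local"

	export RUMP_SERVER="$SOCK_TUNNEL_LOCAL"
	atf_check -s exit:0 rump.sysctl -q -w net.inet6.ip6.dad_count=0
	atf_check -s exit:0 rump.ifconfig shmif0 inet6 "$ip_gw_local/64"
	atf_check -s exit:0 rump.ifconfig shmif1 inet6 "$ip_gw_local_tunnel/64"
	atf_check -s exit:0 rump.sysctl -q -w net.inet6.ip6.forwarding=1
	atf_check -s exit:0 -o ignore \
	    rump.route -n add -inet6 -net "$subnet_remote/64" "$ip_gw_remote_tunnel"

	export RUMP_SERVER="$SOCK_TUNNEL_REMOTE"
	atf_check -s exit:0 rump.sysctl -q -w net.inet6.ip6.dad_count=0
	atf_check -s exit:0 rump.ifconfig shmif0 inet6 "$ip_gw_remote/64"
	atf_check -s exit:0 rump.ifconfig shmif1 inet6 "$ip_gw_remote_tunnel/64"
	atf_check -s exit:0 rump.sysctl -q -w net.inet6.ip6.forwarding=1
	atf_check -s exit:0 -o ignore \
	    rump.route -n add -inet6 -net "$subnet_local/64" "$ip_gw_local_tunnel"

	export RUMP_SERVER="$SOCK_REMOTE"
	atf_check -s exit:0 rump.sysctl -q -w net.inet6.ip6.dad_count=0
	# NOTE(review): unlike every other address here no prefix length is
	# given, so ifconfig's default applies — confirm /64 was intended.
	atf_check -s exit:0 rump.ifconfig shmif0 inet6 "$ip_remote"
	atf_check -s exit:0 -o ignore \
	    rump.route -n add -inet6 -net "$subnet_local/64" "$ip_gw_remote"

	# Drain what is already on the tunnel bus so later checks only see
	# packets caused by this test.
	extract_new_packets "$BUS_TUNNEL" > "$outfile"

	# Plain reachability through both gateways, before any IPsec policy.
	export RUMP_SERVER="$SOCK_LOCAL"
	atf_check -s exit:0 -o ignore rump.ping6 -c 1 -n -X 3 "$ip_remote"

	extract_new_packets "$BUS_TUNNEL" > "$outfile"
	atf_check -s exit:0 \
	    -o match:"$ip_local > $ip_remote: ICMP6, echo request" \
	    cat "$outfile"
	atf_check -s exit:0 \
	    -o match:"$ip_remote > $ip_local: ICMP6, echo reply" \
	    cat "$outfile"

	export RUMP_SERVER="$SOCK_TUNNEL_LOCAL"
	# from https://www.netbsd.org/docs/network/ipsec/
	# One SA per direction for proto and for ipcomp, then an outbound
	# policy (IPComp in tunnel mode, proto in transport mode) and the
	# mirrored inbound policy.
	cat > "$tmpfile" <<-EOF
	add $ip_gw_local_tunnel $ip_gw_remote_tunnel $proto 10000 $algo_args;
	add $ip_gw_remote_tunnel $ip_gw_local_tunnel $proto 10001 $algo_args;
	add $ip_gw_local_tunnel $ip_gw_remote_tunnel ipcomp 10000 -C $calgo;
	add $ip_gw_remote_tunnel $ip_gw_local_tunnel ipcomp 10001 -C $calgo;
	spdadd $subnet_local/64 $subnet_remote/64 any -P out ipsec
	    ipcomp/tunnel/$ip_gw_local_tunnel-$ip_gw_remote_tunnel/require
	    $proto/transport//require;
	spdadd $subnet_remote/64 $subnet_local/64 any -P in ipsec
	    ipcomp/tunnel/$ip_gw_remote_tunnel-$ip_gw_local_tunnel/require
	    $proto/transport//require;
	EOF
	$DEBUG && cat "$tmpfile"
	# HIJACKING is deliberately unquoted: an empty value must vanish
	# rather than become an empty argument.
	atf_check -s exit:0 -o empty $HIJACKING setkey -c < "$tmpfile"
	check_sa_entries "$SOCK_TUNNEL_LOCAL" "$ip_gw_local_tunnel" \
	    "$ip_gw_remote_tunnel"

	export RUMP_SERVER="$SOCK_TUNNEL_REMOTE"
	# Same SAs; the policies are the mirror image of the local gateway's.
	cat > "$tmpfile" <<-EOF
	add $ip_gw_local_tunnel $ip_gw_remote_tunnel $proto 10000 $algo_args;
	add $ip_gw_remote_tunnel $ip_gw_local_tunnel $proto 10001 $algo_args;
	add $ip_gw_local_tunnel $ip_gw_remote_tunnel ipcomp 10000 -C $calgo;
	add $ip_gw_remote_tunnel $ip_gw_local_tunnel ipcomp 10001 -C $calgo;
	spdadd $subnet_remote/64 $subnet_local/64 any -P out ipsec
	    ipcomp/tunnel/$ip_gw_remote_tunnel-$ip_gw_local_tunnel/require
	    $proto/transport//require;
	spdadd $subnet_local/64 $subnet_remote/64 any -P in ipsec
	    ipcomp/tunnel/$ip_gw_local_tunnel-$ip_gw_remote_tunnel/require
	    $proto/transport//require;
	EOF
	$DEBUG && cat "$tmpfile"
	atf_check -s exit:0 -o empty $HIJACKING setkey -c < "$tmpfile"
	check_sa_entries "$SOCK_TUNNEL_REMOTE" "$ip_gw_local_tunnel" \
	    "$ip_gw_remote_tunnel"

	export RUMP_SERVER="$SOCK_LOCAL"
	# IPComp sends a packet as-is if the compressed payload would be
	# at least as large as the original, so the payload is filled with
	# a constant pattern (-p ff, all bits set) that always compresses.
	#
	# ping6 -s is the ICMP6 data size: subtract the ICMP6 header (8)
	# and the IPv6 header (40) from the deflate minimum length so the
	# IP packet on the wire has exactly the size we want.

	# IP packet of minlen - 1 bytes: must not be compressed
	pktsize=$(($(get_minlen deflate) - 8 - 40 - 1))
	atf_check -s exit:0 -o ignore \
	    rump.ping6 -c 1 -n -X 3 -s "$pktsize" -p ff "$ip_remote"
	extract_new_packets "$BUS_TUNNEL" > "$outfile"
	check_tunnel_ipcomp_packets "$outfile" \
	    "$ip_gw_local_tunnel" "$ip_gw_remote_tunnel" "$pktproto" \
	    "$ip_local" "$ip_remote" ICMP6

	# IP packet of exactly minlen bytes: must be compressed
	pktsize=$(($(get_minlen deflate) - 8 - 40))
	atf_check -s exit:0 -o ignore \
	    rump.ping6 -c 1 -n -X 3 -s "$pktsize" -p ff "$ip_remote"
	extract_new_packets "$BUS_TUNNEL" > "$outfile"
	check_tunnel_ipcomp_packets "$outfile" \
	    "$ip_gw_local_tunnel" "$ip_gw_remote_tunnel" "$pktproto" \
	    "$ip_local" "$ip_remote" IPComp

	test_flush_entries "$SOCK_TUNNEL_LOCAL"
	test_flush_entries "$SOCK_TUNNEL_REMOTE"
}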
    349 
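#
# test_tunnel_ipcomp_common ipproto proto algo calgo
#
# Dispatch to the IPv4 or IPv6 variant of the tunnel + IPComp test.
#   ipproto  ipv4 or ipv6
#   proto    esp or ah
#   algo     algorithm for proto
#   calgo    IPComp compression algorithm
# Any other ipproto fails the test case instead of silently running
# the IPv6 variant.
#
test_tunnel_ipcomp_common()
{
	local ipproto=$1
	local proto=$2
	local algo=$3
	local calgo=$4

	case "$ipproto" in
	ipv4)
		test_ipsec4_tunnel_ipcomp "$proto" "$algo" "$calgo"
		;;
	ipv6)
		test_ipsec6_tunnel_ipcomp "$proto" "$algo" "$calgo"
		;;
	*)
		atf_fail "unknown ipproto: $ipproto"
		;;
	esac
}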
    363 
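#
# add_test_tunnel_mode ipproto proto algo calgo
#
# Register one ATF test case named
#   ipsec_tunnel_ipcomp_<calgo>_<ipproto>_<proto>_<algo without dashes>
# whose body runs test_tunnel_ipcomp_common with the same arguments.
# The head/body/cleanup functions are generated with eval because ATF
# finds them by the test case name; the interpolated values are the
# test parameters handed in by atf_init_test_cases.
#
add_test_tunnel_mode()
{
	local ipproto=$1
	local proto=$2
	local algo=$3
	local calgo=$4
	local _algo= name= desc=

	# Dashes (e.g. in aes-cbc) are not valid in a function name.
	_algo=$(printf '%s\n' "$algo" | sed 's/-//g')
	name="ipsec_tunnel_ipcomp_${calgo}_${ipproto}_${proto}_${_algo}"
	desc="Tests of IPsec ($ipproto) tunnel mode with $proto ($algo) and ipcomp ($calgo)"

	atf_test_case "${name}" cleanup
	eval "
	    ${name}_head() {
	        atf_set descr \"$desc\"
	        atf_set require.progs rump_server setkey
	    }
	    ${name}_body() {
	        test_tunnel_ipcomp_common $ipproto $proto $algo $calgo
	        rump_server_destroy_ifaces
	    }
	    ${name}_cleanup() {
	        \$DEBUG && dump
	        cleanup
	    }
	"
	atf_add_test_case "${name}"
}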
    393 
#
# atf_init_test_cases
#
# Register a test case for every combination of IPComp algorithm, IP
# version and AH/ESP algorithm.  The algorithm lists are the space
# separated variables IPCOMP_COMPRESSION_ALGORITHMS,
# ESP_ENCRYPTION_ALGORITHMS_MINIMUM and AH_AUTHENTICATION_ALGORITHMS_MINIMUM,
# which are defined outside this file.
#
atf_init_test_cases()
{
	local calgo= algo= ipproto=

	# Word splitting of the lists is intentional.
	for calgo in $IPCOMP_COMPRESSION_ALGORITHMS; do
		for algo in $ESP_ENCRYPTION_ALGORITHMS_MINIMUM; do
			for ipproto in ipv4 ipv6; do
				add_test_tunnel_mode "$ipproto" esp "$algo" "$calgo"
			done
		done

		for algo in $AH_AUTHENTICATION_ALGORITHMS_MINIMUM; do
			for ipproto in ipv4 ipv6; do
				add_test_tunnel_mode "$ipproto" ah "$algo" "$calgo"
			done
		done
	done
}