Add test cases for IPComp

This commit is contained in:
ozaki-r 2017-07-03 06:01:16 +00:00
parent 58b9762c9a
commit b95a267001
6 changed files with 510 additions and 21 deletions

View File

@ -1,4 +1,4 @@
# $NetBSD: mi,v 1.753 2017/06/09 06:09:01 knakahara Exp $
# $NetBSD: mi,v 1.754 2017/07/03 06:01:16 ozaki-r Exp $
#
# Note: don't delete entries from here - mark them as "obsolete" instead.
#
@ -3319,6 +3319,7 @@
./usr/tests/net/ipsec/t_ipsec_sysctl tests-net-tests atf,rump
./usr/tests/net/ipsec/t_ipsec_transport tests-net-tests atf,rump
./usr/tests/net/ipsec/t_ipsec_tunnel tests-net-tests atf,rump
./usr/tests/net/ipsec/t_ipsec_tunnel_ipcomp tests-net-tests atf,rump
./usr/tests/net/ipsec/t_ipsec_tunnel_odd tests-net-tests atf,rump
./usr/tests/net/mcast tests-net-tests compattestfile,atf
./usr/tests/net/mcast/Atffile tests-net-tests atf,rump

View File

@ -1,4 +1,4 @@
# $NetBSD: Makefile,v 1.6 2017/05/15 09:58:22 ozaki-r Exp $
# $NetBSD: Makefile,v 1.7 2017/07/03 06:01:16 ozaki-r Exp $
#
.include <bsd.own.mk>
@ -6,7 +6,8 @@
TESTSDIR= ${TESTSBASE}/net/ipsec
.for name in ipsec_ah_keys ipsec_esp_keys ipsec_gif ipsec_l2tp ipsec_misc \
ipsec_sysctl ipsec_transport ipsec_tunnel ipsec_tunnel_odd
ipsec_sysctl ipsec_transport ipsec_tunnel ipsec_tunnel_ipcomp \
ipsec_tunnel_odd
TESTS_SH+= t_${name}
TESTS_SH_SRC_t_${name}= ../net_common.sh ./common.sh ./algorithms.sh \
t_${name}.sh

View File

@ -1,4 +1,4 @@
# $NetBSD: algorithms.sh,v 1.4 2017/05/12 02:34:45 ozaki-r Exp $
# $NetBSD: algorithms.sh,v 1.5 2017/07/03 06:01:16 ozaki-r Exp $
#
# Copyright (c) 2017 Internet Initiative Japan Inc.
# All rights reserved.
@ -111,6 +111,12 @@ invalid_keys_aesxcbcmac="120 136"
#valid_keys_tcpmd5="8 640"
#invalid_keys_tcpmd5="648"
IPCOMP_COMPRESSION_ALGORITHMS="deflate"
IPCOMP_COMPRESSION_ALGORITHMS_MINIMUM="deflate"
valid_keys_deflate="0"
invalid_keys_deflate="8"
minlen_deflate="90"
get_one_valid_keylen()
{
local algo=$1
@ -170,7 +176,18 @@ generate_algo_args()
if [ $proto = esp ]; then
echo "-E $algo $key"
else
elif [ $proto = ah ]; then
echo "-A $algo $key"
else
echo "-C $algo $key"
fi
}
get_minlen()
{
local algo=$1
local minlen=
eval minlen="\$minlen_${algo}"
echo $minlen
}

View File

@ -1,4 +1,4 @@
# $NetBSD: common.sh,v 1.3 2017/05/15 09:56:47 ozaki-r Exp $
# $NetBSD: common.sh,v 1.4 2017/07/03 06:01:16 ozaki-r Exp $
#
# Copyright (c) 2017 Internet Initiative Japan Inc.
# All rights reserved.
@ -53,3 +53,14 @@ check_sa_entries()
$HIJACKING setkey -D
# TODO: more detail checks
}
generate_pktproto()
{
local proto=$1
if [ $proto = ipcomp ]; then
echo IPComp
else
echo $proto | tr 'a-z' 'A-Z'
fi
}

View File

@ -1,4 +1,4 @@
# $NetBSD: t_ipsec_transport.sh,v 1.4 2017/05/12 02:34:45 ozaki-r Exp $
# $NetBSD: t_ipsec_transport.sh,v 1.5 2017/07/03 06:01:16 ozaki-r Exp $
#
# Copyright (c) 2017 Internet Initiative Japan Inc.
# All rights reserved.
@ -31,6 +31,17 @@ BUS=./bus_ipsec
DEBUG=${DEBUG:-false}
check_packets()
{
local outfile=$1
local src=$2
local dst=$3
local pktproto=$4
atf_check -s exit:0 -o match:"$src > $dst: $pktproto" cat $outfile
atf_check -s exit:0 -o match:"$dst > $src: $pktproto" cat $outfile
}
test_ipsec4_transport()
{
local proto=$1
@ -39,8 +50,9 @@ test_ipsec4_transport()
local ip_peer=10.0.0.2
local tmpfile=./tmp
local outfile=./out
local proto_cap=$(echo $proto | tr 'a-z' 'A-Z')
local pktproto=$(generate_pktproto $proto)
local algo_args="$(generate_algo_args $proto $algo)"
local pktsize=
rump_server_crypto_start $SOCK_LOCAL netipsec
rump_server_crypto_start $SOCK_PEER netipsec
@ -88,13 +100,30 @@ test_ipsec4_transport()
check_sa_entries $SOCK_PEER $ip_local $ip_peer
export RUMP_SERVER=$SOCK_LOCAL
atf_check -s exit:0 -o ignore rump.ping -c 1 -n -w 3 $ip_peer
if [ $proto = ipcomp ]; then
# IPComp sends a packet as-is if a compressed payload of
# the packet is greater than or equal to the original payload.
# So we have to fill a payload with 1 to let IPComp always send
# a compressed packet.
# pktsize == minlen - 1
pktsize=$(($(get_minlen $algo) - 8 - 1))
atf_check -s exit:0 -o ignore \
rump.ping -c 1 -n -w 3 -s $pktsize -p ff $ip_peer
extract_new_packets $BUS > $outfile
atf_check -s exit:0 -o match:"$ip_local > $ip_peer: $proto_cap" \
cat $outfile
atf_check -s exit:0 -o match:"$ip_peer > $ip_local: $proto_cap" \
cat $outfile
check_packets $outfile $ip_local $ip_peer ICMP
# pktsize == minlen
pktsize=$(($(get_minlen $algo) - 8))
atf_check -s exit:0 -o ignore \
rump.ping -c 1 -n -w 3 -s $pktsize -p ff $ip_peer
extract_new_packets $BUS > $outfile
check_packets $outfile $ip_local $ip_peer $pktproto
else
atf_check -s exit:0 -o ignore rump.ping -c 1 -n -w 3 $ip_peer
extract_new_packets $BUS > $outfile
check_packets $outfile $ip_local $ip_peer $pktproto
fi
test_flush_entries $SOCK_LOCAL
test_flush_entries $SOCK_PEER
@ -108,7 +137,7 @@ test_ipsec6_transport()
local ip_peer=fd00::2
local tmpfile=./tmp
local outfile=./out
local proto_cap=$(echo $proto | tr 'a-z' 'A-Z')
local pktproto=$(generate_pktproto $proto)
local algo_args="$(generate_algo_args $proto $algo)"
rump_server_crypto_start $SOCK_LOCAL netinet6 netipsec
@ -157,13 +186,30 @@ test_ipsec6_transport()
check_sa_entries $SOCK_PEER $ip_local $ip_peer
export RUMP_SERVER=$SOCK_LOCAL
atf_check -s exit:0 -o ignore rump.ping6 -c 1 -n -X 3 $ip_peer
if [ $proto = ipcomp ]; then
# IPComp sends a packet as-is if a compressed payload of
# the packet is greater than or equal to the original payload.
# So we have to fill a payload with 1 to let IPComp always send
# a compressed packet.
# pktsize == minlen - 1
pktsize=$(($(get_minlen $algo) - 8 - 1))
atf_check -s exit:0 -o ignore \
rump.ping6 -c 1 -n -X 3 -s $pktsize -p ff $ip_peer
extract_new_packets $BUS > $outfile
atf_check -s exit:0 -o match:"$ip_local > $ip_peer: $proto_cap" \
cat $outfile
atf_check -s exit:0 -o match:"$ip_peer > $ip_local: $proto_cap" \
cat $outfile
check_packets $outfile $ip_local $ip_peer ICMP6
# pktsize == minlen
pktsize=$(($(get_minlen $algo) - 8))
atf_check -s exit:0 -o ignore \
rump.ping6 -c 1 -n -X 3 -s $pktsize -p ff $ip_peer
extract_new_packets $BUS > $outfile
check_packets $outfile $ip_local $ip_peer $pktproto
else
atf_check -s exit:0 -o ignore rump.ping6 -c 1 -n -X 3 $ip_peer
extract_new_packets $BUS > $outfile
check_packets $outfile $ip_local $ip_peer $pktproto
fi
test_flush_entries $SOCK_LOCAL
test_flush_entries $SOCK_PEER
@ -223,4 +269,8 @@ atf_init_test_cases()
add_test_transport_mode ipv4 ah $algo
add_test_transport_mode ipv6 ah $algo
done
for algo in $IPCOMP_COMPRESSION_ALGORITHMS; do
add_test_transport_mode ipv4 ipcomp $algo
add_test_transport_mode ipv6 ipcomp $algo
done
}

View File

@ -0,0 +1,409 @@
# $NetBSD: t_ipsec_tunnel_ipcomp.sh,v 1.1 2017/07/03 06:01:16 ozaki-r Exp $
#
# Copyright (c) 2017 Internet Initiative Japan Inc.
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
# 1. Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# 2. Redistributions in binary form must reproduce the above copyright
# notice, this list of conditions and the following disclaimer in the
# documentation and/or other materials provided with the distribution.
#
# THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
# ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
# TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
# POSSIBILITY OF SUCH DAMAGE.
#
SOCK_LOCAL=unix://ipsec_local
SOCK_TUNNEL_LOCAL=unix://ipsec_tunel_local
SOCK_TUNNEL_REMOTE=unix://ipsec_tunnel_remote
SOCK_REMOTE=unix://ipsec_remote
BUS_LOCAL=./bus_ipsec_local
BUS_TUNNEL=./bus_ipsec_tunnel
BUS_REMOTE=./bus_ipsec_remote
DEBUG=${DEBUG:-false}
setup_servers()
{
# See https://www.netbsd.org/docs/network/ipsec/#sample_vpn
rump_server_crypto_start $SOCK_LOCAL netinet6
rump_server_crypto_start $SOCK_TUNNEL_LOCAL netipsec netinet6
rump_server_crypto_start $SOCK_TUNNEL_REMOTE netipsec netinet6
rump_server_crypto_start $SOCK_REMOTE netinet6
rump_server_add_iface $SOCK_LOCAL shmif0 $BUS_LOCAL
rump_server_add_iface $SOCK_TUNNEL_LOCAL shmif0 $BUS_LOCAL
rump_server_add_iface $SOCK_TUNNEL_LOCAL shmif1 $BUS_TUNNEL
rump_server_add_iface $SOCK_TUNNEL_REMOTE shmif0 $BUS_REMOTE
rump_server_add_iface $SOCK_TUNNEL_REMOTE shmif1 $BUS_TUNNEL
rump_server_add_iface $SOCK_REMOTE shmif0 $BUS_REMOTE
}
check_tunnel_ipcomp_packets()
{
local outfile=$1
local osrc=$2
local odst=$3
local oproto=$4
local isrc=$5
local idst=$6
local iproto=$7
$DEBUG && cat $outfile
if [ $oproto = ESP ]; then
atf_check -s exit:0 \
-o match:"$osrc > $odst: $oproto" \
cat $outfile
atf_check -s exit:0 \
-o match:"$odst > $osrc: $oproto" \
cat $outfile
# TODO check the packet lengths to check IPComp is really used
return
fi
# AH
if [ $iproto = IPComp ]; then
atf_check -s exit:0 \
-o match:"$osrc > $odst: $oproto.+: $iproto" \
cat $outfile
atf_check -s exit:0 \
-o match:"$odst > $osrc: $oproto.+: $iproto" \
cat $outfile
else
atf_check -s exit:0 \
-o match:"$osrc > $odst: $oproto.+ $isrc > $idst: $iproto" \
cat $outfile
atf_check -s exit:0 \
-o match:"$odst > $osrc: $oproto.+ $idst > $isrc: $iproto" \
cat $outfile
fi
}
test_ipsec4_tunnel_ipcomp()
{
local proto=$1
local algo=$2
local calgo=$3
local ip_local=10.0.1.2
local ip_gw_local=10.0.1.1
local ip_gw_local_tunnel=20.0.0.1
local ip_gw_remote_tunnel=20.0.0.2
local ip_gw_remote=10.0.2.1
local ip_remote=10.0.2.2
local subnet_local=10.0.1.0
local subnet_remote=10.0.2.0
local tmpfile=./tmp
local outfile=./out
local pktproto=$(generate_pktproto $proto)
local algo_args="$(generate_algo_args $proto $algo)"
setup_servers
export RUMP_SERVER=$SOCK_LOCAL
atf_check -s exit:0 rump.sysctl -q -w net.inet.ip.dad_count=0
atf_check -s exit:0 rump.ifconfig shmif0 $ip_local/24
atf_check -s exit:0 -o ignore \
rump.route -n add -net $subnet_remote $ip_gw_local
export RUMP_SERVER=$SOCK_TUNNEL_LOCAL
atf_check -s exit:0 rump.sysctl -q -w net.inet.ip.dad_count=0
atf_check -s exit:0 rump.ifconfig shmif0 $ip_gw_local/24
atf_check -s exit:0 rump.ifconfig shmif1 $ip_gw_local_tunnel/24
atf_check -s exit:0 rump.sysctl -q -w net.inet.ip.forwarding=1
atf_check -s exit:0 -o ignore \
rump.route -n add -net $subnet_remote $ip_gw_remote_tunnel
rump.sysctl -a |grep ipsec
export RUMP_SERVER=$SOCK_TUNNEL_REMOTE
atf_check -s exit:0 rump.sysctl -q -w net.inet.ip.dad_count=0
atf_check -s exit:0 rump.ifconfig shmif0 $ip_gw_remote/24
atf_check -s exit:0 rump.ifconfig shmif1 $ip_gw_remote_tunnel/24
atf_check -s exit:0 rump.sysctl -q -w net.inet.ip.forwarding=1
atf_check -s exit:0 -o ignore \
rump.route -n add -net $subnet_local $ip_gw_local_tunnel
export RUMP_SERVER=$SOCK_REMOTE
atf_check -s exit:0 rump.sysctl -q -w net.inet.ip.dad_count=0
atf_check -s exit:0 rump.ifconfig shmif0 $ip_remote/24
atf_check -s exit:0 -o ignore \
rump.route -n add -net $subnet_local $ip_gw_remote
extract_new_packets $BUS_TUNNEL > $outfile
export RUMP_SERVER=$SOCK_LOCAL
atf_check -s exit:0 -o ignore rump.ping -c 1 -n -w 3 $ip_remote
extract_new_packets $BUS_TUNNEL > $outfile
atf_check -s exit:0 \
-o match:"$ip_local > $ip_remote: ICMP echo request" \
cat $outfile
atf_check -s exit:0 \
-o match:"$ip_remote > $ip_local: ICMP echo reply" \
cat $outfile
export RUMP_SERVER=$SOCK_TUNNEL_LOCAL
# from https://www.netbsd.org/docs/network/ipsec/
cat > $tmpfile <<-EOF
add $ip_gw_local_tunnel $ip_gw_remote_tunnel $proto 10000 $algo_args;
add $ip_gw_remote_tunnel $ip_gw_local_tunnel $proto 10001 $algo_args;
add $ip_gw_local_tunnel $ip_gw_remote_tunnel ipcomp 10000 -C $calgo;
add $ip_gw_remote_tunnel $ip_gw_local_tunnel ipcomp 10001 -C $calgo;
spdadd $subnet_local/24 $subnet_remote/24 any -P out ipsec
ipcomp/tunnel/$ip_gw_local_tunnel-$ip_gw_remote_tunnel/require
$proto/transport//require;
spdadd $subnet_remote/24 $subnet_local/24 any -P in ipsec
ipcomp/tunnel/$ip_gw_remote_tunnel-$ip_gw_local_tunnel/require
$proto/transport//require;
EOF
$DEBUG && cat $tmpfile
atf_check -s exit:0 -o empty $HIJACKING setkey -c < $tmpfile
check_sa_entries $SOCK_TUNNEL_LOCAL $ip_gw_local_tunnel \
$ip_gw_remote_tunnel
export RUMP_SERVER=$SOCK_TUNNEL_REMOTE
cat > $tmpfile <<-EOF
add $ip_gw_local_tunnel $ip_gw_remote_tunnel $proto 10000 $algo_args;
add $ip_gw_remote_tunnel $ip_gw_local_tunnel $proto 10001 $algo_args;
add $ip_gw_local_tunnel $ip_gw_remote_tunnel ipcomp 10000 -C $calgo;
add $ip_gw_remote_tunnel $ip_gw_local_tunnel ipcomp 10001 -C $calgo;
spdadd $subnet_remote/24 $subnet_local/24 any -P out ipsec
ipcomp/tunnel/$ip_gw_remote_tunnel-$ip_gw_local_tunnel/require
$proto/transport//require;
spdadd $subnet_local/24 $subnet_remote/24 any -P in ipsec
ipcomp/tunnel/$ip_gw_local_tunnel-$ip_gw_remote_tunnel/require
$proto/transport//require;
EOF
$DEBUG && cat $tmpfile
atf_check -s exit:0 -o empty $HIJACKING setkey -c < $tmpfile
check_sa_entries $SOCK_TUNNEL_REMOTE $ip_gw_local_tunnel \
$ip_gw_remote_tunnel
export RUMP_SERVER=$SOCK_LOCAL
# IPComp sends a packet as-is if a compressed payload of
# the packet is greater than or equal to the original payload.
# So we have to fill a payload with 1 to let IPComp always send
# a compressed packet.
# pktsize == minlen - 1
pktsize=$(($(get_minlen deflate) - 8 - 20 - 1))
atf_check -s exit:0 -o ignore \
rump.ping -c 1 -n -w 3 -s $pktsize -p ff $ip_remote
extract_new_packets $BUS_TUNNEL > $outfile
check_tunnel_ipcomp_packets $outfile \
$ip_gw_local_tunnel $ip_gw_remote_tunnel $pktproto \
$ip_local $ip_remote ICMP
# pktsize == minlen
pktsize=$(($(get_minlen deflate) - 8 - 20))
atf_check -s exit:0 -o ignore \
rump.ping -c 1 -n -w 3 -s $pktsize -p ff $ip_remote
extract_new_packets $BUS_TUNNEL > $outfile
check_tunnel_ipcomp_packets $outfile \
$ip_gw_local_tunnel $ip_gw_remote_tunnel $pktproto \
$ip_local $ip_remote IPComp
test_flush_entries $SOCK_TUNNEL_LOCAL
test_flush_entries $SOCK_TUNNEL_REMOTE
}
test_ipsec6_tunnel_ipcomp()
{
local proto=$1
local algo=$2
local calgo=$3
local ip_local=fd00:1::2
local ip_gw_local=fd00:1::1
local ip_gw_local_tunnel=fc00::1
local ip_gw_remote_tunnel=fc00::2
local ip_gw_remote=fd00:2::1
local ip_remote=fd00:2::2
local subnet_local=fd00:1::
local subnet_remote=fd00:2::
local tmpfile=./tmp
local outfile=./out
local pktproto=$(generate_pktproto $proto)
local algo_args="$(generate_algo_args $proto $algo)"
setup_servers
export RUMP_SERVER=$SOCK_LOCAL
atf_check -s exit:0 rump.sysctl -q -w net.inet6.ip6.dad_count=0
atf_check -s exit:0 rump.ifconfig shmif0 inet6 $ip_local/64
atf_check -s exit:0 -o ignore \
rump.route -n add -inet6 -net $subnet_remote/64 $ip_gw_local
export RUMP_SERVER=$SOCK_TUNNEL_LOCAL
atf_check -s exit:0 rump.sysctl -q -w net.inet6.ip6.dad_count=0
atf_check -s exit:0 rump.ifconfig shmif0 inet6 $ip_gw_local/64
atf_check -s exit:0 rump.ifconfig shmif1 inet6 $ip_gw_local_tunnel/64
atf_check -s exit:0 rump.sysctl -q -w net.inet6.ip6.forwarding=1
atf_check -s exit:0 -o ignore \
rump.route -n add -inet6 -net $subnet_remote/64 $ip_gw_remote_tunnel
export RUMP_SERVER=$SOCK_TUNNEL_REMOTE
atf_check -s exit:0 rump.sysctl -q -w net.inet6.ip6.dad_count=0
atf_check -s exit:0 rump.ifconfig shmif0 inet6 $ip_gw_remote/64
atf_check -s exit:0 rump.ifconfig shmif1 inet6 $ip_gw_remote_tunnel/64
atf_check -s exit:0 rump.sysctl -q -w net.inet6.ip6.forwarding=1
atf_check -s exit:0 -o ignore \
rump.route -n add -inet6 -net $subnet_local/64 $ip_gw_local_tunnel
export RUMP_SERVER=$SOCK_REMOTE
atf_check -s exit:0 rump.sysctl -q -w net.inet6.ip6.dad_count=0
atf_check -s exit:0 rump.ifconfig shmif0 inet6 $ip_remote
atf_check -s exit:0 -o ignore \
rump.route -n add -inet6 -net $subnet_local/64 $ip_gw_remote
extract_new_packets $BUS_TUNNEL > $outfile
export RUMP_SERVER=$SOCK_LOCAL
atf_check -s exit:0 -o ignore rump.ping6 -c 1 -n -X 3 $ip_remote
extract_new_packets $BUS_TUNNEL > $outfile
atf_check -s exit:0 \
-o match:"$ip_local > $ip_remote: ICMP6, echo request" \
cat $outfile
atf_check -s exit:0 \
-o match:"$ip_remote > $ip_local: ICMP6, echo reply" \
cat $outfile
export RUMP_SERVER=$SOCK_TUNNEL_LOCAL
# from https://www.netbsd.org/docs/network/ipsec/
cat > $tmpfile <<-EOF
add $ip_gw_local_tunnel $ip_gw_remote_tunnel $proto 10000 $algo_args;
add $ip_gw_remote_tunnel $ip_gw_local_tunnel $proto 10001 $algo_args;
add $ip_gw_local_tunnel $ip_gw_remote_tunnel ipcomp 10000 -C $calgo;
add $ip_gw_remote_tunnel $ip_gw_local_tunnel ipcomp 10001 -C $calgo;
spdadd $subnet_local/64 $subnet_remote/64 any -P out ipsec
ipcomp/tunnel/$ip_gw_local_tunnel-$ip_gw_remote_tunnel/require
$proto/transport//require;
spdadd $subnet_remote/64 $subnet_local/64 any -P in ipsec
ipcomp/tunnel/$ip_gw_remote_tunnel-$ip_gw_local_tunnel/require
$proto/transport//require;
EOF
$DEBUG && cat $tmpfile
atf_check -s exit:0 -o empty $HIJACKING setkey -c < $tmpfile
check_sa_entries $SOCK_TUNNEL_LOCAL $ip_gw_local_tunnel \
$ip_gw_remote_tunnel
export RUMP_SERVER=$SOCK_TUNNEL_REMOTE
cat > $tmpfile <<-EOF
add $ip_gw_local_tunnel $ip_gw_remote_tunnel $proto 10000 $algo_args;
add $ip_gw_remote_tunnel $ip_gw_local_tunnel $proto 10001 $algo_args;
add $ip_gw_local_tunnel $ip_gw_remote_tunnel ipcomp 10000 -C $calgo;
add $ip_gw_remote_tunnel $ip_gw_local_tunnel ipcomp 10001 -C $calgo;
spdadd $subnet_remote/64 $subnet_local/64 any -P out ipsec
ipcomp/tunnel/$ip_gw_remote_tunnel-$ip_gw_local_tunnel/require
$proto/transport//require;
spdadd $subnet_local/64 $subnet_remote/64 any -P in ipsec
ipcomp/tunnel/$ip_gw_local_tunnel-$ip_gw_remote_tunnel/require
$proto/transport//require;
EOF
$DEBUG && cat $tmpfile
atf_check -s exit:0 -o empty $HIJACKING setkey -c < $tmpfile
check_sa_entries $SOCK_TUNNEL_REMOTE $ip_gw_local_tunnel \
$ip_gw_remote_tunnel
export RUMP_SERVER=$SOCK_LOCAL
# IPComp sends a packet as-is if a compressed payload of
# the packet is greater than or equal to the original payload.
# So we have to fill a payload with 1 to let IPComp always send
# a compressed packet.
# pktsize == minlen - 1
pktsize=$(($(get_minlen deflate) - 8 - 40 - 1))
atf_check -s exit:0 -o ignore \
rump.ping6 -c 1 -n -X 3 -s $pktsize -p ff $ip_remote
extract_new_packets $BUS_TUNNEL > $outfile
check_tunnel_ipcomp_packets $outfile \
$ip_gw_local_tunnel $ip_gw_remote_tunnel $pktproto \
$ip_local $ip_remote ICMP6
# pktsize == minlen
pktsize=$(($(get_minlen deflate) - 8 - 40))
atf_check -s exit:0 -o ignore \
rump.ping6 -c 1 -n -X 3 -s $pktsize -p ff $ip_remote
extract_new_packets $BUS_TUNNEL > $outfile
check_tunnel_ipcomp_packets $outfile \
$ip_gw_local_tunnel $ip_gw_remote_tunnel $pktproto \
$ip_local $ip_remote IPComp
test_flush_entries $SOCK_TUNNEL_LOCAL
test_flush_entries $SOCK_TUNNEL_REMOTE
}
test_tunnel_ipcomp_common()
{
local ipproto=$1
local proto=$2
local algo=$3
local calgo=$4
if [ $ipproto = ipv4 ]; then
test_ipsec4_tunnel_ipcomp $proto $algo $calgo
else
test_ipsec6_tunnel_ipcomp $proto $algo $calgo
fi
}
add_test_tunnel_mode()
{
local ipproto=$1
local proto=$2
local algo=$3
local calgo=$4
local _algo=$(echo $algo | sed 's/-//g')
local name= desc=
name="ipsec_tunnel_ipcomp_${calgo}_${ipproto}_${proto}_${_algo}"
desc="Tests of IPsec ($ipproto) tunnel mode with $proto ($algo) and ipcomp ($calgo)"
atf_test_case ${name} cleanup
eval " \
${name}_head() { \
atf_set \"descr\" \"$desc\"; \
atf_set \"require.progs\" \"rump_server\" \"setkey\"; \
}; \
${name}_body() { \
test_tunnel_ipcomp_common $ipproto $proto $algo $calgo; \
rump_server_destroy_ifaces; \
}; \
${name}_cleanup() { \
$DEBUG && dump; \
cleanup; \
} \
"
atf_add_test_case ${name}
}
atf_init_test_cases()
{
local calgo= algo=
for calgo in $IPCOMP_COMPRESSION_ALGORITHMS; do
for algo in $ESP_ENCRYPTION_ALGORITHMS_MINIMUM; do
add_test_tunnel_mode ipv4 esp $algo $calgo
add_test_tunnel_mode ipv6 esp $algo $calgo
done
for algo in $AH_AUTHENTICATION_ALGORITHMS_MINIMUM; do
add_test_tunnel_mode ipv4 ah $algo $calgo
add_test_tunnel_mode ipv6 ah $algo $calgo
done
done
}