# $NetBSD: t_ipsec_transport.sh,v 1.2 2017/05/09 04:25:28 ozaki-r Exp $ # # Copyright (c) 2017 Internet Initiative Japan Inc. # All rights reserved. # # Redistribution and use in source and binary forms, with or without # modification, are permitted provided that the following conditions # are met: # 1. Redistributions of source code must retain the above copyright # notice, this list of conditions and the following disclaimer. # 2. Redistributions in binary form must reproduce the above copyright # notice, this list of conditions and the following disclaimer in the # documentation and/or other materials provided with the distribution. # # THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS # ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED # TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR # PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS # BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR # CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF # SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS # INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN # CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) # ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE # POSSIBILITY OF SUCH DAMAGE. # SOCK_LOCAL=unix://ipsec_local SOCK_PEER=unix://ipsec_peer BUS=./bus_ipsec DEBUG=${DEBUG:-false} test_ipsec4_transport() { local proto=$1 local algo=$2 local ip_local=10.0.0.1 local ip_peer=10.0.0.2 local keylen=$(get_one_valid_keylen $algo) local key=$(generate_key $keylen) local tmpfile=./tmp local outfile=./out local opt= proto_cap= if [ $proto = esp ]; then opt=-E proto_cap=ESP else opt=-A proto_cap=AH fi rump_server_crypto_start $SOCK_LOCAL netipsec rump_server_crypto_start $SOCK_PEER netipsec rump_server_add_iface $SOCK_LOCAL shmif0 $BUS rump_server_add_iface $SOCK_PEER shmif0 $BUS export RUMP_SERVER=$SOCK_LOCAL atf_check -s exit:0 rump.ifconfig shmif0 $ip_local/24 atf_check -s exit:0 rump.ifconfig -w 10 export RUMP_SERVER=$SOCK_PEER atf_check -s exit:0 rump.ifconfig shmif0 $ip_peer/24 atf_check -s exit:0 rump.ifconfig -w 10 extract_new_packets $BUS > $outfile export RUMP_SERVER=$SOCK_LOCAL atf_check -s exit:0 -o ignore rump.ping -c 1 -n -w 3 $ip_peer extract_new_packets $BUS > $outfile atf_check -s exit:0 -o match:"$ip_local > $ip_peer: ICMP echo request" \ cat $outfile atf_check -s exit:0 -o match:"$ip_peer > $ip_local: ICMP echo reply" \ cat $outfile export RUMP_SERVER=$SOCK_LOCAL # from https://www.netbsd.org/docs/network/ipsec/ cat > $tmpfile <<-EOF add $ip_local $ip_peer $proto 10000 $opt $algo $key; add $ip_peer $ip_local $proto 10001 $opt $algo $key; spdadd $ip_local $ip_peer any -P out ipsec $proto/transport//require; EOF $DEBUG && cat $tmpfile atf_check -s exit:0 -o empty $HIJACKING setkey -c < $tmpfile $DEBUG && $HIJACKING setkey -D atf_check -s exit:0 -o match:"$ip_local $ip_peer" \ $HIJACKING setkey -D atf_check -s exit:0 -o match:"$ip_peer $ip_local" \ $HIJACKING setkey -D # TODO: more detail checks export RUMP_SERVER=$SOCK_PEER cat > $tmpfile <<-EOF add $ip_local $ip_peer $proto 10000 $opt $algo $key; add $ip_peer $ip_local $proto 10001 $opt $algo $key; spdadd $ip_peer $ip_local any -P out ipsec $proto/transport//require; EOF $DEBUG && cat $tmpfile atf_check -s exit:0 -o empty $HIJACKING setkey -c < $tmpfile $DEBUG && $HIJACKING setkey -D atf_check -s exit:0 -o match:"$ip_local $ip_peer" \ $HIJACKING setkey -D atf_check -s exit:0 -o match:"$ip_peer $ip_local" \ $HIJACKING setkey -D # TODO: more detail checks export RUMP_SERVER=$SOCK_LOCAL atf_check -s exit:0 -o ignore rump.ping -c 1 -n -w 3 $ip_peer extract_new_packets $BUS > $outfile atf_check -s exit:0 -o match:"$ip_local > $ip_peer: $proto_cap" \ cat $outfile atf_check -s exit:0 -o match:"$ip_peer > $ip_local: $proto_cap" \ cat $outfile test_flush_entries $SOCK_LOCAL test_flush_entries $SOCK_PEER } test_ipsec6_transport() { local proto=$1 local algo=$2 local ip_local=fd00::1 local ip_peer=fd00::2 local keylen=$(get_one_valid_keylen $algo) local key=$(generate_key $keylen) local tmpfile=./tmp local outfile=./out local opt= proto_cap= if [ $proto = esp ]; then opt=-E proto_cap=ESP else opt=-A proto_cap=AH fi rump_server_crypto_start $SOCK_LOCAL netinet6 netipsec rump_server_crypto_start $SOCK_PEER netinet6 netipsec rump_server_add_iface $SOCK_LOCAL shmif0 $BUS rump_server_add_iface $SOCK_PEER shmif0 $BUS export RUMP_SERVER=$SOCK_LOCAL atf_check -s exit:0 rump.ifconfig shmif0 inet6 $ip_local atf_check -s exit:0 rump.ifconfig -w 10 export RUMP_SERVER=$SOCK_PEER atf_check -s exit:0 rump.ifconfig shmif0 inet6 $ip_peer atf_check -s exit:0 rump.ifconfig -w 10 extract_new_packets $BUS > $outfile export RUMP_SERVER=$SOCK_LOCAL atf_check -s exit:0 -o ignore rump.ping6 -c 1 -n -X 3 $ip_peer extract_new_packets $BUS > $outfile atf_check -s exit:0 -o match:"$ip_local > $ip_peer: ICMP6, echo request" \ cat $outfile atf_check -s exit:0 -o match:"$ip_peer > $ip_local: ICMP6, echo reply" \ cat $outfile export RUMP_SERVER=$SOCK_LOCAL # from https://www.netbsd.org/docs/network/ipsec/ cat > $tmpfile <<-EOF add $ip_local $ip_peer $proto 10000 $opt $algo $key; add $ip_peer $ip_local $proto 10001 $opt $algo $key; spdadd $ip_local $ip_peer any -P out ipsec $proto/transport//require; EOF $DEBUG && cat $tmpfile atf_check -s exit:0 -o empty $HIJACKING setkey -c < $tmpfile $DEBUG && $HIJACKING setkey -D atf_check -s exit:0 -o match:"$ip_local $ip_peer" \ $HIJACKING setkey -D atf_check -s exit:0 -o match:"$ip_peer $ip_local" \ $HIJACKING setkey -D # TODO: more detail checks export RUMP_SERVER=$SOCK_PEER cat > $tmpfile <<-EOF add $ip_local $ip_peer $proto 10000 $opt $algo $key; add $ip_peer $ip_local $proto 10001 $opt $algo $key; spdadd $ip_peer $ip_local any -P out ipsec $proto/transport//require; EOF $DEBUG && cat $tmpfile atf_check -s exit:0 -o empty $HIJACKING setkey -c < $tmpfile $DEBUG && $HIJACKING setkey -D atf_check -s exit:0 -o match:"$ip_local $ip_peer" \ $HIJACKING setkey -D atf_check -s exit:0 -o match:"$ip_peer $ip_local" \ $HIJACKING setkey -D # TODO: more detail checks export RUMP_SERVER=$SOCK_LOCAL atf_check -s exit:0 -o ignore rump.ping6 -c 1 -n -X 3 $ip_peer extract_new_packets $BUS > $outfile atf_check -s exit:0 -o match:"$ip_local > $ip_peer: $proto_cap" \ cat $outfile atf_check -s exit:0 -o match:"$ip_peer > $ip_local: $proto_cap" \ cat $outfile test_flush_entries $SOCK_LOCAL test_flush_entries $SOCK_PEER } test_transport_common() { local ipproto=$1 local proto=$2 local algo=$3 if [ $ipproto = ipv4 ]; then test_ipsec4_transport $proto $algo else test_ipsec6_transport $proto $algo fi } add_test_transport_mode() { local ipproto=$1 local proto=$2 local algo=$3 local _algo=$(echo $algo | sed 's/-//g') local name= desc= name="ipsec_transport_${ipproto}_${proto}_${_algo}" desc="Tests of IPsec ($ipproto) transport mode with $proto ($algo)" atf_test_case ${name} cleanup eval " \ ${name}_head() { \ atf_set \"descr\" \"$desc\"; \ atf_set \"require.progs\" \"rump_server\" \"setkey\"; \ }; \ ${name}_body() { \ test_transport_common $ipproto $proto $algo; \ rump_server_destroy_ifaces; \ }; \ ${name}_cleanup() { \ $DEBUG && dump; \ cleanup; \ } \ " atf_add_test_case ${name} } atf_init_test_cases() { local algo= for algo in $ESP_ENCRYPTION_ALGORITHMS; do add_test_transport_mode ipv4 esp $algo add_test_transport_mode ipv6 esp $algo done for algo in $AH_AUTHENTICATION_ALGORITHMS; do add_test_transport_mode ipv4 ah $algo add_test_transport_mode ipv6 ah $algo done }