265 lines
7.9 KiB
Bash
265 lines
7.9 KiB
Bash
# $NetBSD: t_ipsec_transport.sh,v 1.2 2017/05/09 04:25:28 ozaki-r Exp $
|
|
#
|
|
# Copyright (c) 2017 Internet Initiative Japan Inc.
|
|
# All rights reserved.
|
|
#
|
|
# Redistribution and use in source and binary forms, with or without
|
|
# modification, are permitted provided that the following conditions
|
|
# are met:
|
|
# 1. Redistributions of source code must retain the above copyright
|
|
# notice, this list of conditions and the following disclaimer.
|
|
# 2. Redistributions in binary form must reproduce the above copyright
|
|
# notice, this list of conditions and the following disclaimer in the
|
|
# documentation and/or other materials provided with the distribution.
|
|
#
|
|
# THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
|
|
# ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
|
|
# TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
|
|
# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
|
|
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
|
|
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
|
|
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
|
|
# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
|
|
# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
|
|
# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
|
|
# POSSIBILITY OF SUCH DAMAGE.
|
|
#
|
|
|
|
SOCK_LOCAL=unix://ipsec_local
|
|
SOCK_PEER=unix://ipsec_peer
|
|
BUS=./bus_ipsec
|
|
|
|
DEBUG=${DEBUG:-false}
|
|
|
|
test_ipsec4_transport()
|
|
{
|
|
local proto=$1
|
|
local algo=$2
|
|
local ip_local=10.0.0.1
|
|
local ip_peer=10.0.0.2
|
|
local keylen=$(get_one_valid_keylen $algo)
|
|
local key=$(generate_key $keylen)
|
|
local tmpfile=./tmp
|
|
local outfile=./out
|
|
local opt= proto_cap=
|
|
|
|
if [ $proto = esp ]; then
|
|
opt=-E
|
|
proto_cap=ESP
|
|
else
|
|
opt=-A
|
|
proto_cap=AH
|
|
fi
|
|
|
|
rump_server_crypto_start $SOCK_LOCAL netipsec
|
|
rump_server_crypto_start $SOCK_PEER netipsec
|
|
rump_server_add_iface $SOCK_LOCAL shmif0 $BUS
|
|
rump_server_add_iface $SOCK_PEER shmif0 $BUS
|
|
|
|
export RUMP_SERVER=$SOCK_LOCAL
|
|
atf_check -s exit:0 rump.ifconfig shmif0 $ip_local/24
|
|
atf_check -s exit:0 rump.ifconfig -w 10
|
|
|
|
export RUMP_SERVER=$SOCK_PEER
|
|
atf_check -s exit:0 rump.ifconfig shmif0 $ip_peer/24
|
|
atf_check -s exit:0 rump.ifconfig -w 10
|
|
|
|
extract_new_packets $BUS > $outfile
|
|
|
|
export RUMP_SERVER=$SOCK_LOCAL
|
|
atf_check -s exit:0 -o ignore rump.ping -c 1 -n -w 3 $ip_peer
|
|
|
|
extract_new_packets $BUS > $outfile
|
|
atf_check -s exit:0 -o match:"$ip_local > $ip_peer: ICMP echo request" \
|
|
cat $outfile
|
|
atf_check -s exit:0 -o match:"$ip_peer > $ip_local: ICMP echo reply" \
|
|
cat $outfile
|
|
|
|
export RUMP_SERVER=$SOCK_LOCAL
|
|
# from https://www.netbsd.org/docs/network/ipsec/
|
|
cat > $tmpfile <<-EOF
|
|
add $ip_local $ip_peer $proto 10000 $opt $algo $key;
|
|
add $ip_peer $ip_local $proto 10001 $opt $algo $key;
|
|
spdadd $ip_local $ip_peer any -P out ipsec $proto/transport//require;
|
|
EOF
|
|
$DEBUG && cat $tmpfile
|
|
atf_check -s exit:0 -o empty $HIJACKING setkey -c < $tmpfile
|
|
$DEBUG && $HIJACKING setkey -D
|
|
atf_check -s exit:0 -o match:"$ip_local $ip_peer" \
|
|
$HIJACKING setkey -D
|
|
atf_check -s exit:0 -o match:"$ip_peer $ip_local" \
|
|
$HIJACKING setkey -D
|
|
# TODO: more detail checks
|
|
|
|
export RUMP_SERVER=$SOCK_PEER
|
|
cat > $tmpfile <<-EOF
|
|
add $ip_local $ip_peer $proto 10000 $opt $algo $key;
|
|
add $ip_peer $ip_local $proto 10001 $opt $algo $key;
|
|
spdadd $ip_peer $ip_local any -P out ipsec $proto/transport//require;
|
|
EOF
|
|
$DEBUG && cat $tmpfile
|
|
atf_check -s exit:0 -o empty $HIJACKING setkey -c < $tmpfile
|
|
$DEBUG && $HIJACKING setkey -D
|
|
atf_check -s exit:0 -o match:"$ip_local $ip_peer" \
|
|
$HIJACKING setkey -D
|
|
atf_check -s exit:0 -o match:"$ip_peer $ip_local" \
|
|
$HIJACKING setkey -D
|
|
# TODO: more detail checks
|
|
|
|
export RUMP_SERVER=$SOCK_LOCAL
|
|
atf_check -s exit:0 -o ignore rump.ping -c 1 -n -w 3 $ip_peer
|
|
|
|
extract_new_packets $BUS > $outfile
|
|
atf_check -s exit:0 -o match:"$ip_local > $ip_peer: $proto_cap" \
|
|
cat $outfile
|
|
atf_check -s exit:0 -o match:"$ip_peer > $ip_local: $proto_cap" \
|
|
cat $outfile
|
|
|
|
test_flush_entries $SOCK_LOCAL
|
|
test_flush_entries $SOCK_PEER
|
|
}
|
|
|
|
test_ipsec6_transport()
|
|
{
|
|
local proto=$1
|
|
local algo=$2
|
|
local ip_local=fd00::1
|
|
local ip_peer=fd00::2
|
|
local keylen=$(get_one_valid_keylen $algo)
|
|
local key=$(generate_key $keylen)
|
|
local tmpfile=./tmp
|
|
local outfile=./out
|
|
local opt= proto_cap=
|
|
|
|
if [ $proto = esp ]; then
|
|
opt=-E
|
|
proto_cap=ESP
|
|
else
|
|
opt=-A
|
|
proto_cap=AH
|
|
fi
|
|
|
|
rump_server_crypto_start $SOCK_LOCAL netinet6 netipsec
|
|
rump_server_crypto_start $SOCK_PEER netinet6 netipsec
|
|
rump_server_add_iface $SOCK_LOCAL shmif0 $BUS
|
|
rump_server_add_iface $SOCK_PEER shmif0 $BUS
|
|
|
|
export RUMP_SERVER=$SOCK_LOCAL
|
|
atf_check -s exit:0 rump.ifconfig shmif0 inet6 $ip_local
|
|
atf_check -s exit:0 rump.ifconfig -w 10
|
|
|
|
export RUMP_SERVER=$SOCK_PEER
|
|
atf_check -s exit:0 rump.ifconfig shmif0 inet6 $ip_peer
|
|
atf_check -s exit:0 rump.ifconfig -w 10
|
|
|
|
extract_new_packets $BUS > $outfile
|
|
|
|
export RUMP_SERVER=$SOCK_LOCAL
|
|
atf_check -s exit:0 -o ignore rump.ping6 -c 1 -n -X 3 $ip_peer
|
|
|
|
extract_new_packets $BUS > $outfile
|
|
atf_check -s exit:0 -o match:"$ip_local > $ip_peer: ICMP6, echo request" \
|
|
cat $outfile
|
|
atf_check -s exit:0 -o match:"$ip_peer > $ip_local: ICMP6, echo reply" \
|
|
cat $outfile
|
|
|
|
export RUMP_SERVER=$SOCK_LOCAL
|
|
# from https://www.netbsd.org/docs/network/ipsec/
|
|
cat > $tmpfile <<-EOF
|
|
add $ip_local $ip_peer $proto 10000 $opt $algo $key;
|
|
add $ip_peer $ip_local $proto 10001 $opt $algo $key;
|
|
spdadd $ip_local $ip_peer any -P out ipsec $proto/transport//require;
|
|
EOF
|
|
$DEBUG && cat $tmpfile
|
|
atf_check -s exit:0 -o empty $HIJACKING setkey -c < $tmpfile
|
|
$DEBUG && $HIJACKING setkey -D
|
|
atf_check -s exit:0 -o match:"$ip_local $ip_peer" \
|
|
$HIJACKING setkey -D
|
|
atf_check -s exit:0 -o match:"$ip_peer $ip_local" \
|
|
$HIJACKING setkey -D
|
|
# TODO: more detail checks
|
|
|
|
export RUMP_SERVER=$SOCK_PEER
|
|
cat > $tmpfile <<-EOF
|
|
add $ip_local $ip_peer $proto 10000 $opt $algo $key;
|
|
add $ip_peer $ip_local $proto 10001 $opt $algo $key;
|
|
spdadd $ip_peer $ip_local any -P out ipsec $proto/transport//require;
|
|
EOF
|
|
$DEBUG && cat $tmpfile
|
|
atf_check -s exit:0 -o empty $HIJACKING setkey -c < $tmpfile
|
|
$DEBUG && $HIJACKING setkey -D
|
|
atf_check -s exit:0 -o match:"$ip_local $ip_peer" \
|
|
$HIJACKING setkey -D
|
|
atf_check -s exit:0 -o match:"$ip_peer $ip_local" \
|
|
$HIJACKING setkey -D
|
|
# TODO: more detail checks
|
|
|
|
export RUMP_SERVER=$SOCK_LOCAL
|
|
atf_check -s exit:0 -o ignore rump.ping6 -c 1 -n -X 3 $ip_peer
|
|
|
|
extract_new_packets $BUS > $outfile
|
|
atf_check -s exit:0 -o match:"$ip_local > $ip_peer: $proto_cap" \
|
|
cat $outfile
|
|
atf_check -s exit:0 -o match:"$ip_peer > $ip_local: $proto_cap" \
|
|
cat $outfile
|
|
|
|
test_flush_entries $SOCK_LOCAL
|
|
test_flush_entries $SOCK_PEER
|
|
}
|
|
|
|
test_transport_common()
|
|
{
|
|
local ipproto=$1
|
|
local proto=$2
|
|
local algo=$3
|
|
|
|
if [ $ipproto = ipv4 ]; then
|
|
test_ipsec4_transport $proto $algo
|
|
else
|
|
test_ipsec6_transport $proto $algo
|
|
fi
|
|
}
|
|
|
|
add_test_transport_mode()
|
|
{
|
|
local ipproto=$1
|
|
local proto=$2
|
|
local algo=$3
|
|
local _algo=$(echo $algo | sed 's/-//g')
|
|
local name= desc=
|
|
|
|
name="ipsec_transport_${ipproto}_${proto}_${_algo}"
|
|
desc="Tests of IPsec ($ipproto) transport mode with $proto ($algo)"
|
|
|
|
atf_test_case ${name} cleanup
|
|
eval " \
|
|
${name}_head() { \
|
|
atf_set \"descr\" \"$desc\"; \
|
|
atf_set \"require.progs\" \"rump_server\" \"setkey\"; \
|
|
}; \
|
|
${name}_body() { \
|
|
test_transport_common $ipproto $proto $algo; \
|
|
rump_server_destroy_ifaces; \
|
|
}; \
|
|
${name}_cleanup() { \
|
|
$DEBUG && dump; \
|
|
cleanup; \
|
|
} \
|
|
"
|
|
atf_add_test_case ${name}
|
|
}
|
|
|
|
atf_init_test_cases()
|
|
{
|
|
local algo=
|
|
|
|
for algo in $ESP_ENCRYPTION_ALGORITHMS; do
|
|
add_test_transport_mode ipv4 esp $algo
|
|
add_test_transport_mode ipv6 esp $algo
|
|
done
|
|
for algo in $AH_AUTHENTICATION_ALGORITHMS; do
|
|
add_test_transport_mode ipv4 ah $algo
|
|
add_test_transport_mode ipv6 ah $algo
|
|
done
|
|
}
|