#	$NetBSD: t_ipsec_gif.sh,v 1.10 2023/08/22 05:40:50 rin Exp $
#
# Copyright (c) 2017 Internet Initiative Japan Inc.
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
# 1. Redistributions of source code must retain the above copyright
#    notice, this list of conditions and the following disclaimer.
# 2. Redistributions in binary form must reproduce the above copyright
#    notice, this list of conditions and the following disclaimer in the
#    documentation and/or other materials provided with the distribution.
#
# THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
# ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
# TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
# PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
# POSSIBILITY OF SUCH DAMAGE.
#

# Rump server control sockets, one per simulated host: the two end hosts
# and the two gateways that terminate the gif tunnel between them.
SOCK_LOCAL=unix://ipsec_gif_local
SOCK_TUN_LOCAL=unix://ipsec_gif_tunel_local	# sic: the path only has to be unique
SOCK_TUN_REMOTE=unix://ipsec_gif_tunnel_remote
SOCK_REMOTE=unix://ipsec_gif_remote
# shmif buses: host<->gateway on each side, plus the inter-gateway link on
# which the (encapsulated, later IPsec-protected) traffic is captured.
BUS_LOCAL=./bus_ipsec_local
BUS_TUNNEL=./bus_ipsec_tunnel
BUS_REMOTE=./bus_ipsec_remote

# DEBUG is run as a command ("$DEBUG && ..."), so it must be true or false;
# default to true unless the environment already provides a value.
: "${DEBUG:=true}"

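# Build the pattern that the extract_new_packets output is matched against
# for one IPsec-protected gif packet on the tunnel bus.
# Arguments: $1 - outer (tunnel) source address
#            $2 - outer (tunnel) destination address
#            $3 - inner source address
#            $4 - inner destination address
#            $5 - IPsec protocol: "esp"; anything else is treated as AH
#            $6 - address family tag (ipv4/ipv6); accepted for caller
#                 compatibility but not part of the pattern
# Outputs:   the pattern on stdout, e.g. "A > B: ESP.+"
# For ESP nothing after the ESP header is asserted (the payload is not
# expected to be readable); AH provides integrity only, so the inner
# "src > dst" is still expected in the clear after the AH header.
make_gif_pktstr()
{
	local src=$1
	local dst=$2
	local src_inner=$3
	local dst_inner=$4
	local proto=$5
	local proto_cap= inner_str=

	# Quoted so an empty/unset $5 yields the AH branch without a test(1)
	# syntax error on stderr.
	if [ "$proto" = esp ]; then
		proto_cap=ESP
	else
		proto_cap=AH
		inner_str="$src_inner > $dst_inner"
	fi

	# printf rather than echo: the result is data (a regex), not a message.
	printf '%s\n' "$src > $dst: $proto_cap.+$inner_str"
}
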
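# Wait for address configuration (DAD) to settle on every interface of all
# four rump servers by running "rump.ifconfig -w 10" against each of them,
# so the routes and pings that follow do not race against tentative
# addresses.
# Globals:  SOCK_LOCAL SOCK_TUN_LOCAL SOCK_TUN_REMOTE SOCK_REMOTE (read)
#           RUMP_SERVER (exported; left pointing at SOCK_REMOTE on return)
# Returns:  atf_check aborts the test case if any ifconfig -w fails.
wait_for_all_dad_completions()
{
	# Declared local so the loop variable does not leak into the caller.
	local sock=

	for sock in $SOCK_LOCAL $SOCK_TUN_LOCAL $SOCK_TUN_REMOTE $SOCK_REMOTE; do
		export RUMP_SERVER=$sock
		atf_check -s exit:0 rump.ifconfig -w 10
	done
}
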
# Exercise IPsec over an IPv4 gif tunnel.  Topology (rump servers joined by
# shmif buses):
#   LOCAL shmif0 -- BUS_LOCAL -- shmif0 TUN_LOCAL shmif1 -- BUS_TUNNEL --
#   shmif1 TUN_REMOTE shmif0 -- BUS_REMOTE -- shmif0 REMOTE
# gif0 on each gateway tunnels between ip_gwlo_tun and ip_gwre_tun.  The
# test first pings end-to-end with no IPsec and checks the gif-encapsulated
# packet is visible in the clear on BUS_TUNNEL, then installs SAs/SPs on
# both gateways and checks the same ping now appears as ESP or AH.
# Arguments: $1 - "tunnel" selects tunnel-mode SPs; anything else transport
#            $2 - esp or ah
#            $3 - algorithm name handed to generate_algo_args
# Globals:   SOCK_*, BUS_*, DEBUG, HIJACKING (read); RUMP_SERVER (exported)
# Files:     ./tmp (setkey input) and ./out (captured packets) in the
#            atf work directory
test_ipsec4_gif()
{
	local mode=$1
	local proto=$2
	local algo=$3
	local ip_local=10.0.1.2
	local ip_gw_local=10.0.1.1
	local ip_gwlo_tun=20.0.0.1
	local ip_gwlo_gif=20.1.0.1
	local ip_gwre_gif=20.1.0.2
	local ip_gwre_tun=20.0.0.2
	local ip_gw_remote=10.0.2.1
	local ip_remote=10.0.2.2
	local subnet_local=10.0.1.0
	local subnet_remote=10.0.2.0
	local tmpfile=./tmp
	local outfile=./out
	local str=
	# NOTE(review): "local x=$(cmd)" masks the exit status of
	# generate_algo_args; a failure would surface later as a setkey error.
	local algo_args="$(generate_algo_args $proto $algo)"

	# Only the two gateways are started with the netipsec and gif components.
	rump_server_crypto_start $SOCK_LOCAL
	rump_server_crypto_start $SOCK_TUN_LOCAL netipsec gif
	rump_server_crypto_start $SOCK_TUN_REMOTE netipsec gif
	rump_server_crypto_start $SOCK_REMOTE
	rump_server_add_iface $SOCK_LOCAL shmif0 $BUS_LOCAL
	rump_server_add_iface $SOCK_TUN_LOCAL shmif0 $BUS_LOCAL
	rump_server_add_iface $SOCK_TUN_LOCAL shmif1 $BUS_TUNNEL
	rump_server_add_iface $SOCK_TUN_REMOTE shmif0 $BUS_REMOTE
	rump_server_add_iface $SOCK_TUN_REMOTE shmif1 $BUS_TUNNEL
	rump_server_add_iface $SOCK_REMOTE shmif0 $BUS_REMOTE

	# LOCAL: address plus a route to the remote subnet via its gateway.
	export RUMP_SERVER=$SOCK_LOCAL
	atf_check -s exit:0 rump.ifconfig shmif0 $ip_local/24
	atf_check -s exit:0 -o ignore \
	    rump.route -n add -net $subnet_remote $ip_gw_local

	# TUN_LOCAL: LAN side, tunnel side, gif0 with its outer endpoints and a
	# /32 inner address, IP forwarding on, and a route to the remote subnet
	# through the gif peer address.
	export RUMP_SERVER=$SOCK_TUN_LOCAL
	atf_check -s exit:0 rump.ifconfig shmif0 $ip_gw_local/24
	atf_check -s exit:0 rump.ifconfig shmif1 $ip_gwlo_tun/24
	rump_server_add_iface $SOCK_TUN_LOCAL gif0
	atf_check -s exit:0 rump.ifconfig gif0 \
	    tunnel $ip_gwlo_tun $ip_gwre_tun
	atf_check -s exit:0 rump.ifconfig gif0 \
	    inet $ip_gwlo_gif/32 $ip_gwre_gif
	atf_check -s exit:0 rump.sysctl -q -w net.inet.ip.forwarding=1
	atf_check -s exit:0 -o ignore \
	    rump.route -n add -net $subnet_remote $ip_gwre_gif

	# TUN_REMOTE: mirror image of TUN_LOCAL.
	export RUMP_SERVER=$SOCK_TUN_REMOTE
	atf_check -s exit:0 rump.ifconfig shmif0 $ip_gw_remote/24
	atf_check -s exit:0 rump.ifconfig shmif1 $ip_gwre_tun/24
	rump_server_add_iface $SOCK_TUN_REMOTE gif0
	atf_check -s exit:0 rump.ifconfig gif0 \
	    tunnel $ip_gwre_tun $ip_gwlo_tun
	atf_check -s exit:0 rump.ifconfig gif0 \
	    inet $ip_gwre_gif/32 $ip_gwlo_gif
	atf_check -s exit:0 rump.sysctl -q -w net.inet.ip.forwarding=1
	atf_check -s exit:0 -o ignore \
	    rump.route -n add -net $subnet_local $ip_gwlo_gif

	# REMOTE: address now; its route is added only after DAD completes.
	export RUMP_SERVER=$SOCK_REMOTE
	atf_check -s exit:0 rump.ifconfig shmif0 $ip_remote/24

	wait_for_all_dad_completions

	# RUMP_SERVER is still SOCK_REMOTE here (last one visited above).
	atf_check -s exit:0 -o ignore \
	    rump.route -n add -net $subnet_local $ip_gw_remote

	# Snapshot the tunnel bus so the capture taken after the ping holds
	# only the new packets (assumes extract_new_packets reports packets
	# since its previous call -- confirm against the helper).
	extract_new_packets $BUS_TUNNEL > $outfile

	export RUMP_SERVER=$SOCK_LOCAL
	atf_check -s exit:0 -o ignore rump.ping -c 1 -n -w 3 $ip_remote

	# No SA/SP installed yet: the ping must traverse the gif tunnel in the
	# clear, i.e. outer addresses followed by inner addresses and ICMP type.
	extract_new_packets $BUS_TUNNEL > $outfile
	str="$ip_gwlo_tun > $ip_gwre_tun:"
	str="$str $ip_local > $ip_remote: ICMP echo request,"
	atf_check -s exit:0 -o match:"$str" cat $outfile
	str="$ip_gwre_tun > $ip_gwlo_tun:"
	str="$str $ip_remote > $ip_local: ICMP echo reply,"
	atf_check -s exit:0 -o match:"$str" cat $outfile

	# Install one SA per direction (SPI 10000 lo->re, 10001 re->lo; test
	# keys come from algo_args) and an out/in policy pair on each gateway.
	# "-o empty" turns any setkey diagnostic into a test failure, and
	# HIJACKING is expected to steer setkey's socket into the rump kernel
	# selected by RUMP_SERVER.
	if [ $mode = tunnel ]; then
		# Tunnel mode: the policies cover the two end-host subnets.
		export RUMP_SERVER=$SOCK_TUN_LOCAL
		# from https://www.netbsd.org/docs/network/ipsec/
		cat > $tmpfile <<-EOF
		add $ip_gwlo_tun $ip_gwre_tun $proto 10000 $algo_args;
		add $ip_gwre_tun $ip_gwlo_tun $proto 10001 $algo_args;
		spdadd $subnet_local/24 $subnet_remote/24 any -P out ipsec
		    $proto/tunnel/$ip_gwlo_tun-$ip_gwre_tun/require;
		spdadd $subnet_remote/24 $subnet_local/24 any -P in ipsec
		    $proto/tunnel/$ip_gwre_tun-$ip_gwlo_tun/require;
		EOF
		$DEBUG && cat $tmpfile
		atf_check -s exit:0 -o empty $HIJACKING setkey -c < $tmpfile

		export RUMP_SERVER=$SOCK_TUN_REMOTE
		cat > $tmpfile <<-EOF
		add $ip_gwlo_tun $ip_gwre_tun $proto 10000 $algo_args;
		add $ip_gwre_tun $ip_gwlo_tun $proto 10001 $algo_args;
		spdadd $subnet_remote/24 $subnet_local/24 any -P out ipsec
		    $proto/tunnel/$ip_gwre_tun-$ip_gwlo_tun/require;
		spdadd $subnet_local/24 $subnet_remote/24 any -P in ipsec
		    $proto/tunnel/$ip_gwlo_tun-$ip_gwre_tun/require;
		EOF
		$DEBUG && cat $tmpfile
		atf_check -s exit:0 -o empty $HIJACKING setkey -c < $tmpfile
	else # transport mode
		# Transport mode: the policies are keyed on the outer tunnel
		# endpoints only (/32 host entries).
		export RUMP_SERVER=$SOCK_TUN_LOCAL
		# from https://www.netbsd.org/docs/network/ipsec/
		cat > $tmpfile <<-EOF
		add $ip_gwlo_tun $ip_gwre_tun $proto 10000 $algo_args;
		add $ip_gwre_tun $ip_gwlo_tun $proto 10001 $algo_args;
		spdadd $ip_gwlo_tun/32 $ip_gwre_tun/32 any -P out ipsec
		    $proto/transport//require;
		spdadd $ip_gwre_tun/32 $ip_gwlo_tun/32 any -P in ipsec
		    $proto/transport//require;
		EOF
		$DEBUG && cat $tmpfile
		atf_check -s exit:0 -o empty $HIJACKING setkey -c < $tmpfile

		export RUMP_SERVER=$SOCK_TUN_REMOTE
		cat > $tmpfile <<-EOF
		add $ip_gwlo_tun $ip_gwre_tun $proto 10000 $algo_args;
		add $ip_gwre_tun $ip_gwlo_tun $proto 10001 $algo_args;
		spdadd $ip_gwre_tun/32 $ip_gwlo_tun/32 any -P out ipsec
		    $proto/transport//require;
		spdadd $ip_gwlo_tun/32 $ip_gwre_tun/32 any -P in ipsec
		    $proto/transport//require;
		EOF
		$DEBUG && cat $tmpfile
		atf_check -s exit:0 -o empty $HIJACKING setkey -c < $tmpfile
	fi

	# Both gateways must now show the SA pair for the tunnel endpoints.
	check_sa_entries $SOCK_TUN_LOCAL $ip_gwlo_tun $ip_gwre_tun
	check_sa_entries $SOCK_TUN_REMOTE $ip_gwlo_tun $ip_gwre_tun

	export RUMP_SERVER=$SOCK_LOCAL
	atf_check -s exit:0 -o ignore rump.ping -c 1 -n -w 3 $ip_remote

	# Same ping, now with IPsec applied: the tunnel bus must show ESP/AH.
	# For AH the inner addresses are still expected in the clear
	# (integrity only); see make_gif_pktstr.
	extract_new_packets $BUS_TUNNEL > $outfile
	str=$(make_gif_pktstr $ip_gwlo_tun $ip_gwre_tun \
	    $ip_local $ip_remote $proto ipv4)
	atf_check -s exit:0 -o match:"$str" cat $outfile
	str=$(make_gif_pktstr $ip_gwre_tun $ip_gwlo_tun \
	    $ip_remote $ip_local $proto ipv4)
	atf_check -s exit:0 -o match:"$str" cat $outfile

	# Project helper; presumably flushes the SA/SP entries on each gateway.
	test_flush_entries $SOCK_TUN_LOCAL
	test_flush_entries $SOCK_TUN_REMOTE
}

# IPv6 counterpart of test_ipsec4_gif: same four-host topology and the same
# two-phase check (gif in the clear, then ESP/AH after SAs/SPs are
# installed on both gateways), using IPv6 addresses, rump.ping6 and the
# net.inet6.ip6.forwarding sysctl.
# Arguments: $1 - "tunnel" selects tunnel-mode SPs; anything else transport
#            $2 - esp or ah
#            $3 - algorithm name handed to generate_algo_args
# Globals:   SOCK_*, BUS_*, DEBUG, HIJACKING (read); RUMP_SERVER (exported)
# Files:     ./tmp (setkey input) and ./out (captured packets) in the
#            atf work directory
test_ipsec6_gif()
{
	local mode=$1
	local proto=$2
	local algo=$3
	local ip_local=fd00:1::2
	local ip_gw_local=fd00:1::1
	local ip_gwlo_tun=fc00::1
	local ip_gwlo_gif=fc01::1
	local ip_gwre_gif=fc01::2
	local ip_gwre_tun=fc00::2
	local ip_gw_remote=fd00:2::1
	local ip_remote=fd00:2::2
	local subnet_local=fd00:1::
	local subnet_remote=fd00:2::
	local tmpfile=./tmp
	local outfile=./out
	local str=
	# NOTE(review): "local x=$(cmd)" masks the exit status of
	# generate_algo_args; a failure would surface later as a setkey error.
	local algo_args="$(generate_algo_args $proto $algo)"

	# Every server needs netinet6; only the gateways get netipsec and gif.
	rump_server_crypto_start $SOCK_LOCAL netinet6
	rump_server_crypto_start $SOCK_TUN_LOCAL netipsec netinet6 gif
	rump_server_crypto_start $SOCK_TUN_REMOTE netipsec netinet6 gif
	rump_server_crypto_start $SOCK_REMOTE netinet6
	rump_server_add_iface $SOCK_LOCAL shmif0 $BUS_LOCAL
	rump_server_add_iface $SOCK_TUN_LOCAL shmif0 $BUS_LOCAL
	rump_server_add_iface $SOCK_TUN_LOCAL shmif1 $BUS_TUNNEL
	rump_server_add_iface $SOCK_TUN_REMOTE shmif0 $BUS_REMOTE
	rump_server_add_iface $SOCK_TUN_REMOTE shmif1 $BUS_TUNNEL
	rump_server_add_iface $SOCK_REMOTE shmif0 $BUS_REMOTE

	# LOCAL: address plus a route to the remote /64 via its gateway.
	export RUMP_SERVER=$SOCK_LOCAL
	atf_check -s exit:0 rump.ifconfig shmif0 inet6 $ip_local/64
	atf_check -s exit:0 -o ignore \
	    rump.route -n add -inet6 -net $subnet_remote/64 $ip_gw_local

	# TUN_LOCAL: LAN side, tunnel side, gif0 with its outer endpoints and a
	# /128 inner address, IPv6 forwarding on, and a route to the remote /64
	# through the gif peer address.
	export RUMP_SERVER=$SOCK_TUN_LOCAL
	atf_check -s exit:0 rump.ifconfig shmif0 inet6 $ip_gw_local/64
	atf_check -s exit:0 rump.ifconfig shmif1 inet6 $ip_gwlo_tun/64
	rump_server_add_iface $SOCK_TUN_LOCAL gif0
	atf_check -s exit:0 rump.ifconfig gif0 \
	    tunnel $ip_gwlo_tun $ip_gwre_tun
	atf_check -s exit:0 rump.ifconfig gif0 \
	    inet6 $ip_gwlo_gif/128 $ip_gwre_gif
	atf_check -s exit:0 rump.sysctl -q -w net.inet6.ip6.forwarding=1
	atf_check -s exit:0 -o ignore \
	    rump.route -n add -inet6 -net $subnet_remote/64 $ip_gwlo_gif

	# TUN_REMOTE: mirror image of TUN_LOCAL.
	export RUMP_SERVER=$SOCK_TUN_REMOTE
	atf_check -s exit:0 rump.ifconfig shmif0 inet6 $ip_gw_remote/64
	atf_check -s exit:0 rump.ifconfig shmif1 inet6 $ip_gwre_tun/64
	rump_server_add_iface $SOCK_TUN_REMOTE gif0
	atf_check -s exit:0 rump.ifconfig gif0 \
	    tunnel $ip_gwre_tun $ip_gwlo_tun
	atf_check -s exit:0 rump.ifconfig gif0 \
	    inet6 $ip_gwre_gif/128 $ip_gwlo_gif
	atf_check -s exit:0 rump.sysctl -q -w net.inet6.ip6.forwarding=1
	atf_check -s exit:0 -o ignore \
	    rump.route -n add -inet6 -net $subnet_local/64 $ip_gwre_gif

	# REMOTE: address now; its route is added only after DAD completes.
	# NOTE(review): no prefix length is given here, unlike every other
	# inet6 address above -- confirm the default is the intended /64.
	export RUMP_SERVER=$SOCK_REMOTE
	atf_check -s exit:0 rump.ifconfig shmif0 inet6 $ip_remote

	wait_for_all_dad_completions

	# RUMP_SERVER is still SOCK_REMOTE here (last one visited above).
	atf_check -s exit:0 -o ignore \
	    rump.route -n add -inet6 -net $subnet_local/64 $ip_gw_remote

	# Snapshot the tunnel bus so the capture taken after the ping holds
	# only the new packets (assumes extract_new_packets reports packets
	# since its previous call -- confirm against the helper).
	extract_new_packets $BUS_TUNNEL > $outfile

	export RUMP_SERVER=$SOCK_LOCAL
	atf_check -s exit:0 -o ignore rump.ping6 -c 1 -n -X 3 $ip_remote

	# No SA/SP installed yet: the ping must traverse the gif tunnel in the
	# clear, i.e. outer addresses followed by inner addresses and ICMP6 type.
	extract_new_packets $BUS_TUNNEL > $outfile
	str="$ip_gwlo_tun > $ip_gwre_tun:"
	str="$str $ip_local > $ip_remote: ICMP6, echo request"
	atf_check -s exit:0 -o match:"$str" cat $outfile
	str="$ip_gwre_tun > $ip_gwlo_tun:"
	str="$str $ip_remote > $ip_local: ICMP6, echo reply,"
	atf_check -s exit:0 -o match:"$str" cat $outfile

	# Install one SA per direction (SPI 10000 lo->re, 10001 re->lo; test
	# keys come from algo_args) and an out/in policy pair on each gateway.
	# "-o empty" turns any setkey diagnostic into a test failure, and
	# HIJACKING is expected to steer setkey's socket into the rump kernel
	# selected by RUMP_SERVER.
	if [ $mode = tunnel ]; then
		# Tunnel mode: the policies cover the two end-host /64s.
		export RUMP_SERVER=$SOCK_TUN_LOCAL
		# from https://www.netbsd.org/docs/network/ipsec/
		cat > $tmpfile <<-EOF
		add $ip_gwlo_tun $ip_gwre_tun $proto 10000 $algo_args;
		add $ip_gwre_tun $ip_gwlo_tun $proto 10001 $algo_args;
		spdadd $subnet_local/64 $subnet_remote/64 any -P out ipsec
		    $proto/tunnel/$ip_gwlo_tun-$ip_gwre_tun/require;
		spdadd $subnet_remote/64 $subnet_local/64 any -P in ipsec
		    $proto/tunnel/$ip_gwre_tun-$ip_gwlo_tun/require;
		EOF
		$DEBUG && cat $tmpfile
		atf_check -s exit:0 -o empty $HIJACKING setkey -c < $tmpfile

		export RUMP_SERVER=$SOCK_TUN_REMOTE
		cat > $tmpfile <<-EOF
		add $ip_gwlo_tun $ip_gwre_tun $proto 10000 $algo_args;
		add $ip_gwre_tun $ip_gwlo_tun $proto 10001 $algo_args;
		spdadd $subnet_remote/64 $subnet_local/64 any -P out ipsec
		    $proto/tunnel/$ip_gwre_tun-$ip_gwlo_tun/require;
		spdadd $subnet_local/64 $subnet_remote/64 any -P in ipsec
		    $proto/tunnel/$ip_gwlo_tun-$ip_gwre_tun/require;
		EOF
		$DEBUG && cat $tmpfile
		atf_check -s exit:0 -o empty $HIJACKING setkey -c < $tmpfile
	else # transport mode
		# Transport mode: the policies are keyed on the outer tunnel
		# endpoints only (/128 host entries).
		export RUMP_SERVER=$SOCK_TUN_LOCAL
		# from https://www.netbsd.org/docs/network/ipsec/
		cat > $tmpfile <<-EOF
		add $ip_gwlo_tun $ip_gwre_tun $proto 10000 $algo_args;
		add $ip_gwre_tun $ip_gwlo_tun $proto 10001 $algo_args;
		spdadd $ip_gwlo_tun/128 $ip_gwre_tun/128 any -P out ipsec
		    $proto/transport//require;
		spdadd $ip_gwre_tun/128 $ip_gwlo_tun/128 any -P in ipsec
		    $proto/transport//require;
		EOF
		$DEBUG && cat $tmpfile
		atf_check -s exit:0 -o empty $HIJACKING setkey -c < $tmpfile

		export RUMP_SERVER=$SOCK_TUN_REMOTE
		cat > $tmpfile <<-EOF
		add $ip_gwlo_tun $ip_gwre_tun $proto 10000 $algo_args;
		add $ip_gwre_tun $ip_gwlo_tun $proto 10001 $algo_args;
		spdadd $ip_gwre_tun/128 $ip_gwlo_tun/128 any -P out ipsec
		    $proto/transport//require;
		spdadd $ip_gwlo_tun/128 $ip_gwre_tun/128 any -P in ipsec
		    $proto/transport//require;
		EOF
		$DEBUG && cat $tmpfile
		atf_check -s exit:0 -o empty $HIJACKING setkey -c < $tmpfile
	fi

	# Both gateways must now show the SA pair for the tunnel endpoints.
	check_sa_entries $SOCK_TUN_LOCAL $ip_gwlo_tun $ip_gwre_tun
	check_sa_entries $SOCK_TUN_REMOTE $ip_gwlo_tun $ip_gwre_tun

	export RUMP_SERVER=$SOCK_LOCAL
	atf_check -s exit:0 -o ignore rump.ping6 -c 1 -n -X 3 $ip_remote

	# Same ping, now with IPsec applied: the tunnel bus must show ESP/AH.
	# For AH the inner addresses are still expected in the clear
	# (integrity only); see make_gif_pktstr.
	extract_new_packets $BUS_TUNNEL > $outfile
	str=$(make_gif_pktstr $ip_gwlo_tun $ip_gwre_tun \
	    $ip_local $ip_remote $proto ipv6)
	atf_check -s exit:0 -o match:"$str" cat $outfile
	str=$(make_gif_pktstr $ip_gwre_tun $ip_gwlo_tun \
	    $ip_remote $ip_local $proto ipv6)
	atf_check -s exit:0 -o match:"$str" cat $outfile

	# Project helper; presumably flushes the SA/SP entries on each gateway.
	test_flush_entries $SOCK_TUN_LOCAL
	test_flush_entries $SOCK_TUN_REMOTE
}

# Dispatch one gif/IPsec run to the address-family specific test body.
# Arguments: $1 - "ipv4" selects test_ipsec4_gif; anything else IPv6
#            $2 - mode (tunnel/transport)
#            $3 - esp or ah
#            $4 - algorithm name
test_ipsec_gif_common()
{
	local ipproto=$1
	local mode=$2
	local proto=$3
	local algo=$4

	case $ipproto in
	ipv4)
		test_ipsec4_gif $mode $proto $algo
		;;
	*)
		test_ipsec6_gif $mode $proto $algo
		;;
	esac
}

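# Register one atf test case for a (family, mode, proto, algo) combination.
# Arguments: $1 - ipv4 or ipv6
#            $2 - tunnel or transport
#            $3 - esp or ah
#            $4 - algorithm name (dashes are dropped for the test-case name)
# Effects:   defines ${name}_head, ${name}_body and ${name}_cleanup and
#            registers ${name} with atf.
# The eval below splices the arguments into shell source.  It is only
# called from atf_init_test_cases with literal values and the
# *_ALGORITHMS_MINIMUM lists, never with environment- or user-derived
# input; keep it that way.
add_test_ipsec_gif()
{
	local ipproto=$1
	local mode=$2
	local proto=$3
	local algo=$4
	local _algo=
	local name= desc=

	# Assigned separately from "local" so the pipeline's exit status is
	# not masked; printf rather than echo so the value is passed verbatim.
	_algo=$(printf '%s\n' "$algo" | sed 's/-//g')
	name="ipsec_gif_${ipproto}_${mode}_${proto}_${_algo}"
	desc="Tests of gif/IPsec ($ipproto) ${mode} mode with $proto ($algo)"

	atf_test_case ${name} cleanup
	eval "
	    ${name}_head() {
	        atf_set descr \"$desc\"
	        atf_set require.progs rump_server setkey
	    }
	    ${name}_body() {
	        test_ipsec_gif_common $ipproto $mode $proto $algo
	        rump_server_destroy_ifaces
	    }
	    ${name}_cleanup() {
	        \$DEBUG && dump
	        cleanup
	    }
	"
	atf_add_test_case ${name}
}
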
# atf entry point: register every gif/IPsec test case -- ESP for each
# encryption algorithm and AH for each authentication algorithm, over
# both address families and both IPsec modes.
# Globals: ESP_ENCRYPTION_ALGORITHMS_MINIMUM,
#          AH_AUTHENTICATION_ALGORITHMS_MINIMUM (read; word-split lists)
atf_init_test_cases()
{
	local algo= mode= ipproto=

	# Order per algorithm: ipv4 tunnel, ipv6 tunnel, ipv4 transport,
	# ipv6 transport.
	for algo in $ESP_ENCRYPTION_ALGORITHMS_MINIMUM; do
		for mode in tunnel transport; do
			for ipproto in ipv4 ipv6; do
				add_test_ipsec_gif $ipproto $mode esp $algo
			done
		done
	done

	for algo in $AH_AUTHENTICATION_ALGORITHMS_MINIMUM; do
		for mode in tunnel transport; do
			for ipproto in ipv4 ipv6; do
				add_test_ipsec_gif $ipproto $mode ah $algo
			done
		done
	done
}
