# $NetBSD: t_ipsec_misc.sh,v 1.25 2022/01/07 22:59:32 andvar Exp $
#
# Copyright (c) 2017 Internet Initiative Japan Inc.
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
# 1. Redistributions of source code must retain the above copyright
#    notice, this list of conditions and the following disclaimer.
# 2. Redistributions in binary form must reproduce the above copyright
#    notice, this list of conditions and the following disclaimer in the
#    documentation and/or other materials provided with the distribution.
#
# THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
# ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
# TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
# POSSIBILITY OF SUCH DAMAGE.
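#

SOCK_LOCAL=unix://ipsec_local
SOCK_PEER=unix://ipsec_peer
BUS=./bus_ipsec

DEBUG=${DEBUG:-true}

#
# Print $1 in upper case ("esp" -> "ESP"), which is how the captured
# packets name the IPsec protocol.
#
upcase()
{
	printf '%s' "$1" | tr 'a-z' 'A-Z'
}

#
# Print $1 with every '-' removed.  Test case names end up as shell
# function names (see register_test_case), which cannot contain '-'.
#
strip_dashes()
{
	printf '%s' "$1" | sed 's/-//g'
}

#
# Feed a setkey(8) configuration, read from stdin, to the rump server $1.
# The configuration is spooled to ./tmp so it can be shown when $DEBUG
# is true.  RUMP_SERVER stays exported as $1 on return.
#
setkey_conf()
{
	local sock=$1
	local tmpfile=./tmp

	export RUMP_SERVER=$sock
	cat > "$tmpfile"
	$DEBUG && cat "$tmpfile"
	# $HIJACKING is a (possibly empty) command prefix; keep it unquoted.
	atf_check -s exit:0 -o empty $HIJACKING setkey -c < "$tmpfile"
}

#
# Disable DAD (dad_count=0) and assign address $3 to shmif0 on the rump
# server $1, using the IPv4 or IPv6 sysctl/ifconfig forms according to $2
# (ipv4 or ipv6).
#
configure_node()
{
	local sock=$1
	local ipproto=$2
	local ip=$3

	export RUMP_SERVER=$sock
	if [ "$ipproto" = ipv6 ]; then
		atf_check -s exit:0 rump.sysctl -q -w net.inet6.ip6.dad_count=0
		atf_check -s exit:0 rump.ifconfig shmif0 inet6 "$ip"
	else
		atf_check -s exit:0 rump.sysctl -q -w net.inet.ip.dad_count=0
		atf_check -s exit:0 rump.ifconfig shmif0 "$ip"/24
	fi
}

#
# Start rump servers on $SOCK_LOCAL and $SOCK_PEER with the IPsec stack
# (plus netinet6 when $1 is ipv6), attach shmif0 on both to $BUS and
# assign $2 to the local node and $3 to the peer.  On return RUMP_SERVER
# points at the peer.
#
prepare_nodes()
{
	local ipproto=$1
	local ip_local=$2
	local ip_peer=$3
	local modules=netipsec

	if [ "$ipproto" = ipv6 ]; then
		modules="netinet6 netipsec"
	fi
	# $modules is a word list and is deliberately unquoted.
	rump_server_crypto_start $SOCK_LOCAL $modules
	rump_server_crypto_start $SOCK_PEER $modules
	rump_server_add_iface $SOCK_LOCAL shmif0 $BUS
	rump_server_add_iface $SOCK_PEER shmif0 $BUS

	configure_node $SOCK_LOCAL "$ipproto" "$ip_local"
	configure_node $SOCK_PEER "$ipproto" "$ip_peer"
}

#
# Install a pair of SAs (SPIs 10000/10001) with lifetime $5 and an
# outbound transport-mode SP for $1 ($2 are the algorithm arguments)
# between $3 and $4 on both nodes.  The optional $6 selects an extra step:
#   sa     - also "update" both SAs,
#   getspi - create the SAs with "getspi" (no algorithms) then "update",
#   sp     - also "spdupdate" the outbound SP.
# RUMP_SERVER points at the peer on return.
#
setup_sasp()
{
	local proto=$1
	local algo_args="$2"
	local ip_local=$3
	local ip_peer=$4
	local lifetime=$5
	local update=$6
	local saadd=add
	local saadd_algo_args="$algo_args"
	local extra_local= extra_peer=

	if [ "$update" = getspi ]; then
		# getspi takes no algorithm arguments; the following update
		# supplies them.
		saadd=getspi
		saadd_algo_args=
	fi

	case "$update" in
	sa|getspi)
		extra_local="update $ip_local $ip_peer $proto 10000 $algo_args;
		    update $ip_peer $ip_local $proto 10001 $algo_args;"
		extra_peer="$extra_local"
		;;
	sp)
		# Each node updates only its own outbound SP.
		extra_local="spdupdate $ip_local $ip_peer any -P out ipsec $proto/transport//require;"
		extra_peer="spdupdate $ip_peer $ip_local any -P out ipsec $proto/transport//require;"
		;;
	esac

	setkey_conf $SOCK_LOCAL <<-EOF
	$saadd $ip_local $ip_peer $proto 10000 -lh $lifetime -ls $lifetime $saadd_algo_args;
	$saadd $ip_peer $ip_local $proto 10001 -lh $lifetime -ls $lifetime $saadd_algo_args;
	spdadd $ip_local $ip_peer any -P out ipsec $proto/transport//require;
	$extra_local
EOF
	# XXX it can be expired if $lifetime is very short
	#check_sa_entries $SOCK_LOCAL $ip_local $ip_peer

	setkey_conf $SOCK_PEER <<-EOF
	$saadd $ip_local $ip_peer $proto 10000 -lh $lifetime -ls $lifetime $saadd_algo_args;
	$saadd $ip_peer $ip_local $proto 10001 -lh $lifetime -ls $lifetime $saadd_algo_args;
	spdadd $ip_peer $ip_local any -P out ipsec $proto/transport//require;
	$extra_peer
EOF
	# XXX it can be expired if $lifetime is very short
	#check_sa_entries $SOCK_PEER $ip_local $ip_peer
}

#
# Poll both nodes once a second for up to $1 seconds until neither has
# any SAD entry left; fail the test otherwise.  When $2 is true, setkey
# is run with -a as well (per the parameter name, so that dead SAs are
# also listed -- verify against setkey(8)).
#
test_sad_disapper_until()
{
	local time=$1
	local check_dead_sa=$2
	local setkey_opts=
	local n=$time
	local tmpfile=./__tmp
	local sock= ok=

	if $check_dead_sa; then
		setkey_opts="-D -a"
	else
		setkey_opts="-D"
	fi

	while [ "$n" -ne 0 ]; do
		ok=0
		sleep 1
		for sock in $SOCK_LOCAL $SOCK_PEER; do
			export RUMP_SERVER=$sock
			# $setkey_opts holds one or two flags; keep it unquoted.
			$HIJACKING setkey $setkey_opts > "$tmpfile"
			$DEBUG && cat "$tmpfile"
			if grep -q 'No SAD entries.' "$tmpfile"; then
				ok=$((ok + 1))
			fi
		done
		if [ "$ok" -eq 2 ]; then
			return
		fi

		n=$((n - 1))
	done

	atf_fail "SAs didn't disappear after $time sec."
}

#
# Lifetime test shared by IPv4 and IPv6 ($1 is ipv4 or ipv6, $2 the IPsec
# protocol, $3 the algorithm): SAs with a 1 second lifetime must expire
# unused, SAs with a longer lifetime must expire even while an SP holds
# a reference to them, and traffic must stop once they are gone.
#
test_ipsec_lifetime()
{
	local ipproto=$1
	local proto=$2
	local algo=$3
	local ip_local= ip_peer= ping= icmp=
	local outfile=./out
	local proto_cap=$(upcase "$proto")
	local algo_args="$(generate_algo_args $proto $algo)"
	local lifetime=3
	local buffertime=2

	if [ "$ipproto" = ipv6 ]; then
		ip_local=fd00::1
		ip_peer=fd00::2
		# The deadline (seconds) is appended by the caller.
		ping="rump.ping6 -c 1 -n -X"
		icmp="ICMP6,"
	else
		ip_local=10.0.0.1
		ip_peer=10.0.0.2
		ping="rump.ping -c 1 -n -w"
		icmp="ICMP"
	fi

	prepare_nodes "$ipproto" "$ip_local" "$ip_peer"
	#atf_check -s exit:0 -o ignore rump.sysctl -w net.key.debug=0xff

	extract_new_packets $BUS > "$outfile"

	# Plain connectivity first, before any policy is installed
	export RUMP_SERVER=$SOCK_LOCAL
	atf_check -s exit:0 -o ignore $ping 3 "$ip_peer"

	extract_new_packets $BUS > "$outfile"
	atf_check -s exit:0 -o match:"$ip_local > $ip_peer: $icmp echo request" \
	    cat "$outfile"
	atf_check -s exit:0 -o match:"$ip_peer > $ip_local: $icmp echo reply" \
	    cat "$outfile"

	# Set up SAs with lifetime 1 sec.
	setup_sasp "$proto" "$algo_args" "$ip_local" "$ip_peer" 1

	# Check the SAs have expired
	test_sad_disapper_until $((1 + buffertime)) false

	# Clean up SPs
	export RUMP_SERVER=$SOCK_LOCAL
	atf_check -s exit:0 -o empty $HIJACKING setkey -F -P
	export RUMP_SERVER=$SOCK_PEER
	atf_check -s exit:0 -o empty $HIJACKING setkey -F -P

	# Set up SAs with lifetime $lifetime
	setup_sasp "$proto" "$algo_args" "$ip_local" "$ip_peer" "$lifetime"

	# Use the SAs; this creates a reference from an SP to an SA
	export RUMP_SERVER=$SOCK_LOCAL
	atf_check -s exit:0 -o ignore $ping 3 "$ip_peer"

	extract_new_packets $BUS > "$outfile"
	atf_check -s exit:0 -o match:"$ip_local > $ip_peer: $proto_cap" \
	    cat "$outfile"
	atf_check -s exit:0 -o match:"$ip_peer > $ip_local: $proto_cap" \
	    cat "$outfile"

	# Check the SAs have expired despite the reference
	test_sad_disapper_until $((lifetime + buffertime)) true

	# With the SAs gone and the SP still requiring IPsec, ping must fail
	export RUMP_SERVER=$SOCK_LOCAL
	atf_check -s not-exit:0 -o match:'0 packets received' \
	    $ping 1 "$ip_peer"

	test_flush_entries $SOCK_LOCAL
	test_flush_entries $SOCK_PEER
}

# IPv4 lifetime test: $1 is the IPsec protocol, $2 the algorithm.
test_ipsec4_lifetime()
{
	test_ipsec_lifetime ipv4 "$1" "$2"
}

# IPv6 lifetime test: $1 is the IPsec protocol, $2 the algorithm.
test_ipsec6_lifetime()
{
	test_ipsec_lifetime ipv6 "$1" "$2"
}

# Dispatch the lifetime test on $1 (ipv4, anything else means IPv6).
test_lifetime_common()
{
	local ipproto=$1
	local proto=$2
	local algo=$3

	if [ "$ipproto" = ipv4 ]; then
		test_ipsec4_lifetime "$proto" "$algo"
	else
		test_ipsec6_lifetime "$proto" "$algo"
	fi
}

#
# Define and register an ATF test case named $1, described by $2, whose
# body runs the command line $3 and then destroys the rump interfaces.
# Cleanup dumps the servers when $DEBUG is true.  $3 is expanded when the
# case is defined, so only pass words built from this file's literals:
# the text goes through eval.
#
register_test_case()
{
	local name=$1
	local desc=$2
	local body=$3

	atf_test_case ${name} cleanup
	eval "
	    ${name}_head() {
	        atf_set descr \"$desc\"
	        atf_set require.progs rump_server setkey
	    }
	    ${name}_body() {
	        $body
	        rump_server_destroy_ifaces
	    }
	    ${name}_cleanup() {
	        \$DEBUG && dump
	        cleanup
	    }
	"
	atf_add_test_case ${name}
}

# Register the lifetime test for $1 (ipv4|ipv6), protocol $2, algorithm $3.
add_test_lifetime()
{
	local ipproto=$1
	local proto=$2
	local algo=$3
	local _algo=$(strip_dashes "$algo")
	local name= desc=

	name="ipsec_lifetime_${ipproto}_${proto}_${_algo}"
	desc="Tests of lifetime of IPsec ($ipproto) with $proto ($algo)"
	register_test_case "$name" "$desc" \
	    "test_lifetime_common $ipproto $proto $algo"
}

#
# Ping $2 from the local node ($1) and verify that the traffic captured
# on $BUS is carried by $3 (the upper-cased protocol) in both directions;
# $4 receives the capture.
#
ping_and_check_proto()
{
	local ip_local=$1
	local ip_peer=$2
	local proto_cap=$3
	local outfile=$4

	# Drain anything captured so far
	extract_new_packets $BUS > "$outfile"

	export RUMP_SERVER=$SOCK_LOCAL
	atf_check -s exit:0 -o ignore rump.ping -c 1 -n -w 3 "$ip_peer"

	extract_new_packets $BUS > "$outfile"
	atf_check -s exit:0 -o match:"$ip_local > $ip_peer: $proto_cap" \
	    cat "$outfile"
	atf_check -s exit:0 -o match:"$ip_peer > $ip_local: $proto_cap" \
	    cat "$outfile"
}

#
# Install SAs/SPs for $1 ($2) with the extra step $3 (sa, sp or getspi,
# see setup_sasp) and check that traffic is still protected afterwards.
#
test_update()
{
	local proto=$1
	local algo=$2
	local update=$3
	local ip_local=10.0.0.1
	local ip_peer=10.0.0.2
	local algo_args="$(generate_algo_args $proto $algo)"
	local proto_cap=$(upcase "$proto")
	local outfile=./out

	prepare_nodes ipv4 "$ip_local" "$ip_peer"

	setup_sasp "$proto" "$algo_args" "$ip_local" "$ip_peer" 100 "$update"

	ping_and_check_proto "$ip_local" "$ip_peer" "$proto_cap" "$outfile"
}

# Register the update test for protocol $1, algorithm $2, update kind $3.
add_test_update()
{
	local proto=$1
	local algo=$2
	local update=$3
	local _update=$(upcase "$update")
	local _algo=$(strip_dashes "$algo")
	local name= desc=

	desc="Tests trying to update $_update of $proto ($algo)"
	name="ipsec_update_${update}_${proto}_${_algo}"
	register_test_case "$name" "$desc" "test_update $proto $algo $update"
}

# The getspi variant of test_update: SAs are created with getspi then
# updated with the real algorithm arguments.
test_getspi_update()
{
	test_update "$1" "$2" getspi
}

# Register the getspi+update test for protocol $1, algorithm $2.
add_test_getspi_update()
{
	local proto=$1
	local algo=$2
	local _algo=$(strip_dashes "$algo")
	local name= desc=

	desc="Tests trying to getspi and update SA of $proto ($algo)"
	name="ipsec_getspi_update_sa_${proto}_${_algo}"
	register_test_case "$name" "$desc" "test_getspi_update $proto $algo"
}

#
# Add a pair of SAs for $1 ($2 are the algorithm arguments) between $3
# and $4 with lifetime $5 to both nodes, using SPI $6 for $3->$4 and
# $6+1 for the reverse direction.
#
add_sa()
{
	local proto=$1
	local algo_args="$2"
	local ip_local=$3
	local ip_peer=$4
	local lifetime=$5
	local spi=$6
	local sock=

	# Both nodes receive the identical configuration.
	for sock in $SOCK_LOCAL $SOCK_PEER; do
		setkey_conf $sock <<-EOF
		add $ip_local $ip_peer $proto $((spi)) -lh $lifetime -ls $lifetime $algo_args;
		add $ip_peer $ip_local $proto $((spi + 1)) -lh $lifetime -ls $lifetime $algo_args;
EOF
		$DEBUG && $HIJACKING setkey -D
		# XXX it can be expired if $lifetime is very short
		#check_sa_entries $sock $ip_local $ip_peer
	done
}

#
# Delete the SA pair for $1 between $2 and $3 with SPIs $4 and $4+1 from
# both nodes.
#
delete_sa()
{
	local proto=$1
	local ip_local=$2
	local ip_peer=$3
	local spi=$4
	local sock=

	for sock in $SOCK_LOCAL $SOCK_PEER; do
		setkey_conf $sock <<-EOF
		delete $ip_local $ip_peer $proto $((spi));
		delete $ip_peer $ip_local $proto $((spi + 1));
EOF
		$DEBUG && $HIJACKING setkey -D
	done
}

#
# Verify that the capture in $1 shows $2->$3 carried by $4 (upper-cased
# protocol) with SPI $5 and the reply with SPI $5+1.
#
check_packet_spi()
{
	local outfile=$1
	local ip_local=$2
	local ip_peer=$3
	# The 4th argument is the upper-cased protocol (callers pass
	# $proto_cap); it used to be stored as $proto while the patterns
	# read $proto_cap, which only worked through the caller's local.
	local proto_cap=$4
	local spi=$5
	local spistr=

	$DEBUG && cat "$outfile"
	spistr=$(printf '%08x' "$spi")
	atf_check -s exit:0 \
	    -o match:"$ip_local > $ip_peer: $proto_cap\(spi=0x$spistr," \
	    cat "$outfile"
	spistr=$(printf '%08x' "$((spi + 1))")
	atf_check -s exit:0 \
	    -o match:"$ip_peer > $ip_local: $proto_cap\(spi=0x$spistr," \
	    cat "$outfile"
}

#
# Poll the rump server $1 once a second, up to 10 times, until no SAD
# entry mentioning spi=$2 is listed; fail the test otherwise.
#
_wait_sa_gone_on()
{
	local sock=$1
	local spi=$2
	local limit=10
	local i=1

	export RUMP_SERVER=$sock
	while [ "$i" -le "$limit" ]; do
		# A disappearance seen on the last poll counts as success;
		# the previous for/seq loop could not tell it from exhaustion.
		if ! $HIJACKING setkey -D | grep -q "spi=$spi"; then
			return 0
		fi
		sleep 1
		i=$((i + 1))
	done
	atf_fail "SA (spi=$spi) didn't disappear in ${limit}s"
}

# Wait until the SA with SPI $1 has disappeared from both nodes.
wait_sa_disappeared()
{
	local spi=$1

	_wait_sa_gone_on $SOCK_LOCAL "$spi"
	_wait_sa_gone_on $SOCK_PEER "$spi"
}

#
# Ping $2 from the local node ($1), capture into $4 and check that the
# packets use SPI $5 (and $5+1 for the reply) with protocol $3.
#
ping_and_check_spi()
{
	local ip_local=$1
	local ip_peer=$2
	local proto_cap=$3
	local outfile=$4
	local spi=$5

	export RUMP_SERVER=$SOCK_LOCAL
	atf_check -s exit:0 -o ignore rump.ping -c 1 -n -w 3 "$ip_peer"
	extract_new_packets $BUS > "$outfile"
	check_packet_spi "$outfile" "$ip_local" "$ip_peer" "$proto_cap" "$spi"
}

#
# SA selection test for $1 ($2): install three SA pairs with different
# SPIs, check which one carries traffic depending on $3 (old or new SA
# preferred), then remove them by $4 (delete, or timeout via lifetime)
# and check the selection falls back as expected.
#
test_spi()
{
	local proto=$1
	local algo=$2
	local preferred=$3
	local method=$4
	local ip_local=10.0.0.1
	local ip_peer=10.0.0.2
	local algo_args="$(generate_algo_args $proto $algo)"
	local proto_cap=$(upcase "$proto")
	local outfile=./out
	local longtime= shorttime=

	if [ "$method" = timeout ]; then
		atf_skip \
		    "PR 55632: test fails randomly, leaving spurious rump_server around"
	fi
	if [ "$method" = timeout ] && [ "$preferred" = new ]; then
		skip_if_qemu
	fi

	# With delete the SAs must outlive the test; with timeout the
	# lifetimes decide in which order they expire.
	if [ "$method" = delete ]; then
		shorttime=100
		longtime=100
	else
		shorttime=3
		longtime=6
	fi

	prepare_nodes ipv4 "$ip_local" "$ip_peer"
	if [ "$preferred" = old ]; then
		export RUMP_SERVER=$SOCK_LOCAL
		atf_check -s exit:0 rump.sysctl -q -w net.key.prefered_oldsa=1
		export RUMP_SERVER=$SOCK_PEER
		atf_check -s exit:0 rump.sysctl -q -w net.key.prefered_oldsa=1
	fi

	setup_sasp "$proto" "$algo_args" "$ip_local" "$ip_peer" 100

	extract_new_packets $BUS > "$outfile"

	ping_and_check_spi "$ip_local" "$ip_peer" "$proto_cap" "$outfile" 10000

	# Add a new SA with a different SPI
	add_sa "$proto" "$algo_args" "$ip_local" "$ip_peer" "$longtime" 10010

	if [ "$preferred" = old ]; then
		ping_and_check_spi "$ip_local" "$ip_peer" "$proto_cap" "$outfile" 10000
	else
		# The new SA is preferred
		ping_and_check_spi "$ip_local" "$ip_peer" "$proto_cap" "$outfile" 10010
	fi

	# Add another SA with a different SPI
	add_sa "$proto" "$algo_args" "$ip_local" "$ip_peer" "$shorttime" 10020

	if [ "$preferred" = old ]; then
		ping_and_check_spi "$ip_local" "$ip_peer" "$proto_cap" "$outfile" 10000
	else
		# The newest SA is preferred
		ping_and_check_spi "$ip_local" "$ip_peer" "$proto_cap" "$outfile" 10020
	fi

	if [ "$method" = delete ]; then
		delete_sa "$proto" "$ip_local" "$ip_peer" 10020
	else
		wait_sa_disappeared 10020
	fi

	if [ "$preferred" = old ]; then
		ping_and_check_spi "$ip_local" "$ip_peer" "$proto_cap" "$outfile" 10000
	else
		# The newest one is removed and the second one is used
		ping_and_check_spi "$ip_local" "$ip_peer" "$proto_cap" "$outfile" 10010
	fi

	if [ "$method" = delete ]; then
		delete_sa "$proto" "$ip_local" "$ip_peer" 10010
	else
		wait_sa_disappeared 10010
	fi

	if [ "$preferred" = old ]; then
		ping_and_check_spi "$ip_local" "$ip_peer" "$proto_cap" "$outfile" 10000
	else
		# The second one is removed and the original one is used
		ping_and_check_spi "$ip_local" "$ip_peer" "$proto_cap" "$outfile" 10000
	fi
}

# Register the SPI test for protocol $1, algorithm $2, preference $3
# (old|new) and removal method $4 (delete|timeout).
add_test_spi()
{
	local proto=$1
	local algo=$2
	local preferred=$3
	local method=$4
	local _algo=$(strip_dashes "$algo")
	local name= desc=

	desc="Tests SAs with different SPIs of $proto ($algo) ($preferred SA preferred) ($method)"
	name="ipsec_spi_${proto}_${_algo}_preferred_${preferred}_${method}"
	register_test_case "$name" "$desc" \
	    "test_spi $proto $algo $preferred $method"
}

#
# Install transport-mode SPs requiring $1 in both directions between $3
# and $4 on both nodes, without any SA.  $2 is accepted for symmetry with
# setup_sasp but unused.
#
setup_sp()
{
	local proto=$1
	local algo_args="$2"
	local ip_local=$3
	local ip_peer=$4

	setkey_conf $SOCK_LOCAL <<-EOF
	spdadd $ip_local $ip_peer any -P out ipsec $proto/transport//require;
	spdadd $ip_peer $ip_local any -P in ipsec $proto/transport//require;
EOF
	check_sp_entries $SOCK_LOCAL "$ip_local" "$ip_peer"

	setkey_conf $SOCK_PEER <<-EOF
	spdadd $ip_peer $ip_local any -P out ipsec $proto/transport//require;
	spdadd $ip_local $ip_peer any -P in ipsec $proto/transport//require;
EOF
	check_sp_entries $SOCK_PEER "$ip_peer" "$ip_local"
}

#
# With SPs requiring $1 ($2) but no SA, traffic must be dropped rather
# than sent in the clear.
#
test_nosa()
{
	local proto=$1
	local algo=$2
	local ip_local=10.0.0.1
	local ip_peer=10.0.0.2
	local algo_args="$(generate_algo_args $proto $algo)"
	local outfile=./out

	prepare_nodes ipv4 "$ip_local" "$ip_peer"

	setup_sp "$proto" "$algo_args" "$ip_local" "$ip_peer"

	extract_new_packets $BUS > "$outfile"

	export RUMP_SERVER=$SOCK_LOCAL
	# It doesn't work because there is no SA
	atf_check -s not-exit:0 -o ignore rump.ping -c 1 -n -w 3 "$ip_peer"
}

# Register the no-SA test for protocol $1, algorithm $2.
add_test_nosa()
{
	local proto=$1
	local algo=$2
	local _algo=$(strip_dashes "$algo")
	local name= desc=

	desc="Tests SPs with no relevant SAs with $proto ($algo)"
	name="ipsec_nosa_${proto}_${_algo}"
	register_test_case "$name" "$desc" "test_nosa $proto $algo"
}

test_multiple_sa()
{
	local proto=$1
	local algo=$2
	local update=$3
	local ip_local=10.0.0.1
	local ip_peer=10.0.0.2
	local ip_peer2=10.0.0.3
	local algo_args="$(generate_algo_args $proto $algo)"
	local proto_cap=$(echo $proto | tr 'a-z' 'A-Z')
	local outfile=./out

	rump_server_crypto_start $SOCK_LOCAL netipsec
	rump_server_crypto_start $SOCK_PEER netipsec
	rump_server_add_iface $SOCK_LOCAL shmif0 $BUS
	rump_server_add_iface $SOCK_PEER shmif0 $BUS

	export RUMP_SERVER=$SOCK_LOCAL
	atf_check -s exit:0 rump.sysctl -q -w net.inet.ip.dad_count=0
	atf_check -s exit:0 rump.ifconfig shmif0 $ip_local/24

	export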
RUMP_SERVER=$SOCK_PEER 811690df934Sozaki-r atf_check -s exit:0 rump.sysctl -q -w net.inet.ip.dad_count=0 812690df934Sozaki-r atf_check -s exit:0 rump.ifconfig shmif0 $ip_peer/24 813690df934Sozaki-r atf_check -s exit:0 rump.ifconfig shmif0 $ip_peer2/24 alias 814690df934Sozaki-r 815690df934Sozaki-r setup_sp $proto "$algo_args" "$ip_local" "0.0.0.0/0" 816690df934Sozaki-r 817690df934Sozaki-r extract_new_packets $BUS > $outfile 818690df934Sozaki-r 819690df934Sozaki-r export RUMP_SERVER=$SOCK_LOCAL 820690df934Sozaki-r # There is no SA, so ping should fail 821690df934Sozaki-r atf_check -s not-exit:0 -o ignore rump.ping -c 1 -n -w 3 $ip_peer 822690df934Sozaki-r atf_check -s not-exit:0 -o ignore rump.ping -c 1 -n -w 3 $ip_peer2 823690df934Sozaki-r 824690df934Sozaki-r add_sa $proto "$algo_args" $ip_local $ip_peer 100 10000 825690df934Sozaki-r 826690df934Sozaki-r export RUMP_SERVER=$SOCK_LOCAL 827690df934Sozaki-r # There is only an SA for $ip_peer, so ping to $ip_peer2 should fail 828690df934Sozaki-r atf_check -s exit:0 -o ignore rump.ping -c 1 -n -w 3 $ip_peer 829690df934Sozaki-r atf_check -s not-exit:0 -o ignore rump.ping -c 1 -n -w 3 $ip_peer2 830690df934Sozaki-r 831690df934Sozaki-r add_sa $proto "$algo_args" $ip_local $ip_peer2 100 10010 832690df934Sozaki-r 833690df934Sozaki-r export RUMP_SERVER=$SOCK_LOCAL 834690df934Sozaki-r atf_check -s exit:0 -o ignore rump.ping -c 1 -n -w 3 $ip_peer 835690df934Sozaki-r atf_check -s exit:0 -o ignore rump.ping -c 1 -n -w 3 $ip_peer2 836690df934Sozaki-r 837690df934Sozaki-r export RUMP_SERVER=$SOCK_LOCAL 838690df934Sozaki-r atf_check -s exit:0 -o match:"$proto/transport//require" \ 839690df934Sozaki-r $HIJACKING setkey -D -P 840690df934Sozaki-r # Check if the policy isn't modified accidentally 841690df934Sozaki-r atf_check -s exit:0 -o not-match:"$proto/transport/.+\-.+/require" \ 842690df934Sozaki-r $HIJACKING setkey -D -P 843690df934Sozaki-r export RUMP_SERVER=$SOCK_PEER 844690df934Sozaki-r atf_check -s exit:0 -o 
match:"$proto/transport//require" \ 845690df934Sozaki-r $HIJACKING setkey -D -P 846690df934Sozaki-r # Check if the policy isn't modified accidentally 847690df934Sozaki-r atf_check -s exit:0 -o not-match:"$proto/transport/.+\-.+/require" \ 848690df934Sozaki-r $HIJACKING setkey -D -P 849690df934Sozaki-r} 850690df934Sozaki-r 851690df934Sozaki-radd_test_multiple_sa() 852690df934Sozaki-r{ 853690df934Sozaki-r local proto=$1 854690df934Sozaki-r local algo=$2 855690df934Sozaki-r local _algo=$(echo $algo | sed 's/-//g') 856690df934Sozaki-r local name= desc= 857690df934Sozaki-r 858690df934Sozaki-r desc="Tests multiple SAs with $proto ($algo)" 859690df934Sozaki-r name="ipsec_multiple_sa_${proto}_${_algo}" 860690df934Sozaki-r 861690df934Sozaki-r atf_test_case ${name} cleanup 862690df934Sozaki-r eval " 863690df934Sozaki-r ${name}_head() { 864690df934Sozaki-r atf_set descr \"$desc\" 865690df934Sozaki-r atf_set require.progs rump_server setkey 866690df934Sozaki-r } 867690df934Sozaki-r ${name}_body() { 868690df934Sozaki-r test_multiple_sa $proto $algo 869690df934Sozaki-r rump_server_destroy_ifaces 870690df934Sozaki-r } 871690df934Sozaki-r ${name}_cleanup() { 872690df934Sozaki-r \$DEBUG && dump 873690df934Sozaki-r cleanup 874690df934Sozaki-r } 875690df934Sozaki-r " 876690df934Sozaki-r atf_add_test_case ${name} 877690df934Sozaki-r} 878690df934Sozaki-r 879fe20eadbSozaki-ratf_init_test_cases() 880fe20eadbSozaki-r{ 881fe20eadbSozaki-r local algo= 882fe20eadbSozaki-r 883fe20eadbSozaki-r for algo in $ESP_ENCRYPTION_ALGORITHMS_MINIMUM; do 884fe20eadbSozaki-r add_test_lifetime ipv4 esp $algo 885fe20eadbSozaki-r add_test_lifetime ipv6 esp $algo 8869f04f77dSozaki-r add_test_update esp $algo sa 8879f04f77dSozaki-r add_test_update esp $algo sp 888ac002ee3Sozaki-r add_test_getspi_update esp $algo 88938d6ad3aSozaki-r add_test_spi esp $algo new delete 89038d6ad3aSozaki-r add_test_spi esp $algo old delete 89138d6ad3aSozaki-r add_test_spi esp $algo new timeout 89238d6ad3aSozaki-r add_test_spi esp 
$algo old timeout 89350843297Sozaki-r add_test_nosa esp $algo 894690df934Sozaki-r add_test_multiple_sa esp $algo 895fe20eadbSozaki-r done 896fe20eadbSozaki-r for algo in $AH_AUTHENTICATION_ALGORITHMS_MINIMUM; do 897fe20eadbSozaki-r add_test_lifetime ipv4 ah $algo 898fe20eadbSozaki-r add_test_lifetime ipv6 ah $algo 8999f04f77dSozaki-r add_test_update ah $algo sa 9009f04f77dSozaki-r add_test_update ah $algo sp 901ac002ee3Sozaki-r add_test_getspi_update ah $algo 90238d6ad3aSozaki-r add_test_spi ah $algo new delete 90338d6ad3aSozaki-r add_test_spi ah $algo old delete 90438d6ad3aSozaki-r add_test_spi ah $algo new timeout 90538d6ad3aSozaki-r add_test_spi ah $algo old timeout 90650843297Sozaki-r add_test_nosa ah $algo 907690df934Sozaki-r add_test_multiple_sa ah $algo 908fe20eadbSozaki-r done 909fe20eadbSozaki-r} 910