1# $NetBSD: t_ipsec_sockopt.sh,v 1.2 2017/08/03 03:16:27 ozaki-r Exp $ 2# 3# Copyright (c) 2017 Internet Initiative Japan Inc. 4# All rights reserved. 5# 6# Redistribution and use in source and binary forms, with or without 7# modification, are permitted provided that the following conditions 8# are met: 9# 1. Redistributions of source code must retain the above copyright 10# notice, this list of conditions and the following disclaimer. 11# 2. Redistributions in binary form must reproduce the above copyright 12# notice, this list of conditions and the following disclaimer in the 13# documentation and/or other materials provided with the distribution. 14# 15# THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS 16# ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED 17# TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 18# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS 19# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 20# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 21# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 22# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 23# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 24# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 25# POSSIBILITY OF SUCH DAMAGE. 
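#

#
# Rump server sockets of the two nodes under test and the shmif bus that
# connects them.  One script drives both nodes, so RUMP_SERVER is
# re-exported before every command that must run on a particular node.
#
SOCK_LOCAL=unix://ipsec_local
SOCK_PEER=unix://ipsec_peer
BUS=./bus_ipsec

# DEBUG is *executed* as a command ("$DEBUG && ..."), so it must be
# "true" or "false"; any other value from the environment would be run.
DEBUG=${DEBUG:-false}

#
# Assert that the capture in $1 holds a request from $2 to $3 carrying
# $4 and a reply from $3 to $2 carrying $5 (defaults to $4).
# Note that the addresses are used as a regular expression by
# "-o match:", so a '.' in an IPv4 address matches any character.
#
check_packets()
{
	local outfile=$1
	local src=$2
	local dst=$3
	local pktproto_out=$4
	local pktproto_in=${5:-$4}

	atf_check -s exit:0 -o match:"$src > $dst: $pktproto_out" cat "$outfile"
	atf_check -s exit:0 -o match:"$dst > $src: $pktproto_in" cat "$outfile"
}

#
# Install one transport-mode SA per direction on the node reached via
# $1 and verify both entries.  Leaves RUMP_SERVER pointing at that node.
#   $1 rump server socket
#   $2 local address, $3 peer address
#   $4 IPsec protocol (esp, ah or ipcomp)
#   $5 algorithm arguments for setkey (passed as one word)
#
ipsec_sockopt_add_sas()
{
	local sock=$1
	local ip_local=$2
	local ip_peer=$3
	local proto=$4
	local algo_args=$5
	local tmpfile=./tmp

	export RUMP_SERVER=$sock
	cat > "$tmpfile" <<-EOF
	add $ip_local $ip_peer $proto 10000 $algo_args;
	add $ip_peer $ip_local $proto 10001 $algo_args;
	EOF
	$DEBUG && cat "$tmpfile"
	# $HIJACKING is intentionally unquoted: it may expand to several
	# words or to nothing.
	atf_check -s exit:0 -o empty $HIJACKING setkey -c < "$tmpfile"
	check_sa_entries "$sock" "$ip_local" "$ip_peer"
}

#
# Install an outbound "require" SP from $2 to $3 on the node reached
# via $1.  No inbound SP is added, so inbound policy on that node is
# only what the socket option (-E/-P of ping) asks for.  Leaves
# RUMP_SERVER pointing at that node.
#   $1 rump server socket, $2 source address, $3 destination address,
#   $4 IPsec protocol (esp, ah or ipcomp)
#
ipsec_sockopt_add_out_sp()
{
	local sock=$1
	local src=$2
	local dst=$3
	local proto=$4
	local tmpfile=./tmp

	export RUMP_SERVER=$sock
	cat > "$tmpfile" <<-EOF
	spdadd $src $dst any -P out ipsec $proto/transport//require;
	EOF
	$DEBUG && cat "$tmpfile"
	atf_check -s exit:0 -o empty $HIJACKING setkey -c < "$tmpfile"
}

#
# IPv4 body: exercise IP_IPSEC_POLICY (rump.ping -E) for $1 (esp, ah or
# ipcomp) with algorithm $2, first with SAs but no SPs, then with an
# outbound SP on the local node only, then with outbound SPs on both.
#
test_ipsec4_IP_IPSEC_POLICY()
{
	local proto=$1
	local algo=$2
	local ip_local=10.0.0.1
	local ip_peer=10.0.0.2
	local outfile=./out
	local pktproto
	local algo_args
	# Extra ping options; deliberately expanded unquoted (several words).
	local pktsizeopt=
	local pingopt_out= pingopt_in=

	pktproto=$(generate_pktproto "$proto")
	algo_args="$(generate_algo_args "$proto" "$algo")"

	rump_server_crypto_start $SOCK_LOCAL netipsec
	rump_server_crypto_start $SOCK_PEER netipsec
	rump_server_add_iface $SOCK_LOCAL shmif0 $BUS
	rump_server_add_iface $SOCK_PEER shmif0 $BUS

	export RUMP_SERVER=$SOCK_LOCAL
	atf_check -s exit:0 rump.ifconfig shmif0 $ip_local/24
	atf_check -s exit:0 rump.ifconfig -w 10

	export RUMP_SERVER=$SOCK_PEER
	atf_check -s exit:0 rump.ifconfig shmif0 $ip_peer/24
	atf_check -s exit:0 rump.ifconfig -w 10

	# Drain whatever the interface setup put on the bus.
	extract_new_packets $BUS > "$outfile"

	# Plain connectivity, nothing configured yet.
	export RUMP_SERVER=$SOCK_LOCAL
	atf_check -s exit:0 -o ignore rump.ping -c 1 -n -w 3 $ip_peer

	extract_new_packets $BUS > "$outfile"
	check_packets "$outfile" $ip_local $ip_peer ICMP

	pingopt_out="out ipsec $proto/transport//require"
	pingopt_in="in ipsec $proto/transport//require"

	# A "require" socket policy with no SA to satisfy it must fail.
	atf_check -s not-exit:0 -o ignore \
	    rump.ping -c 1 -n -w 3 -E "$pingopt_out" $ip_peer

	# Setup only SAs (on both nodes); no SPs yet
	ipsec_sockopt_add_sas $SOCK_LOCAL $ip_local $ip_peer "$proto" "$algo_args"
	ipsec_sockopt_add_sas $SOCK_PEER $ip_local $ip_peer "$proto" "$algo_args"

	export RUMP_SERVER=$SOCK_LOCAL
	if [ "$proto" = ipcomp ]; then
		# IPComp only kicks in above a minimum payload length;
		# pad the ping so the packet is actually compressed.
		pktsizeopt="-s $(($(get_minlen "$algo") - 8)) -p ff"
	fi

	# The outgoing packet is matched and IPsec is applied
	# The reply packet isn't applied
	atf_check -s exit:0 -o ignore \
	    rump.ping -c 1 -n -w 3 $pktsizeopt -E "$pingopt_out" $ip_peer
	extract_new_packets $BUS > "$outfile"
	check_packets "$outfile" $ip_local $ip_peer "$pktproto" "ICMP"

	if [ "$proto" = ipcomp ]; then
		# The outgoing packet is matched and IPsec is applied
		# The reply packet isn't applied but IPComp doesn't care
		atf_check -s exit:0 -o ignore \
		    rump.ping -c 1 -n -w 3 $pktsizeopt \
		    -E "$pingopt_out" -E "$pingopt_in" $ip_peer
		extract_new_packets $BUS > "$outfile"
		check_packets "$outfile" $ip_local $ip_peer "$pktproto" "ICMP"
	else
		# The outgoing packet is matched and IPsec is applied
		# The reply packet isn't applied but matched then discarded
		atf_check -s not-exit:0 -o ignore \
		    rump.ping -c 1 -n -w 3 $pktsizeopt \
		    -E "$pingopt_out" -E "$pingopt_in" $ip_peer
	fi

	# Setup an SP only on the source node
	ipsec_sockopt_add_out_sp $SOCK_LOCAL $ip_local $ip_peer "$proto"

	# The outgoing packet is matched and IPsec is applied
	# The reply packet isn't protected: the local node has only an
	# outbound SP, so nothing rejects the plaintext reply and the ping
	# is expected to succeed (exit:0 below).
	atf_check -s exit:0 -o ignore \
	    rump.ping -c 1 -n -w 3 $pktsizeopt -E "$pingopt_out" $ip_peer
	extract_new_packets $BUS > "$outfile"
	check_packets "$outfile" $ip_local $ip_peer "$pktproto" "ICMP"
	if [ "$proto" = ipcomp ]; then
		# The outgoing packet is matched and IPsec is applied
		# The reply packet isn't applied but IPComp doesn't care
		atf_check -s exit:0 -o ignore \
		    rump.ping -c 1 -n -w 3 $pktsizeopt \
		    -E "$pingopt_out" -E "$pingopt_in" $ip_peer
		extract_new_packets $BUS > "$outfile"
		check_packets "$outfile" $ip_local $ip_peer "$pktproto" "ICMP"
	else
		# The outgoing packet is matched and IPsec is applied
		# The reply packet isn't applied but matched then discarded
		atf_check -s not-exit:0 -o ignore \
		    rump.ping -c 1 -n -w 3 $pktsizeopt \
		    -E "$pingopt_out" -E "$pingopt_in" $ip_peer
	fi

	# Setup SPs on the both nodes
	ipsec_sockopt_add_out_sp $SOCK_PEER $ip_peer $ip_local "$proto"

	export RUMP_SERVER=$SOCK_LOCAL
	# The outgoing packet is matched and IPsec is applied
	# The reply packet is matched and IPsec is applied
	atf_check -s exit:0 -o ignore \
	    rump.ping -c 1 -n -w 3 $pktsizeopt -E "$pingopt_out" $ip_peer
	extract_new_packets $BUS > "$outfile"
	check_packets "$outfile" $ip_local $ip_peer "$pktproto"
	# The outgoing packet is matched and IPsec is applied
	# The reply packet is matched and IPsec is applied
	atf_check -s exit:0 -o ignore \
	    rump.ping -c 1 -n -w 3 $pktsizeopt -E "$pingopt_in" $ip_peer
	extract_new_packets $BUS > "$outfile"
	check_packets "$outfile" $ip_local $ip_peer "$pktproto"

	test_flush_entries $SOCK_LOCAL
	test_flush_entries $SOCK_PEER
}

#
# IPv6 body: same scenario as test_ipsec4_IP_IPSEC_POLICY, using
# rump.ping6 -P (IPV6_IPSEC_POLICY) instead of rump.ping -E.
#
test_ipsec6_IP_IPSEC_POLICY()
{
	local proto=$1
	local algo=$2
	local ip_local=fd00::1
	local ip_peer=fd00::2
	local outfile=./out
	local pktproto
	local algo_args
	# Extra ping options; deliberately expanded unquoted (several words).
	local pktsizeopt=
	local pingopt_out= pingopt_in=

	pktproto=$(generate_pktproto "$proto")
	algo_args="$(generate_algo_args "$proto" "$algo")"

	rump_server_crypto_start $SOCK_LOCAL netinet6 netipsec
	rump_server_crypto_start $SOCK_PEER netinet6 netipsec
	rump_server_add_iface $SOCK_LOCAL shmif0 $BUS
	rump_server_add_iface $SOCK_PEER shmif0 $BUS

	export RUMP_SERVER=$SOCK_LOCAL
	atf_check -s exit:0 rump.ifconfig shmif0 inet6 $ip_local
	atf_check -s exit:0 rump.ifconfig -w 10

	export RUMP_SERVER=$SOCK_PEER
	atf_check -s exit:0 rump.ifconfig shmif0 inet6 $ip_peer
	atf_check -s exit:0 rump.ifconfig -w 10

	# Drain whatever the interface setup put on the bus.
	extract_new_packets $BUS > "$outfile"

	# Plain connectivity, nothing configured yet.
	export RUMP_SERVER=$SOCK_LOCAL
	atf_check -s exit:0 -o ignore rump.ping6 -c 1 -n -X 3 $ip_peer

	extract_new_packets $BUS > "$outfile"
	check_packets "$outfile" $ip_local $ip_peer ICMP6

	pingopt_out="out ipsec $proto/transport//require"
	pingopt_in="in ipsec $proto/transport//require"

	# A "require" socket policy with no SA to satisfy it must fail.
	atf_check -s not-exit:0 -o ignore \
	    rump.ping6 -c 1 -n -X 3 -P "$pingopt_out" $ip_peer

	# Setup only SAs (on both nodes); no SPs yet
	ipsec_sockopt_add_sas $SOCK_LOCAL $ip_local $ip_peer "$proto" "$algo_args"
	ipsec_sockopt_add_sas $SOCK_PEER $ip_local $ip_peer "$proto" "$algo_args"

	export RUMP_SERVER=$SOCK_LOCAL
	if [ "$proto" = ipcomp ]; then
		# IPComp only kicks in above a minimum payload length;
		# pad the ping so the packet is actually compressed.
		pktsizeopt="-s $(($(get_minlen "$algo") - 8)) -p ff"
	fi

	# The outgoing packet is matched and IPsec is applied
	# The reply packet isn't applied
	atf_check -s exit:0 -o ignore \
	    rump.ping6 -c 1 -n -X 3 $pktsizeopt -P "$pingopt_out" $ip_peer
	extract_new_packets $BUS > "$outfile"
	check_packets "$outfile" $ip_local $ip_peer "$pktproto" "ICMP6"

	if [ "$proto" = ipcomp ]; then
		# The outgoing packet is matched and IPsec is applied
		# The reply packet isn't applied but IPComp doesn't care
		atf_check -s exit:0 -o ignore \
		    rump.ping6 -c 1 -n -X 3 $pktsizeopt \
		    -P "$pingopt_out" -P "$pingopt_in" $ip_peer
		extract_new_packets $BUS > "$outfile"
		check_packets "$outfile" $ip_local $ip_peer "$pktproto" "ICMP6"
	else
		# The outgoing packet is matched and IPsec is applied
		# The reply packet isn't applied but matched then discarded
		atf_check -s not-exit:0 -o ignore \
		    rump.ping6 -c 1 -n -X 3 $pktsizeopt \
		    -P "$pingopt_out" -P "$pingopt_in" $ip_peer
	fi

	# Setup an SP only on the source node
	ipsec_sockopt_add_out_sp $SOCK_LOCAL $ip_local $ip_peer "$proto"

	# The outgoing packet is matched and IPsec is applied
	# The reply packet isn't protected: the local node has only an
	# outbound SP, so nothing rejects the plaintext reply and the ping
	# is expected to succeed (exit:0 below).
	atf_check -s exit:0 -o ignore \
	    rump.ping6 -c 1 -n -X 3 $pktsizeopt -P "$pingopt_out" $ip_peer
	extract_new_packets $BUS > "$outfile"
	check_packets "$outfile" $ip_local $ip_peer "$pktproto" "ICMP6"
	if [ "$proto" = ipcomp ]; then
		# The outgoing packet is matched and IPsec is applied
		# The reply packet isn't applied but IPComp doesn't care
		atf_check -s exit:0 -o ignore \
		    rump.ping6 -c 1 -n -X 3 $pktsizeopt \
		    -P "$pingopt_out" -P "$pingopt_in" $ip_peer
		extract_new_packets $BUS > "$outfile"
		check_packets "$outfile" $ip_local $ip_peer "$pktproto" "ICMP6"
	else
		# The outgoing packet is matched and IPsec is applied
		# The reply packet isn't applied but matched then discarded
		atf_check -s not-exit:0 -o ignore \
		    rump.ping6 -c 1 -n -X 3 $pktsizeopt \
		    -P "$pingopt_out" -P "$pingopt_in" $ip_peer
	fi

	# Setup SPs on the both nodes
	ipsec_sockopt_add_out_sp $SOCK_PEER $ip_peer $ip_local "$proto"

	export RUMP_SERVER=$SOCK_LOCAL
	# The outgoing packet is matched and IPsec is applied
	# The reply packet is matched and IPsec is applied
	atf_check -s exit:0 -o ignore \
	    rump.ping6 -c 1 -n -X 3 $pktsizeopt -P "$pingopt_out" $ip_peer
	extract_new_packets $BUS > "$outfile"
	check_packets "$outfile" $ip_local $ip_peer "$pktproto"
	# The outgoing packet is matched and IPsec is applied
	# The reply packet is matched and IPsec is applied
	atf_check -s exit:0 -o ignore \
	    rump.ping6 -c 1 -n -X 3 $pktsizeopt -P "$pingopt_in" $ip_peer
	extract_new_packets $BUS > "$outfile"
	check_packets "$outfile" $ip_local $ip_peer "$pktproto"

	test_flush_entries $SOCK_LOCAL
	test_flush_entries $SOCK_PEER
}

#
# Dispatch on the address family: $1 is "ipv4" or anything else (ipv6),
# $2 the IPsec protocol, $3 the algorithm.
#
test_IP_IPSEC_POLICY_common()
{
	local ipproto=$1
	local proto=$2
	local algo=$3

	if [ "$ipproto" = ipv4 ]; then
		test_ipsec4_IP_IPSEC_POLICY "$proto" "$algo"
	else
		test_ipsec6_IP_IPSEC_POLICY "$proto" "$algo"
	fi
}

#
# Register one ATF test case for ($1=ipv4|ipv6, $2=esp|ah|ipcomp,
# $3=algorithm).  The case name is derived from the arguments with
# '-' removed.  The _head/_body/_cleanup functions have to be created
# with eval because sh has no other way to define a dynamically named
# function; the interpolated values all come from the fixed algorithm
# lists in atf_init_test_cases, not from user input.
#
add_test_IP_IPSEC_POLICY()
{
	local ipproto=$1
	local proto=$2
	local algo=$3
	local _algo
	local name= desc=

	_algo=$(echo "$algo" | sed 's/-//g')
	name="ipsec_IP_IPSEC_POLICY_${ipproto}_${proto}_${_algo}"
	desc="Tests of IP_IPSEC_POLICY socket option (${ipproto}, ${proto}, ${_algo})"

	atf_test_case ${name} cleanup
	eval "
	    ${name}_head() {
	        atf_set descr \"$desc\"
	        atf_set require.progs rump_server setkey
	    }
	    ${name}_body() {
	        test_IP_IPSEC_POLICY_common $ipproto $proto $algo
	        rump_server_destroy_ifaces
	    }
	    ${name}_cleanup() {
	        \$DEBUG && dump
	        cleanup
	    }
	"
	atf_add_test_case ${name}
}

#
# ATF entry point: one test case per (family, protocol, algorithm).
# The *_MINIMUM algorithm lists are word-split on purpose; they are
# defined outside this file (shared IPsec test helpers).
#
atf_init_test_cases()
{
	local algo=

	for algo in $ESP_ENCRYPTION_ALGORITHMS_MINIMUM; do
		add_test_IP_IPSEC_POLICY ipv4 esp "$algo"
		add_test_IP_IPSEC_POLICY ipv6 esp "$algo"
	done
	for algo in $AH_AUTHENTICATION_ALGORITHMS_MINIMUM; do
		add_test_IP_IPSEC_POLICY ipv4 ah "$algo"
		add_test_IP_IPSEC_POLICY ipv6 ah "$algo"
	done
	for algo in $IPCOMP_COMPRESSION_ALGORITHMS_MINIMUM; do
		add_test_IP_IPSEC_POLICY ipv4 ipcomp "$algo"
		add_test_IP_IPSEC_POLICY ipv6 ipcomp "$algo"
	done
}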