1# $NetBSD: t_ipsec_gif.sh,v 1.7 2017/08/03 03:16:27 ozaki-r Exp $ 2# 3# Copyright (c) 2017 Internet Initiative Japan Inc. 4# All rights reserved. 5# 6# Redistribution and use in source and binary forms, with or without 7# modification, are permitted provided that the following conditions 8# are met: 9# 1. Redistributions of source code must retain the above copyright 10# notice, this list of conditions and the following disclaimer. 11# 2. Redistributions in binary form must reproduce the above copyright 12# notice, this list of conditions and the following disclaimer in the 13# documentation and/or other materials provided with the distribution. 14# 15# THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS 16# ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED 17# TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 18# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS 19# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 20# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 21# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 22# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 23# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 24# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 25# POSSIBILITY OF SUCH DAMAGE. 
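#

# Rump server sockets for the four nodes of the topology and the three
# shmif(4) buses that connect them:
#
#   LOCAL --BUS_LOCAL-- TUN_LOCAL ==BUS_TUNNEL== TUN_REMOTE --BUS_REMOTE-- REMOTE
#
# BUS_TUNNEL is the inter-gateway link that carries the gif(4) traffic and
# is the only bus that is sniffed by the checks below.
SOCK_LOCAL=unix://ipsec_gif_local
# NB: "tunel" spelling kept as-is; it is only a local socket path.
SOCK_TUN_LOCAL=unix://ipsec_gif_tunel_local
SOCK_TUN_REMOTE=unix://ipsec_gif_tunnel_remote
SOCK_REMOTE=unix://ipsec_gif_remote
BUS_LOCAL=./bus_ipsec_local
BUS_TUNNEL=./bus_ipsec_tunnel
BUS_REMOTE=./bus_ipsec_remote

# "true" or "false" (command names): gates the verbose output via "$DEBUG &&".
DEBUG=${DEBUG:-true}

# Build the tcpdump(8) regex expected on the tunnel bus for one
# IPsec-protected gif packet.
#
# $1 outer source, $2 outer destination (the gif tunnel endpoints)
# $3 inner source, $4 inner destination (the end hosts)
# $5 "esp" or "ah"; anything other than "esp" is treated as AH
# $6 "ipv4" or "ipv6" (address family of the inner packet)
#
# ESP hides the inner packet, so only the outer header and "ESP" are
# matched.  AH leaves the inner packet visible, so its addresses are
# matched too, with the "(ipip-proto-4)" tag for an IPv4 inner packet.
# Addresses are interpolated unescaped, so "." also matches any
# character; that is loose, but consistent with the rest of this test.
make_gif_pktstr()
{
	local outer_src=$1
	local outer_dst=$2
	local inner_src=$3
	local inner_dst=$4
	local proto=$5
	local ipproto=$6
	local proto_cap= inner_str=

	if [ "$proto" = esp ]; then
		proto_cap=ESP
	else
		proto_cap=AH
		if [ "$ipproto" = ipv4 ]; then
			inner_str="$inner_src > $inner_dst:.+\(ipip-proto-4\)"
		else
			inner_str="$inner_src > $inner_dst"
		fi
	fi

	printf '%s\n' "$outer_src > $outer_dst: $proto_cap.+$inner_str"
}

# gif(4) over IPsec, IPv4 outer and inner.
#
# $1 "tunnel" or "transport": IPsec mode applied between the gateways
# $2 "esp" or "ah"
# $3 algorithm name handed to generate_algo_args
#
# The two gateways forward between their LANs through a gif tunnel whose
# endpoints are ip_gwlo_tun/ip_gwre_tun.  The test first pings across
# the tunnel without IPsec and checks that cleartext ipip packets are
# visible on BUS_TUNNEL, then installs SAs plus a "require" policy on
# both gateways, pings again and checks that (a) ESP/AH packets appear
# and (b) the cleartext encapsulation no longer does.  A "require" policy
# that silently let unprotected packets through would otherwise still pass
# the positive check alone.
test_ipsec4_gif()
{
	local mode=$1
	local proto=$2
	local algo=$3
	local ip_local=10.0.1.2
	local ip_gw_local=10.0.1.1
	local ip_gwlo_tun=20.0.0.1
	local ip_gwlo_gif=20.1.0.1
	local ip_gwre_gif=20.1.0.2
	local ip_gwre_tun=20.0.0.2
	local ip_gw_remote=10.0.2.1
	local ip_remote=10.0.2.2
	local subnet_local=10.0.1.0
	local subnet_remote=10.0.2.0
	local tmpfile=./tmp
	local outfile=./out
	local str= req_plain= rep_plain=
	local algo_args=

	# Declaration and assignment kept separate so a failing helper is
	# not masked by "local" always succeeding.
	algo_args=$(generate_algo_args "$proto" "$algo")

	# Cleartext gif encapsulation as tcpdump prints it on BUS_TUNNEL.
	# Used as the positive check before IPsec is configured and as the
	# negative (leak) check afterwards.
	req_plain="$ip_gwlo_tun > $ip_gwre_tun:"
	req_plain="$req_plain $ip_local > $ip_remote: ICMP echo request,"
	req_plain="$req_plain .+ \(ipip-proto-4\)"
	rep_plain="$ip_gwre_tun > $ip_gwlo_tun:"
	rep_plain="$rep_plain $ip_remote > $ip_local: ICMP echo reply,"
	rep_plain="$rep_plain .+ \(ipip-proto-4\)"

	# Only the gateways need the netipsec and gif components.
	rump_server_crypto_start "$SOCK_LOCAL"
	rump_server_crypto_start "$SOCK_TUN_LOCAL" netipsec gif
	rump_server_crypto_start "$SOCK_TUN_REMOTE" netipsec gif
	rump_server_crypto_start "$SOCK_REMOTE"
	rump_server_add_iface "$SOCK_LOCAL" shmif0 "$BUS_LOCAL"
	rump_server_add_iface "$SOCK_TUN_LOCAL" shmif0 "$BUS_LOCAL"
	rump_server_add_iface "$SOCK_TUN_LOCAL" shmif1 "$BUS_TUNNEL"
	rump_server_add_iface "$SOCK_TUN_REMOTE" shmif0 "$BUS_REMOTE"
	rump_server_add_iface "$SOCK_TUN_REMOTE" shmif1 "$BUS_TUNNEL"
	rump_server_add_iface "$SOCK_REMOTE" shmif0 "$BUS_REMOTE"

	# LOCAL host: default path to the remote LAN via its gateway.
	export RUMP_SERVER=$SOCK_LOCAL
	atf_check -s exit:0 rump.ifconfig shmif0 $ip_local/24
	atf_check -s exit:0 -o ignore \
	    rump.route -n add -net $subnet_remote $ip_gw_local

	# Local gateway: LAN side, tunnel side, gif0 and forwarding.
	export RUMP_SERVER=$SOCK_TUN_LOCAL
	atf_check -s exit:0 rump.ifconfig shmif0 $ip_gw_local/24
	atf_check -s exit:0 rump.ifconfig shmif1 $ip_gwlo_tun/24
	atf_check -s exit:0 rump.ifconfig gif0 create
	atf_check -s exit:0 rump.ifconfig gif0 \
	    tunnel $ip_gwlo_tun $ip_gwre_tun
	atf_check -s exit:0 rump.ifconfig gif0 \
	    inet $ip_gwlo_gif/32 $ip_gwre_gif
	atf_check -s exit:0 rump.sysctl -q -w net.inet.ip.forwarding=1
	atf_check -s exit:0 -o ignore \
	    rump.route -n add -net $subnet_remote $ip_gwre_gif

	# Remote gateway: mirror image of the local one.
	export RUMP_SERVER=$SOCK_TUN_REMOTE
	atf_check -s exit:0 rump.ifconfig shmif0 $ip_gw_remote/24
	atf_check -s exit:0 rump.ifconfig shmif1 $ip_gwre_tun/24
	atf_check -s exit:0 rump.ifconfig gif0 create
	atf_check -s exit:0 rump.ifconfig gif0 \
	    tunnel $ip_gwre_tun $ip_gwlo_tun
	atf_check -s exit:0 rump.ifconfig gif0 \
	    inet $ip_gwre_gif/32 $ip_gwlo_gif
	atf_check -s exit:0 rump.sysctl -q -w net.inet.ip.forwarding=1
	atf_check -s exit:0 -o ignore \
	    rump.route -n add -net $subnet_local $ip_gwlo_gif

	# REMOTE host.
	export RUMP_SERVER=$SOCK_REMOTE
	atf_check -s exit:0 rump.ifconfig shmif0 $ip_remote/24
	# Run ifconfig -w 10 just once for optimization (waits for the
	# interfaces to settle before any traffic is sent).
	atf_check -s exit:0 rump.ifconfig -w 10
	atf_check -s exit:0 -o ignore \
	    rump.route -n add -net $subnet_local $ip_gw_remote

	# Drain whatever is already on the tunnel bus so the checks below
	# only see packets caused by the pings.
	extract_new_packets "$BUS_TUNNEL" > "$outfile"

	# Phase 1: no IPsec yet; the gif encapsulation must be in the clear.
	export RUMP_SERVER=$SOCK_LOCAL
	atf_check -s exit:0 -o ignore rump.ping -c 1 -n -w 3 $ip_remote

	extract_new_packets "$BUS_TUNNEL" > "$outfile"
	atf_check -s exit:0 -o match:"$req_plain" cat "$outfile"
	atf_check -s exit:0 -o match:"$rep_plain" cat "$outfile"

	# Phase 2: install SAs and a "require" policy on both gateways.
	# SPIs 10000/10001 and the keys from generate_algo_args are fixed
	# test values, fine here only because both ends run in this test.
	if [ "$mode" = tunnel ]; then
		export RUMP_SERVER=$SOCK_TUN_LOCAL
		# from https://www.netbsd.org/docs/network/ipsec/
		cat > "$tmpfile" <<-EOF
		add $ip_gwlo_tun $ip_gwre_tun $proto 10000 $algo_args;
		add $ip_gwre_tun $ip_gwlo_tun $proto 10001 $algo_args;
		spdadd $subnet_local/24 $subnet_remote/24 any -P out ipsec
		    $proto/tunnel/$ip_gwlo_tun-$ip_gwre_tun/require;
		spdadd $subnet_remote/24 $subnet_local/24 any -P in ipsec
		    $proto/tunnel/$ip_gwre_tun-$ip_gwlo_tun/require;
		EOF
		$DEBUG && cat "$tmpfile"
		# $HIJACKING is intentionally unquoted: it may expand to
		# several words (an env wrapper plus its arguments).
		atf_check -s exit:0 -o empty $HIJACKING setkey -c < "$tmpfile"

		export RUMP_SERVER=$SOCK_TUN_REMOTE
		cat > "$tmpfile" <<-EOF
		add $ip_gwlo_tun $ip_gwre_tun $proto 10000 $algo_args;
		add $ip_gwre_tun $ip_gwlo_tun $proto 10001 $algo_args;
		spdadd $subnet_remote/24 $subnet_local/24 any -P out ipsec
		    $proto/tunnel/$ip_gwre_tun-$ip_gwlo_tun/require;
		spdadd $subnet_local/24 $subnet_remote/24 any -P in ipsec
		    $proto/tunnel/$ip_gwlo_tun-$ip_gwre_tun/require;
		EOF
		$DEBUG && cat "$tmpfile"
		atf_check -s exit:0 -o empty $HIJACKING setkey -c < "$tmpfile"
	else # transport mode: protect the gif outer packets host-to-host
		export RUMP_SERVER=$SOCK_TUN_LOCAL
		# from https://www.netbsd.org/docs/network/ipsec/
		cat > "$tmpfile" <<-EOF
		add $ip_gwlo_tun $ip_gwre_tun $proto 10000 $algo_args;
		add $ip_gwre_tun $ip_gwlo_tun $proto 10001 $algo_args;
		spdadd $ip_gwlo_tun/32 $ip_gwre_tun/32 any -P out ipsec
		    $proto/transport//require;
		spdadd $ip_gwre_tun/32 $ip_gwlo_tun/32 any -P in ipsec
		    $proto/transport//require;
		EOF
		$DEBUG && cat "$tmpfile"
		atf_check -s exit:0 -o empty $HIJACKING setkey -c < "$tmpfile"

		export RUMP_SERVER=$SOCK_TUN_REMOTE
		cat > "$tmpfile" <<-EOF
		add $ip_gwlo_tun $ip_gwre_tun $proto 10000 $algo_args;
		add $ip_gwre_tun $ip_gwlo_tun $proto 10001 $algo_args;
		spdadd $ip_gwre_tun/32 $ip_gwlo_tun/32 any -P out ipsec
		    $proto/transport//require;
		spdadd $ip_gwlo_tun/32 $ip_gwre_tun/32 any -P in ipsec
		    $proto/transport//require;
		EOF
		$DEBUG && cat "$tmpfile"
		atf_check -s exit:0 -o empty $HIJACKING setkey -c < "$tmpfile"
	fi

	check_sa_entries "$SOCK_TUN_LOCAL" $ip_gwlo_tun $ip_gwre_tun
	check_sa_entries "$SOCK_TUN_REMOTE" $ip_gwlo_tun $ip_gwre_tun

	# Phase 3: ping again; the tunnel bus must now carry ESP/AH and
	# must not carry the cleartext encapsulation any more.
	export RUMP_SERVER=$SOCK_LOCAL
	atf_check -s exit:0 -o ignore rump.ping -c 1 -n -w 3 $ip_remote

	extract_new_packets "$BUS_TUNNEL" > "$outfile"
	str=$(make_gif_pktstr $ip_gwlo_tun $ip_gwre_tun \
	    $ip_local $ip_remote "$proto" ipv4)
	atf_check -s exit:0 -o match:"$str" cat "$outfile"
	str=$(make_gif_pktstr $ip_gwre_tun $ip_gwlo_tun \
	    $ip_remote $ip_local "$proto" ipv4)
	atf_check -s exit:0 -o match:"$str" cat "$outfile"
	# Negative check: no unprotected ipip packet leaked while the
	# "require" policy was in force.  Relies on extract_new_packets
	# returning only packets captured since the previous call, as the
	# drain before phase 1 already assumes.
	atf_check -s exit:0 -o not-match:"$req_plain" cat "$outfile"
	atf_check -s exit:0 -o not-match:"$rep_plain" cat "$outfile"

	test_flush_entries "$SOCK_TUN_LOCAL"
	test_flush_entries "$SOCK_TUN_REMOTE"
}

# gif(4) over IPsec, IPv6 outer and inner.  Same structure and checks as
# test_ipsec4_gif; see there for the rationale.
#
# $1 "tunnel" or "transport"
# $2 "esp" or "ah"
# $3 algorithm name handed to generate_algo_args
test_ipsec6_gif()
{
	local mode=$1
	local proto=$2
	local algo=$3
	local ip_local=fd00:1::2
	local ip_gw_local=fd00:1::1
	local ip_gwlo_tun=fc00::1
	local ip_gwlo_gif=fc01::1
	local ip_gwre_gif=fc01::2
	local ip_gwre_tun=fc00::2
	local ip_gw_remote=fd00:2::1
	local ip_remote=fd00:2::2
	local subnet_local=fd00:1::
	local subnet_remote=fd00:2::
	local tmpfile=./tmp
	local outfile=./out
	local str= req_plain= rep_plain=
	local algo_args=

	algo_args=$(generate_algo_args "$proto" "$algo")

	# Cleartext gif encapsulation as tcpdump prints it on BUS_TUNNEL;
	# positive check before IPsec, negative (leak) check afterwards.
	req_plain="$ip_gwlo_tun > $ip_gwre_tun:"
	req_plain="$req_plain $ip_local > $ip_remote: ICMP6, echo request"
	rep_plain="$ip_gwre_tun > $ip_gwlo_tun:"
	rep_plain="$rep_plain $ip_remote > $ip_local: ICMP6, echo reply,"

	rump_server_crypto_start "$SOCK_LOCAL" netinet6
	rump_server_crypto_start "$SOCK_TUN_LOCAL" netipsec netinet6 gif
	rump_server_crypto_start "$SOCK_TUN_REMOTE" netipsec netinet6 gif
	rump_server_crypto_start "$SOCK_REMOTE" netinet6
	rump_server_add_iface "$SOCK_LOCAL" shmif0 "$BUS_LOCAL"
	rump_server_add_iface "$SOCK_TUN_LOCAL" shmif0 "$BUS_LOCAL"
	rump_server_add_iface "$SOCK_TUN_LOCAL" shmif1 "$BUS_TUNNEL"
	rump_server_add_iface "$SOCK_TUN_REMOTE" shmif0 "$BUS_REMOTE"
	rump_server_add_iface "$SOCK_TUN_REMOTE" shmif1 "$BUS_TUNNEL"
	rump_server_add_iface "$SOCK_REMOTE" shmif0 "$BUS_REMOTE"

	# LOCAL host.
	export RUMP_SERVER=$SOCK_LOCAL
	atf_check -s exit:0 rump.ifconfig shmif0 inet6 $ip_local/64
	atf_check -s exit:0 -o ignore \
	    rump.route -n add -inet6 -net $subnet_remote/64 $ip_gw_local

	# Local gateway.
	export RUMP_SERVER=$SOCK_TUN_LOCAL
	atf_check -s exit:0 rump.ifconfig shmif0 inet6 $ip_gw_local/64
	atf_check -s exit:0 rump.ifconfig shmif1 inet6 $ip_gwlo_tun/64
	atf_check -s exit:0 rump.ifconfig gif0 create
	atf_check -s exit:0 rump.ifconfig gif0 \
	    tunnel $ip_gwlo_tun $ip_gwre_tun
	atf_check -s exit:0 rump.ifconfig gif0 \
	    inet6 $ip_gwlo_gif/128 $ip_gwre_gif
	atf_check -s exit:0 rump.sysctl -q -w net.inet6.ip6.forwarding=1
	atf_check -s exit:0 -o ignore \
	    rump.route -n add -inet6 -net $subnet_remote/64 $ip_gwlo_gif

	# Remote gateway.
	export RUMP_SERVER=$SOCK_TUN_REMOTE
	atf_check -s exit:0 rump.ifconfig shmif0 inet6 $ip_gw_remote/64
	atf_check -s exit:0 rump.ifconfig shmif1 inet6 $ip_gwre_tun/64
	atf_check -s exit:0 rump.ifconfig gif0 create
	atf_check -s exit:0 rump.ifconfig gif0 \
	    tunnel $ip_gwre_tun $ip_gwlo_tun
	atf_check -s exit:0 rump.ifconfig gif0 \
	    inet6 $ip_gwre_gif/128 $ip_gwlo_gif
	atf_check -s exit:0 rump.sysctl -q -w net.inet6.ip6.forwarding=1
	atf_check -s exit:0 -o ignore \
	    rump.route -n add -inet6 -net $subnet_local/64 $ip_gwre_gif

	# REMOTE host.  The prefix length is given explicitly so it matches
	# the gateway side of the same LAN and the IPv4 variant, rather than
	# relying on ifconfig's default.
	export RUMP_SERVER=$SOCK_REMOTE
	atf_check -s exit:0 rump.ifconfig shmif0 inet6 $ip_remote/64
	# Run ifconfig -w 10 just once for optimization (waits for the
	# interfaces, including DAD, to settle before any traffic is sent).
	atf_check -s exit:0 rump.ifconfig -w 10
	atf_check -s exit:0 -o ignore \
	    rump.route -n add -inet6 -net $subnet_local/64 $ip_gw_remote

	# Drain the tunnel bus before the first ping.
	extract_new_packets "$BUS_TUNNEL" > "$outfile"

	# Phase 1: no IPsec yet; cleartext encapsulation expected.
	export RUMP_SERVER=$SOCK_LOCAL
	atf_check -s exit:0 -o ignore rump.ping6 -c 1 -n -X 3 $ip_remote

	extract_new_packets "$BUS_TUNNEL" > "$outfile"
	atf_check -s exit:0 -o match:"$req_plain" cat "$outfile"
	atf_check -s exit:0 -o match:"$rep_plain" cat "$outfile"

	# Phase 2: SAs and "require" policy on both gateways (fixed test
	# SPIs/keys, acceptable only inside this self-contained test).
	if [ "$mode" = tunnel ]; then
		export RUMP_SERVER=$SOCK_TUN_LOCAL
		# from https://www.netbsd.org/docs/network/ipsec/
		cat > "$tmpfile" <<-EOF
		add $ip_gwlo_tun $ip_gwre_tun $proto 10000 $algo_args;
		add $ip_gwre_tun $ip_gwlo_tun $proto 10001 $algo_args;
		spdadd $subnet_local/64 $subnet_remote/64 any -P out ipsec
		    $proto/tunnel/$ip_gwlo_tun-$ip_gwre_tun/require;
		spdadd $subnet_remote/64 $subnet_local/64 any -P in ipsec
		    $proto/tunnel/$ip_gwre_tun-$ip_gwlo_tun/require;
		EOF
		$DEBUG && cat "$tmpfile"
		# $HIJACKING intentionally unquoted (may be several words).
		atf_check -s exit:0 -o empty $HIJACKING setkey -c < "$tmpfile"

		export RUMP_SERVER=$SOCK_TUN_REMOTE
		cat > "$tmpfile" <<-EOF
		add $ip_gwlo_tun $ip_gwre_tun $proto 10000 $algo_args;
		add $ip_gwre_tun $ip_gwlo_tun $proto 10001 $algo_args;
		spdadd $subnet_remote/64 $subnet_local/64 any -P out ipsec
		    $proto/tunnel/$ip_gwre_tun-$ip_gwlo_tun/require;
		spdadd $subnet_local/64 $subnet_remote/64 any -P in ipsec
		    $proto/tunnel/$ip_gwlo_tun-$ip_gwre_tun/require;
		EOF
		$DEBUG && cat "$tmpfile"
		atf_check -s exit:0 -o empty $HIJACKING setkey -c < "$tmpfile"
	else # transport mode
		export RUMP_SERVER=$SOCK_TUN_LOCAL
		# from https://www.netbsd.org/docs/network/ipsec/
		cat > "$tmpfile" <<-EOF
		add $ip_gwlo_tun $ip_gwre_tun $proto 10000 $algo_args;
		add $ip_gwre_tun $ip_gwlo_tun $proto 10001 $algo_args;
		spdadd $ip_gwlo_tun/128 $ip_gwre_tun/128 any -P out ipsec
		    $proto/transport//require;
		spdadd $ip_gwre_tun/128 $ip_gwlo_tun/128 any -P in ipsec
		    $proto/transport//require;
		EOF
		$DEBUG && cat "$tmpfile"
		atf_check -s exit:0 -o empty $HIJACKING setkey -c < "$tmpfile"

		export RUMP_SERVER=$SOCK_TUN_REMOTE
		cat > "$tmpfile" <<-EOF
		add $ip_gwlo_tun $ip_gwre_tun $proto 10000 $algo_args;
		add $ip_gwre_tun $ip_gwlo_tun $proto 10001 $algo_args;
		spdadd $ip_gwre_tun/128 $ip_gwlo_tun/128 any -P out ipsec
		    $proto/transport//require;
		spdadd $ip_gwlo_tun/128 $ip_gwre_tun/128 any -P in ipsec
		    $proto/transport//require;
		EOF
		$DEBUG && cat "$tmpfile"
		atf_check -s exit:0 -o empty $HIJACKING setkey -c < "$tmpfile"
	fi

	check_sa_entries "$SOCK_TUN_LOCAL" $ip_gwlo_tun $ip_gwre_tun
	check_sa_entries "$SOCK_TUN_REMOTE" $ip_gwlo_tun $ip_gwre_tun

	# Phase 3: protected traffic present, cleartext absent.
	export RUMP_SERVER=$SOCK_LOCAL
	atf_check -s exit:0 -o ignore rump.ping6 -c 1 -n -X 3 $ip_remote

	extract_new_packets "$BUS_TUNNEL" > "$outfile"
	str=$(make_gif_pktstr $ip_gwlo_tun $ip_gwre_tun \
	    $ip_local $ip_remote "$proto" ipv6)
	atf_check -s exit:0 -o match:"$str" cat "$outfile"
	str=$(make_gif_pktstr $ip_gwre_tun $ip_gwlo_tun \
	    $ip_remote $ip_local "$proto" ipv6)
	atf_check -s exit:0 -o match:"$str" cat "$outfile"
	# Negative check: the "require" policy must not have let the
	# unprotected encapsulation through (same caveat on
	# extract_new_packets as in the IPv4 variant).
	atf_check -s exit:0 -o not-match:"$req_plain" cat "$outfile"
	atf_check -s exit:0 -o not-match:"$rep_plain" cat "$outfile"

	test_flush_entries "$SOCK_TUN_LOCAL"
	test_flush_entries "$SOCK_TUN_REMOTE"
}

# Dispatch one test body to the IPv4 or IPv6 implementation.
#
# $1 "ipv4" or "ipv6" (anything other than "ipv4" selects IPv6)
# $2 "tunnel" or "transport"
# $3 "esp" or "ah"
# $4 algorithm name
test_ipsec_gif_common()
{
	local ipproto=$1
	local mode=$2
	local proto=$3
	local algo=$4

	case "$ipproto" in
	ipv4)
		test_ipsec4_gif "$mode" "$proto" "$algo"
		;;
	*)
		test_ipsec6_gif "$mode" "$proto" "$algo"
		;;
	esac
}

# Register one ATF test case for a (family, mode, protocol, algorithm)
# combination.  The algorithm name has its dashes removed because it
# becomes part of a shell function name; the original name is still
# passed through to the body and shown in the description.
#
# $1 "ipv4" or "ipv6"
# $2 "tunnel" or "transport"
# $3 "esp" or "ah"
# $4 algorithm name
add_test_ipsec_gif()
{
	local ipproto=$1
	local mode=$2
	local proto=$3
	local algo=$4
	local _algo=$(echo $algo | sed 's/-//g')
	local name= desc=

	name="ipsec_gif_${ipproto}_${mode}_${proto}_${_algo}"
	desc="Tests of gif/IPsec ($ipproto) ${mode} mode with $proto ($algo)"

	# The head/body/cleanup functions are generated with eval because
	# ATF looks them up by the test-case name.  Only $DEBUG is left
	# unexpanded so it is read at cleanup time.
	atf_test_case ${name} cleanup
	eval "
	    ${name}_head() {
	        atf_set descr \"$desc\"
	        atf_set require.progs rump_server setkey
	    }
	    ${name}_body() {
	        test_ipsec_gif_common $ipproto $mode $proto $algo
	        rump_server_destroy_ifaces
	    }
	    ${name}_cleanup() {
	        \$DEBUG && dump
	        cleanup
	    }
	"
	atf_add_test_case ${name}
}

# Register every combination of family x mode for each ESP encryption
# algorithm and each AH authentication algorithm in the harness-provided
# "minimum" lists.
atf_init_test_cases()
{
	local algo=
	local ipproto= mode=

	for algo in $ESP_ENCRYPTION_ALGORITHMS_MINIMUM; do
		for mode in tunnel transport; do
			for ipproto in ipv4 ipv6; do
				add_test_ipsec_gif $ipproto $mode esp $algo
			done
		done
	done

	for algo in $AH_AUTHENTICATION_ALGORITHMS_MINIMUM; do
		for mode in tunnel transport; do
			for ipproto in ipv4 ipv6; do
				add_test_ipsec_gif $ipproto $mode ah $algo
			done
		done
	done
}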