1# $NetBSD: t_ipsec_gif.sh,v 1.9 2020/02/17 08:46:10 ozaki-r Exp $ 2# 3# Copyright (c) 2017 Internet Initiative Japan Inc. 4# All rights reserved. 5# 6# Redistribution and use in source and binary forms, with or without 7# modification, are permitted provided that the following conditions 8# are met: 9# 1. Redistributions of source code must retain the above copyright 10# notice, this list of conditions and the following disclaimer. 11# 2. Redistributions in binary form must reproduce the above copyright 12# notice, this list of conditions and the following disclaimer in the 13# documentation and/or other materials provided with the distribution. 14# 15# THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS 16# ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED 17# TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 18# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS 19# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 20# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 21# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 22# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 23# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 24# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 25# POSSIBILITY OF SUCH DAMAGE. 
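#

#
# Rump server sockets for the four nodes of the test topology:
#
#   LOCAL --BUS_LOCAL-- TUN_LOCAL ==BUS_TUNNEL== TUN_REMOTE --BUS_REMOTE-- REMOTE
#
# TUN_LOCAL and TUN_REMOTE are the gateways: their shmif1 interfaces sit on
# BUS_TUNNEL and carry the gif tunnel (and, once configured, the IPsec SAs).
# BUS_TUNNEL is therefore the bus whose captures are inspected below.
#
SOCK_LOCAL=unix://ipsec_gif_local
SOCK_TUN_LOCAL=unix://ipsec_gif_tunel_local
SOCK_TUN_REMOTE=unix://ipsec_gif_tunnel_remote
SOCK_REMOTE=unix://ipsec_gif_remote
BUS_LOCAL=./bus_ipsec_local
BUS_TUNNEL=./bus_ipsec_tunnel
BUS_REMOTE=./bus_ipsec_remote

# "true" or "false": run as a command (`$DEBUG && ...`) to gate verbose output.
DEBUG=${DEBUG:-true}

#
# Build the regular expression that a captured outer packet must match once
# IPsec protects the gif tunnel.
#   $1 outer src, $2 outer dst: the tunnel endpoints
#   $3 inner src, $4 inner dst: the end hosts behind the gateways
#   $5 "esp" or "ah"
#   $6 "ipv4" or "ipv6": address family of the inner packet
# With ESP only the outer header and the ESP marker are matched; with AH the
# inner header is still readable on the wire and is matched as well (for IPv4
# it is printed as an ipip-proto-4 encapsulation).
# Outputs the pattern on stdout.
#
make_gif_pktstr()
{
	local src=$1
	local dst=$2
	local src_inner=$3
	local dst_inner=$4
	local proto=$5
	local ipproto=$6
	local proto_cap= inner_str=

	if [ "$proto" = esp ]; then
		proto_cap=ESP
	else
		proto_cap=AH
		if [ "$ipproto" = ipv4 ]; then
			inner_str="$src_inner > $dst_inner:.+\(ipip-proto-4\)"
		else
			inner_str="$src_inner > $dst_inner"
		fi
	fi

	# printf rather than echo: the pattern contains backslashes, which
	# some echo implementations interpret.
	printf '%s\n' "$src > $dst: $proto_cap.+$inner_str"
}

#
# Block until duplicate address detection has finished on every node, so the
# addresses configured by the callers are usable before routes and pings
# depend on them.  Leaves RUMP_SERVER pointing at SOCK_REMOTE, which the
# callers rely on.
#
wait_for_all_dad_completions()
{
	local sock=

	for sock in "$SOCK_LOCAL" "$SOCK_TUN_LOCAL" \
	    "$SOCK_TUN_REMOTE" "$SOCK_REMOTE"; do
		export RUMP_SERVER=$sock
		# ifconfig -w waits (here at most 10 seconds) for DAD to finish.
		atf_check -s exit:0 rump.ifconfig -w 10
	done
}

#
# Load an IPsec SA/SP configuration, read from stdin, into the rump kernel
# behind $1 with setkey(8).  The text is staged in ./tmp (relative to the
# test's working directory), echoed when DEBUG is true, and must be accepted
# by setkey with no output at all.  Leaves RUMP_SERVER set to $1.
#
load_setkey_conf()
{
	local sock=$1
	local tmpfile=./tmp

	export RUMP_SERVER=$sock
	cat > "$tmpfile"
	$DEBUG && cat "$tmpfile"
	# HIJACKING is left unquoted on purpose: it is a command prefix that
	# may expand to several words, or to nothing.
	atf_check -s exit:0 -o empty $HIJACKING setkey -c < "$tmpfile"
}

#
# IPv4 variant.  Brings up the topology, verifies that LOCAL<->REMOTE traffic
# crosses BUS_TUNNEL as plain IP-in-IP through gif0, then installs IPsec SAs
# and policies on both gateways and verifies the same traffic now shows up as
# ESP/AH on the wire.  Finishes by flushing the SAD/SPD on both gateways.
#   $1 "tunnel" or "transport": IPsec mode applied to the gif traffic
#   $2 "esp" or "ah"
#   $3 algorithm name, handed to generate_algo_args
#
test_ipsec4_gif()
{
	local mode=$1
	local proto=$2
	local algo=$3
	local ip_local=10.0.1.2
	local ip_gw_local=10.0.1.1
	local ip_gwlo_tun=20.0.0.1
	local ip_gwlo_gif=20.1.0.1
	local ip_gwre_gif=20.1.0.2
	local ip_gwre_tun=20.0.0.2
	local ip_gw_remote=10.0.2.1
	local ip_remote=10.0.2.2
	local subnet_local=10.0.1.0
	local subnet_remote=10.0.2.0
	local outfile=./out
	local str=
	local algo_args=

	# Assign separately from the declaration so a failing helper is not
	# masked by local's own exit status.
	algo_args=$(generate_algo_args "$proto" "$algo") ||
	    atf_fail "generate_algo_args $proto $algo failed"

	rump_server_crypto_start "$SOCK_LOCAL"
	rump_server_crypto_start "$SOCK_TUN_LOCAL" netipsec gif
	rump_server_crypto_start "$SOCK_TUN_REMOTE" netipsec gif
	rump_server_crypto_start "$SOCK_REMOTE"
	rump_server_add_iface "$SOCK_LOCAL" shmif0 "$BUS_LOCAL"
	rump_server_add_iface "$SOCK_TUN_LOCAL" shmif0 "$BUS_LOCAL"
	rump_server_add_iface "$SOCK_TUN_LOCAL" shmif1 "$BUS_TUNNEL"
	rump_server_add_iface "$SOCK_TUN_REMOTE" shmif0 "$BUS_REMOTE"
	rump_server_add_iface "$SOCK_TUN_REMOTE" shmif1 "$BUS_TUNNEL"
	rump_server_add_iface "$SOCK_REMOTE" shmif0 "$BUS_REMOTE"

	export RUMP_SERVER=$SOCK_LOCAL
	atf_check -s exit:0 rump.ifconfig shmif0 "$ip_local/24"
	atf_check -s exit:0 -o ignore \
	    rump.route -n add -net "$subnet_remote" "$ip_gw_local"

	# Local gateway: gif0 between the two tunnel endpoints, forwarding on,
	# remote subnet routed through the peer's gif address.
	export RUMP_SERVER=$SOCK_TUN_LOCAL
	atf_check -s exit:0 rump.ifconfig shmif0 "$ip_gw_local/24"
	atf_check -s exit:0 rump.ifconfig shmif1 "$ip_gwlo_tun/24"
	rump_server_add_iface "$SOCK_TUN_LOCAL" gif0
	atf_check -s exit:0 rump.ifconfig gif0 \
	    tunnel "$ip_gwlo_tun" "$ip_gwre_tun"
	atf_check -s exit:0 rump.ifconfig gif0 \
	    inet "$ip_gwlo_gif/32" "$ip_gwre_gif"
	atf_check -s exit:0 rump.sysctl -q -w net.inet.ip.forwarding=1
	atf_check -s exit:0 -o ignore \
	    rump.route -n add -net "$subnet_remote" "$ip_gwre_gif"

	# Remote gateway: mirror image of the local one.
	export RUMP_SERVER=$SOCK_TUN_REMOTE
	atf_check -s exit:0 rump.ifconfig shmif0 "$ip_gw_remote/24"
	atf_check -s exit:0 rump.ifconfig shmif1 "$ip_gwre_tun/24"
	rump_server_add_iface "$SOCK_TUN_REMOTE" gif0
	atf_check -s exit:0 rump.ifconfig gif0 \
	    tunnel "$ip_gwre_tun" "$ip_gwlo_tun"
	atf_check -s exit:0 rump.ifconfig gif0 \
	    inet "$ip_gwre_gif/32" "$ip_gwlo_gif"
	atf_check -s exit:0 rump.sysctl -q -w net.inet.ip.forwarding=1
	atf_check -s exit:0 -o ignore \
	    rump.route -n add -net "$subnet_local" "$ip_gwlo_gif"

	export RUMP_SERVER=$SOCK_REMOTE
	atf_check -s exit:0 rump.ifconfig shmif0 "$ip_remote/24"

	wait_for_all_dad_completions

	# RUMP_SERVER is still SOCK_REMOTE after the DAD wait.
	atf_check -s exit:0 -o ignore \
	    rump.route -n add -net "$subnet_local" "$ip_gw_remote"

	# Consume what the setup phase put on the tunnel bus (presumably so the
	# next capture contains only the ping); this output is not checked.
	extract_new_packets "$BUS_TUNNEL" > "$outfile"

	export RUMP_SERVER=$SOCK_LOCAL
	atf_check -s exit:0 -o ignore rump.ping -c 1 -n -w 3 "$ip_remote"

	# Without IPsec the gif traffic is plain IP-in-IP: the inner ICMP
	# echo request/reply must be readable on the tunnel bus.
	extract_new_packets "$BUS_TUNNEL" > "$outfile"
	str="$ip_gwlo_tun > $ip_gwre_tun:"
	str="$str $ip_local > $ip_remote: ICMP echo request,"
	str="$str .+ \(ipip-proto-4\)"
	atf_check -s exit:0 -o match:"$str" cat "$outfile"
	str="$ip_gwre_tun > $ip_gwlo_tun:"
	str="$str $ip_remote > $ip_local: ICMP echo reply,"
	str="$str .+ \(ipip-proto-4\)"
	atf_check -s exit:0 -o match:"$str" cat "$outfile"

	# Same SA pair (SPI 10000 local->remote, 10001 remote->local) on both
	# gateways; only the policies differ per side and per mode.
	# Configuration shape from https://www.netbsd.org/docs/network/ipsec/
	if [ "$mode" = tunnel ]; then
		# Tunnel mode: policies select the end-host subnets and name
		# the tunnel endpoints explicitly.
		load_setkey_conf "$SOCK_TUN_LOCAL" <<-EOF
		add $ip_gwlo_tun $ip_gwre_tun $proto 10000 $algo_args;
		add $ip_gwre_tun $ip_gwlo_tun $proto 10001 $algo_args;
		spdadd $subnet_local/24 $subnet_remote/24 any -P out ipsec
		    $proto/tunnel/$ip_gwlo_tun-$ip_gwre_tun/require;
		spdadd $subnet_remote/24 $subnet_local/24 any -P in ipsec
		    $proto/tunnel/$ip_gwre_tun-$ip_gwlo_tun/require;
		EOF

		load_setkey_conf "$SOCK_TUN_REMOTE" <<-EOF
		add $ip_gwlo_tun $ip_gwre_tun $proto 10000 $algo_args;
		add $ip_gwre_tun $ip_gwlo_tun $proto 10001 $algo_args;
		spdadd $subnet_remote/24 $subnet_local/24 any -P out ipsec
		    $proto/tunnel/$ip_gwre_tun-$ip_gwlo_tun/require;
		spdadd $subnet_local/24 $subnet_remote/24 any -P in ipsec
		    $proto/tunnel/$ip_gwlo_tun-$ip_gwre_tun/require;
		EOF
	else # transport mode
		# Transport mode: policies select the gif (outer) packets
		# between the two tunnel endpoints themselves.
		load_setkey_conf "$SOCK_TUN_LOCAL" <<-EOF
		add $ip_gwlo_tun $ip_gwre_tun $proto 10000 $algo_args;
		add $ip_gwre_tun $ip_gwlo_tun $proto 10001 $algo_args;
		spdadd $ip_gwlo_tun/32 $ip_gwre_tun/32 any -P out ipsec
		    $proto/transport//require;
		spdadd $ip_gwre_tun/32 $ip_gwlo_tun/32 any -P in ipsec
		    $proto/transport//require;
		EOF

		load_setkey_conf "$SOCK_TUN_REMOTE" <<-EOF
		add $ip_gwlo_tun $ip_gwre_tun $proto 10000 $algo_args;
		add $ip_gwre_tun $ip_gwlo_tun $proto 10001 $algo_args;
		spdadd $ip_gwre_tun/32 $ip_gwlo_tun/32 any -P out ipsec
		    $proto/transport//require;
		spdadd $ip_gwlo_tun/32 $ip_gwre_tun/32 any -P in ipsec
		    $proto/transport//require;
		EOF
	fi

	check_sa_entries "$SOCK_TUN_LOCAL" "$ip_gwlo_tun" "$ip_gwre_tun"
	check_sa_entries "$SOCK_TUN_REMOTE" "$ip_gwlo_tun" "$ip_gwre_tun"

	export RUMP_SERVER=$SOCK_LOCAL
	atf_check -s exit:0 -o ignore rump.ping -c 1 -n -w 3 "$ip_remote"

	# With IPsec in place the tunnel bus must carry ESP/AH between the
	# endpoints; make_gif_pktstr also matches the inner header for AH,
	# where it stays visible.
	extract_new_packets "$BUS_TUNNEL" > "$outfile"
	str=$(make_gif_pktstr "$ip_gwlo_tun" "$ip_gwre_tun" \
	    "$ip_local" "$ip_remote" "$proto" ipv4)
	atf_check -s exit:0 -o match:"$str" cat "$outfile"
	str=$(make_gif_pktstr "$ip_gwre_tun" "$ip_gwlo_tun" \
	    "$ip_remote" "$ip_local" "$proto" ipv4)
	atf_check -s exit:0 -o match:"$str" cat "$outfile"

	test_flush_entries "$SOCK_TUN_LOCAL"
	test_flush_entries "$SOCK_TUN_REMOTE"
}

#
# IPv6 variant of test_ipsec4_gif: same topology and same sequence of checks,
# with IPv6 addressing on every link and ICMPv6 echo as the test traffic.
#   $1 "tunnel" or "transport": IPsec mode applied to the gif traffic
#   $2 "esp" or "ah"
#   $3 algorithm name, handed to generate_algo_args
#
test_ipsec6_gif()
{
	local mode=$1
	local proto=$2
	local algo=$3
	local ip_local=fd00:1::2
	local ip_gw_local=fd00:1::1
	local ip_gwlo_tun=fc00::1
	local ip_gwlo_gif=fc01::1
	local ip_gwre_gif=fc01::2
	local ip_gwre_tun=fc00::2
	local ip_gw_remote=fd00:2::1
	local ip_remote=fd00:2::2
	local subnet_local=fd00:1::
	local subnet_remote=fd00:2::
	local outfile=./out
	local str=
	local algo_args=

	# Assign separately from the declaration so a failing helper is not
	# masked by local's own exit status.
	algo_args=$(generate_algo_args "$proto" "$algo") ||
	    atf_fail "generate_algo_args $proto $algo failed"

	rump_server_crypto_start "$SOCK_LOCAL" netinet6
	rump_server_crypto_start "$SOCK_TUN_LOCAL" netipsec netinet6 gif
	rump_server_crypto_start "$SOCK_TUN_REMOTE" netipsec netinet6 gif
	rump_server_crypto_start "$SOCK_REMOTE" netinet6
	rump_server_add_iface "$SOCK_LOCAL" shmif0 "$BUS_LOCAL"
	rump_server_add_iface "$SOCK_TUN_LOCAL" shmif0 "$BUS_LOCAL"
	rump_server_add_iface "$SOCK_TUN_LOCAL" shmif1 "$BUS_TUNNEL"
	rump_server_add_iface "$SOCK_TUN_REMOTE" shmif0 "$BUS_REMOTE"
	rump_server_add_iface "$SOCK_TUN_REMOTE" shmif1 "$BUS_TUNNEL"
	rump_server_add_iface "$SOCK_REMOTE" shmif0 "$BUS_REMOTE"

	export RUMP_SERVER=$SOCK_LOCAL
	atf_check -s exit:0 rump.ifconfig shmif0 inet6 "$ip_local/64"
	atf_check -s exit:0 -o ignore \
	    rump.route -n add -inet6 -net "$subnet_remote/64" "$ip_gw_local"

	# Local gateway.  NOTE(review): unlike the IPv4 variant, the route to
	# the remote subnet names this node's own gif address as the gateway
	# rather than the peer's; presumably both resolve to gif0, so it is
	# kept as is.
	export RUMP_SERVER=$SOCK_TUN_LOCAL
	atf_check -s exit:0 rump.ifconfig shmif0 inet6 "$ip_gw_local/64"
	atf_check -s exit:0 rump.ifconfig shmif1 inet6 "$ip_gwlo_tun/64"
	rump_server_add_iface "$SOCK_TUN_LOCAL" gif0
	atf_check -s exit:0 rump.ifconfig gif0 \
	    tunnel "$ip_gwlo_tun" "$ip_gwre_tun"
	atf_check -s exit:0 rump.ifconfig gif0 \
	    inet6 "$ip_gwlo_gif/128" "$ip_gwre_gif"
	atf_check -s exit:0 rump.sysctl -q -w net.inet6.ip6.forwarding=1
	atf_check -s exit:0 -o ignore \
	    rump.route -n add -inet6 -net "$subnet_remote/64" "$ip_gwlo_gif"

	# Remote gateway: mirror image of the local one.
	export RUMP_SERVER=$SOCK_TUN_REMOTE
	atf_check -s exit:0 rump.ifconfig shmif0 inet6 "$ip_gw_remote/64"
	atf_check -s exit:0 rump.ifconfig shmif1 inet6 "$ip_gwre_tun/64"
	rump_server_add_iface "$SOCK_TUN_REMOTE" gif0
	atf_check -s exit:0 rump.ifconfig gif0 \
	    tunnel "$ip_gwre_tun" "$ip_gwlo_tun"
	atf_check -s exit:0 rump.ifconfig gif0 \
	    inet6 "$ip_gwre_gif/128" "$ip_gwlo_gif"
	atf_check -s exit:0 rump.sysctl -q -w net.inet6.ip6.forwarding=1
	atf_check -s exit:0 -o ignore \
	    rump.route -n add -inet6 -net "$subnet_local/64" "$ip_gwre_gif"

	# NOTE(review): no prefix length is given here, unlike the other
	# shmif0 addresses (/64); kept as in the original.
	export RUMP_SERVER=$SOCK_REMOTE
	atf_check -s exit:0 rump.ifconfig shmif0 inet6 "$ip_remote"

	wait_for_all_dad_completions

	# RUMP_SERVER is still SOCK_REMOTE after the DAD wait.
	atf_check -s exit:0 -o ignore \
	    rump.route -n add -inet6 -net "$subnet_local/64" "$ip_gw_remote"

	# Consume what the setup phase put on the tunnel bus (presumably so the
	# next capture contains only the ping); this output is not checked.
	extract_new_packets "$BUS_TUNNEL" > "$outfile"

	export RUMP_SERVER=$SOCK_LOCAL
	atf_check -s exit:0 -o ignore rump.ping6 -c 1 -n -X 3 "$ip_remote"

	# Without IPsec the inner ICMPv6 echo request/reply must be readable
	# on the tunnel bus.
	extract_new_packets "$BUS_TUNNEL" > "$outfile"
	str="$ip_gwlo_tun > $ip_gwre_tun:"
	str="$str $ip_local > $ip_remote: ICMP6, echo request"
	atf_check -s exit:0 -o match:"$str" cat "$outfile"
	str="$ip_gwre_tun > $ip_gwlo_tun:"
	str="$str $ip_remote > $ip_local: ICMP6, echo reply,"
	atf_check -s exit:0 -o match:"$str" cat "$outfile"

	# Same SA pair (SPI 10000 local->remote, 10001 remote->local) on both
	# gateways; only the policies differ per side and per mode.
	# Configuration shape from https://www.netbsd.org/docs/network/ipsec/
	if [ "$mode" = tunnel ]; then
		# Tunnel mode: policies select the end-host /64s and name the
		# tunnel endpoints explicitly.
		load_setkey_conf "$SOCK_TUN_LOCAL" <<-EOF
		add $ip_gwlo_tun $ip_gwre_tun $proto 10000 $algo_args;
		add $ip_gwre_tun $ip_gwlo_tun $proto 10001 $algo_args;
		spdadd $subnet_local/64 $subnet_remote/64 any -P out ipsec
		    $proto/tunnel/$ip_gwlo_tun-$ip_gwre_tun/require;
		spdadd $subnet_remote/64 $subnet_local/64 any -P in ipsec
		    $proto/tunnel/$ip_gwre_tun-$ip_gwlo_tun/require;
		EOF

		load_setkey_conf "$SOCK_TUN_REMOTE" <<-EOF
		add $ip_gwlo_tun $ip_gwre_tun $proto 10000 $algo_args;
		add $ip_gwre_tun $ip_gwlo_tun $proto 10001 $algo_args;
		spdadd $subnet_remote/64 $subnet_local/64 any -P out ipsec
		    $proto/tunnel/$ip_gwre_tun-$ip_gwlo_tun/require;
		spdadd $subnet_local/64 $subnet_remote/64 any -P in ipsec
		    $proto/tunnel/$ip_gwlo_tun-$ip_gwre_tun/require;
		EOF
	else # transport mode
		# Transport mode: policies select the gif (outer) packets
		# between the two tunnel endpoints themselves.
		load_setkey_conf "$SOCK_TUN_LOCAL" <<-EOF
		add $ip_gwlo_tun $ip_gwre_tun $proto 10000 $algo_args;
		add $ip_gwre_tun $ip_gwlo_tun $proto 10001 $algo_args;
		spdadd $ip_gwlo_tun/128 $ip_gwre_tun/128 any -P out ipsec
		    $proto/transport//require;
		spdadd $ip_gwre_tun/128 $ip_gwlo_tun/128 any -P in ipsec
		    $proto/transport//require;
		EOF

		load_setkey_conf "$SOCK_TUN_REMOTE" <<-EOF
		add $ip_gwlo_tun $ip_gwre_tun $proto 10000 $algo_args;
		add $ip_gwre_tun $ip_gwlo_tun $proto 10001 $algo_args;
		spdadd $ip_gwre_tun/128 $ip_gwlo_tun/128 any -P out ipsec
		    $proto/transport//require;
		spdadd $ip_gwlo_tun/128 $ip_gwre_tun/128 any -P in ipsec
		    $proto/transport//require;
		EOF
	fi

	check_sa_entries "$SOCK_TUN_LOCAL" "$ip_gwlo_tun" "$ip_gwre_tun"
	check_sa_entries "$SOCK_TUN_REMOTE" "$ip_gwlo_tun" "$ip_gwre_tun"

	export RUMP_SERVER=$SOCK_LOCAL
	atf_check -s exit:0 -o ignore rump.ping6 -c 1 -n -X 3 "$ip_remote"

	# With IPsec in place the tunnel bus must carry ESP/AH between the
	# endpoints; make_gif_pktstr also matches the inner header for AH,
	# where it stays visible.
	extract_new_packets "$BUS_TUNNEL" > "$outfile"
	str=$(make_gif_pktstr "$ip_gwlo_tun" "$ip_gwre_tun" \
	    "$ip_local" "$ip_remote" "$proto" ipv6)
	atf_check -s exit:0 -o match:"$str" cat "$outfile"
	str=$(make_gif_pktstr "$ip_gwre_tun" "$ip_gwlo_tun" \
	    "$ip_remote" "$ip_local" "$proto" ipv6)
	atf_check -s exit:0 -o match:"$str" cat "$outfile"

	test_flush_entries "$SOCK_TUN_LOCAL"
	test_flush_entries "$SOCK_TUN_REMOTE"
}

#
# Dispatch to the IPv4 or IPv6 test body.
#   $1 "ipv4" or "ipv6"   $2 mode   $3 "esp"/"ah"   $4 algorithm
#
test_ipsec_gif_common()
{
	local ipproto=$1
	local mode=$2
	local proto=$3
	local algo=$4

	if [ "$ipproto" = ipv4 ]; then
		test_ipsec4_gif "$mode" "$proto" "$algo"
	else
		test_ipsec6_gif "$mode" "$proto" "$algo"
	fi
}

#
# Register one ATF test case "ipsec_gif_<ipproto>_<mode>_<proto>_<algo>".
#   $1 "ipv4" or "ipv6"   $2 mode   $3 "esp"/"ah"   $4 algorithm
#
add_test_ipsec_gif()
{
	local ipproto=$1
	local mode=$2
	local proto=$3
	local algo=$4
	local _algo=
	local name= desc=

	# The name becomes part of shell function names below, where '-' is
	# not allowed, so strip it from the algorithm name.
	_algo=$(printf '%s\n' "$algo" | sed 's/-//g')

	name="ipsec_gif_${ipproto}_${mode}_${proto}_${_algo}"
	desc="Tests of gif/IPsec ($ipproto) ${mode} mode with $proto ($algo)"

	# The eval'ed text is assembled only from the fixed arguments passed
	# by atf_init_test_cases, never from external input.  \$DEBUG is
	# escaped so it is evaluated when cleanup actually runs.
	atf_test_case ${name} cleanup
	eval "
	${name}_head() {
		atf_set descr \"$desc\"
		atf_set require.progs rump_server setkey
	}
	${name}_body() {
		test_ipsec_gif_common $ipproto $mode $proto $algo
		rump_server_destroy_ifaces
	}
	${name}_cleanup() {
		\$DEBUG && dump
		cleanup
	}
	"
	atf_add_test_case ${name}
}

#
# Register the full matrix: {ipv4,ipv6} x {tunnel,transport} x
# ESP algorithms from ESP_ENCRYPTION_ALGORITHMS_MINIMUM and
# AH algorithms from AH_AUTHENTICATION_ALGORITHMS_MINIMUM.
#
atf_init_test_cases()
{
	local algo=

	# The algorithm lists are whitespace-separated words and are left
	# unquoted on purpose so the loops iterate over them.
	for algo in $ESP_ENCRYPTION_ALGORITHMS_MINIMUM; do
		add_test_ipsec_gif ipv4 tunnel esp "$algo"
		add_test_ipsec_gif ipv6 tunnel esp "$algo"
		add_test_ipsec_gif ipv4 transport esp "$algo"
		add_test_ipsec_gif ipv6 transport esp "$algo"
	done

	for algo in $AH_AUTHENTICATION_ALGORITHMS_MINIMUM; do
		add_test_ipsec_gif ipv4 tunnel ah "$algo"
		add_test_ipsec_gif ipv6 tunnel ah "$algo"
		add_test_ipsec_gif ipv4 transport ah "$algo"
		add_test_ipsec_gif ipv6 transport ah "$algo"
	done
}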