[BACK]Return to t_ipsec_sockopt.sh CVS log [TXT][DIR] Up to [cvs.NetBSD.org] / src / tests / net / ipsec

File: [cvs.NetBSD.org] / src / tests / net / ipsec / t_ipsec_sockopt.sh (download)

Revision 1.2, Thu Aug 3 03:16:27 2017 UTC (3 years, 7 months ago) by ozaki-r
Branch: MAIN
CVS Tags: phil-wifi-base, phil-wifi-20200421, phil-wifi-20200411, phil-wifi-20200406, phil-wifi-20191119, phil-wifi-20190609, phil-wifi, pgoyette-compat-merge-20190127, pgoyette-compat-base, pgoyette-compat-20190127, pgoyette-compat-20190118, pgoyette-compat-1226, pgoyette-compat-1126, pgoyette-compat-1020, pgoyette-compat-0930, pgoyette-compat-0906, pgoyette-compat-0728, pgoyette-compat-0625, pgoyette-compat-0521, pgoyette-compat-0502, pgoyette-compat-0422, pgoyette-compat-0415, pgoyette-compat-0407, pgoyette-compat-0330, pgoyette-compat-0322, pgoyette-compat-0315, pgoyette-compat, netbsd-9-base, netbsd-9-1-RELEASE, netbsd-9-0-RELEASE, netbsd-9-0-RC2, netbsd-9-0-RC1, netbsd-9, is-mlppp-base, is-mlppp, HEAD
Branch point for: netbsd-8
Changes since 1.1: +14 -14 lines

Clean up clunky eval strings

- Remove unnecessary \ at EOL
  - This allows to omit ; too
- Remove unnecessary quotes for arguments of atf_set
- Don't expand $DEBUG in eval
  - We expect it's expanded on execution

Suggested by kre@

#	$NetBSD: t_ipsec_sockopt.sh,v 1.2 2017/08/03 03:16:27 ozaki-r Exp $
#
# Copyright (c) 2017 Internet Initiative Japan Inc.
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
# 1. Redistributions of source code must retain the above copyright
#    notice, this list of conditions and the following disclaimer.
# 2. Redistributions in binary form must reproduce the above copyright
#    notice, this list of conditions and the following disclaimer in the
#    documentation and/or other materials provided with the distribution.
#
# THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
# ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
# TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
# PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
# POSSIBILITY OF SUCH DAMAGE.
#

SOCK_LOCAL=unix://ipsec_local
SOCK_PEER=unix://ipsec_peer
BUS=./bus_ipsec

DEBUG=${DEBUG:-false}

check_packets()
{
	local outfile=$1
	local src=$2
	local dst=$3
	local pktproto_out=$4
	local pktproto_in=${5:-$4}

	atf_check -s exit:0 -o match:"$src > $dst: $pktproto_out" cat $outfile
	atf_check -s exit:0 -o match:"$dst > $src: $pktproto_in" cat $outfile
}

test_ipsec4_IP_IPSEC_POLICY()
{
	local proto=$1
	local algo=$2
	local ip_local=10.0.0.1
	local ip_peer=10.0.0.2
	local tmpfile=./tmp
	local outfile=./out
	local pktproto=$(generate_pktproto $proto)
	local algo_args="$(generate_algo_args $proto $algo)"
	local pktsizeopt=
	local pingopt= pingopt2=

	rump_server_crypto_start $SOCK_LOCAL netipsec
	rump_server_crypto_start $SOCK_PEER netipsec
	rump_server_add_iface $SOCK_LOCAL shmif0 $BUS
	rump_server_add_iface $SOCK_PEER shmif0 $BUS

	export RUMP_SERVER=$SOCK_LOCAL
	atf_check -s exit:0 rump.ifconfig shmif0 $ip_local/24
	atf_check -s exit:0 rump.ifconfig -w 10

	export RUMP_SERVER=$SOCK_PEER
	atf_check -s exit:0 rump.ifconfig shmif0 $ip_peer/24
	atf_check -s exit:0 rump.ifconfig -w 10

	extract_new_packets $BUS > $outfile

	export RUMP_SERVER=$SOCK_LOCAL
	atf_check -s exit:0 -o ignore rump.ping -c 1 -n -w 3 $ip_peer

	extract_new_packets $BUS > $outfile
	check_packets $outfile $ip_local $ip_peer ICMP

	pingopt_out="out ipsec $proto/transport//require"
	pingopt_in="in ipsec $proto/transport//require"

	atf_check -s not-exit:0 -o ignore \
	    rump.ping -c 1 -n -w 3 -E "$pingopt_out" $ip_peer

	# Setup only SAs
	export RUMP_SERVER=$SOCK_LOCAL
	cat > $tmpfile <<-EOF
	add $ip_local $ip_peer $proto 10000 $algo_args;
	add $ip_peer $ip_local $proto 10001 $algo_args;
	EOF
	$DEBUG && cat $tmpfile
	atf_check -s exit:0 -o empty $HIJACKING setkey -c < $tmpfile
	check_sa_entries $SOCK_LOCAL $ip_local $ip_peer

	export RUMP_SERVER=$SOCK_PEER
	cat > $tmpfile <<-EOF
	add $ip_local $ip_peer $proto 10000 $algo_args;
	add $ip_peer $ip_local $proto 10001 $algo_args;
	EOF
	$DEBUG && cat $tmpfile
	atf_check -s exit:0 -o empty $HIJACKING setkey -c < $tmpfile
	check_sa_entries $SOCK_PEER $ip_local $ip_peer

	export RUMP_SERVER=$SOCK_LOCAL
	if [ $proto = ipcomp ]; then
		pktsizeopt="-s $(($(get_minlen $algo) - 8)) -p ff"
	fi

	# The outgoing packet is matched and IPsec is applied
	# The reply packet isn't applied
	atf_check -s exit:0 -o ignore \
	    rump.ping -c 1 -n -w 3 $pktsizeopt -E "$pingopt_out" $ip_peer
	extract_new_packets $BUS > $outfile
	check_packets $outfile $ip_local $ip_peer $pktproto "ICMP"

	if [ $proto = ipcomp ]; then
		# The outgoing packet is matched and IPsec is applied
		# The reply packet isn't applied but IPComp doesn't care
		atf_check -s exit:0 -o ignore \
		    rump.ping -c 1 -n -w 3 $pktsizeopt \
		    -E "$pingopt_out" -E "$pingopt_in" $ip_peer
		extract_new_packets $BUS > $outfile
		check_packets $outfile $ip_local $ip_peer $pktproto "ICMP"
	else
		# The outgoing packet is matched and IPsec is applied
		# The reply packet isn't applied but matched then discarded
		atf_check -s not-exit:0 -o ignore \
		    rump.ping -c 1 -n -w 3 $pktsizeopt \
		    -E "$pingopt_out" -E "$pingopt_in" $ip_peer
	fi

	# Setup an SP only on the source node
	export RUMP_SERVER=$SOCK_LOCAL
	cat > $tmpfile <<-EOF
	spdadd $ip_local $ip_peer any -P out ipsec $proto/transport//require;
	EOF
	$DEBUG && cat $tmpfile
	atf_check -s exit:0 -o empty $HIJACKING setkey -c < $tmpfile

	# The outgoing packet is matched and IPsec is applied
	# The reply packet isn't applied and thus discarded
	atf_check -s exit:0 -o ignore \
	    rump.ping -c 1 -n -w 3 $pktsizeopt -E "$pingopt_out" $ip_peer
	extract_new_packets $BUS > $outfile
	check_packets $outfile $ip_local $ip_peer $pktproto "ICMP"
	if [ $proto = ipcomp ]; then
		# The outgoing packet is matched and IPsec is applied
		# The reply packet isn't applied but IPComp doesn't care
		atf_check -s exit:0 -o ignore \
		    rump.ping -c 1 -n -w 3 $pktsizeopt \
		    -E "$pingopt_out" -E "$pingopt_in" $ip_peer
		extract_new_packets $BUS > $outfile
		check_packets $outfile $ip_local $ip_peer $pktproto "ICMP"
	else
		# The outgoing packet is matched and IPsec is applied
		# The reply packet isn't applied but matched then discarded
		atf_check -s not-exit:0 -o ignore \
		    rump.ping -c 1 -n -w 3 $pktsizeopt \
		    -E "$pingopt_out" -E "$pingopt_in" $ip_peer
	fi

	# Setup SPs on the both nodes
	export RUMP_SERVER=$SOCK_PEER
	cat > $tmpfile <<-EOF
	spdadd $ip_peer $ip_local any -P out ipsec $proto/transport//require;
	EOF
	$DEBUG && cat $tmpfile
	atf_check -s exit:0 -o empty $HIJACKING setkey -c < $tmpfile

	export RUMP_SERVER=$SOCK_LOCAL
	# The outgoing packet is matched and IPsec is applied
	# The reply packet is matched and IPsec is applied
	atf_check -s exit:0 -o ignore \
	    rump.ping -c 1 -n -w 3 $pktsizeopt -E "$pingopt_out" $ip_peer
	extract_new_packets $BUS > $outfile
	check_packets $outfile $ip_local $ip_peer $pktproto
	# The outgoing packet is matched and IPsec is applied
	# The reply packet is matched and IPsec is applied
	atf_check -s exit:0 -o ignore \
	    rump.ping -c 1 -n -w 3 $pktsizeopt -E "$pingopt_in" $ip_peer
	extract_new_packets $BUS > $outfile
	check_packets $outfile $ip_local $ip_peer $pktproto

	test_flush_entries $SOCK_LOCAL
	test_flush_entries $SOCK_PEER
}

test_ipsec6_IP_IPSEC_POLICY()
{
	local proto=$1
	local algo=$2
	local ip_local=fd00::1
	local ip_peer=fd00::2
	local tmpfile=./tmp
	local outfile=./out
	local pktproto=$(generate_pktproto $proto)
	local algo_args="$(generate_algo_args $proto $algo)"
	local pktsizeopt=
	local pingopt= pingopt2=

	rump_server_crypto_start $SOCK_LOCAL netinet6 netipsec
	rump_server_crypto_start $SOCK_PEER netinet6 netipsec
	rump_server_add_iface $SOCK_LOCAL shmif0 $BUS
	rump_server_add_iface $SOCK_PEER shmif0 $BUS

	export RUMP_SERVER=$SOCK_LOCAL
	atf_check -s exit:0 rump.ifconfig shmif0 inet6 $ip_local
	atf_check -s exit:0 rump.ifconfig -w 10

	export RUMP_SERVER=$SOCK_PEER
	atf_check -s exit:0 rump.ifconfig shmif0 inet6 $ip_peer
	atf_check -s exit:0 rump.ifconfig -w 10

	extract_new_packets $BUS > $outfile

	export RUMP_SERVER=$SOCK_LOCAL
	atf_check -s exit:0 -o ignore rump.ping6 -c 1 -n -X 3 $ip_peer

	extract_new_packets $BUS > $outfile
	check_packets $outfile $ip_local $ip_peer ICMP6

	pingopt_out="out ipsec $proto/transport//require"
	pingopt_in="in ipsec $proto/transport//require"

	atf_check -s not-exit:0 -o ignore \
	    rump.ping6 -c 1 -n -X 3 -P "$pingopt_out" $ip_peer

	# Setup only SAs
	export RUMP_SERVER=$SOCK_LOCAL
	cat > $tmpfile <<-EOF
	add $ip_local $ip_peer $proto 10000 $algo_args;
	add $ip_peer $ip_local $proto 10001 $algo_args;
	EOF
	$DEBUG && cat $tmpfile
	atf_check -s exit:0 -o empty $HIJACKING setkey -c < $tmpfile
	check_sa_entries $SOCK_LOCAL $ip_local $ip_peer

	export RUMP_SERVER=$SOCK_PEER
	cat > $tmpfile <<-EOF
	add $ip_local $ip_peer $proto 10000 $algo_args;
	add $ip_peer $ip_local $proto 10001 $algo_args;
	EOF
	$DEBUG && cat $tmpfile
	atf_check -s exit:0 -o empty $HIJACKING setkey -c < $tmpfile
	check_sa_entries $SOCK_PEER $ip_local $ip_peer

	export RUMP_SERVER=$SOCK_LOCAL
	if [ $proto = ipcomp ]; then
		pktsizeopt="-s $(($(get_minlen $algo) - 8)) -p ff"
	fi

	# The outgoing packet is matched and IPsec is applied
	# The reply packet isn't applied
	atf_check -s exit:0 -o ignore \
	    rump.ping6 -c 1 -n -X 3 $pktsizeopt -P "$pingopt_out" $ip_peer
	extract_new_packets $BUS > $outfile
	check_packets $outfile $ip_local $ip_peer $pktproto "ICMP6"

	if [ $proto = ipcomp ]; then
		# The outgoing packet is matched and IPsec is applied
		# The reply packet isn't applied but IPComp doesn't care
		atf_check -s exit:0 -o ignore \
		    rump.ping6 -c 1 -n -X 3 $pktsizeopt \
		    -P "$pingopt_out" -P "$pingopt_in" $ip_peer
		extract_new_packets $BUS > $outfile
		check_packets $outfile $ip_local $ip_peer $pktproto "ICMP6"
	else
		# The outgoing packet is matched and IPsec is applied
		# The reply packet isn't applied but matched then discarded
		atf_check -s not-exit:0 -o ignore \
		    rump.ping6 -c 1 -n -X 3 $pktsizeopt \
		    -P "$pingopt_out" -P "$pingopt_in" $ip_peer
	fi

	# Setup an SP only on the source node
	export RUMP_SERVER=$SOCK_LOCAL
	cat > $tmpfile <<-EOF
	spdadd $ip_local $ip_peer any -P out ipsec $proto/transport//require;
	EOF
	$DEBUG && cat $tmpfile
	atf_check -s exit:0 -o empty $HIJACKING setkey -c < $tmpfile

	# The outgoing packet is matched and IPsec is applied
	# The reply packet isn't applied and thus discarded
	atf_check -s exit:0 -o ignore \
	    rump.ping6 -c 1 -n -X 3 $pktsizeopt -P "$pingopt_out" $ip_peer
	extract_new_packets $BUS > $outfile
	check_packets $outfile $ip_local $ip_peer $pktproto "ICMP6"
	if [ $proto = ipcomp ]; then
		# The outgoing packet is matched and IPsec is applied
		# The reply packet isn't applied but IPComp doesn't care
		atf_check -s exit:0 -o ignore \
		    rump.ping6 -c 1 -n -X 3 $pktsizeopt \
		    -P "$pingopt_out" -P "$pingopt_in" $ip_peer
		extract_new_packets $BUS > $outfile
		check_packets $outfile $ip_local $ip_peer $pktproto "ICMP6"
	else
		# The outgoing packet is matched and IPsec is applied
		# The reply packet isn't applied but matched then discarded
		atf_check -s not-exit:0 -o ignore \
		    rump.ping6 -c 1 -n -X 3 $pktsizeopt \
		    -P "$pingopt_out" -P "$pingopt_in" $ip_peer
	fi

	# Setup SPs on the both nodes
	export RUMP_SERVER=$SOCK_PEER
	cat > $tmpfile <<-EOF
	spdadd $ip_peer $ip_local any -P out ipsec $proto/transport//require;
	EOF
	$DEBUG && cat $tmpfile
	atf_check -s exit:0 -o empty $HIJACKING setkey -c < $tmpfile

	export RUMP_SERVER=$SOCK_LOCAL
	# The outgoing packet is matched and IPsec is applied
	# The reply packet is matched and IPsec is applied
	atf_check -s exit:0 -o ignore \
	    rump.ping6 -c 1 -n -X 3 $pktsizeopt -P "$pingopt_out" $ip_peer
	extract_new_packets $BUS > $outfile
	check_packets $outfile $ip_local $ip_peer $pktproto
	# The outgoing packet is matched and IPsec is applied
	# The reply packet is matched and IPsec is applied
	atf_check -s exit:0 -o ignore \
	    rump.ping6 -c 1 -n -X 3 $pktsizeopt -P "$pingopt_in" $ip_peer
	extract_new_packets $BUS > $outfile
	check_packets $outfile $ip_local $ip_peer $pktproto

	test_flush_entries $SOCK_LOCAL
	test_flush_entries $SOCK_PEER
}

test_IP_IPSEC_POLICY_common()
{
	local ipproto=$1
	local proto=$2
	local algo=$3

	if [ $ipproto = ipv4 ]; then
		test_ipsec4_IP_IPSEC_POLICY $proto $algo
	else
		test_ipsec6_IP_IPSEC_POLICY $proto $algo
	fi
}

add_test_IP_IPSEC_POLICY()
{
	local ipproto=$1
	local proto=$2
	local algo=$3
	local _algo=$(echo $algo | sed 's/-//g')
	local name= desc=

	name="ipsec_IP_IPSEC_POLICY_${ipproto}_${proto}_${_algo}"
	desc="Tests of IP_IPSEC_POLICY socket option (${ipproto}, ${proto}, ${_algo})"

	atf_test_case ${name} cleanup
	eval "
	    ${name}_head() {
	        atf_set descr \"$desc\"
	        atf_set require.progs rump_server setkey
	    }
	    ${name}_body() {
	        test_IP_IPSEC_POLICY_common $ipproto $proto $algo
	        rump_server_destroy_ifaces
	    }
	    ${name}_cleanup() {
	        \$DEBUG && dump
	        cleanup
	    }
	"
	atf_add_test_case ${name}
}

atf_init_test_cases()
{
	local algo=

	for algo in $ESP_ENCRYPTION_ALGORITHMS_MINIMUM; do
		add_test_IP_IPSEC_POLICY ipv4 esp $algo
		add_test_IP_IPSEC_POLICY ipv6 esp $algo
	done
	for algo in $AH_AUTHENTICATION_ALGORITHMS_MINIMUM; do
		add_test_IP_IPSEC_POLICY ipv4 ah $algo
		add_test_IP_IPSEC_POLICY ipv6 ah $algo
	done
	for algo in $IPCOMP_COMPRESSION_ALGORITHMS_MINIMUM; do
		add_test_IP_IPSEC_POLICY ipv4 ipcomp $algo
		add_test_IP_IPSEC_POLICY ipv6 ipcomp $algo
	done
}