Module Name: src
Committed By: ozaki-r
Date: Thu Apr 27 06:52:45 UTC 2017
Modified Files:
src/distrib/sets/lists/tests: mi
src/tests/net/ipsec: Makefile
Added Files:
src/tests/net/ipsec: t_ipsec_gif.sh
Log Message:
Add test cases for gif/IPsec
To generate a diff of this commit:
cvs rdiff -u -r1.735 -r1.736 src/distrib/sets/lists/tests/mi
cvs rdiff -u -r1.1 -r1.2 src/tests/net/ipsec/Makefile
cvs rdiff -u -r0 -r1.1 src/tests/net/ipsec/t_ipsec_gif.sh
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: src/distrib/sets/lists/tests/mi
diff -u src/distrib/sets/lists/tests/mi:1.735 src/distrib/sets/lists/tests/mi:1.736
--- src/distrib/sets/lists/tests/mi:1.735 Mon Apr 17 09:06:55 2017
+++ src/distrib/sets/lists/tests/mi Thu Apr 27 06:52:45 2017
@@ -1,4 +1,4 @@
-# $NetBSD: mi,v 1.735 2017/04/17 09:06:55 knakahara Exp $
+# $NetBSD: mi,v 1.736 2017/04/27 06:52:45 ozaki-r Exp $
#
# Note: don't delete entries from here - mark them as "obsolete" instead.
#
@@ -3303,6 +3303,7 @@
./usr/tests/net/ipsec/t_ipsec_sysctl tests-net-tests atf,rump
./usr/tests/net/ipsec/t_ipsec_transport tests-net-tests atf,rump
./usr/tests/net/ipsec/t_ipsec_tunnel tests-net-tests atf,rump
+./usr/tests/net/ipsec/t_ipsec_gif tests-net-tests atf,rump
./usr/tests/net/mcast tests-net-tests compattestfile,atf
./usr/tests/net/mcast/Atffile tests-net-tests atf,rump
./usr/tests/net/mcast/Kyuafile tests-net-tests atf,rump,kyua
Index: src/tests/net/ipsec/Makefile
diff -u src/tests/net/ipsec/Makefile:1.1 src/tests/net/ipsec/Makefile:1.2
--- src/tests/net/ipsec/Makefile:1.1 Fri Apr 14 02:56:49 2017
+++ src/tests/net/ipsec/Makefile Thu Apr 27 06:52:45 2017
@@ -1,12 +1,12 @@
-# $NetBSD: Makefile,v 1.1 2017/04/14 02:56:49 ozaki-r Exp $
+# $NetBSD: Makefile,v 1.2 2017/04/27 06:52:45 ozaki-r Exp $
#
.include <bsd.own.mk>
TESTSDIR= ${TESTSBASE}/net/ipsec
-.for name in ipsec_ah_keys ipsec_esp_keys ipsec_sysctl ipsec_transport \
- ipsec_tunnel
+.for name in ipsec_ah_keys ipsec_esp_keys ipsec_gif ipsec_sysctl \
+ ipsec_transport ipsec_tunnel
TESTS_SH+= t_${name}
TESTS_SH_SRC_t_${name}= ../net_common.sh ./algorithms.sh t_${name}.sh
.endfor
Added files:
Index: src/tests/net/ipsec/t_ipsec_gif.sh
diff -u /dev/null src/tests/net/ipsec/t_ipsec_gif.sh:1.1
--- /dev/null Thu Apr 27 06:52:45 2017
+++ src/tests/net/ipsec/t_ipsec_gif.sh Thu Apr 27 06:52:45 2017
@@ -0,0 +1,389 @@
+# $NetBSD: t_ipsec_gif.sh,v 1.1 2017/04/27 06:52:45 ozaki-r Exp $
+#
+# Copyright (c) 2017 Internet Initiative Japan Inc.
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
+# ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+# TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+# POSSIBILITY OF SUCH DAMAGE.
+#
+
+SOCK_LOCAL=unix://ipsec_gif_local
+SOCK_TUN_LOCAL=unix://ipsec_gif_tunel_local
+SOCK_TUN_REMOTE=unix://ipsec_gif_tunnel_remote
+SOCK_REMOTE=unix://ipsec_gif_remote
+BUS_LOCAL=./bus_ipsec_local
+BUS_TUNNEL=./bus_ipsec_tunnel
+BUS_REMOTE=./bus_ipsec_remote
+
+DEBUG=${DEBUG:-false}
+
+make_gif_pktstr()
+{
+ local src=$1
+ local dst=$2
+ local src_inner=$3
+ local dst_inner=$4
+ local proto=$5
+ local ipproto=$6
+ local proto_cap= inner_str=
+
+ if [ $proto = esp ]; then
+ proto_cap=ESP
+ else
+ proto_cap=AH
+ if [ $ipproto = ipv4 ]; then
+ inner_str="$src_inner > $dst_inner:.+\(ipip-proto-4\)"
+ else
+ inner_str="$src_inner > $dst_inner"
+ fi
+ fi
+
+ echo "$src > $dst: $proto_cap.+$inner_str"
+}
+
+test_ipsec4_gif()
+{
+ local proto=$1
+ local algo=$2
+ local ip_local=10.0.1.2
+ local ip_gw_local=10.0.1.1
+ local ip_gw_local_tun=20.0.0.1
+ local ip_gw_local_gif=20.1.0.1
+ local ip_gw_remote_gif=20.1.0.2
+ local ip_gw_remote_tun=20.0.0.2
+ local ip_gw_remote=10.0.2.1
+ local ip_remote=10.0.2.2
+ local subnet_local=10.0.1.0
+ local subnet_remote=10.0.2.0
+ local keylen=$(get_one_valid_keylen $algo)
+ local key=$(generate_key $keylen)
+ local tmpfile=./tmp
+ local outfile=./out
+ local opt= str=
+
+ if [ $proto = esp ]; then
+ opt=-E
+ else
+ opt=-A
+ fi
+
+ rump_server_crypto_start $SOCK_LOCAL
+ rump_server_crypto_start $SOCK_TUN_LOCAL netipsec gif
+ rump_server_crypto_start $SOCK_TUN_REMOTE netipsec gif
+ rump_server_crypto_start $SOCK_REMOTE
+ rump_server_add_iface $SOCK_LOCAL shmif0 $BUS_LOCAL
+ rump_server_add_iface $SOCK_TUN_LOCAL shmif0 $BUS_LOCAL
+ rump_server_add_iface $SOCK_TUN_LOCAL shmif1 $BUS_TUNNEL
+ rump_server_add_iface $SOCK_TUN_REMOTE shmif0 $BUS_REMOTE
+ rump_server_add_iface $SOCK_TUN_REMOTE shmif1 $BUS_TUNNEL
+ rump_server_add_iface $SOCK_REMOTE shmif0 $BUS_REMOTE
+
+ export RUMP_SERVER=$SOCK_LOCAL
+ atf_check -s exit:0 rump.ifconfig shmif0 $ip_local/24
+ atf_check -s exit:0 -o ignore \
+ rump.route -n add -net $subnet_remote $ip_gw_local
+
+ export RUMP_SERVER=$SOCK_TUN_LOCAL
+ atf_check -s exit:0 rump.ifconfig shmif0 $ip_gw_local/24
+ atf_check -s exit:0 rump.ifconfig shmif1 $ip_gw_local_tun/24
+ atf_check -s exit:0 rump.ifconfig gif0 create
+ atf_check -s exit:0 rump.ifconfig gif0 \
+ tunnel $ip_gw_local_tun $ip_gw_remote_tun
+ atf_check -s exit:0 rump.ifconfig gif0 \
+ inet $ip_gw_local_gif/32 $ip_gw_remote_gif
+ atf_check -s exit:0 rump.sysctl -q -w net.inet.ip.forwarding=1
+ atf_check -s exit:0 -o ignore \
+ rump.route -n add -net $subnet_remote $ip_gw_remote_gif
+
+ export RUMP_SERVER=$SOCK_TUN_REMOTE
+ atf_check -s exit:0 rump.ifconfig shmif0 $ip_gw_remote/24
+ atf_check -s exit:0 rump.ifconfig shmif1 $ip_gw_remote_tun/24
+ atf_check -s exit:0 rump.ifconfig gif0 create
+ atf_check -s exit:0 rump.ifconfig gif0 \
+ tunnel $ip_gw_remote_tun $ip_gw_local_tun
+ atf_check -s exit:0 rump.ifconfig gif0 \
+ inet $ip_gw_remote_gif/32 $ip_gw_local_gif
+ atf_check -s exit:0 rump.sysctl -q -w net.inet.ip.forwarding=1
+ atf_check -s exit:0 -o ignore \
+ rump.route -n add -net $subnet_local $ip_gw_local_gif
+
+ export RUMP_SERVER=$SOCK_REMOTE
+ atf_check -s exit:0 rump.ifconfig shmif0 $ip_remote/24
+ # Run ifconfig -w 10 just once for optimization
+ atf_check -s exit:0 rump.ifconfig -w 10
+ atf_check -s exit:0 -o ignore \
+ rump.route -n add -net $subnet_local $ip_gw_remote
+
+ extract_new_packets $BUS_TUNNEL > $outfile
+
+ export RUMP_SERVER=$SOCK_LOCAL
+ atf_check -s exit:0 -o ignore rump.ping -c 1 -n -w 3 $ip_remote
+
+ extract_new_packets $BUS_TUNNEL > $outfile
+ str="$ip_gw_local_tun > $ip_gw_remote_tun:"
+ str="$str $ip_local > $ip_remote: ICMP echo request,"
+ str="$str .+ \(ipip-proto-4\)"
+ atf_check -s exit:0 -o match:"$str" cat $outfile
+ str="$ip_gw_remote_tun > $ip_gw_local_tun:"
+ str="$str $ip_remote > $ip_local: ICMP echo reply,"
+ str="$str .+ \(ipip-proto-4\)"
+ atf_check -s exit:0 -o match:"$str" cat $outfile
+
+ export RUMP_SERVER=$SOCK_TUN_LOCAL
+ # from https://www.netbsd.org/docs/network/ipsec/
+ cat > $tmpfile <<-EOF
+ add $ip_gw_local_tun $ip_gw_remote_tun $proto 10000 $opt $algo $key;
+ add $ip_gw_remote_tun $ip_gw_local_tun $proto 10001 $opt $algo $key;
+ spdadd $subnet_local/24 $subnet_remote/24 any -P out ipsec
+ $proto/tunnel/$ip_gw_local_tun-$ip_gw_remote_tun/require;
+ spdadd $subnet_remote/24 $subnet_local/24 any -P in ipsec
+ $proto/tunnel/$ip_gw_remote_tun-$ip_gw_local_tun/require;
+ EOF
+ $DEBUG && cat $tmpfile
+ atf_check -s exit:0 -o empty $HIJACKING setkey -c < $tmpfile
+ $DEBUG && $HIJACKING setkey -D
+ atf_check -s exit:0 -o match:"$ip_gw_local_tun $ip_gw_remote_tun" \
+ $HIJACKING setkey -D
+ atf_check -s exit:0 -o match:"$ip_gw_remote_tun $ip_gw_local_tun" \
+ $HIJACKING setkey -D
+ # TODO: more detail checks
+
+ export RUMP_SERVER=$SOCK_TUN_REMOTE
+ cat > $tmpfile <<-EOF
+ add $ip_gw_local_tun $ip_gw_remote_tun $proto 10000 $opt $algo $key;
+ add $ip_gw_remote_tun $ip_gw_local_tun $proto 10001 $opt $algo $key;
+ spdadd $subnet_remote/24 $subnet_local/24 any -P out ipsec
+ $proto/tunnel/$ip_gw_remote_tun-$ip_gw_local_tun/require;
+ spdadd $subnet_local/24 $subnet_remote/24 any -P in ipsec
+ $proto/tunnel/$ip_gw_local_tun-$ip_gw_remote_tun/require;
+ EOF
+ $DEBUG && cat $tmpfile
+ atf_check -s exit:0 -o empty $HIJACKING setkey -c < $tmpfile
+ $DEBUG && $HIJACKING setkey -D
+ atf_check -s exit:0 -o match:"$ip_gw_local_tun $ip_gw_remote_tun" \
+ $HIJACKING setkey -D
+ atf_check -s exit:0 -o match:"$ip_gw_remote_tun $ip_gw_local_tun" \
+ $HIJACKING setkey -D
+ # TODO: more detail checks
+
+ export RUMP_SERVER=$SOCK_LOCAL
+ atf_check -s exit:0 -o ignore rump.ping -c 1 -n -w 3 $ip_remote
+
+ extract_new_packets $BUS_TUNNEL > $outfile
+ str=$(make_gif_pktstr $ip_gw_local_tun $ip_gw_remote_tun \
+ $ip_local $ip_remote $proto ipv4)
+ atf_check -s exit:0 -o match:"$str" cat $outfile
+ str=$(make_gif_pktstr $ip_gw_remote_tun $ip_gw_local_tun \
+ $ip_remote $ip_local $proto ipv4)
+ atf_check -s exit:0 -o match:"$str" cat $outfile
+}
+
+test_ipsec6_gif()
+{
+ local proto=$1
+ local algo=$2
+ local ip_local=fd00:1::2
+ local ip_gw_local=fd00:1::1
+ local ip_gw_local_tun=fc00::1
+ local ip_gw_local_gif=fc01::1
+ local ip_gw_remote_gif=fc01::2
+ local ip_gw_remote_tun=fc00::2
+ local ip_gw_remote=fd00:2::1
+ local ip_remote=fd00:2::2
+ local subnet_local=fd00:1::
+ local subnet_remote=fd00:2::
+ local keylen=$(get_one_valid_keylen $algo)
+ local key=$(generate_key $keylen)
+ local tmpfile=./tmp
+ local outfile=./out
+ local opt= str=
+
+ if [ $proto = esp ]; then
+ opt=-E
+ else
+ opt=-A
+ fi
+
+ rump_server_crypto_start $SOCK_LOCAL netinet6
+ rump_server_crypto_start $SOCK_TUN_LOCAL netipsec netinet6 gif
+ rump_server_crypto_start $SOCK_TUN_REMOTE netipsec netinet6 gif
+ rump_server_crypto_start $SOCK_REMOTE netinet6
+ rump_server_add_iface $SOCK_LOCAL shmif0 $BUS_LOCAL
+ rump_server_add_iface $SOCK_TUN_LOCAL shmif0 $BUS_LOCAL
+ rump_server_add_iface $SOCK_TUN_LOCAL shmif1 $BUS_TUNNEL
+ rump_server_add_iface $SOCK_TUN_REMOTE shmif0 $BUS_REMOTE
+ rump_server_add_iface $SOCK_TUN_REMOTE shmif1 $BUS_TUNNEL
+ rump_server_add_iface $SOCK_REMOTE shmif0 $BUS_REMOTE
+
+ export RUMP_SERVER=$SOCK_LOCAL
+ atf_check -s exit:0 rump.ifconfig shmif0 inet6 $ip_local/64
+ atf_check -s exit:0 -o ignore \
+ rump.route -n add -inet6 -net $subnet_remote/64 $ip_gw_local
+
+ export RUMP_SERVER=$SOCK_TUN_LOCAL
+ atf_check -s exit:0 rump.ifconfig shmif0 inet6 $ip_gw_local/64
+ atf_check -s exit:0 rump.ifconfig shmif1 inet6 $ip_gw_local_tun/64
+ atf_check -s exit:0 rump.ifconfig gif0 create
+ atf_check -s exit:0 rump.ifconfig gif0 \
+ tunnel $ip_gw_local_tun $ip_gw_remote_tun
+ atf_check -s exit:0 rump.ifconfig gif0 \
+ inet6 $ip_gw_local_gif/128 $ip_gw_remote_gif
+ atf_check -s exit:0 rump.sysctl -q -w net.inet6.ip6.forwarding=1
+ atf_check -s exit:0 -o ignore \
+ rump.route -n add -inet6 -net $subnet_remote/64 $ip_gw_local_gif
+
+ export RUMP_SERVER=$SOCK_TUN_REMOTE
+ atf_check -s exit:0 rump.ifconfig shmif0 inet6 $ip_gw_remote/64
+ atf_check -s exit:0 rump.ifconfig shmif1 inet6 $ip_gw_remote_tun/64
+ atf_check -s exit:0 rump.ifconfig gif0 create
+ atf_check -s exit:0 rump.ifconfig gif0 \
+ tunnel $ip_gw_remote_tun $ip_gw_local_tun
+ atf_check -s exit:0 rump.ifconfig gif0 \
+ inet6 $ip_gw_remote_gif/128 $ip_gw_local_gif
+ atf_check -s exit:0 rump.sysctl -q -w net.inet6.ip6.forwarding=1
+ atf_check -s exit:0 -o ignore \
+ rump.route -n add -inet6 -net $subnet_local/64 $ip_gw_remote_gif
+
+ export RUMP_SERVER=$SOCK_REMOTE
+ atf_check -s exit:0 rump.ifconfig shmif0 inet6 $ip_remote
+ # Run ifconfig -w 10 just once for optimization
+ atf_check -s exit:0 rump.ifconfig -w 10
+ atf_check -s exit:0 -o ignore \
+ rump.route -n add -inet6 -net $subnet_local/64 $ip_gw_remote
+
+ extract_new_packets $BUS_TUNNEL > $outfile
+
+ export RUMP_SERVER=$SOCK_LOCAL
+ atf_check -s exit:0 -o ignore rump.ping6 -c 1 -n -X 3 $ip_remote
+
+ extract_new_packets $BUS_TUNNEL > $outfile
+ str="$ip_gw_local_tun > $ip_gw_remote_tun:"
+ str="$str $ip_local > $ip_remote: ICMP6, echo request"
+ atf_check -s exit:0 -o match:"$str" cat $outfile
+ str="$ip_gw_remote_tun > $ip_gw_local_tun:"
+ str="$str $ip_remote > $ip_local: ICMP6, echo reply,"
+ atf_check -s exit:0 -o match:"$str" cat $outfile
+
+ export RUMP_SERVER=$SOCK_TUN_LOCAL
+ # from https://www.netbsd.org/docs/network/ipsec/
+ cat > $tmpfile <<-EOF
+ add $ip_gw_local_tun $ip_gw_remote_tun $proto 10000 $opt $algo $key;
+ add $ip_gw_remote_tun $ip_gw_local_tun $proto 10001 $opt $algo $key;
+ spdadd $subnet_local/64 $subnet_remote/64 any -P out ipsec
+ $proto/tunnel/$ip_gw_local_tun-$ip_gw_remote_tun/require;
+ spdadd $subnet_remote/64 $subnet_local/64 any -P in ipsec
+ $proto/tunnel/$ip_gw_remote_tun-$ip_gw_local_tun/require;
+ EOF
+ $DEBUG && cat $tmpfile
+ atf_check -s exit:0 -o empty $HIJACKING setkey -c < $tmpfile
+ $DEBUG && $HIJACKING setkey -D
+ atf_check -s exit:0 -o match:"$ip_gw_local_tun $ip_gw_remote_tun" \
+ $HIJACKING setkey -D
+ atf_check -s exit:0 -o match:"$ip_gw_remote_tun $ip_gw_local_tun" \
+ $HIJACKING setkey -D
+ # TODO: more detail checks
+
+ export RUMP_SERVER=$SOCK_TUN_REMOTE
+ cat > $tmpfile <<-EOF
+ add $ip_gw_local_tun $ip_gw_remote_tun $proto 10000 $opt $algo $key;
+ add $ip_gw_remote_tun $ip_gw_local_tun $proto 10001 $opt $algo $key;
+ spdadd $subnet_remote/64 $subnet_local/64 any -P out ipsec
+ $proto/tunnel/$ip_gw_remote_tun-$ip_gw_local_tun/require;
+ spdadd $subnet_local/64 $subnet_remote/64 any -P in ipsec
+ $proto/tunnel/$ip_gw_local_tun-$ip_gw_remote_tun/require;
+ EOF
+ $DEBUG && cat $tmpfile
+ atf_check -s exit:0 -o empty $HIJACKING setkey -c < $tmpfile
+ $DEBUG && $HIJACKING setkey -D
+ atf_check -s exit:0 -o match:"$ip_gw_local_tun $ip_gw_remote_tun" \
+ $HIJACKING setkey -D
+ atf_check -s exit:0 -o match:"$ip_gw_remote_tun $ip_gw_local_tun" \
+ $HIJACKING setkey -D
+ # TODO: more detail checks
+
+ export RUMP_SERVER=$SOCK_LOCAL
+ atf_check -s exit:0 -o ignore rump.ping6 -c 1 -n -X 3 $ip_remote
+
+ extract_new_packets $BUS_TUNNEL > $outfile
+ str=$(make_gif_pktstr $ip_gw_local_tun $ip_gw_remote_tun \
+ $ip_local $ip_remote $proto ipv6)
+ atf_check -s exit:0 -o match:"$str" cat $outfile
+ str=$(make_gif_pktstr $ip_gw_remote_tun $ip_gw_local_tun \
+ $ip_remote $ip_local $proto ipv6)
+ atf_check -s exit:0 -o match:"$str" cat $outfile
+}
+
+test_ipsec_gif_common()
+{
+ local ipproto=$1
+ local proto=$2
+ local algo=$3
+
+ if [ $ipproto = ipv4 ]; then
+ test_ipsec4_gif $proto $algo
+ else
+ test_ipsec6_gif $proto $algo
+ fi
+}
+
+add_test_ipsec_gif()
+{
+ local ipproto=$1
+ local proto=$2
+ local algo=$3
+ local _algo=$(echo $algo | sed 's/-//g')
+ local name= desc=
+
+ name="ipsec_gif_${ipproto}_${proto}_${_algo}"
+ desc="Tests of IPsec ($ipproto) tunnel mode (gif) with $proto ($algo)"
+
+ atf_test_case ${name} cleanup
+ eval " \
+ ${name}_head() { \
+ atf_set \"descr\" \"$desc\"; \
+ atf_set \"require.progs\" \"rump_server\" \"setkey\"; \
+ }; \
+ ${name}_body() { \
+ test_ipsec_gif_common $ipproto $proto $algo; \
+ rump_server_destroy_ifaces; \
+ }; \
+ ${name}_cleanup() { \
+ $DEBUG && dump; \
+ cleanup; \
+ } \
+ "
+ atf_add_test_case ${name}
+}
+
+atf_init_test_cases()
+{
+ local algo=
+
+ for algo in $ESP_ENCRYPTION_ALGORITHMS_MINIMUM; do
+ add_test_ipsec_gif ipv4 esp $algo
+ add_test_ipsec_gif ipv6 esp $algo
+ done
+
+ for algo in $AH_AUTHENTICATION_ALGORITHMS_MINIMUM; do
+ add_test_ipsec_gif ipv4 ah $algo
+ add_test_ipsec_gif ipv6 ah $algo
+ done
+}
