CVS commit: src

Wed, 26 Apr 2017 23:54:07 -0700 

Module Name:    src
Committed By:   ozaki-r
Date:           Thu Apr 27 06:53:44 UTC 2017

Modified Files:
        src/distrib/sets/lists/tests: mi
        src/tests/net/ipsec: Makefile
Added Files:
        src/tests/net/ipsec: t_ipsec_l2tp.sh

Log Message:
Add test cases for L2TP/IPsec


To generate a diff of this commit:
cvs rdiff -u -r1.736 -r1.737 src/distrib/sets/lists/tests/mi
cvs rdiff -u -r1.2 -r1.3 src/tests/net/ipsec/Makefile
cvs rdiff -u -r0 -r1.1 src/tests/net/ipsec/t_ipsec_l2tp.sh

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.


Modified files:

Index: src/distrib/sets/lists/tests/mi
diff -u src/distrib/sets/lists/tests/mi:1.736 src/distrib/sets/lists/tests/mi:1.737
--- src/distrib/sets/lists/tests/mi:1.736	Thu Apr 27 06:52:45 2017
+++ src/distrib/sets/lists/tests/mi	Thu Apr 27 06:53:44 2017
@@ -1,4 +1,4 @@
-# $NetBSD: mi,v 1.736 2017/04/27 06:52:45 ozaki-r Exp $
+# $NetBSD: mi,v 1.737 2017/04/27 06:53:44 ozaki-r Exp $
 #
 # Note: don't delete entries from here - mark them as "obsolete" instead.
 #
@@ -3304,6 +3304,7 @@
 ./usr/tests/net/ipsec/t_ipsec_transport		tests-net-tests		atf,rump
 ./usr/tests/net/ipsec/t_ipsec_tunnel		tests-net-tests		atf,rump
 ./usr/tests/net/ipsec/t_ipsec_gif		tests-net-tests		atf,rump
+./usr/tests/net/ipsec/t_ipsec_l2tp		tests-net-tests		atf,rump
 ./usr/tests/net/mcast				tests-net-tests		compattestfile,atf
 ./usr/tests/net/mcast/Atffile			tests-net-tests		atf,rump
 ./usr/tests/net/mcast/Kyuafile			tests-net-tests		atf,rump,kyua

Index: src/tests/net/ipsec/Makefile
diff -u src/tests/net/ipsec/Makefile:1.2 src/tests/net/ipsec/Makefile:1.3
--- src/tests/net/ipsec/Makefile:1.2	Thu Apr 27 06:52:45 2017
+++ src/tests/net/ipsec/Makefile	Thu Apr 27 06:53:44 2017
@@ -1,11 +1,11 @@
-# $NetBSD: Makefile,v 1.2 2017/04/27 06:52:45 ozaki-r Exp $
+# $NetBSD: Makefile,v 1.3 2017/04/27 06:53:44 ozaki-r Exp $
 #
 
 .include <bsd.own.mk>
 
 TESTSDIR=	${TESTSBASE}/net/ipsec
 
-.for name in ipsec_ah_keys ipsec_esp_keys ipsec_gif ipsec_sysctl \
+.for name in ipsec_ah_keys ipsec_esp_keys ipsec_gif ipsec_l2tp ipsec_sysctl \
     ipsec_transport ipsec_tunnel
 TESTS_SH+=		t_${name}
 TESTS_SH_SRC_t_${name}=	../net_common.sh ./algorithms.sh t_${name}.sh

Added files:

Index: src/tests/net/ipsec/t_ipsec_l2tp.sh
diff -u /dev/null src/tests/net/ipsec/t_ipsec_l2tp.sh:1.1
--- /dev/null	Thu Apr 27 06:53:44 2017
+++ src/tests/net/ipsec/t_ipsec_l2tp.sh	Thu Apr 27 06:53:44 2017
@@ -0,0 +1,370 @@
+#	$NetBSD: t_ipsec_l2tp.sh,v 1.1 2017/04/27 06:53:44 ozaki-r Exp $
+#
+# Copyright (c) 2017 Internet Initiative Japan Inc.
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+#    notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+#    notice, this list of conditions and the following disclaimer in the
+#    documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
+# ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+# TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+# PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+# POSSIBILITY OF SUCH DAMAGE.
+#
+
+SOCK_LOCAL=unix://ipsec_l2tp_local
+SOCK_TUN_LOCAL=unix://ipsec_l2tp_tunel_local
+SOCK_TUN_REMOTE=unix://ipsec_l2tp_tunnel_remote
+SOCK_REMOTE=unix://ipsec_l2tp_remote
+BUS_LOCAL=./bus_ipsec_local
+BUS_TUNNEL=./bus_ipsec_tunnel
+BUS_REMOTE=./bus_ipsec_remote
+
+DEBUG=${DEBUG:-false}
+
+make_l2tp_pktstr()
+{
+	local src=$1
+	local dst=$2
+	local proto=$3
+	local ipproto=$4
+	local proto_cap= proto_str=
+
+	if [ $proto = esp ]; then
+		proto_cap=ESP
+	else
+		proto_cap=AH
+		if [ $ipproto = ipv4 ]; then
+			proto_str="ip-proto-115 102 \(ipip-proto-4\)"
+		else
+			proto_str="ip-proto-115"
+		fi
+	fi
+
+	echo "$src > $dst: $proto_cap.+$proto_str"
+}
+
+test_ipsec4_l2tp()
+{
+	local proto=$1
+	local algo=$2
+	local ip_local=10.0.0.1
+	local ip_gw_local_tun=20.0.0.1
+	local ip_gw_remote_tun=20.0.0.2
+	local ip_remote=10.0.0.2
+	local subnet_local=20.0.0.0
+	local subnet_remote=20.0.0.0
+	local keylen=$(get_one_valid_keylen $algo)
+	local key=$(generate_key $keylen)
+	local tmpfile=./tmp
+	local outfile=./out
+	local opt= str=
+
+	if [ $proto = esp ]; then
+		opt=-E
+	else
+		opt=-A
+	fi
+
+	# See https://www.netbsd.org/docs/network/ipsec/#sample_vpn
+	rump_server_crypto_start $SOCK_LOCAL
+	rump_server_crypto_start $SOCK_TUN_LOCAL netipsec l2tp bridge
+	rump_server_crypto_start $SOCK_TUN_REMOTE netipsec l2tp bridge
+	rump_server_crypto_start $SOCK_REMOTE
+	rump_server_add_iface $SOCK_LOCAL shmif0 $BUS_LOCAL
+	rump_server_add_iface $SOCK_TUN_LOCAL shmif0 $BUS_LOCAL
+	rump_server_add_iface $SOCK_TUN_LOCAL shmif1 $BUS_TUNNEL
+	rump_server_add_iface $SOCK_TUN_REMOTE shmif0 $BUS_REMOTE
+	rump_server_add_iface $SOCK_TUN_REMOTE shmif1 $BUS_TUNNEL
+	rump_server_add_iface $SOCK_REMOTE shmif0 $BUS_REMOTE
+
+	export RUMP_SERVER=$SOCK_LOCAL
+	atf_check -s exit:0 rump.ifconfig shmif0 $ip_local/24
+
+	export RUMP_SERVER=$SOCK_TUN_LOCAL
+	atf_check -s exit:0 rump.ifconfig shmif0 up
+	atf_check -s exit:0 rump.ifconfig shmif1 $ip_gw_local_tun/24
+	atf_check -s exit:0 rump.ifconfig l2tp0 create
+	atf_check -s exit:0 rump.ifconfig l2tp0 \
+	    tunnel $ip_gw_local_tun $ip_gw_remote_tun
+	atf_check -s exit:0 rump.ifconfig l2tp0 session 1234 4321
+	atf_check -s exit:0 rump.ifconfig l2tp0 up
+	atf_check -s exit:0 rump.ifconfig bridge0 create
+	atf_check -s exit:0 rump.ifconfig bridge0 up
+	atf_check -s exit:0 $HIJACKING brconfig bridge0 add l2tp0
+	atf_check -s exit:0 $HIJACKING brconfig bridge0 add shmif0
+
+	export RUMP_SERVER=$SOCK_TUN_REMOTE
+	atf_check -s exit:0 rump.ifconfig shmif0 up
+	atf_check -s exit:0 rump.ifconfig shmif1 $ip_gw_remote_tun/24
+	atf_check -s exit:0 rump.ifconfig l2tp0 create
+	atf_check -s exit:0 rump.ifconfig l2tp0 \
+	    tunnel $ip_gw_remote_tun $ip_gw_local_tun
+	atf_check -s exit:0 rump.ifconfig l2tp0 session 4321 1234
+	atf_check -s exit:0 rump.ifconfig l2tp0 up
+	atf_check -s exit:0 rump.ifconfig bridge0 create
+	atf_check -s exit:0 rump.ifconfig bridge0 up
+	atf_check -s exit:0 $HIJACKING brconfig bridge0 add l2tp0
+	atf_check -s exit:0 $HIJACKING brconfig bridge0 add shmif0
+
+	export RUMP_SERVER=$SOCK_REMOTE
+	atf_check -s exit:0 rump.ifconfig shmif0 $ip_remote/24
+	# Run ifconfig -w 10 just once for optimization
+	atf_check -s exit:0 rump.ifconfig -w 10
+
+	extract_new_packets $BUS_TUNNEL > $outfile
+
+	export RUMP_SERVER=$SOCK_LOCAL
+	atf_check -s exit:0 -o ignore rump.ping -c 1 -n -w 3 $ip_remote
+
+	extract_new_packets $BUS_TUNNEL > $outfile
+	atf_check -s exit:0 \
+	    -o match:"$ip_gw_local_tun > $ip_gw_remote_tun: +ip-proto-115" \
+	    cat $outfile
+	atf_check -s exit:0 \
+	    -o match:"$ip_gw_remote_tun > $ip_gw_local_tun: +ip-proto-115" \
+	    cat $outfile
+
+	export RUMP_SERVER=$SOCK_TUN_LOCAL
+	# from https://www.netbsd.org/docs/network/ipsec/
+	cat > $tmpfile <<-EOF
+	add $ip_gw_local_tun $ip_gw_remote_tun $proto 10000 $opt $algo $key;
+	add $ip_gw_remote_tun $ip_gw_local_tun $proto 10001 $opt $algo $key;
+	spdadd $subnet_local/24 $subnet_remote/24 any -P out ipsec
+	    $proto/tunnel/$ip_gw_local_tun-$ip_gw_remote_tun/require;
+	spdadd $subnet_remote/24 $subnet_local/24 any -P in ipsec
+	    $proto/tunnel/$ip_gw_remote_tun-$ip_gw_local_tun/require;
+	EOF
+	$DEBUG && cat $tmpfile
+	atf_check -s exit:0 -o empty $HIJACKING setkey -c < $tmpfile
+	$DEBUG && $HIJACKING setkey -D
+	atf_check -s exit:0 -o match:"$ip_gw_local_tun $ip_gw_remote_tun" \
+	    $HIJACKING setkey -D
+	atf_check -s exit:0 -o match:"$ip_gw_remote_tun $ip_gw_local_tun" \
+	    $HIJACKING setkey -D
+	# TODO: more detail checks
+
+	export RUMP_SERVER=$SOCK_TUN_REMOTE
+	cat > $tmpfile <<-EOF
+	add $ip_gw_local_tun $ip_gw_remote_tun $proto 10000 $opt $algo $key;
+	add $ip_gw_remote_tun $ip_gw_local_tun $proto 10001 $opt $algo $key;
+	spdadd $subnet_remote/24 $subnet_local/24 any -P out ipsec
+	    $proto/tunnel/$ip_gw_remote_tun-$ip_gw_local_tun/require;
+	spdadd $subnet_local/24 $subnet_remote/24 any -P in ipsec
+	    $proto/tunnel/$ip_gw_local_tun-$ip_gw_remote_tun/require;
+	EOF
+	$DEBUG && cat $tmpfile
+	atf_check -s exit:0 -o empty $HIJACKING setkey -c < $tmpfile
+	$DEBUG && $HIJACKING setkey -D
+	atf_check -s exit:0 -o match:"$ip_gw_local_tun $ip_gw_remote_tun" \
+	    $HIJACKING setkey -D
+	atf_check -s exit:0 -o match:"$ip_gw_remote_tun $ip_gw_local_tun" \
+	    $HIJACKING setkey -D
+	# TODO: more detail checks
+
+	export RUMP_SERVER=$SOCK_LOCAL
+	atf_check -s exit:0 -o ignore rump.ping -c 1 -n -w 3 $ip_remote
+
+	extract_new_packets $BUS_TUNNEL > $outfile
+	str=$(make_l2tp_pktstr $ip_gw_local_tun $ip_gw_remote_tun $proto ipv4)
+	atf_check -s exit:0 -o match:"$str" cat $outfile
+	str=$(make_l2tp_pktstr $ip_gw_remote_tun $ip_gw_local_tun $proto ipv4)
+	atf_check -s exit:0 -o match:"$str" cat $outfile
+}
+
+test_ipsec6_l2tp()
+{
+	local proto=$1
+	local algo=$2
+	local ip_local=fd00::1
+	local ip_gw_local_tun=fc00::1
+	local ip_gw_remote_tun=fc00::2
+	local ip_remote=fd00::2
+	local subnet_local=fc00::
+	local subnet_remote=fc00::
+	local keylen=$(get_one_valid_keylen $algo)
+	local key=$(generate_key $keylen)
+	local tmpfile=./tmp
+	local outfile=./out
+	local opt= str=
+
+	if [ $proto = esp ]; then
+		opt=-E
+	else
+		opt=-A
+	fi
+
+	rump_server_crypto_start $SOCK_LOCAL netinet6
+	rump_server_crypto_start $SOCK_TUN_LOCAL netipsec netinet6 l2tp bridge
+	rump_server_crypto_start $SOCK_TUN_REMOTE netipsec netinet6 l2tp bridge
+	rump_server_crypto_start $SOCK_REMOTE netinet6
+	rump_server_add_iface $SOCK_LOCAL shmif0 $BUS_LOCAL
+	rump_server_add_iface $SOCK_TUN_LOCAL shmif0 $BUS_LOCAL
+	rump_server_add_iface $SOCK_TUN_LOCAL shmif1 $BUS_TUNNEL
+	rump_server_add_iface $SOCK_TUN_REMOTE shmif0 $BUS_REMOTE
+	rump_server_add_iface $SOCK_TUN_REMOTE shmif1 $BUS_TUNNEL
+	rump_server_add_iface $SOCK_REMOTE shmif0 $BUS_REMOTE
+
+	export RUMP_SERVER=$SOCK_LOCAL
+	atf_check -s exit:0 rump.ifconfig shmif0 inet6 $ip_local/64
+
+	export RUMP_SERVER=$SOCK_TUN_LOCAL
+	atf_check -s exit:0 rump.ifconfig shmif0 up
+	atf_check -s exit:0 rump.ifconfig shmif1 inet6 $ip_gw_local_tun/64
+	atf_check -s exit:0 rump.ifconfig l2tp0 create
+	atf_check -s exit:0 rump.ifconfig l2tp0 \
+	    tunnel $ip_gw_local_tun $ip_gw_remote_tun
+	atf_check -s exit:0 rump.ifconfig l2tp0 session 1234 4321
+	atf_check -s exit:0 rump.ifconfig l2tp0 up
+	atf_check -s exit:0 rump.ifconfig bridge0 create
+	atf_check -s exit:0 rump.ifconfig bridge0 up
+	atf_check -s exit:0 $HIJACKING brconfig bridge0 add l2tp0
+	atf_check -s exit:0 $HIJACKING brconfig bridge0 add shmif0
+
+	export RUMP_SERVER=$SOCK_TUN_REMOTE
+	atf_check -s exit:0 rump.ifconfig shmif0 up
+	atf_check -s exit:0 rump.ifconfig shmif1 inet6 $ip_gw_remote_tun/64
+	atf_check -s exit:0 rump.ifconfig l2tp0 create
+	atf_check -s exit:0 rump.ifconfig l2tp0 \
+	    tunnel $ip_gw_remote_tun $ip_gw_local_tun
+	atf_check -s exit:0 rump.ifconfig l2tp0 session 4321 1234
+	atf_check -s exit:0 rump.ifconfig l2tp0 up
+	atf_check -s exit:0 rump.ifconfig bridge0 create
+	atf_check -s exit:0 rump.ifconfig bridge0 up
+	atf_check -s exit:0 $HIJACKING brconfig bridge0 add l2tp0
+	atf_check -s exit:0 $HIJACKING brconfig bridge0 add shmif0
+
+	export RUMP_SERVER=$SOCK_REMOTE
+	atf_check -s exit:0 rump.ifconfig shmif0 inet6 $ip_remote
+	# Run ifconfig -w 10 just once for optimization
+	atf_check -s exit:0 rump.ifconfig -w 10
+
+	extract_new_packets $BUS_TUNNEL > $outfile
+
+	export RUMP_SERVER=$SOCK_LOCAL
+	atf_check -s exit:0 -o ignore rump.ping6 -c 1 -n -X 3 $ip_remote
+
+	extract_new_packets $BUS_TUNNEL > $outfile
+	atf_check -s exit:0 \
+	    -o match:"$ip_gw_local_tun > $ip_gw_remote_tun: +ip-proto-115" \
+	    cat $outfile
+	atf_check -s exit:0 \
+	    -o match:"$ip_gw_remote_tun > $ip_gw_local_tun: +ip-proto-115" \
+	    cat $outfile
+
+	export RUMP_SERVER=$SOCK_TUN_LOCAL
+	# from https://www.netbsd.org/docs/network/ipsec/
+	cat > $tmpfile <<-EOF
+	add $ip_gw_local_tun $ip_gw_remote_tun $proto 10000 $opt $algo $key;
+	add $ip_gw_remote_tun $ip_gw_local_tun $proto 10001 $opt $algo $key;
+	spdadd $subnet_local/64 $subnet_remote/64 any -P out ipsec
+	    $proto/tunnel/$ip_gw_local_tun-$ip_gw_remote_tun/require;
+	spdadd $subnet_remote/64 $subnet_local/64 any -P in ipsec
+	    $proto/tunnel/$ip_gw_remote_tun-$ip_gw_local_tun/require;
+	EOF
+	$DEBUG && cat $tmpfile
+	atf_check -s exit:0 -o empty $HIJACKING setkey -c < $tmpfile
+	$DEBUG && $HIJACKING setkey -D
+	atf_check -s exit:0 -o match:"$ip_gw_local_tun $ip_gw_remote_tun" \
+	    $HIJACKING setkey -D
+	atf_check -s exit:0 -o match:"$ip_gw_remote_tun $ip_gw_local_tun" \
+	    $HIJACKING setkey -D
+	# TODO: more detail checks
+
+	export RUMP_SERVER=$SOCK_TUN_REMOTE
+	cat > $tmpfile <<-EOF
+	add $ip_gw_local_tun $ip_gw_remote_tun $proto 10000 $opt $algo $key;
+	add $ip_gw_remote_tun $ip_gw_local_tun $proto 10001 $opt $algo $key;
+	spdadd $subnet_remote/64 $subnet_local/64 any -P out ipsec
+	    $proto/tunnel/$ip_gw_remote_tun-$ip_gw_local_tun/require;
+	spdadd $subnet_local/64 $subnet_remote/64 any -P in ipsec
+	    $proto/tunnel/$ip_gw_local_tun-$ip_gw_remote_tun/require;
+	EOF
+	$DEBUG && cat $tmpfile
+	atf_check -s exit:0 -o empty $HIJACKING setkey -c < $tmpfile
+	$DEBUG && $HIJACKING setkey -D
+	atf_check -s exit:0 -o match:"$ip_gw_local_tun $ip_gw_remote_tun" \
+	    $HIJACKING setkey -D
+	atf_check -s exit:0 -o match:"$ip_gw_remote_tun $ip_gw_local_tun" \
+	    $HIJACKING setkey -D
+	# TODO: more detail checks
+
+	export RUMP_SERVER=$SOCK_LOCAL
+	atf_check -s exit:0 -o ignore rump.ping6 -c 1 -n -X 3 $ip_remote
+
+	extract_new_packets $BUS_TUNNEL > $outfile
+	str=$(make_l2tp_pktstr $ip_gw_local_tun $ip_gw_remote_tun $proto ipv6)
+	atf_check -s exit:0 -o match:"$str" cat $outfile
+	str=$(make_l2tp_pktstr $ip_gw_remote_tun $ip_gw_local_tun $proto ipv6)
+	atf_check -s exit:0 -o match:"$str" cat $outfile
+}
+
+test_ipsec_l2tp_common()
+{
+	local ipproto=$1
+	local proto=$2
+	local algo=$3
+
+	if [ $ipproto = ipv4 ]; then
+		test_ipsec4_l2tp $proto $algo
+	else
+		test_ipsec6_l2tp $proto $algo
+	fi
+}
+
+add_test_ipsec_l2tp()
+{
+	local ipproto=$1
+	local proto=$2
+	local algo=$3
+	local _algo=$(echo $algo | sed 's/-//g')
+	local name= desc=
+
+	name="ipsec_l2tp_${ipproto}_${proto}_${_algo}"
+	desc="Tests of IPsec ($ipproto) tunnel mode (l2tp) with $proto ($algo)"
+
+	atf_test_case ${name} cleanup
+	eval "								\
+	    ${name}_head() {						\
+	        atf_set \"descr\" \"$desc\";				\
+	        atf_set \"require.progs\" \"rump_server\" \"setkey\";	\
+	    };								\
+	    ${name}_body() {						\
+	        test_ipsec_l2tp_common $ipproto $proto $algo;		\
+	        rump_server_destroy_ifaces;				\
+	    };								\
+	    ${name}_cleanup() {						\
+	        $DEBUG && dump;						\
+	        cleanup;						\
+	    }								\
+	"
+	atf_add_test_case ${name}
+}
+
+atf_init_test_cases()
+{
+	local algo=
+
+	for algo in $ESP_ENCRYPTION_ALGORITHMS_MINIMUM; do
+		add_test_ipsec_l2tp ipv4 esp $algo
+		add_test_ipsec_l2tp ipv6 esp $algo
+	done
+
+	for algo in $AH_AUTHENTICATION_ALGORITHMS_MINIMUM; do
+		add_test_ipsec_l2tp ipv4 ah $algo
+		add_test_ipsec_l2tp ipv6 ah $algo
+	done
+}

Reply via email to