Source-Changes-HG archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
[src/perseant-stdc-iso10646]: src/tests/net/ipsec 301908
details: https://anonhg.NetBSD.org/src/rev/57f75ce3a346
branches: perseant-stdc-iso10646
changeset: 850670:57f75ce3a346
user: ozaki-r <ozaki-r%NetBSD.org@localhost>
date: Tue Jul 18 02:16:08 2017 +0000
description:
301908
diffstat:
tests/net/ipsec/Makefile | 16 +
tests/net/ipsec/t_ipsec_misc.sh | 581 ++++++++++++++++++++++++++++++++++++++++
tests/net/ipsec/t_ipsec_tcp.sh | 299 ++++++++++++++++++++
3 files changed, 896 insertions(+), 0 deletions(-)
diffs (truncated from 908 to 300 lines):
diff -r 5d4aec2bbdf8 -r 57f75ce3a346 tests/net/ipsec/Makefile
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/tests/net/ipsec/Makefile Tue Jul 18 02:16:08 2017 +0000
@@ -0,0 +1,16 @@
+# $NetBSD: Makefile,v 1.8.2.2 2017/07/18 02:16:08 ozaki-r Exp $
+#
+
+.include <bsd.own.mk>
+
+TESTSDIR= ${TESTSBASE}/net/ipsec
+
+.for name in ipsec_ah_keys ipsec_esp_keys ipsec_gif ipsec_l2tp ipsec_misc \
+ ipsec_sysctl ipsec_tcp ipsec_transport ipsec_tunnel ipsec_tunnel_ipcomp \
+ ipsec_tunnel_odd
+TESTS_SH+= t_${name}
+TESTS_SH_SRC_t_${name}= ../net_common.sh ./common.sh ./algorithms.sh \
+ t_${name}.sh
+.endfor
+
+.include <bsd.test.mk>
diff -r 5d4aec2bbdf8 -r 57f75ce3a346 tests/net/ipsec/t_ipsec_misc.sh
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/tests/net/ipsec/t_ipsec_misc.sh Tue Jul 18 02:16:08 2017 +0000
@@ -0,0 +1,581 @@
+# $NetBSD: t_ipsec_misc.sh,v 1.11.2.2 2017/07/18 02:16:08 ozaki-r Exp $
+#
+# Copyright (c) 2017 Internet Initiative Japan Inc.
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
+# ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+# TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+# POSSIBILITY OF SUCH DAMAGE.
+#
+
+SOCK_LOCAL=unix://ipsec_local
+SOCK_PEER=unix://ipsec_peer
+BUS=./bus_ipsec
+
+DEBUG=${DEBUG:-true}
+
+setup_sasp()
+{
+ local proto=$1
+ local algo_args="$2"
+ local ip_local=$3
+ local ip_peer=$4
+ local lifetime=$5
+ local update=$6
+ local tmpfile=./tmp
+ local extra=
+
+ if [ "$update" = sa ]; then
+ extra="update $ip_local $ip_peer $proto 10000 $algo_args;
+ update $ip_peer $ip_local $proto 10001 $algo_args;"
+ elif [ "$update" = sp ]; then
+ extra="spdupdate $ip_local $ip_peer any -P out ipsec $proto/transport//require;"
+ fi
+
+ export RUMP_SERVER=$SOCK_LOCAL
+ cat > $tmpfile <<-EOF
+ add $ip_local $ip_peer $proto 10000 -lh $lifetime -ls $lifetime $algo_args;
+ add $ip_peer $ip_local $proto 10001 -lh $lifetime -ls $lifetime $algo_args;
+ spdadd $ip_local $ip_peer any -P out ipsec $proto/transport//require;
+ $extra
+ EOF
+ $DEBUG && cat $tmpfile
+ atf_check -s exit:0 -o empty $HIJACKING setkey -c < $tmpfile
+ # XXX it can be expired if $lifetime is very short
+ #check_sa_entries $SOCK_LOCAL $ip_local $ip_peer
+
+ if [ "$update" = sp ]; then
+ extra="spdupdate $ip_peer $ip_local any -P out ipsec $proto/transport//require;"
+ fi
+
+ export RUMP_SERVER=$SOCK_PEER
+ cat > $tmpfile <<-EOF
+ add $ip_local $ip_peer $proto 10000 -lh $lifetime -ls $lifetime $algo_args;
+ add $ip_peer $ip_local $proto 10001 -lh $lifetime -ls $lifetime $algo_args;
+ spdadd $ip_peer $ip_local any -P out ipsec $proto/transport//require;
+ $extra
+ EOF
+ $DEBUG && cat $tmpfile
+ atf_check -s exit:0 -o empty $HIJACKING setkey -c < $tmpfile
+ # XXX it can be expired if $lifetime is very short
+ #check_sa_entries $SOCK_PEER $ip_local $ip_peer
+}
+
+test_ipsec4_lifetime()
+{
+ local proto=$1
+ local algo=$2
+ local ip_local=10.0.0.1
+ local ip_peer=10.0.0.2
+ local outfile=./out
+ local proto_cap=$(echo $proto | tr 'a-z' 'A-Z')
+ local algo_args="$(generate_algo_args $proto $algo)"
+ local lifetime=3
+
+ rump_server_crypto_start $SOCK_LOCAL netipsec
+ rump_server_crypto_start $SOCK_PEER netipsec
+ rump_server_add_iface $SOCK_LOCAL shmif0 $BUS
+ rump_server_add_iface $SOCK_PEER shmif0 $BUS
+
+ export RUMP_SERVER=$SOCK_LOCAL
+ atf_check -s exit:0 rump.sysctl -q -w net.inet.ip.dad_count=0
+ atf_check -s exit:0 rump.ifconfig shmif0 $ip_local/24
+ #atf_check -s exit:0 -o ignore rump.sysctl -w net.key.debug=0xff
+
+ export RUMP_SERVER=$SOCK_PEER
+ atf_check -s exit:0 rump.sysctl -q -w net.inet.ip.dad_count=0
+ atf_check -s exit:0 rump.ifconfig shmif0 $ip_peer/24
+ #atf_check -s exit:0 -o ignore rump.sysctl -w net.key.debug=0xff
+
+ extract_new_packets $BUS > $outfile
+
+ export RUMP_SERVER=$SOCK_LOCAL
+ atf_check -s exit:0 -o ignore rump.ping -c 1 -n -w 3 $ip_peer
+
+ extract_new_packets $BUS > $outfile
+ atf_check -s exit:0 -o match:"$ip_local > $ip_peer: ICMP echo request" \
+ cat $outfile
+ atf_check -s exit:0 -o match:"$ip_peer > $ip_local: ICMP echo reply" \
+ cat $outfile
+
+ # Set up SAs with lifetime 1 sec.
+ setup_sasp $proto "$algo_args" $ip_local $ip_peer 1
+
+ # Wait for the SAs to be expired
+ atf_check -s exit:0 sleep 2
+
+ # Check the SAs have been expired
+ export RUMP_SERVER=$SOCK_LOCAL
+ $DEBUG && $HIJACKING setkey -D
+ atf_check -s exit:0 -o match:'No SAD entries.' $HIJACKING setkey -D
+ export RUMP_SERVER=$SOCK_PEER
+ $DEBUG && $HIJACKING setkey -D
+ atf_check -s exit:0 -o match:'No SAD entries.' $HIJACKING setkey -D
+
+ # Clean up SPs
+ export RUMP_SERVER=$SOCK_LOCAL
+ atf_check -s exit:0 -o empty $HIJACKING setkey -F -P
+ export RUMP_SERVER=$SOCK_PEER
+ atf_check -s exit:0 -o empty $HIJACKING setkey -F -P
+
+ # Set up SAs with lifetime with $lifetime
+ setup_sasp $proto "$algo_args" $ip_local $ip_peer $lifetime
+
+ # Use the SAs; this will create a reference from an SP to an SA
+ export RUMP_SERVER=$SOCK_LOCAL
+ atf_check -s exit:0 -o ignore rump.ping -c 1 -n -w 3 $ip_peer
+
+ extract_new_packets $BUS > $outfile
+ atf_check -s exit:0 -o match:"$ip_local > $ip_peer: $proto_cap" \
+ cat $outfile
+ atf_check -s exit:0 -o match:"$ip_peer > $ip_local: $proto_cap" \
+ cat $outfile
+
+ atf_check -s exit:0 sleep $((lifetime + 1))
+
+ export RUMP_SERVER=$SOCK_LOCAL
+ $DEBUG && $HIJACKING setkey -D
+ atf_check -s exit:0 -o empty $HIJACKING setkey -D
+ # The SA on output remain because sp/isr still refers it
+ atf_check -s exit:0 -o match:"$ip_local $ip_peer" \
+ $HIJACKING setkey -D -a
+ atf_check -s exit:0 -o not-match:"$ip_peer $ip_local" \
+ $HIJACKING setkey -D -a
+
+ export RUMP_SERVER=$SOCK_PEER
+ $DEBUG && $HIJACKING setkey -D
+ atf_check -s exit:0 -o empty $HIJACKING setkey -D
+ atf_check -s exit:0 -o not-match:"$ip_local $ip_peer" \
+ $HIJACKING setkey -D -a
+ # The SA on output remain because sp/isr still refers it
+ atf_check -s exit:0 -o match:"$ip_peer $ip_local" \
+ $HIJACKING setkey -D -a
+
+ export RUMP_SERVER=$SOCK_LOCAL
+ atf_check -s not-exit:0 -o match:'0 packets received' \
+ rump.ping -c 1 -n -w 1 $ip_peer
+
+ test_flush_entries $SOCK_LOCAL
+ test_flush_entries $SOCK_PEER
+}
+
+test_ipsec6_lifetime()
+{
+ local proto=$1
+ local algo=$2
+ local ip_local=fd00::1
+ local ip_peer=fd00::2
+ local outfile=./out
+ local proto_cap=$(echo $proto | tr 'a-z' 'A-Z')
+ local algo_args="$(generate_algo_args $proto $algo)"
+ local lifetime=3
+
+ rump_server_crypto_start $SOCK_LOCAL netinet6 netipsec
+ rump_server_crypto_start $SOCK_PEER netinet6 netipsec
+ rump_server_add_iface $SOCK_LOCAL shmif0 $BUS
+ rump_server_add_iface $SOCK_PEER shmif0 $BUS
+
+ export RUMP_SERVER=$SOCK_LOCAL
+ atf_check -s exit:0 rump.sysctl -q -w net.inet6.ip6.dad_count=0
+ atf_check -s exit:0 rump.ifconfig shmif0 inet6 $ip_local
+
+ export RUMP_SERVER=$SOCK_PEER
+ atf_check -s exit:0 rump.sysctl -q -w net.inet6.ip6.dad_count=0
+ atf_check -s exit:0 rump.ifconfig shmif0 inet6 $ip_peer
+
+ extract_new_packets $BUS > $outfile
+
+ export RUMP_SERVER=$SOCK_LOCAL
+ atf_check -s exit:0 -o ignore rump.ping6 -c 1 -n -X 3 $ip_peer
+
+ extract_new_packets $BUS > $outfile
+ atf_check -s exit:0 -o match:"$ip_local > $ip_peer: ICMP6, echo request" \
+ cat $outfile
+ atf_check -s exit:0 -o match:"$ip_peer > $ip_local: ICMP6, echo reply" \
+ cat $outfile
+
+ # Set up SAs with lifetime 1 sec.
+ setup_sasp $proto "$algo_args" $ip_local $ip_peer 1
+
+ # Wait for the SAs to be expired
+ atf_check -s exit:0 sleep 2
+
+ # Check the SAs have been expired
+ export RUMP_SERVER=$SOCK_LOCAL
+ $DEBUG && $HIJACKING setkey -D
+ atf_check -s exit:0 -o match:'No SAD entries.' $HIJACKING setkey -D
+ export RUMP_SERVER=$SOCK_PEER
+ $DEBUG && $HIJACKING setkey -D
+ atf_check -s exit:0 -o match:'No SAD entries.' $HIJACKING setkey -D
+
+ # Clean up SPs
+ export RUMP_SERVER=$SOCK_LOCAL
+ atf_check -s exit:0 -o empty $HIJACKING setkey -F -P
+ export RUMP_SERVER=$SOCK_PEER
+ atf_check -s exit:0 -o empty $HIJACKING setkey -F -P
+
+ # Set up SAs with lifetime with $lifetime
+ setup_sasp $proto "$algo_args" $ip_local $ip_peer $lifetime
+
+ # Use the SAs; this will create a reference from an SP to an SA
+ export RUMP_SERVER=$SOCK_LOCAL
+ atf_check -s exit:0 -o ignore rump.ping6 -c 1 -n -X 3 $ip_peer
+
+ extract_new_packets $BUS > $outfile
+ atf_check -s exit:0 -o match:"$ip_local > $ip_peer: $proto_cap" \
+ cat $outfile
+ atf_check -s exit:0 -o match:"$ip_peer > $ip_local: $proto_cap" \
+ cat $outfile
+
+ atf_check -s exit:0 sleep $((lifetime + 1))
+
+ export RUMP_SERVER=$SOCK_LOCAL
+ $DEBUG && $HIJACKING setkey -D
+ atf_check -s exit:0 -o empty $HIJACKING setkey -D
+ # The SA on output remain because sp/isr still refers it
+ atf_check -s exit:0 -o match:"$ip_local $ip_peer" \
+ $HIJACKING setkey -D -a
+ atf_check -s exit:0 -o not-match:"$ip_peer $ip_local" \
+ $HIJACKING setkey -D -a
+
+ export RUMP_SERVER=$SOCK_PEER
+ $DEBUG && $HIJACKING setkey -D
+ atf_check -s exit:0 -o empty $HIJACKING setkey -D
+ atf_check -s exit:0 -o not-match:"$ip_local $ip_peer" \
+ $HIJACKING setkey -D -a
+ # The SA on output remain because sp/isr still refers it
+ atf_check -s exit:0 -o match:"$ip_peer $ip_local" \
+ $HIJACKING setkey -D -a
+
+ export RUMP_SERVER=$SOCK_LOCAL
+ atf_check -s not-exit:0 -o match:'0 packets received' \
+ rump.ping6 -c 1 -n -X 1 $ip_peer
+
+ test_flush_entries $SOCK_LOCAL
+ test_flush_entries $SOCK_PEER
+}
+
+test_lifetime_common()
+{
Home |
Main Index |
Thread Index |
Old Index