CVS commit: src/tests/net/ipsec
Module Name:src Committed By: rin Date: Tue Aug 22 05:40:50 UTC 2023 Modified Files: src/tests/net/ipsec: t_ipsec_gif.sh t_ipsec_l2tp.sh Log Message: t_ipsec_{gif,l2tp}: Adjust for tcpdump 4.99.4 It does not longer output redundant `` (ipip-proto-4)'': https://github.com/the-tcpdump-group/tcpdump/commit/cba9b77a98e9dde764abde71a899ee8937ca56e8 Now, these tests become passing again. Thanks mlelstv@ for finding out upstream commit. OK ozaki-r@ To generate a diff of this commit: cvs rdiff -u -r1.9 -r1.10 src/tests/net/ipsec/t_ipsec_gif.sh \ src/tests/net/ipsec/t_ipsec_l2tp.sh Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/tests/net/ipsec/t_ipsec_gif.sh diff -u src/tests/net/ipsec/t_ipsec_gif.sh:1.9 src/tests/net/ipsec/t_ipsec_gif.sh:1.10 --- src/tests/net/ipsec/t_ipsec_gif.sh:1.9 Mon Feb 17 08:46:10 2020 +++ src/tests/net/ipsec/t_ipsec_gif.sh Tue Aug 22 05:40:50 2023 @@ -1,4 +1,4 @@ -# $NetBSD: t_ipsec_gif.sh,v 1.9 2020/02/17 08:46:10 ozaki-r Exp $ +# $NetBSD: t_ipsec_gif.sh,v 1.10 2023/08/22 05:40:50 rin Exp $ # # Copyright (c) 2017 Internet Initiative Japan Inc. # All rights reserved. @@ -49,11 +49,7 @@ make_gif_pktstr() proto_cap=ESP else proto_cap=AH - if [ $ipproto = ipv4 ]; then - inner_str="$src_inner > $dst_inner:.+\(ipip-proto-4\)" - else - inner_str="$src_inner > $dst_inner" - fi + inner_str="$src_inner > $dst_inner" fi echo "$src > $dst: $proto_cap.+$inner_str" 
@@ -144,11 +140,9 @@ test_ipsec4_gif() extract_new_packets $BUS_TUNNEL > $outfile str="$ip_gwlo_tun > $ip_gwre_tun:" str="$str $ip_local > $ip_remote: ICMP echo request," - str="$str .+ \(ipip-proto-4\)" atf_check -s exit:0 -o match:"$str" cat $outfile str="$ip_gwre_tun > $ip_gwlo_tun:" str="$str $ip_remote > $ip_local: ICMP echo reply," - str="$str .+ \(ipip-proto-4\)" atf_check -s exit:0 -o match:"$str" cat $outfile if [ $mode = tunnel ]; then Index: src/tests/net/ipsec/t_ipsec_l2tp.sh diff -u src/tests/net/ipsec/t_ipsec_l2tp.sh:1.9 src/tests/net/ipsec/t_ipsec_l2tp.sh:1.10 --- src/tests/net/ipsec/t_ipsec_l2tp.sh:1.9 Mon Feb 17 08:46:10 2020 +++ src/tests/net/ipsec/t_ipsec_l2tp.sh Tue Aug 22 05:40:50 2023 @@ -1,4 +1,4 @@ -# $NetBSD: t_ipsec_l2tp.sh,v 1.9 2020/02/17 08:46:10 ozaki-r Exp $ +# $NetBSD: t_ipsec_l2tp.sh,v 1.10 2023/08/22 05:40:50 rin Exp $ # # Copyright (c) 2017 Internet Initiative Japan Inc. # All rights reserved. @@ -49,11 +49,7 @@ make_l2tp_pktstr() else proto_cap=AH if [ $ipproto = ipv4 ]; then - if [ $mode = tunnel ]; then -proto_str="ip-proto-115 102 \(ipip-proto-4\)" - else -proto_str="ip-proto-115 102" - fi + proto_str="ip-proto-115 102" else proto_str="ip-proto-115" fi
CVS commit: src/tests/net/ipsec
Module Name:src Committed By: rin Date: Tue Aug 22 05:40:50 UTC 2023 Modified Files: src/tests/net/ipsec: t_ipsec_gif.sh t_ipsec_l2tp.sh Log Message: t_ipsec_{gif,l2tp}: Adjust for tcpdump 4.99.4 It no longer outputs the redundant `` (ipip-proto-4)'': https://github.com/the-tcpdump-group/tcpdump/commit/cba9b77a98e9dde764abde71a899ee8937ca56e8 Now these tests pass again. Thanks mlelstv@ for finding the upstream commit. OK ozaki-r@ To generate a diff of this commit: cvs rdiff -u -r1.9 -r1.10 src/tests/net/ipsec/t_ipsec_gif.sh \ src/tests/net/ipsec/t_ipsec_l2tp.sh Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
CVS commit: src/tests/net/ipsec
Module Name:src Committed By: knakahara Date: Mon Jun 19 08:28:09 UTC 2023 Modified Files: src/tests/net/ipsec: t_ipsec_ah_keys.sh t_ipsec_esp_keys.sh t_ipsec_transport.sh t_ipsec_tunnel.sh t_ipsec_tunnel_ipcomp.sh t_ipsec_tunnel_odd.sh Log Message: Repair test coverage. I revert by proxy as the committer seems too busy to even reply mail. TODO: Provide some way for small machines to run subset test so that they get shorter run time at the expense of test coverage. To generate a diff of this commit: cvs rdiff -u -r1.3 -r1.4 src/tests/net/ipsec/t_ipsec_ah_keys.sh \ src/tests/net/ipsec/t_ipsec_esp_keys.sh \ src/tests/net/ipsec/t_ipsec_tunnel_ipcomp.sh cvs rdiff -u -r1.7 -r1.8 src/tests/net/ipsec/t_ipsec_transport.sh cvs rdiff -u -r1.10 -r1.11 src/tests/net/ipsec/t_ipsec_tunnel.sh cvs rdiff -u -r1.4 -r1.5 src/tests/net/ipsec/t_ipsec_tunnel_odd.sh Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/tests/net/ipsec/t_ipsec_ah_keys.sh diff -u src/tests/net/ipsec/t_ipsec_ah_keys.sh:1.3 src/tests/net/ipsec/t_ipsec_ah_keys.sh:1.4 --- src/tests/net/ipsec/t_ipsec_ah_keys.sh:1.3 Sun Jun 4 22:18:47 2023 +++ src/tests/net/ipsec/t_ipsec_ah_keys.sh Mon Jun 19 08:28:09 2023 @@ -1,4 +1,4 @@ -# $NetBSD: t_ipsec_ah_keys.sh,v 1.3 2023/06/04 22:18:47 chs Exp $ +# $NetBSD: t_ipsec_ah_keys.sh,v 1.4 2023/06/19 08:28:09 knakahara Exp $ # # Copyright (c) 2017 Internet Initiative Japan Inc. # All rights reserved. 
@@ -152,7 +152,7 @@ add_test_invalid_keys() atf_init_test_cases() { - for aalgo in $AH_AUTHENTICATION_ALGORITHMS_MINIMUM; do + for aalgo in $AH_AUTHENTICATION_ALGORITHMS; do add_test_valid_keys $aalgo add_test_invalid_keys $aalgo done Index: src/tests/net/ipsec/t_ipsec_esp_keys.sh diff -u src/tests/net/ipsec/t_ipsec_esp_keys.sh:1.3 src/tests/net/ipsec/t_ipsec_esp_keys.sh:1.4 --- src/tests/net/ipsec/t_ipsec_esp_keys.sh:1.3 Sun Jun 4 22:18:47 2023 +++ src/tests/net/ipsec/t_ipsec_esp_keys.sh Mon Jun 19 08:28:09 2023 @@ -1,4 +1,4 @@ -# $NetBSD: t_ipsec_esp_keys.sh,v 1.3 2023/06/04 22:18:47 chs Exp $ +# $NetBSD: t_ipsec_esp_keys.sh,v 1.4 2023/06/19 08:28:09 knakahara Exp $ # # Copyright (c) 2017 Internet Initiative Japan Inc. # All rights reserved. @@ -152,7 +152,7 @@ add_test_invalid_keys() atf_init_test_cases() { - for ealgo in $ESP_ENCRYPTION_ALGORITHMS_MINIMUM; do + for ealgo in $ESP_ENCRYPTION_ALGORITHMS; do add_test_valid_keys $ealgo add_test_invalid_keys $ealgo done Index: src/tests/net/ipsec/t_ipsec_tunnel_ipcomp.sh diff -u src/tests/net/ipsec/t_ipsec_tunnel_ipcomp.sh:1.3 src/tests/net/ipsec/t_ipsec_tunnel_ipcomp.sh:1.4 --- src/tests/net/ipsec/t_ipsec_tunnel_ipcomp.sh:1.3 Sun Jun 4 22:18:47 2023 +++ src/tests/net/ipsec/t_ipsec_tunnel_ipcomp.sh Mon Jun 19 08:28:09 2023 @@ -1,4 +1,4 @@ -# $NetBSD: t_ipsec_tunnel_ipcomp.sh,v 1.3 2023/06/04 22:18:47 chs Exp $ +# $NetBSD: t_ipsec_tunnel_ipcomp.sh,v 1.4 2023/06/19 08:28:09 knakahara Exp $ # # Copyright (c) 2017 Internet Initiative Japan Inc. # All rights reserved. 
@@ -395,7 +395,7 @@ atf_init_test_cases() { local calgo= algo= - for calgo in $IPCOMP_COMPRESSION_ALGORITHMS_MINIMUM; do + for calgo in $IPCOMP_COMPRESSION_ALGORITHMS; do for algo in $ESP_ENCRYPTION_ALGORITHMS_MINIMUM; do add_test_tunnel_mode ipv4 esp $algo $calgo add_test_tunnel_mode ipv6 esp $algo $calgo Index: src/tests/net/ipsec/t_ipsec_transport.sh diff -u src/tests/net/ipsec/t_ipsec_transport.sh:1.7 src/tests/net/ipsec/t_ipsec_transport.sh:1.8 --- src/tests/net/ipsec/t_ipsec_transport.sh:1.7 Sun Jun 4 22:18:47 2023 +++ src/tests/net/ipsec/t_ipsec_transport.sh Mon Jun 19 08:28:09 2023 @@ -1,4 +1,4 @@ -# $NetBSD: t_ipsec_transport.sh,v 1.7 2023/06/04 22:18:47 chs Exp $ +# $NetBSD: t_ipsec_transport.sh,v 1.8 2023/06/19 08:28:09 knakahara Exp $ # # Copyright (c) 2017 Internet Initiative Japan Inc. # All rights reserved. @@ -261,15 +261,15 @@ atf_init_test_cases() { local algo= - for algo in $ESP_ENCRYPTION_ALGORITHMS_MINIMUM; do + for algo in $ESP_ENCRYPTION_ALGORITHMS; do add_test_transport_mode ipv4 esp $algo add_test_transport_mode ipv6 esp $algo done - for algo in $AH_AUTHENTICATION_ALGORITHMS_MINIMUM; do + for algo in $AH_AUTHENTICATION_ALGORITHMS; do add_test_transport_mode ipv4 ah $algo add_test_transport_mode ipv6 ah $algo done - for algo in $IPCOMP_COMPRESSION_ALGORITHMS_MINIMUM; do + for algo in $IPCOMP_COMPRESSION_ALGORITHMS; do add_test_transport_mode ipv4 ipcomp $algo add_test_transport_mode ipv6 ipcomp $algo done Index: src/tests/net/ipsec/t_ipsec_tunnel.sh diff -u src/tests/net/ipsec/t_ipsec_tunnel.sh:1.10 src/tests/net/ipsec/t_ipsec_tunnel.sh:1.11 --- src/tests/net/ipsec/t_ipsec_tunnel.sh:1.10 Sun Jun 4 22:18:47 2023 +++ src/tests/net/ipsec/t_ipsec_tunnel.sh Mon Jun 19 08:28:09 2023 @@ -1,4 +1,4 @@ -# $NetBSD: t_ipsec_tunnel.sh,v 1.10 2023/06/04 22:18:47 chs Exp $
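Review bot: In atf_init_test_cases of t_ipsec_tunnel_ipcomp.sh the outer loop is restored to `$IPCOMP_COMPRESSION_ALGORITHMS`, but the inner loop on the next context line still iterates `$ESP_ENCRYPTION_ALGORITHMS_MINIMUM`, and nothing in the hunk says whether that is deliberate. Since this commit is about restoring coverage, a one-line comment above the inner loop would stop the next reader from treating it as a leftover, for example `# ESP is limited to the minimum set on purpose; this test varies the compression algorithm` (presumably the intent; confirm before adding). The function body continues outside the hunk.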
CVS commit: src/tests/net/ipsec
Module Name:src Committed By: knakahara Date: Mon Jun 19 08:28:09 UTC 2023 Modified Files: src/tests/net/ipsec: t_ipsec_ah_keys.sh t_ipsec_esp_keys.sh t_ipsec_transport.sh t_ipsec_tunnel.sh t_ipsec_tunnel_ipcomp.sh t_ipsec_tunnel_odd.sh Log Message: Repair test coverage. I revert by proxy as the committer seems too busy to even reply mail. TODO: Provide some way for small machines to run subset test so that they get shorter run time at the expense of test coverage. To generate a diff of this commit: cvs rdiff -u -r1.3 -r1.4 src/tests/net/ipsec/t_ipsec_ah_keys.sh \ src/tests/net/ipsec/t_ipsec_esp_keys.sh \ src/tests/net/ipsec/t_ipsec_tunnel_ipcomp.sh cvs rdiff -u -r1.7 -r1.8 src/tests/net/ipsec/t_ipsec_transport.sh cvs rdiff -u -r1.10 -r1.11 src/tests/net/ipsec/t_ipsec_tunnel.sh cvs rdiff -u -r1.4 -r1.5 src/tests/net/ipsec/t_ipsec_tunnel_odd.sh Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
CVS commit: src/tests/net/ipsec
Module Name:src Committed By: chs Date: Sun Jun 4 22:18:47 UTC 2023 Modified Files: src/tests/net/ipsec: t_ipsec_ah_keys.sh t_ipsec_esp_keys.sh t_ipsec_transport.sh t_ipsec_tunnel.sh t_ipsec_tunnel_ipcomp.sh t_ipsec_tunnel_odd.sh Log Message: The ATF design is O(N^2) in the number of TCs in one TP, which on some slower platforms causes the net/ipsec tests to take as much as 30% of the total time to run all of the ATF tests. Reduce the number of TCs in various net/ipsec TPs by iterating over *_ALGORITHMS_MINIMUM rather than *_ALGORITHMS. Various of the net/ipsec tests already use the smaller lists, so change the rest of them to do so as well. To generate a diff of this commit: cvs rdiff -u -r1.2 -r1.3 src/tests/net/ipsec/t_ipsec_ah_keys.sh \ src/tests/net/ipsec/t_ipsec_esp_keys.sh \ src/tests/net/ipsec/t_ipsec_tunnel_ipcomp.sh cvs rdiff -u -r1.6 -r1.7 src/tests/net/ipsec/t_ipsec_transport.sh cvs rdiff -u -r1.9 -r1.10 src/tests/net/ipsec/t_ipsec_tunnel.sh cvs rdiff -u -r1.3 -r1.4 src/tests/net/ipsec/t_ipsec_tunnel_odd.sh Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/tests/net/ipsec/t_ipsec_ah_keys.sh diff -u src/tests/net/ipsec/t_ipsec_ah_keys.sh:1.2 src/tests/net/ipsec/t_ipsec_ah_keys.sh:1.3 --- src/tests/net/ipsec/t_ipsec_ah_keys.sh:1.2 Thu Aug 3 03:16:27 2017 +++ src/tests/net/ipsec/t_ipsec_ah_keys.sh Sun Jun 4 22:18:47 2023 @@ -1,4 +1,4 @@ -# $NetBSD: t_ipsec_ah_keys.sh,v 1.2 2017/08/03 03:16:27 ozaki-r Exp $ +# $NetBSD: t_ipsec_ah_keys.sh,v 1.3 2023/06/04 22:18:47 chs Exp $ # # Copyright (c) 2017 Internet Initiative Japan Inc. # All rights reserved. 
@@ -152,7 +152,7 @@ add_test_invalid_keys() atf_init_test_cases() { - for aalgo in $AH_AUTHENTICATION_ALGORITHMS; do + for aalgo in $AH_AUTHENTICATION_ALGORITHMS_MINIMUM; do add_test_valid_keys $aalgo add_test_invalid_keys $aalgo done Index: src/tests/net/ipsec/t_ipsec_esp_keys.sh diff -u src/tests/net/ipsec/t_ipsec_esp_keys.sh:1.2 src/tests/net/ipsec/t_ipsec_esp_keys.sh:1.3 --- src/tests/net/ipsec/t_ipsec_esp_keys.sh:1.2 Thu Aug 3 03:16:27 2017 +++ src/tests/net/ipsec/t_ipsec_esp_keys.sh Sun Jun 4 22:18:47 2023 @@ -1,4 +1,4 @@ -# $NetBSD: t_ipsec_esp_keys.sh,v 1.2 2017/08/03 03:16:27 ozaki-r Exp $ +# $NetBSD: t_ipsec_esp_keys.sh,v 1.3 2023/06/04 22:18:47 chs Exp $ # # Copyright (c) 2017 Internet Initiative Japan Inc. # All rights reserved. @@ -152,7 +152,7 @@ add_test_invalid_keys() atf_init_test_cases() { - for ealgo in $ESP_ENCRYPTION_ALGORITHMS; do + for ealgo in $ESP_ENCRYPTION_ALGORITHMS_MINIMUM; do add_test_valid_keys $ealgo add_test_invalid_keys $ealgo done Index: src/tests/net/ipsec/t_ipsec_tunnel_ipcomp.sh diff -u src/tests/net/ipsec/t_ipsec_tunnel_ipcomp.sh:1.2 src/tests/net/ipsec/t_ipsec_tunnel_ipcomp.sh:1.3 --- src/tests/net/ipsec/t_ipsec_tunnel_ipcomp.sh:1.2 Thu Aug 3 03:16:27 2017 +++ src/tests/net/ipsec/t_ipsec_tunnel_ipcomp.sh Sun Jun 4 22:18:47 2023 @@ -1,4 +1,4 @@ -# $NetBSD: t_ipsec_tunnel_ipcomp.sh,v 1.2 2017/08/03 03:16:27 ozaki-r Exp $ +# $NetBSD: t_ipsec_tunnel_ipcomp.sh,v 1.3 2023/06/04 22:18:47 chs Exp $ # # Copyright (c) 2017 Internet Initiative Japan Inc. # All rights reserved. 
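Review bot: Iterating `$AH_AUTHENTICATION_ALGORITHMS_MINIMUM` and `$ESP_ENCRYPTION_ALGORITHMS_MINIMUM` in atf_init_test_cases of t_ipsec_ah_keys.sh and t_ipsec_esp_keys.sh also removes `add_test_invalid_keys` for every algorithm outside those lists, so rejection of wrong key lengths is no longer exercised for them. The algorithms.sh hunk shown elsewhere on this page has the ESP minimum list as `null rijndael-cbc`, which leaves most ciphers in the full list without a negative key test. If the shorter run time is kept, the gap should at least be recorded at the loop, e.g. `# Only *_MINIMUM is iterated to bound run time; key-length rejection for the other algorithms is not covered here`. The same applies to the transport and ipcomp hunks of this commit.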
@@ -395,7 +395,7 @@ atf_init_test_cases() { local calgo= algo= - for calgo in $IPCOMP_COMPRESSION_ALGORITHMS; do + for calgo in $IPCOMP_COMPRESSION_ALGORITHMS_MINIMUM; do for algo in $ESP_ENCRYPTION_ALGORITHMS_MINIMUM; do add_test_tunnel_mode ipv4 esp $algo $calgo add_test_tunnel_mode ipv6 esp $algo $calgo Index: src/tests/net/ipsec/t_ipsec_transport.sh diff -u src/tests/net/ipsec/t_ipsec_transport.sh:1.6 src/tests/net/ipsec/t_ipsec_transport.sh:1.7 --- src/tests/net/ipsec/t_ipsec_transport.sh:1.6 Thu Aug 3 03:16:27 2017 +++ src/tests/net/ipsec/t_ipsec_transport.sh Sun Jun 4 22:18:47 2023 @@ -1,4 +1,4 @@ -# $NetBSD: t_ipsec_transport.sh,v 1.6 2017/08/03 03:16:27 ozaki-r Exp $ +# $NetBSD: t_ipsec_transport.sh,v 1.7 2023/06/04 22:18:47 chs Exp $ # # Copyright (c) 2017 Internet Initiative Japan Inc. # All rights reserved. @@ -261,15 +261,15 @@ atf_init_test_cases() { local algo= - for algo in $ESP_ENCRYPTION_ALGORITHMS; do + for algo in $ESP_ENCRYPTION_ALGORITHMS_MINIMUM; do add_test_transport_mode ipv4 esp $algo add_test_transport_mode ipv6 esp $algo done - for algo in $AH_AUTHENTICATION_ALGORITHMS; do + for algo in $AH_AUTHENTICATION_ALGORITHMS_MINIMUM; do add_test_transport_mode ipv4 ah $algo add_test_transport_mode ipv6 ah $algo done - for algo in $IPCOMP_COMPRESSION_ALGORITHMS; do + for algo in $IPCOMP_COMPRESSION_ALGORITHMS_MINIMUM; do add_test_transport_mode ipv4 ipcomp $algo add_test_transport_mode ipv6 ipcomp $algo done Index: src/tests/net/ipsec/t_ipsec_tunnel.sh diff -u src/tests/net/ipsec/t_ipsec_tunnel.sh:1.9 src/tests/net/ipsec/t_ipsec_tunnel.sh:1.10 --- src/tests/net/ipsec/t_ipsec_tunnel.sh:1.9 Thu
CVS commit: src/tests/net/ipsec
Module Name:src Committed By: chs Date: Sun Jun 4 22:18:47 UTC 2023 Modified Files: src/tests/net/ipsec: t_ipsec_ah_keys.sh t_ipsec_esp_keys.sh t_ipsec_transport.sh t_ipsec_tunnel.sh t_ipsec_tunnel_ipcomp.sh t_ipsec_tunnel_odd.sh Log Message: The ATF design is O(N^2) in the number of TCs in one TP, which on some slower platforms causes the net/ipsec tests to take as much as 30% of the total time to run all of the ATF tests. Reduce the number of TCs in various net/ipsec TPs by iterating over *_ALGORITHMS_MINIMUM rather than *_ALGORITHMS. Various of the net/ipsec tests already use the smaller lists, so change the rest of them to do so as well. To generate a diff of this commit: cvs rdiff -u -r1.2 -r1.3 src/tests/net/ipsec/t_ipsec_ah_keys.sh \ src/tests/net/ipsec/t_ipsec_esp_keys.sh \ src/tests/net/ipsec/t_ipsec_tunnel_ipcomp.sh cvs rdiff -u -r1.6 -r1.7 src/tests/net/ipsec/t_ipsec_transport.sh cvs rdiff -u -r1.9 -r1.10 src/tests/net/ipsec/t_ipsec_tunnel.sh cvs rdiff -u -r1.3 -r1.4 src/tests/net/ipsec/t_ipsec_tunnel_odd.sh Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
CVS commit: src/tests/net/ipsec
Module Name:src Committed By: knakahara Date: Thu Nov 24 02:58:28 UTC 2022 Modified Files: src/tests/net/ipsec: t_ipsec_forwarding.sh Log Message: clean up To generate a diff of this commit: cvs rdiff -u -r1.1 -r1.2 src/tests/net/ipsec/t_ipsec_forwarding.sh Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
CVS commit: src/tests/net/ipsec
Module Name:src Committed By: knakahara Date: Thu Nov 24 02:58:28 UTC 2022 Modified Files: src/tests/net/ipsec: t_ipsec_forwarding.sh Log Message: clean up To generate a diff of this commit: cvs rdiff -u -r1.1 -r1.2 src/tests/net/ipsec/t_ipsec_forwarding.sh Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/tests/net/ipsec/t_ipsec_forwarding.sh diff -u src/tests/net/ipsec/t_ipsec_forwarding.sh:1.1 src/tests/net/ipsec/t_ipsec_forwarding.sh:1.2 --- src/tests/net/ipsec/t_ipsec_forwarding.sh:1.1 Wed Nov 9 08:21:20 2022 +++ src/tests/net/ipsec/t_ipsec_forwarding.sh Thu Nov 24 02:58:28 2022 @@ -1,4 +1,4 @@ -# $NetBSD: t_ipsec_forwarding.sh,v 1.1 2022/11/09 08:21:20 knakahara Exp $ +# $NetBSD: t_ipsec_forwarding.sh,v 1.2 2022/11/24 02:58:28 knakahara Exp $ # # Copyright (c) 2022 Internet Initiative Japan Inc. # All rights reserved. @@ -456,33 +456,6 @@ test_ipsec_sp_port_ipv6() atf_check -s exit:0 \ -o match:"${ip_remote_i}\.$port > ${ip_local_i}\.[0-9]+" \ cat $routfile - -# # Check TCP communications from remote to local -# start_nc_server $SOCK_LOCAL $port $file_recv ipv6 -# prepare_file $file_send -# export RUMP_SERVER=$SOCK_REMOTE -# atf_check -s exit:0 $HIJACKING nc -w 3 $ip_local_i $port < $file_send -# atf_check -s exit:0 diff -q $file_send $file_recv -# stop_nc_server -# -# extract_new_packets $BUS_LOCAL_F > $loutfile -# extract_new_packets $BUS_REMOTE_F > $routfile -# $DEBUG && cat $loutfile -# atf_check -s exit:0 \ -# -o match:"${ip_local_f}\.[0-9]+ > ${ip_remote_i}\.$port" \ -# cat $loutfile -# atf_check -s exit:0 \ -# -o match:"${ip_remote_i}\.$port > ${ip_local_f}\.[0-9]+" \ -# cat $loutfile -# $DEBUG && cat $routfile -# atf_check -s exit:0 \ -# -o match:"${ip_forward_l} > ${ip_remote_i}: ESP" \ -# cat $routfile -# atf_check -s exit:0 \ -# -o match:"${ip_remote_i} > ${ip_forward_l}: ESP" \ -# cat $routfile - - } add_test_ipsec_sp_port()
CVS commit: src/tests/net/ipsec
Module Name:src Committed By: msaitoh Date: Sun Dec 5 02:49:21 UTC 2021 Modified Files: src/tests/net/ipsec: algorithms.sh Log Message: s/encript/encrypt/ in comment. To generate a diff of this commit: cvs rdiff -u -r1.6 -r1.7 src/tests/net/ipsec/algorithms.sh Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/tests/net/ipsec/algorithms.sh diff -u src/tests/net/ipsec/algorithms.sh:1.6 src/tests/net/ipsec/algorithms.sh:1.7 --- src/tests/net/ipsec/algorithms.sh:1.6 Fri Oct 27 04:31:50 2017 +++ src/tests/net/ipsec/algorithms.sh Sun Dec 5 02:49:21 2021 @@ -1,4 +1,4 @@ -# $NetBSD: algorithms.sh,v 1.6 2017/10/27 04:31:50 ozaki-r Exp $ +# $NetBSD: algorithms.sh,v 1.7 2021/12/05 02:49:21 msaitoh Exp $ # # Copyright (c) 2017 Internet Initiative Japan Inc. # All rights reserved. @@ -29,7 +29,7 @@ ESP_ENCRYPTION_ALGORITHMS="des-cbc 3des- des-deriv rijndael-cbc aes-ctr camellia-cbc aes-gcm-16 aes-gmac" ESP_ENCRYPTION_ALGORITHMS_MINIMUM="null rijndael-cbc" -# Valid key lengths of ESP encription algorithms +# Valid key lengths of ESP encryption algorithms #des-cbc 64 #3des-cbc192 #null0 to 2048 XXX only accept 0 length
CVS commit: src/tests/net/ipsec
Module Name:src Committed By: msaitoh Date: Sun Dec 5 02:49:21 UTC 2021 Modified Files: src/tests/net/ipsec: algorithms.sh Log Message: s/encript/encrypt/ in comment. To generate a diff of this commit: cvs rdiff -u -r1.6 -r1.7 src/tests/net/ipsec/algorithms.sh Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
CVS commit: src/tests/net/ipsec
Module Name:src Committed By: martin Date: Mon Aug 31 14:03:56 UTC 2020 Modified Files: src/tests/net/ipsec: t_ipsec_misc.sh Log Message: Skip timeout tests, pointing to PR 55632. To generate a diff of this commit: cvs rdiff -u -r1.23 -r1.24 src/tests/net/ipsec/t_ipsec_misc.sh Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
CVS commit: src/tests/net/ipsec
Module Name:src Committed By: martin Date: Mon Aug 31 14:03:56 UTC 2020 Modified Files: src/tests/net/ipsec: t_ipsec_misc.sh Log Message: Skip timeout tests, pointing to PR 55632. To generate a diff of this commit: cvs rdiff -u -r1.23 -r1.24 src/tests/net/ipsec/t_ipsec_misc.sh Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/tests/net/ipsec/t_ipsec_misc.sh diff -u src/tests/net/ipsec/t_ipsec_misc.sh:1.23 src/tests/net/ipsec/t_ipsec_misc.sh:1.24 --- src/tests/net/ipsec/t_ipsec_misc.sh:1.23 Tue Jul 23 04:31:25 2019 +++ src/tests/net/ipsec/t_ipsec_misc.sh Mon Aug 31 14:03:56 2020 @@ -1,4 +1,4 @@ -# $NetBSD: t_ipsec_misc.sh,v 1.23 2019/07/23 04:31:25 ozaki-r Exp $ +# $NetBSD: t_ipsec_misc.sh,v 1.24 2020/08/31 14:03:56 martin Exp $ # # Copyright (c) 2017 Internet Initiative Japan Inc. # All rights reserved. @@ -565,6 +565,10 @@ test_spi() local spistr= local longtime= shorttime= + if [ $method = timeout ]; then + atf_skip \ + "PR 55632: test fails randomly, leaving spurious rump_server around" + fi if [ $method = timeout -a $preferred = new ]; then skip_if_qemu fi
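Review bot: The `atf_skip` added to test_spi fires for every `timeout` case, so the `if [ $method = timeout -a $preferred = new ]` / `skip_if_qemu` branch directly below it can no longer be reached. It also leaves SA removal by lifetime expiry without coverage in this test for as long as the skip stays. A marker next to the skip would make both facts visible and give a handle for re-enabling it, e.g. `# XXX PR 55632: remove this skip once fixed; the skip_if_qemu check below is unreachable until then`. The new test also expands `$method` unquoted; `[ "$method" = timeout ]` avoids a syntax error from `[` if the argument is ever empty. test_spi continues outside the hunk.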
CVS commit: src/tests/net/ipsec
Module Name:src Committed By: ozaki-r Date: Mon Feb 17 08:46:10 UTC 2020 Modified Files: src/tests/net/ipsec: t_ipsec_gif.sh t_ipsec_l2tp.sh Log Message: tests: add missing ifconfig -w This change mitigates PR kern/54897. To generate a diff of this commit: cvs rdiff -u -r1.8 -r1.9 src/tests/net/ipsec/t_ipsec_gif.sh \ src/tests/net/ipsec/t_ipsec_l2tp.sh Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
CVS commit: src/tests/net/ipsec
Module Name:src Committed By: ozaki-r Date: Mon Feb 17 08:46:10 UTC 2020 Modified Files: src/tests/net/ipsec: t_ipsec_gif.sh t_ipsec_l2tp.sh Log Message: tests: add missing ifconfig -w This change mitigates PR kern/54897. To generate a diff of this commit: cvs rdiff -u -r1.8 -r1.9 src/tests/net/ipsec/t_ipsec_gif.sh \ src/tests/net/ipsec/t_ipsec_l2tp.sh Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/tests/net/ipsec/t_ipsec_gif.sh diff -u src/tests/net/ipsec/t_ipsec_gif.sh:1.8 src/tests/net/ipsec/t_ipsec_gif.sh:1.9 --- src/tests/net/ipsec/t_ipsec_gif.sh:1.8 Mon Aug 19 03:22:05 2019 +++ src/tests/net/ipsec/t_ipsec_gif.sh Mon Feb 17 08:46:10 2020 @@ -1,4 +1,4 @@ -# $NetBSD: t_ipsec_gif.sh,v 1.8 2019/08/19 03:22:05 ozaki-r Exp $ +# $NetBSD: t_ipsec_gif.sh,v 1.9 2020/02/17 08:46:10 ozaki-r Exp $ # # Copyright (c) 2017 Internet Initiative Japan Inc. # All rights reserved. @@ -59,6 +59,15 @@ make_gif_pktstr() echo "$src > $dst: $proto_cap.+$inner_str" } +wait_for_all_dad_completions() +{ + + for sock in $SOCK_LOCAL $SOCK_TUN_LOCAL $SOCK_TUN_REMOTE $SOCK_REMOTE; do + export RUMP_SERVER=$sock + atf_check -s exit:0 rump.ifconfig -w 10 + done +} + test_ipsec4_gif() { local mode=$1 @@ -121,8 +130,9 @@ test_ipsec4_gif() export RUMP_SERVER=$SOCK_REMOTE atf_check -s exit:0 rump.ifconfig shmif0 $ip_remote/24 - # Run ifconfig -w 10 just once for optimization - atf_check -s exit:0 rump.ifconfig -w 10 + + wait_for_all_dad_completions + atf_check -s exit:0 -o ignore \ rump.route -n add -net $subnet_local $ip_gw_remote 
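Review bot: wait_for_all_dad_completions returns with RUMP_SERVER set to whichever socket is last in its loop and does not declare `sock` local. In test_ipsec4_gif and test_ipsec6_gif the `rump.route` call that follows reaches the remote server only because `$SOCK_REMOTE` happens to be the final list entry, so reordering the list would silently configure the wrong host. Declaring `local sock= backup=$RUMP_SERVER` at the top and ending the function with `export RUMP_SERVER=$backup` removes that coupling. The identical copy added to t_ipsec_l2tp.sh (hunk `@@ -62,6 +62,15`) has the same issue.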
@@ -273,8 +283,9 @@ test_ipsec6_gif() export RUMP_SERVER=$SOCK_REMOTE atf_check -s exit:0 rump.ifconfig shmif0 inet6 $ip_remote - # Run ifconfig -w 10 just once for optimization - atf_check -s exit:0 rump.ifconfig -w 10 + + wait_for_all_dad_completions + atf_check -s exit:0 -o ignore \ rump.route -n add -inet6 -net $subnet_local/64 $ip_gw_remote Index: src/tests/net/ipsec/t_ipsec_l2tp.sh diff -u src/tests/net/ipsec/t_ipsec_l2tp.sh:1.8 src/tests/net/ipsec/t_ipsec_l2tp.sh:1.9 --- src/tests/net/ipsec/t_ipsec_l2tp.sh:1.8 Mon Aug 19 03:22:05 2019 +++ src/tests/net/ipsec/t_ipsec_l2tp.sh Mon Feb 17 08:46:10 2020 @@ -1,4 +1,4 @@ -# $NetBSD: t_ipsec_l2tp.sh,v 1.8 2019/08/19 03:22:05 ozaki-r Exp $ +# $NetBSD: t_ipsec_l2tp.sh,v 1.9 2020/02/17 08:46:10 ozaki-r Exp $ # # Copyright (c) 2017 Internet Initiative Japan Inc. # All rights reserved. @@ -62,6 +62,15 @@ make_l2tp_pktstr() echo "$src > $dst: $proto_cap.+$proto_str" } +wait_for_all_dad_completions() +{ + + for sock in $SOCK_LOCAL $SOCK_TUN_LOCAL $SOCK_TUN_REMOTE $SOCK_REMOTE; do + export RUMP_SERVER=$sock + atf_check -s exit:0 rump.ifconfig -w 10 + done +} + test_ipsec4_l2tp() { local mode=$1 @@ -121,8 +130,8 @@ test_ipsec4_l2tp() export RUMP_SERVER=$SOCK_REMOTE atf_check -s exit:0 rump.ifconfig shmif0 $ip_remote/24 - # Run ifconfig -w 10 just once for optimization - atf_check -s exit:0 rump.ifconfig -w 10 + + wait_for_all_dad_completions extract_new_packets $BUS_TUNNEL > $outfile @@ -263,8 +272,8 @@ test_ipsec6_l2tp() export RUMP_SERVER=$SOCK_REMOTE atf_check -s exit:0 rump.ifconfig shmif0 inet6 $ip_remote - # Run ifconfig -w 10 just once for optimization - atf_check -s exit:0 rump.ifconfig -w 10 + + wait_for_all_dad_completions extract_new_packets $BUS_TUNNEL > $outfile
CVS commit: src/tests/net/ipsec
Module Name:src Committed By: ozaki-r Date: Tue Jul 23 04:31:25 UTC 2019 Modified Files: src/tests/net/ipsec: t_ipsec_misc.sh Log Message: tests: add tests for getspi and udpate To generate a diff of this commit: cvs rdiff -u -r1.22 -r1.23 src/tests/net/ipsec/t_ipsec_misc.sh Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/tests/net/ipsec/t_ipsec_misc.sh diff -u src/tests/net/ipsec/t_ipsec_misc.sh:1.22 src/tests/net/ipsec/t_ipsec_misc.sh:1.23 --- src/tests/net/ipsec/t_ipsec_misc.sh:1.22 Thu Nov 9 04:51:07 2017 +++ src/tests/net/ipsec/t_ipsec_misc.sh Tue Jul 23 04:31:25 2019 @@ -1,4 +1,4 @@ -# $NetBSD: t_ipsec_misc.sh,v 1.22 2017/11/09 04:51:07 ozaki-r Exp $ +# $NetBSD: t_ipsec_misc.sh,v 1.23 2019/07/23 04:31:25 ozaki-r Exp $ # # Copyright (c) 2017 Internet Initiative Japan Inc. # All rights reserved. @@ -40,9 +40,16 @@ setup_sasp() local lifetime=$5 local update=$6 local tmpfile=./tmp + local saadd=add + local saadd_algo_args="$algo_args" local extra= - if [ "$update" = sa ]; then + if [ "$update" = getspi ]; then + saadd=getspi + saadd_algo_args= + fi + + if [ "$update" = sa -o "$update" = getspi ]; then extra="update $ip_local $ip_peer $proto 1 $algo_args; update $ip_peer $ip_local $proto 10001 $algo_args;" elif [ "$update" = sp ]; then @@ -51,8 +58,8 @@ setup_sasp() export RUMP_SERVER=$SOCK_LOCAL cat > $tmpfile <<-EOF - add $ip_local $ip_peer $proto 1 -lh $lifetime -ls $lifetime $algo_args; - add $ip_peer $ip_local $proto 10001 -lh $lifetime -ls $lifetime $algo_args; + $saadd $ip_local $ip_peer $proto 1 -lh $lifetime -ls $lifetime $saadd_algo_args; + $saadd $ip_peer $ip_local $proto 10001 -lh $lifetime -ls $lifetime $saadd_algo_args; spdadd $ip_local $ip_peer any -P out ipsec $proto/transport//require; $extra EOF 
@@ -67,8 +74,8 @@ setup_sasp() export RUMP_SERVER=$SOCK_PEER cat > $tmpfile <<-EOF - add $ip_local $ip_peer $proto 1 -lh $lifetime -ls $lifetime $algo_args; - add $ip_peer $ip_local $proto 10001 -lh $lifetime -ls $lifetime $algo_args; + $saadd $ip_local $ip_peer $proto 1 -lh $lifetime -ls $lifetime $saadd_algo_args; + $saadd $ip_peer $ip_local $proto 10001 -lh $lifetime -ls $lifetime $saadd_algo_args; spdadd $ip_peer $ip_local any -P out ipsec $proto/transport//require; $extra EOF 
@@ -370,6 +377,71 @@ add_test_update() atf_add_test_case ${name} } +test_getspi_update() +{ + local proto=$1 + local algo=$2 + local ip_local=10.0.0.1 + local ip_peer=10.0.0.2 + local algo_args="$(generate_algo_args $proto $algo)" + local proto_cap=$(echo $proto | tr 'a-z' 'A-Z') + local outfile=./out + + rump_server_crypto_start $SOCK_LOCAL netipsec + rump_server_crypto_start $SOCK_PEER netipsec + rump_server_add_iface $SOCK_LOCAL shmif0 $BUS + rump_server_add_iface $SOCK_PEER shmif0 $BUS + + export RUMP_SERVER=$SOCK_LOCAL + atf_check -s exit:0 rump.sysctl -q -w net.inet.ip.dad_count=0 + atf_check -s exit:0 rump.ifconfig shmif0 $ip_local/24 + + export RUMP_SERVER=$SOCK_PEER + atf_check -s exit:0 rump.sysctl -q -w net.inet.ip.dad_count=0 + atf_check -s exit:0 rump.ifconfig shmif0 $ip_peer/24 + + setup_sasp $proto "$algo_args" $ip_local $ip_peer 100 getspi + + extract_new_packets $BUS > $outfile + + export RUMP_SERVER=$SOCK_LOCAL + atf_check -s exit:0 -o ignore rump.ping -c 1 -n -w 3 $ip_peer + + extract_new_packets $BUS > $outfile + atf_check -s exit:0 -o match:"$ip_local > $ip_peer: $proto_cap" \ + cat $outfile + atf_check -s exit:0 -o match:"$ip_peer > $ip_local: $proto_cap" \ + cat $outfile +} + +add_test_getspi_update() +{ + local proto=$1 + local algo=$2 + local _algo=$(echo $algo | sed 's/-//g') + local name= desc= + + desc="Tests trying to getspi and udpate SA of $proto ($algo)" + name="ipsec_getspi_update_sa_${proto}_${_algo}" + + atf_test_case ${name} cleanup + eval " + ${name}_head() { + atf_set descr \"$desc\" + atf_set require.progs rump_server setkey + } + ${name}_body() { + test_getspi_update $proto $algo + rump_server_destroy_ifaces + } + ${name}_cleanup() { + \$DEBUG && dump + cleanup + } + " + atf_add_test_case ${name} +} + add_sa() { local proto=$1 
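Review bot: The description string in add_test_getspi_update is misspelled and ends up in the test case's `descr` metadata; it should read `desc="Tests trying to getspi and update SA of $proto ($algo)"`. In test_getspi_update, `local algo_args="$(generate_algo_args $proto $algo)"` hides a failure of generate_algo_args behind the exit status of `local`; declaring first and assigning on a separate line (`local algo_args=` then `algo_args="$(generate_algo_args $proto $algo)"`) lets a failure be noticed. The `eval` block expands `$proto` and `$algo` into function bodies, which is safe only because the visible callers in atf_init_test_cases pass values from the fixed algorithm lists; a comment saying so would help.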
@@ -809,6 +881,7 @@ atf_init_test_cases() add_test_lifetime ipv6 esp $algo add_test_update esp $algo sa add_test_update esp $algo sp + add_test_getspi_update esp $algo add_test_spi esp $algo new delete add_test_spi esp $algo old delete add_test_spi esp $algo new timeout @@ -821,6 +894,7 @@ atf_init_test_cases() add_test_lifetime ipv6 ah $algo add_test_update ah $algo sa add_test_update ah $algo sp + add_test_getspi_update ah $algo add_test_spi ah $algo new delete add_test_spi ah $algo old delete add_test_spi ah $algo new timeout
CVS commit: src/tests/net/ipsec
Module Name:src Committed By: knakahara Date: Thu Nov 22 04:51:41 UTC 2018 Modified Files: src/tests/net/ipsec: natt_terminator.c t_ipsec_natt.sh Log Message: Add ATF for IPv6 NAT-T. We use IPv6 NAT-T to avoid IPsec slowing down caused by dropping ESP packets by some Customer Premises Equipments (CPE). I implement ATF to test such situation. I think it can also work with nat66, but I have not tested to the fine details. To generate a diff of this commit: cvs rdiff -u -r1.1 -r1.2 src/tests/net/ipsec/natt_terminator.c \ src/tests/net/ipsec/t_ipsec_natt.sh Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
CVS commit: src/tests/net/ipsec
Module Name:src Committed By: knakahara Date: Thu Nov 22 04:51:41 UTC 2018 Modified Files: src/tests/net/ipsec: natt_terminator.c t_ipsec_natt.sh Log Message: Add ATF for IPv6 NAT-T. We use IPv6 NAT-T to avoid IPsec slowing down caused by dropping ESP packets by some Customer Premises Equipments (CPE). I implement ATF to test such situation. I think it can also work with nat66, but I have not tested to the fine details. To generate a diff of this commit: cvs rdiff -u -r1.1 -r1.2 src/tests/net/ipsec/natt_terminator.c \ src/tests/net/ipsec/t_ipsec_natt.sh Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/tests/net/ipsec/natt_terminator.c diff -u src/tests/net/ipsec/natt_terminator.c:1.1 src/tests/net/ipsec/natt_terminator.c:1.2 --- src/tests/net/ipsec/natt_terminator.c:1.1 Mon Oct 30 15:59:23 2017 +++ src/tests/net/ipsec/natt_terminator.c Thu Nov 22 04:51:41 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: natt_terminator.c,v 1.1 2017/10/30 15:59:23 ozaki-r Exp $ */ +/* $NetBSD: natt_terminator.c,v 1.2 2018/11/22 04:51:41 knakahara Exp $ */ /*- * Copyright (c) 2017 Internet Initiative Japan Inc. @@ -41,6 +41,14 @@ #include #include +static void +usage(void) +{ + const char *prog = "natt_terminator"; + + fprintf(stderr, "Usage: %s [-46] \n", prog); +} + int main(int argc, char **argv) { 
@@ -49,17 +57,34 @@ main(int argc, char **argv) int s, e; const char *addr, *port; int option; + int c, family = AF_INET; + + while ((c = getopt(argc, argv, "46")) != -1) { + switch (c) { + case '4': + family = AF_INET; + break; + case '6': + family = AF_INET6; + break; + default: + usage(); + return 1; + } + } + argc -= optind; + argv += optind; - if (argc != 3) { - fprintf(stderr, "Usage: %s \n", argv[0]); + if (argc != 2) { + usage(); return 1; } - addr = argv[1]; - port = argv[2]; + addr = argv[0]; + port = argv[1]; memset(, 0, sizeof(hints)); - hints.ai_family = AF_INET; + hints.ai_family = family; hints.ai_socktype = SOCK_DGRAM; hints.ai_protocol = IPPROTO_UDP; hints.ai_flags = 0; Index: src/tests/net/ipsec/t_ipsec_natt.sh diff -u src/tests/net/ipsec/t_ipsec_natt.sh:1.1 src/tests/net/ipsec/t_ipsec_natt.sh:1.2 --- src/tests/net/ipsec/t_ipsec_natt.sh:1.1 Mon Oct 30 15:59:23 2017 +++ src/tests/net/ipsec/t_ipsec_natt.sh Thu Nov 22 04:51:41 2018 @@ -1,4 +1,4 @@ -# $NetBSD: t_ipsec_natt.sh,v 1.1 2017/10/30 15:59:23 ozaki-r Exp $ +# $NetBSD: t_ipsec_natt.sh,v 1.2 2018/11/22 04:51:41 knakahara Exp $ # # Copyright (c) 2017 Internet Initiative Japan Inc. # All rights reserved. @@ -31,11 +31,12 @@ SOCK_REMOTE=unix://ipsec_natt_remote BUS_LOCAL=./bus_ipsec_natt_local BUS_NAT=./bus_ipsec_natt_nat BUS_REMOTE=./bus_ipsec_natt_remote +BUS_GLOBAL=./bus_ipsec_natt_global DEBUG=${DEBUG:-false} HIJACKING_NPF="${HIJACKING},blanket=/dev/npf" -setup_servers() +setup_servers_ipv4() { rump_server_crypto_start $SOCK_LOCAL netipsec @@ -47,6 +48,22 @@ setup_servers() rump_server_add_iface $SOCK_REMOTE shmif0 $BUS_NAT } +setup_servers_ipv6() +{ + + rump_server_crypto_start $SOCK_LOCAL netipsec netinet6 ipsec + rump_server_crypto_start $SOCK_REMOTE netipsec netinet6 ipsec + rump_server_add_iface $SOCK_LOCAL shmif0 $BUS_GLOBAL + rump_server_add_iface $SOCK_REMOTE shmif0 $BUS_GLOBAL +} + +setup_servers() +{ + local proto=$1 + + setup_servers_$proto +} + setup_sp() { local proto=$1 
@@ -151,17 +168,24 @@ PIDSFILE=./terminator.pids start_natt_terminator() { local sock=$1 - local ip=$2 - local port=$3 - local pidsfile=$4 + local proto=$2 + local ip=$3 + local port=$4 + local pidsfile=$5 local backup=$RUMP_SERVER - local pid= + local pid= opt= local terminator="$(atf_get_srcdir)/natt_terminator" + if [ "$proto" = "ipv6" ]; then + opt="-6" + else + opt="-4" + fi + export RUMP_SERVER=$sock env LD_PRELOAD=/usr/lib/librumphijack.so \ - $terminator $ip $port & + $terminator $opt $ip $port & pid=$! if [ ! -f $PIDSFILE ]; then touch $PIDSFILE @@ -189,7 +213,7 @@ stop_natt_terminators() rm -f $PIDSFILE } -test_ipsec_natt_transport() +test_ipsec_natt_transport_ipv4() { local algo=$1 local ip_local=10.0.1.2 @@ -204,7 +228,7 @@ test_ipsec_natt_transport() local algo_args="$(generate_algo_args esp-udp $algo)" local pid= port= - setup_servers + setup_servers ipv4 export RUMP_SERVER=$SOCK_LOCAL atf_check -s exit:0 rump.sysctl -q -w net.inet.ip.dad_count=0 @@ -278,7 +302,7 @@ test_ipsec_natt_transport() cat $outfile # Launch a nc server as a terminator of NAT-T on outside the NAPT - start_natt_terminator $SOCK_REMOTE $ip_remote 4500 + start_natt_terminator $SOCK_REMOTE ipv4 $ip_remote 4500 echo zzz > $file_send export RUMP_SERVER=$SOCK_LOCAL @@ -288,7 +312,7 @@ test_ipsec_natt_transport() nc -u -w 3 -p 4500 $ip_remote 4500 < $file_send # Launch a nc server as a terminator of NAT-T on inside the
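Review bot: `start_natt_terminator` maps every `proto` value other than `ipv6` to `-4`, so a misspelled or missing argument silently runs the IPv4 terminator and the IPv6 path is not exercised. An explicit dispatch would catch that: `case "$proto" in ipv4) opt=-4 ;; ipv6) opt=-6 ;; *) atf_fail "unknown proto: $proto" ;; esac`. The callers visible in this diff pass four arguments, so `pidsfile=$5` is always empty there, and the body uses the global `$PIDSFILE` instead. The function continues past the end of the hunk.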
CVS commit: src/tests/net/ipsec
Module Name:src Committed By: ozaki-r Date: Thu Nov 9 04:51:07 UTC 2017 Modified Files: src/tests/net/ipsec: t_ipsec_misc.sh Log Message: Dedup some checks And the change a bit optimizes checks of SA expirations, which may shorten testing time. To generate a diff of this commit: cvs rdiff -u -r1.21 -r1.22 src/tests/net/ipsec/t_ipsec_misc.sh Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/tests/net/ipsec/t_ipsec_misc.sh diff -u src/tests/net/ipsec/t_ipsec_misc.sh:1.21 src/tests/net/ipsec/t_ipsec_misc.sh:1.22 --- src/tests/net/ipsec/t_ipsec_misc.sh:1.21 Thu Nov 9 04:50:37 2017 +++ src/tests/net/ipsec/t_ipsec_misc.sh Thu Nov 9 04:51:07 2017 @@ -1,4 +1,4 @@ -# $NetBSD: t_ipsec_misc.sh,v 1.21 2017/11/09 04:50:37 ozaki-r Exp $ +# $NetBSD: t_ipsec_misc.sh,v 1.22 2017/11/09 04:51:07 ozaki-r Exp $ # # Copyright (c) 2017 Internet Initiative Japan Inc. # All rights reserved. @@ -78,6 +78,42 @@ setup_sasp() #check_sa_entries $SOCK_PEER $ip_local $ip_peer } +test_sad_disapper_until() +{ + local time=$1 + local check_dead_sa=$2 + local setkey_opts= + local n=$time + local tmpfile=./__tmp + local sock= ok= + + if $check_dead_sa; then + setkey_opts="-D -a" + else + setkey_opts="-D" + fi + + while [ $n -ne 0 ]; do + ok=0 + sleep 1 + for sock in $SOCK_LOCAL $SOCK_PEER; do + export RUMP_SERVER=$sock + $HIJACKING setkey $setkey_opts > $tmpfile + $DEBUG && cat $tmpfile + if grep -q 'No SAD entries.' $tmpfile; then +ok=$((ok + 1)) + fi + done + if [ $ok -eq 2 ]; then + return + fi + + n=$((n - 1)) + done + + atf_fail "SAs didn't disappear after $time sec." +} + test_ipsec4_lifetime() { local proto=$1 
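Review bot: In `test_sad_disapper_until` the call `$HIJACKING setkey $setkey_opts > $tmpfile` drops the exit-status check that the removed `atf_check -s exit:0 ... setkey -D` lines had. A failing setkey is therefore reported only after the full timeout, as "SAs didn't disappear", and cannot be told apart from an SA that outlived its lifetime. Keeping the check inside the loop, `atf_check -s exit:0 -o save:$tmpfile $HIJACKING setkey $setkey_opts`, makes that failure immediate. The function name is also misspelled (`disapper`); `test_sad_disappear_until` would read better, with the four call sites in the later hunks renamed to match.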
@@ -119,16 +155,8 @@ test_ipsec4_lifetime() # Set up SAs with lifetime 1 sec. setup_sasp $proto "$algo_args" $ip_local $ip_peer 1 - # Wait for the SAs to be expired - atf_check -s exit:0 sleep $((1 + $buffertime)) - # Check the SAs have been expired - export RUMP_SERVER=$SOCK_LOCAL - $DEBUG && $HIJACKING setkey -D - atf_check -s exit:0 -o match:'No SAD entries.' $HIJACKING setkey -D - export RUMP_SERVER=$SOCK_PEER - $DEBUG && $HIJACKING setkey -D - atf_check -s exit:0 -o match:'No SAD entries.' $HIJACKING setkey -D + test_sad_disapper_until $((1 + $buffertime)) false # Clean up SPs export RUMP_SERVER=$SOCK_LOCAL @@ -149,15 +177,8 @@ test_ipsec4_lifetime() atf_check -s exit:0 -o match:"$ip_peer > $ip_local: $proto_cap" \ cat $outfile - atf_check -s exit:0 sleep $((lifetime + $buffertime)) - - export RUMP_SERVER=$SOCK_LOCAL - $DEBUG && $HIJACKING setkey -D - atf_check -s exit:0 -o match:'No SAD entries.' $HIJACKING setkey -D -a - - export RUMP_SERVER=$SOCK_PEER - $DEBUG && $HIJACKING setkey -D - atf_check -s exit:0 -o match:'No SAD entries.' $HIJACKING setkey -D -a + # Check the SAs have been expired + test_sad_disapper_until $((lifetime + $buffertime)) true export RUMP_SERVER=$SOCK_LOCAL atf_check -s not-exit:0 -o match:'0 packets received' \ @@ -206,16 +227,8 @@ test_ipsec6_lifetime() # Set up SAs with lifetime 1 sec. setup_sasp $proto "$algo_args" $ip_local $ip_peer 1 - # Wait for the SAs to be expired - atf_check -s exit:0 sleep $((1 + $buffertime)) - # Check the SAs have been expired - export RUMP_SERVER=$SOCK_LOCAL - $DEBUG && $HIJACKING setkey -D - atf_check -s exit:0 -o match:'No SAD entries.' $HIJACKING setkey -D - export RUMP_SERVER=$SOCK_PEER - $DEBUG && $HIJACKING setkey -D - atf_check -s exit:0 -o match:'No SAD entries.' $HIJACKING setkey -D + test_sad_disapper_until $((1 + $buffertime)) false # Clean up SPs export RUMP_SERVER=$SOCK_LOCAL 
@@ -236,15 +249,8 @@ test_ipsec6_lifetime() atf_check -s exit:0 -o match:"$ip_peer > $ip_local: $proto_cap" \ cat $outfile - atf_check -s exit:0 sleep $((lifetime + $buffertime)) - - export RUMP_SERVER=$SOCK_LOCAL - $DEBUG && $HIJACKING setkey -D - atf_check -s exit:0 -o match:'No SAD entries.' $HIJACKING setkey -D -a - - export RUMP_SERVER=$SOCK_PEER - $DEBUG && $HIJACKING setkey -D - atf_check -s exit:0 -o match:'No SAD entries.' $HIJACKING setkey -D -a + # Check the SAs have been expired + test_sad_disapper_until $((lifetime + $buffertime)) true export RUMP_SERVER=$SOCK_LOCAL atf_check -s not-exit:0 -o match:'0 packets received' \
CVS commit: src/tests/net/ipsec
Module Name:src Committed By: ozaki-r Date: Thu Nov 9 04:51:07 UTC 2017 Modified Files: src/tests/net/ipsec: t_ipsec_misc.sh Log Message: Dedup some checks And the change a bit optimizes checks of SA expirations, which may shorten testing time. To generate a diff of this commit: cvs rdiff -u -r1.21 -r1.22 src/tests/net/ipsec/t_ipsec_misc.sh Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
CVS commit: src/tests/net/ipsec
Module Name:src Committed By: ozaki-r Date: Thu Nov 9 04:50:37 UTC 2017 Modified Files: src/tests/net/ipsec: t_ipsec_misc.sh Log Message: "Mark key_timehandler_ch callout as MP-safe" change needs one more sec to make lifetime tests stable To generate a diff of this commit: cvs rdiff -u -r1.20 -r1.21 src/tests/net/ipsec/t_ipsec_misc.sh Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
CVS commit: src/tests/net/ipsec
Module Name:src Committed By: ozaki-r Date: Thu Nov 9 04:50:37 UTC 2017 Modified Files: src/tests/net/ipsec: t_ipsec_misc.sh Log Message: "Mark key_timehandler_ch callout as MP-safe" change needs one more sec to make lifetime tests stable To generate a diff of this commit: cvs rdiff -u -r1.20 -r1.21 src/tests/net/ipsec/t_ipsec_misc.sh Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/tests/net/ipsec/t_ipsec_misc.sh diff -u src/tests/net/ipsec/t_ipsec_misc.sh:1.20 src/tests/net/ipsec/t_ipsec_misc.sh:1.21 --- src/tests/net/ipsec/t_ipsec_misc.sh:1.20 Fri Oct 20 03:45:47 2017 +++ src/tests/net/ipsec/t_ipsec_misc.sh Thu Nov 9 04:50:37 2017 @@ -1,4 +1,4 @@ -# $NetBSD: t_ipsec_misc.sh,v 1.20 2017/10/20 03:45:47 ozaki-r Exp $ +# $NetBSD: t_ipsec_misc.sh,v 1.21 2017/11/09 04:50:37 ozaki-r Exp $ # # Copyright (c) 2017 Internet Initiative Japan Inc. # All rights reserved. @@ -88,6 +88,7 @@ test_ipsec4_lifetime() local proto_cap=$(echo $proto | tr 'a-z' 'A-Z') local algo_args="$(generate_algo_args $proto $algo)" local lifetime=3 + local buffertime=2 rump_server_crypto_start $SOCK_LOCAL netipsec rump_server_crypto_start $SOCK_PEER netipsec @@ -119,7 +120,7 @@ test_ipsec4_lifetime() setup_sasp $proto "$algo_args" $ip_local $ip_peer 1 # Wait for the SAs to be expired - atf_check -s exit:0 sleep 2 + atf_check -s exit:0 sleep $((1 + $buffertime)) # Check the SAs have been expired export RUMP_SERVER=$SOCK_LOCAL @@ -148,7 +149,7 @@ test_ipsec4_lifetime() atf_check -s exit:0 -o match:"$ip_peer > $ip_local: $proto_cap" \ cat $outfile - atf_check -s exit:0 sleep $((lifetime + 1)) + atf_check -s exit:0 sleep $((lifetime + $buffertime)) export RUMP_SERVER=$SOCK_LOCAL $DEBUG && $HIJACKING setkey -D 
@@ -176,6 +177,7 @@ test_ipsec6_lifetime() local proto_cap=$(echo $proto | tr 'a-z' 'A-Z') local algo_args="$(generate_algo_args $proto $algo)" local lifetime=3 + local buffertime=2 rump_server_crypto_start $SOCK_LOCAL netinet6 netipsec rump_server_crypto_start $SOCK_PEER netinet6 netipsec @@ -205,7 +207,7 @@ test_ipsec6_lifetime() setup_sasp $proto "$algo_args" $ip_local $ip_peer 1 # Wait for the SAs to be expired - atf_check -s exit:0 sleep 2 + atf_check -s exit:0 sleep $((1 + $buffertime)) # Check the SAs have been expired export RUMP_SERVER=$SOCK_LOCAL @@ -234,7 +236,7 @@ test_ipsec6_lifetime() atf_check -s exit:0 -o match:"$ip_peer > $ip_local: $proto_cap" \ cat $outfile - atf_check -s exit:0 sleep $((lifetime + 1)) + atf_check -s exit:0 sleep $((lifetime + $buffertime)) export RUMP_SERVER=$SOCK_LOCAL $DEBUG && $HIJACKING setkey -D
CVS commit: src/tests/net/ipsec
Module Name:src Committed By: ozaki-r Date: Fri Oct 27 04:31:50 UTC 2017 Modified Files: src/tests/net/ipsec: algorithms.sh Log Message: Handle esp-udp for NAT-T To generate a diff of this commit: cvs rdiff -u -r1.5 -r1.6 src/tests/net/ipsec/algorithms.sh Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/tests/net/ipsec/algorithms.sh diff -u src/tests/net/ipsec/algorithms.sh:1.5 src/tests/net/ipsec/algorithms.sh:1.6 --- src/tests/net/ipsec/algorithms.sh:1.5 Mon Jul 3 06:01:16 2017 +++ src/tests/net/ipsec/algorithms.sh Fri Oct 27 04:31:50 2017 @@ -1,4 +1,4 @@ -# $NetBSD: algorithms.sh,v 1.5 2017/07/03 06:01:16 ozaki-r Exp $ +# $NetBSD: algorithms.sh,v 1.6 2017/10/27 04:31:50 ozaki-r Exp $ # # Copyright (c) 2017 Internet Initiative Japan Inc. # All rights reserved. @@ -174,7 +174,7 @@ generate_algo_args() local keylen=$(get_one_valid_keylen $algo) local key=$(generate_key $keylen) - if [ $proto = esp ]; then + if [ $proto = esp -o $proto = "esp-udp" ]; then echo "-E $algo $key" elif [ $proto = ah ]; then echo "-A $algo $key"
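Review bot: The new condition `[ $proto = esp -o $proto = "esp-udp" ]` relies on the `-o` operator, which POSIX marks obsolescent and which can parse ambiguously. It also leaves `$proto` unquoted, so an empty argument becomes a test syntax error rather than a clean mismatch. Two quoted tests are safer: `if [ "$proto" = esp ] || [ "$proto" = esp-udp ]; then`. The rest of generate_algo_args, including whatever follows the `ah` branch, is outside the hunk.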
CVS commit: src/tests/net/ipsec
Module Name:src Committed By: ozaki-r Date: Fri Oct 27 04:31:50 UTC 2017 Modified Files: src/tests/net/ipsec: algorithms.sh Log Message: Handle esp-udp for NAT-T To generate a diff of this commit: cvs rdiff -u -r1.5 -r1.6 src/tests/net/ipsec/algorithms.sh Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
CVS commit: src/tests/net/ipsec
Module Name:src Committed By: ozaki-r Date: Fri Oct 20 03:45:47 UTC 2017 Modified Files: src/tests/net/ipsec: t_ipsec_misc.sh Log Message: Add test cases for one SP with multiple SAs These are for a bug reported recently which modifies SPs accidentally. To generate a diff of this commit: cvs rdiff -u -r1.19 -r1.20 src/tests/net/ipsec/t_ipsec_misc.sh Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/tests/net/ipsec/t_ipsec_misc.sh diff -u src/tests/net/ipsec/t_ipsec_misc.sh:1.19 src/tests/net/ipsec/t_ipsec_misc.sh:1.20 --- src/tests/net/ipsec/t_ipsec_misc.sh:1.19 Fri Oct 20 03:43:51 2017 +++ src/tests/net/ipsec/t_ipsec_misc.sh Fri Oct 20 03:45:47 2017 @@ -1,4 +1,4 @@ -# $NetBSD: t_ipsec_misc.sh,v 1.19 2017/10/20 03:43:51 ozaki-r Exp $ +# $NetBSD: t_ipsec_misc.sh,v 1.20 2017/10/20 03:45:47 ozaki-r Exp $ # # Copyright (c) 2017 Internet Initiative Japan Inc. # All rights reserved. 
@@ -702,6 +702,96 @@ add_test_nosa() atf_add_test_case ${name} } +test_multiple_sa() +{ + local proto=$1 + local algo=$2 + local update=$3 + local ip_local=10.0.0.1 + local ip_peer=10.0.0.2 + local ip_peer2=10.0.0.3 + local algo_args="$(generate_algo_args $proto $algo)" + local proto_cap=$(echo $proto | tr 'a-z' 'A-Z') + local outfile=./out + + rump_server_crypto_start $SOCK_LOCAL netipsec + rump_server_crypto_start $SOCK_PEER netipsec + rump_server_add_iface $SOCK_LOCAL shmif0 $BUS + rump_server_add_iface $SOCK_PEER shmif0 $BUS + + export RUMP_SERVER=$SOCK_LOCAL + atf_check -s exit:0 rump.sysctl -q -w net.inet.ip.dad_count=0 + atf_check -s exit:0 rump.ifconfig shmif0 $ip_local/24 + + export RUMP_SERVER=$SOCK_PEER + atf_check -s exit:0 rump.sysctl -q -w net.inet.ip.dad_count=0 + atf_check -s exit:0 rump.ifconfig shmif0 $ip_peer/24 + atf_check -s exit:0 rump.ifconfig shmif0 $ip_peer2/24 alias + + setup_sp $proto "$algo_args" "$ip_local" "0.0.0.0/0" + + extract_new_packets $BUS > $outfile + + export RUMP_SERVER=$SOCK_LOCAL + # There is no SA, so ping should fail + atf_check -s not-exit:0 -o ignore rump.ping -c 1 -n -w 3 $ip_peer + atf_check -s not-exit:0 -o ignore rump.ping -c 1 -n -w 3 $ip_peer2 + + add_sa $proto "$algo_args" $ip_local $ip_peer 100 1 + + export RUMP_SERVER=$SOCK_LOCAL + # There is only an SA for $ip_peer, so ping to $ip_peer2 should fail + atf_check -s exit:0 -o ignore rump.ping -c 1 -n -w 3 $ip_peer + atf_check -s not-exit:0 -o ignore rump.ping -c 1 -n -w 3 $ip_peer2 + + add_sa $proto "$algo_args" $ip_local $ip_peer2 100 10010 + + export RUMP_SERVER=$SOCK_LOCAL + atf_check -s exit:0 -o ignore rump.ping -c 1 -n -w 3 $ip_peer + atf_check -s exit:0 -o ignore rump.ping -c 1 -n -w 3 $ip_peer2 + + export RUMP_SERVER=$SOCK_LOCAL + atf_check -s exit:0 -o match:"$proto/transport//require" \ + $HIJACKING setkey -D -P + # Check if the policy isn't modified accidentally + atf_check -s exit:0 -o not-match:"$proto/transport/.+\-.+/require" \ + $HIJACKING setkey 
-D -P + export RUMP_SERVER=$SOCK_PEER + atf_check -s exit:0 -o match:"$proto/transport//require" \ + $HIJACKING setkey -D -P + # Check if the policy isn't modified accidentally + atf_check -s exit:0 -o not-match:"$proto/transport/.+\-.+/require" \ + $HIJACKING setkey -D -P +} + +add_test_multiple_sa() +{ + local proto=$1 + local algo=$2 + local _algo=$(echo $algo | sed 's/-//g') + local name= desc= + + desc="Tests multiple SAs with $proto ($algo)" + name="ipsec_multiple_sa_${proto}_${_algo}" + + atf_test_case ${name} cleanup + eval " + ${name}_head() { + atf_set descr \"$desc\" + atf_set require.progs rump_server setkey + } + ${name}_body() { + test_multiple_sa $proto $algo + rump_server_destroy_ifaces + } + ${name}_cleanup() { + \$DEBUG && dump + cleanup + } + " + atf_add_test_case ${name} +} + atf_init_test_cases() { local algo= @@ -716,6 +806,7 @@ atf_init_test_cases() add_test_spi esp $algo new timeout add_test_spi esp $algo old timeout add_test_nosa esp $algo + add_test_multiple_sa esp $algo done for algo in $AH_AUTHENTICATION_ALGORITHMS_MINIMUM; do add_test_lifetime ipv4 ah $algo @@ -727,5 +818,6 @@ atf_init_test_cases() add_test_spi ah $algo new timeout add_test_spi ah $algo old timeout add_test_nosa ah $algo + add_test_multiple_sa ah $algo done }
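Review bot: `test_multiple_sa` declares `update=$3`, `proto_cap` and `outfile` but never uses them: `add_test_multiple_sa` passes only two arguments, and the capture written by `extract_new_packets $BUS > $outfile` is taken before any ping and never read. As written the test shows reachability and an unchanged policy, not which SA protected each flow. If per-peer SA selection is meant to be covered, re-extract after the pings and assert on the SPI, e.g. `check_packet_spi $outfile $ip_local $ip_peer2 $proto_cap 10010` (assuming that helper takes the arguments it is given in test_spi). Otherwise drop the three locals.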
CVS commit: src/tests/net/ipsec
Module Name:src Committed By: ozaki-r Date: Fri Oct 20 03:45:47 UTC 2017 Modified Files: src/tests/net/ipsec: t_ipsec_misc.sh Log Message: Add test cases for one SP with multiple SAs These are for a bug reported recently which modifies SPs accidentally. To generate a diff of this commit: cvs rdiff -u -r1.19 -r1.20 src/tests/net/ipsec/t_ipsec_misc.sh Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
CVS commit: src/tests/net/ipsec
Module Name:src Committed By: ozaki-r Date: Fri Oct 20 03:43:51 UTC 2017 Modified Files: src/tests/net/ipsec: common.sh t_ipsec_misc.sh Log Message: Fix incomplete SP setups To generate a diff of this commit: cvs rdiff -u -r1.6 -r1.7 src/tests/net/ipsec/common.sh cvs rdiff -u -r1.18 -r1.19 src/tests/net/ipsec/t_ipsec_misc.sh Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/tests/net/ipsec/common.sh diff -u src/tests/net/ipsec/common.sh:1.6 src/tests/net/ipsec/common.sh:1.7 --- src/tests/net/ipsec/common.sh:1.6 Tue Aug 8 02:27:03 2017 +++ src/tests/net/ipsec/common.sh Fri Oct 20 03:43:51 2017 @@ -1,4 +1,4 @@ -# $NetBSD: common.sh,v 1.6 2017/08/08 02:27:03 ozaki-r Exp $ +# $NetBSD: common.sh,v 1.7 2017/10/20 03:43:51 ozaki-r Exp $ # # Copyright (c) 2017 Internet Initiative Japan Inc. # All rights reserved. @@ -67,6 +67,9 @@ check_sp_entries() atf_check -s exit:0 \ -o match:"$local_addr\[any\] $remote_addr\[any\] 255\(reserved\)" \ $HIJACKING setkey -D -P + atf_check -s exit:0 \ + -o match:"$remote_addr\[any\] $local_addr\[any\] 255\(reserved\)" \ + $HIJACKING setkey -D -P # TODO: more detail checks } Index: src/tests/net/ipsec/t_ipsec_misc.sh diff -u src/tests/net/ipsec/t_ipsec_misc.sh:1.18 src/tests/net/ipsec/t_ipsec_misc.sh:1.19 --- src/tests/net/ipsec/t_ipsec_misc.sh:1.18 Thu Aug 3 03:16:27 2017 +++ src/tests/net/ipsec/t_ipsec_misc.sh Fri Oct 20 03:43:51 2017 @@ -1,4 +1,4 @@ -# $NetBSD: t_ipsec_misc.sh,v 1.18 2017/08/03 03:16:27 ozaki-r Exp $ +# $NetBSD: t_ipsec_misc.sh,v 1.19 2017/10/20 03:43:51 ozaki-r Exp $ # # Copyright (c) 2017 Internet Initiative Japan Inc. # All rights reserved. 
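Review bot: The added match in `check_sp_entries` confirms that a policy exists for the reversed address pair but not that it is the inbound one. Neither pattern mentions `in`/`out` or the `require` level, so policies installed in the wrong direction would presumably still pass. The addresses are also interpolated into the regular expression unescaped, so each `.` matches any character. The existing `# TODO: more detail checks` is a good place to record both, e.g. `# TODO: assert direction and level per entry; escape dots in addresses`. The function starts outside the hunk.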
@@ -625,6 +625,7 @@ setup_sp() export RUMP_SERVER=$SOCK_LOCAL cat > $tmpfile <<-EOF spdadd $ip_local $ip_peer any -P out ipsec $proto/transport//require; + spdadd $ip_peer $ip_local any -P in ipsec $proto/transport//require; EOF $DEBUG && cat $tmpfile atf_check -s exit:0 -o empty $HIJACKING setkey -c < $tmpfile @@ -633,6 +634,7 @@ setup_sp() export RUMP_SERVER=$SOCK_PEER cat > $tmpfile <<-EOF spdadd $ip_peer $ip_local any -P out ipsec $proto/transport//require; + spdadd $ip_local $ip_peer any -P in ipsec $proto/transport//require; EOF $DEBUG && cat $tmpfile atf_check -s exit:0 -o empty $HIJACKING setkey -c < $tmpfile
CVS commit: src/tests/net/ipsec
Module Name:src Committed By: ozaki-r Date: Fri Oct 20 03:43:51 UTC 2017 Modified Files: src/tests/net/ipsec: common.sh t_ipsec_misc.sh Log Message: Fix incomplete SP setups To generate a diff of this commit: cvs rdiff -u -r1.6 -r1.7 src/tests/net/ipsec/common.sh cvs rdiff -u -r1.18 -r1.19 src/tests/net/ipsec/t_ipsec_misc.sh Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
CVS commit: src/tests/net/ipsec
Module Name:src Committed By: ozaki-r Date: Tue Aug 8 02:27:03 UTC 2017 Modified Files: src/tests/net/ipsec: common.sh Log Message: Fix setkey -D -P outputs The outputs were tweaked (by me), but I forgot updating libipsec in my local ATF environment... To generate a diff of this commit: cvs rdiff -u -r1.5 -r1.6 src/tests/net/ipsec/common.sh Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/tests/net/ipsec/common.sh diff -u src/tests/net/ipsec/common.sh:1.5 src/tests/net/ipsec/common.sh:1.6 --- src/tests/net/ipsec/common.sh:1.5 Wed Aug 2 06:30:00 2017 +++ src/tests/net/ipsec/common.sh Tue Aug 8 02:27:03 2017 @@ -1,4 +1,4 @@ -# $NetBSD: common.sh,v 1.5 2017/08/02 06:30:00 ozaki-r Exp $ +# $NetBSD: common.sh,v 1.6 2017/08/08 02:27:03 ozaki-r Exp $ # # Copyright (c) 2017 Internet Initiative Japan Inc. # All rights reserved. @@ -65,7 +65,7 @@ check_sp_entries() $DEBUG && $HIJACKING setkey -D -P atf_check -s exit:0 \ - -o match:"$local_addr\[any\] $remote_addr\[any\] reserved" \ + -o match:"$local_addr\[any\] $remote_addr\[any\] 255\(reserved\)" \ $HIJACKING setkey -D -P # TODO: more detail checks }
CVS commit: src/tests/net/ipsec
Module Name:src Committed By: ozaki-r Date: Tue Aug 8 02:27:03 UTC 2017 Modified Files: src/tests/net/ipsec: common.sh Log Message: Fix setkey -D -P outputs The outputs were tweaked (by me), but I forgot updating libipsec in my local ATF environment... To generate a diff of this commit: cvs rdiff -u -r1.5 -r1.6 src/tests/net/ipsec/common.sh Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
CVS commit: src/tests/net/ipsec
Module Name:src Committed By: ozaki-r Date: Wed Aug 2 06:30:00 UTC 2017 Modified Files: src/tests/net/ipsec: common.sh t_ipsec_misc.sh Log Message: Add test cases that there are SPs but no relevant SAs To generate a diff of this commit: cvs rdiff -u -r1.4 -r1.5 src/tests/net/ipsec/common.sh cvs rdiff -u -r1.16 -r1.17 src/tests/net/ipsec/t_ipsec_misc.sh Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/tests/net/ipsec/common.sh diff -u src/tests/net/ipsec/common.sh:1.4 src/tests/net/ipsec/common.sh:1.5 --- src/tests/net/ipsec/common.sh:1.4 Mon Jul 3 06:01:16 2017 +++ src/tests/net/ipsec/common.sh Wed Aug 2 06:30:00 2017 @@ -1,4 +1,4 @@ -# $NetBSD: common.sh,v 1.4 2017/07/03 06:01:16 ozaki-r Exp $ +# $NetBSD: common.sh,v 1.5 2017/08/02 06:30:00 ozaki-r Exp $ # # Copyright (c) 2017 Internet Initiative Japan Inc. # All rights reserved. @@ -54,6 +54,22 @@ check_sa_entries() # TODO: more detail checks } +check_sp_entries() +{ + local sock=$1 + local local_addr=$2 + local remote_addr=$3 + + export RUMP_SERVER=$sock + + $DEBUG && $HIJACKING setkey -D -P + + atf_check -s exit:0 \ + -o match:"$local_addr\[any\] $remote_addr\[any\] reserved" \ + $HIJACKING setkey -D -P + # TODO: more detail checks +} + generate_pktproto() { local proto=$1 Index: src/tests/net/ipsec/t_ipsec_misc.sh diff -u src/tests/net/ipsec/t_ipsec_misc.sh:1.16 src/tests/net/ipsec/t_ipsec_misc.sh:1.17 --- src/tests/net/ipsec/t_ipsec_misc.sh:1.16 Mon Jul 24 02:07:43 2017 +++ src/tests/net/ipsec/t_ipsec_misc.sh Wed Aug 2 06:30:00 2017 @@ -1,4 +1,4 @@ -# $NetBSD: t_ipsec_misc.sh,v 1.16 2017/07/24 02:07:43 ozaki-r Exp $ +# $NetBSD: t_ipsec_misc.sh,v 1.17 2017/08/02 06:30:00 ozaki-r Exp $ # # Copyright (c) 2017 Internet Initiative Japan Inc. # All rights reserved. 
@@ -614,6 +614,92 @@ add_test_spi() atf_add_test_case ${name} } +setup_sp() +{ + local proto=$1 + local algo_args="$2" + local ip_local=$3 + local ip_peer=$4 + local tmpfile=./tmp + + export RUMP_SERVER=$SOCK_LOCAL + cat > $tmpfile <<-EOF + spdadd $ip_local $ip_peer any -P out ipsec $proto/transport//require; + EOF + $DEBUG && cat $tmpfile + atf_check -s exit:0 -o empty $HIJACKING setkey -c < $tmpfile + check_sp_entries $SOCK_LOCAL $ip_local $ip_peer + + export RUMP_SERVER=$SOCK_PEER + cat > $tmpfile <<-EOF + spdadd $ip_peer $ip_local any -P out ipsec $proto/transport//require; + EOF + $DEBUG && cat $tmpfile + atf_check -s exit:0 -o empty $HIJACKING setkey -c < $tmpfile + check_sp_entries $SOCK_PEER $ip_peer $ip_local +} + +test_nosa() +{ + local proto=$1 + local algo=$2 + local update=$3 + local ip_local=10.0.0.1 + local ip_peer=10.0.0.2 + local algo_args="$(generate_algo_args $proto $algo)" + local proto_cap=$(echo $proto | tr 'a-z' 'A-Z') + local outfile=./out + + rump_server_crypto_start $SOCK_LOCAL netipsec + rump_server_crypto_start $SOCK_PEER netipsec + rump_server_add_iface $SOCK_LOCAL shmif0 $BUS + rump_server_add_iface $SOCK_PEER shmif0 $BUS + + export RUMP_SERVER=$SOCK_LOCAL + atf_check -s exit:0 rump.sysctl -q -w net.inet.ip.dad_count=0 + atf_check -s exit:0 rump.ifconfig shmif0 $ip_local/24 + + export RUMP_SERVER=$SOCK_PEER + atf_check -s exit:0 rump.sysctl -q -w net.inet.ip.dad_count=0 + atf_check -s exit:0 rump.ifconfig shmif0 $ip_peer/24 + + setup_sp $proto "$algo_args" $ip_local $ip_peer + + extract_new_packets $BUS > $outfile + + export RUMP_SERVER=$SOCK_LOCAL + # It doesn't work because there is no SA + atf_check -s not-exit:0 -o ignore rump.ping -c 1 -n -w 3 $ip_peer +} + +add_test_nosa() +{ + local proto=$1 + local algo=$2 + local _algo=$(echo $algo | sed 's/-//g') + local name= desc= + + desc="Tests SPs with no relevant SAs with $proto ($algo)" + name="ipsec_nosa_${proto}_${_algo}" + + atf_test_case ${name} cleanup + eval "\ + ${name}_head() { 
\ + atf_set \"descr\" \"$desc\";\ + atf_set \"require.progs\" \"rump_server\" \"setkey\"; \ + };\ + ${name}_body() { \ + test_nosa $proto $algo; \ + rump_server_destroy_ifaces;\ + };\ + ${name}_cleanup() { \ + $DEBUG && dump; \ + cleanup; \ + }\ + " + atf_add_test_case ${name} +} + atf_init_test_cases() { local algo= @@ -627,6 +713,7 @@ atf_init_test_cases() add_test_spi esp $algo old delete add_test_spi esp $algo new timeout add_test_spi esp $algo old timeout + add_test_nosa esp $algo done for algo in $AH_AUTHENTICATION_ALGORITHMS_MINIMUM; do add_test_lifetime ipv4 ah $algo @@ -637,5 +724,6 @@ atf_init_test_cases() add_test_spi ah $algo old delete add_test_spi ah $algo new timeout add_test_spi ah $algo old timeout + add_test_nosa ah $algo done }
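Review bot: `test_nosa` only checks that `rump.ping` fails, which does not show that the request stayed off the wire. A `require` policy with no SA should fail closed, and a ping can also fail because only the reply was dropped. The capture from `extract_new_packets $BUS > $outfile` is taken before the ping and never examined. Taking it again after the ping and adding `atf_check -s exit:0 -o not-match:"$ip_local > $ip_peer: ICMP echo request" cat $outfile` would assert that no cleartext echo request was sent, assuming the capture prints tcpdump-style lines as the other tests in this directory match on. `update=$3` and `proto_cap` are also unused here.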
CVS commit: src/tests/net/ipsec
Module Name:src Committed By: ozaki-r Date: Wed Aug 2 06:30:00 UTC 2017 Modified Files: src/tests/net/ipsec: common.sh t_ipsec_misc.sh Log Message: Add test cases that there are SPs but no relevant SAs To generate a diff of this commit: cvs rdiff -u -r1.4 -r1.5 src/tests/net/ipsec/common.sh cvs rdiff -u -r1.16 -r1.17 src/tests/net/ipsec/t_ipsec_misc.sh Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
CVS commit: src/tests/net/ipsec
Module Name:src Committed By: ozaki-r Date: Thu Jul 20 01:10:57 UTC 2017 Modified Files: src/tests/net/ipsec: t_ipsec_misc.sh Log Message: Don't make SAs expired on tests that delete SAs explicitly To generate a diff of this commit: cvs rdiff -u -r1.13 -r1.14 src/tests/net/ipsec/t_ipsec_misc.sh Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/tests/net/ipsec/t_ipsec_misc.sh diff -u src/tests/net/ipsec/t_ipsec_misc.sh:1.13 src/tests/net/ipsec/t_ipsec_misc.sh:1.14 --- src/tests/net/ipsec/t_ipsec_misc.sh:1.13 Wed Jul 19 02:06:47 2017 +++ src/tests/net/ipsec/t_ipsec_misc.sh Thu Jul 20 01:10:57 2017 @@ -1,4 +1,4 @@ -# $NetBSD: t_ipsec_misc.sh,v 1.13 2017/07/19 02:06:47 ozaki-r Exp $ +# $NetBSD: t_ipsec_misc.sh,v 1.14 2017/07/20 01:10:57 ozaki-r Exp $ # # Copyright (c) 2017 Internet Initiative Japan Inc. # All rights reserved. @@ -503,6 +503,15 @@ test_spi() local proto_cap=$(echo $proto | tr 'a-z' 'A-Z') local outfile=./out local spistr= + local longtime= shorttime= + + if [ $method = delete ]; then + shorttime=100 + longtime=100 + else + shorttime=3 + longtime=6 + fi rump_server_crypto_start $SOCK_LOCAL netipsec rump_server_crypto_start $SOCK_PEER netipsec @@ -533,7 +542,7 @@ test_spi() check_packet_spi $outfile $ip_local $ip_peer $proto_cap 1 # Add a new SA with a different SPI - add_sa $proto "$algo_args" $ip_local $ip_peer 6 10010 + add_sa $proto "$algo_args" $ip_local $ip_peer $longtime 10010 export RUMP_SERVER=$SOCK_LOCAL atf_check -s exit:0 -o ignore rump.ping -c 1 -n -w 3 $ip_peer @@ -546,7 +555,7 @@ test_spi() fi # Add another SA with a different SPI - add_sa $proto "$algo_args" $ip_local $ip_peer 3 10020 + add_sa $proto "$algo_args" $ip_local $ip_peer $shorttime 10020 export RUMP_SERVER=$SOCK_LOCAL atf_check -s exit:0 -o ignore rump.ping -c 1 -n -w 3 $ip_peer
CVS commit: src/tests/net/ipsec
Module Name:src Committed By: ozaki-r Date: Thu Jul 20 01:10:57 UTC 2017 Modified Files: src/tests/net/ipsec: t_ipsec_misc.sh Log Message: Don't make SAs expired on tests that delete SAs explicitly To generate a diff of this commit: cvs rdiff -u -r1.13 -r1.14 src/tests/net/ipsec/t_ipsec_misc.sh Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
CVS commit: src/tests/net/ipsec
Module Name:src Committed By: ozaki-r Date: Wed Jul 19 02:06:47 UTC 2017 Modified Files: src/tests/net/ipsec: t_ipsec_misc.sh Log Message: Add tests that explicitly delete SAs instead of waiting for expirations To generate a diff of this commit: cvs rdiff -u -r1.12 -r1.13 src/tests/net/ipsec/t_ipsec_misc.sh Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/tests/net/ipsec/t_ipsec_misc.sh diff -u src/tests/net/ipsec/t_ipsec_misc.sh:1.12 src/tests/net/ipsec/t_ipsec_misc.sh:1.13 --- src/tests/net/ipsec/t_ipsec_misc.sh:1.12 Wed Jul 19 02:06:11 2017 +++ src/tests/net/ipsec/t_ipsec_misc.sh Wed Jul 19 02:06:47 2017 @@ -1,4 +1,4 @@ -# $NetBSD: t_ipsec_misc.sh,v 1.12 2017/07/19 02:06:11 ozaki-r Exp $ +# $NetBSD: t_ipsec_misc.sh,v 1.13 2017/07/19 02:06:47 ozaki-r Exp $ # # Copyright (c) 2017 Internet Initiative Japan Inc. # All rights reserved. @@ -418,6 +418,34 @@ add_sa() #check_sa_entries $SOCK_PEER $ip_local $ip_peer } +delete_sa() +{ + local proto=$1 + local ip_local=$2 + local ip_peer=$3 + local spi=$4 + local tmpfile=./tmp + local extra= + + export RUMP_SERVER=$SOCK_LOCAL + cat > $tmpfile <<-EOF + delete $ip_local $ip_peer $proto $((spi)); + delete $ip_peer $ip_local $proto $((spi + 1)); + EOF + $DEBUG && cat $tmpfile + atf_check -s exit:0 -o empty $HIJACKING setkey -c < $tmpfile + $DEBUG && $HIJACKING setkey -D + + export RUMP_SERVER=$SOCK_PEER + cat > $tmpfile <<-EOF + delete $ip_local $ip_peer $proto $((spi)); + delete $ip_peer $ip_local $proto $((spi + 1)); + EOF + $DEBUG && cat $tmpfile + atf_check -s exit:0 -o empty $HIJACKING setkey -c < $tmpfile + $DEBUG && $HIJACKING setkey -D +} + check_packet_spi() { local outfile=$1 @@ -468,6 +496,7 @@ test_spi() local proto=$1 local algo=$2 local preferred=$3 + local method=$4 local ip_local=10.0.0.1 local ip_peer=10.0.0.2 local algo_args="$(generate_algo_args $proto $algo)" 
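Review bot: `delete_sa` treats an empty `setkey -c` output as success but never confirms that the SA left the SAD, so the pings that follow in test_spi could still be protected by the SA that was supposed to be deleted. A check after each delete, such as `atf_check -s exit:0 -o not-match:"spi=$spi" $HIJACKING setkey -D`, would pin that down; the `spi=` pattern is the one wait_sa_disappeared already greps for. The local `extra` is declared and never used.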
@@ -529,7 +558,11 @@ test_spi() check_packet_spi $outfile $ip_local $ip_peer $proto_cap 10020 fi - wait_sa_disappeared 10020 + if [ $method = delete ]; then + delete_sa $proto $ip_local $ip_peer 10020 + else + wait_sa_disappeared 10020 + fi export RUMP_SERVER=$SOCK_LOCAL atf_check -s exit:0 -o ignore rump.ping -c 1 -n -w 3 $ip_peer @@ -541,7 +574,11 @@ test_spi() check_packet_spi $outfile $ip_local $ip_peer $proto_cap 10010 fi - wait_sa_disappeared 10010 + if [ $method = delete ]; then + delete_sa $proto $ip_local $ip_peer 10010 + else + wait_sa_disappeared 10010 + fi export RUMP_SERVER=$SOCK_LOCAL atf_check -s exit:0 -o ignore rump.ping -c 1 -n -w 3 $ip_peer @@ -559,11 +596,12 @@ add_test_spi() local proto=$1 local algo=$2 local preferred=$3 + local method=$4 local _algo=$(echo $algo | sed 's/-//g') local name= desc= - desc="Tests SAs with different SPIs of $proto ($algo) ($preferred SA preferred)" - name="ipsec_spi_${proto}_${_algo}_preferred_${preferred}" + desc="Tests SAs with different SPIs of $proto ($algo) ($preferred SA preferred) ($method)" + name="ipsec_spi_${proto}_${_algo}_preferred_${preferred}_${method}" atf_test_case ${name} cleanup eval "\ @@ -572,7 +610,7 @@ add_test_spi() atf_set \"require.progs\" \"rump_server\" \"setkey\"; \ };\ ${name}_body() { \ - test_spi $proto $algo $preferred; \ + test_spi $proto $algo $preferred $method; \ rump_server_destroy_ifaces;\ };\ ${name}_cleanup() { \ 
@@ -592,15 +630,19 @@ atf_init_test_cases() add_test_lifetime ipv6 esp $algo add_test_update esp $algo sa add_test_update esp $algo sp - add_test_spi esp $algo new - add_test_spi esp $algo old + add_test_spi esp $algo new delete + add_test_spi esp $algo old delete + add_test_spi esp $algo new timeout + add_test_spi esp $algo old timeout done for algo in $AH_AUTHENTICATION_ALGORITHMS_MINIMUM; do add_test_lifetime ipv4 ah $algo add_test_lifetime ipv6 ah $algo add_test_update ah $algo sa add_test_update ah $algo sp - add_test_spi ah $algo new - add_test_spi ah $algo old + add_test_spi ah $algo new delete + add_test_spi ah $algo old delete + add_test_spi ah $algo new timeout + add_test_spi ah $algo old timeout done }
CVS commit: src/tests/net/ipsec
Module Name:src Committed By: ozaki-r Date: Wed Jul 19 02:06:47 UTC 2017 Modified Files: src/tests/net/ipsec: t_ipsec_misc.sh Log Message: Add tests that explicitly delete SAs instead of waiting for expirations To generate a diff of this commit: cvs rdiff -u -r1.12 -r1.13 src/tests/net/ipsec/t_ipsec_misc.sh Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
CVS commit: src/tests/net/ipsec
Module Name:src Committed By: ozaki-r Date: Wed Jul 19 02:06:11 UTC 2017 Modified Files: src/tests/net/ipsec: t_ipsec_misc.sh Log Message: Make tests more stable sleep command seems to wait longer than expected on anita so use polling to wait for a state change. To generate a diff of this commit: cvs rdiff -u -r1.11 -r1.12 src/tests/net/ipsec/t_ipsec_misc.sh Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/tests/net/ipsec/t_ipsec_misc.sh diff -u src/tests/net/ipsec/t_ipsec_misc.sh:1.11 src/tests/net/ipsec/t_ipsec_misc.sh:1.12 --- src/tests/net/ipsec/t_ipsec_misc.sh:1.11 Tue Jul 18 02:16:07 2017 +++ src/tests/net/ipsec/t_ipsec_misc.sh Wed Jul 19 02:06:11 2017 @@ -1,4 +1,4 @@ -# $NetBSD: t_ipsec_misc.sh,v 1.11 2017/07/18 02:16:07 ozaki-r Exp $ +# $NetBSD: t_ipsec_misc.sh,v 1.12 2017/07/19 02:06:11 ozaki-r Exp $ # # Copyright (c) 2017 Internet Initiative Japan Inc. # All rights reserved. @@ -438,6 +438,31 @@ check_packet_spi() cat $outfile } +wait_sa_disappeared() +{ + local spi=$1 + local i= + + export RUMP_SERVER=$SOCK_LOCAL + for i in $(seq 1 10); do + $HIJACKING setkey -D |grep -q "spi=$spi" + [ $? != 0 ] && break + sleep 1 + done + if [ $i -eq 10 ]; then + atf_fail "SA (spi=$spi) didn't disappear in 10s" + fi + export RUMP_SERVER=$SOCK_PEER + for i in $(seq 1 10); do + $HIJACKING setkey -D |grep -q "spi=$spi" + [ $? != 0 ] && break + sleep 1 + done + if [ $i -eq 10 ]; then + atf_fail "SA (spi=$spi) didn't disappear in 10s" + fi +} + test_spi() { local proto=$1 @@ -504,7 +529,7 @@ test_spi() check_packet_spi $outfile $ip_local $ip_peer $proto_cap 10020 fi - sleep $((3 + 1)) + wait_sa_disappeared 10020 export RUMP_SERVER=$SOCK_LOCAL atf_check -s exit:0 -o ignore rump.ping -c 1 -n -w 3 $ip_peer 
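Review bot: In `wait_sa_disappeared` the timeout test `[ $i -eq 10 ]` cannot tell a timeout from success on the last poll: if the SA vanishes on the tenth iteration the loop breaks with `i` still 10 and `atf_fail` fires. The loop also breaks whenever the `setkey -D | grep -q` pipeline returns non-zero, so a setkey that fails and prints nothing is read as "SA gone". Tracking the outcome in a flag fixes the first problem and lets both sockets share one loop. Checking setkey's own exit status separately would close the second.

```shell
wait_sa_disappeared()
{
	local spi=$1
	local sock= i= gone=

	for sock in $SOCK_LOCAL $SOCK_PEER; do
		export RUMP_SERVER=$sock
		gone=false
		for i in $(seq 1 10); do
			if ! $HIJACKING setkey -D | grep -q "spi=$spi"; then
				gone=true
				break
			fi
			sleep 1
		done
		if ! $gone; then
			atf_fail "SA (spi=$spi) didn't disappear in 10s"
		fi
	done
}
```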
@@ -516,7 +541,7 @@ test_spi() check_packet_spi $outfile $ip_local $ip_peer $proto_cap 10010 fi - sleep $((6 + 1 - (3 + 1))) + wait_sa_disappeared 10010 export RUMP_SERVER=$SOCK_LOCAL atf_check -s exit:0 -o ignore rump.ping -c 1 -n -w 3 $ip_peer
CVS commit: src/tests/net/ipsec
Module Name:src Committed By: ozaki-r Date: Wed Jul 19 02:06:11 UTC 2017 Modified Files: src/tests/net/ipsec: t_ipsec_misc.sh Log Message: Make tests more stable sleep command seems to wait longer than expected on anita so use polling to wait for a state change. To generate a diff of this commit: cvs rdiff -u -r1.11 -r1.12 src/tests/net/ipsec/t_ipsec_misc.sh Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
CVS commit: src/tests/net/ipsec
Module Name:src Committed By: ozaki-r Date: Sat Jul 15 07:26:02 UTC 2017 Modified Files: src/tests/net/ipsec: t_ipsec_misc.sh Log Message: Fix wrong argument handling To generate a diff of this commit: cvs rdiff -u -r1.9 -r1.10 src/tests/net/ipsec/t_ipsec_misc.sh Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/tests/net/ipsec/t_ipsec_misc.sh diff -u src/tests/net/ipsec/t_ipsec_misc.sh:1.9 src/tests/net/ipsec/t_ipsec_misc.sh:1.10 --- src/tests/net/ipsec/t_ipsec_misc.sh:1.9 Fri Jul 14 11:54:52 2017 +++ src/tests/net/ipsec/t_ipsec_misc.sh Sat Jul 15 07:26:02 2017 @@ -1,4 +1,4 @@ -# $NetBSD: t_ipsec_misc.sh,v 1.9 2017/07/14 11:54:52 ozaki-r Exp $ +# $NetBSD: t_ipsec_misc.sh,v 1.10 2017/07/15 07:26:02 ozaki-r Exp $ # # Copyright (c) 2017 Internet Initiative Japan Inc. # All rights reserved. @@ -655,8 +655,7 @@ test_spi() { local proto=$1 local algo=$2 - local update=$3 - local preferred=$4 + local preferred=$3 local ip_local=10.0.0.1 local ip_peer=10.0.0.2 local algo_args="$(generate_algo_args $proto $algo)"
CVS commit: src/tests/net/ipsec
Module Name:src Committed By: ozaki-r Date: Sat Jul 15 07:26:02 UTC 2017 Modified Files: src/tests/net/ipsec: t_ipsec_misc.sh Log Message: Fix wrong argument handling To generate a diff of this commit: cvs rdiff -u -r1.9 -r1.10 src/tests/net/ipsec/t_ipsec_misc.sh Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
CVS commit: src/tests/net/ipsec
Module Name:src Committed By: ozaki-r Date: Fri Jul 14 11:54:52 UTC 2017 Modified Files: src/tests/net/ipsec: t_ipsec_misc.sh Log Message: Add test cases for SAs with different SPIs To generate a diff of this commit: cvs rdiff -u -r1.8 -r1.9 src/tests/net/ipsec/t_ipsec_misc.sh Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/tests/net/ipsec/t_ipsec_misc.sh diff -u src/tests/net/ipsec/t_ipsec_misc.sh:1.8 src/tests/net/ipsec/t_ipsec_misc.sh:1.9 --- src/tests/net/ipsec/t_ipsec_misc.sh:1.8 Wed Jul 5 01:25:03 2017 +++ src/tests/net/ipsec/t_ipsec_misc.sh Fri Jul 14 11:54:52 2017 @@ -1,4 +1,4 @@ -# $NetBSD: t_ipsec_misc.sh,v 1.8 2017/07/05 01:25:03 ozaki-r Exp $ +# $NetBSD: t_ipsec_misc.sh,v 1.9 2017/07/14 11:54:52 ozaki-r Exp $ # # Copyright (c) 2017 Internet Initiative Japan Inc. # All rights reserved. 
@@ -595,6 +595,183 @@ add_test_update() atf_add_test_case ${name} } +add_sa() +{ + local proto=$1 + local algo_args="$2" + local ip_local=$3 + local ip_peer=$4 + local lifetime=$5 + local spi=$6 + local tmpfile=./tmp + local extra= + + export RUMP_SERVER=$SOCK_LOCAL + cat > $tmpfile <<-EOF + add $ip_local $ip_peer $proto $((spi)) -lh $lifetime -ls $lifetime $algo_args; + add $ip_peer $ip_local $proto $((spi + 1)) -lh $lifetime -ls $lifetime $algo_args; + $extra + EOF + $DEBUG && cat $tmpfile + atf_check -s exit:0 -o empty $HIJACKING setkey -c < $tmpfile + $DEBUG && $HIJACKING setkey -D + # XXX it can be expired if $lifetime is very short + #check_sa_entries $SOCK_LOCAL $ip_local $ip_peer + + export RUMP_SERVER=$SOCK_PEER + cat > $tmpfile <<-EOF + add $ip_local $ip_peer $proto $((spi)) -lh $lifetime -ls $lifetime $algo_args; + add $ip_peer $ip_local $proto $((spi + 1)) -lh $lifetime -ls $lifetime $algo_args; + $extra + EOF + $DEBUG && cat $tmpfile + atf_check -s exit:0 -o empty $HIJACKING setkey -c < $tmpfile + $DEBUG && $HIJACKING setkey -D + # XXX it can be expired if $lifetime is very short + #check_sa_entries $SOCK_PEER $ip_local $ip_peer +} + +check_packet_spi() +{ + local outfile=$1 + local ip_local=$2 + local ip_peer=$3 + local proto=$4 + local spi=$5 + local spistr= + + $DEBUG && cat $outfile + spistr=$(printf "%08x" $spi) + atf_check -s exit:0 \ + -o match:"$ip_local > $ip_peer: $proto_cap\(spi=0x$spistr," \ + cat $outfile + spistr=$(printf "%08x" $((spi + 1))) + atf_check -s exit:0 \ + -o match:"$ip_peer > $ip_local: $proto_cap\(spi=0x$spistr," \ + cat $outfile +} + +test_spi() +{ + local proto=$1 + local algo=$2 + local update=$3 + local preferred=$4 + local ip_local=10.0.0.1 + local ip_peer=10.0.0.2 + local algo_args="$(generate_algo_args $proto $algo)" + local proto_cap=$(echo $proto | tr 'a-z' 'A-Z') + local outfile=./out + local spistr= + + rump_server_crypto_start $SOCK_LOCAL netipsec + rump_server_crypto_start $SOCK_PEER netipsec + 
rump_server_add_iface $SOCK_LOCAL shmif0 $BUS + rump_server_add_iface $SOCK_PEER shmif0 $BUS + + export RUMP_SERVER=$SOCK_LOCAL + atf_check -s exit:0 rump.sysctl -q -w net.inet.ip.dad_count=0 + atf_check -s exit:0 rump.ifconfig shmif0 $ip_local/24 + if [ $preferred = old ]; then + atf_check -s exit:0 rump.sysctl -q -w net.key.prefered_oldsa=1 + fi + + export RUMP_SERVER=$SOCK_PEER + atf_check -s exit:0 rump.sysctl -q -w net.inet.ip.dad_count=0 + atf_check -s exit:0 rump.ifconfig shmif0 $ip_peer/24 + if [ $preferred = old ]; then + atf_check -s exit:0 rump.sysctl -q -w net.key.prefered_oldsa=1 + fi + + setup_sasp $proto "$algo_args" $ip_local $ip_peer 100 + + extract_new_packets $BUS > $outfile + + export RUMP_SERVER=$SOCK_LOCAL + atf_check -s exit:0 -o ignore rump.ping -c 1 -n -w 3 $ip_peer + extract_new_packets $BUS > $outfile + check_packet_spi $outfile $ip_local $ip_peer $proto_cap 1 + + # Add a new SA with a different SPI + add_sa $proto "$algo_args" $ip_local $ip_peer 6 10010 + + export RUMP_SERVER=$SOCK_LOCAL + atf_check -s exit:0 -o ignore rump.ping -c 1 -n -w 3 $ip_peer + extract_new_packets $BUS > $outfile + if [ $preferred = old ]; then + check_packet_spi $outfile $ip_local $ip_peer $proto_cap 1 + else + # The new SA is preferred + check_packet_spi $outfile $ip_local $ip_peer $proto_cap 10010 + fi + + # Add another SA with a different SPI + add_sa $proto "$algo_args" $ip_local $ip_peer 3 10020 + + export RUMP_SERVER=$SOCK_LOCAL + atf_check -s exit:0 -o ignore rump.ping -c 1 -n -w 3 $ip_peer + extract_new_packets $BUS > $outfile + if [ $preferred = old ]; then + check_packet_spi $outfile $ip_local $ip_peer $proto_cap 1 + else + # The newest SA is preferred + check_packet_spi $outfile $ip_local $ip_peer $proto_cap 10020 + fi + + sleep $((3 + 1)) + + export RUMP_SERVER=$SOCK_LOCAL + atf_check -s exit:0 -o ignore rump.ping -c 1 -n -w 3 $ip_peer + extract_new_packets $BUS > $outfile + if [ $preferred = old ]; then + check_packet_spi $outfile $ip_local $ip_peer 
$proto_cap 1 + else + # The newest
CVS commit: src/tests/net/ipsec
Module Name:src Committed By: ozaki-r Date: Fri Jul 14 11:54:52 UTC 2017 Modified Files: src/tests/net/ipsec: t_ipsec_misc.sh Log Message: Add test cases for SAs with different SPIs To generate a diff of this commit: cvs rdiff -u -r1.8 -r1.9 src/tests/net/ipsec/t_ipsec_misc.sh Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
CVS commit: src/tests/net/ipsec
Module Name:src Committed By: ozaki-r Date: Wed Jul 5 01:25:03 UTC 2017 Modified Files: src/tests/net/ipsec: t_ipsec_misc.sh Log Message: Add test cases for updating SA/SP The tests require newly-added update command of setkey. To generate a diff of this commit: cvs rdiff -u -r1.7 -r1.8 src/tests/net/ipsec/t_ipsec_misc.sh Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
CVS commit: src/tests/net/ipsec
Module Name:src Committed By: ozaki-r Date: Wed Jul 5 01:25:03 UTC 2017 Modified Files: src/tests/net/ipsec: t_ipsec_misc.sh Log Message: Add test cases for updating SA/SP The tests require newly-added udpate command of setkey. To generate a diff of this commit: cvs rdiff -u -r1.7 -r1.8 src/tests/net/ipsec/t_ipsec_misc.sh Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/tests/net/ipsec/t_ipsec_misc.sh diff -u src/tests/net/ipsec/t_ipsec_misc.sh:1.7 src/tests/net/ipsec/t_ipsec_misc.sh:1.8 --- src/tests/net/ipsec/t_ipsec_misc.sh:1.7 Mon Jun 19 10:05:04 2017 +++ src/tests/net/ipsec/t_ipsec_misc.sh Wed Jul 5 01:25:03 2017 @@ -1,4 +1,4 @@ -# $NetBSD: t_ipsec_misc.sh,v 1.7 2017/06/19 10:05:04 ozaki-r Exp $ +# $NetBSD: t_ipsec_misc.sh,v 1.8 2017/07/05 01:25:03 ozaki-r Exp $ # # Copyright (c) 2017 Internet Initiative Japan Inc. # All rights reserved. 
@@ -38,24 +38,39 @@ setup_sasp() local ip_local=$3 local ip_peer=$4 local lifetime=$5 + local update=$6 local tmpfile=./tmp + local extra= + + if [ "$update" = sa ]; then + extra="update $ip_local $ip_peer $proto 1 $algo_args; + update $ip_peer $ip_local $proto 10001 $algo_args;" + elif [ "$update" = sp ]; then + extra="spdupdate $ip_local $ip_peer any -P out ipsec $proto/transport//require;" + fi export RUMP_SERVER=$SOCK_LOCAL cat > $tmpfile <<-EOF add $ip_local $ip_peer $proto 1 -lh $lifetime -ls $lifetime $algo_args; add $ip_peer $ip_local $proto 10001 -lh $lifetime -ls $lifetime $algo_args; spdadd $ip_local $ip_peer any -P out ipsec $proto/transport//require; + $extra EOF $DEBUG && cat $tmpfile atf_check -s exit:0 -o empty $HIJACKING setkey -c < $tmpfile # XXX it can be expired if $lifetime is very short #check_sa_entries $SOCK_LOCAL $ip_local $ip_peer + if [ "$update" = sp ]; then + extra="spdupdate $ip_peer $ip_local any -P out ipsec $proto/transport//require;" + fi + export RUMP_SERVER=$SOCK_PEER cat > $tmpfile <<-EOF add $ip_local $ip_peer $proto 1 -lh $lifetime -ls $lifetime $algo_args; add $ip_peer $ip_local $proto 10001 -lh $lifetime -ls $lifetime $algo_args; spdadd $ip_peer $ip_local any -P out ipsec $proto/transport//require; + $extra EOF $DEBUG && cat $tmpfile atf_check -s exit:0 -o empty $HIJACKING setkey -c < $tmpfile 
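Review bot: The `sa` branch of the new `$extra` re-issues `update` with the same `$algo_args` that the preceding `add` lines used, so nothing observable changes between add and update. As far as the visible lines show, a test built on this passes whether the update was applied or silently ignored. If the intent is only to check that the command is accepted and traffic keeps flowing, say so beside the assignment, e.g. `# update with identical parameters: only verifies that the command is accepted`. The `update` lines also omit the `-lh $lifetime -ls $lifetime` that the `add` lines carry; whether the updated SA keeps its lifetime is not visible here and deserves a comment. setup_sasp's body starts and ends outside the hunk.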
@@ -512,6 +527,74 @@ add_test_tcp() atf_add_test_case ${name} } +test_update() +{ + local proto=$1 + local algo=$2 + local update=$3 + local ip_local=10.0.0.1 + local ip_peer=10.0.0.2 + local algo_args="$(generate_algo_args $proto $algo)" + local proto_cap=$(echo $proto | tr 'a-z' 'A-Z') + local outfile=./out + + rump_server_crypto_start $SOCK_LOCAL netipsec + rump_server_crypto_start $SOCK_PEER netipsec + rump_server_add_iface $SOCK_LOCAL shmif0 $BUS + rump_server_add_iface $SOCK_PEER shmif0 $BUS + + export RUMP_SERVER=$SOCK_LOCAL + atf_check -s exit:0 rump.sysctl -q -w net.inet.ip.dad_count=0 + atf_check -s exit:0 rump.ifconfig shmif0 $ip_local/24 + + export RUMP_SERVER=$SOCK_PEER + atf_check -s exit:0 rump.sysctl -q -w net.inet.ip.dad_count=0 + atf_check -s exit:0 rump.ifconfig shmif0 $ip_peer/24 + + setup_sasp $proto "$algo_args" $ip_local $ip_peer 100 $update + + extract_new_packets $BUS > $outfile + + export RUMP_SERVER=$SOCK_LOCAL + atf_check -s exit:0 -o ignore rump.ping -c 1 -n -w 3 $ip_peer + + extract_new_packets $BUS > $outfile + atf_check -s exit:0 -o match:"$ip_local > $ip_peer: $proto_cap" \ + cat $outfile + atf_check -s exit:0 -o match:"$ip_peer > $ip_local: $proto_cap" \ + cat $outfile +} + +add_test_update() +{ + local proto=$1 + local algo=$2 + local update=$3 + local _update=$(echo $update |tr 'a-z' 'A-Z') + local _algo=$(echo $algo | sed 's/-//g') + local name= desc= + + desc="Tests trying to udpate $_update of $proto ($algo)" + name="ipsec_update_${update}_${proto}_${_algo}" + + atf_test_case ${name} cleanup + eval "\ + ${name}_head() { \ + atf_set \"descr\" \"$desc\";\ + atf_set \"require.progs\" \"rump_server\" \"setkey\"; \ + };\ + ${name}_body() { \ + test_update $proto $algo $update; \ + rump_server_destroy_ifaces;\ + };\ + ${name}_cleanup() { \ + $DEBUG && dump; \ + cleanup; \ + }\ + " + atf_add_test_case ${name} +} + atf_init_test_cases() { local algo= 
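Review bot: The description string in `add_test_update` is misspelled and will appear in test listings: `desc="Tests trying to udpate $_update of $proto ($algo)"` should read `desc="Tests trying to update $_update of $proto ($algo)"`. Only the description changes; the generated test name is built from `${update}` and is unaffected.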
@@ -522,6 +605,8 @@ atf_init_test_cases() add_test_tcp ipv4 esp $algo add_test_tcp ipv6 esp $algo add_test_tcp ipv4mappedipv6 esp $algo + add_test_update esp $algo sa + add_test_update esp $algo sp done for algo in $AH_AUTHENTICATION_ALGORITHMS_MINIMUM; do add_test_lifetime ipv4 ah $algo @@ -529,6 +614,8 @@ atf_init_test_cases() add_test_tcp ipv4 ah $algo add_test_tcp ipv6 ah $algo add_test_tcp ipv4mappedipv6 ah $algo + add_test_update ah $algo sa + add_test_update ah $algo sp done
CVS commit: src/tests/net/ipsec
Module Name:src Committed By: ozaki-r Date: Mon Jun 19 10:05:04 UTC 2017 Modified Files: src/tests/net/ipsec: t_ipsec_misc.sh Log Message: Add test cases of TCP/IPsec on an IPv4-mapped IPv6 address It reproduces the same panic reported in PR kern/52304 (but not sure that its cause is also same). To generate a diff of this commit: cvs rdiff -u -r1.6 -r1.7 src/tests/net/ipsec/t_ipsec_misc.sh Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
CVS commit: src/tests/net/ipsec
Module Name:src Committed By: ozaki-r Date: Mon Jun 19 10:05:04 UTC 2017 Modified Files: src/tests/net/ipsec: t_ipsec_misc.sh Log Message: Add test cases of TCP/IPsec on an IPv4-mapped IPv6 address It reproduces the same panic reported in PR kern/52304 (but not sure that its cause is also same). To generate a diff of this commit: cvs rdiff -u -r1.6 -r1.7 src/tests/net/ipsec/t_ipsec_misc.sh Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/tests/net/ipsec/t_ipsec_misc.sh diff -u src/tests/net/ipsec/t_ipsec_misc.sh:1.6 src/tests/net/ipsec/t_ipsec_misc.sh:1.7 --- src/tests/net/ipsec/t_ipsec_misc.sh:1.6 Thu Jun 1 03:56:47 2017 +++ src/tests/net/ipsec/t_ipsec_misc.sh Mon Jun 19 10:05:04 2017 @@ -1,4 +1,4 @@ -# $NetBSD: t_ipsec_misc.sh,v 1.6 2017/06/01 03:56:47 ozaki-r Exp $ +# $NetBSD: t_ipsec_misc.sh,v 1.7 2017/06/19 10:05:04 ozaki-r Exp $ # # Copyright (c) 2017 Internet Initiative Japan Inc. # All rights reserved. @@ -313,22 +313,23 @@ prepare_file() test_tcp() { - local proto=$1 + local local_proto=$1 local ip_local=$2 - local ip_peer=$3 + local peer_proto=$3 + local ip_peer=$4 local port=1234 local file_send=./file.send local file_recv=./file.recv local opts= - if [ $proto = ipv4 ]; then + if [ $local_proto = ipv4 ]; then opts="-N -w 3 -4" else opts="-N -w 3 -6" fi # Start nc server - start_nc_server $SOCK_PEER $port $file_recv $proto + start_nc_server $SOCK_PEER $port $file_recv $peer_proto export RUMP_SERVER=$SOCK_LOCAL # Send a file to the server @@ -371,7 +372,7 @@ test_tcp_ipv4() extract_new_packets $BUS > $outfile - test_tcp ipv4 $ip_local $ip_peer + test_tcp ipv4 $ip_local ipv4 $ip_peer extract_new_packets $BUS > $outfile $DEBUG && cat $outfile 
@@ -415,7 +416,54 @@ test_tcp_ipv6() extract_new_packets $BUS > $outfile - test_tcp ipv6 $ip_local $ip_peer + test_tcp ipv6 $ip_local ipv6 $ip_peer + + extract_new_packets $BUS > $outfile + $DEBUG && cat $outfile + + if [ $proto != none ]; then + atf_check -s exit:0 \ + -o match:"$ip_local > $ip_peer: $proto_cap" \ + cat $outfile + atf_check -s exit:0 \ + -o match:"$ip_peer > $ip_local: $proto_cap" \ + cat $outfile + fi +} + +test_tcp_ipv4mappedipv6() +{ + local proto=$1 + local algo=$2 + local ip_local=10.0.0.1 + local ip_peer=10.0.0.2 + local ip6_peer=:::10.0.0.2 + local algo_args="$(generate_algo_args $proto $algo)" + local proto_cap=$(echo $proto | tr 'a-z' 'A-Z') + local outfile=./out + + rump_server_crypto_start $SOCK_LOCAL netipsec + rump_server_crypto_start $SOCK_PEER netipsec netinet6 + rump_server_add_iface $SOCK_LOCAL shmif0 $BUS + rump_server_add_iface $SOCK_PEER shmif0 $BUS + + export RUMP_SERVER=$SOCK_LOCAL + atf_check -s exit:0 rump.ifconfig shmif0 $ip_local/24 + atf_check -s exit:0 rump.ifconfig -w 10 + + export RUMP_SERVER=$SOCK_PEER + atf_check -s exit:0 -o ignore rump.sysctl -w net.inet6.ip6.v6only=0 + atf_check -s exit:0 rump.ifconfig shmif0 $ip_peer/24 + atf_check -s exit:0 rump.ifconfig shmif0 inet6 $ip6_peer/96 + atf_check -s exit:0 rump.ifconfig -w 10 + + if [ $proto != none ]; then + setup_sasp $proto "$algo_args" $ip_local $ip_peer 100 + fi + + extract_new_packets $BUS > $outfile + + test_tcp ipv4 $ip_local ipv6 $ip_peer extract_new_packets $BUS > $outfile $DEBUG && cat $outfile 
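Review bot: In `test_tcp_ipv4mappedipv6`, `local ip6_peer=:::10.0.0.2` as shown here has three consecutive colons, which is not a valid IPv6 textual address; the IPv4-mapped form is `::ffff:10.0.0.2`. The page rendering may have dropped characters from the literal, so check the committed file: if it really reads `:::10.0.0.2`, the `rump.ifconfig shmif0 inet6 $ip6_peer/96` check would be expected to fail before the TCP part runs. The variable is used only for that ifconfig call, while `test_tcp` is given `$ip_peer`. A comment saying why the peer needs an inet6 address at all (presumably so the IPv6 listener accepts the mapped connection) would help. The new function's closing lines are the old tail of test_tcp_ipv6 and continue outside the hunk.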
@@ -473,14 +521,17 @@ atf_init_test_cases() add_test_lifetime ipv6 esp $algo add_test_tcp ipv4 esp $algo add_test_tcp ipv6 esp $algo + add_test_tcp ipv4mappedipv6 esp $algo done for algo in $AH_AUTHENTICATION_ALGORITHMS_MINIMUM; do add_test_lifetime ipv4 ah $algo add_test_lifetime ipv6 ah $algo add_test_tcp ipv4 ah $algo add_test_tcp ipv6 ah $algo + add_test_tcp ipv4mappedipv6 ah $algo done add_test_tcp ipv4 none add_test_tcp ipv6 none + add_test_tcp ipv4mappedipv6 none }
CVS commit: src/tests/net/ipsec
Module Name:src Committed By: ozaki-r Date: Wed Jun 14 02:33:37 UTC 2017 Modified Files: src/tests/net/ipsec: t_ipsec_gif.sh t_ipsec_l2tp.sh Log Message: Enable DEBUG for babylon5 To generate a diff of this commit: cvs rdiff -u -r1.5 -r1.6 src/tests/net/ipsec/t_ipsec_gif.sh \ src/tests/net/ipsec/t_ipsec_l2tp.sh Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/tests/net/ipsec/t_ipsec_gif.sh diff -u src/tests/net/ipsec/t_ipsec_gif.sh:1.5 src/tests/net/ipsec/t_ipsec_gif.sh:1.6 --- src/tests/net/ipsec/t_ipsec_gif.sh:1.5 Fri May 12 02:34:45 2017 +++ src/tests/net/ipsec/t_ipsec_gif.sh Wed Jun 14 02:33:37 2017 @@ -1,4 +1,4 @@ -# $NetBSD: t_ipsec_gif.sh,v 1.5 2017/05/12 02:34:45 ozaki-r Exp $ +# $NetBSD: t_ipsec_gif.sh,v 1.6 2017/06/14 02:33:37 ozaki-r Exp $ # # Copyright (c) 2017 Internet Initiative Japan Inc. # All rights reserved. @@ -33,7 +33,7 @@ BUS_LOCAL=./bus_ipsec_local BUS_TUNNEL=./bus_ipsec_tunnel BUS_REMOTE=./bus_ipsec_remote -DEBUG=${DEBUG:-false} +DEBUG=${DEBUG:-true} make_gif_pktstr() { Index: src/tests/net/ipsec/t_ipsec_l2tp.sh diff -u src/tests/net/ipsec/t_ipsec_l2tp.sh:1.5 src/tests/net/ipsec/t_ipsec_l2tp.sh:1.6 --- src/tests/net/ipsec/t_ipsec_l2tp.sh:1.5 Fri May 12 02:34:45 2017 +++ src/tests/net/ipsec/t_ipsec_l2tp.sh Wed Jun 14 02:33:37 2017 @@ -1,4 +1,4 @@ -# $NetBSD: t_ipsec_l2tp.sh,v 1.5 2017/05/12 02:34:45 ozaki-r Exp $ +# $NetBSD: t_ipsec_l2tp.sh,v 1.6 2017/06/14 02:33:37 ozaki-r Exp $ # # Copyright (c) 2017 Internet Initiative Japan Inc. # All rights reserved. @@ -33,7 +33,7 @@ BUS_LOCAL=./bus_ipsec_local BUS_TUNNEL=./bus_ipsec_tunnel BUS_REMOTE=./bus_ipsec_remote -DEBUG=${DEBUG:-false} +DEBUG=${DEBUG:-true} make_l2tp_pktstr() {
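Review bot: Both hunks (t_ipsec_gif.sh and t_ipsec_l2tp.sh) flip the default to `DEBUG=${DEBUG:-true}` with nothing in the file marking it as temporary, although the log message ties it to babylon5. A default left on makes every run on every machine emit whatever these scripts gate behind `$DEBUG`, which is not visible in the hunks. Suggest a marker beside the assignment, e.g. `# XXX temporarily true to debug failures on babylon5; restore false afterwards`, or leaving the default alone and setting `DEBUG=true` only in that environment.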
CVS commit: src/tests/net/ipsec
Module Name:src Committed By: ozaki-r Date: Wed Jun 14 02:33:37 UTC 2017 Modified Files: src/tests/net/ipsec: t_ipsec_gif.sh t_ipsec_l2tp.sh Log Message: Enable DEBUG for babylon5 To generate a diff of this commit: cvs rdiff -u -r1.5 -r1.6 src/tests/net/ipsec/t_ipsec_gif.sh \ src/tests/net/ipsec/t_ipsec_l2tp.sh Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
CVS commit: src/tests/net/ipsec
Module Name:src Committed By: ozaki-r Date: Thu Jun 1 03:56:47 UTC 2017 Modified Files: src/tests/net/ipsec: t_ipsec_misc.sh Log Message: Test TCP communications over IPsec transport mode with ESP or AH This tests SP caches of PCB. To generate a diff of this commit: cvs rdiff -u -r1.5 -r1.6 src/tests/net/ipsec/t_ipsec_misc.sh Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/tests/net/ipsec/t_ipsec_misc.sh diff -u src/tests/net/ipsec/t_ipsec_misc.sh:1.5 src/tests/net/ipsec/t_ipsec_misc.sh:1.6 --- src/tests/net/ipsec/t_ipsec_misc.sh:1.5 Thu Jun 1 03:51:47 2017 +++ src/tests/net/ipsec/t_ipsec_misc.sh Thu Jun 1 03:56:47 2017 @@ -1,4 +1,4 @@ -# $NetBSD: t_ipsec_misc.sh,v 1.5 2017/06/01 03:51:47 ozaki-r Exp $ +# $NetBSD: t_ipsec_misc.sh,v 1.6 2017/06/01 03:56:47 ozaki-r Exp $ # # Copyright (c) 2017 Internet Initiative Japan Inc. # All rights reserved. @@ -344,8 +344,13 @@ test_tcp() test_tcp_ipv4() { + local proto=$1 + local algo=$2 local ip_local=10.0.0.1 local ip_peer=10.0.0.2 + local algo_args="$(generate_algo_args $proto $algo)" + local proto_cap=$(echo $proto | tr 'a-z' 'A-Z') + local outfile=./out rump_server_crypto_start $SOCK_LOCAL netipsec rump_server_crypto_start $SOCK_PEER netipsec 
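Review bot: `local algo_args="$(generate_algo_args $proto $algo)"` runs for every case, including the `none` cases this commit registers at the end (`add_test_tcp ipv4 none`), where `$algo` is empty. What `generate_algo_args` does with an empty algorithm name is not visible in this hunk, and `local var=$(...)` discards the exit status, so a failure there would go unnoticed. Declaring `local algo_args=` and assigning it inside the `if [ $proto != none ]` block added by the next hunk, as `algo_args="$(generate_algo_args $proto $algo)"`, keeps the `none` path from generating a key it never uses. The same applies to test_tcp_ipv6. The function body continues outside the hunk.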
@@ -360,13 +365,36 @@ test_tcp_ipv4() atf_check -s exit:0 rump.ifconfig shmif0 $ip_peer/24 atf_check -s exit:0 rump.ifconfig -w 10 + if [ $proto != none ]; then + setup_sasp $proto "$algo_args" $ip_local $ip_peer 100 + fi + + extract_new_packets $BUS > $outfile + test_tcp ipv4 $ip_local $ip_peer + + extract_new_packets $BUS > $outfile + $DEBUG && cat $outfile + + if [ $proto != none ]; then + atf_check -s exit:0 \ + -o match:"$ip_local > $ip_peer: $proto_cap" \ + cat $outfile + atf_check -s exit:0 \ + -o match:"$ip_peer > $ip_local: $proto_cap" \ + cat $outfile + fi } test_tcp_ipv6() { + local proto=$1 + local algo=$2 local ip_local=fd00::1 local ip_peer=fd00::2 + local algo_args="$(generate_algo_args $proto $algo)" + local proto_cap=$(echo $proto | tr 'a-z' 'A-Z') + local outfile=./out rump_server_crypto_start $SOCK_LOCAL netinet6 netipsec rump_server_crypto_start $SOCK_PEER netinet6 netipsec @@ -381,16 +409,42 @@ test_tcp_ipv6() atf_check -s exit:0 rump.ifconfig shmif0 inet6 $ip_peer atf_check -s exit:0 rump.ifconfig -w 10 + if [ $proto != none ]; then + setup_sasp $proto "$algo_args" $ip_local $ip_peer 100 + fi + + extract_new_packets $BUS > $outfile + test_tcp ipv6 $ip_local $ip_peer + + extract_new_packets $BUS > $outfile + $DEBUG && cat $outfile + + if [ $proto != none ]; then + atf_check -s exit:0 \ + -o match:"$ip_local > $ip_peer: $proto_cap" \ + cat $outfile + atf_check -s exit:0 \ + -o match:"$ip_peer > $ip_local: $proto_cap" \ + cat $outfile + fi } add_test_tcp() { local ipproto=$1 + local proto=$2 + local algo=$3 + local _algo=$(echo $algo | sed 's/-//g') local name= desc= - name="ipsec_tcp_${ipproto}" - desc="Tests of TCP with IPsec enabled ($ipproto)" + if [ $proto = none ]; then + desc="Tests of TCP with IPsec enabled ($ipproto)" + name="ipsec_tcp_${ipproto}_${proto}" + else + desc="Tests of TCP with IPsec ($ipproto) $proto $algo" + name="ipsec_tcp_${ipproto}_${proto}_${_algo}" + fi atf_test_case ${name} cleanup eval "\ 
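Review bot: The new packet checks in test_tcp_ipv4 and test_tcp_ipv6 are positive matches only: `-o match:"$ip_local > $ip_peer: $proto_cap"` passes as soon as one protected packet appears in `$outfile`, so a run in which some TCP segments left unprotected would still pass. The log message says this exercises the SP caches of the PCB, so a negative assertion is the more valuable check. For the ESP case, something like `atf_check -s exit:0 -o not-match:"Flags \[" cat $outfile` would fail on any cleartext TCP line. The exact pattern depends on how extract_new_packets invokes tcpdump, which is not visible here, and AH needs a different pattern because the inner packet stays readable. Both function bodies start outside these hunks.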
@@ -399,7 +453,7 @@ add_test_tcp() atf_set \"require.progs\" \"rump_server\" \"setkey\"; \ };\ ${name}_body() { \ - test_tcp_${ipproto}; \ + test_tcp_${ipproto} $proto $algo; \ rump_server_destroy_ifaces;\ };\ ${name}_cleanup() { \ @@ -417,12 +471,16 @@ atf_init_test_cases() for algo in $ESP_ENCRYPTION_ALGORITHMS_MINIMUM; do add_test_lifetime ipv4 esp $algo add_test_lifetime ipv6 esp $algo + add_test_tcp ipv4 esp $algo + add_test_tcp ipv6 esp $algo done for algo in $AH_AUTHENTICATION_ALGORITHMS_MINIMUM; do add_test_lifetime ipv4 ah $algo add_test_lifetime ipv6 ah $algo + add_test_tcp ipv4 ah $algo + add_test_tcp ipv6 ah $algo done - add_test_tcp ipv4 - add_test_tcp ipv6 + add_test_tcp ipv4 none + add_test_tcp ipv6 none }
CVS commit: src/tests/net/ipsec
Module Name:src Committed By: ozaki-r Date: Thu Jun 1 03:56:47 UTC 2017 Modified Files: src/tests/net/ipsec: t_ipsec_misc.sh Log Message: Test TCP communications over IPsec transport mode with ESP or AH This tests SP caches of PCB. To generate a diff of this commit: cvs rdiff -u -r1.5 -r1.6 src/tests/net/ipsec/t_ipsec_misc.sh Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
CVS commit: src/tests/net/ipsec
Module Name:src Committed By: ozaki-r Date: Thu Jun 1 03:51:47 UTC 2017 Modified Files: src/tests/net/ipsec: t_ipsec_misc.sh Log Message: Remove an unused local variable To generate a diff of this commit: cvs rdiff -u -r1.4 -r1.5 src/tests/net/ipsec/t_ipsec_misc.sh Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
CVS commit: src/tests/net/ipsec
Module Name:src Committed By: ozaki-r Date: Thu Jun 1 03:51:47 UTC 2017 Modified Files: src/tests/net/ipsec: t_ipsec_misc.sh Log Message: Remove a unused local variable To generate a diff of this commit: cvs rdiff -u -r1.4 -r1.5 src/tests/net/ipsec/t_ipsec_misc.sh Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/tests/net/ipsec/t_ipsec_misc.sh diff -u src/tests/net/ipsec/t_ipsec_misc.sh:1.4 src/tests/net/ipsec/t_ipsec_misc.sh:1.5 --- src/tests/net/ipsec/t_ipsec_misc.sh:1.4 Wed May 24 09:34:48 2017 +++ src/tests/net/ipsec/t_ipsec_misc.sh Thu Jun 1 03:51:47 2017 @@ -1,4 +1,4 @@ -# $NetBSD: t_ipsec_misc.sh,v 1.4 2017/05/24 09:34:48 ozaki-r Exp $ +# $NetBSD: t_ipsec_misc.sh,v 1.5 2017/06/01 03:51:47 ozaki-r Exp $ # # Copyright (c) 2017 Internet Initiative Japan Inc. # All rights reserved. @@ -167,7 +167,6 @@ test_ipsec6_lifetime() local algo=$2 local ip_local=fd00::1 local ip_peer=fd00::2 - local tmpfile=./tmp local outfile=./out local proto_cap=$(echo $proto | tr 'a-z' 'A-Z') local algo_args="$(generate_algo_args $proto $algo)"
CVS commit: src/tests/net/ipsec
Module Name:src Committed By: ozaki-r Date: Wed May 24 09:34:48 UTC 2017 Modified Files: src/tests/net/ipsec: t_ipsec_misc.sh Log Message: Enable DEBUG to know what is happening on anita/sparc To generate a diff of this commit: cvs rdiff -u -r1.3 -r1.4 src/tests/net/ipsec/t_ipsec_misc.sh Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/tests/net/ipsec/t_ipsec_misc.sh diff -u src/tests/net/ipsec/t_ipsec_misc.sh:1.3 src/tests/net/ipsec/t_ipsec_misc.sh:1.4 --- src/tests/net/ipsec/t_ipsec_misc.sh:1.3 Thu May 18 14:43:42 2017 +++ src/tests/net/ipsec/t_ipsec_misc.sh Wed May 24 09:34:48 2017 @@ -1,4 +1,4 @@ -# $NetBSD: t_ipsec_misc.sh,v 1.3 2017/05/18 14:43:42 ozaki-r Exp $ +# $NetBSD: t_ipsec_misc.sh,v 1.4 2017/05/24 09:34:48 ozaki-r Exp $ # # Copyright (c) 2017 Internet Initiative Japan Inc. # All rights reserved. @@ -29,7 +29,7 @@ SOCK_LOCAL=unix://ipsec_local SOCK_PEER=unix://ipsec_peer BUS=./bus_ipsec -DEBUG=${DEBUG:-false} +DEBUG=${DEBUG:-true} setup_sasp() {
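Review bot: With the default now `DEBUG=${DEBUG:-true}`, the `$DEBUG && cat $tmpfile` lines in setup_sasp (visible in other hunks of this file on the page) run on every machine. `$tmpfile` holds the `setkey` input, including the key carried in `$algo_args`. These are throwaway keys for rump kernels, but dumping SA key material into test logs by default is a pattern that is easy to copy into places where it matters. If the extra output is needed only for anita/sparc, as the log message says, mark it beside the assignment, e.g. `# XXX temporarily true to debug anita/sparc; restore false afterwards`.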
CVS commit: src/tests/net/ipsec
Module Name:src Committed By: ozaki-r Date: Wed May 24 09:34:48 UTC 2017 Modified Files: src/tests/net/ipsec: t_ipsec_misc.sh Log Message: Enable DEBUG to know what is happening on anita/sparc To generate a diff of this commit: cvs rdiff -u -r1.3 -r1.4 src/tests/net/ipsec/t_ipsec_misc.sh Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
CVS commit: src/tests/net/ipsec
Module Name:src Committed By: ozaki-r Date: Thu May 18 14:43:42 UTC 2017 Modified Files: src/tests/net/ipsec: t_ipsec_misc.sh Log Message: Don't check the existence of SA entries eagerly They can be expired at that point if their lifetime is very short. This may fix unexpected failures of tests running on anita. To generate a diff of this commit: cvs rdiff -u -r1.2 -r1.3 src/tests/net/ipsec/t_ipsec_misc.sh Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
CVS commit: src/tests/net/ipsec
Module Name:src Committed By: ozaki-r Date: Thu May 18 14:43:42 UTC 2017 Modified Files: src/tests/net/ipsec: t_ipsec_misc.sh Log Message: Don't check the existence of SA entries eagerly They can be expired at that point if their lifetime is very short. This may fix unexpected failures of tests running on anita. To generate a diff of this commit: cvs rdiff -u -r1.2 -r1.3 src/tests/net/ipsec/t_ipsec_misc.sh Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/tests/net/ipsec/t_ipsec_misc.sh diff -u src/tests/net/ipsec/t_ipsec_misc.sh:1.2 src/tests/net/ipsec/t_ipsec_misc.sh:1.3 --- src/tests/net/ipsec/t_ipsec_misc.sh:1.2 Wed May 17 06:30:15 2017 +++ src/tests/net/ipsec/t_ipsec_misc.sh Thu May 18 14:43:42 2017 @@ -1,4 +1,4 @@ -# $NetBSD: t_ipsec_misc.sh,v 1.2 2017/05/17 06:30:15 ozaki-r Exp $ +# $NetBSD: t_ipsec_misc.sh,v 1.3 2017/05/18 14:43:42 ozaki-r Exp $ # # Copyright (c) 2017 Internet Initiative Japan Inc. # All rights reserved. @@ -48,7 +48,8 @@ setup_sasp() EOF $DEBUG && cat $tmpfile atf_check -s exit:0 -o empty $HIJACKING setkey -c < $tmpfile - check_sa_entries $SOCK_LOCAL $ip_local $ip_peer + # XXX it can be expired if $lifetime is very short + #check_sa_entries $SOCK_LOCAL $ip_local $ip_peer export RUMP_SERVER=$SOCK_PEER cat > $tmpfile <<-EOF @@ -58,7 +59,8 @@ setup_sasp() EOF $DEBUG && cat $tmpfile atf_check -s exit:0 -o empty $HIJACKING setkey -c < $tmpfile - check_sa_entries $SOCK_PEER $ip_local $ip_peer + # XXX it can be expired if $lifetime is very short + #check_sa_entries $SOCK_PEER $ip_local $ip_peer } test_ipsec4_lifetime()
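Review bot: Commenting out both `check_sa_entries` calls drops the check for every caller of setup_sasp, not only those with a very short `$lifetime`, and leaves dead code behind. Within the visible lines, the only remaining confirmation that the SAs were installed is that `setkey -c` exited 0 with empty output. Consider keeping the check when the lifetime leaves room for it, e.g. `if [ "$lifetime" -gt 5 ]; then check_sa_entries $SOCK_LOCAL $ip_local $ip_peer; fi` (the threshold is illustrative), and likewise for `$SOCK_PEER`. Alternatively, delete the lines and state in a comment which later check covers SA installation. setup_sasp's body starts outside the hunk.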
CVS commit: src/tests/net/ipsec
Module Name:src Committed By: ozaki-r Date: Mon May 15 09:56:47 UTC 2017 Modified Files: src/tests/net/ipsec: common.sh Log Message: Fix typo To generate a diff of this commit: cvs rdiff -u -r1.2 -r1.3 src/tests/net/ipsec/common.sh Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/tests/net/ipsec/common.sh diff -u src/tests/net/ipsec/common.sh:1.2 src/tests/net/ipsec/common.sh:1.3 --- src/tests/net/ipsec/common.sh:1.2 Wed May 10 04:46:13 2017 +++ src/tests/net/ipsec/common.sh Mon May 15 09:56:47 2017 @@ -1,4 +1,4 @@ -# $NetBSD: common.sh,v 1.2 2017/05/10 04:46:13 ozaki-r Exp $ +# $NetBSD: common.sh,v 1.3 2017/05/15 09:56:47 ozaki-r Exp $ # # Copyright (c) 2017 Internet Initiative Japan Inc. # All rights reserved. @@ -47,7 +47,7 @@ check_sa_entries() $DEBUG && $HIJACKING setkey -D - atf_check -s exit:0 -o match:"$local_addr $rmote_addr" \ + atf_check -s exit:0 -o match:"$local_addr $remote_addr" \ $HIJACKING setkey -D atf_check -s exit:0 -o match:"$remote_addr $local_addr" \ $HIJACKING setkey -D
CVS commit: src/tests/net/ipsec
Module Name:src Committed By: ozaki-r Date: Mon May 15 09:56:47 UTC 2017 Modified Files: src/tests/net/ipsec: common.sh Log Message: Fix typo To generate a diff of this commit: cvs rdiff -u -r1.2 -r1.3 src/tests/net/ipsec/common.sh Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
CVS commit: src/tests/net/ipsec
Module Name:src Committed By: ozaki-r Date: Fri May 12 02:34:46 UTC 2017 Modified Files: src/tests/net/ipsec: algorithms.sh t_ipsec_gif.sh t_ipsec_l2tp.sh t_ipsec_transport.sh t_ipsec_tunnel.sh t_ipsec_tunnel_odd.sh Log Message: Dedup some routines To generate a diff of this commit: cvs rdiff -u -r1.3 -r1.4 src/tests/net/ipsec/algorithms.sh \ src/tests/net/ipsec/t_ipsec_transport.sh cvs rdiff -u -r1.4 -r1.5 src/tests/net/ipsec/t_ipsec_gif.sh \ src/tests/net/ipsec/t_ipsec_l2tp.sh cvs rdiff -u -r1.7 -r1.8 src/tests/net/ipsec/t_ipsec_tunnel.sh cvs rdiff -u -r1.1 -r1.2 src/tests/net/ipsec/t_ipsec_tunnel_odd.sh Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/tests/net/ipsec/algorithms.sh diff -u src/tests/net/ipsec/algorithms.sh:1.3 src/tests/net/ipsec/algorithms.sh:1.4 --- src/tests/net/ipsec/algorithms.sh:1.3 Thu Apr 27 08:06:59 2017 +++ src/tests/net/ipsec/algorithms.sh Fri May 12 02:34:45 2017 @@ -1,4 +1,4 @@ -# $NetBSD: algorithms.sh,v 1.3 2017/04/27 08:06:59 ozaki-r Exp $ +# $NetBSD: algorithms.sh,v 1.4 2017/05/12 02:34:45 ozaki-r Exp $ # # Copyright (c) 2017 Internet Initiative Japan Inc. # All rights reserved. @@ -160,3 +160,17 @@ generate_key() echo $key } + +generate_algo_args() +{ + local proto=$1 + local algo=$2 + local keylen=$(get_one_valid_keylen $algo) + local key=$(generate_key $keylen) + + if [ $proto = esp ]; then + echo "-E $algo $key" + else + echo "-A $algo $key" + fi +} Index: src/tests/net/ipsec/t_ipsec_transport.sh diff -u src/tests/net/ipsec/t_ipsec_transport.sh:1.3 src/tests/net/ipsec/t_ipsec_transport.sh:1.4 --- src/tests/net/ipsec/t_ipsec_transport.sh:1.3 Wed May 10 04:46:13 2017 +++ src/tests/net/ipsec/t_ipsec_transport.sh Fri May 12 02:34:45 2017 
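Review bot: `generate_algo_args` treats every `$proto` other than `esp` as AH, so a misspelled or unexpected protocol name silently produces `-A` arguments instead of an error. Making the second branch explicit with `elif [ "$proto" = ah ]; then`, and adding an `else` arm with `echo "generate_algo_args: unknown proto: $proto" >&2; return 1`, would surface that. The callers changed later in this commit use `local algo_args="$(generate_algo_args $proto $algo)"`, which discards the return status, so they would need to assign separately from `local` to notice the error. The same masking applies to `local keylen=$(...)` and `local key=$(...)` inside this function.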
@@ -1,4 +1,4 @@ -# $NetBSD: t_ipsec_transport.sh,v 1.3 2017/05/10 04:46:13 ozaki-r Exp $ +# $NetBSD: t_ipsec_transport.sh,v 1.4 2017/05/12 02:34:45 ozaki-r Exp $ # # Copyright (c) 2017 Internet Initiative Japan Inc. # All rights reserved. @@ -37,19 +37,10 @@ test_ipsec4_transport() local algo=$2 local ip_local=10.0.0.1 local ip_peer=10.0.0.2 - local keylen=$(get_one_valid_keylen $algo) - local key=$(generate_key $keylen) local tmpfile=./tmp local outfile=./out - local opt= proto_cap= - - if [ $proto = esp ]; then - opt=-E - proto_cap=ESP - else - opt=-A - proto_cap=AH - fi + local proto_cap=$(echo $proto | tr 'a-z' 'A-Z') + local algo_args="$(generate_algo_args $proto $algo)" rump_server_crypto_start $SOCK_LOCAL netipsec rump_server_crypto_start $SOCK_PEER netipsec @@ -78,8 +69,8 @@ test_ipsec4_transport() export RUMP_SERVER=$SOCK_LOCAL # from https://www.netbsd.org/docs/network/ipsec/ cat > $tmpfile <<-EOF - add $ip_local $ip_peer $proto 1 $opt $algo $key; - add $ip_peer $ip_local $proto 10001 $opt $algo $key; + add $ip_local $ip_peer $proto 1 $algo_args; + add $ip_peer $ip_local $proto 10001 $algo_args; spdadd $ip_local $ip_peer any -P out ipsec $proto/transport//require; EOF $DEBUG && cat $tmpfile @@ -88,8 +79,8 @@ test_ipsec4_transport() export RUMP_SERVER=$SOCK_PEER cat > $tmpfile <<-EOF - add $ip_local $ip_peer $proto 1 $opt $algo $key; - add $ip_peer $ip_local $proto 10001 $opt $algo $key; + add $ip_local $ip_peer $proto 1 $algo_args; + add $ip_peer $ip_local $proto 10001 $algo_args; spdadd $ip_peer $ip_local any -P out ipsec $proto/transport//require; EOF $DEBUG && cat $tmpfile 
@@ -115,19 +106,10 @@ test_ipsec6_transport() local algo=$2 local ip_local=fd00::1 local ip_peer=fd00::2 - local keylen=$(get_one_valid_keylen $algo) - local key=$(generate_key $keylen) local tmpfile=./tmp local outfile=./out - local opt= proto_cap= - - if [ $proto = esp ]; then - opt=-E - proto_cap=ESP - else - opt=-A - proto_cap=AH - fi + local proto_cap=$(echo $proto | tr 'a-z' 'A-Z') + local algo_args="$(generate_algo_args $proto $algo)" rump_server_crypto_start $SOCK_LOCAL netinet6 netipsec rump_server_crypto_start $SOCK_PEER netinet6 netipsec @@ -156,8 +138,8 @@ test_ipsec6_transport() export RUMP_SERVER=$SOCK_LOCAL # from https://www.netbsd.org/docs/network/ipsec/ cat > $tmpfile <<-EOF - add $ip_local $ip_peer $proto 1 $opt $algo $key; - add $ip_peer $ip_local $proto 10001 $opt $algo $key; + add $ip_local $ip_peer $proto 1 $algo_args; + add $ip_peer $ip_local $proto 10001 $algo_args; spdadd $ip_local $ip_peer any -P out ipsec $proto/transport//require; EOF $DEBUG && cat $tmpfile @@ -166,8 +148,8 @@ test_ipsec6_transport() export RUMP_SERVER=$SOCK_PEER cat > $tmpfile <<-EOF - add $ip_local $ip_peer $proto 1 $opt $algo $key; - add $ip_peer $ip_local $proto 10001 $opt $algo $key; + add $ip_local $ip_peer $proto 1 $algo_args; + add $ip_peer $ip_local $proto 10001 $algo_args; spdadd $ip_peer $ip_local any -P out ipsec $proto/transport//require; EOF $DEBUG && cat $tmpfile Index:
CVS commit: src/tests/net/ipsec
Module Name:src Committed By: ozaki-r Date: Fri May 12 02:34:46 UTC 2017 Modified Files: src/tests/net/ipsec: algorithms.sh t_ipsec_gif.sh t_ipsec_l2tp.sh t_ipsec_transport.sh t_ipsec_tunnel.sh t_ipsec_tunnel_odd.sh Log Message: Dedup some routines To generate a diff of this commit: cvs rdiff -u -r1.3 -r1.4 src/tests/net/ipsec/algorithms.sh \ src/tests/net/ipsec/t_ipsec_transport.sh cvs rdiff -u -r1.4 -r1.5 src/tests/net/ipsec/t_ipsec_gif.sh \ src/tests/net/ipsec/t_ipsec_l2tp.sh cvs rdiff -u -r1.7 -r1.8 src/tests/net/ipsec/t_ipsec_tunnel.sh cvs rdiff -u -r1.1 -r1.2 src/tests/net/ipsec/t_ipsec_tunnel_odd.sh Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
CVS commit: src/tests/net/ipsec
Module Name:src Committed By: ozaki-r Date: Wed May 10 09:00:29 UTC 2017 Modified Files: src/tests/net/ipsec: t_ipsec_tunnel.sh Log Message: Disable DAD rather than waiting for its completion every time To generate a diff of this commit: cvs rdiff -u -r1.6 -r1.7 src/tests/net/ipsec/t_ipsec_tunnel.sh Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
CVS commit: src/tests/net/ipsec
Module Name:src Committed By: ozaki-r Date: Wed May 10 09:00:29 UTC 2017 Modified Files: src/tests/net/ipsec: t_ipsec_tunnel.sh Log Message: Disable DAD rather than waiting its completion every time To generate a diff of this commit: cvs rdiff -u -r1.6 -r1.7 src/tests/net/ipsec/t_ipsec_tunnel.sh Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/tests/net/ipsec/t_ipsec_tunnel.sh diff -u src/tests/net/ipsec/t_ipsec_tunnel.sh:1.6 src/tests/net/ipsec/t_ipsec_tunnel.sh:1.7 --- src/tests/net/ipsec/t_ipsec_tunnel.sh:1.6 Wed May 10 08:59:40 2017 +++ src/tests/net/ipsec/t_ipsec_tunnel.sh Wed May 10 09:00:29 2017 @@ -1,4 +1,4 @@ -# $NetBSD: t_ipsec_tunnel.sh,v 1.6 2017/05/10 08:59:40 ozaki-r Exp $ +# $NetBSD: t_ipsec_tunnel.sh,v 1.7 2017/05/10 09:00:29 ozaki-r Exp $ # # Copyright (c) 2017 Internet Initiative Japan Inc. # All rights reserved. @@ -91,11 +91,13 @@ test_ipsec4_tunnel() setup_servers export RUMP_SERVER=$SOCK_LOCAL + atf_check -s exit:0 rump.sysctl -q -w net.inet.ip.dad_count=0 atf_check -s exit:0 rump.ifconfig shmif0 $ip_local/24 atf_check -s exit:0 -o ignore \ rump.route -n add -net $subnet_remote $ip_gw_local export RUMP_SERVER=$SOCK_TUNNEL_LOCAL + atf_check -s exit:0 rump.sysctl -q -w net.inet.ip.dad_count=0 atf_check -s exit:0 rump.ifconfig shmif0 $ip_gw_local/24 atf_check -s exit:0 rump.ifconfig shmif1 $ip_gw_local_tunnel/24 atf_check -s exit:0 rump.sysctl -q -w net.inet.ip.forwarding=1 @@ -103,6 +105,7 @@ test_ipsec4_tunnel() rump.route -n add -net $subnet_remote $ip_gw_remote_tunnel export RUMP_SERVER=$SOCK_TUNNEL_REMOTE + atf_check -s exit:0 rump.sysctl -q -w net.inet.ip.dad_count=0 atf_check -s exit:0 rump.ifconfig shmif0 $ip_gw_remote/24 atf_check -s exit:0 rump.ifconfig shmif1 $ip_gw_remote_tunnel/24 atf_check -s exit:0 rump.sysctl -q -w net.inet.ip.forwarding=1 
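Review bot: The added `atf_check -s exit:0 rump.sysctl -q -w net.inet.ip.dad_count=0` lines in test_ipsec4_tunnel have no comment, while the later hunks delete the `# Run ifconfig -w 10 just once for optimization` comment that explained the wait they replace. A reader of the new code cannot tell that address readiness now depends on this sysctl being set before each `rump.ifconfig`; a line such as `# Disable DAD so the addresses are usable at once (replaces ifconfig -w 10)` above the first occurrence would record it. The same applies to the `net.inet6.ip6.dad_count=0` lines in test_ipsec6_tunnel. The setting is repeated for each of the four servers in both functions, whose bodies extend outside these hunks, so a small helper taking the socket and the sysctl name would keep the ordering requirement in one place.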
@@ -110,9 +113,8 @@ test_ipsec4_tunnel() rump.route -n add -net $subnet_local $ip_gw_local_tunnel export RUMP_SERVER=$SOCK_REMOTE + atf_check -s exit:0 rump.sysctl -q -w net.inet.ip.dad_count=0 atf_check -s exit:0 rump.ifconfig shmif0 $ip_remote/24 - # Run ifconfig -w 10 just once for optimization - atf_check -s exit:0 rump.ifconfig -w 10 atf_check -s exit:0 -o ignore \ rump.route -n add -net $subnet_local $ip_gw_remote @@ -198,11 +200,13 @@ test_ipsec6_tunnel() setup_servers export RUMP_SERVER=$SOCK_LOCAL + atf_check -s exit:0 rump.sysctl -q -w net.inet6.ip6.dad_count=0 atf_check -s exit:0 rump.ifconfig shmif0 inet6 $ip_local/64 atf_check -s exit:0 -o ignore \ rump.route -n add -inet6 -net $subnet_remote/64 $ip_gw_local export RUMP_SERVER=$SOCK_TUNNEL_LOCAL + atf_check -s exit:0 rump.sysctl -q -w net.inet6.ip6.dad_count=0 atf_check -s exit:0 rump.ifconfig shmif0 inet6 $ip_gw_local/64 atf_check -s exit:0 rump.ifconfig shmif1 inet6 $ip_gw_local_tunnel/64 atf_check -s exit:0 rump.sysctl -q -w net.inet6.ip6.forwarding=1 @@ -210,6 +214,7 @@ test_ipsec6_tunnel() rump.route -n add -inet6 -net $subnet_remote/64 $ip_gw_remote_tunnel export RUMP_SERVER=$SOCK_TUNNEL_REMOTE + atf_check -s exit:0 rump.sysctl -q -w net.inet6.ip6.dad_count=0 atf_check -s exit:0 rump.ifconfig shmif0 inet6 $ip_gw_remote/64 atf_check -s exit:0 rump.ifconfig shmif1 inet6 $ip_gw_remote_tunnel/64 atf_check -s exit:0 rump.sysctl -q -w net.inet6.ip6.forwarding=1 @@ -217,9 +222,8 @@ test_ipsec6_tunnel() rump.route -n add -inet6 -net $subnet_local/64 $ip_gw_local_tunnel export RUMP_SERVER=$SOCK_REMOTE + atf_check -s exit:0 rump.sysctl -q -w net.inet6.ip6.dad_count=0 atf_check -s exit:0 rump.ifconfig shmif0 inet6 $ip_remote - # Run ifconfig -w 10 just once for optimization - atf_check -s exit:0 rump.ifconfig -w 10 atf_check -s exit:0 -o ignore \ rump.route -n add -inet6 -net $subnet_local/64 $ip_gw_remote
CVS commit: src/tests/net/ipsec
Module Name:src Committed By: ozaki-r Date: Wed May 10 08:59:40 UTC 2017 Modified Files: src/tests/net/ipsec: t_ipsec_tunnel.sh Log Message: Dedup some routines To generate a diff of this commit: cvs rdiff -u -r1.5 -r1.6 src/tests/net/ipsec/t_ipsec_tunnel.sh Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/tests/net/ipsec/t_ipsec_tunnel.sh diff -u src/tests/net/ipsec/t_ipsec_tunnel.sh:1.5 src/tests/net/ipsec/t_ipsec_tunnel.sh:1.6 --- src/tests/net/ipsec/t_ipsec_tunnel.sh:1.5 Wed May 10 04:46:13 2017 +++ src/tests/net/ipsec/t_ipsec_tunnel.sh Wed May 10 08:59:40 2017 @@ -1,4 +1,4 @@ -# $NetBSD: t_ipsec_tunnel.sh,v 1.5 2017/05/10 04:46:13 ozaki-r Exp $ +# $NetBSD: t_ipsec_tunnel.sh,v 1.6 2017/05/10 08:59:40 ozaki-r Exp $ # # Copyright (c) 2017 Internet Initiative Japan Inc. # All rights reserved. @@ -35,6 +35,33 @@ BUS_REMOTE=./bus_ipsec_remote DEBUG=${DEBUG:-false} +setup_servers() +{ + + # See https://www.netbsd.org/docs/network/ipsec/#sample_vpn + rump_server_crypto_start $SOCK_LOCAL netinet6 + rump_server_crypto_start $SOCK_TUNNEL_LOCAL netipsec netinet6 + rump_server_crypto_start $SOCK_TUNNEL_REMOTE netipsec netinet6 + rump_server_crypto_start $SOCK_REMOTE netinet6 + rump_server_add_iface $SOCK_LOCAL shmif0 $BUS_LOCAL + rump_server_add_iface $SOCK_TUNNEL_LOCAL shmif0 $BUS_LOCAL + rump_server_add_iface $SOCK_TUNNEL_LOCAL shmif1 $BUS_TUNNEL + rump_server_add_iface $SOCK_TUNNEL_REMOTE shmif0 $BUS_REMOTE + rump_server_add_iface $SOCK_TUNNEL_REMOTE shmif1 $BUS_TUNNEL + rump_server_add_iface $SOCK_REMOTE shmif0 $BUS_REMOTE +} + +check_tunnel_packets() +{ + local outfile=$1 + local src=$2 + local dst=$3 + local proto=$4 + + atf_check -s exit:0 -o match:"$src > $dst: $proto" cat $outfile + atf_check -s exit:0 -o match:"$dst > $src: $proto" cat $outfile +} + test_ipsec4_tunnel() { local proto=$1 
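Review bot: `setup_servers` starts all four rump servers with `netinet6`, but the lines it replaces in test_ipsec4_tunnel (removed in the `@@ -61,17 +88,7 @@` hunk) started the endpoints with no extra component and the gateways with `netipsec` only. After this change the IPv4 tunnel test no longer runs without the netinet6 component, which is a change of test configuration that a commit described as a dedup does not mention. If sharing one setup is intended, a comment in the function would say so, e.g. `# netinet6 is loaded for the IPv4 tests too, so both families share one setup`; otherwise the extra components could be passed in as arguments so that the IPv4 case keeps its original configuration.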
@@ -61,17 +88,7 @@ test_ipsec4_tunnel() proto_cap=AH fi - # See https://www.netbsd.org/docs/network/ipsec/#sample_vpn - rump_server_crypto_start $SOCK_LOCAL - rump_server_crypto_start $SOCK_TUNNEL_LOCAL netipsec - rump_server_crypto_start $SOCK_TUNNEL_REMOTE netipsec - rump_server_crypto_start $SOCK_REMOTE - rump_server_add_iface $SOCK_LOCAL shmif0 $BUS_LOCAL - rump_server_add_iface $SOCK_TUNNEL_LOCAL shmif0 $BUS_LOCAL - rump_server_add_iface $SOCK_TUNNEL_LOCAL shmif1 $BUS_TUNNEL - rump_server_add_iface $SOCK_TUNNEL_REMOTE shmif0 $BUS_REMOTE - rump_server_add_iface $SOCK_TUNNEL_REMOTE shmif1 $BUS_TUNNEL - rump_server_add_iface $SOCK_REMOTE shmif0 $BUS_REMOTE + setup_servers export RUMP_SERVER=$SOCK_LOCAL atf_check -s exit:0 rump.ifconfig shmif0 $ip_local/24 @@ -145,12 +162,8 @@ test_ipsec4_tunnel() atf_check -s exit:0 -o ignore rump.ping -c 1 -n -w 3 $ip_remote extract_new_packets $BUS_TUNNEL > $outfile - atf_check -s exit:0 \ - -o match:"$ip_gw_local_tunnel > $ip_gw_remote_tunnel: $proto_cap" \ - cat $outfile - atf_check -s exit:0 \ - -o match:"$ip_gw_remote_tunnel > $ip_gw_local_tunnel: $proto_cap" \ - cat $outfile + check_tunnel_packets $outfile $ip_gw_local_tunnel $ip_gw_remote_tunnel \ + $proto_cap test_flush_entries $SOCK_TUNNEL_LOCAL test_flush_entries $SOCK_TUNNEL_REMOTE 
@@ -182,16 +195,7 @@ test_ipsec6_tunnel() proto_cap=AH fi - rump_server_crypto_start $SOCK_LOCAL netinet6 - rump_server_crypto_start $SOCK_TUNNEL_LOCAL netipsec netinet6 - rump_server_crypto_start $SOCK_TUNNEL_REMOTE netipsec netinet6 - rump_server_crypto_start $SOCK_REMOTE netinet6 - rump_server_add_iface $SOCK_LOCAL shmif0 $BUS_LOCAL - rump_server_add_iface $SOCK_TUNNEL_LOCAL shmif0 $BUS_LOCAL - rump_server_add_iface $SOCK_TUNNEL_LOCAL shmif1 $BUS_TUNNEL - rump_server_add_iface $SOCK_TUNNEL_REMOTE shmif0 $BUS_REMOTE - rump_server_add_iface $SOCK_TUNNEL_REMOTE shmif1 $BUS_TUNNEL - rump_server_add_iface $SOCK_REMOTE shmif0 $BUS_REMOTE + setup_servers export RUMP_SERVER=$SOCK_LOCAL atf_check -s exit:0 rump.ifconfig shmif0 inet6 $ip_local/64 @@ -265,12 +269,8 @@ test_ipsec6_tunnel() atf_check -s exit:0 -o ignore rump.ping6 -c 1 -n -X 3 $ip_remote extract_new_packets $BUS_TUNNEL > $outfile - atf_check -s exit:0 \ - -o match:"$ip_gw_local_tunnel > $ip_gw_remote_tunnel: $proto_cap" \ - cat $outfile - atf_check -s exit:0 \ - -o match:"$ip_gw_remote_tunnel > $ip_gw_local_tunnel: $proto_cap" \ - cat $outfile + check_tunnel_packets $outfile $ip_gw_local_tunnel $ip_gw_remote_tunnel \ + $proto_cap test_flush_entries $SOCK_TUNNEL_LOCAL test_flush_entries $SOCK_TUNNEL_REMOTE
CVS commit: src/tests/net/ipsec
Module Name:src Committed By: ozaki-r Date: Wed May 10 08:59:40 UTC 2017 Modified Files: src/tests/net/ipsec: t_ipsec_tunnel.sh Log Message: Dedup some routines To generate a diff of this commit: cvs rdiff -u -r1.5 -r1.6 src/tests/net/ipsec/t_ipsec_tunnel.sh Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
CVS commit: src/tests/net/ipsec
Module Name:src Committed By: ozaki-r Date: Wed May 10 04:46:13 UTC 2017 Modified Files: src/tests/net/ipsec: common.sh t_ipsec_gif.sh t_ipsec_l2tp.sh t_ipsec_transport.sh t_ipsec_tunnel.sh Log Message: Introduce check_sa_entries to remove lots of duplicated codes To generate a diff of this commit: cvs rdiff -u -r1.1 -r1.2 src/tests/net/ipsec/common.sh cvs rdiff -u -r1.3 -r1.4 src/tests/net/ipsec/t_ipsec_gif.sh \ src/tests/net/ipsec/t_ipsec_l2tp.sh cvs rdiff -u -r1.2 -r1.3 src/tests/net/ipsec/t_ipsec_transport.sh cvs rdiff -u -r1.4 -r1.5 src/tests/net/ipsec/t_ipsec_tunnel.sh Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/tests/net/ipsec/common.sh diff -u src/tests/net/ipsec/common.sh:1.1 src/tests/net/ipsec/common.sh:1.2 --- src/tests/net/ipsec/common.sh:1.1 Tue May 9 04:25:28 2017 +++ src/tests/net/ipsec/common.sh Wed May 10 04:46:13 2017 @@ -1,4 +1,4 @@ -# $NetBSD: common.sh,v 1.1 2017/05/09 04:25:28 ozaki-r Exp $ +# $NetBSD: common.sh,v 1.2 2017/05/10 04:46:13 ozaki-r Exp $ # # Copyright (c) 2017 Internet Initiative Japan Inc. # All rights reserved. @@ -36,3 +36,20 @@ test_flush_entries() atf_check -s exit:0 -o match:"No SAD entries." $HIJACKING setkey -D -a atf_check -s exit:0 -o match:"No SPD entries." $HIJACKING setkey -D -P } + +check_sa_entries() +{ + local sock=$1 + local local_addr=$2 + local remote_addr=$3 + + export RUMP_SERVER=$sock + + $DEBUG && $HIJACKING setkey -D + + atf_check -s exit:0 -o match:"$local_addr $rmote_addr" \ + $HIJACKING setkey -D + atf_check -s exit:0 -o match:"$remote_addr $local_addr" \ + $HIJACKING setkey -D + # TODO: more detail checks +} Index: src/tests/net/ipsec/t_ipsec_gif.sh diff -u src/tests/net/ipsec/t_ipsec_gif.sh:1.3 src/tests/net/ipsec/t_ipsec_gif.sh:1.4 --- src/tests/net/ipsec/t_ipsec_gif.sh:1.3 Tue May 9 04:25:28 2017 +++ src/tests/net/ipsec/t_ipsec_gif.sh Wed May 10 04:46:13 2017 
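Review bot: The first `atf_check` in the new `check_sa_entries` (common.sh) matches on `"$local_addr $rmote_addr"`, and `rmote_addr` is never assigned, so it expands to nothing and the pattern is just the local address followed by a space. That check passes for any `setkey -D` output that contains the local address, whatever the peer is, so only the second check still ties an SA to both endpoints. The line should read `atf_check -s exit:0 -o match:"$local_addr $remote_addr" \`. The "Fix typo" commit to common.sh (r1.2 to r1.3) listed on this page may be that correction, but its diff is not shown here.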
@@ -1,4 +1,4 @@ -# $NetBSD: t_ipsec_gif.sh,v 1.3 2017/05/09 04:25:28 ozaki-r Exp $ +# $NetBSD: t_ipsec_gif.sh,v 1.4 2017/05/10 04:46:13 ozaki-r Exp $ # # Copyright (c) 2017 Internet Initiative Japan Inc. # All rights reserved. @@ -161,12 +161,6 @@ test_ipsec4_gif() EOF $DEBUG && cat $tmpfile atf_check -s exit:0 -o empty $HIJACKING setkey -c < $tmpfile - $DEBUG && $HIJACKING setkey -D - atf_check -s exit:0 -o match:"$ip_gwlo_tun $ip_gwre_tun" \ - $HIJACKING setkey -D - atf_check -s exit:0 -o match:"$ip_gwre_tun $ip_gwlo_tun" \ - $HIJACKING setkey -D - # TODO: more detail checks export RUMP_SERVER=$SOCK_TUN_REMOTE cat > $tmpfile <<-EOF @@ -179,12 +173,6 @@ test_ipsec4_gif() EOF $DEBUG && cat $tmpfile atf_check -s exit:0 -o empty $HIJACKING setkey -c < $tmpfile - $DEBUG && $HIJACKING setkey -D - atf_check -s exit:0 -o match:"$ip_gwlo_tun $ip_gwre_tun" \ - $HIJACKING setkey -D - atf_check -s exit:0 -o match:"$ip_gwre_tun $ip_gwlo_tun" \ - $HIJACKING setkey -D - # TODO: more detail checks else # transport mode export RUMP_SERVER=$SOCK_TUN_LOCAL # from https://www.netbsd.org/docs/network/ipsec/ @@ -198,12 +186,6 @@ test_ipsec4_gif() EOF $DEBUG && cat $tmpfile atf_check -s exit:0 -o empty $HIJACKING setkey -c < $tmpfile - $DEBUG && $HIJACKING setkey -D - atf_check -s exit:0 -o match:"$ip_gwlo_tun $ip_gwre_tun" \ - $HIJACKING setkey -D - atf_check -s exit:0 -o match:"$ip_gwre_tun $ip_gwlo_tun" \ - $HIJACKING setkey -D - # TODO: more detail checks export RUMP_SERVER=$SOCK_TUN_REMOTE cat > $tmpfile <<-EOF 
@@ -216,14 +198,11 @@ test_ipsec4_gif() EOF $DEBUG && cat $tmpfile atf_check -s exit:0 -o empty $HIJACKING setkey -c < $tmpfile - $DEBUG && $HIJACKING setkey -D - atf_check -s exit:0 -o match:"$ip_gwlo_tun $ip_gwre_tun" \ - $HIJACKING setkey -D - atf_check -s exit:0 -o match:"$ip_gwre_tun $ip_gwlo_tun" \ - $HIJACKING setkey -D - # TODO: more detail checks fi + check_sa_entries $SOCK_TUN_LOCAL $ip_gwlo_tun $ip_gwre_tun + check_sa_entries $SOCK_TUN_REMOTE $ip_gwlo_tun $ip_gwre_tun + export RUMP_SERVER=$SOCK_LOCAL atf_check -s exit:0 -o ignore rump.ping -c 1 -n -w 3 $ip_remote @@ -378,21 +357,8 @@ test_ipsec6_gif() atf_check -s exit:0 -o empty $HIJACKING setkey -c < $tmpfile fi - export RUMP_SERVER=$SOCK_TUN_LOCAL - $DEBUG && $HIJACKING setkey -D - atf_check -s exit:0 -o match:"$ip_gwlo_tun $ip_gwre_tun" \ - $HIJACKING setkey -D - atf_check -s exit:0 -o match:"$ip_gwre_tun $ip_gwlo_tun" \ - $HIJACKING setkey -D - # TODO: more detail checks - - export RUMP_SERVER=$SOCK_TUN_REMOTE - $DEBUG && $HIJACKING setkey -D - atf_check -s exit:0 -o match:"$ip_gwlo_tun $ip_gwre_tun" \ - $HIJACKING setkey -D - atf_check -s exit:0 -o match:"$ip_gwre_tun $ip_gwlo_tun" \ - $HIJACKING setkey -D - # TODO: more detail checks + check_sa_entries $SOCK_TUN_LOCAL $ip_gwlo_tun $ip_gwre_tun + check_sa_entries
CVS commit: src/tests/net/ipsec
Module Name:src Committed By: ozaki-r Date: Wed May 10 04:46:13 UTC 2017 Modified Files: src/tests/net/ipsec: common.sh t_ipsec_gif.sh t_ipsec_l2tp.sh t_ipsec_transport.sh t_ipsec_tunnel.sh Log Message: Introduce check_sa_entries to remove lots of duplicated code To generate a diff of this commit: cvs rdiff -u -r1.1 -r1.2 src/tests/net/ipsec/common.sh cvs rdiff -u -r1.3 -r1.4 src/tests/net/ipsec/t_ipsec_gif.sh \ src/tests/net/ipsec/t_ipsec_l2tp.sh cvs rdiff -u -r1.2 -r1.3 src/tests/net/ipsec/t_ipsec_transport.sh cvs rdiff -u -r1.4 -r1.5 src/tests/net/ipsec/t_ipsec_tunnel.sh Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
CVS commit: src/tests/net/ipsec
Module Name:src Committed By: ozaki-r Date: Tue May 9 04:25:28 UTC 2017 Modified Files: src/tests/net/ipsec: Makefile t_ipsec_gif.sh t_ipsec_l2tp.sh t_ipsec_transport.sh t_ipsec_tunnel.sh Added Files: src/tests/net/ipsec: common.sh Log Message: Test flushing SAD/SPD entries To generate a diff of this commit: cvs rdiff -u -r1.3 -r1.4 src/tests/net/ipsec/Makefile \ src/tests/net/ipsec/t_ipsec_tunnel.sh cvs rdiff -u -r0 -r1.1 src/tests/net/ipsec/common.sh cvs rdiff -u -r1.2 -r1.3 src/tests/net/ipsec/t_ipsec_gif.sh \ src/tests/net/ipsec/t_ipsec_l2tp.sh cvs rdiff -u -r1.1 -r1.2 src/tests/net/ipsec/t_ipsec_transport.sh Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/tests/net/ipsec/Makefile diff -u src/tests/net/ipsec/Makefile:1.3 src/tests/net/ipsec/Makefile:1.4 --- src/tests/net/ipsec/Makefile:1.3 Thu Apr 27 06:53:44 2017 +++ src/tests/net/ipsec/Makefile Tue May 9 04:25:28 2017 @@ -1,4 +1,4 @@ -# $NetBSD: Makefile,v 1.3 2017/04/27 06:53:44 ozaki-r Exp $ +# $NetBSD: Makefile,v 1.4 2017/05/09 04:25:28 ozaki-r Exp $ # .include @@ -8,7 +8,8 @@ TESTSDIR= ${TESTSBASE}/net/ipsec .for name in ipsec_ah_keys ipsec_esp_keys ipsec_gif ipsec_l2tp ipsec_sysctl \ ipsec_transport ipsec_tunnel TESTS_SH+= t_${name} -TESTS_SH_SRC_t_${name}= ../net_common.sh ./algorithms.sh t_${name}.sh +TESTS_SH_SRC_t_${name}= ../net_common.sh ./common.sh ./algorithms.sh \ +t_${name}.sh .endfor .include Index: src/tests/net/ipsec/t_ipsec_tunnel.sh diff -u src/tests/net/ipsec/t_ipsec_tunnel.sh:1.3 src/tests/net/ipsec/t_ipsec_tunnel.sh:1.4 --- src/tests/net/ipsec/t_ipsec_tunnel.sh:1.3 Sun Apr 16 10:34:49 2017 +++ src/tests/net/ipsec/t_ipsec_tunnel.sh Tue May 9 04:25:28 2017 @@ -1,4 +1,4 @@ -# $NetBSD: t_ipsec_tunnel.sh,v 1.3 2017/04/16 10:34:49 ozaki-r Exp $ +# $NetBSD: t_ipsec_tunnel.sh,v 1.4 2017/05/09 04:25:28 ozaki-r Exp $ # # Copyright (c) 2017 Internet Initiative Japan Inc. # All rights reserved. 
@@ -163,6 +163,9 @@ test_ipsec4_tunnel() atf_check -s exit:0 \ -o match:"$ip_gw_remote_tunnel > $ip_gw_local_tunnel: $proto_cap" \ cat $outfile + + test_flush_entries $SOCK_TUNNEL_LOCAL + test_flush_entries $SOCK_TUNNEL_REMOTE } test_ipsec6_tunnel() @@ -292,6 +295,9 @@ test_ipsec6_tunnel() atf_check -s exit:0 \ -o match:"$ip_gw_remote_tunnel > $ip_gw_local_tunnel: $proto_cap" \ cat $outfile + + test_flush_entries $SOCK_TUNNEL_LOCAL + test_flush_entries $SOCK_TUNNEL_REMOTE } test_tunnel_common() Index: src/tests/net/ipsec/t_ipsec_gif.sh diff -u src/tests/net/ipsec/t_ipsec_gif.sh:1.2 src/tests/net/ipsec/t_ipsec_gif.sh:1.3 --- src/tests/net/ipsec/t_ipsec_gif.sh:1.2 Thu Apr 27 10:17:12 2017 +++ src/tests/net/ipsec/t_ipsec_gif.sh Tue May 9 04:25:28 2017 @@ -1,4 +1,4 @@ -# $NetBSD: t_ipsec_gif.sh,v 1.2 2017/04/27 10:17:12 ozaki-r Exp $ +# $NetBSD: t_ipsec_gif.sh,v 1.3 2017/05/09 04:25:28 ozaki-r Exp $ # # Copyright (c) 2017 Internet Initiative Japan Inc. # All rights reserved. @@ -234,6 +234,9 @@ test_ipsec4_gif() str=$(make_gif_pktstr $ip_gwre_tun $ip_gwlo_tun \ $ip_remote $ip_local $proto ipv4) atf_check -s exit:0 -o match:"$str" cat $outfile + + test_flush_entries $SOCK_TUN_LOCAL + test_flush_entries $SOCK_TUN_REMOTE } test_ipsec6_gif() @@ -401,6 +404,9 @@ test_ipsec6_gif() str=$(make_gif_pktstr $ip_gwre_tun $ip_gwlo_tun \ $ip_remote $ip_local $proto ipv6) atf_check -s exit:0 -o match:"$str" cat $outfile + + test_flush_entries $SOCK_TUN_LOCAL + test_flush_entries $SOCK_TUN_REMOTE } test_ipsec_gif_common() Index: src/tests/net/ipsec/t_ipsec_l2tp.sh diff -u src/tests/net/ipsec/t_ipsec_l2tp.sh:1.2 src/tests/net/ipsec/t_ipsec_l2tp.sh:1.3 --- src/tests/net/ipsec/t_ipsec_l2tp.sh:1.2 Thu Apr 27 10:17:12 2017 +++ src/tests/net/ipsec/t_ipsec_l2tp.sh Tue May 9 04:25:28 2017 
@@ -1,4 +1,4 @@ -# $NetBSD: t_ipsec_l2tp.sh,v 1.2 2017/04/27 10:17:12 ozaki-r Exp $ +# $NetBSD: t_ipsec_l2tp.sh,v 1.3 2017/05/09 04:25:28 ozaki-r Exp $ # # Copyright (c) 2017 Internet Initiative Japan Inc. # All rights reserved. @@ -220,6 +220,9 @@ test_ipsec4_l2tp() atf_check -s exit:0 -o match:"$str" cat $outfile str=$(make_l2tp_pktstr $ip_gwre_tun $ip_gwlo_tun $proto ipv4 $mode) atf_check -s exit:0 -o match:"$str" cat $outfile + + test_flush_entries $SOCK_TUN_LOCAL + test_flush_entries $SOCK_TUN_REMOTE } test_ipsec6_l2tp() @@ -387,6 +390,9 @@ test_ipsec6_l2tp() atf_check -s exit:0 -o match:"$str" cat $outfile str=$(make_l2tp_pktstr $ip_gwre_tun $ip_gwlo_tun $proto ipv6 $mode) atf_check -s exit:0 -o match:"$str" cat $outfile + + test_flush_entries $SOCK_TUN_LOCAL + test_flush_entries $SOCK_TUN_REMOTE } test_ipsec_l2tp_common() Index: src/tests/net/ipsec/t_ipsec_transport.sh diff -u src/tests/net/ipsec/t_ipsec_transport.sh:1.1 src/tests/net/ipsec/t_ipsec_transport.sh:1.2 --- src/tests/net/ipsec/t_ipsec_transport.sh:1.1 Fri
CVS commit: src/tests/net/ipsec
Module Name:src Committed By: ozaki-r Date: Tue May 9 04:25:28 UTC 2017 Modified Files: src/tests/net/ipsec: Makefile t_ipsec_gif.sh t_ipsec_l2tp.sh t_ipsec_transport.sh t_ipsec_tunnel.sh Added Files: src/tests/net/ipsec: common.sh Log Message: Test flushing SAD/SPD entries To generate a diff of this commit: cvs rdiff -u -r1.3 -r1.4 src/tests/net/ipsec/Makefile \ src/tests/net/ipsec/t_ipsec_tunnel.sh cvs rdiff -u -r0 -r1.1 src/tests/net/ipsec/common.sh cvs rdiff -u -r1.2 -r1.3 src/tests/net/ipsec/t_ipsec_gif.sh \ src/tests/net/ipsec/t_ipsec_l2tp.sh cvs rdiff -u -r1.1 -r1.2 src/tests/net/ipsec/t_ipsec_transport.sh Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
CVS commit: src/tests/net/ipsec
Module Name:src Committed By: ozaki-r Date: Thu Apr 27 10:17:12 UTC 2017 Modified Files: src/tests/net/ipsec: t_ipsec_gif.sh t_ipsec_l2tp.sh Log Message: Test transport mode as well as tunnel mode To generate a diff of this commit: cvs rdiff -u -r1.1 -r1.2 src/tests/net/ipsec/t_ipsec_gif.sh \ src/tests/net/ipsec/t_ipsec_l2tp.sh Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/tests/net/ipsec/t_ipsec_gif.sh diff -u src/tests/net/ipsec/t_ipsec_gif.sh:1.1 src/tests/net/ipsec/t_ipsec_gif.sh:1.2 --- src/tests/net/ipsec/t_ipsec_gif.sh:1.1 Thu Apr 27 06:52:45 2017 +++ src/tests/net/ipsec/t_ipsec_gif.sh Thu Apr 27 10:17:12 2017 @@ -1,4 +1,4 @@ -# $NetBSD: t_ipsec_gif.sh,v 1.1 2017/04/27 06:52:45 ozaki-r Exp $ +# $NetBSD: t_ipsec_gif.sh,v 1.2 2017/04/27 10:17:12 ozaki-r Exp $ # # Copyright (c) 2017 Internet Initiative Japan Inc. # All rights reserved. @@ -61,14 +61,15 @@ make_gif_pktstr() test_ipsec4_gif() { - local proto=$1 - local algo=$2 + local mode=$1 + local proto=$2 + local algo=$3 local ip_local=10.0.1.2 local ip_gw_local=10.0.1.1 - local ip_gw_local_tun=20.0.0.1 - local ip_gw_local_gif=20.1.0.1 - local ip_gw_remote_gif=20.1.0.2 - local ip_gw_remote_tun=20.0.0.2 + local ip_gwlo_tun=20.0.0.1 + local ip_gwlo_gif=20.1.0.1 + local ip_gwre_gif=20.1.0.2 + local ip_gwre_tun=20.0.0.2 local ip_gw_remote=10.0.2.1 local ip_remote=10.0.2.2 local subnet_local=10.0.1.0 
@@ -103,27 +104,27 @@ test_ipsec4_gif() export RUMP_SERVER=$SOCK_TUN_LOCAL atf_check -s exit:0 rump.ifconfig shmif0 $ip_gw_local/24 - atf_check -s exit:0 rump.ifconfig shmif1 $ip_gw_local_tun/24 + atf_check -s exit:0 rump.ifconfig shmif1 $ip_gwlo_tun/24 atf_check -s exit:0 rump.ifconfig gif0 create atf_check -s exit:0 rump.ifconfig gif0 \ - tunnel $ip_gw_local_tun $ip_gw_remote_tun + tunnel $ip_gwlo_tun $ip_gwre_tun atf_check -s exit:0 rump.ifconfig gif0 \ - inet $ip_gw_local_gif/32 $ip_gw_remote_gif + inet $ip_gwlo_gif/32 $ip_gwre_gif atf_check -s exit:0 rump.sysctl -q -w net.inet.ip.forwarding=1 atf_check -s exit:0 -o ignore \ - rump.route -n add -net $subnet_remote $ip_gw_remote_gif + rump.route -n add -net $subnet_remote $ip_gwre_gif export RUMP_SERVER=$SOCK_TUN_REMOTE atf_check -s exit:0 rump.ifconfig shmif0 $ip_gw_remote/24 - atf_check -s exit:0 rump.ifconfig shmif1 $ip_gw_remote_tun/24 + atf_check -s exit:0 rump.ifconfig shmif1 $ip_gwre_tun/24 atf_check -s exit:0 rump.ifconfig gif0 create atf_check -s exit:0 rump.ifconfig gif0 \ - tunnel $ip_gw_remote_tun $ip_gw_local_tun + tunnel $ip_gwre_tun $ip_gwlo_tun atf_check -s exit:0 rump.ifconfig gif0 \ - inet $ip_gw_remote_gif/32 $ip_gw_local_gif + inet $ip_gwre_gif/32 $ip_gwlo_gif atf_check -s exit:0 rump.sysctl -q -w net.inet.ip.forwarding=1 atf_check -s exit:0 -o ignore \ - rump.route -n add -net $subnet_local $ip_gw_local_gif + rump.route -n add -net $subnet_local $ip_gwlo_gif export RUMP_SERVER=$SOCK_REMOTE atf_check -s exit:0 rump.ifconfig shmif0 $ip_remote/24 
@@ -138,74 +139,114 @@ test_ipsec4_gif() atf_check -s exit:0 -o ignore rump.ping -c 1 -n -w 3 $ip_remote extract_new_packets $BUS_TUNNEL > $outfile - str="$ip_gw_local_tun > $ip_gw_remote_tun:" + str="$ip_gwlo_tun > $ip_gwre_tun:" str="$str $ip_local > $ip_remote: ICMP echo request," str="$str .+ \(ipip-proto-4\)" atf_check -s exit:0 -o match:"$str" cat $outfile - str="$ip_gw_remote_tun > $ip_gw_local_tun:" + str="$ip_gwre_tun > $ip_gwlo_tun:" str="$str $ip_remote > $ip_local: ICMP echo reply," str="$str .+ \(ipip-proto-4\)" atf_check -s exit:0 -o match:"$str" cat $outfile - export RUMP_SERVER=$SOCK_TUN_LOCAL - # from https://www.netbsd.org/docs/network/ipsec/ - cat > $tmpfile <<-EOF - add $ip_gw_local_tun $ip_gw_remote_tun $proto 1 $opt $algo $key; - add $ip_gw_remote_tun $ip_gw_local_tun $proto 10001 $opt $algo $key; - spdadd $subnet_local/24 $subnet_remote/24 any -P out ipsec - $proto/tunnel/$ip_gw_local_tun-$ip_gw_remote_tun/require; - spdadd $subnet_remote/24 $subnet_local/24 any -P in ipsec - $proto/tunnel/$ip_gw_remote_tun-$ip_gw_local_tun/require; - EOF - $DEBUG && cat $tmpfile - atf_check -s exit:0 -o empty $HIJACKING setkey -c < $tmpfile - $DEBUG && $HIJACKING setkey -D - atf_check -s exit:0 -o match:"$ip_gw_local_tun $ip_gw_remote_tun" \ - $HIJACKING setkey -D - atf_check -s exit:0 -o match:"$ip_gw_remote_tun $ip_gw_local_tun" \ - $HIJACKING setkey -D - # TODO: more detail checks - - export RUMP_SERVER=$SOCK_TUN_REMOTE - cat > $tmpfile <<-EOF - add $ip_gw_local_tun $ip_gw_remote_tun $proto 1 $opt $algo $key; - add $ip_gw_remote_tun $ip_gw_local_tun $proto 10001 $opt $algo $key; - spdadd $subnet_remote/24 $subnet_local/24 any -P out ipsec - $proto/tunnel/$ip_gw_remote_tun-$ip_gw_local_tun/require; - spdadd $subnet_local/24 $subnet_remote/24 any -P in ipsec -
CVS commit: src/tests/net/ipsec
Module Name:src Committed By: ozaki-r Date: Thu Apr 27 10:17:12 UTC 2017 Modified Files: src/tests/net/ipsec: t_ipsec_gif.sh t_ipsec_l2tp.sh Log Message: Test transport mode as well as tunnel mode To generate a diff of this commit: cvs rdiff -u -r1.1 -r1.2 src/tests/net/ipsec/t_ipsec_gif.sh \ src/tests/net/ipsec/t_ipsec_l2tp.sh Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
CVS commit: src/tests/net/ipsec
Module Name:src Committed By: ozaki-r Date: Thu Apr 27 08:06:59 UTC 2017 Modified Files: src/tests/net/ipsec: algorithms.sh Log Message: Prefer rijndael-cbc To generate a diff of this commit: cvs rdiff -u -r1.2 -r1.3 src/tests/net/ipsec/algorithms.sh Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/tests/net/ipsec/algorithms.sh diff -u src/tests/net/ipsec/algorithms.sh:1.2 src/tests/net/ipsec/algorithms.sh:1.3 --- src/tests/net/ipsec/algorithms.sh:1.2 Thu Apr 27 06:50:42 2017 +++ src/tests/net/ipsec/algorithms.sh Thu Apr 27 08:06:59 2017 @@ -1,4 +1,4 @@ -# $NetBSD: algorithms.sh,v 1.2 2017/04/27 06:50:42 ozaki-r Exp $ +# $NetBSD: algorithms.sh,v 1.3 2017/04/27 08:06:59 ozaki-r Exp $ # # Copyright (c) 2017 Internet Initiative Japan Inc. # All rights reserved. @@ -27,7 +27,7 @@ ESP_ENCRYPTION_ALGORITHMS="des-cbc 3des-cbc null blowfish-cbc cast128-cbc \ des-deriv rijndael-cbc aes-ctr camellia-cbc aes-gcm-16 aes-gmac" -ESP_ENCRYPTION_ALGORITHMS_MINIMUM="null aes-ctr" +ESP_ENCRYPTION_ALGORITHMS_MINIMUM="null rijndael-cbc" # Valid key lengths of ESP encription algorithms #des-cbc 64
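Review bot: Replacing `aes-ctr` with `rijndael-cbc` in `ESP_ENCRYPTION_ALGORITHMS_MINIMUM` leaves the reduced set with `null` and a single CBC cipher. Tests that iterate over it therefore no longer touch a counter-mode or combined-mode transform, although `aes-ctr`, `aes-gcm-16` and `aes-gmac` remain in the full list just above. The log message says only "Prefer rijndael-cbc", so the reason for the swap is not recorded. A comment above the assignment would tell the next reader what is deliberately left uncovered, for example `# rijndael-cbc chosen because <reason>; counter/AEAD modes are exercised only via the full list`. Which tests consume the minimum set is not visible in this hunk.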
CVS commit: src/tests/net/ipsec
Module Name:src Committed By: ozaki-r Date: Thu Apr 27 08:06:59 UTC 2017 Modified Files: src/tests/net/ipsec: algorithms.sh Log Message: Prefer rijndael-cbc To generate a diff of this commit: cvs rdiff -u -r1.2 -r1.3 src/tests/net/ipsec/algorithms.sh Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
CVS commit: src/tests/net/ipsec
Module Name:src Committed By: ozaki-r Date: Thu Apr 27 06:50:42 UTC 2017 Modified Files: src/tests/net/ipsec: algorithms.sh Log Message: Add minimum sets of algorithms for testing To generate a diff of this commit: cvs rdiff -u -r1.1 -r1.2 src/tests/net/ipsec/algorithms.sh Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/tests/net/ipsec/algorithms.sh diff -u src/tests/net/ipsec/algorithms.sh:1.1 src/tests/net/ipsec/algorithms.sh:1.2 --- src/tests/net/ipsec/algorithms.sh:1.1 Fri Apr 14 02:56:49 2017 +++ src/tests/net/ipsec/algorithms.sh Thu Apr 27 06:50:42 2017 @@ -1,4 +1,4 @@ -# $NetBSD: algorithms.sh,v 1.1 2017/04/14 02:56:49 ozaki-r Exp $ +# $NetBSD: algorithms.sh,v 1.2 2017/04/27 06:50:42 ozaki-r Exp $ # # Copyright (c) 2017 Internet Initiative Japan Inc. # All rights reserved. @@ -27,6 +27,7 @@ ESP_ENCRYPTION_ALGORITHMS="des-cbc 3des-cbc null blowfish-cbc cast128-cbc \ des-deriv rijndael-cbc aes-ctr camellia-cbc aes-gcm-16 aes-gmac" +ESP_ENCRYPTION_ALGORITHMS_MINIMUM="null aes-ctr" # Valid key lengths of ESP encription algorithms #des-cbc 64 @@ -72,6 +73,7 @@ invalid_keys_aesgmac="152 168 216 232 28 AH_AUTHENTICATION_ALGORITHMS="hmac-md5 hmac-sha1 keyed-md5 keyed-sha1 null \ hmac-sha256 hmac-sha384 hmac-sha512 hmac-ripemd160 aes-xcbc-mac" +AH_AUTHENTICATION_ALGORITHMS_MINIMUM="null hmac-sha512" # Valid key lengths of AH authentication algorithms #hmac-md5128
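Review bot: `ESP_ENCRYPTION_ALGORITHMS_MINIMUM` and `AH_AUTHENTICATION_ALGORITHMS_MINIMUM` (second and third hunks) are added without a comment, and both contain `null`. Only the log message says they are "for testing"; in the file itself, "minimum" could be read as a minimum acceptable algorithm set rather than a reduced test matrix. A short comment above each assignment would remove that ambiguity, for example `# Reduced set for tests that do not iterate over every algorithm; not a recommended configuration`. It would also help to state how the two members were chosen, so that later edits keep the intended coverage.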
CVS commit: src/tests/net/ipsec
Module Name:src Committed By: ozaki-r Date: Thu Apr 27 06:50:42 UTC 2017 Modified Files: src/tests/net/ipsec: algorithms.sh Log Message: Add minimum sets of algorithms for testing To generate a diff of this commit: cvs rdiff -u -r1.1 -r1.2 src/tests/net/ipsec/algorithms.sh Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
CVS commit: src/tests/net/ipsec
Module Name:src Committed By: ozaki-r Date: Sun Apr 16 10:34:49 UTC 2017 Modified Files: src/tests/net/ipsec: t_ipsec_tunnel.sh Log Message: Revert "Mark tests of tunnel/AH/IPv6 as expected failure (PR kern/52161)" The issue was fixed by christos@ To generate a diff of this commit: cvs rdiff -u -r1.2 -r1.3 src/tests/net/ipsec/t_ipsec_tunnel.sh Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/tests/net/ipsec/t_ipsec_tunnel.sh diff -u src/tests/net/ipsec/t_ipsec_tunnel.sh:1.2 src/tests/net/ipsec/t_ipsec_tunnel.sh:1.3 --- src/tests/net/ipsec/t_ipsec_tunnel.sh:1.2 Fri Apr 14 03:35:40 2017 +++ src/tests/net/ipsec/t_ipsec_tunnel.sh Sun Apr 16 10:34:49 2017 @@ -1,4 +1,4 @@ -# $NetBSD: t_ipsec_tunnel.sh,v 1.2 2017/04/14 03:35:40 ozaki-r Exp $ +# $NetBSD: t_ipsec_tunnel.sh,v 1.3 2017/04/16 10:34:49 ozaki-r Exp $ # # Copyright (c) 2017 Internet Initiative Japan Inc. # All rights reserved. @@ -312,15 +312,11 @@ add_test_tunnel_mode() local ipproto=$1 local proto=$2 local algo=$3 - local expected_failure=$4 local _algo=$(echo $algo | sed 's/-//g') - local name= desc= expected_failure_code= + local name= desc= name="ipsec_tunnel_${ipproto}_${proto}_${_algo}" desc="Tests of IPsec ($ipproto) tunnel mode with $proto ($algo)" - if [ "$expected_failure" = yes ]; then - expected_failure_code="atf_expect_fail 'PR kern/52161';" - fi atf_test_case ${name} cleanup eval "\ @@ -329,7 +325,6 @@ add_test_tunnel_mode() atf_set \"require.progs\" \"rump_server\" \"setkey\"; \ };\ ${name}_body() { \ - $expected_failure_code \ test_tunnel_common $ipproto $proto $algo; \ rump_server_destroy_ifaces;\ };\ @@ -352,10 +347,6 @@ atf_init_test_cases() for algo in $AH_AUTHENTICATION_ALGORITHMS; do add_test_tunnel_mode ipv4 ah $algo - if [ $algo = null ]; then - add_test_tunnel_mode ipv6 ah $algo - else - add_test_tunnel_mode ipv6 ah $algo yes - fi + add_test_tunnel_mode ipv6 ah $algo done }
CVS commit: src/tests/net/ipsec
Module Name:src Committed By: ozaki-r Date: Sun Apr 16 10:34:49 UTC 2017 Modified Files: src/tests/net/ipsec: t_ipsec_tunnel.sh Log Message: Revert "Mark tests of tunnel/AH/IPv6 as expected failure (PR kern/52161)" The issue was fixed by christos@ To generate a diff of this commit: cvs rdiff -u -r1.2 -r1.3 src/tests/net/ipsec/t_ipsec_tunnel.sh Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
CVS commit: src/tests/net/ipsec
Module Name:src Committed By: ozaki-r Date: Fri Apr 14 03:35:40 UTC 2017 Modified Files: src/tests/net/ipsec: t_ipsec_tunnel.sh Log Message: Mark tests of tunnel/AH/IPv6 as expected failure (PR kern/52161) To generate a diff of this commit: cvs rdiff -u -r1.1 -r1.2 src/tests/net/ipsec/t_ipsec_tunnel.sh Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/tests/net/ipsec/t_ipsec_tunnel.sh diff -u src/tests/net/ipsec/t_ipsec_tunnel.sh:1.1 src/tests/net/ipsec/t_ipsec_tunnel.sh:1.2 --- src/tests/net/ipsec/t_ipsec_tunnel.sh:1.1 Fri Apr 14 02:56:49 2017 +++ src/tests/net/ipsec/t_ipsec_tunnel.sh Fri Apr 14 03:35:40 2017 @@ -1,4 +1,4 @@ -# $NetBSD: t_ipsec_tunnel.sh,v 1.1 2017/04/14 02:56:49 ozaki-r Exp $ +# $NetBSD: t_ipsec_tunnel.sh,v 1.2 2017/04/14 03:35:40 ozaki-r Exp $ # # Copyright (c) 2017 Internet Initiative Japan Inc. # All rights reserved. @@ -312,11 +312,15 @@ add_test_tunnel_mode() local ipproto=$1 local proto=$2 local algo=$3 + local expected_failure=$4 local _algo=$(echo $algo | sed 's/-//g') - local name= desc= + local name= desc= expected_failure_code= name="ipsec_tunnel_${ipproto}_${proto}_${_algo}" desc="Tests of IPsec ($ipproto) tunnel mode with $proto ($algo)" + if [ "$expected_failure" = yes ]; then + expected_failure_code="atf_expect_fail 'PR kern/52161';" + fi atf_test_case ${name} cleanup eval "\ @@ -325,6 +329,7 @@ add_test_tunnel_mode() atf_set \"require.progs\" \"rump_server\" \"setkey\"; \ };\ ${name}_body() { \ + $expected_failure_code \ test_tunnel_common $ipproto $proto $algo; \ rump_server_destroy_ifaces;\ };\ @@ -347,6 +352,10 @@ atf_init_test_cases() for algo in $AH_AUTHENTICATION_ALGORITHMS; do add_test_tunnel_mode ipv4 ah $algo - add_test_tunnel_mode ipv6 ah $algo + if [ $algo = null ]; then + add_test_tunnel_mode ipv6 ah $algo + else + add_test_tunnel_mode ipv6 ah $algo yes + fi done }
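Review bot: The added `expected_failure_code="atf_expect_fail 'PR kern/52161';"` hard-codes one problem report inside add_test_tunnel_mode(). The generic-looking fourth argument `yes` can therefore only ever refer to that PR, and the reason sits far from the call site in atf_init_test_cases() that decides which cases are expected to fail. Passing the reason itself would keep the decision and its justification together: call `add_test_tunnel_mode ipv6 ah $algo 'PR kern/52161'` and build the string with `expected_failure_code="atf_expect_fail '$expected_failure';"` when `$expected_failure` is non-empty. Because the value is spliced into the `eval` string, a comment should note that it must be a fixed literal without single quotes. The rest of the `eval` body lies partly outside these hunks.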
CVS commit: src/tests/net/ipsec
Module Name:src Committed By: ozaki-r Date: Fri Apr 14 03:35:40 UTC 2017 Modified Files: src/tests/net/ipsec: t_ipsec_tunnel.sh Log Message: Mark tests of tunnel/AH/IPv6 as expected failure (PR kern/52161) To generate a diff of this commit: cvs rdiff -u -r1.1 -r1.2 src/tests/net/ipsec/t_ipsec_tunnel.sh Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.