CVS commit: src

Sun, 02 Jul 2017 23:02:03 -0700 

Module Name:    src
Committed By:   ozaki-r
Date:           Mon Jul  3 06:01:16 UTC 2017

Modified Files:
        src/distrib/sets/lists/tests: mi
        src/tests/net/ipsec: Makefile algorithms.sh common.sh
            t_ipsec_transport.sh
Added Files:
        src/tests/net/ipsec: t_ipsec_tunnel_ipcomp.sh

Log Message:
Add test cases for IPComp


To generate a diff of this commit:
cvs rdiff -u -r1.753 -r1.754 src/distrib/sets/lists/tests/mi
cvs rdiff -u -r1.6 -r1.7 src/tests/net/ipsec/Makefile
cvs rdiff -u -r1.4 -r1.5 src/tests/net/ipsec/algorithms.sh \
    src/tests/net/ipsec/t_ipsec_transport.sh
cvs rdiff -u -r1.3 -r1.4 src/tests/net/ipsec/common.sh
cvs rdiff -u -r0 -r1.1 src/tests/net/ipsec/t_ipsec_tunnel_ipcomp.sh

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.


Modified files:

Index: src/distrib/sets/lists/tests/mi
diff -u src/distrib/sets/lists/tests/mi:1.753 src/distrib/sets/lists/tests/mi:1.754
--- src/distrib/sets/lists/tests/mi:1.753	Fri Jun  9 06:09:01 2017
+++ src/distrib/sets/lists/tests/mi	Mon Jul  3 06:01:16 2017
@@ -1,4 +1,4 @@
-# $NetBSD: mi,v 1.753 2017/06/09 06:09:01 knakahara Exp $
+# $NetBSD: mi,v 1.754 2017/07/03 06:01:16 ozaki-r Exp $
 #
 # Note: don't delete entries from here - mark them as "obsolete" instead.
 #
@@ -3319,6 +3319,7 @@
 ./usr/tests/net/ipsec/t_ipsec_sysctl		tests-net-tests		atf,rump
 ./usr/tests/net/ipsec/t_ipsec_transport		tests-net-tests		atf,rump
 ./usr/tests/net/ipsec/t_ipsec_tunnel		tests-net-tests		atf,rump
+./usr/tests/net/ipsec/t_ipsec_tunnel_ipcomp	tests-net-tests		atf,rump
 ./usr/tests/net/ipsec/t_ipsec_tunnel_odd	tests-net-tests		atf,rump
 ./usr/tests/net/mcast				tests-net-tests		compattestfile,atf
 ./usr/tests/net/mcast/Atffile			tests-net-tests		atf,rump

Index: src/tests/net/ipsec/Makefile
diff -u src/tests/net/ipsec/Makefile:1.6 src/tests/net/ipsec/Makefile:1.7
--- src/tests/net/ipsec/Makefile:1.6	Mon May 15 09:58:22 2017
+++ src/tests/net/ipsec/Makefile	Mon Jul  3 06:01:16 2017
@@ -1,4 +1,4 @@
-# $NetBSD: Makefile,v 1.6 2017/05/15 09:58:22 ozaki-r Exp $
+# $NetBSD: Makefile,v 1.7 2017/07/03 06:01:16 ozaki-r Exp $
 #
 
 .include <bsd.own.mk>
@@ -6,7 +6,8 @@
 TESTSDIR=	${TESTSBASE}/net/ipsec
 
 .for name in ipsec_ah_keys ipsec_esp_keys ipsec_gif ipsec_l2tp ipsec_misc \
-    ipsec_sysctl ipsec_transport ipsec_tunnel ipsec_tunnel_odd
+    ipsec_sysctl ipsec_transport ipsec_tunnel ipsec_tunnel_ipcomp \
+    ipsec_tunnel_odd
 TESTS_SH+=		t_${name}
 TESTS_SH_SRC_t_${name}=	../net_common.sh ./common.sh ./algorithms.sh \
     t_${name}.sh

Index: src/tests/net/ipsec/algorithms.sh
diff -u src/tests/net/ipsec/algorithms.sh:1.4 src/tests/net/ipsec/algorithms.sh:1.5
--- src/tests/net/ipsec/algorithms.sh:1.4	Fri May 12 02:34:45 2017
+++ src/tests/net/ipsec/algorithms.sh	Mon Jul  3 06:01:16 2017
@@ -1,4 +1,4 @@
-#	$NetBSD: algorithms.sh,v 1.4 2017/05/12 02:34:45 ozaki-r Exp $
+#	$NetBSD: algorithms.sh,v 1.5 2017/07/03 06:01:16 ozaki-r Exp $
 #
 # Copyright (c) 2017 Internet Initiative Japan Inc.
 # All rights reserved.
@@ -111,6 +111,12 @@ invalid_keys_aesxcbcmac="120 136"
 #valid_keys_tcpmd5="8 640"
 #invalid_keys_tcpmd5="648"
 
+IPCOMP_COMPRESSION_ALGORITHMS="deflate"
+IPCOMP_COMPRESSION_ALGORITHMS_MINIMUM="deflate"
+valid_keys_deflate="0"
+invalid_keys_deflate="8"
+minlen_deflate="90"
+
 get_one_valid_keylen()
 {
 	local algo=$1
@@ -170,7 +176,18 @@ generate_algo_args()
 
 	if [ $proto = esp ]; then
 		echo "-E $algo $key"
-	else
+	elif [ $proto = ah ]; then
 		echo "-A $algo $key"
+	else
+		echo "-C $algo $key"
 	fi
 }
+
+get_minlen()
+{
+	local algo=$1
+	local minlen=
+
+	eval minlen="\$minlen_${algo}"
+	echo $minlen
+}
Index: src/tests/net/ipsec/t_ipsec_transport.sh
diff -u src/tests/net/ipsec/t_ipsec_transport.sh:1.4 src/tests/net/ipsec/t_ipsec_transport.sh:1.5
--- src/tests/net/ipsec/t_ipsec_transport.sh:1.4	Fri May 12 02:34:45 2017
+++ src/tests/net/ipsec/t_ipsec_transport.sh	Mon Jul  3 06:01:16 2017
@@ -1,4 +1,4 @@
-#	$NetBSD: t_ipsec_transport.sh,v 1.4 2017/05/12 02:34:45 ozaki-r Exp $
+#	$NetBSD: t_ipsec_transport.sh,v 1.5 2017/07/03 06:01:16 ozaki-r Exp $
 #
 # Copyright (c) 2017 Internet Initiative Japan Inc.
 # All rights reserved.
@@ -31,6 +31,17 @@ BUS=./bus_ipsec
 
 DEBUG=${DEBUG:-false}
 
+check_packets()
+{
+	local outfile=$1
+	local src=$2
+	local dst=$3
+	local pktproto=$4
+
+	atf_check -s exit:0 -o match:"$src > $dst: $pktproto" cat $outfile
+	atf_check -s exit:0 -o match:"$dst > $src: $pktproto" cat $outfile
+}
+
 test_ipsec4_transport()
 {
 	local proto=$1
@@ -39,8 +50,9 @@ test_ipsec4_transport()
 	local ip_peer=10.0.0.2
 	local tmpfile=./tmp
 	local outfile=./out
-	local proto_cap=$(echo $proto | tr 'a-z' 'A-Z')
+	local pktproto=$(generate_pktproto $proto)
 	local algo_args="$(generate_algo_args $proto $algo)"
+	local pktsize=
 
 	rump_server_crypto_start $SOCK_LOCAL netipsec
 	rump_server_crypto_start $SOCK_PEER netipsec
@@ -88,13 +100,30 @@ test_ipsec4_transport()
 	check_sa_entries $SOCK_PEER $ip_local $ip_peer
 
 	export RUMP_SERVER=$SOCK_LOCAL
-	atf_check -s exit:0 -o ignore rump.ping -c 1 -n -w 3 $ip_peer
-
-	extract_new_packets $BUS > $outfile
-	atf_check -s exit:0 -o match:"$ip_local > $ip_peer: $proto_cap" \
-	    cat $outfile
-	atf_check -s exit:0 -o match:"$ip_peer > $ip_local: $proto_cap" \
-	    cat $outfile
+	if [ $proto = ipcomp ]; then
+		# IPComp sends a packet as-is if a compressed payload of
+		# the packet is greater than or equal to the original payload.
+		# So we have to fill a payload with 1 to let IPComp always send
+		# a compressed packet.
+
+		# pktsize == minlen - 1
+		pktsize=$(($(get_minlen $algo) - 8 - 1))
+		atf_check -s exit:0 -o ignore \
+		    rump.ping -c 1 -n -w 3 -s $pktsize -p ff $ip_peer
+		extract_new_packets $BUS > $outfile
+		check_packets $outfile $ip_local $ip_peer ICMP
+
+		# pktsize == minlen
+		pktsize=$(($(get_minlen $algo) - 8))
+		atf_check -s exit:0 -o ignore \
+		    rump.ping -c 1 -n -w 3 -s $pktsize -p ff $ip_peer
+		extract_new_packets $BUS > $outfile
+		check_packets $outfile $ip_local $ip_peer $pktproto
+	else
+		atf_check -s exit:0 -o ignore rump.ping -c 1 -n -w 3 $ip_peer
+		extract_new_packets $BUS > $outfile
+		check_packets $outfile $ip_local $ip_peer $pktproto
+	fi
 
 	test_flush_entries $SOCK_LOCAL
 	test_flush_entries $SOCK_PEER
@@ -108,7 +137,7 @@ test_ipsec6_transport()
 	local ip_peer=fd00::2
 	local tmpfile=./tmp
 	local outfile=./out
-	local proto_cap=$(echo $proto | tr 'a-z' 'A-Z')
+	local pktproto=$(generate_pktproto $proto)
 	local algo_args="$(generate_algo_args $proto $algo)"
 
 	rump_server_crypto_start $SOCK_LOCAL netinet6 netipsec
@@ -157,13 +186,30 @@ test_ipsec6_transport()
 	check_sa_entries $SOCK_PEER $ip_local $ip_peer
 
 	export RUMP_SERVER=$SOCK_LOCAL
-	atf_check -s exit:0 -o ignore rump.ping6 -c 1 -n -X 3 $ip_peer
-
-	extract_new_packets $BUS > $outfile
-	atf_check -s exit:0 -o match:"$ip_local > $ip_peer: $proto_cap" \
-	    cat $outfile
-	atf_check -s exit:0 -o match:"$ip_peer > $ip_local: $proto_cap" \
-	    cat $outfile
+	if [ $proto = ipcomp ]; then
+		# IPComp sends a packet as-is if a compressed payload of
+		# the packet is greater than or equal to the original payload.
+		# So we have to fill a payload with 1 to let IPComp always send
+		# a compressed packet.
+
+		# pktsize == minlen - 1
+		pktsize=$(($(get_minlen $algo) - 8 - 1))
+		atf_check -s exit:0 -o ignore \
+		    rump.ping6 -c 1 -n -X 3 -s $pktsize -p ff $ip_peer
+		extract_new_packets $BUS > $outfile
+		check_packets $outfile $ip_local $ip_peer ICMP6
+
+		# pktsize == minlen
+		pktsize=$(($(get_minlen $algo) - 8))
+		atf_check -s exit:0 -o ignore \
+		    rump.ping6 -c 1 -n -X 3 -s $pktsize -p ff $ip_peer
+		extract_new_packets $BUS > $outfile
+		check_packets $outfile $ip_local $ip_peer $pktproto
+	else
+		atf_check -s exit:0 -o ignore rump.ping6 -c 1 -n -X 3 $ip_peer
+		extract_new_packets $BUS > $outfile
+		check_packets $outfile $ip_local $ip_peer $pktproto
+	fi
 
 	test_flush_entries $SOCK_LOCAL
 	test_flush_entries $SOCK_PEER
@@ -223,4 +269,8 @@ atf_init_test_cases()
 		add_test_transport_mode ipv4 ah $algo
 		add_test_transport_mode ipv6 ah $algo
 	done
+	for algo in $IPCOMP_COMPRESSION_ALGORITHMS; do
+		add_test_transport_mode ipv4 ipcomp $algo
+		add_test_transport_mode ipv6 ipcomp $algo
+	done
 }

Index: src/tests/net/ipsec/common.sh
diff -u src/tests/net/ipsec/common.sh:1.3 src/tests/net/ipsec/common.sh:1.4
--- src/tests/net/ipsec/common.sh:1.3	Mon May 15 09:56:47 2017
+++ src/tests/net/ipsec/common.sh	Mon Jul  3 06:01:16 2017
@@ -1,4 +1,4 @@
-#	$NetBSD: common.sh,v 1.3 2017/05/15 09:56:47 ozaki-r Exp $
+#	$NetBSD: common.sh,v 1.4 2017/07/03 06:01:16 ozaki-r Exp $
 #
 # Copyright (c) 2017 Internet Initiative Japan Inc.
 # All rights reserved.
@@ -53,3 +53,14 @@ check_sa_entries()
 	    $HIJACKING setkey -D
 	# TODO: more detail checks
 }
+
+generate_pktproto()
+{
+	local proto=$1
+
+	if [ $proto = ipcomp ]; then
+		echo IPComp
+	else
+		echo $proto | tr 'a-z' 'A-Z'
+	fi
+}

Added files:

Index: src/tests/net/ipsec/t_ipsec_tunnel_ipcomp.sh
diff -u /dev/null src/tests/net/ipsec/t_ipsec_tunnel_ipcomp.sh:1.1
--- /dev/null	Mon Jul  3 06:01:16 2017
+++ src/tests/net/ipsec/t_ipsec_tunnel_ipcomp.sh	Mon Jul  3 06:01:16 2017
@@ -0,0 +1,409 @@
+#	$NetBSD: t_ipsec_tunnel_ipcomp.sh,v 1.1 2017/07/03 06:01:16 ozaki-r Exp $
+#
+# Copyright (c) 2017 Internet Initiative Japan Inc.
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+#    notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+#    notice, this list of conditions and the following disclaimer in the
+#    documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
+# ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+# TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+# PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+# POSSIBILITY OF SUCH DAMAGE.
+#
+
+SOCK_LOCAL=unix://ipsec_local
+SOCK_TUNNEL_LOCAL=unix://ipsec_tunel_local
+SOCK_TUNNEL_REMOTE=unix://ipsec_tunnel_remote
+SOCK_REMOTE=unix://ipsec_remote
+BUS_LOCAL=./bus_ipsec_local
+BUS_TUNNEL=./bus_ipsec_tunnel
+BUS_REMOTE=./bus_ipsec_remote
+
+DEBUG=${DEBUG:-false}
+
+setup_servers()
+{
+
+	# See https://www.netbsd.org/docs/network/ipsec/#sample_vpn
+	rump_server_crypto_start $SOCK_LOCAL netinet6
+	rump_server_crypto_start $SOCK_TUNNEL_LOCAL netipsec netinet6
+	rump_server_crypto_start $SOCK_TUNNEL_REMOTE netipsec netinet6
+	rump_server_crypto_start $SOCK_REMOTE netinet6
+	rump_server_add_iface $SOCK_LOCAL shmif0 $BUS_LOCAL
+	rump_server_add_iface $SOCK_TUNNEL_LOCAL shmif0 $BUS_LOCAL
+	rump_server_add_iface $SOCK_TUNNEL_LOCAL shmif1 $BUS_TUNNEL
+	rump_server_add_iface $SOCK_TUNNEL_REMOTE shmif0 $BUS_REMOTE
+	rump_server_add_iface $SOCK_TUNNEL_REMOTE shmif1 $BUS_TUNNEL
+	rump_server_add_iface $SOCK_REMOTE shmif0 $BUS_REMOTE
+}
+
+check_tunnel_ipcomp_packets()
+{
+	local outfile=$1
+	local osrc=$2
+	local odst=$3
+	local oproto=$4
+	local isrc=$5
+	local idst=$6
+	local iproto=$7
+
+	$DEBUG && cat $outfile
+
+	if [ $oproto = ESP ]; then
+		atf_check -s exit:0 \
+		    -o match:"$osrc > $odst: $oproto" \
+		    cat $outfile
+		atf_check -s exit:0 \
+		    -o match:"$odst > $osrc: $oproto" \
+		    cat $outfile
+		# TODO check the packet lengths to check IPComp is really used
+		return
+	fi
+
+	# AH
+	if [ $iproto = IPComp ]; then
+		atf_check -s exit:0 \
+		    -o match:"$osrc > $odst: $oproto.+: $iproto" \
+		    cat $outfile
+		atf_check -s exit:0 \
+		    -o match:"$odst > $osrc: $oproto.+: $iproto" \
+		    cat $outfile
+	else
+		atf_check -s exit:0 \
+		    -o match:"$osrc > $odst: $oproto.+ $isrc > $idst: $iproto" \
+		    cat $outfile
+		atf_check -s exit:0 \
+		    -o match:"$odst > $osrc: $oproto.+ $idst > $isrc: $iproto" \
+		    cat $outfile
+	fi
+}
+
+test_ipsec4_tunnel_ipcomp()
+{
+	local proto=$1
+	local algo=$2
+	local calgo=$3
+	local ip_local=10.0.1.2
+	local ip_gw_local=10.0.1.1
+	local ip_gw_local_tunnel=20.0.0.1
+	local ip_gw_remote_tunnel=20.0.0.2
+	local ip_gw_remote=10.0.2.1
+	local ip_remote=10.0.2.2
+	local subnet_local=10.0.1.0
+	local subnet_remote=10.0.2.0
+	local tmpfile=./tmp
+	local outfile=./out
+	local pktproto=$(generate_pktproto $proto)
+	local algo_args="$(generate_algo_args $proto $algo)"
+
+	setup_servers
+
+	export RUMP_SERVER=$SOCK_LOCAL
+	atf_check -s exit:0 rump.sysctl -q -w net.inet.ip.dad_count=0
+	atf_check -s exit:0 rump.ifconfig shmif0 $ip_local/24
+	atf_check -s exit:0 -o ignore \
+	    rump.route -n add -net $subnet_remote $ip_gw_local
+
+	export RUMP_SERVER=$SOCK_TUNNEL_LOCAL
+	atf_check -s exit:0 rump.sysctl -q -w net.inet.ip.dad_count=0
+	atf_check -s exit:0 rump.ifconfig shmif0 $ip_gw_local/24
+	atf_check -s exit:0 rump.ifconfig shmif1 $ip_gw_local_tunnel/24
+	atf_check -s exit:0 rump.sysctl -q -w net.inet.ip.forwarding=1
+	atf_check -s exit:0 -o ignore \
+	    rump.route -n add -net $subnet_remote $ip_gw_remote_tunnel
+	rump.sysctl -a |grep ipsec
+
+	export RUMP_SERVER=$SOCK_TUNNEL_REMOTE
+	atf_check -s exit:0 rump.sysctl -q -w net.inet.ip.dad_count=0
+	atf_check -s exit:0 rump.ifconfig shmif0 $ip_gw_remote/24
+	atf_check -s exit:0 rump.ifconfig shmif1 $ip_gw_remote_tunnel/24
+	atf_check -s exit:0 rump.sysctl -q -w net.inet.ip.forwarding=1
+	atf_check -s exit:0 -o ignore \
+	    rump.route -n add -net $subnet_local $ip_gw_local_tunnel
+
+	export RUMP_SERVER=$SOCK_REMOTE
+	atf_check -s exit:0 rump.sysctl -q -w net.inet.ip.dad_count=0
+	atf_check -s exit:0 rump.ifconfig shmif0 $ip_remote/24
+	atf_check -s exit:0 -o ignore \
+	    rump.route -n add -net $subnet_local $ip_gw_remote
+
+	extract_new_packets $BUS_TUNNEL > $outfile
+
+	export RUMP_SERVER=$SOCK_LOCAL
+	atf_check -s exit:0 -o ignore rump.ping -c 1 -n -w 3 $ip_remote
+
+	extract_new_packets $BUS_TUNNEL > $outfile
+	atf_check -s exit:0 \
+	    -o match:"$ip_local > $ip_remote: ICMP echo request" \
+	    cat $outfile
+	atf_check -s exit:0 \
+	    -o match:"$ip_remote > $ip_local: ICMP echo reply" \
+	    cat $outfile
+
+	export RUMP_SERVER=$SOCK_TUNNEL_LOCAL
+	# from https://www.netbsd.org/docs/network/ipsec/
+	cat > $tmpfile <<-EOF
+	add $ip_gw_local_tunnel $ip_gw_remote_tunnel $proto 10000 $algo_args;
+	add $ip_gw_remote_tunnel $ip_gw_local_tunnel $proto 10001 $algo_args;
+	add $ip_gw_local_tunnel $ip_gw_remote_tunnel ipcomp 10000 -C $calgo;
+	add $ip_gw_remote_tunnel $ip_gw_local_tunnel ipcomp 10001 -C $calgo;
+	spdadd $subnet_local/24 $subnet_remote/24 any -P out ipsec
+	    ipcomp/tunnel/$ip_gw_local_tunnel-$ip_gw_remote_tunnel/require
+	    $proto/transport//require;
+	spdadd $subnet_remote/24 $subnet_local/24 any -P in ipsec
+	    ipcomp/tunnel/$ip_gw_remote_tunnel-$ip_gw_local_tunnel/require
+	    $proto/transport//require;
+	EOF
+	$DEBUG && cat $tmpfile
+	atf_check -s exit:0 -o empty $HIJACKING setkey -c < $tmpfile
+	check_sa_entries $SOCK_TUNNEL_LOCAL $ip_gw_local_tunnel \
+	    $ip_gw_remote_tunnel
+
+	export RUMP_SERVER=$SOCK_TUNNEL_REMOTE
+	cat > $tmpfile <<-EOF
+	add $ip_gw_local_tunnel $ip_gw_remote_tunnel $proto 10000 $algo_args;
+	add $ip_gw_remote_tunnel $ip_gw_local_tunnel $proto 10001 $algo_args;
+	add $ip_gw_local_tunnel $ip_gw_remote_tunnel ipcomp 10000 -C $calgo;
+	add $ip_gw_remote_tunnel $ip_gw_local_tunnel ipcomp 10001 -C $calgo;
+	spdadd $subnet_remote/24 $subnet_local/24 any -P out ipsec
+	    ipcomp/tunnel/$ip_gw_remote_tunnel-$ip_gw_local_tunnel/require
+	    $proto/transport//require;
+	spdadd $subnet_local/24 $subnet_remote/24 any -P in ipsec
+	    ipcomp/tunnel/$ip_gw_local_tunnel-$ip_gw_remote_tunnel/require
+	    $proto/transport//require;
+	EOF
+	$DEBUG && cat $tmpfile
+	atf_check -s exit:0 -o empty $HIJACKING setkey -c < $tmpfile
+	check_sa_entries $SOCK_TUNNEL_REMOTE $ip_gw_local_tunnel \
+	    $ip_gw_remote_tunnel
+
+	export RUMP_SERVER=$SOCK_LOCAL
+	# IPComp sends a packet as-is if a compressed payload of
+	# the packet is greater than or equal to the original payload.
+	# So we have to fill a payload with 1 to let IPComp always send
+	# a compressed packet.
+
+	# pktsize == minlen - 1
+	pktsize=$(($(get_minlen deflate) - 8 - 20 - 1))
+	atf_check -s exit:0 -o ignore \
+	    rump.ping -c 1 -n -w 3 -s $pktsize -p ff $ip_remote
+	extract_new_packets $BUS_TUNNEL > $outfile
+	check_tunnel_ipcomp_packets $outfile \
+	    $ip_gw_local_tunnel $ip_gw_remote_tunnel $pktproto \
+	    $ip_local $ip_remote ICMP
+
+	# pktsize == minlen
+	pktsize=$(($(get_minlen deflate) - 8 - 20))
+	atf_check -s exit:0 -o ignore \
+	    rump.ping -c 1 -n -w 3 -s $pktsize -p ff $ip_remote
+	extract_new_packets $BUS_TUNNEL > $outfile
+	check_tunnel_ipcomp_packets $outfile \
+	    $ip_gw_local_tunnel $ip_gw_remote_tunnel $pktproto \
+	    $ip_local $ip_remote IPComp
+
+	test_flush_entries $SOCK_TUNNEL_LOCAL
+	test_flush_entries $SOCK_TUNNEL_REMOTE
+}
+
+test_ipsec6_tunnel_ipcomp()
+{
+	local proto=$1
+	local algo=$2
+	local calgo=$3
+	local ip_local=fd00:1::2
+	local ip_gw_local=fd00:1::1
+	local ip_gw_local_tunnel=fc00::1
+	local ip_gw_remote_tunnel=fc00::2
+	local ip_gw_remote=fd00:2::1
+	local ip_remote=fd00:2::2
+	local subnet_local=fd00:1::
+	local subnet_remote=fd00:2::
+	local tmpfile=./tmp
+	local outfile=./out
+	local pktproto=$(generate_pktproto $proto)
+	local algo_args="$(generate_algo_args $proto $algo)"
+
+	setup_servers
+
+	export RUMP_SERVER=$SOCK_LOCAL
+	atf_check -s exit:0 rump.sysctl -q -w net.inet6.ip6.dad_count=0
+	atf_check -s exit:0 rump.ifconfig shmif0 inet6 $ip_local/64
+	atf_check -s exit:0 -o ignore \
+	    rump.route -n add -inet6 -net $subnet_remote/64 $ip_gw_local
+
+	export RUMP_SERVER=$SOCK_TUNNEL_LOCAL
+	atf_check -s exit:0 rump.sysctl -q -w net.inet6.ip6.dad_count=0
+	atf_check -s exit:0 rump.ifconfig shmif0 inet6 $ip_gw_local/64
+	atf_check -s exit:0 rump.ifconfig shmif1 inet6 $ip_gw_local_tunnel/64
+	atf_check -s exit:0 rump.sysctl -q -w net.inet6.ip6.forwarding=1
+	atf_check -s exit:0 -o ignore \
+	    rump.route -n add -inet6 -net $subnet_remote/64 $ip_gw_remote_tunnel
+
+	export RUMP_SERVER=$SOCK_TUNNEL_REMOTE
+	atf_check -s exit:0 rump.sysctl -q -w net.inet6.ip6.dad_count=0
+	atf_check -s exit:0 rump.ifconfig shmif0 inet6 $ip_gw_remote/64
+	atf_check -s exit:0 rump.ifconfig shmif1 inet6 $ip_gw_remote_tunnel/64
+	atf_check -s exit:0 rump.sysctl -q -w net.inet6.ip6.forwarding=1
+	atf_check -s exit:0 -o ignore \
+	    rump.route -n add -inet6 -net $subnet_local/64 $ip_gw_local_tunnel
+
+	export RUMP_SERVER=$SOCK_REMOTE
+	atf_check -s exit:0 rump.sysctl -q -w net.inet6.ip6.dad_count=0
+	atf_check -s exit:0 rump.ifconfig shmif0 inet6 $ip_remote
+	atf_check -s exit:0 -o ignore \
+	    rump.route -n add -inet6 -net $subnet_local/64 $ip_gw_remote
+
+	extract_new_packets $BUS_TUNNEL > $outfile
+
+	export RUMP_SERVER=$SOCK_LOCAL
+	atf_check -s exit:0 -o ignore rump.ping6 -c 1 -n -X 3 $ip_remote
+
+	extract_new_packets $BUS_TUNNEL > $outfile
+	atf_check -s exit:0 \
+	    -o match:"$ip_local > $ip_remote: ICMP6, echo request" \
+	    cat $outfile
+	atf_check -s exit:0 \
+	    -o match:"$ip_remote > $ip_local: ICMP6, echo reply" \
+	    cat $outfile
+
+	export RUMP_SERVER=$SOCK_TUNNEL_LOCAL
+	# from https://www.netbsd.org/docs/network/ipsec/
+	cat > $tmpfile <<-EOF
+	add $ip_gw_local_tunnel $ip_gw_remote_tunnel $proto 10000 $algo_args;
+	add $ip_gw_remote_tunnel $ip_gw_local_tunnel $proto 10001 $algo_args;
+	add $ip_gw_local_tunnel $ip_gw_remote_tunnel ipcomp 10000 -C $calgo;
+	add $ip_gw_remote_tunnel $ip_gw_local_tunnel ipcomp 10001 -C $calgo;
+	spdadd $subnet_local/64 $subnet_remote/64 any -P out ipsec
+	    ipcomp/tunnel/$ip_gw_local_tunnel-$ip_gw_remote_tunnel/require
+	    $proto/transport//require;
+	spdadd $subnet_remote/64 $subnet_local/64 any -P in ipsec
+	    ipcomp/tunnel/$ip_gw_remote_tunnel-$ip_gw_local_tunnel/require
+	    $proto/transport//require;
+	EOF
+	$DEBUG && cat $tmpfile
+	atf_check -s exit:0 -o empty $HIJACKING setkey -c < $tmpfile
+	check_sa_entries $SOCK_TUNNEL_LOCAL $ip_gw_local_tunnel \
+	    $ip_gw_remote_tunnel
+
+	export RUMP_SERVER=$SOCK_TUNNEL_REMOTE
+	cat > $tmpfile <<-EOF
+	add $ip_gw_local_tunnel $ip_gw_remote_tunnel $proto 10000 $algo_args;
+	add $ip_gw_remote_tunnel $ip_gw_local_tunnel $proto 10001 $algo_args;
+	add $ip_gw_local_tunnel $ip_gw_remote_tunnel ipcomp 10000 -C $calgo;
+	add $ip_gw_remote_tunnel $ip_gw_local_tunnel ipcomp 10001 -C $calgo;
+	spdadd $subnet_remote/64 $subnet_local/64 any -P out ipsec
+	    ipcomp/tunnel/$ip_gw_remote_tunnel-$ip_gw_local_tunnel/require
+	    $proto/transport//require;
+	spdadd $subnet_local/64 $subnet_remote/64 any -P in ipsec
+	    ipcomp/tunnel/$ip_gw_local_tunnel-$ip_gw_remote_tunnel/require
+	    $proto/transport//require;
+	EOF
+	$DEBUG && cat $tmpfile
+	atf_check -s exit:0 -o empty $HIJACKING setkey -c < $tmpfile
+	check_sa_entries $SOCK_TUNNEL_REMOTE $ip_gw_local_tunnel \
+	    $ip_gw_remote_tunnel
+
+	export RUMP_SERVER=$SOCK_LOCAL
+
+	# IPComp sends a packet as-is if a compressed payload of
+	# the packet is greater than or equal to the original payload.
+	# So we have to fill a payload with 1 to let IPComp always send
+	# a compressed packet.
+
+	# pktsize == minlen - 1
+
+	pktsize=$(($(get_minlen deflate) - 8 - 40 - 1))
+	atf_check -s exit:0 -o ignore \
+	    rump.ping6 -c 1 -n -X 3 -s $pktsize -p ff $ip_remote
+	extract_new_packets $BUS_TUNNEL > $outfile
+	check_tunnel_ipcomp_packets $outfile \
+	    $ip_gw_local_tunnel $ip_gw_remote_tunnel $pktproto \
+	    $ip_local $ip_remote ICMP6
+
+	# pktsize == minlen
+	pktsize=$(($(get_minlen deflate) - 8 - 40))
+	atf_check -s exit:0 -o ignore \
+	    rump.ping6 -c 1 -n -X 3 -s $pktsize -p ff $ip_remote
+	extract_new_packets $BUS_TUNNEL > $outfile
+	check_tunnel_ipcomp_packets $outfile \
+	    $ip_gw_local_tunnel $ip_gw_remote_tunnel $pktproto \
+	    $ip_local $ip_remote IPComp
+
+	test_flush_entries $SOCK_TUNNEL_LOCAL
+	test_flush_entries $SOCK_TUNNEL_REMOTE
+}
+
+test_tunnel_ipcomp_common()
+{
+	local ipproto=$1
+	local proto=$2
+	local algo=$3
+	local calgo=$4
+
+	if [ $ipproto = ipv4 ]; then
+		test_ipsec4_tunnel_ipcomp $proto $algo $calgo
+	else
+		test_ipsec6_tunnel_ipcomp $proto $algo $calgo
+	fi
+}
+
+add_test_tunnel_mode()
+{
+	local ipproto=$1
+	local proto=$2
+	local algo=$3
+	local calgo=$4
+	local _algo=$(echo $algo | sed 's/-//g')
+	local name= desc=
+
+	name="ipsec_tunnel_ipcomp_${calgo}_${ipproto}_${proto}_${_algo}"
+	desc="Tests of IPsec ($ipproto) tunnel mode with $proto ($algo) and ipcomp ($calgo)"
+
+	atf_test_case ${name} cleanup
+	eval "								\
+	    ${name}_head() {						\
+	        atf_set \"descr\" \"$desc\";				\
+	        atf_set \"require.progs\" \"rump_server\" \"setkey\";	\
+	    };								\
+	    ${name}_body() {						\
+	        test_tunnel_ipcomp_common $ipproto $proto $algo $calgo;	\
+	        rump_server_destroy_ifaces;				\
+	    };								\
+	    ${name}_cleanup() {						\
+	        $DEBUG && dump;						\
+	        cleanup;						\
+	    }								\
+	"
+	atf_add_test_case ${name}
+}
+
+atf_init_test_cases()
+{
+	local calgo= algo=
+
+	for calgo in $IPCOMP_COMPRESSION_ALGORITHMS; do
+		for algo in $ESP_ENCRYPTION_ALGORITHMS_MINIMUM; do
+			add_test_tunnel_mode ipv4 esp $algo $calgo
+			add_test_tunnel_mode ipv6 esp $algo $calgo
+		done
+
+		for algo in $AH_AUTHENTICATION_ALGORITHMS_MINIMUM; do
+			add_test_tunnel_mode ipv4 ah $algo $calgo
+			add_test_tunnel_mode ipv6 ah $algo $calgo
+		done
+	done
+}

Reply via email to