

[src/trunk]: src Add tests for ipsec



details:   https://anonhg.NetBSD.org/src/rev/5c3cb53551ed
branches:  trunk
changeset: 352905:5c3cb53551ed
user:      ozaki-r <ozaki-r%NetBSD.org@localhost>
date:      Fri Apr 14 02:56:48 2017 +0000

description:
Add tests for ipsec

- Check if setkey correctly handles algorithms for AH/ESP
- Check IPsec transport mode with AH/ESP over IPv4/IPv6
- Check IPsec tunnel mode with AH/ESP over IPv4/IPv6

diffstat:

 distrib/sets/lists/tests/mi          |   10 +-
 etc/mtree/NetBSD.dist.tests          |    3 +-
 tests/net/Makefile                   |    6 +-
 tests/net/ipsec/Makefile             |   14 +
 tests/net/ipsec/algorithms.sh        |  160 +++++++++++++++
 tests/net/ipsec/t_ipsec_ah_keys.sh   |  159 +++++++++++++++
 tests/net/ipsec/t_ipsec_esp_keys.sh  |  159 +++++++++++++++
 tests/net/ipsec/t_ipsec_sysctl.sh    |  161 ++++++++++++++++
 tests/net/ipsec/t_ipsec_transport.sh |  258 +++++++++++++++++++++++++
 tests/net/ipsec/t_ipsec_tunnel.sh    |  352 +++++++++++++++++++++++++++++++++++
 tests/net/net_common.sh              |   22 ++-
 11 files changed, 1298 insertions(+), 6 deletions(-)

diffs (truncated from 1395 to 300 lines):

diff -r 0dd471d05684 -r 5c3cb53551ed distrib/sets/lists/tests/mi
--- a/distrib/sets/lists/tests/mi       Fri Apr 14 02:43:27 2017 +0000
+++ b/distrib/sets/lists/tests/mi       Fri Apr 14 02:56:48 2017 +0000
@@ -1,4 +1,4 @@
-# $NetBSD: mi,v 1.733 2017/04/03 05:06:28 kamil Exp $
+# $NetBSD: mi,v 1.734 2017/04/14 02:56:48 ozaki-r Exp $
 #
 # Note: don't delete entries from here - mark them as "obsolete" instead.
 #
@@ -3293,6 +3293,14 @@
 ./usr/tests/net/in_cksum/Kyuafile              tests-net-tests         compattestfile,atf,kyua
 ./usr/tests/net/in_cksum/in_cksum              tests-net-tests         compattestfile,atf
 ./usr/tests/net/in_cksum/t_in_cksum            tests-net-tests         compattestfile,atf
+./usr/tests/net/ipsec                          tests-net-tests         compattestfile,atf
+./usr/tests/net/ipsec/Atffile                  tests-net-tests         atf,rump
+./usr/tests/net/ipsec/Kyuafile                 tests-net-tests         atf,rump,kyua
+./usr/tests/net/ipsec/t_ipsec_ah_keys          tests-net-tests         atf,rump
+./usr/tests/net/ipsec/t_ipsec_esp_keys         tests-net-tests         atf,rump
+./usr/tests/net/ipsec/t_ipsec_sysctl           tests-net-tests         atf,rump
+./usr/tests/net/ipsec/t_ipsec_transport                tests-net-tests         atf,rump
+./usr/tests/net/ipsec/t_ipsec_tunnel           tests-net-tests         atf,rump
 ./usr/tests/net/mcast                          tests-net-tests         compattestfile,atf
 ./usr/tests/net/mcast/Atffile                  tests-net-tests         atf,rump
 ./usr/tests/net/mcast/Kyuafile                 tests-net-tests         atf,rump,kyua
diff -r 0dd471d05684 -r 5c3cb53551ed etc/mtree/NetBSD.dist.tests
--- a/etc/mtree/NetBSD.dist.tests       Fri Apr 14 02:43:27 2017 +0000
+++ b/etc/mtree/NetBSD.dist.tests       Fri Apr 14 02:56:48 2017 +0000
@@ -1,4 +1,4 @@
-#      $NetBSD: NetBSD.dist.tests,v 1.144 2017/04/03 04:33:32 kamil Exp $
+#      $NetBSD: NetBSD.dist.tests,v 1.145 2017/04/14 02:56:48 ozaki-r Exp $
 
 ./usr/libdata/debug/usr/tests
 ./usr/libdata/debug/usr/tests/atf
@@ -338,6 +338,7 @@
 ./usr/tests/net/if_tun
 ./usr/tests/net/if_vlan
 ./usr/tests/net/in_cksum
+./usr/tests/net/ipsec
 ./usr/tests/net/mcast
 ./usr/tests/net/mpls
 ./usr/tests/net/net
diff -r 0dd471d05684 -r 5c3cb53551ed tests/net/Makefile
--- a/tests/net/Makefile        Fri Apr 14 02:43:27 2017 +0000
+++ b/tests/net/Makefile        Fri Apr 14 02:56:48 2017 +0000
@@ -1,4 +1,4 @@
-# $NetBSD: Makefile,v 1.31 2017/02/16 08:44:47 knakahara Exp $
+# $NetBSD: Makefile,v 1.32 2017/04/14 02:56:48 ozaki-r Exp $
 
 .include <bsd.own.mk>
 
@@ -7,8 +7,8 @@
 TESTS_SUBDIRS=         fdpass in_cksum net sys
 .if (${MKRUMP} != "no") && !defined(BSD_MK_COMPAT_FILE)
 TESTS_SUBDIRS+=                arp bpf bpfilter carp icmp if if_bridge if_gif if_l2tp
-TESTS_SUBDIRS+=                 if_loop if_pppoe if_tap if_tun mcast mpls ndp npf route
-TESTS_SUBDIRS+=                 if_vlan
+TESTS_SUBDIRS+=                 if_loop if_pppoe if_tap if_tun ipsec mcast mpls ndp npf
+TESTS_SUBDIRS+=                 route if_vlan
 .if (${MKSLJIT} != "no")
 TESTS_SUBDIRS+=                bpfjit
 .endif
diff -r 0dd471d05684 -r 5c3cb53551ed tests/net/ipsec/Makefile
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/tests/net/ipsec/Makefile  Fri Apr 14 02:56:48 2017 +0000
@@ -0,0 +1,14 @@
+# $NetBSD: Makefile,v 1.1 2017/04/14 02:56:49 ozaki-r Exp $
+#
+
+.include <bsd.own.mk>
+
+TESTSDIR=      ${TESTSBASE}/net/ipsec
+
+.for name in ipsec_ah_keys ipsec_esp_keys ipsec_sysctl ipsec_transport \
+    ipsec_tunnel
+TESTS_SH+=             t_${name}
+TESTS_SH_SRC_t_${name}=        ../net_common.sh ./algorithms.sh t_${name}.sh
+.endfor
+
+.include <bsd.test.mk>
diff -r 0dd471d05684 -r 5c3cb53551ed tests/net/ipsec/algorithms.sh
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/tests/net/ipsec/algorithms.sh     Fri Apr 14 02:56:48 2017 +0000
@@ -0,0 +1,160 @@
+#      $NetBSD: algorithms.sh,v 1.1 2017/04/14 02:56:49 ozaki-r Exp $
+#
+# Copyright (c) 2017 Internet Initiative Japan Inc.
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+#    notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+#    notice, this list of conditions and the following disclaimer in the
+#    documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
+# ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+# TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+# PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+# POSSIBILITY OF SUCH DAMAGE.
+#
+
+ESP_ENCRYPTION_ALGORITHMS="des-cbc 3des-cbc null blowfish-cbc cast128-cbc \
+    des-deriv rijndael-cbc aes-ctr camellia-cbc aes-gcm-16 aes-gmac"
+
+# Valid key lengths of ESP encription algorithms
+#    des-cbc         64
+#    3des-cbc        192
+#    null            0 to 2048     XXX only accept 0 length
+#    blowfish-cbc    40 to 448
+#    cast128-cbc     40 to 128
+#    des-deriv       64
+#    3des-deriv      192           XXX not implemented
+#    rijndael-cbc    128/192/256
+#    twofish-cbc     0 to 256      XXX not supported
+#    aes-ctr         160/224/288
+#    camellia-cbc    128/192/256
+#    aes-gcm-16      160/224/288
+#    aes-gmac        160/224/288
+valid_keys_descbc="64"
+invalid_keys_descbc="56 72"
+valid_keys_3descbc="192"
+invalid_keys_3descbc="184 200"
+#valid_keys_null="0 2048"
+valid_keys_null="0"
+invalid_keys_null="8"
+valid_keys_blowfishcbc="40 448"
+invalid_keys_blowfishcbc="32 456"
+valid_keys_cast128cbc="40 128"
+invalid_keys_cast128cbc="32 136"
+valid_keys_desderiv="64"
+invalid_keys_desderiv="56 72"
+#valid_keys_3desderiv="192"
+#invalid_keys_3desderiv="184 200"
+valid_keys_rijndaelcbc="128 192 256"
+invalid_keys_rijndaelcbc="120 136 184 200 248 264"
+#valid_keys_twofishcbc="0 256"
+#invalid_keys_twofishcbc="264"
+valid_keys_aesctr="160 224 288"
+invalid_keys_aesctr="152 168 216 232 280 296"
+valid_keys_camelliacbc="128 192 256"
+invalid_keys_camelliacbc="120 136 184 200 248 264"
+valid_keys_aesgcm16="160 224 288"
+invalid_keys_aesgcm16="152 168 216 232 280 296"
+valid_keys_aesgmac="160 224 288"
+invalid_keys_aesgmac="152 168 216 232 280 296"
+
+AH_AUTHENTICATION_ALGORITHMS="hmac-md5 hmac-sha1 keyed-md5 keyed-sha1 null \
+    hmac-sha256 hmac-sha384 hmac-sha512 hmac-ripemd160 aes-xcbc-mac"
+
+# Valid key lengths of AH authentication algorithms
+#    hmac-md5        128
+#    hmac-sha1       160
+#    keyed-md5       128
+#    keyed-sha1      160
+#    null            0 to 2048
+#    hmac-sha256     256
+#    hmac-sha384     384
+#    hmac-sha512     512
+#    hmac-ripemd160  160
+#    aes-xcbc-mac    128
+#    tcp-md5         8 to 640  XXX not enabled in rump kernels
+valid_keys_hmacmd5="128"
+invalid_keys_hmacmd5="120 136"
+valid_keys_hmacsha1="160"
+invalid_keys_hmacsha1="152 168"
+valid_keys_keyedmd5="128"
+invalid_keys_keyedmd5="120 136"
+valid_keys_keyedsha1="160"
+invalid_keys_keyedsha1="152 168"
+#valid_keys_null="0 2048"
+valid_keys_null="0"
+invalid_keys_null="8"
+valid_keys_hmacsha256="256"
+invalid_keys_hmacsha256="248 264"
+valid_keys_hmacsha384="384"
+invalid_keys_hmacsha384="376 392"
+valid_keys_hmacsha512="512"
+invalid_keys_hmacsha512="504 520"
+valid_keys_hmacripemd160="160"
+invalid_keys_hmacripemd160="152 168"
+valid_keys_aesxcbcmac="128"
+invalid_keys_aesxcbcmac="120 136"
+#valid_keys_tcpmd5="8 640"
+#invalid_keys_tcpmd5="648"
+
+get_one_valid_keylen()
+{
+       local algo=$1
+       local _algo=$(echo $algo | sed 's/-//g')
+       local len=
+       local keylengths=
+
+       eval keylengths="\$valid_keys_${_algo}"
+
+       for len in $(echo $keylengths); do
+               break;
+       done
+
+       echo $len
+}
+
+get_valid_keylengths()
+{
+       local algo=$1
+       local _algo=$(echo $algo | sed 's/-//g')
+
+       eval keylengths="\$valid_keys_${_algo}"
+       echo $keylengths
+}
+
+get_invalid_keylengths()
+{
+       local algo=$1
+       local _algo=$(echo $algo | sed 's/-//g')
+
+       eval keylengths="\$invalid_keys_${_algo}"
+       echo $keylengths
+}
+
+generate_key()
+{
+       local keylen=$(($1 / 8))
+       local key=
+
+       while [ $keylen -gt 0 ]; do
+               key="${key}a"
+               keylen=$((keylen - 1))
+       done
+       if [ ! -z "$key" ]; then
+               key="\"$key\""
+       fi
+
+       echo $key
+}
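Review bot: `get_valid_keylengths` and `get_invalid_keylengths` assign `keylengths` without a `local` declaration, unlike `get_one_valid_keylen` just above them, so every call leaves a `keylengths` global behind in the sourcing test script; add `local keylengths=` after the `_algo` line in both functions. Separately, `valid_keys_null` and `invalid_keys_null` are assigned twice, once in the ESP table and once in the AH table, and the AH assignment silently wins; the values are identical today, but the table comments say ESP null accepts only length 0 while AH null accepts 0 to 2048, so if either side is later changed the shared name will hide the divergence — a per-protocol variable name, or a comment stating that the sharing is intentional, would make this explicit. The first-word loop in `get_one_valid_keylen` can also be written as `set -- $keylengths; len=$1`, avoiding a `for` loop that only ever runs once.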
diff -r 0dd471d05684 -r 5c3cb53551ed tests/net/ipsec/t_ipsec_ah_keys.sh
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/tests/net/ipsec/t_ipsec_ah_keys.sh        Fri Apr 14 02:56:48 2017 +0000
@@ -0,0 +1,159 @@
+#      $NetBSD: t_ipsec_ah_keys.sh,v 1.1 2017/04/14 02:56:49 ozaki-r Exp $
+#
+# Copyright (c) 2017 Internet Initiative Japan Inc.
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+#    notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+#    notice, this list of conditions and the following disclaimer in the
+#    documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
+# ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+# TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+# PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+# POSSIBILITY OF SUCH DAMAGE.
+#
+
+SOCK_LOCAL=unix://ipsec_local
+
+DEBUG=${DEBUG:-false}
+
+test_ah_valid_keys_common()
+{
+       local aalgo=$1
+       local key=
+       local tmpfile=./tmp
+       local len=
+
+       rump_server_crypto_start $SOCK_LOCAL netipsec
+
+       export RUMP_SERVER=$SOCK_LOCAL
+
+       for len in $(get_valid_keylengths $aalgo); do
+               key=$(generate_key $len)
+               cat > $tmpfile <<-EOF
+               add 10.0.0.1 10.0.0.2 ah 10000 -A $aalgo $key;
+               EOF
+               $DEBUG && cat $tmpfile
+               atf_check -s exit:0 -o empty $HIJACKING setkey -c < $tmpfile
+               atf_check -s exit:0 -o match:'10.0.0.1 10.0.0.2' \
+                   $HIJACKING setkey -D
+               # TODO: more detail checks
+


