Source-Changes-HG archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
[src/trunk]: src Add tests for ipsec
details: https://anonhg.NetBSD.org/src/rev/3f3d5cb3f0c9
branches: trunk
changeset: 823156:3f3d5cb3f0c9
user: ozaki-r <ozaki-r%NetBSD.org@localhost>
date: Fri Apr 14 02:56:48 2017 +0000
description:
Add tests for ipsec
- Check if setkey correctly handles algorithms for AH/ESP
- Check IPsec of transport mode with AH/ESP over IPv4/IPv6
- Check IPsec of tunnel mode with AH/ESP over IPv4/IPv6
diffstat:
distrib/sets/lists/tests/mi | 10 +-
etc/mtree/NetBSD.dist.tests | 3 +-
tests/net/Makefile | 6 +-
tests/net/ipsec/Makefile | 14 +
tests/net/ipsec/algorithms.sh | 160 +++++++++++++++
tests/net/ipsec/t_ipsec_ah_keys.sh | 159 +++++++++++++++
tests/net/ipsec/t_ipsec_esp_keys.sh | 159 +++++++++++++++
tests/net/ipsec/t_ipsec_sysctl.sh | 161 ++++++++++++++++
tests/net/ipsec/t_ipsec_transport.sh | 258 +++++++++++++++++++++++++
tests/net/ipsec/t_ipsec_tunnel.sh | 352 +++++++++++++++++++++++++++++++++++
tests/net/net_common.sh | 22 ++-
11 files changed, 1298 insertions(+), 6 deletions(-)
diffs (truncated from 1395 to 300 lines):
diff -r 1bfb5cee4780 -r 3f3d5cb3f0c9 distrib/sets/lists/tests/mi
--- a/distrib/sets/lists/tests/mi Fri Apr 14 02:43:27 2017 +0000
+++ b/distrib/sets/lists/tests/mi Fri Apr 14 02:56:48 2017 +0000
@@ -1,4 +1,4 @@
-# $NetBSD: mi,v 1.733 2017/04/03 05:06:28 kamil Exp $
+# $NetBSD: mi,v 1.734 2017/04/14 02:56:48 ozaki-r Exp $
#
# Note: don't delete entries from here - mark them as "obsolete" instead.
#
@@ -3293,6 +3293,14 @@
./usr/tests/net/in_cksum/Kyuafile tests-net-tests compattestfile,atf,kyua
./usr/tests/net/in_cksum/in_cksum tests-net-tests compattestfile,atf
./usr/tests/net/in_cksum/t_in_cksum tests-net-tests compattestfile,atf
+./usr/tests/net/ipsec tests-net-tests compattestfile,atf
+./usr/tests/net/ipsec/Atffile tests-net-tests atf,rump
+./usr/tests/net/ipsec/Kyuafile tests-net-tests atf,rump,kyua
+./usr/tests/net/ipsec/t_ipsec_ah_keys tests-net-tests atf,rump
+./usr/tests/net/ipsec/t_ipsec_esp_keys tests-net-tests atf,rump
+./usr/tests/net/ipsec/t_ipsec_sysctl tests-net-tests atf,rump
+./usr/tests/net/ipsec/t_ipsec_transport tests-net-tests atf,rump
+./usr/tests/net/ipsec/t_ipsec_tunnel tests-net-tests atf,rump
./usr/tests/net/mcast tests-net-tests compattestfile,atf
./usr/tests/net/mcast/Atffile tests-net-tests atf,rump
./usr/tests/net/mcast/Kyuafile tests-net-tests atf,rump,kyua
diff -r 1bfb5cee4780 -r 3f3d5cb3f0c9 etc/mtree/NetBSD.dist.tests
--- a/etc/mtree/NetBSD.dist.tests Fri Apr 14 02:43:27 2017 +0000
+++ b/etc/mtree/NetBSD.dist.tests Fri Apr 14 02:56:48 2017 +0000
@@ -1,4 +1,4 @@
-# $NetBSD: NetBSD.dist.tests,v 1.144 2017/04/03 04:33:32 kamil Exp $
+# $NetBSD: NetBSD.dist.tests,v 1.145 2017/04/14 02:56:48 ozaki-r Exp $
./usr/libdata/debug/usr/tests
./usr/libdata/debug/usr/tests/atf
@@ -338,6 +338,7 @@
./usr/tests/net/if_tun
./usr/tests/net/if_vlan
./usr/tests/net/in_cksum
+./usr/tests/net/ipsec
./usr/tests/net/mcast
./usr/tests/net/mpls
./usr/tests/net/net
diff -r 1bfb5cee4780 -r 3f3d5cb3f0c9 tests/net/Makefile
--- a/tests/net/Makefile Fri Apr 14 02:43:27 2017 +0000
+++ b/tests/net/Makefile Fri Apr 14 02:56:48 2017 +0000
@@ -1,4 +1,4 @@
-# $NetBSD: Makefile,v 1.31 2017/02/16 08:44:47 knakahara Exp $
+# $NetBSD: Makefile,v 1.32 2017/04/14 02:56:48 ozaki-r Exp $
.include <bsd.own.mk>
@@ -7,8 +7,8 @@
TESTS_SUBDIRS= fdpass in_cksum net sys
.if (${MKRUMP} != "no") && !defined(BSD_MK_COMPAT_FILE)
TESTS_SUBDIRS+= arp bpf bpfilter carp icmp if if_bridge if_gif if_l2tp
-TESTS_SUBDIRS+= if_loop if_pppoe if_tap if_tun mcast mpls ndp npf route
-TESTS_SUBDIRS+= if_vlan
+TESTS_SUBDIRS+= if_loop if_pppoe if_tap if_tun ipsec mcast mpls ndp npf
+TESTS_SUBDIRS+= route if_vlan
.if (${MKSLJIT} != "no")
TESTS_SUBDIRS+= bpfjit
.endif
diff -r 1bfb5cee4780 -r 3f3d5cb3f0c9 tests/net/ipsec/Makefile
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/tests/net/ipsec/Makefile Fri Apr 14 02:56:48 2017 +0000
@@ -0,0 +1,14 @@
+# $NetBSD: Makefile,v 1.1 2017/04/14 02:56:49 ozaki-r Exp $
+#
+
+.include <bsd.own.mk>
+
+TESTSDIR= ${TESTSBASE}/net/ipsec
+
+.for name in ipsec_ah_keys ipsec_esp_keys ipsec_sysctl ipsec_transport \
+ ipsec_tunnel
+TESTS_SH+= t_${name}
+TESTS_SH_SRC_t_${name}= ../net_common.sh ./algorithms.sh t_${name}.sh
+.endfor
+
+.include <bsd.test.mk>
diff -r 1bfb5cee4780 -r 3f3d5cb3f0c9 tests/net/ipsec/algorithms.sh
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/tests/net/ipsec/algorithms.sh Fri Apr 14 02:56:48 2017 +0000
@@ -0,0 +1,160 @@
+# $NetBSD: algorithms.sh,v 1.1 2017/04/14 02:56:49 ozaki-r Exp $
+#
+# Copyright (c) 2017 Internet Initiative Japan Inc.
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
+# ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+# TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+# POSSIBILITY OF SUCH DAMAGE.
+#
+
+ESP_ENCRYPTION_ALGORITHMS="des-cbc 3des-cbc null blowfish-cbc cast128-cbc \
+ des-deriv rijndael-cbc aes-ctr camellia-cbc aes-gcm-16 aes-gmac"
+
+# Valid key lengths of ESP encription algorithms
+# des-cbc 64
+# 3des-cbc 192
+# null 0 to 2048 XXX only accept 0 length
+# blowfish-cbc 40 to 448
+# cast128-cbc 40 to 128
+# des-deriv 64
+# 3des-deriv 192 XXX not implemented
+# rijndael-cbc 128/192/256
+# twofish-cbc 0 to 256 XXX not supported
+# aes-ctr 160/224/288
+# camellia-cbc 128/192/256
+# aes-gcm-16 160/224/288
+# aes-gmac 160/224/288
+valid_keys_descbc="64"
+invalid_keys_descbc="56 72"
+valid_keys_3descbc="192"
+invalid_keys_3descbc="184 200"
+#valid_keys_null="0 2048"
+valid_keys_null="0"
+invalid_keys_null="8"
+valid_keys_blowfishcbc="40 448"
+invalid_keys_blowfishcbc="32 456"
+valid_keys_cast128cbc="40 128"
+invalid_keys_cast128cbc="32 136"
+valid_keys_desderiv="64"
+invalid_keys_desderiv="56 72"
+#valid_keys_3desderiv="192"
+#invalid_keys_3desderiv="184 200"
+valid_keys_rijndaelcbc="128 192 256"
+invalid_keys_rijndaelcbc="120 136 184 200 248 264"
+#valid_keys_twofishcbc="0 256"
+#invalid_keys_twofishcbc="264"
+valid_keys_aesctr="160 224 288"
+invalid_keys_aesctr="152 168 216 232 280 296"
+valid_keys_camelliacbc="128 192 256"
+invalid_keys_camelliacbc="120 136 184 200 248 264"
+valid_keys_aesgcm16="160 224 288"
+invalid_keys_aesgcm16="152 168 216 232 280 296"
+valid_keys_aesgmac="160 224 288"
+invalid_keys_aesgmac="152 168 216 232 280 296"
+
+AH_AUTHENTICATION_ALGORITHMS="hmac-md5 hmac-sha1 keyed-md5 keyed-sha1 null \
+ hmac-sha256 hmac-sha384 hmac-sha512 hmac-ripemd160 aes-xcbc-mac"
+
+# Valid key lengths of AH authentication algorithms
+# hmac-md5 128
+# hmac-sha1 160
+# keyed-md5 128
+# keyed-sha1 160
+# null 0 to 2048
+# hmac-sha256 256
+# hmac-sha384 384
+# hmac-sha512 512
+# hmac-ripemd160 160
+# aes-xcbc-mac 128
+# tcp-md5 8 to 640 XXX not enabled in rump kernels
+valid_keys_hmacmd5="128"
+invalid_keys_hmacmd5="120 136"
+valid_keys_hmacsha1="160"
+invalid_keys_hmacsha1="152 168"
+valid_keys_keyedmd5="128"
+invalid_keys_keyedmd5="120 136"
+valid_keys_keyedsha1="160"
+invalid_keys_keyedsha1="152 168"
+#valid_keys_null="0 2048"
+valid_keys_null="0"
+invalid_keys_null="8"
+valid_keys_hmacsha256="256"
+invalid_keys_hmacsha256="248 264"
+valid_keys_hmacsha384="384"
+invalid_keys_hmacsha384="376 392"
+valid_keys_hmacsha512="512"
+invalid_keys_hmacsha512="504 520"
+valid_keys_hmacripemd160="160"
+invalid_keys_hmacripemd160="152 168"
+valid_keys_aesxcbcmac="128"
+invalid_keys_aesxcbcmac="120 136"
+#valid_keys_tcpmd5="8 640"
+#invalid_keys_tcpmd5="648"
+
+get_one_valid_keylen()
+{
+ local algo=$1
+ local _algo=$(echo $algo | sed 's/-//g')
+ local len=
+ local keylengths=
+
+ eval keylengths="\$valid_keys_${_algo}"
+
+ for len in $(echo $keylengths); do
+ break;
+ done
+
+ echo $len
+}
+
+get_valid_keylengths()
+{
+ local algo=$1
+ local _algo=$(echo $algo | sed 's/-//g')
+
+ eval keylengths="\$valid_keys_${_algo}"
+ echo $keylengths
+}
+
+get_invalid_keylengths()
+{
+ local algo=$1
+ local _algo=$(echo $algo | sed 's/-//g')
+
+ eval keylengths="\$invalid_keys_${_algo}"
+ echo $keylengths
+}
+
+generate_key()
+{
+ local keylen=$(($1 / 8))
+ local key=
+
+ while [ $keylen -gt 0 ]; do
+ key="${key}a"
+ keylen=$((keylen - 1))
+ done
+ if [ ! -z "$key" ]; then
+ key="\"$key\""
+ fi
+
+ echo $key
+}
diff -r 1bfb5cee4780 -r 3f3d5cb3f0c9 tests/net/ipsec/t_ipsec_ah_keys.sh
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/tests/net/ipsec/t_ipsec_ah_keys.sh Fri Apr 14 02:56:48 2017 +0000
@@ -0,0 +1,159 @@
+# $NetBSD: t_ipsec_ah_keys.sh,v 1.1 2017/04/14 02:56:49 ozaki-r Exp $
+#
+# Copyright (c) 2017 Internet Initiative Japan Inc.
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
+# ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+# TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+# POSSIBILITY OF SUCH DAMAGE.
+#
+
+SOCK_LOCAL=unix://ipsec_local
+
+DEBUG=${DEBUG:-false}
+
+test_ah_valid_keys_common()
+{
+ local aalgo=$1
+ local key=
+ local tmpfile=./tmp
+ local len=
+
+ rump_server_crypto_start $SOCK_LOCAL netipsec
+
+ export RUMP_SERVER=$SOCK_LOCAL
+
+ for len in $(get_valid_keylengths $aalgo); do
+ key=$(generate_key $len)
+ cat > $tmpfile <<-EOF
+ add 10.0.0.1 10.0.0.2 ah 10000 -A $aalgo $key;
+ EOF
+ $DEBUG && cat $tmpfile
+ atf_check -s exit:0 -o empty $HIJACKING setkey -c < $tmpfile
+ atf_check -s exit:0 -o match:'10.0.0.1 10.0.0.2' \
+ $HIJACKING setkey -D
+ # TODO: more detail checks
+
Home |
Main Index |
Thread Index |
Old Index