# $NetBSD: t_ipsec_ah_keys.sh,v 1.2 2017/08/03 03:16:27 ozaki-r Exp $
#
# Copyright (c) 2017 Internet Initiative Japan Inc.
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
# 1. Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# 2. Redistributions in binary form must reproduce the above copyright
# notice, this list of conditions and the following disclaimer in the
# documentation and/or other materials provided with the distribution.
#
# THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
# ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
# TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
# POSSIBILITY OF SUCH DAMAGE.
#
SOCK_LOCAL=unix://ipsec_local
DEBUG=${DEBUG:-false}
test_ah_valid_keys_common()
{
local aalgo=$1
local key=
local tmpfile=./tmp
local len=
rump_server_crypto_start $SOCK_LOCAL netipsec
export RUMP_SERVER=$SOCK_LOCAL
for len in $(get_valid_keylengths $aalgo); do
key=$(generate_key $len)
cat > $tmpfile <<-EOF
add 10.0.0.1 10.0.0.2 ah 10000 -A $aalgo $key;
EOF
$DEBUG && cat $tmpfile
atf_check -s exit:0 -o empty $HIJACKING setkey -c < $tmpfile
atf_check -s exit:0 -o match:'10.0.0.1 10.0.0.2' \
$HIJACKING setkey -D
# TODO: more detail checks
cat > $tmpfile <<-EOF
delete 10.0.0.1 10.0.0.2 ah 10000;
EOF
$DEBUG && cat $tmpfile
atf_check -s exit:0 -o empty $HIJACKING setkey -c < $tmpfile
atf_check -s exit:0 -o match:'No SAD entries.' \
$HIJACKING setkey -D
done
rm -f $tmpfile
}
add_test_valid_keys()
{
local aalgo=$1
local _aalgo=$(echo $aalgo | sed 's/-//g')
local name= desc=
name="ipsec_ah_${_aalgo}_valid_keys"
desc="Tests AH ($aalgo) valid keys"
atf_test_case ${name} cleanup
eval "
${name}_head() {
atf_set descr \"$desc\"
atf_set require.progs rump_server setkey
}
${name}_body() {
test_ah_valid_keys_common $aalgo
}
${name}_cleanup() {
\$DEBUG && dump
cleanup
}
"
atf_add_test_case ${name}
}
test_ah_invalid_keys_common()
{
local aalgo=$1
local key=
local tmpfile=./tmp
local len=
rump_server_crypto_start $SOCK_LOCAL netipsec
export RUMP_SERVER=$SOCK_LOCAL
for len in $(get_invalid_keylengths $aalgo); do
key=$(generate_key $len)
cat > $tmpfile <<-EOF
add 10.0.0.1 10.0.0.2 ah 10000 -A $aalgo $key;
EOF
$DEBUG && cat $tmpfile
if [ $aalgo = null ]; then
# null doesn't accept any keys
atf_check -s exit:0 \
-o match:'syntax error' -e ignore \
$HIJACKING setkey -c < $tmpfile
else
atf_check -s exit:0 \
-o match:'Invalid (key length|argument)' -e ignore \
$HIJACKING setkey -c < $tmpfile
fi
atf_check -s exit:0 -o match:'No SAD entries.' \
$HIJACKING setkey -D
done
rm -f $tmpfile
}
add_test_invalid_keys()
{
local aalgo=$1
local _aalgo=$(echo $aalgo | sed 's/-//g')
local name= desc=
name="ipsec_ah_${_aalgo}_invalid_keys"
desc="Tests AH ($aalgo) invalid keys"
atf_test_case ${name} cleanup
eval " \
${name}_head() { \
atf_set \"descr\" \"$desc\"; \
atf_set \"require.progs\" \"rump_server\" \"setkey\"; \
}; \
${name}_body() { \
test_ah_invalid_keys_common $aalgo; \
}; \
${name}_cleanup() { \
$DEBUG && dump; \
cleanup; \
} \
"
atf_add_test_case ${name}
}
atf_init_test_cases()
{
for aalgo in $AH_AUTHENTICATION_ALGORITHMS; do
add_test_valid_keys $aalgo
add_test_invalid_keys $aalgo
done
}