Index: etc/mtree/BSD.tests.dist
===================================================================
--- etc/mtree/BSD.tests.dist
+++ etc/mtree/BSD.tests.dist
@@ -476,6 +476,10 @@
 ..
 netinet
 ..
+ netipsec
+ tunnel
+ ..
+ ..
 netpfil
 pf
 ..
Index: tests/sys/Makefile
===================================================================
--- tests/sys/Makefile
+++ tests/sys/Makefile
@@ -13,6 +13,7 @@
 TESTS_SUBDIRS+= mac
 TESTS_SUBDIRS+= mqueue
 TESTS_SUBDIRS+= netinet
+TESTS_SUBDIRS+= netipsec
 TESTS_SUBDIRS+= netpfil
 TESTS_SUBDIRS+= opencrypto
 TESTS_SUBDIRS+= posixshm
Index: tests/sys/netipsec/Makefile
===================================================================
--- /dev/null
+++ tests/sys/netipsec/Makefile
@@ -0,0 +1,7 @@
+# $FreeBSD$
+
+TESTSDIR= ${TESTSBASE}/sys/netipsec
+
+TESTS_SUBDIRS+= tunnel
+
+.include
Index: tests/sys/netipsec/tunnel/Makefile
===================================================================
--- /dev/null
+++ tests/sys/netipsec/tunnel/Makefile
@@ -0,0 +1,19 @@
+# $FreeBSD$
+
+PACKAGE= tests
+
+TESTSDIR= ${TESTSBASE}/sys/netipsec/tunnel
+
+ATF_TESTS_SH+= empty \
+ aes_cbc_128_hmac_sha1 \
+ aes_cbc_256_hmac_sha2_256 \
+ aes_gcm_128 \
+ aes_gcm_256 \
+ aesni_aes_cbc_128_hmac_sha1 \
+ aesni_aes_cbc_256_hmac_sha2_256 \
+ aesni_aes_gcm_128 \
+ aesni_aes_gcm_256
+
+${PACKAGE}FILES+= utils.subr
+
+.include
Index: tests/sys/netipsec/tunnel/aes_cbc_128_hmac_sha1.sh
===================================================================
--- /dev/null
+++ tests/sys/netipsec/tunnel/aes_cbc_128_hmac_sha1.sh
@@ -0,0 +1,47 @@
+# $FreeBSD$
+
+. $(atf_get_srcdir)/utils.subr
+
+atf_test_case "v4" "cleanup"
+v4_head()
+{
+ atf_set descr 'IPSec inet4 tunnel using aes-cbc-128-hmac-sha1'
+ atf_set require.user root
+ # Unload AESNI module if loaded
+ kldstat -q -n aesni && kldunload aesni
+}
+
+v4_body()
+{
+ ist_test 4 rijndael-cbc "1234567890123456" hmac-sha1 "12345678901234567890"
+}
+
+v4_cleanup()
+{
+ ist_cleanup
+}
+
+atf_test_case "v6" "cleanup"
+v6_head()
+{
+ atf_set descr 'IPSec inet6 tunnel using aes-cbc-128-hmac-sha1'
+ atf_set require.user root
+ # Unload AESNI module if loaded
+ kldstat -q -n aesni && kldunload aesni
+}
+
+v6_body()
+{
+ ist_test 6 rijndael-cbc "1234567890123456" hmac-sha1 "12345678901234567890"
+}
+
+v6_cleanup()
+{
+ ist_cleanup
+}
+
+atf_init_test_cases()
+{
+ atf_add_test_case "v4"
+ atf_add_test_case "v6"
+}
Index: tests/sys/netipsec/tunnel/aes_cbc_256_hmac_sha2_256.sh
===================================================================
--- /dev/null
+++ tests/sys/netipsec/tunnel/aes_cbc_256_hmac_sha2_256.sh
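Review bot: `v4_head` and `v6_head` run `kldstat -q -n aesni && kldunload aesni`, but an ATF head function is also executed when the test program is listed, before `require.user root` is enforced, so the module is unloaded (or the unload fails for an unprivileged user) at listing time rather than when the case runs. Unloading a system-wide crypto driver is a side effect the test should own and undo: run it at the top of `v4_body`/`v6_body`, record whether aesni was loaded beforehand (e.g. `kldstat -q -n aesni && touch aesni.was_loaded`), and reload it from `v4_cleanup`/`v6_cleanup`, which currently only call `ist_cleanup`. The same head-function pattern is in aes_cbc_256_hmac_sha2_256.sh, aes_gcm_128.sh, aes_gcm_256.sh and the four aesni_*.sh files.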
@@ -0,0 +1,47 @@
+# $FreeBSD$
+
+. $(atf_get_srcdir)/utils.subr
+
+atf_test_case "v4" "cleanup"
+v4_head()
+{
+ atf_set descr 'IPSec inet4 tunnel using aes-cbc-256-hmac-sha2-256'
+ atf_set require.user root
+ # load AESNI module if not already
+ kldstat -q -n aesni || kldload aesni
+}
+
+v4_body()
+{
+ ist_test 4 rijndael-cbc "12345678901234567890123456789012" hmac-sha2-256 "12345678901234567890123456789012"
+}
+
+v4_cleanup()
+{
+ ist_cleanup
+}
+
+atf_test_case "v6" "cleanup"
+v6_head()
+{
+ atf_set descr 'IPSec inet6 tunnel using aes-cbc-256-hmac-sha2-256'
+ atf_set require.user root
+ # load AESNI module if not already
+ kldstat -q -n aesni || kldload aesni
+}
+
+v6_body()
+{
+ ist_test 6 rijndael-cbc "12345678901234567890123456789012" hmac-sha2-256 "12345678901234567890123456789012"
+}
+
+v6_cleanup()
+{
+ ist_cleanup
+}
+
+atf_init_test_cases()
+{
+ atf_add_test_case "v4"
+ atf_add_test_case "v6"
+}
Index: tests/sys/netipsec/tunnel/aes_gcm_128.sh
===================================================================
--- /dev/null
+++ tests/sys/netipsec/tunnel/aes_gcm_128.sh
@@ -0,0 +1,47 @@
+# $FreeBSD$
+
+. $(atf_get_srcdir)/utils.subr
+
+atf_test_case "v4" "cleanup"
+v4_head()
+{
+ atf_set descr 'IPSec inet4 tunnel using aes-gcm-128'
+ atf_set require.user root
+ # Unload AESNI module if loaded
+ kldstat -q -n aesni && kldunload aesni
+}
+
+v4_body()
+{
+ ist_test 4 aes-gcm-16 "12345678901234567890"
+}
+
+v4_cleanup()
+{
+ ist_cleanup
+}
+
+atf_test_case "v6" "cleanup"
+v6_head()
+{
+ atf_set descr 'IPSec inet6 tunnel using aes-gcm-128'
+ atf_set require.user root
+ # Unload AESNI module if loaded
+ kldstat -q -n aesni && kldunload aesni
+}
+
+v6_body()
+{
+ ist_test 6 aes-gcm-16 "12345678901234567890"
+}
+
+v6_cleanup()
+{
+ ist_cleanup
+}
+
+atf_init_test_cases()
+{
+ atf_add_test_case "v4"
+ atf_add_test_case "v6"
+}
Index: tests/sys/netipsec/tunnel/aes_gcm_256.sh
===================================================================
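Review bot: The head functions of aes_cbc_256_hmac_sha2_256.sh load the AESNI module (`kldstat -q -n aesni || kldload aesni`) although the file name and `descr` identify this as the plain aes-cbc-256-hmac-sha2-256 case, while aesni_aes_cbc_256_hmac_sha2_256.sh, whose description ends in "and AESNI", unloads it; the kldstat lines of the two files appear swapped. As written the software path for 256-bit CBC is never exercised and the AESNI variant runs without the driver, so both cases test the opposite of what their names claim. Swap them: here `kldstat -q -n aesni && kldunload aesni` under an "Unload AESNI module if loaded" comment, and in the aesni_ file `kldstat -q -n aesni || kldload aesni`. The other three pairs (128-bit CBC, GCM-128, GCM-256) agree with their names.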
--- /dev/null
+++ tests/sys/netipsec/tunnel/aes_gcm_256.sh
@@ -0,0 +1,47 @@
+# $FreeBSD$
+
+. $(atf_get_srcdir)/utils.subr
+
+atf_test_case "v4" "cleanup"
+v4_head()
+{
+ atf_set descr 'IPSec inet4 tunnel using aes-gcm-256'
+ atf_set require.user root
+ # Unload AESNI module if loaded
+ kldstat -q -n aesni && kldunload aesni
+}
+
+v4_body()
+{
+ ist_test 4 aes-gcm-16 "123456789012345678901234567890123456"
+}
+
+v4_cleanup()
+{
+ ist_cleanup
+}
+
+atf_test_case "v6" "cleanup"
+v6_head()
+{
+ atf_set descr 'IPSec inet6 tunnel using aes-gcm-256'
+ atf_set require.user root
+ # Unload AESNI module if loaded
+ kldstat -q -n aesni && kldunload aesni
+}
+
+v6_body()
+{
+ ist_test 6 aes-gcm-16 "123456789012345678901234567890123456"
+}
+
+v6_cleanup()
+{
+ ist_cleanup
+}
+
+atf_init_test_cases()
+{
+ atf_add_test_case "v4"
+ atf_add_test_case "v6"
+}
Index: tests/sys/netipsec/tunnel/aesni_aes_cbc_128_hmac_sha1.sh
===================================================================
--- /dev/null
+++ tests/sys/netipsec/tunnel/aesni_aes_cbc_128_hmac_sha1.sh
@@ -0,0 +1,47 @@
+# $FreeBSD$
+
+. $(atf_get_srcdir)/utils.subr
+
+atf_test_case "v4" "cleanup"
+v4_head()
+{
+ atf_set descr 'IPSec inet4 tunnel using aes-cbc-128-hmac-sha1 and AESNI'
+ atf_set require.user root
+ # load AESNI module if not already
+ kldstat -q -n aesni || kldload aesni
+}
+
+v4_body()
+{
+ ist_test 4 rijndael-cbc "1234567890123456" hmac-sha1 "12345678901234567890"
+}
+
+v4_cleanup()
+{
+ ist_cleanup
+}
+
+atf_test_case "v6" "cleanup"
+v6_head()
+{
+ atf_set descr 'IPSec inet6 tunnel using aes-cbc-128-hmac-sha1 and AESNI'
+ atf_set require.user root
+ # load AESNI module if not already
+ kldstat -q -n aesni || kldload aesni
+}
+
+v6_body()
+{
+ ist_test 6 rijndael-cbc "1234567890123456" hmac-sha1 "12345678901234567890"
+}
+
+v6_cleanup()
+{
+ ist_cleanup
+}
+
+atf_init_test_cases()
+{
+ atf_add_test_case "v4"
+ atf_add_test_case "v6"
+}
Index: tests/sys/netipsec/tunnel/aesni_aes_cbc_256_hmac_sha2_256.sh
===================================================================
--- /dev/null
+++ tests/sys/netipsec/tunnel/aesni_aes_cbc_256_hmac_sha2_256.sh
@@ -0,0 +1,47 @@
+# $FreeBSD$
+
+. $(atf_get_srcdir)/utils.subr
+
+atf_test_case "v4" "cleanup"
+v4_head()
+{
+ atf_set descr 'IPSec inet4 tunnel using aes-cbc-256-hmac-sha2-256 and AESNI'
+ atf_set require.user root
+ # Unload AESNI module if loaded
+ kldstat -q -n aesni && kldunload aesni
+}
+
+v4_body()
+{
+ ist_test 4 rijndael-cbc "12345678901234567890123456789012" hmac-sha2-256 "12345678901234567890123456789012"
+}
+
+v4_cleanup()
+{
+ ist_cleanup
+}
+
+atf_test_case "v6" "cleanup"
+v6_head()
+{
+ atf_set descr 'IPSec inet6 tunnel using aes-cbc-256-hmac-sha2-256 and AESNI'
+ atf_set require.user root
+ # Unload AESNI module if loaded
+ kldstat -q -n aesni && kldunload aesni
+}
+
+v6_body()
+{
+ ist_test 6 rijndael-cbc "12345678901234567890123456789012" hmac-sha2-256 "12345678901234567890123456789012"
+}
+
+v6_cleanup()
+{
+ ist_cleanup
+}
+
+atf_init_test_cases()
+{
+ atf_add_test_case "v4"
+ atf_add_test_case "v6"
+}
Index: tests/sys/netipsec/tunnel/aesni_aes_gcm_128.sh
===================================================================
--- /dev/null
+++ tests/sys/netipsec/tunnel/aesni_aes_gcm_128.sh
@@ -0,0 +1,47 @@
+# $FreeBSD$
+
+. $(atf_get_srcdir)/utils.subr
+
+atf_test_case "v4" "cleanup"
+v4_head()
+{
+ atf_set descr 'IPSec inet4 tunnel using aes-gcm-128 and AESNI'
+ atf_set require.user root
+ # load AESNI module if not already
+ kldstat -q -n aesni || kldload aesni
+}
+
+v4_body()
+{
+ ist_test 4 aes-gcm-16 "12345678901234567890"
+}
+
+v4_cleanup()
+{
+ ist_cleanup
+}
+
+atf_test_case "v6" "cleanup"
+v6_head()
+{
+ atf_set descr 'IPSec inet6 tunnel using aes-gcm-128 and AESNI'
+ atf_set require.user root
+ # load AESNI module if not already
+ kldstat -q -n aesni || kldload aesni
+}
+
+v6_body()
+{
+ ist_test 6 aes-gcm-16 "12345678901234567890"
+}
+
+v6_cleanup()
+{
+ ist_cleanup
+}
+
+atf_init_test_cases()
+{
+ atf_add_test_case "v4"
+ atf_add_test_case "v6"
+}
Index: tests/sys/netipsec/tunnel/aesni_aes_gcm_256.sh
===================================================================
--- /dev/null
+++ tests/sys/netipsec/tunnel/aesni_aes_gcm_256.sh
@@ -0,0 +1,47 @@
+# $FreeBSD$
+
+. $(atf_get_srcdir)/utils.subr
+
+atf_test_case "v4" "cleanup"
+v4_head()
+{
+ atf_set descr 'IPSec inet4 tunnel using aes-gcm-256 and AESNI'
+ atf_set require.user root
+ # load AESNI module if not already
+ kldstat -q -n aesni || kldload aesni
+}
+
+v4_body()
+{
+ ist_test 4 aes-gcm-16 "123456789012345678901234567890123456"
+}
+
+v4_cleanup()
+{
+ ist_cleanup
+}
+
+atf_test_case "v6" "cleanup"
+v6_head()
+{
+ atf_set descr 'IPSec inet6 tunnel using aes-gcm-256 and AESNI'
+ atf_set require.user root
+ # load AESNI module if not already
+ kldstat -q -n aesni || kldload aesni
+}
+
+v6_body()
+{
+ ist_test 6 aes-gcm-16 "123456789012345678901234567890123456"
+}
+
+v6_cleanup()
+{
+ ist_cleanup
+}
+
+atf_init_test_cases()
+{
+ atf_add_test_case "v4"
+ atf_add_test_case "v6"
+}
Index: tests/sys/netipsec/tunnel/empty.sh
===================================================================
--- /dev/null
+++ tests/sys/netipsec/tunnel/empty.sh
@@ -0,0 +1,44 @@
+# $FreeBSD$
+
+. $(atf_get_srcdir)/utils.subr
+
+atf_test_case "v4" "cleanup"
+v4_head()
+{
+ atf_set descr 'IPSec inet4 tunnel using NULL encryption'
+ atf_set require.user root
+}
+
+v4_body()
+{
+ # Can't use filename "null" for this script: PR 223564
+ ist_test 4 null ""
+}
+
+v4_cleanup()
+{
+ ist_cleanup
+}
+
+atf_test_case "v6" "cleanup"
+v6_head()
+{
+ atf_set descr 'IPSec inet6 tunnel using NULL encryption'
+ atf_set require.user root
+}
+
+v6_body()
+{
+ ist_test 6 null ""
+}
+
+v6_cleanup()
+{
+ ist_cleanup
+}
+
+atf_init_test_cases()
+{
+ atf_add_test_case "v4"
+ atf_add_test_case "v6"
+}
Index: tests/sys/netipsec/tunnel/utils.subr
===================================================================
--- /dev/null
+++ tests/sys/netipsec/tunnel/utils.subr
@@ -0,0 +1,170 @@
+# $FreeBSD$
+# Utility functions (mainly from pf tests, should be merged one day)
+##
+
+: ${TMPDIR=/tmp}
+
+ist_init()
+{
+ if [ "$(sysctl -i -n kern.features.vimage)" != 1 ]; then
+ atf_skip "This test requires VIMAGE"
+ fi
+}
+
+pft_mkepair()
+{
+ ifname=$(ifconfig epair create)
+ echo $ifname >> created_interfaces.lst
+ echo ${ifname%a}
+}
+
+pft_mkjail()
+{
+ jailname=$1
+ shift
+
+ vnet_interfaces=
+ for ifname in $@
+ do
+ vnet_interfaces="${vnet_interfaces} vnet.interface=${ifname}"
+ done
+ jail -c name=${jailname} persist vnet ${vnet_interfaces}
+
+ echo $jailname >> created_jails.lst
+}
+
+ist_labsetup ()
+{
+ epair_LAN_A=$(pft_mkepair)
+ ifconfig ${epair_LAN_A}a up
+ epair_PUB_A=$(pft_mkepair)
+ ifconfig ${epair_PUB_A}a up
+ epair_LAN_B=$(pft_mkepair)
+ ifconfig ${epair_LAN_B}a up
+ epair_PUB_B=$(pft_mkepair)
+ ifconfig ${epair_PUB_B}a up
+
+ pft_mkjail hostA ${epair_LAN_A}a
+ pft_mkjail ipsecA ${epair_LAN_A}b ${epair_PUB_A}a
+ pft_mkjail router ${epair_PUB_A}b ${epair_PUB_B}b
+ pft_mkjail ipsecB ${epair_LAN_B}b ${epair_PUB_B}a
+ pft_mkjail hostB ${epair_LAN_B}a
+}
+
+ist_v4_setup ()
+{
+ jexec hostA ifconfig ${epair_LAN_A}a 192.0.2.1/30 up
+ jexec ipsecA ifconfig ${epair_LAN_A}b 192.0.2.2/30 up
+ jexec ipsecA ifconfig ${epair_PUB_A}a 198.51.100.2/30 up
+ jexec router ifconfig ${epair_PUB_A}b 198.51.100.1/30 up
+ jexec router ifconfig ${epair_PUB_B}b 198.51.100.6/30 up
+ jexec ipsecB ifconfig ${epair_PUB_B}a 198.51.100.7/30 up
+ jexec ipsecB ifconfig ${epair_LAN_B}b 203.0.113.2/30 up
+ jexec hostB ifconfig ${epair_LAN_B}a 203.0.113.1/30 up
+ jexec ipsecA sysctl net.inet.ip.forwarding=1
+ jexec router sysctl net.inet.ip.forwarding=1
+ jexec ipsecB sysctl net.inet.ip.forwarding=1
+ jexec hostA route add default 192.0.2.2
+ jexec ipsecA route add default 198.51.100.1
+ jexec ipsecB route add default 198.51.100.6
+ jexec hostB route add default 203.0.113.2
+}
+
+ist_v6_setup ()
+{
+ jexec hostA ifconfig ${epair_LAN_A}a inet6 2001:db8:1::1/64 up
+ jexec ipsecA ifconfig ${epair_LAN_A}b inet6 2001:db8:1::2/64 up
+ jexec ipsecA ifconfig ${epair_PUB_A}a inet6 2001:db8:23::2/64 up
+ jexec router ifconfig ${epair_PUB_A}b inet6 2001:db8:23::3/64 up
+ jexec router ifconfig ${epair_PUB_B}b inet6 2001:db8:34::3/64 up
+ jexec ipsecB ifconfig ${epair_PUB_B}a inet6 2001:db8:34::2/64 up
+ jexec ipsecB ifconfig ${epair_LAN_B}b inet6 2001:db8:45::2/64 up
+ jexec hostB ifconfig ${epair_LAN_B}a inet6 2001:db8:45::1/64 up
+ jexec ipsecA sysctl net.inet6.ip6.forwarding=1
+ jexec router sysctl net.inet6.ip6.forwarding=1
+ jexec ipsecB sysctl net.inet6.ip6.forwarding=1
+ jexec hostA route -6 add default 2001:db8:1::2
+ jexec ipsecA route -6 add default 2001:db8:23::3
+ jexec ipsecB route -6 add default 2001:db8:34::3
+ jexec hostB route -6 add default 2001:db8:45::2
+ # Why do we need to wait before having a working inet6 forwarding?
+ # without this timer, first ping failed with this error:
+ # ping6: UDP connect: Can't assign requested address
+ sleep 2
+}
+
+ist_setkey()
+{
+ jname=$1
+ dir=$2
+ afnet=$3
+ enc_algo=$4
+ enc_key=$5
+ auth_algo=$6
+ auth_key=$7
+
+ # Load
+ (
+ printf "#arguments debug: ${jname} ${afnet} ${dir} ${enc_algo} "
+ printf "${enc_key} ${auth_algo} ${auth_key}\n"
+ printf "flush;\n"
+ printf "spdflush;\n"
+ if [ ${afnet} -eq 4 ]; then
+ SRC_LAN="192.0.2.0/24"
+ DST_LAN="203.0.113.0/24"
+ SRC_GW="198.51.100.2"
+ DST_GW="198.51.100.7"
+ else
+ SRC_LAN="2001:db8:1::/64"
+ DST_LAN="2001:db8:45::/64"
+ SRC_GW="2001:db8:23::2"
+ DST_GW="2001:db8:34::2"
+ fi
+ printf "spdadd ${SRC_LAN} ${DST_LAN} any -P "
+ [ ${dir} = "out" ] && printf "out" || printf "in"
+ printf " ipsec esp/tunnel/${SRC_GW}-${DST_GW}/require;\n"
+ printf "spdadd ${DST_LAN} ${SRC_LAN} any -P "
+ [ ${dir} = "out" ] && printf "in" || printf "out"
+ printf " ipsec esp/tunnel/${DST_GW}-${SRC_GW}/require;\n"
+ printf "add ${SRC_GW} ${DST_GW} esp 0x1000 -E ${enc_algo} \"${enc_key}\""
+ [ -n "${auth_algo}" ] && printf " -A ${auth_algo} \"${auth_key}\";\n" || printf ";\n"
+ printf "add ${DST_GW} ${SRC_GW} esp 0x1001 -E ${enc_algo} \"${enc_key}\""
+ [ -n "$auth_algo" ] && printf " -A ${auth_algo} \"${auth_key}\";\n" || printf ";\n"
+ ) > ${TMPDIR}/ipsec.${jname}.conf
+}
+
+ist_test()
+{
+ ist_init
+ ist_labsetup
+ [ $1 -eq 4 ] && ist_v4_setup || ist_v6_setup
+ ist_setkey ipsecA out $@
+ atf_check -s exit:0 -o ignore jexec ipsecA setkey -f ${TMPDIR}/ipsec.ipsecA.conf
+ ist_setkey ipsecB in $@
+ atf_check -s exit:0 -o ignore jexec ipsecB setkey -f ${TMPDIR}/ipsec.ipsecB.conf
+ # Check ipsec tunnel
+ if [ $1 -eq 4 ]; then
+ atf_check -s exit:0 -o ignore jexec hostA ping -c 1 203.0.113.1
+ else
+ atf_check -s exit:0 -o ignore jexec hostA ping6 -c 1 2001:db8:45::1
+ fi
+}
+ist_cleanup()
+{
+ if [ -f created_jails.lst ]; then
+ for jailname in $(cat created_jails.lst)
+ do
+ jail -r ${jailname}
+ rm -f ${TMPDIR}/ipsec.${jailname}.conf
+ done
+ rm created_jails.lst
+ fi
+
+ if [ -f created_interfaces.lst ]; then
+ for ifname in $(cat created_interfaces.lst)
+ do
+ ifconfig ${ifname} destroy
+ done
+ rm created_interfaces.lst
+ fi
+}
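Review bot: `ist_setkey` writes the SA/SP configuration to `${TMPDIR}/ipsec.${jname}.conf` with `TMPDIR` defaulting to `/tmp`, so a root-run test creates, reads and later `rm -f`s a predictably named file in a shared world-writable directory; `created_jails.lst` and `created_interfaces.lst` already live in the ATF work directory (the cwd), and the setkey config should go there as well (`./ipsec.${jname}.conf` in `ist_setkey`, `ist_test` and `ist_cleanup`), which also makes the `: ${TMPDIR=/tmp}` default unnecessary. In `ist_test`, `$@` is forwarded to `ist_setkey` unquoted, so an empty argument such as the `""` key passed by empty.sh is dropped — harmless while it is the last argument, but any later empty argument would shift the ones after it — and `"$@"` is the safe form. `[ $1 -eq 4 ] && ist_v4_setup || ist_v6_setup` also falls through to the inet6 setup if the last command of `ist_v4_setup` fails, so an `if`/`else` is preferable. In `ist_setkey` the keys and algorithm names are interpolated into `printf` format strings; `printf '%s' "..."` (or passing them as arguments to a fixed format) keeps a value containing `%` or `\` from being reinterpreted.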