synchronize with latest kame tree.

behavior change: policy syntax was changed. you may need to update your setkey(8) configuration files.
author: itojun <itojun@FreeBSD.org> 2000-07-04 16:22:05 +0000
committer: itojun <itojun@FreeBSD.org> 2000-07-04 16:22:05 +0000
commit: 0bbd943f404b5100a81abdec2bd8519971e0c58e (patch)
tree: b98b84ed27cb35ed58163ab9530a39ecc47f3254 /lib/libipsec/test-policy.c
parent: 993cb1d94fc91849b548394143e230fa61400d5b (diff)
download: FreeBSD-src-0bbd943f404b5100a81abdec2bd8519971e0c58e.zip
FreeBSD-src-0bbd943f404b5100a81abdec2bd8519971e0c58e.tar.gz
1 files changed, 207 insertions, 69 deletions
diff --git a/lib/libipsec/test-policy.c b/lib/libipsec/test-policy.c
index c8fd727..5a4faf5 100644
--- a/lib/libipsec/test-policy.c
+++ b/lib/libipsec/test-policy.c
@@ -1,3 +1,6 @@
+/*	$FreeBSD$	*/
+/*	$KAME: test-policy.c,v 1.13 2000/05/07 05:25:03 itojun Exp $	*/
+
 /*
  * Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
  * All rights reserved.
@@ -25,8 +28,6 @@
  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  * SUCH DAMAGE.
- *
- * $FreeBSD$
  */
 
 #include <sys/types.h>
@@ -34,7 +35,6 @@
 #include <sys/socket.h>
 
 #include <netinet/in.h>
-#include <netinet6/in6.h>
 #include <net/pfkeyv2.h>
 #include <netkey/key_debug.h>
 #include <netinet6/ipsec.h>
@@ -43,90 +43,115 @@
 #include <stdlib.h>
 #include <unistd.h>
 #include <string.h>
+#include <errno.h>
 #include <err.h>
 
-char *requests[] = {
-"must_error",				/* error */
-"in ipsec must_error",			/* error */
-"out ipsec esp/must_error",		/* error */
-"out discard",
-"out none",
-"in entrust",
-"out entrust",
-"in bypass",				/* may be error */
-"out ipsec esp",			/* error */
-"in ipsec ah/transport",
-"in ipsec ah/tunnel",			/* error */
-"out ipsec ah/transport/",
-"out ipsec ah/tunnel/",			/* error */
-"in ipsec esp / transport / 10.0.0.1-10.0.0.2",
-"in ipsec esp/tunnel/::1-::2",
-"in ipsec esp/tunnel/10.0.0.1-::2",	/* error */
-"in ipsec esp/tunnel/::1-::2/require",
-"out ipsec ah/transport//use",
-"out ipsec ah/transport esp/use",
-"in ipsec ah/transport esp/tunnel",	/* error */
-"in ipsec
+struct req_t {
+	int result;	/* expected result; 0:ok 1:ng */
+	char *str;
+} reqs[] = {
+{ 0, "out ipsec" },
+{ 1, "must_error" },
+{ 1, "in ipsec must_error" },
+{ 1, "out ipsec esp/must_error" },
+{ 1, "out discard" },
+{ 1, "out none" },
+{ 0, "in entrust" },
+{ 0, "out entrust" },
+{ 1, "out ipsec esp" },
+{ 0, "in ipsec ah/transport" },
+{ 1, "in ipsec ah/tunnel" },
+{ 0, "out ipsec ah/transport/" },
+{ 1, "out ipsec ah/tunnel/" },
+{ 0, "in ipsec esp / transport / 10.0.0.1-10.0.0.2" },
+{ 0, "in ipsec esp/tunnel/::1-::2" },
+{ 1, "in ipsec esp/tunnel/10.0.0.1-::2" },
+{ 0, "in ipsec esp/tunnel/::1-::2/require" },
+{ 0, "out ipsec ah/transport//use" },
+{ 1, "out ipsec ah/transport esp/use" },
+{ 1, "in ipsec ah/transport esp/tunnel" },
+{ 0, "in ipsec ah/transport esp/tunnel/::1-::1" },
+{ 0, "in ipsec
 	ah / transport
-	esp / tunnel / ::1-::2",
-"
-out ipsec
-ah/transport/::1-::2 esp/tunnel/::3-::4/use ah/transport/::5-::6/require
-ah/transport/::1-::2 esp/tunnel/::3-::4/use ah/transport/::5-::6/require
-ah/transport/::1-::2 esp/tunnel/::3-::4/use ah/transport/::5-::6/require
-",
-"out ipsec esp/transport/fec0::10-fec0::11/use",
+	esp / tunnel / ::1-::2" },
+{ 0, "out ipsec
+	ah/transport/::1-::2 esp/tunnel/::3-::4/use ah/transport/::5-::6/require
+	ah/transport/::1-::2 esp/tunnel/::3-::4/use ah/transport/::5-::6/require
+	ah/transport/::1-::2 esp/tunnel/::3-::4/use ah/transport/::5-::6/require
+	" },
+{ 0, "out ipsec esp/transport/fec0::10-fec0::11/use" },
 };
 
-int test(char *buf, int family);
+int test1 __P((void));
+int test1sub1 __P((struct req_t *));
+int test1sub2 __P((char *, int));
+int test2 __P((void));
+int test2sub __P((int));
 
 int
 main(ac, av)
 	int ac;
 	char **av;
 {
-	int do_setsockopt;
-	char *buf;
-	int i;
+	test1();
+	test2();
 
-	if (ac != 1)
-		do_setsockopt = 1;
-	else
-		do_setsockopt = 0;
+	exit(0);
+}
 
-	for (i = 0; i < sizeof(requests)/sizeof(requests[0]); i++) {
-		printf("*** requests ***\n");
-		printf("\t[%s]\n", requests[i]);
+int
+test1()
+{
+	int i;
+	int result;
+
+	printf("TEST1\n");
+	for (i = 0; i < sizeof(reqs)/sizeof(reqs[0]); i++) {
+		printf("#%d [%s]\n", i + 1, reqs[i].str);
 
-		buf = ipsec_set_policy(requests[i], strlen(requests[i]));
-		if (buf == NULL) {
-			printf("ipsec_set_policy: %s\n", ipsec_strerror());
-			continue;
+		result = test1sub1(&reqs[i]);
+		if (result == 0 && reqs[i].result == 1) {
+			errx(1, "ERROR: expecting failure.\n");
+		} else if (result == 1 && reqs[i].result == 0) {
+			errx(1, "ERROR: expecting success.\n");
 		}
+	}
+
+	return 0;
+}
 
-		printf("\tsetlen:%d\n", ipsec_get_policylen(buf));
+int
+test1sub1(req)
+	struct req_t *req;
+{
+	char *buf;
 
-		if (do_setsockopt) {
-			printf("\tPF_INET:\n");
-			test(buf, PF_INET);
+	buf = ipsec_set_policy(req->str, strlen(req->str));
+	if (buf == NULL) {
+		printf("ipsec_set_policy: %s\n", ipsec_strerror());
+		return 1;
+	}
 
-			printf("\tPF_INET6:\n");
-			test(buf, PF_INET6);
-		} else {
-			kdebug_sadb_x_policy((struct sadb_ext *)buf);
-		}
+	if (test1sub2(buf, PF_INET) != 0
+	 || test1sub2(buf, PF_INET6) != 0) {
 		free(buf);
+		return 1;
 	}
+#if 0
+	kdebug_sadb_x_policy((struct sadb_ext *)buf);
+#endif
 
+	free(buf);
 	return 0;
 }
 
 int
-test(policy, family)
+test1sub2(policy, family)
 	char *policy;
 	int family;
 {
-	int so, proto, optname;
+	int so;
+	int proto = 0, optname = 0;
 	int len;
 	char getbuf[1024];
 
@@ -145,35 +170,148 @@ test(policy, family)
 		err(1, "socket");
 
 	len = ipsec_get_policylen(policy);
+#if 0
+	printf("\tsetlen:%d\n", len);
+#endif
+
 	if (setsockopt(so, proto, optname, policy, len) < 0) {
-		printf("error on setsockopt");
-		goto end;
+		printf("fail to set sockopt; %s\n", strerror(errno));
+		close(so);
+		return 1;
 	}
 
-	len = sizeof(getbuf);
 	memset(getbuf, 0, sizeof(getbuf));
+	memcpy(getbuf, policy, sizeof(struct sadb_x_policy));
 	if (getsockopt(so, proto, optname, getbuf, &len) < 0) {
-		printf("error on getsockopt");
-		goto end;
+		printf("fail to get sockopt; %s\n", strerror(errno));
+		close(so);
+		return 1;
 	}
 
     {
 	char *buf = NULL;
 
+#if 0
 	printf("\tgetlen:%d\n", len);
+#endif
 
 	if ((buf = ipsec_dump_policy(getbuf, NULL)) == NULL) {
 		printf("%s\n", ipsec_strerror());
-		goto end;
-	} else {
-		printf("\t[%s]\n", buf);
-		free(buf);
+		close(so);
+		return 1;
 	}
+#if 0
+	printf("\t[%s]\n", buf);
+#endif
+	free(buf);
     }
 
-    end:
 	close (so);
+	return 0;
+}
+
+char addr[] = {
+	28, 28, 0, 0,
+	0, 0, 0, 0,
+	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1,
+	0, 0, 0, 0,
+};
+
+int
+test2()
+{
+	int so;
+	char *pol1 = "out ipsec";
+	char *pol2 = "out ipsec ah/transport//use";
+	char *sp1, *sp2;
+	int splen1, splen2;
+	int spid;
+	struct sadb_msg *m;
+
+	printf("TEST2\n");
+	if (getuid() != 0)
+		errx(1, "root privilege required.\n");
+
+	sp1 = ipsec_set_policy(pol1, strlen(pol1));
+	splen1 = ipsec_get_policylen(sp1);
+	sp2 = ipsec_set_policy(pol2, strlen(pol2));
+	splen2 = ipsec_get_policylen(sp2);
+
+	if ((so = pfkey_open()) < 0)
+		errx(1, "ERROR: %s\n", ipsec_strerror());
+
+	printf("spdflush()\n");
+	if (pfkey_send_spdflush(so) < 0)
+		errx(1, "ERROR: %s\n", ipsec_strerror());
+	m = pfkey_recv(so);
+	free(m);
+	
+	printf("spdsetidx()\n");
+	if (pfkey_send_spdsetidx(so, (struct sockaddr *)addr, 128,
+				(struct sockaddr *)addr, 128,
+				255, sp1, splen1, 0) < 0)
+		errx(1, "ERROR: %s\n", ipsec_strerror());
+	m = pfkey_recv(so);
+	free(m);
+	
+	printf("spdupdate()\n");
+	if (pfkey_send_spdupdate(so, (struct sockaddr *)addr, 128,
+				(struct sockaddr *)addr, 128,
+				255, sp2, splen2, 0) < 0)
+		errx(1, "ERROR: %s\n", ipsec_strerror());
+	m = pfkey_recv(so);
+	free(m);
+
+	printf("spddelete()\n");
+	if (pfkey_send_spddelete(so, (struct sockaddr *)addr, 128,
+				(struct sockaddr *)addr, 128,
+				255, sp1, splen1, 0) < 0)
+		errx(1, "ERROR: %s\n", ipsec_strerror());
+	m = pfkey_recv(so);
+	free(m);
+
+	printf("spdadd()\n");
+	if (pfkey_send_spdadd(so, (struct sockaddr *)addr, 128,
+				(struct sockaddr *)addr, 128,
+				255, sp2, splen2, 0) < 0)
+		errx(1, "ERROR: %s\n", ipsec_strerror());
+	spid = test2sub(so);
+
+	printf("spdget(%u)\n", spid);
+	if (pfkey_send_spdget(so, spid) < 0)
+		errx(1, "ERROR: %s\n", ipsec_strerror());
+	m = pfkey_recv(so);
+	free(m);
+
+	printf("spddelete2()\n");
+	if (pfkey_send_spddelete2(so, spid) < 0)
+		errx(1, "ERROR: %s\n", ipsec_strerror());
+	m = pfkey_recv(so);
+	free(m);
+
+	/* expecting failure */
+	printf("spdupdate()\n");
+	if (pfkey_send_spdupdate(so, (struct sockaddr *)addr, 128,
+				(struct sockaddr *)addr, 128,
+				255, sp2, splen2, 0) == 0) {
+		errx(1, "ERROR: expecting failure.\n");
+	}
 
 	return 0;
 }
 
+int
+test2sub(so)
+	int so;
+{
+	struct sadb_msg *msg;
+	caddr_t mhp[SADB_EXT_MAX + 1];
+
+	if ((msg = pfkey_recv(so)) == NULL)
+		errx(1, "ERROR: pfkey_recv failure.\n");
+	if (pfkey_align(msg, mhp) < 0)
+		errx(1, "ERROR: pfkey_align failure.\n");
+
+	return ((struct sadb_x_policy *)mhp[SADB_X_EXT_POLICY])->sadb_x_policy_id;
+}
+
author	itojun <itojun@FreeBSD.org>	2000-07-04 16:22:05 +0000
committer	itojun <itojun@FreeBSD.org>	2000-07-04 16:22:05 +0000
commit	0bbd943f404b5100a81abdec2bd8519971e0c58e (patch)
tree	b98b84ed27cb35ed58163ab9530a39ecc47f3254 /lib/libipsec/test-policy.c
parent	993cb1d94fc91849b548394143e230fa61400d5b (diff)
download	FreeBSD-src-0bbd943f404b5100a81abdec2bd8519971e0c58e.zip FreeBSD-src-0bbd943f404b5100a81abdec2bd8519971e0c58e.tar.gz