1 #!/usr/bin/ksh
2
3 #
4 # This file and its contents are supplied under the terms of the
5 # Common Development and Distribution License ("CDDL"), version 1.0.
6 # You may only use this file in accordance with the terms of version
7 # 1.0 of the CDDL.
8 #
9 # A full copy of the text of the CDDL should have accompanied this
10 # source. A copy of the CDDL is also available via the Internet at
11 # http://www.illumos.org/license/CDDL.
12 #
13
14 #
15 # Copyright (c) 2017 Joyent, Inc.
16 #
17
18 if [ `id -u` -ne 0 ]; then
19 echo "Need to be root or have effective UID of root."
20 exit 255
21 fi
22
23 # NOTE: If multihomed, this may fail in interesting ways...
24 MY_IP=`netstat -in -f inet | egrep -v "Name|lo0" | awk '{print $4}' | head -1`
25 TEST_REMOTE_DST1=10.90.1.25
26 TEST_REMOTE_DST2=10.19.84.2
27 TEST_REMOTE_DST3=10.19.84.3
28 TEST_REMOTE_DST4=10.19.84.4
29
30 T1_SRC=10.21.12.4
31 T1_DST=10.21.12.5
32 T1_PREFIX=10.21.12.0/24
33 T2_SRC=10.51.50.4
34 T2_DST=10.51.50.5
35 T2_PREFIX=10.51.50.0/24
36
37 MONITOR_LOG=/tmp/ipseckey-monitor.$$
38
39 EACQ_PROG=/opt/os-tests/tests/pf_key/eacq-enabler
40
41 $EACQ_PROG &
42 eapid=$!
43
44 echo "Warning, this trashes IPsec policy."
45 ipsecconf -Fq
46
47 # Setup the IPsec policy...
48 ipsecconf -qa - << EOF
49 # Global policy...
50 # Remote-port-based policy. Use different algorithms...
51 { raddr $TEST_REMOTE_DST3 rport 23 ulp tcp } ipsec { encr_algs aes encr_auth_algs sha512 }
52
53 # Unique policy...
54 { raddr $TEST_REMOTE_DST4 rport 23 ulp tcp } ipsec { encr_algs aes encr_auth_algs sha256 sa unique }
55
56 # Simple IP address policy. Use an AH + ESP for it.
57 { raddr $TEST_REMOTE_DST1 } ipsec { auth_algs sha512 encr_algs aes(256) }
58 { raddr $TEST_REMOTE_DST2 } ipsec { auth_algs sha384 encr_algs aes(256) }
59
60 # Tunnel policy...
61 { tunnel rush0 raddr $T1_PREFIX negotiate tunnel } ipsec { encr_algs aes-gcm(256) }
62 # NULL-encryption...
63 { tunnel vh0 raddr $T2_PREFIX negotiate tunnel } ipsec {encr_auth_algs hmac-sha384 }
64 EOF
65
66 # Plumb the tunnels
67 dladm create-iptun -t -T ipv4 -a local=$MY_IP -a remote=$TEST_REMOTE_DST1 rush0
68 dladm create-iptun -t -T ipv4 -a local=$MY_IP -a remote=$TEST_REMOTE_DST2 vh0
69 ipadm create-addr -t -T static -a local=$T1_SRC,remote=$T1_DST rush0/v4
70 ipadm create-addr -t -T static -a local=$T2_SRC,remote=$T2_DST vh0/v4
71 route add $T1_PREFIX $T1_DST
72 route add $T2_PREFIX $T2_DST
73
74 ipseckey flush
75 ipseckey -np monitor > $MONITOR_LOG &
76 IPSECKEY_PID=$!
77
78 # Launch pings and telnets to different addresses (each requiring an ACQUIRE).
79 ping -svn $TEST_REMOTE_DST1 1024 1 2>&1 > /dev/null &
80 p1=$!
81 ping -svn $TEST_REMOTE_DST2 1024 1 2>&1 > /dev/null &
82 p2=$!
83 ping -svn $T1_DST 1024 1 2>&1 > /dev/null &
84 p3=$!
85 ping -svn $T2_DST 1024 1 2>&1 > /dev/null &
86 p4=$!
87
88 echo "Waiting for pings..."
89 pwait $p1 $p2 $p3 $p4
90
91 # Now try some telnets to trigger port and unique policy.
92 # port-only for DST3
93 telnet $TEST_REMOTE_DST3 &
94 tpid=$!
95 t1port=`pfiles $tpid | grep sockname | awk '{print $5}'`
96 echo "First local port == $t1port"
97 sleep 10 ; kill $tpid
98 # unique for DST4
99 telnet $TEST_REMOTE_DST4 &
100 tpid=$!
101 t2port=`pfiles $tpid | grep sockname | awk '{print $5}'`
102 echo "Second local port == $t2port"
103 sleep 10 ; kill $tpid
104 # Nothing specced for DST1
105 telnet $TEST_REMOTE_DST1 &
106 tpid=$!
107 t3port=`pfiles $tpid | grep sockname | awk '{print $5}'`
108 echo "Third local port == $t3port"
109 sleep 10 ; kill $tpid
110
111 # Clean up.
112 kill $IPSECKEY_PID
113 kill $eapid
114 # Unplumb the tunnels
115 route delete $T2_PREFIX $T2_DST
116 route delete $T1_PREFIX $T1_DST
117 ipadm delete-addr vh0/v4
118 ipadm delete-addr rush0/v4
119 ipadm delete-if vh0
120 ipadm delete-if rush0
121 dladm delete-iptun vh0
122 dladm delete-iptun rush0
123 # Flush policy
124 ipsecconf -Fq
125 # Use SMF to restore anything that may have been there. "restart" on
126 # a disabled service is a NOP, but an enabled one will get
127 # /etc/inet/ipsecinit.conf reloaded.
128 svcadm restart ipsec/policy
129
130 # Process MONITOR_LOG's output...
131 echo "Checking for unique local port only in one ACQUIRE case."
132 egrep "$t1port|$t2port|$t3port" $MONITOR_LOG > /tmp/egrep.$$
133 grep $t2port $MONITOR_LOG > /tmp/grep.$$
134 diff /tmp/grep.$$ /tmp/egrep.$$
135 if [[ $? != 0 ]]; then
136 echo "More than just the one unique port, $tport2, found in monitor output."
137 /bin/rm -f /tmp/grep.$$ /tmp/egrep.$$ $MONITOR_LOG
138 exit 1
139 fi
140
141 # Split out extended (file.0) and regular (file.1) ACQUIREs.
142 # NOTE: "+7" is dependent on "ipseckey monitor"'s first output where it gets
143 # the "PROMISC" reply.
144
145 mkdir /tmp/raw.$$
146 savedir=$PWD
147 cd /tmp/raw.$$
148 tail +7 $MONITOR_LOG | \
149 awk 'BEGIN { out=0; } /Read/ {out++;} { print >> (out % 2) }'
150 cd $savedir
151
152 # Pluck out the address extension from the two ACQUIRE types.
153 # NOTE: Add any new in-ACQUIRE address types here if more arrive.
154 egrep "DST:|SRC:|INS:|IND:" /tmp/raw.$$/0 > /tmp/extended-addresses.$$
155 egrep "DST:|SRC:|INS:|IND:" /tmp/raw.$$/1 > /tmp/regular-addresses.$$
156
157 # There should be NO differences between address fields from regular vs.
158 # extended ACQUIREs. If there are, it's a bug (or an older version of illumos).
159 diff /tmp/extended-addresses.$$ /tmp/regular-addresses.$$
160 if [[ $? != 0 ]]; then
161 echo "Address fields in ACQUIRE differ."
162 rc=1
163 else
164 rc=0
165 fi
166
167 /bin/rm -rf /tmp/*-addresses.$$ /tmp/raw.$$
168 /bin/rm -f /tmp/grep.$$ /tmp/egrep.$$ /tmp/addrs.$$ $MONITOR_LOG
169
170 exit $rc