11837 tests/pf_key/acquire-compare is racy
Reviewed by: Robert Mustacchi <rm@fingolfin.org>

          --- old/usr/src/test/os-tests/tests/pf_key/acquire-compare.sh
          +++ new/usr/src/test/os-tests/tests/pf_key/acquire-compare.sh

   1    1  #!/usr/bin/ksh
   2    2  
   3    3  #
   4    4  # This file and its contents are supplied under the terms of the

   5    5  # Common Development and Distribution License ("CDDL"), version 1.0.
   6    6  # You may only use this file in accordance with the terms of version
   7    7  # 1.0 of the CDDL.
   8    8  #
   9    9  # A full copy of the text of the CDDL should have accompanied this
  10   10  # source.  A copy of the CDDL is also available via the Internet at
  11   11  # http://www.illumos.org/license/CDDL.
  12   12  #
  13   13  
  14   14  #
  15      -# Copyright (c) 2017 Joyent, Inc.
       15 +# Copyright 2019 Joyent, Inc.
  16   16  #
  17   17  
  18      -if [ `id -u` -ne 0 ]; then
  19      -        echo "Need to be root or have effective UID of root."
  20      -        exit 255
       18 +# we can't presume /usr/bin/timeout is there
       19 +timeout_cmd() {
       20 +    $* &
       21 +    sleep 3
       22 +    kill $!
       23 +    # we want to pause a while to make sure the monitor log is
       24 +    # updated...
       25 +    sleep 2
       26 +}
       27 +
       28 +if [[ `id -u` -ne 0 ]]; then
       29 +    echo "Error: need to be root or have effective UID of root." >&2
       30 +    exit 255
  21   31  fi
  22   32  
       33 +if [[ ! -x "$(type -p curl)" ]]; then
       34 +    echo "Error: curl binary not found." >&2
       35 +    exit 255
       36 +fi
       37 +
  23   38  # NOTE: If multihomed, this may fail in interesting ways...
  24   39  MY_IP=`netstat -in -f inet | egrep -v "Name|lo0" | awk '{print $4}' | head -1`
  25   40  TEST_REMOTE_DST1=10.90.1.25
  26   41  TEST_REMOTE_DST2=10.19.84.2
  27   42  TEST_REMOTE_DST3=10.19.84.3
  28   43  TEST_REMOTE_DST4=10.19.84.4
  29   44  
  30   45  T1_SRC=10.21.12.4
  31   46  T1_DST=10.21.12.5
  32   47  T1_PREFIX=10.21.12.0/24
  33   48  T2_SRC=10.51.50.4
  34   49  T2_DST=10.51.50.5
  35   50  T2_PREFIX=10.51.50.0/24
  36   51  
       52 +CURL_DST3_LPORT=10001
       53 +CURL_DST4_LPORT=10002
       54 +CURL_DST1_LPORT=10003
       55 +CURL_PORT=80
       56 +
  37   57  MONITOR_LOG=/tmp/ipseckey-monitor.$$
  38   58  
  39   59  EACQ_PROG=/opt/os-tests/tests/pf_key/eacq-enabler
  40   60  
  41   61  $EACQ_PROG &
  42   62  eapid=$!
  43   63  
  44   64  echo "Warning, this trashes IPsec policy."
  45   65  ipsecconf -Fq
  46   66  
  47   67  # Setup the IPsec policy...
  48   68  ipsecconf -qa - << EOF
  49   69  # Global policy...
  50   70  # Remote-port-based policy.  Use different algorithms...
  51      -{ raddr $TEST_REMOTE_DST3 rport 23 ulp tcp } ipsec { encr_algs aes encr_auth_algs sha512 }
       71 +{ raddr $TEST_REMOTE_DST3 rport $CURL_PORT ulp tcp } ipsec { encr_algs aes encr_auth_algs sha512 }
  52   72  
  53   73  # Unique policy...
  54      -{ raddr $TEST_REMOTE_DST4 rport 23 ulp tcp } ipsec { encr_algs aes encr_auth_algs sha256 sa unique }
       74 +{ raddr $TEST_REMOTE_DST4 rport $CURL_PORT ulp tcp } ipsec { encr_algs aes encr_auth_algs sha256 sa unique }
  55   75  
  56   76  # Simple IP address policy.  Use an AH + ESP for it.
  57   77  { raddr $TEST_REMOTE_DST1 } ipsec { auth_algs sha512 encr_algs aes(256) }
  58   78  { raddr $TEST_REMOTE_DST2 } ipsec { auth_algs sha384 encr_algs aes(256) }
  59   79  
  60   80  # Tunnel policy...
  61   81  { tunnel rush0 raddr $T1_PREFIX negotiate tunnel } ipsec { encr_algs aes-gcm(256) }
  62   82  # NULL-encryption...
  63   83  { tunnel vh0 raddr $T2_PREFIX negotiate tunnel } ipsec {encr_auth_algs hmac-sha384 }
  64   84  EOF

  65   85  
  66   86  # Plumb the tunnels
  67   87  dladm create-iptun -t -T ipv4 -a local=$MY_IP -a remote=$TEST_REMOTE_DST1 rush0

  68   88  dladm create-iptun -t -T ipv4 -a local=$MY_IP -a remote=$TEST_REMOTE_DST2 vh0
  69   89  ipadm create-addr -t -T static -a local=$T1_SRC,remote=$T1_DST rush0/v4
  70   90  ipadm create-addr -t -T static -a local=$T2_SRC,remote=$T2_DST vh0/v4
  71   91  route add $T1_PREFIX $T1_DST
  72   92  route add $T2_PREFIX $T2_DST
  73   93  
  74   94  ipseckey flush
  75   95  ipseckey -np monitor > $MONITOR_LOG &
  76   96  IPSECKEY_PID=$!
  77   97  
  78      -# Launch pings and telnets to different addresses (each requiring an ACQUIRE).
  79      -ping -svn $TEST_REMOTE_DST1 1024 1 2>&1 > /dev/null &
  80      -p1=$!
  81      -ping -svn $TEST_REMOTE_DST2 1024 1 2>&1 > /dev/null &
  82      -p2=$!
  83      -ping -svn $T1_DST 1024 1 2>&1 > /dev/null &
  84      -p3=$!
  85      -ping -svn $T2_DST 1024 1 2>&1 > /dev/null &
  86      -p4=$!
       98 +# give the monitor some time to get set up
       99 +sleep 3
  87  100  
  88      -echo "Waiting for pings..."
  89      -pwait $p1 $p2 $p3 $p4
      101 +# Launch pings to various addresses (each requiring an ACQUIRE).
  90  102  
  91      -# Now try some telnets to trigger port and unique policy.
      103 +timeout_cmd ping -svn $TEST_REMOTE_DST1 1024 1
      104 +timeout_cmd ping -svn $TEST_REMOTE_DST2 1024 1
      105 +timeout_cmd ping -svn $T1_DST 1024 1
      106 +timeout_cmd ping -svn $T2_DST 1024 1
      107 +
      108 +# Now try some curls to trigger local port and unique policy.
      109 +
  92  110  # port-only for DST3
  93      -telnet $TEST_REMOTE_DST3 &
  94      -tpid=$!
  95      -t1port=`pfiles $tpid | grep sockname | awk '{print $5}'`
  96      -echo "First local port == $t1port"
  97      -sleep 10 ; kill $tpid
      111 +timeout_cmd curl --local-port $CURL_DST3_LPORT \
      112 +    http://$TEST_REMOTE_DST3:$CURL_PORT
  98  113  # unique for DST4
  99      -telnet $TEST_REMOTE_DST4 &
 100      -tpid=$!
 101      -t2port=`pfiles $tpid | grep sockname | awk '{print $5}'`
 102      -echo "Second local port == $t2port"
 103      -sleep 10 ; kill $tpid
      114 +timeout_cmd curl --local-port $CURL_DST4_LPORT \
      115 +    http://$TEST_REMOTE_DST4:$CURL_PORT
 104  116  # Nothing specced for DST1
 105      -telnet $TEST_REMOTE_DST1 &
 106      -tpid=$!
 107      -t3port=`pfiles $tpid | grep sockname | awk '{print $5}'`
 108      -echo "Third local port == $t3port"
 109      -sleep 10 ; kill $tpid
      117 +timeout_cmd curl --local-port $CURL_DST1_LPORT \
      118 +    http://$TEST_REMOTE_DST1:$CURL_PORT
 110  119  
 111  120  # Clean up.
 112  121  kill $IPSECKEY_PID
 113  122  kill $eapid
 114  123  # Unplumb the tunnels
 115  124  route delete $T2_PREFIX $T2_DST
 116  125  route delete $T1_PREFIX $T1_DST
 117  126  ipadm delete-addr vh0/v4
 118  127  ipadm delete-addr rush0/v4
 119  128  ipadm delete-if vh0
 120  129  ipadm delete-if rush0
 121  130  dladm delete-iptun vh0
 122  131  dladm delete-iptun rush0
 123  132  # Flush policy
 124  133  ipsecconf -Fq
 125  134  # Use SMF to restore anything that may have been there.  "restart" on
 126  135  # a disabled service is a NOP, but an enabled one will get
 127  136  # /etc/inet/ipsecinit.conf reloaded.
 128  137  svcadm restart ipsec/policy
 129  138  
      139 +# give the monitor some time to finish up
      140 +sleep 5
      141 +
 130  142  # Process MONITOR_LOG's output...
 131  143  echo "Checking for unique local port only in one ACQUIRE case."
 132      -egrep "$t1port|$t2port|$t3port" $MONITOR_LOG > /tmp/egrep.$$
 133      -grep $t2port $MONITOR_LOG > /tmp/grep.$$
      144 +egrep "$CURL_DST3_LPORT|$CURL_DST4_LPORT|$CURL_DST1_LPORT" \
      145 +    $MONITOR_LOG > /tmp/egrep.$$
      146 +grep $CURL_DST4_LPORT $MONITOR_LOG > /tmp/grep.$$ || {
      147 +    echo "unique port $CURL_DST4_LPORT missing from monitor log."
      148 +    exit 1
      149 +}
 134  150  diff /tmp/grep.$$ /tmp/egrep.$$
 135  151  if [[ $? != 0 ]]; then
 136      -    echo "More than just the one unique port, $tport2, found in monitor output."
 137      -    /bin/rm -f /tmp/grep.$$ /tmp/egrep.$$ $MONITOR_LOG
      152 +    echo "More than just the one unique port $CURL_DST4_LPORT found."
 138  153      exit 1
 139  154  fi
 140  155  
 141  156  # Split out extended (file.0) and regular (file.1) ACQUIREs.
 142  157  # NOTE: "+7" is dependent on "ipseckey monitor"'s first output where it gets
 143  158  # the "PROMISC" reply.
 144  159  
 145  160  mkdir /tmp/raw.$$
 146  161  savedir=$PWD
 147  162  cd /tmp/raw.$$

 148  163  tail +7 $MONITOR_LOG | \
 149  164      awk 'BEGIN { out=0; } /Read/ {out++;} { print >> (out % 2) }'
 150  165  cd $savedir
 151  166  
 152  167  # Pluck out the address extension from the two ACQUIRE types.
 153  168  # NOTE: Add any new in-ACQUIRE address types here if more arrive.
 154  169  egrep "DST:|SRC:|INS:|IND:" /tmp/raw.$$/0 > /tmp/extended-addresses.$$
 155  170  egrep "DST:|SRC:|INS:|IND:" /tmp/raw.$$/1 > /tmp/regular-addresses.$$
 156  171  
 157  172  # There should be NO differences between address fields from regular vs.
 158  173  # extended ACQUIREs. If there are, it's a bug (or an older version of illumos).
 159  174  diff /tmp/extended-addresses.$$ /tmp/regular-addresses.$$
 160  175  if [[ $? != 0 ]]; then
 161  176      echo "Address fields in ACQUIRE differ."
 162  177      rc=1
 163  178  else
 164  179      rc=0
 165  180  fi
 166  181  
 167  182  /bin/rm -rf /tmp/*-addresses.$$ /tmp/raw.$$
 168  183  /bin/rm -f /tmp/grep.$$ /tmp/egrep.$$ /tmp/addrs.$$ $MONITOR_LOG
 169  184  
 170  185  exit $rc

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX