xref: /freebsd/lib/libipsec/test-policy.c (revision 884a2a699669ec61e2366e3e358342dbc94be24a)
1 /*	$KAME: test-policy.c,v 1.16 2003/08/26 03:24:08 itojun Exp $	*/
2 
3 /*
4  * Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
5  * All rights reserved.
6  *
7  * Redistribution and use in source and binary forms, with or without
8  * modification, are permitted provided that the following conditions
9  * are met:
10  * 1. Redistributions of source code must retain the above copyright
11  *    notice, this list of conditions and the following disclaimer.
12  * 2. Redistributions in binary form must reproduce the above copyright
13  *    notice, this list of conditions and the following disclaimer in the
14  *    documentation and/or other materials provided with the distribution.
15  * 3. Neither the name of the project nor the names of its contributors
16  *    may be used to endorse or promote products derived from this software
17  *    without specific prior written permission.
18  *
19  * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
20  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
21  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
22  * ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
23  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
24  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
25  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
26  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
27  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
28  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
29  * SUCH DAMAGE.
30  */
31 
32 #include <sys/cdefs.h>
33 __FBSDID("$FreeBSD$");
34 
35 #include <sys/types.h>
36 #include <sys/param.h>
37 #include <sys/socket.h>
38 
39 #include <netinet/in.h>
40 #include <net/pfkeyv2.h>
41 #include <netipsec/key_debug.h>
42 #include <netipsec/ipsec.h>
43 
44 #include <stdio.h>
45 #include <stdlib.h>
46 #include <unistd.h>
47 #include <string.h>
48 #include <errno.h>
49 #include <err.h>
50 
51 #include "libpfkey.h"
52 
53 struct req_t {
54 	int result;	/* expected result; 0:ok 1:ng */
55 	char *str;
56 } reqs[] = {
57 { 0, "out ipsec" },
58 { 1, "must_error" },
59 { 1, "in ipsec must_error" },
60 { 1, "out ipsec esp/must_error" },
61 { 1, "out discard" },
62 { 1, "out none" },
63 { 0, "in entrust" },
64 { 0, "out entrust" },
65 { 1, "out ipsec esp" },
66 { 0, "in ipsec ah/transport" },
67 { 1, "in ipsec ah/tunnel" },
68 { 0, "out ipsec ah/transport/" },
69 { 1, "out ipsec ah/tunnel/" },
70 { 0, "in ipsec esp / transport / 10.0.0.1-10.0.0.2" },
71 { 0, "in ipsec esp/tunnel/::1-::2" },
72 { 1, "in ipsec esp/tunnel/10.0.0.1-::2" },
73 { 0, "in ipsec esp/tunnel/::1-::2/require" },
74 { 0, "out ipsec ah/transport//use" },
75 { 1, "out ipsec ah/transport esp/use" },
76 { 1, "in ipsec ah/transport esp/tunnel" },
77 { 0, "in ipsec ah/transport esp/tunnel/::1-::1" },
78 { 0, "in ipsec
79 	ah / transport
80 	esp / tunnel / ::1-::2" },
81 { 0, "out ipsec
82 	ah/transport/::1-::2 esp/tunnel/::3-::4/use ah/transport/::5-::6/require
83 	ah/transport/::1-::2 esp/tunnel/::3-::4/use ah/transport/::5-::6/require
84 	ah/transport/::1-::2 esp/tunnel/::3-::4/use ah/transport/::5-::6/require
85 	" },
86 { 0, "out ipsec esp/transport/fec0::10-fec0::11/use" },
87 };
88 
89 int test1(void);
90 int test1sub1(struct req_t *);
91 int test1sub2(char *, int);
92 int test2(void);
93 int test2sub(int);
94 
95 int
96 main(ac, av)
97 	int ac;
98 	char **av;
99 {
100 	test1();
101 	test2();
102 
103 	exit(0);
104 }
105 
106 int
107 test1()
108 {
109 	int i;
110 	int result;
111 
112 	printf("TEST1\n");
113 	for (i = 0; i < sizeof(reqs)/sizeof(reqs[0]); i++) {
114 		printf("#%d [%s]\n", i + 1, reqs[i].str);
115 
116 		result = test1sub1(&reqs[i]);
117 		if (result == 0 && reqs[i].result == 1) {
118 			warnx("ERROR: expecting failure.");
119 		} else if (result == 1 && reqs[i].result == 0) {
120 			warnx("ERROR: expecting success.");
121 		}
122 	}
123 
124 	return 0;
125 }
126 
127 int
128 test1sub1(req)
129 	struct req_t *req;
130 {
131 	char *buf;
132 
133 	buf = ipsec_set_policy(req->str, strlen(req->str));
134 	if (buf == NULL) {
135 		printf("ipsec_set_policy: %s\n", ipsec_strerror());
136 		return 1;
137 	}
138 
139 	if (test1sub2(buf, PF_INET) != 0
140 	 || test1sub2(buf, PF_INET6) != 0) {
141 		free(buf);
142 		return 1;
143 	}
144 #if 0
145 	kdebug_sadb_x_policy((struct sadb_ext *)buf);
146 #endif
147 
148 	free(buf);
149 	return 0;
150 }
151 
152 int
153 test1sub2(policy, family)
154 	char *policy;
155 	int family;
156 {
157 	int so;
158 	int proto = 0, optname = 0;
159 	int len;
160 	char getbuf[1024];
161 
162 	switch (family) {
163 	case PF_INET:
164 		proto = IPPROTO_IP;
165 		optname = IP_IPSEC_POLICY;
166 		break;
167 	case PF_INET6:
168 		proto = IPPROTO_IPV6;
169 		optname = IPV6_IPSEC_POLICY;
170 		break;
171 	}
172 
173 	if ((so = socket(family, SOCK_DGRAM, 0)) < 0)
174 		err(1, "socket");
175 
176 	len = ipsec_get_policylen(policy);
177 #if 0
178 	printf("\tsetlen:%d\n", len);
179 #endif
180 
181 	if (setsockopt(so, proto, optname, policy, len) < 0) {
182 		printf("fail to set sockopt; %s\n", strerror(errno));
183 		close(so);
184 		return 1;
185 	}
186 
187 	memset(getbuf, 0, sizeof(getbuf));
188 	memcpy(getbuf, policy, sizeof(struct sadb_x_policy));
189 	if (getsockopt(so, proto, optname, getbuf, &len) < 0) {
190 		printf("fail to get sockopt; %s\n", strerror(errno));
191 		close(so);
192 		return 1;
193 	}
194 
195     {
196 	char *buf = NULL;
197 
198 #if 0
199 	printf("\tgetlen:%d\n", len);
200 #endif
201 
202 	if ((buf = ipsec_dump_policy(getbuf, NULL)) == NULL) {
203 		printf("%s\n", ipsec_strerror());
204 		close(so);
205 		return 1;
206 	}
207 #if 0
208 	printf("\t[%s]\n", buf);
209 #endif
210 	free(buf);
211     }
212 
213 	close (so);
214 	return 0;
215 }
216 
217 char addr[] = {
218 	28, 28, 0, 0,
219 	0, 0, 0, 0,
220 	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1,
221 	0, 0, 0, 0,
222 };
223 
224 int
225 test2()
226 {
227 	int so;
228 	char *pol1 = "out ipsec";
229 	char *pol2 = "out ipsec ah/transport//use";
230 	char *sp1, *sp2;
231 	int splen1, splen2;
232 	int spid;
233 	struct sadb_msg *m;
234 
235 	printf("TEST2\n");
236 	if (getuid() != 0)
237 		errx(1, "root privilege required.");
238 
239 	sp1 = ipsec_set_policy(pol1, strlen(pol1));
240 	splen1 = ipsec_get_policylen(sp1);
241 	sp2 = ipsec_set_policy(pol2, strlen(pol2));
242 	splen2 = ipsec_get_policylen(sp2);
243 
244 	if ((so = pfkey_open()) < 0)
245 		errx(1, "ERROR: %s", ipsec_strerror());
246 
247 	printf("spdflush()\n");
248 	if (pfkey_send_spdflush(so) < 0)
249 		errx(1, "ERROR: %s", ipsec_strerror());
250 	m = pfkey_recv(so);
251 	free(m);
252 
253 	printf("spdsetidx()\n");
254 	if (pfkey_send_spdsetidx(so, (struct sockaddr *)addr, 128,
255 				(struct sockaddr *)addr, 128,
256 				255, sp1, splen1, 0) < 0)
257 		errx(1, "ERROR: %s", ipsec_strerror());
258 	m = pfkey_recv(so);
259 	free(m);
260 
261 	printf("spdupdate()\n");
262 	if (pfkey_send_spdupdate(so, (struct sockaddr *)addr, 128,
263 				(struct sockaddr *)addr, 128,
264 				255, sp2, splen2, 0) < 0)
265 		errx(1, "ERROR: %s", ipsec_strerror());
266 	m = pfkey_recv(so);
267 	free(m);
268 
269 	printf("sleep(4)\n");
270 	sleep(4);
271 
272 	printf("spddelete()\n");
273 	if (pfkey_send_spddelete(so, (struct sockaddr *)addr, 128,
274 				(struct sockaddr *)addr, 128,
275 				255, sp1, splen1, 0) < 0)
276 		errx(1, "ERROR: %s", ipsec_strerror());
277 	m = pfkey_recv(so);
278 	free(m);
279 
280 	printf("spdadd()\n");
281 	if (pfkey_send_spdadd(so, (struct sockaddr *)addr, 128,
282 				(struct sockaddr *)addr, 128,
283 				255, sp2, splen2, 0) < 0)
284 		errx(1, "ERROR: %s", ipsec_strerror());
285 	spid = test2sub(so);
286 
287 	printf("spdget(%u)\n", spid);
288 	if (pfkey_send_spdget(so, spid) < 0)
289 		errx(1, "ERROR: %s", ipsec_strerror());
290 	m = pfkey_recv(so);
291 	free(m);
292 
293 	printf("sleep(4)\n");
294 	sleep(4);
295 
296 	printf("spddelete2()\n");
297 	if (pfkey_send_spddelete2(so, spid) < 0)
298 		errx(1, "ERROR: %s", ipsec_strerror());
299 	m = pfkey_recv(so);
300 	free(m);
301 
302 	printf("spdadd() with lifetime's 10(s)\n");
303 	if (pfkey_send_spdadd2(so, (struct sockaddr *)addr, 128,
304 				(struct sockaddr *)addr, 128,
305 				255, 0, 10, sp2, splen2, 0) < 0)
306 		errx(1, "ERROR: %s", ipsec_strerror());
307 	spid = test2sub(so);
308 
309 	/* expecting failure */
310 	printf("spdupdate()\n");
311 	if (pfkey_send_spdupdate(so, (struct sockaddr *)addr, 128,
312 				(struct sockaddr *)addr, 128,
313 				255, sp2, splen2, 0) == 0) {
314 		warnx("ERROR: expecting failure.");
315 	}
316 
317 	return 0;
318 }
319 
320 int
321 test2sub(so)
322 	int so;
323 {
324 	struct sadb_msg *msg;
325 	caddr_t mhp[SADB_EXT_MAX + 1];
326 
327 	if ((msg = pfkey_recv(so)) == NULL)
328 		errx(1, "ERROR: pfkey_recv failure.");
329 	if (pfkey_align(msg, mhp) < 0)
330 		errx(1, "ERROR: pfkey_align failure.");
331 
332 	return ((struct sadb_x_policy *)mhp[SADB_X_EXT_POLICY])->sadb_x_policy_id;
333 }
334 
335