1 /* $KAME: test-policy.c,v 1.14 2000/12/27 11:38:11 sakane Exp $ */ 2 3 /* 4 * Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project. 5 * All rights reserved. 6 * 7 * Redistribution and use in source and binary forms, with or without 8 * modification, are permitted provided that the following conditions 9 * are met: 10 * 1. Redistributions of source code must retain the above copyright 11 * notice, this list of conditions and the following disclaimer. 12 * 2. Redistributions in binary form must reproduce the above copyright 13 * notice, this list of conditions and the following disclaimer in the 14 * documentation and/or other materials provided with the distribution. 15 * 3. Neither the name of the project nor the names of its contributors 16 * may be used to endorse or promote products derived from this software 17 * without specific prior written permission. 18 * 19 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND 20 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 21 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 22 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE 23 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 24 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 25 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 26 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 27 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 28 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 29 * SUCH DAMAGE. 30 */ 31 32 #include <sys/cdefs.h> 33 __FBSDID("$FreeBSD$"); 34 35 #include <sys/types.h> 36 #include <sys/param.h> 37 #include <sys/socket.h> 38 39 #include <netinet/in.h> 40 #include <net/pfkeyv2.h> 41 #include <netkey/key_debug.h> 42 #include <netinet6/ipsec.h> 43 44 #include <stdio.h> 45 #include <stdlib.h> 46 #include <unistd.h> 47 #include <string.h> 48 #include <errno.h> 49 #include <err.h> 50 51 #include "libpfkey.h" 52 53 struct req_t { 54 int result; /* expected result; 0:ok 1:ng */ 55 char *str; 56 } reqs[] = { 57 { 0, "out ipsec" }, 58 { 1, "must_error" }, 59 { 1, "in ipsec must_error" }, 60 { 1, "out ipsec esp/must_error" }, 61 { 1, "out discard" }, 62 { 1, "out none" }, 63 { 0, "in entrust" }, 64 { 0, "out entrust" }, 65 { 1, "out ipsec esp" }, 66 { 0, "in ipsec ah/transport" }, 67 { 1, "in ipsec ah/tunnel" }, 68 { 0, "out ipsec ah/transport/" }, 69 { 1, "out ipsec ah/tunnel/" }, 70 { 0, "in ipsec esp / transport / 10.0.0.1-10.0.0.2" }, 71 { 0, "in ipsec esp/tunnel/::1-::2" }, 72 { 1, "in ipsec esp/tunnel/10.0.0.1-::2" }, 73 { 0, "in ipsec esp/tunnel/::1-::2/require" }, 74 { 0, "out ipsec ah/transport//use" }, 75 { 1, "out ipsec ah/transport esp/use" }, 76 { 1, "in ipsec ah/transport esp/tunnel" }, 77 { 0, "in ipsec ah/transport esp/tunnel/::1-::1" }, 78 { 0, "in ipsec 79 ah / transport 80 esp / tunnel / ::1-::2" }, 81 { 0, "out ipsec 82 ah/transport/::1-::2 esp/tunnel/::3-::4/use ah/transport/::5-::6/require 83 ah/transport/::1-::2 esp/tunnel/::3-::4/use ah/transport/::5-::6/require 84 ah/transport/::1-::2 esp/tunnel/::3-::4/use ah/transport/::5-::6/require 85 " }, 86 { 0, "out ipsec esp/transport/fec0::10-fec0::11/use" }, 87 }; 88 89 int test1(void); 90 int test1sub1(struct req_t *); 91 int test1sub2(char *, int); 92 int test2(void); 93 int test2sub(int); 94 95 int 96 main(ac, av) 97 int ac; 98 char **av; 99 { 100 test1(); 101 test2(); 102 103 exit(0); 104 } 105 106 int 107 test1() 108 { 109 int i; 110 int result; 111 112 printf("TEST1\n"); 113 for (i = 0; i < sizeof(reqs)/sizeof(reqs[0]); i++) { 114 printf("#%d [%s]\n", i + 1, reqs[i].str); 115 116 result = test1sub1(&reqs[i]); 117 if (result == 0 && reqs[i].result == 1) { 118 warnx("ERROR: expecting failure.\n"); 119 } else if (result == 1 && reqs[i].result == 0) { 120 warnx("ERROR: expecting success.\n"); 121 } 122 } 123 124 return 0; 125 } 126 127 int 128 test1sub1(req) 129 struct req_t *req; 130 { 131 char *buf; 132 133 buf = ipsec_set_policy(req->str, strlen(req->str)); 134 if (buf == NULL) { 135 printf("ipsec_set_policy: %s\n", ipsec_strerror()); 136 return 1; 137 } 138 139 if (test1sub2(buf, PF_INET) != 0 140 || test1sub2(buf, PF_INET6) != 0) { 141 free(buf); 142 return 1; 143 } 144 #if 0 145 kdebug_sadb_x_policy((struct sadb_ext *)buf); 146 #endif 147 148 free(buf); 149 return 0; 150 } 151 152 int 153 test1sub2(policy, family) 154 char *policy; 155 int family; 156 { 157 int so; 158 int proto = 0, optname = 0; 159 int len; 160 char getbuf[1024]; 161 162 switch (family) { 163 case PF_INET: 164 proto = IPPROTO_IP; 165 optname = IP_IPSEC_POLICY; 166 break; 167 case PF_INET6: 168 proto = IPPROTO_IPV6; 169 optname = IPV6_IPSEC_POLICY; 170 break; 171 } 172 173 if ((so = socket(family, SOCK_DGRAM, 0)) < 0) 174 err(1, "socket"); 175 176 len = ipsec_get_policylen(policy); 177 #if 0 178 printf("\tsetlen:%d\n", len); 179 #endif 180 181 if (setsockopt(so, proto, optname, policy, len) < 0) { 182 printf("fail to set sockopt; %s\n", strerror(errno)); 183 close(so); 184 return 1; 185 } 186 187 memset(getbuf, 0, sizeof(getbuf)); 188 memcpy(getbuf, policy, sizeof(struct sadb_x_policy)); 189 if (getsockopt(so, proto, optname, getbuf, &len) < 0) { 190 printf("fail to get sockopt; %s\n", strerror(errno)); 191 close(so); 192 return 1; 193 } 194 195 { 196 char *buf = NULL; 197 198 #if 0 199 printf("\tgetlen:%d\n", len); 200 #endif 201 202 if ((buf = ipsec_dump_policy(getbuf, NULL)) == NULL) { 203 printf("%s\n", ipsec_strerror()); 204 close(so); 205 return 1; 206 } 207 #if 0 208 printf("\t[%s]\n", buf); 209 #endif 210 free(buf); 211 } 212 213 close (so); 214 return 0; 215 } 216 217 char addr[] = { 218 28, 28, 0, 0, 219 0, 0, 0, 0, 220 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 221 0, 0, 0, 0, 222 }; 223 224 int 225 test2() 226 { 227 int so; 228 char *pol1 = "out ipsec"; 229 char *pol2 = "out ipsec ah/transport//use"; 230 char *sp1, *sp2; 231 int splen1, splen2; 232 int spid; 233 struct sadb_msg *m; 234 235 printf("TEST2\n"); 236 if (getuid() != 0) 237 errx(1, "root privilege required.\n"); 238 239 sp1 = ipsec_set_policy(pol1, strlen(pol1)); 240 splen1 = ipsec_get_policylen(sp1); 241 sp2 = ipsec_set_policy(pol2, strlen(pol2)); 242 splen2 = ipsec_get_policylen(sp2); 243 244 if ((so = pfkey_open()) < 0) 245 errx(1, "ERROR: %s\n", ipsec_strerror()); 246 247 printf("spdflush()\n"); 248 if (pfkey_send_spdflush(so) < 0) 249 errx(1, "ERROR: %s\n", ipsec_strerror()); 250 m = pfkey_recv(so); 251 free(m); 252 253 #if 0 254 printf("spdsetidx()\n"); 255 if (pfkey_send_spdsetidx(so, (struct sockaddr *)addr, 128, 256 (struct sockaddr *)addr, 128, 257 255, sp1, splen1, 0) < 0) 258 errx(1, "ERROR: %s\n", ipsec_strerror()); 259 m = pfkey_recv(so); 260 free(m); 261 262 printf("spdupdate()\n"); 263 if (pfkey_send_spdupdate(so, (struct sockaddr *)addr, 128, 264 (struct sockaddr *)addr, 128, 265 255, sp2, splen2, 0) < 0) 266 errx(1, "ERROR: %s\n", ipsec_strerror()); 267 m = pfkey_recv(so); 268 free(m); 269 270 sleep(4); 271 272 printf("spddelete()\n"); 273 if (pfkey_send_spddelete(so, (struct sockaddr *)addr, 128, 274 (struct sockaddr *)addr, 128, 275 255, sp1, splen1, 0) < 0) 276 errx(1, "ERROR: %s\n", ipsec_strerror()); 277 m = pfkey_recv(so); 278 free(m); 279 280 printf("spdadd()\n"); 281 if (pfkey_send_spdadd(so, (struct sockaddr *)addr, 128, 282 (struct sockaddr *)addr, 128, 283 255, sp2, splen2, 0) < 0) 284 errx(1, "ERROR: %s\n", ipsec_strerror()); 285 spid = test2sub(so); 286 287 printf("spdget(%u)\n", spid); 288 if (pfkey_send_spdget(so, spid) < 0) 289 errx(1, "ERROR: %s\n", ipsec_strerror()); 290 m = pfkey_recv(so); 291 free(m); 292 293 sleep(4); 294 295 printf("spddelete2()\n"); 296 if (pfkey_send_spddelete2(so, spid) < 0) 297 errx(1, "ERROR: %s\n", ipsec_strerror()); 298 m = pfkey_recv(so); 299 free(m); 300 #endif 301 302 printf("spdadd() with lifetime's 10(s)\n"); 303 if (pfkey_send_spdadd2(so, (struct sockaddr *)addr, 128, 304 (struct sockaddr *)addr, 128, 305 255, 0, 10, sp2, splen2, 0) < 0) 306 errx(1, "ERROR: %s\n", ipsec_strerror()); 307 spid = test2sub(so); 308 309 #if 0 310 /* expecting failure */ 311 printf("spdupdate()\n"); 312 if (pfkey_send_spdupdate(so, (struct sockaddr *)addr, 128, 313 (struct sockaddr *)addr, 128, 314 255, sp2, splen2, 0) == 0) { 315 warnx("ERROR: expecting failure.\n"); 316 } 317 #endif 318 319 return 0; 320 } 321 322 int 323 test2sub(so) 324 int so; 325 { 326 struct sadb_msg *msg; 327 caddr_t mhp[SADB_EXT_MAX + 1]; 328 329 if ((msg = pfkey_recv(so)) == NULL) 330 errx(1, "ERROR: pfkey_recv failure.\n"); 331 if (pfkey_align(msg, mhp) < 0) 332 errx(1, "ERROR: pfkey_align failure.\n"); 333 334 return ((struct sadb_x_policy *)mhp[SADB_X_EXT_POLICY])->sadb_x_policy_id; 335 } 336 337