xref: /illumos-gate/usr/src/test/os-tests/tests/pf_key/kmc-update.sh (revision f20211217f12ce291fd518e61065cd273f23e4ea)
1#!/usr/bin/ksh
2
3#
4# This file and its contents are supplied under the terms of the
5# Common Development and Distribution License ("CDDL"), version 1.0.
6# You may only use this file in accordance with the terms of version
7# 1.0 of the CDDL.
8#
9# A full copy of the text of the CDDL should have accompanied this
10# source.  A copy of the CDDL is also available via the Internet at
11# http://www.illumos.org/license/CDDL.
12#
13
14#
15# Copyright (c) 2018, Joyent, Inc.
16#
17
18if [[ `id -u` -ne 0 ]]; then
19	echo "Need to be root or have effective UID of root."
20	exit 255
21fi
22
23#
24# Two birds with one stone.
25#
26# 1.) Add some simple SAs.
27# 2.) Run C programs that use SADB_UPDATE to alter the SAs' KM cookies.
28#
29# This tests both SADB_UPDATE of an SA's KM cookie, and the C programs can
30# test (or not) cookie/cookie64 and the IKEv1 exception.
31#
32
33SADB_X_KMP_KINK=2
34SADB_X_KMP_IKEV2=3
35COOKIE_IKEV2="0x111770171170"
36EINVAL=22
37
38# Add three simple SAs.  Will delete them first, out of paranoia.
39
40ipseckey 2>&1 >/dev/null <<EOF
41delete ah spi 0x2112 dst 127.0.0.1
42delete ah spi 0x5150 dst 127.0.0.1
43delete ah spi 0x6768 dst 127.0.0.1
44add ah spi 0x2112 dst 127.0.0.1 authalg md5 authkey \
45	1234567890abcdeffedcba0987654321
46add ah spi 0x5150 dst 127.0.0.1 authalg md5 authkey \
47	abcdef01234567890123456789abcdef
48add ah spi 0x6768 dst 127.0.0.1 authalg md5 authkey \
49	fedcbafedcba01234567890123456789
50EOF
51
52# Run programs to see if UPDATE on their KM cookies works.  Both test
53# programs take an SPI value, and assume dst=127.0.0.1.
54
55TESTPATH=/opt/os-tests/tests/pf_key
56
57# Test IKEv1, including masking of the reserved 32-bits.
58$TESTPATH/kmc-updater 0x2112
59if [[ $? != 0 ]]; then
60    echo "IKEv1 32-bit KMC test failed."
61    exit 1
62fi
63echo "Passed IKEv1 32-bit KMC test."
64
65# Test that once set, an IKEv1 KMC cannot be changed
66$TESTPATH/kmc-updater -e $EINVAL -k 0x12345 0x2112
67if [[ $? != 0 ]]; then
68    echo "IKEv1 32-bit KMC update test failed."
69    exit 1
70fi
71echo "Passed IKEv1 32-bit KMC update test."
72
73# Test that IKEv1 KMCs once set, cannot be changed to a different type
74$TESTPATH/kmc-updater -e $EINVAL -p $SADB_X_KMP_IKEV2 0x2112
75if [[ $? != 0 ]]; then
76    echo "IKEv1 32-bit KMC protocol update test failed."
77    exit 1
78fi
79echo "Passed IKEv1 32-bit KMC protocol update test."
80
81# Test a different one, using all 64-bits.
82$TESTPATH/kmc-updater 0x5150 64
83if [[ $? != 0 ]]; then
84    echo "64-bit KMC test failed."
85    exit 1
86fi
87echo "Passed 64-bit KMC test."
88
89# Test that non IKEv2 64-bit KMCs also cannot be changed once set
90$TESTPATH/kmc-updater -e $EINVAL -k "0x12345678abcdef" 0x5150 64
91if [[ $? != 0 ]]; then
92    echo "64-bit KMC update test failed."
93    exit 1
94fi
95echo "Passed 64-bit KMC update test."
96
97# Test that non-IKEv2 KMCs cannot be changed to a different type
98$TESTPATH/kmc-updater -e $EINVAL -p $SADB_X_KMP_IKEV2 0x5150 64
99if [[ $? != 0 ]]; then
100    echo "64-bit non-IKEv2 KMC protocol update test failed."
101    exit 1
102fi
103echo "Passed 64-bit non-IKEv2 KMC protocol update test."
104
105# Test allowing the update of IKEv2 KMCs
106$TESTPATH/kmc-updater -p $SADB_X_KMP_IKEV2 0x6768 64
107if [[ $? != 0 ]]; then
108    echo "Failed to set KMC for IKEV2 test."
109    exit 1
110fi
111$TESTPATH/kmc-updater -p $SADB_X_KMP_IKEV2 -k "$COOKIE_IKEV2" 0x6768 64
112if [[ $? != 0 ]]; then
113    echo "Failed to update IKEv2 KMC."
114    exit 1
115fi
116echo "Passed IKEv2 KMC test."
117
118# Test that IKEv2 KMCs cannot be changed to a different type
119$TESTPATH/kmc-updater -e $EINVAL -p $SADB_X_KMP_KINK -k "$COOKIE_IKEV2" \
120    0x6768 64
121if [[ $? != 0 ]]; then
122    echo "64-bit IKEv2 KMC protocol update test failed."
123    exit 1
124fi
125echo "Passed 64-bit IKEv2 KMC protocol update test."
126
127# Test that IKEv2 KMCs cannot be changed to a different type even w/ new KMC
128$TESTPATH/kmc-updater -e $EINVAL -p $SADB_X_KMP_KINK 0x6768 64
129if [[ $? != 0 ]]; then
130    echo "64-bit IKEv2 KMC protocol + KMC update test failed."
131    exit 1
132fi
133echo "Passed 64-bit IKEv2 KMC protocol + KMC update test."
134
135ipseckey delete ah spi 0x2112 dst 127.0.0.1
136ipseckey delete ah spi 0x5150 dst 127.0.0.1
137ipseckey delete ah spi 0x6768 dst 127.0.0.1
138
139exit 0
140