1#!/bin/sh
2# Copyright (c) 2016 Red Hat Inc.,  All Rights Reserved.
3# Copyright (c) 2016 Oracle and/or its affiliates. All Rights Reserved.
4#
5# This program is free software; you can redistribute it and/or
6# modify it under the terms of the GNU General Public License as
7# published by the Free Software Foundation; either version 2 of
8# the License, or (at your option) any later version.
9#
10# This program is distributed in the hope that it would be useful,
11# but WITHOUT ANY WARRANTY; without even the implied warranty of
12# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
13# GNU General Public License for more details.
14#
15# You should have received a copy of the GNU General Public License
16# along with this program; if not, see <http://www.gnu.org/licenses/>.
17#
18# Author: Hangbin Liu <haliu@redhat.com>
19#
20#######################################################################
21
22. test_net.sh
23
# Algorithm defaults; each one can be overridden with -A / -e / -a / -c.
# Which of them is used depends on -p: esp_aead -> AEALGO, esp -> EALGO
# and AALGO, ah -> AALGO, comp -> CALGO (see ipsec_set_algoline).
# des3_ede and sha1 are deliberately old choices: this library exists to
# exercise the kernel's xfrm code paths, not to recommend a cipher suite,
# and every run draws fresh random keys for them (see get_key).
AEALGO=rfc4106_128	# AEAD: AES-GCM per RFC 4106, 128-bit key
EALGO=des3_ede		# cipher for plain ESP
AALGO=sha1		# HMAC hash for AH / plain ESP
CALGO=deflate		# IPComp algorithm
32
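# Parse this library's options. Anything not given keeps the algorithm
# defaults above or the SPI / VTI_KEY defaults applied further down.
# The leading ':' puts getopts in silent mode so that a missing argument
# is reported as such instead of surfacing as "unknown option: ?".
# Note on -S: the value is used verbatim after a "0x" prefix and also in
# $(( SPI + 1 )) for the reverse-direction SA, so pass decimal digits.
# The protocol names in the usage text are the ones ipsec_set_algoline
# actually accepts ("comp", not "ipcomp"; "esp_aead" for AEAD ciphers).
while getopts ":hl:m:p:s:S:k:A:e:a:c:6" opt; do
	case "$opt" in
	h)
		echo "Usage:"
		echo "h        help"
		echo "l n      n is the number of test link when tests run"
		echo "m x      x is ipsec mode, could be transport / tunnel"
		echo "p x      x is ipsec protocol, could be ah / esp / esp_aead / comp"
		echo "s x      x is icmp message size array"
		echo "S n      n is IPsec SPI value"
		echo "k x      key for vti interface"
		echo "A x      Authenticated encryption with associated data algorithm"
		echo "e x      Encryption algorithm"
		echo "a x      Authentication algorithm"
		echo "c x      Compression algorithm"
		echo "6        run over IPv6"
		exit 0
	;;
	l) LINK_NUM=$OPTARG ;;
	m) IPSEC_MODE=$OPTARG ;;
	p) IPSEC_PROTO=$OPTARG ;;
	s) IPSEC_SIZE_ARRAY="$OPTARG" ;;
	S) SPI=$OPTARG ;;
	k) VTI_KEY=$OPTARG ;;
	A) AEALGO=$OPTARG ;;
	e) EALGO=$OPTARG ;;
	a) AALGO=$OPTARG ;;
	c) CALGO=$OPTARG ;;
	6) # skip, test_net library already processed it
	;;
	:) tst_brkm TBROK "option -$OPTARG requires an argument" ;;
	*) tst_brkm TBROK "unknown option: -$OPTARG" ;;
	esac
done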
66
# get_key BITS: print a fresh random key as a "0x"-prefixed hex string.
#
# BITS is the key length in bits and is turned into BITS/4 hex digits
# (integer division, so BITS should be a multiple of 4). The digits are
# filtered out of /dev/urandom, so every call returns a new key and no key
# material is hard-coded anywhere in this library. The key still ends up
# on the 'ip xfrm state add' command line (and, for rhost, inside a
# tst_rhost_run -c string), i.e. in process listings and test logs --
# fine for a throwaway test SA, never for a real one.
get_key()
{
	local nibbles=$(( $1 / 4 ))
	local hex

	hex=$(tr -dc '[:xdigit:]' < /dev/urandom | head -c "$nibbles")
	printf '0x%s\n' "$hex"
}
73
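# AEAD key for -A. The key blob handed to 'ip xfrm' holds the AES key plus
# the nonce salt the RFC puts in the same blob: 32 extra bits for the
# GCM/GMAC variants (rfc4106 / rfc4543), 24 for CCM (rfc4309) -- hence
# 160/224/288 and 152/216/280 rather than 128/192/256.
# An unknown name aborts the test, the same way the EALGO and AALGO checks
# below do, instead of silently leaving AEALGO_KEY empty and letting the
# failure surface later as a cryptic 'ip xfrm state add' error.
case $AEALGO in
rfc4106_128|rfc4543_128) AEALGO_KEY=$(get_key 160) ;;
rfc4106_192|rfc4543_192) AEALGO_KEY=$(get_key 224) ;;
rfc4106_256|rfc4543_256) AEALGO_KEY=$(get_key 288) ;;
rfc4309_128) AEALGO_KEY=$(get_key 152) ;;
rfc4309_192) AEALGO_KEY=$(get_key 216) ;;
rfc4309_256) AEALGO_KEY=$(get_key 280) ;;
*) tst_brkm TBROK "unknown aead alg: $AEALGO" ;;
esac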
82
# Cipher key for -e: pick the key length in bits, then draw a fresh key.
# des, des3_ede, cast5 and blowfish are legacy ciphers kept only so the
# kernel's implementations get exercised; this list is not a
# recommendation. The modern block ciphers all get 256-bit keys.
# Anything else aborts the test.
case "$EALGO" in
	des)
		EALGO_KEY=$(get_key 64)
		;;
	des3_ede)
		EALGO_KEY=$(get_key 192)
		;;
	cast5)
		EALGO_KEY=$(get_key 128)
		;;
	blowfish)
		EALGO_KEY=$(get_key 448)
		;;
	aes|twofish|camellia|serpent)
		EALGO_KEY=$(get_key 256)
		;;
	*)
		tst_brkm TBROK "unknown enc alg: $EALGO"
		;;
esac
91
# HMAC key for -a: key length matches the hash output size, then draw a
# fresh key. Anything else aborts the test.
# NOTE(review): the SAs are added with a plain 'auth hmac(<hash>)' clause,
# so the ICV truncation is whatever the kernel defaults to for that hash.
# Both peers are Linux hosts configured by this same library, so they
# agree with each other; confirm against RFC 4868 (128/192/256-bit ICVs
# for sha256/384/512) before treating this as an interop test.
case "$AALGO" in
	sha1|rmd160)
		AALGO_KEY=$(get_key 160)
		;;
	sha256)
		AALGO_KEY=$(get_key 256)
		;;
	sha384)
		AALGO_KEY=$(get_key 384)
		;;
	sha512)
		AALGO_KEY=$(get_key 512)
		;;
	*)
		tst_brkm TBROK "unknown auth alg: $AALGO"
		;;
esac
99
# Runtime defaults and scratch globals.
# SPI and VTI_KEY are defaulted here, after option parsing, so -S / -k
# win. SPI is used both as the text after "0x" and inside $(( SPI + 1 ))
# for the reverse SA, so it must be decimal digits. VTI_KEY is passed to
# tst_ipsec_vti as both the vti 'key' and the xfrm policy 'mark'.
: "${SPI:=1000}"
: "${VTI_KEY:=10}"
cleanup_vti=''	# vti device for tst_ipsec_cleanup to delete, if one was created
ALG=''		# algorithm clause for the local 'ip xfrm state add'
ALGR=''		# same clause with '(' ')' escaped for tst_rhost_run -c
105
# tst_ipsec_cleanup: undo what tst_ipsec / tst_ipsec_vti set up.
#
# Flushes *all* xfrm state and policy on lhost and rhost -- not only the
# entries this library added -- and deletes the vti device recorded in
# cleanup_vti, if any. Failures do not abort, since this runs on the way
# out. Do not point the suite at hosts that carry real IPsec configuration.
tst_ipsec_cleanup()
{
	local dev=$cleanup_vti

	ip xfrm state flush
	ip xfrm policy flush
	tst_rhost_run -c "ip xfrm state flush && ip xfrm policy flush"

	[ -n "$dev" ] || return 0

	ip li del "$dev" 2>/dev/null
	tst_rhost_run -c "ip li del $dev 2>/dev/null"
}
118
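# ipsec_set_algoline: build the algorithm clause for 'ip xfrm state add'.
#
# Reads IPSEC_PROTO and the *ALGO / *ALGO_KEY globals and sets:
#   ALG  - the clause as passed to the local ip(8)
#   ALGR - the same clause with '(' and ')' backslash-escaped, because
#          tst_rhost_run -c hands the string to a remote shell, which
#          would otherwise parse 'hmac(sha1)' as shell syntax
# The AEAD ICV length is fixed at 128 bits for every rfc4106 / rfc4309 /
# rfc4543 variant. An unknown protocol breaks the test with TCONF; an
# unknown AEAD name breaks with TBROK rather than leaving ALG empty, which
# used to surface only later as a cryptic 'ip xfrm state add' failure.
ipsec_set_algoline()
{
	local hmac="auth hmac($AALGO) $AALGO_KEY"

	case $IPSEC_PROTO in
	ah)
		ALG=$hmac
		;;
	esp)
		ALG="enc $EALGO $EALGO_KEY $hmac"
		;;
	esp_aead)
		case $AEALGO in
		rfc4106_128|rfc4106_192|rfc4106_256)
			ALG="aead rfc4106(gcm(aes)) $AEALGO_KEY 128"
			;;
		rfc4309_128|rfc4309_192|rfc4309_256)
			ALG="aead rfc4309(ccm(aes)) $AEALGO_KEY 128"
			;;
		rfc4543_128|rfc4543_192|rfc4543_256)
			ALG="aead rfc4543(gcm(aes)) $AEALGO_KEY 128"
			;;
		*)
			tst_brkm TBROK "unknown aead alg: $AEALGO"
			;;
		esac
		;;
	comp)
		ALG="comp $CALGO"
		;;
	*)
		tst_brkm TCONF "tst_ipsec protocol mismatch"
		;;
	esac

	# One place to derive the remote variant: escape every parenthesis
	# for the shell on the other side (a no-op for 'comp').
	ALGR=$(printf '%s\n' "$ALG" | sed 's/[()]/\\&/g')
}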
155
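# tst_ipsec target src_addr dst_addr: configure one SA pair plus policies
#
# target: host to configure ( lhost / rhost )
# src_addr: source IP address, from target's point of view
# dst_addr: destination IP address, from target's point of view
#
# Installs two SAs on the target, one per direction, each selected by the
# src/dst pair, using the algorithm clause from ipsec_set_algoline (ALG
# locally, the shell-escaped ALGR inside the tst_rhost_run -c string).
# SPI numbering is mirrored so both hosts agree: lhost sends with 0x$SPI
# and receives with 0x$((SPI + 1)); rhost the other way round.
# The inbound policy is installed with 'level use', so traffic that
# matches the policy but has no SA is still accepted in the clear --
# convenient for a test, but a failed SA setup degrades to plaintext
# instead of failing closed; do not copy this for a real configuration.
# Breaks with TCONF on a bad argument count and with TBROK on a target
# other than lhost / rhost (which used to be a silent no-op).
tst_ipsec()
{
	if [ $# -ne 3 ]; then
		tst_brkm TCONF "tst_ipsec parameter mismatch"
	fi

	local target=$1
	local src=$2
	local dst=$3
	local mode=$IPSEC_MODE
	local p="proto $IPSEC_PROTO"
	# esp_aead is this library's name; the xfrm protocol is still esp
	[ "$IPSEC_PROTO" = "esp_aead" ] && p="proto esp"

	ipsec_set_algoline

	if [ "$target" = lhost ]; then
		local spi_1="0x$SPI"
		local spi_2="0x$(( $SPI + 1 ))"
		ROD ip xfrm state add src $src dst $dst spi $spi_1 \
			$p $ALG mode $mode sel src $src dst $dst
		ROD ip xfrm state add src $dst dst $src spi $spi_2 \
			$p $ALG mode $mode sel src $dst dst $src

		ROD ip xfrm policy add src $src dst $dst dir out tmpl src $src \
			dst $dst $p mode $mode
		ROD ip xfrm policy add src $dst dst $src dir in tmpl src $dst \
			dst $src $p mode $mode level use
	elif [ "$target" = rhost ]; then
		local spi_1="0x$(( $SPI + 1 ))"
		local spi_2="0x$SPI"
		tst_rhost_run -s -c "ip xfrm state add src $src dst $dst \
			spi $spi_1 $p $ALGR mode $mode sel src $src dst $dst"
		tst_rhost_run -s -c "ip xfrm state add src $dst dst $src \
			spi $spi_2 $p $ALGR mode $mode sel src $dst dst $src"

		tst_rhost_run -s -c "ip xfrm policy add src $src dst $dst \
			dir out tmpl src $src dst $dst $p mode $mode"
		tst_rhost_run -s -c "ip xfrm policy add src $dst dst $src dir \
			in tmpl src $dst dst $src $p mode $mode level use"
	else
		tst_brkm TBROK "tst_ipsec: unknown target '$target'"
	fi
}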
202
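# tst_ipsec_vti target src_addr dst_addr vti_name: IPsec through a vti device
#
# target: host to configure ( lhost / rhost )
# src_addr: source IP address, from target's point of view
# dst_addr: destination IP address, from target's point of view
# vti_name: name of the vti interface to create
#
# Creates the vti device with 'key $VTI_KEY', then installs one SA per
# direction and mark-based policies with 'mark $VTI_KEY'; the same value
# is used for both on purpose, since a vti device matches xfrm entries by
# mark. SPI numbering mirrors tst_ipsec so both hosts agree, and the
# remote side gets the shell-escaped ALGR clause because the command goes
# through tst_rhost_run -c. 'xf' / 'st' / 'po' are ip(8) abbreviations
# for xfrm / state / policy. The address family follows TST_IPV6, which
# test_net.sh sets; it is also appended to the 'vti' type name, so it is
# expected to be "6" or empty.
# cleanup_vti is recorded before the device is created so that
# tst_ipsec_cleanup can remove a half-built setup.
# NOTE(review): the capability probe only checks that 'vti' is known to
# iproute; it does not separately confirm 'vti6' -- verify on the IPv6 path.
# Breaks with TCONF on a bad argument count or missing vti support, and
# with TBROK on a target other than lhost / rhost (which used to be a
# silent no-op).
tst_ipsec_vti()
{
	if [ $# -ne 4 ]; then
		tst_brkm TCONF "tst_ipsec_vti parameter mismatch"
	fi

	local target=$1
	local src=$2
	local dst=$3
	local vti=$4
	local m="mode $IPSEC_MODE"
	local p="proto $IPSEC_PROTO"
	# esp_aead is this library's name; the xfrm protocol is still esp
	[ "$IPSEC_PROTO" = "esp_aead" ] && p="proto esp"

	local key="key $VTI_KEY"
	local mrk="mark $VTI_KEY"
	local type="type vti$TST_IPV6"

	ip li add type vti help 2>&1 | grep -q vti || \
		tst_brkm TCONF "iproute doesn't support 'vti'"

	ipsec_set_algoline

	local o_dir="src $src dst $dst"
	local i_dir="src $dst dst $src"
	local ipx="ip -${TST_IPV6:-4} xf"

	cleanup_vti=$vti

	if [ "$target" = lhost ]; then
		ROD ip li add $vti $type local $src remote $dst $key
		ROD ip li set $vti up

		local spi_1="spi 0x$SPI"
		local spi_2="spi 0x$(( $SPI + 1 ))"
		ROD $ipx st add $o_dir $p $spi_1 $ALG $m
		ROD $ipx st add $i_dir $p $spi_2 $ALG $m
		ROD $ipx po add dir out tmpl $o_dir $p $m $mrk
		ROD $ipx po add dir in tmpl $i_dir $p $m $mrk
	elif [ "$target" = rhost ]; then
		tst_rhost_run -s -c \
			"ip li add $vti $type local $src remote $dst $key"
		tst_rhost_run -s -c "ip li set $vti up"

		local spi_1="spi 0x$(( $SPI + 1 ))"
		local spi_2="spi 0x$SPI"
		tst_rhost_run -s -c "$ipx st add $o_dir $p $spi_1 $ALGR $m"
		tst_rhost_run -s -c "$ipx st add $i_dir $p $spi_2 $ALGR $m"
		tst_rhost_run -s -c "$ipx po add dir out tmpl $o_dir $p $m $mrk"
		tst_rhost_run -s -c "$ipx po add dir in tmpl $i_dir $p $m $mrk"
	else
		tst_brkm TBROK "tst_ipsec_vti: unknown target '$target'"
	fi
}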
261