1.1 misho 1: /* $NetBSD: test-policy.c,v 1.4 2006/09/09 16:22:09 manu Exp $ */
2:
3: /* $KAME: test-policy.c,v 1.16 2003/08/26 03:24:08 itojun Exp $ */
4:
5: /*
6: * Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
7: * All rights reserved.
8: *
9: * Redistribution and use in source and binary forms, with or without
10: * modification, are permitted provided that the following conditions
11: * are met:
12: * 1. Redistributions of source code must retain the above copyright
13: * notice, this list of conditions and the following disclaimer.
14: * 2. Redistributions in binary form must reproduce the above copyright
15: * notice, this list of conditions and the following disclaimer in the
16: * documentation and/or other materials provided with the distribution.
17: * 3. Neither the name of the project nor the names of its contributors
18: * may be used to endorse or promote products derived from this software
19: * without specific prior written permission.
20: *
21: * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
22: * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23: * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24: * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
25: * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26: * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27: * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28: * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29: * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30: * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31: * SUCH DAMAGE.
32: */
33:
34: #include <sys/types.h>
35: #include <sys/param.h>
36: #include <sys/socket.h>
37:
38: #include <netinet/in.h>
39: #include <net/pfkeyv2.h>
40: #include <netinet/ipsec.h>
41:
42: #include <stdio.h>
43: #include <stdlib.h>
44: #include <unistd.h>
45: #include <string.h>
46: #include <errno.h>
47: #include <err.h>
48:
49: #include "libpfkey.h"
50:
/*
 * Policy strings exercised by test1().  Each entry is handed to
 * ipsec_set_policy() and, when that succeeds, pushed through
 * setsockopt()/getsockopt() on an IPv4 and an IPv6 datagram socket;
 * `result` is the verdict test1() expects from that round trip.
 */
struct req_t {
	int result;	/* expected result; 0:ok 1:ng */
	char *str;	/* policy text in ipsec_set_policy(3) syntax */
} reqs[] = {
	{ 0, "out ipsec" },
	{ 1, "must_error" },
	{ 1, "in ipsec must_error" },
	{ 1, "out ipsec esp/must_error" },
	{ 1, "out discard" },
	{ 1, "out none" },
	{ 0, "in entrust" },
	{ 0, "out entrust" },
	{ 1, "out ipsec esp" },
	{ 0, "in ipsec ah/transport" },
	{ 1, "in ipsec ah/tunnel" },
	{ 0, "out ipsec ah/transport/" },
	{ 1, "out ipsec ah/tunnel/" },
	{ 0, "in ipsec esp / transport / 10.0.0.1-10.0.0.2" },
	{ 0, "in ipsec esp/tunnel/::1-::2" },
	{ 1, "in ipsec esp/tunnel/10.0.0.1-::2" },
	{ 0, "in ipsec esp/tunnel/::1-::2/require" },
	{ 0, "out ipsec ah/transport//use" },
	{ 1, "out ipsec ah/transport esp/use" },
	{ 1, "in ipsec ah/transport esp/tunnel" },
	{ 0, "in ipsec ah/transport esp/tunnel/::1-::1" },
	/*
	 * NOTE(review): the next two entries span several source lines.  As
	 * rendered here the literal has no line continuation, so presumably the
	 * upstream file uses "\n\" continuations to embed newlines in the policy
	 * text — confirm against the original before relying on this listing.
	 */
	{ 0, "in ipsec
ah / transport
esp / tunnel / ::1-::2" },
	{ 0, "out ipsec
ah/transport/::1-::2 esp/tunnel/::3-::4/use ah/transport/::5-::6/require
ah/transport/::1-::2 esp/tunnel/::3-::4/use ah/transport/::5-::6/require
ah/transport/::1-::2 esp/tunnel/::3-::4/use ah/transport/::5-::6/require
" },
	{ 0, "out ipsec esp/transport/fec0::10-fec0::11/use" },
};
86:
/* Forward declarations for the two test groups and their helpers. */
int test1(void);
int test1sub1(struct req_t *);
int test1sub2(char *, int);
int test2(void);
int test2sub(int);
92:
/*
 * Entry point: runs the policy-parsing tests (test1) and then the SPD
 * round-trip tests (test2, which insists on uid 0 and opens a PF_KEY
 * socket).  Command-line arguments are accepted but not used, and the
 * tests' return values are not examined: main itself always returns 0,
 * while errors inside the tests terminate the process via err(3)/errx(3).
 */
int
main(int ac, char **av)
{
	(void)ac;
	(void)av;

	test1();
	test2();

	return 0;
}
103:
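/*
 * test1: run every entry of reqs[] through test1sub1() and compare the
 * observed outcome with the expectation recorded in req_t.result.  A
 * mismatch is reported with warnx(3) and counted, but does not stop the
 * run.
 *
 * Returns the number of entries whose outcome did not match (0 when the
 * whole table behaved as expected).  Previously the loop counter was an
 * int compared against a size_t length and the function always returned 0.
 */
int
test1(void)
{
	size_t i;
	int mismatches = 0;

	printf("TEST1\n");
	for (i = 0; i < sizeof(reqs) / sizeof(reqs[0]); i++) {
		int result;

		printf("#%zu [%s]\n", i + 1, reqs[i].str);

		/* result: 0 = policy accepted end to end, 1 = rejected somewhere */
		result = test1sub1(&reqs[i]);
		if (result == 0 && reqs[i].result == 1) {
			warnx("ERROR: expecting failure.");
			mismatches++;
		} else if (result == 1 && reqs[i].result == 0) {
			warnx("ERROR: expecting success.");
			mismatches++;
		}
	}

	return mismatches;
}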
124:
/*
 * test1sub1: compile one policy string with ipsec_set_policy() and try to
 * install the result on a PF_INET and, if that worked, a PF_INET6 socket
 * (see test1sub2()).
 *
 * Returns 0 when the string parsed and both installs succeeded, 1 when
 * parsing failed (reason printed via ipsec_strerror()) or an install
 * failed.  The compiled policy buffer is released on every path.
 */
int
test1sub1(struct req_t *req)
{
	char *policy;
	int rc = 0;

	policy = ipsec_set_policy(req->str, strlen(req->str));
	if (policy == NULL) {
		printf("ipsec_set_policy: %s\n", ipsec_strerror());
		return 1;
	}

	/* PF_INET6 is only attempted once PF_INET has accepted the policy. */
	if (test1sub2(policy, PF_INET) != 0)
		rc = 1;
	else if (test1sub2(policy, PF_INET6) != 0)
		rc = 1;

	free(policy);
	return rc;
}
149:
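/*
 * test1sub2: install a compiled policy on a fresh datagram socket of the
 * given family with setsockopt(IP_IPSEC_POLICY / IPV6_IPSEC_POLICY), read
 * it back with getsockopt(), and check that the kernel's copy can be
 * rendered by ipsec_dump_policy().
 *
 * policy  buffer returned by ipsec_set_policy(); its length comes from
 *         ipsec_get_policylen().
 * family  PF_INET or PF_INET6; any other value is rejected (previously it
 *         fell through with proto/optname left at 0).
 *
 * Returns 0 on success, 1 on any failure (reason printed).  socket(2)
 * failure is fatal via err(3).  The socket is closed on every return path.
 */
int
test1sub2(char *policy, int family)
{
	int so;
	int proto, optname;
	int len;
	socklen_t getlen;	/* getsockopt(2) takes socklen_t *, not int * */
	char getbuf[1024];
	char *dump;
	int rc = 1;

	switch (family) {
	case PF_INET:
		proto = IPPROTO_IP;
		optname = IP_IPSEC_POLICY;
		break;
	case PF_INET6:
		proto = IPPROTO_IPV6;
		optname = IPV6_IPSEC_POLICY;
		break;
	default:
		printf("unsupported address family %d\n", family);
		return 1;
	}

	len = ipsec_get_policylen(policy);
	/*
	 * The policy header is copied into getbuf before the getsockopt()
	 * (presumably so the kernel knows which direction to report) and the
	 * kernel's reply is written into the same fixed buffer, so the length
	 * must cover at least the header and never exceed the buffer.
	 */
	if (len < (int)sizeof(struct sadb_x_policy) ||
	    (size_t)len > sizeof(getbuf)) {
		printf("policy length %d out of range\n", len);
		return 1;
	}

	if ((so = socket(family, SOCK_DGRAM, 0)) < 0)
		err(1, "socket");

	if (setsockopt(so, proto, optname, policy, (socklen_t)len) < 0) {
		printf("fail to set sockopt; %s\n", strerror(errno));
		goto out;
	}

	memset(getbuf, 0, sizeof(getbuf));
	memcpy(getbuf, policy, sizeof(struct sadb_x_policy));
	getlen = (socklen_t)len;
	if (getsockopt(so, proto, optname, getbuf, &getlen) < 0) {
		printf("fail to get sockopt; %s\n", strerror(errno));
		goto out;
	}

	/* The kernel's copy must parse back into text. */
	if ((dump = ipsec_dump_policy(getbuf, NULL)) == NULL) {
		printf("%s\n", ipsec_strerror());
		goto out;
	}
	free(dump);
	rc = 0;

out:
	close(so);
	return rc;
}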
214:
/*
 * Raw socket address used as both endpoints (prefix length 128) of every
 * SPD entry test2() installs.  The byte layout appears to be a BSD
 * struct sockaddr_in6: sin6_len, sin6_family, sin6_port, sin6_flowinfo,
 * the 16-byte address ::1, then sin6_scope_id.
 * NOTE(review): the family byte is 28, which presumably is AF_INET6 on the
 * BSD targets this test was written for; the blob is not portable to
 * platforms with a different sockaddr layout or AF_INET6 value — confirm
 * before reusing elsewhere.
 */
char addr[] = {
	28, 28, 0, 0,		/* sin6_len, sin6_family, sin6_port */
	0, 0, 0, 0,		/* sin6_flowinfo */
	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1,	/* sin6_addr = ::1 */
	0, 0, 0, 0,		/* sin6_scope_id */
};
221:
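/*
 * discard_reply: read one PF_KEY reply from `so` and drop it.  test2()
 * only needs to keep the reply stream in step with its requests; a missing
 * reply is reported with warnx(3) but is not fatal (it was silently
 * ignored before).
 */
static void
discard_reply(int so)
{
	struct sadb_msg *m;

	m = pfkey_recv(so);
	if (m == NULL)
		warnx("pfkey_recv: no reply (%s)", ipsec_strerror());
	free(m);
}

/*
 * test2: exercise the SPD management messages over a PF_KEY socket:
 * spdflush, spdsetidx, spdupdate, spddelete, spdadd, spdget, spddelete2,
 * spdadd2 with a 10 s lifetime, and finally an spdupdate that is expected
 * to fail.  Each step sends one request and consumes one reply.
 *
 * Requires uid 0 (checked via getuid()); a policy that fails to compile,
 * a PF_KEY socket that cannot be opened, or a request that cannot be sent
 * is fatal via errx(3).  Returns 0.  Both compiled policies and the PF_KEY
 * socket are released before returning (they previously leaked).
 */
int
test2(void)
{
	int so;
	char *pol1 = "out ipsec";
	char *pol2 = "out ipsec ah/transport//use";
	char *sp1, *sp2;
	int splen1, splen2;
	int spid;

	printf("TEST2\n");
	if (getuid() != 0)
		errx(1, "root privilege required.");

	/* Previously unchecked: a NULL went straight into ipsec_get_policylen(). */
	if ((sp1 = ipsec_set_policy(pol1, strlen(pol1))) == NULL)
		errx(1, "ipsec_set_policy(%s): %s", pol1, ipsec_strerror());
	splen1 = ipsec_get_policylen(sp1);
	if ((sp2 = ipsec_set_policy(pol2, strlen(pol2))) == NULL)
		errx(1, "ipsec_set_policy(%s): %s", pol2, ipsec_strerror());
	splen2 = ipsec_get_policylen(sp2);

	if ((so = pfkey_open()) < 0)
		errx(1, "ERROR: %s", ipsec_strerror());

	printf("spdflush()\n");
	if (pfkey_send_spdflush(so) < 0)
		errx(1, "ERROR: %s", ipsec_strerror());
	discard_reply(so);

	printf("spdsetidx()\n");
	if (pfkey_send_spdsetidx(so, (struct sockaddr *)addr, 128,
			(struct sockaddr *)addr, 128,
			255, sp1, splen1, 0) < 0)
		errx(1, "ERROR: %s", ipsec_strerror());
	discard_reply(so);

	printf("spdupdate()\n");
	if (pfkey_send_spdupdate(so, (struct sockaddr *)addr, 128,
			(struct sockaddr *)addr, 128,
			255, sp2, splen2, 0) < 0)
		errx(1, "ERROR: %s", ipsec_strerror());
	discard_reply(so);

	printf("sleep(4)\n");
	sleep(4);

	printf("spddelete()\n");
	if (pfkey_send_spddelete(so, (struct sockaddr *)addr, 128,
			(struct sockaddr *)addr, 128,
			255, sp1, splen1, 0) < 0)
		errx(1, "ERROR: %s", ipsec_strerror());
	discard_reply(so);

	printf("spdadd()\n");
	if (pfkey_send_spdadd(so, (struct sockaddr *)addr, 128,
			(struct sockaddr *)addr, 128,
			255, sp2, splen2, 0) < 0)
		errx(1, "ERROR: %s", ipsec_strerror());
	/* The reply to spdadd carries the kernel-assigned policy id. */
	spid = test2sub(so);

	/* spid is an int; "%u" was a format/argument mismatch. */
	printf("spdget(%d)\n", spid);
	if (pfkey_send_spdget(so, spid) < 0)
		errx(1, "ERROR: %s", ipsec_strerror());
	discard_reply(so);

	printf("sleep(4)\n");
	sleep(4);

	printf("spddelete2()\n");
	if (pfkey_send_spddelete2(so, spid) < 0)
		errx(1, "ERROR: %s", ipsec_strerror());
	discard_reply(so);

	printf("spdadd() with lifetime's 10(s)\n");
	if (pfkey_send_spdadd2(so, (struct sockaddr *)addr, 128,
			(struct sockaddr *)addr, 128,
			255, 0, 10, sp2, splen2, 0) < 0)
		errx(1, "ERROR: %s", ipsec_strerror());
	spid = test2sub(so);

	/*
	 * expecting failure
	 * NOTE(review): as in the original, only the send result is examined;
	 * the kernel's verdict on the request arrives in the reply, which is
	 * not read here — confirm this is the intended check.
	 */
	printf("spdupdate()\n");
	if (pfkey_send_spdupdate(so, (struct sockaddr *)addr, 128,
			(struct sockaddr *)addr, 128,
			255, sp2, splen2, 0) == 0) {
		warnx("ERROR: expecting failure.");
	}

	pfkey_close(so);
	free(sp2);
	free(sp1);
	return 0;
}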
317:
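/*
 * test2sub: receive the reply to an spdadd/spdadd2 request and return the
 * policy id the kernel assigned to the new SPD entry.
 *
 * A missing reply, a reply that pfkey_align() rejects, or a reply without
 * an SADB_X_EXT_POLICY extension is fatal via errx(3) — the last case used
 * to dereference a NULL slot of mhp[].  The message is freed before
 * returning (it previously leaked).
 */
int
test2sub(int so)
{
	struct sadb_msg *msg;
	caddr_t mhp[SADB_EXT_MAX + 1];
	struct sadb_x_policy *xpl;
	int spid;

	if ((msg = pfkey_recv(so)) == NULL)
		errx(1, "ERROR: pfkey_recv failure.");
	if (pfkey_align(msg, mhp) < 0)
		errx(1, "ERROR: pfkey_align failure.");

	xpl = (struct sadb_x_policy *)mhp[SADB_X_EXT_POLICY];
	if (xpl == NULL)
		errx(1, "ERROR: reply carries no policy extension (errno %d).",
		    msg->sadb_msg_errno);

	/* mhp[] points into msg, so copy the id out before releasing it. */
	spid = xpl->sadb_x_policy_id;
	free(msg);
	return spid;
}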
332: