Add IPSec tests in tunnel mode

Some IPSec in tunnel mode allowing to test multiple IPSec
configurations.  These tests are reusing the jail/vnet scripts from pf
tests for generating complex network.

Submitted by:	olivier@
Differential Revision:	https://reviews.freebsd.org/D13017

etc/mtree/BSD.tests.dist

@@ -478,6 +478,10 @@
         ..
         netinet
         ..
+        netipsec
+            tunnel
+            ..
+        ..
         netpfil
             pf
             ..

tests/sys/Makefile

@@ -13,6 +13,7 @@ TESTS_SUBDIRS+=		kqueue
 TESTS_SUBDIRS+=		mac
 TESTS_SUBDIRS+=		mqueue
 TESTS_SUBDIRS+=		netinet
+TESTS_SUBDIRS+=		netipsec
 TESTS_SUBDIRS+=		netpfil
 TESTS_SUBDIRS+=		opencrypto
 TESTS_SUBDIRS+=		posixshm

tests/sys/netipsec/Makefile

@@ -0,0 +1,7 @@
+# $FreeBSD$
+
+TESTSDIR=		${TESTSBASE}/sys/netipsec
+
+TESTS_SUBDIRS+=		tunnel
+
+.include <bsd.test.mk>

tests/sys/netipsec/tunnel/Makefile

@@ -0,0 +1,19 @@
+# $FreeBSD$
+
+PACKAGE=	tests
+
+TESTSDIR=       ${TESTSBASE}/sys/netipsec/tunnel
+
+ATF_TESTS_SH+=	empty \
+		aes_cbc_128_hmac_sha1 \
+		aes_cbc_256_hmac_sha2_256 \
+		aes_gcm_128 \
+		aes_gcm_256 \
+		aesni_aes_cbc_128_hmac_sha1 \
+		aesni_aes_cbc_256_hmac_sha2_256 \
+		aesni_aes_gcm_128 \
+		aesni_aes_gcm_256
+
+${PACKAGE}FILES+=	utils.subr
+
+.include <bsd.test.mk>

tests/sys/netipsec/tunnel/aes_cbc_128_hmac_sha1.sh

@@ -0,0 +1,47 @@
+# $FreeBSD$
+
+. $(atf_get_srcdir)/utils.subr
+
+atf_test_case "v4" "cleanup"
+v4_head()
+{
+	atf_set descr 'IPSec inet4 tunnel using aes-cbc-128-hmac-sha1'
+	atf_set require.user root
+	# Unload AESNI module if loaded
+	kldstat -q -n aesni && kldunload aesni
+}
+
+v4_body()
+{
+	ist_test 4 rijndael-cbc "1234567890123456" hmac-sha1 "12345678901234567890"
+}
+
+v4_cleanup()
+{
+	ist_cleanup
+}
+
+atf_test_case "v6" "cleanup"
+v6_head()
+{
+	atf_set descr 'IPSec inet6 tunnel using aes-cbc-128-hmac-sha1'
+	atf_set require.user root
+	# Unload AESNI module if loaded
+	kldstat -q -n aesni && kldunload aesni
+}
+
+v6_body()
+{
+	ist_test 6 rijndael-cbc "1234567890123456" hmac-sha1 "12345678901234567890"
+}
+
+v6_cleanup()
+{
+	ist_cleanup
+}
+
+atf_init_test_cases()
+{
+	atf_add_test_case "v4"
+	atf_add_test_case "v6"
+}

tests/sys/netipsec/tunnel/aes_cbc_256_hmac_sha2_256.sh

@@ -0,0 +1,47 @@
+# $FreeBSD$
+
+. $(atf_get_srcdir)/utils.subr
+
+atf_test_case "v4" "cleanup"
+v4_head()
+{
+	atf_set descr 'IPSec inet4 tunnel using aes-cbc-256-hmac-sha2-256'
+	atf_set require.user root
+	# load AESNI module if not already
+	kldstat -q -n aesni || kldload aesni
+}
+
+v4_body()
+{
+	ist_test 4 rijndael-cbc "12345678901234567890123456789012" hmac-sha2-256 "12345678901234567890123456789012"
+}
+
+v4_cleanup()
+{
+	ist_cleanup
+}
+
+atf_test_case "v6" "cleanup"
+v6_head()
+{
+	atf_set descr 'IPSec inet6 tunnel using aes-cbc-256-hmac-sha2-256'
+	atf_set require.user root
+	# load AESNI module if not already
+	kldstat -q -n aesni || kldload aesni
+}
+
+v6_body()
+{
+	ist_test 6 rijndael-cbc "12345678901234567890123456789012" hmac-sha2-256 "12345678901234567890123456789012"
+}
+
+v6_cleanup()
+{
+	ist_cleanup
+}
+
+atf_init_test_cases()
+{
+	atf_add_test_case "v4"
+	atf_add_test_case "v6"
+}

tests/sys/netipsec/tunnel/aes_gcm_128.sh

@@ -0,0 +1,47 @@
+# $FreeBSD$
+
+. $(atf_get_srcdir)/utils.subr
+
+atf_test_case "v4" "cleanup"
+v4_head()
+{
+	atf_set descr 'IPSec inet4 tunnel using aes-gcm-128'
+	atf_set require.user root
+	# Unload AESNI module if loaded
+	kldstat -q -n aesni && kldunload aesni
+}
+
+v4_body()
+{
+	ist_test 4 aes-gcm-16 "12345678901234567890"
+}
+
+v4_cleanup()
+{
+	ist_cleanup
+}
+
+atf_test_case "v6" "cleanup"
+v6_head()
+{
+	atf_set descr 'IPSec inet6 tunnel using aes-gcm-128'
+	atf_set require.user root
+	# Unload AESNI module if loaded
+	kldstat -q -n aesni && kldunload aesni
+}
+
+v6_body()
+{
+	ist_test 6 aes-gcm-16 "12345678901234567890"
+}
+
+v6_cleanup()
+{
+	ist_cleanup
+}
+
+atf_init_test_cases()
+{
+	atf_add_test_case "v4"
+	atf_add_test_case "v6"
+}

tests/sys/netipsec/tunnel/aes_gcm_256.sh

@@ -0,0 +1,47 @@
+# $FreeBSD$
+
+. $(atf_get_srcdir)/utils.subr
+
+atf_test_case "v4" "cleanup"
+v4_head()
+{
+	atf_set descr 'IPSec inet4 tunnel using aes-gcm-256'
+	atf_set require.user root
+	# Unload AESNI module if loaded
+	kldstat -q -n aesni && kldunload aesni
+}
+
+v4_body()
+{
+	ist_test 4 aes-gcm-16 "123456789012345678901234567890123456"
+}
+
+v4_cleanup()
+{
+	ist_cleanup
+}
+
+atf_test_case "v6" "cleanup"
+v6_head()
+{
+	atf_set descr 'IPSec inet6 tunnel using aes-gcm-256'
+	atf_set require.user root
+	# Unload AESNI module if loaded
+	kldstat -q -n aesni && kldunload aesni
+}
+
+v6_body()
+{
+	ist_test 6 aes-gcm-16 "123456789012345678901234567890123456"
+}
+
+v6_cleanup()
+{
+	ist_cleanup
+}
+
+atf_init_test_cases()
+{
+	atf_add_test_case "v4"
+	atf_add_test_case "v6"
+}

tests/sys/netipsec/tunnel/aesni_aes_cbc_128_hmac_sha1.sh

@@ -0,0 +1,47 @@
+# $FreeBSD$
+
+. $(atf_get_srcdir)/utils.subr
+
+atf_test_case "v4" "cleanup"
+v4_head()
+{
+	atf_set descr 'IPSec inet4 tunnel using aes-cbc-128-hmac-sha1 and AESNI'
+	atf_set require.user root
+	# load AESNI module if not already
+	kldstat -q -n aesni || kldload aesni
+}
+
+v4_body()
+{
+	ist_test 4 rijndael-cbc "1234567890123456" hmac-sha1 "12345678901234567890"
+}
+
+v4_cleanup()
+{
+	ist_cleanup
+}
+
+atf_test_case "v6" "cleanup"
+v6_head()
+{
+	atf_set descr 'IPSec inet6 tunnel using aes-cbc-128-hmac-sha1 and AESNI'
+	atf_set require.user root
+	# load AESNI module if not already
+	kldstat -q -n aesni || kldload aesni
+}
+
+v6_body()
+{
+	ist_test 6 rijndael-cbc "1234567890123456" hmac-sha1 "12345678901234567890"
+}
+
+v6_cleanup()
+{
+	ist_cleanup
+}
+
+atf_init_test_cases()
+{
+	atf_add_test_case "v4"
+	atf_add_test_case "v6"
+}

tests/sys/netipsec/tunnel/aesni_aes_cbc_256_hmac_sha2_256.sh

@@ -0,0 +1,47 @@
+# $FreeBSD$
+
+. $(atf_get_srcdir)/utils.subr
+
+atf_test_case "v4" "cleanup"
+v4_head()
+{
+	atf_set descr 'IPSec inet4 tunnel using aes-cbc-256-hmac-sha2-256 and AESNI'
+	atf_set require.user root
+	# Unload AESNI module if loaded
+	kldstat -q -n aesni && kldunload aesni
+}
+
+v4_body()
+{
+	ist_test 4 rijndael-cbc "12345678901234567890123456789012" hmac-sha2-256 "12345678901234567890123456789012"
+}
+
+v4_cleanup()
+{
+	ist_cleanup
+}
+
+atf_test_case "v6" "cleanup"
+v6_head()
+{
+	atf_set descr 'IPSec inet6 tunnel using aes-cbc-256-hmac-sha2-256 and AESNI'
+	atf_set require.user root
+	# Unload AESNI module if loaded
+	kldstat -q -n aesni && kldunload aesni
+}
+
+v6_body()
+{
+	ist_test 6 rijndael-cbc "12345678901234567890123456789012" hmac-sha2-256 "12345678901234567890123456789012"
+}
+
+v6_cleanup()
+{
+	ist_cleanup
+}
+
+atf_init_test_cases()
+{
+	atf_add_test_case "v4"
+	atf_add_test_case "v6"
+}

tests/sys/netipsec/tunnel/aesni_aes_gcm_128.sh

@@ -0,0 +1,48 @@
+# $FreeBSD$
+
+. $(atf_get_srcdir)/utils.subr
+
+atf_test_case "v4" "cleanup"
+v4_head()
+{
+	atf_set descr 'IPSec inet4 tunnel using aes-gcm-128 and AESNI'
+	atf_set require.user root
+	# load AESNI module if not already
+	kldstat -q -n aesni || kldload aesni
+}
+
+v4_body()
+{
+	ist_test 4 aes-gcm-16 "12345678901234567890"
+}
+
+v4_cleanup()
+{
+	ist_cleanup
+}
+
+atf_test_case "v6" "cleanup"
+v6_head()
+{
+	atf_set descr 'IPSec inet6 tunnel using aes-gcm-128 and AESNI'
+	atf_set require.user root
+	# load AESNI module if not already
+	kldstat -q -n aesni || kldload aesni
+}
+
+v6_body()
+{
+	atf_expect_fail "PR 201447"
+	ist_test 6 aes-gcm-16 "12345678901234567890"
+}
+
+v6_cleanup()
+{
+	ist_cleanup
+}
+
+atf_init_test_cases()
+{
+	atf_add_test_case "v4"
+	atf_add_test_case "v6"
+}

tests/sys/netipsec/tunnel/aesni_aes_gcm_256.sh

@@ -0,0 +1,48 @@
+# $FreeBSD$
+
+. $(atf_get_srcdir)/utils.subr
+
+atf_test_case "v4" "cleanup"
+v4_head()
+{
+	atf_set descr 'IPSec inet4 tunnel using aes-gcm-256 and AESNI'
+	atf_set require.user root
+	# load AESNI module if not already
+	kldstat -q -n aesni || kldload aesni
+}
+
+v4_body()
+{
+	ist_test 4 aes-gcm-16 "123456789012345678901234567890123456"
+}
+
+v4_cleanup()
+{
+	ist_cleanup
+}
+
+atf_test_case "v6" "cleanup"
+v6_head()
+{
+	atf_set descr 'IPSec inet6 tunnel using aes-gcm-256 and AESNI'
+	atf_set require.user root
+	# load AESNI module if not already
+	kldstat -q -n aesni || kldload aesni
+}
+
+v6_body()
+{
+	atf_expect_fail "PR 201447"
+	ist_test 6 aes-gcm-16 "123456789012345678901234567890123456"
+}
+
+v6_cleanup()
+{
+	ist_cleanup
+}
+
+atf_init_test_cases()
+{
+	atf_add_test_case "v4"
+	atf_add_test_case "v6"
+}

tests/sys/netipsec/tunnel/empty.sh

@@ -0,0 +1,44 @@
+# $FreeBSD$
+
+. $(atf_get_srcdir)/utils.subr
+
+atf_test_case "v4" "cleanup"
+v4_head()
+{
+	atf_set descr 'IPSec inet4 tunnel using NULL encryption'
+	atf_set require.user root
+}
+
+v4_body()
+{
+	# Can't use filename "null" for this script: PR 223564
+	ist_test 4 null ""
+}
+
+v4_cleanup()
+{
+	ist_cleanup
+}
+
+atf_test_case "v6" "cleanup"
+v6_head()
+{
+	atf_set descr 'IPSec inet6 tunnel using NULL encryption'
+	atf_set require.user root
+}
+
+v6_body()
+{
+	ist_test 6 null ""
+}
+
+v6_cleanup()
+{
+	ist_cleanup
+}
+
+atf_init_test_cases()
+{
+	atf_add_test_case "v4"
+	atf_add_test_case "v6"
+}

tests/sys/netipsec/tunnel/utils.subr

@@ -0,0 +1,166 @@
+# $FreeBSD$
+# Utility functions (mainly from pf tests, should be merged one day)
+##
+
+: ${TMPDIR=/tmp}
+
+ist_init()
+{
+	if [ "$(sysctl -i -n kern.features.vimage)" != 1 ]; then
+		atf_skip "This test requires VIMAGE"
+	fi
+}
+
+pft_mkepair()
+{
+	ifname=$(ifconfig epair create)
+	echo $ifname >> created_interfaces.lst
+	echo ${ifname%a}
+}
+
+pft_mkjail()
+{
+	jailname=$1
+	shift
+
+	vnet_interfaces=
+	for ifname in $@
+	do
+		vnet_interfaces="${vnet_interfaces} vnet.interface=${ifname}"
+	done
+	jail -c name=${jailname} persist vnet ${vnet_interfaces}
+
+	echo $jailname >> created_jails.lst
+}
+
+ist_labsetup ()
+{
+	epair_LAN_A=$(pft_mkepair)
+	ifconfig ${epair_LAN_A}a up
+	epair_PUB_A=$(pft_mkepair)
+	ifconfig ${epair_PUB_A}a up
+	epair_LAN_B=$(pft_mkepair)
+	ifconfig ${epair_LAN_B}a up
+	epair_PUB_B=$(pft_mkepair)
+	ifconfig ${epair_PUB_B}a up
+
+	pft_mkjail hostA ${epair_LAN_A}a
+	pft_mkjail ipsecA ${epair_LAN_A}b ${epair_PUB_A}a
+	pft_mkjail router ${epair_PUB_A}b ${epair_PUB_B}b
+	pft_mkjail ipsecB ${epair_LAN_B}b ${epair_PUB_B}a
+	pft_mkjail hostB ${epair_LAN_B}a
+}
+
+ist_v4_setup ()
+{
+	jexec hostA ifconfig ${epair_LAN_A}a 192.0.2.1/30 up
+	jexec ipsecA ifconfig ${epair_LAN_A}b 192.0.2.2/30 up
+	jexec ipsecA ifconfig ${epair_PUB_A}a 198.51.100.2/30 up
+	jexec router ifconfig ${epair_PUB_A}b 198.51.100.1/30 up
+	jexec router ifconfig ${epair_PUB_B}b 198.51.100.6/30 up
+	jexec ipsecB ifconfig ${epair_PUB_B}a 198.51.100.7/30 up
+	jexec ipsecB ifconfig ${epair_LAN_B}b 203.0.113.2/30 up
+	jexec hostB ifconfig ${epair_LAN_B}a 203.0.113.1/30 up
+	jexec ipsecA sysctl net.inet.ip.forwarding=1
+	jexec router sysctl net.inet.ip.forwarding=1
+	jexec ipsecB sysctl net.inet.ip.forwarding=1
+	jexec hostA route add default 192.0.2.2
+	jexec ipsecA route add default 198.51.100.1
+	jexec ipsecB route add default 198.51.100.6
+	jexec hostB route add default 203.0.113.2
+}
+
+ist_v6_setup ()
+{
+	jexec hostA ifconfig ${epair_LAN_A}a inet6 2001:db8:1::1/64 up no_dad
+	jexec ipsecA ifconfig ${epair_LAN_A}b inet6 2001:db8:1::2/64 up no_dad
+	jexec ipsecA ifconfig ${epair_PUB_A}a inet6 2001:db8:23::2/64 up no_dad
+	jexec router ifconfig ${epair_PUB_A}b inet6 2001:db8:23::3/64 up no_dad
+	jexec router ifconfig ${epair_PUB_B}b inet6 2001:db8:34::3/64 up no_dad
+	jexec ipsecB ifconfig ${epair_PUB_B}a inet6 2001:db8:34::2/64 up no_dad
+	jexec ipsecB ifconfig ${epair_LAN_B}b inet6 2001:db8:45::2/64 up no_dad
+	jexec hostB ifconfig ${epair_LAN_B}a inet6 2001:db8:45::1/64 up no_dad
+	jexec ipsecA sysctl net.inet6.ip6.forwarding=1
+	jexec router sysctl net.inet6.ip6.forwarding=1
+	jexec ipsecB sysctl net.inet6.ip6.forwarding=1
+	jexec hostA route -6 add default 2001:db8:1::2
+	jexec ipsecA route -6 add default 2001:db8:23::3
+	jexec ipsecB route -6 add default 2001:db8:34::3
+	jexec hostB route -6 add default 2001:db8:45::2
+}
+
+ist_setkey()
+{
+	jname=$1
+	dir=$2
+	afnet=$3
+	enc_algo=$4
+	enc_key=$5
+	auth_algo=$6
+	auth_key=$7
+
+	# Load
+	(
+		printf "#arguments debug: ${jname} ${afnet} ${dir} ${enc_algo} "
+		printf "${enc_key} ${auth_algo} ${auth_key}\n"
+		printf "flush;\n"
+		printf "spdflush;\n"
+		if [ ${afnet} -eq 4 ]; then
+			SRC_LAN="192.0.2.0/24"
+			DST_LAN="203.0.113.0/24"
+			SRC_GW="198.51.100.2"
+			DST_GW="198.51.100.7"
+		else
+			SRC_LAN="2001:db8:1::/64"
+			DST_LAN="2001:db8:45::/64"
+			SRC_GW="2001:db8:23::2"
+			DST_GW="2001:db8:34::2"
+		fi
+		printf "spdadd ${SRC_LAN} ${DST_LAN} any -P "
+		[ ${dir} = "out" ] && printf "out" || printf "in"
+		printf " ipsec esp/tunnel/${SRC_GW}-${DST_GW}/require;\n"
+		printf "spdadd ${DST_LAN} ${SRC_LAN} any -P "
+		[ ${dir} = "out" ] && printf "in" || printf "out"
+		printf " ipsec esp/tunnel/${DST_GW}-${SRC_GW}/require;\n"
+		printf "add ${SRC_GW} ${DST_GW} esp 0x1000 -E ${enc_algo} \"${enc_key}\""
+		[ -n "${auth_algo}" ] && printf " -A ${auth_algo} \"${auth_key}\";\n" || printf ";\n"
+		printf "add ${DST_GW} ${SRC_GW} esp 0x1001 -E ${enc_algo} \"${enc_key}\""
+		[ -n "$auth_algo" ] && printf " -A ${auth_algo} \"${auth_key}\";\n" || printf ";\n"
+	) > ${TMPDIR}/ipsec.${jname}.conf
+}
+
+ist_test()
+{
+	ist_init
+	ist_labsetup
+	[ $1 -eq 4 ] && ist_v4_setup || ist_v6_setup
+	ist_setkey ipsecA out $@
+	atf_check -s exit:0 -o ignore jexec ipsecA setkey -f ${TMPDIR}/ipsec.ipsecA.conf
+	ist_setkey ipsecB in $@
+	atf_check -s exit:0 -o ignore jexec ipsecB setkey -f ${TMPDIR}/ipsec.ipsecB.conf
+	# Check ipsec tunnel
+	if [ $1 -eq 4 ]; then
+		atf_check -s exit:0 -o ignore jexec hostA ping -c 1 203.0.113.1
+	else
+		atf_check -s exit:0 -o ignore jexec hostA ping6 -c 1 2001:db8:45::1
+	fi
+}
+ist_cleanup()
+{
+	if [ -f created_jails.lst ]; then
+		for jailname in $(cat created_jails.lst)
+		do
+			jail -r ${jailname}
+			rm -f ${TMPDIR}/ipsec.${jailname}.conf
+		done
+		rm created_jails.lst
+	fi
+
+	if [ -f created_interfaces.lst ]; then
+		for ifname in $(cat created_interfaces.lst)
+		do
+			ifconfig ${ifname} destroy
+		done
+		rm created_interfaces.lst
+	fi
+}