1/*	$KAME: test-policy.c,v 1.16 2003/08/26 03:24:08 itojun Exp $	*/
2
3/*
4 * Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
5 * All rights reserved.
6 *
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that the following conditions
9 * are met:
10 * 1. Redistributions of source code must retain the above copyright
11 *    notice, this list of conditions and the following disclaimer.
12 * 2. Redistributions in binary form must reproduce the above copyright
13 *    notice, this list of conditions and the following disclaimer in the
14 *    documentation and/or other materials provided with the distribution.
15 * 3. Neither the name of the project nor the names of its contributors
16 *    may be used to endorse or promote products derived from this software
17 *    without specific prior written permission.
18 *
19 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
20 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
21 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
22 * ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
23 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
24 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
25 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
26 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
27 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
28 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
29 * SUCH DAMAGE.
30 */
31
32#include <sys/cdefs.h>
33__FBSDID("$FreeBSD$");
34
35#include <sys/types.h>
36#include <sys/param.h>
37#include <sys/socket.h>
38
39#include <netinet/in.h>
40#include <net/pfkeyv2.h>
41#include <netipsec/key_debug.h>
42#include <netipsec/ipsec.h>
43
44#include <stdio.h>
45#include <stdlib.h>
46#include <unistd.h>
47#include <string.h>
48#include <errno.h>
49#include <err.h>
50
51#include "libpfkey.h"
52
53struct req_t {
54	int result;	/* expected result; 0:ok 1:ng */
55	char *str;
56} reqs[] = {
57{ 0, "out ipsec" },
58{ 1, "must_error" },
59{ 1, "in ipsec must_error" },
60{ 1, "out ipsec esp/must_error" },
61{ 1, "out discard" },
62{ 1, "out none" },
63{ 0, "in entrust" },
64{ 0, "out entrust" },
65{ 1, "out ipsec esp" },
66{ 0, "in ipsec ah/transport" },
67{ 1, "in ipsec ah/tunnel" },
68{ 0, "out ipsec ah/transport/" },
69{ 1, "out ipsec ah/tunnel/" },
70{ 0, "in ipsec esp / transport / 10.0.0.1-10.0.0.2" },
71{ 0, "in ipsec esp/tunnel/::1-::2" },
72{ 1, "in ipsec esp/tunnel/10.0.0.1-::2" },
73{ 0, "in ipsec esp/tunnel/::1-::2/require" },
74{ 0, "out ipsec ah/transport//use" },
75{ 1, "out ipsec ah/transport esp/use" },
76{ 1, "in ipsec ah/transport esp/tunnel" },
77{ 0, "in ipsec ah/transport esp/tunnel/::1-::1" },
78{ 0, "in ipsec
79	ah / transport
80	esp / tunnel / ::1-::2" },
81{ 0, "out ipsec
82	ah/transport/::1-::2 esp/tunnel/::3-::4/use ah/transport/::5-::6/require
83	ah/transport/::1-::2 esp/tunnel/::3-::4/use ah/transport/::5-::6/require
84	ah/transport/::1-::2 esp/tunnel/::3-::4/use ah/transport/::5-::6/require
85	" },
86{ 0, "out ipsec esp/transport/fec0::10-fec0::11/use" },
87};
88
89int test1(void);
90int test1sub1(struct req_t *);
91int test1sub2(char *, int);
92int test2(void);
93int test2sub(int);
94
95int
96main(ac, av)
97	int ac;
98	char **av;
99{
100	test1();
101	test2();
102
103	exit(0);
104}
105
106int
107test1()
108{
109	int i;
110	int result;
111
112	printf("TEST1\n");
113	for (i = 0; i < sizeof(reqs)/sizeof(reqs[0]); i++) {
114		printf("#%d [%s]\n", i + 1, reqs[i].str);
115
116		result = test1sub1(&reqs[i]);
117		if (result == 0 && reqs[i].result == 1) {
118			warnx("ERROR: expecting failure.");
119		} else if (result == 1 && reqs[i].result == 0) {
120			warnx("ERROR: expecting success.");
121		}
122	}
123
124	return 0;
125}
126
127int
128test1sub1(req)
129	struct req_t *req;
130{
131	char *buf;
132
133	buf = ipsec_set_policy(req->str, strlen(req->str));
134	if (buf == NULL) {
135		printf("ipsec_set_policy: %s\n", ipsec_strerror());
136		return 1;
137	}
138
139	if (test1sub2(buf, PF_INET) != 0
140	 || test1sub2(buf, PF_INET6) != 0) {
141		free(buf);
142		return 1;
143	}
144#if 0
145	kdebug_sadb_x_policy((struct sadb_ext *)buf);
146#endif
147
148	free(buf);
149	return 0;
150}
151
152int
153test1sub2(policy, family)
154	char *policy;
155	int family;
156{
157	int so;
158	int proto = 0, optname = 0;
159	int len;
160	char getbuf[1024];
161
162	switch (family) {
163	case PF_INET:
164		proto = IPPROTO_IP;
165		optname = IP_IPSEC_POLICY;
166		break;
167	case PF_INET6:
168		proto = IPPROTO_IPV6;
169		optname = IPV6_IPSEC_POLICY;
170		break;
171	}
172
173	if ((so = socket(family, SOCK_DGRAM, 0)) < 0)
174		err(1, "socket");
175
176	len = ipsec_get_policylen(policy);
177#if 0
178	printf("\tsetlen:%d\n", len);
179#endif
180
181	if (setsockopt(so, proto, optname, policy, len) < 0) {
182		printf("fail to set sockopt; %s\n", strerror(errno));
183		close(so);
184		return 1;
185	}
186
187	memset(getbuf, 0, sizeof(getbuf));
188	memcpy(getbuf, policy, sizeof(struct sadb_x_policy));
189	if (getsockopt(so, proto, optname, getbuf, &len) < 0) {
190		printf("fail to get sockopt; %s\n", strerror(errno));
191		close(so);
192		return 1;
193	}
194
195    {
196	char *buf = NULL;
197
198#if 0
199	printf("\tgetlen:%d\n", len);
200#endif
201
202	if ((buf = ipsec_dump_policy(getbuf, NULL)) == NULL) {
203		printf("%s\n", ipsec_strerror());
204		close(so);
205		return 1;
206	}
207#if 0
208	printf("\t[%s]\n", buf);
209#endif
210	free(buf);
211    }
212
213	close (so);
214	return 0;
215}
216
217char addr[] = {
218	28, 28, 0, 0,
219	0, 0, 0, 0,
220	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1,
221	0, 0, 0, 0,
222};
223
224int
225test2()
226{
227	int so;
228	char *pol1 = "out ipsec";
229	char *pol2 = "out ipsec ah/transport//use";
230	char *sp1, *sp2;
231	int splen1, splen2;
232	int spid;
233	struct sadb_msg *m;
234
235	printf("TEST2\n");
236	if (getuid() != 0)
237		errx(1, "root privilege required.");
238
239	sp1 = ipsec_set_policy(pol1, strlen(pol1));
240	splen1 = ipsec_get_policylen(sp1);
241	sp2 = ipsec_set_policy(pol2, strlen(pol2));
242	splen2 = ipsec_get_policylen(sp2);
243
244	if ((so = pfkey_open()) < 0)
245		errx(1, "ERROR: %s", ipsec_strerror());
246
247	printf("spdflush()\n");
248	if (pfkey_send_spdflush(so) < 0)
249		errx(1, "ERROR: %s", ipsec_strerror());
250	m = pfkey_recv(so);
251	free(m);
252
253	printf("spdsetidx()\n");
254	if (pfkey_send_spdsetidx(so, (struct sockaddr *)addr, 128,
255				(struct sockaddr *)addr, 128,
256				255, sp1, splen1, 0) < 0)
257		errx(1, "ERROR: %s", ipsec_strerror());
258	m = pfkey_recv(so);
259	free(m);
260
261	printf("spdupdate()\n");
262	if (pfkey_send_spdupdate(so, (struct sockaddr *)addr, 128,
263				(struct sockaddr *)addr, 128,
264				255, sp2, splen2, 0) < 0)
265		errx(1, "ERROR: %s", ipsec_strerror());
266	m = pfkey_recv(so);
267	free(m);
268
269	printf("sleep(4)\n");
270	sleep(4);
271
272	printf("spddelete()\n");
273	if (pfkey_send_spddelete(so, (struct sockaddr *)addr, 128,
274				(struct sockaddr *)addr, 128,
275				255, sp1, splen1, 0) < 0)
276		errx(1, "ERROR: %s", ipsec_strerror());
277	m = pfkey_recv(so);
278	free(m);
279
280	printf("spdadd()\n");
281	if (pfkey_send_spdadd(so, (struct sockaddr *)addr, 128,
282				(struct sockaddr *)addr, 128,
283				255, sp2, splen2, 0) < 0)
284		errx(1, "ERROR: %s", ipsec_strerror());
285	spid = test2sub(so);
286
287	printf("spdget(%u)\n", spid);
288	if (pfkey_send_spdget(so, spid) < 0)
289		errx(1, "ERROR: %s", ipsec_strerror());
290	m = pfkey_recv(so);
291	free(m);
292
293	printf("sleep(4)\n");
294	sleep(4);
295
296	printf("spddelete2()\n");
297	if (pfkey_send_spddelete2(so, spid) < 0)
298		errx(1, "ERROR: %s", ipsec_strerror());
299	m = pfkey_recv(so);
300	free(m);
301
302	printf("spdadd() with lifetime's 10(s)\n");
303	if (pfkey_send_spdadd2(so, (struct sockaddr *)addr, 128,
304				(struct sockaddr *)addr, 128,
305				255, 0, 10, sp2, splen2, 0) < 0)
306		errx(1, "ERROR: %s", ipsec_strerror());
307	spid = test2sub(so);
308
309	/* expecting failure */
310	printf("spdupdate()\n");
311	if (pfkey_send_spdupdate(so, (struct sockaddr *)addr, 128,
312				(struct sockaddr *)addr, 128,
313				255, sp2, splen2, 0) == 0) {
314		warnx("ERROR: expecting failure.");
315	}
316
317	return 0;
318}
319
320int
321test2sub(so)
322	int so;
323{
324	struct sadb_msg *msg;
325	caddr_t mhp[SADB_EXT_MAX + 1];
326
327	if ((msg = pfkey_recv(so)) == NULL)
328		errx(1, "ERROR: pfkey_recv failure.");
329	if (pfkey_align(msg, mhp) < 0)
330		errx(1, "ERROR: pfkey_align failure.");
331
332	return ((struct sadb_x_policy *)mhp[SADB_X_EXT_POLICY])->sadb_x_policy_id;
333}
334
335