# $OpenBSD: Makefile,v 1.28 2020/12/17 00:51:12 bluhm Exp $

# Copyright (c) 2020 Tobias Heider <tobhe@openbsd.org>
#
# Permission to use, copy, modify, and distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
# copyright notice and this permission notice appear in all copies.
#
# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

# Live regression test for iked(8).  Everything under test runs on two
# remote machines ("left" and "right") reached over ssh/sftp; this
# Makefile only generates keys, certificates and iked configs locally,
# deploys them, and inspects ipsecctl(8) / tcpdump(8) / ikectl(8)
# output fetched from the remote hosts.  All shell snippets below are
# BSD make variables that are spliced into recipes, so they communicate
# through plain shell variables ($flowtype, $_ret, ...).

# bsd.regress.mk hooks: run "setup" once before the run-* targets and
# "cleanup" afterwards.
REGRESS_SETUP_ONCE = setup
REGRESS_CLEANUP = cleanup
# Locally generated configs, CSR templates, CSRs, keys, certs, serials.
CLEANFILES = *.conf *.cnf *.csr *.key *.crt *.srl

# ssh destinations of the two test machines and the addresses they use
# as IKE/IPsec endpoints.  All four must be supplied by the caller.
LEFT_SSH ?=
RIGHT_SSH ?=
LEFT_ADDR ?=
RIGHT_ADDR ?=

# Without both remote machines the test can only report SKIPPED.
.if empty(LEFT_SSH) || empty(RIGHT_SSH) || empty(LEFT_ADDR) || empty(RIGHT_ADDR)
regress:
	@echo this test needs two remote machines to operate
	@echo LEFT_SSH RIGHT_SSH RIGHT_ADDR LEFT_ADDR are not defined
	@echo SKIPPED
.endif

# Shell snippet: poll "ipsecctl -sa" on both hosts (up to four rounds)
# until each side shows the inbound flow plus the SAs in both
# directions.  Inputs: $flowtype (esp|ipcomp), optional $tmode
# (defaults to tunnel) and $config_address.  Leaves _ret=0 on success;
# otherwise _ret=1 and both ipsecctl outputs are echoed for debugging.
# With config_address the right side's address in the flow is the one
# handed out from the left side's 172.16.13.36/31 pool (see
# SETUP_CONFIG).  The ids are only checked for type (FQDN/UFQDN/ASN1_DN),
# not for their value.
TEST_FLOWS = \
	[ -z $$tmode ] && tmode=tunnel; \
	_ret=1; \
	count=0; \
	dynamic=${RIGHT_ADDR}; \
	if [ "$$config_address" = true ]; then \
		dynamic="172.16.13.37"; \
	fi; \
	while [[ $$count -le 3 ]]; do \
		ipsecctlleft=`ssh ${LEFT_SSH} ipsecctl -sa`; \
		ipsecctlright=`ssh ${RIGHT_SSH} ipsecctl -sa`; \
		flowleft=`echo "$$ipsecctlleft" \
		    | sed -E -n "/^flow $$flowtype in from $$dynamic\
		    to ${LEFT_ADDR} peer ${RIGHT_ADDR} srcid (FQDN|UFQDN|ASN1_DN)\/[^ ]*\
		    dstid (FQDN|UFQDN|ASN1_DN)\/[^ ]*/p"`; \
		flowright=`echo "$$ipsecctlright" \
		    | sed -E -n "/^flow $$flowtype in from ${LEFT_ADDR}\
		    to $$dynamic peer ${LEFT_ADDR} srcid (FQDN|UFQDN|ASN1_DN)\/[^ ]*\
		    dstid (FQDN|UFQDN|ASN1_DN)\/[^ ]*/p"`; \
		saleft_rtol=`echo "$$ipsecctlleft" \
		    | sed -n "/^$$flowtype $$tmode from ${RIGHT_ADDR} to ${LEFT_ADDR}/p"`; \
		saleft_ltor=`echo "$$ipsecctlleft" \
		    | sed -n "/^$$flowtype $$tmode from ${LEFT_ADDR} to ${RIGHT_ADDR}/p"`; \
		saright_rtol=`echo "$$ipsecctlright" \
		    | sed -n "/^$$flowtype $$tmode from ${RIGHT_ADDR} to ${LEFT_ADDR}/p"`; \
		saright_ltor=`echo "$$ipsecctlright" \
		    | sed -n "/^$$flowtype $$tmode from ${LEFT_ADDR} to ${RIGHT_ADDR}/p"`; \
		if [[ -n "$$saleft_ltor" && -n "$$saleft_rtol" && \
		    -n "$$saright_ltor" && -n "$$saright_rtol" && \
		    -n "$$flowleft" && -n "$$flowright" ]]; then \
			_ret=0; \
			break; \
		fi; \
		let count=$$count+1; \
	done; \
	if [[ "$${_ret}" -ne 0 ]]; then \
		echo "SAs not found:\n$$ipsecctlleft\n$$ipsecctlright"; \
	fi

# Shell snippet: on the left host capture two packets on enc0 while
# pinging RIGHT_ADDR, then look for ESP ("authentic,confidential")
# packets in both directions in the decoded capture.  Leaves _ret=0
# only when both directions are seen, _ret=1 otherwise, and always
# prints the capture.  The trailing kill stops the backgrounded tcpdump
# and is wrapped in "|| true" so it never changes the result.
# Uses ping6 when IPV is "6"; IPV is not set in this file, presumably
# it comes from the caller's environment - verify.
# NOTE(review): /tmp/test.pcap is a fixed path on the remote host, so
# two test runs against the same machine would clobber each other.
TEST_PING = \
	_ret=1; \
	if [[ "${IPV}" == "6" ]]; then ping="ping6"; else ping="ping"; fi; \
	dump=`ssh ${LEFT_SSH} "tcpdump -n -c2 -i enc0 -w /tmp/test.pcap > /dev/null & \
	    $$ping -w 1 -n -c 5 ${RIGHT_ADDR} > /dev/null && \
	    tcpdump -n -r /tmp/test.pcap && rm -f /tmp/test.pcap; \
	    kill -9 \\$$! > /dev/null 2>&1 || true"`; \
	rtol=`echo "$$dump" \
	    | sed -n "/(authentic,confidential): SPI 0x[0-9a-f]\{8\}: ${LEFT_ADDR} > ${RIGHT_ADDR}/p"`; \
	ltor=`echo "$$dump" \
	    | sed -n "/(authentic,confidential): SPI 0x[0-9a-f]\{8\}: ${RIGHT_ADDR} > ${LEFT_ADDR}/p"`; \
	if [[ -z "$$rtol" || -z "$$ltor" ]]; then \
		_ret=1; \
	else \
		_ret=0; \
	fi; \
	echo "$$dump"

# Shell snippet: count the "iked_sas" lines in "ikectl show sa" on the
# left host and abort the recipe unless there is exactly one.
TEST_SINGLEIKESA = \
	count=`ssh ${LEFT_SSH} "ikectl show sa | grep -c iked_sas"`; \
	if [[ "$$count" != "1" ]]; then \
		echo "error: too many IKE SAs."; \
		exit 1; \
	fi

# Shell snippet: append one side's iked configuration to $@_$side.conf.
# Inputs: $side (left|right), $local/$peer addresses, $srcid, optional
# $dstid (a complete "dstid ..." clause), $mode (defaults to active),
# $tmode, $auth with $psk, $flowtype, $fragmentation, $singleikesa and
# $config_address.  The output is a block of NAME="value" lines
# followed by iked.in, which presumably references them as iked.conf
# macros - see iked.in.  SRCID is written with escaped inner quotes so
# the id itself stays quoted (ASN1_DN ids contain '/' and '=').  With
# config_address the left side is forced passive and hands out
# 172.16.13.36/31 while the right side requests an address.
# NOTE(review): every write uses >>, so a stale $@_$side.conf left
# behind by an aborted run would be extended instead of replaced;
# DEPLOY_CONFIGS removes the files after a successful upload.
SETUP_CONFIG = \
	from=$$local; \
	to=$$peer; \
	if [[ -z "$$mode" ]]; then mode="active"; fi; \
	authstr=""; \
	if [[ "$$auth" = "psk" ]]; then \
		authstr="psk $$psk"; \
	fi; \
	ipcomp=""; \
	if [[ "$$flowtype" = "ipcomp" ]]; then \
		ipcomp="ipcomp"; \
	fi; \
	global=""; \
	if [ "$$fragmentation" = true ]; then \
		global="$${global}set fragmentation\n"; \
	fi; \
	if [ "$$singleikesa" = true ]; then \
		global="$${global}set enforcesingleikesa\n"; \
	fi; \
	confstr=""; \
	if [ "$$config_address" = true ]; then \
		if [ "$$side" = left ]; then \
			mode=passive; \
			confstr="config address 172.16.13.36/31"; \
			to="dynamic"; \
		else \
			mode=active; \
			confstr="request address any"; \
			from="dynamic"; \
		fi; \
	fi; \
	echo "MODE=\"$$mode\"" >> $@_$$side.conf; \
	echo "TMODE=\"$$tmode\"" >> $@_$$side.conf; \
	echo "FROM=\"$$from\"" >> $@_$$side.conf; \
	echo "TO=\"$$to\"" >> $@_$$side.conf; \
	echo "LOCAL_ADDR=\"$$local\"" >> $@_$$side.conf; \
	echo "PEER_ADDR=\"$$peer\"" >> $@_$$side.conf; \
	echo "IPCOMP=\"$$ipcomp\"" >> $@_$$side.conf; \
	echo "SRCID=\"\\\"$$srcid\\\"\"" >> $@_$$side.conf; \
	echo "DSTID=\"$$dstid\"" >> $@_$$side.conf; \
	echo "AUTH=\"$$authstr\"" >> $@_$$side.conf; \
	echo "CONFIG=\"$$confstr\"" >> $@_$$side.conf; \
	echo "$$global" >> $@_$$side.conf; \
	cat ${.CURDIR}/iked.in >> $@_$$side.conf

# Shell snippet: upload the two generated configs as /tmp/test.conf on
# their respective hosts and delete the local copies.  The files are
# chmod 0600 first because they carry the PSK when auth=psk; whether
# sftp reproduces that mode on the remote side is not verified here.
DEPLOY_CONFIGS = \
	chmod 0600 $@_left.conf; \
	echo "cd /tmp\nput $@_left.conf test.conf" | sftp -q ${LEFT_SSH}; \
	chmod 0600 $@_right.conf; \
	echo "cd /tmp\nput $@_right.conf test.conf" | sftp -q ${RIGHT_SSH}; \
	rm -f $@_left.conf $@_right.conf

# Shell snippet: build and deploy both sides' configs.  Expects $leftid
# and $rightid; for auth=psk one random 20-byte (hex) PSK is generated
# and shared by both sides.
SETUP_CONFIGS = \
	if [[ "$$auth" = "psk" ]]; then \
		psk=`openssl rand -hex 20`; \
	fi; \
	side=left; \
	srcid=$$leftid; \
	local=${LEFT_ADDR}; \
	peer=${RIGHT_ADDR}; \
	${SETUP_CONFIG}; \
	side=right; \
	srcid=$$rightid; \
	local=${RIGHT_ADDR}; \
	peer=${LEFT_ADDR}; \
	${SETUP_CONFIG}; \
	${DEPLOY_CONFIGS}

# Shell snippet: apply the sysctl in $sysctl on both hosts.
SETUP_SYSCTL = \
	ssh ${LEFT_SSH} "sysctl $$sysctl"; \
	ssh ${RIGHT_SSH} "sysctl $$sysctl"

# Shell snippet: on both hosts flush the IPsec SAD/SPD, kill any
# running iked and start a fresh one with the deployed config.
# $iked_flags may carry extra options (run-udpencap-port passes -p9999).
SETUP_START = \
	ssh ${LEFT_SSH} "ipsecctl -F; pkill iked; iked $$iked_flags -f /tmp/test.conf"; \
	ssh ${RIGHT_SSH} "ipsecctl -F; pkill iked; iked $$iked_flags -f /tmp/test.conf"

# Shell snippet: make the right side's iked reload its configuration.
SETUP_RELOAD_RIGHT = \
	ssh ${RIGHT_SSH} "ikectl reload"

# Shell snippet: issue $name-from-$caname.crt for the existing $name.key,
# signed by $caname.key/.crt.  crt.in provides the request template and
# the req_cert_extensions section; the ALTNAME line written ahead of it
# is presumably consumed there as the subjectAltName - see crt.in.
# Test keys are deliberately unencrypted.
SETUP_CERT = \
	echo "ALTNAME = $$name-from-$$caname" > $$name-from-$$caname.cnf; \
	cat ${.CURDIR}/crt.in >> $$name-from-$$caname.cnf; \
	openssl req -config $$name-from-$$caname.cnf -new -key $$name.key -nodes \
	    -out $$name-from-$$caname.csr; \
	openssl x509 -extfile $$name-from-$$caname.cnf -extensions req_cert_extensions \
	    -req -in $$name-from-$$caname.csr -CA $$caname.crt -CAkey $$caname.key \
	    -CAcreateserial -out $$name-from-$$caname.crt

# Shell snippet: create a self-signed CA $caname: 2048-bit RSA key and a
# certificate whose CN is the CA name (openssl defaults for everything
# else, including validity).
SETUP_CA = \
	openssl genrsa -out $$caname.key 2048; \
	openssl req -subj "/C=DE/ST=Bavaria/L=Munich/O=iked/CN=$$caname" \
	    -new -x509 -key $$caname.key -out $$caname.crt

# Put both remote hosts back: remove the test config, flush IPsec state,
# stop iked, empty /etc/iked/{ca,certs,private}, reset the UDP
# encapsulation port to its default 4500 and reload /etc/pf.conf.
# This wipes each host's iked trust store and private key wholesale,
# so the machines have to be dedicated to this test.  Errors are
# ignored (-) so that cleanup always runs to completion.
cleanup:
	-ssh ${LEFT_SSH} 'rm -f /tmp/test.conf; ipsecctl -F; pkill iked; \
	    rm -f /etc/iked/ca/*; rm -f /etc/iked/certs/*; rm -f /etc/iked/private/*; \
	    sysctl "net.inet.esp.udpencap_port=4500"; \
	    rm -f /tmp/pf.conf; pfctl -d; pfctl -f /etc/pf.conf;'
	-ssh ${RIGHT_SSH} 'rm -f /tmp/test.conf; ipsecctl -F; pkill iked; \
	    rm -f /etc/iked/ca/*; rm -f /etc/iked/certs/*; rm -f /etc/iked/private/*; \
	    sysctl "net.inet.esp.udpencap_port=4500"; \
	    rm -f /tmp/pf.conf; pfctl -d; pfctl -f /etc/pf.conf;'

# Install the generated material into /etc/iked on each host: its own
# key as private/local.key, its two certificates (one from ca-both, one
# from the other side's CA) and the two CAs it has to trust, then derive
# local.pub from the private key.  Declared .PHONY below because it
# creates no local file.
setup_certs: ca-both.crt left-from-ca-both.crt left.key right-from-ca-both.crt \
	right.key ca-left.crt right-from-ca-left.crt ca-right.crt left-from-ca-right.crt
	echo "cd /etc/iked\n \
	    put left-from-ca-both.crt certs\n \
	    put left-from-ca-right.crt certs\n \
	    put left.key private/local.key\n \
	    put ca-left.crt ca\n \
	    put ca-both.crt ca\n" | sftp ${LEFT_SSH} -q; \
	echo "cd /etc/iked\n \
	    put right-from-ca-both.crt certs\n \
	    put right-from-ca-left.crt certs\n \
	    put right.key private/local.key\n \
	    put ca-right.crt ca\n \
	    put ca-both.crt ca\n" | sftp ${RIGHT_SSH} -q; \
	ssh ${LEFT_SSH} "openssl rsa -in /etc/iked/private/local.key -pubout > /etc/iked/local.pub"; \
	ssh ${RIGHT_SSH} "openssl rsa -in /etc/iked/private/local.key -pubout > /etc/iked/local.pub"

# Upload pf.in as /tmp/pf.conf and load + enable it on both hosts.
# Failures are ignored (-), presumably because "pfctl -e" fails when pf
# is already enabled.
setup_pf: pf.in
	echo "cd /tmp\nput ${.CURDIR}/pf.in pf.conf" | sftp -q ${LEFT_SSH}
	echo "cd /tmp\nput ${.CURDIR}/pf.in pf.conf" | sftp -q ${RIGHT_SSH}
	-ssh ${LEFT_SSH} "pfctl -f /tmp/pf.conf; pfctl -e"
	-ssh ${RIGHT_SSH} "pfctl -f /tmp/pf.conf; pfctl -e"

# One-time preparation of both hosts (REGRESS_SETUP_ONCE).
setup: setup_pf setup_certs

.PHONY: setup_certs

# Debug helper: run the flow check on its own; $flowtype and $tmode come
# from the environment.
test_flows:
	${TEST_FLOWS}

# Private keys of the two test hosts.
# NOTE(review): left.key and right.key are also listed as targets of the
# right-from-ca-left.crt / left-from-ca-right.crt rules below, whose
# recipe (SETUP_CERT) does not create a key - confirm that is intended.
left.key right.key:
	openssl genrsa -out $@ 2048

# CA trusted by both sides.
ca-both.crt ca-both.key:
	caname=ca-both; ${SETUP_CA}

left-from-ca-both.crt: ca-both.crt ca-both.key left.key
	caname=ca-both; name=left; ${SETUP_CERT}

right-from-ca-both.crt: ca-both.crt ca-both.key right.key
	caname=ca-both; name=right; ${SETUP_CERT}

# CA installed only on the left host; it signs the right host's cert
# for the multi-CA test.
ca-left.crt ca-left.key:
	caname=ca-left; ${SETUP_CA}

right-from-ca-left.crt right.key: ca-left.crt ca-left.key
	caname=ca-left; name=right; ${SETUP_CERT}

# CA installed only on the right host; it signs the left host's cert.
ca-right.crt ca-right.key:
	caname=ca-right; ${SETUP_CA}

left-from-ca-right.crt left.key: ca-right.crt ca-right.key
	caname=ca-right; name=left; ${SETUP_CERT}

# Negative control: with IPsec state flushed and iked stopped on both
# hosts, TEST_PING must not see any ESP traffic (_ret stays 1).
REGRESS_TARGETS = run-ping-fail
run-ping-fail:
	ssh ${LEFT_SSH} "ipsecctl -F; pkill iked || true"
	ssh ${RIGHT_SSH} "ipsecctl -F; pkill iked || true"
	${TEST_PING}; \
	if [[ $$_ret -ne 1 ]]; then exit 1; fi

# Both sides certified by ca-both, FQDN ids.
REGRESS_TARGETS += run-cert-single-ca
run-cert-single-ca:
	leftid=left-from-ca-both; \
	rightid=right-from-ca-both; \
	${SETUP_CONFIGS}
	${SETUP_START}
	flowtype=esp; ${TEST_FLOWS}; if [[ $$_ret -ne 0 ]]; then exit 1; fi
	${TEST_PING}; if [[ $$_ret -ne 0 ]]; then exit 1; fi

# As run-cert-single-ca, but the ids are the certificates' ASN.1 DNs.
REGRESS_TARGETS += run-cert-single-ca-asn1dn
run-cert-single-ca-asn1dn:
	leftid="/C=DE/ST=Bavaria/L=Munich/O=iked/CN=left-from-ca-both"; \
	rightid="/C=DE/ST=Bavaria/L=Munich/O=iked/CN=right-from-ca-both"; \
	${SETUP_CONFIGS}
	${SETUP_START}
	flowtype=esp; ${TEST_FLOWS}; if [[ $$_ret -ne 0 ]]; then exit 1; fi
	${TEST_PING}; if [[ $$_ret -ne 0 ]]; then exit 1; fi

# Left hands out an address from its pool, right requests one.  Only
# the flows are checked; TEST_PING is not used here, presumably because
# it pings RIGHT_ADDR rather than the assigned dynamic address.
REGRESS_TARGETS += run-config-address
run-config-address:
	flowtype=esp; \
	config_address=true; \
	leftid=left-from-ca-both; \
	rightid=right-from-ca-both; \
	${SETUP_CONFIGS}
	${SETUP_START}
	config_address=true; \
	flowtype=esp; ${TEST_FLOWS}; if [[ $$_ret -ne 0 ]]; then exit 1; fi

# Negative test: the passive right side requires an id the left side
# does not present ("dstid invalid"), so no SA and no ESP traffic may
# appear.
REGRESS_TARGETS += run-dstid-fail
run-dstid-fail:
	leftid=left-from-ca-both; \
	rightid=right-from-ca-both; \
	side=left; \
	srcid=$$leftid; \
	local=${LEFT_ADDR}; \
	peer=${RIGHT_ADDR}; \
	${SETUP_CONFIG}; \
	side=right; \
	mode=passive; \
	srcid=$$rightid; \
	local=${RIGHT_ADDR}; \
	peer=${LEFT_ADDR}; \
	dstid="dstid invalid"; \
	${SETUP_CONFIG}; \
	${DEPLOY_CONFIGS}
	${SETUP_START}
	flowtype=esp; ${TEST_FLOWS}; if [[ $$_ret -ne 1 ]]; then exit 1; fi
	${TEST_PING}; if [[ $$_ret -ne 1 ]]; then exit 1; fi

# Both sides pin the peer's id with dstid.
REGRESS_TARGETS += run-dstid
run-dstid:
	flowtype=esp; \
	leftid=left-from-ca-both; \
	rightid=right-from-ca-both; \
	side=left; \
	srcid=$$leftid; \
	local=${LEFT_ADDR}; \
	peer=${RIGHT_ADDR}; \
	dstid="dstid $$rightid"; \
	${SETUP_CONFIG}; \
	side=right; \
	srcid=$$rightid; \
	local=${RIGHT_ADDR}; \
	peer=${LEFT_ADDR}; \
	dstid="dstid $$leftid"; \
	${SETUP_CONFIG}; \
	${DEPLOY_CONFIGS}
	${SETUP_START}
	flowtype=esp; ${TEST_FLOWS}; if [[ $$_ret -ne 0 ]]; then exit 1; fi
	${TEST_PING}; if [[ $$_ret -ne 0 ]]; then exit 1; fi

# The passive right side gets two policy blocks appended to its config
# (SETUP_CONFIG is run twice for side=right): one with the correct
# dstid and one with the bogus id "roflol".  Negotiation must still
# succeed via the matching policy.
REGRESS_TARGETS += run-dstid-multi
run-dstid-multi:
	flowtype=esp; \
	leftid=left-from-ca-both; \
	rightid=right-from-ca-both; \
	side=left; srcid=$$leftid; local=${LEFT_ADDR}; peer=${RIGHT_ADDR}; \
	dstid="dstid $$rightid"; \
	${SETUP_CONFIG}; \
	side=right; mode=passive; srcid=$$rightid; local=${RIGHT_ADDR}; \
	peer=${LEFT_ADDR}; dstid="dstid $$leftid"; \
	${SETUP_CONFIG}; \
	dstid="dstid roflol"; \
	${SETUP_CONFIG}; \
	${DEPLOY_CONFIGS}
	${SETUP_START}
	flowtype=esp; ${TEST_FLOWS}; if [[ $$_ret -ne 0 ]]; then exit 1; fi
	${TEST_PING}; if [[ $$_ret -ne 0 ]]; then exit 1; fi

# Cross-signed setup: left presents the cert issued by ca-right, right
# the one issued by ca-left; each host only trusts the CA that signed
# the peer's cert (see setup_certs).
REGRESS_TARGETS += run-cert-multi-ca
run-cert-multi-ca:
	flowtype=esp; \
	leftid=left-from-ca-right; \
	rightid=right-from-ca-left; \
	${SETUP_CONFIGS}
	${SETUP_START}
	flowtype=esp; ${TEST_FLOWS}; if [[ $$_ret -ne 0 ]]; then exit 1; fi
	${TEST_PING}; if [[ $$_ret -ne 0 ]]; then exit 1; fi

# Ids that differ from the certificates' primary ALTNAME; presumably
# they are the additional subjectAltName entries defined in crt.in -
# verify there.
REGRESS_TARGETS += run-cert-second-altname
run-cert-second-altname:
	flowtype=esp; \
	leftid=left-from-ca-both-alternative; \
	rightid=right-from-ca-both@openbsd.org; \
	${SETUP_CONFIGS}
	${SETUP_START}
	flowtype=esp; ${TEST_FLOWS}; if [[ $$_ret -ne 0 ]]; then exit 1; fi
	${TEST_PING}; if [[ $$_ret -ne 0 ]]; then exit 1; fi

# Negative test: each side gets its own random PSK, so authentication
# must fail and no SA / ESP traffic may appear.
REGRESS_TARGETS += run-psk-fail
run-psk-fail:
	auth=psk; \
	leftid=left-from-ca-both; \
	rightid=right-from-ca-both; \
	flowtype=esp; \
	side=left; psk=`openssl rand -hex 20`; \
	${SETUP_CONFIG}; \
	side=right; psk=`openssl rand -hex 20`; \
	${SETUP_CONFIG}; \
	${DEPLOY_CONFIGS}
	${SETUP_START}
	flowtype=esp; ${TEST_FLOWS}; if [[ $$_ret -ne 1 ]]; then exit 1; fi
	${TEST_PING}; if [[ $$_ret -ne 1 ]]; then exit 1; fi

# Pre-shared key authentication with one PSK shared by both sides
# (generated in SETUP_CONFIGS).
REGRESS_TARGETS += run-psk
run-psk:
	auth=psk; \
	leftid=left; \
	rightid=right; \
	flowtype=esp; \
	${SETUP_CONFIGS}
	${SETUP_START}
	flowtype=esp; ${TEST_FLOWS}; \
	if [[ $$_ret -ne 0 ]]; then exit 1; fi
	${TEST_PING}; \
	if [[ $$_ret -ne 0 ]]; then exit 1; fi

# "set fragmentation" in both configs.
REGRESS_TARGETS += run-fragmentation
run-fragmentation:
	flowtype=esp; \
	fragmentation=true; \
	leftid=left-from-ca-both; \
	rightid=right-from-ca-both; \
	${SETUP_CONFIGS}
	${SETUP_START}
	flowtype=esp; ${TEST_FLOWS}; \
	if [[ $$_ret -ne 0 ]]; then exit 1; fi
	${TEST_PING}; \
	if [[ $$_ret -ne 0 ]]; then exit 1; fi

# Transport mode instead of the default tunnel mode; tmode has to be
# repeated for TEST_FLOWS because each recipe line is a separate shell.
REGRESS_TARGETS += run-transport
run-transport:
	flowtype=esp; \
	tmode=transport; \
	leftid=left-from-ca-both; \
	rightid=right-from-ca-both; \
	${SETUP_CONFIGS}
	${SETUP_START}
	tmode=transport; flowtype=esp; \
	${TEST_FLOWS}; if [[ $$_ret -ne 0 ]]; then exit 1; fi
	${TEST_PING}; if [[ $$_ret -ne 0 ]]; then exit 1; fi

# "set enforcesingleikesa": after the right side reloads (which
# presumably triggers a new IKE SA) the left side must still report a
# single IKE SA.
REGRESS_TARGETS += run-singleikesa
run-singleikesa:
	flowtype=esp; \
	singleikesa=true; \
	leftid=left-from-ca-both; \
	rightid=right-from-ca-both; \
	${SETUP_CONFIGS}
	${SETUP_START}
	sleep 1; ${SETUP_RELOAD_RIGHT}; \
	sleep 3; ${TEST_SINGLEIKESA}

# IPComp flows; requires net.inet.ipcomp.enable=1 on both hosts.
REGRESS_TARGETS += run-ipcomp
run-ipcomp:
	flowtype=ipcomp; \
	leftid=left-from-ca-both; \
	rightid=right-from-ca-both; \
	${SETUP_CONFIGS}
	sysctl="net.inet.ipcomp.enable=1"; \
	${SETUP_SYSCTL}
	${SETUP_START}
	flowtype=ipcomp; ${TEST_FLOWS}; if [[ $$_ret -ne 0 ]]; then exit 1; fi
	${TEST_PING}; if [[ $$_ret -ne 0 ]]; then exit 1; fi

# Non-default UDP encapsulation port: move the kernel port to 9999 on
# both hosts and start iked with -p9999, then restore 4500.  The final
# restore only runs when the checks pass; cleanup resets the port too.
REGRESS_TARGETS += run-udpencap-port
run-udpencap-port:
	flowtype=esp; \
	leftid=left-from-ca-both; \
	rightid=right-from-ca-both; \
	${SETUP_CONFIGS}; \
	sysctl="net.inet.esp.udpencap_port=9999"; \
	${SETUP_SYSCTL};
	iked_flags=-p9999; \
	${SETUP_START};
	flowtype=esp; ${TEST_FLOWS}; if [[ $$_ret -ne 0 ]]; then exit 1; fi
	${TEST_PING}; if [[ $$_ret -ne 0 ]]; then exit 1; fi
	sysctl="net.inet.esp.udpencap_port=4500"; \
	${SETUP_SYSCTL};

.include <bsd.regress.mk>