1#	$OpenBSD: Makefile,v 1.34 2021/12/21 13:50:35 tobhe Exp $
2
3# Copyright (c) 2020 Tobias Heider <tobhe@openbsd.org>
4#
5# Permission to use, copy, modify, and distribute this software for any
6# purpose with or without fee is hereby granted, provided that the above
7# copyright notice and this permission notice appear in all copies.
8#
9# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
10# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
11# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
12# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
13# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
14# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16
# Hooks consumed by bsd.regress.mk: "setup" runs once before the tests and
# "cleanup" once after them. CLEANFILES lists the generated config, CSR,
# key, certificate and serial files left in the build directory.
REGRESS_SETUP_ONCE =	setup
REGRESS_CLEANUP =	cleanup
CLEANFILES =		*.conf *.cnf *.csr *.key *.crt *.srl

# The two test hosts: the ssh/sftp destination and the address the IPsec
# flows are expected between, for each side. Nothing is guessed here; all
# four have to come from the environment or the command line.
LEFT_SSH ?=
LEFT_ADDR ?=
RIGHT_SSH ?=
RIGHT_ADDR ?=
25
# Without both hosts there is nothing to talk to: replace the regress target
# with a stub that reports SKIPPED instead of failing.
.if empty(LEFT_SSH) || empty(RIGHT_SSH) || empty(LEFT_ADDR) || empty(RIGHT_ADDR)
regress:
	@echo "this test needs two remote machines to operate"
	@echo "LEFT_SSH RIGHT_SSH RIGHT_ADDR LEFT_ADDR are not defined"
	@echo SKIPPED
.endif
32
# TEST_FLOWS: poll "ipsecctl -sa" on both hosts until the expected IPsec
# state is visible, giving up after maxwait+1 polls (maxwait defaults to 3).
# Shell variables read from the calling recipe:
#   flowtype        "esp" or "ipcomp" (always set by the callers)
#   tmode           "tunnel" (default) or "transport"
#   config_address  when set, the right side's address was assigned by the
#                   left side, so the flow is matched against any
#                   172.16.13.x address instead of ${RIGHT_ADDR}
#   maxwait         extra polls before giving up
# Success means each host shows the "flow ... in" entry carrying srcid and
# dstid plus both SAs (left->right and right->left); _ret is then 0,
# otherwise 1 and both ipsecctl dumps are printed for the log.
# ${LEFT_ADDR}/${RIGHT_ADDR} are inserted into the sed patterns unescaped,
# so a "." in them matches any character.
TEST_FLOWS = \
	[ -z $$tmode ] && tmode=tunnel; \
	_ret=1; \
	count=0; \
	dynamic=${RIGHT_ADDR}; \
	if [ -n "$$config_address" ]; then \
		dynamic="172.16.13.[0-9]+"; \
	fi; \
	[ -z "$$maxwait" ] && maxwait=3; \
	while [[ $$count -le $$maxwait ]]; do \
		ipsecctlleft=`ssh ${LEFT_SSH} ipsecctl -sa`; \
		ipsecctlright=`ssh ${RIGHT_SSH} ipsecctl -sa`; \
		flowleft=`echo "$$ipsecctlleft" \
		    | sed -E -n "/^flow $$flowtype in from $$dynamic\
		    to ${LEFT_ADDR} peer ${RIGHT_ADDR} srcid (FQDN|UFQDN|ASN1_DN)\/[^ ]*\
		    dstid (FQDN|UFQDN|ASN1_DN)\/[^ ]*/p"`; \
		flowright=`echo "$$ipsecctlright" \
		    | sed -E -n "/^flow $$flowtype in from ${LEFT_ADDR}\
		    to $$dynamic peer ${LEFT_ADDR} srcid (FQDN|UFQDN|ASN1_DN)\/[^ ]*\
		    dstid (FQDN|UFQDN|ASN1_DN)\/[^ ]*/p"`; \
		saleft_rtol=`echo "$$ipsecctlleft" \
		    | sed -n "/^$$flowtype $$tmode from ${RIGHT_ADDR} to ${LEFT_ADDR}/p"`; \
		saleft_ltor=`echo "$$ipsecctlleft" \
		    | sed -n "/^$$flowtype $$tmode from ${LEFT_ADDR} to ${RIGHT_ADDR}/p"`; \
		saright_rtol=`echo "$$ipsecctlright" \
		    | sed -n "/^$$flowtype $$tmode from ${RIGHT_ADDR} to ${LEFT_ADDR}/p"`; \
		saright_ltor=`echo "$$ipsecctlright" \
		    | sed -n "/^$$flowtype $$tmode from ${LEFT_ADDR} to ${RIGHT_ADDR}/p"`; \
		if [[ -n "$$saleft_ltor" && -n "$$saleft_rtol" && \
		     -n "$$saright_ltor" && -n "$$saright_rtol" && \
		     -n "$$flowleft" && -n "$$flowright" ]]; then \
			 _ret=0; \
			 break; \
		fi; \
		let count=$$count+1; \
	done; \
	if [[ "$${_ret}" -ne 0 ]]; then \
		echo "SAs not found:\n$$ipsecctlleft\n$$ipsecctlright"; \
	fi
72
# TEST_PING: from the left host, capture two packets on enc0 while pinging
# ${RIGHT_ADDR}, then read the capture back. _ret is 0 only when the dump
# shows "(authentic,confidential)" ESP packets in both directions
# (left->right and right->left), else 1. The tcpdump output is echoed so it
# ends up in the regress log.
# The capture goes to a fixed path (/tmp/test.pcap) on the left host and is
# removed afterwards; "kill -9 $!" stops the background tcpdump, and the
# "\\$$!" quoting is what gets a literal "$!" to the remote shell.
# ${IPV} selects ping6 when it is 6; nothing in this file sets it.
# The variable names rtol/ltor are swapped relative to the direction each
# pattern matches (rtol holds LEFT > RIGHT); harmless, as both must be set.
TEST_PING = \
	_ret=1; \
	if [[ "${IPV}" == "6" ]]; then ping="ping6"; else ping="ping"; fi; \
	dump=`ssh ${LEFT_SSH} "tcpdump -n -c2 -i enc0 -w /tmp/test.pcap > /dev/null & \
	    $$ping -w 1 -n -c 5 ${RIGHT_ADDR} > /dev/null && \
	    tcpdump -n -r /tmp/test.pcap && rm -f /tmp/test.pcap; \
	    kill -9 \\$$! > /dev/null 2>&1 || true"`; \
	rtol=`echo "$$dump" \
	    | sed -n "/(authentic,confidential): SPI 0x[0-9a-f]\{8\}: ${LEFT_ADDR} > ${RIGHT_ADDR}/p"`; \
	ltor=`echo "$$dump" \
	    | sed -n "/(authentic,confidential): SPI 0x[0-9a-f]\{8\}: ${RIGHT_ADDR} > ${LEFT_ADDR}/p"`; \
	if [[ -z "$$rtol" || -z "$$ltor" ]]; then \
		_ret=1; \
	else \
		_ret=0; \
	fi; \
	echo "$$dump"
90
# TEST_SINGLEIKESA: count the IKE SAs "ikectl show sa" reports on the left
# host and fail the recipe unless there is exactly one.
TEST_SINGLEIKESA = \
	count=`ssh ${LEFT_SSH} "ikectl show sa | grep -c iked_sas"`; \
	[[ "$$count" = "1" ]] || { echo "error: too many IKE SAs."; exit 1; }
97
# SETUP_CONFIG: append one side's settings, followed by the template
# ${.CURDIR}/iked.in, to $@_$side.conf. Everything is appended, so a recipe
# may call this several times for the same side to stack policies into one
# file (run-dstid-multi, run-srcid-multi do that).
# Shell variables read: side (left|right), local, peer, srcid, dstid, auth
# (+psk), flowtype, tmode, ikesa, mode, and the booleans fragmentation,
# singleikesa, intermediate, which become "set fragmentation",
# "set enforcesingleikesa" and "set cert_partial_chain" lines.
# mode is only defaulted to "active" while it is empty, so it carries over
# from a previous call in the same shell.
# config_address makes the left side the passive responder handing out
# that address ("config address ...") and the right side the requester
# ("request address any"); a value containing "/" is a pool, so the
# matching endpoint becomes "dynamic" instead of the address itself.
# With auth=psk the shared secret is written in clear text into this file;
# DEPLOY_CONFIGS chmods it 0600 before uploading and deletes the local copy.
SETUP_CONFIG = \
	from=$$local; \
	to=$$peer; \
	if [[ -z "$$mode" ]]; then mode="active"; fi; \
	authstr=""; \
	if [[ "$$auth" = "psk" ]]; then \
		authstr="psk $$psk"; \
	fi; \
	ipcomp=""; \
	if [[ "$$flowtype" = "ipcomp" ]]; then \
		ipcomp="ipcomp"; \
	fi; \
	global=""; \
	if [ "$$fragmentation" = true ]; then \
		global="$${global}set fragmentation\n"; \
	fi; \
	if [ "$$singleikesa" = true ]; then \
		global="$${global}set enforcesingleikesa\n"; \
	fi; \
	if [ "$$intermediate" = true ]; then \
		global="$${global}set cert_partial_chain\n"; \
	fi; \
	confstr=""; \
	if [ -n "$$config_address" ]; then \
		if [ "$$side" = left ]; then \
			mode=passive; \
			confstr="config address $$config_address"; \
			if [[ "$$config_address" == */* ]]; then \
				to="dynamic"; \
			else \
				to="$$config_address"; \
			fi; \
		else \
			mode=active; \
			confstr="request address any"; \
			if [[ "$$config_address" == */* ]]; then \
				from="dynamic"; \
			else \
				from="$$config_address"; \
			fi; \
		fi; \
	fi; \
	echo "MODE=\"$$mode\"" >> $@_$$side.conf; \
	echo "TMODE=\"$$tmode\"" >> $@_$$side.conf; \
	echo "FROM=\"$$from\"" >> $@_$$side.conf; \
	echo "TO=\"$$to\"" >> $@_$$side.conf; \
	echo "LOCAL_ADDR=\"$$local\"" >> $@_$$side.conf; \
	echo "PEER_ADDR=\"$$peer\"" >> $@_$$side.conf; \
	echo "IPCOMP=\"$$ipcomp\"" >> $@_$$side.conf; \
	echo "SRCID=\"\\\"$$srcid\\\"\"" >> $@_$$side.conf; \
	echo "DSTID=\"$$dstid\"" >> $@_$$side.conf; \
	echo "AUTH=\"$$authstr\"" >> $@_$$side.conf; \
	echo "CONFIG=\"$$confstr\"" >> $@_$$side.conf; \
	echo "IKESA=\"$$ikesa\"" >> $@_$$side.conf; \
	echo "$$global" >> $@_$$side.conf; \
	cat ${.CURDIR}/iked.in >> $@_$$side.conf
154
# DEPLOY_CONFIGS: upload the two generated files as /tmp/test.conf on their
# respective host and remove the local copies. The chmod makes the local
# file (which may contain the PSK) owner-readable only before it leaves the
# machine. NOTE(review): whether that mode survives the sftp put depends on
# the remote side's umask; confirm /tmp/test.conf is not world-readable on
# the test hosts.
DEPLOY_CONFIGS = \
	for s in left right; do chmod 0600 $@_$$s.conf; done; \
	echo "cd /tmp\nput $@_left.conf test.conf" | sftp -q ${LEFT_SSH}; \
	echo "cd /tmp\nput $@_right.conf test.conf" | sftp -q ${RIGHT_SSH}; \
	rm -f $@_left.conf $@_right.conf
161
# SETUP_CONFIGS: generate both sides' config for the current target and
# deploy them. With auth=psk a fresh random secret is drawn once here so
# both files get the same value. leftid/rightid become the sides' srcid;
# anything else (flowtype, tmode, dstid, ...) is read from the caller's
# shell by SETUP_CONFIG.
SETUP_CONFIGS = \
	if [[ "$$auth" = "psk" ]]; then psk=`openssl rand -hex 20`; fi; \
	side=left; srcid=$$leftid; local=${LEFT_ADDR}; peer=${RIGHT_ADDR}; \
	${SETUP_CONFIG}; \
	side=right; srcid=$$rightid; local=${RIGHT_ADDR}; peer=${LEFT_ADDR}; \
	${SETUP_CONFIG}; \
	${DEPLOY_CONFIGS}
177
# SETUP_SYSCTL: apply the "name=value" in $sysctl on both hosts, left first.
SETUP_SYSCTL = \
	for h in "${LEFT_SSH}" "${RIGHT_SSH}"; do ssh $$h "sysctl $$sysctl"; done
181
# SETUP_START: on both hosts (left first) flush the IPsec state, stop any
# running iked and start a new one on the uploaded /tmp/test.conf.
# $iked_flags adds daemon options (run-udpencap-port passes -p9999).
# NOTE(review): pkill returns as soon as the signal is sent, so the new
# iked is started without waiting for the old one to exit; confirm this
# cannot race on the test hosts if a run fails right after start.
SETUP_START = \
	for h in "${LEFT_SSH}" "${RIGHT_SSH}"; do \
		ssh $$h "ipsecctl -F; pkill iked; iked $$iked_flags -f /tmp/test.conf"; \
	done
185
# SETUP_RELOAD_RIGHT: make the right side's iked re-read its config
# (used by run-singleikesa to trigger a second IKE negotiation).
SETUP_RELOAD_RIGHT = \
	ssh ${RIGHT_SSH} ikectl reload
188
# SETUP_CERT: issue $name-from-$caname.crt for the existing key $name.key,
# signed by $caname.key/$caname.crt. The request config is crt.in preceded
# by an ALTNAME line naming the certificate, and its req_cert_extensions
# section is copied into the issued certificate. -CAcreateserial leaves
# $caname.srl behind, which CLEANFILES covers.
SETUP_CERT = \
	cert=$$name-from-$$caname; \
	echo "ALTNAME = $$cert" > $$cert.cnf; \
	cat ${.CURDIR}/crt.in >> $$cert.cnf; \
	openssl req -new -nodes -config $$cert.cnf -key $$name.key -out $$cert.csr; \
	openssl x509 -req -in $$cert.csr -CA $$caname.crt -CAkey $$caname.key \
	    -CAcreateserial -extfile $$cert.cnf -extensions req_cert_extensions \
	    -out $$cert.crt
197
# SETUP_INTERMEDIATE: like SETUP_CERT, but generates a fresh 2048-bit key
# for the intermediate itself and signs it with the v3_intermediate_ca
# extensions from crt.in, so the result can in turn sign leaf certs.
SETUP_INTERMEDIATE = \
	cert=$$name-from-$$caname; \
	echo "ALTNAME = $$cert" > $$cert.cnf; \
	cat ${.CURDIR}/crt.in >> $$cert.cnf; \
	openssl genrsa -out $$cert.key 2048; \
	openssl req -new -nodes -config $$cert.cnf -key $$cert.key -out $$cert.csr; \
	openssl x509 -req -in $$cert.csr -CA $$caname.crt -CAkey $$caname.key \
	    -CAcreateserial -extfile $$cert.cnf -extensions v3_intermediate_ca \
	    -out $$cert.crt
207
# SETUP_CA: self-signed root $caname.key/$caname.crt with a fixed subject
# whose CN is the CA name. No -days is passed, so openssl's default
# validity period applies to the CA certificate.
SETUP_CA = \
	openssl genrsa -out $$caname.key 2048; \
	openssl req -x509 -new -key $$caname.key -out $$caname.crt \
	    -subj "/C=DE/ST=Bavaria/L=Munich/O=iked/CN=$$caname"
212
# cleanup (REGRESS_CLEANUP): return both test hosts to a neutral state:
# drop the uploaded config, flush IPsec state, stop iked, empty the
# /etc/iked ca, certs and private directories (everything in them, not only
# what setup_certs uploaded), reset the UDP encapsulation port changed by
# run-udpencap-port and switch pf back to the host's own /etc/pf.conf.
# Failures are ignored ("-") so an unreachable host does not stop the
# cleanup of the other one. net.inet.ipcomp.enable, set by run-ipcomp, is
# not reset here.
cleanup:
	-ssh ${LEFT_SSH} 'rm -f /tmp/test.conf; ipsecctl -F; pkill iked; \
	    rm -f /etc/iked/ca/* /etc/iked/certs/* /etc/iked/private/*; \
	    sysctl net.inet.esp.udpencap_port=4500; \
	    rm -f /tmp/pf.conf; pfctl -d; pfctl -f /etc/pf.conf;'
	-ssh ${RIGHT_SSH} 'rm -f /tmp/test.conf; ipsecctl -F; pkill iked; \
	    rm -f /etc/iked/ca/* /etc/iked/certs/* /etc/iked/private/*; \
	    sysctl net.inet.esp.udpencap_port=4500; \
	    rm -f /tmp/pf.conf; pfctl -d; pfctl -f /etc/pf.conf;'
222
# setup_certs: build every local key and certificate the tests use, upload
# them into /etc/iked on both hosts and derive local.pub from the private
# key on each. Each host gets under certs/ its own leaf certs from every
# CA plus the peer's cert issued by ca-none (whose CA cert is installed
# nowhere), under private/ its key as local.key, and under ca/ the
# intermediate, ca-both and its own CA (ca-left on the left host, ca-right
# on the right one). Note the argument order "sftp HOST -q" here versus
# "sftp -q HOST" elsewhere; both are accepted.
# NOTE(review): left.key/right.key are uploaded with whatever mode they
# have locally; confirm /etc/iked/private/local.key is not world-readable
# on the hosts afterwards.
setup_certs: ca-both.crt left-from-ca-both.crt left.key right-from-ca-both.crt \
    right.key ca-left.crt right-from-ca-left.crt ca-right.crt left-from-ca-right.crt \
    ca-none.crt left-from-ca-none.crt right-from-ca-none.crt \
    intermediate-from-ca-none.crt left-from-intermediate-from-ca-none.crt \
    right-from-intermediate-from-ca-none.crt
	echo "cd /etc/iked\n \
	    put left-from-ca-both.crt certs\n \
	    put left-from-ca-right.crt certs\n \
	    put left-from-ca-none.crt certs\n \
	    put left-from-intermediate-from-ca-none.crt certs\n \
	    put right-from-ca-none.crt certs\n \
	    put left.key private/local.key\n \
	    put intermediate-from-ca-none.crt ca\n \
	    put ca-left.crt ca\n \
	    put ca-both.crt ca\n" | sftp ${LEFT_SSH} -q; \
	echo "cd /etc/iked\n \
	    put right-from-ca-both.crt certs\n \
	    put right-from-ca-left.crt certs\n \
	    put right-from-ca-none.crt certs\n \
	    put right-from-intermediate-from-ca-none.crt certs\n \
	    put left-from-ca-none.crt certs\n \
	    put right.key private/local.key\n \
	    put intermediate-from-ca-none.crt ca\n \
	    put ca-right.crt ca\n \
	    put ca-both.crt ca\n" | sftp ${RIGHT_SSH} -q; \
	ssh ${LEFT_SSH} "openssl rsa -in /etc/iked/private/local.key -pubout > /etc/iked/local.pub"; \
	ssh ${RIGHT_SSH} "openssl rsa -in /etc/iked/private/local.key -pubout > /etc/iked/local.pub"
250
# setup_pf: push the suite's pf ruleset (pf.in) to both hosts as
# /tmp/pf.conf and load it with pf enabled. The pfctl lines ignore errors
# ("-"), presumably because "pfctl -e" fails when pf is already enabled;
# cleanup reloads the host's own /etc/pf.conf afterwards.
setup_pf: pf.in
	echo "cd /tmp\nput ${.CURDIR}/pf.in pf.conf" | sftp -q ${LEFT_SSH}
	echo "cd /tmp\nput ${.CURDIR}/pf.in pf.conf" | sftp -q ${RIGHT_SSH}
	-ssh ${LEFT_SSH} "pfctl -f /tmp/pf.conf; pfctl -e"
	-ssh ${RIGHT_SSH} "pfctl -f /tmp/pf.conf; pfctl -e"
256
# setup (REGRESS_SETUP_ONCE): prepare pf and the certificates on both hosts
# once before any run-* target executes.
setup: setup_pf setup_certs

# setup_certs produces no file of that name, so it must be phony to run.
# NOTE(review): setup, setup_pf and cleanup are not declared phony here; a
# stray file with one of those names in the build directory would mask them
# unless bsd.regress.mk already handles it — confirm.
.PHONY: setup_certs
260
# test_flows: manual helper that runs TEST_FLOWS against the hosts as they
# are; flowtype, tmode etc. are read from the environment since nothing
# sets them here.
test_flows:
	${TEST_FLOWS}
263
# The two hosts' private keys; each is uploaded as private/local.key by
# setup_certs and signed by every CA below.
left.key right.key:
	openssl genrsa -out $@ 2048
266
# ca-both: the CA installed under /etc/iked/ca on both hosts, plus the leaf
# certificate it issues for each side.
ca-both.crt ca-both.key:
	caname=ca-both; ${SETUP_CA}

left-from-ca-both.crt: ca-both.crt ca-both.key left.key
	caname=ca-both; name=left; ${SETUP_CERT}

right-from-ca-both.crt: ca-both.crt ca-both.key right.key
	caname=ca-both; name=right; ${SETUP_CERT}
275
# ca-left: installed only on the left host; it issues the right side's cert
# for run-cert-multi-ca.
ca-left.crt ca-left.key:
	caname=ca-left; ${SETUP_CA}

# NOTE(review): right.key is named as a target here (and left.key in the
# ca-right, ca-none and intermediate rules below) although "left.key
# right.key:" above already has its own recipe; bmake keeps only one script
# per target and warns about the duplicate — confirm this is intended or
# drop the key from these rule headers.
right-from-ca-left.crt right.key: ca-left.crt ca-left.key
	caname=ca-left; name=right; ${SETUP_CERT}
281
# ca-right: installed only on the right host; it issues the left side's
# cert for run-cert-multi-ca.
ca-right.crt ca-right.key:
	caname=ca-right; ${SETUP_CA}

left-from-ca-right.crt left.key: ca-right.crt ca-right.key
	caname=ca-right; name=left; ${SETUP_CERT}
287
# ca-none: a CA whose certificate is installed on neither host. Its leaf
# certs are installed on both sides (run-cert-no-ca), and it also signs the
# intermediate below.
ca-none.crt ca-none.key:
	caname=ca-none; ${SETUP_CA}

left-from-ca-none.crt left.key: ca-none.crt ca-none.key
	caname=ca-none; name=left; ${SETUP_CERT}

right-from-ca-none.crt right.key: ca-none.crt ca-none.key
	caname=ca-none; name=right; ${SETUP_CERT}
296
# Intermediate CA signed by ca-none, installed under ca/ on both hosts, and
# the leaf certs it issues for run-intermediate / run-intermediate-fail.
# (The two assignments below are deliberately one shell command with no
# command word, which sets both variables in the current shell.)
intermediate-from-ca-none.crt intermediate-from-ca-none.key:
	caname=ca-none name=intermediate; ${SETUP_INTERMEDIATE}

left-from-intermediate-from-ca-none.crt left.key: \
     intermediate-from-ca-none.crt intermediate-from-ca-none.key
	caname=intermediate-from-ca-none; name=left; ${SETUP_CERT}

right-from-intermediate-from-ca-none.crt right.key: \
     intermediate-from-ca-none.crt intermediate-from-ca-none.key
	caname=intermediate-from-ca-none; name=right; ${SETUP_CERT}
307
# Sanity check: with iked stopped and the SAs flushed on both hosts, the
# ping must not show up as ESP traffic; otherwise TEST_PING would be
# matching stale state and every later "success" would be meaningless.
REGRESS_TARGETS = run-ping-fail
run-ping-fail:
	ssh ${LEFT_SSH} "ipsecctl -F; pkill iked || true"
	ssh ${RIGHT_SSH} "ipsecctl -F; pkill iked || true"
	${TEST_PING}; [[ $$_ret -eq 1 ]] || exit 1
314
# Both peers present certificates from the shared CA (ca-both); flows and
# ESP traffic are expected.
REGRESS_TARGETS += run-cert-single-ca
run-cert-single-ca:
	leftid=left-from-ca-both; rightid=right-from-ca-both; ${SETUP_CONFIGS}
	${SETUP_START}
	flowtype=esp; ${TEST_FLOWS}; [[ $$_ret -eq 0 ]] || exit 1
	${TEST_PING}; [[ $$_ret -eq 0 ]] || exit 1
323
# Same as run-cert-single-ca, but the identities are the certificates'
# subject DNs (SETUP_CONFIG quotes srcid, so the slashes survive).
REGRESS_TARGETS += run-cert-single-ca-asn1dn
run-cert-single-ca-asn1dn:
	leftid="/C=DE/ST=Bavaria/L=Munich/O=iked/CN=left-from-ca-both"; \
	    rightid="/C=DE/ST=Bavaria/L=Munich/O=iked/CN=right-from-ca-both"; \
	    ${SETUP_CONFIGS}
	${SETUP_START}
	flowtype=esp; ${TEST_FLOWS}; [[ $$_ret -eq 0 ]] || exit 1
	${TEST_PING}; [[ $$_ret -eq 0 ]] || exit 1
332
# Certificates from ca-none, whose CA cert is installed on neither host;
# setup_certs does install each peer's leaf cert under certs/ on the other
# side, which is presumably what lets this negotiation succeed.
REGRESS_TARGETS += run-cert-no-ca
run-cert-no-ca:
	leftid=left-from-ca-none; rightid=right-from-ca-none; ${SETUP_CONFIGS}
	${SETUP_START}
	flowtype=esp; ${TEST_FLOWS}; [[ $$_ret -eq 0 ]] || exit 1
	${TEST_PING}; [[ $$_ret -eq 0 ]] || exit 1
341
# Left hands out a single address (172.16.13.36) to right, which requests
# one. config_address must be set again for TEST_FLOWS because every recipe
# line runs in its own shell. No ping check: the assigned address, not
# ${RIGHT_ADDR}, is the flow endpoint.
REGRESS_TARGETS += run-config-address
run-config-address:
	flowtype=esp; config_address=172.16.13.36; \
	    leftid=left-from-ca-both; rightid=right-from-ca-both; ${SETUP_CONFIGS}
	${SETUP_START}
	config_address=172.16.13.36; flowtype=esp; ${TEST_FLOWS}; \
	    [[ $$_ret -eq 0 ]] || exit 1
352
# Like run-config-address, but left offers a pool (172.16.13.36/31), so
# SETUP_CONFIG writes "dynamic" as the endpoint and TEST_FLOWS matches any
# 172.16.13.x address.
REGRESS_TARGETS += run-config-address-pool
run-config-address-pool:
	flowtype=esp; config_address=172.16.13.36/31; \
	    leftid=left-from-ca-both; rightid=right-from-ca-both; ${SETUP_CONFIGS}
	${SETUP_START}
	config_address=172.16.13.36/31; flowtype=esp; ${TEST_FLOWS}; \
	    [[ $$_ret -eq 0 ]] || exit 1
363
# Negative test: the passive right side demands "dstid invalid", which
# matches no identity the left side presents, so neither flows nor ESP
# traffic may appear. The configs are built by hand here (not via
# SETUP_CONFIGS) so the sides can differ; the left side sets no dstid.
REGRESS_TARGETS += run-dstid-fail
run-dstid-fail:
	leftid=left-from-ca-both; rightid=right-from-ca-both; \
	    side=left; srcid=$$leftid; local=${LEFT_ADDR}; peer=${RIGHT_ADDR}; \
	    ${SETUP_CONFIG}; \
	    side=right; mode=passive; srcid=$$rightid; local=${RIGHT_ADDR}; \
	    peer=${LEFT_ADDR}; dstid="dstid invalid"; \
	    ${SETUP_CONFIG}; \
	    ${DEPLOY_CONFIGS}
	${SETUP_START}
	flowtype=esp; ${TEST_FLOWS}; [[ $$_ret -eq 1 ]] || exit 1
	${TEST_PING}; [[ $$_ret -eq 1 ]] || exit 1
384
# Each side pins the peer's identity with dstid; both stay in the default
# (active) mode. Expect flows and ESP traffic.
REGRESS_TARGETS += run-dstid
run-dstid:
	flowtype=esp; leftid=left-from-ca-both; rightid=right-from-ca-both; \
	    side=left; srcid=$$leftid; local=${LEFT_ADDR}; peer=${RIGHT_ADDR}; \
	    dstid="dstid $$rightid"; \
	    ${SETUP_CONFIG}; \
	    side=right; srcid=$$rightid; local=${RIGHT_ADDR}; peer=${LEFT_ADDR}; \
	    dstid="dstid $$leftid"; \
	    ${SETUP_CONFIG}; \
	    ${DEPLOY_CONFIGS}
	${SETUP_START}
	flowtype=esp; ${TEST_FLOWS}; [[ $$_ret -eq 0 ]] || exit 1
	${TEST_PING}; [[ $$_ret -eq 0 ]] || exit 1
406
# The passive right side gets two policies appended to the same config
# file: one pinning the real left identity and one pinning a bogus
# "roflol" dstid. The negotiation must still succeed via the matching one.
REGRESS_TARGETS += run-dstid-multi
run-dstid-multi:
	flowtype=esp; leftid=left-from-ca-both; rightid=right-from-ca-both; \
	    side=left; srcid=$$leftid; local=${LEFT_ADDR}; peer=${RIGHT_ADDR}; \
	    dstid="dstid $$rightid"; ${SETUP_CONFIG}; \
	    side=right; mode=passive; srcid=$$rightid; local=${RIGHT_ADDR}; \
	    peer=${LEFT_ADDR}; \
	    dstid="dstid $$leftid"; ${SETUP_CONFIG}; \
	    dstid="dstid roflol"; ${SETUP_CONFIG}; \
	    ${DEPLOY_CONFIGS}
	${SETUP_START}
	flowtype=esp; ${TEST_FLOWS}; [[ $$_ret -eq 0 ]] || exit 1
	${TEST_PING}; [[ $$_ret -eq 0 ]] || exit 1
424
# The passive right side gets three policies with different srcids
# ("borked", the real one, "roflol") and no dstid; the left side pins the
# real right identity. The policy with the real srcid must be the one used.
REGRESS_TARGETS += run-srcid-multi
run-srcid-multi:
	flowtype=esp; leftid=left-from-ca-both; rightid=right-from-ca-both; \
	    side=left; srcid=$$leftid; local=${LEFT_ADDR}; peer=${RIGHT_ADDR}; \
	    dstid="dstid $$rightid"; ${SETUP_CONFIG}; \
	    side=right; mode=passive; local=${RIGHT_ADDR}; peer=${LEFT_ADDR}; \
	    dstid=""; \
	    srcid="borked"; ${SETUP_CONFIG}; \
	    srcid=$$rightid; ${SETUP_CONFIG}; \
	    srcid="roflol"; ${SETUP_CONFIG}; \
	    ${DEPLOY_CONFIGS}
	${SETUP_START}
	flowtype=esp; ${TEST_FLOWS}; [[ $$_ret -eq 0 ]] || exit 1
	${TEST_PING}; [[ $$_ret -eq 0 ]] || exit 1
444
# Cross-signed setup: left presents a cert from ca-right (which only the
# right host has under ca/) and right one from ca-left (installed only on
# the left host). Expect success.
REGRESS_TARGETS += run-cert-multi-ca
run-cert-multi-ca:
	flowtype=esp; leftid=left-from-ca-right; rightid=right-from-ca-left; \
	    ${SETUP_CONFIGS}
	${SETUP_START}
	flowtype=esp; ${TEST_FLOWS}; [[ $$_ret -eq 0 ]] || exit 1
	${TEST_PING}; [[ $$_ret -eq 0 ]] || exit 1
454
# The identities are not the certificates' primary ALTNAME but a
# "-alternative" FQDN and an e-mail style id, presumably additional
# subjectAltName entries defined in crt.in. Expect success.
REGRESS_TARGETS += run-cert-second-altname
run-cert-second-altname:
	flowtype=esp; leftid=left-from-ca-both-alternative; \
	    rightid=right-from-ca-both@openbsd.org; ${SETUP_CONFIGS}
	${SETUP_START}
	flowtype=esp; ${TEST_FLOWS}; [[ $$_ret -eq 0 ]] || exit 1
	${TEST_PING}; [[ $$_ret -eq 0 ]] || exit 1
464
# Left proposes ecp256 before curve25519; the passive right side accepts
# only curve25519, so the first key exchange is presumably rejected and
# retried with the other group. maxwait=6 gives TEST_FLOWS twice the usual
# number of polls for that. Expect success.
REGRESS_TARGETS += run-invalid-ke
run-invalid-ke:
	flowtype=esp; leftid=left-from-ca-both; rightid=right-from-ca-both; \
	    side=left; srcid=$$leftid; local=${LEFT_ADDR}; peer=${RIGHT_ADDR}; \
	    dstid="dstid $$rightid"; \
	    ikesa="ikesa group ecp256 group curve25519"; ${SETUP_CONFIG}; \
	    side=right; mode=passive; srcid=$$rightid; local=${RIGHT_ADDR}; \
	    peer=${LEFT_ADDR}; dstid="dstid $$leftid"; \
	    ikesa="ikesa group curve25519"; ${SETUP_CONFIG}; \
	    ${DEPLOY_CONFIGS}
	${SETUP_START}
	flowtype=esp; maxwait=6; ${TEST_FLOWS}; [[ $$_ret -eq 0 ]] || exit 1
	${TEST_PING}; [[ $$_ret -eq 0 ]] || exit 1
482
# Negative PSK test: each side gets its own independently generated
# 160-bit secret, so authentication must fail and neither flows nor ESP
# traffic may appear.
REGRESS_TARGETS += run-psk-fail
run-psk-fail:
	auth=psk; flowtype=esp; \
	    leftid=left-from-ca-both; rightid=right-from-ca-both; \
	    side=left; srcid=$$leftid; local=${LEFT_ADDR}; peer=${RIGHT_ADDR}; \
	    dstid="dstid $$rightid"; psk=`openssl rand -hex 20`; \
	    ${SETUP_CONFIG}; \
	    side=right; srcid=$$rightid; local=${RIGHT_ADDR}; peer=${LEFT_ADDR}; \
	    dstid="dstid $$leftid"; psk=`openssl rand -hex 20`; \
	    ${SETUP_CONFIG}; \
	    ${DEPLOY_CONFIGS}
	${SETUP_START}
	flowtype=esp; ${TEST_FLOWS}; [[ $$_ret -eq 1 ]] || exit 1
	${TEST_PING}; [[ $$_ret -eq 1 ]] || exit 1
507
# PSK authentication with plain "left"/"right" identities; SETUP_CONFIGS
# draws one random secret and writes it into both configs. Expect success.
REGRESS_TARGETS += run-psk
run-psk:
	auth=psk; flowtype=esp; leftid=left; rightid=right; ${SETUP_CONFIGS}
	${SETUP_START}
	flowtype=esp; ${TEST_FLOWS}; [[ $$_ret -eq 0 ]] || exit 1
	${TEST_PING}; [[ $$_ret -eq 0 ]] || exit 1
520
# Negative test: certificates issued by the intermediate CA, without
# "set cert_partial_chain" on either side (intermediate is unset), so the
# chain must be rejected and neither flows nor ESP traffic may appear.
REGRESS_TARGETS += run-intermediate-fail
run-intermediate-fail:
	leftid=left-from-intermediate-from-ca-none; \
	    rightid=right-from-intermediate-from-ca-none; ${SETUP_CONFIGS}
	${SETUP_START}
	flowtype=esp; ${TEST_FLOWS}; [[ $$_ret -eq 1 ]] || exit 1
	${TEST_PING}; [[ $$_ret -eq 1 ]] || exit 1
529
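# Certificates issued by the intermediate CA are accepted once both sides
# have "set cert_partial_chain" (intermediate=true, see SETUP_CONFIG).
# Counterpart of run-intermediate-fail, which uses the same identities
# without the option. Expect flows and ESP traffic.
# The flow check was missing here: the "_ret" test ran in a fresh shell in
# which nothing had set _ret, so it never failed; TEST_FLOWS is now run
# first, as in every other positive test.
REGRESS_TARGETS += run-intermediate
run-intermediate:
	intermediate=true; \
	leftid=left-from-intermediate-from-ca-none; \
	rightid=right-from-intermediate-from-ca-none; \
	    ${SETUP_CONFIGS}
	${SETUP_START}
	flowtype=esp; ${TEST_FLOWS}; if [[ $$_ret -ne 0 ]]; then exit 1; fi
	${TEST_PING}; if [[ $$_ret -ne 0 ]]; then exit 1; fi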
539
# IKEv2 fragmentation enabled on both sides ("set fragmentation" via
# fragmentation=true). Expect flows and ESP traffic.
REGRESS_TARGETS += run-fragmentation
run-fragmentation:
	flowtype=esp; fragmentation=true; \
	    leftid=left-from-ca-both; rightid=right-from-ca-both; ${SETUP_CONFIGS}
	${SETUP_START}
	flowtype=esp; ${TEST_FLOWS}; [[ $$_ret -eq 0 ]] || exit 1
	${TEST_PING}; [[ $$_ret -eq 0 ]] || exit 1
552
# Transport mode instead of the default tunnel mode. tmode has to be set
# both for SETUP_CONFIGS (it lands in the config as TMODE) and again for
# TEST_FLOWS, which runs in a separate shell and matches "esp transport".
REGRESS_TARGETS += run-transport
run-transport:
	flowtype=esp; tmode=transport; \
	    leftid=left-from-ca-both; rightid=right-from-ca-both; ${SETUP_CONFIGS}
	${SETUP_START}
	tmode=transport; flowtype=esp; ${TEST_FLOWS}; [[ $$_ret -eq 0 ]] || exit 1
	${TEST_PING}; [[ $$_ret -eq 0 ]] || exit 1
564
# "set enforcesingleikesa" on both sides: after the right side reloads and
# renegotiates, the left host must still report exactly one IKE SA. The
# sleeps give the initial negotiation and the reload time to complete;
# there is no flow or ping check in this test.
REGRESS_TARGETS += run-singleikesa
run-singleikesa:
	flowtype=esp; singleikesa=true; \
	    leftid=left-from-ca-both; rightid=right-from-ca-both; ${SETUP_CONFIGS}
	${SETUP_START}
	sleep 1; ${SETUP_RELOAD_RIGHT}; sleep 3; ${TEST_SINGLEIKESA}
575
# IPcomp on top of ESP: the config gets "ipcomp" (flowtype=ipcomp) and
# net.inet.ipcomp.enable=1 is set on both hosts first. TEST_FLOWS then
# looks for "ipcomp" flows and SAs. Note that cleanup does not reset the
# ipcomp sysctl, unlike the udpencap port.
REGRESS_TARGETS += run-ipcomp
run-ipcomp:
	flowtype=ipcomp; leftid=left-from-ca-both; rightid=right-from-ca-both; \
	    ${SETUP_CONFIGS}
	sysctl="net.inet.ipcomp.enable=1"; ${SETUP_SYSCTL}
	${SETUP_START}
	flowtype=ipcomp; ${TEST_FLOWS}; [[ $$_ret -eq 0 ]] || exit 1
	${TEST_PING}; [[ $$_ret -eq 0 ]] || exit 1
587
# NAT-T on a non-default port: both kernels are switched to UDP encap port
# 9999 and iked is started with -p9999. The port is set back to 4500 at
# the end, but only when the checks pass; cleanup resets it as well, which
# covers the failure path.
REGRESS_TARGETS += run-udpencap-port
run-udpencap-port:
	flowtype=esp; leftid=left-from-ca-both; rightid=right-from-ca-both; \
	    ${SETUP_CONFIGS}; \
	    sysctl="net.inet.esp.udpencap_port=9999"; ${SETUP_SYSCTL}
	iked_flags=-p9999; ${SETUP_START}
	flowtype=esp; ${TEST_FLOWS}; [[ $$_ret -eq 0 ]] || exit 1
	${TEST_PING}; [[ $$_ret -eq 0 ]] || exit 1
	sysctl="net.inet.esp.udpencap_port=4500"; ${SETUP_SYSCTL}
602
603.include <bsd.regress.mk>
604