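# $OpenBSD: Makefile,v 1.11 2020/04/09 19:59:38 tobhe Exp $

# Copyright (c) 2020 Tobias Heider <tobhe@openbsd.org>
#
# Permission to use, copy, modify, and distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
# copyright notice and this permission notice appear in all copies.
#
# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

# iked(8) regression test driving two remote OpenBSD hosts ("left" and
# "right") over ssh/sftp.  A small PKI is generated locally, keys and
# certificates are uploaded to /etc/iked on both hosts, iked is restarted
# with a generated config, and ipsecctl(8)/tcpdump(8) output is checked for
# flows, SAs and ESP traffic in both directions.
#
# The cleanup target removes everything below /etc/iked/{ca,certs,private}
# on both hosts, so LEFT_SSH/RIGHT_SSH must point at dedicated test machines.

REGRESS_SETUP_ONCE = setup_certs
REGRESS_CLEANUP = cleanup
CLEANFILES = *.conf *.cnf *.csr *.key *.crt *.srl

# ssh destinations and IP addresses of the two test hosts.  All four must be
# supplied (e.g. on the make command line); otherwise the test is skipped.
LEFT_SSH ?=
RIGHT_SSH ?=
LEFT_ADDR ?=
RIGHT_ADDR ?=

.if empty(LEFT_SSH) || empty(RIGHT_SSH) || empty(LEFT_ADDR) || empty(RIGHT_ADDR)
regress:
	@echo this test needs two remote machines to operate
	@echo LEFT_SSH RIGHT_SSH RIGHT_ADDR LEFT_ADDR are not defined
	@echo SKIPPED
.endif

# Shell fragment: poll "ipsecctl -sa" on both hosts (up to four attempts)
# until a flow and an SA in each direction are present, else exit 1.
# Expects shell variables: flowtype (esp or ipcomp); tmode is optional and
# defaults to tunnel.
TEST_FLOWS = \
	[ -z "$$tmode" ] && tmode=tunnel; \
	success=false; \
	count=0; \
	while [[ $$count -le 3 ]]; do \
		ipsecctlleft=`ssh ${LEFT_SSH} ipsecctl -sa`; \
		ipsecctlright=`ssh ${RIGHT_SSH} ipsecctl -sa`; \
		flowleft=`echo "$$ipsecctlleft" \
		    | sed -n "/^flow $$flowtype in from ${RIGHT_ADDR} to ${LEFT_ADDR}/p"`; \
		flowright=`echo "$$ipsecctlright" \
		    | sed -n "/^flow $$flowtype in from ${LEFT_ADDR} to ${RIGHT_ADDR}/p"`; \
		saleft_rtol=`echo "$$ipsecctlleft" \
		    | sed -n "/^$$flowtype $$tmode from ${RIGHT_ADDR} to ${LEFT_ADDR}/p"`; \
		saleft_ltor=`echo "$$ipsecctlleft" \
		    | sed -n "/^$$flowtype $$tmode from ${LEFT_ADDR} to ${RIGHT_ADDR}/p"`; \
		saright_rtol=`echo "$$ipsecctlright" \
		    | sed -n "/^$$flowtype $$tmode from ${RIGHT_ADDR} to ${LEFT_ADDR}/p"`; \
		saright_ltor=`echo "$$ipsecctlright" \
		    | sed -n "/^$$flowtype $$tmode from ${LEFT_ADDR} to ${RIGHT_ADDR}/p"`; \
		if [[ -n "$$saleft_ltor" && -n "$$saleft_rtol" && \
		    -n "$$saright_ltor" && -n "$$saright_rtol" && \
		    -n "$$flowleft" && -n "$$flowright" ]]; then \
			success=true; \
			break; \
		fi; \
		let count=$$count+1; \
	done; \
	if [[ "$$success" = false ]]; then \
		echo "error: SAs not found:\n$$ipsecctlleft\n$$ipsecctlright"; \
		exit 1; \
	fi

# Shell fragment: on the left host capture two packets on enc0 while pinging
# the right host, then require decrypted ESP in both directions in the dump.
# Prints the dump on success, exits 1 otherwise.  The capture file lives on
# the remote host, so it is removed there as part of the ssh command.
TEST_PING = \
	dump=`ssh ${LEFT_SSH} "tcpdump -n -c2 -i enc0 -w '/tmp/test.pcap' > /dev/null & \
	    ping -c 5 ${RIGHT_ADDR} > /dev/null && tcpdump -n -r /tmp/test.pcap; \
	    rm -f /tmp/test.pcap"`; \
	ltor=`echo "$$dump" \
	    | sed -n "/(authentic,confidential): SPI 0x[0-9a-f]\{8\}: ${LEFT_ADDR} > ${RIGHT_ADDR}/p"`; \
	rtol=`echo "$$dump" \
	    | sed -n "/(authentic,confidential): SPI 0x[0-9a-f]\{8\}: ${RIGHT_ADDR} > ${LEFT_ADDR}/p"`; \
	if [[ -z "$$ltor" || -z "$$rtol" ]]; then \
		echo "error: no esp traffic."; \
		exit 1; \
	fi; \
	echo "$$dump"

# Shell fragment: write $@_left.conf / $@_right.conf (a variable prologue
# followed by iked.in) and upload each as /tmp/test.conf on its host.
# Expects shell variables: leftid, rightid; optional: auth=psk (a random
# 20-byte PSK is generated), flowtype=ipcomp, fragmentation=true, tmode.
# umask 077 keeps the config files (which may carry the PSK) private from
# the moment they are created; the chmod below is kept for the sftp upload.
SETUP_CONFIGS = \
	umask 077; \
	authstr=""; \
	if [[ "$$auth" = "psk" ]]; then \
		psk=`openssl rand -hex 20`; \
		authstr="psk $$psk"; \
	fi; \
	ipcomp=""; \
	if [[ "$$flowtype" = "ipcomp" ]]; then \
		ipcomp="ipcomp"; \
	fi; \
	fragstr=""; \
	if [ "$$fragmentation" = true ]; then \
		fragstr="set fragmentation"; \
	fi; \
	echo "FRAGMENTATION=\"$$fragstr\"" > $@_left.conf; \
	echo "TMODE=\"$$tmode\"" >> $@_left.conf; \
	echo "LOCAL_ADDR=\"${LEFT_ADDR}\"" >> $@_left.conf; \
	echo "PEER_ADDR=\"${RIGHT_ADDR}\"" >> $@_left.conf; \
	echo "IPCOMP=\"$$ipcomp\"" >> $@_left.conf; \
	echo "SRCID=\"$$leftid\"" >> $@_left.conf; \
	echo "AUTH=\"$$authstr\"" >> $@_left.conf; \
	cat ${.CURDIR}/iked.in >> $@_left.conf; \
	chmod 0600 $@_left.conf; \
	echo "cd /tmp\nput $@_left.conf test.conf" | sftp -q ${LEFT_SSH}; \
	echo "FRAGMENTATION=\"$$fragstr\"" > $@_right.conf; \
	echo "TMODE=\"$$tmode\"" >> $@_right.conf; \
	echo "LOCAL_ADDR=\"${RIGHT_ADDR}\"" >> $@_right.conf; \
	echo "PEER_ADDR=\"${LEFT_ADDR}\"" >> $@_right.conf; \
	echo "IPCOMP=\"$$ipcomp\"" >> $@_right.conf; \
	echo "SRCID=\"$$rightid\"" >> $@_right.conf; \
	echo "AUTH=\"$$authstr\"" >> $@_right.conf; \
	cat ${.CURDIR}/iked.in >> $@_right.conf; \
	chmod 0600 $@_right.conf; \
	echo "cd /tmp\nput $@_right.conf test.conf" | sftp -q ${RIGHT_SSH}

# Shell fragment: apply the sysctl in shell variable $sysctl on both hosts.
SETUP_SYSCTL = \
	ssh ${LEFT_SSH} "sysctl $$sysctl"; \
	ssh ${RIGHT_SSH} "sysctl $$sysctl"

# Shell fragment: flush SAs and (re)start iked on both hosts with the
# uploaded /tmp/test.conf.  Optional shell variable: iked_flags.
SETUP_START = \
	ssh ${LEFT_SSH} "ipsecctl -F; pkill iked; iked $$iked_flags -f /tmp/test.conf"; \
	ssh ${RIGHT_SSH} "ipsecctl -F; pkill iked; iked $$iked_flags -f /tmp/test.conf"

# Shell fragment: issue $name-from-$caname.crt for the existing $name.key,
# signed by $caname.crt/$caname.key.  The request config sets ALTNAME and
# then includes crt.in.  Expects shell variables: name, caname.
SETUP_CERT = \
	echo "ALTNAME = $$name-from-$$caname" > $$name-from-$$caname.cnf; \
	cat ${.CURDIR}/crt.in >> $$name-from-$$caname.cnf; \
	openssl req -config $$name-from-$$caname.cnf -new -key $$name.key -nodes \
	    -out $$name-from-$$caname.csr; \
	openssl x509 -extfile $$name-from-$$caname.cnf -extensions req_cert_extensions \
	    -req -in $$name-from-$$caname.csr -CA $$caname.crt -CAkey $$caname.key \
	    -CAcreateserial -out $$name-from-$$caname.crt

# Shell fragment: create a self-signed CA $caname.key / $caname.crt.
# Expects shell variable: caname.
SETUP_CA = \
	openssl genrsa -out $$caname.key 2048; \
	openssl req -subj "/C=DE/ST=Bavaria/L=Munich/O=iked/CN=$$caname" \
	    -new -x509 -key $$caname.key -out $$caname.crt

# Undo everything the tests did on the remote hosts: config, SAs, iked,
# all uploaded PKI material, and the sysctls changed by run-udpencap-port
# and run-ipcomp.  Errors are ignored ("-") so both hosts get cleaned.
cleanup:
	-ssh ${LEFT_SSH} 'rm -f /tmp/test.conf; ipsecctl -F; pkill iked; \
	    rm -f /etc/iked/ca/*; rm -f /etc/iked/certs/*; rm -f /etc/iked/private/*; \
	    sysctl "net.inet.esp.udpencap_port=4500" "net.inet.ipcomp.enable=0"'
	-ssh ${RIGHT_SSH} 'rm -f /tmp/test.conf; ipsecctl -F; pkill iked; \
	    rm -f /etc/iked/ca/*; rm -f /etc/iked/certs/*; rm -f /etc/iked/private/*; \
	    sysctl "net.inet.esp.udpencap_port=4500" "net.inet.ipcomp.enable=0"'

# Build the local PKI and install it on both hosts: each host gets its own
# private key, the certificates issued for it, and the CA certificates it
# must trust.  Options to sftp go before the destination.
setup_certs: ca-both.crt left-from-ca-both.crt left.key right-from-ca-both.crt \
    right.key ca-left.crt right-from-ca-left.crt ca-right.crt left-from-ca-right.crt
	echo "cd /etc/iked\n \
	    put left-from-ca-both.crt certs\n \
	    put left-from-ca-right.crt certs\n \
	    put left.key private/local.key\n \
	    put ca-left.crt ca\n \
	    put ca-both.crt ca\n" | sftp -q ${LEFT_SSH}; \
	echo "cd /etc/iked\n \
	    put right-from-ca-both.crt certs\n \
	    put right-from-ca-left.crt certs\n \
	    put right.key private/local.key\n \
	    put ca-right.crt ca\n \
	    put ca-both.crt ca\n" | sftp -q ${RIGHT_SSH}; \
	ssh ${LEFT_SSH} "openssl rsa -in /etc/iked/private/local.key -pubout > /etc/iked/local.pub"; \
	ssh ${RIGHT_SSH} "openssl rsa -in /etc/iked/private/local.key -pubout > /etc/iked/local.pub"

.PHONY: setup_certs cleanup test_flows

# Debugging helper: run only the flow/SA check.  flowtype (and optionally
# tmode) must come from the environment, e.g. "env flowtype=esp make test_flows".
test_flows:
	${TEST_FLOWS}

# Host private keys, one per target.
left.key right.key:
	openssl genrsa -out $@ 2048

# CA key pairs.  Each SETUP_CA run writes both the .crt and the .key, but
# make sees two independent targets, so these rules are not -j safe.
ca-both.crt ca-both.key:
	caname=ca-both; ${SETUP_CA}

# End-entity certificates.  Each depends on the signing CA and on the key
# it certifies, so the key is always generated before the request.
left-from-ca-both.crt: ca-both.crt ca-both.key left.key
	caname=ca-both; name=left; ${SETUP_CERT}

right-from-ca-both.crt: ca-both.crt ca-both.key right.key
	caname=ca-both; name=right; ${SETUP_CERT}

ca-left.crt ca-left.key:
	caname=ca-left; ${SETUP_CA}

right-from-ca-left.crt: ca-left.crt ca-left.key right.key
	caname=ca-left; name=right; ${SETUP_CERT}

ca-right.crt ca-right.key:
	caname=ca-right; ${SETUP_CA}

left-from-ca-right.crt: ca-right.crt ca-right.key left.key
	caname=ca-right; name=left; ${SETUP_CERT}

# Certificate authentication, both hosts signed by the same CA.
REGRESS_TARGETS = run-cert-single-ca
run-cert-single-ca:
	@echo '======= $@ ========'
	flowtype=esp; \
	leftid=left-from-ca-both; \
	rightid=right-from-ca-both; \
	${SETUP_CONFIGS}
	${SETUP_START}
	flowtype=esp; ${TEST_FLOWS}
	${TEST_PING}

# Certificate authentication, each host signed by the other side's CA.
REGRESS_TARGETS += run-cert-multi-ca
run-cert-multi-ca:
	@echo '======= $@ ========'
	flowtype=esp; \
	leftid=left-from-ca-right; \
	rightid=right-from-ca-left; \
	${SETUP_CONFIGS}
	${SETUP_START}
	flowtype=esp; ${TEST_FLOWS}
	${TEST_PING}

# Certificate authentication with SRCIDs that presumably match additional
# subject alternative names from crt.in rather than the primary ALTNAME.
REGRESS_TARGETS += run-cert-second-altname
run-cert-second-altname:
	@echo '======= $@ ========'
	flowtype=esp; \
	leftid=left-from-ca-both-alternative; \
	rightid=right-from-ca-both@openbsd.org; \
	${SETUP_CONFIGS}
	${SETUP_START}
	flowtype=esp; ${TEST_FLOWS}
	${TEST_PING}

# Pre-shared key authentication with a freshly generated random PSK.
REGRESS_TARGETS += run-psk
run-psk:
	@echo '======= $@ ========'
	auth=psk; \
	leftid=left; \
	rightid=right; \
	flowtype=esp; \
	${SETUP_CONFIGS}
	${SETUP_START}
	flowtype=esp; ${TEST_FLOWS}
	${TEST_PING}

# IKEv2 fragmentation enabled on both sides.
REGRESS_TARGETS += run-fragmentation
run-fragmentation:
	@echo '======= $@ ========'
	flowtype=esp; \
	fragmentation=true; \
	leftid=left-from-ca-both; \
	rightid=right-from-ca-both; \
	${SETUP_CONFIGS}
	${SETUP_START}
	flowtype=esp; ${TEST_FLOWS}
	${TEST_PING}

# Transport mode instead of the default tunnel mode.
REGRESS_TARGETS += run-transport
run-transport:
	@echo '======= $@ ========'
	flowtype=esp; \
	tmode=transport; \
	leftid=left-from-ca-both; \
	rightid=right-from-ca-both; \
	${SETUP_CONFIGS}
	${SETUP_START}
	tmode=transport; flowtype=esp; \
	${TEST_FLOWS}
	${TEST_PING}

# IPComp on top of ESP; requires net.inet.ipcomp.enable on both hosts,
# which is switched back off at the end (and by cleanup).
REGRESS_TARGETS += run-ipcomp
run-ipcomp:
	@echo '======= $@ ========'
	flowtype=ipcomp; \
	leftid=left-from-ca-both; \
	rightid=right-from-ca-both; \
	${SETUP_CONFIGS}
	sysctl="net.inet.ipcomp.enable=1"; \
	${SETUP_SYSCTL}
	${SETUP_START}
	flowtype=ipcomp; ${TEST_FLOWS}
	${TEST_PING}
	sysctl="net.inet.ipcomp.enable=0"; \
	${SETUP_SYSCTL}

# Non-default UDP encapsulation port, passed to iked with -p and set in the
# kernel on both hosts.  Restored to 4500 at the end; if a check fails
# before that, cleanup restores it.
REGRESS_TARGETS += run-udpencap-port
run-udpencap-port:
	@echo '======= $@ ========'
	flowtype=esp; \
	leftid=left-from-ca-both; \
	rightid=right-from-ca-both; \
	${SETUP_CONFIGS}; \
	sysctl="net.inet.esp.udpencap_port=9999"; \
	${SETUP_SYSCTL};
	iked_flags=-p9999; \
	${SETUP_START};
	flowtype=esp; ${TEST_FLOWS}; \
	${TEST_PING}
	sysctl="net.inet.esp.udpencap_port=4500"; \
	${SETUP_SYSCTL};

.include <bsd.regress.mk>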