[PATCH v2 14/15] testsuite/ipsec01: Add.
Christian Mauderer
christian.mauderer at embedded-brains.de
Thu Aug 2 08:55:46 UTC 2018
---
libbsd.py | 1 +
.../include/rtems/bsd/test/network-config.h.in | 2 +
testsuite/ipsec01/README | 5 +
.../setup_FreeBSD_as_communication_partner.sh | 82 +++++++
testsuite/ipsec01/test_main.c | 258 +++++++++++++++++++++
5 files changed, 348 insertions(+)
create mode 100644 testsuite/ipsec01/README
create mode 100644 testsuite/ipsec01/setup_FreeBSD_as_communication_partner.sh
create mode 100644 testsuite/ipsec01/test_main.c
diff --git a/libbsd.py b/libbsd.py
index d12987ce..08c8918f 100644
--- a/libbsd.py
+++ b/libbsd.py
@@ -4926,6 +4926,7 @@ class tests(builder.Module):
['test_main'], runTest = False, netTest = True,
extraLibs = ['debugger']))
self.addTest(mm.generator['test']('crypto01', ['test_main']))
+ self.addTest(mm.generator['test']('ipsec01', ['test_main']))
def load(mm):
diff --git a/testsuite/include/rtems/bsd/test/network-config.h.in b/testsuite/include/rtems/bsd/test/network-config.h.in
index 2cef97db..0b1e0aa3 100755
--- a/testsuite/include/rtems/bsd/test/network-config.h.in
+++ b/testsuite/include/rtems/bsd/test/network-config.h.in
@@ -50,6 +50,8 @@
#else
#define NET_CFG_INTERFACE_0 "tsec0"
#endif
+#elif defined(LIBBSP_ARM_ATSAM_BSP_H)
+ #define NET_CFG_INTERFACE_0 "if_atsam0"
#else
#define NET_CFG_INTERFACE_0 "lo0"
#endif
diff --git a/testsuite/ipsec01/README b/testsuite/ipsec01/README
new file mode 100644
index 00000000..1ba35412
--- /dev/null
+++ b/testsuite/ipsec01/README
@@ -0,0 +1,5 @@
+Note that this tests needs some communication partner. You can use the
+`setup_FreeBSD_as_communication_partner.sh` script to set up a FreeBSD as this
+partner. The interface that is connected to the RTEMS system should have an IP
+set up to the IPSEC_LOC_EXT of the script. Note that the script is quite
+reckless in creating config files. Don't use it on some production system.
diff --git a/testsuite/ipsec01/setup_FreeBSD_as_communication_partner.sh b/testsuite/ipsec01/setup_FreeBSD_as_communication_partner.sh
new file mode 100644
index 00000000..744c80fa
--- /dev/null
+++ b/testsuite/ipsec01/setup_FreeBSD_as_communication_partner.sh
@@ -0,0 +1,82 @@
+#!/bin/sh -x
+
+if ! which racoon >/dev/null 2>&1
+then
+ echo "You have to install security/ipsec-tools from ports collection!"
+ exit 1
+fi
+
+IPSEC_REM_INT="10.10.1.1"
+IPSEC_REM_NET="10.10.1.0/24"
+IPSEC_REM_EXT="192.168.10.1"
+IPSEC_LOC_INT="172.24.0.1"
+IPSEC_LOC_NET="172.24.0.0/24"
+IPSEC_LOC_EXT="192.168.10.10"
+RACOON_PSK_FILE="/etc/racoon_psk.txt"
+RACOON_CONFIG_FILE="/etc/racoon.conf"
+SETKEY_CONF="/etc/setkey.conf"
+GIF="gif0"
+
+ifconfig $GIF create
+ifconfig $GIF $IPSEC_LOC_INT $IPSEC_REM_INT
+ifconfig $GIF tunnel $IPSEC_LOC_EXT $IPSEC_REM_EXT
+route add $IPSEC_REM_NET $IPSEC_REM_INT
+
+cat <<EOF > $RACOON_CONFIG_FILE
+path pre_shared_key "$RACOON_PSK_FILE";
+log debug;
+
+padding # options are not to be changed
+{
+ maximum_length 20;
+ randomize off;
+ strict_check off;
+ exclusive_tail off;
+}
+
+listen # address [port] that racoon will listen on
+{
+ isakmp $IPSEC_LOC_EXT [500];
+}
+
+remote $IPSEC_REM_EXT [500]
+{
+ exchange_mode main;
+ my_identifier address $IPSEC_LOC_EXT;
+ peers_identifier address $IPSEC_REM_EXT;
+ proposal_check obey;
+
+ proposal {
+ encryption_algorithm 3des;
+ hash_algorithm md5;
+ authentication_method pre_shared_key;
+ lifetime time 3600 sec;
+ dh_group 2;
+ }
+}
+
+sainfo (address $IPSEC_LOC_NET any address $IPSEC_REM_NET any)
+{
+ pfs_group 2;
+ lifetime time 28800 sec;
+ encryption_algorithm 3des;
+ authentication_algorithm hmac_md5;
+ compression_algorithm deflate;
+}
+EOF
+
+cat <<EOF > $RACOON_PSK_FILE
+$IPSEC_REM_EXT mysecretkey
+EOF
+
+chmod 600 $RACOON_PSK_FILE
+
+cat <<EOF > $SETKEY_CONF
+flush;
+spdflush;
+spdadd $IPSEC_LOC_NET $IPSEC_REM_NET any -P out ipsec esp/tunnel/$IPSEC_LOC_EXT-$IPSEC_REM_EXT/use;
+spdadd $IPSEC_REM_NET $IPSEC_LOC_NET any -P in ipsec esp/tunnel/$IPSEC_REM_EXT-$IPSEC_LOC_EXT/use;
+EOF
+
+setkey -f /etc/setkey.conf
+racoon -F -f /etc/racoon.conf
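Review bot: The pre-shared key file is created by the `cat <<EOF > $RACOON_PSK_FILE` redirect and only restricted afterwards by `chmod 600`, so it briefly exists with whatever mode the current umask allows; a `umask 077` before the redirect closes that window. The last two commands hard-code `/etc/setkey.conf` and `/etc/racoon.conf` instead of using `$SETKEY_CONF` and `$RACOON_CONFIG_FILE`, so editing the variables at the top leaves the script pointing at the wrong files. Both `spdadd` policies use level `use`, which lets traffic pass unprotected when no SA exists; if the test is meant to show that the tunnel really carries the traffic, `require` would make a failed negotiation visible. A comment above the `proposal` block, such as `# test-only parameters: 3des/md5/dh_group 2 and the fixed key are not for real deployments`, would keep these values from being copied into other setups.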
diff --git a/testsuite/ipsec01/test_main.c b/testsuite/ipsec01/test_main.c
new file mode 100644
index 00000000..4bce3be7
--- /dev/null
+++ b/testsuite/ipsec01/test_main.c
@@ -0,0 +1,258 @@
+/*
+ * Copyright (c) 2018 embedded brains GmbH. All rights reserved.
+ *
+ * embedded brains GmbH
+ * Dornierstr. 4
+ * 82178 Puchheim
+ * Germany
+ * <rtems at embedded-brains.de>
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#define TEST_NAME "LIBBSD IPSEC 1"
+
+#include <stdio.h>
+#include <stdlib.h>
+
+#include <rtems/bsd/modules.h>
+#ifdef RTEMS_BSD_MODULE_NETIPSEC
+
+#include <assert.h>
+#include <fcntl.h>
+#include <string.h>
+#include <unistd.h>
+
+#include <machine/rtems-bsd-commands.h>
+#include <machine/rtems-bsd-rc-conf.h>
+
+#include <rtems/bsd/bsd.h>
+#include <rtems/bsd/test/network-config.h>
+#include <rtems/console.h>
+#include <rtems/shell.h>
+
+
+#define IPSEC_LOC_INT "10.10.1.1"
+#define IPSEC_LOC_NET "10.10.1.0/24"
+#define IPSEC_LOC_EXT "192.168.10.1"
+#define IPSEC_REM_INT "172.24.0.1"
+#define IPSEC_REM_NET "172.24.0.0/24"
+#define IPSEC_REM_EXT "192.168.10.10"
+#define RACOON_PSK_FILE "/etc/racoon_psk.txt"
+#define RACOON_CONFIG_FILE "/etc/racoon.conf"
+#define SETKEY_CONFIG_FILE "/etc/setkey.conf"
+#define RC_CONF "/etc/rc.conf"
+
+static const char racoon_psk[] =
+ IPSEC_REM_EXT " mysecretkey\n";
+static const char racoon_config[] =
+ "path pre_shared_key \"" RACOON_PSK_FILE "\";\n"
+ "log debug;\n"
+ "\n"
+ "padding # options are not to be changed\n"
+ "{\n"
+ " maximum_length 20;\n"
+ " randomize off;\n"
+ " strict_check off;\n"
+ " exclusive_tail off;\n"
+ "}\n"
+ "\n"
+ "listen # address [port] that racoon will listen on\n"
+ "{\n"
+ " isakmp " IPSEC_LOC_EXT "[500];\n"
+ "}\n"
+ "\n"
+ "remote " IPSEC_REM_EXT " [500]\n"
+ "{\n"
+ " exchange_mode main;\n"
+ " my_identifier address " IPSEC_LOC_EXT ";\n"
+ " peers_identifier address " IPSEC_REM_EXT ";\n"
+ " proposal_check obey;\n"
+ "\n"
+ " proposal {\n"
+ " encryption_algorithm 3des;\n"
+ " hash_algorithm md5;\n"
+ " authentication_method pre_shared_key;\n"
+ " lifetime time 3600 sec;\n"
+ " dh_group 2;\n"
+ " }\n"
+ "}\n"
+ "\n"
+ "sainfo (address " IPSEC_LOC_NET " any address " IPSEC_REM_NET " any)\n"
+ "{\n"
+ " pfs_group 2;\n"
+ " lifetime time 28800 sec;\n"
+ " encryption_algorithm 3des;\n"
+ " authentication_algorithm hmac_md5;\n"
+ " compression_algorithm deflate;\n"
+ "}\n";
+static const char setkey_config[] =
+ "flush;\n"
+ "spdflush;\n"
+ "spdadd " IPSEC_LOC_NET " " IPSEC_REM_NET " any -P out ipsec esp/tunnel/" IPSEC_LOC_EXT "-" IPSEC_REM_EXT"/use;\n"
+ "spdadd " IPSEC_REM_NET " " IPSEC_LOC_NET " any -P in ipsec esp/tunnel/" IPSEC_REM_EXT "-" IPSEC_LOC_EXT"/use;\n";
+static const char rc_conf[] =
+ "cloned_interfaces=\"gif0\"\n"
+ "ifconfig_gif0=\"10.10.1.1 172.24.0.1 tunnel 192.168.10.1 192.168.10.10\"\n"
+ "ike_enable=\"YES\"\n"
+ "ike_program=\"racoon\"\n"
+ "ike_flags=\"-F -f /etc/racoon.conf\"\n"
+ "ike_priority=\"250\"\n"
+ "\n"
+ "ipsec_enable=\"YES\"\n"
+ "ipsec_file=\"/etc/setkey.conf\"\n"
+ "\n"
+ "ifconfig_" NET_CFG_INTERFACE_0 "=\"inet " IPSEC_LOC_EXT " netmask 255.255.255.0\"\n";
+
+static const struct {
+ const char *name;
+ const char *content;
+} init_files[] = {
+ {.name = RACOON_PSK_FILE, .content = racoon_psk},
+ {.name = RACOON_CONFIG_FILE, .content = racoon_config},
+ {.name = SETKEY_CONFIG_FILE, .content = setkey_config},
+ {.name = RC_CONF, .content = rc_conf},
+};
+
+static void
+prepare_files()
+{
+ size_t i;
+ struct stat sb;
+ int rv;
+ int fd;
+ size_t written;
+
+ /* Create /etc if necessary */
+ rv = mkdir("/etc", S_IRWXU | S_IRWXG | S_IRWXO);
+ /* ignore errors, check the dir after. */
+ assert(stat("/etc", &sb) == 0);
+ assert(S_ISDIR(sb.st_mode));
+
+ /* Create files */
+ for(i = 0; i < (sizeof(init_files)/sizeof(init_files[0])); ++i) {
+ const char *content;
+ size_t len;
+
+ content = init_files[i].content;
+ len = strlen(content);
+
+ fd = open(init_files[i].name, O_WRONLY | O_CREAT,
+ S_IRWXU | S_IRWXG | S_IRWXO);
+ assert(fd != -1);
+
+ written = write(fd, content, len);
+ assert(written == len);
+
+ rv = close(fd);
+ assert(rv == 0);
+ }
+}
+
+static void
+test_main(void)
+{
+ int rv;
+ rtems_status_code sc;
+
+ rv = rtems_bsd_run_rc_conf(RC_CONF, 15, true);
+ assert(rv == 0);
+
+ /* Wait for initial racoon messages. */
+ sleep(2);
+ puts("--------------------------------------------------");
+ puts("Everything should be prepared now.");
+ puts("As soon as you communicate with someone in " IPSEC_REM_NET
+ " the IPSEC connection should be established.");
+ puts("--------------------------------------------------");
+
+ sc = rtems_shell_init("SHLL", 32 * 1024, 1, CONSOLE_DEVICE_NAME,
+ false, true, NULL);
+ assert(sc == RTEMS_SUCCESSFUL);
+
+ exit(0);
+}
+
+#define DEFAULT_EARLY_INITIALIZATION
+
+static void
+early_initialization(void)
+{
+ prepare_files();
+}
+
+#include <machine/rtems-bsd-sysinit.h>
+
+#define RTEMS_BSD_CONFIG_IPSEC
+/* Software crypto should work on all devices. */
+RTEMS_BSD_DEFINE_NEXUS_DEVICE(cryptosoft, 0, 0, NULL);
+#define RTEMS_BSD_CONFIG_BSP_CONFIG
+
+#include <rtems/bsd/test/default-init.h>
+
+#define CONFIGURE_SHELL_COMMANDS_INIT
+#include <rtems/netcmds-config.h>
+
+#define CONFIGURE_SHELL_USER_COMMANDS \
+ &rtems_shell_ARP_Command, \
+ &rtems_shell_HOSTNAME_Command, \
+ &rtems_shell_PING_Command, \
+ &rtems_shell_ROUTE_Command, \
+ &rtems_shell_NETSTAT_Command, \
+ &rtems_shell_SYSCTL_Command, \
+ &rtems_shell_IFCONFIG_Command, \
+ &rtems_shell_VMSTAT_Command
+
+#define CONFIGURE_SHELL_COMMAND_CPUINFO
+#define CONFIGURE_SHELL_COMMAND_CPUUSE
+#define CONFIGURE_SHELL_COMMAND_PERIODUSE
+#define CONFIGURE_SHELL_COMMAND_STACKUSE
+#define CONFIGURE_SHELL_COMMAND_PROFREPORT
+
+#define CONFIGURE_SHELL_COMMAND_CP
+#define CONFIGURE_SHELL_COMMAND_PWD
+#define CONFIGURE_SHELL_COMMAND_LS
+#define CONFIGURE_SHELL_COMMAND_LN
+#define CONFIGURE_SHELL_COMMAND_LSOF
+#define CONFIGURE_SHELL_COMMAND_CHDIR
+#define CONFIGURE_SHELL_COMMAND_CD
+#define CONFIGURE_SHELL_COMMAND_MKDIR
+#define CONFIGURE_SHELL_COMMAND_RMDIR
+#define CONFIGURE_SHELL_COMMAND_CAT
+#define CONFIGURE_SHELL_COMMAND_MV
+#define CONFIGURE_SHELL_COMMAND_RM
+#define CONFIGURE_SHELL_COMMAND_MALLOC_INFO
+
+#include <rtems/shellconfig.h>
+
+#else /* RTEMS_BSD_MODULE_NETIPSEC */
+
+static void
+test_main(void)
+{
+ puts("IPSec not enabled in the current build set.");
+ exit(0);
+}
+
+#include <rtems/bsd/test/default-init.h>
+
+#endif /* RTEMS_BSD_MODULE_NETIPSEC */
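Review bot: In prepare_files() every file, including the pre-shared key in `/etc/racoon_psk.txt`, is opened with `S_IRWXU | S_IRWXG | S_IRWXO` and without `O_TRUNC`, so subject to the umask the key file is readable and writable by everyone (the FreeBSD script in this patch uses mode 600), and a longer pre-existing file would keep its stale tail. `fd = open(init_files[i].name, O_WRONLY | O_CREAT | O_TRUNC, S_IRUSR | S_IWUSR);` avoids both; racoon may also refuse a key file with group/other permission bits, though whether that check is active in this port is not visible here. All error checks are `assert` calls, which compile out under `NDEBUG`, and `struct stat`, `stat` and `mkdir` are used without a visible `#include <sys/stat.h>`. The `rc_conf` string repeats the tunnel addresses as literals rather than building them from the `IPSEC_*` macros, so the two can drift apart.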
--
2.13.7