testsuite/ipsec01: Add.

libbsd.py

@@ -4926,6 +4926,7 @@ class tests(builder.Module):
                                                     ['test_main'], runTest = False, netTest = True,
                                                     extraLibs = ['debugger']))
         self.addTest(mm.generator['test']('crypto01', ['test_main']))
+        self.addTest(mm.generator['test']('ipsec01', ['test_main']))
 
 def load(mm):
 

testsuite/include/rtems/bsd/test/network-config.h.in

@@ -50,6 +50,8 @@
   #else
     #define NET_CFG_INTERFACE_0 "tsec0"
   #endif
+#elif defined(LIBBSP_ARM_ATSAM_BSP_H)
+  #define NET_CFG_INTERFACE_0 "if_atsam0"
 #else
   #define NET_CFG_INTERFACE_0 "lo0"
 #endif

testsuite/ipsec01/README

@@ -0,0 +1,5 @@
+Note that this tests needs some communication partner. You can use the
+`setup_FreeBSD_as_communication_partner.sh` script to set up a FreeBSD as this
+partner. The interface that is connected to the RTEMS system should have an IP
+set up to the IPSEC_LOC_EXT of the script. Note that the script is quite
+reckless in creating config files. Don't use it on some production system.

testsuite/ipsec01/setup_FreeBSD_as_communication_partner.sh

@@ -0,0 +1,82 @@
+#!/bin/sh -x
+
+if ! which racoon >/dev/null 2>&1
+then
+	echo "You have to install security/ipsec-tools from ports collection!"
+	exit 1
+fi
+
+IPSEC_REM_INT="10.10.1.1"
+IPSEC_REM_NET="10.10.1.0/24"
+IPSEC_REM_EXT="192.168.10.1"
+IPSEC_LOC_INT="172.24.0.1"
+IPSEC_LOC_NET="172.24.0.0/24"
+IPSEC_LOC_EXT="192.168.10.10"
+RACOON_PSK_FILE="/etc/racoon_psk.txt"
+RACOON_CONFIG_FILE="/etc/racoon.conf"
+SETKEY_CONF="/etc/setkey.conf"
+GIF="gif0"
+
+ifconfig $GIF create
+ifconfig $GIF $IPSEC_LOC_INT $IPSEC_REM_INT
+ifconfig $GIF tunnel $IPSEC_LOC_EXT $IPSEC_REM_EXT
+route add $IPSEC_REM_NET $IPSEC_REM_INT
+
+cat <<EOF > $RACOON_CONFIG_FILE
+path   pre_shared_key "$RACOON_PSK_FILE";
+log    debug;
+
+padding	# options are not to be changed
+{
+        maximum_length  20;
+        randomize       off;
+        strict_check    off;
+        exclusive_tail  off;
+}
+
+listen	# address [port] that racoon will listen on
+{
+        isakmp          $IPSEC_LOC_EXT [500];
+}
+
+remote $IPSEC_REM_EXT [500]
+{
+       exchange_mode                   main;
+       my_identifier                   address $IPSEC_LOC_EXT;
+       peers_identifier                address $IPSEC_REM_EXT;
+       proposal_check                  obey;
+
+       proposal {
+               encryption_algorithm    3des;
+               hash_algorithm          md5;
+               authentication_method   pre_shared_key;
+               lifetime time           3600 sec;
+               dh_group                2;
+       }
+}
+
+sainfo (address $IPSEC_LOC_NET any address $IPSEC_REM_NET any)
+{
+       pfs_group                       2;
+       lifetime                        time 28800 sec;
+       encryption_algorithm            3des;
+       authentication_algorithm        hmac_md5;
+       compression_algorithm           deflate;
+}
+EOF
+
+cat <<EOF > $RACOON_PSK_FILE
+$IPSEC_REM_EXT mysecretkey
+EOF
+
+chmod 600 $RACOON_PSK_FILE
+
+cat <<EOF > $SETKEY_CONF
+flush;
+spdflush;
+spdadd $IPSEC_LOC_NET $IPSEC_REM_NET any -P out ipsec esp/tunnel/$IPSEC_LOC_EXT-$IPSEC_REM_EXT/use;
+spdadd $IPSEC_REM_NET $IPSEC_LOC_NET any -P in  ipsec esp/tunnel/$IPSEC_REM_EXT-$IPSEC_LOC_EXT/use;
+EOF
+
+setkey -f /etc/setkey.conf
+racoon -F -f /etc/racoon.conf

testsuite/ipsec01/test_main.c

@@ -0,0 +1,258 @@
+/*
+ * Copyright (c) 2018 embedded brains GmbH.  All rights reserved.
+ *
+ *  embedded brains GmbH
+ *  Dornierstr. 4
+ *  82178 Puchheim
+ *  Germany
+ *  <rtems@embedded-brains.de>
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#define TEST_NAME "LIBBSD IPSEC 1"
+
+#include <stdio.h>
+#include <stdlib.h>
+
+#include <rtems/bsd/modules.h>
+#ifdef RTEMS_BSD_MODULE_NETIPSEC
+
+#include <assert.h>
+#include <fcntl.h>
+#include <string.h>
+#include <unistd.h>
+
+#include <machine/rtems-bsd-commands.h>
+#include <machine/rtems-bsd-rc-conf.h>
+
+#include <rtems/bsd/bsd.h>
+#include <rtems/bsd/test/network-config.h>
+#include <rtems/console.h>
+#include <rtems/shell.h>
+
+
+#define IPSEC_LOC_INT "10.10.1.1"
+#define IPSEC_LOC_NET "10.10.1.0/24"
+#define IPSEC_LOC_EXT "192.168.10.1"
+#define IPSEC_REM_INT "172.24.0.1"
+#define IPSEC_REM_NET "172.24.0.0/24"
+#define IPSEC_REM_EXT "192.168.10.10"
+#define RACOON_PSK_FILE "/etc/racoon_psk.txt"
+#define RACOON_CONFIG_FILE "/etc/racoon.conf"
+#define SETKEY_CONFIG_FILE "/etc/setkey.conf"
+#define RC_CONF "/etc/rc.conf"
+
+static const char racoon_psk[] =
+	IPSEC_REM_EXT "	mysecretkey\n";
+static const char racoon_config[] =
+	"path	pre_shared_key \"" RACOON_PSK_FILE "\";\n"
+	"log	debug;\n"
+	"\n"
+	"padding	# options are not to be changed\n"
+	"{\n"
+	"	maximum_length			20;\n"
+	"	randomize			off;\n"
+	"	strict_check			off;\n"
+	"	exclusive_tail			off;\n"
+	"}\n"
+	"\n"
+	"listen	# address [port] that racoon will listen on\n"
+	"{\n"
+	"	isakmp				" IPSEC_LOC_EXT "[500];\n"
+	"}\n"
+	"\n"
+	"remote " IPSEC_REM_EXT " [500]\n"
+	"{\n"
+	"	exchange_mode			main;\n"
+	"	my_identifier			address " IPSEC_LOC_EXT ";\n"
+	"	peers_identifier		address " IPSEC_REM_EXT ";\n"
+	"	proposal_check			obey;\n"
+	"\n"
+	"	proposal {\n"
+	"		encryption_algorithm	3des;\n"
+	"		hash_algorithm		md5;\n"
+	"		authentication_method	pre_shared_key;\n"
+	"		lifetime time		3600 sec;\n"
+	"		dh_group		2;\n"
+	"	}\n"
+	"}\n"
+	"\n"
+	"sainfo (address " IPSEC_LOC_NET " any address " IPSEC_REM_NET " any)\n"
+	"{\n"
+	"	pfs_group			2;\n"
+	"	lifetime			time 28800 sec;\n"
+	"	encryption_algorithm		3des;\n"
+	"	authentication_algorithm	hmac_md5;\n"
+	"	compression_algorithm		deflate;\n"
+	"}\n";
+static const char setkey_config[] =
+	"flush;\n"
+	"spdflush;\n"
+	"spdadd " IPSEC_LOC_NET " " IPSEC_REM_NET " any -P out ipsec esp/tunnel/" IPSEC_LOC_EXT "-" IPSEC_REM_EXT"/use;\n"
+	"spdadd " IPSEC_REM_NET " " IPSEC_LOC_NET " any -P in  ipsec esp/tunnel/" IPSEC_REM_EXT "-" IPSEC_LOC_EXT"/use;\n";
+static const char rc_conf[] =
+	"cloned_interfaces=\"gif0\"\n"
+	"ifconfig_gif0=\"10.10.1.1 172.24.0.1 tunnel 192.168.10.1 192.168.10.10\"\n"
+	"ike_enable=\"YES\"\n"
+	"ike_program=\"racoon\"\n"
+	"ike_flags=\"-F -f /etc/racoon.conf\"\n"
+	"ike_priority=\"250\"\n"
+	"\n"
+	"ipsec_enable=\"YES\"\n"
+	"ipsec_file=\"/etc/setkey.conf\"\n"
+	"\n"
+	"ifconfig_" NET_CFG_INTERFACE_0 "=\"inet " IPSEC_LOC_EXT " netmask 255.255.255.0\"\n";
+
+static const struct {
+	const char *name;
+	const char *content;
+} init_files[] = {
+	{.name = RACOON_PSK_FILE, .content = racoon_psk},
+	{.name = RACOON_CONFIG_FILE, .content = racoon_config},
+	{.name = SETKEY_CONFIG_FILE, .content = setkey_config},
+	{.name = RC_CONF, .content = rc_conf},
+};
+
+static void
+prepare_files()
+{
+	size_t i;
+	struct stat sb;
+	int rv;
+	int fd;
+	size_t written;
+
+	/* Create /etc if necessary */
+	rv = mkdir("/etc", S_IRWXU | S_IRWXG | S_IRWXO);
+	/* ignore errors, check the dir after. */
+	assert(stat("/etc", &sb) == 0);
+	assert(S_ISDIR(sb.st_mode));
+
+	/* Create files */
+	for(i = 0; i < (sizeof(init_files)/sizeof(init_files[0])); ++i) {
+		const char *content;
+		size_t len;
+
+		content = init_files[i].content;
+		len = strlen(content);
+
+		fd = open(init_files[i].name, O_WRONLY | O_CREAT,
+		    S_IRWXU | S_IRWXG | S_IRWXO);
+		assert(fd != -1);
+
+		written = write(fd, content, len);
+		assert(written == len);
+
+		rv = close(fd);
+		assert(rv == 0);
+	}
+}
+
+static void
+test_main(void)
+{
+	int rv;
+	rtems_status_code sc;
+
+	rv = rtems_bsd_run_rc_conf(RC_CONF, 15, true);
+	assert(rv == 0);
+
+	/* Wait for initial racoon messages. */
+	sleep(2);
+	puts("--------------------------------------------------");
+	puts("Everything should be prepared now.");
+	puts("As soon as you communicate with someone in " IPSEC_REM_NET
+	    " the IPSEC connection should be established.");
+	puts("--------------------------------------------------");
+
+	sc = rtems_shell_init("SHLL", 32 * 1024, 1, CONSOLE_DEVICE_NAME,
+	    false, true, NULL);
+	assert(sc == RTEMS_SUCCESSFUL);
+
+	exit(0);
+}
+
+#define DEFAULT_EARLY_INITIALIZATION
+
+static void
+early_initialization(void)
+{
+	prepare_files();
+}
+
+#include <machine/rtems-bsd-sysinit.h>
+
+#define RTEMS_BSD_CONFIG_IPSEC
+/* Software crypto should work on all devices. */
+RTEMS_BSD_DEFINE_NEXUS_DEVICE(cryptosoft, 0, 0, NULL);
+#define RTEMS_BSD_CONFIG_BSP_CONFIG
+
+#include <rtems/bsd/test/default-init.h>
+
+#define CONFIGURE_SHELL_COMMANDS_INIT
+#include <rtems/netcmds-config.h>
+
+#define CONFIGURE_SHELL_USER_COMMANDS \
+  &rtems_shell_ARP_Command, \
+  &rtems_shell_HOSTNAME_Command, \
+  &rtems_shell_PING_Command, \
+  &rtems_shell_ROUTE_Command, \
+  &rtems_shell_NETSTAT_Command, \
+  &rtems_shell_SYSCTL_Command, \
+  &rtems_shell_IFCONFIG_Command, \
+  &rtems_shell_VMSTAT_Command
+
+#define CONFIGURE_SHELL_COMMAND_CPUINFO
+#define CONFIGURE_SHELL_COMMAND_CPUUSE
+#define CONFIGURE_SHELL_COMMAND_PERIODUSE
+#define CONFIGURE_SHELL_COMMAND_STACKUSE
+#define CONFIGURE_SHELL_COMMAND_PROFREPORT
+
+#define CONFIGURE_SHELL_COMMAND_CP
+#define CONFIGURE_SHELL_COMMAND_PWD
+#define CONFIGURE_SHELL_COMMAND_LS
+#define CONFIGURE_SHELL_COMMAND_LN
+#define CONFIGURE_SHELL_COMMAND_LSOF
+#define CONFIGURE_SHELL_COMMAND_CHDIR
+#define CONFIGURE_SHELL_COMMAND_CD
+#define CONFIGURE_SHELL_COMMAND_MKDIR
+#define CONFIGURE_SHELL_COMMAND_RMDIR
+#define CONFIGURE_SHELL_COMMAND_CAT
+#define CONFIGURE_SHELL_COMMAND_MV
+#define CONFIGURE_SHELL_COMMAND_RM
+#define CONFIGURE_SHELL_COMMAND_MALLOC_INFO
+
+#include <rtems/shellconfig.h>
+
+#else /* RTEMS_BSD_MODULE_NETIPSEC */
+
+static void
+test_main(void)
+{
+	puts("IPSec not enabled in the current build set.");
+	exit(0);
+}
+
+#include <rtems/bsd/test/default-init.h>
+
+#endif /* RTEMS_BSD_MODULE_NETIPSEC */