dowhack

openswan

# stipple: test opportunism by trying a bunch of targets
# Too slow so not automatically run.

dstipple-serial|dstipple-parallel)
	# self
	me --name ipsec-oppo-me --delete --rsa --pfs \
		$WESTHOST --nexthop %direct \
		$TO $OPPO \
		--encrypt $TIMES2
	;;
xstipple-serial)
	n=10
	a=192.139.70.1
	while expr $n > 0 >/dev/null
	do
		n=`expr $n - 1`
		me --oppohere $WESTIP --oppothere $a
		a=`ipnext $a`
	done
	;;
xstipple-parallel)
	n=10
	a=192.139.70.1
	while expr $n > 0 >/dev/null
	do
		n=`expr $n - 1`
		me --oppohere $WESTIP --oppothere $a &
		a=`ipnext $a`
	done
	wait
	;;

# foodgroups tests

# oe food group
# no actual negotiation, just --listen, --add, --route
doe)
	# self
	me --name oe --delete --rsa --pfs \
		$WESTHOST --nexthop $ROUTER \
		$TO $OPPOGROUP \
		--encrypt $TIMES2
	# this won't do anything since there is no ipsec.d/east/oe
	him --name oe --delete --rsa --pfs \
		$EASTHOST --nexthop $ROUTER \
		$TO $OPPOGROUP \
		--encrypt $TIMES2
	;;
xoe)
	both --route --name oe
	both_status
	;;

# oe food group, but unoriented, so nothing should happen
# Regression test for Pluto crash found by MCR 2002 December 11:
# add_group_instance() demands that the connection be oriented.
doe-noo)
	# note: although we are WEST, use EASTHOST as our address so we won't orient
	me --name oe --delete --rsa --pfs \
		$EASTHOST --nexthop $ROUTER \
		$TO $OPPOGROUP \
		--encrypt $TIMES2
	;;
xoe-noo)
	me --route --name oe
	;;

# clear food group
dclear)
	me --name clear --delete \
		$WESTHOST --nexthop $ROUTER \
		$TO $GROUP \
		--pass
	him --name clear --delete \
		$EASTHOST --nexthop $ROUTER \
		$TO $GROUP \
		--pass
	;;
xclear)
	both --route --name clear
	both_status
	;;

# See what happens when we initiate against a clear, #1.
# This should be slow because the responder won't respond.
# Regression test for Pluto crash found by MCR 2002 December 10:
# instantiate() demands that the connection be CK_TEMPLATE.
# When fixed, Responder should complain about "no connection has been authorized"
dclear-neg-nc-pl)
	me --name isakmp-rsa --rsa $EASTHOST \
		$TO_RSA --id=@west.example.com $WESTHOST $TIMES2
	him --name clear --delete \
		$EASTHOST --nexthop $ROUTER \
		$TO $GROUP \
		--pass
	;;
xclear-neg-nc-pl)
	me --initiate --name isakmp-rsa 
	him --route --name clear
	;;

# See what happens when we initiate against a clear, #2
# This should be slow because the responder won't respond.
# Regression test for Pluto crash found by MCR 2002 December 10:
# instantiate() demands that the connection be CK_TEMPLATE.
# When fixed, Responder should complain about "no connection has been authorized"
dclear-neg-fc-pl)
	me --name isakmp-rsa --rsa $EASTHOST \
		$TO_RSA --id=@west.example.com $WESTHOST $TIMES2
	him --name clear-west --delete \
		$EASTHOST --nexthop $ROUTER \
		$TO $GROUP \
		--pass
	;;
xclear-neg-fc-pl)
	me --initiate --name isakmp-rsa 
	him --route --name clear
	;;

# block food group
# just --add and --route, no negotiation
dblock-pl)
	me --name block --delete \
		$WESTHOST --nexthop $ROUTER \
		$TO $GROUP \
		--drop
	him --name block --delete \
		$EASTHOST --nexthop $ROUTER \
		$TO $GROUP \
		--drop
	;;
xblock-pl)
	both --route --name block
	;;

# reject food group
# just --add and --route, no negotiation
dreject-pl)
	me --name reject --delete \
		$WESTHOST --nexthop $ROUTER \
		$TO $GROUP \
		--reject
	him --name reject --delete \
		$EASTHOST --nexthop $ROUTER \
		$TO $GROUP \
		--reject
	;;
xreject-pl)
	both --route --name reject
	;;

# exactly like ipsec-oppo-narrow, except real target comes from foodgroup
dipsec-oppo-group)
	# self
	me --name opportunity --delete --rsa --pfs \
		$WESTHOST --nexthop $ROUTER \
		$TO $OPPOGROUP \
		--encrypt $TIMES2
	# clients
	me --name opportunity-mine --delete --rsa --pfs \
		$WESTNET --nexthop $ROUTER \
		$TO $OPPOGROUP \
		--encrypt $TIMES2
	# self
	him --name opportunity --delete --rsa --pfs \
		$OPPOGROUP \
		$TO $EASTHOST --nexthop $ROUTER \
		--encrypt $TIMES2
	# clients
	him --name opportunity-mine --delete --rsa --pfs \
		$OPPOGROUP \
		$TO $EASTNET --nexthop $ROUTER \
		--encrypt $TIMES2
	;;
xipsec-oppo-group)
	both --name opportunity --route
	both --name opportunity-mine --route
	both_status
	# host to host
	me --oppohere $WESTIP --oppothere $EASTIP

	# host to client
	me --oppohere $WESTIP --oppothere $TRURO

	# client to host
	me --oppohere $VANCOUVER --oppothere $EASTIP

	# client to client
	me --oppohere $VICTORIA --oppothere $ANTIGONISH

	## whack error: 0.0.0.0 or 0::0 isn't a valid client address "0.0.0.0"
	# me --oppohere 0.0.0.0 --oppothere $ANTIGONISH

	## whack error: 0.0.0.0 or 0::0 isn't a valid client address "0.0.0.0"
	# me --oppohere $VICTORIA --oppothere 0.0.0.0

	# 033 Can't Opportunistically initiate for 127.95.7.22 to 127.95.7.10: no routed Opportunistic template covers them
	me --oppohere $ANTIGONISH --oppothere $VICTORIA

	# 033 Can't Opportunistically initiate for 127.95.7.10 to 127.95.7.23: no host 23.7.95.127.in-addr.arpa. for TXT record
	me --oppohere $VICTORIA --oppothere $ATLANTIS

	## Responder says: "ipsec-oppo-me" 127.95.7.1 0.0.0.0/32 #1: gateway 127.95.7.1 claims client 127.95.7.8, but DNS for client fails to confirm: no host 8.7.95.127.in-addr.arpa. for TXT record
	## Initiator slowly times out.
	# me --oppohere $VANISHED --oppothere $ANTIGONISH
	;;

# don't pick a shunt-only connection for opportunism
# regression test for bug CS found 2003 Jan 16
dregr-shunt-oppo)
	me --name clear-west-east --delete \
		$WESTNET --nexthop $ROUTER \
		$TO --host %any --client $EASTSUBNET \
		--pass
	him --name clear-west-east --delete \
		$EASTNET --nexthop $ROUTER \
		$TO --host %any --client $WESTSUBNET \
		--pass
	;;
xregr-shunt-oppo)
	both --name clear-west-east --route
	me_status
	# 033 Can't Opportunistically initiate for 127.95.7.10 to 127.95.7.21: a shunt-only connection covers this pair
	me --oppohere $VICTORIA --oppothere $TRURO
	;;

# Do a fancy dance with eroutes for instances of a /32 -> /32
# This is required because the template's eroute clashes with
# the instance's (or even a %hold!)
# Based on ipsec-oppo-narrow.
# Regression test.
dregr-template-32-32)
	# self
	me --name ipsec-oppo-me --delete --rsa --pfs \
		$WESTHOST --nexthop  $ROUTER \
		$TO $OPPO --client $EASTIP/32 \
		--encrypt $TIMES2

	# self
	him --name ipsec-oppo-me --delete --rsa --pfs \
		$OPPO --client $WESTIP/32 \
		$TO $EASTHOST --nexthop $ROUTER \
		--encrypt $TIMES2
	;;
xregr-template-32-32)
	both --route --name ipsec-oppo-me
	both_status

	# host to host
	me --oppohere $WESTIP --oppothere $EASTIP
	both_status
	me --deletestate 2
	me_status
	me --deletestate 1
	me_status
	## now that we have delete messages, these are redundant
	# him --deletestate 2
	# him_status
	# him --deletestate 1
	him_status
	;;

# Check that opportunism selects the most specific connection
# Meant to demonstrate PR#177.
# Gets to CPU lockup part anyway.
dregr-oppo-narrow)
	# self to easthalfsubnet
	me --name ipsec-oppo-halfbroad --delete --rsa --pfs \
		$WESTHOST --nexthop  $ROUTER \
		$TO $OPPO --client $EASTHALFSUBNET \
		--encrypt $TIMES2
	# self to truro only
	me --name ipsec-oppo --delete --rsa --pfs \
		$WESTHOST --nexthop  $ROUTER \
		$TO $OPPO --client $TRURO/32 \
		--encrypt $TIMES2
	# self to eastsubnet
	me --name ipsec-oppo-broad --delete --rsa --pfs \
		$WESTHOST --nexthop  $ROUTER \
		$TO $OPPO --client $EASTSUBNET \
		--encrypt $TIMES2

	# eastsubnet to west
	him --name ipsec-oppo-broad --delete --rsa --pfs \
		$OPPO --client $WESTIP/32 \
		$TO $EASTHOST --client $EASTSUBNET --nexthop $ROUTER \
		--encrypt $TIMES2
	# truro only to west
	him --name ipsec-oppo --delete --rsa --pfs \
		$OPPO --client $WESTIP/32 \
		$TO $EASTHOST --client $TRURO/32 --nexthop $ROUTER \
		--encrypt $TIMES2
	# easthalfsubnet to west
	him --name ipsec-oppo-halfbroad --delete --rsa --pfs \
		$OPPO --client $WESTIP/32 \
		$TO $EASTHOST --client $EASTHALFSUBNET --nexthop $ROUTER \
		--encrypt $TIMES2
	;;
xregr-oppo-narrow)
	both --route --name ipsec-oppo-broad
	both --route --name ipsec-oppo
	both --route --name ipsec-oppo-halfbroad
	both_status

	# host to host
	me --oppohere $WESTIP --oppothere $TRURO
	both_status
	;;

# test new %myid feature.
# based on isakmp-rsa-case for convenience (it used --id)
disakmp-rsa-myid)
	me --name isakmp-rsa --rsa $EASTHOST \
		$TO_RSA --id=@west.example.com $WESTHOST $TIMES2
	him --name isakmp-rsa --rsa $EASTHOST \
		$TO_RSA --id=%myid $WESTHOST $TIMES2
	;;
xisakmp-rsa-myid)
	# see how %myid is displayed when not defined
	him_status
	him --myid @WEST.example.com
	# see how %myid is displayed when defined
	him_status
	me --name isakmp-rsa --initiate ;;

*)
	echo "$0: $i unknown"
	exit 1
	;;
esac
done