unit-tests: Add unit tests for childless IKE_SA initiation
[strongswan.git] / src / libcharon / tests / suites / test_childless.c
1 /*
2 * Copyright (C) 2019 Tobias Brunner
3 * HSR Hochschule fuer Technik Rapperswil
4 *
5 * This program is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License as published by the
7 * Free Software Foundation; either version 2 of the License, or (at your
8 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
9 *
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
13 * for more details.
14 */
15
16 #include "test_suite.h"
17
18 #include <daemon.h>
19 #include <tests/utils/exchange_test_helper.h>
20 #include <tests/utils/exchange_test_asserts.h>
21 #include <tests/utils/sa_asserts.h>
22
23 /**
24 * Childless initiation of the IKE_SA. The first CHILD_SA is automatically
25 * initiated in a separate CREATE_CHILD_SA exchange including DH.
26 */
27 START_TEST(test_regular)
28 {
29 exchange_test_sa_conf_t conf = {
30 .initiator = {
31 .childless = CHILDLESS_FORCE,
32 .esp = "aes128-sha256-modp3072",
33 },
34 .responder = {
35 .esp = "aes128-sha256-modp3072",
36 },
37 };
38 ike_sa_t *a, *b;
39 ike_sa_id_t *id_a, *id_b;
40 child_cfg_t *child_cfg;
41
42 child_cfg = exchange_test_helper->create_sa(exchange_test_helper, &a, &b,
43 &conf);
44 id_a = a->get_id(a);
45 id_b = b->get_id(b);
46
47 call_ikesa(a, initiate, child_cfg, 0, NULL, NULL);
48
49 /* IKE_SA_INIT --> */
50 id_b->set_initiator_spi(id_b, id_a->get_initiator_spi(id_a));
51 exchange_test_helper->process_message(exchange_test_helper, b, NULL);
52 /* <-- IKE_SA_INIT */
53 assert_notify(IN, CHILDLESS_IKEV2_SUPPORTED);
54 id_a->set_responder_spi(id_a, id_b->get_responder_spi(id_b));
55 exchange_test_helper->process_message(exchange_test_helper, a, NULL);
56
57 /* IKE_AUTH --> */
58 assert_hook_not_called(child_updown);
59 assert_no_payload(IN, PLV2_SECURITY_ASSOCIATION);
60 assert_no_payload(IN, PLV2_TS_INITIATOR);
61 assert_no_payload(IN, PLV2_TS_RESPONDER);
62 exchange_test_helper->process_message(exchange_test_helper, b, NULL);
63
64 /* <-- IKE_AUTH */
65 assert_no_payload(IN, PLV2_SECURITY_ASSOCIATION);
66 assert_no_payload(IN, PLV2_TS_INITIATOR);
67 assert_no_payload(IN, PLV2_TS_RESPONDER);
68 exchange_test_helper->process_message(exchange_test_helper, a, NULL);
69 assert_child_sa_count(a, 0);
70 assert_child_sa_count(b, 0);
71 assert_hook();
72
73 /* CREATE_CHILD_SA { SA, Ni, KEi, TSi, TSr } --> */
74 assert_hook_called(child_updown);
75 assert_payload(IN, PLV2_KEY_EXCHANGE);
76 exchange_test_helper->process_message(exchange_test_helper, b, NULL);
77 assert_child_sa_count(b, 1);
78 assert_hook();
79
80 /* <-- CREATE_CHILD_SA { SA, Ni, KEi } */
81 assert_hook_called(child_updown);
82 assert_payload(IN, PLV2_KEY_EXCHANGE);
83 exchange_test_helper->process_message(exchange_test_helper, a, NULL);
84 assert_child_sa_count(a, 1);
85 assert_hook();
86
87 assert_sa_idle(a);
88 assert_sa_idle(b);
89
90 call_ikesa(a, destroy);
91 call_ikesa(b, destroy);
92 }
93 END_TEST
94
95 /**
96 * Childless initiation of the IKE_SA, no CHILD_SA created automatically.
97 * It's created with a separate initiation and exchange afterwards.
98 */
99 START_TEST(test_regular_manual)
100 {
101 exchange_test_sa_conf_t conf = {
102 .initiator = {
103 .esp = "aes128-sha256-modp3072",
104 },
105 .responder = {
106 .esp = "aes128-sha256-modp3072",
107 },
108 };
109 ike_sa_t *a, *b;
110 ike_sa_id_t *id_a, *id_b;
111 child_cfg_t *child_cfg;
112
113 child_cfg = exchange_test_helper->create_sa(exchange_test_helper, &a, &b,
114 &conf);
115 id_a = a->get_id(a);
116 id_b = b->get_id(b);
117
118 call_ikesa(a, initiate, NULL, 0, NULL, NULL);
119
120 /* IKE_SA_INIT --> */
121 id_b->set_initiator_spi(id_b, id_a->get_initiator_spi(id_a));
122 exchange_test_helper->process_message(exchange_test_helper, b, NULL);
123 /* <-- IKE_SA_INIT */
124 assert_notify(IN, CHILDLESS_IKEV2_SUPPORTED);
125 id_a->set_responder_spi(id_a, id_b->get_responder_spi(id_b));
126 exchange_test_helper->process_message(exchange_test_helper, a, NULL);
127
128 /* IKE_AUTH --> */
129 assert_hook_not_called(child_updown);
130 assert_no_payload(IN, PLV2_SECURITY_ASSOCIATION);
131 assert_no_payload(IN, PLV2_TS_INITIATOR);
132 assert_no_payload(IN, PLV2_TS_RESPONDER);
133 exchange_test_helper->process_message(exchange_test_helper, b, NULL);
134
135 /* <-- IKE_AUTH */
136 assert_no_payload(IN, PLV2_SECURITY_ASSOCIATION);
137 assert_no_payload(IN, PLV2_TS_INITIATOR);
138 assert_no_payload(IN, PLV2_TS_RESPONDER);
139 exchange_test_helper->process_message(exchange_test_helper, a, NULL);
140 assert_child_sa_count(a, 0);
141 assert_child_sa_count(b, 0);
142 assert_hook();
143
144 assert_sa_idle(a);
145 assert_sa_idle(b);
146
147 call_ikesa(a, initiate, child_cfg, 0, NULL, NULL);
148
149 /* CREATE_CHILD_SA { SA, Ni, KEi, TSi, TSr } --> */
150 assert_hook_called(child_updown);
151 assert_payload(IN, PLV2_KEY_EXCHANGE);
152 exchange_test_helper->process_message(exchange_test_helper, b, NULL);
153 assert_child_sa_count(b, 1);
154 assert_hook();
155
156 /* <-- CREATE_CHILD_SA { SA, Ni, KEi } */
157 assert_hook_called(child_updown);
158 assert_payload(IN, PLV2_KEY_EXCHANGE);
159 exchange_test_helper->process_message(exchange_test_helper, a, NULL);
160 assert_child_sa_count(a, 1);
161 assert_hook();
162
163 assert_sa_idle(a);
164 assert_sa_idle(b);
165
166 call_ikesa(a, destroy);
167 call_ikesa(b, destroy);
168 }
169 END_TEST
170
171 /**
172 * The initiator aborts the initiation once it notices the responder does not
173 * support childless IKE_SAs.
174 */
175 START_TEST(test_failure_init)
176 {
177 exchange_test_sa_conf_t conf = {
178 .initiator = {
179 .childless = CHILDLESS_FORCE,
180 },
181 .responder = {
182 .childless = CHILDLESS_NEVER,
183 },
184 };
185 ike_sa_t *a, *b;
186 ike_sa_id_t *id_a, *id_b;
187 child_cfg_t *child_cfg;
188 status_t status;
189
190 child_cfg = exchange_test_helper->create_sa(exchange_test_helper, &a, &b,
191 &conf);
192 id_a = a->get_id(a);
193 id_b = b->get_id(b);
194
195 call_ikesa(a, initiate, child_cfg, 0, NULL, NULL);
196
197 /* IKE_SA_INIT --> */
198 id_b->set_initiator_spi(id_b, id_a->get_initiator_spi(id_a));
199 exchange_test_helper->process_message(exchange_test_helper, b, NULL);
200 /* <-- IKE_SA_INIT */
201 assert_no_notify(IN, CHILDLESS_IKEV2_SUPPORTED);
202 id_a->set_responder_spi(id_a, id_b->get_responder_spi(id_b));
203 status = exchange_test_helper->process_message(exchange_test_helper, a,
204 NULL);
205 ck_assert_int_eq(DESTROY_ME, status);
206
207 call_ikesa(a, destroy);
208 call_ikesa(b, destroy);
209 }
210 END_TEST
211
212 /**
213 * The responder aborts the initiation once it notices the initiator does not
214 * create a childless IKE_SA.
215 */
216 START_TEST(test_failure_resp)
217 {
218 exchange_test_sa_conf_t conf = {
219 .initiator = {
220 .childless = CHILDLESS_NEVER,
221 },
222 .responder = {
223 .childless = CHILDLESS_FORCE,
224 },
225 };
226 ike_sa_t *a, *b;
227 ike_sa_id_t *id_a, *id_b;
228 child_cfg_t *child_cfg;
229 status_t status;
230
231 child_cfg = exchange_test_helper->create_sa(exchange_test_helper, &a, &b,
232 &conf);
233 id_a = a->get_id(a);
234 id_b = b->get_id(b);
235
236 call_ikesa(a, initiate, child_cfg, 0, NULL, NULL);
237
238 /* IKE_SA_INIT --> */
239 id_b->set_initiator_spi(id_b, id_a->get_initiator_spi(id_a));
240 exchange_test_helper->process_message(exchange_test_helper, b, NULL);
241 /* <-- IKE_SA_INIT */
242 assert_notify(IN, CHILDLESS_IKEV2_SUPPORTED);
243 id_a->set_responder_spi(id_a, id_b->get_responder_spi(id_b));
244 exchange_test_helper->process_message(exchange_test_helper, a, NULL);
245
246 /* IKE_AUTH --> */
247 assert_hook_not_called(child_updown);
248 assert_payload(IN, PLV2_SECURITY_ASSOCIATION);
249 assert_payload(IN, PLV2_TS_INITIATOR);
250 assert_payload(IN, PLV2_TS_RESPONDER);
251 status = exchange_test_helper->process_message(exchange_test_helper, b,
252 NULL);
253 ck_assert_int_eq(DESTROY_ME, status);
254 assert_hook();
255
256 /* <-- IKE_AUTH */
257 assert_hook_not_called(child_updown);
258 assert_no_payload(IN, PLV2_SECURITY_ASSOCIATION);
259 assert_no_payload(IN, PLV2_TS_INITIATOR);
260 assert_no_payload(IN, PLV2_TS_RESPONDER);
261 assert_notify(IN, INVALID_SYNTAX);
262 status = exchange_test_helper->process_message(exchange_test_helper, a,
263 NULL);
264 ck_assert_int_eq(DESTROY_ME, status);
265 assert_hook();
266
267 assert_sa_idle(a);
268 assert_sa_idle(b);
269
270 call_ikesa(a, destroy);
271 call_ikesa(b, destroy);
272 }
273 END_TEST
274
275 Suite *childless_suite_create()
276 {
277 Suite *s;
278 TCase *tc;
279
280 s = suite_create("childless");
281
282 tc = tcase_create("initiation");
283 tcase_add_test(tc, test_regular);
284 tcase_add_test(tc, test_regular_manual);
285 suite_add_tcase(s, tc);
286
287 tc = tcase_create("failure");
288 tcase_add_test(tc, test_failure_init);
289 tcase_add_test(tc, test_failure_resp);
290 suite_add_tcase(s, tc);
291
292 return s;
293 }