Add test case for INVALID_KE in IKE_SA_INIT fallback.

diff --git a/regress/sbin/iked/live/Makefile b/regress/sbin/iked/live/Makefile
index d5b7a44..ac48876 100644 (file)
--- a/regress/sbin/iked/live/Makefile
+++ b/regress/sbin/iked/live/Makefile
@@ -1,4 +1,4 @@
-#      $OpenBSD: Makefile,v 1.30 2021/07/10 15:05:22 tobhe Exp $
+#      $OpenBSD: Makefile,v 1.31 2021/11/11 22:12:52 tobhe Exp $
 
 # Copyright (c) 2020 Tobias Heider <tobhe@openbsd.org>
 #
@@ -38,7 +38,8 @@ TEST_FLOWS = \
        if [ -n "$$config_address" ]; then \
                dynamic="172.16.13.[0-9]+"; \
        fi; \
-       while [[ $$count -le 3 ]]; do \
+       [ -z "$$maxwait" ] && maxwait=3; \
+       while [[ $$count -le $$maxwait ]]; do \
                ipsecctlleft=`ssh ${LEFT_SSH} ipsecctl -sa`; \
                ipsecctlright=`ssh ${RIGHT_SSH} ipsecctl -sa`; \
                flowleft=`echo "$$ipsecctlleft" \
@@ -144,6 +145,7 @@ SETUP_CONFIG = \
        echo "DSTID=\"$$dstid\"" >> $@_$$side.conf; \
        echo "AUTH=\"$$authstr\"" >> $@_$$side.conf; \
        echo "CONFIG=\"$$confstr\"" >> $@_$$side.conf; \
+       echo "IKESA=\"$$ikesa\"" >> $@_$$side.conf; \
        echo "$$global" >> $@_$$side.conf; \
        cat ${.CURDIR}/iked.in >> $@_$$side.conf
 
@@ -387,6 +389,24 @@ run-cert-second-altname:
        flowtype=esp; ${TEST_FLOWS}; if [[ $$_ret -ne 0 ]]; then exit 1; fi
        ${TEST_PING}; if [[ $$_ret -ne 0 ]]; then exit 1; fi
 
+REGRESS_TARGETS += run-invalid-ke
+run-invalid-ke:
+       flowtype=esp; \
+       leftid=left-from-ca-both; \
+       rightid=right-from-ca-both; \
+           side=left; srcid=$$leftid; local=${LEFT_ADDR}; peer=${RIGHT_ADDR}; \
+           dstid="dstid $$rightid"; \
+           ikesa="ikesa group ecp256 group curve25519"; \
+           ${SETUP_CONFIG}; \
+           side=right; mode=passive; srcid=$$rightid; local=${RIGHT_ADDR}; \
+           peer=${LEFT_ADDR}; dstid="dstid $$leftid"; \
+           ikesa="ikesa group curve25519"; \
+           ${SETUP_CONFIG}; \
+           ${DEPLOY_CONFIGS}
+       ${SETUP_START}
+       flowtype=esp; maxwait=6; ${TEST_FLOWS}; if [[ $$_ret -ne 0 ]]; then exit 1; fi
+       ${TEST_PING}; if [[ $$_ret -ne 0 ]]; then exit 1; fi
+
 REGRESS_TARGETS += run-psk-fail
 run-psk-fail:
        auth=psk; \

diff --git a/regress/sbin/iked/live/iked.in b/regress/sbin/iked/live/iked.in
index 694ce99..2631e6b 100644 (file)
--- a/regress/sbin/iked/live/iked.in
+++ b/regress/sbin/iked/live/iked.in
@@ -1,5 +1,6 @@
 ikev2 "test" $MODE $IPCOMP $TMODE esp from $FROM to $TO \
        peer $PEER_ADDR \
+       $IKESA \
        srcid $SRCID $DSTID \
        $AUTH \
        $CONFIG