authorTobias Heider <tobhe@cvs.openbsd.org>2021-12-07 17:26:15 +0000
committerTobias Heider <tobhe@cvs.openbsd.org>2021-12-07 17:26:15 +0000
commit93bc4f53f314f2dad29792dd38f92a975efa0210 (patch)
tree7f7d49f3ceb70a3cfc706115246959338771098b /regress/sbin/iked
parent70838435eb7ec65d40d5e861eab6b8a421580005 (diff)
Add test case for authentication with locally stored peer certificates.
Diffstat (limited to 'regress/sbin/iked')
-rw-r--r--regress/sbin/iked/live/Makefile27
1 files changed, 25 insertions, 2 deletions
diff --git a/regress/sbin/iked/live/Makefile b/regress/sbin/iked/live/Makefile
index 97100258441..69ad27a2709 100644
--- a/regress/sbin/iked/live/Makefile
+++ b/regress/sbin/iked/live/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.32 2021/12/05 20:21:14 tobhe Exp $
+# $OpenBSD: Makefile,v 1.33 2021/12/07 17:26:14 tobhe Exp $
# Copyright (c) 2020 Tobias Heider <tobhe@openbsd.org>
#
@@ -208,16 +208,21 @@ cleanup:
rm -f /tmp/pf.conf; pfctl -d; pfctl -f /etc/pf.conf;'
setup_certs: ca-both.crt left-from-ca-both.crt left.key right-from-ca-both.crt \
- right.key ca-left.crt right-from-ca-left.crt ca-right.crt left-from-ca-right.crt
+ right.key ca-left.crt right-from-ca-left.crt ca-right.crt left-from-ca-right.crt \
+ ca-none.crt left-from-ca-none.crt right-from-ca-none.crt
echo "cd /etc/iked\n \
put left-from-ca-both.crt certs\n \
put left-from-ca-right.crt certs\n \
+ put left-from-ca-none.crt certs\n \
+ put right-from-ca-none.crt certs\n \
put left.key private/local.key\n \
put ca-left.crt ca\n \
put ca-both.crt ca\n" | sftp ${LEFT_SSH} -q; \
echo "cd /etc/iked\n \
put right-from-ca-both.crt certs\n \
put right-from-ca-left.crt certs\n \
+ put right-from-ca-none.crt certs\n \
+ put left-from-ca-none.crt certs\n \
put right.key private/local.key\n \
put ca-right.crt ca\n \
put ca-both.crt ca\n" | sftp ${RIGHT_SSH} -q; \
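Review bot: Nothing in `setup_certs` records that `ca-none.crt` is deliberately left out of the `put ... ca` lines, although the new test appears to depend on exactly that. Neither host should be able to chain the `-from-ca-none` certificates to a trusted CA, so authentication can only succeed through the copies placed in `certs`. A later edit that adds `put ca-none.crt ca` for symmetry would quietly turn the case into an ordinary CA-validated one. I would add above the target `# ca-none.crt is never installed in /etc/iked/ca; certs issued by it must verify only via the copies in certs/`. The recipe continues past the end of this hunk, so any later step that touches `ca` is not visible here.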
@@ -261,6 +266,15 @@ ca-right.crt ca-right.key:
left-from-ca-right.crt left.key: ca-right.crt ca-right.key
caname=ca-right; name=left; ${SETUP_CERT}
+ca-none.crt ca-none.key:
+ caname=ca-none; ${SETUP_CA}
+
+left-from-ca-none.crt left.key: ca-none.crt ca-none.key
+ caname=ca-none; name=left; ${SETUP_CERT}
+
+right-from-ca-none.crt right.key: ca-none.crt ca-none.key
+ caname=ca-none; name=right; ${SETUP_CERT}
+
REGRESS_TARGETS = run-ping-fail
run-ping-fail:
ssh ${LEFT_SSH} "ipsecctl -F; pkill iked || true"
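Review bot: `left.key` and `right.key` become targets of one more rule that carries a recipe, next to the `left-from-ca-right.crt left.key` rule visible in the context. Whether `${SETUP_CERT}` reuses an existing key or writes a new one cannot be seen in this hunk. If it ever rewrote the key, certificates issued earlier would stop matching the `private/local.key` that `setup_certs` uploads, and the failures would look like authentication bugs. Listing the key as a prerequisite would make the intent explicit, e.g. `left-from-ca-none.crt: ca-none.crt ca-none.key left.key`; this assumes a rule that creates only the key, which the file may not have, so confirm first.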
@@ -286,6 +300,15 @@ run-cert-single-ca-asn1dn:
flowtype=esp; ${TEST_FLOWS}; if [[ $$_ret -ne 0 ]]; then exit 1; fi
${TEST_PING}; if [[ $$_ret -ne 0 ]]; then exit 1; fi
+REGRESS_TARGETS += run-cert-no-ca
+run-cert-no-ca:
+ leftid=left-from-ca-none; \
+ rightid=right-from-ca-none; \
+ ${SETUP_CONFIGS}
+ ${SETUP_START}
+ flowtype=esp; ${TEST_FLOWS}; if [[ $$_ret -ne 0 ]]; then exit 1; fi
+ ${TEST_PING}; if [[ $$_ret -ne 0 ]]; then exit 1; fi
+
REGRESS_TARGETS += run-config-address
run-config-address:
flowtype=esp; \
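Review bot: `run-cert-no-ca` only exercises the accepting path, so it would pass just as well if iked accepted any certificate issued by an unknown CA. A locally stored peer certificate acts as a pin that stands in for chain validation, and the property worth guarding is that a `ca-none` certificate absent from `/etc/iked/certs` is refused. If no such case exists elsewhere in the file (not visible here), I would at least leave a marker next to the target: `# TODO: add a failing counterpart where the peer certificate is absent from /etc/iked/certs`. A one-line comment stating that both ids are issued by a CA neither host trusts would also help readers.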