projects / linux-block.git / blame
| Commit | Line | Data |
|---|---|---|
| 6f0c472a DS |
1 | // SPDX-License-Identifier: GPL-2.0 |
| 2 | /* Author: Dmitry Safonov <dima@arista.com> */ | |
| 3 | #include <inttypes.h> | |
| 4 | #include "aolib.h" | |
| 5 | ||
| 6 | #define fault(type) (inj == FAULT_ ## type) | |
| 7 | static const char *md5_password = "Some evil genius, enemy to mankind, must have been the first contriver."; | |
| 8 | static const char *ao_password = DEFAULT_TEST_PASSWORD; | |
| 9 | ||
| 10 | static union tcp_addr client2; | |
| 11 | static union tcp_addr client3; | |
| 12 | ||
| 13 | static const int test_vrf_ifindex = 200; | |
| 14 | static const uint8_t test_vrf_tabid = 42; | |
| 15 | static void setup_vrfs(void) | |
| 16 | { | |
| 17 | int err; | |
| 18 | ||
| 19 | if (!kernel_config_has(KCONFIG_NET_VRF)) | |
| 20 | return; | |
| 21 | ||
| 22 | err = add_vrf("ksft-vrf", test_vrf_tabid, test_vrf_ifindex, -1); | |
| 23 | if (err) | |
| 24 | test_error("Failed to add a VRF: %d", err); | |
| 25 | ||
| 26 | err = link_set_up("ksft-vrf"); | |
| 27 | if (err) | |
| 28 | test_error("Failed to bring up a VRF"); | |
| 29 | ||
| 30 | err = ip_route_add_vrf(veth_name, TEST_FAMILY, | |
| 31 | this_ip_addr, this_ip_dest, test_vrf_tabid); | |
| 32 | if (err) | |
| 72cd9f8d | 33 | test_error("Failed to add a route to VRF: %d", err); |
| 6f0c472a DS |
34 | } |
| 35 | ||
| 36 | static void try_accept(const char *tst_name, unsigned int port, | |
| 37 | union tcp_addr *md5_addr, uint8_t md5_prefix, | |
| 38 | union tcp_addr *ao_addr, uint8_t ao_prefix, | |
| 39 | bool set_ao_required, | |
| 40 | uint8_t sndid, uint8_t rcvid, uint8_t vrf, | |
| 41 | const char *cnt_name, test_cnt cnt_expected, | |
| 42 | int needs_tcp_md5, fault_t inj) | |
| 43 | { | |
| 44 | struct tcp_ao_counters ao_cnt1, ao_cnt2; | |
| 45 | uint64_t before_cnt = 0, after_cnt = 0; /* silence GCC */ | |
| 46 | int lsk, err, sk = 0; | |
| 47 | time_t timeout; | |
| 48 | ||
| 49 | if (needs_tcp_md5 && should_skip_test(tst_name, KCONFIG_TCP_MD5)) | |
| 50 | return; | |
| 51 | ||
| 52 | lsk = test_listen_socket(this_ip_addr, port, 1); | |
| 53 | ||
| 54 | if (md5_addr && test_set_md5(lsk, *md5_addr, md5_prefix, -1, md5_password)) | |
| 55 | test_error("setsockopt(TCP_MD5SIG_EXT)"); | |
| 56 | ||
| 57 | if (ao_addr && test_add_key(lsk, ao_password, | |
| 58 | *ao_addr, ao_prefix, sndid, rcvid)) | |
| 59 | test_error("setsockopt(TCP_AO_ADD_KEY)"); | |
| 60 | ||
| 61 | if (set_ao_required && test_set_ao_flags(lsk, true, false)) | |
| 62 | test_error("setsockopt(TCP_AO_INFO)"); | |
| 63 | ||
| 64 | if (cnt_name) | |
| 65 | before_cnt = netstat_get_one(cnt_name, NULL); | |
| 66 | if (ao_addr && test_get_tcp_ao_counters(lsk, &ao_cnt1)) | |
| 67 | test_error("test_get_tcp_ao_counters()"); | |
| 68 | ||
| 69 | synchronize_threads(); /* preparations done */ | |
| 70 | ||
| 71 | timeout = fault(TIMEOUT) ? TEST_RETRANSMIT_SEC : TEST_TIMEOUT_SEC; | |
| 72 | err = test_wait_fd(lsk, timeout, 0); | |
| 73 | if (err == -ETIMEDOUT) { | |
| 74 | if (!fault(TIMEOUT)) | |
| 67f440c0 | 75 | test_fail("timed out for accept()"); |
| 6f0c472a DS |
76 | } else if (err < 0) { |
| 77 | test_error("test_wait_fd()"); | |
| 78 | } else { | |
| 79 | if (fault(TIMEOUT)) | |
| 80 | test_fail("ready to accept"); | |
| 81 | ||
| 82 | sk = accept(lsk, NULL, NULL); | |
| 83 | if (sk < 0) { | |
| 84 | test_error("accept()"); | |
| 85 | } else { | |
| 86 | if (fault(TIMEOUT)) | |
| 87 | test_fail("%s: accepted", tst_name); | |
| 88 | } | |
| 89 | } | |
| 90 | ||
| 91 | if (ao_addr && test_get_tcp_ao_counters(lsk, &ao_cnt2)) | |
| 92 | test_error("test_get_tcp_ao_counters()"); | |
| 93 | close(lsk); | |
| 94 | ||
| 95 | if (!cnt_name) { | |
| 96 | test_ok("%s: no counter checks", tst_name); | |
| 97 | goto out; | |
| 98 | } | |
| 99 | ||
| 100 | after_cnt = netstat_get_one(cnt_name, NULL); | |
| 101 | ||
| 102 | if (after_cnt <= before_cnt) { | |
| 103 | test_fail("%s: %s counter did not increase: %zu <= %zu", | |
| 104 | tst_name, cnt_name, after_cnt, before_cnt); | |
| 105 | } else { | |
| 106 | test_ok("%s: counter %s increased %zu => %zu", | |
| 107 | tst_name, cnt_name, before_cnt, after_cnt); | |
| 108 | } | |
| 109 | if (ao_addr) | |
| 110 | test_tcp_ao_counters_cmp(tst_name, &ao_cnt1, &ao_cnt2, cnt_expected); | |
| 111 | ||
| 112 | out: | |
| b083d24f | 113 | synchronize_threads(); /* test_kill_sk() */ |
| 6f0c472a | 114 | if (sk > 0) |
| b083d24f | 115 | test_kill_sk(sk); |
| 6f0c472a DS |
116 | } |
| 117 | ||
| 118 | static void server_add_routes(void) | |
| 119 | { | |
| 120 | int family = TEST_FAMILY; | |
| 121 | ||
| 122 | synchronize_threads(); /* client_add_ips() */ | |
| 123 | ||
| 124 | if (ip_route_add(veth_name, family, this_ip_addr, client2)) | |
| 125 | test_error("Failed to add route"); | |
| 126 | if (ip_route_add(veth_name, family, this_ip_addr, client3)) | |
| 127 | test_error("Failed to add route"); | |
| 128 | } | |
| 129 | ||
| 130 | static void server_add_fail_tests(unsigned int *port) | |
| 131 | { | |
| 132 | union tcp_addr addr_any = {}; | |
| 133 | ||
| 134 | try_accept("TCP-AO established: add TCP-MD5 key", (*port)++, NULL, 0, | |
| 135 | &addr_any, 0, 0, 100, 100, 0, "TCPAOGood", TEST_CNT_GOOD, | |
| 136 | 1, 0); | |
| 137 | try_accept("TCP-MD5 established: add TCP-AO key", (*port)++, &addr_any, | |
| 138 | 0, NULL, 0, 0, 0, 0, 0, NULL, 0, 1, 0); | |
| 139 | try_accept("non-signed established: add TCP-AO key", (*port)++, NULL, 0, | |
| 140 | NULL, 0, 0, 0, 0, 0, "CurrEstab", 0, 0, 0); | |
| 141 | } | |
| 142 | ||
| 143 | static void server_vrf_tests(unsigned int *port) | |
| 144 | { | |
| 145 | setup_vrfs(); | |
| 146 | } | |
| 147 | ||
| 148 | static void *server_fn(void *arg) | |
| 149 | { | |
| 150 | unsigned int port = test_server_port; | |
| 151 | union tcp_addr addr_any = {}; | |
| 152 | ||
| 153 | server_add_routes(); | |
| 154 | ||
| 155 | try_accept("AO server (INADDR_ANY): AO client", port++, NULL, 0, | |
| 156 | &addr_any, 0, 0, 100, 100, 0, "TCPAOGood", | |
| 157 | TEST_CNT_GOOD, 0, 0); | |
| 158 | try_accept("AO server (INADDR_ANY): MD5 client", port++, NULL, 0, | |
| 159 | &addr_any, 0, 0, 100, 100, 0, "TCPMD5Unexpected", | |
| 160 | 0, 1, FAULT_TIMEOUT); | |
| 161 | try_accept("AO server (INADDR_ANY): no sign client", port++, NULL, 0, | |
| 162 | &addr_any, 0, 0, 100, 100, 0, "TCPAORequired", | |
| 163 | TEST_CNT_AO_REQUIRED, 0, FAULT_TIMEOUT); | |
| 164 | try_accept("AO server (AO_REQUIRED): AO client", port++, NULL, 0, | |
| 165 | &this_ip_dest, TEST_PREFIX, true, | |
| 166 | 100, 100, 0, "TCPAOGood", TEST_CNT_GOOD, 0, 0); | |
| 167 | try_accept("AO server (AO_REQUIRED): unsigned client", port++, NULL, 0, | |
| 168 | &this_ip_dest, TEST_PREFIX, true, | |
| 169 | 100, 100, 0, "TCPAORequired", | |
| 170 | TEST_CNT_AO_REQUIRED, 0, FAULT_TIMEOUT); | |
| 171 | ||
| 172 | try_accept("MD5 server (INADDR_ANY): AO client", port++, &addr_any, 0, | |
| 173 | NULL, 0, 0, 0, 0, 0, "TCPAOKeyNotFound", | |
| 174 | 0, 1, FAULT_TIMEOUT); | |
| 175 | try_accept("MD5 server (INADDR_ANY): MD5 client", port++, &addr_any, 0, | |
| 176 | NULL, 0, 0, 0, 0, 0, NULL, 0, 1, 0); | |
| 177 | try_accept("MD5 server (INADDR_ANY): no sign client", port++, &addr_any, | |
| 178 | 0, NULL, 0, 0, 0, 0, 0, "TCPMD5NotFound", | |
| 179 | 0, 1, FAULT_TIMEOUT); | |
| 180 | ||
| 181 | try_accept("no sign server: AO client", port++, NULL, 0, | |
| 182 | NULL, 0, 0, 0, 0, 0, "TCPAOKeyNotFound", | |
| 183 | TEST_CNT_AO_KEY_NOT_FOUND, 0, FAULT_TIMEOUT); | |
| 184 | try_accept("no sign server: MD5 client", port++, NULL, 0, | |
| 185 | NULL, 0, 0, 0, 0, 0, "TCPMD5Unexpected", | |
| 186 | 0, 1, FAULT_TIMEOUT); | |
| 187 | try_accept("no sign server: no sign client", port++, NULL, 0, | |
| 188 | NULL, 0, 0, 0, 0, 0, "CurrEstab", 0, 0, 0); | |
| 189 | ||
| 190 | try_accept("AO+MD5 server: AO client (matching)", port++, | |
| 191 | &this_ip_dest, TEST_PREFIX, &client2, TEST_PREFIX, 0, | |
| 192 | 100, 100, 0, "TCPAOGood", TEST_CNT_GOOD, 1, 0); | |
| 193 | try_accept("AO+MD5 server: AO client (misconfig, matching MD5)", port++, | |
| 194 | &this_ip_dest, TEST_PREFIX, &client2, TEST_PREFIX, 0, | |
| 195 | 100, 100, 0, "TCPAOKeyNotFound", TEST_CNT_AO_KEY_NOT_FOUND, | |
| 196 | 1, FAULT_TIMEOUT); | |
| 197 | try_accept("AO+MD5 server: AO client (misconfig, non-matching)", port++, | |
| 198 | &this_ip_dest, TEST_PREFIX, &client2, TEST_PREFIX, 0, | |
| 199 | 100, 100, 0, "TCPAOKeyNotFound", TEST_CNT_AO_KEY_NOT_FOUND, | |
| 200 | 1, FAULT_TIMEOUT); | |
| 201 | try_accept("AO+MD5 server: MD5 client (matching)", port++, | |
| 202 | &this_ip_dest, TEST_PREFIX, &client2, TEST_PREFIX, 0, | |
| 203 | 100, 100, 0, NULL, 0, 1, 0); | |
| 204 | try_accept("AO+MD5 server: MD5 client (misconfig, matching AO)", port++, | |
| 205 | &this_ip_dest, TEST_PREFIX, &client2, TEST_PREFIX, 0, | |
| 206 | 100, 100, 0, "TCPMD5Unexpected", 0, 1, FAULT_TIMEOUT); | |
| 207 | try_accept("AO+MD5 server: MD5 client (misconfig, non-matching)", port++, | |
| 208 | &this_ip_dest, TEST_PREFIX, &client2, TEST_PREFIX, 0, | |
| 209 | 100, 100, 0, "TCPMD5Unexpected", 0, 1, FAULT_TIMEOUT); | |
| 210 | try_accept("AO+MD5 server: no sign client (unmatched)", port++, | |
| 211 | &this_ip_dest, TEST_PREFIX, &client2, TEST_PREFIX, 0, | |
| 212 | 100, 100, 0, "CurrEstab", 0, 1, 0); | |
| 213 | try_accept("AO+MD5 server: no sign client (misconfig, matching AO)", | |
| 214 | port++, &this_ip_dest, TEST_PREFIX, &client2, TEST_PREFIX, 0, | |
| 215 | 100, 100, 0, "TCPAORequired", | |
| 216 | TEST_CNT_AO_REQUIRED, 1, FAULT_TIMEOUT); | |
| 217 | try_accept("AO+MD5 server: no sign client (misconfig, matching MD5)", | |
| 218 | port++, &this_ip_dest, TEST_PREFIX, &client2, TEST_PREFIX, 0, | |
| 219 | 100, 100, 0, "TCPMD5NotFound", 0, 1, FAULT_TIMEOUT); | |
| 220 | ||
| 221 | try_accept("AO+MD5 server: client with both [TCP-MD5] and TCP-AO keys", | |
| 222 | port++, &this_ip_dest, TEST_PREFIX, &client2, TEST_PREFIX, 0, | |
| 223 | 100, 100, 0, NULL, 0, 1, FAULT_TIMEOUT); | |
| 224 | try_accept("AO+MD5 server: client with both TCP-MD5 and [TCP-AO] keys", | |
| 225 | port++, &this_ip_dest, TEST_PREFIX, &client2, TEST_PREFIX, 0, | |
| 226 | 100, 100, 0, NULL, 0, 1, FAULT_TIMEOUT); | |
| 227 | ||
| 228 | server_add_fail_tests(&port); | |
| 229 | ||
| 230 | server_vrf_tests(&port); | |
| 231 | ||
| 232 | /* client exits */ | |
| 233 | synchronize_threads(); | |
| 234 | return NULL; | |
| 235 | } | |
| 236 | ||
| 237 | static int client_bind(int sk, union tcp_addr bind_addr) | |
| 238 | { | |
| 239 | #ifdef IPV6_TEST | |
| 240 | struct sockaddr_in6 addr = { | |
| 241 | .sin6_family = AF_INET6, | |
| 242 | .sin6_port = 0, | |
| 243 | .sin6_addr = bind_addr.a6, | |
| 244 | }; | |
| 245 | #else | |
| 246 | struct sockaddr_in addr = { | |
| 247 | .sin_family = AF_INET, | |
| 248 | .sin_port = 0, | |
| 249 | .sin_addr = bind_addr.a4, | |
| 250 | }; | |
| 251 | #endif | |
| 252 | return bind(sk, &addr, sizeof(addr)); | |
| 253 | } | |
| 254 | ||
| 255 | static void try_connect(const char *tst_name, unsigned int port, | |
| 256 | union tcp_addr *md5_addr, uint8_t md5_prefix, | |
| 257 | union tcp_addr *ao_addr, uint8_t ao_prefix, | |
| 258 | uint8_t sndid, uint8_t rcvid, uint8_t vrf, | |
| 259 | fault_t inj, int needs_tcp_md5, union tcp_addr *bind_addr) | |
| 260 | { | |
| 261 | time_t timeout; | |
| 262 | int sk, ret; | |
| 263 | ||
| 264 | if (needs_tcp_md5 && should_skip_test(tst_name, KCONFIG_TCP_MD5)) | |
| 265 | return; | |
| 266 | ||
| 267 | sk = socket(test_family, SOCK_STREAM, IPPROTO_TCP); | |
| 268 | if (sk < 0) | |
| 269 | test_error("socket()"); | |
| 270 | ||
| 271 | if (bind_addr && client_bind(sk, *bind_addr)) | |
| 272 | test_error("bind()"); | |
| 273 | ||
| 274 | if (md5_addr && test_set_md5(sk, *md5_addr, md5_prefix, -1, md5_password)) | |
| 275 | test_error("setsockopt(TCP_MD5SIG_EXT)"); | |
| 276 | ||
| 277 | if (ao_addr && test_add_key(sk, ao_password, *ao_addr, | |
| 278 | ao_prefix, sndid, rcvid)) | |
| 279 | test_error("setsockopt(TCP_AO_ADD_KEY)"); | |
| 280 | ||
| 281 | synchronize_threads(); /* preparations done */ | |
| 282 | ||
| 283 | timeout = fault(TIMEOUT) ? TEST_RETRANSMIT_SEC : TEST_TIMEOUT_SEC; | |
| 284 | ret = _test_connect_socket(sk, this_ip_dest, port, timeout); | |
| 285 | ||
| 286 | if (ret < 0) { | |
| 287 | if (fault(KEYREJECT) && ret == -EKEYREJECTED) | |
| 288 | test_ok("%s: connect() was prevented", tst_name); | |
| 289 | else if (ret == -ETIMEDOUT && fault(TIMEOUT)) | |
| 290 | test_ok("%s", tst_name); | |
| 291 | else if (ret == -ECONNREFUSED && | |
| 292 | (fault(TIMEOUT) || fault(KEYREJECT))) | |
| 293 | test_ok("%s: refused to connect", tst_name); | |
| 294 | else | |
| 295 | test_error("%s: connect() returned %d", tst_name, ret); | |
| 296 | goto out; | |
| 297 | } | |
| 298 | ||
| 299 | if (fault(TIMEOUT) || fault(KEYREJECT)) | |
| 300 | test_fail("%s: connected", tst_name); | |
| 301 | else | |
| 302 | test_ok("%s: connected", tst_name); | |
| 303 | ||
| 304 | out: | |
| b083d24f | 305 | synchronize_threads(); /* test_kill_sk() */ |
| 6f0c472a DS |
306 | /* _test_connect_socket() cleans up on failure */ |
| 307 | if (ret > 0) | |
| b083d24f | 308 | test_kill_sk(sk); |
| 6f0c472a DS |
309 | } |
| 310 | ||
| 311 | #define PREINSTALL_MD5_FIRST BIT(0) | |
| 312 | #define PREINSTALL_AO BIT(1) | |
| 313 | #define POSTINSTALL_AO BIT(2) | |
| 314 | #define PREINSTALL_MD5 BIT(3) | |
| 315 | #define POSTINSTALL_MD5 BIT(4) | |
| 316 | ||
| 317 | static int try_add_key_vrf(int sk, union tcp_addr in_addr, uint8_t prefix, | |
| 318 | int vrf, uint8_t sndid, uint8_t rcvid, | |
| 319 | bool set_ao_required) | |
| 320 | { | |
| 321 | uint8_t keyflags = 0; | |
| 322 | ||
| 323 | if (vrf >= 0) | |
| 324 | keyflags |= TCP_AO_KEYF_IFINDEX; | |
| 325 | else | |
| 326 | vrf = 0; | |
| 327 | if (set_ao_required) { | |
| 328 | int err = test_set_ao_flags(sk, true, 0); | |
| 329 | ||
| 330 | if (err) | |
| 331 | return err; | |
| 332 | } | |
| 333 | return test_add_key_vrf(sk, ao_password, keyflags, in_addr, prefix, | |
| 334 | (uint8_t)vrf, sndid, rcvid); | |
| 335 | } | |
| 336 | ||
| 337 | static bool test_continue(const char *tst_name, int err, | |
| 338 | fault_t inj, bool added_ao) | |
| 339 | { | |
| 340 | bool expected_to_fail; | |
| 341 | ||
| 342 | expected_to_fail = fault(PREINSTALL_AO) && added_ao; | |
| 343 | expected_to_fail |= fault(PREINSTALL_MD5) && !added_ao; | |
| 344 | ||
| 345 | if (!err) { | |
| 346 | if (!expected_to_fail) | |
| 347 | return true; | |
| 348 | test_fail("%s: setsockopt()s were expected to fail", tst_name); | |
| 349 | return false; | |
| 350 | } | |
| 351 | if (err != -EKEYREJECTED || !expected_to_fail) { | |
| 352 | test_error("%s: setsockopt(%s) = %d", tst_name, | |
| 353 | added_ao ? "TCP_AO_ADD_KEY" : "TCP_MD5SIG_EXT", err); | |
| 354 | return false; | |
| 355 | } | |
| 356 | test_ok("%s: prefailed as expected: %m", tst_name); | |
| 357 | return false; | |
| 358 | } | |
| 359 | ||
| 360 | static int open_add(const char *tst_name, unsigned int port, | |
| 361 | unsigned int strategy, | |
| 362 | union tcp_addr md5_addr, uint8_t md5_prefix, int md5_vrf, | |
| 363 | union tcp_addr ao_addr, uint8_t ao_prefix, | |
| 364 | int ao_vrf, bool set_ao_required, | |
| 365 | uint8_t sndid, uint8_t rcvid, | |
| 366 | fault_t inj) | |
| 367 | { | |
| 368 | int sk; | |
| 369 | ||
| 370 | sk = socket(test_family, SOCK_STREAM, IPPROTO_TCP); | |
| 371 | if (sk < 0) | |
| 372 | test_error("socket()"); | |
| 373 | ||
| 374 | if (client_bind(sk, this_ip_addr)) | |
| 375 | test_error("bind()"); | |
| 376 | ||
| 377 | if (strategy & PREINSTALL_MD5_FIRST) { | |
| 378 | if (test_set_md5(sk, md5_addr, md5_prefix, md5_vrf, md5_password)) | |
| 379 | test_error("setsockopt(TCP_MD5SIG_EXT)"); | |
| 380 | } | |
| 381 | ||
| 382 | if (strategy & PREINSTALL_AO) { | |
| 383 | int err = try_add_key_vrf(sk, ao_addr, ao_prefix, ao_vrf, | |
| 384 | sndid, rcvid, set_ao_required); | |
| 385 | ||
| 386 | if (!test_continue(tst_name, err, inj, true)) { | |
| 387 | close(sk); | |
| 388 | return -1; | |
| 389 | } | |
| 390 | } | |
| 391 | ||
| 392 | if (strategy & PREINSTALL_MD5) { | |
| 393 | errno = 0; | |
| 394 | test_set_md5(sk, md5_addr, md5_prefix, md5_vrf, md5_password); | |
| 395 | if (!test_continue(tst_name, -errno, inj, false)) { | |
| 396 | close(sk); | |
| 397 | return -1; | |
| 398 | } | |
| 399 | } | |
| 400 | ||
| 401 | return sk; | |
| 402 | } | |
| 403 | ||
| 404 | static void try_to_preadd(const char *tst_name, unsigned int port, | |
| 405 | unsigned int strategy, | |
| 406 | union tcp_addr md5_addr, uint8_t md5_prefix, | |
| 407 | int md5_vrf, | |
| 408 | union tcp_addr ao_addr, uint8_t ao_prefix, | |
| 409 | int ao_vrf, bool set_ao_required, | |
| 410 | uint8_t sndid, uint8_t rcvid, | |
| 411 | int needs_tcp_md5, int needs_vrf, fault_t inj) | |
| 412 | { | |
| 413 | int sk; | |
| 414 | ||
| 415 | if (needs_tcp_md5 && should_skip_test(tst_name, KCONFIG_TCP_MD5)) | |
| 416 | return; | |
| 417 | if (needs_vrf && should_skip_test(tst_name, KCONFIG_NET_VRF)) | |
| 418 | return; | |
| 419 | ||
| 420 | sk = open_add(tst_name, port, strategy, md5_addr, md5_prefix, md5_vrf, | |
| 421 | ao_addr, ao_prefix, ao_vrf, set_ao_required, | |
| 422 | sndid, rcvid, inj); | |
| 423 | if (sk < 0) | |
| 424 | return; | |
| 425 | ||
| 426 | test_ok("%s", tst_name); | |
| 427 | close(sk); | |
| 428 | } | |
| 429 | ||
| 430 | static void try_to_add(const char *tst_name, unsigned int port, | |
| 431 | unsigned int strategy, | |
| 432 | union tcp_addr md5_addr, uint8_t md5_prefix, | |
| 433 | int md5_vrf, | |
| 434 | union tcp_addr ao_addr, uint8_t ao_prefix, | |
| 435 | int ao_vrf, uint8_t sndid, uint8_t rcvid, | |
| 436 | int needs_tcp_md5, fault_t inj) | |
| 437 | { | |
| 438 | time_t timeout; | |
| 439 | int sk, ret; | |
| 440 | ||
| 441 | if (needs_tcp_md5 && should_skip_test(tst_name, KCONFIG_TCP_MD5)) | |
| 442 | return; | |
| 443 | ||
| 444 | sk = open_add(tst_name, port, strategy, md5_addr, md5_prefix, md5_vrf, | |
| 445 | ao_addr, ao_prefix, ao_vrf, 0, sndid, rcvid, inj); | |
| 446 | if (sk < 0) | |
| 447 | return; | |
| 448 | ||
| 449 | synchronize_threads(); /* preparations done */ | |
| 450 | ||
| 451 | timeout = fault(TIMEOUT) ? TEST_RETRANSMIT_SEC : TEST_TIMEOUT_SEC; | |
| 452 | ret = _test_connect_socket(sk, this_ip_dest, port, timeout); | |
| 453 | ||
| 454 | if (ret <= 0) { | |
| 455 | test_error("%s: connect() returned %d", tst_name, ret); | |
| 456 | goto out; | |
| 457 | } | |
| 458 | ||
| 459 | if (strategy & POSTINSTALL_MD5) { | |
| 460 | if (test_set_md5(sk, md5_addr, md5_prefix, md5_vrf, md5_password)) { | |
| 461 | if (fault(POSTINSTALL)) { | |
| 462 | test_ok("%s: postfailed as expected", tst_name); | |
| 463 | goto out; | |
| 464 | } else { | |
| 465 | test_error("setsockopt(TCP_MD5SIG_EXT)"); | |
| 466 | } | |
| 467 | } else if (fault(POSTINSTALL)) { | |
| 468 | test_fail("%s: post setsockopt() was expected to fail", tst_name); | |
| 469 | goto out; | |
| 470 | } | |
| 471 | } | |
| 472 | ||
| 473 | if (strategy & POSTINSTALL_AO) { | |
| 474 | if (try_add_key_vrf(sk, ao_addr, ao_prefix, ao_vrf, | |
| 475 | sndid, rcvid, 0)) { | |
| 476 | if (fault(POSTINSTALL)) { | |
| 477 | test_ok("%s: postfailed as expected", tst_name); | |
| 478 | goto out; | |
| 479 | } else { | |
| 480 | test_error("setsockopt(TCP_AO_ADD_KEY)"); | |
| 481 | } | |
| 482 | } else if (fault(POSTINSTALL)) { | |
| 483 | test_fail("%s: post setsockopt() was expected to fail", tst_name); | |
| 484 | goto out; | |
| 485 | } | |
| 486 | } | |
| 487 | ||
| 488 | out: | |
| b083d24f | 489 | synchronize_threads(); /* test_kill_sk() */ |
| 6f0c472a DS |
490 | /* _test_connect_socket() cleans up on failure */ |
| 491 | if (ret > 0) | |
| b083d24f | 492 | test_kill_sk(sk); |
| 6f0c472a DS |
493 | } |
| 494 | ||
| 495 | static void client_add_ip(union tcp_addr *client, const char *ip) | |
| 496 | { | |
| 72cd9f8d | 497 | int err, family = TEST_FAMILY; |
| 6f0c472a DS |
498 | |
| 499 | if (inet_pton(family, ip, client) != 1) | |
| 500 | test_error("Can't convert ip address %s", ip); | |
| 501 | ||
| 72cd9f8d DS |
502 | err = ip_addr_add(veth_name, family, *client, TEST_PREFIX); |
| 503 | if (err) | |
| 504 | test_error("Failed to add ip address: %d", err); | |
| 6f0c472a DS |
505 | } |
| 506 | ||
| 507 | static void client_add_ips(void) | |
| 508 | { | |
| 509 | client_add_ip(&client2, __TEST_CLIENT_IP(2)); | |
| 510 | client_add_ip(&client3, __TEST_CLIENT_IP(3)); | |
| 511 | synchronize_threads(); /* server_add_routes() */ | |
| 512 | } | |
| 513 | ||
| 514 | static void client_add_fail_tests(unsigned int *port) | |
| 515 | { | |
| 516 | try_to_add("TCP-AO established: add TCP-MD5 key", | |
| 517 | (*port)++, POSTINSTALL_MD5 | PREINSTALL_AO, | |
| 518 | this_ip_dest, TEST_PREFIX, -1, this_ip_dest, TEST_PREFIX, 0, | |
| 519 | 100, 100, 1, FAULT_POSTINSTALL); | |
| 520 | try_to_add("TCP-MD5 established: add TCP-AO key", | |
| 521 | (*port)++, PREINSTALL_MD5 | POSTINSTALL_AO, | |
| 522 | this_ip_dest, TEST_PREFIX, -1, this_ip_dest, TEST_PREFIX, 0, | |
| 523 | 100, 100, 1, FAULT_POSTINSTALL); | |
| 524 | try_to_add("non-signed established: add TCP-AO key", | |
| 525 | (*port)++, POSTINSTALL_AO, | |
| 526 | this_ip_dest, TEST_PREFIX, -1, this_ip_dest, TEST_PREFIX, 0, | |
| 527 | 100, 100, 0, FAULT_POSTINSTALL); | |
| 528 | ||
| 529 | try_to_add("TCP-AO key intersects with existing TCP-MD5 key", | |
| 530 | (*port)++, PREINSTALL_MD5_FIRST | PREINSTALL_AO, | |
| 531 | this_ip_addr, TEST_PREFIX, -1, this_ip_addr, TEST_PREFIX, -1, | |
| 532 | 100, 100, 1, FAULT_PREINSTALL_AO); | |
| 533 | try_to_add("TCP-MD5 key intersects with existing TCP-AO key", | |
| 534 | (*port)++, PREINSTALL_MD5 | PREINSTALL_AO, | |
| 535 | this_ip_addr, TEST_PREFIX, -1, this_ip_addr, TEST_PREFIX, -1, | |
| 536 | 100, 100, 1, FAULT_PREINSTALL_MD5); | |
| 537 | ||
| 538 | try_to_preadd("TCP-MD5 key + TCP-AO required", | |
| 539 | (*port)++, PREINSTALL_MD5_FIRST | PREINSTALL_AO, | |
| 540 | this_ip_addr, TEST_PREFIX, -1, | |
| 541 | this_ip_addr, TEST_PREFIX, -1, true, | |
| 542 | 100, 100, 1, 0, FAULT_PREINSTALL_AO); | |
| 543 | try_to_preadd("TCP-AO required on socket + TCP-MD5 key", | |
| 544 | (*port)++, PREINSTALL_MD5 | PREINSTALL_AO, | |
| 545 | this_ip_addr, TEST_PREFIX, -1, | |
| 546 | this_ip_addr, TEST_PREFIX, -1, true, | |
| 547 | 100, 100, 1, 0, FAULT_PREINSTALL_MD5); | |
| 548 | } | |
| 549 | ||
| 550 | static void client_vrf_tests(unsigned int *port) | |
| 551 | { | |
| 552 | setup_vrfs(); | |
| 553 | ||
| 554 | /* The following restrictions for setsockopt()s are expected: | |
| 555 | * | |
| 556 | * |--------------|-----------------|-------------|-------------| | |
| 557 | * | | MD5 key without | MD5 key | MD5 key | | |
| 558 | * | | l3index | l3index=0 | l3index=N | | |
| 559 | * |--------------|-----------------|-------------|-------------| | |
| 560 | * | TCP-AO key | | | | | |
| 561 | * | without | reject | reject | reject | | |
| 562 | * | l3index | | | | | |
| 563 | * |--------------|-----------------|-------------|-------------| | |
| 564 | * | TCP-AO key | | | | | |
| 565 | * | l3index=0 | reject | reject | allow | | |
| 566 | * |--------------|-----------------|-------------|-------------| | |
| 567 | * | TCP-AO key | | | | | |
| 568 | * | l3index=N | reject | allow | reject | | |
| 569 | * |--------------|-----------------|-------------|-------------| | |
| 570 | */ | |
| 571 | try_to_preadd("VRF: TCP-AO key (no l3index) + TCP-MD5 key (no l3index)", | |
| 572 | (*port)++, PREINSTALL_MD5 | PREINSTALL_AO, | |
| 573 | this_ip_addr, TEST_PREFIX, -1, | |
| 574 | this_ip_addr, TEST_PREFIX, -1, 0, 100, 100, | |
| 575 | 1, 1, FAULT_PREINSTALL_MD5); | |
| 576 | try_to_preadd("VRF: TCP-MD5 key (no l3index) + TCP-AO key (no l3index)", | |
| 577 | (*port)++, PREINSTALL_MD5_FIRST | PREINSTALL_AO, | |
| 578 | this_ip_addr, TEST_PREFIX, -1, | |
| 579 | this_ip_addr, TEST_PREFIX, -1, 0, 100, 100, | |
| 580 | 1, 1, FAULT_PREINSTALL_AO); | |
| 581 | try_to_preadd("VRF: TCP-AO key (no l3index) + TCP-MD5 key (l3index=0)", | |
| 582 | (*port)++, PREINSTALL_MD5 | PREINSTALL_AO, | |
| 583 | this_ip_addr, TEST_PREFIX, 0, | |
| 584 | this_ip_addr, TEST_PREFIX, -1, 0, 100, 100, | |
| 585 | 1, 1, FAULT_PREINSTALL_MD5); | |
| 586 | try_to_preadd("VRF: TCP-MD5 key (l3index=0) + TCP-AO key (no l3index)", | |
| 587 | (*port)++, PREINSTALL_MD5_FIRST | PREINSTALL_AO, | |
| 588 | this_ip_addr, TEST_PREFIX, 0, | |
| 589 | this_ip_addr, TEST_PREFIX, -1, 0, 100, 100, | |
| 590 | 1, 1, FAULT_PREINSTALL_AO); | |
| 591 | try_to_preadd("VRF: TCP-AO key (no l3index) + TCP-MD5 key (l3index=N)", | |
| 592 | (*port)++, PREINSTALL_MD5 | PREINSTALL_AO, | |
| 593 | this_ip_addr, TEST_PREFIX, test_vrf_ifindex, | |
| 594 | this_ip_addr, TEST_PREFIX, -1, 0, 100, 100, | |
| 595 | 1, 1, FAULT_PREINSTALL_MD5); | |
| 596 | try_to_preadd("VRF: TCP-MD5 key (l3index=N) + TCP-AO key (no l3index)", | |
| 597 | (*port)++, PREINSTALL_MD5_FIRST | PREINSTALL_AO, | |
| 598 | this_ip_addr, TEST_PREFIX, test_vrf_ifindex, | |
| 599 | this_ip_addr, TEST_PREFIX, -1, 0, 100, 100, | |
| 600 | 1, 1, FAULT_PREINSTALL_AO); | |
| 601 | ||
| 602 | try_to_preadd("VRF: TCP-AO key (l3index=0) + TCP-MD5 key (no l3index)", | |
| 603 | (*port)++, PREINSTALL_MD5 | PREINSTALL_AO, | |
| 604 | this_ip_addr, TEST_PREFIX, -1, | |
| 605 | this_ip_addr, TEST_PREFIX, 0, 0, 100, 100, | |
| 606 | 1, 1, FAULT_PREINSTALL_MD5); | |
| 607 | try_to_preadd("VRF: TCP-MD5 key (no l3index) + TCP-AO key (l3index=0)", | |
| 608 | (*port)++, PREINSTALL_MD5_FIRST | PREINSTALL_AO, | |
| 609 | this_ip_addr, TEST_PREFIX, -1, | |
| 610 | this_ip_addr, TEST_PREFIX, 0, 0, 100, 100, | |
| 611 | 1, 1, FAULT_PREINSTALL_AO); | |
| 612 | try_to_preadd("VRF: TCP-AO key (l3index=0) + TCP-MD5 key (l3index=0)", | |
| 613 | (*port)++, PREINSTALL_MD5 | PREINSTALL_AO, | |
| 614 | this_ip_addr, TEST_PREFIX, 0, | |
| 615 | this_ip_addr, TEST_PREFIX, 0, 0, 100, 100, | |
| 616 | 1, 1, FAULT_PREINSTALL_MD5); | |
| 617 | try_to_preadd("VRF: TCP-MD5 key (l3index=0) + TCP-AO key (l3index=0)", | |
| 618 | (*port)++, PREINSTALL_MD5_FIRST | PREINSTALL_AO, | |
| 619 | this_ip_addr, TEST_PREFIX, 0, | |
| 620 | this_ip_addr, TEST_PREFIX, 0, 0, 100, 100, | |
| 621 | 1, 1, FAULT_PREINSTALL_AO); | |
| 622 | try_to_preadd("VRF: TCP-AO key (l3index=0) + TCP-MD5 key (l3index=N)", | |
| 623 | (*port)++, PREINSTALL_MD5 | PREINSTALL_AO, | |
| 624 | this_ip_addr, TEST_PREFIX, test_vrf_ifindex, | |
| 625 | this_ip_addr, TEST_PREFIX, 0, 0, 100, 100, | |
| 626 | 1, 1, 0); | |
| 627 | try_to_preadd("VRF: TCP-MD5 key (l3index=N) + TCP-AO key (l3index=0)", | |
| 628 | (*port)++, PREINSTALL_MD5_FIRST | PREINSTALL_AO, | |
| 629 | this_ip_addr, TEST_PREFIX, test_vrf_ifindex, | |
| 630 | this_ip_addr, TEST_PREFIX, 0, 0, 100, 100, | |
| 631 | 1, 1, 0); | |
| 632 | ||
| 633 | try_to_preadd("VRF: TCP-AO key (l3index=N) + TCP-MD5 key (no l3index)", | |
| 634 | (*port)++, PREINSTALL_MD5 | PREINSTALL_AO, | |
| 635 | this_ip_addr, TEST_PREFIX, test_vrf_ifindex, | |
| 636 | this_ip_addr, TEST_PREFIX, -1, 0, 100, 100, | |
| 637 | 1, 1, FAULT_PREINSTALL_MD5); | |
| 638 | try_to_preadd("VRF: TCP-MD5 key (no l3index) + TCP-AO key (l3index=N)", | |
| 639 | (*port)++, PREINSTALL_MD5_FIRST | PREINSTALL_AO, | |
| 640 | this_ip_addr, TEST_PREFIX, -1, | |
| 641 | this_ip_addr, TEST_PREFIX, test_vrf_ifindex, 0, 100, 100, | |
| 642 | 1, 1, FAULT_PREINSTALL_AO); | |
| 643 | try_to_preadd("VRF: TCP-AO key (l3index=N) + TCP-MD5 key (l3index=0)", | |
| 644 | (*port)++, PREINSTALL_MD5 | PREINSTALL_AO, | |
| 645 | this_ip_addr, TEST_PREFIX, 0, | |
| 646 | this_ip_addr, TEST_PREFIX, test_vrf_ifindex, 0, 100, 100, | |
| 647 | 1, 1, 0); | |
| 648 | try_to_preadd("VRF: TCP-MD5 key (l3index=0) + TCP-AO key (l3index=N)", | |
| 649 | (*port)++, PREINSTALL_MD5_FIRST | PREINSTALL_AO, | |
| 650 | this_ip_addr, TEST_PREFIX, 0, | |
| 651 | this_ip_addr, TEST_PREFIX, test_vrf_ifindex, 0, 100, 100, | |
| 652 | 1, 1, 0); | |
| 653 | try_to_preadd("VRF: TCP-AO key (l3index=N) + TCP-MD5 key (l3index=N)", | |
| 654 | (*port)++, PREINSTALL_MD5 | PREINSTALL_AO, | |
| 655 | this_ip_addr, TEST_PREFIX, test_vrf_ifindex, | |
| 656 | this_ip_addr, TEST_PREFIX, test_vrf_ifindex, 0, 100, 100, | |
| 657 | 1, 1, FAULT_PREINSTALL_MD5); | |
| 658 | try_to_preadd("VRF: TCP-MD5 key (l3index=N) + TCP-AO key (l3index=N)", | |
| 659 | (*port)++, PREINSTALL_MD5_FIRST | PREINSTALL_AO, | |
| 660 | this_ip_addr, TEST_PREFIX, test_vrf_ifindex, | |
| 661 | this_ip_addr, TEST_PREFIX, test_vrf_ifindex, 0, 100, 100, | |
| 662 | 1, 1, FAULT_PREINSTALL_AO); | |
| 663 | } | |
| 664 | ||
| 665 | static void *client_fn(void *arg) | |
| 666 | { | |
| 667 | unsigned int port = test_server_port; | |
| 668 | union tcp_addr addr_any = {}; | |
| 669 | ||
| 670 | client_add_ips(); | |
| 671 | ||
| 672 | try_connect("AO server (INADDR_ANY): AO client", port++, NULL, 0, | |
| 673 | &addr_any, 0, 100, 100, 0, 0, 0, &this_ip_addr); | |
| 674 | try_connect("AO server (INADDR_ANY): MD5 client", port++, &addr_any, 0, | |
| 675 | NULL, 0, 100, 100, 0, FAULT_TIMEOUT, 1, &this_ip_addr); | |
| 676 | try_connect("AO server (INADDR_ANY): unsigned client", port++, NULL, 0, | |
| 677 | NULL, 0, 100, 100, 0, FAULT_TIMEOUT, 0, &this_ip_addr); | |
| 678 | try_connect("AO server (AO_REQUIRED): AO client", port++, NULL, 0, | |
| 679 | &addr_any, 0, 100, 100, 0, 0, 0, &this_ip_addr); | |
| 680 | try_connect("AO server (AO_REQUIRED): unsigned client", port++, NULL, 0, | |
| 681 | NULL, 0, 100, 100, 0, FAULT_TIMEOUT, 0, &client2); | |
| 682 | ||
| 683 | try_connect("MD5 server (INADDR_ANY): AO client", port++, NULL, 0, | |
| 684 | &addr_any, 0, 100, 100, 0, FAULT_TIMEOUT, 1, &this_ip_addr); | |
| 685 | try_connect("MD5 server (INADDR_ANY): MD5 client", port++, &addr_any, 0, | |
| 686 | NULL, 0, 100, 100, 0, 0, 1, &this_ip_addr); | |
| 687 | try_connect("MD5 server (INADDR_ANY): no sign client", port++, NULL, 0, | |
| 688 | NULL, 0, 100, 100, 0, FAULT_TIMEOUT, 1, &this_ip_addr); | |
| 689 | ||
| 690 | try_connect("no sign server: AO client", port++, NULL, 0, | |
| 691 | &addr_any, 0, 100, 100, 0, FAULT_TIMEOUT, 0, &this_ip_addr); | |
| 692 | try_connect("no sign server: MD5 client", port++, &addr_any, 0, | |
| 693 | NULL, 0, 100, 100, 0, FAULT_TIMEOUT, 1, &this_ip_addr); | |
| 694 | try_connect("no sign server: no sign client", port++, NULL, 0, | |
| 695 | NULL, 0, 100, 100, 0, 0, 0, &this_ip_addr); | |
| 696 | ||
| 697 | try_connect("AO+MD5 server: AO client (matching)", port++, NULL, 0, | |
| 698 | &addr_any, 0, 100, 100, 0, 0, 1, &client2); | |
| 699 | try_connect("AO+MD5 server: AO client (misconfig, matching MD5)", | |
| 700 | port++, NULL, 0, &addr_any, 0, 100, 100, 0, | |
| 701 | FAULT_TIMEOUT, 1, &this_ip_addr); | |
| 702 | try_connect("AO+MD5 server: AO client (misconfig, non-matching)", | |
| 703 | port++, NULL, 0, &addr_any, 0, 100, 100, 0, | |
| 704 | FAULT_TIMEOUT, 1, &client3); | |
| 705 | try_connect("AO+MD5 server: MD5 client (matching)", port++, &addr_any, 0, | |
| 706 | NULL, 0, 100, 100, 0, 0, 1, &this_ip_addr); | |
| 707 | try_connect("AO+MD5 server: MD5 client (misconfig, matching AO)", | |
| 708 | port++, &addr_any, 0, NULL, 0, 100, 100, 0, FAULT_TIMEOUT, | |
| 709 | 1, &client2); | |
| 710 | try_connect("AO+MD5 server: MD5 client (misconfig, non-matching)", | |
| 711 | port++, &addr_any, 0, NULL, 0, 100, 100, 0, FAULT_TIMEOUT, | |
| 712 | 1, &client3); | |
| 713 | try_connect("AO+MD5 server: no sign client (unmatched)", | |
| 714 | port++, NULL, 0, NULL, 0, 100, 100, 0, 0, 1, &client3); | |
| 715 | try_connect("AO+MD5 server: no sign client (misconfig, matching AO)", | |
| 716 | port++, NULL, 0, NULL, 0, 100, 100, 0, FAULT_TIMEOUT, | |
| 717 | 1, &client2); | |
| 718 | try_connect("AO+MD5 server: no sign client (misconfig, matching MD5)", | |
| 719 | port++, NULL, 0, NULL, 0, 100, 100, 0, FAULT_TIMEOUT, | |
| 720 | 1, &this_ip_addr); | |
| 721 | ||
| 722 | try_connect("AO+MD5 server: client with both [TCP-MD5] and TCP-AO keys", | |
| 723 | port++, &this_ip_addr, TEST_PREFIX, | |
| 724 | &client2, TEST_PREFIX, 100, 100, 0, FAULT_KEYREJECT, | |
| 725 | 1, &this_ip_addr); | |
| 726 | try_connect("AO+MD5 server: client with both TCP-MD5 and [TCP-AO] keys", | |
| 727 | port++, &this_ip_addr, TEST_PREFIX, | |
| 728 | &client2, TEST_PREFIX, 100, 100, 0, FAULT_KEYREJECT, | |
| 729 | 1, &client2); | |
| 730 | ||
| 731 | client_add_fail_tests(&port); | |
| 732 | client_vrf_tests(&port); | |
| 733 | ||
| 734 | return NULL; | |
| 735 | } | |
| 736 | ||
| 737 | int main(int argc, char *argv[]) | |
| 738 | { | |
| 739 | test_init(72, server_fn, client_fn); | |
| 740 | return 0; | |
| 741 | } |