Commit | Line | Data |
---|---|---|
6f0c472a DS |
1 | // SPDX-License-Identifier: GPL-2.0 |
2 | /* Author: Dmitry Safonov <dima@arista.com> */ | |
3 | #include <inttypes.h> | |
4 | #include "aolib.h" | |
5 | ||
6 | #define fault(type) (inj == FAULT_ ## type) | |
7 | static const char *md5_password = "Some evil genius, enemy to mankind, must have been the first contriver."; | |
8 | static const char *ao_password = DEFAULT_TEST_PASSWORD; | |
9 | ||
10 | static union tcp_addr client2; | |
11 | static union tcp_addr client3; | |
12 | ||
13 | static const int test_vrf_ifindex = 200; | |
14 | static const uint8_t test_vrf_tabid = 42; | |
15 | static void setup_vrfs(void) | |
16 | { | |
17 | int err; | |
18 | ||
19 | if (!kernel_config_has(KCONFIG_NET_VRF)) | |
20 | return; | |
21 | ||
22 | err = add_vrf("ksft-vrf", test_vrf_tabid, test_vrf_ifindex, -1); | |
23 | if (err) | |
24 | test_error("Failed to add a VRF: %d", err); | |
25 | ||
26 | err = link_set_up("ksft-vrf"); | |
27 | if (err) | |
28 | test_error("Failed to bring up a VRF"); | |
29 | ||
30 | err = ip_route_add_vrf(veth_name, TEST_FAMILY, | |
31 | this_ip_addr, this_ip_dest, test_vrf_tabid); | |
32 | if (err) | |
72cd9f8d | 33 | test_error("Failed to add a route to VRF: %d", err); |
6f0c472a DS |
34 | } |
35 | ||
36 | static void try_accept(const char *tst_name, unsigned int port, | |
37 | union tcp_addr *md5_addr, uint8_t md5_prefix, | |
38 | union tcp_addr *ao_addr, uint8_t ao_prefix, | |
39 | bool set_ao_required, | |
40 | uint8_t sndid, uint8_t rcvid, uint8_t vrf, | |
41 | const char *cnt_name, test_cnt cnt_expected, | |
42 | int needs_tcp_md5, fault_t inj) | |
43 | { | |
44 | struct tcp_ao_counters ao_cnt1, ao_cnt2; | |
45 | uint64_t before_cnt = 0, after_cnt = 0; /* silence GCC */ | |
46 | int lsk, err, sk = 0; | |
47 | time_t timeout; | |
48 | ||
49 | if (needs_tcp_md5 && should_skip_test(tst_name, KCONFIG_TCP_MD5)) | |
50 | return; | |
51 | ||
52 | lsk = test_listen_socket(this_ip_addr, port, 1); | |
53 | ||
54 | if (md5_addr && test_set_md5(lsk, *md5_addr, md5_prefix, -1, md5_password)) | |
55 | test_error("setsockopt(TCP_MD5SIG_EXT)"); | |
56 | ||
57 | if (ao_addr && test_add_key(lsk, ao_password, | |
58 | *ao_addr, ao_prefix, sndid, rcvid)) | |
59 | test_error("setsockopt(TCP_AO_ADD_KEY)"); | |
60 | ||
61 | if (set_ao_required && test_set_ao_flags(lsk, true, false)) | |
62 | test_error("setsockopt(TCP_AO_INFO)"); | |
63 | ||
64 | if (cnt_name) | |
65 | before_cnt = netstat_get_one(cnt_name, NULL); | |
66 | if (ao_addr && test_get_tcp_ao_counters(lsk, &ao_cnt1)) | |
67 | test_error("test_get_tcp_ao_counters()"); | |
68 | ||
69 | synchronize_threads(); /* preparations done */ | |
70 | ||
71 | timeout = fault(TIMEOUT) ? TEST_RETRANSMIT_SEC : TEST_TIMEOUT_SEC; | |
72 | err = test_wait_fd(lsk, timeout, 0); | |
73 | if (err == -ETIMEDOUT) { | |
74 | if (!fault(TIMEOUT)) | |
67f440c0 | 75 | test_fail("timed out for accept()"); |
6f0c472a DS |
76 | } else if (err < 0) { |
77 | test_error("test_wait_fd()"); | |
78 | } else { | |
79 | if (fault(TIMEOUT)) | |
80 | test_fail("ready to accept"); | |
81 | ||
82 | sk = accept(lsk, NULL, NULL); | |
83 | if (sk < 0) { | |
84 | test_error("accept()"); | |
85 | } else { | |
86 | if (fault(TIMEOUT)) | |
87 | test_fail("%s: accepted", tst_name); | |
88 | } | |
89 | } | |
90 | ||
91 | if (ao_addr && test_get_tcp_ao_counters(lsk, &ao_cnt2)) | |
92 | test_error("test_get_tcp_ao_counters()"); | |
93 | close(lsk); | |
94 | ||
95 | if (!cnt_name) { | |
96 | test_ok("%s: no counter checks", tst_name); | |
97 | goto out; | |
98 | } | |
99 | ||
100 | after_cnt = netstat_get_one(cnt_name, NULL); | |
101 | ||
102 | if (after_cnt <= before_cnt) { | |
103 | test_fail("%s: %s counter did not increase: %zu <= %zu", | |
104 | tst_name, cnt_name, after_cnt, before_cnt); | |
105 | } else { | |
106 | test_ok("%s: counter %s increased %zu => %zu", | |
107 | tst_name, cnt_name, before_cnt, after_cnt); | |
108 | } | |
109 | if (ao_addr) | |
110 | test_tcp_ao_counters_cmp(tst_name, &ao_cnt1, &ao_cnt2, cnt_expected); | |
111 | ||
112 | out: | |
b083d24f | 113 | synchronize_threads(); /* test_kill_sk() */ |
6f0c472a | 114 | if (sk > 0) |
b083d24f | 115 | test_kill_sk(sk); |
6f0c472a DS |
116 | } |
117 | ||
118 | static void server_add_routes(void) | |
119 | { | |
120 | int family = TEST_FAMILY; | |
121 | ||
122 | synchronize_threads(); /* client_add_ips() */ | |
123 | ||
124 | if (ip_route_add(veth_name, family, this_ip_addr, client2)) | |
125 | test_error("Failed to add route"); | |
126 | if (ip_route_add(veth_name, family, this_ip_addr, client3)) | |
127 | test_error("Failed to add route"); | |
128 | } | |
129 | ||
130 | static void server_add_fail_tests(unsigned int *port) | |
131 | { | |
132 | union tcp_addr addr_any = {}; | |
133 | ||
134 | try_accept("TCP-AO established: add TCP-MD5 key", (*port)++, NULL, 0, | |
135 | &addr_any, 0, 0, 100, 100, 0, "TCPAOGood", TEST_CNT_GOOD, | |
136 | 1, 0); | |
137 | try_accept("TCP-MD5 established: add TCP-AO key", (*port)++, &addr_any, | |
138 | 0, NULL, 0, 0, 0, 0, 0, NULL, 0, 1, 0); | |
139 | try_accept("non-signed established: add TCP-AO key", (*port)++, NULL, 0, | |
140 | NULL, 0, 0, 0, 0, 0, "CurrEstab", 0, 0, 0); | |
141 | } | |
142 | ||
143 | static void server_vrf_tests(unsigned int *port) | |
144 | { | |
145 | setup_vrfs(); | |
146 | } | |
147 | ||
148 | static void *server_fn(void *arg) | |
149 | { | |
150 | unsigned int port = test_server_port; | |
151 | union tcp_addr addr_any = {}; | |
152 | ||
153 | server_add_routes(); | |
154 | ||
155 | try_accept("AO server (INADDR_ANY): AO client", port++, NULL, 0, | |
156 | &addr_any, 0, 0, 100, 100, 0, "TCPAOGood", | |
157 | TEST_CNT_GOOD, 0, 0); | |
158 | try_accept("AO server (INADDR_ANY): MD5 client", port++, NULL, 0, | |
159 | &addr_any, 0, 0, 100, 100, 0, "TCPMD5Unexpected", | |
160 | 0, 1, FAULT_TIMEOUT); | |
161 | try_accept("AO server (INADDR_ANY): no sign client", port++, NULL, 0, | |
162 | &addr_any, 0, 0, 100, 100, 0, "TCPAORequired", | |
163 | TEST_CNT_AO_REQUIRED, 0, FAULT_TIMEOUT); | |
164 | try_accept("AO server (AO_REQUIRED): AO client", port++, NULL, 0, | |
165 | &this_ip_dest, TEST_PREFIX, true, | |
166 | 100, 100, 0, "TCPAOGood", TEST_CNT_GOOD, 0, 0); | |
167 | try_accept("AO server (AO_REQUIRED): unsigned client", port++, NULL, 0, | |
168 | &this_ip_dest, TEST_PREFIX, true, | |
169 | 100, 100, 0, "TCPAORequired", | |
170 | TEST_CNT_AO_REQUIRED, 0, FAULT_TIMEOUT); | |
171 | ||
172 | try_accept("MD5 server (INADDR_ANY): AO client", port++, &addr_any, 0, | |
173 | NULL, 0, 0, 0, 0, 0, "TCPAOKeyNotFound", | |
174 | 0, 1, FAULT_TIMEOUT); | |
175 | try_accept("MD5 server (INADDR_ANY): MD5 client", port++, &addr_any, 0, | |
176 | NULL, 0, 0, 0, 0, 0, NULL, 0, 1, 0); | |
177 | try_accept("MD5 server (INADDR_ANY): no sign client", port++, &addr_any, | |
178 | 0, NULL, 0, 0, 0, 0, 0, "TCPMD5NotFound", | |
179 | 0, 1, FAULT_TIMEOUT); | |
180 | ||
181 | try_accept("no sign server: AO client", port++, NULL, 0, | |
182 | NULL, 0, 0, 0, 0, 0, "TCPAOKeyNotFound", | |
183 | TEST_CNT_AO_KEY_NOT_FOUND, 0, FAULT_TIMEOUT); | |
184 | try_accept("no sign server: MD5 client", port++, NULL, 0, | |
185 | NULL, 0, 0, 0, 0, 0, "TCPMD5Unexpected", | |
186 | 0, 1, FAULT_TIMEOUT); | |
187 | try_accept("no sign server: no sign client", port++, NULL, 0, | |
188 | NULL, 0, 0, 0, 0, 0, "CurrEstab", 0, 0, 0); | |
189 | ||
190 | try_accept("AO+MD5 server: AO client (matching)", port++, | |
191 | &this_ip_dest, TEST_PREFIX, &client2, TEST_PREFIX, 0, | |
192 | 100, 100, 0, "TCPAOGood", TEST_CNT_GOOD, 1, 0); | |
193 | try_accept("AO+MD5 server: AO client (misconfig, matching MD5)", port++, | |
194 | &this_ip_dest, TEST_PREFIX, &client2, TEST_PREFIX, 0, | |
195 | 100, 100, 0, "TCPAOKeyNotFound", TEST_CNT_AO_KEY_NOT_FOUND, | |
196 | 1, FAULT_TIMEOUT); | |
197 | try_accept("AO+MD5 server: AO client (misconfig, non-matching)", port++, | |
198 | &this_ip_dest, TEST_PREFIX, &client2, TEST_PREFIX, 0, | |
199 | 100, 100, 0, "TCPAOKeyNotFound", TEST_CNT_AO_KEY_NOT_FOUND, | |
200 | 1, FAULT_TIMEOUT); | |
201 | try_accept("AO+MD5 server: MD5 client (matching)", port++, | |
202 | &this_ip_dest, TEST_PREFIX, &client2, TEST_PREFIX, 0, | |
203 | 100, 100, 0, NULL, 0, 1, 0); | |
204 | try_accept("AO+MD5 server: MD5 client (misconfig, matching AO)", port++, | |
205 | &this_ip_dest, TEST_PREFIX, &client2, TEST_PREFIX, 0, | |
206 | 100, 100, 0, "TCPMD5Unexpected", 0, 1, FAULT_TIMEOUT); | |
207 | try_accept("AO+MD5 server: MD5 client (misconfig, non-matching)", port++, | |
208 | &this_ip_dest, TEST_PREFIX, &client2, TEST_PREFIX, 0, | |
209 | 100, 100, 0, "TCPMD5Unexpected", 0, 1, FAULT_TIMEOUT); | |
210 | try_accept("AO+MD5 server: no sign client (unmatched)", port++, | |
211 | &this_ip_dest, TEST_PREFIX, &client2, TEST_PREFIX, 0, | |
212 | 100, 100, 0, "CurrEstab", 0, 1, 0); | |
213 | try_accept("AO+MD5 server: no sign client (misconfig, matching AO)", | |
214 | port++, &this_ip_dest, TEST_PREFIX, &client2, TEST_PREFIX, 0, | |
215 | 100, 100, 0, "TCPAORequired", | |
216 | TEST_CNT_AO_REQUIRED, 1, FAULT_TIMEOUT); | |
217 | try_accept("AO+MD5 server: no sign client (misconfig, matching MD5)", | |
218 | port++, &this_ip_dest, TEST_PREFIX, &client2, TEST_PREFIX, 0, | |
219 | 100, 100, 0, "TCPMD5NotFound", 0, 1, FAULT_TIMEOUT); | |
220 | ||
221 | try_accept("AO+MD5 server: client with both [TCP-MD5] and TCP-AO keys", | |
222 | port++, &this_ip_dest, TEST_PREFIX, &client2, TEST_PREFIX, 0, | |
223 | 100, 100, 0, NULL, 0, 1, FAULT_TIMEOUT); | |
224 | try_accept("AO+MD5 server: client with both TCP-MD5 and [TCP-AO] keys", | |
225 | port++, &this_ip_dest, TEST_PREFIX, &client2, TEST_PREFIX, 0, | |
226 | 100, 100, 0, NULL, 0, 1, FAULT_TIMEOUT); | |
227 | ||
228 | server_add_fail_tests(&port); | |
229 | ||
230 | server_vrf_tests(&port); | |
231 | ||
232 | /* client exits */ | |
233 | synchronize_threads(); | |
234 | return NULL; | |
235 | } | |
236 | ||
237 | static int client_bind(int sk, union tcp_addr bind_addr) | |
238 | { | |
239 | #ifdef IPV6_TEST | |
240 | struct sockaddr_in6 addr = { | |
241 | .sin6_family = AF_INET6, | |
242 | .sin6_port = 0, | |
243 | .sin6_addr = bind_addr.a6, | |
244 | }; | |
245 | #else | |
246 | struct sockaddr_in addr = { | |
247 | .sin_family = AF_INET, | |
248 | .sin_port = 0, | |
249 | .sin_addr = bind_addr.a4, | |
250 | }; | |
251 | #endif | |
252 | return bind(sk, &addr, sizeof(addr)); | |
253 | } | |
254 | ||
255 | static void try_connect(const char *tst_name, unsigned int port, | |
256 | union tcp_addr *md5_addr, uint8_t md5_prefix, | |
257 | union tcp_addr *ao_addr, uint8_t ao_prefix, | |
258 | uint8_t sndid, uint8_t rcvid, uint8_t vrf, | |
259 | fault_t inj, int needs_tcp_md5, union tcp_addr *bind_addr) | |
260 | { | |
261 | time_t timeout; | |
262 | int sk, ret; | |
263 | ||
264 | if (needs_tcp_md5 && should_skip_test(tst_name, KCONFIG_TCP_MD5)) | |
265 | return; | |
266 | ||
267 | sk = socket(test_family, SOCK_STREAM, IPPROTO_TCP); | |
268 | if (sk < 0) | |
269 | test_error("socket()"); | |
270 | ||
271 | if (bind_addr && client_bind(sk, *bind_addr)) | |
272 | test_error("bind()"); | |
273 | ||
274 | if (md5_addr && test_set_md5(sk, *md5_addr, md5_prefix, -1, md5_password)) | |
275 | test_error("setsockopt(TCP_MD5SIG_EXT)"); | |
276 | ||
277 | if (ao_addr && test_add_key(sk, ao_password, *ao_addr, | |
278 | ao_prefix, sndid, rcvid)) | |
279 | test_error("setsockopt(TCP_AO_ADD_KEY)"); | |
280 | ||
281 | synchronize_threads(); /* preparations done */ | |
282 | ||
283 | timeout = fault(TIMEOUT) ? TEST_RETRANSMIT_SEC : TEST_TIMEOUT_SEC; | |
284 | ret = _test_connect_socket(sk, this_ip_dest, port, timeout); | |
285 | ||
286 | if (ret < 0) { | |
287 | if (fault(KEYREJECT) && ret == -EKEYREJECTED) | |
288 | test_ok("%s: connect() was prevented", tst_name); | |
289 | else if (ret == -ETIMEDOUT && fault(TIMEOUT)) | |
290 | test_ok("%s", tst_name); | |
291 | else if (ret == -ECONNREFUSED && | |
292 | (fault(TIMEOUT) || fault(KEYREJECT))) | |
293 | test_ok("%s: refused to connect", tst_name); | |
294 | else | |
295 | test_error("%s: connect() returned %d", tst_name, ret); | |
296 | goto out; | |
297 | } | |
298 | ||
299 | if (fault(TIMEOUT) || fault(KEYREJECT)) | |
300 | test_fail("%s: connected", tst_name); | |
301 | else | |
302 | test_ok("%s: connected", tst_name); | |
303 | ||
304 | out: | |
b083d24f | 305 | synchronize_threads(); /* test_kill_sk() */ |
6f0c472a DS |
306 | /* _test_connect_socket() cleans up on failure */ |
307 | if (ret > 0) | |
b083d24f | 308 | test_kill_sk(sk); |
6f0c472a DS |
309 | } |
310 | ||
311 | #define PREINSTALL_MD5_FIRST BIT(0) | |
312 | #define PREINSTALL_AO BIT(1) | |
313 | #define POSTINSTALL_AO BIT(2) | |
314 | #define PREINSTALL_MD5 BIT(3) | |
315 | #define POSTINSTALL_MD5 BIT(4) | |
316 | ||
317 | static int try_add_key_vrf(int sk, union tcp_addr in_addr, uint8_t prefix, | |
318 | int vrf, uint8_t sndid, uint8_t rcvid, | |
319 | bool set_ao_required) | |
320 | { | |
321 | uint8_t keyflags = 0; | |
322 | ||
323 | if (vrf >= 0) | |
324 | keyflags |= TCP_AO_KEYF_IFINDEX; | |
325 | else | |
326 | vrf = 0; | |
327 | if (set_ao_required) { | |
328 | int err = test_set_ao_flags(sk, true, 0); | |
329 | ||
330 | if (err) | |
331 | return err; | |
332 | } | |
333 | return test_add_key_vrf(sk, ao_password, keyflags, in_addr, prefix, | |
334 | (uint8_t)vrf, sndid, rcvid); | |
335 | } | |
336 | ||
337 | static bool test_continue(const char *tst_name, int err, | |
338 | fault_t inj, bool added_ao) | |
339 | { | |
340 | bool expected_to_fail; | |
341 | ||
342 | expected_to_fail = fault(PREINSTALL_AO) && added_ao; | |
343 | expected_to_fail |= fault(PREINSTALL_MD5) && !added_ao; | |
344 | ||
345 | if (!err) { | |
346 | if (!expected_to_fail) | |
347 | return true; | |
348 | test_fail("%s: setsockopt()s were expected to fail", tst_name); | |
349 | return false; | |
350 | } | |
351 | if (err != -EKEYREJECTED || !expected_to_fail) { | |
352 | test_error("%s: setsockopt(%s) = %d", tst_name, | |
353 | added_ao ? "TCP_AO_ADD_KEY" : "TCP_MD5SIG_EXT", err); | |
354 | return false; | |
355 | } | |
356 | test_ok("%s: prefailed as expected: %m", tst_name); | |
357 | return false; | |
358 | } | |
359 | ||
360 | static int open_add(const char *tst_name, unsigned int port, | |
361 | unsigned int strategy, | |
362 | union tcp_addr md5_addr, uint8_t md5_prefix, int md5_vrf, | |
363 | union tcp_addr ao_addr, uint8_t ao_prefix, | |
364 | int ao_vrf, bool set_ao_required, | |
365 | uint8_t sndid, uint8_t rcvid, | |
366 | fault_t inj) | |
367 | { | |
368 | int sk; | |
369 | ||
370 | sk = socket(test_family, SOCK_STREAM, IPPROTO_TCP); | |
371 | if (sk < 0) | |
372 | test_error("socket()"); | |
373 | ||
374 | if (client_bind(sk, this_ip_addr)) | |
375 | test_error("bind()"); | |
376 | ||
377 | if (strategy & PREINSTALL_MD5_FIRST) { | |
378 | if (test_set_md5(sk, md5_addr, md5_prefix, md5_vrf, md5_password)) | |
379 | test_error("setsockopt(TCP_MD5SIG_EXT)"); | |
380 | } | |
381 | ||
382 | if (strategy & PREINSTALL_AO) { | |
383 | int err = try_add_key_vrf(sk, ao_addr, ao_prefix, ao_vrf, | |
384 | sndid, rcvid, set_ao_required); | |
385 | ||
386 | if (!test_continue(tst_name, err, inj, true)) { | |
387 | close(sk); | |
388 | return -1; | |
389 | } | |
390 | } | |
391 | ||
392 | if (strategy & PREINSTALL_MD5) { | |
393 | errno = 0; | |
394 | test_set_md5(sk, md5_addr, md5_prefix, md5_vrf, md5_password); | |
395 | if (!test_continue(tst_name, -errno, inj, false)) { | |
396 | close(sk); | |
397 | return -1; | |
398 | } | |
399 | } | |
400 | ||
401 | return sk; | |
402 | } | |
403 | ||
404 | static void try_to_preadd(const char *tst_name, unsigned int port, | |
405 | unsigned int strategy, | |
406 | union tcp_addr md5_addr, uint8_t md5_prefix, | |
407 | int md5_vrf, | |
408 | union tcp_addr ao_addr, uint8_t ao_prefix, | |
409 | int ao_vrf, bool set_ao_required, | |
410 | uint8_t sndid, uint8_t rcvid, | |
411 | int needs_tcp_md5, int needs_vrf, fault_t inj) | |
412 | { | |
413 | int sk; | |
414 | ||
415 | if (needs_tcp_md5 && should_skip_test(tst_name, KCONFIG_TCP_MD5)) | |
416 | return; | |
417 | if (needs_vrf && should_skip_test(tst_name, KCONFIG_NET_VRF)) | |
418 | return; | |
419 | ||
420 | sk = open_add(tst_name, port, strategy, md5_addr, md5_prefix, md5_vrf, | |
421 | ao_addr, ao_prefix, ao_vrf, set_ao_required, | |
422 | sndid, rcvid, inj); | |
423 | if (sk < 0) | |
424 | return; | |
425 | ||
426 | test_ok("%s", tst_name); | |
427 | close(sk); | |
428 | } | |
429 | ||
430 | static void try_to_add(const char *tst_name, unsigned int port, | |
431 | unsigned int strategy, | |
432 | union tcp_addr md5_addr, uint8_t md5_prefix, | |
433 | int md5_vrf, | |
434 | union tcp_addr ao_addr, uint8_t ao_prefix, | |
435 | int ao_vrf, uint8_t sndid, uint8_t rcvid, | |
436 | int needs_tcp_md5, fault_t inj) | |
437 | { | |
438 | time_t timeout; | |
439 | int sk, ret; | |
440 | ||
441 | if (needs_tcp_md5 && should_skip_test(tst_name, KCONFIG_TCP_MD5)) | |
442 | return; | |
443 | ||
444 | sk = open_add(tst_name, port, strategy, md5_addr, md5_prefix, md5_vrf, | |
445 | ao_addr, ao_prefix, ao_vrf, 0, sndid, rcvid, inj); | |
446 | if (sk < 0) | |
447 | return; | |
448 | ||
449 | synchronize_threads(); /* preparations done */ | |
450 | ||
451 | timeout = fault(TIMEOUT) ? TEST_RETRANSMIT_SEC : TEST_TIMEOUT_SEC; | |
452 | ret = _test_connect_socket(sk, this_ip_dest, port, timeout); | |
453 | ||
454 | if (ret <= 0) { | |
455 | test_error("%s: connect() returned %d", tst_name, ret); | |
456 | goto out; | |
457 | } | |
458 | ||
459 | if (strategy & POSTINSTALL_MD5) { | |
460 | if (test_set_md5(sk, md5_addr, md5_prefix, md5_vrf, md5_password)) { | |
461 | if (fault(POSTINSTALL)) { | |
462 | test_ok("%s: postfailed as expected", tst_name); | |
463 | goto out; | |
464 | } else { | |
465 | test_error("setsockopt(TCP_MD5SIG_EXT)"); | |
466 | } | |
467 | } else if (fault(POSTINSTALL)) { | |
468 | test_fail("%s: post setsockopt() was expected to fail", tst_name); | |
469 | goto out; | |
470 | } | |
471 | } | |
472 | ||
473 | if (strategy & POSTINSTALL_AO) { | |
474 | if (try_add_key_vrf(sk, ao_addr, ao_prefix, ao_vrf, | |
475 | sndid, rcvid, 0)) { | |
476 | if (fault(POSTINSTALL)) { | |
477 | test_ok("%s: postfailed as expected", tst_name); | |
478 | goto out; | |
479 | } else { | |
480 | test_error("setsockopt(TCP_AO_ADD_KEY)"); | |
481 | } | |
482 | } else if (fault(POSTINSTALL)) { | |
483 | test_fail("%s: post setsockopt() was expected to fail", tst_name); | |
484 | goto out; | |
485 | } | |
486 | } | |
487 | ||
488 | out: | |
b083d24f | 489 | synchronize_threads(); /* test_kill_sk() */ |
6f0c472a DS |
490 | /* _test_connect_socket() cleans up on failure */ |
491 | if (ret > 0) | |
b083d24f | 492 | test_kill_sk(sk); |
6f0c472a DS |
493 | } |
494 | ||
495 | static void client_add_ip(union tcp_addr *client, const char *ip) | |
496 | { | |
72cd9f8d | 497 | int err, family = TEST_FAMILY; |
6f0c472a DS |
498 | |
499 | if (inet_pton(family, ip, client) != 1) | |
500 | test_error("Can't convert ip address %s", ip); | |
501 | ||
72cd9f8d DS |
502 | err = ip_addr_add(veth_name, family, *client, TEST_PREFIX); |
503 | if (err) | |
504 | test_error("Failed to add ip address: %d", err); | |
6f0c472a DS |
505 | } |
506 | ||
507 | static void client_add_ips(void) | |
508 | { | |
509 | client_add_ip(&client2, __TEST_CLIENT_IP(2)); | |
510 | client_add_ip(&client3, __TEST_CLIENT_IP(3)); | |
511 | synchronize_threads(); /* server_add_routes() */ | |
512 | } | |
513 | ||
514 | static void client_add_fail_tests(unsigned int *port) | |
515 | { | |
516 | try_to_add("TCP-AO established: add TCP-MD5 key", | |
517 | (*port)++, POSTINSTALL_MD5 | PREINSTALL_AO, | |
518 | this_ip_dest, TEST_PREFIX, -1, this_ip_dest, TEST_PREFIX, 0, | |
519 | 100, 100, 1, FAULT_POSTINSTALL); | |
520 | try_to_add("TCP-MD5 established: add TCP-AO key", | |
521 | (*port)++, PREINSTALL_MD5 | POSTINSTALL_AO, | |
522 | this_ip_dest, TEST_PREFIX, -1, this_ip_dest, TEST_PREFIX, 0, | |
523 | 100, 100, 1, FAULT_POSTINSTALL); | |
524 | try_to_add("non-signed established: add TCP-AO key", | |
525 | (*port)++, POSTINSTALL_AO, | |
526 | this_ip_dest, TEST_PREFIX, -1, this_ip_dest, TEST_PREFIX, 0, | |
527 | 100, 100, 0, FAULT_POSTINSTALL); | |
528 | ||
529 | try_to_add("TCP-AO key intersects with existing TCP-MD5 key", | |
530 | (*port)++, PREINSTALL_MD5_FIRST | PREINSTALL_AO, | |
531 | this_ip_addr, TEST_PREFIX, -1, this_ip_addr, TEST_PREFIX, -1, | |
532 | 100, 100, 1, FAULT_PREINSTALL_AO); | |
533 | try_to_add("TCP-MD5 key intersects with existing TCP-AO key", | |
534 | (*port)++, PREINSTALL_MD5 | PREINSTALL_AO, | |
535 | this_ip_addr, TEST_PREFIX, -1, this_ip_addr, TEST_PREFIX, -1, | |
536 | 100, 100, 1, FAULT_PREINSTALL_MD5); | |
537 | ||
538 | try_to_preadd("TCP-MD5 key + TCP-AO required", | |
539 | (*port)++, PREINSTALL_MD5_FIRST | PREINSTALL_AO, | |
540 | this_ip_addr, TEST_PREFIX, -1, | |
541 | this_ip_addr, TEST_PREFIX, -1, true, | |
542 | 100, 100, 1, 0, FAULT_PREINSTALL_AO); | |
543 | try_to_preadd("TCP-AO required on socket + TCP-MD5 key", | |
544 | (*port)++, PREINSTALL_MD5 | PREINSTALL_AO, | |
545 | this_ip_addr, TEST_PREFIX, -1, | |
546 | this_ip_addr, TEST_PREFIX, -1, true, | |
547 | 100, 100, 1, 0, FAULT_PREINSTALL_MD5); | |
548 | } | |
549 | ||
550 | static void client_vrf_tests(unsigned int *port) | |
551 | { | |
552 | setup_vrfs(); | |
553 | ||
554 | /* The following restrictions for setsockopt()s are expected: | |
555 | * | |
556 | * |--------------|-----------------|-------------|-------------| | |
557 | * | | MD5 key without | MD5 key | MD5 key | | |
558 | * | | l3index | l3index=0 | l3index=N | | |
559 | * |--------------|-----------------|-------------|-------------| | |
560 | * | TCP-AO key | | | | | |
561 | * | without | reject | reject | reject | | |
562 | * | l3index | | | | | |
563 | * |--------------|-----------------|-------------|-------------| | |
564 | * | TCP-AO key | | | | | |
565 | * | l3index=0 | reject | reject | allow | | |
566 | * |--------------|-----------------|-------------|-------------| | |
567 | * | TCP-AO key | | | | | |
568 | * | l3index=N | reject | allow | reject | | |
569 | * |--------------|-----------------|-------------|-------------| | |
570 | */ | |
571 | try_to_preadd("VRF: TCP-AO key (no l3index) + TCP-MD5 key (no l3index)", | |
572 | (*port)++, PREINSTALL_MD5 | PREINSTALL_AO, | |
573 | this_ip_addr, TEST_PREFIX, -1, | |
574 | this_ip_addr, TEST_PREFIX, -1, 0, 100, 100, | |
575 | 1, 1, FAULT_PREINSTALL_MD5); | |
576 | try_to_preadd("VRF: TCP-MD5 key (no l3index) + TCP-AO key (no l3index)", | |
577 | (*port)++, PREINSTALL_MD5_FIRST | PREINSTALL_AO, | |
578 | this_ip_addr, TEST_PREFIX, -1, | |
579 | this_ip_addr, TEST_PREFIX, -1, 0, 100, 100, | |
580 | 1, 1, FAULT_PREINSTALL_AO); | |
581 | try_to_preadd("VRF: TCP-AO key (no l3index) + TCP-MD5 key (l3index=0)", | |
582 | (*port)++, PREINSTALL_MD5 | PREINSTALL_AO, | |
583 | this_ip_addr, TEST_PREFIX, 0, | |
584 | this_ip_addr, TEST_PREFIX, -1, 0, 100, 100, | |
585 | 1, 1, FAULT_PREINSTALL_MD5); | |
586 | try_to_preadd("VRF: TCP-MD5 key (l3index=0) + TCP-AO key (no l3index)", | |
587 | (*port)++, PREINSTALL_MD5_FIRST | PREINSTALL_AO, | |
588 | this_ip_addr, TEST_PREFIX, 0, | |
589 | this_ip_addr, TEST_PREFIX, -1, 0, 100, 100, | |
590 | 1, 1, FAULT_PREINSTALL_AO); | |
591 | try_to_preadd("VRF: TCP-AO key (no l3index) + TCP-MD5 key (l3index=N)", | |
592 | (*port)++, PREINSTALL_MD5 | PREINSTALL_AO, | |
593 | this_ip_addr, TEST_PREFIX, test_vrf_ifindex, | |
594 | this_ip_addr, TEST_PREFIX, -1, 0, 100, 100, | |
595 | 1, 1, FAULT_PREINSTALL_MD5); | |
596 | try_to_preadd("VRF: TCP-MD5 key (l3index=N) + TCP-AO key (no l3index)", | |
597 | (*port)++, PREINSTALL_MD5_FIRST | PREINSTALL_AO, | |
598 | this_ip_addr, TEST_PREFIX, test_vrf_ifindex, | |
599 | this_ip_addr, TEST_PREFIX, -1, 0, 100, 100, | |
600 | 1, 1, FAULT_PREINSTALL_AO); | |
601 | ||
602 | try_to_preadd("VRF: TCP-AO key (l3index=0) + TCP-MD5 key (no l3index)", | |
603 | (*port)++, PREINSTALL_MD5 | PREINSTALL_AO, | |
604 | this_ip_addr, TEST_PREFIX, -1, | |
605 | this_ip_addr, TEST_PREFIX, 0, 0, 100, 100, | |
606 | 1, 1, FAULT_PREINSTALL_MD5); | |
607 | try_to_preadd("VRF: TCP-MD5 key (no l3index) + TCP-AO key (l3index=0)", | |
608 | (*port)++, PREINSTALL_MD5_FIRST | PREINSTALL_AO, | |
609 | this_ip_addr, TEST_PREFIX, -1, | |
610 | this_ip_addr, TEST_PREFIX, 0, 0, 100, 100, | |
611 | 1, 1, FAULT_PREINSTALL_AO); | |
612 | try_to_preadd("VRF: TCP-AO key (l3index=0) + TCP-MD5 key (l3index=0)", | |
613 | (*port)++, PREINSTALL_MD5 | PREINSTALL_AO, | |
614 | this_ip_addr, TEST_PREFIX, 0, | |
615 | this_ip_addr, TEST_PREFIX, 0, 0, 100, 100, | |
616 | 1, 1, FAULT_PREINSTALL_MD5); | |
617 | try_to_preadd("VRF: TCP-MD5 key (l3index=0) + TCP-AO key (l3index=0)", | |
618 | (*port)++, PREINSTALL_MD5_FIRST | PREINSTALL_AO, | |
619 | this_ip_addr, TEST_PREFIX, 0, | |
620 | this_ip_addr, TEST_PREFIX, 0, 0, 100, 100, | |
621 | 1, 1, FAULT_PREINSTALL_AO); | |
622 | try_to_preadd("VRF: TCP-AO key (l3index=0) + TCP-MD5 key (l3index=N)", | |
623 | (*port)++, PREINSTALL_MD5 | PREINSTALL_AO, | |
624 | this_ip_addr, TEST_PREFIX, test_vrf_ifindex, | |
625 | this_ip_addr, TEST_PREFIX, 0, 0, 100, 100, | |
626 | 1, 1, 0); | |
627 | try_to_preadd("VRF: TCP-MD5 key (l3index=N) + TCP-AO key (l3index=0)", | |
628 | (*port)++, PREINSTALL_MD5_FIRST | PREINSTALL_AO, | |
629 | this_ip_addr, TEST_PREFIX, test_vrf_ifindex, | |
630 | this_ip_addr, TEST_PREFIX, 0, 0, 100, 100, | |
631 | 1, 1, 0); | |
632 | ||
633 | try_to_preadd("VRF: TCP-AO key (l3index=N) + TCP-MD5 key (no l3index)", | |
634 | (*port)++, PREINSTALL_MD5 | PREINSTALL_AO, | |
635 | this_ip_addr, TEST_PREFIX, test_vrf_ifindex, | |
636 | this_ip_addr, TEST_PREFIX, -1, 0, 100, 100, | |
637 | 1, 1, FAULT_PREINSTALL_MD5); | |
638 | try_to_preadd("VRF: TCP-MD5 key (no l3index) + TCP-AO key (l3index=N)", | |
639 | (*port)++, PREINSTALL_MD5_FIRST | PREINSTALL_AO, | |
640 | this_ip_addr, TEST_PREFIX, -1, | |
641 | this_ip_addr, TEST_PREFIX, test_vrf_ifindex, 0, 100, 100, | |
642 | 1, 1, FAULT_PREINSTALL_AO); | |
643 | try_to_preadd("VRF: TCP-AO key (l3index=N) + TCP-MD5 key (l3index=0)", | |
644 | (*port)++, PREINSTALL_MD5 | PREINSTALL_AO, | |
645 | this_ip_addr, TEST_PREFIX, 0, | |
646 | this_ip_addr, TEST_PREFIX, test_vrf_ifindex, 0, 100, 100, | |
647 | 1, 1, 0); | |
648 | try_to_preadd("VRF: TCP-MD5 key (l3index=0) + TCP-AO key (l3index=N)", | |
649 | (*port)++, PREINSTALL_MD5_FIRST | PREINSTALL_AO, | |
650 | this_ip_addr, TEST_PREFIX, 0, | |
651 | this_ip_addr, TEST_PREFIX, test_vrf_ifindex, 0, 100, 100, | |
652 | 1, 1, 0); | |
653 | try_to_preadd("VRF: TCP-AO key (l3index=N) + TCP-MD5 key (l3index=N)", | |
654 | (*port)++, PREINSTALL_MD5 | PREINSTALL_AO, | |
655 | this_ip_addr, TEST_PREFIX, test_vrf_ifindex, | |
656 | this_ip_addr, TEST_PREFIX, test_vrf_ifindex, 0, 100, 100, | |
657 | 1, 1, FAULT_PREINSTALL_MD5); | |
658 | try_to_preadd("VRF: TCP-MD5 key (l3index=N) + TCP-AO key (l3index=N)", | |
659 | (*port)++, PREINSTALL_MD5_FIRST | PREINSTALL_AO, | |
660 | this_ip_addr, TEST_PREFIX, test_vrf_ifindex, | |
661 | this_ip_addr, TEST_PREFIX, test_vrf_ifindex, 0, 100, 100, | |
662 | 1, 1, FAULT_PREINSTALL_AO); | |
663 | } | |
664 | ||
665 | static void *client_fn(void *arg) | |
666 | { | |
667 | unsigned int port = test_server_port; | |
668 | union tcp_addr addr_any = {}; | |
669 | ||
670 | client_add_ips(); | |
671 | ||
672 | try_connect("AO server (INADDR_ANY): AO client", port++, NULL, 0, | |
673 | &addr_any, 0, 100, 100, 0, 0, 0, &this_ip_addr); | |
674 | try_connect("AO server (INADDR_ANY): MD5 client", port++, &addr_any, 0, | |
675 | NULL, 0, 100, 100, 0, FAULT_TIMEOUT, 1, &this_ip_addr); | |
676 | try_connect("AO server (INADDR_ANY): unsigned client", port++, NULL, 0, | |
677 | NULL, 0, 100, 100, 0, FAULT_TIMEOUT, 0, &this_ip_addr); | |
678 | try_connect("AO server (AO_REQUIRED): AO client", port++, NULL, 0, | |
679 | &addr_any, 0, 100, 100, 0, 0, 0, &this_ip_addr); | |
680 | try_connect("AO server (AO_REQUIRED): unsigned client", port++, NULL, 0, | |
681 | NULL, 0, 100, 100, 0, FAULT_TIMEOUT, 0, &client2); | |
682 | ||
683 | try_connect("MD5 server (INADDR_ANY): AO client", port++, NULL, 0, | |
684 | &addr_any, 0, 100, 100, 0, FAULT_TIMEOUT, 1, &this_ip_addr); | |
685 | try_connect("MD5 server (INADDR_ANY): MD5 client", port++, &addr_any, 0, | |
686 | NULL, 0, 100, 100, 0, 0, 1, &this_ip_addr); | |
687 | try_connect("MD5 server (INADDR_ANY): no sign client", port++, NULL, 0, | |
688 | NULL, 0, 100, 100, 0, FAULT_TIMEOUT, 1, &this_ip_addr); | |
689 | ||
690 | try_connect("no sign server: AO client", port++, NULL, 0, | |
691 | &addr_any, 0, 100, 100, 0, FAULT_TIMEOUT, 0, &this_ip_addr); | |
692 | try_connect("no sign server: MD5 client", port++, &addr_any, 0, | |
693 | NULL, 0, 100, 100, 0, FAULT_TIMEOUT, 1, &this_ip_addr); | |
694 | try_connect("no sign server: no sign client", port++, NULL, 0, | |
695 | NULL, 0, 100, 100, 0, 0, 0, &this_ip_addr); | |
696 | ||
697 | try_connect("AO+MD5 server: AO client (matching)", port++, NULL, 0, | |
698 | &addr_any, 0, 100, 100, 0, 0, 1, &client2); | |
699 | try_connect("AO+MD5 server: AO client (misconfig, matching MD5)", | |
700 | port++, NULL, 0, &addr_any, 0, 100, 100, 0, | |
701 | FAULT_TIMEOUT, 1, &this_ip_addr); | |
702 | try_connect("AO+MD5 server: AO client (misconfig, non-matching)", | |
703 | port++, NULL, 0, &addr_any, 0, 100, 100, 0, | |
704 | FAULT_TIMEOUT, 1, &client3); | |
705 | try_connect("AO+MD5 server: MD5 client (matching)", port++, &addr_any, 0, | |
706 | NULL, 0, 100, 100, 0, 0, 1, &this_ip_addr); | |
707 | try_connect("AO+MD5 server: MD5 client (misconfig, matching AO)", | |
708 | port++, &addr_any, 0, NULL, 0, 100, 100, 0, FAULT_TIMEOUT, | |
709 | 1, &client2); | |
710 | try_connect("AO+MD5 server: MD5 client (misconfig, non-matching)", | |
711 | port++, &addr_any, 0, NULL, 0, 100, 100, 0, FAULT_TIMEOUT, | |
712 | 1, &client3); | |
713 | try_connect("AO+MD5 server: no sign client (unmatched)", | |
714 | port++, NULL, 0, NULL, 0, 100, 100, 0, 0, 1, &client3); | |
715 | try_connect("AO+MD5 server: no sign client (misconfig, matching AO)", | |
716 | port++, NULL, 0, NULL, 0, 100, 100, 0, FAULT_TIMEOUT, | |
717 | 1, &client2); | |
718 | try_connect("AO+MD5 server: no sign client (misconfig, matching MD5)", | |
719 | port++, NULL, 0, NULL, 0, 100, 100, 0, FAULT_TIMEOUT, | |
720 | 1, &this_ip_addr); | |
721 | ||
722 | try_connect("AO+MD5 server: client with both [TCP-MD5] and TCP-AO keys", | |
723 | port++, &this_ip_addr, TEST_PREFIX, | |
724 | &client2, TEST_PREFIX, 100, 100, 0, FAULT_KEYREJECT, | |
725 | 1, &this_ip_addr); | |
726 | try_connect("AO+MD5 server: client with both TCP-MD5 and [TCP-AO] keys", | |
727 | port++, &this_ip_addr, TEST_PREFIX, | |
728 | &client2, TEST_PREFIX, 100, 100, 0, FAULT_KEYREJECT, | |
729 | 1, &client2); | |
730 | ||
731 | client_add_fail_tests(&port); | |
732 | client_vrf_tests(&port); | |
733 | ||
734 | return NULL; | |
735 | } | |
736 | ||
737 | int main(int argc, char *argv[]) | |
738 | { | |
739 | test_init(72, server_fn, client_fn); | |
740 | return 0; | |
741 | } |