From: Dmitry Safonov
To: Eric Dumazet , "David S. Miller" , linux-kernel@vger.kernel.org
Cc: Dmitry Safonov , Andy Lutomirski , Ard Biesheuvel , Bob Gilligan , David Ahern , Dmitry Safonov <0x7f454c46@gmail.com>, Eric Biggers , Francesco Ruggeri , Herbert Xu , Hideaki YOSHIFUJI , Ivan Delalande , Jakub Kicinski , Leonard Crestez , Paolo Abeni , Salam Noureddine , Shuah Khan , netdev@vger.kernel.org, linux-crypto@vger.kernel.org
Subject: [PATCH 28/31] selftest/tcp-ao: Add a test for MKT matching
Date: Thu, 18 Aug 2022 18:00:02 +0100
Message-Id: <20220818170005.747015-29-dima@arista.com>
In-Reply-To: <20220818170005.747015-1-dima@arista.com>
References: <20220818170005.747015-1-dima@arista.com>
X-Mailing-List: linux-crypto@vger.kernel.org

Add TCP-AO tests on connect()/accept() pair. SNMP counters exposed by the
kernel are very useful here to verify the expected behavior of TCP-AO.

Signed-off-by: Dmitry Safonov
---
 tools/testing/selftests/net/tcp_ao/Makefile | 2 +-
 .../selftests/net/tcp_ao/connect-deny.c | 217 ++++++++++++++++++
 2 files changed, 218 insertions(+), 1 deletion(-)
 create mode 100644 tools/testing/selftests/net/tcp_ao/connect-deny.c

diff --git a/tools/testing/selftests/net/tcp_ao/Makefile b/tools/testing/selftests/net/tcp_ao/Makefile
index a178bde0af08..5064e34ebe38 100644
--- a/tools/testing/selftests/net/tcp_ao/Makefile
+++ b/tools/testing/selftests/net/tcp_ao/Makefile
@@ -1,5 +1,5 @@ # SPDX-License-Identifier: GPL-2.0 -TEST_BOTH_AF := connect icmps-discard icmps-accept +TEST_BOTH_AF := connect icmps-discard icmps-accept connect-deny TEST_IPV4_PROGS := $(TEST_BOTH_AF:%=%_ipv4) TEST_IPV6_PROGS := $(TEST_BOTH_AF:%=%_ipv6) diff --git a/tools/testing/selftests/net/tcp_ao/connect-deny.c b/tools/testing/selftests/net/tcp_ao/connect-deny.c new file mode 100644 index 000000000000..cf71dda52c49 --- /dev/null +++ b/tools/testing/selftests/net/tcp_ao/connect-deny.c 
@@ -0,0 +1,217 @@ +// SPDX-License-Identifier: GPL-2.0 +/* Author: Dmitry Safonov */ +#include +#include "aolib.h" + +typedef uint8_t fault_t; +#define F_TIMEOUT 1 +#define F_KEYREJECT 2 + +#define fault(type) (inj == type) + +static void try_accept(const char *tst_name, unsigned port, const char *pwd, + union tcp_addr addr, uint8_t prefix, + uint8_t sndid, uint8_t rcvid, const char *cnt_name, + fault_t inj) +{ + uint64_t before_cnt, after_cnt; + int lsk, err, sk = 0; + time_t timeout; + + lsk = test_listen_socket(this_ip_addr, port, 1); + + if (pwd && test_set_ao(lsk, pwd, 0, addr, prefix, sndid, rcvid)) + test_error("setsockopt(TCP_AO)"); + + if (cnt_name) + before_cnt = netstat_get_one(cnt_name, NULL); + + synchronize_threads(); /* preparations done */ + + timeout = fault(F_TIMEOUT) ? TEST_RETRANSMIT_SEC : TEST_TIMEOUT_SEC; + err = test_wait_fd(lsk, timeout, 0); + if (err < 0) + test_error("test_wait_fd()"); + else if (!err) { + if (!fault(F_TIMEOUT)) + test_fail("timeouted for accept()"); + } else { + if (fault(F_TIMEOUT)) + test_fail("ready to accept"); + + sk = accept(lsk, NULL, NULL); + if (sk < 0) { + test_error("accept()"); + } else { + if (fault(F_TIMEOUT)) + test_fail("%s: accepted", tst_name); + } + } + + close(lsk); + + if (!cnt_name) + goto out; + + after_cnt = netstat_get_one(cnt_name, NULL); + + if (after_cnt <= before_cnt) { + test_fail("%s: %s counter did not increase: %zu <= %zu", + tst_name, cnt_name, after_cnt, before_cnt); + } else { + test_ok("%s: counter %s increased %zu => %zu", + tst_name, cnt_name, before_cnt, after_cnt); + } + +out: + synchronize_threads(); /* close() */ + if (sk > 0) + close(sk); +} + +static void *server_fn(void *arg) +{ + union tcp_addr wrong_addr, network_addr; + unsigned port = test_server_port; + + if (inet_pton(TEST_FAMILY, TEST_WRONG_IP, &wrong_addr) != 1) + test_error("Can't convert ip address %s", TEST_WRONG_IP); + + try_accept("Non-AO server + AO client", port++, NULL, + this_ip_dest, -1, 100, 100, 
"TCPAOKeyNotFound", F_TIMEOUT); + + try_accept("AO server + Non-AO client", port++, "password", + this_ip_dest, -1, 100, 100, "TCPAORequired", F_TIMEOUT); + + try_accept("Wrong password", port++, "password2", + this_ip_dest, -1, 100, 100, "TCPAOBad", F_TIMEOUT); + + try_accept("Wrong rcv id", port++, "password", + this_ip_dest, -1, 100, 101, "TCPAOKeyNotFound", F_TIMEOUT); + + try_accept("Wrong snd id", port++, "password", + this_ip_dest, -1, 101, 100, "TCPAOGood", F_TIMEOUT); + + try_accept("Server: Wrong addr", port++, "password", + wrong_addr, -1, 100, 100, "TCPAOKeyNotFound", F_TIMEOUT); + + try_accept("Client: Wrong addr", port++, NULL, + this_ip_dest, -1, 100, 100, NULL, F_TIMEOUT); + + try_accept("rcv id != snd id", port++, "password", + this_ip_dest, -1, 200, 100, "TCPAOGood", 0); + + if (inet_pton(TEST_FAMILY, TEST_NETWORK, &network_addr) != 1) + test_error("Can't convert ip address %s", TEST_NETWORK); + + try_accept("Server: prefix match", port++, "password", + network_addr, 16, 100, 100, "TCPAOGood", 0); + + try_accept("Client: prefix match", port++, "password", + this_ip_dest, -1, 100, 100, "TCPAOGood", 0); + + /* client exits */ + synchronize_threads(); + return NULL; +} + +static void try_connect(const char *tst_name, unsigned port, + const char *pwd, union tcp_addr addr, uint8_t prefix, + uint8_t sndid, uint8_t rcvid, fault_t inj) +{ + time_t timeout; + int sk, ret; + + sk = socket(test_family, SOCK_STREAM, IPPROTO_TCP); + if (sk < 0) + test_error("socket()"); + + if (pwd && test_set_ao(sk, pwd, 0, addr, prefix, sndid, rcvid)) + test_error("setsockopt(TCP_AO)"); + + synchronize_threads(); /* preparations done */ + + timeout = fault(F_TIMEOUT) ? 
TEST_RETRANSMIT_SEC : TEST_TIMEOUT_SEC; + ret = _test_connect_socket(sk, this_ip_dest, port, timeout); + + if (ret < 0) { + if (fault(F_KEYREJECT) && ret == -EKEYREJECTED) { + test_ok("%s: connect() was prevented", tst_name); + goto out; + } else if (ret == -ECONNREFUSED && + (fault(F_TIMEOUT) || fault(F_KEYREJECT))) { + test_ok("%s: refused to connect", tst_name); + goto out; + } else { + test_error("%s: connect() returned %d", tst_name, ret); + } + } + + if (ret == 0) { + if (fault(F_TIMEOUT)) + test_ok("%s", tst_name); + else + test_fail("%s: failed to connect()", tst_name); + } else { + if (fault(F_TIMEOUT) || fault(F_KEYREJECT)) + test_fail("%s: connected", tst_name); + else + test_ok("%s: connected", tst_name); + } + +out: + synchronize_threads(); /* close() */ + + if (ret > 0) + close(sk); +} + +static void *client_fn(void *arg) +{ + union tcp_addr wrong_addr, network_addr; + unsigned port = test_server_port; + + if (inet_pton(TEST_FAMILY, TEST_WRONG_IP, &wrong_addr) != 1) + test_error("Can't convert ip address %s", TEST_WRONG_IP); + + try_connect("Non-AO server + AO client", port++, "password", + this_ip_dest, -1, 100, 100, F_TIMEOUT); + + try_connect("AO server + Non-AO client", port++, NULL, + this_ip_dest, -1, 100, 100, F_TIMEOUT); + + try_connect("Wrong password", port++, "password", + this_ip_dest, -1, 100, 100, F_TIMEOUT); + + try_connect("Wrong rcv id", port++, "password", + this_ip_dest, -1, 100, 100, F_TIMEOUT); + + try_connect("Wrong snd id", port++, "password", + this_ip_dest, -1, 100, 100, F_TIMEOUT); + + try_connect("Server: Wrong addr", port++, "password", + this_ip_dest, -1, 100, 100, F_TIMEOUT); + + try_connect("Client: Wrong addr", port++, "password", + wrong_addr, -1, 100, 100, F_KEYREJECT); + + try_connect("rcv id != snd id", port++, "password", + this_ip_dest, -1, 100, 200, 0); + + if (inet_pton(TEST_FAMILY, TEST_NETWORK, &network_addr) != 1) + test_error("Can't convert ip address %s", TEST_NETWORK); + + try_connect("Server: prefix 
match", port++, "password", + this_ip_dest, -1, 100, 100, 0); + + try_connect("Client: prefix match", port++, "password", + network_addr, 16, 100, 100, 0); + + return NULL; +} + +int main(int argc, char *argv[]) +{ + test_init(20, server_fn, client_fn); + return 0; +} -- 2.37.2
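Review bot: in connect-deny.c, the `out:` path of try_connect() only closes the socket when `ret > 0`, so the descriptor leaks on every timeout case (`ret == 0`) and on the `-EKEYREJECTED` / `-ECONNREFUSED` branches that `goto out`; `sk` is a valid fd at that point regardless of `ret`, so the `close(sk)` should be unconditional (or guarded on `sk >= 0`, as try_accept() already does for the accepted socket). Two smaller points in the same file: `before_cnt` and `after_cnt` are `uint64_t` but are printed with `%zu` in the test_fail()/test_ok() messages, which is the size_t conversion and mismatches on 32-bit targets, so use `%" PRIu64 "` (or cast to unsigned long long with `%llu`); and `before_cnt` is only assigned when `cnt_name` is set, so while the later read is guarded by the same condition, initialising it to 0 avoids a maybe-uninitialized warning. Finally, the message "timeouted for accept()" would read better as "timed out waiting for accept()".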