From: Dmitry Safonov
To: linux-kernel@vger.kernel.org, David Ahern, Eric Dumazet
Cc: Dmitry Safonov, Andy Lutomirski, Ard Biesheuvel, Bob Gilligan, Dan Carpenter, "David S. Miller", Dmitry Safonov <0x7f454c46@gmail.com>, Eric Biggers, "Eric W. Biederman", Francesco Ruggeri, Herbert Xu, Hideaki YOSHIFUJI, Ivan Delalande, Jakub Kicinski, Leonard Crestez, Paolo Abeni, Salam Noureddine, Shuah Khan, netdev@vger.kernel.org, linux-crypto@vger.kernel.org
Subject: [PATCH v3 29/36] selftest/tcp-ao: Add a test for MKT matching
Date: Thu, 27 Oct 2022 21:43:40 +0100
Message-Id: <20221027204347.529913-30-dima@arista.com>
X-Mailer: git-send-email 2.38.1
In-Reply-To: <20221027204347.529913-1-dima@arista.com>
References: <20221027204347.529913-1-dima@arista.com>

Add TCP-AO tests on a connect()/accept() pair. SNMP counters exposed by the kernel are very useful here to verify the expected behavior of TCP-AO.

Signed-off-by: Dmitry Safonov
---
 tools/testing/selftests/net/tcp_ao/Makefile | 2 +-
 .../selftests/net/tcp_ao/connect-deny.c | 217 ++++++++++++++++++
 2 files changed, 218 insertions(+), 1 deletion(-)
 create mode 100644 tools/testing/selftests/net/tcp_ao/connect-deny.c

diff --git a/tools/testing/selftests/net/tcp_ao/Makefile b/tools/testing/selftests/net/tcp_ao/Makefile
index a178bde0af08..5064e34ebe38 100644
--- a/tools/testing/selftests/net/tcp_ao/Makefile
+++ b/tools/testing/selftests/net/tcp_ao/Makefile
@@ -1,5 +1,5 @@ # SPDX-License-Identifier: GPL-2.0 -TEST_BOTH_AF := connect icmps-discard icmps-accept +TEST_BOTH_AF := connect icmps-discard icmps-accept connect-deny TEST_IPV4_PROGS := $(TEST_BOTH_AF:%=%_ipv4) TEST_IPV6_PROGS := $(TEST_BOTH_AF:%=%_ipv6) diff --git a/tools/testing/selftests/net/tcp_ao/connect-deny.c b/tools/testing/selftests/net/tcp_ao/connect-deny.c new file mode 100644 index 000000000000..8f1b067e611f --- /dev/null +++ b/tools/testing/selftests/net/tcp_ao/connect-deny.c 
@@ -0,0 +1,217 @@ +// SPDX-License-Identifier: GPL-2.0 +/* Author: Dmitry Safonov */ +#include +#include "aolib.h" + +typedef uint8_t fault_t; +#define F_TIMEOUT 1 +#define F_KEYREJECT 2 + +#define fault(type) (inj == type) + +static void try_accept(const char *tst_name, unsigned int port, const char *pwd, + union tcp_addr addr, uint8_t prefix, + uint8_t sndid, uint8_t rcvid, const char *cnt_name, + fault_t inj) +{ + uint64_t before_cnt, after_cnt; + int lsk, err, sk = 0; + time_t timeout; + + lsk = test_listen_socket(this_ip_addr, port, 1); + + if (pwd && test_set_ao(lsk, pwd, 0, addr, prefix, sndid, rcvid)) + test_error("setsockopt(TCP_AO)"); + + if (cnt_name) + before_cnt = netstat_get_one(cnt_name, NULL); + + synchronize_threads(); /* preparations done */ + + timeout = fault(F_TIMEOUT) ? TEST_RETRANSMIT_SEC : TEST_TIMEOUT_SEC; + err = test_wait_fd(lsk, timeout, 0); + if (err < 0) + test_error("test_wait_fd()"); + else if (!err) { + if (!fault(F_TIMEOUT)) + test_fail("timeouted for accept()"); + } else { + if (fault(F_TIMEOUT)) + test_fail("ready to accept"); + + sk = accept(lsk, NULL, NULL); + if (sk < 0) { + test_error("accept()"); + } else { + if (fault(F_TIMEOUT)) + test_fail("%s: accepted", tst_name); + } + } + + close(lsk); + + if (!cnt_name) + goto out; + + after_cnt = netstat_get_one(cnt_name, NULL); + + if (after_cnt <= before_cnt) { + test_fail("%s: %s counter did not increase: %zu <= %zu", + tst_name, cnt_name, after_cnt, before_cnt); + } else { + test_ok("%s: counter %s increased %zu => %zu", + tst_name, cnt_name, before_cnt, after_cnt); + } + +out: + synchronize_threads(); /* close() */ + if (sk > 0) + close(sk); +} + +static void *server_fn(void *arg) +{ + union tcp_addr wrong_addr, network_addr; + unsigned int port = test_server_port; + + if (inet_pton(TEST_FAMILY, TEST_WRONG_IP, &wrong_addr) != 1) + test_error("Can't convert ip address %s", TEST_WRONG_IP); + + try_accept("Non-AO server + AO client", port++, NULL, + this_ip_dest, -1, 100, 100, 
"TCPAOKeyNotFound", F_TIMEOUT); + + try_accept("AO server + Non-AO client", port++, "password", + this_ip_dest, -1, 100, 100, "TCPAORequired", F_TIMEOUT); + + try_accept("Wrong password", port++, "password2", + this_ip_dest, -1, 100, 100, "TCPAOBad", F_TIMEOUT); + + try_accept("Wrong rcv id", port++, "password", + this_ip_dest, -1, 100, 101, "TCPAOKeyNotFound", F_TIMEOUT); + + try_accept("Wrong snd id", port++, "password", + this_ip_dest, -1, 101, 100, "TCPAOGood", F_TIMEOUT); + + try_accept("Server: Wrong addr", port++, "password", + wrong_addr, -1, 100, 100, "TCPAOKeyNotFound", F_TIMEOUT); + + try_accept("Client: Wrong addr", port++, NULL, + this_ip_dest, -1, 100, 100, NULL, F_TIMEOUT); + + try_accept("rcv id != snd id", port++, "password", + this_ip_dest, -1, 200, 100, "TCPAOGood", 0); + + if (inet_pton(TEST_FAMILY, TEST_NETWORK, &network_addr) != 1) + test_error("Can't convert ip address %s", TEST_NETWORK); + + try_accept("Server: prefix match", port++, "password", + network_addr, 16, 100, 100, "TCPAOGood", 0); + + try_accept("Client: prefix match", port++, "password", + this_ip_dest, -1, 100, 100, "TCPAOGood", 0); + + /* client exits */ + synchronize_threads(); + return NULL; +} + +static void try_connect(const char *tst_name, unsigned int port, + const char *pwd, union tcp_addr addr, uint8_t prefix, + uint8_t sndid, uint8_t rcvid, fault_t inj) +{ + time_t timeout; + int sk, ret; + + sk = socket(test_family, SOCK_STREAM, IPPROTO_TCP); + if (sk < 0) + test_error("socket()"); + + if (pwd && test_set_ao(sk, pwd, 0, addr, prefix, sndid, rcvid)) + test_error("setsockopt(TCP_AO)"); + + synchronize_threads(); /* preparations done */ + + timeout = fault(F_TIMEOUT) ? 
TEST_RETRANSMIT_SEC : TEST_TIMEOUT_SEC; + ret = _test_connect_socket(sk, this_ip_dest, port, timeout); + + if (ret < 0) { + if (fault(F_KEYREJECT) && ret == -EKEYREJECTED) { + test_ok("%s: connect() was prevented", tst_name); + goto out; + } else if (ret == -ECONNREFUSED && + (fault(F_TIMEOUT) || fault(F_KEYREJECT))) { + test_ok("%s: refused to connect", tst_name); + goto out; + } else { + test_error("%s: connect() returned %d", tst_name, ret); + } + } + + if (ret == 0) { + if (fault(F_TIMEOUT)) + test_ok("%s", tst_name); + else + test_fail("%s: failed to connect()", tst_name); + } else { + if (fault(F_TIMEOUT) || fault(F_KEYREJECT)) + test_fail("%s: connected", tst_name); + else + test_ok("%s: connected", tst_name); + } + +out: + synchronize_threads(); /* close() */ + + if (ret > 0) + close(sk); +} + +static void *client_fn(void *arg) +{ + union tcp_addr wrong_addr, network_addr; + unsigned int port = test_server_port; + + if (inet_pton(TEST_FAMILY, TEST_WRONG_IP, &wrong_addr) != 1) + test_error("Can't convert ip address %s", TEST_WRONG_IP); + + try_connect("Non-AO server + AO client", port++, "password", + this_ip_dest, -1, 100, 100, F_TIMEOUT); + + try_connect("AO server + Non-AO client", port++, NULL, + this_ip_dest, -1, 100, 100, F_TIMEOUT); + + try_connect("Wrong password", port++, "password", + this_ip_dest, -1, 100, 100, F_TIMEOUT); + + try_connect("Wrong rcv id", port++, "password", + this_ip_dest, -1, 100, 100, F_TIMEOUT); + + try_connect("Wrong snd id", port++, "password", + this_ip_dest, -1, 100, 100, F_TIMEOUT); + + try_connect("Server: Wrong addr", port++, "password", + this_ip_dest, -1, 100, 100, F_TIMEOUT); + + try_connect("Client: Wrong addr", port++, "password", + wrong_addr, -1, 100, 100, F_KEYREJECT); + + try_connect("rcv id != snd id", port++, "password", + this_ip_dest, -1, 100, 200, 0); + + if (inet_pton(TEST_FAMILY, TEST_NETWORK, &network_addr) != 1) + test_error("Can't convert ip address %s", TEST_NETWORK); + + try_connect("Server: prefix 
match", port++, "password", + this_ip_dest, -1, 100, 100, 0); + + try_connect("Client: prefix match", port++, "password", + network_addr, 16, 100, 100, 0); + + return NULL; +} + +int main(int argc, char *argv[]) +{ + test_init(19, server_fn, client_fn); + return 0; +} -- 2.38.1
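Review bot: In the connect-deny.c hunk, try_connect() leaks the client socket on every path except a successful connect: `sk` is created by socket() at the top of the function, but the only close is `if (ret > 0) close(sk);` after `out:`, so the two `goto out` branches (-EKEYREJECTED and -ECONNREFUSED) and the `ret == 0` timeout case, which is the expected outcome for most of the F_TIMEOUT cases in client_fn(), never close it. Unless _test_connect_socket() closes the fd on failure (not visible in this patch), make the close unconditional, e.g. plain `close(sk);` after the `synchronize_threads(); /* close() */` at `out:`. Two smaller points in the same hunk: the counter messages in try_accept() print uint64_t values with `%zu`, which is the size_t conversion and will warn or misprint on 32-bit builds, so PRIu64 (or a cast) is the portable choice; and the "Wrong snd id" case, which expects TCPAOGood to increase while the client times out, deserves a one-line comment explaining why: the server's rcvid 100 matches the client's sndid 100, so the SYN verifies and is counted as good on the server, and it is the SYN-ACK signed with the server's sndid 101 that the client, holding only rcvid 100, cannot match. The message "timeouted for accept()" would also read better as "timed out waiting for accept()".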