1 // SPDX-License-Identifier: GPL-2.0
2 /*
3 * ipsec.c - Check xfrm on veth inside a net-ns.
4 * Copyright (c) 2018 Dmitry Safonov
5 */
6
7 #define _GNU_SOURCE
8
9 #include <arpa/inet.h>
10 #include <asm/types.h>
11 #include <errno.h>
12 #include <fcntl.h>
13 #include <limits.h>
14 #include <linux/limits.h>
15 #include <linux/netlink.h>
16 #include <linux/random.h>
17 #include <linux/rtnetlink.h>
18 #include <linux/veth.h>
19 #include <linux/xfrm.h>
20 #include <netinet/in.h>
21 #include <net/if.h>
22 #include <sched.h>
23 #include <stdbool.h>
24 #include <stdint.h>
25 #include <stdio.h>
26 #include <stdlib.h>
27 #include <string.h>
28 #include <sys/mman.h>
29 #include <sys/socket.h>
30 #include <sys/stat.h>
31 #include <sys/syscall.h>
32 #include <sys/types.h>
33 #include <sys/wait.h>
34 #include <time.h>
35 #include <unistd.h>
36
37 #include "../kselftest.h"
38
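/* Log through kselftest, prefixed with "<pid>[<line>] " of the call site. */
#define printk(fmt, ...) \
	ksft_print_msg("%d[%u] " fmt "\n", getpid(), __LINE__, ##__VA_ARGS__)

/* printk() plus the current errno text (": %m"); use right after the failing call. */
#define pr_err(fmt, ...) printk(fmt ": %m", ##__VA_ARGS__)

#define ARRAY_SIZE(arr) (sizeof(arr) / sizeof((arr)[0]))
/* Compile-time assertion: a negative array size is a hard compile error. */
#define BUILD_BUG_ON(condition) ((void)sizeof(char[1 - 2*!!(condition)]))

#define IPV4_STR_SZ 16 /* xxx.xxx.xxx.xxx is longest + \0 */
#define MAX_PAYLOAD 2048 /* attribute space in each netlink request below */
#define XFRM_ALGO_KEY_BUF_SIZE 512 /* key scratch space in xfrm_state_pack_algo() */
#define MAX_PROCESSES (1 << 14) /* /16 mask divided by /30 subnets */
#define INADDR_A ((in_addr_t) 0x0a000000) /* 10.0.0.0 */
#define INADDR_B ((in_addr_t) 0xc0a80000) /* 192.168.0.0 */

/* /30 mask for one veth connection */
#define PREFIX_LEN 30
/*
 * Host numbers of the two ends of connection nr inside its /30. The
 * argument is parenthesised so that an expression such as child_ip(i + 1)
 * evaluates as intended (the original expanded to 4*i + 1 + 1).
 */
#define child_ip(nr) (4 * (nr) + 1)
#define grchild_ip(nr) (4 * (nr) + 2)

#define VETH_FMT "ktst-%d"
#define VETH_LEN 12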
61
/* Net-namespace fds opened by init_namespaces(); -1 until then. */
static int nsfd_parent = -1;
static int nsfd_childa = -1;
static int nsfd_childb = -1;
/* Set elsewhere (presumably from sysconf); do_ping() uses it as the ping payload size. */
static long page_size;

/*
 * ksft_cnt is static in kselftest, so isn't shared with children.
 * We have to send a test result back to parent and count there.
 * results_fd is a pipe with test feedback from children.
 */
static int results_fd[2];

/* Pause between two probes in do_ping() (goes into timespec.tv_nsec). */
const unsigned int ping_delay_nsec = 50 * 1000 * 1000;
/* Per-probe receive timeout in MICROseconds (goes into timeval.tv_usec in udp_ping_init()). */
const unsigned int ping_timeout = 300;
/* Probes per exchange, and how many of them must succeed for the exchange to pass. */
const unsigned int ping_count = 100;
const unsigned int ping_success = 80;
78
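/*
 * Fill buf[0..buflen) with bytes taken from rand().
 *
 * The buffer is filled one int at a time; a tail shorter than an int gets
 * the leading bytes of one more rand() value. Writes go through memcpy()
 * so buf does not have to be int-aligned (the original stored through an
 * int* into caller-supplied char arrays, which is UB on misaligned input).
 *
 * Security note: rand() is not a CSPRNG. This is only used for netlink
 * sequence numbers and throw-away xfrm keys in a private test netns.
 */
static void randomize_buffer(void *buf, size_t buflen)
{
	unsigned char *out = buf;
	size_t words = buflen / sizeof(int);
	size_t leftover = buflen % sizeof(int);

	if (!buflen)
		return;

	while (words--) {
		int word = rand();

		memcpy(out, &word, sizeof(word));
		out += sizeof(word);
	}

	if (leftover) {
		int tail = rand();

		memcpy(out, &tail, leftover);
	}
}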
99
/*
 * Move the calling thread into a brand-new net namespace and return an fd
 * referring to it (opened from /proc/self/ns/net), or -1 on error.
 *
 * unshare(CLONE_NEWNET) needs CAP_SYS_ADMIN, so the test must run
 * privileged. The fd is later handed to the kernel via IFLA_NET_NS_FD
 * (veth_add()) and setns() (switch_ns()). An fd of 0 is reported as a
 * failure, matching the `<= 0` checks in init_namespaces().
 */
static int unshare_open(void)
{
	static const char netns_path[] = "/proc/self/ns/net";
	int nsfd;

	if (unshare(CLONE_NEWNET)) {
		pr_err("unshare()");
		return -1;
	}

	nsfd = open(netns_path, O_RDONLY);
	if (nsfd > 0)
		return nsfd;

	pr_err("open(%s)", netns_path);
	return -1;
}
118
/* Enter the net namespace referred to by fd via setns(); 0 on success, -1 (logged) on error. */
static int switch_ns(int fd)
{
	int rc = setns(fd, CLONE_NEWNET);

	if (rc == 0)
		return 0;

	pr_err("setns()");
	return -1;
}
127
/*
 * Run the test inside a freshly created parent net namespace so that
 * there is less to clean up on the error path.
 */
/*
 * Create the three net namespaces used by the test and leave the caller
 * in the parent one.
 *
 * unshare_open() leaves the thread inside the namespace it just created,
 * so after creating childa we switch back to the parent before creating
 * childb, and once more at the end. On failure -1 is returned; fds already
 * opened are left as they are (the parent netns is throw-away anyway).
 */
static int init_namespaces(void)
{
	int *slots[] = { &nsfd_parent, &nsfd_childa, &nsfd_childb };
	unsigned int i;

	for (i = 0; i < ARRAY_SIZE(slots); i++) {
		/* childb must be created from the parent ns, not from childa */
		if (i == 2 && switch_ns(nsfd_parent))
			return -1;

		*slots[i] = unshare_open();
		if (*slots[i] <= 0)
			return -1;
	}

	return switch_ns(nsfd_parent) ? -1 : 0;
}
153
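/*
 * Lazily open a netlink socket of protocol proto into *sock.
 *
 * If *sock is already open (> 0), only *seq_nr is advanced and 0 is
 * returned. Otherwise a SOCK_RAW|SOCK_CLOEXEC socket is created and
 * *seq_nr is seeded from rand() — netlink only needs it to pair replies
 * with requests. Returns -1 (logged) if socket() fails.
 *
 * Fix: the original did `seq_nr++`, which incremented the local pointer
 * and left the caller's sequence number unchanged.
 */
static int netlink_sock(int *sock, uint32_t *seq_nr, int proto)
{
	if (*sock > 0) {
		(*seq_nr)++;
		return 0;
	}

	*sock = socket(AF_NETLINK, SOCK_RAW | SOCK_CLOEXEC, proto);
	if (*sock <= 0) {
		pr_err("socket(AF_NETLINK)");
		return -1;
	}

	randomize_buffer(seq_nr, sizeof(*seq_nr));

	return 0;
}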
171
/* Address of the next attribute slot: message start plus its RTA-aligned length. */
static inline struct rtattr *rtattr_hdr(struct nlmsghdr *nh)
{
	char *base = (char *)nh;

	return (struct rtattr *)(base + RTA_ALIGN(nh->nlmsg_len));
}
176
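/*
 * Append one rtattr (rta_type, payload[size]) to the netlink message at nh,
 * which lives in a buffer of req_sz bytes, and bump nh->nlmsg_len.
 *
 * The message length is RTA-aligned before the new header; the bytes
 * skipped by that alignment are not written here, so callers must start
 * from a zeroed buffer (every request struct below is memset()).
 * size 0 with a NULL payload is allowed (rtattr_begin() uses it for
 * nested attributes) and then nothing is memcpy()'d.
 *
 * Returns 0, or -1 if the attribute would not fit in req_sz or its length
 * would not fit the 16-bit rta_len (the original silently truncated it).
 */
static int rtattr_pack(struct nlmsghdr *nh, size_t req_sz,
		       unsigned short rta_type, const void *payload, size_t size)
{
	/* NLMSG_ALIGNTO == RTA_ALIGNTO, nlmsg_len already aligned */
	struct rtattr *attr = rtattr_hdr(nh);
	size_t nl_size;

	if (size > USHRT_MAX - RTA_LENGTH(0)) {
		printk("rtattr payload too large: %zu", size);
		return -1;
	}

	nl_size = RTA_ALIGN(nh->nlmsg_len) + RTA_LENGTH(size);
	if (req_sz < nl_size) {
		printk("req buf is too small: %zu < %zu", req_sz, nl_size);
		return -1;
	}
	nh->nlmsg_len = nl_size;

	attr->rta_len = RTA_LENGTH(size);
	attr->rta_type = rta_type;
	if (size)
		memcpy(RTA_DATA(attr), payload, size);

	return 0;
}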
196
/*
 * Open an attribute that will hold nested attributes: pack it like any
 * other (with an optional fixed header payload) and hand back its address
 * so rtattr_end() can patch rta_len once the nested ones are in.
 * Returns NULL if the attribute did not fit.
 */
static struct rtattr *_rtattr_begin(struct nlmsghdr *nh, size_t req_sz,
				    unsigned short rta_type, const void *payload, size_t size)
{
	struct rtattr *opened = rtattr_hdr(nh);
	int rc = rtattr_pack(nh, req_sz, rta_type, payload, size);

	return rc ? NULL : opened;
}
207
/* Open an empty nested attribute (no header payload); see _rtattr_begin(). */
static inline struct rtattr *rtattr_begin(struct nlmsghdr *nh, size_t req_sz,
					  unsigned short rta_type)
{
	const void *no_payload = NULL;

	return _rtattr_begin(nh, req_sz, rta_type, no_payload, 0);
}
213
/*
 * Close a nested attribute opened by rtattr_begin()/_rtattr_begin(): its
 * rta_len becomes the span from the attribute header to the current end
 * of the message, i.e. everything packed since it was opened.
 */
static inline void rtattr_end(struct nlmsghdr *nh, struct rtattr *attr)
{
	char *msg_start = (char *)nh;
	char *attr_start = (char *)attr;
	size_t span = (size_t)((msg_start + nh->nlmsg_len) - attr_start);

	attr->rta_len = span;
}
220
/*
 * Pack the VETH_INFO_PEER attribute describing the second veth end: an
 * ifinfomsg header, the peer's IFLA_IFNAME and the IFLA_NET_NS_FD it is
 * to be created in. Returns 0, or -1 if something did not fit.
 */
static int veth_pack_peerb(struct nlmsghdr *nh, size_t req_sz,
			   const char *peer, int ns)
{
	struct ifinfomsg peer_info = {
		.ifi_family = AF_UNSPEC,
		.ifi_change = 0xFFFFFFFF,
	};
	struct rtattr *nest;

	nest = _rtattr_begin(nh, req_sz, VETH_INFO_PEER, &peer_info, sizeof(peer_info));
	if (!nest)
		return -1;

	if (rtattr_pack(nh, req_sz, IFLA_IFNAME, peer, strlen(peer)) ||
	    rtattr_pack(nh, req_sz, IFLA_NET_NS_FD, &ns, sizeof(ns)))
		return -1;

	rtattr_end(nh, nest);

	return 0;
}
245
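/*
 * Read the kernel's reply to a request sent with NLM_F_ACK and report it.
 *
 * Returns 0 on a clean ack, the (negative) errno carried by the
 * NLMSG_ERROR message if the request was rejected, or -1 if recv() fails,
 * the reply is not an NLMSG_ERROR, or it is too short to hold the error
 * code. The original read answer.error without checking how many bytes
 * recv() had actually returned. Extended-ack attributes that may follow
 * the echoed header land in attrbuf and are ignored; netlink truncates
 * silently, hence the generous buffer.
 */
static int netlink_check_answer(int sock)
{
	struct {
		struct nlmsghdr hdr;
		struct nlmsgerr err;	/* error code + echoed request header */
		char attrbuf[MAX_PAYLOAD];
	} answer;
	ssize_t len;

	len = recv(sock, &answer, sizeof(answer), 0);
	if (len < 0) {
		pr_err("recv()");
		return -1;
	}

	if (!NLMSG_OK(&answer.hdr, len)) {
		printk("short netlink reply: %zd bytes", len);
		return -1;
	}

	if (answer.hdr.nlmsg_type != NLMSG_ERROR) {
		printk("expected NLMSG_ERROR, got %d", (int)answer.hdr.nlmsg_type);
		return -1;
	}

	if (answer.hdr.nlmsg_len < NLMSG_LENGTH(sizeof(answer.err.error))) {
		printk("NLMSG_ERROR too short: %u bytes", answer.hdr.nlmsg_len);
		return -1;
	}

	if (answer.err.error) {
		printk("NLMSG_ERROR: %d: %s",
		       answer.err.error, strerror(-answer.err.error));
		return answer.err.error;
	}

	return 0;
}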
268
/*
 * Create a veth pair over rtnetlink: peera goes into netns fd ns_a and
 * peerb into ns_b, in a single RTM_NEWLINK (NLM_F_CREATE|NLM_F_EXCL, so
 * an existing name is an error). The top-level ifinfomsg plus
 * IFLA_IFNAME/IFLA_NET_NS_FD describe peera; the peer is nested under
 * IFLA_LINKINFO -> IFLA_INFO_DATA -> VETH_INFO_PEER (veth_pack_peerb()).
 * IFLA_INFO_KIND is sent including its terminating NUL. Returns
 * netlink_check_answer()'s result, or -1 on a pack/send failure.
 */
static int veth_add(int sock, uint32_t seq, const char *peera, int ns_a,
		    const char *peerb, int ns_b)
{
	struct {
		struct nlmsghdr nh;
		struct ifinfomsg info;
		char attrbuf[MAX_PAYLOAD];
	} req = {
		.nh = {
			.nlmsg_len = NLMSG_LENGTH(sizeof(struct ifinfomsg)),
			.nlmsg_type = RTM_NEWLINK,
			.nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK | NLM_F_EXCL | NLM_F_CREATE,
			.nlmsg_seq = seq,
		},
		.info = {
			.ifi_family = AF_UNSPEC,
			.ifi_change = 0xFFFFFFFF,
		},
	};
	static const char kind[] = "veth";
	const size_t sz = sizeof(req);
	struct rtattr *linkinfo, *infodata;

	if (rtattr_pack(&req.nh, sz, IFLA_IFNAME, peera, strlen(peera)) ||
	    rtattr_pack(&req.nh, sz, IFLA_NET_NS_FD, &ns_a, sizeof(ns_a)))
		return -1;

	linkinfo = rtattr_begin(&req.nh, sz, IFLA_LINKINFO);
	if (!linkinfo)
		return -1;
	if (rtattr_pack(&req.nh, sz, IFLA_INFO_KIND, kind, sizeof(kind)))
		return -1;

	infodata = rtattr_begin(&req.nh, sz, IFLA_INFO_DATA);
	if (!infodata)
		return -1;
	if (veth_pack_peerb(&req.nh, sz, peerb, ns_b))
		return -1;

	rtattr_end(&req.nh, infodata);
	rtattr_end(&req.nh, linkinfo);

	if (send(sock, &req, req.nh.nlmsg_len, 0) < 0) {
		pr_err("send()");
		return -1;
	}

	return netlink_check_answer(sock);
}
318
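/*
 * Assign IPv4 address addr/prefix to interface intf (RTM_NEWADDR with
 * NLM_F_CREATE|NLM_F_EXCL, so a duplicate is an error). IFA_LOCAL and
 * IFA_ADDRESS are both set to addr. Returns netlink_check_answer()'s
 * result, or -1 on a local failure — including an interface name that
 * if_nametoindex() does not know, which the original sent on as
 * ifa_index 0 and only surfaced as a kernel error.
 */
static int ip4_addr_set(int sock, uint32_t seq, const char *intf,
			struct in_addr addr, uint8_t prefix)
{
	uint16_t flags = NLM_F_REQUEST | NLM_F_ACK | NLM_F_EXCL | NLM_F_CREATE;
	struct {
		struct nlmsghdr nh;
		struct ifaddrmsg info;
		char attrbuf[MAX_PAYLOAD];
	} req;
	unsigned int ifindex = if_nametoindex(intf);

	if (!ifindex) {
		pr_err("if_nametoindex(%s)", intf);
		return -1;
	}

	memset(&req, 0, sizeof(req));
	req.nh.nlmsg_len = NLMSG_LENGTH(sizeof(req.info));
	req.nh.nlmsg_type = RTM_NEWADDR;
	req.nh.nlmsg_flags = flags;
	req.nh.nlmsg_seq = seq;
	req.info.ifa_family = AF_INET;
	req.info.ifa_prefixlen = prefix;
	req.info.ifa_index = ifindex;

#ifdef DEBUG
	{
		char addr_str[IPV4_STR_SZ] = {0};

		/* inet_ntoa() returns a static buffer; copy it before logging */
		strncpy(addr_str, inet_ntoa(addr), IPV4_STR_SZ - 1);

		printk("ip addr set %s", addr_str);
	}
#endif

	if (rtattr_pack(&req.nh, sizeof(req), IFA_LOCAL, &addr, sizeof(addr)) ||
	    rtattr_pack(&req.nh, sizeof(req), IFA_ADDRESS, &addr, sizeof(addr)))
		return -1;

	if (send(sock, &req, req.nh.nlmsg_len, 0) < 0) {
		pr_err("send()");
		return -1;
	}
	return netlink_check_answer(sock);
}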
360
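/*
 * Bring interface intf up: RTM_NEWLINK on its ifindex with
 * ifi_flags = IFF_UP and ifi_change = IFF_UP, so only that flag is
 * touched. Returns netlink_check_answer()'s result, or -1 on a local
 * failure (send() error, or an interface name if_nametoindex() does not
 * know — the original sent ifi_index 0 in that case). The original also
 * assigned ifi_change twice; only the IFF_UP mask is kept.
 */
static int link_set_up(int sock, uint32_t seq, const char *intf)
{
	struct {
		struct nlmsghdr nh;
		struct ifinfomsg info;
		char attrbuf[MAX_PAYLOAD];
	} req;
	unsigned int ifindex = if_nametoindex(intf);

	if (!ifindex) {
		pr_err("if_nametoindex(%s)", intf);
		return -1;
	}

	memset(&req, 0, sizeof(req));
	req.nh.nlmsg_len = NLMSG_LENGTH(sizeof(req.info));
	req.nh.nlmsg_type = RTM_NEWLINK;
	req.nh.nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
	req.nh.nlmsg_seq = seq;
	req.info.ifi_family = AF_UNSPEC;
	req.info.ifi_index = ifindex;
	req.info.ifi_flags = IFF_UP;
	req.info.ifi_change = IFF_UP;

	if (send(sock, &req, req.nh.nlmsg_len, 0) < 0) {
		pr_err("send()");
		return -1;
	}
	return netlink_check_answer(sock);
}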
386
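/*
 * Add a host route (/32) to dst via interface intf with src as preferred
 * source, link scope, main table (RTM_NEWROUTE, NLM_F_CREATE). Returns
 * netlink_check_answer()'s result, or -1 on a local failure — including
 * an interface name if_nametoindex() does not know, which the original
 * passed on as RTA_OIF 0.
 */
static int ip4_route_set(int sock, uint32_t seq, const char *intf,
			 struct in_addr src, struct in_addr dst)
{
	struct {
		struct nlmsghdr nh;
		struct rtmsg rt;
		char attrbuf[MAX_PAYLOAD];
	} req;
	unsigned int index = if_nametoindex(intf);

	if (!index) {
		pr_err("if_nametoindex(%s)", intf);
		return -1;
	}

	memset(&req, 0, sizeof(req));
	req.nh.nlmsg_len = NLMSG_LENGTH(sizeof(req.rt));
	req.nh.nlmsg_type = RTM_NEWROUTE;
	req.nh.nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK | NLM_F_CREATE;
	req.nh.nlmsg_seq = seq;
	req.rt.rtm_family = AF_INET;
	req.rt.rtm_dst_len = 32;	/* host route */
	req.rt.rtm_table = RT_TABLE_MAIN;
	req.rt.rtm_protocol = RTPROT_BOOT;
	req.rt.rtm_scope = RT_SCOPE_LINK;
	req.rt.rtm_type = RTN_UNICAST;

	if (rtattr_pack(&req.nh, sizeof(req), RTA_DST, &dst, sizeof(dst)) ||
	    rtattr_pack(&req.nh, sizeof(req), RTA_PREFSRC, &src, sizeof(src)) ||
	    rtattr_pack(&req.nh, sizeof(req), RTA_OIF, &index, sizeof(index)))
		return -1;

	if (send(sock, &req, req.nh.nlmsg_len, 0) < 0) {
		pr_err("send()");
		return -1;
	}

	return netlink_check_answer(sock);
}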
425
/*
 * Tunnel-side addressing for this end: tunsrc/PREFIX_LEN goes onto "lo"
 * (so the host owns its tunnel address) and a host route to tundst via
 * veth, with tunsrc as preferred source, is added. One sequence number is
 * consumed from *route_seq per request. Returns 0, or -1 after logging.
 */
static int tunnel_set_route(int route_sock, uint32_t *route_seq, char *veth,
			    struct in_addr tunsrc, struct in_addr tundst)
{
	int rc;

	rc = ip4_addr_set(route_sock, (*route_seq)++, "lo", tunsrc, PREFIX_LEN);
	if (rc) {
		printk("Failed to set ipv4 addr");
		return -1;
	}

	rc = ip4_route_set(route_sock, (*route_seq)++, veth, tunsrc, tundst);
	if (rc) {
		printk("Failed to set ipv4 route");
		return -1;
	}

	return 0;
}
442
/*
 * Configure one end of a veth link from inside netns nsfd, which this
 * thread enters with setns() and stays in afterwards.
 *
 * src/dst are host numbers: the veth gets inet_makeaddr(INADDR_B, src)/30,
 * the tunnel address inet_makeaddr(INADDR_A, src) goes onto "lo" and a
 * route to inet_makeaddr(INADDR_A, dst) via veth is added
 * (tunnel_set_route()). A fresh NETLINK_ROUTE socket is used for the
 * requests and closed before returning. Returns 0, or -1 after logging.
 */
static int init_child(int nsfd, char *veth, unsigned int src, unsigned int dst)
{
	struct in_addr veth_addr = inet_makeaddr(INADDR_B, src);
	struct in_addr tun_local = inet_makeaddr(INADDR_A, src);
	struct in_addr tun_remote = inet_makeaddr(INADDR_A, dst);
	uint32_t seq;
	int sock = -1;
	int rc = -1;

	if (switch_ns(nsfd))
		return -1;

	/* seq is seeded by netlink_sock() since sock is not open yet */
	if (netlink_sock(&sock, &seq, NETLINK_ROUTE)) {
		printk("Failed to open netlink route socket in child");
		return -1;
	}

	if (ip4_addr_set(sock, seq++, veth, veth_addr, PREFIX_LEN)) {
		printk("Failed to set ipv4 addr");
		goto out;
	}

	if (link_set_up(sock, seq++, veth)) {
		printk("Failed to bring up %s", veth);
		goto out;
	}

	if (tunnel_set_route(sock, &seq, veth, tun_local, tun_remote)) {
		printk("Failed to add tunnel route on %s", veth);
		goto out;
	}
	rc = 0;

out:
	close(sock);
	return rc;
}
479
#define ALGO_LEN 64 /* size of the algo name fields below; copies use ALGO_LEN - 1 */
/* Which scenario a test exercises; also the index into desc_name[]. */
enum desc_type {
	CREATE_TUNNEL = 0,
	ALLOCATE_SPI,
	MONITOR_ACQUIRE,
	EXPIRE_STATE,
	EXPIRE_POLICY,
};
/* Printable names, in enum desc_type order. */
const char *desc_name[] = {
	"create tunnel",
	"alloc spi",
	"monitor acquire",
	"expire state",
	"expire policy"
};
/*
 * One xfrm configuration to test. proto is the IPsec protocol
 * (IPPROTO_AH/ESP/COMP, dispatched on in xfrm_state_pack_algo()); a_algo,
 * e_algo, c_algo and ae_algo name the auth, encryption, compression and
 * AEAD algorithms, an empty string meaning "not used"; icv_len is passed
 * as alg_icv_len for AEAD.
 */
struct xfrm_desc {
	enum desc_type type;
	uint8_t proto;
	char a_algo[ALGO_LEN];
	char e_algo[ALGO_LEN];
	char c_algo[ALGO_LEN];
	char ae_algo[ALGO_LEN];
	unsigned int icv_len;
	/* unsigned key_len; */
};

/* Commands exchanged over the control pipe (write_msg()/read_msg()). */
enum msg_type {
	MSG_ACK = 0,
	MSG_EXIT,
	MSG_PING,
	MSG_XFRM_PREPARE,
	MSG_XFRM_ADD,
	MSG_XFRM_DEL,
	MSG_XFRM_CLEANUP,
};

/*
 * One control message: the command plus, for MSG_PING, the sender's
 * listening address and port (see do_ping()), or an xfrm_desc (presumably
 * for the MSG_XFRM_* commands). Must stay <= PIPE_BUF so a pipe write is
 * atomic (write_msg() checks this at compile time).
 */
struct test_desc {
	enum msg_type type;
	union {
		struct {
			in_addr_t reply_ip;
			unsigned int port;
		} ping;
		struct xfrm_desc xfrm_desc;
	} body;
};

/* What a child reports back over results_fd[] (write_test_result()). */
struct test_result {
	struct xfrm_desc desc;
	unsigned int res;
};
531
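/*
 * Report a finished test to the parent through results_fd[1].
 *
 * Children share the write end (see the results_fd comment), so a record
 * must go out in one atomic chunk: writes of at most PIPE_BUF bytes to a
 * pipe do not interleave. The BUILD_BUG_ON enforces that bound at compile
 * time, as write_msg() already does for test_desc. The record is zeroed
 * before filling so no uninitialised padding bytes are written. A short
 * or failed write can only be logged.
 */
static void write_test_result(unsigned int res, struct xfrm_desc *d)
{
	struct test_result tr;
	ssize_t ret;

	BUILD_BUG_ON(sizeof(tr) > PIPE_BUF);

	memset(&tr, 0, sizeof(tr));
	tr.desc = *d;
	tr.res = res;

	ret = write(results_fd[1], &tr, sizeof(tr));
	if (ret != sizeof(tr))
		pr_err("Failed to write the result in pipe %zd", ret);
}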
544
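/*
 * Send one test_desc over the pipe fd.
 *
 * A write of at most PIPE_BUF bytes to a pipe is atomic, so the message
 * either arrives whole or not at all; the BUILD_BUG_ON guards that bound
 * (it is a compile-time check, so its position is cosmetic). A failed or
 * short write is logged once and, if exit_of_fail is set, the process
 * exits with KSFT_FAIL. The original fell from the `bytes < 0` branch into
 * the short-write branch and logged the same failure twice.
 */
static void write_msg(int fd, struct test_desc *msg, bool exit_of_fail)
{
	ssize_t bytes;

	BUILD_BUG_ON(sizeof(struct test_desc) > PIPE_BUF);

	bytes = write(fd, msg, sizeof(*msg));
	if (bytes < 0) {
		pr_err("write()");
	} else if ((size_t)bytes != sizeof(*msg)) {
		pr_err("sent part of the message %zd/%zu", bytes, sizeof(*msg));
	} else {
		return;
	}

	if (exit_of_fail)
		exit(KSFT_FAIL);
}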
563
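/*
 * Receive one test_desc from the pipe fd into *msg.
 *
 * A failed read, EOF (peer closed its end) and a short read are each
 * logged once; with exit_of_fail set the process then exits with
 * KSFT_FAIL. The original logged a failed read twice and reported EOF as
 * "incomplete message 0/N" with a stale errno appended by %m.
 * On failure without exit_of_fail, *msg is unspecified — callers must
 * reset it before the call and validate msg->type afterwards.
 */
static void read_msg(int fd, struct test_desc *msg, bool exit_of_fail)
{
	ssize_t bytes = read(fd, msg, sizeof(*msg));

	if (bytes < 0) {
		pr_err("read()");
	} else if (bytes == 0) {
		/* no errno to report here, so printk rather than pr_err */
		printk("EOF on pipe while waiting for a message");
	} else if ((size_t)bytes != sizeof(*msg)) {
		pr_err("got incomplete message %zd/%zu", bytes, sizeof(*msg));
	} else {
		return;
	}

	if (exit_of_fail)
		exit(KSFT_FAIL);
}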
579
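/*
 * Create the socket pair for one ping session: sock[0] is bound to
 * listen_ip on an ephemeral port (reported through *server_port) with a
 * receive timeout of u_timeout MICROseconds (it goes straight into
 * tv_usec, so it must be below 1000000); sock[1] is an unbound sender.
 * Returns 0, or -1 with sock[0] closed (sock[1] is never open on failure).
 * The sockaddr is zero-initialised so bind() is not handed indeterminate
 * sin_zero bytes, which the original left uninitialised.
 */
static int udp_ping_init(struct in_addr listen_ip, unsigned int u_timeout,
			 unsigned int *server_port, int sock[2])
{
	struct sockaddr_in server;
	struct timeval t = { .tv_sec = 0, .tv_usec = u_timeout };
	socklen_t s_len = sizeof(server);

	sock[0] = socket(AF_INET, SOCK_DGRAM, 0);
	if (sock[0] < 0) {
		pr_err("socket()");
		return -1;
	}

	memset(&server, 0, sizeof(server));
	server.sin_family = AF_INET;
	server.sin_port = 0;	/* let the kernel pick a free port */
	server.sin_addr = listen_ip;

	if (bind(sock[0], (struct sockaddr *)&server, s_len)) {
		pr_err("bind()");
		goto err_close_server;
	}

	/* read back the port the kernel chose */
	if (getsockname(sock[0], (struct sockaddr *)&server, &s_len)) {
		pr_err("getsockname()");
		goto err_close_server;
	}

	*server_port = ntohs(server.sin_port);

	if (setsockopt(sock[0], SOL_SOCKET, SO_RCVTIMEO, &t, sizeof(t))) {
		pr_err("setsockopt()");
		goto err_close_server;
	}

	sock[1] = socket(AF_INET, SOCK_DGRAM, 0);
	if (sock[1] < 0) {
		pr_err("socket()");
		goto err_close_server;
	}

	return 0;

err_close_server:
	close(sock[0]);
	return -1;
}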
626
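/*
 * Send buf[0..buf_len) from sock[1] to dest_ip:port and wait (bounded by
 * sock[0]'s SO_RCVTIMEO) for a byte-identical echo on sock[0]. Returns 0
 * on a matching echo; -1 on send failure, timeout (EAGAIN, not logged),
 * EOF, or a length/content mismatch.
 *
 * Fixes: the scratch buffer was declared `char *sock_buf[buf_len]`, an
 * array of buf_len POINTERS, i.e. sizeof(char *) times the stack needed
 * for a page-sized probe; and the short-send message printed
 * sizeof(server) instead of buf_len. The sockaddr is zeroed before use.
 * buf_len must be non-zero (VLA). The reply's source address is not
 * checked — this presumably relies on running over a private veth in a
 * dedicated netns.
 */
static int udp_ping_send(int sock[2], in_addr_t dest_ip, unsigned int port,
			 char *buf, size_t buf_len)
{
	struct sockaddr_in server;
	char sock_buf[buf_len];
	ssize_t r_bytes, s_bytes;

	memset(&server, 0, sizeof(server));
	server.sin_family = AF_INET;
	server.sin_port = htons(port);
	server.sin_addr.s_addr = dest_ip;

	s_bytes = sendto(sock[1], buf, buf_len, 0,
			 (struct sockaddr *)&server, sizeof(server));
	if (s_bytes < 0) {
		pr_err("sendto()");
		return -1;
	}
	if ((size_t)s_bytes != buf_len) {
		printk("send part of the message: %zd/%zu", s_bytes, buf_len);
		return -1;
	}

	r_bytes = recv(sock[0], sock_buf, buf_len, 0);
	if (r_bytes < 0) {
		if (errno != EAGAIN)	/* EAGAIN is just the receive timeout */
			pr_err("recv()");
		return -1;
	}
	if (r_bytes == 0) { /* EOF */
		printk("EOF on reply to ping");
		return -1;
	}
	if ((size_t)r_bytes != buf_len || memcmp(buf, sock_buf, buf_len)) {
		printk("ping reply packet is corrupted %zd/%zu", r_bytes, buf_len);
		return -1;
	}

	return 0;
}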
663
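/*
 * Counterpart of udp_ping_send(): wait (bounded by sock[0]'s SO_RCVTIMEO)
 * for a probe on sock[0], check it equals buf[0..buf_len), and echo buf
 * from sock[1] to dest_ip:port. Returns 0 on success; -1 on timeout
 * (EAGAIN, not logged), EOF, a length/content mismatch, or a send failure.
 *
 * Fixes: the scratch buffer was `char *sock_buf[buf_len]` (an array of
 * pointers, sizeof(char *) times too large on the stack); the short-send
 * message printed sizeof(server) instead of buf_len; the sockaddr is now
 * zeroed before use. buf_len must be non-zero (VLA). As in
 * udp_ping_send(), the probe's source address is not verified.
 */
static int udp_ping_reply(int sock[2], in_addr_t dest_ip, unsigned int port,
			  char *buf, size_t buf_len)
{
	struct sockaddr_in server;
	char sock_buf[buf_len];
	ssize_t r_bytes, s_bytes;

	memset(&server, 0, sizeof(server));
	server.sin_family = AF_INET;
	server.sin_port = htons(port);
	server.sin_addr.s_addr = dest_ip;

	r_bytes = recv(sock[0], sock_buf, buf_len, 0);
	if (r_bytes < 0) {
		if (errno != EAGAIN)	/* EAGAIN is just the receive timeout */
			pr_err("recv()");
		return -1;
	}
	if (r_bytes == 0) { /* EOF */
		printk("EOF on reply to ping");
		return -1;
	}
	if ((size_t)r_bytes != buf_len || memcmp(buf, sock_buf, buf_len)) {
		printk("ping reply packet is corrupted %zd/%zu", r_bytes, buf_len);
		return -1;
	}

	s_bytes = sendto(sock[1], buf, buf_len, 0,
			 (struct sockaddr *)&server, sizeof(server));
	if (s_bytes < 0) {
		pr_err("sendto()");
		return -1;
	}
	if ((size_t)s_bytes != buf_len) {
		printk("send part of the message: %zd/%zu", s_bytes, buf_len);
		return -1;
	}

	return 0;
}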
702
/* One probe of a ping exchange: udp_ping_send() or udp_ping_reply(); 0 on success. */
typedef int (*ping_f)(int sock[2], in_addr_t dest_ip, unsigned int port,
		      char *buf, size_t buf_len);
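/*
 * Run one ping exchange of ping_count probes and judge it.
 *
 * A socket pair is created on `from` (udp_ping_init()) and our listening
 * address/port is sent to the peer over cmd_fd as MSG_PING. On the
 * initiating side the peer's MSG_PING is then read to learn `to`/d_port
 * (the passed-in values are placeholders there); the replying side uses
 * the ones passed in. func (udp_ping_send or udp_ping_reply) is called
 * ping_count times with buf_len bytes, sleeping ping_delay_nsec between
 * probes; the exchange passes if at least ping_success probes succeed.
 * Returns 0 on pass, -1 on setup failure or too few successes.
 *
 * Fixes vs. the original: the socket pair leaked on the "not MSG_PING"
 * path; probes used the global page_size instead of buf_len, so a
 * smaller caller buffer would have been over-read; and since read_msg()
 * reuses `msg`, a failed read left our own MSG_PING (our address and
 * port) in it, so the failure went unnoticed and we would have pinged
 * ourselves — msg is now cleared before the read.
 */
static int do_ping(int cmd_fd, char *buf, size_t buf_len, struct in_addr from,
		   bool init_side, int d_port, in_addr_t to, ping_f func)
{
	struct test_desc msg;
	unsigned int s_port, i, ping_succeeded = 0;
	int ping_sock[2];
	struct in_addr to_addr;
	char to_str[IPV4_STR_SZ] = {0}, from_str[IPV4_STR_SZ] = {0};

	if (udp_ping_init(from, ping_timeout, &s_port, ping_sock)) {
		printk("Failed to init ping");
		return -1;
	}

	memset(&msg, 0, sizeof(msg));
	msg.type = MSG_PING;
	msg.body.ping.port = s_port;
	msg.body.ping.reply_ip = from.s_addr;

	write_msg(cmd_fd, &msg, false);
	if (init_side) {
		/* The other end sends ip to ping */
		memset(&msg, 0, sizeof(msg));
		read_msg(cmd_fd, &msg, false);
		if (msg.type != MSG_PING) {
			printk("Expected MSG_PING from the peer, got %d", (int)msg.type);
			close(ping_sock[0]);
			close(ping_sock[1]);
			return -1;
		}
		to = msg.body.ping.reply_ip;
		d_port = msg.body.ping.port;
	}

	for (i = 0; i < ping_count; i++) {
		struct timespec sleep_time = {
			.tv_sec = 0,
			.tv_nsec = ping_delay_nsec,
		};

		ping_succeeded += !func(ping_sock, to, d_port, buf, buf_len);
		nanosleep(&sleep_time, NULL);
	}

	close(ping_sock[0]);
	close(ping_sock[1]);

	/* inet_ntoa() returns a static buffer, hence the copies */
	to_addr.s_addr = to;
	strncpy(to_str, inet_ntoa(to_addr), IPV4_STR_SZ - 1);
	strncpy(from_str, inet_ntoa(from), IPV4_STR_SZ - 1);

	if (ping_succeeded < ping_success) {
		printk("ping (%s) %s->%s failed %u/%u times",
		       init_side ? "send" : "reply", from_str, to_str,
		       ping_count - ping_succeeded, ping_count);
		return -1;
	}

#ifdef DEBUG
	printk("ping (%s) %s->%s succeeded %u/%u times",
	       init_side ? "send" : "reply", from_str, to_str,
	       ping_succeeded, ping_count);
#endif

	return 0;
}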
764
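/*
 * Generate a random key of the length the named algorithm expects.
 *
 * *key_len is set in BITS (what xfrm_algo.alg_key_len carries) from the
 * table below; the "-128"/"-192"/"-256" suffix on the AEAD names selects
 * the key size as listed there. A name not in the table — including
 * whatever xfrm_state_pack_algo() passes for IPPROTO_COMP — gets 0, which
 * is also the table's value for the keyless entries. The original left
 * *key_len untouched for unknown names, so in xfrm_state_pack_algo()'s
 * ESP path an unknown auth name silently reused the cipher's key length.
 * The rfc7539 entry's 0 is kept as the original had it.
 *
 * Only the (key_len + 7) / 8 bytes the kernel reads are filled; the
 * original filled key_len bytes, eight times more than needed. Keys come
 * from rand() and are test-only — not a CSPRNG. Returns -1 if the key
 * does not fit in buf_len bytes.
 */
static int xfrm_fill_key(char *name, char *buf,
			 size_t buf_len, unsigned int *key_len)
{
	static const struct {
		const char *name;
		unsigned int bits;
	} key_bits[] = {
		{ "digest_null", 0 },
		{ "ecb(cipher_null)", 0 },
		{ "cbc(des)", 64 },
		{ "hmac(md5)", 128 },
		{ "cmac(aes)", 128 },
		{ "xcbc(aes)", 128 },
		{ "cbc(cast5)", 128 },
		{ "cbc(serpent)", 128 },
		{ "hmac(sha1)", 160 },
		{ "hmac(rmd160)", 160 },
		{ "cbc(des3_ede)", 192 },
		{ "hmac(sha256)", 256 },
		{ "cbc(aes)", 256 },
		{ "cbc(camellia)", 256 },
		{ "cbc(twofish)", 256 },
		{ "rfc3686(ctr(aes))", 288 },
		{ "hmac(sha384)", 384 },
		{ "cbc(blowfish)", 448 },
		{ "hmac(sha512)", 512 },
		{ "rfc4106(gcm(aes))-128", 160 },
		{ "rfc4543(gcm(aes))-128", 160 },
		{ "rfc4309(ccm(aes))-128", 152 },
		{ "rfc4106(gcm(aes))-192", 224 },
		{ "rfc4543(gcm(aes))-192", 224 },
		{ "rfc4309(ccm(aes))-192", 216 },
		{ "rfc4106(gcm(aes))-256", 288 },
		{ "rfc4543(gcm(aes))-256", 288 },
		{ "rfc4309(ccm(aes))-256", 280 },
		{ "rfc7539(chacha20,poly1305)-128", 0 },
	};
	size_t i, key_bytes;

	*key_len = 0;
	for (i = 0; i < ARRAY_SIZE(key_bits); i++) {
		if (strncmp(name, key_bits[i].name, ALGO_LEN) == 0) {
			*key_len = key_bits[i].bits;
			break;
		}
	}

	key_bytes = (*key_len + 7) / 8;
	if (key_bytes > buf_len) {
		printk("Can't pack a key - too big for buffer");
		return -1;
	}

	randomize_buffer(buf, key_bytes);

	return 0;
}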
837
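/*
 * Append the algorithm attribute(s) for desc to an XFRM_MSG_NEWSA request.
 *
 * Which desc fields must be set depends on desc->proto:
 *   AH   - a_algo only                      -> XFRMA_ALG_AUTH
 *   COMP - c_algo only                      -> XFRMA_ALG_COMP
 *   ESP  - ae_algo alone (AEAD, uses icv_len) -> XFRMA_ALG_AEAD, or
 *          a_algo and e_algo                 -> XFRMA_ALG_CRYPT then XFRMA_ALG_AUTH
 * Anything else is a malformed desc and fails with a "BUG:" message.
 * Keys come from xfrm_fill_key(); each attribute carries the whole `alg`
 * scratch struct (union header + XFRM_ALGO_KEY_BUF_SIZE key bytes).
 *
 * Fixes: the ESP desc check `!((alen && elen) ^ aelen)` XOR'ed a 0/1 with
 * a string length, so a desc with both a/e and an ae name of length != 1
 * slipped through — it now requires exactly one of the two forms; the
 * ESP auth name was copied with strncpy(..., ALGO_LEN) rather than
 * ALGO_LEN - 1 like every other copy, which could leave alg_name
 * unterminated; and the scratch struct is cleared between the CRYPT and
 * AUTH attributes so cipher key bytes are not carried into the auth one.
 */
static int xfrm_state_pack_algo(struct nlmsghdr *nh, size_t req_sz,
				struct xfrm_desc *desc)
{
	struct {
		union {
			struct xfrm_algo alg;
			struct xfrm_algo_aead aead;
			struct xfrm_algo_auth auth;
		} u;
		char buf[XFRM_ALGO_KEY_BUF_SIZE];
	} alg;
	size_t alen, elen, clen, aelen;
	bool aead, auth_enc;
	unsigned short type;

	memset(&alg, 0, sizeof(alg));
	alen = strlen(desc->a_algo);
	elen = strlen(desc->e_algo);
	clen = strlen(desc->c_algo);
	aelen = strlen(desc->ae_algo);

	/* Verify desc */
	switch (desc->proto) {
	case IPPROTO_AH:
		if (!alen || elen || clen || aelen) {
			printk("BUG: buggy ah desc");
			return -1;
		}
		strncpy(alg.u.alg.alg_name, desc->a_algo, ALGO_LEN - 1);
		if (xfrm_fill_key(desc->a_algo, alg.u.alg.alg_key,
				  sizeof(alg.buf), &alg.u.alg.alg_key_len))
			return -1;
		type = XFRMA_ALG_AUTH;
		break;
	case IPPROTO_COMP:
		if (!clen || elen || alen || aelen) {
			printk("BUG: buggy comp desc");
			return -1;
		}
		strncpy(alg.u.alg.alg_name, desc->c_algo, ALGO_LEN - 1);
		if (xfrm_fill_key(desc->c_algo, alg.u.alg.alg_key,
				  sizeof(alg.buf), &alg.u.alg.alg_key_len))
			return -1;
		type = XFRMA_ALG_COMP;
		break;
	case IPPROTO_ESP:
		aead = aelen != 0;
		auth_enc = alen != 0 && elen != 0;
		/* exactly one of the two ESP forms, and never a comp algo */
		if (aead == auth_enc || clen) {
			printk("BUG: buggy esp desc");
			return -1;
		}
		if (aead) {
			alg.u.aead.alg_icv_len = desc->icv_len;
			strncpy(alg.u.aead.alg_name, desc->ae_algo, ALGO_LEN - 1);
			if (xfrm_fill_key(desc->ae_algo, alg.u.aead.alg_key,
					  sizeof(alg.buf), &alg.u.aead.alg_key_len))
				return -1;
			type = XFRMA_ALG_AEAD;
			break;
		}

		/* Non-AEAD ESP: the cipher goes out first, then the auth algo. */
		strncpy(alg.u.alg.alg_name, desc->e_algo, ALGO_LEN - 1);
		if (xfrm_fill_key(desc->e_algo, alg.u.alg.alg_key,
				  sizeof(alg.buf), &alg.u.alg.alg_key_len))
			return -1;
		if (rtattr_pack(nh, req_sz, XFRMA_ALG_CRYPT, &alg, sizeof(alg)))
			return -1;

		memset(&alg, 0, sizeof(alg));
		strncpy(alg.u.alg.alg_name, desc->a_algo, ALGO_LEN - 1);
		if (xfrm_fill_key(desc->a_algo, alg.u.alg.alg_key,
				  sizeof(alg.buf), &alg.u.alg.alg_key_len))
			return -1;
		type = XFRMA_ALG_AUTH;
		break;
	default:
		printk("BUG: unknown proto in desc");
		return -1;
	}

	if (rtattr_pack(nh, req_sz, type, &alg, sizeof(alg)))
		return -1;

	return 0;
}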
920
/*
 * Derive a deterministic SPI from the tunnel source address: the host
 * part returned by inet_lnaof() (for a class-A address such as 10.x.y.z,
 * its low 24 bits), in network byte order as xfrm expects. Test-only —
 * real SPIs should be allocated by the kernel, not derived from addresses.
 */
static inline uint32_t gen_spi(struct in_addr src)
{
	in_addr_t host_part = inet_lnaof(src);

	return htonl(host_part);
}
925
/*
 * Add one tunnel-mode SA (XFRM_MSG_NEWSA, NLM_F_ACK): selector src/30 ->
 * dst/30, identity (dst, spi, desc->proto), unlimited lifetimes, with the
 * algorithm attribute(s) from xfrm_state_pack_algo(). Returns
 * netlink_check_answer()'s result, or -1 on a pack/send failure.
 */
static int xfrm_state_add(int xfrm_sock, uint32_t seq, uint32_t spi,
			  struct in_addr src, struct in_addr dst,
			  struct xfrm_desc *desc)
{
	struct {
		struct nlmsghdr nh;
		struct xfrm_usersa_info info;
		char attrbuf[MAX_PAYLOAD];
	} req;
	struct xfrm_usersa_info *sa = &req.info;

	memset(&req, 0, sizeof(req));
	req.nh.nlmsg_len = NLMSG_LENGTH(sizeof(*sa));
	req.nh.nlmsg_type = XFRM_MSG_NEWSA;
	req.nh.nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
	req.nh.nlmsg_seq = seq;

	/* Selector: the two /30 endpoints. */
	sa->sel.family = AF_INET;
	sa->sel.prefixlen_s = PREFIX_LEN;
	sa->sel.prefixlen_d = PREFIX_LEN;
	sa->sel.saddr.a4 = src.s_addr;
	sa->sel.daddr.a4 = dst.s_addr;

	/* Identity: (daddr, spi, proto). Note: zero-spi cannot be deleted. */
	sa->id.daddr.a4 = dst.s_addr;
	sa->id.spi = spi;
	sa->id.proto = desc->proto;
	sa->saddr.a4 = src.s_addr;

	/* Lifetime: unlimited in both bytes and packets. */
	sa->lft.soft_byte_limit = XFRM_INF;
	sa->lft.hard_byte_limit = XFRM_INF;
	sa->lft.soft_packet_limit = XFRM_INF;
	sa->lft.hard_packet_limit = XFRM_INF;

	sa->family = AF_INET;
	sa->mode = XFRM_MODE_TUNNEL;

	if (xfrm_state_pack_algo(&req.nh, sizeof(req), desc))
		return -1;

	if (send(xfrm_sock, &req, req.nh.nlmsg_len, 0) < 0) {
		pr_err("send()");
		return -1;
	}

	return netlink_check_answer(xfrm_sock);
}
976
/*
 * Does the dumped SA `info` describe the SA xfrm_state_add() installs for
 * (spi, src, dst, desc)? Selector, identity, lifetimes, family and mode
 * are compared; the algorithms are not (see the XXX below).
 */
static bool xfrm_usersa_found(struct xfrm_usersa_info *info, uint32_t spi,
			      struct in_addr src, struct in_addr dst,
			      struct xfrm_desc *desc)
{
	const struct xfrm_selector *sel = &info->sel;
	const struct xfrm_lifetime_cfg *lft = &info->lft;
	bool sel_ok, id_ok, lft_ok;

	sel_ok = !memcmp(&sel->daddr, &dst, sizeof(dst)) &&
		 !memcmp(&sel->saddr, &src, sizeof(src)) &&
		 sel->family == AF_INET &&
		 sel->prefixlen_d == PREFIX_LEN &&
		 sel->prefixlen_s == PREFIX_LEN;

	id_ok = info->id.spi == spi &&
		info->id.proto == desc->proto &&
		!memcmp(&info->id.daddr, &dst, sizeof(dst)) &&
		!memcmp(&info->saddr, &src, sizeof(src));

	lft_ok = lft->soft_byte_limit == XFRM_INF &&
		 lft->hard_byte_limit == XFRM_INF &&
		 lft->soft_packet_limit == XFRM_INF &&
		 lft->hard_packet_limit == XFRM_INF;

	/* XXX: check xfrm algo, see xfrm_state_pack_algo(). */
	return sel_ok && id_ok && lft_ok &&
	       info->family == AF_INET && info->mode == XFRM_MODE_TUNNEL;
}
1014
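/*
 * Dump the SAs whose source address is src (XFRM_MSG_GETSA + NLM_F_DUMP
 * with an XFRMA_ADDRESS_FILTER) and check that one matching (spi, src,
 * dst, desc) per xfrm_usersa_found() is among them. Returns 0 if found,
 * -1 on error or if the dump ends without it.
 *
 * Fixes: one recv() of a dump can carry several nlmsgs (a batch of
 * XFRM_MSG_NEWSA, possibly with NLMSG_DONE appended), so every message in
 * each datagram is walked with NLMSG_OK/NLMSG_NEXT instead of only the
 * first; each NEWSA is checked to be long enough to hold an
 * xfrm_usersa_info before it is read; a truncated datagram is detected via
 * MSG_TRUNC instead of being parsed silently; and the filter prefix is 32
 * — the original's 0x1f (= 31) only matched a /31, while its comment
 * asked for a full 0xffffffff mask.
 */
static int xfrm_state_check(int xfrm_sock, uint32_t seq, uint32_t spi,
			    struct in_addr src, struct in_addr dst,
			    struct xfrm_desc *desc)
{
	struct {
		struct nlmsghdr nh;
		char attrbuf[MAX_PAYLOAD];
	} req;
	/* large enough for a whole dump datagram with a handful of SAs */
	char answer[32 * 1024];
	struct xfrm_address_filter filter;
	bool found = false;

	memset(&req, 0, sizeof(req));
	req.nh.nlmsg_len = NLMSG_LENGTH(0);
	req.nh.nlmsg_type = XFRM_MSG_GETSA;
	req.nh.nlmsg_flags = NLM_F_REQUEST | NLM_F_DUMP;
	req.nh.nlmsg_seq = seq;

	/*
	 * Add dump filter by source address as there may be other tunnels
	 * in this netns (if tests run in parallel). splen is a prefix
	 * length; 32 selects the whole IPv4 address.
	 */
	memset(&filter, 0, sizeof(filter));
	filter.family = AF_INET;
	filter.splen = 32;
	memcpy(&filter.saddr, &src, sizeof(src));
	if (rtattr_pack(&req.nh, sizeof(req), XFRMA_ADDRESS_FILTER,
			&filter, sizeof(filter)))
		return -1;

	if (send(xfrm_sock, &req, req.nh.nlmsg_len, 0) < 0) {
		pr_err("send()");
		return -1;
	}

	while (1) {
		struct nlmsghdr *nh;
		/* MSG_TRUNC makes netlink report the real datagram length */
		ssize_t len = recv(xfrm_sock, answer, sizeof(answer), MSG_TRUNC);

		if (len < 0) {
			pr_err("recv()");
			return -1;
		}
		if ((size_t)len > sizeof(answer)) {
			printk("dump reply truncated: %zd > %zu", len, sizeof(answer));
			return -1;
		}

		for (nh = (struct nlmsghdr *)answer; NLMSG_OK(nh, len);
		     nh = NLMSG_NEXT(nh, len)) {
			if (nh->nlmsg_type == NLMSG_ERROR) {
				struct nlmsgerr *err = NLMSG_DATA(nh);

				if (nh->nlmsg_len < NLMSG_LENGTH(sizeof(err->error))) {
					printk("NLMSG_ERROR too short");
					return -1;
				}
				printk("NLMSG_ERROR: %d: %s",
				       err->error, strerror(-err->error));
				return -1;
			}
			if (nh->nlmsg_type == NLMSG_DONE) {
				if (found)
					return 0;
				printk("didn't find allocated xfrm state in dump");
				return -1;
			}
			if (nh->nlmsg_type != XFRM_MSG_NEWSA)
				continue;
			if (nh->nlmsg_len < NLMSG_LENGTH(sizeof(struct xfrm_usersa_info))) {
				printk("short XFRM_MSG_NEWSA in dump: %u", nh->nlmsg_len);
				continue;
			}
			if (xfrm_usersa_found(NLMSG_DATA(nh), spi, src, dst, desc))
				found = true;
		}
	}
}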
1077
/*
 * Install the pair of SAs for one tunnel — src->dst and dst->src, both
 * using the SPI derived from src — and verify each shows up in a GETSA
 * dump. Four sequence numbers are consumed from *seq. tunsrc/tundst are
 * accepted for the caller's convenience but not used here. Returns 0, or
 * -1 after logging.
 */
static int xfrm_set(int xfrm_sock, uint32_t *seq,
		    struct in_addr src, struct in_addr dst,
		    struct in_addr tunsrc, struct in_addr tundst,
		    struct xfrm_desc *desc)
{
	const uint32_t spi = gen_spi(src);
	int failed;

	if (xfrm_state_add(xfrm_sock, (*seq)++, spi, src, dst, desc) ||
	    xfrm_state_add(xfrm_sock, (*seq)++, spi, dst, src, desc)) {
		printk("Failed to add xfrm state");
		return -1;
	}

	/* Check dumps for XFRM_MSG_GETSA; both directions are always checked. */
	failed = xfrm_state_check(xfrm_sock, (*seq)++, spi, src, dst, desc);
	failed |= xfrm_state_check(xfrm_sock, (*seq)++, spi, dst, src, desc);
	if (failed) {
		printk("Failed to check xfrm state");
		return -1;
	}

	return 0;
}
1107
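/*
 * xfrm_policy_add() - send one XFRM_MSG_NEWPOLICY for a /30 selector and
 * wait for the kernel's ack.
 *
 * @xfrm_sock: NETLINK_XFRM socket
 * @seq: sequence number to stamp on this request
 * @spi: SPI written into the policy template (a zero SPI cannot be deleted)
 * @src/@dst: selector addresses (PREFIX_LEN prefixes on both)
 * @dir: XFRM_POLICY_IN or XFRM_POLICY_OUT
 * @tunsrc/@tundst: accepted for symmetry with the other helpers, unused here
 * @proto: IPPROTO_* of the template
 *
 * Return: 0 on an acked request, -1 on packing/send failure or a NACK.
 */
static int xfrm_policy_add(int xfrm_sock, uint32_t seq, uint32_t spi,
			   struct in_addr src, struct in_addr dst, uint8_t dir,
			   struct in_addr tunsrc, struct in_addr tundst, uint8_t proto)
{
	struct {
		struct nlmsghdr nh;
		struct xfrm_userpolicy_info info;
		char attrbuf[MAX_PAYLOAD];
	} req;
	struct xfrm_user_tmpl tmpl;

	/* Zero everything that is about to be handed to the kernel. */
	memset(&req, 0, sizeof(req));
	memset(&tmpl, 0, sizeof(tmpl));
	req.nh.nlmsg_len = NLMSG_LENGTH(sizeof(req.info));
	req.nh.nlmsg_type = XFRM_MSG_NEWPOLICY;
	req.nh.nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
	req.nh.nlmsg_seq = seq;

	/*
	 * Fill selector.  sizeof() the object being copied, not the unrelated
	 * tunnel addresses the original used (same size today, but misleading).
	 */
	memcpy(&req.info.sel.daddr, &dst, sizeof(dst));
	memcpy(&req.info.sel.saddr, &src, sizeof(src));
	req.info.sel.family = AF_INET;
	req.info.sel.prefixlen_d = PREFIX_LEN;
	req.info.sel.prefixlen_s = PREFIX_LEN;

	/* Fill lifetime_cfg: the policy never expires on its own. */
	req.info.lft.soft_byte_limit = XFRM_INF;
	req.info.lft.hard_byte_limit = XFRM_INF;
	req.info.lft.soft_packet_limit = XFRM_INF;
	req.info.lft.hard_packet_limit = XFRM_INF;

	req.info.dir = dir;

	/* Fill tmpl */
	memcpy(&tmpl.id.daddr, &dst, sizeof(dst));
	/* Note: zero-spi cannot be deleted */
	tmpl.id.spi = spi;
	tmpl.id.proto = proto;
	tmpl.family = AF_INET;
	memcpy(&tmpl.saddr, &src, sizeof(src));
	tmpl.mode = XFRM_MODE_TUNNEL;
	/* All-ones algorithm masks: the template does not restrict algorithms. */
	tmpl.aalgos = (~(uint32_t)0);
	tmpl.ealgos = (~(uint32_t)0);
	tmpl.calgos = (~(uint32_t)0);

	if (rtattr_pack(&req.nh, sizeof(req), XFRMA_TMPL, &tmpl, sizeof(tmpl)))
		return -1;

	if (send(xfrm_sock, &req, req.nh.nlmsg_len, 0) < 0) {
		pr_err("send()");
		return -1;
	}

	return netlink_check_answer(xfrm_sock);
}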
1163
/*
 * xfrm_prepare() - add the OUT (src -> dst) and IN (dst -> src) policies of
 * one tunnel.
 *
 * @seq is advanced once per policy added.  Return: 0, or -1 after logging
 * which step failed (the first failure stops the sequence).
 */
static int xfrm_prepare(int xfrm_sock, uint32_t *seq,
			struct in_addr src, struct in_addr dst,
			struct in_addr tunsrc, struct in_addr tundst, uint8_t proto)
{
	const struct {
		struct in_addr from;
		struct in_addr to;
		uint8_t dir;
	} pols[] = {
		{ src, dst, XFRM_POLICY_OUT },
		{ dst, src, XFRM_POLICY_IN },
	};
	unsigned int i;

	for (i = 0; i < ARRAY_SIZE(pols); i++) {
		if (xfrm_policy_add(xfrm_sock, (*seq)++, gen_spi(src),
				    pols[i].from, pols[i].to, pols[i].dir,
				    tunsrc, tundst, proto)) {
			printk("Failed to add xfrm policy");
			return -1;
		}
	}

	return 0;
}
1182
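/*
 * xfrm_policy_del() - send XFRM_MSG_DELPOLICY for the /30 selector that
 * xfrm_policy_add() installed, and wait for the ack.
 *
 * @src/@dst/@dir: must match the policy being removed
 * @tunsrc/@tundst: accepted for symmetry with the other helpers, unused here
 *
 * Return: 0 on an acked request, -1 on send failure or a NACK.
 */
static int xfrm_policy_del(int xfrm_sock, uint32_t seq,
			   struct in_addr src, struct in_addr dst, uint8_t dir,
			   struct in_addr tunsrc, struct in_addr tundst)
{
	struct {
		struct nlmsghdr nh;
		struct xfrm_userpolicy_id id;
		char attrbuf[MAX_PAYLOAD];
	} req;

	memset(&req, 0, sizeof(req));
	req.nh.nlmsg_len = NLMSG_LENGTH(sizeof(req.id));
	req.nh.nlmsg_type = XFRM_MSG_DELPOLICY;
	req.nh.nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
	req.nh.nlmsg_seq = seq;

	/* Fill id: sizeof() the object actually copied, not the tunnel address. */
	memcpy(&req.id.sel.daddr, &dst, sizeof(dst));
	memcpy(&req.id.sel.saddr, &src, sizeof(src));
	req.id.sel.family = AF_INET;
	req.id.sel.prefixlen_d = PREFIX_LEN;
	req.id.sel.prefixlen_s = PREFIX_LEN;
	req.id.dir = dir;

	if (send(xfrm_sock, &req, req.nh.nlmsg_len, 0) < 0) {
		pr_err("send()");
		return -1;
	}

	return netlink_check_answer(xfrm_sock);
}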
1214
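/*
 * xfrm_cleanup() - remove the OUT and IN policies added by xfrm_prepare().
 *
 * @seq is advanced once per policy removed.  Return: 0, or -1 after logging
 * which deletion failed (the first failure stops the sequence).
 */
static int xfrm_cleanup(int xfrm_sock, uint32_t *seq,
			struct in_addr src, struct in_addr dst,
			struct in_addr tunsrc, struct in_addr tundst)
{
	/* Messages used to say "add"; this helper only deletes. */
	if (xfrm_policy_del(xfrm_sock, (*seq)++, src, dst,
			    XFRM_POLICY_OUT, tunsrc, tundst)) {
		printk("Failed to delete xfrm policy");
		return -1;
	}

	if (xfrm_policy_del(xfrm_sock, (*seq)++, dst, src,
			    XFRM_POLICY_IN, tunsrc, tundst)) {
		printk("Failed to delete xfrm policy");
		return -1;
	}

	return 0;
}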
1233
/*
 * xfrm_state_del() - send XFRM_MSG_DELSA for one state and wait for the ack.
 *
 * The state is addressed by (daddr, spi, proto, family) in the message body;
 * the source address travels as an XFRMA_SRCADDR attribute.
 *
 * Return: 0 on an acked request, -1 on packing/send failure or a NACK.
 */
static int xfrm_state_del(int xfrm_sock, uint32_t seq, uint32_t spi,
			  struct in_addr src, struct in_addr dst, uint8_t proto)
{
	struct {
		struct nlmsghdr nh;
		struct xfrm_usersa_id id;
		char attrbuf[MAX_PAYLOAD];
	} req;
	xfrm_address_t src_attr = {};

	memset(&req, 0, sizeof(req));
	req.nh.nlmsg_len = NLMSG_LENGTH(sizeof(req.id));
	req.nh.nlmsg_type = XFRM_MSG_DELSA;
	req.nh.nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
	req.nh.nlmsg_seq = seq;

	req.id.family = AF_INET;
	req.id.proto = proto;
	req.id.spi = spi;	/* Note: zero-spi cannot be deleted */
	memcpy(&req.id.daddr, &dst, sizeof(dst));

	memcpy(&src_attr, &src, sizeof(src));
	if (rtattr_pack(&req.nh, sizeof(req), XFRMA_SRCADDR,
			&src_attr, sizeof(src_attr)))
		return -1;

	if (send(xfrm_sock, &req, req.nh.nlmsg_len, 0) < 0) {
		pr_err("send()");
		return -1;
	}

	return netlink_check_answer(xfrm_sock);
}
1267
/*
 * xfrm_delete() - remove both states that xfrm_set() installed
 * (src -> dst, then dst -> src), advancing @seq once per request.
 *
 * @tunsrc/@tundst are accepted for symmetry with the other helpers and are
 * not used.  Return: 0, or -1 after logging the first failed deletion.
 */
static int xfrm_delete(int xfrm_sock, uint32_t *seq,
		       struct in_addr src, struct in_addr dst,
		       struct in_addr tunsrc, struct in_addr tundst, uint8_t proto)
{
	const struct {
		struct in_addr from;
		struct in_addr to;
	} dirs[] = {
		{ src, dst },
		{ dst, src },
	};
	unsigned int i;

	for (i = 0; i < ARRAY_SIZE(dirs); i++) {
		if (xfrm_state_del(xfrm_sock, (*seq)++, gen_spi(src),
				   dirs[i].from, dirs[i].to, proto)) {
			printk("Failed to remove xfrm state");
			return -1;
		}
	}

	return 0;
}
1284
/*
 * xfrm_state_allocspi() - ask the kernel (XFRM_MSG_ALLOCSPI) for exactly
 * @spi (min == max) and check what comes back.
 *
 * This exercises struct xfrm_userspi_info, one of the structures whose size
 * differs between the 32-bit and 64-bit UABI.  The reply is either the new
 * state (XFRM_MSG_NEWSA, whose SPI must equal the request) or an
 * NLMSG_ERROR whose payload of 0 is an ack.
 *
 * Return: KSFT_PASS / KSFT_FAIL.
 */
static int xfrm_state_allocspi(int xfrm_sock, uint32_t *seq,
			       uint32_t spi, uint8_t proto)
{
	struct {
		struct nlmsghdr nh;
		struct xfrm_userspi_info spi;
	} req;
	struct {
		struct nlmsghdr nh;
		union {
			struct xfrm_usersa_info info;
			int error;
		};
	} reply;

	memset(&req, 0, sizeof(req));
	req.nh.nlmsg_len = NLMSG_LENGTH(sizeof(req.spi));
	req.nh.nlmsg_type = XFRM_MSG_ALLOCSPI;
	req.nh.nlmsg_flags = NLM_F_REQUEST;
	req.nh.nlmsg_seq = (*seq)++;

	/* A one-value range pins the SPI the kernel may hand out. */
	req.spi.info.family = AF_INET;
	req.spi.info.id.proto = proto;
	req.spi.min = spi;
	req.spi.max = spi;

	if (send(xfrm_sock, &req, req.nh.nlmsg_len, 0) < 0) {
		pr_err("send()");
		return KSFT_FAIL;
	}

	if (recv(xfrm_sock, &reply, sizeof(reply), 0) < 0) {
		pr_err("recv()");
		return KSFT_FAIL;
	}

	switch (reply.nh.nlmsg_type) {
	case XFRM_MSG_NEWSA: {
		/* xfrm_id.spi is __be32; bring it back to host order to compare. */
		uint32_t got = htonl(reply.info.id.spi);

		if (got != spi) {
			printk("allocated spi is different from requested: %#x != %#x",
			       got, spi);
			return KSFT_FAIL;
		}
		return KSFT_PASS;
	}
	case NLMSG_ERROR:
		printk("NLMSG_ERROR: %d: %s", reply.error, strerror(-reply.error));
		return reply.error ? KSFT_FAIL : KSFT_PASS;
	default:
		printk("expected NLMSG_ERROR, got %d", (int)reply.nh.nlmsg_type);
		return KSFT_FAIL;
	}
}
1336
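/*
 * netlink_sock_bind() - open a netlink socket via netlink_sock() and bind it
 * to the multicast @groups, then read the bound address back and sanity
 * check it.
 *
 * @sock: out; receives the descriptor on success, -1 on failure
 * @seq: passed through to netlink_sock()
 * @proto: netlink protocol, e.g. NETLINK_XFRM
 * @groups: nl_groups bitmask to subscribe to
 *
 * Return: 0 on success, -1 on failure (the socket is closed and *sock reset,
 * so a caller cannot accidentally close it again).
 */
static int netlink_sock_bind(int *sock, uint32_t *seq, int proto, uint32_t groups)
{
	struct sockaddr_nl snl = {};
	socklen_t addr_len;

	snl.nl_family = AF_NETLINK;
	snl.nl_groups = groups;

	if (netlink_sock(sock, seq, proto)) {
		printk("Failed to open xfrm netlink socket");
		return -1;
	}

	if (bind(*sock, (struct sockaddr *)&snl, sizeof(snl)) < 0) {
		pr_err("bind()");
		goto out_close;
	}

	addr_len = sizeof(snl);
	if (getsockname(*sock, (struct sockaddr *)&snl, &addr_len) < 0) {
		pr_err("getsockname()");
		goto out_close;
	}
	/* socklen_t is unsigned: print it with %u, not %d. */
	if (addr_len != sizeof(snl)) {
		printk("Wrong address length %u", (unsigned int)addr_len);
		goto out_close;
	}
	if (snl.nl_family != AF_NETLINK) {
		printk("Wrong address family %d", snl.nl_family);
		goto out_close;
	}
	return 0;

out_close:
	close(*sock);
	*sock = -1;
	return -1;
}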
1375
/*
 * xfrm_monitor_acquire() - send an XFRM_MSG_ACQUIRE with marker algorithm
 * masks and verify that the XFRMNLGRP_ACQUIRE notification carries them
 * back unchanged.
 *
 * This exercises struct xfrm_user_acquire, one of the structures whose size
 * differs between the 32-bit and 64-bit UABI.  @nr is unused.
 *
 * Return: KSFT_PASS, KSFT_FAIL, or the negative errno the kernel NACKed
 * the request with.
 */
static int xfrm_monitor_acquire(int xfrm_sock, uint32_t *seq, unsigned int nr)
{
	struct {
		struct nlmsghdr nh;
		union {
			struct xfrm_user_acquire acq;
			int error;
		};
		char attrbuf[MAX_PAYLOAD];
	} msg;
	struct xfrm_user_tmpl tmpl = {};
	uint32_t listen_seq;
	int listen_sock = -1;
	int result = KSFT_FAIL;

	/* Subscribe before triggering, so the notification cannot be missed. */
	if (netlink_sock_bind(&listen_sock, &listen_seq, NETLINK_XFRM, XFRMNLGRP_ACQUIRE))
		return KSFT_FAIL;

	memset(&msg, 0, sizeof(msg));
	msg.nh.nlmsg_len = NLMSG_LENGTH(sizeof(msg.acq));
	msg.nh.nlmsg_type = XFRM_MSG_ACQUIRE;
	msg.nh.nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
	msg.nh.nlmsg_seq = (*seq)++;

	msg.acq.policy.sel.family = AF_INET;
	/* Marker values the notification is expected to echo back. */
	msg.acq.aalgos = 0xfeed;
	msg.acq.ealgos = 0xbaad;
	msg.acq.calgos = 0xbabe;

	tmpl.family = AF_INET;
	tmpl.id.proto = IPPROTO_ESP;
	if (rtattr_pack(&msg.nh, sizeof(msg), XFRMA_TMPL, &tmpl, sizeof(tmpl)))
		goto done;

	if (send(xfrm_sock, &msg, msg.nh.nlmsg_len, 0) < 0) {
		pr_err("send()");
		goto done;
	}

	/* The ack for the request; reuses the same buffer. */
	if (recv(xfrm_sock, &msg, sizeof(msg), 0) < 0) {
		pr_err("recv()");
		goto done;
	}
	if (msg.nh.nlmsg_type != NLMSG_ERROR) {
		printk("expected NLMSG_ERROR, got %d", (int)msg.nh.nlmsg_type);
		goto done;
	}
	if (msg.error) {
		printk("NLMSG_ERROR: %d: %s", msg.error, strerror(-msg.error));
		result = msg.error;
		goto done;
	}

	/* The multicast notification on the listening socket. */
	if (recv(listen_sock, &msg, sizeof(msg), 0) < 0) {
		pr_err("recv()");
		goto done;
	}
	if (msg.acq.aalgos != 0xfeed || msg.acq.ealgos != 0xbaad
	    || msg.acq.calgos != 0xbabe) {
		printk("xfrm_user_acquire has changed %x %x %x",
		       msg.acq.aalgos, msg.acq.ealgos, msg.acq.calgos);
		goto done;
	}

	result = KSFT_PASS;
done:
	close(listen_sock);
	return result;
}
1445
/*
 * xfrm_expire_state() - add a state for this child's /30 and ask the kernel
 * to expire it (XFRM_MSG_EXPIRE with hard set), then check that the
 * XFRMNLGRP_EXPIRE notification reports a hard expiry.
 *
 * This exercises struct xfrm_user_expire, one of the structures whose size
 * differs between the 32-bit and 64-bit UABI.
 *
 * Return: KSFT_PASS, KSFT_FAIL, or the negative errno of a NACKed request.
 */
static int xfrm_expire_state(int xfrm_sock, uint32_t *seq,
			     unsigned int nr, struct xfrm_desc *desc)
{
	struct {
		struct nlmsghdr nh;
		union {
			struct xfrm_user_expire expire;
			int error;
		};
	} msg;
	struct in_addr sa, da;
	uint32_t listen_seq;
	int listen_sock = -1;
	int result = KSFT_FAIL;

	sa = inet_makeaddr(INADDR_B, child_ip(nr));
	da = inet_makeaddr(INADDR_B, grchild_ip(nr));

	/* There has to be a state before it can be expired. */
	if (xfrm_state_add(xfrm_sock, (*seq)++, gen_spi(sa), sa, da, desc)) {
		printk("Failed to add xfrm state");
		return KSFT_FAIL;
	}

	if (netlink_sock_bind(&listen_sock, &listen_seq, NETLINK_XFRM, XFRMNLGRP_EXPIRE))
		return KSFT_FAIL;

	memset(&msg, 0, sizeof(msg));
	msg.nh.nlmsg_len = NLMSG_LENGTH(sizeof(msg.expire));
	msg.nh.nlmsg_type = XFRM_MSG_EXPIRE;
	msg.nh.nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
	msg.nh.nlmsg_seq = (*seq)++;

	memcpy(&msg.expire.state.id.daddr, &da, sizeof(da));
	msg.expire.state.id.spi = gen_spi(sa);
	msg.expire.state.id.proto = desc->proto;
	msg.expire.state.family = AF_INET;
	msg.expire.hard = 0xff;

	if (send(xfrm_sock, &msg, msg.nh.nlmsg_len, 0) < 0) {
		pr_err("send()");
		goto done;
	}

	/* Ack for the request; reuses the same buffer. */
	if (recv(xfrm_sock, &msg, sizeof(msg), 0) < 0) {
		pr_err("recv()");
		goto done;
	}
	if (msg.nh.nlmsg_type != NLMSG_ERROR) {
		printk("expected NLMSG_ERROR, got %d", (int)msg.nh.nlmsg_type);
		goto done;
	}
	if (msg.error) {
		printk("NLMSG_ERROR: %d: %s", msg.error, strerror(-msg.error));
		result = msg.error;
		goto done;
	}

	/* The expire notification.  hard is expected as 1, not the 0xff sent. */
	if (recv(listen_sock, &msg, sizeof(msg), 0) < 0) {
		pr_err("recv()");
		goto done;
	}
	if (msg.expire.hard != 0x1) {
		printk("expire.hard is not set: %x", msg.expire.hard);
		goto done;
	}

	result = KSFT_PASS;
done:
	close(listen_sock);
	return result;
}
1517
/*
 * xfrm_expire_policy() - add an OUT policy for this child's /30 and ask the
 * kernel to expire it (XFRM_MSG_POLEXPIRE with hard set), then check that
 * the XFRMNLGRP_EXPIRE notification reports a hard expiry.
 *
 * This exercises struct xfrm_user_polexpire, one of the structures whose
 * size differs between the 32-bit and 64-bit UABI.
 *
 * Return: KSFT_PASS, KSFT_FAIL, or the negative errno of a NACKed request.
 */
static int xfrm_expire_policy(int xfrm_sock, uint32_t *seq,
			      unsigned int nr, struct xfrm_desc *desc)
{
	struct {
		struct nlmsghdr nh;
		union {
			struct xfrm_user_polexpire expire;
			int error;
		};
	} msg;
	struct in_addr sa, da, tun_sa, tun_da;
	uint32_t listen_seq;
	int listen_sock = -1;
	int result = KSFT_FAIL;

	sa = inet_makeaddr(INADDR_B, child_ip(nr));
	da = inet_makeaddr(INADDR_B, grchild_ip(nr));
	tun_sa = inet_makeaddr(INADDR_A, child_ip(nr));
	tun_da = inet_makeaddr(INADDR_A, grchild_ip(nr));

	/* There has to be a policy before it can be expired. */
	if (xfrm_policy_add(xfrm_sock, (*seq)++, gen_spi(sa), sa, da,
			    XFRM_POLICY_OUT, tun_sa, tun_da, desc->proto)) {
		printk("Failed to add xfrm policy");
		return KSFT_FAIL;
	}

	if (netlink_sock_bind(&listen_sock, &listen_seq, NETLINK_XFRM, XFRMNLGRP_EXPIRE))
		return KSFT_FAIL;

	memset(&msg, 0, sizeof(msg));
	msg.nh.nlmsg_len = NLMSG_LENGTH(sizeof(msg.expire));
	msg.nh.nlmsg_type = XFRM_MSG_POLEXPIRE;
	msg.nh.nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
	msg.nh.nlmsg_seq = (*seq)++;

	/* Selector: the same /30 pair xfrm_policy_add() used. */
	memcpy(&msg.expire.pol.sel.daddr, &da, sizeof(da));
	memcpy(&msg.expire.pol.sel.saddr, &sa, sizeof(sa));
	msg.expire.pol.sel.family = AF_INET;
	msg.expire.pol.sel.prefixlen_d = PREFIX_LEN;
	msg.expire.pol.sel.prefixlen_s = PREFIX_LEN;
	msg.expire.pol.dir = XFRM_POLICY_OUT;
	msg.expire.hard = 0xff;

	if (send(xfrm_sock, &msg, msg.nh.nlmsg_len, 0) < 0) {
		pr_err("send()");
		goto done;
	}

	/* Ack for the request; reuses the same buffer. */
	if (recv(xfrm_sock, &msg, sizeof(msg), 0) < 0) {
		pr_err("recv()");
		goto done;
	}
	if (msg.nh.nlmsg_type != NLMSG_ERROR) {
		printk("expected NLMSG_ERROR, got %d", (int)msg.nh.nlmsg_type);
		goto done;
	}
	if (msg.error) {
		printk("NLMSG_ERROR: %d: %s", msg.error, strerror(-msg.error));
		result = msg.error;
		goto done;
	}

	/* The expire notification.  hard is expected as 1, not the 0xff sent. */
	if (recv(listen_sock, &msg, sizeof(msg), 0) < 0) {
		pr_err("recv()");
		goto done;
	}
	if (msg.expire.hard != 0x1) {
		printk("expire.hard is not set: %x", msg.expire.hard);
		goto done;
	}

	result = KSFT_PASS;
done:
	close(listen_sock);
	return result;
}
1595
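/* Tell the grand child over @cmd_fd which xfrm step to perform on its side. */
static void child_send_xfrm_msg(int cmd_fd, int type, struct xfrm_desc *desc)
{
	struct test_desc msg;

	memset(&msg, 0, sizeof(msg));
	msg.type = type;
	memcpy(&msg.body.xfrm_desc, desc, sizeof(*desc));
	write_msg(cmd_fd, &msg, 1);
}

/*
 * child_serv() - run one CREATE_TUNNEL test case end to end: ping without
 * xfrm, set up policies and states on both sides, ping through the tunnel,
 * then tear everything down again.
 *
 * @nr: index of this child, selects its /30 inside INADDR_A / INADDR_B
 * @cmd_fd: command channel to the grand child
 * @buf: page_size bytes of shared payload for do_ping()
 * @desc: algorithms to use
 *
 * Return: KSFT_PASS or KSFT_FAIL.  Teardown failures turn a pass into a
 * fail, and a failed prepare skips straight to cleanup.
 */
static int child_serv(int xfrm_sock, uint32_t *seq,
		      unsigned int nr, int cmd_fd, void *buf, struct xfrm_desc *desc)
{
	struct in_addr src, dst, tunsrc, tundst;
	int ret = KSFT_FAIL;

	src = inet_makeaddr(INADDR_B, child_ip(nr));
	dst = inet_makeaddr(INADDR_B, grchild_ip(nr));
	tunsrc = inet_makeaddr(INADDR_A, child_ip(nr));
	tundst = inet_makeaddr(INADDR_A, grchild_ip(nr));

	/* UDP pinging without xfrm */
	if (do_ping(cmd_fd, buf, page_size, src, true, 0, 0, udp_ping_send)) {
		printk("ping failed before setting xfrm");
		return KSFT_FAIL;
	}

	child_send_xfrm_msg(cmd_fd, MSG_XFRM_PREPARE, desc);
	if (xfrm_prepare(xfrm_sock, seq, src, dst, tunsrc, tundst, desc->proto)) {
		printk("failed to prepare xfrm");
		goto cleanup;
	}

	child_send_xfrm_msg(cmd_fd, MSG_XFRM_ADD, desc);
	if (xfrm_set(xfrm_sock, seq, src, dst, tunsrc, tundst, desc)) {
		printk("failed to set xfrm");
		goto delete;
	}

	/* UDP pinging with xfrm tunnel */
	if (do_ping(cmd_fd, buf, page_size, tunsrc,
		    true, 0, 0, udp_ping_send)) {
		printk("ping failed for xfrm");
		goto delete;
	}

	ret = KSFT_PASS;
delete:
	/* xfrm delete */
	child_send_xfrm_msg(cmd_fd, MSG_XFRM_DEL, desc);
	if (xfrm_delete(xfrm_sock, seq, src, dst, tunsrc, tundst, desc->proto)) {
		/* Message wording now matches the grand child's side. */
		printk("failed to remove xfrm");
		ret = KSFT_FAIL;
	}

cleanup:
	child_send_xfrm_msg(cmd_fd, MSG_XFRM_CLEANUP, desc);
	if (xfrm_cleanup(xfrm_sock, seq, src, dst, tunsrc, tundst)) {
		printk("failed to cleanup xfrm");
		ret = KSFT_FAIL;
	}
	return ret;
}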
1664
/*
 * child_f() - body of the first-level child: enter netns A, handshake with
 * the grand child, then run every test description read from
 * @test_desc_fd and report each result with write_test_result().
 *
 * Never returns: exits with KSFT_PASS after EOF on the description pipe,
 * or KSFT_FAIL on any setup or protocol error.
 */
static int child_f(unsigned int nr, int test_desc_fd, int cmd_fd, void *buf)
{
	struct xfrm_desc desc;
	struct test_desc msg;
	int xfrm_sock = -1;
	uint32_t seq;
	ssize_t got;

	if (switch_ns(nsfd_childa))
		exit(KSFT_FAIL);

	/* seq is presumably initialised by netlink_sock() — not visible here. */
	if (netlink_sock(&xfrm_sock, &seq, NETLINK_XFRM)) {
		printk("Failed to open xfrm netlink socket");
		exit(KSFT_FAIL);
	}

	/* Ping-pong an ACK so both ends are known to be up. */
	memset(&msg, 0, sizeof(msg));
	msg.type = MSG_ACK;
	write_msg(cmd_fd, &msg, 1);
	read_msg(cmd_fd, &msg, 1);
	if (msg.type != MSG_ACK) {
		printk("Ack failed");
		exit(KSFT_FAIL);
	}

	/* Consume descriptions until the writer closes the pipe (EOF). */
	while ((got = read(test_desc_fd, &desc, sizeof(desc))) != 0) {
		int res;

		if (got != sizeof(desc)) {
			pr_err("read() returned %zd", got);
			exit(KSFT_FAIL);
		}

		switch (desc.type) {
		case CREATE_TUNNEL:
			res = child_serv(xfrm_sock, &seq, nr,
					 cmd_fd, buf, &desc);
			break;
		case ALLOCATE_SPI:
			res = xfrm_state_allocspi(xfrm_sock, &seq,
						  -1, desc.proto);
			break;
		case MONITOR_ACQUIRE:
			res = xfrm_monitor_acquire(xfrm_sock, &seq, nr);
			break;
		case EXPIRE_STATE:
			res = xfrm_expire_state(xfrm_sock, &seq, nr, &desc);
			break;
		case EXPIRE_POLICY:
			res = xfrm_expire_policy(xfrm_sock, &seq, nr, &desc);
			break;
		default:
			printk("Unknown desc type %d", desc.type);
			exit(KSFT_FAIL);
		}
		write_test_result(res, &desc);
	}

	close(xfrm_sock);

	msg.type = MSG_EXIT;
	write_msg(cmd_fd, &msg, 1);
	exit(KSFT_PASS);
}
1733
/*
 * grand_child_serv() - handle one command from the child.  The grand child
 * mirrors the child's addresses (its own IP is grchild_ip(nr)), so every
 * xfrm step is applied with src/dst swapped relative to child_serv().
 *
 * MSG_EXIT terminates the process; all other failures are only logged.
 */
static void grand_child_serv(unsigned int nr, int cmd_fd, void *buf,
			     struct test_desc *msg, int xfrm_sock, uint32_t *seq)
{
	struct xfrm_desc *desc = &msg->body.xfrm_desc;
	struct in_addr src = inet_makeaddr(INADDR_B, grchild_ip(nr));
	struct in_addr dst = inet_makeaddr(INADDR_B, child_ip(nr));
	struct in_addr tunsrc = inet_makeaddr(INADDR_A, grchild_ip(nr));
	struct in_addr tundst = inet_makeaddr(INADDR_A, child_ip(nr));

	switch (msg->type) {
	case MSG_EXIT:
		exit(KSFT_PASS);
	case MSG_ACK:
		write_msg(cmd_fd, msg, 1);
		break;
	case MSG_PING: {
		/* Reply from the tunnel address when the peer did not ping plain dst. */
		bool tun_reply = memcmp(&dst, &msg->body.ping.reply_ip, sizeof(in_addr_t));

		/* UDP pinging without xfrm */
		if (do_ping(cmd_fd, buf, page_size, tun_reply ? tunsrc : src,
			    false, msg->body.ping.port,
			    msg->body.ping.reply_ip, udp_ping_reply)) {
			printk("ping failed before setting xfrm");
		}
		break;
	}
	case MSG_XFRM_PREPARE:
		if (xfrm_prepare(xfrm_sock, seq, src, dst, tunsrc, tundst,
				 desc->proto)) {
			xfrm_cleanup(xfrm_sock, seq, src, dst, tunsrc, tundst);
			printk("failed to prepare xfrm");
		}
		break;
	case MSG_XFRM_ADD:
		if (xfrm_set(xfrm_sock, seq, src, dst, tunsrc, tundst, desc)) {
			xfrm_cleanup(xfrm_sock, seq, src, dst, tunsrc, tundst);
			printk("failed to set xfrm");
		}
		break;
	case MSG_XFRM_DEL:
		if (xfrm_delete(xfrm_sock, seq, src, dst, tunsrc, tundst,
				desc->proto)) {
			xfrm_cleanup(xfrm_sock, seq, src, dst, tunsrc, tundst);
			printk("failed to remove xfrm");
		}
		break;
	case MSG_XFRM_CLEANUP:
		if (xfrm_cleanup(xfrm_sock, seq, src, dst, tunsrc, tundst))
			printk("failed to cleanup xfrm");
		break;
	default:
		printk("got unknown msg type %d", msg->type);
	}
}
1790
/*
 * grand_child_f() - body of the grand child: enter netns B, open an xfrm
 * netlink socket and serve commands from @cmd_fd until told to exit.
 *
 * Never returns; grand_child_serv() exit()s the process on MSG_EXIT.
 */
static int grand_child_f(unsigned int nr, int cmd_fd, void *buf)
{
	struct test_desc msg;
	int xfrm_sock = -1;
	uint32_t seq;

	if (switch_ns(nsfd_childb))
		exit(KSFT_FAIL);

	if (netlink_sock(&xfrm_sock, &seq, NETLINK_XFRM)) {
		printk("Failed to open xfrm netlink socket");
		exit(KSFT_FAIL);
	}

	for (;;) {
		read_msg(cmd_fd, &msg, 1);
		grand_child_serv(nr, cmd_fd, buf, &msg, xfrm_sock, &seq);
	}

	/* Not reachable: the loop above never breaks. */
	close(xfrm_sock);
	exit(KSFT_FAIL);
}
1813
/*
 * start_child() - configure both ends of @veth, then fork the child
 * (netns A, runs child_f()) which in turn forks the grand child (netns B,
 * runs grand_child_f()).  The two share one anonymous page of random
 * payload and a SOCK_SEQPACKET command channel.
 *
 * Return: in the selftest parent, the result of switching back to its own
 * netns.  In the forked processes the call does not return normally
 * (child_f()/grand_child_f() exit), except on a setup error, where -1
 * is returned.
 */
static int start_child(unsigned int nr, char *veth, int test_desc_fd[2])
{
	int cmd_sock[2];
	void *shared_buf;
	pid_t pid;

	/* Addresses for both netns ends before anything is forked. */
	if (init_child(nsfd_childa, veth, child_ip(nr), grchild_ip(nr))
	    || init_child(nsfd_childb, veth, grchild_ip(nr), child_ip(nr)))
		return -1;

	pid = fork();
	if (pid < 0) {
		pr_err("fork()");
		return -1;
	}
	if (pid > 0) {
		/* in parent - selftest */
		return switch_ns(nsfd_parent);
	}

	/* First-level child from here on; it only reads test descriptions. */
	if (close(test_desc_fd[1])) {
		pr_err("close()");
		return -1;
	}

	shared_buf = mmap(0, page_size, PROT_READ | PROT_WRITE,
			  MAP_SHARED | MAP_ANONYMOUS, -1, 0);
	if (shared_buf == MAP_FAILED) {
		pr_err("mmap()");
		return -1;
	}
	randomize_buffer(shared_buf, page_size);

	if (socketpair(PF_LOCAL, SOCK_SEQPACKET, 0, cmd_sock)) {
		pr_err("socketpair()");
		return -1;
	}

	pid = fork();
	if (pid < 0) {
		pr_err("fork()");
		return -1;
	}
	if (pid > 0) {
		/* Still the child: keeps cmd_sock[1]. */
		if (close(cmd_sock[0])) {
			pr_err("close()");
			return -1;
		}
		return child_f(nr, test_desc_fd[0], cmd_sock[1], shared_buf);
	}

	/* Grand child: keeps cmd_sock[0]. */
	if (close(cmd_sock[1])) {
		pr_err("close()");
		return -1;
	}
	return grand_child_f(nr, cmd_sock[0], shared_buf);
}
1872
/* Print the command line synopsis and terminate the process as failed. */
static void exit_usage(char **argv)
{
	const char *prog = argv[0];

	printk("Usage: %s [nr_process]", prog);
	exit(KSFT_FAIL);
}
1878
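/*
 * __write_desc() - write one test description, as a single packet, into
 * the O_DIRECT description pipe.
 *
 * Return: 0 when the whole struct was written, -1 otherwise (logged).
 */
static int __write_desc(int test_desc_fd, struct xfrm_desc *desc)
{
	ssize_t ret;

	ret = write(test_desc_fd, desc, sizeof(*desc));

	if (ret == sizeof(*desc))
		return 0;

	/* ssize_t takes %zd, as the read() messages elsewhere in this file use. */
	pr_err("Writing test's desc failed %zd", ret);

	return -1;
}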
1892
/*
 * write_desc() - build a CREATE_TUNNEL description for @proto with the
 * given algorithm names (any may be NULL) and write it to @test_desc_fd.
 *
 * Return: result of __write_desc().
 */
static int write_desc(int proto, int test_desc_fd,
		      char *a, char *e, char *c, char *ae)
{
	struct xfrm_desc desc = {};
	const struct {
		char *field;
		const char *name;
	} algos[] = {
		{ desc.a_algo, a },
		{ desc.e_algo, e },
		{ desc.c_algo, c },
		{ desc.ae_algo, ae },
	};
	unsigned int i;

	desc.type = CREATE_TUNNEL;
	desc.proto = proto;

	/* desc is zero-filled, so copying at most ALGO_LEN - 1 keeps a terminator. */
	for (i = 0; i < ARRAY_SIZE(algos); i++) {
		if (algos[i].name)
			strncpy(algos[i].field, algos[i].name, ALGO_LEN - 1);
	}

	return __write_desc(test_desc_fd, &desc);
}
1912
/* Protocols the CREATE_TUNNEL plan iterates over, see write_proto_plan(). */
int proto_list[] = {
	IPPROTO_AH,
	IPPROTO_COMP,
	IPPROTO_ESP,
};

/* Authentication algorithms: used alone for AH and paired with e_list for ESP. */
char *ah_list[] = {
	"digest_null",
	"hmac(md5)",
	"hmac(sha1)",
	"hmac(sha256)",
	"hmac(sha384)",
	"hmac(sha512)",
	"hmac(rmd160)",
	"xcbc(aes)",
	"cmac(aes)",
};

/* Compression algorithms for IPPROTO_COMP. */
char *comp_list[] = {
	"deflate",
#if 0
	/* No compression backend realization */
	"lzs", "lzjh"
#endif
};

/* Encryption algorithms, each combined with every entry of ah_list for ESP. */
char *e_list[] = {
	"ecb(cipher_null)",
	"cbc(des)",
	"cbc(des3_ede)",
	"cbc(cast5)",
	"cbc(blowfish)",
	"cbc(aes)",
	"cbc(serpent)",
	"cbc(camellia)",
	"cbc(twofish)",
	"rfc3686(ctr(aes))",
};

/* AEAD algorithms for ESP; currently empty. */
char *ae_list[] = {
#if 0
	/* not implemented */
	"rfc4106(gcm(aes))", "rfc4309(ccm(aes))", "rfc4543(gcm(aes))",
	"rfc7539esp(chacha20,poly1305)"
#endif
};

/*
 * Number of CREATE_TUNNEL tests write_proto_plan() emits over proto_list:
 * AH (one per ah_list), COMP (one per comp_list), ESP (ah_list x e_list
 * plus one per ae_list).
 */
const unsigned int proto_plan = ARRAY_SIZE(ah_list)
				+ ARRAY_SIZE(comp_list)
				+ (ARRAY_SIZE(ah_list) * ARRAY_SIZE(e_list))
				+ ARRAY_SIZE(ae_list);
1942
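/*
 * write_proto_plan() - emit every CREATE_TUNNEL description for @proto.
 *
 * The number of descriptions written here must agree with proto_plan,
 * which main() hands to ksft_set_plan().
 *
 * Return: 0, or -1 if a write failed or @proto is not in proto_list.
 */
static int write_proto_plan(int fd, int proto)
{
	/* Both indices are unsigned: ARRAY_SIZE() yields size_t. */
	unsigned int i, j;

	switch (proto) {
	case IPPROTO_AH:
		/* One test per authentication algorithm. */
		for (i = 0; i < ARRAY_SIZE(ah_list); i++) {
			if (write_desc(proto, fd, ah_list[i], 0, 0, 0))
				return -1;
		}
		break;
	case IPPROTO_COMP:
		/* One test per compression algorithm. */
		for (i = 0; i < ARRAY_SIZE(comp_list); i++) {
			if (write_desc(proto, fd, 0, 0, comp_list[i], 0))
				return -1;
		}
		break;
	case IPPROTO_ESP:
		/* Every auth/enc pair, then each AEAD on its own. */
		for (i = 0; i < ARRAY_SIZE(ah_list); i++) {
			for (j = 0; j < ARRAY_SIZE(e_list); j++) {
				if (write_desc(proto, fd, ah_list[i],
					       e_list[j], 0, 0))
					return -1;
			}
		}
		for (i = 0; i < ARRAY_SIZE(ae_list); i++) {
			if (write_desc(proto, fd, 0, 0, 0, ae_list[i]))
				return -1;
		}
		break;
	default:
		printk("BUG: Specified unknown proto %d", proto);
		return -1;
	}

	return 0;
}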
1982
/*
 * Some structures in the xfrm uapi header differ in size between the
 * 64-bit and 32-bit ABI:
 *
 *            32-bit UABI                |            64-bit UABI
 * -------------------------------------|-------------------------------------
 * sizeof(xfrm_usersa_info)     = 220   | sizeof(xfrm_usersa_info)     = 224
 * sizeof(xfrm_userpolicy_info) = 164   | sizeof(xfrm_userpolicy_info) = 168
 * sizeof(xfrm_userspi_info)    = 228   | sizeof(xfrm_userspi_info)    = 232
 * sizeof(xfrm_user_acquire)    = 276   | sizeof(xfrm_user_acquire)    = 280
 * sizeof(xfrm_user_expire)     = 224   | sizeof(xfrm_user_expire)     = 232
 * sizeof(xfrm_user_polexpire)  = 168   | sizeof(xfrm_user_polexpire)  = 176
 *
 * Check the structures affected by the UABI difference.
 */
/* Number of descriptions write_compat_struct_tests() emits (one per type). */
const unsigned int compat_plan = 4;
/*
 * write_compat_struct_tests() - emit one description per UABI-sensitive
 * structure test (ALLOCATE_SPI, MONITOR_ACQUIRE, EXPIRE_STATE,
 * EXPIRE_POLICY), all for IPPROTO_AH with the first ah_list algorithm.
 *
 * Return: 0, or -1 on the first failed write.
 */
static int write_compat_struct_tests(int test_desc_fd)
{
	static const int compat_types[] = {
		ALLOCATE_SPI,
		MONITOR_ACQUIRE,
		EXPIRE_STATE,
		EXPIRE_POLICY,
	};
	struct xfrm_desc desc = {};
	unsigned int i;

	desc.proto = IPPROTO_AH;
	strncpy(desc.a_algo, ah_list[0], ALGO_LEN - 1);

	for (i = 0; i < ARRAY_SIZE(compat_types); i++) {
		desc.type = compat_types[i];
		if (__write_desc(test_desc_fd, &desc))
			return -1;
	}

	return 0;
}
2024
/*
 * write_test_plan() - fork a writer that feeds the whole plan (compat
 * tests first, then every protocol) into @test_desc_fd and exits.
 *
 * In the parent the write end is closed right away, so the children see
 * EOF once the writer is done.  Return: 0 in the parent, -1 if fork()
 * failed; the writer process never returns.
 */
static int write_test_plan(int test_desc_fd)
{
	pid_t writer = fork();
	unsigned int i;

	if (writer < 0) {
		pr_err("fork()");
		return -1;
	}
	if (writer) {
		if (close(test_desc_fd))
			printk("close(): %m");
		return 0;
	}

	/* Writer process. */
	if (write_compat_struct_tests(test_desc_fd))
		exit(KSFT_FAIL);

	for (i = 0; i < ARRAY_SIZE(proto_list); i++) {
		if (write_proto_plan(test_desc_fd, proto_list[i]))
			exit(KSFT_FAIL);
	}

	exit(KSFT_PASS);
}
2051
/*
 * children_cleanup() - reap every child process.
 *
 * Return: KSFT_FAIL if any child did not exit normally or exited with
 * KSFT_FAIL, or if wait() failed for a reason other than ECHILD;
 * KSFT_PASS otherwise.
 */
static int children_cleanup(void)
{
	int ret = KSFT_PASS;

	for (;;) {
		int status;
		pid_t pid = wait(&status);

		if (pid < 0) {
			/* ECHILD: nothing left to reap. */
			if (errno == ECHILD)
				break;
			pr_err("wait()");
			return KSFT_FAIL;
		}

		if (!WIFEXITED(status) || WEXITSTATUS(status) == KSFT_FAIL)
			ret = KSFT_FAIL;
	}

	return ret;
}
2079
/*
 * Signature shared by ksft_test_result_pass()/ksft_test_result_fail(), so
 * check_results() can pick one and call it with printf-style arguments.
 */
typedef void (*print_res)(const char *, ...);
2081
/*
 * check_results() - read test results from results_fd[0] until EOF and
 * report each through the kselftest pass/fail printers.
 *
 * Return: KSFT_PASS if every result passed, KSFT_FAIL if any failed or a
 * short read occurred.
 */
static int check_results(void)
{
	struct test_result tr = {};
	int ret = KSFT_PASS;

	for (;;) {
		ssize_t got = read(results_fd[0], &tr, sizeof(tr));
		const struct xfrm_desc *d = &tr.desc;
		print_res report;

		if (got == 0)	/* EOF */
			break;
		if (got != sizeof(tr)) {
			pr_err("read() returned %zd", got);
			return KSFT_FAIL;
		}

		/* Anything other than KSFT_PASS counts as a failure. */
		if (tr.res == KSFT_PASS) {
			report = ksft_test_result_pass;
		} else {
			report = ksft_test_result_fail;
			ret = KSFT_FAIL;
		}

		report(" %s: [%u, '%s', '%s', '%s', '%s', %u]\n",
		       desc_name[d->type], (unsigned int)d->proto, d->a_algo,
		       d->e_algo, d->c_algo, d->ae_algo, d->icv_len);
	}

	return ret;
}
2117
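/*
 * main() - selftest entry point.
 *
 * Usage: ipsec [nr_process].  Creates the namespaces and one veth pair per
 * process, forks the child/grand-child pairs, writes the test plan and
 * collects the results.  Exits with the kselftest status.
 */
int main(int argc, char **argv)
{
	unsigned int nr_process = 1;
	int route_sock = -1, ret = KSFT_SKIP;
	int test_desc_fd[2];
	uint32_t route_seq;
	unsigned int i;

	if (argc > 2)
		exit_usage(argv);

	if (argc > 1) {
		char *endptr;
		long parsed;

		/*
		 * Parse into a long first: the original compared the value
		 * with LONG_MAX/LONG_MIN only after truncating it to an
		 * unsigned int, which could never match, and out-of-range
		 * input wrapped into the accepted range.
		 */
		errno = 0;
		parsed = strtol(argv[1], &endptr, 10);
		if ((errno == ERANGE && (parsed == LONG_MAX || parsed == LONG_MIN))
		    || (errno != 0 && parsed == 0)
		    || (endptr == argv[1]) || (*endptr != '\0')) {
			printk("Failed to parse [nr_process]");
			exit_usage(argv);
		}

		if (parsed < 1 || parsed > MAX_PROCESSES) {
			printk("nr_process should be between [1; %u]",
			       MAX_PROCESSES);
			exit_usage(argv);
		}
		nr_process = (unsigned int)parsed;
	}

	/* Test payload only; not used for anything key-related. */
	srand(time(NULL));
	page_size = sysconf(_SC_PAGESIZE);
	if (page_size < 1)
		ksft_exit_skip("sysconf(): %m\n");

	/* O_DIRECT pipes: every write is one packet, every read one record. */
	if (pipe2(test_desc_fd, O_DIRECT) < 0)
		ksft_exit_skip("pipe(): %m\n");

	if (pipe2(results_fd, O_DIRECT) < 0)
		ksft_exit_skip("pipe(): %m\n");

	if (init_namespaces())
		ksft_exit_skip("Failed to create namespaces\n");

	if (netlink_sock(&route_sock, &route_seq, NETLINK_ROUTE))
		ksft_exit_skip("Failed to open netlink route socket\n");

	for (i = 0; i < nr_process; i++) {
		char veth[VETH_LEN];

		snprintf(veth, VETH_LEN, VETH_FMT, i);

		if (veth_add(route_sock, route_seq++, veth, nsfd_childa, veth, nsfd_childb)) {
			close(route_sock);
			ksft_exit_fail_msg("Failed to create veth device");
		}

		if (start_child(i, veth, test_desc_fd)) {
			close(route_sock);
			ksft_exit_fail_msg("Child %u failed to start", i);
		}
	}

	/* The parent neither reads descriptions nor writes results. */
	if (close(route_sock) || close(test_desc_fd[0]) || close(results_fd[1]))
		ksft_exit_fail_msg("close(): %m");

	ksft_set_plan(proto_plan + compat_plan);

	if (write_test_plan(test_desc_fd[1]))
		ksft_exit_fail_msg("Failed to write test plan to pipe");

	ret = check_results();

	if (children_cleanup() == KSFT_FAIL)
		exit(KSFT_FAIL);

	exit(ret);
}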
2196