1 // SPDX-License-Identifier: GPL-2.0
2 /*
3 * ipsec.c - Check xfrm on veth inside a net-ns.
4 * Copyright (c) 2018 Dmitry Safonov
5 */
6
7 #define _GNU_SOURCE
8
9 #include <arpa/inet.h>
10 #include <asm/types.h>
11 #include <errno.h>
12 #include <fcntl.h>
13 #include <limits.h>
14 #include <linux/limits.h>
15 #include <linux/netlink.h>
16 #include <linux/random.h>
17 #include <linux/rtnetlink.h>
18 #include <linux/veth.h>
19 #include <linux/xfrm.h>
20 #include <netinet/in.h>
21 #include <net/if.h>
22 #include <sched.h>
23 #include <stdbool.h>
24 #include <stdint.h>
25 #include <stdio.h>
26 #include <stdlib.h>
27 #include <string.h>
28 #include <sys/mman.h>
29 #include <sys/socket.h>
30 #include <sys/stat.h>
31 #include <sys/syscall.h>
32 #include <sys/types.h>
33 #include <sys/wait.h>
34 #include <time.h>
35 #include <unistd.h>
36
37 #include "../kselftest.h"
38
39 #define printk(fmt, ...) \
40 ksft_print_msg("%d[%u] " fmt "\n", getpid(), __LINE__, ##__VA_ARGS__)
41
42 #define pr_err(fmt, ...) printk(fmt ": %m", ##__VA_ARGS__)
43
44 #define BUILD_BUG_ON(condition) ((void)sizeof(char[1 - 2*!!(condition)]))
45
46 #define IPV4_STR_SZ 16 /* xxx.xxx.xxx.xxx is longest + \0 */
47 #define MAX_PAYLOAD 2048
48 #define XFRM_ALGO_KEY_BUF_SIZE 512
49 #define MAX_PROCESSES (1 << 14) /* /16 mask divided by /30 subnets */
50 #define INADDR_A ((in_addr_t) 0x0a000000) /* 10.0.0.0 */
51 #define INADDR_B ((in_addr_t) 0xc0a80000) /* 192.168.0.0 */
52
53 /* /30 mask for one veth connection */
54 #define PREFIX_LEN 30
55 #define child_ip(nr) (4*nr + 1)
56 #define grchild_ip(nr) (4*nr + 2)
57
58 #define VETH_FMT "ktst-%d"
59 #define VETH_LEN 12
60
61 #define XFRM_ALGO_NR_KEYS 29
62
63 static int nsfd_parent = -1;
64 static int nsfd_childa = -1;
65 static int nsfd_childb = -1;
66 static long page_size;
67
68 /*
69 * ksft_cnt is static in kselftest, so isn't shared with children.
70 * We have to send a test result back to parent and count there.
71 * results_fd is a pipe with test feedback from children.
72 */
73 static int results_fd[2];
74
75 const unsigned int ping_delay_nsec = 50 * 1000 * 1000;
76 const unsigned int ping_timeout = 300;
77 const unsigned int ping_count = 100;
78 const unsigned int ping_success = 80;
79
80 struct xfrm_key_entry {
81 char algo_name[35];
82 int key_len;
83 };
84
85 struct xfrm_key_entry xfrm_key_entries[] = {
86 {"digest_null", 0},
87 {"ecb(cipher_null)", 0},
88 {"cbc(des)", 64},
89 {"hmac(md5)", 128},
90 {"cmac(aes)", 128},
91 {"xcbc(aes)", 128},
92 {"cbc(cast5)", 128},
93 {"cbc(serpent)", 128},
94 {"hmac(sha1)", 160},
95 {"hmac(rmd160)", 160},
96 {"cbc(des3_ede)", 192},
97 {"hmac(sha256)", 256},
98 {"cbc(aes)", 256},
99 {"cbc(camellia)", 256},
100 {"cbc(twofish)", 256},
101 {"rfc3686(ctr(aes))", 288},
102 {"hmac(sha384)", 384},
103 {"cbc(blowfish)", 448},
104 {"hmac(sha512)", 512},
105 {"rfc4106(gcm(aes))-128", 160},
106 {"rfc4543(gcm(aes))-128", 160},
107 {"rfc4309(ccm(aes))-128", 152},
108 {"rfc4106(gcm(aes))-192", 224},
109 {"rfc4543(gcm(aes))-192", 224},
110 {"rfc4309(ccm(aes))-192", 216},
111 {"rfc4106(gcm(aes))-256", 288},
112 {"rfc4543(gcm(aes))-256", 288},
113 {"rfc4309(ccm(aes))-256", 280},
114 {"rfc7539(chacha20,poly1305)-128", 0}
115 };
116
randomize_buffer(void * buf,size_t buflen)117 static void randomize_buffer(void *buf, size_t buflen)
118 {
119 int *p = (int *)buf;
120 size_t words = buflen / sizeof(int);
121 size_t leftover = buflen % sizeof(int);
122
123 if (!buflen)
124 return;
125
126 while (words--)
127 *p++ = rand();
128
129 if (leftover) {
130 int tmp = rand();
131
132 memcpy(buf + buflen - leftover, &tmp, leftover);
133 }
134
135 return;
136 }
137
unshare_open(void)138 static int unshare_open(void)
139 {
140 const char *netns_path = "/proc/self/ns/net";
141 int fd;
142
143 if (unshare(CLONE_NEWNET) != 0) {
144 pr_err("unshare()");
145 return -1;
146 }
147
148 fd = open(netns_path, O_RDONLY);
149 if (fd <= 0) {
150 pr_err("open(%s)", netns_path);
151 return -1;
152 }
153
154 return fd;
155 }
156
switch_ns(int fd)157 static int switch_ns(int fd)
158 {
159 if (setns(fd, CLONE_NEWNET)) {
160 pr_err("setns()");
161 return -1;
162 }
163 return 0;
164 }
165
166 /*
167 * Running the test inside a new parent net namespace to bother less
168 * about cleanup on error-path.
169 */
init_namespaces(void)170 static int init_namespaces(void)
171 {
172 nsfd_parent = unshare_open();
173 if (nsfd_parent <= 0)
174 return -1;
175
176 nsfd_childa = unshare_open();
177 if (nsfd_childa <= 0)
178 return -1;
179
180 if (switch_ns(nsfd_parent))
181 return -1;
182
183 nsfd_childb = unshare_open();
184 if (nsfd_childb <= 0)
185 return -1;
186
187 if (switch_ns(nsfd_parent))
188 return -1;
189 return 0;
190 }
191
netlink_sock(int * sock,uint32_t * seq_nr,int proto)192 static int netlink_sock(int *sock, uint32_t *seq_nr, int proto)
193 {
194 if (*sock > 0) {
195 seq_nr++;
196 return 0;
197 }
198
199 *sock = socket(AF_NETLINK, SOCK_RAW | SOCK_CLOEXEC, proto);
200 if (*sock <= 0) {
201 pr_err("socket(AF_NETLINK)");
202 return -1;
203 }
204
205 randomize_buffer(seq_nr, sizeof(*seq_nr));
206
207 return 0;
208 }
209
rtattr_hdr(struct nlmsghdr * nh)210 static inline struct rtattr *rtattr_hdr(struct nlmsghdr *nh)
211 {
212 return (struct rtattr *)((char *)(nh) + RTA_ALIGN((nh)->nlmsg_len));
213 }
214
rtattr_pack(struct nlmsghdr * nh,size_t req_sz,unsigned short rta_type,const void * payload,size_t size)215 static int rtattr_pack(struct nlmsghdr *nh, size_t req_sz,
216 unsigned short rta_type, const void *payload, size_t size)
217 {
218 /* NLMSG_ALIGNTO == RTA_ALIGNTO, nlmsg_len already aligned */
219 struct rtattr *attr = rtattr_hdr(nh);
220 size_t nl_size = RTA_ALIGN(nh->nlmsg_len) + RTA_LENGTH(size);
221
222 if (req_sz < nl_size) {
223 printk("req buf is too small: %zu < %zu", req_sz, nl_size);
224 return -1;
225 }
226 nh->nlmsg_len = nl_size;
227
228 attr->rta_len = RTA_LENGTH(size);
229 attr->rta_type = rta_type;
230 if (payload)
231 memcpy(RTA_DATA(attr), payload, size);
232
233 return 0;
234 }
235
_rtattr_begin(struct nlmsghdr * nh,size_t req_sz,unsigned short rta_type,const void * payload,size_t size)236 static struct rtattr *_rtattr_begin(struct nlmsghdr *nh, size_t req_sz,
237 unsigned short rta_type, const void *payload, size_t size)
238 {
239 struct rtattr *ret = rtattr_hdr(nh);
240
241 if (rtattr_pack(nh, req_sz, rta_type, payload, size))
242 return 0;
243
244 return ret;
245 }
246
rtattr_begin(struct nlmsghdr * nh,size_t req_sz,unsigned short rta_type)247 static inline struct rtattr *rtattr_begin(struct nlmsghdr *nh, size_t req_sz,
248 unsigned short rta_type)
249 {
250 return _rtattr_begin(nh, req_sz, rta_type, 0, 0);
251 }
252
rtattr_end(struct nlmsghdr * nh,struct rtattr * attr)253 static inline void rtattr_end(struct nlmsghdr *nh, struct rtattr *attr)
254 {
255 char *nlmsg_end = (char *)nh + nh->nlmsg_len;
256
257 attr->rta_len = nlmsg_end - (char *)attr;
258 }
259
veth_pack_peerb(struct nlmsghdr * nh,size_t req_sz,const char * peer,int ns)260 static int veth_pack_peerb(struct nlmsghdr *nh, size_t req_sz,
261 const char *peer, int ns)
262 {
263 struct ifinfomsg pi;
264 struct rtattr *peer_attr;
265
266 memset(&pi, 0, sizeof(pi));
267 pi.ifi_family = AF_UNSPEC;
268 pi.ifi_change = 0xFFFFFFFF;
269
270 peer_attr = _rtattr_begin(nh, req_sz, VETH_INFO_PEER, &pi, sizeof(pi));
271 if (!peer_attr)
272 return -1;
273
274 if (rtattr_pack(nh, req_sz, IFLA_IFNAME, peer, strlen(peer)))
275 return -1;
276
277 if (rtattr_pack(nh, req_sz, IFLA_NET_NS_FD, &ns, sizeof(ns)))
278 return -1;
279
280 rtattr_end(nh, peer_attr);
281
282 return 0;
283 }
284
netlink_check_answer(int sock)285 static int netlink_check_answer(int sock)
286 {
287 struct nlmsgerror {
288 struct nlmsghdr hdr;
289 int error;
290 struct nlmsghdr orig_msg;
291 } answer;
292
293 if (recv(sock, &answer, sizeof(answer), 0) < 0) {
294 pr_err("recv()");
295 return -1;
296 } else if (answer.hdr.nlmsg_type != NLMSG_ERROR) {
297 printk("expected NLMSG_ERROR, got %d", (int)answer.hdr.nlmsg_type);
298 return -1;
299 } else if (answer.error) {
300 printk("NLMSG_ERROR: %d: %s",
301 answer.error, strerror(-answer.error));
302 return answer.error;
303 }
304
305 return 0;
306 }
307
veth_add(int sock,uint32_t seq,const char * peera,int ns_a,const char * peerb,int ns_b)308 static int veth_add(int sock, uint32_t seq, const char *peera, int ns_a,
309 const char *peerb, int ns_b)
310 {
311 uint16_t flags = NLM_F_REQUEST | NLM_F_ACK | NLM_F_EXCL | NLM_F_CREATE;
312 struct {
313 struct nlmsghdr nh;
314 struct ifinfomsg info;
315 char attrbuf[MAX_PAYLOAD];
316 } req;
317 const char veth_type[] = "veth";
318 struct rtattr *link_info, *info_data;
319
320 memset(&req, 0, sizeof(req));
321 req.nh.nlmsg_len = NLMSG_LENGTH(sizeof(req.info));
322 req.nh.nlmsg_type = RTM_NEWLINK;
323 req.nh.nlmsg_flags = flags;
324 req.nh.nlmsg_seq = seq;
325 req.info.ifi_family = AF_UNSPEC;
326 req.info.ifi_change = 0xFFFFFFFF;
327
328 if (rtattr_pack(&req.nh, sizeof(req), IFLA_IFNAME, peera, strlen(peera)))
329 return -1;
330
331 if (rtattr_pack(&req.nh, sizeof(req), IFLA_NET_NS_FD, &ns_a, sizeof(ns_a)))
332 return -1;
333
334 link_info = rtattr_begin(&req.nh, sizeof(req), IFLA_LINKINFO);
335 if (!link_info)
336 return -1;
337
338 if (rtattr_pack(&req.nh, sizeof(req), IFLA_INFO_KIND, veth_type, sizeof(veth_type)))
339 return -1;
340
341 info_data = rtattr_begin(&req.nh, sizeof(req), IFLA_INFO_DATA);
342 if (!info_data)
343 return -1;
344
345 if (veth_pack_peerb(&req.nh, sizeof(req), peerb, ns_b))
346 return -1;
347
348 rtattr_end(&req.nh, info_data);
349 rtattr_end(&req.nh, link_info);
350
351 if (send(sock, &req, req.nh.nlmsg_len, 0) < 0) {
352 pr_err("send()");
353 return -1;
354 }
355 return netlink_check_answer(sock);
356 }
357
ip4_addr_set(int sock,uint32_t seq,const char * intf,struct in_addr addr,uint8_t prefix)358 static int ip4_addr_set(int sock, uint32_t seq, const char *intf,
359 struct in_addr addr, uint8_t prefix)
360 {
361 uint16_t flags = NLM_F_REQUEST | NLM_F_ACK | NLM_F_EXCL | NLM_F_CREATE;
362 struct {
363 struct nlmsghdr nh;
364 struct ifaddrmsg info;
365 char attrbuf[MAX_PAYLOAD];
366 } req;
367
368 memset(&req, 0, sizeof(req));
369 req.nh.nlmsg_len = NLMSG_LENGTH(sizeof(req.info));
370 req.nh.nlmsg_type = RTM_NEWADDR;
371 req.nh.nlmsg_flags = flags;
372 req.nh.nlmsg_seq = seq;
373 req.info.ifa_family = AF_INET;
374 req.info.ifa_prefixlen = prefix;
375 req.info.ifa_index = if_nametoindex(intf);
376
377 #ifdef DEBUG
378 {
379 char addr_str[IPV4_STR_SZ] = {};
380
381 strncpy(addr_str, inet_ntoa(addr), IPV4_STR_SZ - 1);
382
383 printk("ip addr set %s", addr_str);
384 }
385 #endif
386
387 if (rtattr_pack(&req.nh, sizeof(req), IFA_LOCAL, &addr, sizeof(addr)))
388 return -1;
389
390 if (rtattr_pack(&req.nh, sizeof(req), IFA_ADDRESS, &addr, sizeof(addr)))
391 return -1;
392
393 if (send(sock, &req, req.nh.nlmsg_len, 0) < 0) {
394 pr_err("send()");
395 return -1;
396 }
397 return netlink_check_answer(sock);
398 }
399
link_set_up(int sock,uint32_t seq,const char * intf)400 static int link_set_up(int sock, uint32_t seq, const char *intf)
401 {
402 struct {
403 struct nlmsghdr nh;
404 struct ifinfomsg info;
405 char attrbuf[MAX_PAYLOAD];
406 } req;
407
408 memset(&req, 0, sizeof(req));
409 req.nh.nlmsg_len = NLMSG_LENGTH(sizeof(req.info));
410 req.nh.nlmsg_type = RTM_NEWLINK;
411 req.nh.nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
412 req.nh.nlmsg_seq = seq;
413 req.info.ifi_family = AF_UNSPEC;
414 req.info.ifi_change = 0xFFFFFFFF;
415 req.info.ifi_index = if_nametoindex(intf);
416 req.info.ifi_flags = IFF_UP;
417 req.info.ifi_change = IFF_UP;
418
419 if (send(sock, &req, req.nh.nlmsg_len, 0) < 0) {
420 pr_err("send()");
421 return -1;
422 }
423 return netlink_check_answer(sock);
424 }
425
ip4_route_set(int sock,uint32_t seq,const char * intf,struct in_addr src,struct in_addr dst)426 static int ip4_route_set(int sock, uint32_t seq, const char *intf,
427 struct in_addr src, struct in_addr dst)
428 {
429 struct {
430 struct nlmsghdr nh;
431 struct rtmsg rt;
432 char attrbuf[MAX_PAYLOAD];
433 } req;
434 unsigned int index = if_nametoindex(intf);
435
436 memset(&req, 0, sizeof(req));
437 req.nh.nlmsg_len = NLMSG_LENGTH(sizeof(req.rt));
438 req.nh.nlmsg_type = RTM_NEWROUTE;
439 req.nh.nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK | NLM_F_CREATE;
440 req.nh.nlmsg_seq = seq;
441 req.rt.rtm_family = AF_INET;
442 req.rt.rtm_dst_len = 32;
443 req.rt.rtm_table = RT_TABLE_MAIN;
444 req.rt.rtm_protocol = RTPROT_BOOT;
445 req.rt.rtm_scope = RT_SCOPE_LINK;
446 req.rt.rtm_type = RTN_UNICAST;
447
448 if (rtattr_pack(&req.nh, sizeof(req), RTA_DST, &dst, sizeof(dst)))
449 return -1;
450
451 if (rtattr_pack(&req.nh, sizeof(req), RTA_PREFSRC, &src, sizeof(src)))
452 return -1;
453
454 if (rtattr_pack(&req.nh, sizeof(req), RTA_OIF, &index, sizeof(index)))
455 return -1;
456
457 if (send(sock, &req, req.nh.nlmsg_len, 0) < 0) {
458 pr_err("send()");
459 return -1;
460 }
461
462 return netlink_check_answer(sock);
463 }
464
tunnel_set_route(int route_sock,uint32_t * route_seq,char * veth,struct in_addr tunsrc,struct in_addr tundst)465 static int tunnel_set_route(int route_sock, uint32_t *route_seq, char *veth,
466 struct in_addr tunsrc, struct in_addr tundst)
467 {
468 if (ip4_addr_set(route_sock, (*route_seq)++, "lo",
469 tunsrc, PREFIX_LEN)) {
470 printk("Failed to set ipv4 addr");
471 return -1;
472 }
473
474 if (ip4_route_set(route_sock, (*route_seq)++, veth, tunsrc, tundst)) {
475 printk("Failed to set ipv4 route");
476 return -1;
477 }
478
479 return 0;
480 }
481
init_child(int nsfd,char * veth,unsigned int src,unsigned int dst)482 static int init_child(int nsfd, char *veth, unsigned int src, unsigned int dst)
483 {
484 struct in_addr intsrc = inet_makeaddr(INADDR_B, src);
485 struct in_addr tunsrc = inet_makeaddr(INADDR_A, src);
486 struct in_addr tundst = inet_makeaddr(INADDR_A, dst);
487 int route_sock = -1, ret = -1;
488 uint32_t route_seq;
489
490 if (switch_ns(nsfd))
491 return -1;
492
493 if (netlink_sock(&route_sock, &route_seq, NETLINK_ROUTE)) {
494 printk("Failed to open netlink route socket in child");
495 return -1;
496 }
497
498 if (ip4_addr_set(route_sock, route_seq++, veth, intsrc, PREFIX_LEN)) {
499 printk("Failed to set ipv4 addr");
500 goto err;
501 }
502
503 if (link_set_up(route_sock, route_seq++, veth)) {
504 printk("Failed to bring up %s", veth);
505 goto err;
506 }
507
508 if (tunnel_set_route(route_sock, &route_seq, veth, tunsrc, tundst)) {
509 printk("Failed to add tunnel route on %s", veth);
510 goto err;
511 }
512 ret = 0;
513
514 err:
515 close(route_sock);
516 return ret;
517 }
518
519 #define ALGO_LEN 64
520 enum desc_type {
521 CREATE_TUNNEL = 0,
522 ALLOCATE_SPI,
523 MONITOR_ACQUIRE,
524 EXPIRE_STATE,
525 EXPIRE_POLICY,
526 SPDINFO_ATTRS,
527 };
528 const char *desc_name[] = {
529 "create tunnel",
530 "alloc spi",
531 "monitor acquire",
532 "expire state",
533 "expire policy",
534 "spdinfo attributes",
535 ""
536 };
537 struct xfrm_desc {
538 enum desc_type type;
539 uint8_t proto;
540 char a_algo[ALGO_LEN];
541 char e_algo[ALGO_LEN];
542 char c_algo[ALGO_LEN];
543 char ae_algo[ALGO_LEN];
544 unsigned int icv_len;
545 /* unsigned key_len; */
546 };
547
548 enum msg_type {
549 MSG_ACK = 0,
550 MSG_EXIT,
551 MSG_PING,
552 MSG_XFRM_PREPARE,
553 MSG_XFRM_ADD,
554 MSG_XFRM_DEL,
555 MSG_XFRM_CLEANUP,
556 };
557
558 struct test_desc {
559 enum msg_type type;
560 union {
561 struct {
562 in_addr_t reply_ip;
563 unsigned int port;
564 } ping;
565 struct xfrm_desc xfrm_desc;
566 } body;
567 };
568
569 struct test_result {
570 struct xfrm_desc desc;
571 unsigned int res;
572 };
573
write_test_result(unsigned int res,struct xfrm_desc * d)574 static void write_test_result(unsigned int res, struct xfrm_desc *d)
575 {
576 struct test_result tr = {};
577 ssize_t ret;
578
579 tr.desc = *d;
580 tr.res = res;
581
582 ret = write(results_fd[1], &tr, sizeof(tr));
583 if (ret != sizeof(tr))
584 pr_err("Failed to write the result in pipe %zd", ret);
585 }
586
write_msg(int fd,struct test_desc * msg,bool exit_of_fail)587 static void write_msg(int fd, struct test_desc *msg, bool exit_of_fail)
588 {
589 ssize_t bytes = write(fd, msg, sizeof(*msg));
590
591 /* Make sure that write/read is atomic to a pipe */
592 BUILD_BUG_ON(sizeof(struct test_desc) > PIPE_BUF);
593
594 if (bytes < 0) {
595 pr_err("write()");
596 if (exit_of_fail)
597 exit(KSFT_FAIL);
598 }
599 if (bytes != sizeof(*msg)) {
600 pr_err("sent part of the message %zd/%zu", bytes, sizeof(*msg));
601 if (exit_of_fail)
602 exit(KSFT_FAIL);
603 }
604 }
605
read_msg(int fd,struct test_desc * msg,bool exit_of_fail)606 static void read_msg(int fd, struct test_desc *msg, bool exit_of_fail)
607 {
608 ssize_t bytes = read(fd, msg, sizeof(*msg));
609
610 if (bytes < 0) {
611 pr_err("read()");
612 if (exit_of_fail)
613 exit(KSFT_FAIL);
614 }
615 if (bytes != sizeof(*msg)) {
616 pr_err("got incomplete message %zd/%zu", bytes, sizeof(*msg));
617 if (exit_of_fail)
618 exit(KSFT_FAIL);
619 }
620 }
621
udp_ping_init(struct in_addr listen_ip,unsigned int u_timeout,unsigned int * server_port,int sock[2])622 static int udp_ping_init(struct in_addr listen_ip, unsigned int u_timeout,
623 unsigned int *server_port, int sock[2])
624 {
625 struct sockaddr_in server;
626 struct timeval t = { .tv_sec = 0, .tv_usec = u_timeout };
627 socklen_t s_len = sizeof(server);
628
629 sock[0] = socket(AF_INET, SOCK_DGRAM, 0);
630 if (sock[0] < 0) {
631 pr_err("socket()");
632 return -1;
633 }
634
635 server.sin_family = AF_INET;
636 server.sin_port = 0;
637 memcpy(&server.sin_addr.s_addr, &listen_ip, sizeof(struct in_addr));
638
639 if (bind(sock[0], (struct sockaddr *)&server, s_len)) {
640 pr_err("bind()");
641 goto err_close_server;
642 }
643
644 if (getsockname(sock[0], (struct sockaddr *)&server, &s_len)) {
645 pr_err("getsockname()");
646 goto err_close_server;
647 }
648
649 *server_port = ntohs(server.sin_port);
650
651 if (setsockopt(sock[0], SOL_SOCKET, SO_RCVTIMEO, (const char *)&t, sizeof t)) {
652 pr_err("setsockopt()");
653 goto err_close_server;
654 }
655
656 sock[1] = socket(AF_INET, SOCK_DGRAM, 0);
657 if (sock[1] < 0) {
658 pr_err("socket()");
659 goto err_close_server;
660 }
661
662 return 0;
663
664 err_close_server:
665 close(sock[0]);
666 return -1;
667 }
668
udp_ping_send(int sock[2],in_addr_t dest_ip,unsigned int port,char * buf,size_t buf_len)669 static int udp_ping_send(int sock[2], in_addr_t dest_ip, unsigned int port,
670 char *buf, size_t buf_len)
671 {
672 struct sockaddr_in server;
673 const struct sockaddr *dest_addr = (struct sockaddr *)&server;
674 char *sock_buf[buf_len];
675 ssize_t r_bytes, s_bytes;
676
677 server.sin_family = AF_INET;
678 server.sin_port = htons(port);
679 server.sin_addr.s_addr = dest_ip;
680
681 s_bytes = sendto(sock[1], buf, buf_len, 0, dest_addr, sizeof(server));
682 if (s_bytes < 0) {
683 pr_err("sendto()");
684 return -1;
685 } else if (s_bytes != buf_len) {
686 printk("send part of the message: %zd/%zu", s_bytes, sizeof(server));
687 return -1;
688 }
689
690 r_bytes = recv(sock[0], sock_buf, buf_len, 0);
691 if (r_bytes < 0) {
692 if (errno != EAGAIN)
693 pr_err("recv()");
694 return -1;
695 } else if (r_bytes == 0) { /* EOF */
696 printk("EOF on reply to ping");
697 return -1;
698 } else if (r_bytes != buf_len || memcmp(buf, sock_buf, buf_len)) {
699 printk("ping reply packet is corrupted %zd/%zu", r_bytes, buf_len);
700 return -1;
701 }
702
703 return 0;
704 }
705
udp_ping_reply(int sock[2],in_addr_t dest_ip,unsigned int port,char * buf,size_t buf_len)706 static int udp_ping_reply(int sock[2], in_addr_t dest_ip, unsigned int port,
707 char *buf, size_t buf_len)
708 {
709 struct sockaddr_in server;
710 const struct sockaddr *dest_addr = (struct sockaddr *)&server;
711 char *sock_buf[buf_len];
712 ssize_t r_bytes, s_bytes;
713
714 server.sin_family = AF_INET;
715 server.sin_port = htons(port);
716 server.sin_addr.s_addr = dest_ip;
717
718 r_bytes = recv(sock[0], sock_buf, buf_len, 0);
719 if (r_bytes < 0) {
720 if (errno != EAGAIN)
721 pr_err("recv()");
722 return -1;
723 }
724 if (r_bytes == 0) { /* EOF */
725 printk("EOF on reply to ping");
726 return -1;
727 }
728 if (r_bytes != buf_len || memcmp(buf, sock_buf, buf_len)) {
729 printk("ping reply packet is corrupted %zd/%zu", r_bytes, buf_len);
730 return -1;
731 }
732
733 s_bytes = sendto(sock[1], buf, buf_len, 0, dest_addr, sizeof(server));
734 if (s_bytes < 0) {
735 pr_err("sendto()");
736 return -1;
737 } else if (s_bytes != buf_len) {
738 printk("send part of the message: %zd/%zu", s_bytes, sizeof(server));
739 return -1;
740 }
741
742 return 0;
743 }
744
745 typedef int (*ping_f)(int sock[2], in_addr_t dest_ip, unsigned int port,
746 char *buf, size_t buf_len);
do_ping(int cmd_fd,char * buf,size_t buf_len,struct in_addr from,bool init_side,int d_port,in_addr_t to,ping_f func)747 static int do_ping(int cmd_fd, char *buf, size_t buf_len, struct in_addr from,
748 bool init_side, int d_port, in_addr_t to, ping_f func)
749 {
750 struct test_desc msg;
751 unsigned int s_port, i, ping_succeeded = 0;
752 int ping_sock[2];
753 char to_str[IPV4_STR_SZ] = {}, from_str[IPV4_STR_SZ] = {};
754
755 if (udp_ping_init(from, ping_timeout, &s_port, ping_sock)) {
756 printk("Failed to init ping");
757 return -1;
758 }
759
760 memset(&msg, 0, sizeof(msg));
761 msg.type = MSG_PING;
762 msg.body.ping.port = s_port;
763 memcpy(&msg.body.ping.reply_ip, &from, sizeof(from));
764
765 write_msg(cmd_fd, &msg, 0);
766 if (init_side) {
767 /* The other end sends ip to ping */
768 read_msg(cmd_fd, &msg, 0);
769 if (msg.type != MSG_PING)
770 return -1;
771 to = msg.body.ping.reply_ip;
772 d_port = msg.body.ping.port;
773 }
774
775 for (i = 0; i < ping_count ; i++) {
776 struct timespec sleep_time = {
777 .tv_sec = 0,
778 .tv_nsec = ping_delay_nsec,
779 };
780
781 ping_succeeded += !func(ping_sock, to, d_port, buf, page_size);
782 nanosleep(&sleep_time, 0);
783 }
784
785 close(ping_sock[0]);
786 close(ping_sock[1]);
787
788 strncpy(to_str, inet_ntoa(*(struct in_addr *)&to), IPV4_STR_SZ - 1);
789 strncpy(from_str, inet_ntoa(from), IPV4_STR_SZ - 1);
790
791 if (ping_succeeded < ping_success) {
792 printk("ping (%s) %s->%s failed %u/%u times",
793 init_side ? "send" : "reply", from_str, to_str,
794 ping_count - ping_succeeded, ping_count);
795 return -1;
796 }
797
798 #ifdef DEBUG
799 printk("ping (%s) %s->%s succeeded %u/%u times",
800 init_side ? "send" : "reply", from_str, to_str,
801 ping_succeeded, ping_count);
802 #endif
803
804 return 0;
805 }
806
xfrm_fill_key(char * name,char * buf,size_t buf_len,unsigned int * key_len)807 static int xfrm_fill_key(char *name, char *buf,
808 size_t buf_len, unsigned int *key_len)
809 {
810 int i;
811
812 for (i = 0; i < XFRM_ALGO_NR_KEYS; i++) {
813 if (strncmp(name, xfrm_key_entries[i].algo_name, ALGO_LEN) == 0)
814 *key_len = xfrm_key_entries[i].key_len;
815 }
816
817 if (*key_len > buf_len) {
818 printk("Can't pack a key - too big for buffer");
819 return -1;
820 }
821
822 randomize_buffer(buf, *key_len);
823
824 return 0;
825 }
826
xfrm_state_pack_algo(struct nlmsghdr * nh,size_t req_sz,struct xfrm_desc * desc)827 static int xfrm_state_pack_algo(struct nlmsghdr *nh, size_t req_sz,
828 struct xfrm_desc *desc)
829 {
830 struct {
831 union {
832 struct xfrm_algo alg;
833 struct xfrm_algo_aead aead;
834 struct xfrm_algo_auth auth;
835 } u;
836 char buf[XFRM_ALGO_KEY_BUF_SIZE];
837 } alg = {};
838 size_t alen, elen, clen, aelen;
839 unsigned short type;
840
841 alen = strlen(desc->a_algo);
842 elen = strlen(desc->e_algo);
843 clen = strlen(desc->c_algo);
844 aelen = strlen(desc->ae_algo);
845
846 /* Verify desc */
847 switch (desc->proto) {
848 case IPPROTO_AH:
849 if (!alen || elen || clen || aelen) {
850 printk("BUG: buggy ah desc");
851 return -1;
852 }
853 strncpy(alg.u.alg.alg_name, desc->a_algo, ALGO_LEN - 1);
854 if (xfrm_fill_key(desc->a_algo, alg.u.alg.alg_key,
855 sizeof(alg.buf), &alg.u.alg.alg_key_len))
856 return -1;
857 type = XFRMA_ALG_AUTH;
858 break;
859 case IPPROTO_COMP:
860 if (!clen || elen || alen || aelen) {
861 printk("BUG: buggy comp desc");
862 return -1;
863 }
864 strncpy(alg.u.alg.alg_name, desc->c_algo, ALGO_LEN - 1);
865 if (xfrm_fill_key(desc->c_algo, alg.u.alg.alg_key,
866 sizeof(alg.buf), &alg.u.alg.alg_key_len))
867 return -1;
868 type = XFRMA_ALG_COMP;
869 break;
870 case IPPROTO_ESP:
871 if (!((alen && elen) ^ aelen) || clen) {
872 printk("BUG: buggy esp desc");
873 return -1;
874 }
875 if (aelen) {
876 alg.u.aead.alg_icv_len = desc->icv_len;
877 strncpy(alg.u.aead.alg_name, desc->ae_algo, ALGO_LEN - 1);
878 if (xfrm_fill_key(desc->ae_algo, alg.u.aead.alg_key,
879 sizeof(alg.buf), &alg.u.aead.alg_key_len))
880 return -1;
881 type = XFRMA_ALG_AEAD;
882 } else {
883
884 strncpy(alg.u.alg.alg_name, desc->e_algo, ALGO_LEN - 1);
885 type = XFRMA_ALG_CRYPT;
886 if (xfrm_fill_key(desc->e_algo, alg.u.alg.alg_key,
887 sizeof(alg.buf), &alg.u.alg.alg_key_len))
888 return -1;
889 if (rtattr_pack(nh, req_sz, type, &alg, sizeof(alg)))
890 return -1;
891
892 strncpy(alg.u.alg.alg_name, desc->a_algo, ALGO_LEN);
893 type = XFRMA_ALG_AUTH;
894 if (xfrm_fill_key(desc->a_algo, alg.u.alg.alg_key,
895 sizeof(alg.buf), &alg.u.alg.alg_key_len))
896 return -1;
897 }
898 break;
899 default:
900 printk("BUG: unknown proto in desc");
901 return -1;
902 }
903
904 if (rtattr_pack(nh, req_sz, type, &alg, sizeof(alg)))
905 return -1;
906
907 return 0;
908 }
909
gen_spi(struct in_addr src)910 static inline uint32_t gen_spi(struct in_addr src)
911 {
912 return htonl(inet_lnaof(src));
913 }
914
xfrm_state_add(int xfrm_sock,uint32_t seq,uint32_t spi,struct in_addr src,struct in_addr dst,struct xfrm_desc * desc)915 static int xfrm_state_add(int xfrm_sock, uint32_t seq, uint32_t spi,
916 struct in_addr src, struct in_addr dst,
917 struct xfrm_desc *desc)
918 {
919 struct {
920 struct nlmsghdr nh;
921 struct xfrm_usersa_info info;
922 char attrbuf[MAX_PAYLOAD];
923 } req;
924
925 memset(&req, 0, sizeof(req));
926 req.nh.nlmsg_len = NLMSG_LENGTH(sizeof(req.info));
927 req.nh.nlmsg_type = XFRM_MSG_NEWSA;
928 req.nh.nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
929 req.nh.nlmsg_seq = seq;
930
931 /* Fill selector. */
932 memcpy(&req.info.sel.daddr, &dst, sizeof(dst));
933 memcpy(&req.info.sel.saddr, &src, sizeof(src));
934 req.info.sel.family = AF_INET;
935 req.info.sel.prefixlen_d = PREFIX_LEN;
936 req.info.sel.prefixlen_s = PREFIX_LEN;
937
938 /* Fill id */
939 memcpy(&req.info.id.daddr, &dst, sizeof(dst));
940 /* Note: zero-spi cannot be deleted */
941 req.info.id.spi = spi;
942 req.info.id.proto = desc->proto;
943
944 memcpy(&req.info.saddr, &src, sizeof(src));
945
946 /* Fill lifteme_cfg */
947 req.info.lft.soft_byte_limit = XFRM_INF;
948 req.info.lft.hard_byte_limit = XFRM_INF;
949 req.info.lft.soft_packet_limit = XFRM_INF;
950 req.info.lft.hard_packet_limit = XFRM_INF;
951
952 req.info.family = AF_INET;
953 req.info.mode = XFRM_MODE_TUNNEL;
954
955 if (xfrm_state_pack_algo(&req.nh, sizeof(req), desc))
956 return -1;
957
958 if (send(xfrm_sock, &req, req.nh.nlmsg_len, 0) < 0) {
959 pr_err("send()");
960 return -1;
961 }
962
963 return netlink_check_answer(xfrm_sock);
964 }
965
xfrm_usersa_found(struct xfrm_usersa_info * info,uint32_t spi,struct in_addr src,struct in_addr dst,struct xfrm_desc * desc)966 static bool xfrm_usersa_found(struct xfrm_usersa_info *info, uint32_t spi,
967 struct in_addr src, struct in_addr dst,
968 struct xfrm_desc *desc)
969 {
970 if (memcmp(&info->sel.daddr, &dst, sizeof(dst)))
971 return false;
972
973 if (memcmp(&info->sel.saddr, &src, sizeof(src)))
974 return false;
975
976 if (info->sel.family != AF_INET ||
977 info->sel.prefixlen_d != PREFIX_LEN ||
978 info->sel.prefixlen_s != PREFIX_LEN)
979 return false;
980
981 if (info->id.spi != spi || info->id.proto != desc->proto)
982 return false;
983
984 if (memcmp(&info->id.daddr, &dst, sizeof(dst)))
985 return false;
986
987 if (memcmp(&info->saddr, &src, sizeof(src)))
988 return false;
989
990 if (info->lft.soft_byte_limit != XFRM_INF ||
991 info->lft.hard_byte_limit != XFRM_INF ||
992 info->lft.soft_packet_limit != XFRM_INF ||
993 info->lft.hard_packet_limit != XFRM_INF)
994 return false;
995
996 if (info->family != AF_INET || info->mode != XFRM_MODE_TUNNEL)
997 return false;
998
999 /* XXX: check xfrm algo, see xfrm_state_pack_algo(). */
1000
1001 return true;
1002 }
1003
xfrm_state_check(int xfrm_sock,uint32_t seq,uint32_t spi,struct in_addr src,struct in_addr dst,struct xfrm_desc * desc)1004 static int xfrm_state_check(int xfrm_sock, uint32_t seq, uint32_t spi,
1005 struct in_addr src, struct in_addr dst,
1006 struct xfrm_desc *desc)
1007 {
1008 struct {
1009 struct nlmsghdr nh;
1010 char attrbuf[MAX_PAYLOAD];
1011 } req;
1012 struct {
1013 struct nlmsghdr nh;
1014 union {
1015 struct xfrm_usersa_info info;
1016 int error;
1017 };
1018 char attrbuf[MAX_PAYLOAD];
1019 } answer;
1020 struct xfrm_address_filter filter = {};
1021 bool found = false;
1022
1023
1024 memset(&req, 0, sizeof(req));
1025 req.nh.nlmsg_len = NLMSG_LENGTH(0);
1026 req.nh.nlmsg_type = XFRM_MSG_GETSA;
1027 req.nh.nlmsg_flags = NLM_F_REQUEST | NLM_F_DUMP;
1028 req.nh.nlmsg_seq = seq;
1029
1030 /*
1031 * Add dump filter by source address as there may be other tunnels
1032 * in this netns (if tests run in parallel).
1033 */
1034 filter.family = AF_INET;
1035 filter.splen = 0x1f; /* 0xffffffff mask see addr_match() */
1036 memcpy(&filter.saddr, &src, sizeof(src));
1037 if (rtattr_pack(&req.nh, sizeof(req), XFRMA_ADDRESS_FILTER,
1038 &filter, sizeof(filter)))
1039 return -1;
1040
1041 if (send(xfrm_sock, &req, req.nh.nlmsg_len, 0) < 0) {
1042 pr_err("send()");
1043 return -1;
1044 }
1045
1046 while (1) {
1047 if (recv(xfrm_sock, &answer, sizeof(answer), 0) < 0) {
1048 pr_err("recv()");
1049 return -1;
1050 }
1051 if (answer.nh.nlmsg_type == NLMSG_ERROR) {
1052 printk("NLMSG_ERROR: %d: %s",
1053 answer.error, strerror(-answer.error));
1054 return -1;
1055 } else if (answer.nh.nlmsg_type == NLMSG_DONE) {
1056 if (found)
1057 return 0;
1058 printk("didn't find allocated xfrm state in dump");
1059 return -1;
1060 } else if (answer.nh.nlmsg_type == XFRM_MSG_NEWSA) {
1061 if (xfrm_usersa_found(&answer.info, spi, src, dst, desc))
1062 found = true;
1063 }
1064 }
1065 }
1066
xfrm_set(int xfrm_sock,uint32_t * seq,struct in_addr src,struct in_addr dst,struct in_addr tunsrc,struct in_addr tundst,struct xfrm_desc * desc)1067 static int xfrm_set(int xfrm_sock, uint32_t *seq,
1068 struct in_addr src, struct in_addr dst,
1069 struct in_addr tunsrc, struct in_addr tundst,
1070 struct xfrm_desc *desc)
1071 {
1072 int err;
1073
1074 err = xfrm_state_add(xfrm_sock, (*seq)++, gen_spi(src), src, dst, desc);
1075 if (err) {
1076 printk("Failed to add xfrm state");
1077 return -1;
1078 }
1079
1080 err = xfrm_state_add(xfrm_sock, (*seq)++, gen_spi(src), dst, src, desc);
1081 if (err) {
1082 printk("Failed to add xfrm state");
1083 return -1;
1084 }
1085
1086 /* Check dumps for XFRM_MSG_GETSA */
1087 err = xfrm_state_check(xfrm_sock, (*seq)++, gen_spi(src), src, dst, desc);
1088 err |= xfrm_state_check(xfrm_sock, (*seq)++, gen_spi(src), dst, src, desc);
1089 if (err) {
1090 printk("Failed to check xfrm state");
1091 return -1;
1092 }
1093
1094 return 0;
1095 }
1096
xfrm_policy_add(int xfrm_sock,uint32_t seq,uint32_t spi,struct in_addr src,struct in_addr dst,uint8_t dir,struct in_addr tunsrc,struct in_addr tundst,uint8_t proto)1097 static int xfrm_policy_add(int xfrm_sock, uint32_t seq, uint32_t spi,
1098 struct in_addr src, struct in_addr dst, uint8_t dir,
1099 struct in_addr tunsrc, struct in_addr tundst, uint8_t proto)
1100 {
1101 struct {
1102 struct nlmsghdr nh;
1103 struct xfrm_userpolicy_info info;
1104 char attrbuf[MAX_PAYLOAD];
1105 } req;
1106 struct xfrm_user_tmpl tmpl;
1107
1108 memset(&req, 0, sizeof(req));
1109 memset(&tmpl, 0, sizeof(tmpl));
1110 req.nh.nlmsg_len = NLMSG_LENGTH(sizeof(req.info));
1111 req.nh.nlmsg_type = XFRM_MSG_NEWPOLICY;
1112 req.nh.nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
1113 req.nh.nlmsg_seq = seq;
1114
1115 /* Fill selector. */
1116 memcpy(&req.info.sel.daddr, &dst, sizeof(tundst));
1117 memcpy(&req.info.sel.saddr, &src, sizeof(tunsrc));
1118 req.info.sel.family = AF_INET;
1119 req.info.sel.prefixlen_d = PREFIX_LEN;
1120 req.info.sel.prefixlen_s = PREFIX_LEN;
1121
1122 /* Fill lifteme_cfg */
1123 req.info.lft.soft_byte_limit = XFRM_INF;
1124 req.info.lft.hard_byte_limit = XFRM_INF;
1125 req.info.lft.soft_packet_limit = XFRM_INF;
1126 req.info.lft.hard_packet_limit = XFRM_INF;
1127
1128 req.info.dir = dir;
1129
1130 /* Fill tmpl */
1131 memcpy(&tmpl.id.daddr, &dst, sizeof(dst));
1132 /* Note: zero-spi cannot be deleted */
1133 tmpl.id.spi = spi;
1134 tmpl.id.proto = proto;
1135 tmpl.family = AF_INET;
1136 memcpy(&tmpl.saddr, &src, sizeof(src));
1137 tmpl.mode = XFRM_MODE_TUNNEL;
1138 tmpl.aalgos = (~(uint32_t)0);
1139 tmpl.ealgos = (~(uint32_t)0);
1140 tmpl.calgos = (~(uint32_t)0);
1141
1142 if (rtattr_pack(&req.nh, sizeof(req), XFRMA_TMPL, &tmpl, sizeof(tmpl)))
1143 return -1;
1144
1145 if (send(xfrm_sock, &req, req.nh.nlmsg_len, 0) < 0) {
1146 pr_err("send()");
1147 return -1;
1148 }
1149
1150 return netlink_check_answer(xfrm_sock);
1151 }
1152
xfrm_prepare(int xfrm_sock,uint32_t * seq,struct in_addr src,struct in_addr dst,struct in_addr tunsrc,struct in_addr tundst,uint8_t proto)1153 static int xfrm_prepare(int xfrm_sock, uint32_t *seq,
1154 struct in_addr src, struct in_addr dst,
1155 struct in_addr tunsrc, struct in_addr tundst, uint8_t proto)
1156 {
1157 if (xfrm_policy_add(xfrm_sock, (*seq)++, gen_spi(src), src, dst,
1158 XFRM_POLICY_OUT, tunsrc, tundst, proto)) {
1159 printk("Failed to add xfrm policy");
1160 return -1;
1161 }
1162
1163 if (xfrm_policy_add(xfrm_sock, (*seq)++, gen_spi(src), dst, src,
1164 XFRM_POLICY_IN, tunsrc, tundst, proto)) {
1165 printk("Failed to add xfrm policy");
1166 return -1;
1167 }
1168
1169 return 0;
1170 }
1171
xfrm_policy_del(int xfrm_sock,uint32_t seq,struct in_addr src,struct in_addr dst,uint8_t dir,struct in_addr tunsrc,struct in_addr tundst)1172 static int xfrm_policy_del(int xfrm_sock, uint32_t seq,
1173 struct in_addr src, struct in_addr dst, uint8_t dir,
1174 struct in_addr tunsrc, struct in_addr tundst)
1175 {
1176 struct {
1177 struct nlmsghdr nh;
1178 struct xfrm_userpolicy_id id;
1179 char attrbuf[MAX_PAYLOAD];
1180 } req;
1181
1182 memset(&req, 0, sizeof(req));
1183 req.nh.nlmsg_len = NLMSG_LENGTH(sizeof(req.id));
1184 req.nh.nlmsg_type = XFRM_MSG_DELPOLICY;
1185 req.nh.nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
1186 req.nh.nlmsg_seq = seq;
1187
1188 /* Fill id */
1189 memcpy(&req.id.sel.daddr, &dst, sizeof(tundst));
1190 memcpy(&req.id.sel.saddr, &src, sizeof(tunsrc));
1191 req.id.sel.family = AF_INET;
1192 req.id.sel.prefixlen_d = PREFIX_LEN;
1193 req.id.sel.prefixlen_s = PREFIX_LEN;
1194 req.id.dir = dir;
1195
1196 if (send(xfrm_sock, &req, req.nh.nlmsg_len, 0) < 0) {
1197 pr_err("send()");
1198 return -1;
1199 }
1200
1201 return netlink_check_answer(xfrm_sock);
1202 }
1203
xfrm_cleanup(int xfrm_sock,uint32_t * seq,struct in_addr src,struct in_addr dst,struct in_addr tunsrc,struct in_addr tundst)1204 static int xfrm_cleanup(int xfrm_sock, uint32_t *seq,
1205 struct in_addr src, struct in_addr dst,
1206 struct in_addr tunsrc, struct in_addr tundst)
1207 {
1208 if (xfrm_policy_del(xfrm_sock, (*seq)++, src, dst,
1209 XFRM_POLICY_OUT, tunsrc, tundst)) {
1210 printk("Failed to add xfrm policy");
1211 return -1;
1212 }
1213
1214 if (xfrm_policy_del(xfrm_sock, (*seq)++, dst, src,
1215 XFRM_POLICY_IN, tunsrc, tundst)) {
1216 printk("Failed to add xfrm policy");
1217 return -1;
1218 }
1219
1220 return 0;
1221 }
1222
xfrm_state_del(int xfrm_sock,uint32_t seq,uint32_t spi,struct in_addr src,struct in_addr dst,uint8_t proto)1223 static int xfrm_state_del(int xfrm_sock, uint32_t seq, uint32_t spi,
1224 struct in_addr src, struct in_addr dst, uint8_t proto)
1225 {
1226 struct {
1227 struct nlmsghdr nh;
1228 struct xfrm_usersa_id id;
1229 char attrbuf[MAX_PAYLOAD];
1230 } req;
1231 xfrm_address_t saddr = {};
1232
1233 memset(&req, 0, sizeof(req));
1234 req.nh.nlmsg_len = NLMSG_LENGTH(sizeof(req.id));
1235 req.nh.nlmsg_type = XFRM_MSG_DELSA;
1236 req.nh.nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
1237 req.nh.nlmsg_seq = seq;
1238
1239 memcpy(&req.id.daddr, &dst, sizeof(dst));
1240 req.id.family = AF_INET;
1241 req.id.proto = proto;
1242 /* Note: zero-spi cannot be deleted */
1243 req.id.spi = spi;
1244
1245 memcpy(&saddr, &src, sizeof(src));
1246 if (rtattr_pack(&req.nh, sizeof(req), XFRMA_SRCADDR, &saddr, sizeof(saddr)))
1247 return -1;
1248
1249 if (send(xfrm_sock, &req, req.nh.nlmsg_len, 0) < 0) {
1250 pr_err("send()");
1251 return -1;
1252 }
1253
1254 return netlink_check_answer(xfrm_sock);
1255 }
1256
xfrm_delete(int xfrm_sock,uint32_t * seq,struct in_addr src,struct in_addr dst,struct in_addr tunsrc,struct in_addr tundst,uint8_t proto)1257 static int xfrm_delete(int xfrm_sock, uint32_t *seq,
1258 struct in_addr src, struct in_addr dst,
1259 struct in_addr tunsrc, struct in_addr tundst, uint8_t proto)
1260 {
1261 if (xfrm_state_del(xfrm_sock, (*seq)++, gen_spi(src), src, dst, proto)) {
1262 printk("Failed to remove xfrm state");
1263 return -1;
1264 }
1265
1266 if (xfrm_state_del(xfrm_sock, (*seq)++, gen_spi(src), dst, src, proto)) {
1267 printk("Failed to remove xfrm state");
1268 return -1;
1269 }
1270
1271 return 0;
1272 }
1273
xfrm_state_allocspi(int xfrm_sock,uint32_t * seq,uint32_t spi,uint8_t proto)1274 static int xfrm_state_allocspi(int xfrm_sock, uint32_t *seq,
1275 uint32_t spi, uint8_t proto)
1276 {
1277 struct {
1278 struct nlmsghdr nh;
1279 struct xfrm_userspi_info spi;
1280 } req;
1281 struct {
1282 struct nlmsghdr nh;
1283 union {
1284 struct xfrm_usersa_info info;
1285 int error;
1286 };
1287 } answer;
1288
1289 memset(&req, 0, sizeof(req));
1290 req.nh.nlmsg_len = NLMSG_LENGTH(sizeof(req.spi));
1291 req.nh.nlmsg_type = XFRM_MSG_ALLOCSPI;
1292 req.nh.nlmsg_flags = NLM_F_REQUEST;
1293 req.nh.nlmsg_seq = (*seq)++;
1294
1295 req.spi.info.family = AF_INET;
1296 req.spi.min = spi;
1297 req.spi.max = spi;
1298 req.spi.info.id.proto = proto;
1299
1300 if (send(xfrm_sock, &req, req.nh.nlmsg_len, 0) < 0) {
1301 pr_err("send()");
1302 return KSFT_FAIL;
1303 }
1304
1305 if (recv(xfrm_sock, &answer, sizeof(answer), 0) < 0) {
1306 pr_err("recv()");
1307 return KSFT_FAIL;
1308 } else if (answer.nh.nlmsg_type == XFRM_MSG_NEWSA) {
1309 uint32_t new_spi = htonl(answer.info.id.spi);
1310
1311 if (new_spi != spi) {
1312 printk("allocated spi is different from requested: %#x != %#x",
1313 new_spi, spi);
1314 return KSFT_FAIL;
1315 }
1316 return KSFT_PASS;
1317 } else if (answer.nh.nlmsg_type != NLMSG_ERROR) {
1318 printk("expected NLMSG_ERROR, got %d", (int)answer.nh.nlmsg_type);
1319 return KSFT_FAIL;
1320 }
1321
1322 printk("NLMSG_ERROR: %d: %s", answer.error, strerror(-answer.error));
1323 return (answer.error) ? KSFT_FAIL : KSFT_PASS;
1324 }
1325
netlink_sock_bind(int * sock,uint32_t * seq,int proto,uint32_t groups)1326 static int netlink_sock_bind(int *sock, uint32_t *seq, int proto, uint32_t groups)
1327 {
1328 struct sockaddr_nl snl = {};
1329 socklen_t addr_len;
1330 int ret = -1;
1331
1332 snl.nl_family = AF_NETLINK;
1333 snl.nl_groups = groups;
1334
1335 if (netlink_sock(sock, seq, proto)) {
1336 printk("Failed to open xfrm netlink socket");
1337 return -1;
1338 }
1339
1340 if (bind(*sock, (struct sockaddr *)&snl, sizeof(snl)) < 0) {
1341 pr_err("bind()");
1342 goto out_close;
1343 }
1344
1345 addr_len = sizeof(snl);
1346 if (getsockname(*sock, (struct sockaddr *)&snl, &addr_len) < 0) {
1347 pr_err("getsockname()");
1348 goto out_close;
1349 }
1350 if (addr_len != sizeof(snl)) {
1351 printk("Wrong address length %d", addr_len);
1352 goto out_close;
1353 }
1354 if (snl.nl_family != AF_NETLINK) {
1355 printk("Wrong address family %d", snl.nl_family);
1356 goto out_close;
1357 }
1358 return 0;
1359
1360 out_close:
1361 close(*sock);
1362 return ret;
1363 }
1364
xfrm_monitor_acquire(int xfrm_sock,uint32_t * seq,unsigned int nr)1365 static int xfrm_monitor_acquire(int xfrm_sock, uint32_t *seq, unsigned int nr)
1366 {
1367 struct {
1368 struct nlmsghdr nh;
1369 union {
1370 struct xfrm_user_acquire acq;
1371 int error;
1372 };
1373 char attrbuf[MAX_PAYLOAD];
1374 } req;
1375 struct xfrm_user_tmpl xfrm_tmpl = {};
1376 int xfrm_listen = -1, ret = KSFT_FAIL;
1377 uint32_t seq_listen;
1378
1379 if (netlink_sock_bind(&xfrm_listen, &seq_listen, NETLINK_XFRM, XFRMNLGRP_ACQUIRE))
1380 return KSFT_FAIL;
1381
1382 memset(&req, 0, sizeof(req));
1383 req.nh.nlmsg_len = NLMSG_LENGTH(sizeof(req.acq));
1384 req.nh.nlmsg_type = XFRM_MSG_ACQUIRE;
1385 req.nh.nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
1386 req.nh.nlmsg_seq = (*seq)++;
1387
1388 req.acq.policy.sel.family = AF_INET;
1389 req.acq.aalgos = 0xfeed;
1390 req.acq.ealgos = 0xbaad;
1391 req.acq.calgos = 0xbabe;
1392
1393 xfrm_tmpl.family = AF_INET;
1394 xfrm_tmpl.id.proto = IPPROTO_ESP;
1395 if (rtattr_pack(&req.nh, sizeof(req), XFRMA_TMPL, &xfrm_tmpl, sizeof(xfrm_tmpl)))
1396 goto out_close;
1397
1398 if (send(xfrm_sock, &req, req.nh.nlmsg_len, 0) < 0) {
1399 pr_err("send()");
1400 goto out_close;
1401 }
1402
1403 if (recv(xfrm_sock, &req, sizeof(req), 0) < 0) {
1404 pr_err("recv()");
1405 goto out_close;
1406 } else if (req.nh.nlmsg_type != NLMSG_ERROR) {
1407 printk("expected NLMSG_ERROR, got %d", (int)req.nh.nlmsg_type);
1408 goto out_close;
1409 }
1410
1411 if (req.error) {
1412 printk("NLMSG_ERROR: %d: %s", req.error, strerror(-req.error));
1413 ret = req.error;
1414 goto out_close;
1415 }
1416
1417 if (recv(xfrm_listen, &req, sizeof(req), 0) < 0) {
1418 pr_err("recv()");
1419 goto out_close;
1420 }
1421
1422 if (req.acq.aalgos != 0xfeed || req.acq.ealgos != 0xbaad
1423 || req.acq.calgos != 0xbabe) {
1424 printk("xfrm_user_acquire has changed %x %x %x",
1425 req.acq.aalgos, req.acq.ealgos, req.acq.calgos);
1426 goto out_close;
1427 }
1428
1429 ret = KSFT_PASS;
1430 out_close:
1431 close(xfrm_listen);
1432 return ret;
1433 }
1434
xfrm_expire_state(int xfrm_sock,uint32_t * seq,unsigned int nr,struct xfrm_desc * desc)1435 static int xfrm_expire_state(int xfrm_sock, uint32_t *seq,
1436 unsigned int nr, struct xfrm_desc *desc)
1437 {
1438 struct {
1439 struct nlmsghdr nh;
1440 union {
1441 struct xfrm_user_expire expire;
1442 int error;
1443 };
1444 } req;
1445 struct in_addr src, dst;
1446 int xfrm_listen = -1, ret = KSFT_FAIL;
1447 uint32_t seq_listen;
1448
1449 src = inet_makeaddr(INADDR_B, child_ip(nr));
1450 dst = inet_makeaddr(INADDR_B, grchild_ip(nr));
1451
1452 if (xfrm_state_add(xfrm_sock, (*seq)++, gen_spi(src), src, dst, desc)) {
1453 printk("Failed to add xfrm state");
1454 return KSFT_FAIL;
1455 }
1456
1457 if (netlink_sock_bind(&xfrm_listen, &seq_listen, NETLINK_XFRM, XFRMNLGRP_EXPIRE))
1458 return KSFT_FAIL;
1459
1460 memset(&req, 0, sizeof(req));
1461 req.nh.nlmsg_len = NLMSG_LENGTH(sizeof(req.expire));
1462 req.nh.nlmsg_type = XFRM_MSG_EXPIRE;
1463 req.nh.nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
1464 req.nh.nlmsg_seq = (*seq)++;
1465
1466 memcpy(&req.expire.state.id.daddr, &dst, sizeof(dst));
1467 req.expire.state.id.spi = gen_spi(src);
1468 req.expire.state.id.proto = desc->proto;
1469 req.expire.state.family = AF_INET;
1470 req.expire.hard = 0xff;
1471
1472 if (send(xfrm_sock, &req, req.nh.nlmsg_len, 0) < 0) {
1473 pr_err("send()");
1474 goto out_close;
1475 }
1476
1477 if (recv(xfrm_sock, &req, sizeof(req), 0) < 0) {
1478 pr_err("recv()");
1479 goto out_close;
1480 } else if (req.nh.nlmsg_type != NLMSG_ERROR) {
1481 printk("expected NLMSG_ERROR, got %d", (int)req.nh.nlmsg_type);
1482 goto out_close;
1483 }
1484
1485 if (req.error) {
1486 printk("NLMSG_ERROR: %d: %s", req.error, strerror(-req.error));
1487 ret = req.error;
1488 goto out_close;
1489 }
1490
1491 if (recv(xfrm_listen, &req, sizeof(req), 0) < 0) {
1492 pr_err("recv()");
1493 goto out_close;
1494 }
1495
1496 if (req.expire.hard != 0x1) {
1497 printk("expire.hard is not set: %x", req.expire.hard);
1498 goto out_close;
1499 }
1500
1501 ret = KSFT_PASS;
1502 out_close:
1503 close(xfrm_listen);
1504 return ret;
1505 }
1506
xfrm_expire_policy(int xfrm_sock,uint32_t * seq,unsigned int nr,struct xfrm_desc * desc)1507 static int xfrm_expire_policy(int xfrm_sock, uint32_t *seq,
1508 unsigned int nr, struct xfrm_desc *desc)
1509 {
1510 struct {
1511 struct nlmsghdr nh;
1512 union {
1513 struct xfrm_user_polexpire expire;
1514 int error;
1515 };
1516 } req;
1517 struct in_addr src, dst, tunsrc, tundst;
1518 int xfrm_listen = -1, ret = KSFT_FAIL;
1519 uint32_t seq_listen;
1520
1521 src = inet_makeaddr(INADDR_B, child_ip(nr));
1522 dst = inet_makeaddr(INADDR_B, grchild_ip(nr));
1523 tunsrc = inet_makeaddr(INADDR_A, child_ip(nr));
1524 tundst = inet_makeaddr(INADDR_A, grchild_ip(nr));
1525
1526 if (xfrm_policy_add(xfrm_sock, (*seq)++, gen_spi(src), src, dst,
1527 XFRM_POLICY_OUT, tunsrc, tundst, desc->proto)) {
1528 printk("Failed to add xfrm policy");
1529 return KSFT_FAIL;
1530 }
1531
1532 if (netlink_sock_bind(&xfrm_listen, &seq_listen, NETLINK_XFRM, XFRMNLGRP_EXPIRE))
1533 return KSFT_FAIL;
1534
1535 memset(&req, 0, sizeof(req));
1536 req.nh.nlmsg_len = NLMSG_LENGTH(sizeof(req.expire));
1537 req.nh.nlmsg_type = XFRM_MSG_POLEXPIRE;
1538 req.nh.nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
1539 req.nh.nlmsg_seq = (*seq)++;
1540
1541 /* Fill selector. */
1542 memcpy(&req.expire.pol.sel.daddr, &dst, sizeof(tundst));
1543 memcpy(&req.expire.pol.sel.saddr, &src, sizeof(tunsrc));
1544 req.expire.pol.sel.family = AF_INET;
1545 req.expire.pol.sel.prefixlen_d = PREFIX_LEN;
1546 req.expire.pol.sel.prefixlen_s = PREFIX_LEN;
1547 req.expire.pol.dir = XFRM_POLICY_OUT;
1548 req.expire.hard = 0xff;
1549
1550 if (send(xfrm_sock, &req, req.nh.nlmsg_len, 0) < 0) {
1551 pr_err("send()");
1552 goto out_close;
1553 }
1554
1555 if (recv(xfrm_sock, &req, sizeof(req), 0) < 0) {
1556 pr_err("recv()");
1557 goto out_close;
1558 } else if (req.nh.nlmsg_type != NLMSG_ERROR) {
1559 printk("expected NLMSG_ERROR, got %d", (int)req.nh.nlmsg_type);
1560 goto out_close;
1561 }
1562
1563 if (req.error) {
1564 printk("NLMSG_ERROR: %d: %s", req.error, strerror(-req.error));
1565 ret = req.error;
1566 goto out_close;
1567 }
1568
1569 if (recv(xfrm_listen, &req, sizeof(req), 0) < 0) {
1570 pr_err("recv()");
1571 goto out_close;
1572 }
1573
1574 if (req.expire.hard != 0x1) {
1575 printk("expire.hard is not set: %x", req.expire.hard);
1576 goto out_close;
1577 }
1578
1579 ret = KSFT_PASS;
1580 out_close:
1581 close(xfrm_listen);
1582 return ret;
1583 }
1584
xfrm_spdinfo_set_thresh(int xfrm_sock,uint32_t * seq,unsigned thresh4_l,unsigned thresh4_r,unsigned thresh6_l,unsigned thresh6_r,bool add_bad_attr)1585 static int xfrm_spdinfo_set_thresh(int xfrm_sock, uint32_t *seq,
1586 unsigned thresh4_l, unsigned thresh4_r,
1587 unsigned thresh6_l, unsigned thresh6_r,
1588 bool add_bad_attr)
1589
1590 {
1591 struct {
1592 struct nlmsghdr nh;
1593 union {
1594 uint32_t unused;
1595 int error;
1596 };
1597 char attrbuf[MAX_PAYLOAD];
1598 } req;
1599 struct xfrmu_spdhthresh thresh;
1600
1601 memset(&req, 0, sizeof(req));
1602 req.nh.nlmsg_len = NLMSG_LENGTH(sizeof(req.unused));
1603 req.nh.nlmsg_type = XFRM_MSG_NEWSPDINFO;
1604 req.nh.nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
1605 req.nh.nlmsg_seq = (*seq)++;
1606
1607 thresh.lbits = thresh4_l;
1608 thresh.rbits = thresh4_r;
1609 if (rtattr_pack(&req.nh, sizeof(req), XFRMA_SPD_IPV4_HTHRESH, &thresh, sizeof(thresh)))
1610 return -1;
1611
1612 thresh.lbits = thresh6_l;
1613 thresh.rbits = thresh6_r;
1614 if (rtattr_pack(&req.nh, sizeof(req), XFRMA_SPD_IPV6_HTHRESH, &thresh, sizeof(thresh)))
1615 return -1;
1616
1617 if (add_bad_attr) {
1618 BUILD_BUG_ON(XFRMA_IF_ID <= XFRMA_SPD_MAX + 1);
1619 if (rtattr_pack(&req.nh, sizeof(req), XFRMA_IF_ID, NULL, 0)) {
1620 pr_err("adding attribute failed: no space");
1621 return -1;
1622 }
1623 }
1624
1625 if (send(xfrm_sock, &req, req.nh.nlmsg_len, 0) < 0) {
1626 pr_err("send()");
1627 return -1;
1628 }
1629
1630 if (recv(xfrm_sock, &req, sizeof(req), 0) < 0) {
1631 pr_err("recv()");
1632 return -1;
1633 } else if (req.nh.nlmsg_type != NLMSG_ERROR) {
1634 printk("expected NLMSG_ERROR, got %d", (int)req.nh.nlmsg_type);
1635 return -1;
1636 }
1637
1638 if (req.error) {
1639 printk("NLMSG_ERROR: %d: %s", req.error, strerror(-req.error));
1640 return -1;
1641 }
1642
1643 return 0;
1644 }
1645
xfrm_spdinfo_attrs(int xfrm_sock,uint32_t * seq)1646 static int xfrm_spdinfo_attrs(int xfrm_sock, uint32_t *seq)
1647 {
1648 struct {
1649 struct nlmsghdr nh;
1650 union {
1651 uint32_t unused;
1652 int error;
1653 };
1654 char attrbuf[MAX_PAYLOAD];
1655 } req;
1656
1657 if (xfrm_spdinfo_set_thresh(xfrm_sock, seq, 32, 31, 120, 16, false)) {
1658 pr_err("Can't set SPD HTHRESH");
1659 return KSFT_FAIL;
1660 }
1661
1662 memset(&req, 0, sizeof(req));
1663
1664 req.nh.nlmsg_len = NLMSG_LENGTH(sizeof(req.unused));
1665 req.nh.nlmsg_type = XFRM_MSG_GETSPDINFO;
1666 req.nh.nlmsg_flags = NLM_F_REQUEST;
1667 req.nh.nlmsg_seq = (*seq)++;
1668 if (send(xfrm_sock, &req, req.nh.nlmsg_len, 0) < 0) {
1669 pr_err("send()");
1670 return KSFT_FAIL;
1671 }
1672
1673 if (recv(xfrm_sock, &req, sizeof(req), 0) < 0) {
1674 pr_err("recv()");
1675 return KSFT_FAIL;
1676 } else if (req.nh.nlmsg_type == XFRM_MSG_NEWSPDINFO) {
1677 size_t len = NLMSG_PAYLOAD(&req.nh, sizeof(req.unused));
1678 struct rtattr *attr = (void *)req.attrbuf;
1679 int got_thresh = 0;
1680
1681 for (; RTA_OK(attr, len); attr = RTA_NEXT(attr, len)) {
1682 if (attr->rta_type == XFRMA_SPD_IPV4_HTHRESH) {
1683 struct xfrmu_spdhthresh *t = RTA_DATA(attr);
1684
1685 got_thresh++;
1686 if (t->lbits != 32 || t->rbits != 31) {
1687 pr_err("thresh differ: %u, %u",
1688 t->lbits, t->rbits);
1689 return KSFT_FAIL;
1690 }
1691 }
1692 if (attr->rta_type == XFRMA_SPD_IPV6_HTHRESH) {
1693 struct xfrmu_spdhthresh *t = RTA_DATA(attr);
1694
1695 got_thresh++;
1696 if (t->lbits != 120 || t->rbits != 16) {
1697 pr_err("thresh differ: %u, %u",
1698 t->lbits, t->rbits);
1699 return KSFT_FAIL;
1700 }
1701 }
1702 }
1703 if (got_thresh != 2) {
1704 pr_err("only %d thresh returned by XFRM_MSG_GETSPDINFO", got_thresh);
1705 return KSFT_FAIL;
1706 }
1707 } else if (req.nh.nlmsg_type != NLMSG_ERROR) {
1708 printk("expected NLMSG_ERROR, got %d", (int)req.nh.nlmsg_type);
1709 return KSFT_FAIL;
1710 } else {
1711 printk("NLMSG_ERROR: %d: %s", req.error, strerror(-req.error));
1712 return -1;
1713 }
1714
1715 /* Restore the default */
1716 if (xfrm_spdinfo_set_thresh(xfrm_sock, seq, 32, 32, 128, 128, false)) {
1717 pr_err("Can't restore SPD HTHRESH");
1718 return KSFT_FAIL;
1719 }
1720
1721 /*
1722 * At this moment xfrm uses nlmsg_parse_deprecated(), which
1723 * implies NL_VALIDATE_LIBERAL - ignoring attributes with
1724 * (type > maxtype). nla_parse_depricated_strict() would enforce
1725 * it. Or even stricter nla_parse().
1726 * Right now it's not expected to fail, but to be ignored.
1727 */
1728 if (xfrm_spdinfo_set_thresh(xfrm_sock, seq, 32, 32, 128, 128, true))
1729 return KSFT_PASS;
1730
1731 return KSFT_PASS;
1732 }
1733
child_serv(int xfrm_sock,uint32_t * seq,unsigned int nr,int cmd_fd,void * buf,struct xfrm_desc * desc)1734 static int child_serv(int xfrm_sock, uint32_t *seq,
1735 unsigned int nr, int cmd_fd, void *buf, struct xfrm_desc *desc)
1736 {
1737 struct in_addr src, dst, tunsrc, tundst;
1738 struct test_desc msg;
1739 int ret = KSFT_FAIL;
1740
1741 src = inet_makeaddr(INADDR_B, child_ip(nr));
1742 dst = inet_makeaddr(INADDR_B, grchild_ip(nr));
1743 tunsrc = inet_makeaddr(INADDR_A, child_ip(nr));
1744 tundst = inet_makeaddr(INADDR_A, grchild_ip(nr));
1745
1746 /* UDP pinging without xfrm */
1747 if (do_ping(cmd_fd, buf, page_size, src, true, 0, 0, udp_ping_send)) {
1748 printk("ping failed before setting xfrm");
1749 return KSFT_FAIL;
1750 }
1751
1752 memset(&msg, 0, sizeof(msg));
1753 msg.type = MSG_XFRM_PREPARE;
1754 memcpy(&msg.body.xfrm_desc, desc, sizeof(*desc));
1755 write_msg(cmd_fd, &msg, 1);
1756
1757 if (xfrm_prepare(xfrm_sock, seq, src, dst, tunsrc, tundst, desc->proto)) {
1758 printk("failed to prepare xfrm");
1759 goto cleanup;
1760 }
1761
1762 memset(&msg, 0, sizeof(msg));
1763 msg.type = MSG_XFRM_ADD;
1764 memcpy(&msg.body.xfrm_desc, desc, sizeof(*desc));
1765 write_msg(cmd_fd, &msg, 1);
1766 if (xfrm_set(xfrm_sock, seq, src, dst, tunsrc, tundst, desc)) {
1767 printk("failed to set xfrm");
1768 goto delete;
1769 }
1770
1771 /* UDP pinging with xfrm tunnel */
1772 if (do_ping(cmd_fd, buf, page_size, tunsrc,
1773 true, 0, 0, udp_ping_send)) {
1774 printk("ping failed for xfrm");
1775 goto delete;
1776 }
1777
1778 ret = KSFT_PASS;
1779 delete:
1780 /* xfrm delete */
1781 memset(&msg, 0, sizeof(msg));
1782 msg.type = MSG_XFRM_DEL;
1783 memcpy(&msg.body.xfrm_desc, desc, sizeof(*desc));
1784 write_msg(cmd_fd, &msg, 1);
1785
1786 if (xfrm_delete(xfrm_sock, seq, src, dst, tunsrc, tundst, desc->proto)) {
1787 printk("failed ping to remove xfrm");
1788 ret = KSFT_FAIL;
1789 }
1790
1791 cleanup:
1792 memset(&msg, 0, sizeof(msg));
1793 msg.type = MSG_XFRM_CLEANUP;
1794 memcpy(&msg.body.xfrm_desc, desc, sizeof(*desc));
1795 write_msg(cmd_fd, &msg, 1);
1796 if (xfrm_cleanup(xfrm_sock, seq, src, dst, tunsrc, tundst)) {
1797 printk("failed ping to cleanup xfrm");
1798 ret = KSFT_FAIL;
1799 }
1800 return ret;
1801 }
1802
child_f(unsigned int nr,int test_desc_fd,int cmd_fd,void * buf)1803 static int child_f(unsigned int nr, int test_desc_fd, int cmd_fd, void *buf)
1804 {
1805 struct xfrm_desc desc;
1806 struct test_desc msg;
1807 int xfrm_sock = -1;
1808 uint32_t seq;
1809
1810 if (switch_ns(nsfd_childa))
1811 exit(KSFT_FAIL);
1812
1813 if (netlink_sock(&xfrm_sock, &seq, NETLINK_XFRM)) {
1814 printk("Failed to open xfrm netlink socket");
1815 exit(KSFT_FAIL);
1816 }
1817
1818 /* Check that seq sock is ready, just for sure. */
1819 memset(&msg, 0, sizeof(msg));
1820 msg.type = MSG_ACK;
1821 write_msg(cmd_fd, &msg, 1);
1822 read_msg(cmd_fd, &msg, 1);
1823 if (msg.type != MSG_ACK) {
1824 printk("Ack failed");
1825 exit(KSFT_FAIL);
1826 }
1827
1828 for (;;) {
1829 ssize_t received = read(test_desc_fd, &desc, sizeof(desc));
1830 int ret;
1831
1832 if (received == 0) /* EOF */
1833 break;
1834
1835 if (received != sizeof(desc)) {
1836 pr_err("read() returned %zd", received);
1837 exit(KSFT_FAIL);
1838 }
1839
1840 switch (desc.type) {
1841 case CREATE_TUNNEL:
1842 ret = child_serv(xfrm_sock, &seq, nr,
1843 cmd_fd, buf, &desc);
1844 break;
1845 case ALLOCATE_SPI:
1846 ret = xfrm_state_allocspi(xfrm_sock, &seq,
1847 -1, desc.proto);
1848 break;
1849 case MONITOR_ACQUIRE:
1850 ret = xfrm_monitor_acquire(xfrm_sock, &seq, nr);
1851 break;
1852 case EXPIRE_STATE:
1853 ret = xfrm_expire_state(xfrm_sock, &seq, nr, &desc);
1854 break;
1855 case EXPIRE_POLICY:
1856 ret = xfrm_expire_policy(xfrm_sock, &seq, nr, &desc);
1857 break;
1858 case SPDINFO_ATTRS:
1859 ret = xfrm_spdinfo_attrs(xfrm_sock, &seq);
1860 break;
1861 default:
1862 printk("Unknown desc type %d", desc.type);
1863 exit(KSFT_FAIL);
1864 }
1865 write_test_result(ret, &desc);
1866 }
1867
1868 close(xfrm_sock);
1869
1870 msg.type = MSG_EXIT;
1871 write_msg(cmd_fd, &msg, 1);
1872 exit(KSFT_PASS);
1873 }
1874
grand_child_serv(unsigned int nr,int cmd_fd,void * buf,struct test_desc * msg,int xfrm_sock,uint32_t * seq)1875 static void grand_child_serv(unsigned int nr, int cmd_fd, void *buf,
1876 struct test_desc *msg, int xfrm_sock, uint32_t *seq)
1877 {
1878 struct in_addr src, dst, tunsrc, tundst;
1879 bool tun_reply;
1880 struct xfrm_desc *desc = &msg->body.xfrm_desc;
1881
1882 src = inet_makeaddr(INADDR_B, grchild_ip(nr));
1883 dst = inet_makeaddr(INADDR_B, child_ip(nr));
1884 tunsrc = inet_makeaddr(INADDR_A, grchild_ip(nr));
1885 tundst = inet_makeaddr(INADDR_A, child_ip(nr));
1886
1887 switch (msg->type) {
1888 case MSG_EXIT:
1889 exit(KSFT_PASS);
1890 case MSG_ACK:
1891 write_msg(cmd_fd, msg, 1);
1892 break;
1893 case MSG_PING:
1894 tun_reply = memcmp(&dst, &msg->body.ping.reply_ip, sizeof(in_addr_t));
1895 /* UDP pinging without xfrm */
1896 if (do_ping(cmd_fd, buf, page_size, tun_reply ? tunsrc : src,
1897 false, msg->body.ping.port,
1898 msg->body.ping.reply_ip, udp_ping_reply)) {
1899 printk("ping failed before setting xfrm");
1900 }
1901 break;
1902 case MSG_XFRM_PREPARE:
1903 if (xfrm_prepare(xfrm_sock, seq, src, dst, tunsrc, tundst,
1904 desc->proto)) {
1905 xfrm_cleanup(xfrm_sock, seq, src, dst, tunsrc, tundst);
1906 printk("failed to prepare xfrm");
1907 }
1908 break;
1909 case MSG_XFRM_ADD:
1910 if (xfrm_set(xfrm_sock, seq, src, dst, tunsrc, tundst, desc)) {
1911 xfrm_cleanup(xfrm_sock, seq, src, dst, tunsrc, tundst);
1912 printk("failed to set xfrm");
1913 }
1914 break;
1915 case MSG_XFRM_DEL:
1916 if (xfrm_delete(xfrm_sock, seq, src, dst, tunsrc, tundst,
1917 desc->proto)) {
1918 xfrm_cleanup(xfrm_sock, seq, src, dst, tunsrc, tundst);
1919 printk("failed to remove xfrm");
1920 }
1921 break;
1922 case MSG_XFRM_CLEANUP:
1923 if (xfrm_cleanup(xfrm_sock, seq, src, dst, tunsrc, tundst)) {
1924 printk("failed to cleanup xfrm");
1925 }
1926 break;
1927 default:
1928 printk("got unknown msg type %d", msg->type);
1929 }
1930 }
1931
grand_child_f(unsigned int nr,int cmd_fd,void * buf)1932 static int grand_child_f(unsigned int nr, int cmd_fd, void *buf)
1933 {
1934 struct test_desc msg;
1935 int xfrm_sock = -1;
1936 uint32_t seq;
1937
1938 if (switch_ns(nsfd_childb))
1939 exit(KSFT_FAIL);
1940
1941 if (netlink_sock(&xfrm_sock, &seq, NETLINK_XFRM)) {
1942 printk("Failed to open xfrm netlink socket");
1943 exit(KSFT_FAIL);
1944 }
1945
1946 do {
1947 read_msg(cmd_fd, &msg, 1);
1948 grand_child_serv(nr, cmd_fd, buf, &msg, xfrm_sock, &seq);
1949 } while (1);
1950
1951 close(xfrm_sock);
1952 exit(KSFT_FAIL);
1953 }
1954
start_child(unsigned int nr,char * veth,int test_desc_fd[2])1955 static int start_child(unsigned int nr, char *veth, int test_desc_fd[2])
1956 {
1957 int cmd_sock[2];
1958 void *data_map;
1959 pid_t child;
1960
1961 if (init_child(nsfd_childa, veth, child_ip(nr), grchild_ip(nr)))
1962 return -1;
1963
1964 if (init_child(nsfd_childb, veth, grchild_ip(nr), child_ip(nr)))
1965 return -1;
1966
1967 child = fork();
1968 if (child < 0) {
1969 pr_err("fork()");
1970 return -1;
1971 } else if (child) {
1972 /* in parent - selftest */
1973 return switch_ns(nsfd_parent);
1974 }
1975
1976 if (close(test_desc_fd[1])) {
1977 pr_err("close()");
1978 return -1;
1979 }
1980
1981 /* child */
1982 data_map = mmap(0, page_size, PROT_READ | PROT_WRITE,
1983 MAP_SHARED | MAP_ANONYMOUS, -1, 0);
1984 if (data_map == MAP_FAILED) {
1985 pr_err("mmap()");
1986 return -1;
1987 }
1988
1989 randomize_buffer(data_map, page_size);
1990
1991 if (socketpair(PF_LOCAL, SOCK_SEQPACKET, 0, cmd_sock)) {
1992 pr_err("socketpair()");
1993 return -1;
1994 }
1995
1996 child = fork();
1997 if (child < 0) {
1998 pr_err("fork()");
1999 return -1;
2000 } else if (child) {
2001 if (close(cmd_sock[0])) {
2002 pr_err("close()");
2003 return -1;
2004 }
2005 return child_f(nr, test_desc_fd[0], cmd_sock[1], data_map);
2006 }
2007 if (close(cmd_sock[1])) {
2008 pr_err("close()");
2009 return -1;
2010 }
2011 return grand_child_f(nr, cmd_sock[0], data_map);
2012 }
2013
exit_usage(char ** argv)2014 static void exit_usage(char **argv)
2015 {
2016 printk("Usage: %s [nr_process]", argv[0]);
2017 exit(KSFT_FAIL);
2018 }
2019
__write_desc(int test_desc_fd,struct xfrm_desc * desc)2020 static int __write_desc(int test_desc_fd, struct xfrm_desc *desc)
2021 {
2022 ssize_t ret;
2023
2024 ret = write(test_desc_fd, desc, sizeof(*desc));
2025
2026 if (ret == sizeof(*desc))
2027 return 0;
2028
2029 pr_err("Writing test's desc failed %ld", ret);
2030
2031 return -1;
2032 }
2033
write_desc(int proto,int test_desc_fd,char * a,char * e,char * c,char * ae)2034 static int write_desc(int proto, int test_desc_fd,
2035 char *a, char *e, char *c, char *ae)
2036 {
2037 struct xfrm_desc desc = {};
2038
2039 desc.type = CREATE_TUNNEL;
2040 desc.proto = proto;
2041
2042 if (a)
2043 strncpy(desc.a_algo, a, ALGO_LEN - 1);
2044 if (e)
2045 strncpy(desc.e_algo, e, ALGO_LEN - 1);
2046 if (c)
2047 strncpy(desc.c_algo, c, ALGO_LEN - 1);
2048 if (ae)
2049 strncpy(desc.ae_algo, ae, ALGO_LEN - 1);
2050
2051 return __write_desc(test_desc_fd, &desc);
2052 }
2053
2054 int proto_list[] = { IPPROTO_AH, IPPROTO_COMP, IPPROTO_ESP };
2055 char *ah_list[] = {
2056 "digest_null", "hmac(md5)", "hmac(sha1)", "hmac(sha256)",
2057 "hmac(sha384)", "hmac(sha512)", "hmac(rmd160)",
2058 "xcbc(aes)", "cmac(aes)"
2059 };
2060 char *comp_list[] = {
2061 "deflate",
2062 #if 0
2063 /* No compression backend realization */
2064 "lzs", "lzjh"
2065 #endif
2066 };
2067 char *e_list[] = {
2068 "ecb(cipher_null)", "cbc(des)", "cbc(des3_ede)", "cbc(cast5)",
2069 "cbc(blowfish)", "cbc(aes)", "cbc(serpent)", "cbc(camellia)",
2070 "cbc(twofish)", "rfc3686(ctr(aes))"
2071 };
2072 char *ae_list[] = {
2073 #if 0
2074 /* not implemented */
2075 "rfc4106(gcm(aes))", "rfc4309(ccm(aes))", "rfc4543(gcm(aes))",
2076 "rfc7539esp(chacha20,poly1305)"
2077 #endif
2078 };
2079
2080 const unsigned int proto_plan = ARRAY_SIZE(ah_list) + ARRAY_SIZE(comp_list) \
2081 + (ARRAY_SIZE(ah_list) * ARRAY_SIZE(e_list)) \
2082 + ARRAY_SIZE(ae_list);
2083
write_proto_plan(int fd,int proto)2084 static int write_proto_plan(int fd, int proto)
2085 {
2086 unsigned int i;
2087
2088 switch (proto) {
2089 case IPPROTO_AH:
2090 for (i = 0; i < ARRAY_SIZE(ah_list); i++) {
2091 if (write_desc(proto, fd, ah_list[i], 0, 0, 0))
2092 return -1;
2093 }
2094 break;
2095 case IPPROTO_COMP:
2096 for (i = 0; i < ARRAY_SIZE(comp_list); i++) {
2097 if (write_desc(proto, fd, 0, 0, comp_list[i], 0))
2098 return -1;
2099 }
2100 break;
2101 case IPPROTO_ESP:
2102 for (i = 0; i < ARRAY_SIZE(ah_list); i++) {
2103 int j;
2104
2105 for (j = 0; j < ARRAY_SIZE(e_list); j++) {
2106 if (write_desc(proto, fd, ah_list[i],
2107 e_list[j], 0, 0))
2108 return -1;
2109 }
2110 }
2111 for (i = 0; i < ARRAY_SIZE(ae_list); i++) {
2112 if (write_desc(proto, fd, 0, 0, 0, ae_list[i]))
2113 return -1;
2114 }
2115 break;
2116 default:
2117 printk("BUG: Specified unknown proto %d", proto);
2118 return -1;
2119 }
2120
2121 return 0;
2122 }
2123
2124 /*
2125 * Some structures in xfrm uapi header differ in size between
2126 * 64-bit and 32-bit ABI:
2127 *
2128 * 32-bit UABI | 64-bit UABI
2129 * -------------------------------------|-------------------------------------
2130 * sizeof(xfrm_usersa_info) = 220 | sizeof(xfrm_usersa_info) = 224
2131 * sizeof(xfrm_userpolicy_info) = 164 | sizeof(xfrm_userpolicy_info) = 168
2132 * sizeof(xfrm_userspi_info) = 228 | sizeof(xfrm_userspi_info) = 232
2133 * sizeof(xfrm_user_acquire) = 276 | sizeof(xfrm_user_acquire) = 280
2134 * sizeof(xfrm_user_expire) = 224 | sizeof(xfrm_user_expire) = 232
2135 * sizeof(xfrm_user_polexpire) = 168 | sizeof(xfrm_user_polexpire) = 176
2136 *
2137 * Check the affected by the UABI difference structures.
2138 * Also, check translation for xfrm_set_spdinfo: it has it's own attributes
2139 * which needs to be correctly copied, but not translated.
2140 */
2141 const unsigned int compat_plan = 5;
write_compat_struct_tests(int test_desc_fd)2142 static int write_compat_struct_tests(int test_desc_fd)
2143 {
2144 struct xfrm_desc desc = {};
2145
2146 desc.type = ALLOCATE_SPI;
2147 desc.proto = IPPROTO_AH;
2148 strncpy(desc.a_algo, ah_list[0], ALGO_LEN - 1);
2149
2150 if (__write_desc(test_desc_fd, &desc))
2151 return -1;
2152
2153 desc.type = MONITOR_ACQUIRE;
2154 if (__write_desc(test_desc_fd, &desc))
2155 return -1;
2156
2157 desc.type = EXPIRE_STATE;
2158 if (__write_desc(test_desc_fd, &desc))
2159 return -1;
2160
2161 desc.type = EXPIRE_POLICY;
2162 if (__write_desc(test_desc_fd, &desc))
2163 return -1;
2164
2165 desc.type = SPDINFO_ATTRS;
2166 if (__write_desc(test_desc_fd, &desc))
2167 return -1;
2168
2169 return 0;
2170 }
2171
write_test_plan(int test_desc_fd)2172 static int write_test_plan(int test_desc_fd)
2173 {
2174 unsigned int i;
2175 pid_t child;
2176
2177 child = fork();
2178 if (child < 0) {
2179 pr_err("fork()");
2180 return -1;
2181 }
2182 if (child) {
2183 if (close(test_desc_fd))
2184 printk("close(): %m");
2185 return 0;
2186 }
2187
2188 if (write_compat_struct_tests(test_desc_fd))
2189 exit(KSFT_FAIL);
2190
2191 for (i = 0; i < ARRAY_SIZE(proto_list); i++) {
2192 if (write_proto_plan(test_desc_fd, proto_list[i]))
2193 exit(KSFT_FAIL);
2194 }
2195
2196 exit(KSFT_PASS);
2197 }
2198
children_cleanup(void)2199 static int children_cleanup(void)
2200 {
2201 unsigned ret = KSFT_PASS;
2202
2203 while (1) {
2204 int status;
2205 pid_t p = wait(&status);
2206
2207 if ((p < 0) && errno == ECHILD)
2208 break;
2209
2210 if (p < 0) {
2211 pr_err("wait()");
2212 return KSFT_FAIL;
2213 }
2214
2215 if (!WIFEXITED(status)) {
2216 ret = KSFT_FAIL;
2217 continue;
2218 }
2219
2220 if (WEXITSTATUS(status) == KSFT_FAIL)
2221 ret = KSFT_FAIL;
2222 }
2223
2224 return ret;
2225 }
2226
2227 typedef void (*print_res)(const char *, ...);
2228
check_results(void)2229 static int check_results(void)
2230 {
2231 struct test_result tr = {};
2232 struct xfrm_desc *d = &tr.desc;
2233 int ret = KSFT_PASS;
2234
2235 while (1) {
2236 ssize_t received = read(results_fd[0], &tr, sizeof(tr));
2237 print_res result;
2238
2239 if (received == 0) /* EOF */
2240 break;
2241
2242 if (received != sizeof(tr)) {
2243 pr_err("read() returned %zd", received);
2244 return KSFT_FAIL;
2245 }
2246
2247 switch (tr.res) {
2248 case KSFT_PASS:
2249 result = ksft_test_result_pass;
2250 break;
2251 case KSFT_FAIL:
2252 default:
2253 result = ksft_test_result_fail;
2254 ret = KSFT_FAIL;
2255 }
2256
2257 result(" %s: [%u, '%s', '%s', '%s', '%s', %u]\n",
2258 desc_name[d->type], (unsigned int)d->proto, d->a_algo,
2259 d->e_algo, d->c_algo, d->ae_algo, d->icv_len);
2260 }
2261
2262 return ret;
2263 }
2264
main(int argc,char ** argv)2265 int main(int argc, char **argv)
2266 {
2267 long nr_process = 1;
2268 int route_sock = -1, ret = KSFT_SKIP;
2269 int test_desc_fd[2];
2270 uint32_t route_seq;
2271 unsigned int i;
2272
2273 if (argc > 2)
2274 exit_usage(argv);
2275
2276 if (argc > 1) {
2277 char *endptr;
2278
2279 errno = 0;
2280 nr_process = strtol(argv[1], &endptr, 10);
2281 if ((errno == ERANGE && (nr_process == LONG_MAX || nr_process == LONG_MIN))
2282 || (errno != 0 && nr_process == 0)
2283 || (endptr == argv[1]) || (*endptr != '\0')) {
2284 printk("Failed to parse [nr_process]");
2285 exit_usage(argv);
2286 }
2287
2288 if (nr_process > MAX_PROCESSES || nr_process < 1) {
2289 printk("nr_process should be between [1; %u]",
2290 MAX_PROCESSES);
2291 exit_usage(argv);
2292 }
2293 }
2294
2295 srand(time(NULL));
2296 page_size = sysconf(_SC_PAGESIZE);
2297 if (page_size < 1)
2298 ksft_exit_skip("sysconf(): %m\n");
2299
2300 if (pipe2(test_desc_fd, O_DIRECT) < 0)
2301 ksft_exit_skip("pipe(): %m\n");
2302
2303 if (pipe2(results_fd, O_DIRECT) < 0)
2304 ksft_exit_skip("pipe(): %m\n");
2305
2306 if (init_namespaces())
2307 ksft_exit_skip("Failed to create namespaces\n");
2308
2309 if (netlink_sock(&route_sock, &route_seq, NETLINK_ROUTE))
2310 ksft_exit_skip("Failed to open netlink route socket\n");
2311
2312 for (i = 0; i < nr_process; i++) {
2313 char veth[VETH_LEN];
2314
2315 snprintf(veth, VETH_LEN, VETH_FMT, i);
2316
2317 if (veth_add(route_sock, route_seq++, veth, nsfd_childa, veth, nsfd_childb)) {
2318 close(route_sock);
2319 ksft_exit_fail_msg("Failed to create veth device");
2320 }
2321
2322 if (start_child(i, veth, test_desc_fd)) {
2323 close(route_sock);
2324 ksft_exit_fail_msg("Child %u failed to start", i);
2325 }
2326 }
2327
2328 if (close(route_sock) || close(test_desc_fd[0]) || close(results_fd[1]))
2329 ksft_exit_fail_msg("close(): %m");
2330
2331 ksft_set_plan(proto_plan + compat_plan);
2332
2333 if (write_test_plan(test_desc_fd[1]))
2334 ksft_exit_fail_msg("Failed to write test plan to pipe");
2335
2336 ret = check_results();
2337
2338 if (children_cleanup() == KSFT_FAIL)
2339 exit(KSFT_FAIL);
2340
2341 exit(ret);
2342 }
2343