1 // SPDX-License-Identifier: GPL-2.0
2 /*
3 * ipsec.c - Check xfrm on veth inside a net-ns.
4 * Copyright (c) 2018 Dmitry Safonov
5 */
6
7 #define _GNU_SOURCE
8
9 #include <arpa/inet.h>
10 #include <asm/types.h>
11 #include <errno.h>
12 #include <fcntl.h>
13 #include <limits.h>
14 #include <linux/limits.h>
15 #include <linux/netlink.h>
16 #include <linux/random.h>
17 #include <linux/rtnetlink.h>
18 #include <linux/veth.h>
19 #include <linux/xfrm.h>
20 #include <netinet/in.h>
21 #include <net/if.h>
22 #include <sched.h>
23 #include <stdbool.h>
24 #include <stdint.h>
25 #include <stdio.h>
26 #include <stdlib.h>
27 #include <string.h>
28 #include <sys/mman.h>
29 #include <sys/socket.h>
30 #include <sys/stat.h>
31 #include <sys/syscall.h>
32 #include <sys/types.h>
33 #include <sys/wait.h>
34 #include <time.h>
35 #include <unistd.h>
36
37 #include "kselftest.h"
38
39 #define printk(fmt, ...) \
40 ksft_print_msg("%d[%u] " fmt "\n", getpid(), __LINE__, ##__VA_ARGS__)
41
42 #define pr_err(fmt, ...) printk(fmt ": %m", ##__VA_ARGS__)
43
44 #define BUILD_BUG_ON(condition) ((void)sizeof(char[1 - 2*!!(condition)]))
45
46 #ifndef offsetof
47 #define offsetof(TYPE, MEMBER) __builtin_offsetof(TYPE, MEMBER)
48 #endif
49
50 #define IPV4_STR_SZ 16 /* xxx.xxx.xxx.xxx is longest + \0 */
51 #define MAX_PAYLOAD 2048
52 #define XFRM_ALGO_KEY_BUF_SIZE 512
53 #define MAX_PROCESSES (1 << 14) /* /16 mask divided by /30 subnets */
54 #define INADDR_A ((in_addr_t) 0x0a000000) /* 10.0.0.0 */
55 #define INADDR_B ((in_addr_t) 0xc0a80000) /* 192.168.0.0 */
56
57 /* /30 mask for one veth connection */
58 #define PREFIX_LEN 30
59 #define child_ip(nr) (4*nr + 1)
60 #define grchild_ip(nr) (4*nr + 2)
61
62 #define VETH_FMT "ktst-%d"
63 #define VETH_LEN 12
64
65 #define XFRM_ALGO_NR_KEYS 29
66
67 static int nsfd_parent = -1;
68 static int nsfd_childa = -1;
69 static int nsfd_childb = -1;
70 static long page_size;
71
72 /*
73 * ksft_cnt is static in kselftest, so isn't shared with children.
74 * We have to send a test result back to parent and count there.
75 * results_fd is a pipe with test feedback from children.
76 */
77 static int results_fd[2];
78
79 const unsigned int ping_delay_nsec = 50 * 1000 * 1000;
80 const unsigned int ping_timeout = 300;
81 const unsigned int ping_count = 100;
82 const unsigned int ping_success = 80;
83
84 struct xfrm_key_entry {
85 char algo_name[35];
86 int key_len;
87 };
88
89 struct xfrm_key_entry xfrm_key_entries[] = {
90 {"digest_null", 0},
91 {"ecb(cipher_null)", 0},
92 {"cbc(des)", 64},
93 {"hmac(md5)", 128},
94 {"cmac(aes)", 128},
95 {"xcbc(aes)", 128},
96 {"cbc(cast5)", 128},
97 {"cbc(serpent)", 128},
98 {"hmac(sha1)", 160},
99 {"hmac(rmd160)", 160},
100 {"cbc(des3_ede)", 192},
101 {"hmac(sha256)", 256},
102 {"cbc(aes)", 256},
103 {"cbc(camellia)", 256},
104 {"cbc(twofish)", 256},
105 {"rfc3686(ctr(aes))", 288},
106 {"hmac(sha384)", 384},
107 {"cbc(blowfish)", 448},
108 {"hmac(sha512)", 512},
109 {"rfc4106(gcm(aes))-128", 160},
110 {"rfc4543(gcm(aes))-128", 160},
111 {"rfc4309(ccm(aes))-128", 152},
112 {"rfc4106(gcm(aes))-192", 224},
113 {"rfc4543(gcm(aes))-192", 224},
114 {"rfc4309(ccm(aes))-192", 216},
115 {"rfc4106(gcm(aes))-256", 288},
116 {"rfc4543(gcm(aes))-256", 288},
117 {"rfc4309(ccm(aes))-256", 280},
118 {"rfc7539(chacha20,poly1305)-128", 0}
119 };
120
randomize_buffer(void * buf,size_t buflen)121 static void randomize_buffer(void *buf, size_t buflen)
122 {
123 int *p = (int *)buf;
124 size_t words = buflen / sizeof(int);
125 size_t leftover = buflen % sizeof(int);
126
127 if (!buflen)
128 return;
129
130 while (words--)
131 *p++ = rand();
132
133 if (leftover) {
134 int tmp = rand();
135
136 memcpy(buf + buflen - leftover, &tmp, leftover);
137 }
138
139 return;
140 }
141
unshare_open(void)142 static int unshare_open(void)
143 {
144 const char *netns_path = "/proc/self/ns/net";
145 int fd;
146
147 if (unshare(CLONE_NEWNET) != 0) {
148 pr_err("unshare()");
149 return -1;
150 }
151
152 fd = open(netns_path, O_RDONLY);
153 if (fd <= 0) {
154 pr_err("open(%s)", netns_path);
155 return -1;
156 }
157
158 return fd;
159 }
160
switch_ns(int fd)161 static int switch_ns(int fd)
162 {
163 if (setns(fd, CLONE_NEWNET)) {
164 pr_err("setns()");
165 return -1;
166 }
167 return 0;
168 }
169
170 /*
171 * Running the test inside a new parent net namespace to bother less
172 * about cleanup on error-path.
173 */
init_namespaces(void)174 static int init_namespaces(void)
175 {
176 nsfd_parent = unshare_open();
177 if (nsfd_parent <= 0)
178 return -1;
179
180 nsfd_childa = unshare_open();
181 if (nsfd_childa <= 0)
182 return -1;
183
184 if (switch_ns(nsfd_parent))
185 return -1;
186
187 nsfd_childb = unshare_open();
188 if (nsfd_childb <= 0)
189 return -1;
190
191 if (switch_ns(nsfd_parent))
192 return -1;
193 return 0;
194 }
195
netlink_sock(int * sock,uint32_t * seq_nr,int proto)196 static int netlink_sock(int *sock, uint32_t *seq_nr, int proto)
197 {
198 if (*sock > 0) {
199 seq_nr++;
200 return 0;
201 }
202
203 *sock = socket(AF_NETLINK, SOCK_RAW | SOCK_CLOEXEC, proto);
204 if (*sock <= 0) {
205 pr_err("socket(AF_NETLINK)");
206 return -1;
207 }
208
209 randomize_buffer(seq_nr, sizeof(*seq_nr));
210
211 return 0;
212 }
213
rtattr_hdr(struct nlmsghdr * nh)214 static inline struct rtattr *rtattr_hdr(struct nlmsghdr *nh)
215 {
216 return (struct rtattr *)((char *)(nh) + RTA_ALIGN((nh)->nlmsg_len));
217 }
218
rtattr_pack(struct nlmsghdr * nh,size_t req_sz,unsigned short rta_type,const void * payload,size_t size)219 static int rtattr_pack(struct nlmsghdr *nh, size_t req_sz,
220 unsigned short rta_type, const void *payload, size_t size)
221 {
222 /* NLMSG_ALIGNTO == RTA_ALIGNTO, nlmsg_len already aligned */
223 struct rtattr *attr = rtattr_hdr(nh);
224 size_t nl_size = RTA_ALIGN(nh->nlmsg_len) + RTA_LENGTH(size);
225
226 if (req_sz < nl_size) {
227 printk("req buf is too small: %zu < %zu", req_sz, nl_size);
228 return -1;
229 }
230 nh->nlmsg_len = nl_size;
231
232 attr->rta_len = RTA_LENGTH(size);
233 attr->rta_type = rta_type;
234 if (payload)
235 memcpy(RTA_DATA(attr), payload, size);
236
237 return 0;
238 }
239
_rtattr_begin(struct nlmsghdr * nh,size_t req_sz,unsigned short rta_type,const void * payload,size_t size)240 static struct rtattr *_rtattr_begin(struct nlmsghdr *nh, size_t req_sz,
241 unsigned short rta_type, const void *payload, size_t size)
242 {
243 struct rtattr *ret = rtattr_hdr(nh);
244
245 if (rtattr_pack(nh, req_sz, rta_type, payload, size))
246 return 0;
247
248 return ret;
249 }
250
rtattr_begin(struct nlmsghdr * nh,size_t req_sz,unsigned short rta_type)251 static inline struct rtattr *rtattr_begin(struct nlmsghdr *nh, size_t req_sz,
252 unsigned short rta_type)
253 {
254 return _rtattr_begin(nh, req_sz, rta_type, 0, 0);
255 }
256
rtattr_end(struct nlmsghdr * nh,struct rtattr * attr)257 static inline void rtattr_end(struct nlmsghdr *nh, struct rtattr *attr)
258 {
259 char *nlmsg_end = (char *)nh + nh->nlmsg_len;
260
261 attr->rta_len = nlmsg_end - (char *)attr;
262 }
263
veth_pack_peerb(struct nlmsghdr * nh,size_t req_sz,const char * peer,int ns)264 static int veth_pack_peerb(struct nlmsghdr *nh, size_t req_sz,
265 const char *peer, int ns)
266 {
267 struct ifinfomsg pi;
268 struct rtattr *peer_attr;
269
270 memset(&pi, 0, sizeof(pi));
271 pi.ifi_family = AF_UNSPEC;
272 pi.ifi_change = 0xFFFFFFFF;
273
274 peer_attr = _rtattr_begin(nh, req_sz, VETH_INFO_PEER, &pi, sizeof(pi));
275 if (!peer_attr)
276 return -1;
277
278 if (rtattr_pack(nh, req_sz, IFLA_IFNAME, peer, strlen(peer)))
279 return -1;
280
281 if (rtattr_pack(nh, req_sz, IFLA_NET_NS_FD, &ns, sizeof(ns)))
282 return -1;
283
284 rtattr_end(nh, peer_attr);
285
286 return 0;
287 }
288
netlink_check_answer(int sock)289 static int netlink_check_answer(int sock)
290 {
291 struct nlmsgerror {
292 struct nlmsghdr hdr;
293 int error;
294 struct nlmsghdr orig_msg;
295 } answer;
296
297 if (recv(sock, &answer, sizeof(answer), 0) < 0) {
298 pr_err("recv()");
299 return -1;
300 } else if (answer.hdr.nlmsg_type != NLMSG_ERROR) {
301 printk("expected NLMSG_ERROR, got %d", (int)answer.hdr.nlmsg_type);
302 return -1;
303 } else if (answer.error) {
304 printk("NLMSG_ERROR: %d: %s",
305 answer.error, strerror(-answer.error));
306 return answer.error;
307 }
308
309 return 0;
310 }
311
veth_add(int sock,uint32_t seq,const char * peera,int ns_a,const char * peerb,int ns_b)312 static int veth_add(int sock, uint32_t seq, const char *peera, int ns_a,
313 const char *peerb, int ns_b)
314 {
315 uint16_t flags = NLM_F_REQUEST | NLM_F_ACK | NLM_F_EXCL | NLM_F_CREATE;
316 struct {
317 struct nlmsghdr nh;
318 struct ifinfomsg info;
319 char attrbuf[MAX_PAYLOAD];
320 } req;
321 const char veth_type[] = "veth";
322 struct rtattr *link_info, *info_data;
323
324 memset(&req, 0, sizeof(req));
325 req.nh.nlmsg_len = NLMSG_LENGTH(sizeof(req.info));
326 req.nh.nlmsg_type = RTM_NEWLINK;
327 req.nh.nlmsg_flags = flags;
328 req.nh.nlmsg_seq = seq;
329 req.info.ifi_family = AF_UNSPEC;
330 req.info.ifi_change = 0xFFFFFFFF;
331
332 if (rtattr_pack(&req.nh, sizeof(req), IFLA_IFNAME, peera, strlen(peera)))
333 return -1;
334
335 if (rtattr_pack(&req.nh, sizeof(req), IFLA_NET_NS_FD, &ns_a, sizeof(ns_a)))
336 return -1;
337
338 link_info = rtattr_begin(&req.nh, sizeof(req), IFLA_LINKINFO);
339 if (!link_info)
340 return -1;
341
342 if (rtattr_pack(&req.nh, sizeof(req), IFLA_INFO_KIND, veth_type, sizeof(veth_type)))
343 return -1;
344
345 info_data = rtattr_begin(&req.nh, sizeof(req), IFLA_INFO_DATA);
346 if (!info_data)
347 return -1;
348
349 if (veth_pack_peerb(&req.nh, sizeof(req), peerb, ns_b))
350 return -1;
351
352 rtattr_end(&req.nh, info_data);
353 rtattr_end(&req.nh, link_info);
354
355 if (send(sock, &req, req.nh.nlmsg_len, 0) < 0) {
356 pr_err("send()");
357 return -1;
358 }
359 return netlink_check_answer(sock);
360 }
361
ip4_addr_set(int sock,uint32_t seq,const char * intf,struct in_addr addr,uint8_t prefix)362 static int ip4_addr_set(int sock, uint32_t seq, const char *intf,
363 struct in_addr addr, uint8_t prefix)
364 {
365 uint16_t flags = NLM_F_REQUEST | NLM_F_ACK | NLM_F_EXCL | NLM_F_CREATE;
366 struct {
367 struct nlmsghdr nh;
368 struct ifaddrmsg info;
369 char attrbuf[MAX_PAYLOAD];
370 } req;
371
372 memset(&req, 0, sizeof(req));
373 req.nh.nlmsg_len = NLMSG_LENGTH(sizeof(req.info));
374 req.nh.nlmsg_type = RTM_NEWADDR;
375 req.nh.nlmsg_flags = flags;
376 req.nh.nlmsg_seq = seq;
377 req.info.ifa_family = AF_INET;
378 req.info.ifa_prefixlen = prefix;
379 req.info.ifa_index = if_nametoindex(intf);
380
381 #ifdef DEBUG
382 {
383 char addr_str[IPV4_STR_SZ] = {};
384
385 strncpy(addr_str, inet_ntoa(addr), IPV4_STR_SZ - 1);
386
387 printk("ip addr set %s", addr_str);
388 }
389 #endif
390
391 if (rtattr_pack(&req.nh, sizeof(req), IFA_LOCAL, &addr, sizeof(addr)))
392 return -1;
393
394 if (rtattr_pack(&req.nh, sizeof(req), IFA_ADDRESS, &addr, sizeof(addr)))
395 return -1;
396
397 if (send(sock, &req, req.nh.nlmsg_len, 0) < 0) {
398 pr_err("send()");
399 return -1;
400 }
401 return netlink_check_answer(sock);
402 }
403
link_set_up(int sock,uint32_t seq,const char * intf)404 static int link_set_up(int sock, uint32_t seq, const char *intf)
405 {
406 struct {
407 struct nlmsghdr nh;
408 struct ifinfomsg info;
409 char attrbuf[MAX_PAYLOAD];
410 } req;
411
412 memset(&req, 0, sizeof(req));
413 req.nh.nlmsg_len = NLMSG_LENGTH(sizeof(req.info));
414 req.nh.nlmsg_type = RTM_NEWLINK;
415 req.nh.nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
416 req.nh.nlmsg_seq = seq;
417 req.info.ifi_family = AF_UNSPEC;
418 req.info.ifi_change = 0xFFFFFFFF;
419 req.info.ifi_index = if_nametoindex(intf);
420 req.info.ifi_flags = IFF_UP;
421 req.info.ifi_change = IFF_UP;
422
423 if (send(sock, &req, req.nh.nlmsg_len, 0) < 0) {
424 pr_err("send()");
425 return -1;
426 }
427 return netlink_check_answer(sock);
428 }
429
ip4_route_set(int sock,uint32_t seq,const char * intf,struct in_addr src,struct in_addr dst)430 static int ip4_route_set(int sock, uint32_t seq, const char *intf,
431 struct in_addr src, struct in_addr dst)
432 {
433 struct {
434 struct nlmsghdr nh;
435 struct rtmsg rt;
436 char attrbuf[MAX_PAYLOAD];
437 } req;
438 unsigned int index = if_nametoindex(intf);
439
440 memset(&req, 0, sizeof(req));
441 req.nh.nlmsg_len = NLMSG_LENGTH(sizeof(req.rt));
442 req.nh.nlmsg_type = RTM_NEWROUTE;
443 req.nh.nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK | NLM_F_CREATE;
444 req.nh.nlmsg_seq = seq;
445 req.rt.rtm_family = AF_INET;
446 req.rt.rtm_dst_len = 32;
447 req.rt.rtm_table = RT_TABLE_MAIN;
448 req.rt.rtm_protocol = RTPROT_BOOT;
449 req.rt.rtm_scope = RT_SCOPE_LINK;
450 req.rt.rtm_type = RTN_UNICAST;
451
452 if (rtattr_pack(&req.nh, sizeof(req), RTA_DST, &dst, sizeof(dst)))
453 return -1;
454
455 if (rtattr_pack(&req.nh, sizeof(req), RTA_PREFSRC, &src, sizeof(src)))
456 return -1;
457
458 if (rtattr_pack(&req.nh, sizeof(req), RTA_OIF, &index, sizeof(index)))
459 return -1;
460
461 if (send(sock, &req, req.nh.nlmsg_len, 0) < 0) {
462 pr_err("send()");
463 return -1;
464 }
465
466 return netlink_check_answer(sock);
467 }
468
tunnel_set_route(int route_sock,uint32_t * route_seq,char * veth,struct in_addr tunsrc,struct in_addr tundst)469 static int tunnel_set_route(int route_sock, uint32_t *route_seq, char *veth,
470 struct in_addr tunsrc, struct in_addr tundst)
471 {
472 if (ip4_addr_set(route_sock, (*route_seq)++, "lo",
473 tunsrc, PREFIX_LEN)) {
474 printk("Failed to set ipv4 addr");
475 return -1;
476 }
477
478 if (ip4_route_set(route_sock, (*route_seq)++, veth, tunsrc, tundst)) {
479 printk("Failed to set ipv4 route");
480 return -1;
481 }
482
483 return 0;
484 }
485
init_child(int nsfd,char * veth,unsigned int src,unsigned int dst)486 static int init_child(int nsfd, char *veth, unsigned int src, unsigned int dst)
487 {
488 struct in_addr intsrc = inet_makeaddr(INADDR_B, src);
489 struct in_addr tunsrc = inet_makeaddr(INADDR_A, src);
490 struct in_addr tundst = inet_makeaddr(INADDR_A, dst);
491 int route_sock = -1, ret = -1;
492 uint32_t route_seq;
493
494 if (switch_ns(nsfd))
495 return -1;
496
497 if (netlink_sock(&route_sock, &route_seq, NETLINK_ROUTE)) {
498 printk("Failed to open netlink route socket in child");
499 return -1;
500 }
501
502 if (ip4_addr_set(route_sock, route_seq++, veth, intsrc, PREFIX_LEN)) {
503 printk("Failed to set ipv4 addr");
504 goto err;
505 }
506
507 if (link_set_up(route_sock, route_seq++, veth)) {
508 printk("Failed to bring up %s", veth);
509 goto err;
510 }
511
512 if (tunnel_set_route(route_sock, &route_seq, veth, tunsrc, tundst)) {
513 printk("Failed to add tunnel route on %s", veth);
514 goto err;
515 }
516 ret = 0;
517
518 err:
519 close(route_sock);
520 return ret;
521 }
522
523 #define ALGO_LEN 64
524 enum desc_type {
525 CREATE_TUNNEL = 0,
526 ALLOCATE_SPI,
527 MONITOR_ACQUIRE,
528 EXPIRE_STATE,
529 EXPIRE_POLICY,
530 SPDINFO_ATTRS,
531 };
532 const char *desc_name[] = {
533 "create tunnel",
534 "alloc spi",
535 "monitor acquire",
536 "expire state",
537 "expire policy",
538 "spdinfo attributes",
539 ""
540 };
541 struct xfrm_desc {
542 enum desc_type type;
543 uint8_t proto;
544 char a_algo[ALGO_LEN];
545 char e_algo[ALGO_LEN];
546 char c_algo[ALGO_LEN];
547 char ae_algo[ALGO_LEN];
548 unsigned int icv_len;
549 /* unsigned key_len; */
550 };
551
552 enum msg_type {
553 MSG_ACK = 0,
554 MSG_EXIT,
555 MSG_PING,
556 MSG_XFRM_PREPARE,
557 MSG_XFRM_ADD,
558 MSG_XFRM_DEL,
559 MSG_XFRM_CLEANUP,
560 };
561
562 struct test_desc {
563 enum msg_type type;
564 union {
565 struct {
566 in_addr_t reply_ip;
567 unsigned int port;
568 } ping;
569 struct xfrm_desc xfrm_desc;
570 } body;
571 };
572
573 struct test_result {
574 struct xfrm_desc desc;
575 unsigned int res;
576 };
577
write_test_result(unsigned int res,struct xfrm_desc * d)578 static void write_test_result(unsigned int res, struct xfrm_desc *d)
579 {
580 struct test_result tr = {};
581 ssize_t ret;
582
583 tr.desc = *d;
584 tr.res = res;
585
586 ret = write(results_fd[1], &tr, sizeof(tr));
587 if (ret != sizeof(tr))
588 pr_err("Failed to write the result in pipe %zd", ret);
589 }
590
write_msg(int fd,struct test_desc * msg,bool exit_of_fail)591 static void write_msg(int fd, struct test_desc *msg, bool exit_of_fail)
592 {
593 ssize_t bytes = write(fd, msg, sizeof(*msg));
594
595 /* Make sure that write/read is atomic to a pipe */
596 BUILD_BUG_ON(sizeof(struct test_desc) > PIPE_BUF);
597
598 if (bytes < 0) {
599 pr_err("write()");
600 if (exit_of_fail)
601 exit(KSFT_FAIL);
602 }
603 if (bytes != sizeof(*msg)) {
604 pr_err("sent part of the message %zd/%zu", bytes, sizeof(*msg));
605 if (exit_of_fail)
606 exit(KSFT_FAIL);
607 }
608 }
609
read_msg(int fd,struct test_desc * msg,bool exit_of_fail)610 static void read_msg(int fd, struct test_desc *msg, bool exit_of_fail)
611 {
612 ssize_t bytes = read(fd, msg, sizeof(*msg));
613
614 if (bytes < 0) {
615 pr_err("read()");
616 if (exit_of_fail)
617 exit(KSFT_FAIL);
618 }
619 if (bytes != sizeof(*msg)) {
620 pr_err("got incomplete message %zd/%zu", bytes, sizeof(*msg));
621 if (exit_of_fail)
622 exit(KSFT_FAIL);
623 }
624 }
625
udp_ping_init(struct in_addr listen_ip,unsigned int u_timeout,unsigned int * server_port,int sock[2])626 static int udp_ping_init(struct in_addr listen_ip, unsigned int u_timeout,
627 unsigned int *server_port, int sock[2])
628 {
629 struct sockaddr_in server;
630 struct timeval t = { .tv_sec = 0, .tv_usec = u_timeout };
631 socklen_t s_len = sizeof(server);
632
633 sock[0] = socket(AF_INET, SOCK_DGRAM, 0);
634 if (sock[0] < 0) {
635 pr_err("socket()");
636 return -1;
637 }
638
639 server.sin_family = AF_INET;
640 server.sin_port = 0;
641 memcpy(&server.sin_addr.s_addr, &listen_ip, sizeof(struct in_addr));
642
643 if (bind(sock[0], (struct sockaddr *)&server, s_len)) {
644 pr_err("bind()");
645 goto err_close_server;
646 }
647
648 if (getsockname(sock[0], (struct sockaddr *)&server, &s_len)) {
649 pr_err("getsockname()");
650 goto err_close_server;
651 }
652
653 *server_port = ntohs(server.sin_port);
654
655 if (setsockopt(sock[0], SOL_SOCKET, SO_RCVTIMEO, (const char *)&t, sizeof t)) {
656 pr_err("setsockopt()");
657 goto err_close_server;
658 }
659
660 sock[1] = socket(AF_INET, SOCK_DGRAM, 0);
661 if (sock[1] < 0) {
662 pr_err("socket()");
663 goto err_close_server;
664 }
665
666 return 0;
667
668 err_close_server:
669 close(sock[0]);
670 return -1;
671 }
672
udp_ping_send(int sock[2],in_addr_t dest_ip,unsigned int port,char * buf,size_t buf_len)673 static int udp_ping_send(int sock[2], in_addr_t dest_ip, unsigned int port,
674 char *buf, size_t buf_len)
675 {
676 struct sockaddr_in server;
677 const struct sockaddr *dest_addr = (struct sockaddr *)&server;
678 char *sock_buf[buf_len];
679 ssize_t r_bytes, s_bytes;
680
681 server.sin_family = AF_INET;
682 server.sin_port = htons(port);
683 server.sin_addr.s_addr = dest_ip;
684
685 s_bytes = sendto(sock[1], buf, buf_len, 0, dest_addr, sizeof(server));
686 if (s_bytes < 0) {
687 pr_err("sendto()");
688 return -1;
689 } else if (s_bytes != buf_len) {
690 printk("send part of the message: %zd/%zu", s_bytes, sizeof(server));
691 return -1;
692 }
693
694 r_bytes = recv(sock[0], sock_buf, buf_len, 0);
695 if (r_bytes < 0) {
696 if (errno != EAGAIN)
697 pr_err("recv()");
698 return -1;
699 } else if (r_bytes == 0) { /* EOF */
700 printk("EOF on reply to ping");
701 return -1;
702 } else if (r_bytes != buf_len || memcmp(buf, sock_buf, buf_len)) {
703 printk("ping reply packet is corrupted %zd/%zu", r_bytes, buf_len);
704 return -1;
705 }
706
707 return 0;
708 }
709
udp_ping_reply(int sock[2],in_addr_t dest_ip,unsigned int port,char * buf,size_t buf_len)710 static int udp_ping_reply(int sock[2], in_addr_t dest_ip, unsigned int port,
711 char *buf, size_t buf_len)
712 {
713 struct sockaddr_in server;
714 const struct sockaddr *dest_addr = (struct sockaddr *)&server;
715 char *sock_buf[buf_len];
716 ssize_t r_bytes, s_bytes;
717
718 server.sin_family = AF_INET;
719 server.sin_port = htons(port);
720 server.sin_addr.s_addr = dest_ip;
721
722 r_bytes = recv(sock[0], sock_buf, buf_len, 0);
723 if (r_bytes < 0) {
724 if (errno != EAGAIN)
725 pr_err("recv()");
726 return -1;
727 }
728 if (r_bytes == 0) { /* EOF */
729 printk("EOF on reply to ping");
730 return -1;
731 }
732 if (r_bytes != buf_len || memcmp(buf, sock_buf, buf_len)) {
733 printk("ping reply packet is corrupted %zd/%zu", r_bytes, buf_len);
734 return -1;
735 }
736
737 s_bytes = sendto(sock[1], buf, buf_len, 0, dest_addr, sizeof(server));
738 if (s_bytes < 0) {
739 pr_err("sendto()");
740 return -1;
741 } else if (s_bytes != buf_len) {
742 printk("send part of the message: %zd/%zu", s_bytes, sizeof(server));
743 return -1;
744 }
745
746 return 0;
747 }
748
749 typedef int (*ping_f)(int sock[2], in_addr_t dest_ip, unsigned int port,
750 char *buf, size_t buf_len);
do_ping(int cmd_fd,char * buf,size_t buf_len,struct in_addr from,bool init_side,int d_port,in_addr_t to,ping_f func)751 static int do_ping(int cmd_fd, char *buf, size_t buf_len, struct in_addr from,
752 bool init_side, int d_port, in_addr_t to, ping_f func)
753 {
754 struct test_desc msg;
755 unsigned int s_port, i, ping_succeeded = 0;
756 int ping_sock[2];
757 char to_str[IPV4_STR_SZ] = {}, from_str[IPV4_STR_SZ] = {};
758
759 if (udp_ping_init(from, ping_timeout, &s_port, ping_sock)) {
760 printk("Failed to init ping");
761 return -1;
762 }
763
764 memset(&msg, 0, sizeof(msg));
765 msg.type = MSG_PING;
766 msg.body.ping.port = s_port;
767 memcpy(&msg.body.ping.reply_ip, &from, sizeof(from));
768
769 write_msg(cmd_fd, &msg, 0);
770 if (init_side) {
771 /* The other end sends ip to ping */
772 read_msg(cmd_fd, &msg, 0);
773 if (msg.type != MSG_PING)
774 return -1;
775 to = msg.body.ping.reply_ip;
776 d_port = msg.body.ping.port;
777 }
778
779 for (i = 0; i < ping_count ; i++) {
780 struct timespec sleep_time = {
781 .tv_sec = 0,
782 .tv_nsec = ping_delay_nsec,
783 };
784
785 ping_succeeded += !func(ping_sock, to, d_port, buf, page_size);
786 nanosleep(&sleep_time, 0);
787 }
788
789 close(ping_sock[0]);
790 close(ping_sock[1]);
791
792 strncpy(to_str, inet_ntoa(*(struct in_addr *)&to), IPV4_STR_SZ - 1);
793 strncpy(from_str, inet_ntoa(from), IPV4_STR_SZ - 1);
794
795 if (ping_succeeded < ping_success) {
796 printk("ping (%s) %s->%s failed %u/%u times",
797 init_side ? "send" : "reply", from_str, to_str,
798 ping_count - ping_succeeded, ping_count);
799 return -1;
800 }
801
802 #ifdef DEBUG
803 printk("ping (%s) %s->%s succeeded %u/%u times",
804 init_side ? "send" : "reply", from_str, to_str,
805 ping_succeeded, ping_count);
806 #endif
807
808 return 0;
809 }
810
xfrm_fill_key(char * name,char * buf,size_t buf_len,unsigned int * key_len)811 static int xfrm_fill_key(char *name, char *buf,
812 size_t buf_len, unsigned int *key_len)
813 {
814 int i;
815
816 for (i = 0; i < XFRM_ALGO_NR_KEYS; i++) {
817 if (strncmp(name, xfrm_key_entries[i].algo_name, ALGO_LEN) == 0)
818 *key_len = xfrm_key_entries[i].key_len;
819 }
820
821 if (*key_len > buf_len) {
822 printk("Can't pack a key - too big for buffer");
823 return -1;
824 }
825
826 randomize_buffer(buf, *key_len);
827
828 return 0;
829 }
830
xfrm_state_pack_algo(struct nlmsghdr * nh,size_t req_sz,struct xfrm_desc * desc)831 static int xfrm_state_pack_algo(struct nlmsghdr *nh, size_t req_sz,
832 struct xfrm_desc *desc)
833 {
834 union {
835 union {
836 struct xfrm_algo alg;
837 struct xfrm_algo_aead aead;
838 struct xfrm_algo_auth auth;
839 } u;
840 struct {
841 unsigned char __offset_to_FAM[offsetof(struct xfrm_algo_auth, alg_key)];
842 char buf[XFRM_ALGO_KEY_BUF_SIZE];
843 };
844 } alg = {};
845 size_t alen, elen, clen, aelen;
846 unsigned short type;
847
848 alen = strlen(desc->a_algo);
849 elen = strlen(desc->e_algo);
850 clen = strlen(desc->c_algo);
851 aelen = strlen(desc->ae_algo);
852
853 /* Verify desc */
854 switch (desc->proto) {
855 case IPPROTO_AH:
856 if (!alen || elen || clen || aelen) {
857 printk("BUG: buggy ah desc");
858 return -1;
859 }
860 strncpy(alg.u.alg.alg_name, desc->a_algo, ALGO_LEN - 1);
861 if (xfrm_fill_key(desc->a_algo, alg.u.alg.alg_key,
862 sizeof(alg.buf), &alg.u.alg.alg_key_len))
863 return -1;
864 type = XFRMA_ALG_AUTH;
865 break;
866 case IPPROTO_COMP:
867 if (!clen || elen || alen || aelen) {
868 printk("BUG: buggy comp desc");
869 return -1;
870 }
871 strncpy(alg.u.alg.alg_name, desc->c_algo, ALGO_LEN - 1);
872 if (xfrm_fill_key(desc->c_algo, alg.u.alg.alg_key,
873 sizeof(alg.buf), &alg.u.alg.alg_key_len))
874 return -1;
875 type = XFRMA_ALG_COMP;
876 break;
877 case IPPROTO_ESP:
878 if (!((alen && elen) ^ aelen) || clen) {
879 printk("BUG: buggy esp desc");
880 return -1;
881 }
882 if (aelen) {
883 alg.u.aead.alg_icv_len = desc->icv_len;
884 strncpy(alg.u.aead.alg_name, desc->ae_algo, ALGO_LEN - 1);
885 if (xfrm_fill_key(desc->ae_algo, alg.u.aead.alg_key,
886 sizeof(alg.buf), &alg.u.aead.alg_key_len))
887 return -1;
888 type = XFRMA_ALG_AEAD;
889 } else {
890
891 strncpy(alg.u.alg.alg_name, desc->e_algo, ALGO_LEN - 1);
892 type = XFRMA_ALG_CRYPT;
893 if (xfrm_fill_key(desc->e_algo, alg.u.alg.alg_key,
894 sizeof(alg.buf), &alg.u.alg.alg_key_len))
895 return -1;
896 if (rtattr_pack(nh, req_sz, type, &alg, sizeof(alg)))
897 return -1;
898
899 strncpy(alg.u.alg.alg_name, desc->a_algo, ALGO_LEN);
900 type = XFRMA_ALG_AUTH;
901 if (xfrm_fill_key(desc->a_algo, alg.u.alg.alg_key,
902 sizeof(alg.buf), &alg.u.alg.alg_key_len))
903 return -1;
904 }
905 break;
906 default:
907 printk("BUG: unknown proto in desc");
908 return -1;
909 }
910
911 if (rtattr_pack(nh, req_sz, type, &alg, sizeof(alg)))
912 return -1;
913
914 return 0;
915 }
916
gen_spi(struct in_addr src)917 static inline uint32_t gen_spi(struct in_addr src)
918 {
919 return htonl(inet_lnaof(src));
920 }
921
xfrm_state_add(int xfrm_sock,uint32_t seq,uint32_t spi,struct in_addr src,struct in_addr dst,struct xfrm_desc * desc)922 static int xfrm_state_add(int xfrm_sock, uint32_t seq, uint32_t spi,
923 struct in_addr src, struct in_addr dst,
924 struct xfrm_desc *desc)
925 {
926 struct {
927 struct nlmsghdr nh;
928 struct xfrm_usersa_info info;
929 char attrbuf[MAX_PAYLOAD];
930 } req;
931
932 memset(&req, 0, sizeof(req));
933 req.nh.nlmsg_len = NLMSG_LENGTH(sizeof(req.info));
934 req.nh.nlmsg_type = XFRM_MSG_NEWSA;
935 req.nh.nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
936 req.nh.nlmsg_seq = seq;
937
938 /* Fill selector. */
939 memcpy(&req.info.sel.daddr, &dst, sizeof(dst));
940 memcpy(&req.info.sel.saddr, &src, sizeof(src));
941 req.info.sel.family = AF_INET;
942 req.info.sel.prefixlen_d = PREFIX_LEN;
943 req.info.sel.prefixlen_s = PREFIX_LEN;
944
945 /* Fill id */
946 memcpy(&req.info.id.daddr, &dst, sizeof(dst));
947 /* Note: zero-spi cannot be deleted */
948 req.info.id.spi = spi;
949 req.info.id.proto = desc->proto;
950
951 memcpy(&req.info.saddr, &src, sizeof(src));
952
953 /* Fill lifteme_cfg */
954 req.info.lft.soft_byte_limit = XFRM_INF;
955 req.info.lft.hard_byte_limit = XFRM_INF;
956 req.info.lft.soft_packet_limit = XFRM_INF;
957 req.info.lft.hard_packet_limit = XFRM_INF;
958
959 req.info.family = AF_INET;
960 req.info.mode = XFRM_MODE_TUNNEL;
961
962 if (xfrm_state_pack_algo(&req.nh, sizeof(req), desc))
963 return -1;
964
965 if (send(xfrm_sock, &req, req.nh.nlmsg_len, 0) < 0) {
966 pr_err("send()");
967 return -1;
968 }
969
970 return netlink_check_answer(xfrm_sock);
971 }
972
xfrm_usersa_found(struct xfrm_usersa_info * info,uint32_t spi,struct in_addr src,struct in_addr dst,struct xfrm_desc * desc)973 static bool xfrm_usersa_found(struct xfrm_usersa_info *info, uint32_t spi,
974 struct in_addr src, struct in_addr dst,
975 struct xfrm_desc *desc)
976 {
977 if (memcmp(&info->sel.daddr, &dst, sizeof(dst)))
978 return false;
979
980 if (memcmp(&info->sel.saddr, &src, sizeof(src)))
981 return false;
982
983 if (info->sel.family != AF_INET ||
984 info->sel.prefixlen_d != PREFIX_LEN ||
985 info->sel.prefixlen_s != PREFIX_LEN)
986 return false;
987
988 if (info->id.spi != spi || info->id.proto != desc->proto)
989 return false;
990
991 if (memcmp(&info->id.daddr, &dst, sizeof(dst)))
992 return false;
993
994 if (memcmp(&info->saddr, &src, sizeof(src)))
995 return false;
996
997 if (info->lft.soft_byte_limit != XFRM_INF ||
998 info->lft.hard_byte_limit != XFRM_INF ||
999 info->lft.soft_packet_limit != XFRM_INF ||
1000 info->lft.hard_packet_limit != XFRM_INF)
1001 return false;
1002
1003 if (info->family != AF_INET || info->mode != XFRM_MODE_TUNNEL)
1004 return false;
1005
1006 /* XXX: check xfrm algo, see xfrm_state_pack_algo(). */
1007
1008 return true;
1009 }
1010
xfrm_state_check(int xfrm_sock,uint32_t seq,uint32_t spi,struct in_addr src,struct in_addr dst,struct xfrm_desc * desc)1011 static int xfrm_state_check(int xfrm_sock, uint32_t seq, uint32_t spi,
1012 struct in_addr src, struct in_addr dst,
1013 struct xfrm_desc *desc)
1014 {
1015 struct {
1016 struct nlmsghdr nh;
1017 char attrbuf[MAX_PAYLOAD];
1018 } req;
1019 struct {
1020 struct nlmsghdr nh;
1021 union {
1022 struct xfrm_usersa_info info;
1023 int error;
1024 };
1025 char attrbuf[MAX_PAYLOAD];
1026 } answer;
1027 struct xfrm_address_filter filter = {};
1028 bool found = false;
1029
1030
1031 memset(&req, 0, sizeof(req));
1032 req.nh.nlmsg_len = NLMSG_LENGTH(0);
1033 req.nh.nlmsg_type = XFRM_MSG_GETSA;
1034 req.nh.nlmsg_flags = NLM_F_REQUEST | NLM_F_DUMP;
1035 req.nh.nlmsg_seq = seq;
1036
1037 /*
1038 * Add dump filter by source address as there may be other tunnels
1039 * in this netns (if tests run in parallel).
1040 */
1041 filter.family = AF_INET;
1042 filter.splen = 0x1f; /* 0xffffffff mask see addr_match() */
1043 memcpy(&filter.saddr, &src, sizeof(src));
1044 if (rtattr_pack(&req.nh, sizeof(req), XFRMA_ADDRESS_FILTER,
1045 &filter, sizeof(filter)))
1046 return -1;
1047
1048 if (send(xfrm_sock, &req, req.nh.nlmsg_len, 0) < 0) {
1049 pr_err("send()");
1050 return -1;
1051 }
1052
1053 while (1) {
1054 if (recv(xfrm_sock, &answer, sizeof(answer), 0) < 0) {
1055 pr_err("recv()");
1056 return -1;
1057 }
1058 if (answer.nh.nlmsg_type == NLMSG_ERROR) {
1059 printk("NLMSG_ERROR: %d: %s",
1060 answer.error, strerror(-answer.error));
1061 return -1;
1062 } else if (answer.nh.nlmsg_type == NLMSG_DONE) {
1063 if (found)
1064 return 0;
1065 printk("didn't find allocated xfrm state in dump");
1066 return -1;
1067 } else if (answer.nh.nlmsg_type == XFRM_MSG_NEWSA) {
1068 if (xfrm_usersa_found(&answer.info, spi, src, dst, desc))
1069 found = true;
1070 }
1071 }
1072 }
1073
xfrm_set(int xfrm_sock,uint32_t * seq,struct in_addr src,struct in_addr dst,struct in_addr tunsrc,struct in_addr tundst,struct xfrm_desc * desc)1074 static int xfrm_set(int xfrm_sock, uint32_t *seq,
1075 struct in_addr src, struct in_addr dst,
1076 struct in_addr tunsrc, struct in_addr tundst,
1077 struct xfrm_desc *desc)
1078 {
1079 int err;
1080
1081 err = xfrm_state_add(xfrm_sock, (*seq)++, gen_spi(src), src, dst, desc);
1082 if (err) {
1083 printk("Failed to add xfrm state");
1084 return -1;
1085 }
1086
1087 err = xfrm_state_add(xfrm_sock, (*seq)++, gen_spi(src), dst, src, desc);
1088 if (err) {
1089 printk("Failed to add xfrm state");
1090 return -1;
1091 }
1092
1093 /* Check dumps for XFRM_MSG_GETSA */
1094 err = xfrm_state_check(xfrm_sock, (*seq)++, gen_spi(src), src, dst, desc);
1095 err |= xfrm_state_check(xfrm_sock, (*seq)++, gen_spi(src), dst, src, desc);
1096 if (err) {
1097 printk("Failed to check xfrm state");
1098 return -1;
1099 }
1100
1101 return 0;
1102 }
1103
xfrm_policy_add(int xfrm_sock,uint32_t seq,uint32_t spi,struct in_addr src,struct in_addr dst,uint8_t dir,struct in_addr tunsrc,struct in_addr tundst,uint8_t proto)1104 static int xfrm_policy_add(int xfrm_sock, uint32_t seq, uint32_t spi,
1105 struct in_addr src, struct in_addr dst, uint8_t dir,
1106 struct in_addr tunsrc, struct in_addr tundst, uint8_t proto)
1107 {
1108 struct {
1109 struct nlmsghdr nh;
1110 struct xfrm_userpolicy_info info;
1111 char attrbuf[MAX_PAYLOAD];
1112 } req;
1113 struct xfrm_user_tmpl tmpl;
1114
1115 memset(&req, 0, sizeof(req));
1116 memset(&tmpl, 0, sizeof(tmpl));
1117 req.nh.nlmsg_len = NLMSG_LENGTH(sizeof(req.info));
1118 req.nh.nlmsg_type = XFRM_MSG_NEWPOLICY;
1119 req.nh.nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
1120 req.nh.nlmsg_seq = seq;
1121
1122 /* Fill selector. */
1123 memcpy(&req.info.sel.daddr, &dst, sizeof(tundst));
1124 memcpy(&req.info.sel.saddr, &src, sizeof(tunsrc));
1125 req.info.sel.family = AF_INET;
1126 req.info.sel.prefixlen_d = PREFIX_LEN;
1127 req.info.sel.prefixlen_s = PREFIX_LEN;
1128
1129 /* Fill lifteme_cfg */
1130 req.info.lft.soft_byte_limit = XFRM_INF;
1131 req.info.lft.hard_byte_limit = XFRM_INF;
1132 req.info.lft.soft_packet_limit = XFRM_INF;
1133 req.info.lft.hard_packet_limit = XFRM_INF;
1134
1135 req.info.dir = dir;
1136
1137 /* Fill tmpl */
1138 memcpy(&tmpl.id.daddr, &dst, sizeof(dst));
1139 /* Note: zero-spi cannot be deleted */
1140 tmpl.id.spi = spi;
1141 tmpl.id.proto = proto;
1142 tmpl.family = AF_INET;
1143 memcpy(&tmpl.saddr, &src, sizeof(src));
1144 tmpl.mode = XFRM_MODE_TUNNEL;
1145 tmpl.aalgos = (~(uint32_t)0);
1146 tmpl.ealgos = (~(uint32_t)0);
1147 tmpl.calgos = (~(uint32_t)0);
1148
1149 if (rtattr_pack(&req.nh, sizeof(req), XFRMA_TMPL, &tmpl, sizeof(tmpl)))
1150 return -1;
1151
1152 if (send(xfrm_sock, &req, req.nh.nlmsg_len, 0) < 0) {
1153 pr_err("send()");
1154 return -1;
1155 }
1156
1157 return netlink_check_answer(xfrm_sock);
1158 }
1159
xfrm_prepare(int xfrm_sock,uint32_t * seq,struct in_addr src,struct in_addr dst,struct in_addr tunsrc,struct in_addr tundst,uint8_t proto)1160 static int xfrm_prepare(int xfrm_sock, uint32_t *seq,
1161 struct in_addr src, struct in_addr dst,
1162 struct in_addr tunsrc, struct in_addr tundst, uint8_t proto)
1163 {
1164 if (xfrm_policy_add(xfrm_sock, (*seq)++, gen_spi(src), src, dst,
1165 XFRM_POLICY_OUT, tunsrc, tundst, proto)) {
1166 printk("Failed to add xfrm policy");
1167 return -1;
1168 }
1169
1170 if (xfrm_policy_add(xfrm_sock, (*seq)++, gen_spi(src), dst, src,
1171 XFRM_POLICY_IN, tunsrc, tundst, proto)) {
1172 printk("Failed to add xfrm policy");
1173 return -1;
1174 }
1175
1176 return 0;
1177 }
1178
xfrm_policy_del(int xfrm_sock,uint32_t seq,struct in_addr src,struct in_addr dst,uint8_t dir,struct in_addr tunsrc,struct in_addr tundst)1179 static int xfrm_policy_del(int xfrm_sock, uint32_t seq,
1180 struct in_addr src, struct in_addr dst, uint8_t dir,
1181 struct in_addr tunsrc, struct in_addr tundst)
1182 {
1183 struct {
1184 struct nlmsghdr nh;
1185 struct xfrm_userpolicy_id id;
1186 char attrbuf[MAX_PAYLOAD];
1187 } req;
1188
1189 memset(&req, 0, sizeof(req));
1190 req.nh.nlmsg_len = NLMSG_LENGTH(sizeof(req.id));
1191 req.nh.nlmsg_type = XFRM_MSG_DELPOLICY;
1192 req.nh.nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
1193 req.nh.nlmsg_seq = seq;
1194
1195 /* Fill id */
1196 memcpy(&req.id.sel.daddr, &dst, sizeof(tundst));
1197 memcpy(&req.id.sel.saddr, &src, sizeof(tunsrc));
1198 req.id.sel.family = AF_INET;
1199 req.id.sel.prefixlen_d = PREFIX_LEN;
1200 req.id.sel.prefixlen_s = PREFIX_LEN;
1201 req.id.dir = dir;
1202
1203 if (send(xfrm_sock, &req, req.nh.nlmsg_len, 0) < 0) {
1204 pr_err("send()");
1205 return -1;
1206 }
1207
1208 return netlink_check_answer(xfrm_sock);
1209 }
1210
xfrm_cleanup(int xfrm_sock,uint32_t * seq,struct in_addr src,struct in_addr dst,struct in_addr tunsrc,struct in_addr tundst)1211 static int xfrm_cleanup(int xfrm_sock, uint32_t *seq,
1212 struct in_addr src, struct in_addr dst,
1213 struct in_addr tunsrc, struct in_addr tundst)
1214 {
1215 if (xfrm_policy_del(xfrm_sock, (*seq)++, src, dst,
1216 XFRM_POLICY_OUT, tunsrc, tundst)) {
1217 printk("Failed to add xfrm policy");
1218 return -1;
1219 }
1220
1221 if (xfrm_policy_del(xfrm_sock, (*seq)++, dst, src,
1222 XFRM_POLICY_IN, tunsrc, tundst)) {
1223 printk("Failed to add xfrm policy");
1224 return -1;
1225 }
1226
1227 return 0;
1228 }
1229
xfrm_state_del(int xfrm_sock,uint32_t seq,uint32_t spi,struct in_addr src,struct in_addr dst,uint8_t proto)1230 static int xfrm_state_del(int xfrm_sock, uint32_t seq, uint32_t spi,
1231 struct in_addr src, struct in_addr dst, uint8_t proto)
1232 {
1233 struct {
1234 struct nlmsghdr nh;
1235 struct xfrm_usersa_id id;
1236 char attrbuf[MAX_PAYLOAD];
1237 } req;
1238 xfrm_address_t saddr = {};
1239
1240 memset(&req, 0, sizeof(req));
1241 req.nh.nlmsg_len = NLMSG_LENGTH(sizeof(req.id));
1242 req.nh.nlmsg_type = XFRM_MSG_DELSA;
1243 req.nh.nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
1244 req.nh.nlmsg_seq = seq;
1245
1246 memcpy(&req.id.daddr, &dst, sizeof(dst));
1247 req.id.family = AF_INET;
1248 req.id.proto = proto;
1249 /* Note: zero-spi cannot be deleted */
1250 req.id.spi = spi;
1251
1252 memcpy(&saddr, &src, sizeof(src));
1253 if (rtattr_pack(&req.nh, sizeof(req), XFRMA_SRCADDR, &saddr, sizeof(saddr)))
1254 return -1;
1255
1256 if (send(xfrm_sock, &req, req.nh.nlmsg_len, 0) < 0) {
1257 pr_err("send()");
1258 return -1;
1259 }
1260
1261 return netlink_check_answer(xfrm_sock);
1262 }
1263
xfrm_delete(int xfrm_sock,uint32_t * seq,struct in_addr src,struct in_addr dst,struct in_addr tunsrc,struct in_addr tundst,uint8_t proto)1264 static int xfrm_delete(int xfrm_sock, uint32_t *seq,
1265 struct in_addr src, struct in_addr dst,
1266 struct in_addr tunsrc, struct in_addr tundst, uint8_t proto)
1267 {
1268 if (xfrm_state_del(xfrm_sock, (*seq)++, gen_spi(src), src, dst, proto)) {
1269 printk("Failed to remove xfrm state");
1270 return -1;
1271 }
1272
1273 if (xfrm_state_del(xfrm_sock, (*seq)++, gen_spi(src), dst, src, proto)) {
1274 printk("Failed to remove xfrm state");
1275 return -1;
1276 }
1277
1278 return 0;
1279 }
1280
xfrm_state_allocspi(int xfrm_sock,uint32_t * seq,uint32_t spi,uint8_t proto)1281 static int xfrm_state_allocspi(int xfrm_sock, uint32_t *seq,
1282 uint32_t spi, uint8_t proto)
1283 {
1284 struct {
1285 struct nlmsghdr nh;
1286 struct xfrm_userspi_info spi;
1287 } req;
1288 struct {
1289 struct nlmsghdr nh;
1290 union {
1291 struct xfrm_usersa_info info;
1292 int error;
1293 };
1294 } answer;
1295
1296 memset(&req, 0, sizeof(req));
1297 req.nh.nlmsg_len = NLMSG_LENGTH(sizeof(req.spi));
1298 req.nh.nlmsg_type = XFRM_MSG_ALLOCSPI;
1299 req.nh.nlmsg_flags = NLM_F_REQUEST;
1300 req.nh.nlmsg_seq = (*seq)++;
1301
1302 req.spi.info.family = AF_INET;
1303 req.spi.min = spi;
1304 req.spi.max = spi;
1305 req.spi.info.id.proto = proto;
1306
1307 if (send(xfrm_sock, &req, req.nh.nlmsg_len, 0) < 0) {
1308 pr_err("send()");
1309 return KSFT_FAIL;
1310 }
1311
1312 if (recv(xfrm_sock, &answer, sizeof(answer), 0) < 0) {
1313 pr_err("recv()");
1314 return KSFT_FAIL;
1315 } else if (answer.nh.nlmsg_type == XFRM_MSG_NEWSA) {
1316 uint32_t new_spi = htonl(answer.info.id.spi);
1317
1318 if (new_spi != spi) {
1319 printk("allocated spi is different from requested: %#x != %#x",
1320 new_spi, spi);
1321 return KSFT_FAIL;
1322 }
1323 return KSFT_PASS;
1324 } else if (answer.nh.nlmsg_type != NLMSG_ERROR) {
1325 printk("expected NLMSG_ERROR, got %d", (int)answer.nh.nlmsg_type);
1326 return KSFT_FAIL;
1327 }
1328
1329 printk("NLMSG_ERROR: %d: %s", answer.error, strerror(-answer.error));
1330 return (answer.error) ? KSFT_FAIL : KSFT_PASS;
1331 }
1332
netlink_sock_bind(int * sock,uint32_t * seq,int proto,uint32_t groups)1333 static int netlink_sock_bind(int *sock, uint32_t *seq, int proto, uint32_t groups)
1334 {
1335 struct sockaddr_nl snl = {};
1336 socklen_t addr_len;
1337 int ret = -1;
1338
1339 snl.nl_family = AF_NETLINK;
1340 snl.nl_groups = groups;
1341
1342 if (netlink_sock(sock, seq, proto)) {
1343 printk("Failed to open xfrm netlink socket");
1344 return -1;
1345 }
1346
1347 if (bind(*sock, (struct sockaddr *)&snl, sizeof(snl)) < 0) {
1348 pr_err("bind()");
1349 goto out_close;
1350 }
1351
1352 addr_len = sizeof(snl);
1353 if (getsockname(*sock, (struct sockaddr *)&snl, &addr_len) < 0) {
1354 pr_err("getsockname()");
1355 goto out_close;
1356 }
1357 if (addr_len != sizeof(snl)) {
1358 printk("Wrong address length %d", addr_len);
1359 goto out_close;
1360 }
1361 if (snl.nl_family != AF_NETLINK) {
1362 printk("Wrong address family %d", snl.nl_family);
1363 goto out_close;
1364 }
1365 return 0;
1366
1367 out_close:
1368 close(*sock);
1369 return ret;
1370 }
1371
xfrm_monitor_acquire(int xfrm_sock,uint32_t * seq,unsigned int nr)1372 static int xfrm_monitor_acquire(int xfrm_sock, uint32_t *seq, unsigned int nr)
1373 {
1374 struct {
1375 struct nlmsghdr nh;
1376 union {
1377 struct xfrm_user_acquire acq;
1378 int error;
1379 };
1380 char attrbuf[MAX_PAYLOAD];
1381 } req;
1382 struct xfrm_user_tmpl xfrm_tmpl = {};
1383 int xfrm_listen = -1, ret = KSFT_FAIL;
1384 uint32_t seq_listen;
1385
1386 if (netlink_sock_bind(&xfrm_listen, &seq_listen, NETLINK_XFRM, XFRMNLGRP_ACQUIRE))
1387 return KSFT_FAIL;
1388
1389 memset(&req, 0, sizeof(req));
1390 req.nh.nlmsg_len = NLMSG_LENGTH(sizeof(req.acq));
1391 req.nh.nlmsg_type = XFRM_MSG_ACQUIRE;
1392 req.nh.nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
1393 req.nh.nlmsg_seq = (*seq)++;
1394
1395 req.acq.policy.sel.family = AF_INET;
1396 req.acq.aalgos = 0xfeed;
1397 req.acq.ealgos = 0xbaad;
1398 req.acq.calgos = 0xbabe;
1399
1400 xfrm_tmpl.family = AF_INET;
1401 xfrm_tmpl.id.proto = IPPROTO_ESP;
1402 if (rtattr_pack(&req.nh, sizeof(req), XFRMA_TMPL, &xfrm_tmpl, sizeof(xfrm_tmpl)))
1403 goto out_close;
1404
1405 if (send(xfrm_sock, &req, req.nh.nlmsg_len, 0) < 0) {
1406 pr_err("send()");
1407 goto out_close;
1408 }
1409
1410 if (recv(xfrm_sock, &req, sizeof(req), 0) < 0) {
1411 pr_err("recv()");
1412 goto out_close;
1413 } else if (req.nh.nlmsg_type != NLMSG_ERROR) {
1414 printk("expected NLMSG_ERROR, got %d", (int)req.nh.nlmsg_type);
1415 goto out_close;
1416 }
1417
1418 if (req.error) {
1419 printk("NLMSG_ERROR: %d: %s", req.error, strerror(-req.error));
1420 ret = req.error;
1421 goto out_close;
1422 }
1423
1424 if (recv(xfrm_listen, &req, sizeof(req), 0) < 0) {
1425 pr_err("recv()");
1426 goto out_close;
1427 }
1428
1429 if (req.acq.aalgos != 0xfeed || req.acq.ealgos != 0xbaad
1430 || req.acq.calgos != 0xbabe) {
1431 printk("xfrm_user_acquire has changed %x %x %x",
1432 req.acq.aalgos, req.acq.ealgos, req.acq.calgos);
1433 goto out_close;
1434 }
1435
1436 ret = KSFT_PASS;
1437 out_close:
1438 close(xfrm_listen);
1439 return ret;
1440 }
1441
xfrm_expire_state(int xfrm_sock,uint32_t * seq,unsigned int nr,struct xfrm_desc * desc)1442 static int xfrm_expire_state(int xfrm_sock, uint32_t *seq,
1443 unsigned int nr, struct xfrm_desc *desc)
1444 {
1445 struct {
1446 struct nlmsghdr nh;
1447 union {
1448 struct xfrm_user_expire expire;
1449 int error;
1450 };
1451 } req;
1452 struct in_addr src, dst;
1453 int xfrm_listen = -1, ret = KSFT_FAIL;
1454 uint32_t seq_listen;
1455
1456 src = inet_makeaddr(INADDR_B, child_ip(nr));
1457 dst = inet_makeaddr(INADDR_B, grchild_ip(nr));
1458
1459 if (xfrm_state_add(xfrm_sock, (*seq)++, gen_spi(src), src, dst, desc)) {
1460 printk("Failed to add xfrm state");
1461 return KSFT_FAIL;
1462 }
1463
1464 if (netlink_sock_bind(&xfrm_listen, &seq_listen, NETLINK_XFRM, XFRMNLGRP_EXPIRE))
1465 return KSFT_FAIL;
1466
1467 memset(&req, 0, sizeof(req));
1468 req.nh.nlmsg_len = NLMSG_LENGTH(sizeof(req.expire));
1469 req.nh.nlmsg_type = XFRM_MSG_EXPIRE;
1470 req.nh.nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
1471 req.nh.nlmsg_seq = (*seq)++;
1472
1473 memcpy(&req.expire.state.id.daddr, &dst, sizeof(dst));
1474 req.expire.state.id.spi = gen_spi(src);
1475 req.expire.state.id.proto = desc->proto;
1476 req.expire.state.family = AF_INET;
1477 req.expire.hard = 0xff;
1478
1479 if (send(xfrm_sock, &req, req.nh.nlmsg_len, 0) < 0) {
1480 pr_err("send()");
1481 goto out_close;
1482 }
1483
1484 if (recv(xfrm_sock, &req, sizeof(req), 0) < 0) {
1485 pr_err("recv()");
1486 goto out_close;
1487 } else if (req.nh.nlmsg_type != NLMSG_ERROR) {
1488 printk("expected NLMSG_ERROR, got %d", (int)req.nh.nlmsg_type);
1489 goto out_close;
1490 }
1491
1492 if (req.error) {
1493 printk("NLMSG_ERROR: %d: %s", req.error, strerror(-req.error));
1494 ret = req.error;
1495 goto out_close;
1496 }
1497
1498 if (recv(xfrm_listen, &req, sizeof(req), 0) < 0) {
1499 pr_err("recv()");
1500 goto out_close;
1501 }
1502
1503 if (req.expire.hard != 0x1) {
1504 printk("expire.hard is not set: %x", req.expire.hard);
1505 goto out_close;
1506 }
1507
1508 ret = KSFT_PASS;
1509 out_close:
1510 close(xfrm_listen);
1511 return ret;
1512 }
1513
xfrm_expire_policy(int xfrm_sock,uint32_t * seq,unsigned int nr,struct xfrm_desc * desc)1514 static int xfrm_expire_policy(int xfrm_sock, uint32_t *seq,
1515 unsigned int nr, struct xfrm_desc *desc)
1516 {
1517 struct {
1518 struct nlmsghdr nh;
1519 union {
1520 struct xfrm_user_polexpire expire;
1521 int error;
1522 };
1523 } req;
1524 struct in_addr src, dst, tunsrc, tundst;
1525 int xfrm_listen = -1, ret = KSFT_FAIL;
1526 uint32_t seq_listen;
1527
1528 src = inet_makeaddr(INADDR_B, child_ip(nr));
1529 dst = inet_makeaddr(INADDR_B, grchild_ip(nr));
1530 tunsrc = inet_makeaddr(INADDR_A, child_ip(nr));
1531 tundst = inet_makeaddr(INADDR_A, grchild_ip(nr));
1532
1533 if (xfrm_policy_add(xfrm_sock, (*seq)++, gen_spi(src), src, dst,
1534 XFRM_POLICY_OUT, tunsrc, tundst, desc->proto)) {
1535 printk("Failed to add xfrm policy");
1536 return KSFT_FAIL;
1537 }
1538
1539 if (netlink_sock_bind(&xfrm_listen, &seq_listen, NETLINK_XFRM, XFRMNLGRP_EXPIRE))
1540 return KSFT_FAIL;
1541
1542 memset(&req, 0, sizeof(req));
1543 req.nh.nlmsg_len = NLMSG_LENGTH(sizeof(req.expire));
1544 req.nh.nlmsg_type = XFRM_MSG_POLEXPIRE;
1545 req.nh.nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
1546 req.nh.nlmsg_seq = (*seq)++;
1547
1548 /* Fill selector. */
1549 memcpy(&req.expire.pol.sel.daddr, &dst, sizeof(tundst));
1550 memcpy(&req.expire.pol.sel.saddr, &src, sizeof(tunsrc));
1551 req.expire.pol.sel.family = AF_INET;
1552 req.expire.pol.sel.prefixlen_d = PREFIX_LEN;
1553 req.expire.pol.sel.prefixlen_s = PREFIX_LEN;
1554 req.expire.pol.dir = XFRM_POLICY_OUT;
1555 req.expire.hard = 0xff;
1556
1557 if (send(xfrm_sock, &req, req.nh.nlmsg_len, 0) < 0) {
1558 pr_err("send()");
1559 goto out_close;
1560 }
1561
1562 if (recv(xfrm_sock, &req, sizeof(req), 0) < 0) {
1563 pr_err("recv()");
1564 goto out_close;
1565 } else if (req.nh.nlmsg_type != NLMSG_ERROR) {
1566 printk("expected NLMSG_ERROR, got %d", (int)req.nh.nlmsg_type);
1567 goto out_close;
1568 }
1569
1570 if (req.error) {
1571 printk("NLMSG_ERROR: %d: %s", req.error, strerror(-req.error));
1572 ret = req.error;
1573 goto out_close;
1574 }
1575
1576 if (recv(xfrm_listen, &req, sizeof(req), 0) < 0) {
1577 pr_err("recv()");
1578 goto out_close;
1579 }
1580
1581 if (req.expire.hard != 0x1) {
1582 printk("expire.hard is not set: %x", req.expire.hard);
1583 goto out_close;
1584 }
1585
1586 ret = KSFT_PASS;
1587 out_close:
1588 close(xfrm_listen);
1589 return ret;
1590 }
1591
xfrm_spdinfo_set_thresh(int xfrm_sock,uint32_t * seq,unsigned thresh4_l,unsigned thresh4_r,unsigned thresh6_l,unsigned thresh6_r,bool add_bad_attr)1592 static int xfrm_spdinfo_set_thresh(int xfrm_sock, uint32_t *seq,
1593 unsigned thresh4_l, unsigned thresh4_r,
1594 unsigned thresh6_l, unsigned thresh6_r,
1595 bool add_bad_attr)
1596
1597 {
1598 struct {
1599 struct nlmsghdr nh;
1600 union {
1601 uint32_t unused;
1602 int error;
1603 };
1604 char attrbuf[MAX_PAYLOAD];
1605 } req;
1606 struct xfrmu_spdhthresh thresh;
1607
1608 memset(&req, 0, sizeof(req));
1609 req.nh.nlmsg_len = NLMSG_LENGTH(sizeof(req.unused));
1610 req.nh.nlmsg_type = XFRM_MSG_NEWSPDINFO;
1611 req.nh.nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
1612 req.nh.nlmsg_seq = (*seq)++;
1613
1614 thresh.lbits = thresh4_l;
1615 thresh.rbits = thresh4_r;
1616 if (rtattr_pack(&req.nh, sizeof(req), XFRMA_SPD_IPV4_HTHRESH, &thresh, sizeof(thresh)))
1617 return -1;
1618
1619 thresh.lbits = thresh6_l;
1620 thresh.rbits = thresh6_r;
1621 if (rtattr_pack(&req.nh, sizeof(req), XFRMA_SPD_IPV6_HTHRESH, &thresh, sizeof(thresh)))
1622 return -1;
1623
1624 if (add_bad_attr) {
1625 BUILD_BUG_ON(XFRMA_IF_ID <= XFRMA_SPD_MAX + 1);
1626 if (rtattr_pack(&req.nh, sizeof(req), XFRMA_IF_ID, NULL, 0)) {
1627 pr_err("adding attribute failed: no space");
1628 return -1;
1629 }
1630 }
1631
1632 if (send(xfrm_sock, &req, req.nh.nlmsg_len, 0) < 0) {
1633 pr_err("send()");
1634 return -1;
1635 }
1636
1637 if (recv(xfrm_sock, &req, sizeof(req), 0) < 0) {
1638 pr_err("recv()");
1639 return -1;
1640 } else if (req.nh.nlmsg_type != NLMSG_ERROR) {
1641 printk("expected NLMSG_ERROR, got %d", (int)req.nh.nlmsg_type);
1642 return -1;
1643 }
1644
1645 if (req.error) {
1646 printk("NLMSG_ERROR: %d: %s", req.error, strerror(-req.error));
1647 return -1;
1648 }
1649
1650 return 0;
1651 }
1652
xfrm_spdinfo_attrs(int xfrm_sock,uint32_t * seq)1653 static int xfrm_spdinfo_attrs(int xfrm_sock, uint32_t *seq)
1654 {
1655 struct {
1656 struct nlmsghdr nh;
1657 union {
1658 uint32_t unused;
1659 int error;
1660 };
1661 char attrbuf[MAX_PAYLOAD];
1662 } req;
1663
1664 if (xfrm_spdinfo_set_thresh(xfrm_sock, seq, 32, 31, 120, 16, false)) {
1665 pr_err("Can't set SPD HTHRESH");
1666 return KSFT_FAIL;
1667 }
1668
1669 memset(&req, 0, sizeof(req));
1670
1671 req.nh.nlmsg_len = NLMSG_LENGTH(sizeof(req.unused));
1672 req.nh.nlmsg_type = XFRM_MSG_GETSPDINFO;
1673 req.nh.nlmsg_flags = NLM_F_REQUEST;
1674 req.nh.nlmsg_seq = (*seq)++;
1675 if (send(xfrm_sock, &req, req.nh.nlmsg_len, 0) < 0) {
1676 pr_err("send()");
1677 return KSFT_FAIL;
1678 }
1679
1680 if (recv(xfrm_sock, &req, sizeof(req), 0) < 0) {
1681 pr_err("recv()");
1682 return KSFT_FAIL;
1683 } else if (req.nh.nlmsg_type == XFRM_MSG_NEWSPDINFO) {
1684 size_t len = NLMSG_PAYLOAD(&req.nh, sizeof(req.unused));
1685 struct rtattr *attr = (void *)req.attrbuf;
1686 int got_thresh = 0;
1687
1688 for (; RTA_OK(attr, len); attr = RTA_NEXT(attr, len)) {
1689 if (attr->rta_type == XFRMA_SPD_IPV4_HTHRESH) {
1690 struct xfrmu_spdhthresh *t = RTA_DATA(attr);
1691
1692 got_thresh++;
1693 if (t->lbits != 32 || t->rbits != 31) {
1694 pr_err("thresh differ: %u, %u",
1695 t->lbits, t->rbits);
1696 return KSFT_FAIL;
1697 }
1698 }
1699 if (attr->rta_type == XFRMA_SPD_IPV6_HTHRESH) {
1700 struct xfrmu_spdhthresh *t = RTA_DATA(attr);
1701
1702 got_thresh++;
1703 if (t->lbits != 120 || t->rbits != 16) {
1704 pr_err("thresh differ: %u, %u",
1705 t->lbits, t->rbits);
1706 return KSFT_FAIL;
1707 }
1708 }
1709 }
1710 if (got_thresh != 2) {
1711 pr_err("only %d thresh returned by XFRM_MSG_GETSPDINFO", got_thresh);
1712 return KSFT_FAIL;
1713 }
1714 } else if (req.nh.nlmsg_type != NLMSG_ERROR) {
1715 printk("expected NLMSG_ERROR, got %d", (int)req.nh.nlmsg_type);
1716 return KSFT_FAIL;
1717 } else {
1718 printk("NLMSG_ERROR: %d: %s", req.error, strerror(-req.error));
1719 return -1;
1720 }
1721
1722 /* Restore the default */
1723 if (xfrm_spdinfo_set_thresh(xfrm_sock, seq, 32, 32, 128, 128, false)) {
1724 pr_err("Can't restore SPD HTHRESH");
1725 return KSFT_FAIL;
1726 }
1727
1728 /*
1729 * At this moment xfrm uses nlmsg_parse_deprecated(), which
1730 * implies NL_VALIDATE_LIBERAL - ignoring attributes with
1731 * (type > maxtype). nla_parse_depricated_strict() would enforce
1732 * it. Or even stricter nla_parse().
1733 * Right now it's not expected to fail, but to be ignored.
1734 */
1735 if (xfrm_spdinfo_set_thresh(xfrm_sock, seq, 32, 32, 128, 128, true))
1736 return KSFT_PASS;
1737
1738 return KSFT_PASS;
1739 }
1740
child_serv(int xfrm_sock,uint32_t * seq,unsigned int nr,int cmd_fd,void * buf,struct xfrm_desc * desc)1741 static int child_serv(int xfrm_sock, uint32_t *seq,
1742 unsigned int nr, int cmd_fd, void *buf, struct xfrm_desc *desc)
1743 {
1744 struct in_addr src, dst, tunsrc, tundst;
1745 struct test_desc msg;
1746 int ret = KSFT_FAIL;
1747
1748 src = inet_makeaddr(INADDR_B, child_ip(nr));
1749 dst = inet_makeaddr(INADDR_B, grchild_ip(nr));
1750 tunsrc = inet_makeaddr(INADDR_A, child_ip(nr));
1751 tundst = inet_makeaddr(INADDR_A, grchild_ip(nr));
1752
1753 /* UDP pinging without xfrm */
1754 if (do_ping(cmd_fd, buf, page_size, src, true, 0, 0, udp_ping_send)) {
1755 printk("ping failed before setting xfrm");
1756 return KSFT_FAIL;
1757 }
1758
1759 memset(&msg, 0, sizeof(msg));
1760 msg.type = MSG_XFRM_PREPARE;
1761 memcpy(&msg.body.xfrm_desc, desc, sizeof(*desc));
1762 write_msg(cmd_fd, &msg, 1);
1763
1764 if (xfrm_prepare(xfrm_sock, seq, src, dst, tunsrc, tundst, desc->proto)) {
1765 printk("failed to prepare xfrm");
1766 goto cleanup;
1767 }
1768
1769 memset(&msg, 0, sizeof(msg));
1770 msg.type = MSG_XFRM_ADD;
1771 memcpy(&msg.body.xfrm_desc, desc, sizeof(*desc));
1772 write_msg(cmd_fd, &msg, 1);
1773 if (xfrm_set(xfrm_sock, seq, src, dst, tunsrc, tundst, desc)) {
1774 printk("failed to set xfrm");
1775 goto delete;
1776 }
1777
1778 /* UDP pinging with xfrm tunnel */
1779 if (do_ping(cmd_fd, buf, page_size, tunsrc,
1780 true, 0, 0, udp_ping_send)) {
1781 printk("ping failed for xfrm");
1782 goto delete;
1783 }
1784
1785 ret = KSFT_PASS;
1786 delete:
1787 /* xfrm delete */
1788 memset(&msg, 0, sizeof(msg));
1789 msg.type = MSG_XFRM_DEL;
1790 memcpy(&msg.body.xfrm_desc, desc, sizeof(*desc));
1791 write_msg(cmd_fd, &msg, 1);
1792
1793 if (xfrm_delete(xfrm_sock, seq, src, dst, tunsrc, tundst, desc->proto)) {
1794 printk("failed ping to remove xfrm");
1795 ret = KSFT_FAIL;
1796 }
1797
1798 cleanup:
1799 memset(&msg, 0, sizeof(msg));
1800 msg.type = MSG_XFRM_CLEANUP;
1801 memcpy(&msg.body.xfrm_desc, desc, sizeof(*desc));
1802 write_msg(cmd_fd, &msg, 1);
1803 if (xfrm_cleanup(xfrm_sock, seq, src, dst, tunsrc, tundst)) {
1804 printk("failed ping to cleanup xfrm");
1805 ret = KSFT_FAIL;
1806 }
1807 return ret;
1808 }
1809
child_f(unsigned int nr,int test_desc_fd,int cmd_fd,void * buf)1810 static int child_f(unsigned int nr, int test_desc_fd, int cmd_fd, void *buf)
1811 {
1812 struct xfrm_desc desc;
1813 struct test_desc msg;
1814 int xfrm_sock = -1;
1815 uint32_t seq;
1816
1817 if (switch_ns(nsfd_childa))
1818 exit(KSFT_FAIL);
1819
1820 if (netlink_sock(&xfrm_sock, &seq, NETLINK_XFRM)) {
1821 printk("Failed to open xfrm netlink socket");
1822 exit(KSFT_FAIL);
1823 }
1824
1825 /* Check that seq sock is ready, just for sure. */
1826 memset(&msg, 0, sizeof(msg));
1827 msg.type = MSG_ACK;
1828 write_msg(cmd_fd, &msg, 1);
1829 read_msg(cmd_fd, &msg, 1);
1830 if (msg.type != MSG_ACK) {
1831 printk("Ack failed");
1832 exit(KSFT_FAIL);
1833 }
1834
1835 for (;;) {
1836 ssize_t received = read(test_desc_fd, &desc, sizeof(desc));
1837 int ret;
1838
1839 if (received == 0) /* EOF */
1840 break;
1841
1842 if (received != sizeof(desc)) {
1843 pr_err("read() returned %zd", received);
1844 exit(KSFT_FAIL);
1845 }
1846
1847 switch (desc.type) {
1848 case CREATE_TUNNEL:
1849 ret = child_serv(xfrm_sock, &seq, nr,
1850 cmd_fd, buf, &desc);
1851 break;
1852 case ALLOCATE_SPI:
1853 ret = xfrm_state_allocspi(xfrm_sock, &seq,
1854 -1, desc.proto);
1855 break;
1856 case MONITOR_ACQUIRE:
1857 ret = xfrm_monitor_acquire(xfrm_sock, &seq, nr);
1858 break;
1859 case EXPIRE_STATE:
1860 ret = xfrm_expire_state(xfrm_sock, &seq, nr, &desc);
1861 break;
1862 case EXPIRE_POLICY:
1863 ret = xfrm_expire_policy(xfrm_sock, &seq, nr, &desc);
1864 break;
1865 case SPDINFO_ATTRS:
1866 ret = xfrm_spdinfo_attrs(xfrm_sock, &seq);
1867 break;
1868 default:
1869 printk("Unknown desc type %d", desc.type);
1870 exit(KSFT_FAIL);
1871 }
1872 write_test_result(ret, &desc);
1873 }
1874
1875 close(xfrm_sock);
1876
1877 msg.type = MSG_EXIT;
1878 write_msg(cmd_fd, &msg, 1);
1879 exit(KSFT_PASS);
1880 }
1881
grand_child_serv(unsigned int nr,int cmd_fd,void * buf,struct test_desc * msg,int xfrm_sock,uint32_t * seq)1882 static void grand_child_serv(unsigned int nr, int cmd_fd, void *buf,
1883 struct test_desc *msg, int xfrm_sock, uint32_t *seq)
1884 {
1885 struct in_addr src, dst, tunsrc, tundst;
1886 bool tun_reply;
1887 struct xfrm_desc *desc = &msg->body.xfrm_desc;
1888
1889 src = inet_makeaddr(INADDR_B, grchild_ip(nr));
1890 dst = inet_makeaddr(INADDR_B, child_ip(nr));
1891 tunsrc = inet_makeaddr(INADDR_A, grchild_ip(nr));
1892 tundst = inet_makeaddr(INADDR_A, child_ip(nr));
1893
1894 switch (msg->type) {
1895 case MSG_EXIT:
1896 exit(KSFT_PASS);
1897 case MSG_ACK:
1898 write_msg(cmd_fd, msg, 1);
1899 break;
1900 case MSG_PING:
1901 tun_reply = memcmp(&dst, &msg->body.ping.reply_ip, sizeof(in_addr_t));
1902 /* UDP pinging without xfrm */
1903 if (do_ping(cmd_fd, buf, page_size, tun_reply ? tunsrc : src,
1904 false, msg->body.ping.port,
1905 msg->body.ping.reply_ip, udp_ping_reply)) {
1906 printk("ping failed before setting xfrm");
1907 }
1908 break;
1909 case MSG_XFRM_PREPARE:
1910 if (xfrm_prepare(xfrm_sock, seq, src, dst, tunsrc, tundst,
1911 desc->proto)) {
1912 xfrm_cleanup(xfrm_sock, seq, src, dst, tunsrc, tundst);
1913 printk("failed to prepare xfrm");
1914 }
1915 break;
1916 case MSG_XFRM_ADD:
1917 if (xfrm_set(xfrm_sock, seq, src, dst, tunsrc, tundst, desc)) {
1918 xfrm_cleanup(xfrm_sock, seq, src, dst, tunsrc, tundst);
1919 printk("failed to set xfrm");
1920 }
1921 break;
1922 case MSG_XFRM_DEL:
1923 if (xfrm_delete(xfrm_sock, seq, src, dst, tunsrc, tundst,
1924 desc->proto)) {
1925 xfrm_cleanup(xfrm_sock, seq, src, dst, tunsrc, tundst);
1926 printk("failed to remove xfrm");
1927 }
1928 break;
1929 case MSG_XFRM_CLEANUP:
1930 if (xfrm_cleanup(xfrm_sock, seq, src, dst, tunsrc, tundst)) {
1931 printk("failed to cleanup xfrm");
1932 }
1933 break;
1934 default:
1935 printk("got unknown msg type %d", msg->type);
1936 }
1937 }
1938
grand_child_f(unsigned int nr,int cmd_fd,void * buf)1939 static int grand_child_f(unsigned int nr, int cmd_fd, void *buf)
1940 {
1941 struct test_desc msg;
1942 int xfrm_sock = -1;
1943 uint32_t seq;
1944
1945 if (switch_ns(nsfd_childb))
1946 exit(KSFT_FAIL);
1947
1948 if (netlink_sock(&xfrm_sock, &seq, NETLINK_XFRM)) {
1949 printk("Failed to open xfrm netlink socket");
1950 exit(KSFT_FAIL);
1951 }
1952
1953 do {
1954 read_msg(cmd_fd, &msg, 1);
1955 grand_child_serv(nr, cmd_fd, buf, &msg, xfrm_sock, &seq);
1956 } while (1);
1957
1958 close(xfrm_sock);
1959 exit(KSFT_FAIL);
1960 }
1961
start_child(unsigned int nr,char * veth,int test_desc_fd[2])1962 static int start_child(unsigned int nr, char *veth, int test_desc_fd[2])
1963 {
1964 int cmd_sock[2];
1965 void *data_map;
1966 pid_t child;
1967
1968 if (init_child(nsfd_childa, veth, child_ip(nr), grchild_ip(nr)))
1969 return -1;
1970
1971 if (init_child(nsfd_childb, veth, grchild_ip(nr), child_ip(nr)))
1972 return -1;
1973
1974 child = fork();
1975 if (child < 0) {
1976 pr_err("fork()");
1977 return -1;
1978 } else if (child) {
1979 /* in parent - selftest */
1980 return switch_ns(nsfd_parent);
1981 }
1982
1983 if (close(test_desc_fd[1])) {
1984 pr_err("close()");
1985 return -1;
1986 }
1987
1988 /* child */
1989 data_map = mmap(0, page_size, PROT_READ | PROT_WRITE,
1990 MAP_SHARED | MAP_ANONYMOUS, -1, 0);
1991 if (data_map == MAP_FAILED) {
1992 pr_err("mmap()");
1993 return -1;
1994 }
1995
1996 randomize_buffer(data_map, page_size);
1997
1998 if (socketpair(PF_LOCAL, SOCK_SEQPACKET, 0, cmd_sock)) {
1999 pr_err("socketpair()");
2000 return -1;
2001 }
2002
2003 child = fork();
2004 if (child < 0) {
2005 pr_err("fork()");
2006 return -1;
2007 } else if (child) {
2008 if (close(cmd_sock[0])) {
2009 pr_err("close()");
2010 return -1;
2011 }
2012 return child_f(nr, test_desc_fd[0], cmd_sock[1], data_map);
2013 }
2014 if (close(cmd_sock[1])) {
2015 pr_err("close()");
2016 return -1;
2017 }
2018 return grand_child_f(nr, cmd_sock[0], data_map);
2019 }
2020
exit_usage(char ** argv)2021 static void exit_usage(char **argv)
2022 {
2023 printk("Usage: %s [nr_process]", argv[0]);
2024 exit(KSFT_FAIL);
2025 }
2026
__write_desc(int test_desc_fd,struct xfrm_desc * desc)2027 static int __write_desc(int test_desc_fd, struct xfrm_desc *desc)
2028 {
2029 ssize_t ret;
2030
2031 ret = write(test_desc_fd, desc, sizeof(*desc));
2032
2033 if (ret == sizeof(*desc))
2034 return 0;
2035
2036 pr_err("Writing test's desc failed %ld", ret);
2037
2038 return -1;
2039 }
2040
write_desc(int proto,int test_desc_fd,char * a,char * e,char * c,char * ae)2041 static int write_desc(int proto, int test_desc_fd,
2042 char *a, char *e, char *c, char *ae)
2043 {
2044 struct xfrm_desc desc = {};
2045
2046 desc.type = CREATE_TUNNEL;
2047 desc.proto = proto;
2048
2049 if (a)
2050 strncpy(desc.a_algo, a, ALGO_LEN - 1);
2051 if (e)
2052 strncpy(desc.e_algo, e, ALGO_LEN - 1);
2053 if (c)
2054 strncpy(desc.c_algo, c, ALGO_LEN - 1);
2055 if (ae)
2056 strncpy(desc.ae_algo, ae, ALGO_LEN - 1);
2057
2058 return __write_desc(test_desc_fd, &desc);
2059 }
2060
2061 int proto_list[] = { IPPROTO_AH, IPPROTO_COMP, IPPROTO_ESP };
2062 char *ah_list[] = {
2063 "digest_null", "hmac(md5)", "hmac(sha1)", "hmac(sha256)",
2064 "hmac(sha384)", "hmac(sha512)", "hmac(rmd160)",
2065 "xcbc(aes)", "cmac(aes)"
2066 };
2067 char *comp_list[] = {
2068 "deflate",
2069 #if 0
2070 /* No compression backend realization */
2071 "lzs", "lzjh"
2072 #endif
2073 };
2074 char *e_list[] = {
2075 "ecb(cipher_null)", "cbc(des)", "cbc(des3_ede)", "cbc(cast5)",
2076 "cbc(blowfish)", "cbc(aes)", "cbc(serpent)", "cbc(camellia)",
2077 "cbc(twofish)", "rfc3686(ctr(aes))"
2078 };
2079 char *ae_list[] = {
2080 #if 0
2081 /* not implemented */
2082 "rfc4106(gcm(aes))", "rfc4309(ccm(aes))", "rfc4543(gcm(aes))",
2083 "rfc7539esp(chacha20,poly1305)"
2084 #endif
2085 };
2086
2087 const unsigned int proto_plan = ARRAY_SIZE(ah_list) + ARRAY_SIZE(comp_list) \
2088 + (ARRAY_SIZE(ah_list) * ARRAY_SIZE(e_list)) \
2089 + ARRAY_SIZE(ae_list);
2090
write_proto_plan(int fd,int proto)2091 static int write_proto_plan(int fd, int proto)
2092 {
2093 unsigned int i;
2094
2095 switch (proto) {
2096 case IPPROTO_AH:
2097 for (i = 0; i < ARRAY_SIZE(ah_list); i++) {
2098 if (write_desc(proto, fd, ah_list[i], 0, 0, 0))
2099 return -1;
2100 }
2101 break;
2102 case IPPROTO_COMP:
2103 for (i = 0; i < ARRAY_SIZE(comp_list); i++) {
2104 if (write_desc(proto, fd, 0, 0, comp_list[i], 0))
2105 return -1;
2106 }
2107 break;
2108 case IPPROTO_ESP:
2109 for (i = 0; i < ARRAY_SIZE(ah_list); i++) {
2110 int j;
2111
2112 for (j = 0; j < ARRAY_SIZE(e_list); j++) {
2113 if (write_desc(proto, fd, ah_list[i],
2114 e_list[j], 0, 0))
2115 return -1;
2116 }
2117 }
2118 for (i = 0; i < ARRAY_SIZE(ae_list); i++) {
2119 if (write_desc(proto, fd, 0, 0, 0, ae_list[i]))
2120 return -1;
2121 }
2122 break;
2123 default:
2124 printk("BUG: Specified unknown proto %d", proto);
2125 return -1;
2126 }
2127
2128 return 0;
2129 }
2130
2131 /*
2132 * Some structures in xfrm uapi header differ in size between
2133 * 64-bit and 32-bit ABI:
2134 *
2135 * 32-bit UABI | 64-bit UABI
2136 * -------------------------------------|-------------------------------------
2137 * sizeof(xfrm_usersa_info) = 220 | sizeof(xfrm_usersa_info) = 224
2138 * sizeof(xfrm_userpolicy_info) = 164 | sizeof(xfrm_userpolicy_info) = 168
2139 * sizeof(xfrm_userspi_info) = 228 | sizeof(xfrm_userspi_info) = 232
2140 * sizeof(xfrm_user_acquire) = 276 | sizeof(xfrm_user_acquire) = 280
2141 * sizeof(xfrm_user_expire) = 224 | sizeof(xfrm_user_expire) = 232
2142 * sizeof(xfrm_user_polexpire) = 168 | sizeof(xfrm_user_polexpire) = 176
2143 *
2144 * Check the affected by the UABI difference structures.
2145 * Also, check translation for xfrm_set_spdinfo: it has it's own attributes
2146 * which needs to be correctly copied, but not translated.
2147 */
2148 const unsigned int compat_plan = 5;
write_compat_struct_tests(int test_desc_fd)2149 static int write_compat_struct_tests(int test_desc_fd)
2150 {
2151 struct xfrm_desc desc = {};
2152
2153 desc.type = ALLOCATE_SPI;
2154 desc.proto = IPPROTO_AH;
2155 strncpy(desc.a_algo, ah_list[0], ALGO_LEN - 1);
2156
2157 if (__write_desc(test_desc_fd, &desc))
2158 return -1;
2159
2160 desc.type = MONITOR_ACQUIRE;
2161 if (__write_desc(test_desc_fd, &desc))
2162 return -1;
2163
2164 desc.type = EXPIRE_STATE;
2165 if (__write_desc(test_desc_fd, &desc))
2166 return -1;
2167
2168 desc.type = EXPIRE_POLICY;
2169 if (__write_desc(test_desc_fd, &desc))
2170 return -1;
2171
2172 desc.type = SPDINFO_ATTRS;
2173 if (__write_desc(test_desc_fd, &desc))
2174 return -1;
2175
2176 return 0;
2177 }
2178
write_test_plan(int test_desc_fd)2179 static int write_test_plan(int test_desc_fd)
2180 {
2181 unsigned int i;
2182 pid_t child;
2183
2184 child = fork();
2185 if (child < 0) {
2186 pr_err("fork()");
2187 return -1;
2188 }
2189 if (child) {
2190 if (close(test_desc_fd))
2191 printk("close(): %m");
2192 return 0;
2193 }
2194
2195 if (write_compat_struct_tests(test_desc_fd))
2196 exit(KSFT_FAIL);
2197
2198 for (i = 0; i < ARRAY_SIZE(proto_list); i++) {
2199 if (write_proto_plan(test_desc_fd, proto_list[i]))
2200 exit(KSFT_FAIL);
2201 }
2202
2203 exit(KSFT_PASS);
2204 }
2205
children_cleanup(void)2206 static int children_cleanup(void)
2207 {
2208 unsigned ret = KSFT_PASS;
2209
2210 while (1) {
2211 int status;
2212 pid_t p = wait(&status);
2213
2214 if ((p < 0) && errno == ECHILD)
2215 break;
2216
2217 if (p < 0) {
2218 pr_err("wait()");
2219 return KSFT_FAIL;
2220 }
2221
2222 if (!WIFEXITED(status)) {
2223 ret = KSFT_FAIL;
2224 continue;
2225 }
2226
2227 if (WEXITSTATUS(status) == KSFT_FAIL)
2228 ret = KSFT_FAIL;
2229 }
2230
2231 return ret;
2232 }
2233
2234 typedef void (*print_res)(const char *, ...);
2235
check_results(void)2236 static int check_results(void)
2237 {
2238 struct test_result tr = {};
2239 struct xfrm_desc *d = &tr.desc;
2240 int ret = KSFT_PASS;
2241
2242 while (1) {
2243 ssize_t received = read(results_fd[0], &tr, sizeof(tr));
2244 print_res result;
2245
2246 if (received == 0) /* EOF */
2247 break;
2248
2249 if (received != sizeof(tr)) {
2250 pr_err("read() returned %zd", received);
2251 return KSFT_FAIL;
2252 }
2253
2254 switch (tr.res) {
2255 case KSFT_PASS:
2256 result = ksft_test_result_pass;
2257 break;
2258 case KSFT_FAIL:
2259 default:
2260 result = ksft_test_result_fail;
2261 ret = KSFT_FAIL;
2262 }
2263
2264 result(" %s: [%u, '%s', '%s', '%s', '%s', %u]\n",
2265 desc_name[d->type], (unsigned int)d->proto, d->a_algo,
2266 d->e_algo, d->c_algo, d->ae_algo, d->icv_len);
2267 }
2268
2269 return ret;
2270 }
2271
main(int argc,char ** argv)2272 int main(int argc, char **argv)
2273 {
2274 long nr_process = 1;
2275 int route_sock = -1, ret = KSFT_SKIP;
2276 int test_desc_fd[2];
2277 uint32_t route_seq;
2278 unsigned int i;
2279
2280 if (argc > 2)
2281 exit_usage(argv);
2282
2283 if (argc > 1) {
2284 char *endptr;
2285
2286 errno = 0;
2287 nr_process = strtol(argv[1], &endptr, 10);
2288 if ((errno == ERANGE && (nr_process == LONG_MAX || nr_process == LONG_MIN))
2289 || (errno != 0 && nr_process == 0)
2290 || (endptr == argv[1]) || (*endptr != '\0')) {
2291 printk("Failed to parse [nr_process]");
2292 exit_usage(argv);
2293 }
2294
2295 if (nr_process > MAX_PROCESSES || nr_process < 1) {
2296 printk("nr_process should be between [1; %u]",
2297 MAX_PROCESSES);
2298 exit_usage(argv);
2299 }
2300 }
2301
2302 srand(time(NULL));
2303 page_size = sysconf(_SC_PAGESIZE);
2304 if (page_size < 1)
2305 ksft_exit_skip("sysconf(): %m\n");
2306
2307 if (pipe2(test_desc_fd, O_DIRECT) < 0)
2308 ksft_exit_skip("pipe(): %m\n");
2309
2310 if (pipe2(results_fd, O_DIRECT) < 0)
2311 ksft_exit_skip("pipe(): %m\n");
2312
2313 if (init_namespaces())
2314 ksft_exit_skip("Failed to create namespaces\n");
2315
2316 if (netlink_sock(&route_sock, &route_seq, NETLINK_ROUTE))
2317 ksft_exit_skip("Failed to open netlink route socket\n");
2318
2319 for (i = 0; i < nr_process; i++) {
2320 char veth[VETH_LEN];
2321
2322 snprintf(veth, VETH_LEN, VETH_FMT, i);
2323
2324 if (veth_add(route_sock, route_seq++, veth, nsfd_childa, veth, nsfd_childb)) {
2325 close(route_sock);
2326 ksft_exit_fail_msg("Failed to create veth device");
2327 }
2328
2329 if (start_child(i, veth, test_desc_fd)) {
2330 close(route_sock);
2331 ksft_exit_fail_msg("Child %u failed to start", i);
2332 }
2333 }
2334
2335 if (close(route_sock) || close(test_desc_fd[0]) || close(results_fd[1]))
2336 ksft_exit_fail_msg("close(): %m");
2337
2338 ksft_set_plan(proto_plan + compat_plan);
2339
2340 if (write_test_plan(test_desc_fd[1]))
2341 ksft_exit_fail_msg("Failed to write test plan to pipe");
2342
2343 ret = check_results();
2344
2345 if (children_cleanup() == KSFT_FAIL)
2346 exit(KSFT_FAIL);
2347
2348 exit(ret);
2349 }
2350