
  1. // SPDX-License-Identifier: GPL-2.0
  2. /*
  3. * ipsec.c - Check xfrm on veth inside a net-ns.
  4. * Copyright (c) 2018 Dmitry Safonov
  5. */
  6. #define _GNU_SOURCE
  7. #include <arpa/inet.h>
  8. #include <asm/types.h>
  9. #include <errno.h>
  10. #include <fcntl.h>
  11. #include <limits.h>
  12. #include <linux/limits.h>
  13. #include <linux/netlink.h>
  14. #include <linux/random.h>
  15. #include <linux/rtnetlink.h>
  16. #include <linux/veth.h>
  17. #include <linux/xfrm.h>
  18. #include <netinet/in.h>
  19. #include <net/if.h>
  20. #include <sched.h>
  21. #include <stdbool.h>
  22. #include <stdint.h>
  23. #include <stdio.h>
  24. #include <stdlib.h>
  25. #include <string.h>
  26. #include <sys/mman.h>
  27. #include <sys/socket.h>
  28. #include <sys/stat.h>
  29. #include <sys/syscall.h>
  30. #include <sys/types.h>
  31. #include <sys/wait.h>
  32. #include <time.h>
  33. #include <unistd.h>
  34. #include "kselftest.h"
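/* All test output goes through kselftest, tagged with pid and source line. */
#define printk(fmt, ...) \
	ksft_print_msg("%d[%u] " fmt "\n", getpid(), __LINE__, ##__VA_ARGS__)
/* printk() plus the text of the current errno (glibc's %m conversion). */
#define pr_err(fmt, ...) printk(fmt ": %m", ##__VA_ARGS__)
/* Compile-time assertion: a true condition produces a negative array size. */
#define BUILD_BUG_ON(condition) ((void)sizeof(char[1 - 2*!!(condition)]))
#ifndef offsetof
#define offsetof(TYPE, MEMBER) __builtin_offsetof(TYPE, MEMBER)
#endif
#define IPV4_STR_SZ 16 /* xxx.xxx.xxx.xxx is longest + \0 */
/* Attribute area reserved after the header of every netlink request. */
#define MAX_PAYLOAD 2048
/* Room for one randomly generated xfrm key (see xfrm_state_pack_algo()). */
#define XFRM_ALGO_KEY_BUF_SIZE 512
#define MAX_PROCESSES (1 << 14) /* /16 mask divided by /30 subnets */
#define INADDR_A ((in_addr_t) 0x0a000000) /* 10.0.0.0 */
#define INADDR_B ((in_addr_t) 0xc0a80000) /* 192.168.0.0 */
/* /30 mask for one veth connection */
#define PREFIX_LEN 30
/*
 * Host numbers inside the /30 that belongs to child @nr. The argument is
 * parenthesised so that an expression such as child_ip(i + 1) is evaluated
 * as a whole rather than as 4*i + 1 + 1.
 */
#define child_ip(nr) (4*(nr) + 1)
#define grchild_ip(nr) (4*(nr) + 2)
/* veth names are built from VETH_FMT; VETH_LEN is presumably the buffer
 * size they are formatted into — confirm against the caller. */
#define VETH_FMT "ktst-%d"
#define VETH_LEN 12
/* Number of entries in xfrm_key_entries[]; verified by the static assert below. */
#define XFRM_ALGO_NR_KEYS 29

/* Network namespaces created by init_namespaces(); -1 until then. */
static int nsfd_parent = -1;
static int nsfd_childa = -1;
static int nsfd_childb = -1;
static long page_size;
/*
 * ksft_cnt is static in kselftest, so isn't shared with children.
 * We have to send a test result back to parent and count there.
 * results_fd is a pipe with test feedback from children.
 */
static int results_fd[2];

/*
 * UDP ping tuning: delay between rounds, receive timeout per reply (passed
 * as a tv_usec value by udp_ping_init()), rounds per run, and how many
 * rounds must succeed for the run to count as passed.
 */
const unsigned int ping_delay_nsec = 50 * 1000 * 1000;
const unsigned int ping_timeout = 300;
const unsigned int ping_count = 100;
const unsigned int ping_success = 80;

/* An algorithm name and the key length to generate for it. */
struct xfrm_key_entry {
	char algo_name[35];
	int key_len;
};

/*
 * Key length per algorithm, looked up by name in xfrm_fill_key(). The
 * value ends up in alg_key_len, which linux/xfrm.h defines in bits.
 */
struct xfrm_key_entry xfrm_key_entries[] = {
	{"digest_null", 0},
	{"ecb(cipher_null)", 0},
	{"cbc(des)", 64},
	{"hmac(md5)", 128},
	{"cmac(aes)", 128},
	{"xcbc(aes)", 128},
	{"cbc(cast5)", 128},
	{"cbc(serpent)", 128},
	{"hmac(sha1)", 160},
	{"hmac(rmd160)", 160},
	{"cbc(des3_ede)", 192},
	{"hmac(sha256)", 256},
	{"cbc(aes)", 256},
	{"cbc(camellia)", 256},
	{"cbc(twofish)", 256},
	{"rfc3686(ctr(aes))", 288},
	{"hmac(sha384)", 384},
	{"cbc(blowfish)", 448},
	{"hmac(sha512)", 512},
	{"rfc4106(gcm(aes))-128", 160},
	{"rfc4543(gcm(aes))-128", 160},
	{"rfc4309(ccm(aes))-128", 152},
	{"rfc4106(gcm(aes))-192", 224},
	{"rfc4543(gcm(aes))-192", 224},
	{"rfc4309(ccm(aes))-192", 216},
	{"rfc4106(gcm(aes))-256", 288},
	{"rfc4543(gcm(aes))-256", 288},
	{"rfc4309(ccm(aes))-256", 280},
	{"rfc7539(chacha20,poly1305)-128", 0}
};

/*
 * xfrm_fill_key() walks exactly XFRM_ALGO_NR_KEYS entries; a count that
 * drifts from the table would read past its end, so pin it at compile time.
 */
_Static_assert(sizeof(xfrm_key_entries) / sizeof(xfrm_key_entries[0]) ==
	       XFRM_ALGO_NR_KEYS, "XFRM_ALGO_NR_KEYS must match xfrm_key_entries[]");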
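/*
 * Fill @buf with @buflen bytes taken from rand(). Each rand() call
 * supplies sizeof(int) bytes; a trailing partial word gets the leading
 * bytes of one more call. Bytes are stored with memcpy() so the buffer
 * needs no particular alignment (the callers pass arbitrary char arrays).
 */
static void randomize_buffer(void *buf, size_t buflen)
{
	unsigned char *out = buf;
	size_t done = 0;

	while (done < buflen) {
		int word = rand();
		size_t chunk = buflen - done;

		if (chunk > sizeof(word))
			chunk = sizeof(word);
		memcpy(out + done, &word, chunk);
		done += chunk;
	}
}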
/*
 * Move the caller into a brand-new network namespace and return a
 * descriptor for it (usable with setns() later). Returns -1 on failure;
 * a failed open() still leaves the caller inside the new namespace.
 */
static int unshare_open(void)
{
	static const char netns_path[] = "/proc/self/ns/net";
	int nsfd;

	if (unshare(CLONE_NEWNET)) {
		pr_err("unshare()");
		return -1;
	}

	nsfd = open(netns_path, O_RDONLY);
	if (nsfd > 0)
		return nsfd;

	pr_err("open(%s)", netns_path);
	return -1;
}
/* Enter the network namespace referred to by @fd; -1 with a log on failure. */
static int switch_ns(int fd)
{
	int rc = setns(fd, CLONE_NEWNET);

	if (rc)
		pr_err("setns()");
	return rc ? -1 : 0;
}
/*
 * Running the test inside a new parent net namespace to bother less
 * about cleanup on error-path.
 *
 * Three namespaces are created: the parent and two children, stored in
 * nsfd_parent / nsfd_childa / nsfd_childb. unshare_open() leaves the
 * caller inside the namespace it just made, so after each child the
 * process switches back to the parent before creating the next one.
 * Returns -1 at the first failure; earlier namespaces are not torn down.
 */
static int init_namespaces(void)
{
	int *slots[] = { &nsfd_parent, &nsfd_childa, &nsfd_childb };
	size_t i;

	for (i = 0; i < sizeof(slots) / sizeof(slots[0]); i++) {
		*slots[i] = unshare_open();
		if (*slots[i] <= 0)
			return -1;
		/* children are created from the parent, never from a sibling */
		if (i > 0 && switch_ns(nsfd_parent))
			return -1;
	}

	return 0;
}
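/*
 * Lazily open a netlink socket of family @proto into *@sock.
 *
 * On first use (*@sock <= 0) a SOCK_RAW|SOCK_CLOEXEC socket is created and
 * *@seq_nr is seeded with random bytes so every request stream starts at
 * an unpredictable sequence number. When the socket already exists only
 * the sequence number is advanced. Returns 0, or -1 if socket() fails.
 */
static int netlink_sock(int *sock, uint32_t *seq_nr, int proto)
{
	if (*sock > 0) {
		/* advance the value, not the pointer */
		(*seq_nr)++;
		return 0;
	}

	*sock = socket(AF_NETLINK, SOCK_RAW | SOCK_CLOEXEC, proto);
	if (*sock <= 0) {
		pr_err("socket(AF_NETLINK)");
		return -1;
	}

	randomize_buffer(seq_nr, sizeof(*seq_nr));
	return 0;
}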
/* Where the next attribute goes: right after the (aligned) current message. */
static inline struct rtattr *rtattr_hdr(struct nlmsghdr *nh)
{
	char *base = (char *)nh;
	size_t used = RTA_ALIGN(nh->nlmsg_len);

	return (struct rtattr *)(base + used);
}
/*
 * Append one attribute of type @rta_type carrying @size payload bytes to
 * the netlink message at @nh, growing nh->nlmsg_len accordingly. @req_sz
 * is the capacity of the buffer @nh lives in; an attribute that would not
 * fit is refused with -1. A NULL @payload writes only the attribute header,
 * which is how nested attributes are opened.
 */
static int rtattr_pack(struct nlmsghdr *nh, size_t req_sz,
		unsigned short rta_type, const void *payload, size_t size)
{
	/* NLMSG_ALIGNTO == RTA_ALIGNTO, nlmsg_len already aligned */
	struct rtattr *attr = rtattr_hdr(nh);
	size_t attr_len = RTA_LENGTH(size);
	size_t new_len = RTA_ALIGN(nh->nlmsg_len) + attr_len;

	if (new_len > req_sz) {
		printk("req buf is too small: %zu < %zu", req_sz, new_len);
		return -1;
	}

	nh->nlmsg_len = new_len;
	attr->rta_len = attr_len;
	attr->rta_type = rta_type;
	if (payload != NULL)
		memcpy(RTA_DATA(attr), payload, size);

	return 0;
}
/*
 * Open an attribute that will be closed by rtattr_end(): pack it like
 * rtattr_pack() does and hand back its header so the final length can be
 * patched in later. Returns NULL when the request buffer is full.
 */
static struct rtattr *_rtattr_begin(struct nlmsghdr *nh, size_t req_sz,
		unsigned short rta_type, const void *payload, size_t size)
{
	struct rtattr *opened = rtattr_hdr(nh);
	int rc = rtattr_pack(nh, req_sz, rta_type, payload, size);

	return rc ? NULL : opened;
}
/* Open an empty nested attribute: header only, no payload of its own. */
static inline struct rtattr *rtattr_begin(struct nlmsghdr *nh, size_t req_sz,
		unsigned short rta_type)
{
	const void *no_payload = NULL;

	return _rtattr_begin(nh, req_sz, rta_type, no_payload, 0);
}
/*
 * Close a nested attribute opened with rtattr_begin()/_rtattr_begin():
 * its length becomes everything packed since, up to the current end of
 * the message.
 */
static inline void rtattr_end(struct nlmsghdr *nh, struct rtattr *attr)
{
	size_t attr_offset = (char *)attr - (char *)nh;

	attr->rta_len = nh->nlmsg_len - attr_offset;
}
/*
 * Pack the VETH_INFO_PEER nested attribute describing the far end of a
 * veth pair: an ifinfomsg header followed by the peer's name and the
 * descriptor of the net namespace it should be created in.
 */
static int veth_pack_peerb(struct nlmsghdr *nh, size_t req_sz,
		const char *peer, int ns)
{
	struct ifinfomsg peer_info = {
		.ifi_family = AF_UNSPEC,
		.ifi_change = 0xFFFFFFFF,
	};
	struct rtattr *nest;

	nest = _rtattr_begin(nh, req_sz, VETH_INFO_PEER,
			&peer_info, sizeof(peer_info));
	if (nest == NULL)
		return -1;

	if (rtattr_pack(nh, req_sz, IFLA_IFNAME, peer, strlen(peer)) ||
	    rtattr_pack(nh, req_sz, IFLA_NET_NS_FD, &ns, sizeof(ns)))
		return -1;

	rtattr_end(nh, nest);
	return 0;
}
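/*
 * Read the kernel's reply to a request sent with NLM_F_ACK and decode it.
 * Only NLMSG_ERROR replies are expected: error == 0 is the ACK, anything
 * else is the negative errno the kernel reports.
 *
 * The reply is received into a fixed-size struct (the kernel may append
 * more, which is simply truncated), so the received length is checked
 * before any field is trusted: a datagram shorter than the header would
 * otherwise be decoded from uninitialised stack.
 *
 * Returns 0 on ACK, the kernel's negative errno on NAK, or -1 when recv()
 * fails or the reply is not a well-formed NLMSG_ERROR.
 */
static int netlink_check_answer(int sock)
{
	struct nlmsgerror {
		struct nlmsghdr hdr;
		int error;
		struct nlmsghdr orig_msg;
	} answer;
	ssize_t got;

	got = recv(sock, &answer, sizeof(answer), 0);
	if (got < 0) {
		pr_err("recv()");
		return -1;
	}
	if ((size_t)got < sizeof(answer.hdr)) {
		printk("short netlink answer: %zd bytes", got);
		return -1;
	}
	if (answer.hdr.nlmsg_type != NLMSG_ERROR) {
		printk("expected NLMSG_ERROR, got %d", (int)answer.hdr.nlmsg_type);
		return -1;
	}
	/* an NLMSG_ERROR must at least carry the error code */
	if ((size_t)got < NLMSG_LENGTH(sizeof(answer.error))) {
		printk("truncated NLMSG_ERROR: %zd bytes", got);
		return -1;
	}
	if (answer.error) {
		printk("NLMSG_ERROR: %d: %s",
			answer.error, strerror(-answer.error));
		return answer.error;
	}

	return 0;
}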
/*
 * Create a veth pair through the NETLINK_ROUTE socket @sock: @peera lands
 * in namespace @ns_a, @peerb in @ns_b (both given as namespace fds).
 * Returns the status from netlink_check_answer(), or -1 if the request
 * could not be built or sent.
 */
static int veth_add(int sock, uint32_t seq, const char *peera, int ns_a,
		const char *peerb, int ns_b)
{
	static const char veth_kind[] = "veth";
	struct {
		struct nlmsghdr nh;
		struct ifinfomsg info;
		char attrbuf[MAX_PAYLOAD];
	} req = {
		.nh = {
			.nlmsg_len = NLMSG_LENGTH(sizeof(struct ifinfomsg)),
			.nlmsg_type = RTM_NEWLINK,
			.nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK |
				       NLM_F_EXCL | NLM_F_CREATE,
			.nlmsg_seq = seq,
		},
		.info = {
			.ifi_family = AF_UNSPEC,
			.ifi_change = 0xFFFFFFFF,
		},
	};
	struct rtattr *link_info, *info_data;

	/* near end: its name and the namespace it goes to */
	if (rtattr_pack(&req.nh, sizeof(req), IFLA_IFNAME, peera, strlen(peera)) ||
	    rtattr_pack(&req.nh, sizeof(req), IFLA_NET_NS_FD, &ns_a, sizeof(ns_a)))
		return -1;

	/* IFLA_LINKINFO { IFLA_INFO_KIND "veth", IFLA_INFO_DATA { peer } } */
	link_info = rtattr_begin(&req.nh, sizeof(req), IFLA_LINKINFO);
	if (link_info == NULL)
		return -1;
	if (rtattr_pack(&req.nh, sizeof(req), IFLA_INFO_KIND,
			veth_kind, sizeof(veth_kind)))
		return -1;
	info_data = rtattr_begin(&req.nh, sizeof(req), IFLA_INFO_DATA);
	if (info_data == NULL)
		return -1;
	if (veth_pack_peerb(&req.nh, sizeof(req), peerb, ns_b))
		return -1;
	rtattr_end(&req.nh, info_data);
	rtattr_end(&req.nh, link_info);

	if (send(sock, &req, req.nh.nlmsg_len, 0) < 0) {
		pr_err("send()");
		return -1;
	}

	return netlink_check_answer(sock);
}
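/*
 * Assign @addr/@prefix to interface @intf via RTM_NEWADDR (exclusive
 * create). The interface name is resolved first and a name that does not
 * exist fails right here with -1 rather than sending ifa_index == 0 and
 * leaving the kernel's error reply to explain it. Otherwise returns the
 * status from netlink_check_answer(), or -1 on build/send failure.
 */
static int ip4_addr_set(int sock, uint32_t seq, const char *intf,
		struct in_addr addr, uint8_t prefix)
{
	struct {
		struct nlmsghdr nh;
		struct ifaddrmsg info;
		char attrbuf[MAX_PAYLOAD];
	} req;
	unsigned int ifindex = if_nametoindex(intf);

	if (!ifindex) {
		pr_err("if_nametoindex(%s)", intf);
		return -1;
	}

	memset(&req, 0, sizeof(req));
	req.nh.nlmsg_len = NLMSG_LENGTH(sizeof(req.info));
	req.nh.nlmsg_type = RTM_NEWADDR;
	req.nh.nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK | NLM_F_EXCL | NLM_F_CREATE;
	req.nh.nlmsg_seq = seq;
	req.info.ifa_family = AF_INET;
	req.info.ifa_prefixlen = prefix;
	req.info.ifa_index = ifindex;

#ifdef DEBUG
	{
		char addr_str[IPV4_STR_SZ] = {};

		snprintf(addr_str, sizeof(addr_str), "%s", inet_ntoa(addr));
		printk("ip addr set %s", addr_str);
	}
#endif
	/* the same address is packed as both IFA_LOCAL and IFA_ADDRESS */
	if (rtattr_pack(&req.nh, sizeof(req), IFA_LOCAL, &addr, sizeof(addr)) ||
	    rtattr_pack(&req.nh, sizeof(req), IFA_ADDRESS, &addr, sizeof(addr)))
		return -1;

	if (send(sock, &req, req.nh.nlmsg_len, 0) < 0) {
		pr_err("send()");
		return -1;
	}

	return netlink_check_answer(sock);
}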
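/*
 * Bring interface @intf up: RTM_NEWLINK with IFF_UP set and ifi_change
 * masking only IFF_UP, so no other link flag is touched. A name that does
 * not resolve fails immediately with -1 (instead of asking the kernel
 * about ifindex 0); otherwise returns the netlink reply status, or -1
 * if the request could not be sent.
 */
static int link_set_up(int sock, uint32_t seq, const char *intf)
{
	struct {
		struct nlmsghdr nh;
		struct ifinfomsg info;
		char attrbuf[MAX_PAYLOAD];
	} req;
	unsigned int ifindex = if_nametoindex(intf);

	if (!ifindex) {
		pr_err("if_nametoindex(%s)", intf);
		return -1;
	}

	memset(&req, 0, sizeof(req));
	req.nh.nlmsg_len = NLMSG_LENGTH(sizeof(req.info));
	req.nh.nlmsg_type = RTM_NEWLINK;
	req.nh.nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
	req.nh.nlmsg_seq = seq;
	req.info.ifi_family = AF_UNSPEC;
	req.info.ifi_index = ifindex;
	req.info.ifi_flags = IFF_UP;
	/* only IFF_UP is subject to change; the rest of the flags stay as they are */
	req.info.ifi_change = IFF_UP;

	if (send(sock, &req, req.nh.nlmsg_len, 0) < 0) {
		pr_err("send()");
		return -1;
	}

	return netlink_check_answer(sock);
}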
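/*
 * Add a host route (/32) to @dst through @intf with preferred source @src:
 * RTM_NEWROUTE in the main table, link scope, unicast. A name that does
 * not resolve fails immediately with -1 instead of packing RTA_OIF == 0;
 * otherwise returns the netlink reply status, or -1 on build/send failure.
 */
static int ip4_route_set(int sock, uint32_t seq, const char *intf,
		struct in_addr src, struct in_addr dst)
{
	struct {
		struct nlmsghdr nh;
		struct rtmsg rt;
		char attrbuf[MAX_PAYLOAD];
	} req;
	unsigned int index = if_nametoindex(intf);

	if (!index) {
		pr_err("if_nametoindex(%s)", intf);
		return -1;
	}

	memset(&req, 0, sizeof(req));
	req.nh.nlmsg_len = NLMSG_LENGTH(sizeof(req.rt));
	req.nh.nlmsg_type = RTM_NEWROUTE;
	req.nh.nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK | NLM_F_CREATE;
	req.nh.nlmsg_seq = seq;
	req.rt.rtm_family = AF_INET;
	req.rt.rtm_dst_len = 32;
	req.rt.rtm_table = RT_TABLE_MAIN;
	req.rt.rtm_protocol = RTPROT_BOOT;
	req.rt.rtm_scope = RT_SCOPE_LINK;
	req.rt.rtm_type = RTN_UNICAST;

	if (rtattr_pack(&req.nh, sizeof(req), RTA_DST, &dst, sizeof(dst)) ||
	    rtattr_pack(&req.nh, sizeof(req), RTA_PREFSRC, &src, sizeof(src)) ||
	    rtattr_pack(&req.nh, sizeof(req), RTA_OIF, &index, sizeof(index)))
		return -1;

	if (send(sock, &req, req.nh.nlmsg_len, 0) < 0) {
		pr_err("send()");
		return -1;
	}

	return netlink_check_answer(sock);
}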
/*
 * Give a child its tunnel identity: @tunsrc is placed on "lo" and a host
 * route to @tundst is added via @veth with @tunsrc as preferred source.
 * *@route_seq is advanced once per request. Returns 0, or -1 after logging.
 */
static int tunnel_set_route(int route_sock, uint32_t *route_seq, char *veth,
		struct in_addr tunsrc, struct in_addr tundst)
{
	int rc;

	rc = ip4_addr_set(route_sock, (*route_seq)++, "lo", tunsrc, PREFIX_LEN);
	if (rc) {
		printk("Failed to set ipv4 addr");
		return -1;
	}

	rc = ip4_route_set(route_sock, (*route_seq)++, veth, tunsrc, tundst);
	if (rc) {
		printk("Failed to set ipv4 route");
		return -1;
	}

	return 0;
}
/*
 * Configure a child's networking from inside namespace @nsfd: the veth
 * end gets an INADDR_B-based address built from @src and is brought up,
 * then the INADDR_A-based tunnel addresses built from @src and @dst are
 * installed by tunnel_set_route(). Returns 0 on success, -1 otherwise;
 * the route socket is closed on every path once it has been opened.
 */
static int init_child(int nsfd, char *veth, unsigned int src, unsigned int dst)
{
	struct in_addr veth_addr = inet_makeaddr(INADDR_B, src);
	struct in_addr tun_src = inet_makeaddr(INADDR_A, src);
	struct in_addr tun_dst = inet_makeaddr(INADDR_A, dst);
	uint32_t seq;	/* seeded by netlink_sock() */
	int sock = -1;
	int rc = -1;

	if (switch_ns(nsfd))
		return -1;

	if (netlink_sock(&sock, &seq, NETLINK_ROUTE)) {
		printk("Failed to open netlink route socket in child");
		return -1;
	}

	if (ip4_addr_set(sock, seq++, veth, veth_addr, PREFIX_LEN)) {
		printk("Failed to set ipv4 addr");
		goto out;
	}
	if (link_set_up(sock, seq++, veth)) {
		printk("Failed to bring up %s", veth);
		goto out;
	}
	if (tunnel_set_route(sock, &seq, veth, tun_src, tun_dst)) {
		printk("Failed to add tunnel route on %s", veth);
		goto out;
	}
	rc = 0;

out:
	close(sock);
	return rc;
}
/* Width of the algorithm-name fields in struct xfrm_desc. */
#define ALGO_LEN 64
/* Which scenario a test description exercises; indexes desc_name[]. */
enum desc_type {
	CREATE_TUNNEL = 0,
	ALLOCATE_SPI,
	MONITOR_ACQUIRE,
	EXPIRE_STATE,
	EXPIRE_POLICY,
	SPDINFO_ATTRS,
};
/* Printable names for enum desc_type, in enum order, with a "" sentinel. */
const char *desc_name[] = {
	"create tunnel",
	"alloc spi",
	"monitor acquire",
	"expire state",
	"expire policy",
	"spdinfo attributes",
	""
};
/*
 * One xfrm configuration under test. Which names are filled in depends
 * on proto (see xfrm_state_pack_algo()): a_algo is packed as the auth
 * algorithm, e_algo as encryption, c_algo as compression and ae_algo as
 * AEAD; icv_len is used together with ae_algo.
 */
struct xfrm_desc {
	enum desc_type type;
	uint8_t proto;
	char a_algo[ALGO_LEN];
	char e_algo[ALGO_LEN];
	char c_algo[ALGO_LEN];
	char ae_algo[ALGO_LEN];
	unsigned int icv_len;
	/* unsigned key_len; */
};
/* Commands exchanged over the control pipe between parent and children. */
enum msg_type {
	MSG_ACK = 0,
	MSG_EXIT,
	MSG_PING,
	MSG_XFRM_PREPARE,
	MSG_XFRM_ADD,
	MSG_XFRM_DEL,
	MSG_XFRM_CLEANUP,
};
/*
 * A control-pipe message. The union carries the MSG_PING parameters (the
 * address and port the peer should reply to, see do_ping()) or, presumably
 * for the MSG_XFRM_* commands, an xfrm_desc. Kept under PIPE_BUF so that
 * write_msg()/read_msg() can rely on atomic pipe transfers.
 */
struct test_desc {
	enum msg_type type;
	union {
		struct {
			in_addr_t reply_ip;
			unsigned int port;
		} ping;
		struct xfrm_desc xfrm_desc;
	} body;
};
/* What a child reports through results_fd: the desc it ran and its outcome. */
struct test_result {
	struct xfrm_desc desc;
	unsigned int res;
};
/*
 * Report one outcome to the parent through results_fd[1]: descriptor @d
 * together with its result @res, as a single struct test_result. A failed
 * or short write is logged but is not fatal.
 */
static void write_test_result(unsigned int res, struct xfrm_desc *d)
{
	struct test_result report = {
		.desc = *d,
		.res = res,
	};
	ssize_t written = write(results_fd[1], &report, sizeof(report));

	if (written != sizeof(report))
		pr_err("Failed to write the result in pipe %zd", written);
}
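/*
 * Send one control message over the command pipe @fd. The message is
 * smaller than PIPE_BUF (checked at compile time) so the write is atomic.
 * A failed or short write is logged exactly once — a negative byte count
 * must not also fall into the "sent part of the message" branch — and,
 * when @exit_of_fail is set, ends the process with KSFT_FAIL.
 */
static void write_msg(int fd, struct test_desc *msg, bool exit_of_fail)
{
	ssize_t bytes;

	/* Make sure that write/read is atomic to a pipe */
	BUILD_BUG_ON(sizeof(struct test_desc) > PIPE_BUF);

	bytes = write(fd, msg, sizeof(*msg));
	if (bytes < 0) {
		pr_err("write()");
	} else if ((size_t)bytes != sizeof(*msg)) {
		/* %m shows whatever errno is left over; a short write sets none */
		pr_err("sent part of the message %zd/%zu", bytes, sizeof(*msg));
	} else {
		return;
	}

	if (exit_of_fail)
		exit(KSFT_FAIL);
}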
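/*
 * Receive one control message from the command pipe @fd into @msg.
 * A failed or short read is logged exactly once — a negative byte count
 * must not also fall into the "incomplete message" branch — and, when
 * @exit_of_fail is set, ends the process with KSFT_FAIL; otherwise the
 * caller has to treat @msg as not filled in.
 */
static void read_msg(int fd, struct test_desc *msg, bool exit_of_fail)
{
	ssize_t bytes = read(fd, msg, sizeof(*msg));

	if (bytes < 0) {
		pr_err("read()");
	} else if ((size_t)bytes != sizeof(*msg)) {
		/* %m shows whatever errno is left over; a short read sets none */
		pr_err("got incomplete message %zd/%zu", bytes, sizeof(*msg));
	} else {
		return;
	}

	if (exit_of_fail)
		exit(KSFT_FAIL);
}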
/*
 * Prepare the socket pair used for the UDP "ping": sock[0] is bound to
 * @listen_ip on a kernel-chosen port (returned through *@server_port) and
 * gets a receive timeout of @u_timeout microseconds; sock[1] is an unbound
 * sender. Returns 0, or -1 with sock[0] closed again.
 */
static int udp_ping_init(struct in_addr listen_ip, unsigned int u_timeout,
		unsigned int *server_port, int sock[2])
{
	struct sockaddr_in bound = {
		.sin_family = AF_INET,
		.sin_port = 0,
		.sin_addr = listen_ip,
	};
	socklen_t bound_len = sizeof(bound);
	struct timeval rcv_timeout = { .tv_sec = 0, .tv_usec = u_timeout };

	sock[0] = socket(AF_INET, SOCK_DGRAM, 0);
	if (sock[0] < 0) {
		pr_err("socket()");
		return -1;
	}

	if (bind(sock[0], (struct sockaddr *)&bound, bound_len)) {
		pr_err("bind()");
		goto fail;
	}
	/* sin_port was 0: read back the ephemeral port the kernel picked */
	if (getsockname(sock[0], (struct sockaddr *)&bound, &bound_len)) {
		pr_err("getsockname()");
		goto fail;
	}
	*server_port = ntohs(bound.sin_port);

	if (setsockopt(sock[0], SOL_SOCKET, SO_RCVTIMEO,
		       &rcv_timeout, sizeof(rcv_timeout))) {
		pr_err("setsockopt()");
		goto fail;
	}

	sock[1] = socket(AF_INET, SOCK_DGRAM, 0);
	if (sock[1] < 0) {
		pr_err("socket()");
		goto fail;
	}

	return 0;

fail:
	close(sock[0]);
	return -1;
}
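/*
 * One round of the UDP ping from the initiating side: send the @buf_len
 * bytes of @buf from sock[1] to @dest_ip:@port, then wait on sock[0] for
 * the echo. Returns 0 when an identical datagram comes back, -1 on a
 * send/receive failure, on timeout (recv() reports EAGAIN when the
 * SO_RCVTIMEO set by udp_ping_init() expires; not logged, it is just a
 * lost ping) or when the reply is short or corrupted.
 */
static int udp_ping_send(int sock[2], in_addr_t dest_ip, unsigned int port,
		char *buf, size_t buf_len)
{
	struct sockaddr_in server = {
		.sin_family = AF_INET,
		.sin_port = htons(port),
		.sin_addr.s_addr = dest_ip,
	};
	const struct sockaddr *dest_addr = (struct sockaddr *)&server;
	/* reply buffer of buf_len bytes (not buf_len pointers) */
	char sock_buf[buf_len];
	ssize_t r_bytes, s_bytes;

	s_bytes = sendto(sock[1], buf, buf_len, 0, dest_addr, sizeof(server));
	if (s_bytes < 0) {
		pr_err("sendto()");
		return -1;
	} else if ((size_t)s_bytes != buf_len) {
		printk("send part of the message: %zd/%zu", s_bytes, buf_len);
		return -1;
	}

	r_bytes = recv(sock[0], sock_buf, buf_len, 0);
	if (r_bytes < 0) {
		if (errno != EAGAIN)
			pr_err("recv()");
		return -1;
	} else if (r_bytes == 0) { /* EOF */
		printk("EOF on reply to ping");
		return -1;
	} else if ((size_t)r_bytes != buf_len || memcmp(buf, sock_buf, buf_len)) {
		printk("ping reply packet is corrupted %zd/%zu", r_bytes, buf_len);
		return -1;
	}

	return 0;
}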
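/*
 * One round of the UDP ping from the replying side: wait on sock[0] for
 * a datagram that must equal the @buf_len bytes of @buf, then echo @buf
 * from sock[1] to @dest_ip:@port. Returns 0 on success, -1 on a
 * send/receive failure, on timeout (recv() reports EAGAIN when the
 * SO_RCVTIMEO set by udp_ping_init() expires; not logged) or when the
 * received datagram is short or corrupted.
 */
static int udp_ping_reply(int sock[2], in_addr_t dest_ip, unsigned int port,
		char *buf, size_t buf_len)
{
	struct sockaddr_in server = {
		.sin_family = AF_INET,
		.sin_port = htons(port),
		.sin_addr.s_addr = dest_ip,
	};
	const struct sockaddr *dest_addr = (struct sockaddr *)&server;
	/* receive buffer of buf_len bytes (not buf_len pointers) */
	char sock_buf[buf_len];
	ssize_t r_bytes, s_bytes;

	r_bytes = recv(sock[0], sock_buf, buf_len, 0);
	if (r_bytes < 0) {
		if (errno != EAGAIN)
			pr_err("recv()");
		return -1;
	}
	if (r_bytes == 0) { /* EOF */
		printk("EOF on reply to ping");
		return -1;
	}
	if ((size_t)r_bytes != buf_len || memcmp(buf, sock_buf, buf_len)) {
		printk("ping reply packet is corrupted %zd/%zu", r_bytes, buf_len);
		return -1;
	}

	s_bytes = sendto(sock[1], buf, buf_len, 0, dest_addr, sizeof(server));
	if (s_bytes < 0) {
		pr_err("sendto()");
		return -1;
	} else if ((size_t)s_bytes != buf_len) {
		printk("send part of the message: %zd/%zu", s_bytes, buf_len);
		return -1;
	}

	return 0;
}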
/*
 * Signature shared by udp_ping_send() and udp_ping_reply(); do_ping()
 * is handed one of them depending on which side of the exchange it runs.
 */
typedef int (*ping_f)(int sock[2], in_addr_t dest_ip, unsigned int port,
		char *buf, size_t buf_len);
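/*
 * Run the UDP ping exchange with the peer on the other end of @cmd_fd.
 *
 * Both sides open a listening socket on @from and announce its port with
 * a MSG_PING message. The initiating side (@init_side) then takes the
 * peer's address and port from the peer's MSG_PING, ignoring the @to and
 * @d_port it was called with; the replying side uses them as given. @func
 * (udp_ping_send or udp_ping_reply) is invoked ping_count times with
 * @buf/@buf_len, ping_delay_nsec apart. Returns 0 when at least
 * ping_success rounds succeeded, -1 otherwise or on a setup/protocol
 * failure. Both ping sockets are closed on every path after they were
 * opened.
 *
 * NOTE(review): @buf_len is used for the datagram size; callers are
 * expected to pass page_size here — confirm against the callers.
 */
static int do_ping(int cmd_fd, char *buf, size_t buf_len, struct in_addr from,
		bool init_side, int d_port, in_addr_t to, ping_f func)
{
	struct test_desc msg;
	struct in_addr to_addr;
	unsigned int s_port, i, ping_succeeded = 0;
	int ping_sock[2];
	int ret = -1;
	char to_str[IPV4_STR_SZ] = {}, from_str[IPV4_STR_SZ] = {};

	if (udp_ping_init(from, ping_timeout, &s_port, ping_sock)) {
		printk("Failed to init ping");
		return -1;
	}

	/* Tell the peer where to reach us */
	memset(&msg, 0, sizeof(msg));
	msg.type = MSG_PING;
	msg.body.ping.port = s_port;
	msg.body.ping.reply_ip = from.s_addr;
	write_msg(cmd_fd, &msg, 0);

	if (init_side) {
		/* The other end sends ip to ping */
		read_msg(cmd_fd, &msg, 0);
		if (msg.type != MSG_PING) {
			printk("expected MSG_PING from peer, got %d", (int)msg.type);
			goto out;
		}
		to = msg.body.ping.reply_ip;
		d_port = msg.body.ping.port;
	}

	for (i = 0; i < ping_count; i++) {
		struct timespec sleep_time = {
			.tv_sec = 0,
			.tv_nsec = ping_delay_nsec,
		};

		ping_succeeded += !func(ping_sock, to, d_port, buf, buf_len);
		nanosleep(&sleep_time, NULL);
	}

	/* inet_ntoa() returns a static buffer: copy each result out before the next call */
	to_addr.s_addr = to;
	snprintf(to_str, sizeof(to_str), "%s", inet_ntoa(to_addr));
	snprintf(from_str, sizeof(from_str), "%s", inet_ntoa(from));

	if (ping_succeeded < ping_success) {
		printk("ping (%s) %s->%s failed %u/%u times",
			init_side ? "send" : "reply", from_str, to_str,
			ping_count - ping_succeeded, ping_count);
		goto out;
	}
#ifdef DEBUG
	printk("ping (%s) %s->%s succeeded %u/%u times",
		init_side ? "send" : "reply", from_str, to_str,
		ping_succeeded, ping_count);
#endif
	ret = 0;

out:
	close(ping_sock[0]);
	close(ping_sock[1]);
	return ret;
}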
/*
 * Look @name up in xfrm_key_entries[], store its key length in *@key_len
 * and fill @buf with that many random bytes. A name that is not in the
 * table leaves *@key_len as the caller set it. Returns -1 when the key
 * would not fit into @buf_len bytes, 0 otherwise.
 *
 * NOTE(review): the table value is what goes into alg_key_len, which
 * linux/xfrm.h defines in bits, yet it is passed to randomize_buffer()
 * as a byte count — more bytes than the key needs get randomised. Harmless
 * as long as the buffer is large enough, but worth confirming.
 */
static int xfrm_fill_key(char *name, char *buf,
		size_t buf_len, unsigned int *key_len)
{
	const struct xfrm_key_entry *entry = xfrm_key_entries;
	const struct xfrm_key_entry *end = entry + XFRM_ALGO_NR_KEYS;

	for (; entry < end; entry++) {
		if (!strncmp(name, entry->algo_name, ALGO_LEN))
			*key_len = entry->key_len;
	}

	if (*key_len > buf_len) {
		printk("Can't pack a key - too big for buffer");
		return -1;
	}

	randomize_buffer(buf, *key_len);
	return 0;
}
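/*
 * Copy algorithm name @name into @alg_name (at most ALGO_LEN - 1 chars,
 * so the final byte stays a NUL terminator, consistently for every
 * attribute type) and generate its key into @key_buf, storing the length
 * in *@key_len. Returns what xfrm_fill_key() returns.
 */
static int xfrm_alg_fill(char *alg_name, char *key_buf, size_t key_buf_len,
		unsigned int *key_len, char *name)
{
	strncpy(alg_name, name, ALGO_LEN - 1);
	return xfrm_fill_key(name, key_buf, key_buf_len, key_len);
}

/*
 * Pack the algorithm attribute(s) for @desc into the xfrm netlink message
 * @nh (buffer capacity @req_sz). Which attribute is packed depends on
 * desc->proto:
 *   IPPROTO_AH   -> XFRMA_ALG_AUTH  from a_algo
 *   IPPROTO_COMP -> XFRMA_ALG_COMP  from c_algo
 *   IPPROTO_ESP  -> XFRMA_ALG_AEAD  from ae_algo (with icv_len), or else
 *                   XFRMA_ALG_CRYPT from e_algo followed by XFRMA_ALG_AUTH
 *                   from a_algo
 * Any other combination of filled-in names is rejected as a buggy desc;
 * for ESP that means exactly one of "auth + encryption" and "AEAD" must
 * be present, compared as booleans (a raw XOR of the lengths would accept
 * all three being set). Keys are random, see xfrm_fill_key(). Returns 0
 * on success, -1 otherwise.
 *
 * Assumes the desc->*_algo fields are NUL terminated (strlen() is applied
 * to them); they are ALGO_LEN wide and arrive over the command pipe.
 */
static int xfrm_state_pack_algo(struct nlmsghdr *nh, size_t req_sz,
		struct xfrm_desc *desc)
{
	/*
	 * One buffer serves all three attribute layouts. The anonymous struct
	 * overlays a key area starting at the xfrm_algo_auth key offset, the
	 * largest of the three, so sizeof(alg.buf) bounds every alg_key.
	 */
	union {
		union {
			struct xfrm_algo alg;
			struct xfrm_algo_aead aead;
			struct xfrm_algo_auth auth;
		} u;
		struct {
			unsigned char __offset_to_FAM[offsetof(struct xfrm_algo_auth, alg_key)];
			char buf[XFRM_ALGO_KEY_BUF_SIZE];
		};
	} alg = {};
	size_t alen = strlen(desc->a_algo);
	size_t elen = strlen(desc->e_algo);
	size_t clen = strlen(desc->c_algo);
	size_t aelen = strlen(desc->ae_algo);
	bool has_auth_enc, has_aead;
	unsigned short type;

	/* Verify desc */
	switch (desc->proto) {
	case IPPROTO_AH:
		if (!alen || elen || clen || aelen) {
			printk("BUG: buggy ah desc");
			return -1;
		}
		if (xfrm_alg_fill(alg.u.alg.alg_name, alg.u.alg.alg_key,
				  sizeof(alg.buf), &alg.u.alg.alg_key_len,
				  desc->a_algo))
			return -1;
		type = XFRMA_ALG_AUTH;
		break;
	case IPPROTO_COMP:
		if (!clen || elen || alen || aelen) {
			printk("BUG: buggy comp desc");
			return -1;
		}
		if (xfrm_alg_fill(alg.u.alg.alg_name, alg.u.alg.alg_key,
				  sizeof(alg.buf), &alg.u.alg.alg_key_len,
				  desc->c_algo))
			return -1;
		type = XFRMA_ALG_COMP;
		break;
	case IPPROTO_ESP:
		has_auth_enc = alen && elen;
		has_aead = aelen != 0;
		/* exactly one of the two forms, and never compression */
		if (has_auth_enc == has_aead || clen) {
			printk("BUG: buggy esp desc");
			return -1;
		}
		if (has_aead) {
			alg.u.aead.alg_icv_len = desc->icv_len;
			if (xfrm_alg_fill(alg.u.aead.alg_name, alg.u.aead.alg_key,
					  sizeof(alg.buf), &alg.u.aead.alg_key_len,
					  desc->ae_algo))
				return -1;
			type = XFRMA_ALG_AEAD;
		} else {
			/* encryption goes out as its own attribute first ... */
			if (xfrm_alg_fill(alg.u.alg.alg_name, alg.u.alg.alg_key,
					  sizeof(alg.buf), &alg.u.alg.alg_key_len,
					  desc->e_algo))
				return -1;
			if (rtattr_pack(nh, req_sz, XFRMA_ALG_CRYPT, &alg, sizeof(alg)))
				return -1;
			/*
			 * ... then auth reuses the buffer: name and key length are
			 * overwritten, stale key bytes past the new alg_key_len are
			 * not part of the key.
			 */
			if (xfrm_alg_fill(alg.u.alg.alg_name, alg.u.alg.alg_key,
					  sizeof(alg.buf), &alg.u.alg.alg_key_len,
					  desc->a_algo))
				return -1;
			type = XFRMA_ALG_AUTH;
		}
		break;
	default:
		printk("BUG: unknown proto in desc");
		return -1;
	}

	if (rtattr_pack(nh, req_sz, type, &alg, sizeof(alg)))
		return -1;

	return 0;
}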
/*
 * Derive the SPI for a tunnel from its source address: the host part of
 * @src (as inet_lnaof() defines it) in network byte order.
 */
static inline uint32_t gen_spi(struct in_addr src)
{
	uint32_t host_part = inet_lnaof(src);

	return htonl(host_part);
}
/*
 * Create a tunnel-mode IPv4 SA @src -> @dst (XFRM_MSG_NEWSA) with SPI @spi
 * and the algorithms named in @desc, then wait for the kernel's ack.
 *
 * @xfrm_sock: NETLINK_XFRM socket
 * @seq:       sequence number stamped on the request
 * @spi:       SPI of the SA
 * @src, @dst: selector and SA endpoints
 * @desc:      algorithms, packed by xfrm_state_pack_algo()
 *
 * Returns 0 on success, -1 on a packing or send failure, otherwise the
 * result of netlink_check_answer().
 */
static int xfrm_state_add(int xfrm_sock, uint32_t seq, uint32_t spi,
			  struct in_addr src, struct in_addr dst,
			  struct xfrm_desc *desc)
{
	struct {
		struct nlmsghdr nh;
		struct xfrm_usersa_info info;
		char attrbuf[MAX_PAYLOAD];
	} req;
	struct xfrm_usersa_info *sa = &req.info;

	memset(&req, 0, sizeof(req));

	/* Header: acked NEWSA request. */
	req.nh.nlmsg_type = XFRM_MSG_NEWSA;
	req.nh.nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
	req.nh.nlmsg_seq = seq;
	req.nh.nlmsg_len = NLMSG_LENGTH(sizeof(*sa));

	/* Selector: src -> dst with prefix length PREFIX_LEN. */
	sa->sel.saddr.a4 = src.s_addr;
	sa->sel.daddr.a4 = dst.s_addr;
	sa->sel.family = AF_INET;
	sa->sel.prefixlen_s = PREFIX_LEN;
	sa->sel.prefixlen_d = PREFIX_LEN;

	/* SA identity.  Note: zero-spi cannot be deleted. */
	sa->id.daddr.a4 = dst.s_addr;
	sa->id.spi = spi;
	sa->id.proto = desc->proto;
	sa->saddr.a4 = src.s_addr;

	/* Lifetime: unlimited bytes and packets, soft and hard. */
	sa->lft.soft_byte_limit = XFRM_INF;
	sa->lft.hard_byte_limit = XFRM_INF;
	sa->lft.soft_packet_limit = XFRM_INF;
	sa->lft.hard_packet_limit = XFRM_INF;

	sa->family = AF_INET;
	sa->mode = XFRM_MODE_TUNNEL;

	if (xfrm_state_pack_algo(&req.nh, sizeof(req), desc))
		return -1;

	if (send(xfrm_sock, &req, req.nh.nlmsg_len, 0) < 0) {
		pr_err("send()");
		return -1;
	}

	return netlink_check_answer(xfrm_sock);
}
/*
 * Return true if the dumped SA @info is the tunnel-mode IPv4 SA that
 * xfrm_state_add() installs for @spi, @src -> @dst and @desc->proto.
 * Algorithm attributes are not compared (see the XXX below).
 */
static bool xfrm_usersa_found(struct xfrm_usersa_info *info, uint32_t spi,
			      struct in_addr src, struct in_addr dst,
			      struct xfrm_desc *desc)
{
	const struct xfrm_selector *sel = &info->sel;
	const struct xfrm_lifetime_cfg *lft = &info->lft;
	bool addrs_match, sel_match, id_match, lft_match, sa_match;

	addrs_match = memcmp(&sel->daddr, &dst, sizeof(dst)) == 0 &&
		      memcmp(&sel->saddr, &src, sizeof(src)) == 0 &&
		      memcmp(&info->id.daddr, &dst, sizeof(dst)) == 0 &&
		      memcmp(&info->saddr, &src, sizeof(src)) == 0;
	sel_match = sel->family == AF_INET &&
		    sel->prefixlen_d == PREFIX_LEN &&
		    sel->prefixlen_s == PREFIX_LEN;
	id_match = info->id.spi == spi && info->id.proto == desc->proto;
	lft_match = lft->soft_byte_limit == XFRM_INF &&
		    lft->hard_byte_limit == XFRM_INF &&
		    lft->soft_packet_limit == XFRM_INF &&
		    lft->hard_packet_limit == XFRM_INF;
	sa_match = info->family == AF_INET && info->mode == XFRM_MODE_TUNNEL;

	/* XXX: check xfrm algo, see xfrm_state_pack_algo(). */
	return addrs_match && sel_match && id_match && lft_match && sa_match;
}
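/*
 * Dump the SAs whose source address is @src (XFRM_MSG_GETSA with
 * NLM_F_DUMP and an XFRMA_ADDRESS_FILTER) and verify that one of them is
 * the SA xfrm_state_add() created for @spi / @src -> @dst / @desc.
 *
 * @xfrm_sock: NETLINK_XFRM socket
 * @seq:       sequence number stamped on the request
 * @spi, @src, @dst, @desc: expected SA, compared via xfrm_usersa_found()
 *
 * Returns 0 if the SA was seen before NLMSG_DONE, -1 on a socket error,
 * an NLMSG_ERROR reply, or a dump that completes without the SA.
 */
static int xfrm_state_check(int xfrm_sock, uint32_t seq, uint32_t spi,
			    struct in_addr src, struct in_addr dst,
			    struct xfrm_desc *desc)
{
	struct {
		struct nlmsghdr nh;
		char attrbuf[MAX_PAYLOAD];
	} req;
	/*
	 * One received datagram.  A dump reply may batch several netlink
	 * messages into one datagram, so the buffer is walked with
	 * NLMSG_OK()/NLMSG_NEXT() instead of being read as a single message
	 * (which would drop every message after the first).
	 */
	struct {
		struct nlmsghdr nh;
		union {
			struct xfrm_usersa_info info;
			int error;
		};
		char attrbuf[MAX_PAYLOAD];
	} answer;
	struct xfrm_address_filter filter = {};
	bool found = false;

	memset(&req, 0, sizeof(req));
	req.nh.nlmsg_len = NLMSG_LENGTH(0);
	req.nh.nlmsg_type = XFRM_MSG_GETSA;
	req.nh.nlmsg_flags = NLM_F_REQUEST | NLM_F_DUMP;
	req.nh.nlmsg_seq = seq;

	/*
	 * Add dump filter by source address as there may be other tunnels
	 * in this netns (if tests run in parallel).
	 */
	filter.family = AF_INET;
	filter.splen = 0x1f; /* 0xffffffff mask see addr_match() */
	memcpy(&filter.saddr, &src, sizeof(src));
	if (rtattr_pack(&req.nh, sizeof(req), XFRMA_ADDRESS_FILTER,
			&filter, sizeof(filter)))
		return -1;

	if (send(xfrm_sock, &req, req.nh.nlmsg_len, 0) < 0) {
		pr_err("send()");
		return -1;
	}

	while (1) {
		ssize_t rcvd = recv(xfrm_sock, &answer, sizeof(answer), 0);
		struct nlmsghdr *nh;
		int len;

		if (rcvd < 0) {
			pr_err("recv()");
			return -1;
		}
		/* NLMSG_OK()/NLMSG_NEXT() take the remaining length as an int. */
		len = (int)rcvd;

		for (nh = &answer.nh; NLMSG_OK(nh, len); nh = NLMSG_NEXT(nh, len)) {
			if (nh->nlmsg_type == NLMSG_ERROR) {
				/* struct nlmsgerr starts with the int error code. */
				int err = *(int *)NLMSG_DATA(nh);

				printk("NLMSG_ERROR: %d: %s", err, strerror(-err));
				return -1;
			} else if (nh->nlmsg_type == NLMSG_DONE) {
				if (found)
					return 0;
				printk("didn't find allocated xfrm state in dump");
				return -1;
			} else if (nh->nlmsg_type == XFRM_MSG_NEWSA) {
				struct xfrm_usersa_info *info = NLMSG_DATA(nh);

				if (xfrm_usersa_found(info, spi, src, dst, desc))
					found = true;
			}
		}
	}
}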
/*
 * Install both directions of the tunnel's SAs (@src -> @dst and
 * @dst -> @src, same SPI derived from @src) and verify each one shows up
 * in an XFRM_MSG_GETSA dump.
 *
 * @xfrm_sock: NETLINK_XFRM socket
 * @seq:       sequence counter, advanced once per request
 * @tunsrc, @tundst: accepted for symmetry with the caller; unused here
 *
 * Returns 0 on success, -1 if an SA could not be added or found.
 */
static int xfrm_set(int xfrm_sock, uint32_t *seq,
		    struct in_addr src, struct in_addr dst,
		    struct in_addr tunsrc, struct in_addr tundst,
		    struct xfrm_desc *desc)
{
	const uint32_t spi = gen_spi(src);
	const struct {
		struct in_addr from, to;
	} dirs[2] = {
		{ src, dst },
		{ dst, src },
	};
	int err = 0;

	for (size_t i = 0; i < 2; i++) {
		if (xfrm_state_add(xfrm_sock, (*seq)++, spi,
				   dirs[i].from, dirs[i].to, desc)) {
			printk("Failed to add xfrm state");
			return -1;
		}
	}

	/* Check dumps for XFRM_MSG_GETSA; both are checked even if the first fails. */
	for (size_t i = 0; i < 2; i++)
		err |= xfrm_state_check(xfrm_sock, (*seq)++, spi,
					dirs[i].from, dirs[i].to, desc);
	if (err) {
		printk("Failed to check xfrm state");
		return -1;
	}
	return 0;
}
/*
 * Install an xfrm policy (XFRM_MSG_NEWPOLICY) in direction @dir whose
 * selector is @src -> @dst and whose single template requires a
 * tunnel-mode SA @src -> @dst with SPI @spi and protocol @proto.
 *
 * @xfrm_sock:       NETLINK_XFRM socket
 * @seq:             sequence number stamped on the request
 * @tunsrc, @tundst: not used beyond their type here
 *
 * Returns 0 on success, -1 on a packing or send failure, otherwise the
 * result of netlink_check_answer().
 */
static int xfrm_policy_add(int xfrm_sock, uint32_t seq, uint32_t spi,
			   struct in_addr src, struct in_addr dst, uint8_t dir,
			   struct in_addr tunsrc, struct in_addr tundst, uint8_t proto)
{
	struct {
		struct nlmsghdr nh;
		struct xfrm_userpolicy_info info;
		char attrbuf[MAX_PAYLOAD];
	} req;
	struct xfrm_userpolicy_info *pol = &req.info;
	struct xfrm_user_tmpl tmpl;

	memset(&req, 0, sizeof(req));
	memset(&tmpl, 0, sizeof(tmpl));

	req.nh.nlmsg_type = XFRM_MSG_NEWPOLICY;
	req.nh.nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
	req.nh.nlmsg_seq = seq;
	req.nh.nlmsg_len = NLMSG_LENGTH(sizeof(*pol));

	/* Selector: src -> dst with prefix length PREFIX_LEN. */
	pol->sel.daddr.a4 = dst.s_addr;
	pol->sel.saddr.a4 = src.s_addr;
	pol->sel.family = AF_INET;
	pol->sel.prefixlen_d = PREFIX_LEN;
	pol->sel.prefixlen_s = PREFIX_LEN;

	/* Lifetime: unlimited. */
	pol->lft.soft_byte_limit = XFRM_INF;
	pol->lft.hard_byte_limit = XFRM_INF;
	pol->lft.soft_packet_limit = XFRM_INF;
	pol->lft.hard_packet_limit = XFRM_INF;
	pol->dir = dir;

	/* Template: tunnel-mode SA src -> dst, any algorithm allowed. */
	tmpl.id.daddr.a4 = dst.s_addr;
	tmpl.id.spi = spi; /* Note: zero-spi cannot be deleted */
	tmpl.id.proto = proto;
	tmpl.family = AF_INET;
	tmpl.saddr.a4 = src.s_addr;
	tmpl.mode = XFRM_MODE_TUNNEL;
	tmpl.aalgos = UINT32_MAX;
	tmpl.ealgos = UINT32_MAX;
	tmpl.calgos = UINT32_MAX;

	if (rtattr_pack(&req.nh, sizeof(req), XFRMA_TMPL, &tmpl, sizeof(tmpl)))
		return -1;

	if (send(xfrm_sock, &req, req.nh.nlmsg_len, 0) < 0) {
		pr_err("send()");
		return -1;
	}

	return netlink_check_answer(xfrm_sock);
}
/*
 * Install the two policies of a tunnel: OUT for @src -> @dst and IN for
 * @dst -> @src, both with the SPI derived from @src.
 *
 * Returns 0 on success, -1 as soon as one XFRM_MSG_NEWPOLICY fails.
 */
static int xfrm_prepare(int xfrm_sock, uint32_t *seq,
			struct in_addr src, struct in_addr dst,
			struct in_addr tunsrc, struct in_addr tundst, uint8_t proto)
{
	const uint32_t spi = gen_spi(src);
	const struct {
		struct in_addr from, to;
		uint8_t dir;
	} pols[2] = {
		{ src, dst, XFRM_POLICY_OUT },
		{ dst, src, XFRM_POLICY_IN },
	};

	for (size_t i = 0; i < 2; i++) {
		if (xfrm_policy_add(xfrm_sock, (*seq)++, spi, pols[i].from,
				    pols[i].to, pols[i].dir, tunsrc, tundst, proto)) {
			printk("Failed to add xfrm policy");
			return -1;
		}
	}
	return 0;
}
/*
 * Delete the policy (XFRM_MSG_DELPOLICY) selected by @src -> @dst with
 * prefix length PREFIX_LEN in direction @dir.
 *
 * @tunsrc, @tundst: not used beyond their type here
 *
 * Returns 0 on success, -1 on a send failure, otherwise the result of
 * netlink_check_answer().
 */
static int xfrm_policy_del(int xfrm_sock, uint32_t seq,
			   struct in_addr src, struct in_addr dst, uint8_t dir,
			   struct in_addr tunsrc, struct in_addr tundst)
{
	struct {
		struct nlmsghdr nh;
		struct xfrm_userpolicy_id id;
		char attrbuf[MAX_PAYLOAD];
	} req;
	struct xfrm_selector *sel = &req.id.sel;

	memset(&req, 0, sizeof(req));

	req.nh.nlmsg_type = XFRM_MSG_DELPOLICY;
	req.nh.nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
	req.nh.nlmsg_seq = seq;
	req.nh.nlmsg_len = NLMSG_LENGTH(sizeof(req.id));

	/* Identify the policy by selector + direction. */
	sel->daddr.a4 = dst.s_addr;
	sel->saddr.a4 = src.s_addr;
	sel->family = AF_INET;
	sel->prefixlen_d = PREFIX_LEN;
	sel->prefixlen_s = PREFIX_LEN;
	req.id.dir = dir;

	if (send(xfrm_sock, &req, req.nh.nlmsg_len, 0) < 0) {
		pr_err("send()");
		return -1;
	}

	return netlink_check_answer(xfrm_sock);
}
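/*
 * Remove the two policies installed by xfrm_prepare(): OUT for
 * @src -> @dst and IN for @dst -> @src.
 *
 * @xfrm_sock:       NETLINK_XFRM socket
 * @seq:             sequence counter, advanced once per request
 * @tunsrc, @tundst: passed through to xfrm_policy_del()
 *
 * Returns 0 on success, -1 as soon as one XFRM_MSG_DELPOLICY fails.
 */
static int xfrm_cleanup(int xfrm_sock, uint32_t *seq,
			struct in_addr src, struct in_addr dst,
			struct in_addr tunsrc, struct in_addr tundst)
{
	/* Messages name the operation actually performed here: deletion. */
	if (xfrm_policy_del(xfrm_sock, (*seq)++, src, dst,
			    XFRM_POLICY_OUT, tunsrc, tundst)) {
		printk("Failed to delete xfrm policy (out)");
		return -1;
	}
	if (xfrm_policy_del(xfrm_sock, (*seq)++, dst, src,
			    XFRM_POLICY_IN, tunsrc, tundst)) {
		printk("Failed to delete xfrm policy (in)");
		return -1;
	}
	return 0;
}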
/*
 * Delete the SA (XFRM_MSG_DELSA) identified by @dst / @spi / @proto, with
 * @src supplied as an XFRMA_SRCADDR attribute.
 *
 * Returns 0 on success, -1 on a packing or send failure, otherwise the
 * result of netlink_check_answer().
 */
static int xfrm_state_del(int xfrm_sock, uint32_t seq, uint32_t spi,
			  struct in_addr src, struct in_addr dst, uint8_t proto)
{
	struct {
		struct nlmsghdr nh;
		struct xfrm_usersa_id id;
		char attrbuf[MAX_PAYLOAD];
	} req;
	xfrm_address_t saddr = { .a4 = src.s_addr };

	memset(&req, 0, sizeof(req));

	req.nh.nlmsg_type = XFRM_MSG_DELSA;
	req.nh.nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
	req.nh.nlmsg_seq = seq;
	req.nh.nlmsg_len = NLMSG_LENGTH(sizeof(req.id));

	/* SA identity.  Note: zero-spi cannot be deleted. */
	req.id.daddr.a4 = dst.s_addr;
	req.id.spi = spi;
	req.id.proto = proto;
	req.id.family = AF_INET;

	if (rtattr_pack(&req.nh, sizeof(req), XFRMA_SRCADDR, &saddr, sizeof(saddr)))
		return -1;

	if (send(xfrm_sock, &req, req.nh.nlmsg_len, 0) < 0) {
		pr_err("send()");
		return -1;
	}

	return netlink_check_answer(xfrm_sock);
}
/*
 * Delete both SAs of the tunnel (@src -> @dst and @dst -> @src, SPI
 * derived from @src).
 *
 * @tunsrc, @tundst: accepted for symmetry with the caller; unused here
 *
 * Returns 0 on success, -1 as soon as one XFRM_MSG_DELSA fails.
 */
static int xfrm_delete(int xfrm_sock, uint32_t *seq,
		       struct in_addr src, struct in_addr dst,
		       struct in_addr tunsrc, struct in_addr tundst, uint8_t proto)
{
	const uint32_t spi = gen_spi(src);
	const struct {
		struct in_addr from, to;
	} dirs[2] = {
		{ src, dst },
		{ dst, src },
	};

	for (size_t i = 0; i < 2; i++) {
		if (xfrm_state_del(xfrm_sock, (*seq)++, spi,
				   dirs[i].from, dirs[i].to, proto)) {
			printk("Failed to remove xfrm state");
			return -1;
		}
	}
	return 0;
}
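/*
 * Ask the kernel to allocate an SPI in the range [@spi, @spi] for @proto
 * (XFRM_MSG_ALLOCSPI) and check the reply.
 *
 * @xfrm_sock: NETLINK_XFRM socket
 * @seq:       sequence counter, incremented by one
 * @spi:       the only acceptable SPI (min == max); child_f() passes -1
 * @proto:     IPsec protocol of the SA
 *
 * Returns KSFT_PASS if the kernel answered with an XFRM_MSG_NEWSA whose
 * SPI equals @spi, or with an NLMSG_ERROR carrying error 0; KSFT_FAIL on a
 * socket failure, an unexpected message type, a different SPI or a
 * non-zero error.
 */
static int xfrm_state_allocspi(int xfrm_sock, uint32_t *seq,
			       uint32_t spi, uint8_t proto)
{
	struct {
		struct nlmsghdr nh;
		struct xfrm_userspi_info spi;
	} req;
	struct {
		struct nlmsghdr nh;
		union {
			struct xfrm_usersa_info info;
			int error;
		};
	} answer;

	memset(&req, 0, sizeof(req));
	req.nh.nlmsg_len = NLMSG_LENGTH(sizeof(req.spi));
	req.nh.nlmsg_type = XFRM_MSG_ALLOCSPI;
	req.nh.nlmsg_flags = NLM_F_REQUEST;
	req.nh.nlmsg_seq = (*seq)++;

	req.spi.info.family = AF_INET;
	/* A single-value range: the kernel must return exactly this SPI. */
	req.spi.min = spi;
	req.spi.max = spi;
	req.spi.info.id.proto = proto;

	if (send(xfrm_sock, &req, req.nh.nlmsg_len, 0) < 0) {
		pr_err("send()");
		return KSFT_FAIL;
	}

	/* answer has no attribute space; only the header and SA info are used. */
	if (recv(xfrm_sock, &answer, sizeof(answer), 0) < 0) {
		pr_err("recv()");
		return KSFT_FAIL;
	} else if (answer.nh.nlmsg_type == XFRM_MSG_NEWSA) {
		/*
		 * id.spi comes back in network byte order while @spi is the
		 * host-order request value, hence ntohl() (htonl() yields the
		 * same bits but names the wrong direction).
		 */
		uint32_t new_spi = ntohl(answer.info.id.spi);

		if (new_spi != spi) {
			printk("allocated spi is different from requested: %#x != %#x",
				new_spi, spi);
			return KSFT_FAIL;
		}
		return KSFT_PASS;
	} else if (answer.nh.nlmsg_type != NLMSG_ERROR) {
		printk("expected NLMSG_ERROR, got %d", (int)answer.nh.nlmsg_type);
		return KSFT_FAIL;
	}

	printk("NLMSG_ERROR: %d: %s", answer.error, strerror(-answer.error));
	return (answer.error) ? KSFT_FAIL : KSFT_PASS;
}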
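/*
 * Open a netlink socket of protocol @proto via netlink_sock() and bind it
 * to the multicast @groups, then read the bound address back and check it.
 *
 * @sock:   receives the socket fd on success; on failure the fd opened here
 *          is closed and *sock is reset to -1
 * @seq:    passed through to netlink_sock()
 * @proto:  netlink protocol (e.g. NETLINK_XFRM)
 * @groups: nl_groups bitmask to subscribe to
 *
 * Returns 0 on success, -1 on failure.
 */
static int netlink_sock_bind(int *sock, uint32_t *seq, int proto, uint32_t groups)
{
	struct sockaddr_nl snl = {};
	socklen_t addr_len;

	snl.nl_family = AF_NETLINK;
	snl.nl_groups = groups;

	if (netlink_sock(sock, seq, proto)) {
		printk("Failed to open xfrm netlink socket");
		return -1;
	}

	if (bind(*sock, (struct sockaddr *)&snl, sizeof(snl)) < 0) {
		pr_err("bind()");
		goto out_close;
	}

	/* Sanity-check the address the socket actually got bound to. */
	addr_len = sizeof(snl);
	if (getsockname(*sock, (struct sockaddr *)&snl, &addr_len) < 0) {
		pr_err("getsockname()");
		goto out_close;
	}
	if (addr_len != sizeof(snl)) {
		/* socklen_t is unsigned: %u, not %d */
		printk("Wrong address length %u", (unsigned int)addr_len);
		goto out_close;
	}
	if (snl.nl_family != AF_NETLINK) {
		printk("Wrong address family %d", snl.nl_family);
		goto out_close;
	}
	return 0;

out_close:
	close(*sock);
	*sock = -1; /* don't hand the caller a closed descriptor */
	return -1;
}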
/*
 * Verify that an XFRM_MSG_ACQUIRE sent from userspace reaches listeners of
 * the XFRMNLGRP_ACQUIRE multicast group unchanged.
 *
 * @xfrm_sock: NETLINK_XFRM socket the request is sent on
 * @seq:       sequence counter for @xfrm_sock, incremented by one
 * @nr:        child index; unused here
 *
 * A second socket subscribed to XFRMNLGRP_ACQUIRE is opened, a request with
 * marker values in aalgos/ealgos/calgos is sent and acked on @xfrm_sock,
 * then the multicast copy is read from the listener and the markers are
 * compared.  @req is reused for the request, the ack and the event.
 *
 * Returns KSFT_PASS on success, KSFT_FAIL on a socket/protocol failure or a
 * marker mismatch, and the (negative) NLMSG_ERROR code if the kernel
 * rejected the request.
 */
static int xfrm_monitor_acquire(int xfrm_sock, uint32_t *seq, unsigned int nr)
{
	struct {
		struct nlmsghdr nh;
		union {
			struct xfrm_user_acquire acq;
			int error;
		};
		char attrbuf[MAX_PAYLOAD];
	} req;
	struct xfrm_user_tmpl xfrm_tmpl = {
		.family = AF_INET,
		.id.proto = IPPROTO_ESP,
	};
	int xfrm_listen = -1;
	int ret = KSFT_FAIL;
	uint32_t seq_listen;

	if (netlink_sock_bind(&xfrm_listen, &seq_listen, NETLINK_XFRM, XFRMNLGRP_ACQUIRE))
		return KSFT_FAIL;

	memset(&req, 0, sizeof(req));
	req.nh.nlmsg_type = XFRM_MSG_ACQUIRE;
	req.nh.nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
	req.nh.nlmsg_seq = (*seq)++;
	req.nh.nlmsg_len = NLMSG_LENGTH(sizeof(req.acq));
	req.acq.policy.sel.family = AF_INET;
	/* Marker values, compared again when the event comes back. */
	req.acq.aalgos = 0xfeed;
	req.acq.ealgos = 0xbaad;
	req.acq.calgos = 0xbabe;

	if (rtattr_pack(&req.nh, sizeof(req), XFRMA_TMPL, &xfrm_tmpl, sizeof(xfrm_tmpl)))
		goto out_close;

	if (send(xfrm_sock, &req, req.nh.nlmsg_len, 0) < 0) {
		pr_err("send()");
		goto out_close;
	}

	/* The ack overwrites the request buffer. */
	if (recv(xfrm_sock, &req, sizeof(req), 0) < 0) {
		pr_err("recv()");
		goto out_close;
	}
	if (req.nh.nlmsg_type != NLMSG_ERROR) {
		printk("expected NLMSG_ERROR, got %d", (int)req.nh.nlmsg_type);
		goto out_close;
	}
	if (req.error) {
		printk("NLMSG_ERROR: %d: %s", req.error, strerror(-req.error));
		ret = req.error;
		goto out_close;
	}

	/* The multicast copy; its nlmsg_type is not checked before reading acq. */
	if (recv(xfrm_listen, &req, sizeof(req), 0) < 0) {
		pr_err("recv()");
		goto out_close;
	}
	if (req.acq.aalgos != 0xfeed || req.acq.ealgos != 0xbaad
	    || req.acq.calgos != 0xbabe) {
		printk("xfrm_user_acquire has changed %x %x %x",
		       req.acq.aalgos, req.acq.ealgos, req.acq.calgos);
		goto out_close;
	}
	ret = KSFT_PASS;

out_close:
	close(xfrm_listen);
	return ret;
}
/*
 * Verify that a userspace XFRM_MSG_EXPIRE for an existing SA is delivered
 * to XFRMNLGRP_EXPIRE listeners with the hard flag set.
 *
 * @xfrm_sock: NETLINK_XFRM socket the requests are sent on
 * @seq:       sequence counter for @xfrm_sock, advanced per request
 * @nr:        child index, used to derive the tunnel addresses
 * @desc:      algorithms/protocol of the SA that is created first
 *
 * An SA @src -> @dst is installed, a listener is bound to XFRMNLGRP_EXPIRE,
 * then an expire request with hard = 0xff is sent and acked on @xfrm_sock
 * and the event is read from the listener; it is expected to carry
 * hard == 1.  @req is reused for the request, the ack and the event.
 *
 * NOTE(review): if netlink_sock_bind() fails, the SA added just before is
 * not removed here.
 *
 * Returns KSFT_PASS on success, KSFT_FAIL on a socket/protocol failure or
 * an unexpected hard value, and the (negative) NLMSG_ERROR code if the
 * kernel rejected the expire request.
 */
static int xfrm_expire_state(int xfrm_sock, uint32_t *seq,
			     unsigned int nr, struct xfrm_desc *desc)
{
	struct {
		struct nlmsghdr nh;
		union {
			struct xfrm_user_expire expire;
			int error;
		};
	} req;
	const struct in_addr src = inet_makeaddr(INADDR_B, child_ip(nr));
	const struct in_addr dst = inet_makeaddr(INADDR_B, grchild_ip(nr));
	const uint32_t spi = gen_spi(src);
	int xfrm_listen = -1;
	int ret = KSFT_FAIL;
	uint32_t seq_listen;

	if (xfrm_state_add(xfrm_sock, (*seq)++, spi, src, dst, desc)) {
		printk("Failed to add xfrm state");
		return KSFT_FAIL;
	}

	if (netlink_sock_bind(&xfrm_listen, &seq_listen, NETLINK_XFRM, XFRMNLGRP_EXPIRE))
		return KSFT_FAIL;

	memset(&req, 0, sizeof(req));
	req.nh.nlmsg_type = XFRM_MSG_EXPIRE;
	req.nh.nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
	req.nh.nlmsg_seq = (*seq)++;
	req.nh.nlmsg_len = NLMSG_LENGTH(sizeof(req.expire));

	/* Identify the SA just added. */
	req.expire.state.id.daddr.a4 = dst.s_addr;
	req.expire.state.id.spi = spi;
	req.expire.state.id.proto = desc->proto;
	req.expire.state.family = AF_INET;
	req.expire.hard = 0xff;

	if (send(xfrm_sock, &req, req.nh.nlmsg_len, 0) < 0) {
		pr_err("send()");
		goto out_close;
	}

	/* The ack overwrites the request buffer. */
	if (recv(xfrm_sock, &req, sizeof(req), 0) < 0) {
		pr_err("recv()");
		goto out_close;
	}
	if (req.nh.nlmsg_type != NLMSG_ERROR) {
		printk("expected NLMSG_ERROR, got %d", (int)req.nh.nlmsg_type);
		goto out_close;
	}
	if (req.error) {
		printk("NLMSG_ERROR: %d: %s", req.error, strerror(-req.error));
		ret = req.error;
		goto out_close;
	}

	/* The multicast event; its nlmsg_type is not checked before reading expire. */
	if (recv(xfrm_listen, &req, sizeof(req), 0) < 0) {
		pr_err("recv()");
		goto out_close;
	}
	if (req.expire.hard != 0x1) {
		printk("expire.hard is not set: %x", req.expire.hard);
		goto out_close;
	}
	ret = KSFT_PASS;

out_close:
	close(xfrm_listen);
	return ret;
}
/*
 * Verify that a userspace XFRM_MSG_POLEXPIRE for an existing policy is
 * delivered to XFRMNLGRP_EXPIRE listeners with the hard flag set.
 *
 * @xfrm_sock: NETLINK_XFRM socket the requests are sent on
 * @seq:       sequence counter for @xfrm_sock, advanced per request
 * @nr:        child index, used to derive the tunnel addresses
 * @desc:      supplies the protocol of the OUT policy created first
 *
 * An OUT policy @src -> @dst is installed, a listener is bound to
 * XFRMNLGRP_EXPIRE, then a policy-expire request with hard = 0xff is sent
 * and acked on @xfrm_sock and the event is read from the listener; it is
 * expected to carry hard == 1.  @req is reused for the request, the ack
 * and the event.
 *
 * NOTE(review): if netlink_sock_bind() fails, the policy added just before
 * is not removed here.
 *
 * Returns KSFT_PASS on success, KSFT_FAIL on a socket/protocol failure or
 * an unexpected hard value, and the (negative) NLMSG_ERROR code if the
 * kernel rejected the expire request.
 */
static int xfrm_expire_policy(int xfrm_sock, uint32_t *seq,
			      unsigned int nr, struct xfrm_desc *desc)
{
	struct {
		struct nlmsghdr nh;
		union {
			struct xfrm_user_polexpire expire;
			int error;
		};
	} req;
	const struct in_addr src = inet_makeaddr(INADDR_B, child_ip(nr));
	const struct in_addr dst = inet_makeaddr(INADDR_B, grchild_ip(nr));
	const struct in_addr tunsrc = inet_makeaddr(INADDR_A, child_ip(nr));
	const struct in_addr tundst = inet_makeaddr(INADDR_A, grchild_ip(nr));
	struct xfrm_selector *sel = &req.expire.pol.sel;
	int xfrm_listen = -1;
	int ret = KSFT_FAIL;
	uint32_t seq_listen;

	if (xfrm_policy_add(xfrm_sock, (*seq)++, gen_spi(src), src, dst,
			    XFRM_POLICY_OUT, tunsrc, tundst, desc->proto)) {
		printk("Failed to add xfrm policy");
		return KSFT_FAIL;
	}

	if (netlink_sock_bind(&xfrm_listen, &seq_listen, NETLINK_XFRM, XFRMNLGRP_EXPIRE))
		return KSFT_FAIL;

	memset(&req, 0, sizeof(req));
	req.nh.nlmsg_type = XFRM_MSG_POLEXPIRE;
	req.nh.nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
	req.nh.nlmsg_seq = (*seq)++;
	req.nh.nlmsg_len = NLMSG_LENGTH(sizeof(req.expire));

	/* Selector of the policy just added. */
	sel->daddr.a4 = dst.s_addr;
	sel->saddr.a4 = src.s_addr;
	sel->family = AF_INET;
	sel->prefixlen_d = PREFIX_LEN;
	sel->prefixlen_s = PREFIX_LEN;
	req.expire.pol.dir = XFRM_POLICY_OUT;
	req.expire.hard = 0xff;

	if (send(xfrm_sock, &req, req.nh.nlmsg_len, 0) < 0) {
		pr_err("send()");
		goto out_close;
	}

	/* The ack overwrites the request buffer. */
	if (recv(xfrm_sock, &req, sizeof(req), 0) < 0) {
		pr_err("recv()");
		goto out_close;
	}
	if (req.nh.nlmsg_type != NLMSG_ERROR) {
		printk("expected NLMSG_ERROR, got %d", (int)req.nh.nlmsg_type);
		goto out_close;
	}
	if (req.error) {
		printk("NLMSG_ERROR: %d: %s", req.error, strerror(-req.error));
		ret = req.error;
		goto out_close;
	}

	/* The multicast event; its nlmsg_type is not checked before reading expire. */
	if (recv(xfrm_listen, &req, sizeof(req), 0) < 0) {
		pr_err("recv()");
		goto out_close;
	}
	if (req.expire.hard != 0x1) {
		printk("expire.hard is not set: %x", req.expire.hard);
		goto out_close;
	}
	ret = KSFT_PASS;

out_close:
	close(xfrm_listen);
	return ret;
}
/*
 * Set the SPD hash thresholds (XFRM_MSG_NEWSPDINFO with
 * XFRMA_SPD_IPV4_HTHRESH / XFRMA_SPD_IPV6_HTHRESH) and wait for the ack.
 *
 * @xfrm_sock:            NETLINK_XFRM socket
 * @seq:                  sequence counter, incremented by one
 * @thresh4_l/@thresh4_r: IPv4 lbits/rbits
 * @thresh6_l/@thresh6_r: IPv6 lbits/rbits
 * @add_bad_attr:         also append an empty XFRMA_IF_ID attribute, which
 *                        lies above XFRMA_SPD_MAX for this message type
 *
 * Returns 0 on success, -1 on a packing/socket failure, an unexpected reply
 * type or a non-zero NLMSG_ERROR.
 */
static int xfrm_spdinfo_set_thresh(int xfrm_sock, uint32_t *seq,
				   unsigned thresh4_l, unsigned thresh4_r,
				   unsigned thresh6_l, unsigned thresh6_r,
				   bool add_bad_attr)
{
	struct {
		struct nlmsghdr nh;
		union {
			uint32_t unused;
			int error;
		};
		char attrbuf[MAX_PAYLOAD];
	} req;
	struct xfrmu_spdhthresh thresh4 = { .lbits = thresh4_l, .rbits = thresh4_r };
	struct xfrmu_spdhthresh thresh6 = { .lbits = thresh6_l, .rbits = thresh6_r };

	memset(&req, 0, sizeof(req));
	req.nh.nlmsg_type = XFRM_MSG_NEWSPDINFO;
	req.nh.nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
	req.nh.nlmsg_seq = (*seq)++;
	req.nh.nlmsg_len = NLMSG_LENGTH(sizeof(req.unused));

	if (rtattr_pack(&req.nh, sizeof(req), XFRMA_SPD_IPV4_HTHRESH, &thresh4, sizeof(thresh4)))
		return -1;
	if (rtattr_pack(&req.nh, sizeof(req), XFRMA_SPD_IPV6_HTHRESH, &thresh6, sizeof(thresh6)))
		return -1;

	if (add_bad_attr) {
		BUILD_BUG_ON(XFRMA_IF_ID <= XFRMA_SPD_MAX + 1);
		if (rtattr_pack(&req.nh, sizeof(req), XFRMA_IF_ID, NULL, 0)) {
			pr_err("adding attribute failed: no space");
			return -1;
		}
	}

	if (send(xfrm_sock, &req, req.nh.nlmsg_len, 0) < 0) {
		pr_err("send()");
		return -1;
	}

	/* The ack overwrites the request buffer. */
	if (recv(xfrm_sock, &req, sizeof(req), 0) < 0) {
		pr_err("recv()");
		return -1;
	}
	if (req.nh.nlmsg_type != NLMSG_ERROR) {
		printk("expected NLMSG_ERROR, got %d", (int)req.nh.nlmsg_type);
		return -1;
	}
	if (req.error) {
		printk("NLMSG_ERROR: %d: %s", req.error, strerror(-req.error));
		return -1;
	}
	return 0;
}
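/* SPD hash thresholds (prefix bits) pushed and read back by xfrm_spdinfo_attrs(). */
enum {
	SPD_TEST_V4_LBITS = 32,
	SPD_TEST_V4_RBITS = 31,
	SPD_TEST_V6_LBITS = 120,
	SPD_TEST_V6_RBITS = 16,
	SPD_DEFAULT_V4_BITS = 32,
	SPD_DEFAULT_V6_BITS = 128,
};

/*
 * Compare one XFRMA_SPD_IPV{4,6}_HTHRESH attribute with the expected
 * (lbits, rbits) pair.  Returns 1 on match, 0 after logging otherwise.
 */
static int xfrm_spd_thresh_matches(struct rtattr *attr,
				   unsigned int lbits, unsigned int rbits)
{
	struct xfrmu_spdhthresh *t = RTA_DATA(attr);

	if (t->lbits != lbits || t->rbits != rbits) {
		pr_err("thresh differ: %u, %u",
		       t->lbits, t->rbits);
		return 0;
	}
	return 1;
}

/*
 * Round-trip the SPD hash thresholds through XFRM_MSG_NEWSPDINFO and
 * XFRM_MSG_GETSPDINFO: set non-default values, read them back and require
 * both the IPv4 and IPv6 attribute to be present with those values, restore
 * the defaults, then send a request carrying an attribute above
 * XFRMA_SPD_MAX (its result is deliberately ignored, see below).
 *
 * @xfrm_sock: NETLINK_XFRM socket
 * @seq:       sequence counter, advanced by each request
 *
 * Returns KSFT_PASS on success, KSFT_FAIL when a threshold cannot be set or
 * does not read back as expected, and -1 when GETSPDINFO itself is answered
 * with NLMSG_ERROR (a pre-existing inconsistency with the KSFT_* codes,
 * preserved here).
 */
static int xfrm_spdinfo_attrs(int xfrm_sock, uint32_t *seq)
{
	struct {
		struct nlmsghdr nh;
		union {
			uint32_t unused;
			int error;
		};
		char attrbuf[MAX_PAYLOAD];
	} req;

	if (xfrm_spdinfo_set_thresh(xfrm_sock, seq,
				    SPD_TEST_V4_LBITS, SPD_TEST_V4_RBITS,
				    SPD_TEST_V6_LBITS, SPD_TEST_V6_RBITS, false)) {
		pr_err("Can't set SPD HTHRESH");
		return KSFT_FAIL;
	}

	memset(&req, 0, sizeof(req));
	req.nh.nlmsg_len = NLMSG_LENGTH(sizeof(req.unused));
	req.nh.nlmsg_type = XFRM_MSG_GETSPDINFO;
	req.nh.nlmsg_flags = NLM_F_REQUEST;
	req.nh.nlmsg_seq = (*seq)++;

	if (send(xfrm_sock, &req, req.nh.nlmsg_len, 0) < 0) {
		pr_err("send()");
		return KSFT_FAIL;
	}

	/* The reply overwrites the request buffer. */
	if (recv(xfrm_sock, &req, sizeof(req), 0) < 0) {
		pr_err("recv()");
		return KSFT_FAIL;
	} else if (req.nh.nlmsg_type == XFRM_MSG_NEWSPDINFO) {
		size_t len = NLMSG_PAYLOAD(&req.nh, sizeof(req.unused));
		struct rtattr *attr = (void *)req.attrbuf;
		int got_thresh = 0;

		for (; RTA_OK(attr, len); attr = RTA_NEXT(attr, len)) {
			if (attr->rta_type == XFRMA_SPD_IPV4_HTHRESH) {
				got_thresh++;
				if (!xfrm_spd_thresh_matches(attr, SPD_TEST_V4_LBITS,
							     SPD_TEST_V4_RBITS))
					return KSFT_FAIL;
			}
			if (attr->rta_type == XFRMA_SPD_IPV6_HTHRESH) {
				got_thresh++;
				if (!xfrm_spd_thresh_matches(attr, SPD_TEST_V6_LBITS,
							     SPD_TEST_V6_RBITS))
					return KSFT_FAIL;
			}
		}
		if (got_thresh != 2) {
			pr_err("only %d thresh returned by XFRM_MSG_GETSPDINFO", got_thresh);
			return KSFT_FAIL;
		}
	} else if (req.nh.nlmsg_type != NLMSG_ERROR) {
		printk("expected NLMSG_ERROR, got %d", (int)req.nh.nlmsg_type);
		return KSFT_FAIL;
	} else {
		printk("NLMSG_ERROR: %d: %s", req.error, strerror(-req.error));
		return -1;
	}

	/* Restore the default */
	if (xfrm_spdinfo_set_thresh(xfrm_sock, seq,
				    SPD_DEFAULT_V4_BITS, SPD_DEFAULT_V4_BITS,
				    SPD_DEFAULT_V6_BITS, SPD_DEFAULT_V6_BITS, false)) {
		pr_err("Can't restore SPD HTHRESH");
		return KSFT_FAIL;
	}

	/*
	 * At this moment xfrm uses nlmsg_parse_deprecated(), which
	 * implies NL_VALIDATE_LIBERAL - ignoring attributes with
	 * (type > maxtype). nla_parse_depricated_strict() would enforce
	 * it. Or even stricter nla_parse().
	 * Right now it's not expected to fail, but to be ignored.
	 * Either outcome passes, so the return value is discarded.
	 */
	(void)xfrm_spdinfo_set_thresh(xfrm_sock, seq,
				      SPD_DEFAULT_V4_BITS, SPD_DEFAULT_V4_BITS,
				      SPD_DEFAULT_V6_BITS, SPD_DEFAULT_V6_BITS, true);

	return KSFT_PASS;
}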
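/* Tell the grandchild (over @cmd_fd) to perform xfrm step @type for @desc. */
static void child_notify_xfrm(int cmd_fd, int type, const struct xfrm_desc *desc)
{
	struct test_desc msg;

	memset(&msg, 0, sizeof(msg));
	msg.type = type;
	memcpy(&msg.body.xfrm_desc, desc, sizeof(*desc));
	write_msg(cmd_fd, &msg, 1);
}

/*
 * Run one CREATE_TUNNEL test from the child side: ping the grandchild
 * without xfrm, set up policies and SAs on both sides (the grandchild is
 * driven over @cmd_fd), ping through the tunnel, then tear everything down.
 *
 * @xfrm_sock: NETLINK_XFRM socket of the child
 * @seq:       sequence counter for @xfrm_sock
 * @nr:        child index, used to derive the addresses
 * @cmd_fd:    control channel to the grandchild
 * @buf:       page_size-sized buffer handed to do_ping()
 * @desc:      tunnel descriptor (protocol and algorithms)
 *
 * Returns KSFT_PASS if both pings succeed and the teardown is clean,
 * KSFT_FAIL otherwise.  NOTE(review): write_msg() results are not checked.
 */
static int child_serv(int xfrm_sock, uint32_t *seq,
		unsigned int nr, int cmd_fd, void *buf, struct xfrm_desc *desc)
{
	struct in_addr src, dst, tunsrc, tundst;
	int ret = KSFT_FAIL;

	src = inet_makeaddr(INADDR_B, child_ip(nr));
	dst = inet_makeaddr(INADDR_B, grchild_ip(nr));
	tunsrc = inet_makeaddr(INADDR_A, child_ip(nr));
	tundst = inet_makeaddr(INADDR_A, grchild_ip(nr));

	/* UDP pinging without xfrm */
	if (do_ping(cmd_fd, buf, page_size, src, true, 0, 0, udp_ping_send)) {
		printk("ping failed before setting xfrm");
		return KSFT_FAIL;
	}

	child_notify_xfrm(cmd_fd, MSG_XFRM_PREPARE, desc);
	if (xfrm_prepare(xfrm_sock, seq, src, dst, tunsrc, tundst, desc->proto)) {
		printk("failed to prepare xfrm");
		goto cleanup;
	}

	child_notify_xfrm(cmd_fd, MSG_XFRM_ADD, desc);
	if (xfrm_set(xfrm_sock, seq, src, dst, tunsrc, tundst, desc)) {
		printk("failed to set xfrm");
		goto delete;
	}

	/* UDP pinging with xfrm tunnel */
	if (do_ping(cmd_fd, buf, page_size, tunsrc,
				true, 0, 0, udp_ping_send)) {
		printk("ping failed for xfrm");
		goto delete;
	}

	ret = KSFT_PASS;
delete:
	/* xfrm delete */
	child_notify_xfrm(cmd_fd, MSG_XFRM_DEL, desc);
	if (xfrm_delete(xfrm_sock, seq, src, dst, tunsrc, tundst, desc->proto)) {
		/* This is the SA teardown, not a ping. */
		printk("failed to remove xfrm");
		ret = KSFT_FAIL;
	}
cleanup:
	child_notify_xfrm(cmd_fd, MSG_XFRM_CLEANUP, desc);
	if (xfrm_cleanup(xfrm_sock, seq, src, dst, tunsrc, tundst)) {
		printk("failed to cleanup xfrm");
		ret = KSFT_FAIL;
	}
	return ret;
}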
/*
 * Dispatch one test descriptor in the child and return its KSFT_* result.
 * Exits the process on an unknown descriptor type.
 */
static int child_run_desc(int xfrm_sock, uint32_t *seq, unsigned int nr,
			  int cmd_fd, void *buf, struct xfrm_desc *desc)
{
	switch (desc->type) {
	case CREATE_TUNNEL:
		return child_serv(xfrm_sock, seq, nr, cmd_fd, buf, desc);
	case ALLOCATE_SPI:
		/* -1: request the all-ones SPI, see xfrm_state_allocspi(). */
		return xfrm_state_allocspi(xfrm_sock, seq, -1, desc->proto);
	case MONITOR_ACQUIRE:
		return xfrm_monitor_acquire(xfrm_sock, seq, nr);
	case EXPIRE_STATE:
		return xfrm_expire_state(xfrm_sock, seq, nr, desc);
	case EXPIRE_POLICY:
		return xfrm_expire_policy(xfrm_sock, seq, nr, desc);
	case SPDINFO_ATTRS:
		return xfrm_spdinfo_attrs(xfrm_sock, seq);
	default:
		printk("Unknown desc type %d", desc->type);
		exit(KSFT_FAIL);
	}
}

/*
 * Body of the child process: enter its netns, open a NETLINK_XFRM socket,
 * handshake with the grandchild over @cmd_fd, then read test descriptors
 * from @test_desc_fd until EOF, running each and reporting its result via
 * write_test_result().  Never returns; exits with KSFT_PASS once all
 * descriptors are processed, KSFT_FAIL on a setup or read error.
 */
static int child_f(unsigned int nr, int test_desc_fd, int cmd_fd, void *buf)
{
	struct xfrm_desc desc;
	struct test_desc msg;
	int xfrm_sock = -1;
	uint32_t seq;

	if (switch_ns(nsfd_childa))
		exit(KSFT_FAIL);

	if (netlink_sock(&xfrm_sock, &seq, NETLINK_XFRM)) {
		printk("Failed to open xfrm netlink socket");
		exit(KSFT_FAIL);
	}

	/* Check that seq sock is ready, just for sure. */
	memset(&msg, 0, sizeof(msg));
	msg.type = MSG_ACK;
	write_msg(cmd_fd, &msg, 1);
	read_msg(cmd_fd, &msg, 1);
	if (msg.type != MSG_ACK) {
		printk("Ack failed");
		exit(KSFT_FAIL);
	}

	while (1) {
		ssize_t n = read(test_desc_fd, &desc, sizeof(desc));

		if (n == 0) /* EOF */
			break;
		if (n != sizeof(desc)) {
			pr_err("read() returned %zd", n);
			exit(KSFT_FAIL);
		}

		write_test_result(child_run_desc(xfrm_sock, &seq, nr,
						 cmd_fd, buf, &desc), &desc);
	}

	close(xfrm_sock);
	msg.type = MSG_EXIT;
	write_msg(cmd_fd, &msg, 1);
	exit(KSFT_PASS);
}
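/*
 * Handle one control message from the child on the grandchild side.
 *
 * @nr:        child index, used to derive the addresses (mirrored: the
 *             grandchild's src is the child's dst)
 * @cmd_fd:    control channel to the child
 * @buf:       page_size-sized buffer handed to do_ping()
 * @msg:       the message just read; its body holds the xfrm descriptor or
 *             the ping parameters depending on @msg->type
 * @xfrm_sock: NETLINK_XFRM socket of the grandchild
 * @seq:       sequence counter for @xfrm_sock
 *
 * MSG_EXIT terminates the process with KSFT_PASS.  Failures of the xfrm
 * operations are logged (and the policies cleaned up) but not reported
 * back; the child detects them through its own checks and pings.
 */
static void grand_child_serv(unsigned int nr, int cmd_fd, void *buf,
		struct test_desc *msg, int xfrm_sock, uint32_t *seq)
{
	struct in_addr src, dst, tunsrc, tundst;
	bool tun_reply;
	struct xfrm_desc *desc = &msg->body.xfrm_desc;

	src = inet_makeaddr(INADDR_B, grchild_ip(nr));
	dst = inet_makeaddr(INADDR_B, child_ip(nr));
	tunsrc = inet_makeaddr(INADDR_A, grchild_ip(nr));
	tundst = inet_makeaddr(INADDR_A, child_ip(nr));

	switch (msg->type) {
	case MSG_EXIT:
		exit(KSFT_PASS);
	case MSG_ACK:
		write_msg(cmd_fd, msg, 1);
		break;
	case MSG_PING:
		/*
		 * Reply from the tunnel address when the child asked for a
		 * reply to anything but our plain address; this branch serves
		 * both the pre-xfrm and the through-tunnel pings.
		 */
		tun_reply = memcmp(&dst, &msg->body.ping.reply_ip, sizeof(in_addr_t));
		if (do_ping(cmd_fd, buf, page_size, tun_reply ? tunsrc : src,
				false, msg->body.ping.port,
				msg->body.ping.reply_ip, udp_ping_reply)) {
			/* Not specific to the pre-xfrm ping, so say so. */
			printk("ping reply failed");
		}
		break;
	case MSG_XFRM_PREPARE:
		if (xfrm_prepare(xfrm_sock, seq, src, dst, tunsrc, tundst,
				desc->proto)) {
			xfrm_cleanup(xfrm_sock, seq, src, dst, tunsrc, tundst);
			printk("failed to prepare xfrm");
		}
		break;
	case MSG_XFRM_ADD:
		if (xfrm_set(xfrm_sock, seq, src, dst, tunsrc, tundst, desc)) {
			xfrm_cleanup(xfrm_sock, seq, src, dst, tunsrc, tundst);
			printk("failed to set xfrm");
		}
		break;
	case MSG_XFRM_DEL:
		if (xfrm_delete(xfrm_sock, seq, src, dst, tunsrc, tundst,
				desc->proto)) {
			xfrm_cleanup(xfrm_sock, seq, src, dst, tunsrc, tundst);
			printk("failed to remove xfrm");
		}
		break;
	case MSG_XFRM_CLEANUP:
		if (xfrm_cleanup(xfrm_sock, seq, src, dst, tunsrc, tundst)) {
			printk("failed to cleanup xfrm");
		}
		break;
	default:
		printk("got unknown msg type %d", msg->type);
	}
}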
/*
 * Grandchild main loop: enter the "b" namespace, open an xfrm netlink
 * socket and serve requests from cmd_fd until MSG_EXIT (which exits from
 * inside grand_child_serv()). buf is the shared ping payload page.
 *
 * The loop has no exit condition of its own, so the trailing close()/exit()
 * are not reached in normal operation; they only give the function a
 * well-defined end. Any setup failure exits with KSFT_FAIL.
 */
static int grand_child_f(unsigned int nr, int cmd_fd, void *buf)
{
	int xfrm_sock = -1;
	uint32_t seq;
	struct test_desc request;

	if (switch_ns(nsfd_childb))
		exit(KSFT_FAIL);

	if (netlink_sock(&xfrm_sock, &seq, NETLINK_XFRM)) {
		printk("Failed to open xfrm netlink socket");
		exit(KSFT_FAIL);
	}

	for (;;) {
		read_msg(cmd_fd, &request, 1);
		grand_child_serv(nr, cmd_fd, buf, &request, xfrm_sock, &seq);
	}

	/* not reached */
	close(xfrm_sock);
	exit(KSFT_FAIL);
}
/*
 * Create the child/grandchild pair number nr on the veth device named veth.
 *
 * Both ends of the device are configured first (child side in nsfd_childa,
 * grandchild side in nsfd_childb). The caller then forks: the parent switches
 * back to its own namespace and returns to the selftest, while the child
 * maps a shared page (filled with random bytes, used as ping payload),
 * creates a SOCK_SEQPACKET pair and forks once more: the child runs child_f()
 * (test driver, reads descriptors from test_desc_fd[0]) and the grandchild
 * runs grand_child_f() (peer). Neither is expected to return here.
 *
 * Returns 0 in the parent on success, -1 on failure. A failure after fork()
 * is also reported as -1, but to the caller's code running in the forked
 * process, which then follows main()'s failure path.
 */
static int start_child(unsigned int nr, char *veth, int test_desc_fd[2])
{
	int cmd_sock[2];
	void *shared_page;
	pid_t pid;

	/* Configure both namespaces; stop at the first failure. */
	if (init_child(nsfd_childa, veth, child_ip(nr), grchild_ip(nr)) ||
	    init_child(nsfd_childb, veth, grchild_ip(nr), child_ip(nr)))
		return -1;

	pid = fork();
	if (pid < 0) {
		pr_err("fork()");
		return -1;
	}
	if (pid > 0) {
		/* parent: back to the selftest's own namespace */
		return switch_ns(nsfd_parent);
	}

	/* child: the writing end of the plan pipe belongs to the parent */
	if (close(test_desc_fd[1])) {
		pr_err("close()");
		return -1;
	}

	shared_page = mmap(NULL, page_size, PROT_READ | PROT_WRITE,
			   MAP_SHARED | MAP_ANONYMOUS, -1, 0);
	if (shared_page == MAP_FAILED) {
		pr_err("mmap()");
		return -1;
	}
	randomize_buffer(shared_page, page_size);

	if (socketpair(PF_LOCAL, SOCK_SEQPACKET, 0, cmd_sock)) {
		pr_err("socketpair()");
		return -1;
	}

	pid = fork();
	if (pid < 0) {
		pr_err("fork()");
		return -1;
	}
	if (pid > 0) {
		/* child: keep cmd_sock[1] and drive the tests */
		if (close(cmd_sock[0])) {
			pr_err("close()");
			return -1;
		}
		return child_f(nr, test_desc_fd[0], cmd_sock[1], shared_page);
	}

	/* grandchild: keep cmd_sock[0] and act as the peer */
	if (close(cmd_sock[1])) {
		pr_err("close()");
		return -1;
	}
	return grand_child_f(nr, cmd_sock[0], shared_page);
}
/* Print the usage line for the program named in argv[0] and exit with KSFT_FAIL. */
static void exit_usage(char **argv)
{
	const char *prog = argv[0];

	printk("Usage: %s [nr_process]", prog);
	exit(KSFT_FAIL);
}
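/*
 * Push one test descriptor into the test plan pipe.
 *
 * The pipe is created with O_DIRECT (packet mode), so the descriptor is
 * delivered as a single packet and the reader sees either the whole struct
 * or nothing. Anything other than a full-length write is treated as a
 * failure.
 *
 * Returns 0 on success, -1 (after a pr_err() diagnostic) otherwise.
 */
static int __write_desc(int test_desc_fd, struct xfrm_desc *desc)
{
	ssize_t written = write(test_desc_fd, desc, sizeof(*desc));

	if (written == (ssize_t)sizeof(*desc))
		return 0;

	/* ssize_t is printed with %zd; %ld only happened to match on LP64. */
	pr_err("Writing test's desc failed %zd", written);
	return -1;
}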
/*
 * Copy an algorithm name into one of the fixed-size name fields of a
 * zero-initialised descriptor. At most ALGO_LEN - 1 bytes are copied, so
 * the field's last byte stays the NUL the initialiser put there. A NULL
 * name leaves the field empty.
 */
static void copy_algo_name(char *field, const char *name)
{
	if (name)
		strncpy(field, name, ALGO_LEN - 1);
}

/*
 * Write a CREATE_TUNNEL descriptor for proto with the given authentication
 * (a), encryption (e), compression (c) and AEAD (ae) algorithm names; any of
 * them may be NULL. Returns what __write_desc() returns: 0 or -1.
 */
static int write_desc(int proto, int test_desc_fd,
		      char *a, char *e, char *c, char *ae)
{
	struct xfrm_desc desc = {
		.type = CREATE_TUNNEL,
		.proto = proto,
	};

	copy_algo_name(desc.a_algo, a);
	copy_algo_name(desc.e_algo, e);
	copy_algo_name(desc.c_algo, c);
	copy_algo_name(desc.ae_algo, ae);

	return __write_desc(test_desc_fd, &desc);
}
/* Protocols the plan covers, in the order write_test_plan() walks them. */
int proto_list[] = { IPPROTO_AH, IPPROTO_COMP, IPPROTO_ESP };

/*
 * Authentication algorithms: used on their own for AH and as the auth half
 * of every ESP pair.
 *
 * These lists deliberately include null, weak and deprecated algorithms
 * (digest_null, hmac(md5), ecb(cipher_null), cbc(des), ...): the aim is to
 * exercise the kernel's xfrm netlink interface for every algorithm it still
 * accepts, not to recommend any of them for real traffic.
 */
char *ah_list[] = {
	"digest_null", "hmac(md5)", "hmac(sha1)", "hmac(sha256)",
	"hmac(sha384)", "hmac(sha512)", "hmac(rmd160)",
	"xcbc(aes)", "cmac(aes)"
};

/* IPCOMP algorithms; lzs/lzjh are listed but disabled (no backend). */
char *comp_list[] = {
	"deflate",
#if 0
	/* No compression backend realization */
	"lzs", "lzjh"
#endif
};

/* Ciphers for ESP, each paired with every entry of ah_list. */
char *e_list[] = {
	"ecb(cipher_null)", "cbc(des)", "cbc(des3_ede)", "cbc(cast5)",
	"cbc(blowfish)", "cbc(aes)", "cbc(serpent)", "cbc(camellia)",
	"cbc(twofish)", "rfc3686(ctr(aes))"
};

/* AEAD algorithms for ESP; currently empty, the candidates are disabled. */
char *ae_list[] = {
#if 0
	/* not implemented */
	"rfc4106(gcm(aes))", "rfc4309(ccm(aes))", "rfc4543(gcm(aes))",
	"rfc7539esp(chacha20,poly1305)"
#endif
};

/*
 * Total number of CREATE_TUNNEL descriptors write_proto_plan() emits across
 * all protocols: AH algorithms + IPCOMP algorithms + every ESP
 * (auth, cipher) pair + every ESP AEAD. Must agree with write_proto_plan().
 */
const unsigned int proto_plan = ARRAY_SIZE(ah_list)
			      + ARRAY_SIZE(comp_list)
			      + ARRAY_SIZE(ah_list) * ARRAY_SIZE(e_list)
			      + ARRAY_SIZE(ae_list);
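/*
 * Emit the CREATE_TUNNEL descriptors for one protocol into the plan pipe.
 *
 * AH:   one descriptor per authentication algorithm in ah_list.
 * COMP: one per compression algorithm in comp_list.
 * ESP:  every (auth, cipher) pair from ah_list x e_list, then one per AEAD
 *       in ae_list (currently none).
 * The counts must match proto_plan.
 *
 * Returns 0 on success, -1 if a write fails or proto is not one of the
 * three supported values (a caller bug, reported with printk()).
 */
static int write_proto_plan(int fd, int proto)
{
	/*
	 * Both indices are size_t: the inner ESP index used to be a plain int
	 * compared against the size_t result of ARRAY_SIZE(), a signed/unsigned
	 * mismatch that -Wsign-compare flags.
	 */
	size_t i, j;

	switch (proto) {
	case IPPROTO_AH:
		for (i = 0; i < ARRAY_SIZE(ah_list); i++) {
			if (write_desc(proto, fd, ah_list[i], NULL, NULL, NULL))
				return -1;
		}
		break;

	case IPPROTO_COMP:
		for (i = 0; i < ARRAY_SIZE(comp_list); i++) {
			if (write_desc(proto, fd, NULL, NULL, comp_list[i], NULL))
				return -1;
		}
		break;

	case IPPROTO_ESP:
		for (i = 0; i < ARRAY_SIZE(ah_list); i++) {
			for (j = 0; j < ARRAY_SIZE(e_list); j++) {
				if (write_desc(proto, fd, ah_list[i],
					       e_list[j], NULL, NULL))
					return -1;
			}
		}
		for (i = 0; i < ARRAY_SIZE(ae_list); i++) {
			if (write_desc(proto, fd, NULL, NULL, NULL, ae_list[i]))
				return -1;
		}
		break;

	default:
		printk("BUG: Specified unknown proto %d", proto);
		return -1;
	}

	return 0;
}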
  1797. /*
  1798. * Some structures in xfrm uapi header differ in size between
  1799. * 64-bit and 32-bit ABI:
  1800. *
  1801. * 32-bit UABI | 64-bit UABI
  1802. * -------------------------------------|-------------------------------------
  1803. * sizeof(xfrm_usersa_info) = 220 | sizeof(xfrm_usersa_info) = 224
  1804. * sizeof(xfrm_userpolicy_info) = 164 | sizeof(xfrm_userpolicy_info) = 168
  1805. * sizeof(xfrm_userspi_info) = 228 | sizeof(xfrm_userspi_info) = 232
  1806. * sizeof(xfrm_user_acquire) = 276 | sizeof(xfrm_user_acquire) = 280
  1807. * sizeof(xfrm_user_expire) = 224 | sizeof(xfrm_user_expire) = 232
  1808. * sizeof(xfrm_user_polexpire) = 168 | sizeof(xfrm_user_polexpire) = 176
  1809. *
 * Check the structures affected by the UABI difference.
 * Also, check translation for xfrm_set_spdinfo: it has its own attributes
 * which need to be copied correctly, but not translated.
  1813. */
  1814. const unsigned int compat_plan = 5;
/*
 * Queue the compat-ABI checks: one descriptor per affected structure, all
 * for IPPROTO_AH with the first algorithm of ah_list. The number of entries
 * here is what compat_plan counts.
 *
 * Returns 0 on success, -1 if any write fails.
 */
static int write_compat_struct_tests(int test_desc_fd)
{
	static const int compat_types[] = {
		ALLOCATE_SPI,
		MONITOR_ACQUIRE,
		EXPIRE_STATE,
		EXPIRE_POLICY,
		SPDINFO_ATTRS,
	};
	struct xfrm_desc desc = { .proto = IPPROTO_AH };
	unsigned int i;

	/* desc is zero-initialised, so the bounded copy stays NUL-terminated. */
	strncpy(desc.a_algo, ah_list[0], ALGO_LEN - 1);

	for (i = 0; i < ARRAY_SIZE(compat_types); i++) {
		desc.type = compat_types[i];
		if (__write_desc(test_desc_fd, &desc))
			return -1;
	}

	return 0;
}
/*
 * Produce the test plan in a separate writer process so the parent can
 * start consuming results without blocking on the pipe.
 *
 * The parent closes its copy of test_desc_fd and returns 0 immediately
 * (-1 if fork() fails). The writer emits the compat-struct checks, then one
 * proto plan per entry of proto_list, and exits with KSFT_PASS, or
 * KSFT_FAIL on the first write error.
 */
static int write_test_plan(int test_desc_fd)
{
	unsigned int i;
	pid_t writer = fork();

	if (writer < 0) {
		pr_err("fork()");
		return -1;
	}

	if (writer > 0) {
		/* parent: the writer owns the pipe end from here on */
		if (close(test_desc_fd))
			printk("close(): %m");
		return 0;
	}

	/* writer process */
	if (write_compat_struct_tests(test_desc_fd))
		exit(KSFT_FAIL);

	for (i = 0; i < ARRAY_SIZE(proto_list); i++) {
		if (write_proto_plan(test_desc_fd, proto_list[i]))
			exit(KSFT_FAIL);
	}

	exit(KSFT_PASS);
}
/*
 * Reap every child process and derive an overall verdict.
 *
 * A child that was terminated by a signal, or that exited with KSFT_FAIL,
 * turns the verdict to KSFT_FAIL; any other exit status (e.g. KSFT_PASS or
 * KSFT_SKIP) is not counted as a failure. Returns KSFT_PASS or KSFT_FAIL;
 * an unexpected wait() error is reported and also returns KSFT_FAIL.
 */
static int children_cleanup(void)
{
	int verdict = KSFT_PASS;
	int status;
	pid_t reaped;

	for (;;) {
		reaped = wait(&status);
		if (reaped < 0) {
			if (errno == ECHILD)
				break;		/* no children left */
			pr_err("wait()");
			return KSFT_FAIL;
		}

		if (!WIFEXITED(status) || WEXITSTATUS(status) == KSFT_FAIL)
			verdict = KSFT_FAIL;
	}

	return verdict;
}
  1880. typedef void (*print_res)(const char *, ...);
/*
 * Drain results_fd[0], reporting each test_result through kselftest and
 * folding it into an overall verdict.
 *
 * Reading stops at EOF, i.e. once every writer has closed its end. A read
 * that is not exactly one struct is an error and returns KSFT_FAIL at once.
 * Any result other than KSFT_PASS is reported as a failure. Returns
 * KSFT_PASS or KSFT_FAIL.
 */
static int check_results(void)
{
	struct test_result tr = {};
	const struct xfrm_desc *d = &tr.desc;
	int verdict = KSFT_PASS;

	for (;;) {
		print_res report;
		ssize_t got = read(results_fd[0], &tr, sizeof(tr));

		if (got == 0)
			break;			/* all writers closed: EOF */
		if (got != sizeof(tr)) {
			pr_err("read() returned %zd", got);
			return KSFT_FAIL;
		}

		if (tr.res == KSFT_PASS) {
			report = ksft_test_result_pass;
		} else {
			/* KSFT_FAIL and anything unexpected count as failures */
			report = ksft_test_result_fail;
			verdict = KSFT_FAIL;
		}

		/*
		 * NOTE(review): d->type comes straight from the pipe and is used
		 * as an index into desc_name[] without a range check. The writers
		 * in this file only emit known types (child_f() exits on an
		 * unknown one), so this relies on the producer, not the reader.
		 */
		report(" %s: [%u, '%s', '%s', '%s', '%s', %u]\n",
		       desc_name[d->type], (unsigned int)d->proto, d->a_algo,
		       d->e_algo, d->c_algo, d->ae_algo, d->icv_len);
	}

	return verdict;
}
/*
 * Entry point. Optional argv[1] is the number of child/grandchild pairs to
 * run in parallel (1..MAX_PROCESSES, default 1).
 *
 * Sets up the two packet-mode pipes (test plan, results), the namespaces
 * and one veth per pair, starts the children, publishes the kselftest plan,
 * forks the plan writer and then collects results. Environment problems
 * before the children start are reported as KSFT_SKIP; later failures as
 * KSFT_FAIL. The final exit status is KSFT_FAIL if any child failed,
 * otherwise the verdict of check_results().
 */
int main(int argc, char **argv)
{
	long nr_process = 1;
	int route_sock = -1;
	int verdict = KSFT_SKIP;
	int test_desc_fd[2];
	uint32_t route_seq;
	unsigned int i;

	if (argc > 2)
		exit_usage(argv);

	if (argc == 2) {
		char *end;

		errno = 0;
		nr_process = strtol(argv[1], &end, 10);
		if ((errno == ERANGE &&
		     (nr_process == LONG_MAX || nr_process == LONG_MIN)) ||
		    (errno != 0 && nr_process == 0) ||
		    end == argv[1] || *end != '\0') {
			printk("Failed to parse [nr_process]");
			exit_usage(argv);
		}
		if (nr_process < 1 || nr_process > MAX_PROCESSES) {
			printk("nr_process should be between [1; %u]",
			       MAX_PROCESSES);
			exit_usage(argv);
		}
	}

	/*
	 * rand() is presumably what randomize_buffer() draws the ping payload
	 * from; it is test data, not key material, so a CSPRNG is not needed.
	 */
	srand(time(NULL));

	page_size = sysconf(_SC_PAGESIZE);
	if (page_size < 1)
		ksft_exit_skip("sysconf(): %m\n");

	/* O_DIRECT puts both pipes in packet mode: one struct per read/write. */
	if (pipe2(test_desc_fd, O_DIRECT) < 0)
		ksft_exit_skip("pipe(): %m\n");
	if (pipe2(results_fd, O_DIRECT) < 0)
		ksft_exit_skip("pipe(): %m\n");

	if (init_namespaces())
		ksft_exit_skip("Failed to create namespaces\n");
	if (netlink_sock(&route_sock, &route_seq, NETLINK_ROUTE))
		ksft_exit_skip("Failed to open netlink route socket\n");

	for (i = 0; i < nr_process; i++) {
		char veth[VETH_LEN];

		snprintf(veth, VETH_LEN, VETH_FMT, i);
		if (veth_add(route_sock, route_seq++, veth, nsfd_childa,
			     veth, nsfd_childb)) {
			close(route_sock);
			ksft_exit_fail_msg("Failed to create veth device");
		}
		if (start_child(i, veth, test_desc_fd)) {
			close(route_sock);
			ksft_exit_fail_msg("Child %u failed to start", i);
		}
	}

	/* The parent neither reads the plan nor writes results. */
	if (close(route_sock) || close(test_desc_fd[0]) || close(results_fd[1]))
		ksft_exit_fail_msg("close(): %m");

	ksft_set_plan(proto_plan + compat_plan);
	if (write_test_plan(test_desc_fd[1]))
		ksft_exit_fail_msg("Failed to write test plan to pipe");

	verdict = check_results();
	if (children_cleanup() == KSFT_FAIL)
		exit(KSFT_FAIL);

	exit(verdict);
}