Loading...
1// SPDX-License-Identifier: GPL-2.0
2
3/*
4 * Test key rotation for TFO.
5 * New keys are 'rotated' in two steps:
6 * 1) Add new key as the 'backup' key 'behind' the primary key
7 * 2) Make new key the primary by swapping the backup and primary keys
8 *
9 * The rotation is done in stages using multiple sockets bound
10 * to the same port via SO_REUSEPORT. This simulates key rotation
11 * behind say a load balancer. We verify that across the rotation
12 * there are no cases in which a cookie is not accepted by verifying
13 * that TcpExtTCPFastOpenPassiveFail remains 0.
14 */
15#define _GNU_SOURCE
16#include <arpa/inet.h>
17#include <errno.h>
18#include <error.h>
19#include <stdbool.h>
20#include <stdio.h>
21#include <stdlib.h>
22#include <string.h>
23#include <sys/epoll.h>
24#include <unistd.h>
25#include <netinet/tcp.h>
26#include <fcntl.h>
27#include <time.h>
28
29#include "../kselftest.h"
30
31#ifndef TCP_FASTOPEN_KEY
32#define TCP_FASTOPEN_KEY 33
33#endif
34
35#define N_LISTEN 10
36#define PROC_FASTOPEN_KEY "/proc/sys/net/ipv4/tcp_fastopen_key"
37#define KEY_LENGTH 16
38
39static bool do_ipv6;
40static bool do_sockopt;
41static bool do_rotate;
42static int key_len = KEY_LENGTH;
43static int rcv_fds[N_LISTEN];
44static int proc_fd;
45static const char *IP4_ADDR = "127.0.0.1";
46static const char *IP6_ADDR = "::1";
47static const int PORT = 8891;
48
49static void get_keys(int fd, uint32_t *keys)
50{
51 char buf[128];
52 socklen_t len = KEY_LENGTH * 2;
53
54 if (do_sockopt) {
55 if (getsockopt(fd, SOL_TCP, TCP_FASTOPEN_KEY, keys, &len))
56 error(1, errno, "Unable to get key");
57 return;
58 }
59 lseek(proc_fd, 0, SEEK_SET);
60 if (read(proc_fd, buf, sizeof(buf)) <= 0)
61 error(1, errno, "Unable to read %s", PROC_FASTOPEN_KEY);
62 if (sscanf(buf, "%x-%x-%x-%x,%x-%x-%x-%x", keys, keys + 1, keys + 2,
63 keys + 3, keys + 4, keys + 5, keys + 6, keys + 7) != 8)
64 error(1, 0, "Unable to parse %s", PROC_FASTOPEN_KEY);
65}
66
67static void set_keys(int fd, uint32_t *keys)
68{
69 char buf[128];
70
71 if (do_sockopt) {
72 if (setsockopt(fd, SOL_TCP, TCP_FASTOPEN_KEY, keys,
73 key_len))
74 error(1, errno, "Unable to set key");
75 return;
76 }
77 if (do_rotate)
78 snprintf(buf, 128, "%08x-%08x-%08x-%08x,%08x-%08x-%08x-%08x",
79 keys[0], keys[1], keys[2], keys[3], keys[4], keys[5],
80 keys[6], keys[7]);
81 else
82 snprintf(buf, 128, "%08x-%08x-%08x-%08x",
83 keys[0], keys[1], keys[2], keys[3]);
84 lseek(proc_fd, 0, SEEK_SET);
85 if (write(proc_fd, buf, sizeof(buf)) <= 0)
86 error(1, errno, "Unable to write %s", PROC_FASTOPEN_KEY);
87}
88
89static void build_rcv_fd(int family, int proto, int *rcv_fds)
90{
91 struct sockaddr_in addr4 = {0};
92 struct sockaddr_in6 addr6 = {0};
93 struct sockaddr *addr;
94 int opt = 1, i, sz;
95 int qlen = 100;
96 uint32_t keys[8];
97
98 switch (family) {
99 case AF_INET:
100 addr4.sin_family = family;
101 addr4.sin_addr.s_addr = htonl(INADDR_ANY);
102 addr4.sin_port = htons(PORT);
103 sz = sizeof(addr4);
104 addr = (struct sockaddr *)&addr4;
105 break;
106 case AF_INET6:
107 addr6.sin6_family = AF_INET6;
108 addr6.sin6_addr = in6addr_any;
109 addr6.sin6_port = htons(PORT);
110 sz = sizeof(addr6);
111 addr = (struct sockaddr *)&addr6;
112 break;
113 default:
114 error(1, 0, "Unsupported family %d", family);
115 /* clang does not recognize error() above as terminating
116 * the program, so it complains that saddr, sz are
117 * not initialized when this code path is taken. Silence it.
118 */
119 return;
120 }
121 for (i = 0; i < ARRAY_SIZE(keys); i++)
122 keys[i] = rand();
123 for (i = 0; i < N_LISTEN; i++) {
124 rcv_fds[i] = socket(family, proto, 0);
125 if (rcv_fds[i] < 0)
126 error(1, errno, "failed to create receive socket");
127 if (setsockopt(rcv_fds[i], SOL_SOCKET, SO_REUSEPORT, &opt,
128 sizeof(opt)))
129 error(1, errno, "failed to set SO_REUSEPORT");
130 if (bind(rcv_fds[i], addr, sz))
131 error(1, errno, "failed to bind receive socket");
132 if (setsockopt(rcv_fds[i], SOL_TCP, TCP_FASTOPEN, &qlen,
133 sizeof(qlen)))
134 error(1, errno, "failed to set TCP_FASTOPEN");
135 set_keys(rcv_fds[i], keys);
136 if (proto == SOCK_STREAM && listen(rcv_fds[i], 10))
137 error(1, errno, "failed to listen on receive port");
138 }
139}
140
141static int connect_and_send(int family, int proto)
142{
143 struct sockaddr_in saddr4 = {0};
144 struct sockaddr_in daddr4 = {0};
145 struct sockaddr_in6 saddr6 = {0};
146 struct sockaddr_in6 daddr6 = {0};
147 struct sockaddr *saddr, *daddr;
148 int fd, sz, ret;
149 char data[1];
150
151 switch (family) {
152 case AF_INET:
153 saddr4.sin_family = AF_INET;
154 saddr4.sin_addr.s_addr = htonl(INADDR_ANY);
155 saddr4.sin_port = 0;
156
157 daddr4.sin_family = AF_INET;
158 if (!inet_pton(family, IP4_ADDR, &daddr4.sin_addr.s_addr))
159 error(1, errno, "inet_pton failed: %s", IP4_ADDR);
160 daddr4.sin_port = htons(PORT);
161
162 sz = sizeof(saddr4);
163 saddr = (struct sockaddr *)&saddr4;
164 daddr = (struct sockaddr *)&daddr4;
165 break;
166 case AF_INET6:
167 saddr6.sin6_family = AF_INET6;
168 saddr6.sin6_addr = in6addr_any;
169
170 daddr6.sin6_family = AF_INET6;
171 if (!inet_pton(family, IP6_ADDR, &daddr6.sin6_addr))
172 error(1, errno, "inet_pton failed: %s", IP6_ADDR);
173 daddr6.sin6_port = htons(PORT);
174
175 sz = sizeof(saddr6);
176 saddr = (struct sockaddr *)&saddr6;
177 daddr = (struct sockaddr *)&daddr6;
178 break;
179 default:
180 error(1, 0, "Unsupported family %d", family);
181 /* clang does not recognize error() above as terminating
182 * the program, so it complains that saddr, daddr, sz are
183 * not initialized when this code path is taken. Silence it.
184 */
185 return -1;
186 }
187 fd = socket(family, proto, 0);
188 if (fd < 0)
189 error(1, errno, "failed to create send socket");
190 if (bind(fd, saddr, sz))
191 error(1, errno, "failed to bind send socket");
192 data[0] = 'a';
193 ret = sendto(fd, data, 1, MSG_FASTOPEN, daddr, sz);
194 if (ret != 1)
195 error(1, errno, "failed to sendto");
196
197 return fd;
198}
199
200static bool is_listen_fd(int fd)
201{
202 int i;
203
204 for (i = 0; i < N_LISTEN; i++) {
205 if (rcv_fds[i] == fd)
206 return true;
207 }
208 return false;
209}
210
211static void rotate_key(int fd)
212{
213 static int iter;
214 static uint32_t new_key[4];
215 uint32_t keys[8];
216 uint32_t tmp_key[4];
217 int i;
218
219 if (iter < N_LISTEN) {
220 /* first set new key as backups */
221 if (iter == 0) {
222 for (i = 0; i < ARRAY_SIZE(new_key); i++)
223 new_key[i] = rand();
224 }
225 get_keys(fd, keys);
226 memcpy(keys + 4, new_key, KEY_LENGTH);
227 set_keys(fd, keys);
228 } else {
229 /* swap the keys */
230 get_keys(fd, keys);
231 memcpy(tmp_key, keys + 4, KEY_LENGTH);
232 memcpy(keys + 4, keys, KEY_LENGTH);
233 memcpy(keys, tmp_key, KEY_LENGTH);
234 set_keys(fd, keys);
235 }
236 if (++iter >= (N_LISTEN * 2))
237 iter = 0;
238}
239
240static void run_one_test(int family)
241{
242 struct epoll_event ev;
243 int i, send_fd;
244 int n_loops = 10000;
245 int rotate_key_fd = 0;
246 int key_rotate_interval = 50;
247 int fd, epfd;
248 char buf[1];
249
250 build_rcv_fd(family, SOCK_STREAM, rcv_fds);
251 epfd = epoll_create(1);
252 if (epfd < 0)
253 error(1, errno, "failed to create epoll");
254 ev.events = EPOLLIN;
255 for (i = 0; i < N_LISTEN; i++) {
256 ev.data.fd = rcv_fds[i];
257 if (epoll_ctl(epfd, EPOLL_CTL_ADD, rcv_fds[i], &ev))
258 error(1, errno, "failed to register sock epoll");
259 }
260 while (n_loops--) {
261 send_fd = connect_and_send(family, SOCK_STREAM);
262 if (do_rotate && ((n_loops % key_rotate_interval) == 0)) {
263 rotate_key(rcv_fds[rotate_key_fd]);
264 if (++rotate_key_fd >= N_LISTEN)
265 rotate_key_fd = 0;
266 }
267 while (1) {
268 i = epoll_wait(epfd, &ev, 1, -1);
269 if (i < 0)
270 error(1, errno, "epoll_wait failed");
271 if (is_listen_fd(ev.data.fd)) {
272 fd = accept(ev.data.fd, NULL, NULL);
273 if (fd < 0)
274 error(1, errno, "failed to accept");
275 ev.data.fd = fd;
276 if (epoll_ctl(epfd, EPOLL_CTL_ADD, fd, &ev))
277 error(1, errno, "failed epoll add");
278 continue;
279 }
280 i = recv(ev.data.fd, buf, sizeof(buf), 0);
281 if (i != 1)
282 error(1, errno, "failed recv data");
283 if (epoll_ctl(epfd, EPOLL_CTL_DEL, ev.data.fd, NULL))
284 error(1, errno, "failed epoll del");
285 close(ev.data.fd);
286 break;
287 }
288 close(send_fd);
289 }
290 for (i = 0; i < N_LISTEN; i++)
291 close(rcv_fds[i]);
292}
293
294static void parse_opts(int argc, char **argv)
295{
296 int c;
297
298 while ((c = getopt(argc, argv, "46sr")) != -1) {
299 switch (c) {
300 case '4':
301 do_ipv6 = false;
302 break;
303 case '6':
304 do_ipv6 = true;
305 break;
306 case 's':
307 do_sockopt = true;
308 break;
309 case 'r':
310 do_rotate = true;
311 key_len = KEY_LENGTH * 2;
312 break;
313 default:
314 error(1, 0, "%s: parse error", argv[0]);
315 }
316 }
317}
318
319int main(int argc, char **argv)
320{
321 parse_opts(argc, argv);
322 proc_fd = open(PROC_FASTOPEN_KEY, O_RDWR);
323 if (proc_fd < 0)
324 error(1, errno, "Unable to open %s", PROC_FASTOPEN_KEY);
325 srand(time(NULL));
326 if (do_ipv6)
327 run_one_test(AF_INET6);
328 else
329 run_one_test(AF_INET);
330 close(proc_fd);
331 fprintf(stderr, "PASS\n");
332 return 0;
333}
1// SPDX-License-Identifier: GPL-2.0
2
3/*
4 * Test key rotation for TFO.
5 * New keys are 'rotated' in two steps:
6 * 1) Add new key as the 'backup' key 'behind' the primary key
7 * 2) Make new key the primary by swapping the backup and primary keys
8 *
9 * The rotation is done in stages using multiple sockets bound
10 * to the same port via SO_REUSEPORT. This simulates key rotation
11 * behind say a load balancer. We verify that across the rotation
12 * there are no cases in which a cookie is not accepted by verifying
13 * that TcpExtTCPFastOpenPassiveFail remains 0.
14 */
15#define _GNU_SOURCE
16#include <arpa/inet.h>
17#include <errno.h>
18#include <error.h>
19#include <stdbool.h>
20#include <stdio.h>
21#include <stdlib.h>
22#include <string.h>
23#include <sys/epoll.h>
24#include <unistd.h>
25#include <netinet/tcp.h>
26#include <fcntl.h>
27#include <time.h>
28
29#ifndef TCP_FASTOPEN_KEY
30#define TCP_FASTOPEN_KEY 33
31#endif
32
33#define N_LISTEN 10
34#define PROC_FASTOPEN_KEY "/proc/sys/net/ipv4/tcp_fastopen_key"
35#define KEY_LENGTH 16
36
37#ifndef ARRAY_SIZE
38#define ARRAY_SIZE(arr) (sizeof(arr) / sizeof((arr)[0]))
39#endif
40
41static bool do_ipv6;
42static bool do_sockopt;
43static bool do_rotate;
44static int key_len = KEY_LENGTH;
45static int rcv_fds[N_LISTEN];
46static int proc_fd;
47static const char *IP4_ADDR = "127.0.0.1";
48static const char *IP6_ADDR = "::1";
49static const int PORT = 8891;
50
51static void get_keys(int fd, uint32_t *keys)
52{
53 char buf[128];
54 socklen_t len = KEY_LENGTH * 2;
55
56 if (do_sockopt) {
57 if (getsockopt(fd, SOL_TCP, TCP_FASTOPEN_KEY, keys, &len))
58 error(1, errno, "Unable to get key");
59 return;
60 }
61 lseek(proc_fd, 0, SEEK_SET);
62 if (read(proc_fd, buf, sizeof(buf)) <= 0)
63 error(1, errno, "Unable to read %s", PROC_FASTOPEN_KEY);
64 if (sscanf(buf, "%x-%x-%x-%x,%x-%x-%x-%x", keys, keys + 1, keys + 2,
65 keys + 3, keys + 4, keys + 5, keys + 6, keys + 7) != 8)
66 error(1, 0, "Unable to parse %s", PROC_FASTOPEN_KEY);
67}
68
69static void set_keys(int fd, uint32_t *keys)
70{
71 char buf[128];
72
73 if (do_sockopt) {
74 if (setsockopt(fd, SOL_TCP, TCP_FASTOPEN_KEY, keys,
75 key_len))
76 error(1, errno, "Unable to set key");
77 return;
78 }
79 if (do_rotate)
80 snprintf(buf, 128, "%08x-%08x-%08x-%08x,%08x-%08x-%08x-%08x",
81 keys[0], keys[1], keys[2], keys[3], keys[4], keys[5],
82 keys[6], keys[7]);
83 else
84 snprintf(buf, 128, "%08x-%08x-%08x-%08x",
85 keys[0], keys[1], keys[2], keys[3]);
86 lseek(proc_fd, 0, SEEK_SET);
87 if (write(proc_fd, buf, sizeof(buf)) <= 0)
88 error(1, errno, "Unable to write %s", PROC_FASTOPEN_KEY);
89}
90
91static void build_rcv_fd(int family, int proto, int *rcv_fds)
92{
93 struct sockaddr_in addr4 = {0};
94 struct sockaddr_in6 addr6 = {0};
95 struct sockaddr *addr;
96 int opt = 1, i, sz;
97 int qlen = 100;
98 uint32_t keys[8];
99
100 switch (family) {
101 case AF_INET:
102 addr4.sin_family = family;
103 addr4.sin_addr.s_addr = htonl(INADDR_ANY);
104 addr4.sin_port = htons(PORT);
105 sz = sizeof(addr4);
106 addr = (struct sockaddr *)&addr4;
107 break;
108 case AF_INET6:
109 addr6.sin6_family = AF_INET6;
110 addr6.sin6_addr = in6addr_any;
111 addr6.sin6_port = htons(PORT);
112 sz = sizeof(addr6);
113 addr = (struct sockaddr *)&addr6;
114 break;
115 default:
116 error(1, 0, "Unsupported family %d", family);
117 /* clang does not recognize error() above as terminating
118 * the program, so it complains that saddr, sz are
119 * not initialized when this code path is taken. Silence it.
120 */
121 return;
122 }
123 for (i = 0; i < ARRAY_SIZE(keys); i++)
124 keys[i] = rand();
125 for (i = 0; i < N_LISTEN; i++) {
126 rcv_fds[i] = socket(family, proto, 0);
127 if (rcv_fds[i] < 0)
128 error(1, errno, "failed to create receive socket");
129 if (setsockopt(rcv_fds[i], SOL_SOCKET, SO_REUSEPORT, &opt,
130 sizeof(opt)))
131 error(1, errno, "failed to set SO_REUSEPORT");
132 if (bind(rcv_fds[i], addr, sz))
133 error(1, errno, "failed to bind receive socket");
134 if (setsockopt(rcv_fds[i], SOL_TCP, TCP_FASTOPEN, &qlen,
135 sizeof(qlen)))
136 error(1, errno, "failed to set TCP_FASTOPEN");
137 set_keys(rcv_fds[i], keys);
138 if (proto == SOCK_STREAM && listen(rcv_fds[i], 10))
139 error(1, errno, "failed to listen on receive port");
140 }
141}
142
143static int connect_and_send(int family, int proto)
144{
145 struct sockaddr_in saddr4 = {0};
146 struct sockaddr_in daddr4 = {0};
147 struct sockaddr_in6 saddr6 = {0};
148 struct sockaddr_in6 daddr6 = {0};
149 struct sockaddr *saddr, *daddr;
150 int fd, sz, ret;
151 char data[1];
152
153 switch (family) {
154 case AF_INET:
155 saddr4.sin_family = AF_INET;
156 saddr4.sin_addr.s_addr = htonl(INADDR_ANY);
157 saddr4.sin_port = 0;
158
159 daddr4.sin_family = AF_INET;
160 if (!inet_pton(family, IP4_ADDR, &daddr4.sin_addr.s_addr))
161 error(1, errno, "inet_pton failed: %s", IP4_ADDR);
162 daddr4.sin_port = htons(PORT);
163
164 sz = sizeof(saddr4);
165 saddr = (struct sockaddr *)&saddr4;
166 daddr = (struct sockaddr *)&daddr4;
167 break;
168 case AF_INET6:
169 saddr6.sin6_family = AF_INET6;
170 saddr6.sin6_addr = in6addr_any;
171
172 daddr6.sin6_family = AF_INET6;
173 if (!inet_pton(family, IP6_ADDR, &daddr6.sin6_addr))
174 error(1, errno, "inet_pton failed: %s", IP6_ADDR);
175 daddr6.sin6_port = htons(PORT);
176
177 sz = sizeof(saddr6);
178 saddr = (struct sockaddr *)&saddr6;
179 daddr = (struct sockaddr *)&daddr6;
180 break;
181 default:
182 error(1, 0, "Unsupported family %d", family);
183 /* clang does not recognize error() above as terminating
184 * the program, so it complains that saddr, daddr, sz are
185 * not initialized when this code path is taken. Silence it.
186 */
187 return -1;
188 }
189 fd = socket(family, proto, 0);
190 if (fd < 0)
191 error(1, errno, "failed to create send socket");
192 if (bind(fd, saddr, sz))
193 error(1, errno, "failed to bind send socket");
194 data[0] = 'a';
195 ret = sendto(fd, data, 1, MSG_FASTOPEN, daddr, sz);
196 if (ret != 1)
197 error(1, errno, "failed to sendto");
198
199 return fd;
200}
201
202static bool is_listen_fd(int fd)
203{
204 int i;
205
206 for (i = 0; i < N_LISTEN; i++) {
207 if (rcv_fds[i] == fd)
208 return true;
209 }
210 return false;
211}
212
213static void rotate_key(int fd)
214{
215 static int iter;
216 static uint32_t new_key[4];
217 uint32_t keys[8];
218 uint32_t tmp_key[4];
219 int i;
220
221 if (iter < N_LISTEN) {
222 /* first set new key as backups */
223 if (iter == 0) {
224 for (i = 0; i < ARRAY_SIZE(new_key); i++)
225 new_key[i] = rand();
226 }
227 get_keys(fd, keys);
228 memcpy(keys + 4, new_key, KEY_LENGTH);
229 set_keys(fd, keys);
230 } else {
231 /* swap the keys */
232 get_keys(fd, keys);
233 memcpy(tmp_key, keys + 4, KEY_LENGTH);
234 memcpy(keys + 4, keys, KEY_LENGTH);
235 memcpy(keys, tmp_key, KEY_LENGTH);
236 set_keys(fd, keys);
237 }
238 if (++iter >= (N_LISTEN * 2))
239 iter = 0;
240}
241
242static void run_one_test(int family)
243{
244 struct epoll_event ev;
245 int i, send_fd;
246 int n_loops = 10000;
247 int rotate_key_fd = 0;
248 int key_rotate_interval = 50;
249 int fd, epfd;
250 char buf[1];
251
252 build_rcv_fd(family, SOCK_STREAM, rcv_fds);
253 epfd = epoll_create(1);
254 if (epfd < 0)
255 error(1, errno, "failed to create epoll");
256 ev.events = EPOLLIN;
257 for (i = 0; i < N_LISTEN; i++) {
258 ev.data.fd = rcv_fds[i];
259 if (epoll_ctl(epfd, EPOLL_CTL_ADD, rcv_fds[i], &ev))
260 error(1, errno, "failed to register sock epoll");
261 }
262 while (n_loops--) {
263 send_fd = connect_and_send(family, SOCK_STREAM);
264 if (do_rotate && ((n_loops % key_rotate_interval) == 0)) {
265 rotate_key(rcv_fds[rotate_key_fd]);
266 if (++rotate_key_fd >= N_LISTEN)
267 rotate_key_fd = 0;
268 }
269 while (1) {
270 i = epoll_wait(epfd, &ev, 1, -1);
271 if (i < 0)
272 error(1, errno, "epoll_wait failed");
273 if (is_listen_fd(ev.data.fd)) {
274 fd = accept(ev.data.fd, NULL, NULL);
275 if (fd < 0)
276 error(1, errno, "failed to accept");
277 ev.data.fd = fd;
278 if (epoll_ctl(epfd, EPOLL_CTL_ADD, fd, &ev))
279 error(1, errno, "failed epoll add");
280 continue;
281 }
282 i = recv(ev.data.fd, buf, sizeof(buf), 0);
283 if (i != 1)
284 error(1, errno, "failed recv data");
285 if (epoll_ctl(epfd, EPOLL_CTL_DEL, ev.data.fd, NULL))
286 error(1, errno, "failed epoll del");
287 close(ev.data.fd);
288 break;
289 }
290 close(send_fd);
291 }
292 for (i = 0; i < N_LISTEN; i++)
293 close(rcv_fds[i]);
294}
295
296static void parse_opts(int argc, char **argv)
297{
298 int c;
299
300 while ((c = getopt(argc, argv, "46sr")) != -1) {
301 switch (c) {
302 case '4':
303 do_ipv6 = false;
304 break;
305 case '6':
306 do_ipv6 = true;
307 break;
308 case 's':
309 do_sockopt = true;
310 break;
311 case 'r':
312 do_rotate = true;
313 key_len = KEY_LENGTH * 2;
314 break;
315 default:
316 error(1, 0, "%s: parse error", argv[0]);
317 }
318 }
319}
320
321int main(int argc, char **argv)
322{
323 parse_opts(argc, argv);
324 proc_fd = open(PROC_FASTOPEN_KEY, O_RDWR);
325 if (proc_fd < 0)
326 error(1, errno, "Unable to open %s", PROC_FASTOPEN_KEY);
327 srand(time(NULL));
328 if (do_ipv6)
329 run_one_test(AF_INET6);
330 else
331 run_one_test(AF_INET);
332 close(proc_fd);
333 fprintf(stderr, "PASS\n");
334 return 0;
335}