Loading...
1// SPDX-License-Identifier: GPL-2.0
2/*
3 * ipsec.c - Check xfrm on veth inside a net-ns.
4 * Copyright (c) 2018 Dmitry Safonov
5 */
6
7#define _GNU_SOURCE
8
9#include <arpa/inet.h>
10#include <asm/types.h>
11#include <errno.h>
12#include <fcntl.h>
13#include <limits.h>
14#include <linux/limits.h>
15#include <linux/netlink.h>
16#include <linux/random.h>
17#include <linux/rtnetlink.h>
18#include <linux/veth.h>
19#include <linux/xfrm.h>
20#include <netinet/in.h>
21#include <net/if.h>
22#include <sched.h>
23#include <stdbool.h>
24#include <stdint.h>
25#include <stdio.h>
26#include <stdlib.h>
27#include <string.h>
28#include <sys/mman.h>
29#include <sys/socket.h>
30#include <sys/stat.h>
31#include <sys/syscall.h>
32#include <sys/types.h>
33#include <sys/wait.h>
34#include <time.h>
35#include <unistd.h>
36
37#include "../kselftest.h"
38
39#define printk(fmt, ...) \
40 ksft_print_msg("%d[%u] " fmt "\n", getpid(), __LINE__, ##__VA_ARGS__)
41
42#define pr_err(fmt, ...) printk(fmt ": %m", ##__VA_ARGS__)
43
44#define BUILD_BUG_ON(condition) ((void)sizeof(char[1 - 2*!!(condition)]))
45
46#define IPV4_STR_SZ 16 /* xxx.xxx.xxx.xxx is longest + \0 */
47#define MAX_PAYLOAD 2048
48#define XFRM_ALGO_KEY_BUF_SIZE 512
49#define MAX_PROCESSES (1 << 14) /* /16 mask divided by /30 subnets */
50#define INADDR_A ((in_addr_t) 0x0a000000) /* 10.0.0.0 */
51#define INADDR_B ((in_addr_t) 0xc0a80000) /* 192.168.0.0 */
52
53/* /30 mask for one veth connection */
54#define PREFIX_LEN 30
55#define child_ip(nr) (4*nr + 1)
56#define grchild_ip(nr) (4*nr + 2)
57
58#define VETH_FMT "ktst-%d"
59#define VETH_LEN 12
60
61#define XFRM_ALGO_NR_KEYS 29
62
63static int nsfd_parent = -1;
64static int nsfd_childa = -1;
65static int nsfd_childb = -1;
66static long page_size;
67
68/*
69 * ksft_cnt is static in kselftest, so isn't shared with children.
70 * We have to send a test result back to parent and count there.
71 * results_fd is a pipe with test feedback from children.
72 */
73static int results_fd[2];
74
75const unsigned int ping_delay_nsec = 50 * 1000 * 1000;
76const unsigned int ping_timeout = 300;
77const unsigned int ping_count = 100;
78const unsigned int ping_success = 80;
79
80struct xfrm_key_entry {
81 char algo_name[35];
82 int key_len;
83};
84
85struct xfrm_key_entry xfrm_key_entries[] = {
86 {"digest_null", 0},
87 {"ecb(cipher_null)", 0},
88 {"cbc(des)", 64},
89 {"hmac(md5)", 128},
90 {"cmac(aes)", 128},
91 {"xcbc(aes)", 128},
92 {"cbc(cast5)", 128},
93 {"cbc(serpent)", 128},
94 {"hmac(sha1)", 160},
95 {"hmac(rmd160)", 160},
96 {"cbc(des3_ede)", 192},
97 {"hmac(sha256)", 256},
98 {"cbc(aes)", 256},
99 {"cbc(camellia)", 256},
100 {"cbc(twofish)", 256},
101 {"rfc3686(ctr(aes))", 288},
102 {"hmac(sha384)", 384},
103 {"cbc(blowfish)", 448},
104 {"hmac(sha512)", 512},
105 {"rfc4106(gcm(aes))-128", 160},
106 {"rfc4543(gcm(aes))-128", 160},
107 {"rfc4309(ccm(aes))-128", 152},
108 {"rfc4106(gcm(aes))-192", 224},
109 {"rfc4543(gcm(aes))-192", 224},
110 {"rfc4309(ccm(aes))-192", 216},
111 {"rfc4106(gcm(aes))-256", 288},
112 {"rfc4543(gcm(aes))-256", 288},
113 {"rfc4309(ccm(aes))-256", 280},
114 {"rfc7539(chacha20,poly1305)-128", 0}
115};
116
117static void randomize_buffer(void *buf, size_t buflen)
118{
119 int *p = (int *)buf;
120 size_t words = buflen / sizeof(int);
121 size_t leftover = buflen % sizeof(int);
122
123 if (!buflen)
124 return;
125
126 while (words--)
127 *p++ = rand();
128
129 if (leftover) {
130 int tmp = rand();
131
132 memcpy(buf + buflen - leftover, &tmp, leftover);
133 }
134
135 return;
136}
137
138static int unshare_open(void)
139{
140 const char *netns_path = "/proc/self/ns/net";
141 int fd;
142
143 if (unshare(CLONE_NEWNET) != 0) {
144 pr_err("unshare()");
145 return -1;
146 }
147
148 fd = open(netns_path, O_RDONLY);
149 if (fd <= 0) {
150 pr_err("open(%s)", netns_path);
151 return -1;
152 }
153
154 return fd;
155}
156
157static int switch_ns(int fd)
158{
159 if (setns(fd, CLONE_NEWNET)) {
160 pr_err("setns()");
161 return -1;
162 }
163 return 0;
164}
165
166/*
167 * Running the test inside a new parent net namespace to bother less
168 * about cleanup on error-path.
169 */
170static int init_namespaces(void)
171{
172 nsfd_parent = unshare_open();
173 if (nsfd_parent <= 0)
174 return -1;
175
176 nsfd_childa = unshare_open();
177 if (nsfd_childa <= 0)
178 return -1;
179
180 if (switch_ns(nsfd_parent))
181 return -1;
182
183 nsfd_childb = unshare_open();
184 if (nsfd_childb <= 0)
185 return -1;
186
187 if (switch_ns(nsfd_parent))
188 return -1;
189 return 0;
190}
191
192static int netlink_sock(int *sock, uint32_t *seq_nr, int proto)
193{
194 if (*sock > 0) {
195 seq_nr++;
196 return 0;
197 }
198
199 *sock = socket(AF_NETLINK, SOCK_RAW | SOCK_CLOEXEC, proto);
200 if (*sock <= 0) {
201 pr_err("socket(AF_NETLINK)");
202 return -1;
203 }
204
205 randomize_buffer(seq_nr, sizeof(*seq_nr));
206
207 return 0;
208}
209
210static inline struct rtattr *rtattr_hdr(struct nlmsghdr *nh)
211{
212 return (struct rtattr *)((char *)(nh) + RTA_ALIGN((nh)->nlmsg_len));
213}
214
215static int rtattr_pack(struct nlmsghdr *nh, size_t req_sz,
216 unsigned short rta_type, const void *payload, size_t size)
217{
218 /* NLMSG_ALIGNTO == RTA_ALIGNTO, nlmsg_len already aligned */
219 struct rtattr *attr = rtattr_hdr(nh);
220 size_t nl_size = RTA_ALIGN(nh->nlmsg_len) + RTA_LENGTH(size);
221
222 if (req_sz < nl_size) {
223 printk("req buf is too small: %zu < %zu", req_sz, nl_size);
224 return -1;
225 }
226 nh->nlmsg_len = nl_size;
227
228 attr->rta_len = RTA_LENGTH(size);
229 attr->rta_type = rta_type;
230 memcpy(RTA_DATA(attr), payload, size);
231
232 return 0;
233}
234
235static struct rtattr *_rtattr_begin(struct nlmsghdr *nh, size_t req_sz,
236 unsigned short rta_type, const void *payload, size_t size)
237{
238 struct rtattr *ret = rtattr_hdr(nh);
239
240 if (rtattr_pack(nh, req_sz, rta_type, payload, size))
241 return 0;
242
243 return ret;
244}
245
246static inline struct rtattr *rtattr_begin(struct nlmsghdr *nh, size_t req_sz,
247 unsigned short rta_type)
248{
249 return _rtattr_begin(nh, req_sz, rta_type, 0, 0);
250}
251
252static inline void rtattr_end(struct nlmsghdr *nh, struct rtattr *attr)
253{
254 char *nlmsg_end = (char *)nh + nh->nlmsg_len;
255
256 attr->rta_len = nlmsg_end - (char *)attr;
257}
258
259static int veth_pack_peerb(struct nlmsghdr *nh, size_t req_sz,
260 const char *peer, int ns)
261{
262 struct ifinfomsg pi;
263 struct rtattr *peer_attr;
264
265 memset(&pi, 0, sizeof(pi));
266 pi.ifi_family = AF_UNSPEC;
267 pi.ifi_change = 0xFFFFFFFF;
268
269 peer_attr = _rtattr_begin(nh, req_sz, VETH_INFO_PEER, &pi, sizeof(pi));
270 if (!peer_attr)
271 return -1;
272
273 if (rtattr_pack(nh, req_sz, IFLA_IFNAME, peer, strlen(peer)))
274 return -1;
275
276 if (rtattr_pack(nh, req_sz, IFLA_NET_NS_FD, &ns, sizeof(ns)))
277 return -1;
278
279 rtattr_end(nh, peer_attr);
280
281 return 0;
282}
283
284static int netlink_check_answer(int sock)
285{
286 struct nlmsgerror {
287 struct nlmsghdr hdr;
288 int error;
289 struct nlmsghdr orig_msg;
290 } answer;
291
292 if (recv(sock, &answer, sizeof(answer), 0) < 0) {
293 pr_err("recv()");
294 return -1;
295 } else if (answer.hdr.nlmsg_type != NLMSG_ERROR) {
296 printk("expected NLMSG_ERROR, got %d", (int)answer.hdr.nlmsg_type);
297 return -1;
298 } else if (answer.error) {
299 printk("NLMSG_ERROR: %d: %s",
300 answer.error, strerror(-answer.error));
301 return answer.error;
302 }
303
304 return 0;
305}
306
307static int veth_add(int sock, uint32_t seq, const char *peera, int ns_a,
308 const char *peerb, int ns_b)
309{
310 uint16_t flags = NLM_F_REQUEST | NLM_F_ACK | NLM_F_EXCL | NLM_F_CREATE;
311 struct {
312 struct nlmsghdr nh;
313 struct ifinfomsg info;
314 char attrbuf[MAX_PAYLOAD];
315 } req;
316 const char veth_type[] = "veth";
317 struct rtattr *link_info, *info_data;
318
319 memset(&req, 0, sizeof(req));
320 req.nh.nlmsg_len = NLMSG_LENGTH(sizeof(req.info));
321 req.nh.nlmsg_type = RTM_NEWLINK;
322 req.nh.nlmsg_flags = flags;
323 req.nh.nlmsg_seq = seq;
324 req.info.ifi_family = AF_UNSPEC;
325 req.info.ifi_change = 0xFFFFFFFF;
326
327 if (rtattr_pack(&req.nh, sizeof(req), IFLA_IFNAME, peera, strlen(peera)))
328 return -1;
329
330 if (rtattr_pack(&req.nh, sizeof(req), IFLA_NET_NS_FD, &ns_a, sizeof(ns_a)))
331 return -1;
332
333 link_info = rtattr_begin(&req.nh, sizeof(req), IFLA_LINKINFO);
334 if (!link_info)
335 return -1;
336
337 if (rtattr_pack(&req.nh, sizeof(req), IFLA_INFO_KIND, veth_type, sizeof(veth_type)))
338 return -1;
339
340 info_data = rtattr_begin(&req.nh, sizeof(req), IFLA_INFO_DATA);
341 if (!info_data)
342 return -1;
343
344 if (veth_pack_peerb(&req.nh, sizeof(req), peerb, ns_b))
345 return -1;
346
347 rtattr_end(&req.nh, info_data);
348 rtattr_end(&req.nh, link_info);
349
350 if (send(sock, &req, req.nh.nlmsg_len, 0) < 0) {
351 pr_err("send()");
352 return -1;
353 }
354 return netlink_check_answer(sock);
355}
356
357static int ip4_addr_set(int sock, uint32_t seq, const char *intf,
358 struct in_addr addr, uint8_t prefix)
359{
360 uint16_t flags = NLM_F_REQUEST | NLM_F_ACK | NLM_F_EXCL | NLM_F_CREATE;
361 struct {
362 struct nlmsghdr nh;
363 struct ifaddrmsg info;
364 char attrbuf[MAX_PAYLOAD];
365 } req;
366
367 memset(&req, 0, sizeof(req));
368 req.nh.nlmsg_len = NLMSG_LENGTH(sizeof(req.info));
369 req.nh.nlmsg_type = RTM_NEWADDR;
370 req.nh.nlmsg_flags = flags;
371 req.nh.nlmsg_seq = seq;
372 req.info.ifa_family = AF_INET;
373 req.info.ifa_prefixlen = prefix;
374 req.info.ifa_index = if_nametoindex(intf);
375
376#ifdef DEBUG
377 {
378 char addr_str[IPV4_STR_SZ] = {};
379
380 strncpy(addr_str, inet_ntoa(addr), IPV4_STR_SZ - 1);
381
382 printk("ip addr set %s", addr_str);
383 }
384#endif
385
386 if (rtattr_pack(&req.nh, sizeof(req), IFA_LOCAL, &addr, sizeof(addr)))
387 return -1;
388
389 if (rtattr_pack(&req.nh, sizeof(req), IFA_ADDRESS, &addr, sizeof(addr)))
390 return -1;
391
392 if (send(sock, &req, req.nh.nlmsg_len, 0) < 0) {
393 pr_err("send()");
394 return -1;
395 }
396 return netlink_check_answer(sock);
397}
398
399static int link_set_up(int sock, uint32_t seq, const char *intf)
400{
401 struct {
402 struct nlmsghdr nh;
403 struct ifinfomsg info;
404 char attrbuf[MAX_PAYLOAD];
405 } req;
406
407 memset(&req, 0, sizeof(req));
408 req.nh.nlmsg_len = NLMSG_LENGTH(sizeof(req.info));
409 req.nh.nlmsg_type = RTM_NEWLINK;
410 req.nh.nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
411 req.nh.nlmsg_seq = seq;
412 req.info.ifi_family = AF_UNSPEC;
413 req.info.ifi_change = 0xFFFFFFFF;
414 req.info.ifi_index = if_nametoindex(intf);
415 req.info.ifi_flags = IFF_UP;
416 req.info.ifi_change = IFF_UP;
417
418 if (send(sock, &req, req.nh.nlmsg_len, 0) < 0) {
419 pr_err("send()");
420 return -1;
421 }
422 return netlink_check_answer(sock);
423}
424
425static int ip4_route_set(int sock, uint32_t seq, const char *intf,
426 struct in_addr src, struct in_addr dst)
427{
428 struct {
429 struct nlmsghdr nh;
430 struct rtmsg rt;
431 char attrbuf[MAX_PAYLOAD];
432 } req;
433 unsigned int index = if_nametoindex(intf);
434
435 memset(&req, 0, sizeof(req));
436 req.nh.nlmsg_len = NLMSG_LENGTH(sizeof(req.rt));
437 req.nh.nlmsg_type = RTM_NEWROUTE;
438 req.nh.nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK | NLM_F_CREATE;
439 req.nh.nlmsg_seq = seq;
440 req.rt.rtm_family = AF_INET;
441 req.rt.rtm_dst_len = 32;
442 req.rt.rtm_table = RT_TABLE_MAIN;
443 req.rt.rtm_protocol = RTPROT_BOOT;
444 req.rt.rtm_scope = RT_SCOPE_LINK;
445 req.rt.rtm_type = RTN_UNICAST;
446
447 if (rtattr_pack(&req.nh, sizeof(req), RTA_DST, &dst, sizeof(dst)))
448 return -1;
449
450 if (rtattr_pack(&req.nh, sizeof(req), RTA_PREFSRC, &src, sizeof(src)))
451 return -1;
452
453 if (rtattr_pack(&req.nh, sizeof(req), RTA_OIF, &index, sizeof(index)))
454 return -1;
455
456 if (send(sock, &req, req.nh.nlmsg_len, 0) < 0) {
457 pr_err("send()");
458 return -1;
459 }
460
461 return netlink_check_answer(sock);
462}
463
464static int tunnel_set_route(int route_sock, uint32_t *route_seq, char *veth,
465 struct in_addr tunsrc, struct in_addr tundst)
466{
467 if (ip4_addr_set(route_sock, (*route_seq)++, "lo",
468 tunsrc, PREFIX_LEN)) {
469 printk("Failed to set ipv4 addr");
470 return -1;
471 }
472
473 if (ip4_route_set(route_sock, (*route_seq)++, veth, tunsrc, tundst)) {
474 printk("Failed to set ipv4 route");
475 return -1;
476 }
477
478 return 0;
479}
480
481static int init_child(int nsfd, char *veth, unsigned int src, unsigned int dst)
482{
483 struct in_addr intsrc = inet_makeaddr(INADDR_B, src);
484 struct in_addr tunsrc = inet_makeaddr(INADDR_A, src);
485 struct in_addr tundst = inet_makeaddr(INADDR_A, dst);
486 int route_sock = -1, ret = -1;
487 uint32_t route_seq;
488
489 if (switch_ns(nsfd))
490 return -1;
491
492 if (netlink_sock(&route_sock, &route_seq, NETLINK_ROUTE)) {
493 printk("Failed to open netlink route socket in child");
494 return -1;
495 }
496
497 if (ip4_addr_set(route_sock, route_seq++, veth, intsrc, PREFIX_LEN)) {
498 printk("Failed to set ipv4 addr");
499 goto err;
500 }
501
502 if (link_set_up(route_sock, route_seq++, veth)) {
503 printk("Failed to bring up %s", veth);
504 goto err;
505 }
506
507 if (tunnel_set_route(route_sock, &route_seq, veth, tunsrc, tundst)) {
508 printk("Failed to add tunnel route on %s", veth);
509 goto err;
510 }
511 ret = 0;
512
513err:
514 close(route_sock);
515 return ret;
516}
517
518#define ALGO_LEN 64
519enum desc_type {
520 CREATE_TUNNEL = 0,
521 ALLOCATE_SPI,
522 MONITOR_ACQUIRE,
523 EXPIRE_STATE,
524 EXPIRE_POLICY,
525 SPDINFO_ATTRS,
526};
527const char *desc_name[] = {
528 "create tunnel",
529 "alloc spi",
530 "monitor acquire",
531 "expire state",
532 "expire policy",
533 "spdinfo attributes",
534 ""
535};
536struct xfrm_desc {
537 enum desc_type type;
538 uint8_t proto;
539 char a_algo[ALGO_LEN];
540 char e_algo[ALGO_LEN];
541 char c_algo[ALGO_LEN];
542 char ae_algo[ALGO_LEN];
543 unsigned int icv_len;
544 /* unsigned key_len; */
545};
546
547enum msg_type {
548 MSG_ACK = 0,
549 MSG_EXIT,
550 MSG_PING,
551 MSG_XFRM_PREPARE,
552 MSG_XFRM_ADD,
553 MSG_XFRM_DEL,
554 MSG_XFRM_CLEANUP,
555};
556
557struct test_desc {
558 enum msg_type type;
559 union {
560 struct {
561 in_addr_t reply_ip;
562 unsigned int port;
563 } ping;
564 struct xfrm_desc xfrm_desc;
565 } body;
566};
567
568struct test_result {
569 struct xfrm_desc desc;
570 unsigned int res;
571};
572
573static void write_test_result(unsigned int res, struct xfrm_desc *d)
574{
575 struct test_result tr = {};
576 ssize_t ret;
577
578 tr.desc = *d;
579 tr.res = res;
580
581 ret = write(results_fd[1], &tr, sizeof(tr));
582 if (ret != sizeof(tr))
583 pr_err("Failed to write the result in pipe %zd", ret);
584}
585
586static void write_msg(int fd, struct test_desc *msg, bool exit_of_fail)
587{
588 ssize_t bytes = write(fd, msg, sizeof(*msg));
589
590 /* Make sure that write/read is atomic to a pipe */
591 BUILD_BUG_ON(sizeof(struct test_desc) > PIPE_BUF);
592
593 if (bytes < 0) {
594 pr_err("write()");
595 if (exit_of_fail)
596 exit(KSFT_FAIL);
597 }
598 if (bytes != sizeof(*msg)) {
599 pr_err("sent part of the message %zd/%zu", bytes, sizeof(*msg));
600 if (exit_of_fail)
601 exit(KSFT_FAIL);
602 }
603}
604
605static void read_msg(int fd, struct test_desc *msg, bool exit_of_fail)
606{
607 ssize_t bytes = read(fd, msg, sizeof(*msg));
608
609 if (bytes < 0) {
610 pr_err("read()");
611 if (exit_of_fail)
612 exit(KSFT_FAIL);
613 }
614 if (bytes != sizeof(*msg)) {
615 pr_err("got incomplete message %zd/%zu", bytes, sizeof(*msg));
616 if (exit_of_fail)
617 exit(KSFT_FAIL);
618 }
619}
620
621static int udp_ping_init(struct in_addr listen_ip, unsigned int u_timeout,
622 unsigned int *server_port, int sock[2])
623{
624 struct sockaddr_in server;
625 struct timeval t = { .tv_sec = 0, .tv_usec = u_timeout };
626 socklen_t s_len = sizeof(server);
627
628 sock[0] = socket(AF_INET, SOCK_DGRAM, 0);
629 if (sock[0] < 0) {
630 pr_err("socket()");
631 return -1;
632 }
633
634 server.sin_family = AF_INET;
635 server.sin_port = 0;
636 memcpy(&server.sin_addr.s_addr, &listen_ip, sizeof(struct in_addr));
637
638 if (bind(sock[0], (struct sockaddr *)&server, s_len)) {
639 pr_err("bind()");
640 goto err_close_server;
641 }
642
643 if (getsockname(sock[0], (struct sockaddr *)&server, &s_len)) {
644 pr_err("getsockname()");
645 goto err_close_server;
646 }
647
648 *server_port = ntohs(server.sin_port);
649
650 if (setsockopt(sock[0], SOL_SOCKET, SO_RCVTIMEO, (const char *)&t, sizeof t)) {
651 pr_err("setsockopt()");
652 goto err_close_server;
653 }
654
655 sock[1] = socket(AF_INET, SOCK_DGRAM, 0);
656 if (sock[1] < 0) {
657 pr_err("socket()");
658 goto err_close_server;
659 }
660
661 return 0;
662
663err_close_server:
664 close(sock[0]);
665 return -1;
666}
667
668static int udp_ping_send(int sock[2], in_addr_t dest_ip, unsigned int port,
669 char *buf, size_t buf_len)
670{
671 struct sockaddr_in server;
672 const struct sockaddr *dest_addr = (struct sockaddr *)&server;
673 char *sock_buf[buf_len];
674 ssize_t r_bytes, s_bytes;
675
676 server.sin_family = AF_INET;
677 server.sin_port = htons(port);
678 server.sin_addr.s_addr = dest_ip;
679
680 s_bytes = sendto(sock[1], buf, buf_len, 0, dest_addr, sizeof(server));
681 if (s_bytes < 0) {
682 pr_err("sendto()");
683 return -1;
684 } else if (s_bytes != buf_len) {
685 printk("send part of the message: %zd/%zu", s_bytes, sizeof(server));
686 return -1;
687 }
688
689 r_bytes = recv(sock[0], sock_buf, buf_len, 0);
690 if (r_bytes < 0) {
691 if (errno != EAGAIN)
692 pr_err("recv()");
693 return -1;
694 } else if (r_bytes == 0) { /* EOF */
695 printk("EOF on reply to ping");
696 return -1;
697 } else if (r_bytes != buf_len || memcmp(buf, sock_buf, buf_len)) {
698 printk("ping reply packet is corrupted %zd/%zu", r_bytes, buf_len);
699 return -1;
700 }
701
702 return 0;
703}
704
705static int udp_ping_reply(int sock[2], in_addr_t dest_ip, unsigned int port,
706 char *buf, size_t buf_len)
707{
708 struct sockaddr_in server;
709 const struct sockaddr *dest_addr = (struct sockaddr *)&server;
710 char *sock_buf[buf_len];
711 ssize_t r_bytes, s_bytes;
712
713 server.sin_family = AF_INET;
714 server.sin_port = htons(port);
715 server.sin_addr.s_addr = dest_ip;
716
717 r_bytes = recv(sock[0], sock_buf, buf_len, 0);
718 if (r_bytes < 0) {
719 if (errno != EAGAIN)
720 pr_err("recv()");
721 return -1;
722 }
723 if (r_bytes == 0) { /* EOF */
724 printk("EOF on reply to ping");
725 return -1;
726 }
727 if (r_bytes != buf_len || memcmp(buf, sock_buf, buf_len)) {
728 printk("ping reply packet is corrupted %zd/%zu", r_bytes, buf_len);
729 return -1;
730 }
731
732 s_bytes = sendto(sock[1], buf, buf_len, 0, dest_addr, sizeof(server));
733 if (s_bytes < 0) {
734 pr_err("sendto()");
735 return -1;
736 } else if (s_bytes != buf_len) {
737 printk("send part of the message: %zd/%zu", s_bytes, sizeof(server));
738 return -1;
739 }
740
741 return 0;
742}
743
744typedef int (*ping_f)(int sock[2], in_addr_t dest_ip, unsigned int port,
745 char *buf, size_t buf_len);
746static int do_ping(int cmd_fd, char *buf, size_t buf_len, struct in_addr from,
747 bool init_side, int d_port, in_addr_t to, ping_f func)
748{
749 struct test_desc msg;
750 unsigned int s_port, i, ping_succeeded = 0;
751 int ping_sock[2];
752 char to_str[IPV4_STR_SZ] = {}, from_str[IPV4_STR_SZ] = {};
753
754 if (udp_ping_init(from, ping_timeout, &s_port, ping_sock)) {
755 printk("Failed to init ping");
756 return -1;
757 }
758
759 memset(&msg, 0, sizeof(msg));
760 msg.type = MSG_PING;
761 msg.body.ping.port = s_port;
762 memcpy(&msg.body.ping.reply_ip, &from, sizeof(from));
763
764 write_msg(cmd_fd, &msg, 0);
765 if (init_side) {
766 /* The other end sends ip to ping */
767 read_msg(cmd_fd, &msg, 0);
768 if (msg.type != MSG_PING)
769 return -1;
770 to = msg.body.ping.reply_ip;
771 d_port = msg.body.ping.port;
772 }
773
774 for (i = 0; i < ping_count ; i++) {
775 struct timespec sleep_time = {
776 .tv_sec = 0,
777 .tv_nsec = ping_delay_nsec,
778 };
779
780 ping_succeeded += !func(ping_sock, to, d_port, buf, page_size);
781 nanosleep(&sleep_time, 0);
782 }
783
784 close(ping_sock[0]);
785 close(ping_sock[1]);
786
787 strncpy(to_str, inet_ntoa(*(struct in_addr *)&to), IPV4_STR_SZ - 1);
788 strncpy(from_str, inet_ntoa(from), IPV4_STR_SZ - 1);
789
790 if (ping_succeeded < ping_success) {
791 printk("ping (%s) %s->%s failed %u/%u times",
792 init_side ? "send" : "reply", from_str, to_str,
793 ping_count - ping_succeeded, ping_count);
794 return -1;
795 }
796
797#ifdef DEBUG
798 printk("ping (%s) %s->%s succeeded %u/%u times",
799 init_side ? "send" : "reply", from_str, to_str,
800 ping_succeeded, ping_count);
801#endif
802
803 return 0;
804}
805
806static int xfrm_fill_key(char *name, char *buf,
807 size_t buf_len, unsigned int *key_len)
808{
809 int i;
810
811 for (i = 0; i < XFRM_ALGO_NR_KEYS; i++) {
812 if (strncmp(name, xfrm_key_entries[i].algo_name, ALGO_LEN) == 0)
813 *key_len = xfrm_key_entries[i].key_len;
814 }
815
816 if (*key_len > buf_len) {
817 printk("Can't pack a key - too big for buffer");
818 return -1;
819 }
820
821 randomize_buffer(buf, *key_len);
822
823 return 0;
824}
825
826static int xfrm_state_pack_algo(struct nlmsghdr *nh, size_t req_sz,
827 struct xfrm_desc *desc)
828{
829 struct {
830 union {
831 struct xfrm_algo alg;
832 struct xfrm_algo_aead aead;
833 struct xfrm_algo_auth auth;
834 } u;
835 char buf[XFRM_ALGO_KEY_BUF_SIZE];
836 } alg = {};
837 size_t alen, elen, clen, aelen;
838 unsigned short type;
839
840 alen = strlen(desc->a_algo);
841 elen = strlen(desc->e_algo);
842 clen = strlen(desc->c_algo);
843 aelen = strlen(desc->ae_algo);
844
845 /* Verify desc */
846 switch (desc->proto) {
847 case IPPROTO_AH:
848 if (!alen || elen || clen || aelen) {
849 printk("BUG: buggy ah desc");
850 return -1;
851 }
852 strncpy(alg.u.alg.alg_name, desc->a_algo, ALGO_LEN - 1);
853 if (xfrm_fill_key(desc->a_algo, alg.u.alg.alg_key,
854 sizeof(alg.buf), &alg.u.alg.alg_key_len))
855 return -1;
856 type = XFRMA_ALG_AUTH;
857 break;
858 case IPPROTO_COMP:
859 if (!clen || elen || alen || aelen) {
860 printk("BUG: buggy comp desc");
861 return -1;
862 }
863 strncpy(alg.u.alg.alg_name, desc->c_algo, ALGO_LEN - 1);
864 if (xfrm_fill_key(desc->c_algo, alg.u.alg.alg_key,
865 sizeof(alg.buf), &alg.u.alg.alg_key_len))
866 return -1;
867 type = XFRMA_ALG_COMP;
868 break;
869 case IPPROTO_ESP:
870 if (!((alen && elen) ^ aelen) || clen) {
871 printk("BUG: buggy esp desc");
872 return -1;
873 }
874 if (aelen) {
875 alg.u.aead.alg_icv_len = desc->icv_len;
876 strncpy(alg.u.aead.alg_name, desc->ae_algo, ALGO_LEN - 1);
877 if (xfrm_fill_key(desc->ae_algo, alg.u.aead.alg_key,
878 sizeof(alg.buf), &alg.u.aead.alg_key_len))
879 return -1;
880 type = XFRMA_ALG_AEAD;
881 } else {
882
883 strncpy(alg.u.alg.alg_name, desc->e_algo, ALGO_LEN - 1);
884 type = XFRMA_ALG_CRYPT;
885 if (xfrm_fill_key(desc->e_algo, alg.u.alg.alg_key,
886 sizeof(alg.buf), &alg.u.alg.alg_key_len))
887 return -1;
888 if (rtattr_pack(nh, req_sz, type, &alg, sizeof(alg)))
889 return -1;
890
891 strncpy(alg.u.alg.alg_name, desc->a_algo, ALGO_LEN);
892 type = XFRMA_ALG_AUTH;
893 if (xfrm_fill_key(desc->a_algo, alg.u.alg.alg_key,
894 sizeof(alg.buf), &alg.u.alg.alg_key_len))
895 return -1;
896 }
897 break;
898 default:
899 printk("BUG: unknown proto in desc");
900 return -1;
901 }
902
903 if (rtattr_pack(nh, req_sz, type, &alg, sizeof(alg)))
904 return -1;
905
906 return 0;
907}
908
909static inline uint32_t gen_spi(struct in_addr src)
910{
911 return htonl(inet_lnaof(src));
912}
913
914static int xfrm_state_add(int xfrm_sock, uint32_t seq, uint32_t spi,
915 struct in_addr src, struct in_addr dst,
916 struct xfrm_desc *desc)
917{
918 struct {
919 struct nlmsghdr nh;
920 struct xfrm_usersa_info info;
921 char attrbuf[MAX_PAYLOAD];
922 } req;
923
924 memset(&req, 0, sizeof(req));
925 req.nh.nlmsg_len = NLMSG_LENGTH(sizeof(req.info));
926 req.nh.nlmsg_type = XFRM_MSG_NEWSA;
927 req.nh.nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
928 req.nh.nlmsg_seq = seq;
929
930 /* Fill selector. */
931 memcpy(&req.info.sel.daddr, &dst, sizeof(dst));
932 memcpy(&req.info.sel.saddr, &src, sizeof(src));
933 req.info.sel.family = AF_INET;
934 req.info.sel.prefixlen_d = PREFIX_LEN;
935 req.info.sel.prefixlen_s = PREFIX_LEN;
936
937 /* Fill id */
938 memcpy(&req.info.id.daddr, &dst, sizeof(dst));
939 /* Note: zero-spi cannot be deleted */
940 req.info.id.spi = spi;
941 req.info.id.proto = desc->proto;
942
943 memcpy(&req.info.saddr, &src, sizeof(src));
944
945 /* Fill lifteme_cfg */
946 req.info.lft.soft_byte_limit = XFRM_INF;
947 req.info.lft.hard_byte_limit = XFRM_INF;
948 req.info.lft.soft_packet_limit = XFRM_INF;
949 req.info.lft.hard_packet_limit = XFRM_INF;
950
951 req.info.family = AF_INET;
952 req.info.mode = XFRM_MODE_TUNNEL;
953
954 if (xfrm_state_pack_algo(&req.nh, sizeof(req), desc))
955 return -1;
956
957 if (send(xfrm_sock, &req, req.nh.nlmsg_len, 0) < 0) {
958 pr_err("send()");
959 return -1;
960 }
961
962 return netlink_check_answer(xfrm_sock);
963}
964
965static bool xfrm_usersa_found(struct xfrm_usersa_info *info, uint32_t spi,
966 struct in_addr src, struct in_addr dst,
967 struct xfrm_desc *desc)
968{
969 if (memcmp(&info->sel.daddr, &dst, sizeof(dst)))
970 return false;
971
972 if (memcmp(&info->sel.saddr, &src, sizeof(src)))
973 return false;
974
975 if (info->sel.family != AF_INET ||
976 info->sel.prefixlen_d != PREFIX_LEN ||
977 info->sel.prefixlen_s != PREFIX_LEN)
978 return false;
979
980 if (info->id.spi != spi || info->id.proto != desc->proto)
981 return false;
982
983 if (memcmp(&info->id.daddr, &dst, sizeof(dst)))
984 return false;
985
986 if (memcmp(&info->saddr, &src, sizeof(src)))
987 return false;
988
989 if (info->lft.soft_byte_limit != XFRM_INF ||
990 info->lft.hard_byte_limit != XFRM_INF ||
991 info->lft.soft_packet_limit != XFRM_INF ||
992 info->lft.hard_packet_limit != XFRM_INF)
993 return false;
994
995 if (info->family != AF_INET || info->mode != XFRM_MODE_TUNNEL)
996 return false;
997
998 /* XXX: check xfrm algo, see xfrm_state_pack_algo(). */
999
1000 return true;
1001}
1002
1003static int xfrm_state_check(int xfrm_sock, uint32_t seq, uint32_t spi,
1004 struct in_addr src, struct in_addr dst,
1005 struct xfrm_desc *desc)
1006{
1007 struct {
1008 struct nlmsghdr nh;
1009 char attrbuf[MAX_PAYLOAD];
1010 } req;
1011 struct {
1012 struct nlmsghdr nh;
1013 union {
1014 struct xfrm_usersa_info info;
1015 int error;
1016 };
1017 char attrbuf[MAX_PAYLOAD];
1018 } answer;
1019 struct xfrm_address_filter filter = {};
1020 bool found = false;
1021
1022
1023 memset(&req, 0, sizeof(req));
1024 req.nh.nlmsg_len = NLMSG_LENGTH(0);
1025 req.nh.nlmsg_type = XFRM_MSG_GETSA;
1026 req.nh.nlmsg_flags = NLM_F_REQUEST | NLM_F_DUMP;
1027 req.nh.nlmsg_seq = seq;
1028
1029 /*
1030 * Add dump filter by source address as there may be other tunnels
1031 * in this netns (if tests run in parallel).
1032 */
1033 filter.family = AF_INET;
1034 filter.splen = 0x1f; /* 0xffffffff mask see addr_match() */
1035 memcpy(&filter.saddr, &src, sizeof(src));
1036 if (rtattr_pack(&req.nh, sizeof(req), XFRMA_ADDRESS_FILTER,
1037 &filter, sizeof(filter)))
1038 return -1;
1039
1040 if (send(xfrm_sock, &req, req.nh.nlmsg_len, 0) < 0) {
1041 pr_err("send()");
1042 return -1;
1043 }
1044
1045 while (1) {
1046 if (recv(xfrm_sock, &answer, sizeof(answer), 0) < 0) {
1047 pr_err("recv()");
1048 return -1;
1049 }
1050 if (answer.nh.nlmsg_type == NLMSG_ERROR) {
1051 printk("NLMSG_ERROR: %d: %s",
1052 answer.error, strerror(-answer.error));
1053 return -1;
1054 } else if (answer.nh.nlmsg_type == NLMSG_DONE) {
1055 if (found)
1056 return 0;
1057 printk("didn't find allocated xfrm state in dump");
1058 return -1;
1059 } else if (answer.nh.nlmsg_type == XFRM_MSG_NEWSA) {
1060 if (xfrm_usersa_found(&answer.info, spi, src, dst, desc))
1061 found = true;
1062 }
1063 }
1064}
1065
1066static int xfrm_set(int xfrm_sock, uint32_t *seq,
1067 struct in_addr src, struct in_addr dst,
1068 struct in_addr tunsrc, struct in_addr tundst,
1069 struct xfrm_desc *desc)
1070{
1071 int err;
1072
1073 err = xfrm_state_add(xfrm_sock, (*seq)++, gen_spi(src), src, dst, desc);
1074 if (err) {
1075 printk("Failed to add xfrm state");
1076 return -1;
1077 }
1078
1079 err = xfrm_state_add(xfrm_sock, (*seq)++, gen_spi(src), dst, src, desc);
1080 if (err) {
1081 printk("Failed to add xfrm state");
1082 return -1;
1083 }
1084
1085 /* Check dumps for XFRM_MSG_GETSA */
1086 err = xfrm_state_check(xfrm_sock, (*seq)++, gen_spi(src), src, dst, desc);
1087 err |= xfrm_state_check(xfrm_sock, (*seq)++, gen_spi(src), dst, src, desc);
1088 if (err) {
1089 printk("Failed to check xfrm state");
1090 return -1;
1091 }
1092
1093 return 0;
1094}
1095
1096static int xfrm_policy_add(int xfrm_sock, uint32_t seq, uint32_t spi,
1097 struct in_addr src, struct in_addr dst, uint8_t dir,
1098 struct in_addr tunsrc, struct in_addr tundst, uint8_t proto)
1099{
1100 struct {
1101 struct nlmsghdr nh;
1102 struct xfrm_userpolicy_info info;
1103 char attrbuf[MAX_PAYLOAD];
1104 } req;
1105 struct xfrm_user_tmpl tmpl;
1106
1107 memset(&req, 0, sizeof(req));
1108 memset(&tmpl, 0, sizeof(tmpl));
1109 req.nh.nlmsg_len = NLMSG_LENGTH(sizeof(req.info));
1110 req.nh.nlmsg_type = XFRM_MSG_NEWPOLICY;
1111 req.nh.nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
1112 req.nh.nlmsg_seq = seq;
1113
1114 /* Fill selector. */
1115 memcpy(&req.info.sel.daddr, &dst, sizeof(tundst));
1116 memcpy(&req.info.sel.saddr, &src, sizeof(tunsrc));
1117 req.info.sel.family = AF_INET;
1118 req.info.sel.prefixlen_d = PREFIX_LEN;
1119 req.info.sel.prefixlen_s = PREFIX_LEN;
1120
1121 /* Fill lifteme_cfg */
1122 req.info.lft.soft_byte_limit = XFRM_INF;
1123 req.info.lft.hard_byte_limit = XFRM_INF;
1124 req.info.lft.soft_packet_limit = XFRM_INF;
1125 req.info.lft.hard_packet_limit = XFRM_INF;
1126
1127 req.info.dir = dir;
1128
1129 /* Fill tmpl */
1130 memcpy(&tmpl.id.daddr, &dst, sizeof(dst));
1131 /* Note: zero-spi cannot be deleted */
1132 tmpl.id.spi = spi;
1133 tmpl.id.proto = proto;
1134 tmpl.family = AF_INET;
1135 memcpy(&tmpl.saddr, &src, sizeof(src));
1136 tmpl.mode = XFRM_MODE_TUNNEL;
1137 tmpl.aalgos = (~(uint32_t)0);
1138 tmpl.ealgos = (~(uint32_t)0);
1139 tmpl.calgos = (~(uint32_t)0);
1140
1141 if (rtattr_pack(&req.nh, sizeof(req), XFRMA_TMPL, &tmpl, sizeof(tmpl)))
1142 return -1;
1143
1144 if (send(xfrm_sock, &req, req.nh.nlmsg_len, 0) < 0) {
1145 pr_err("send()");
1146 return -1;
1147 }
1148
1149 return netlink_check_answer(xfrm_sock);
1150}
1151
1152static int xfrm_prepare(int xfrm_sock, uint32_t *seq,
1153 struct in_addr src, struct in_addr dst,
1154 struct in_addr tunsrc, struct in_addr tundst, uint8_t proto)
1155{
1156 if (xfrm_policy_add(xfrm_sock, (*seq)++, gen_spi(src), src, dst,
1157 XFRM_POLICY_OUT, tunsrc, tundst, proto)) {
1158 printk("Failed to add xfrm policy");
1159 return -1;
1160 }
1161
1162 if (xfrm_policy_add(xfrm_sock, (*seq)++, gen_spi(src), dst, src,
1163 XFRM_POLICY_IN, tunsrc, tundst, proto)) {
1164 printk("Failed to add xfrm policy");
1165 return -1;
1166 }
1167
1168 return 0;
1169}
1170
1171static int xfrm_policy_del(int xfrm_sock, uint32_t seq,
1172 struct in_addr src, struct in_addr dst, uint8_t dir,
1173 struct in_addr tunsrc, struct in_addr tundst)
1174{
1175 struct {
1176 struct nlmsghdr nh;
1177 struct xfrm_userpolicy_id id;
1178 char attrbuf[MAX_PAYLOAD];
1179 } req;
1180
1181 memset(&req, 0, sizeof(req));
1182 req.nh.nlmsg_len = NLMSG_LENGTH(sizeof(req.id));
1183 req.nh.nlmsg_type = XFRM_MSG_DELPOLICY;
1184 req.nh.nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
1185 req.nh.nlmsg_seq = seq;
1186
1187 /* Fill id */
1188 memcpy(&req.id.sel.daddr, &dst, sizeof(tundst));
1189 memcpy(&req.id.sel.saddr, &src, sizeof(tunsrc));
1190 req.id.sel.family = AF_INET;
1191 req.id.sel.prefixlen_d = PREFIX_LEN;
1192 req.id.sel.prefixlen_s = PREFIX_LEN;
1193 req.id.dir = dir;
1194
1195 if (send(xfrm_sock, &req, req.nh.nlmsg_len, 0) < 0) {
1196 pr_err("send()");
1197 return -1;
1198 }
1199
1200 return netlink_check_answer(xfrm_sock);
1201}
1202
1203static int xfrm_cleanup(int xfrm_sock, uint32_t *seq,
1204 struct in_addr src, struct in_addr dst,
1205 struct in_addr tunsrc, struct in_addr tundst)
1206{
1207 if (xfrm_policy_del(xfrm_sock, (*seq)++, src, dst,
1208 XFRM_POLICY_OUT, tunsrc, tundst)) {
1209 printk("Failed to add xfrm policy");
1210 return -1;
1211 }
1212
1213 if (xfrm_policy_del(xfrm_sock, (*seq)++, dst, src,
1214 XFRM_POLICY_IN, tunsrc, tundst)) {
1215 printk("Failed to add xfrm policy");
1216 return -1;
1217 }
1218
1219 return 0;
1220}
1221
1222static int xfrm_state_del(int xfrm_sock, uint32_t seq, uint32_t spi,
1223 struct in_addr src, struct in_addr dst, uint8_t proto)
1224{
1225 struct {
1226 struct nlmsghdr nh;
1227 struct xfrm_usersa_id id;
1228 char attrbuf[MAX_PAYLOAD];
1229 } req;
1230 xfrm_address_t saddr = {};
1231
1232 memset(&req, 0, sizeof(req));
1233 req.nh.nlmsg_len = NLMSG_LENGTH(sizeof(req.id));
1234 req.nh.nlmsg_type = XFRM_MSG_DELSA;
1235 req.nh.nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
1236 req.nh.nlmsg_seq = seq;
1237
1238 memcpy(&req.id.daddr, &dst, sizeof(dst));
1239 req.id.family = AF_INET;
1240 req.id.proto = proto;
1241 /* Note: zero-spi cannot be deleted */
1242 req.id.spi = spi;
1243
1244 memcpy(&saddr, &src, sizeof(src));
1245 if (rtattr_pack(&req.nh, sizeof(req), XFRMA_SRCADDR, &saddr, sizeof(saddr)))
1246 return -1;
1247
1248 if (send(xfrm_sock, &req, req.nh.nlmsg_len, 0) < 0) {
1249 pr_err("send()");
1250 return -1;
1251 }
1252
1253 return netlink_check_answer(xfrm_sock);
1254}
1255
1256static int xfrm_delete(int xfrm_sock, uint32_t *seq,
1257 struct in_addr src, struct in_addr dst,
1258 struct in_addr tunsrc, struct in_addr tundst, uint8_t proto)
1259{
1260 if (xfrm_state_del(xfrm_sock, (*seq)++, gen_spi(src), src, dst, proto)) {
1261 printk("Failed to remove xfrm state");
1262 return -1;
1263 }
1264
1265 if (xfrm_state_del(xfrm_sock, (*seq)++, gen_spi(src), dst, src, proto)) {
1266 printk("Failed to remove xfrm state");
1267 return -1;
1268 }
1269
1270 return 0;
1271}
1272
1273static int xfrm_state_allocspi(int xfrm_sock, uint32_t *seq,
1274 uint32_t spi, uint8_t proto)
1275{
1276 struct {
1277 struct nlmsghdr nh;
1278 struct xfrm_userspi_info spi;
1279 } req;
1280 struct {
1281 struct nlmsghdr nh;
1282 union {
1283 struct xfrm_usersa_info info;
1284 int error;
1285 };
1286 } answer;
1287
1288 memset(&req, 0, sizeof(req));
1289 req.nh.nlmsg_len = NLMSG_LENGTH(sizeof(req.spi));
1290 req.nh.nlmsg_type = XFRM_MSG_ALLOCSPI;
1291 req.nh.nlmsg_flags = NLM_F_REQUEST;
1292 req.nh.nlmsg_seq = (*seq)++;
1293
1294 req.spi.info.family = AF_INET;
1295 req.spi.min = spi;
1296 req.spi.max = spi;
1297 req.spi.info.id.proto = proto;
1298
1299 if (send(xfrm_sock, &req, req.nh.nlmsg_len, 0) < 0) {
1300 pr_err("send()");
1301 return KSFT_FAIL;
1302 }
1303
1304 if (recv(xfrm_sock, &answer, sizeof(answer), 0) < 0) {
1305 pr_err("recv()");
1306 return KSFT_FAIL;
1307 } else if (answer.nh.nlmsg_type == XFRM_MSG_NEWSA) {
1308 uint32_t new_spi = htonl(answer.info.id.spi);
1309
1310 if (new_spi != spi) {
1311 printk("allocated spi is different from requested: %#x != %#x",
1312 new_spi, spi);
1313 return KSFT_FAIL;
1314 }
1315 return KSFT_PASS;
1316 } else if (answer.nh.nlmsg_type != NLMSG_ERROR) {
1317 printk("expected NLMSG_ERROR, got %d", (int)answer.nh.nlmsg_type);
1318 return KSFT_FAIL;
1319 }
1320
1321 printk("NLMSG_ERROR: %d: %s", answer.error, strerror(-answer.error));
1322 return (answer.error) ? KSFT_FAIL : KSFT_PASS;
1323}
1324
1325static int netlink_sock_bind(int *sock, uint32_t *seq, int proto, uint32_t groups)
1326{
1327 struct sockaddr_nl snl = {};
1328 socklen_t addr_len;
1329 int ret = -1;
1330
1331 snl.nl_family = AF_NETLINK;
1332 snl.nl_groups = groups;
1333
1334 if (netlink_sock(sock, seq, proto)) {
1335 printk("Failed to open xfrm netlink socket");
1336 return -1;
1337 }
1338
1339 if (bind(*sock, (struct sockaddr *)&snl, sizeof(snl)) < 0) {
1340 pr_err("bind()");
1341 goto out_close;
1342 }
1343
1344 addr_len = sizeof(snl);
1345 if (getsockname(*sock, (struct sockaddr *)&snl, &addr_len) < 0) {
1346 pr_err("getsockname()");
1347 goto out_close;
1348 }
1349 if (addr_len != sizeof(snl)) {
1350 printk("Wrong address length %d", addr_len);
1351 goto out_close;
1352 }
1353 if (snl.nl_family != AF_NETLINK) {
1354 printk("Wrong address family %d", snl.nl_family);
1355 goto out_close;
1356 }
1357 return 0;
1358
1359out_close:
1360 close(*sock);
1361 return ret;
1362}
1363
1364static int xfrm_monitor_acquire(int xfrm_sock, uint32_t *seq, unsigned int nr)
1365{
1366 struct {
1367 struct nlmsghdr nh;
1368 union {
1369 struct xfrm_user_acquire acq;
1370 int error;
1371 };
1372 char attrbuf[MAX_PAYLOAD];
1373 } req;
1374 struct xfrm_user_tmpl xfrm_tmpl = {};
1375 int xfrm_listen = -1, ret = KSFT_FAIL;
1376 uint32_t seq_listen;
1377
1378 if (netlink_sock_bind(&xfrm_listen, &seq_listen, NETLINK_XFRM, XFRMNLGRP_ACQUIRE))
1379 return KSFT_FAIL;
1380
1381 memset(&req, 0, sizeof(req));
1382 req.nh.nlmsg_len = NLMSG_LENGTH(sizeof(req.acq));
1383 req.nh.nlmsg_type = XFRM_MSG_ACQUIRE;
1384 req.nh.nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
1385 req.nh.nlmsg_seq = (*seq)++;
1386
1387 req.acq.policy.sel.family = AF_INET;
1388 req.acq.aalgos = 0xfeed;
1389 req.acq.ealgos = 0xbaad;
1390 req.acq.calgos = 0xbabe;
1391
1392 xfrm_tmpl.family = AF_INET;
1393 xfrm_tmpl.id.proto = IPPROTO_ESP;
1394 if (rtattr_pack(&req.nh, sizeof(req), XFRMA_TMPL, &xfrm_tmpl, sizeof(xfrm_tmpl)))
1395 goto out_close;
1396
1397 if (send(xfrm_sock, &req, req.nh.nlmsg_len, 0) < 0) {
1398 pr_err("send()");
1399 goto out_close;
1400 }
1401
1402 if (recv(xfrm_sock, &req, sizeof(req), 0) < 0) {
1403 pr_err("recv()");
1404 goto out_close;
1405 } else if (req.nh.nlmsg_type != NLMSG_ERROR) {
1406 printk("expected NLMSG_ERROR, got %d", (int)req.nh.nlmsg_type);
1407 goto out_close;
1408 }
1409
1410 if (req.error) {
1411 printk("NLMSG_ERROR: %d: %s", req.error, strerror(-req.error));
1412 ret = req.error;
1413 goto out_close;
1414 }
1415
1416 if (recv(xfrm_listen, &req, sizeof(req), 0) < 0) {
1417 pr_err("recv()");
1418 goto out_close;
1419 }
1420
1421 if (req.acq.aalgos != 0xfeed || req.acq.ealgos != 0xbaad
1422 || req.acq.calgos != 0xbabe) {
1423 printk("xfrm_user_acquire has changed %x %x %x",
1424 req.acq.aalgos, req.acq.ealgos, req.acq.calgos);
1425 goto out_close;
1426 }
1427
1428 ret = KSFT_PASS;
1429out_close:
1430 close(xfrm_listen);
1431 return ret;
1432}
1433
1434static int xfrm_expire_state(int xfrm_sock, uint32_t *seq,
1435 unsigned int nr, struct xfrm_desc *desc)
1436{
1437 struct {
1438 struct nlmsghdr nh;
1439 union {
1440 struct xfrm_user_expire expire;
1441 int error;
1442 };
1443 } req;
1444 struct in_addr src, dst;
1445 int xfrm_listen = -1, ret = KSFT_FAIL;
1446 uint32_t seq_listen;
1447
1448 src = inet_makeaddr(INADDR_B, child_ip(nr));
1449 dst = inet_makeaddr(INADDR_B, grchild_ip(nr));
1450
1451 if (xfrm_state_add(xfrm_sock, (*seq)++, gen_spi(src), src, dst, desc)) {
1452 printk("Failed to add xfrm state");
1453 return KSFT_FAIL;
1454 }
1455
1456 if (netlink_sock_bind(&xfrm_listen, &seq_listen, NETLINK_XFRM, XFRMNLGRP_EXPIRE))
1457 return KSFT_FAIL;
1458
1459 memset(&req, 0, sizeof(req));
1460 req.nh.nlmsg_len = NLMSG_LENGTH(sizeof(req.expire));
1461 req.nh.nlmsg_type = XFRM_MSG_EXPIRE;
1462 req.nh.nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
1463 req.nh.nlmsg_seq = (*seq)++;
1464
1465 memcpy(&req.expire.state.id.daddr, &dst, sizeof(dst));
1466 req.expire.state.id.spi = gen_spi(src);
1467 req.expire.state.id.proto = desc->proto;
1468 req.expire.state.family = AF_INET;
1469 req.expire.hard = 0xff;
1470
1471 if (send(xfrm_sock, &req, req.nh.nlmsg_len, 0) < 0) {
1472 pr_err("send()");
1473 goto out_close;
1474 }
1475
1476 if (recv(xfrm_sock, &req, sizeof(req), 0) < 0) {
1477 pr_err("recv()");
1478 goto out_close;
1479 } else if (req.nh.nlmsg_type != NLMSG_ERROR) {
1480 printk("expected NLMSG_ERROR, got %d", (int)req.nh.nlmsg_type);
1481 goto out_close;
1482 }
1483
1484 if (req.error) {
1485 printk("NLMSG_ERROR: %d: %s", req.error, strerror(-req.error));
1486 ret = req.error;
1487 goto out_close;
1488 }
1489
1490 if (recv(xfrm_listen, &req, sizeof(req), 0) < 0) {
1491 pr_err("recv()");
1492 goto out_close;
1493 }
1494
1495 if (req.expire.hard != 0x1) {
1496 printk("expire.hard is not set: %x", req.expire.hard);
1497 goto out_close;
1498 }
1499
1500 ret = KSFT_PASS;
1501out_close:
1502 close(xfrm_listen);
1503 return ret;
1504}
1505
1506static int xfrm_expire_policy(int xfrm_sock, uint32_t *seq,
1507 unsigned int nr, struct xfrm_desc *desc)
1508{
1509 struct {
1510 struct nlmsghdr nh;
1511 union {
1512 struct xfrm_user_polexpire expire;
1513 int error;
1514 };
1515 } req;
1516 struct in_addr src, dst, tunsrc, tundst;
1517 int xfrm_listen = -1, ret = KSFT_FAIL;
1518 uint32_t seq_listen;
1519
1520 src = inet_makeaddr(INADDR_B, child_ip(nr));
1521 dst = inet_makeaddr(INADDR_B, grchild_ip(nr));
1522 tunsrc = inet_makeaddr(INADDR_A, child_ip(nr));
1523 tundst = inet_makeaddr(INADDR_A, grchild_ip(nr));
1524
1525 if (xfrm_policy_add(xfrm_sock, (*seq)++, gen_spi(src), src, dst,
1526 XFRM_POLICY_OUT, tunsrc, tundst, desc->proto)) {
1527 printk("Failed to add xfrm policy");
1528 return KSFT_FAIL;
1529 }
1530
1531 if (netlink_sock_bind(&xfrm_listen, &seq_listen, NETLINK_XFRM, XFRMNLGRP_EXPIRE))
1532 return KSFT_FAIL;
1533
1534 memset(&req, 0, sizeof(req));
1535 req.nh.nlmsg_len = NLMSG_LENGTH(sizeof(req.expire));
1536 req.nh.nlmsg_type = XFRM_MSG_POLEXPIRE;
1537 req.nh.nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
1538 req.nh.nlmsg_seq = (*seq)++;
1539
1540 /* Fill selector. */
1541 memcpy(&req.expire.pol.sel.daddr, &dst, sizeof(tundst));
1542 memcpy(&req.expire.pol.sel.saddr, &src, sizeof(tunsrc));
1543 req.expire.pol.sel.family = AF_INET;
1544 req.expire.pol.sel.prefixlen_d = PREFIX_LEN;
1545 req.expire.pol.sel.prefixlen_s = PREFIX_LEN;
1546 req.expire.pol.dir = XFRM_POLICY_OUT;
1547 req.expire.hard = 0xff;
1548
1549 if (send(xfrm_sock, &req, req.nh.nlmsg_len, 0) < 0) {
1550 pr_err("send()");
1551 goto out_close;
1552 }
1553
1554 if (recv(xfrm_sock, &req, sizeof(req), 0) < 0) {
1555 pr_err("recv()");
1556 goto out_close;
1557 } else if (req.nh.nlmsg_type != NLMSG_ERROR) {
1558 printk("expected NLMSG_ERROR, got %d", (int)req.nh.nlmsg_type);
1559 goto out_close;
1560 }
1561
1562 if (req.error) {
1563 printk("NLMSG_ERROR: %d: %s", req.error, strerror(-req.error));
1564 ret = req.error;
1565 goto out_close;
1566 }
1567
1568 if (recv(xfrm_listen, &req, sizeof(req), 0) < 0) {
1569 pr_err("recv()");
1570 goto out_close;
1571 }
1572
1573 if (req.expire.hard != 0x1) {
1574 printk("expire.hard is not set: %x", req.expire.hard);
1575 goto out_close;
1576 }
1577
1578 ret = KSFT_PASS;
1579out_close:
1580 close(xfrm_listen);
1581 return ret;
1582}
1583
1584static int xfrm_spdinfo_set_thresh(int xfrm_sock, uint32_t *seq,
1585 unsigned thresh4_l, unsigned thresh4_r,
1586 unsigned thresh6_l, unsigned thresh6_r,
1587 bool add_bad_attr)
1588
1589{
1590 struct {
1591 struct nlmsghdr nh;
1592 union {
1593 uint32_t unused;
1594 int error;
1595 };
1596 char attrbuf[MAX_PAYLOAD];
1597 } req;
1598 struct xfrmu_spdhthresh thresh;
1599
1600 memset(&req, 0, sizeof(req));
1601 req.nh.nlmsg_len = NLMSG_LENGTH(sizeof(req.unused));
1602 req.nh.nlmsg_type = XFRM_MSG_NEWSPDINFO;
1603 req.nh.nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
1604 req.nh.nlmsg_seq = (*seq)++;
1605
1606 thresh.lbits = thresh4_l;
1607 thresh.rbits = thresh4_r;
1608 if (rtattr_pack(&req.nh, sizeof(req), XFRMA_SPD_IPV4_HTHRESH, &thresh, sizeof(thresh)))
1609 return -1;
1610
1611 thresh.lbits = thresh6_l;
1612 thresh.rbits = thresh6_r;
1613 if (rtattr_pack(&req.nh, sizeof(req), XFRMA_SPD_IPV6_HTHRESH, &thresh, sizeof(thresh)))
1614 return -1;
1615
1616 if (add_bad_attr) {
1617 BUILD_BUG_ON(XFRMA_IF_ID <= XFRMA_SPD_MAX + 1);
1618 if (rtattr_pack(&req.nh, sizeof(req), XFRMA_IF_ID, NULL, 0)) {
1619 pr_err("adding attribute failed: no space");
1620 return -1;
1621 }
1622 }
1623
1624 if (send(xfrm_sock, &req, req.nh.nlmsg_len, 0) < 0) {
1625 pr_err("send()");
1626 return -1;
1627 }
1628
1629 if (recv(xfrm_sock, &req, sizeof(req), 0) < 0) {
1630 pr_err("recv()");
1631 return -1;
1632 } else if (req.nh.nlmsg_type != NLMSG_ERROR) {
1633 printk("expected NLMSG_ERROR, got %d", (int)req.nh.nlmsg_type);
1634 return -1;
1635 }
1636
1637 if (req.error) {
1638 printk("NLMSG_ERROR: %d: %s", req.error, strerror(-req.error));
1639 return -1;
1640 }
1641
1642 return 0;
1643}
1644
1645static int xfrm_spdinfo_attrs(int xfrm_sock, uint32_t *seq)
1646{
1647 struct {
1648 struct nlmsghdr nh;
1649 union {
1650 uint32_t unused;
1651 int error;
1652 };
1653 char attrbuf[MAX_PAYLOAD];
1654 } req;
1655
1656 if (xfrm_spdinfo_set_thresh(xfrm_sock, seq, 32, 31, 120, 16, false)) {
1657 pr_err("Can't set SPD HTHRESH");
1658 return KSFT_FAIL;
1659 }
1660
1661 memset(&req, 0, sizeof(req));
1662
1663 req.nh.nlmsg_len = NLMSG_LENGTH(sizeof(req.unused));
1664 req.nh.nlmsg_type = XFRM_MSG_GETSPDINFO;
1665 req.nh.nlmsg_flags = NLM_F_REQUEST;
1666 req.nh.nlmsg_seq = (*seq)++;
1667 if (send(xfrm_sock, &req, req.nh.nlmsg_len, 0) < 0) {
1668 pr_err("send()");
1669 return KSFT_FAIL;
1670 }
1671
1672 if (recv(xfrm_sock, &req, sizeof(req), 0) < 0) {
1673 pr_err("recv()");
1674 return KSFT_FAIL;
1675 } else if (req.nh.nlmsg_type == XFRM_MSG_NEWSPDINFO) {
1676 size_t len = NLMSG_PAYLOAD(&req.nh, sizeof(req.unused));
1677 struct rtattr *attr = (void *)req.attrbuf;
1678 int got_thresh = 0;
1679
1680 for (; RTA_OK(attr, len); attr = RTA_NEXT(attr, len)) {
1681 if (attr->rta_type == XFRMA_SPD_IPV4_HTHRESH) {
1682 struct xfrmu_spdhthresh *t = RTA_DATA(attr);
1683
1684 got_thresh++;
1685 if (t->lbits != 32 || t->rbits != 31) {
1686 pr_err("thresh differ: %u, %u",
1687 t->lbits, t->rbits);
1688 return KSFT_FAIL;
1689 }
1690 }
1691 if (attr->rta_type == XFRMA_SPD_IPV6_HTHRESH) {
1692 struct xfrmu_spdhthresh *t = RTA_DATA(attr);
1693
1694 got_thresh++;
1695 if (t->lbits != 120 || t->rbits != 16) {
1696 pr_err("thresh differ: %u, %u",
1697 t->lbits, t->rbits);
1698 return KSFT_FAIL;
1699 }
1700 }
1701 }
1702 if (got_thresh != 2) {
1703 pr_err("only %d thresh returned by XFRM_MSG_GETSPDINFO", got_thresh);
1704 return KSFT_FAIL;
1705 }
1706 } else if (req.nh.nlmsg_type != NLMSG_ERROR) {
1707 printk("expected NLMSG_ERROR, got %d", (int)req.nh.nlmsg_type);
1708 return KSFT_FAIL;
1709 } else {
1710 printk("NLMSG_ERROR: %d: %s", req.error, strerror(-req.error));
1711 return -1;
1712 }
1713
1714 /* Restore the default */
1715 if (xfrm_spdinfo_set_thresh(xfrm_sock, seq, 32, 32, 128, 128, false)) {
1716 pr_err("Can't restore SPD HTHRESH");
1717 return KSFT_FAIL;
1718 }
1719
1720 /*
1721 * At this moment xfrm uses nlmsg_parse_deprecated(), which
1722 * implies NL_VALIDATE_LIBERAL - ignoring attributes with
1723 * (type > maxtype). nla_parse_depricated_strict() would enforce
1724 * it. Or even stricter nla_parse().
1725 * Right now it's not expected to fail, but to be ignored.
1726 */
1727 if (xfrm_spdinfo_set_thresh(xfrm_sock, seq, 32, 32, 128, 128, true))
1728 return KSFT_PASS;
1729
1730 return KSFT_PASS;
1731}
1732
1733static int child_serv(int xfrm_sock, uint32_t *seq,
1734 unsigned int nr, int cmd_fd, void *buf, struct xfrm_desc *desc)
1735{
1736 struct in_addr src, dst, tunsrc, tundst;
1737 struct test_desc msg;
1738 int ret = KSFT_FAIL;
1739
1740 src = inet_makeaddr(INADDR_B, child_ip(nr));
1741 dst = inet_makeaddr(INADDR_B, grchild_ip(nr));
1742 tunsrc = inet_makeaddr(INADDR_A, child_ip(nr));
1743 tundst = inet_makeaddr(INADDR_A, grchild_ip(nr));
1744
1745 /* UDP pinging without xfrm */
1746 if (do_ping(cmd_fd, buf, page_size, src, true, 0, 0, udp_ping_send)) {
1747 printk("ping failed before setting xfrm");
1748 return KSFT_FAIL;
1749 }
1750
1751 memset(&msg, 0, sizeof(msg));
1752 msg.type = MSG_XFRM_PREPARE;
1753 memcpy(&msg.body.xfrm_desc, desc, sizeof(*desc));
1754 write_msg(cmd_fd, &msg, 1);
1755
1756 if (xfrm_prepare(xfrm_sock, seq, src, dst, tunsrc, tundst, desc->proto)) {
1757 printk("failed to prepare xfrm");
1758 goto cleanup;
1759 }
1760
1761 memset(&msg, 0, sizeof(msg));
1762 msg.type = MSG_XFRM_ADD;
1763 memcpy(&msg.body.xfrm_desc, desc, sizeof(*desc));
1764 write_msg(cmd_fd, &msg, 1);
1765 if (xfrm_set(xfrm_sock, seq, src, dst, tunsrc, tundst, desc)) {
1766 printk("failed to set xfrm");
1767 goto delete;
1768 }
1769
1770 /* UDP pinging with xfrm tunnel */
1771 if (do_ping(cmd_fd, buf, page_size, tunsrc,
1772 true, 0, 0, udp_ping_send)) {
1773 printk("ping failed for xfrm");
1774 goto delete;
1775 }
1776
1777 ret = KSFT_PASS;
1778delete:
1779 /* xfrm delete */
1780 memset(&msg, 0, sizeof(msg));
1781 msg.type = MSG_XFRM_DEL;
1782 memcpy(&msg.body.xfrm_desc, desc, sizeof(*desc));
1783 write_msg(cmd_fd, &msg, 1);
1784
1785 if (xfrm_delete(xfrm_sock, seq, src, dst, tunsrc, tundst, desc->proto)) {
1786 printk("failed ping to remove xfrm");
1787 ret = KSFT_FAIL;
1788 }
1789
1790cleanup:
1791 memset(&msg, 0, sizeof(msg));
1792 msg.type = MSG_XFRM_CLEANUP;
1793 memcpy(&msg.body.xfrm_desc, desc, sizeof(*desc));
1794 write_msg(cmd_fd, &msg, 1);
1795 if (xfrm_cleanup(xfrm_sock, seq, src, dst, tunsrc, tundst)) {
1796 printk("failed ping to cleanup xfrm");
1797 ret = KSFT_FAIL;
1798 }
1799 return ret;
1800}
1801
1802static int child_f(unsigned int nr, int test_desc_fd, int cmd_fd, void *buf)
1803{
1804 struct xfrm_desc desc;
1805 struct test_desc msg;
1806 int xfrm_sock = -1;
1807 uint32_t seq;
1808
1809 if (switch_ns(nsfd_childa))
1810 exit(KSFT_FAIL);
1811
1812 if (netlink_sock(&xfrm_sock, &seq, NETLINK_XFRM)) {
1813 printk("Failed to open xfrm netlink socket");
1814 exit(KSFT_FAIL);
1815 }
1816
1817 /* Check that seq sock is ready, just for sure. */
1818 memset(&msg, 0, sizeof(msg));
1819 msg.type = MSG_ACK;
1820 write_msg(cmd_fd, &msg, 1);
1821 read_msg(cmd_fd, &msg, 1);
1822 if (msg.type != MSG_ACK) {
1823 printk("Ack failed");
1824 exit(KSFT_FAIL);
1825 }
1826
1827 for (;;) {
1828 ssize_t received = read(test_desc_fd, &desc, sizeof(desc));
1829 int ret;
1830
1831 if (received == 0) /* EOF */
1832 break;
1833
1834 if (received != sizeof(desc)) {
1835 pr_err("read() returned %zd", received);
1836 exit(KSFT_FAIL);
1837 }
1838
1839 switch (desc.type) {
1840 case CREATE_TUNNEL:
1841 ret = child_serv(xfrm_sock, &seq, nr,
1842 cmd_fd, buf, &desc);
1843 break;
1844 case ALLOCATE_SPI:
1845 ret = xfrm_state_allocspi(xfrm_sock, &seq,
1846 -1, desc.proto);
1847 break;
1848 case MONITOR_ACQUIRE:
1849 ret = xfrm_monitor_acquire(xfrm_sock, &seq, nr);
1850 break;
1851 case EXPIRE_STATE:
1852 ret = xfrm_expire_state(xfrm_sock, &seq, nr, &desc);
1853 break;
1854 case EXPIRE_POLICY:
1855 ret = xfrm_expire_policy(xfrm_sock, &seq, nr, &desc);
1856 break;
1857 case SPDINFO_ATTRS:
1858 ret = xfrm_spdinfo_attrs(xfrm_sock, &seq);
1859 break;
1860 default:
1861 printk("Unknown desc type %d", desc.type);
1862 exit(KSFT_FAIL);
1863 }
1864 write_test_result(ret, &desc);
1865 }
1866
1867 close(xfrm_sock);
1868
1869 msg.type = MSG_EXIT;
1870 write_msg(cmd_fd, &msg, 1);
1871 exit(KSFT_PASS);
1872}
1873
1874static void grand_child_serv(unsigned int nr, int cmd_fd, void *buf,
1875 struct test_desc *msg, int xfrm_sock, uint32_t *seq)
1876{
1877 struct in_addr src, dst, tunsrc, tundst;
1878 bool tun_reply;
1879 struct xfrm_desc *desc = &msg->body.xfrm_desc;
1880
1881 src = inet_makeaddr(INADDR_B, grchild_ip(nr));
1882 dst = inet_makeaddr(INADDR_B, child_ip(nr));
1883 tunsrc = inet_makeaddr(INADDR_A, grchild_ip(nr));
1884 tundst = inet_makeaddr(INADDR_A, child_ip(nr));
1885
1886 switch (msg->type) {
1887 case MSG_EXIT:
1888 exit(KSFT_PASS);
1889 case MSG_ACK:
1890 write_msg(cmd_fd, msg, 1);
1891 break;
1892 case MSG_PING:
1893 tun_reply = memcmp(&dst, &msg->body.ping.reply_ip, sizeof(in_addr_t));
1894 /* UDP pinging without xfrm */
1895 if (do_ping(cmd_fd, buf, page_size, tun_reply ? tunsrc : src,
1896 false, msg->body.ping.port,
1897 msg->body.ping.reply_ip, udp_ping_reply)) {
1898 printk("ping failed before setting xfrm");
1899 }
1900 break;
1901 case MSG_XFRM_PREPARE:
1902 if (xfrm_prepare(xfrm_sock, seq, src, dst, tunsrc, tundst,
1903 desc->proto)) {
1904 xfrm_cleanup(xfrm_sock, seq, src, dst, tunsrc, tundst);
1905 printk("failed to prepare xfrm");
1906 }
1907 break;
1908 case MSG_XFRM_ADD:
1909 if (xfrm_set(xfrm_sock, seq, src, dst, tunsrc, tundst, desc)) {
1910 xfrm_cleanup(xfrm_sock, seq, src, dst, tunsrc, tundst);
1911 printk("failed to set xfrm");
1912 }
1913 break;
1914 case MSG_XFRM_DEL:
1915 if (xfrm_delete(xfrm_sock, seq, src, dst, tunsrc, tundst,
1916 desc->proto)) {
1917 xfrm_cleanup(xfrm_sock, seq, src, dst, tunsrc, tundst);
1918 printk("failed to remove xfrm");
1919 }
1920 break;
1921 case MSG_XFRM_CLEANUP:
1922 if (xfrm_cleanup(xfrm_sock, seq, src, dst, tunsrc, tundst)) {
1923 printk("failed to cleanup xfrm");
1924 }
1925 break;
1926 default:
1927 printk("got unknown msg type %d", msg->type);
1928 }
1929}
1930
1931static int grand_child_f(unsigned int nr, int cmd_fd, void *buf)
1932{
1933 struct test_desc msg;
1934 int xfrm_sock = -1;
1935 uint32_t seq;
1936
1937 if (switch_ns(nsfd_childb))
1938 exit(KSFT_FAIL);
1939
1940 if (netlink_sock(&xfrm_sock, &seq, NETLINK_XFRM)) {
1941 printk("Failed to open xfrm netlink socket");
1942 exit(KSFT_FAIL);
1943 }
1944
1945 do {
1946 read_msg(cmd_fd, &msg, 1);
1947 grand_child_serv(nr, cmd_fd, buf, &msg, xfrm_sock, &seq);
1948 } while (1);
1949
1950 close(xfrm_sock);
1951 exit(KSFT_FAIL);
1952}
1953
1954static int start_child(unsigned int nr, char *veth, int test_desc_fd[2])
1955{
1956 int cmd_sock[2];
1957 void *data_map;
1958 pid_t child;
1959
1960 if (init_child(nsfd_childa, veth, child_ip(nr), grchild_ip(nr)))
1961 return -1;
1962
1963 if (init_child(nsfd_childb, veth, grchild_ip(nr), child_ip(nr)))
1964 return -1;
1965
1966 child = fork();
1967 if (child < 0) {
1968 pr_err("fork()");
1969 return -1;
1970 } else if (child) {
1971 /* in parent - selftest */
1972 return switch_ns(nsfd_parent);
1973 }
1974
1975 if (close(test_desc_fd[1])) {
1976 pr_err("close()");
1977 return -1;
1978 }
1979
1980 /* child */
1981 data_map = mmap(0, page_size, PROT_READ | PROT_WRITE,
1982 MAP_SHARED | MAP_ANONYMOUS, -1, 0);
1983 if (data_map == MAP_FAILED) {
1984 pr_err("mmap()");
1985 return -1;
1986 }
1987
1988 randomize_buffer(data_map, page_size);
1989
1990 if (socketpair(PF_LOCAL, SOCK_SEQPACKET, 0, cmd_sock)) {
1991 pr_err("socketpair()");
1992 return -1;
1993 }
1994
1995 child = fork();
1996 if (child < 0) {
1997 pr_err("fork()");
1998 return -1;
1999 } else if (child) {
2000 if (close(cmd_sock[0])) {
2001 pr_err("close()");
2002 return -1;
2003 }
2004 return child_f(nr, test_desc_fd[0], cmd_sock[1], data_map);
2005 }
2006 if (close(cmd_sock[1])) {
2007 pr_err("close()");
2008 return -1;
2009 }
2010 return grand_child_f(nr, cmd_sock[0], data_map);
2011}
2012
2013static void exit_usage(char **argv)
2014{
2015 printk("Usage: %s [nr_process]", argv[0]);
2016 exit(KSFT_FAIL);
2017}
2018
2019static int __write_desc(int test_desc_fd, struct xfrm_desc *desc)
2020{
2021 ssize_t ret;
2022
2023 ret = write(test_desc_fd, desc, sizeof(*desc));
2024
2025 if (ret == sizeof(*desc))
2026 return 0;
2027
2028 pr_err("Writing test's desc failed %ld", ret);
2029
2030 return -1;
2031}
2032
2033static int write_desc(int proto, int test_desc_fd,
2034 char *a, char *e, char *c, char *ae)
2035{
2036 struct xfrm_desc desc = {};
2037
2038 desc.type = CREATE_TUNNEL;
2039 desc.proto = proto;
2040
2041 if (a)
2042 strncpy(desc.a_algo, a, ALGO_LEN - 1);
2043 if (e)
2044 strncpy(desc.e_algo, e, ALGO_LEN - 1);
2045 if (c)
2046 strncpy(desc.c_algo, c, ALGO_LEN - 1);
2047 if (ae)
2048 strncpy(desc.ae_algo, ae, ALGO_LEN - 1);
2049
2050 return __write_desc(test_desc_fd, &desc);
2051}
2052
2053int proto_list[] = { IPPROTO_AH, IPPROTO_COMP, IPPROTO_ESP };
2054char *ah_list[] = {
2055 "digest_null", "hmac(md5)", "hmac(sha1)", "hmac(sha256)",
2056 "hmac(sha384)", "hmac(sha512)", "hmac(rmd160)",
2057 "xcbc(aes)", "cmac(aes)"
2058};
2059char *comp_list[] = {
2060 "deflate",
2061#if 0
2062 /* No compression backend realization */
2063 "lzs", "lzjh"
2064#endif
2065};
2066char *e_list[] = {
2067 "ecb(cipher_null)", "cbc(des)", "cbc(des3_ede)", "cbc(cast5)",
2068 "cbc(blowfish)", "cbc(aes)", "cbc(serpent)", "cbc(camellia)",
2069 "cbc(twofish)", "rfc3686(ctr(aes))"
2070};
2071char *ae_list[] = {
2072#if 0
2073 /* not implemented */
2074 "rfc4106(gcm(aes))", "rfc4309(ccm(aes))", "rfc4543(gcm(aes))",
2075 "rfc7539esp(chacha20,poly1305)"
2076#endif
2077};
2078
2079const unsigned int proto_plan = ARRAY_SIZE(ah_list) + ARRAY_SIZE(comp_list) \
2080 + (ARRAY_SIZE(ah_list) * ARRAY_SIZE(e_list)) \
2081 + ARRAY_SIZE(ae_list);
2082
2083static int write_proto_plan(int fd, int proto)
2084{
2085 unsigned int i;
2086
2087 switch (proto) {
2088 case IPPROTO_AH:
2089 for (i = 0; i < ARRAY_SIZE(ah_list); i++) {
2090 if (write_desc(proto, fd, ah_list[i], 0, 0, 0))
2091 return -1;
2092 }
2093 break;
2094 case IPPROTO_COMP:
2095 for (i = 0; i < ARRAY_SIZE(comp_list); i++) {
2096 if (write_desc(proto, fd, 0, 0, comp_list[i], 0))
2097 return -1;
2098 }
2099 break;
2100 case IPPROTO_ESP:
2101 for (i = 0; i < ARRAY_SIZE(ah_list); i++) {
2102 int j;
2103
2104 for (j = 0; j < ARRAY_SIZE(e_list); j++) {
2105 if (write_desc(proto, fd, ah_list[i],
2106 e_list[j], 0, 0))
2107 return -1;
2108 }
2109 }
2110 for (i = 0; i < ARRAY_SIZE(ae_list); i++) {
2111 if (write_desc(proto, fd, 0, 0, 0, ae_list[i]))
2112 return -1;
2113 }
2114 break;
2115 default:
2116 printk("BUG: Specified unknown proto %d", proto);
2117 return -1;
2118 }
2119
2120 return 0;
2121}
2122
2123/*
2124 * Some structures in xfrm uapi header differ in size between
2125 * 64-bit and 32-bit ABI:
2126 *
2127 * 32-bit UABI | 64-bit UABI
2128 * -------------------------------------|-------------------------------------
2129 * sizeof(xfrm_usersa_info) = 220 | sizeof(xfrm_usersa_info) = 224
2130 * sizeof(xfrm_userpolicy_info) = 164 | sizeof(xfrm_userpolicy_info) = 168
2131 * sizeof(xfrm_userspi_info) = 228 | sizeof(xfrm_userspi_info) = 232
2132 * sizeof(xfrm_user_acquire) = 276 | sizeof(xfrm_user_acquire) = 280
2133 * sizeof(xfrm_user_expire) = 224 | sizeof(xfrm_user_expire) = 232
2134 * sizeof(xfrm_user_polexpire) = 168 | sizeof(xfrm_user_polexpire) = 176
2135 *
2136 * Check the affected by the UABI difference structures.
2137 * Also, check translation for xfrm_set_spdinfo: it has it's own attributes
2138 * which needs to be correctly copied, but not translated.
2139 */
2140const unsigned int compat_plan = 5;
2141static int write_compat_struct_tests(int test_desc_fd)
2142{
2143 struct xfrm_desc desc = {};
2144
2145 desc.type = ALLOCATE_SPI;
2146 desc.proto = IPPROTO_AH;
2147 strncpy(desc.a_algo, ah_list[0], ALGO_LEN - 1);
2148
2149 if (__write_desc(test_desc_fd, &desc))
2150 return -1;
2151
2152 desc.type = MONITOR_ACQUIRE;
2153 if (__write_desc(test_desc_fd, &desc))
2154 return -1;
2155
2156 desc.type = EXPIRE_STATE;
2157 if (__write_desc(test_desc_fd, &desc))
2158 return -1;
2159
2160 desc.type = EXPIRE_POLICY;
2161 if (__write_desc(test_desc_fd, &desc))
2162 return -1;
2163
2164 desc.type = SPDINFO_ATTRS;
2165 if (__write_desc(test_desc_fd, &desc))
2166 return -1;
2167
2168 return 0;
2169}
2170
2171static int write_test_plan(int test_desc_fd)
2172{
2173 unsigned int i;
2174 pid_t child;
2175
2176 child = fork();
2177 if (child < 0) {
2178 pr_err("fork()");
2179 return -1;
2180 }
2181 if (child) {
2182 if (close(test_desc_fd))
2183 printk("close(): %m");
2184 return 0;
2185 }
2186
2187 if (write_compat_struct_tests(test_desc_fd))
2188 exit(KSFT_FAIL);
2189
2190 for (i = 0; i < ARRAY_SIZE(proto_list); i++) {
2191 if (write_proto_plan(test_desc_fd, proto_list[i]))
2192 exit(KSFT_FAIL);
2193 }
2194
2195 exit(KSFT_PASS);
2196}
2197
2198static int children_cleanup(void)
2199{
2200 unsigned ret = KSFT_PASS;
2201
2202 while (1) {
2203 int status;
2204 pid_t p = wait(&status);
2205
2206 if ((p < 0) && errno == ECHILD)
2207 break;
2208
2209 if (p < 0) {
2210 pr_err("wait()");
2211 return KSFT_FAIL;
2212 }
2213
2214 if (!WIFEXITED(status)) {
2215 ret = KSFT_FAIL;
2216 continue;
2217 }
2218
2219 if (WEXITSTATUS(status) == KSFT_FAIL)
2220 ret = KSFT_FAIL;
2221 }
2222
2223 return ret;
2224}
2225
2226typedef void (*print_res)(const char *, ...);
2227
2228static int check_results(void)
2229{
2230 struct test_result tr = {};
2231 struct xfrm_desc *d = &tr.desc;
2232 int ret = KSFT_PASS;
2233
2234 while (1) {
2235 ssize_t received = read(results_fd[0], &tr, sizeof(tr));
2236 print_res result;
2237
2238 if (received == 0) /* EOF */
2239 break;
2240
2241 if (received != sizeof(tr)) {
2242 pr_err("read() returned %zd", received);
2243 return KSFT_FAIL;
2244 }
2245
2246 switch (tr.res) {
2247 case KSFT_PASS:
2248 result = ksft_test_result_pass;
2249 break;
2250 case KSFT_FAIL:
2251 default:
2252 result = ksft_test_result_fail;
2253 ret = KSFT_FAIL;
2254 }
2255
2256 result(" %s: [%u, '%s', '%s', '%s', '%s', %u]\n",
2257 desc_name[d->type], (unsigned int)d->proto, d->a_algo,
2258 d->e_algo, d->c_algo, d->ae_algo, d->icv_len);
2259 }
2260
2261 return ret;
2262}
2263
2264int main(int argc, char **argv)
2265{
2266 unsigned int nr_process = 1;
2267 int route_sock = -1, ret = KSFT_SKIP;
2268 int test_desc_fd[2];
2269 uint32_t route_seq;
2270 unsigned int i;
2271
2272 if (argc > 2)
2273 exit_usage(argv);
2274
2275 if (argc > 1) {
2276 char *endptr;
2277
2278 errno = 0;
2279 nr_process = strtol(argv[1], &endptr, 10);
2280 if ((errno == ERANGE && (nr_process == LONG_MAX || nr_process == LONG_MIN))
2281 || (errno != 0 && nr_process == 0)
2282 || (endptr == argv[1]) || (*endptr != '\0')) {
2283 printk("Failed to parse [nr_process]");
2284 exit_usage(argv);
2285 }
2286
2287 if (nr_process > MAX_PROCESSES || !nr_process) {
2288 printk("nr_process should be between [1; %u]",
2289 MAX_PROCESSES);
2290 exit_usage(argv);
2291 }
2292 }
2293
2294 srand(time(NULL));
2295 page_size = sysconf(_SC_PAGESIZE);
2296 if (page_size < 1)
2297 ksft_exit_skip("sysconf(): %m\n");
2298
2299 if (pipe2(test_desc_fd, O_DIRECT) < 0)
2300 ksft_exit_skip("pipe(): %m\n");
2301
2302 if (pipe2(results_fd, O_DIRECT) < 0)
2303 ksft_exit_skip("pipe(): %m\n");
2304
2305 if (init_namespaces())
2306 ksft_exit_skip("Failed to create namespaces\n");
2307
2308 if (netlink_sock(&route_sock, &route_seq, NETLINK_ROUTE))
2309 ksft_exit_skip("Failed to open netlink route socket\n");
2310
2311 for (i = 0; i < nr_process; i++) {
2312 char veth[VETH_LEN];
2313
2314 snprintf(veth, VETH_LEN, VETH_FMT, i);
2315
2316 if (veth_add(route_sock, route_seq++, veth, nsfd_childa, veth, nsfd_childb)) {
2317 close(route_sock);
2318 ksft_exit_fail_msg("Failed to create veth device");
2319 }
2320
2321 if (start_child(i, veth, test_desc_fd)) {
2322 close(route_sock);
2323 ksft_exit_fail_msg("Child %u failed to start", i);
2324 }
2325 }
2326
2327 if (close(route_sock) || close(test_desc_fd[0]) || close(results_fd[1]))
2328 ksft_exit_fail_msg("close(): %m");
2329
2330 ksft_set_plan(proto_plan + compat_plan);
2331
2332 if (write_test_plan(test_desc_fd[1]))
2333 ksft_exit_fail_msg("Failed to write test plan to pipe");
2334
2335 ret = check_results();
2336
2337 if (children_cleanup() == KSFT_FAIL)
2338 exit(KSFT_FAIL);
2339
2340 exit(ret);
2341}
1// SPDX-License-Identifier: GPL-2.0
2/*
3 * ipsec.c - Check xfrm on veth inside a net-ns.
4 * Copyright (c) 2018 Dmitry Safonov
5 */
6
7#define _GNU_SOURCE
8
9#include <arpa/inet.h>
10#include <asm/types.h>
11#include <errno.h>
12#include <fcntl.h>
13#include <limits.h>
14#include <linux/limits.h>
15#include <linux/netlink.h>
16#include <linux/random.h>
17#include <linux/rtnetlink.h>
18#include <linux/veth.h>
19#include <linux/xfrm.h>
20#include <netinet/in.h>
21#include <net/if.h>
22#include <sched.h>
23#include <stdbool.h>
24#include <stdint.h>
25#include <stdio.h>
26#include <stdlib.h>
27#include <string.h>
28#include <sys/mman.h>
29#include <sys/socket.h>
30#include <sys/stat.h>
31#include <sys/syscall.h>
32#include <sys/types.h>
33#include <sys/wait.h>
34#include <time.h>
35#include <unistd.h>
36
37#include "../kselftest.h"
38
39#define printk(fmt, ...) \
40 ksft_print_msg("%d[%u] " fmt "\n", getpid(), __LINE__, ##__VA_ARGS__)
41
42#define pr_err(fmt, ...) printk(fmt ": %m", ##__VA_ARGS__)
43
44#define BUILD_BUG_ON(condition) ((void)sizeof(char[1 - 2*!!(condition)]))
45
46#define IPV4_STR_SZ 16 /* xxx.xxx.xxx.xxx is longest + \0 */
47#define MAX_PAYLOAD 2048
48#define XFRM_ALGO_KEY_BUF_SIZE 512
49#define MAX_PROCESSES (1 << 14) /* /16 mask divided by /30 subnets */
50#define INADDR_A ((in_addr_t) 0x0a000000) /* 10.0.0.0 */
51#define INADDR_B ((in_addr_t) 0xc0a80000) /* 192.168.0.0 */
52
53/* /30 mask for one veth connection */
54#define PREFIX_LEN 30
55#define child_ip(nr) (4*nr + 1)
56#define grchild_ip(nr) (4*nr + 2)
57
58#define VETH_FMT "ktst-%d"
59#define VETH_LEN 12
60
61#define XFRM_ALGO_NR_KEYS 29
62
63static int nsfd_parent = -1;
64static int nsfd_childa = -1;
65static int nsfd_childb = -1;
66static long page_size;
67
68/*
69 * ksft_cnt is static in kselftest, so isn't shared with children.
70 * We have to send a test result back to parent and count there.
71 * results_fd is a pipe with test feedback from children.
72 */
73static int results_fd[2];
74
75const unsigned int ping_delay_nsec = 50 * 1000 * 1000;
76const unsigned int ping_timeout = 300;
77const unsigned int ping_count = 100;
78const unsigned int ping_success = 80;
79
80struct xfrm_key_entry {
81 char algo_name[35];
82 int key_len;
83};
84
85struct xfrm_key_entry xfrm_key_entries[] = {
86 {"digest_null", 0},
87 {"ecb(cipher_null)", 0},
88 {"cbc(des)", 64},
89 {"hmac(md5)", 128},
90 {"cmac(aes)", 128},
91 {"xcbc(aes)", 128},
92 {"cbc(cast5)", 128},
93 {"cbc(serpent)", 128},
94 {"hmac(sha1)", 160},
95 {"hmac(rmd160)", 160},
96 {"cbc(des3_ede)", 192},
97 {"hmac(sha256)", 256},
98 {"cbc(aes)", 256},
99 {"cbc(camellia)", 256},
100 {"cbc(twofish)", 256},
101 {"rfc3686(ctr(aes))", 288},
102 {"hmac(sha384)", 384},
103 {"cbc(blowfish)", 448},
104 {"hmac(sha512)", 512},
105 {"rfc4106(gcm(aes))-128", 160},
106 {"rfc4543(gcm(aes))-128", 160},
107 {"rfc4309(ccm(aes))-128", 152},
108 {"rfc4106(gcm(aes))-192", 224},
109 {"rfc4543(gcm(aes))-192", 224},
110 {"rfc4309(ccm(aes))-192", 216},
111 {"rfc4106(gcm(aes))-256", 288},
112 {"rfc4543(gcm(aes))-256", 288},
113 {"rfc4309(ccm(aes))-256", 280},
114 {"rfc7539(chacha20,poly1305)-128", 0}
115};
116
117static void randomize_buffer(void *buf, size_t buflen)
118{
119 int *p = (int *)buf;
120 size_t words = buflen / sizeof(int);
121 size_t leftover = buflen % sizeof(int);
122
123 if (!buflen)
124 return;
125
126 while (words--)
127 *p++ = rand();
128
129 if (leftover) {
130 int tmp = rand();
131
132 memcpy(buf + buflen - leftover, &tmp, leftover);
133 }
134
135 return;
136}
137
138static int unshare_open(void)
139{
140 const char *netns_path = "/proc/self/ns/net";
141 int fd;
142
143 if (unshare(CLONE_NEWNET) != 0) {
144 pr_err("unshare()");
145 return -1;
146 }
147
148 fd = open(netns_path, O_RDONLY);
149 if (fd <= 0) {
150 pr_err("open(%s)", netns_path);
151 return -1;
152 }
153
154 return fd;
155}
156
157static int switch_ns(int fd)
158{
159 if (setns(fd, CLONE_NEWNET)) {
160 pr_err("setns()");
161 return -1;
162 }
163 return 0;
164}
165
166/*
167 * Running the test inside a new parent net namespace to bother less
168 * about cleanup on error-path.
169 */
170static int init_namespaces(void)
171{
172 nsfd_parent = unshare_open();
173 if (nsfd_parent <= 0)
174 return -1;
175
176 nsfd_childa = unshare_open();
177 if (nsfd_childa <= 0)
178 return -1;
179
180 if (switch_ns(nsfd_parent))
181 return -1;
182
183 nsfd_childb = unshare_open();
184 if (nsfd_childb <= 0)
185 return -1;
186
187 if (switch_ns(nsfd_parent))
188 return -1;
189 return 0;
190}
191
192static int netlink_sock(int *sock, uint32_t *seq_nr, int proto)
193{
194 if (*sock > 0) {
195 seq_nr++;
196 return 0;
197 }
198
199 *sock = socket(AF_NETLINK, SOCK_RAW | SOCK_CLOEXEC, proto);
200 if (*sock <= 0) {
201 pr_err("socket(AF_NETLINK)");
202 return -1;
203 }
204
205 randomize_buffer(seq_nr, sizeof(*seq_nr));
206
207 return 0;
208}
209
210static inline struct rtattr *rtattr_hdr(struct nlmsghdr *nh)
211{
212 return (struct rtattr *)((char *)(nh) + RTA_ALIGN((nh)->nlmsg_len));
213}
214
215static int rtattr_pack(struct nlmsghdr *nh, size_t req_sz,
216 unsigned short rta_type, const void *payload, size_t size)
217{
218 /* NLMSG_ALIGNTO == RTA_ALIGNTO, nlmsg_len already aligned */
219 struct rtattr *attr = rtattr_hdr(nh);
220 size_t nl_size = RTA_ALIGN(nh->nlmsg_len) + RTA_LENGTH(size);
221
222 if (req_sz < nl_size) {
223 printk("req buf is too small: %zu < %zu", req_sz, nl_size);
224 return -1;
225 }
226 nh->nlmsg_len = nl_size;
227
228 attr->rta_len = RTA_LENGTH(size);
229 attr->rta_type = rta_type;
230 if (payload)
231 memcpy(RTA_DATA(attr), payload, size);
232
233 return 0;
234}
235
236static struct rtattr *_rtattr_begin(struct nlmsghdr *nh, size_t req_sz,
237 unsigned short rta_type, const void *payload, size_t size)
238{
239 struct rtattr *ret = rtattr_hdr(nh);
240
241 if (rtattr_pack(nh, req_sz, rta_type, payload, size))
242 return 0;
243
244 return ret;
245}
246
247static inline struct rtattr *rtattr_begin(struct nlmsghdr *nh, size_t req_sz,
248 unsigned short rta_type)
249{
250 return _rtattr_begin(nh, req_sz, rta_type, 0, 0);
251}
252
253static inline void rtattr_end(struct nlmsghdr *nh, struct rtattr *attr)
254{
255 char *nlmsg_end = (char *)nh + nh->nlmsg_len;
256
257 attr->rta_len = nlmsg_end - (char *)attr;
258}
259
260static int veth_pack_peerb(struct nlmsghdr *nh, size_t req_sz,
261 const char *peer, int ns)
262{
263 struct ifinfomsg pi;
264 struct rtattr *peer_attr;
265
266 memset(&pi, 0, sizeof(pi));
267 pi.ifi_family = AF_UNSPEC;
268 pi.ifi_change = 0xFFFFFFFF;
269
270 peer_attr = _rtattr_begin(nh, req_sz, VETH_INFO_PEER, &pi, sizeof(pi));
271 if (!peer_attr)
272 return -1;
273
274 if (rtattr_pack(nh, req_sz, IFLA_IFNAME, peer, strlen(peer)))
275 return -1;
276
277 if (rtattr_pack(nh, req_sz, IFLA_NET_NS_FD, &ns, sizeof(ns)))
278 return -1;
279
280 rtattr_end(nh, peer_attr);
281
282 return 0;
283}
284
285static int netlink_check_answer(int sock)
286{
287 struct nlmsgerror {
288 struct nlmsghdr hdr;
289 int error;
290 struct nlmsghdr orig_msg;
291 } answer;
292
293 if (recv(sock, &answer, sizeof(answer), 0) < 0) {
294 pr_err("recv()");
295 return -1;
296 } else if (answer.hdr.nlmsg_type != NLMSG_ERROR) {
297 printk("expected NLMSG_ERROR, got %d", (int)answer.hdr.nlmsg_type);
298 return -1;
299 } else if (answer.error) {
300 printk("NLMSG_ERROR: %d: %s",
301 answer.error, strerror(-answer.error));
302 return answer.error;
303 }
304
305 return 0;
306}
307
308static int veth_add(int sock, uint32_t seq, const char *peera, int ns_a,
309 const char *peerb, int ns_b)
310{
311 uint16_t flags = NLM_F_REQUEST | NLM_F_ACK | NLM_F_EXCL | NLM_F_CREATE;
312 struct {
313 struct nlmsghdr nh;
314 struct ifinfomsg info;
315 char attrbuf[MAX_PAYLOAD];
316 } req;
317 const char veth_type[] = "veth";
318 struct rtattr *link_info, *info_data;
319
320 memset(&req, 0, sizeof(req));
321 req.nh.nlmsg_len = NLMSG_LENGTH(sizeof(req.info));
322 req.nh.nlmsg_type = RTM_NEWLINK;
323 req.nh.nlmsg_flags = flags;
324 req.nh.nlmsg_seq = seq;
325 req.info.ifi_family = AF_UNSPEC;
326 req.info.ifi_change = 0xFFFFFFFF;
327
328 if (rtattr_pack(&req.nh, sizeof(req), IFLA_IFNAME, peera, strlen(peera)))
329 return -1;
330
331 if (rtattr_pack(&req.nh, sizeof(req), IFLA_NET_NS_FD, &ns_a, sizeof(ns_a)))
332 return -1;
333
334 link_info = rtattr_begin(&req.nh, sizeof(req), IFLA_LINKINFO);
335 if (!link_info)
336 return -1;
337
338 if (rtattr_pack(&req.nh, sizeof(req), IFLA_INFO_KIND, veth_type, sizeof(veth_type)))
339 return -1;
340
341 info_data = rtattr_begin(&req.nh, sizeof(req), IFLA_INFO_DATA);
342 if (!info_data)
343 return -1;
344
345 if (veth_pack_peerb(&req.nh, sizeof(req), peerb, ns_b))
346 return -1;
347
348 rtattr_end(&req.nh, info_data);
349 rtattr_end(&req.nh, link_info);
350
351 if (send(sock, &req, req.nh.nlmsg_len, 0) < 0) {
352 pr_err("send()");
353 return -1;
354 }
355 return netlink_check_answer(sock);
356}
357
358static int ip4_addr_set(int sock, uint32_t seq, const char *intf,
359 struct in_addr addr, uint8_t prefix)
360{
361 uint16_t flags = NLM_F_REQUEST | NLM_F_ACK | NLM_F_EXCL | NLM_F_CREATE;
362 struct {
363 struct nlmsghdr nh;
364 struct ifaddrmsg info;
365 char attrbuf[MAX_PAYLOAD];
366 } req;
367
368 memset(&req, 0, sizeof(req));
369 req.nh.nlmsg_len = NLMSG_LENGTH(sizeof(req.info));
370 req.nh.nlmsg_type = RTM_NEWADDR;
371 req.nh.nlmsg_flags = flags;
372 req.nh.nlmsg_seq = seq;
373 req.info.ifa_family = AF_INET;
374 req.info.ifa_prefixlen = prefix;
375 req.info.ifa_index = if_nametoindex(intf);
376
377#ifdef DEBUG
378 {
379 char addr_str[IPV4_STR_SZ] = {};
380
381 strncpy(addr_str, inet_ntoa(addr), IPV4_STR_SZ - 1);
382
383 printk("ip addr set %s", addr_str);
384 }
385#endif
386
387 if (rtattr_pack(&req.nh, sizeof(req), IFA_LOCAL, &addr, sizeof(addr)))
388 return -1;
389
390 if (rtattr_pack(&req.nh, sizeof(req), IFA_ADDRESS, &addr, sizeof(addr)))
391 return -1;
392
393 if (send(sock, &req, req.nh.nlmsg_len, 0) < 0) {
394 pr_err("send()");
395 return -1;
396 }
397 return netlink_check_answer(sock);
398}
399
400static int link_set_up(int sock, uint32_t seq, const char *intf)
401{
402 struct {
403 struct nlmsghdr nh;
404 struct ifinfomsg info;
405 char attrbuf[MAX_PAYLOAD];
406 } req;
407
408 memset(&req, 0, sizeof(req));
409 req.nh.nlmsg_len = NLMSG_LENGTH(sizeof(req.info));
410 req.nh.nlmsg_type = RTM_NEWLINK;
411 req.nh.nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
412 req.nh.nlmsg_seq = seq;
413 req.info.ifi_family = AF_UNSPEC;
414 req.info.ifi_change = 0xFFFFFFFF;
415 req.info.ifi_index = if_nametoindex(intf);
416 req.info.ifi_flags = IFF_UP;
417 req.info.ifi_change = IFF_UP;
418
419 if (send(sock, &req, req.nh.nlmsg_len, 0) < 0) {
420 pr_err("send()");
421 return -1;
422 }
423 return netlink_check_answer(sock);
424}
425
426static int ip4_route_set(int sock, uint32_t seq, const char *intf,
427 struct in_addr src, struct in_addr dst)
428{
429 struct {
430 struct nlmsghdr nh;
431 struct rtmsg rt;
432 char attrbuf[MAX_PAYLOAD];
433 } req;
434 unsigned int index = if_nametoindex(intf);
435
436 memset(&req, 0, sizeof(req));
437 req.nh.nlmsg_len = NLMSG_LENGTH(sizeof(req.rt));
438 req.nh.nlmsg_type = RTM_NEWROUTE;
439 req.nh.nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK | NLM_F_CREATE;
440 req.nh.nlmsg_seq = seq;
441 req.rt.rtm_family = AF_INET;
442 req.rt.rtm_dst_len = 32;
443 req.rt.rtm_table = RT_TABLE_MAIN;
444 req.rt.rtm_protocol = RTPROT_BOOT;
445 req.rt.rtm_scope = RT_SCOPE_LINK;
446 req.rt.rtm_type = RTN_UNICAST;
447
448 if (rtattr_pack(&req.nh, sizeof(req), RTA_DST, &dst, sizeof(dst)))
449 return -1;
450
451 if (rtattr_pack(&req.nh, sizeof(req), RTA_PREFSRC, &src, sizeof(src)))
452 return -1;
453
454 if (rtattr_pack(&req.nh, sizeof(req), RTA_OIF, &index, sizeof(index)))
455 return -1;
456
457 if (send(sock, &req, req.nh.nlmsg_len, 0) < 0) {
458 pr_err("send()");
459 return -1;
460 }
461
462 return netlink_check_answer(sock);
463}
464
465static int tunnel_set_route(int route_sock, uint32_t *route_seq, char *veth,
466 struct in_addr tunsrc, struct in_addr tundst)
467{
468 if (ip4_addr_set(route_sock, (*route_seq)++, "lo",
469 tunsrc, PREFIX_LEN)) {
470 printk("Failed to set ipv4 addr");
471 return -1;
472 }
473
474 if (ip4_route_set(route_sock, (*route_seq)++, veth, tunsrc, tundst)) {
475 printk("Failed to set ipv4 route");
476 return -1;
477 }
478
479 return 0;
480}
481
482static int init_child(int nsfd, char *veth, unsigned int src, unsigned int dst)
483{
484 struct in_addr intsrc = inet_makeaddr(INADDR_B, src);
485 struct in_addr tunsrc = inet_makeaddr(INADDR_A, src);
486 struct in_addr tundst = inet_makeaddr(INADDR_A, dst);
487 int route_sock = -1, ret = -1;
488 uint32_t route_seq;
489
490 if (switch_ns(nsfd))
491 return -1;
492
493 if (netlink_sock(&route_sock, &route_seq, NETLINK_ROUTE)) {
494 printk("Failed to open netlink route socket in child");
495 return -1;
496 }
497
498 if (ip4_addr_set(route_sock, route_seq++, veth, intsrc, PREFIX_LEN)) {
499 printk("Failed to set ipv4 addr");
500 goto err;
501 }
502
503 if (link_set_up(route_sock, route_seq++, veth)) {
504 printk("Failed to bring up %s", veth);
505 goto err;
506 }
507
508 if (tunnel_set_route(route_sock, &route_seq, veth, tunsrc, tundst)) {
509 printk("Failed to add tunnel route on %s", veth);
510 goto err;
511 }
512 ret = 0;
513
514err:
515 close(route_sock);
516 return ret;
517}
518
519#define ALGO_LEN 64
520enum desc_type {
521 CREATE_TUNNEL = 0,
522 ALLOCATE_SPI,
523 MONITOR_ACQUIRE,
524 EXPIRE_STATE,
525 EXPIRE_POLICY,
526 SPDINFO_ATTRS,
527};
528const char *desc_name[] = {
529 "create tunnel",
530 "alloc spi",
531 "monitor acquire",
532 "expire state",
533 "expire policy",
534 "spdinfo attributes",
535 ""
536};
537struct xfrm_desc {
538 enum desc_type type;
539 uint8_t proto;
540 char a_algo[ALGO_LEN];
541 char e_algo[ALGO_LEN];
542 char c_algo[ALGO_LEN];
543 char ae_algo[ALGO_LEN];
544 unsigned int icv_len;
545 /* unsigned key_len; */
546};
547
548enum msg_type {
549 MSG_ACK = 0,
550 MSG_EXIT,
551 MSG_PING,
552 MSG_XFRM_PREPARE,
553 MSG_XFRM_ADD,
554 MSG_XFRM_DEL,
555 MSG_XFRM_CLEANUP,
556};
557
558struct test_desc {
559 enum msg_type type;
560 union {
561 struct {
562 in_addr_t reply_ip;
563 unsigned int port;
564 } ping;
565 struct xfrm_desc xfrm_desc;
566 } body;
567};
568
569struct test_result {
570 struct xfrm_desc desc;
571 unsigned int res;
572};
573
574static void write_test_result(unsigned int res, struct xfrm_desc *d)
575{
576 struct test_result tr = {};
577 ssize_t ret;
578
579 tr.desc = *d;
580 tr.res = res;
581
582 ret = write(results_fd[1], &tr, sizeof(tr));
583 if (ret != sizeof(tr))
584 pr_err("Failed to write the result in pipe %zd", ret);
585}
586
587static void write_msg(int fd, struct test_desc *msg, bool exit_of_fail)
588{
589 ssize_t bytes = write(fd, msg, sizeof(*msg));
590
591 /* Make sure that write/read is atomic to a pipe */
592 BUILD_BUG_ON(sizeof(struct test_desc) > PIPE_BUF);
593
594 if (bytes < 0) {
595 pr_err("write()");
596 if (exit_of_fail)
597 exit(KSFT_FAIL);
598 }
599 if (bytes != sizeof(*msg)) {
600 pr_err("sent part of the message %zd/%zu", bytes, sizeof(*msg));
601 if (exit_of_fail)
602 exit(KSFT_FAIL);
603 }
604}
605
606static void read_msg(int fd, struct test_desc *msg, bool exit_of_fail)
607{
608 ssize_t bytes = read(fd, msg, sizeof(*msg));
609
610 if (bytes < 0) {
611 pr_err("read()");
612 if (exit_of_fail)
613 exit(KSFT_FAIL);
614 }
615 if (bytes != sizeof(*msg)) {
616 pr_err("got incomplete message %zd/%zu", bytes, sizeof(*msg));
617 if (exit_of_fail)
618 exit(KSFT_FAIL);
619 }
620}
621
622static int udp_ping_init(struct in_addr listen_ip, unsigned int u_timeout,
623 unsigned int *server_port, int sock[2])
624{
625 struct sockaddr_in server;
626 struct timeval t = { .tv_sec = 0, .tv_usec = u_timeout };
627 socklen_t s_len = sizeof(server);
628
629 sock[0] = socket(AF_INET, SOCK_DGRAM, 0);
630 if (sock[0] < 0) {
631 pr_err("socket()");
632 return -1;
633 }
634
635 server.sin_family = AF_INET;
636 server.sin_port = 0;
637 memcpy(&server.sin_addr.s_addr, &listen_ip, sizeof(struct in_addr));
638
639 if (bind(sock[0], (struct sockaddr *)&server, s_len)) {
640 pr_err("bind()");
641 goto err_close_server;
642 }
643
644 if (getsockname(sock[0], (struct sockaddr *)&server, &s_len)) {
645 pr_err("getsockname()");
646 goto err_close_server;
647 }
648
649 *server_port = ntohs(server.sin_port);
650
651 if (setsockopt(sock[0], SOL_SOCKET, SO_RCVTIMEO, (const char *)&t, sizeof t)) {
652 pr_err("setsockopt()");
653 goto err_close_server;
654 }
655
656 sock[1] = socket(AF_INET, SOCK_DGRAM, 0);
657 if (sock[1] < 0) {
658 pr_err("socket()");
659 goto err_close_server;
660 }
661
662 return 0;
663
664err_close_server:
665 close(sock[0]);
666 return -1;
667}
668
669static int udp_ping_send(int sock[2], in_addr_t dest_ip, unsigned int port,
670 char *buf, size_t buf_len)
671{
672 struct sockaddr_in server;
673 const struct sockaddr *dest_addr = (struct sockaddr *)&server;
674 char *sock_buf[buf_len];
675 ssize_t r_bytes, s_bytes;
676
677 server.sin_family = AF_INET;
678 server.sin_port = htons(port);
679 server.sin_addr.s_addr = dest_ip;
680
681 s_bytes = sendto(sock[1], buf, buf_len, 0, dest_addr, sizeof(server));
682 if (s_bytes < 0) {
683 pr_err("sendto()");
684 return -1;
685 } else if (s_bytes != buf_len) {
686 printk("send part of the message: %zd/%zu", s_bytes, sizeof(server));
687 return -1;
688 }
689
690 r_bytes = recv(sock[0], sock_buf, buf_len, 0);
691 if (r_bytes < 0) {
692 if (errno != EAGAIN)
693 pr_err("recv()");
694 return -1;
695 } else if (r_bytes == 0) { /* EOF */
696 printk("EOF on reply to ping");
697 return -1;
698 } else if (r_bytes != buf_len || memcmp(buf, sock_buf, buf_len)) {
699 printk("ping reply packet is corrupted %zd/%zu", r_bytes, buf_len);
700 return -1;
701 }
702
703 return 0;
704}
705
706static int udp_ping_reply(int sock[2], in_addr_t dest_ip, unsigned int port,
707 char *buf, size_t buf_len)
708{
709 struct sockaddr_in server;
710 const struct sockaddr *dest_addr = (struct sockaddr *)&server;
711 char *sock_buf[buf_len];
712 ssize_t r_bytes, s_bytes;
713
714 server.sin_family = AF_INET;
715 server.sin_port = htons(port);
716 server.sin_addr.s_addr = dest_ip;
717
718 r_bytes = recv(sock[0], sock_buf, buf_len, 0);
719 if (r_bytes < 0) {
720 if (errno != EAGAIN)
721 pr_err("recv()");
722 return -1;
723 }
724 if (r_bytes == 0) { /* EOF */
725 printk("EOF on reply to ping");
726 return -1;
727 }
728 if (r_bytes != buf_len || memcmp(buf, sock_buf, buf_len)) {
729 printk("ping reply packet is corrupted %zd/%zu", r_bytes, buf_len);
730 return -1;
731 }
732
733 s_bytes = sendto(sock[1], buf, buf_len, 0, dest_addr, sizeof(server));
734 if (s_bytes < 0) {
735 pr_err("sendto()");
736 return -1;
737 } else if (s_bytes != buf_len) {
738 printk("send part of the message: %zd/%zu", s_bytes, sizeof(server));
739 return -1;
740 }
741
742 return 0;
743}
744
745typedef int (*ping_f)(int sock[2], in_addr_t dest_ip, unsigned int port,
746 char *buf, size_t buf_len);
747static int do_ping(int cmd_fd, char *buf, size_t buf_len, struct in_addr from,
748 bool init_side, int d_port, in_addr_t to, ping_f func)
749{
750 struct test_desc msg;
751 unsigned int s_port, i, ping_succeeded = 0;
752 int ping_sock[2];
753 char to_str[IPV4_STR_SZ] = {}, from_str[IPV4_STR_SZ] = {};
754
755 if (udp_ping_init(from, ping_timeout, &s_port, ping_sock)) {
756 printk("Failed to init ping");
757 return -1;
758 }
759
760 memset(&msg, 0, sizeof(msg));
761 msg.type = MSG_PING;
762 msg.body.ping.port = s_port;
763 memcpy(&msg.body.ping.reply_ip, &from, sizeof(from));
764
765 write_msg(cmd_fd, &msg, 0);
766 if (init_side) {
767 /* The other end sends ip to ping */
768 read_msg(cmd_fd, &msg, 0);
769 if (msg.type != MSG_PING)
770 return -1;
771 to = msg.body.ping.reply_ip;
772 d_port = msg.body.ping.port;
773 }
774
775 for (i = 0; i < ping_count ; i++) {
776 struct timespec sleep_time = {
777 .tv_sec = 0,
778 .tv_nsec = ping_delay_nsec,
779 };
780
781 ping_succeeded += !func(ping_sock, to, d_port, buf, page_size);
782 nanosleep(&sleep_time, 0);
783 }
784
785 close(ping_sock[0]);
786 close(ping_sock[1]);
787
788 strncpy(to_str, inet_ntoa(*(struct in_addr *)&to), IPV4_STR_SZ - 1);
789 strncpy(from_str, inet_ntoa(from), IPV4_STR_SZ - 1);
790
791 if (ping_succeeded < ping_success) {
792 printk("ping (%s) %s->%s failed %u/%u times",
793 init_side ? "send" : "reply", from_str, to_str,
794 ping_count - ping_succeeded, ping_count);
795 return -1;
796 }
797
798#ifdef DEBUG
799 printk("ping (%s) %s->%s succeeded %u/%u times",
800 init_side ? "send" : "reply", from_str, to_str,
801 ping_succeeded, ping_count);
802#endif
803
804 return 0;
805}
806
807static int xfrm_fill_key(char *name, char *buf,
808 size_t buf_len, unsigned int *key_len)
809{
810 int i;
811
812 for (i = 0; i < XFRM_ALGO_NR_KEYS; i++) {
813 if (strncmp(name, xfrm_key_entries[i].algo_name, ALGO_LEN) == 0)
814 *key_len = xfrm_key_entries[i].key_len;
815 }
816
817 if (*key_len > buf_len) {
818 printk("Can't pack a key - too big for buffer");
819 return -1;
820 }
821
822 randomize_buffer(buf, *key_len);
823
824 return 0;
825}
826
827static int xfrm_state_pack_algo(struct nlmsghdr *nh, size_t req_sz,
828 struct xfrm_desc *desc)
829{
830 struct {
831 union {
832 struct xfrm_algo alg;
833 struct xfrm_algo_aead aead;
834 struct xfrm_algo_auth auth;
835 } u;
836 char buf[XFRM_ALGO_KEY_BUF_SIZE];
837 } alg = {};
838 size_t alen, elen, clen, aelen;
839 unsigned short type;
840
841 alen = strlen(desc->a_algo);
842 elen = strlen(desc->e_algo);
843 clen = strlen(desc->c_algo);
844 aelen = strlen(desc->ae_algo);
845
846 /* Verify desc */
847 switch (desc->proto) {
848 case IPPROTO_AH:
849 if (!alen || elen || clen || aelen) {
850 printk("BUG: buggy ah desc");
851 return -1;
852 }
853 strncpy(alg.u.alg.alg_name, desc->a_algo, ALGO_LEN - 1);
854 if (xfrm_fill_key(desc->a_algo, alg.u.alg.alg_key,
855 sizeof(alg.buf), &alg.u.alg.alg_key_len))
856 return -1;
857 type = XFRMA_ALG_AUTH;
858 break;
859 case IPPROTO_COMP:
860 if (!clen || elen || alen || aelen) {
861 printk("BUG: buggy comp desc");
862 return -1;
863 }
864 strncpy(alg.u.alg.alg_name, desc->c_algo, ALGO_LEN - 1);
865 if (xfrm_fill_key(desc->c_algo, alg.u.alg.alg_key,
866 sizeof(alg.buf), &alg.u.alg.alg_key_len))
867 return -1;
868 type = XFRMA_ALG_COMP;
869 break;
870 case IPPROTO_ESP:
871 if (!((alen && elen) ^ aelen) || clen) {
872 printk("BUG: buggy esp desc");
873 return -1;
874 }
875 if (aelen) {
876 alg.u.aead.alg_icv_len = desc->icv_len;
877 strncpy(alg.u.aead.alg_name, desc->ae_algo, ALGO_LEN - 1);
878 if (xfrm_fill_key(desc->ae_algo, alg.u.aead.alg_key,
879 sizeof(alg.buf), &alg.u.aead.alg_key_len))
880 return -1;
881 type = XFRMA_ALG_AEAD;
882 } else {
883
884 strncpy(alg.u.alg.alg_name, desc->e_algo, ALGO_LEN - 1);
885 type = XFRMA_ALG_CRYPT;
886 if (xfrm_fill_key(desc->e_algo, alg.u.alg.alg_key,
887 sizeof(alg.buf), &alg.u.alg.alg_key_len))
888 return -1;
889 if (rtattr_pack(nh, req_sz, type, &alg, sizeof(alg)))
890 return -1;
891
892 strncpy(alg.u.alg.alg_name, desc->a_algo, ALGO_LEN);
893 type = XFRMA_ALG_AUTH;
894 if (xfrm_fill_key(desc->a_algo, alg.u.alg.alg_key,
895 sizeof(alg.buf), &alg.u.alg.alg_key_len))
896 return -1;
897 }
898 break;
899 default:
900 printk("BUG: unknown proto in desc");
901 return -1;
902 }
903
904 if (rtattr_pack(nh, req_sz, type, &alg, sizeof(alg)))
905 return -1;
906
907 return 0;
908}
909
910static inline uint32_t gen_spi(struct in_addr src)
911{
912 return htonl(inet_lnaof(src));
913}
914
915static int xfrm_state_add(int xfrm_sock, uint32_t seq, uint32_t spi,
916 struct in_addr src, struct in_addr dst,
917 struct xfrm_desc *desc)
918{
919 struct {
920 struct nlmsghdr nh;
921 struct xfrm_usersa_info info;
922 char attrbuf[MAX_PAYLOAD];
923 } req;
924
925 memset(&req, 0, sizeof(req));
926 req.nh.nlmsg_len = NLMSG_LENGTH(sizeof(req.info));
927 req.nh.nlmsg_type = XFRM_MSG_NEWSA;
928 req.nh.nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
929 req.nh.nlmsg_seq = seq;
930
931 /* Fill selector. */
932 memcpy(&req.info.sel.daddr, &dst, sizeof(dst));
933 memcpy(&req.info.sel.saddr, &src, sizeof(src));
934 req.info.sel.family = AF_INET;
935 req.info.sel.prefixlen_d = PREFIX_LEN;
936 req.info.sel.prefixlen_s = PREFIX_LEN;
937
938 /* Fill id */
939 memcpy(&req.info.id.daddr, &dst, sizeof(dst));
940 /* Note: zero-spi cannot be deleted */
941 req.info.id.spi = spi;
942 req.info.id.proto = desc->proto;
943
944 memcpy(&req.info.saddr, &src, sizeof(src));
945
946 /* Fill lifteme_cfg */
947 req.info.lft.soft_byte_limit = XFRM_INF;
948 req.info.lft.hard_byte_limit = XFRM_INF;
949 req.info.lft.soft_packet_limit = XFRM_INF;
950 req.info.lft.hard_packet_limit = XFRM_INF;
951
952 req.info.family = AF_INET;
953 req.info.mode = XFRM_MODE_TUNNEL;
954
955 if (xfrm_state_pack_algo(&req.nh, sizeof(req), desc))
956 return -1;
957
958 if (send(xfrm_sock, &req, req.nh.nlmsg_len, 0) < 0) {
959 pr_err("send()");
960 return -1;
961 }
962
963 return netlink_check_answer(xfrm_sock);
964}
965
966static bool xfrm_usersa_found(struct xfrm_usersa_info *info, uint32_t spi,
967 struct in_addr src, struct in_addr dst,
968 struct xfrm_desc *desc)
969{
970 if (memcmp(&info->sel.daddr, &dst, sizeof(dst)))
971 return false;
972
973 if (memcmp(&info->sel.saddr, &src, sizeof(src)))
974 return false;
975
976 if (info->sel.family != AF_INET ||
977 info->sel.prefixlen_d != PREFIX_LEN ||
978 info->sel.prefixlen_s != PREFIX_LEN)
979 return false;
980
981 if (info->id.spi != spi || info->id.proto != desc->proto)
982 return false;
983
984 if (memcmp(&info->id.daddr, &dst, sizeof(dst)))
985 return false;
986
987 if (memcmp(&info->saddr, &src, sizeof(src)))
988 return false;
989
990 if (info->lft.soft_byte_limit != XFRM_INF ||
991 info->lft.hard_byte_limit != XFRM_INF ||
992 info->lft.soft_packet_limit != XFRM_INF ||
993 info->lft.hard_packet_limit != XFRM_INF)
994 return false;
995
996 if (info->family != AF_INET || info->mode != XFRM_MODE_TUNNEL)
997 return false;
998
999 /* XXX: check xfrm algo, see xfrm_state_pack_algo(). */
1000
1001 return true;
1002}
1003
1004static int xfrm_state_check(int xfrm_sock, uint32_t seq, uint32_t spi,
1005 struct in_addr src, struct in_addr dst,
1006 struct xfrm_desc *desc)
1007{
1008 struct {
1009 struct nlmsghdr nh;
1010 char attrbuf[MAX_PAYLOAD];
1011 } req;
1012 struct {
1013 struct nlmsghdr nh;
1014 union {
1015 struct xfrm_usersa_info info;
1016 int error;
1017 };
1018 char attrbuf[MAX_PAYLOAD];
1019 } answer;
1020 struct xfrm_address_filter filter = {};
1021 bool found = false;
1022
1023
1024 memset(&req, 0, sizeof(req));
1025 req.nh.nlmsg_len = NLMSG_LENGTH(0);
1026 req.nh.nlmsg_type = XFRM_MSG_GETSA;
1027 req.nh.nlmsg_flags = NLM_F_REQUEST | NLM_F_DUMP;
1028 req.nh.nlmsg_seq = seq;
1029
1030 /*
1031 * Add dump filter by source address as there may be other tunnels
1032 * in this netns (if tests run in parallel).
1033 */
1034 filter.family = AF_INET;
1035 filter.splen = 0x1f; /* 0xffffffff mask see addr_match() */
1036 memcpy(&filter.saddr, &src, sizeof(src));
1037 if (rtattr_pack(&req.nh, sizeof(req), XFRMA_ADDRESS_FILTER,
1038 &filter, sizeof(filter)))
1039 return -1;
1040
1041 if (send(xfrm_sock, &req, req.nh.nlmsg_len, 0) < 0) {
1042 pr_err("send()");
1043 return -1;
1044 }
1045
1046 while (1) {
1047 if (recv(xfrm_sock, &answer, sizeof(answer), 0) < 0) {
1048 pr_err("recv()");
1049 return -1;
1050 }
1051 if (answer.nh.nlmsg_type == NLMSG_ERROR) {
1052 printk("NLMSG_ERROR: %d: %s",
1053 answer.error, strerror(-answer.error));
1054 return -1;
1055 } else if (answer.nh.nlmsg_type == NLMSG_DONE) {
1056 if (found)
1057 return 0;
1058 printk("didn't find allocated xfrm state in dump");
1059 return -1;
1060 } else if (answer.nh.nlmsg_type == XFRM_MSG_NEWSA) {
1061 if (xfrm_usersa_found(&answer.info, spi, src, dst, desc))
1062 found = true;
1063 }
1064 }
1065}
1066
1067static int xfrm_set(int xfrm_sock, uint32_t *seq,
1068 struct in_addr src, struct in_addr dst,
1069 struct in_addr tunsrc, struct in_addr tundst,
1070 struct xfrm_desc *desc)
1071{
1072 int err;
1073
1074 err = xfrm_state_add(xfrm_sock, (*seq)++, gen_spi(src), src, dst, desc);
1075 if (err) {
1076 printk("Failed to add xfrm state");
1077 return -1;
1078 }
1079
1080 err = xfrm_state_add(xfrm_sock, (*seq)++, gen_spi(src), dst, src, desc);
1081 if (err) {
1082 printk("Failed to add xfrm state");
1083 return -1;
1084 }
1085
1086 /* Check dumps for XFRM_MSG_GETSA */
1087 err = xfrm_state_check(xfrm_sock, (*seq)++, gen_spi(src), src, dst, desc);
1088 err |= xfrm_state_check(xfrm_sock, (*seq)++, gen_spi(src), dst, src, desc);
1089 if (err) {
1090 printk("Failed to check xfrm state");
1091 return -1;
1092 }
1093
1094 return 0;
1095}
1096
1097static int xfrm_policy_add(int xfrm_sock, uint32_t seq, uint32_t spi,
1098 struct in_addr src, struct in_addr dst, uint8_t dir,
1099 struct in_addr tunsrc, struct in_addr tundst, uint8_t proto)
1100{
1101 struct {
1102 struct nlmsghdr nh;
1103 struct xfrm_userpolicy_info info;
1104 char attrbuf[MAX_PAYLOAD];
1105 } req;
1106 struct xfrm_user_tmpl tmpl;
1107
1108 memset(&req, 0, sizeof(req));
1109 memset(&tmpl, 0, sizeof(tmpl));
1110 req.nh.nlmsg_len = NLMSG_LENGTH(sizeof(req.info));
1111 req.nh.nlmsg_type = XFRM_MSG_NEWPOLICY;
1112 req.nh.nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
1113 req.nh.nlmsg_seq = seq;
1114
1115 /* Fill selector. */
1116 memcpy(&req.info.sel.daddr, &dst, sizeof(tundst));
1117 memcpy(&req.info.sel.saddr, &src, sizeof(tunsrc));
1118 req.info.sel.family = AF_INET;
1119 req.info.sel.prefixlen_d = PREFIX_LEN;
1120 req.info.sel.prefixlen_s = PREFIX_LEN;
1121
1122 /* Fill lifteme_cfg */
1123 req.info.lft.soft_byte_limit = XFRM_INF;
1124 req.info.lft.hard_byte_limit = XFRM_INF;
1125 req.info.lft.soft_packet_limit = XFRM_INF;
1126 req.info.lft.hard_packet_limit = XFRM_INF;
1127
1128 req.info.dir = dir;
1129
1130 /* Fill tmpl */
1131 memcpy(&tmpl.id.daddr, &dst, sizeof(dst));
1132 /* Note: zero-spi cannot be deleted */
1133 tmpl.id.spi = spi;
1134 tmpl.id.proto = proto;
1135 tmpl.family = AF_INET;
1136 memcpy(&tmpl.saddr, &src, sizeof(src));
1137 tmpl.mode = XFRM_MODE_TUNNEL;
1138 tmpl.aalgos = (~(uint32_t)0);
1139 tmpl.ealgos = (~(uint32_t)0);
1140 tmpl.calgos = (~(uint32_t)0);
1141
1142 if (rtattr_pack(&req.nh, sizeof(req), XFRMA_TMPL, &tmpl, sizeof(tmpl)))
1143 return -1;
1144
1145 if (send(xfrm_sock, &req, req.nh.nlmsg_len, 0) < 0) {
1146 pr_err("send()");
1147 return -1;
1148 }
1149
1150 return netlink_check_answer(xfrm_sock);
1151}
1152
1153static int xfrm_prepare(int xfrm_sock, uint32_t *seq,
1154 struct in_addr src, struct in_addr dst,
1155 struct in_addr tunsrc, struct in_addr tundst, uint8_t proto)
1156{
1157 if (xfrm_policy_add(xfrm_sock, (*seq)++, gen_spi(src), src, dst,
1158 XFRM_POLICY_OUT, tunsrc, tundst, proto)) {
1159 printk("Failed to add xfrm policy");
1160 return -1;
1161 }
1162
1163 if (xfrm_policy_add(xfrm_sock, (*seq)++, gen_spi(src), dst, src,
1164 XFRM_POLICY_IN, tunsrc, tundst, proto)) {
1165 printk("Failed to add xfrm policy");
1166 return -1;
1167 }
1168
1169 return 0;
1170}
1171
1172static int xfrm_policy_del(int xfrm_sock, uint32_t seq,
1173 struct in_addr src, struct in_addr dst, uint8_t dir,
1174 struct in_addr tunsrc, struct in_addr tundst)
1175{
1176 struct {
1177 struct nlmsghdr nh;
1178 struct xfrm_userpolicy_id id;
1179 char attrbuf[MAX_PAYLOAD];
1180 } req;
1181
1182 memset(&req, 0, sizeof(req));
1183 req.nh.nlmsg_len = NLMSG_LENGTH(sizeof(req.id));
1184 req.nh.nlmsg_type = XFRM_MSG_DELPOLICY;
1185 req.nh.nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
1186 req.nh.nlmsg_seq = seq;
1187
1188 /* Fill id */
1189 memcpy(&req.id.sel.daddr, &dst, sizeof(tundst));
1190 memcpy(&req.id.sel.saddr, &src, sizeof(tunsrc));
1191 req.id.sel.family = AF_INET;
1192 req.id.sel.prefixlen_d = PREFIX_LEN;
1193 req.id.sel.prefixlen_s = PREFIX_LEN;
1194 req.id.dir = dir;
1195
1196 if (send(xfrm_sock, &req, req.nh.nlmsg_len, 0) < 0) {
1197 pr_err("send()");
1198 return -1;
1199 }
1200
1201 return netlink_check_answer(xfrm_sock);
1202}
1203
1204static int xfrm_cleanup(int xfrm_sock, uint32_t *seq,
1205 struct in_addr src, struct in_addr dst,
1206 struct in_addr tunsrc, struct in_addr tundst)
1207{
1208 if (xfrm_policy_del(xfrm_sock, (*seq)++, src, dst,
1209 XFRM_POLICY_OUT, tunsrc, tundst)) {
1210 printk("Failed to add xfrm policy");
1211 return -1;
1212 }
1213
1214 if (xfrm_policy_del(xfrm_sock, (*seq)++, dst, src,
1215 XFRM_POLICY_IN, tunsrc, tundst)) {
1216 printk("Failed to add xfrm policy");
1217 return -1;
1218 }
1219
1220 return 0;
1221}
1222
1223static int xfrm_state_del(int xfrm_sock, uint32_t seq, uint32_t spi,
1224 struct in_addr src, struct in_addr dst, uint8_t proto)
1225{
1226 struct {
1227 struct nlmsghdr nh;
1228 struct xfrm_usersa_id id;
1229 char attrbuf[MAX_PAYLOAD];
1230 } req;
1231 xfrm_address_t saddr = {};
1232
1233 memset(&req, 0, sizeof(req));
1234 req.nh.nlmsg_len = NLMSG_LENGTH(sizeof(req.id));
1235 req.nh.nlmsg_type = XFRM_MSG_DELSA;
1236 req.nh.nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
1237 req.nh.nlmsg_seq = seq;
1238
1239 memcpy(&req.id.daddr, &dst, sizeof(dst));
1240 req.id.family = AF_INET;
1241 req.id.proto = proto;
1242 /* Note: zero-spi cannot be deleted */
1243 req.id.spi = spi;
1244
1245 memcpy(&saddr, &src, sizeof(src));
1246 if (rtattr_pack(&req.nh, sizeof(req), XFRMA_SRCADDR, &saddr, sizeof(saddr)))
1247 return -1;
1248
1249 if (send(xfrm_sock, &req, req.nh.nlmsg_len, 0) < 0) {
1250 pr_err("send()");
1251 return -1;
1252 }
1253
1254 return netlink_check_answer(xfrm_sock);
1255}
1256
1257static int xfrm_delete(int xfrm_sock, uint32_t *seq,
1258 struct in_addr src, struct in_addr dst,
1259 struct in_addr tunsrc, struct in_addr tundst, uint8_t proto)
1260{
1261 if (xfrm_state_del(xfrm_sock, (*seq)++, gen_spi(src), src, dst, proto)) {
1262 printk("Failed to remove xfrm state");
1263 return -1;
1264 }
1265
1266 if (xfrm_state_del(xfrm_sock, (*seq)++, gen_spi(src), dst, src, proto)) {
1267 printk("Failed to remove xfrm state");
1268 return -1;
1269 }
1270
1271 return 0;
1272}
1273
1274static int xfrm_state_allocspi(int xfrm_sock, uint32_t *seq,
1275 uint32_t spi, uint8_t proto)
1276{
1277 struct {
1278 struct nlmsghdr nh;
1279 struct xfrm_userspi_info spi;
1280 } req;
1281 struct {
1282 struct nlmsghdr nh;
1283 union {
1284 struct xfrm_usersa_info info;
1285 int error;
1286 };
1287 } answer;
1288
1289 memset(&req, 0, sizeof(req));
1290 req.nh.nlmsg_len = NLMSG_LENGTH(sizeof(req.spi));
1291 req.nh.nlmsg_type = XFRM_MSG_ALLOCSPI;
1292 req.nh.nlmsg_flags = NLM_F_REQUEST;
1293 req.nh.nlmsg_seq = (*seq)++;
1294
1295 req.spi.info.family = AF_INET;
1296 req.spi.min = spi;
1297 req.spi.max = spi;
1298 req.spi.info.id.proto = proto;
1299
1300 if (send(xfrm_sock, &req, req.nh.nlmsg_len, 0) < 0) {
1301 pr_err("send()");
1302 return KSFT_FAIL;
1303 }
1304
1305 if (recv(xfrm_sock, &answer, sizeof(answer), 0) < 0) {
1306 pr_err("recv()");
1307 return KSFT_FAIL;
1308 } else if (answer.nh.nlmsg_type == XFRM_MSG_NEWSA) {
1309 uint32_t new_spi = htonl(answer.info.id.spi);
1310
1311 if (new_spi != spi) {
1312 printk("allocated spi is different from requested: %#x != %#x",
1313 new_spi, spi);
1314 return KSFT_FAIL;
1315 }
1316 return KSFT_PASS;
1317 } else if (answer.nh.nlmsg_type != NLMSG_ERROR) {
1318 printk("expected NLMSG_ERROR, got %d", (int)answer.nh.nlmsg_type);
1319 return KSFT_FAIL;
1320 }
1321
1322 printk("NLMSG_ERROR: %d: %s", answer.error, strerror(-answer.error));
1323 return (answer.error) ? KSFT_FAIL : KSFT_PASS;
1324}
1325
1326static int netlink_sock_bind(int *sock, uint32_t *seq, int proto, uint32_t groups)
1327{
1328 struct sockaddr_nl snl = {};
1329 socklen_t addr_len;
1330 int ret = -1;
1331
1332 snl.nl_family = AF_NETLINK;
1333 snl.nl_groups = groups;
1334
1335 if (netlink_sock(sock, seq, proto)) {
1336 printk("Failed to open xfrm netlink socket");
1337 return -1;
1338 }
1339
1340 if (bind(*sock, (struct sockaddr *)&snl, sizeof(snl)) < 0) {
1341 pr_err("bind()");
1342 goto out_close;
1343 }
1344
1345 addr_len = sizeof(snl);
1346 if (getsockname(*sock, (struct sockaddr *)&snl, &addr_len) < 0) {
1347 pr_err("getsockname()");
1348 goto out_close;
1349 }
1350 if (addr_len != sizeof(snl)) {
1351 printk("Wrong address length %d", addr_len);
1352 goto out_close;
1353 }
1354 if (snl.nl_family != AF_NETLINK) {
1355 printk("Wrong address family %d", snl.nl_family);
1356 goto out_close;
1357 }
1358 return 0;
1359
1360out_close:
1361 close(*sock);
1362 return ret;
1363}
1364
1365static int xfrm_monitor_acquire(int xfrm_sock, uint32_t *seq, unsigned int nr)
1366{
1367 struct {
1368 struct nlmsghdr nh;
1369 union {
1370 struct xfrm_user_acquire acq;
1371 int error;
1372 };
1373 char attrbuf[MAX_PAYLOAD];
1374 } req;
1375 struct xfrm_user_tmpl xfrm_tmpl = {};
1376 int xfrm_listen = -1, ret = KSFT_FAIL;
1377 uint32_t seq_listen;
1378
1379 if (netlink_sock_bind(&xfrm_listen, &seq_listen, NETLINK_XFRM, XFRMNLGRP_ACQUIRE))
1380 return KSFT_FAIL;
1381
1382 memset(&req, 0, sizeof(req));
1383 req.nh.nlmsg_len = NLMSG_LENGTH(sizeof(req.acq));
1384 req.nh.nlmsg_type = XFRM_MSG_ACQUIRE;
1385 req.nh.nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
1386 req.nh.nlmsg_seq = (*seq)++;
1387
1388 req.acq.policy.sel.family = AF_INET;
1389 req.acq.aalgos = 0xfeed;
1390 req.acq.ealgos = 0xbaad;
1391 req.acq.calgos = 0xbabe;
1392
1393 xfrm_tmpl.family = AF_INET;
1394 xfrm_tmpl.id.proto = IPPROTO_ESP;
1395 if (rtattr_pack(&req.nh, sizeof(req), XFRMA_TMPL, &xfrm_tmpl, sizeof(xfrm_tmpl)))
1396 goto out_close;
1397
1398 if (send(xfrm_sock, &req, req.nh.nlmsg_len, 0) < 0) {
1399 pr_err("send()");
1400 goto out_close;
1401 }
1402
1403 if (recv(xfrm_sock, &req, sizeof(req), 0) < 0) {
1404 pr_err("recv()");
1405 goto out_close;
1406 } else if (req.nh.nlmsg_type != NLMSG_ERROR) {
1407 printk("expected NLMSG_ERROR, got %d", (int)req.nh.nlmsg_type);
1408 goto out_close;
1409 }
1410
1411 if (req.error) {
1412 printk("NLMSG_ERROR: %d: %s", req.error, strerror(-req.error));
1413 ret = req.error;
1414 goto out_close;
1415 }
1416
1417 if (recv(xfrm_listen, &req, sizeof(req), 0) < 0) {
1418 pr_err("recv()");
1419 goto out_close;
1420 }
1421
1422 if (req.acq.aalgos != 0xfeed || req.acq.ealgos != 0xbaad
1423 || req.acq.calgos != 0xbabe) {
1424 printk("xfrm_user_acquire has changed %x %x %x",
1425 req.acq.aalgos, req.acq.ealgos, req.acq.calgos);
1426 goto out_close;
1427 }
1428
1429 ret = KSFT_PASS;
1430out_close:
1431 close(xfrm_listen);
1432 return ret;
1433}
1434
1435static int xfrm_expire_state(int xfrm_sock, uint32_t *seq,
1436 unsigned int nr, struct xfrm_desc *desc)
1437{
1438 struct {
1439 struct nlmsghdr nh;
1440 union {
1441 struct xfrm_user_expire expire;
1442 int error;
1443 };
1444 } req;
1445 struct in_addr src, dst;
1446 int xfrm_listen = -1, ret = KSFT_FAIL;
1447 uint32_t seq_listen;
1448
1449 src = inet_makeaddr(INADDR_B, child_ip(nr));
1450 dst = inet_makeaddr(INADDR_B, grchild_ip(nr));
1451
1452 if (xfrm_state_add(xfrm_sock, (*seq)++, gen_spi(src), src, dst, desc)) {
1453 printk("Failed to add xfrm state");
1454 return KSFT_FAIL;
1455 }
1456
1457 if (netlink_sock_bind(&xfrm_listen, &seq_listen, NETLINK_XFRM, XFRMNLGRP_EXPIRE))
1458 return KSFT_FAIL;
1459
1460 memset(&req, 0, sizeof(req));
1461 req.nh.nlmsg_len = NLMSG_LENGTH(sizeof(req.expire));
1462 req.nh.nlmsg_type = XFRM_MSG_EXPIRE;
1463 req.nh.nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
1464 req.nh.nlmsg_seq = (*seq)++;
1465
1466 memcpy(&req.expire.state.id.daddr, &dst, sizeof(dst));
1467 req.expire.state.id.spi = gen_spi(src);
1468 req.expire.state.id.proto = desc->proto;
1469 req.expire.state.family = AF_INET;
1470 req.expire.hard = 0xff;
1471
1472 if (send(xfrm_sock, &req, req.nh.nlmsg_len, 0) < 0) {
1473 pr_err("send()");
1474 goto out_close;
1475 }
1476
1477 if (recv(xfrm_sock, &req, sizeof(req), 0) < 0) {
1478 pr_err("recv()");
1479 goto out_close;
1480 } else if (req.nh.nlmsg_type != NLMSG_ERROR) {
1481 printk("expected NLMSG_ERROR, got %d", (int)req.nh.nlmsg_type);
1482 goto out_close;
1483 }
1484
1485 if (req.error) {
1486 printk("NLMSG_ERROR: %d: %s", req.error, strerror(-req.error));
1487 ret = req.error;
1488 goto out_close;
1489 }
1490
1491 if (recv(xfrm_listen, &req, sizeof(req), 0) < 0) {
1492 pr_err("recv()");
1493 goto out_close;
1494 }
1495
1496 if (req.expire.hard != 0x1) {
1497 printk("expire.hard is not set: %x", req.expire.hard);
1498 goto out_close;
1499 }
1500
1501 ret = KSFT_PASS;
1502out_close:
1503 close(xfrm_listen);
1504 return ret;
1505}
1506
1507static int xfrm_expire_policy(int xfrm_sock, uint32_t *seq,
1508 unsigned int nr, struct xfrm_desc *desc)
1509{
1510 struct {
1511 struct nlmsghdr nh;
1512 union {
1513 struct xfrm_user_polexpire expire;
1514 int error;
1515 };
1516 } req;
1517 struct in_addr src, dst, tunsrc, tundst;
1518 int xfrm_listen = -1, ret = KSFT_FAIL;
1519 uint32_t seq_listen;
1520
1521 src = inet_makeaddr(INADDR_B, child_ip(nr));
1522 dst = inet_makeaddr(INADDR_B, grchild_ip(nr));
1523 tunsrc = inet_makeaddr(INADDR_A, child_ip(nr));
1524 tundst = inet_makeaddr(INADDR_A, grchild_ip(nr));
1525
1526 if (xfrm_policy_add(xfrm_sock, (*seq)++, gen_spi(src), src, dst,
1527 XFRM_POLICY_OUT, tunsrc, tundst, desc->proto)) {
1528 printk("Failed to add xfrm policy");
1529 return KSFT_FAIL;
1530 }
1531
1532 if (netlink_sock_bind(&xfrm_listen, &seq_listen, NETLINK_XFRM, XFRMNLGRP_EXPIRE))
1533 return KSFT_FAIL;
1534
1535 memset(&req, 0, sizeof(req));
1536 req.nh.nlmsg_len = NLMSG_LENGTH(sizeof(req.expire));
1537 req.nh.nlmsg_type = XFRM_MSG_POLEXPIRE;
1538 req.nh.nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
1539 req.nh.nlmsg_seq = (*seq)++;
1540
1541 /* Fill selector. */
1542 memcpy(&req.expire.pol.sel.daddr, &dst, sizeof(tundst));
1543 memcpy(&req.expire.pol.sel.saddr, &src, sizeof(tunsrc));
1544 req.expire.pol.sel.family = AF_INET;
1545 req.expire.pol.sel.prefixlen_d = PREFIX_LEN;
1546 req.expire.pol.sel.prefixlen_s = PREFIX_LEN;
1547 req.expire.pol.dir = XFRM_POLICY_OUT;
1548 req.expire.hard = 0xff;
1549
1550 if (send(xfrm_sock, &req, req.nh.nlmsg_len, 0) < 0) {
1551 pr_err("send()");
1552 goto out_close;
1553 }
1554
1555 if (recv(xfrm_sock, &req, sizeof(req), 0) < 0) {
1556 pr_err("recv()");
1557 goto out_close;
1558 } else if (req.nh.nlmsg_type != NLMSG_ERROR) {
1559 printk("expected NLMSG_ERROR, got %d", (int)req.nh.nlmsg_type);
1560 goto out_close;
1561 }
1562
1563 if (req.error) {
1564 printk("NLMSG_ERROR: %d: %s", req.error, strerror(-req.error));
1565 ret = req.error;
1566 goto out_close;
1567 }
1568
1569 if (recv(xfrm_listen, &req, sizeof(req), 0) < 0) {
1570 pr_err("recv()");
1571 goto out_close;
1572 }
1573
1574 if (req.expire.hard != 0x1) {
1575 printk("expire.hard is not set: %x", req.expire.hard);
1576 goto out_close;
1577 }
1578
1579 ret = KSFT_PASS;
1580out_close:
1581 close(xfrm_listen);
1582 return ret;
1583}
1584
1585static int xfrm_spdinfo_set_thresh(int xfrm_sock, uint32_t *seq,
1586 unsigned thresh4_l, unsigned thresh4_r,
1587 unsigned thresh6_l, unsigned thresh6_r,
1588 bool add_bad_attr)
1589
1590{
1591 struct {
1592 struct nlmsghdr nh;
1593 union {
1594 uint32_t unused;
1595 int error;
1596 };
1597 char attrbuf[MAX_PAYLOAD];
1598 } req;
1599 struct xfrmu_spdhthresh thresh;
1600
1601 memset(&req, 0, sizeof(req));
1602 req.nh.nlmsg_len = NLMSG_LENGTH(sizeof(req.unused));
1603 req.nh.nlmsg_type = XFRM_MSG_NEWSPDINFO;
1604 req.nh.nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
1605 req.nh.nlmsg_seq = (*seq)++;
1606
1607 thresh.lbits = thresh4_l;
1608 thresh.rbits = thresh4_r;
1609 if (rtattr_pack(&req.nh, sizeof(req), XFRMA_SPD_IPV4_HTHRESH, &thresh, sizeof(thresh)))
1610 return -1;
1611
1612 thresh.lbits = thresh6_l;
1613 thresh.rbits = thresh6_r;
1614 if (rtattr_pack(&req.nh, sizeof(req), XFRMA_SPD_IPV6_HTHRESH, &thresh, sizeof(thresh)))
1615 return -1;
1616
1617 if (add_bad_attr) {
1618 BUILD_BUG_ON(XFRMA_IF_ID <= XFRMA_SPD_MAX + 1);
1619 if (rtattr_pack(&req.nh, sizeof(req), XFRMA_IF_ID, NULL, 0)) {
1620 pr_err("adding attribute failed: no space");
1621 return -1;
1622 }
1623 }
1624
1625 if (send(xfrm_sock, &req, req.nh.nlmsg_len, 0) < 0) {
1626 pr_err("send()");
1627 return -1;
1628 }
1629
1630 if (recv(xfrm_sock, &req, sizeof(req), 0) < 0) {
1631 pr_err("recv()");
1632 return -1;
1633 } else if (req.nh.nlmsg_type != NLMSG_ERROR) {
1634 printk("expected NLMSG_ERROR, got %d", (int)req.nh.nlmsg_type);
1635 return -1;
1636 }
1637
1638 if (req.error) {
1639 printk("NLMSG_ERROR: %d: %s", req.error, strerror(-req.error));
1640 return -1;
1641 }
1642
1643 return 0;
1644}
1645
1646static int xfrm_spdinfo_attrs(int xfrm_sock, uint32_t *seq)
1647{
1648 struct {
1649 struct nlmsghdr nh;
1650 union {
1651 uint32_t unused;
1652 int error;
1653 };
1654 char attrbuf[MAX_PAYLOAD];
1655 } req;
1656
1657 if (xfrm_spdinfo_set_thresh(xfrm_sock, seq, 32, 31, 120, 16, false)) {
1658 pr_err("Can't set SPD HTHRESH");
1659 return KSFT_FAIL;
1660 }
1661
1662 memset(&req, 0, sizeof(req));
1663
1664 req.nh.nlmsg_len = NLMSG_LENGTH(sizeof(req.unused));
1665 req.nh.nlmsg_type = XFRM_MSG_GETSPDINFO;
1666 req.nh.nlmsg_flags = NLM_F_REQUEST;
1667 req.nh.nlmsg_seq = (*seq)++;
1668 if (send(xfrm_sock, &req, req.nh.nlmsg_len, 0) < 0) {
1669 pr_err("send()");
1670 return KSFT_FAIL;
1671 }
1672
1673 if (recv(xfrm_sock, &req, sizeof(req), 0) < 0) {
1674 pr_err("recv()");
1675 return KSFT_FAIL;
1676 } else if (req.nh.nlmsg_type == XFRM_MSG_NEWSPDINFO) {
1677 size_t len = NLMSG_PAYLOAD(&req.nh, sizeof(req.unused));
1678 struct rtattr *attr = (void *)req.attrbuf;
1679 int got_thresh = 0;
1680
1681 for (; RTA_OK(attr, len); attr = RTA_NEXT(attr, len)) {
1682 if (attr->rta_type == XFRMA_SPD_IPV4_HTHRESH) {
1683 struct xfrmu_spdhthresh *t = RTA_DATA(attr);
1684
1685 got_thresh++;
1686 if (t->lbits != 32 || t->rbits != 31) {
1687 pr_err("thresh differ: %u, %u",
1688 t->lbits, t->rbits);
1689 return KSFT_FAIL;
1690 }
1691 }
1692 if (attr->rta_type == XFRMA_SPD_IPV6_HTHRESH) {
1693 struct xfrmu_spdhthresh *t = RTA_DATA(attr);
1694
1695 got_thresh++;
1696 if (t->lbits != 120 || t->rbits != 16) {
1697 pr_err("thresh differ: %u, %u",
1698 t->lbits, t->rbits);
1699 return KSFT_FAIL;
1700 }
1701 }
1702 }
1703 if (got_thresh != 2) {
1704 pr_err("only %d thresh returned by XFRM_MSG_GETSPDINFO", got_thresh);
1705 return KSFT_FAIL;
1706 }
1707 } else if (req.nh.nlmsg_type != NLMSG_ERROR) {
1708 printk("expected NLMSG_ERROR, got %d", (int)req.nh.nlmsg_type);
1709 return KSFT_FAIL;
1710 } else {
1711 printk("NLMSG_ERROR: %d: %s", req.error, strerror(-req.error));
1712 return -1;
1713 }
1714
1715 /* Restore the default */
1716 if (xfrm_spdinfo_set_thresh(xfrm_sock, seq, 32, 32, 128, 128, false)) {
1717 pr_err("Can't restore SPD HTHRESH");
1718 return KSFT_FAIL;
1719 }
1720
1721 /*
1722 * At this moment xfrm uses nlmsg_parse_deprecated(), which
1723 * implies NL_VALIDATE_LIBERAL - ignoring attributes with
1724 * (type > maxtype). nla_parse_depricated_strict() would enforce
1725 * it. Or even stricter nla_parse().
1726 * Right now it's not expected to fail, but to be ignored.
1727 */
1728 if (xfrm_spdinfo_set_thresh(xfrm_sock, seq, 32, 32, 128, 128, true))
1729 return KSFT_PASS;
1730
1731 return KSFT_PASS;
1732}
1733
1734static int child_serv(int xfrm_sock, uint32_t *seq,
1735 unsigned int nr, int cmd_fd, void *buf, struct xfrm_desc *desc)
1736{
1737 struct in_addr src, dst, tunsrc, tundst;
1738 struct test_desc msg;
1739 int ret = KSFT_FAIL;
1740
1741 src = inet_makeaddr(INADDR_B, child_ip(nr));
1742 dst = inet_makeaddr(INADDR_B, grchild_ip(nr));
1743 tunsrc = inet_makeaddr(INADDR_A, child_ip(nr));
1744 tundst = inet_makeaddr(INADDR_A, grchild_ip(nr));
1745
1746 /* UDP pinging without xfrm */
1747 if (do_ping(cmd_fd, buf, page_size, src, true, 0, 0, udp_ping_send)) {
1748 printk("ping failed before setting xfrm");
1749 return KSFT_FAIL;
1750 }
1751
1752 memset(&msg, 0, sizeof(msg));
1753 msg.type = MSG_XFRM_PREPARE;
1754 memcpy(&msg.body.xfrm_desc, desc, sizeof(*desc));
1755 write_msg(cmd_fd, &msg, 1);
1756
1757 if (xfrm_prepare(xfrm_sock, seq, src, dst, tunsrc, tundst, desc->proto)) {
1758 printk("failed to prepare xfrm");
1759 goto cleanup;
1760 }
1761
1762 memset(&msg, 0, sizeof(msg));
1763 msg.type = MSG_XFRM_ADD;
1764 memcpy(&msg.body.xfrm_desc, desc, sizeof(*desc));
1765 write_msg(cmd_fd, &msg, 1);
1766 if (xfrm_set(xfrm_sock, seq, src, dst, tunsrc, tundst, desc)) {
1767 printk("failed to set xfrm");
1768 goto delete;
1769 }
1770
1771 /* UDP pinging with xfrm tunnel */
1772 if (do_ping(cmd_fd, buf, page_size, tunsrc,
1773 true, 0, 0, udp_ping_send)) {
1774 printk("ping failed for xfrm");
1775 goto delete;
1776 }
1777
1778 ret = KSFT_PASS;
1779delete:
1780 /* xfrm delete */
1781 memset(&msg, 0, sizeof(msg));
1782 msg.type = MSG_XFRM_DEL;
1783 memcpy(&msg.body.xfrm_desc, desc, sizeof(*desc));
1784 write_msg(cmd_fd, &msg, 1);
1785
1786 if (xfrm_delete(xfrm_sock, seq, src, dst, tunsrc, tundst, desc->proto)) {
1787 printk("failed ping to remove xfrm");
1788 ret = KSFT_FAIL;
1789 }
1790
1791cleanup:
1792 memset(&msg, 0, sizeof(msg));
1793 msg.type = MSG_XFRM_CLEANUP;
1794 memcpy(&msg.body.xfrm_desc, desc, sizeof(*desc));
1795 write_msg(cmd_fd, &msg, 1);
1796 if (xfrm_cleanup(xfrm_sock, seq, src, dst, tunsrc, tundst)) {
1797 printk("failed ping to cleanup xfrm");
1798 ret = KSFT_FAIL;
1799 }
1800 return ret;
1801}
1802
1803static int child_f(unsigned int nr, int test_desc_fd, int cmd_fd, void *buf)
1804{
1805 struct xfrm_desc desc;
1806 struct test_desc msg;
1807 int xfrm_sock = -1;
1808 uint32_t seq;
1809
1810 if (switch_ns(nsfd_childa))
1811 exit(KSFT_FAIL);
1812
1813 if (netlink_sock(&xfrm_sock, &seq, NETLINK_XFRM)) {
1814 printk("Failed to open xfrm netlink socket");
1815 exit(KSFT_FAIL);
1816 }
1817
1818 /* Check that seq sock is ready, just for sure. */
1819 memset(&msg, 0, sizeof(msg));
1820 msg.type = MSG_ACK;
1821 write_msg(cmd_fd, &msg, 1);
1822 read_msg(cmd_fd, &msg, 1);
1823 if (msg.type != MSG_ACK) {
1824 printk("Ack failed");
1825 exit(KSFT_FAIL);
1826 }
1827
1828 for (;;) {
1829 ssize_t received = read(test_desc_fd, &desc, sizeof(desc));
1830 int ret;
1831
1832 if (received == 0) /* EOF */
1833 break;
1834
1835 if (received != sizeof(desc)) {
1836 pr_err("read() returned %zd", received);
1837 exit(KSFT_FAIL);
1838 }
1839
1840 switch (desc.type) {
1841 case CREATE_TUNNEL:
1842 ret = child_serv(xfrm_sock, &seq, nr,
1843 cmd_fd, buf, &desc);
1844 break;
1845 case ALLOCATE_SPI:
1846 ret = xfrm_state_allocspi(xfrm_sock, &seq,
1847 -1, desc.proto);
1848 break;
1849 case MONITOR_ACQUIRE:
1850 ret = xfrm_monitor_acquire(xfrm_sock, &seq, nr);
1851 break;
1852 case EXPIRE_STATE:
1853 ret = xfrm_expire_state(xfrm_sock, &seq, nr, &desc);
1854 break;
1855 case EXPIRE_POLICY:
1856 ret = xfrm_expire_policy(xfrm_sock, &seq, nr, &desc);
1857 break;
1858 case SPDINFO_ATTRS:
1859 ret = xfrm_spdinfo_attrs(xfrm_sock, &seq);
1860 break;
1861 default:
1862 printk("Unknown desc type %d", desc.type);
1863 exit(KSFT_FAIL);
1864 }
1865 write_test_result(ret, &desc);
1866 }
1867
1868 close(xfrm_sock);
1869
1870 msg.type = MSG_EXIT;
1871 write_msg(cmd_fd, &msg, 1);
1872 exit(KSFT_PASS);
1873}
1874
1875static void grand_child_serv(unsigned int nr, int cmd_fd, void *buf,
1876 struct test_desc *msg, int xfrm_sock, uint32_t *seq)
1877{
1878 struct in_addr src, dst, tunsrc, tundst;
1879 bool tun_reply;
1880 struct xfrm_desc *desc = &msg->body.xfrm_desc;
1881
1882 src = inet_makeaddr(INADDR_B, grchild_ip(nr));
1883 dst = inet_makeaddr(INADDR_B, child_ip(nr));
1884 tunsrc = inet_makeaddr(INADDR_A, grchild_ip(nr));
1885 tundst = inet_makeaddr(INADDR_A, child_ip(nr));
1886
1887 switch (msg->type) {
1888 case MSG_EXIT:
1889 exit(KSFT_PASS);
1890 case MSG_ACK:
1891 write_msg(cmd_fd, msg, 1);
1892 break;
1893 case MSG_PING:
1894 tun_reply = memcmp(&dst, &msg->body.ping.reply_ip, sizeof(in_addr_t));
1895 /* UDP pinging without xfrm */
1896 if (do_ping(cmd_fd, buf, page_size, tun_reply ? tunsrc : src,
1897 false, msg->body.ping.port,
1898 msg->body.ping.reply_ip, udp_ping_reply)) {
1899 printk("ping failed before setting xfrm");
1900 }
1901 break;
1902 case MSG_XFRM_PREPARE:
1903 if (xfrm_prepare(xfrm_sock, seq, src, dst, tunsrc, tundst,
1904 desc->proto)) {
1905 xfrm_cleanup(xfrm_sock, seq, src, dst, tunsrc, tundst);
1906 printk("failed to prepare xfrm");
1907 }
1908 break;
1909 case MSG_XFRM_ADD:
1910 if (xfrm_set(xfrm_sock, seq, src, dst, tunsrc, tundst, desc)) {
1911 xfrm_cleanup(xfrm_sock, seq, src, dst, tunsrc, tundst);
1912 printk("failed to set xfrm");
1913 }
1914 break;
1915 case MSG_XFRM_DEL:
1916 if (xfrm_delete(xfrm_sock, seq, src, dst, tunsrc, tundst,
1917 desc->proto)) {
1918 xfrm_cleanup(xfrm_sock, seq, src, dst, tunsrc, tundst);
1919 printk("failed to remove xfrm");
1920 }
1921 break;
1922 case MSG_XFRM_CLEANUP:
1923 if (xfrm_cleanup(xfrm_sock, seq, src, dst, tunsrc, tundst)) {
1924 printk("failed to cleanup xfrm");
1925 }
1926 break;
1927 default:
1928 printk("got unknown msg type %d", msg->type);
1929 }
1930}
1931
1932static int grand_child_f(unsigned int nr, int cmd_fd, void *buf)
1933{
1934 struct test_desc msg;
1935 int xfrm_sock = -1;
1936 uint32_t seq;
1937
1938 if (switch_ns(nsfd_childb))
1939 exit(KSFT_FAIL);
1940
1941 if (netlink_sock(&xfrm_sock, &seq, NETLINK_XFRM)) {
1942 printk("Failed to open xfrm netlink socket");
1943 exit(KSFT_FAIL);
1944 }
1945
1946 do {
1947 read_msg(cmd_fd, &msg, 1);
1948 grand_child_serv(nr, cmd_fd, buf, &msg, xfrm_sock, &seq);
1949 } while (1);
1950
1951 close(xfrm_sock);
1952 exit(KSFT_FAIL);
1953}
1954
1955static int start_child(unsigned int nr, char *veth, int test_desc_fd[2])
1956{
1957 int cmd_sock[2];
1958 void *data_map;
1959 pid_t child;
1960
1961 if (init_child(nsfd_childa, veth, child_ip(nr), grchild_ip(nr)))
1962 return -1;
1963
1964 if (init_child(nsfd_childb, veth, grchild_ip(nr), child_ip(nr)))
1965 return -1;
1966
1967 child = fork();
1968 if (child < 0) {
1969 pr_err("fork()");
1970 return -1;
1971 } else if (child) {
1972 /* in parent - selftest */
1973 return switch_ns(nsfd_parent);
1974 }
1975
1976 if (close(test_desc_fd[1])) {
1977 pr_err("close()");
1978 return -1;
1979 }
1980
1981 /* child */
1982 data_map = mmap(0, page_size, PROT_READ | PROT_WRITE,
1983 MAP_SHARED | MAP_ANONYMOUS, -1, 0);
1984 if (data_map == MAP_FAILED) {
1985 pr_err("mmap()");
1986 return -1;
1987 }
1988
1989 randomize_buffer(data_map, page_size);
1990
1991 if (socketpair(PF_LOCAL, SOCK_SEQPACKET, 0, cmd_sock)) {
1992 pr_err("socketpair()");
1993 return -1;
1994 }
1995
1996 child = fork();
1997 if (child < 0) {
1998 pr_err("fork()");
1999 return -1;
2000 } else if (child) {
2001 if (close(cmd_sock[0])) {
2002 pr_err("close()");
2003 return -1;
2004 }
2005 return child_f(nr, test_desc_fd[0], cmd_sock[1], data_map);
2006 }
2007 if (close(cmd_sock[1])) {
2008 pr_err("close()");
2009 return -1;
2010 }
2011 return grand_child_f(nr, cmd_sock[0], data_map);
2012}
2013
2014static void exit_usage(char **argv)
2015{
2016 printk("Usage: %s [nr_process]", argv[0]);
2017 exit(KSFT_FAIL);
2018}
2019
2020static int __write_desc(int test_desc_fd, struct xfrm_desc *desc)
2021{
2022 ssize_t ret;
2023
2024 ret = write(test_desc_fd, desc, sizeof(*desc));
2025
2026 if (ret == sizeof(*desc))
2027 return 0;
2028
2029 pr_err("Writing test's desc failed %ld", ret);
2030
2031 return -1;
2032}
2033
2034static int write_desc(int proto, int test_desc_fd,
2035 char *a, char *e, char *c, char *ae)
2036{
2037 struct xfrm_desc desc = {};
2038
2039 desc.type = CREATE_TUNNEL;
2040 desc.proto = proto;
2041
2042 if (a)
2043 strncpy(desc.a_algo, a, ALGO_LEN - 1);
2044 if (e)
2045 strncpy(desc.e_algo, e, ALGO_LEN - 1);
2046 if (c)
2047 strncpy(desc.c_algo, c, ALGO_LEN - 1);
2048 if (ae)
2049 strncpy(desc.ae_algo, ae, ALGO_LEN - 1);
2050
2051 return __write_desc(test_desc_fd, &desc);
2052}
2053
2054int proto_list[] = { IPPROTO_AH, IPPROTO_COMP, IPPROTO_ESP };
2055char *ah_list[] = {
2056 "digest_null", "hmac(md5)", "hmac(sha1)", "hmac(sha256)",
2057 "hmac(sha384)", "hmac(sha512)", "hmac(rmd160)",
2058 "xcbc(aes)", "cmac(aes)"
2059};
2060char *comp_list[] = {
2061 "deflate",
2062#if 0
2063 /* No compression backend realization */
2064 "lzs", "lzjh"
2065#endif
2066};
2067char *e_list[] = {
2068 "ecb(cipher_null)", "cbc(des)", "cbc(des3_ede)", "cbc(cast5)",
2069 "cbc(blowfish)", "cbc(aes)", "cbc(serpent)", "cbc(camellia)",
2070 "cbc(twofish)", "rfc3686(ctr(aes))"
2071};
2072char *ae_list[] = {
2073#if 0
2074 /* not implemented */
2075 "rfc4106(gcm(aes))", "rfc4309(ccm(aes))", "rfc4543(gcm(aes))",
2076 "rfc7539esp(chacha20,poly1305)"
2077#endif
2078};
2079
2080const unsigned int proto_plan = ARRAY_SIZE(ah_list) + ARRAY_SIZE(comp_list) \
2081 + (ARRAY_SIZE(ah_list) * ARRAY_SIZE(e_list)) \
2082 + ARRAY_SIZE(ae_list);
2083
2084static int write_proto_plan(int fd, int proto)
2085{
2086 unsigned int i;
2087
2088 switch (proto) {
2089 case IPPROTO_AH:
2090 for (i = 0; i < ARRAY_SIZE(ah_list); i++) {
2091 if (write_desc(proto, fd, ah_list[i], 0, 0, 0))
2092 return -1;
2093 }
2094 break;
2095 case IPPROTO_COMP:
2096 for (i = 0; i < ARRAY_SIZE(comp_list); i++) {
2097 if (write_desc(proto, fd, 0, 0, comp_list[i], 0))
2098 return -1;
2099 }
2100 break;
2101 case IPPROTO_ESP:
2102 for (i = 0; i < ARRAY_SIZE(ah_list); i++) {
2103 int j;
2104
2105 for (j = 0; j < ARRAY_SIZE(e_list); j++) {
2106 if (write_desc(proto, fd, ah_list[i],
2107 e_list[j], 0, 0))
2108 return -1;
2109 }
2110 }
2111 for (i = 0; i < ARRAY_SIZE(ae_list); i++) {
2112 if (write_desc(proto, fd, 0, 0, 0, ae_list[i]))
2113 return -1;
2114 }
2115 break;
2116 default:
2117 printk("BUG: Specified unknown proto %d", proto);
2118 return -1;
2119 }
2120
2121 return 0;
2122}
2123
2124/*
2125 * Some structures in xfrm uapi header differ in size between
2126 * 64-bit and 32-bit ABI:
2127 *
2128 * 32-bit UABI | 64-bit UABI
2129 * -------------------------------------|-------------------------------------
2130 * sizeof(xfrm_usersa_info) = 220 | sizeof(xfrm_usersa_info) = 224
2131 * sizeof(xfrm_userpolicy_info) = 164 | sizeof(xfrm_userpolicy_info) = 168
2132 * sizeof(xfrm_userspi_info) = 228 | sizeof(xfrm_userspi_info) = 232
2133 * sizeof(xfrm_user_acquire) = 276 | sizeof(xfrm_user_acquire) = 280
2134 * sizeof(xfrm_user_expire) = 224 | sizeof(xfrm_user_expire) = 232
2135 * sizeof(xfrm_user_polexpire) = 168 | sizeof(xfrm_user_polexpire) = 176
2136 *
2137 * Check the affected by the UABI difference structures.
2138 * Also, check translation for xfrm_set_spdinfo: it has it's own attributes
2139 * which needs to be correctly copied, but not translated.
2140 */
2141const unsigned int compat_plan = 5;
2142static int write_compat_struct_tests(int test_desc_fd)
2143{
2144 struct xfrm_desc desc = {};
2145
2146 desc.type = ALLOCATE_SPI;
2147 desc.proto = IPPROTO_AH;
2148 strncpy(desc.a_algo, ah_list[0], ALGO_LEN - 1);
2149
2150 if (__write_desc(test_desc_fd, &desc))
2151 return -1;
2152
2153 desc.type = MONITOR_ACQUIRE;
2154 if (__write_desc(test_desc_fd, &desc))
2155 return -1;
2156
2157 desc.type = EXPIRE_STATE;
2158 if (__write_desc(test_desc_fd, &desc))
2159 return -1;
2160
2161 desc.type = EXPIRE_POLICY;
2162 if (__write_desc(test_desc_fd, &desc))
2163 return -1;
2164
2165 desc.type = SPDINFO_ATTRS;
2166 if (__write_desc(test_desc_fd, &desc))
2167 return -1;
2168
2169 return 0;
2170}
2171
2172static int write_test_plan(int test_desc_fd)
2173{
2174 unsigned int i;
2175 pid_t child;
2176
2177 child = fork();
2178 if (child < 0) {
2179 pr_err("fork()");
2180 return -1;
2181 }
2182 if (child) {
2183 if (close(test_desc_fd))
2184 printk("close(): %m");
2185 return 0;
2186 }
2187
2188 if (write_compat_struct_tests(test_desc_fd))
2189 exit(KSFT_FAIL);
2190
2191 for (i = 0; i < ARRAY_SIZE(proto_list); i++) {
2192 if (write_proto_plan(test_desc_fd, proto_list[i]))
2193 exit(KSFT_FAIL);
2194 }
2195
2196 exit(KSFT_PASS);
2197}
2198
2199static int children_cleanup(void)
2200{
2201 unsigned ret = KSFT_PASS;
2202
2203 while (1) {
2204 int status;
2205 pid_t p = wait(&status);
2206
2207 if ((p < 0) && errno == ECHILD)
2208 break;
2209
2210 if (p < 0) {
2211 pr_err("wait()");
2212 return KSFT_FAIL;
2213 }
2214
2215 if (!WIFEXITED(status)) {
2216 ret = KSFT_FAIL;
2217 continue;
2218 }
2219
2220 if (WEXITSTATUS(status) == KSFT_FAIL)
2221 ret = KSFT_FAIL;
2222 }
2223
2224 return ret;
2225}
2226
2227typedef void (*print_res)(const char *, ...);
2228
2229static int check_results(void)
2230{
2231 struct test_result tr = {};
2232 struct xfrm_desc *d = &tr.desc;
2233 int ret = KSFT_PASS;
2234
2235 while (1) {
2236 ssize_t received = read(results_fd[0], &tr, sizeof(tr));
2237 print_res result;
2238
2239 if (received == 0) /* EOF */
2240 break;
2241
2242 if (received != sizeof(tr)) {
2243 pr_err("read() returned %zd", received);
2244 return KSFT_FAIL;
2245 }
2246
2247 switch (tr.res) {
2248 case KSFT_PASS:
2249 result = ksft_test_result_pass;
2250 break;
2251 case KSFT_FAIL:
2252 default:
2253 result = ksft_test_result_fail;
2254 ret = KSFT_FAIL;
2255 }
2256
2257 result(" %s: [%u, '%s', '%s', '%s', '%s', %u]\n",
2258 desc_name[d->type], (unsigned int)d->proto, d->a_algo,
2259 d->e_algo, d->c_algo, d->ae_algo, d->icv_len);
2260 }
2261
2262 return ret;
2263}
2264
2265int main(int argc, char **argv)
2266{
2267 long nr_process = 1;
2268 int route_sock = -1, ret = KSFT_SKIP;
2269 int test_desc_fd[2];
2270 uint32_t route_seq;
2271 unsigned int i;
2272
2273 if (argc > 2)
2274 exit_usage(argv);
2275
2276 if (argc > 1) {
2277 char *endptr;
2278
2279 errno = 0;
2280 nr_process = strtol(argv[1], &endptr, 10);
2281 if ((errno == ERANGE && (nr_process == LONG_MAX || nr_process == LONG_MIN))
2282 || (errno != 0 && nr_process == 0)
2283 || (endptr == argv[1]) || (*endptr != '\0')) {
2284 printk("Failed to parse [nr_process]");
2285 exit_usage(argv);
2286 }
2287
2288 if (nr_process > MAX_PROCESSES || nr_process < 1) {
2289 printk("nr_process should be between [1; %u]",
2290 MAX_PROCESSES);
2291 exit_usage(argv);
2292 }
2293 }
2294
2295 srand(time(NULL));
2296 page_size = sysconf(_SC_PAGESIZE);
2297 if (page_size < 1)
2298 ksft_exit_skip("sysconf(): %m\n");
2299
2300 if (pipe2(test_desc_fd, O_DIRECT) < 0)
2301 ksft_exit_skip("pipe(): %m\n");
2302
2303 if (pipe2(results_fd, O_DIRECT) < 0)
2304 ksft_exit_skip("pipe(): %m\n");
2305
2306 if (init_namespaces())
2307 ksft_exit_skip("Failed to create namespaces\n");
2308
2309 if (netlink_sock(&route_sock, &route_seq, NETLINK_ROUTE))
2310 ksft_exit_skip("Failed to open netlink route socket\n");
2311
2312 for (i = 0; i < nr_process; i++) {
2313 char veth[VETH_LEN];
2314
2315 snprintf(veth, VETH_LEN, VETH_FMT, i);
2316
2317 if (veth_add(route_sock, route_seq++, veth, nsfd_childa, veth, nsfd_childb)) {
2318 close(route_sock);
2319 ksft_exit_fail_msg("Failed to create veth device");
2320 }
2321
2322 if (start_child(i, veth, test_desc_fd)) {
2323 close(route_sock);
2324 ksft_exit_fail_msg("Child %u failed to start", i);
2325 }
2326 }
2327
2328 if (close(route_sock) || close(test_desc_fd[0]) || close(results_fd[1]))
2329 ksft_exit_fail_msg("close(): %m");
2330
2331 ksft_set_plan(proto_plan + compat_plan);
2332
2333 if (write_test_plan(test_desc_fd[1]))
2334 ksft_exit_fail_msg("Failed to write test plan to pipe");
2335
2336 ret = check_results();
2337
2338 if (children_cleanup() == KSFT_FAIL)
2339 exit(KSFT_FAIL);
2340
2341 exit(ret);
2342}