Linux/tools/testing/selftests/net/ipsec.c


  1 // SPDX-License-Identifier: GPL-2.0
  2 /*
  3  * ipsec.c - Check xfrm on veth inside a net-ns.
  4  * Copyright (c) 2018 Dmitry Safonov
  5  */
  6 
  7 #define _GNU_SOURCE
  8 
  9 #include <arpa/inet.h>
 10 #include <asm/types.h>
 11 #include <errno.h>
 12 #include <fcntl.h>
 13 #include <limits.h>
 14 #include <linux/limits.h>
 15 #include <linux/netlink.h>
 16 #include <linux/random.h>
 17 #include <linux/rtnetlink.h>
 18 #include <linux/veth.h>
 19 #include <linux/xfrm.h>
 20 #include <netinet/in.h>
 21 #include <net/if.h>
 22 #include <sched.h>
 23 #include <stdbool.h>
 24 #include <stdint.h>
 25 #include <stdio.h>
 26 #include <stdlib.h>
 27 #include <string.h>
 28 #include <sys/mman.h>
 29 #include <sys/socket.h>
 30 #include <sys/stat.h>
 31 #include <sys/syscall.h>
 32 #include <sys/types.h>
 33 #include <sys/wait.h>
 34 #include <time.h>
 35 #include <unistd.h>
 36 
 37 #include "../kselftest.h"
 38 
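/* Log one line prefixed with the caller's pid and source line number. */
#define printk(fmt, ...)                                                \
        ksft_print_msg("%d[%u] " fmt "\n", getpid(), __LINE__, ##__VA_ARGS__)

/* printk() with the errno description appended through glibc's %m. */
#define pr_err(fmt, ...)        printk(fmt ": %m", ##__VA_ARGS__)

/* Compile-time assertion: a true condition produces a negative array size. */
#define BUILD_BUG_ON(condition) ((void)sizeof(char[1 - 2*!!(condition)]))

#define IPV4_STR_SZ     16      /* xxx.xxx.xxx.xxx is longest + \0 */
#define MAX_PAYLOAD     2048
#define XFRM_ALGO_KEY_BUF_SIZE  512
#define MAX_PROCESSES   (1 << 14) /* /16 mask divided by /30 subnets */
#define INADDR_A        ((in_addr_t) 0x0a000000) /* 10.0.0.0 */
#define INADDR_B        ((in_addr_t) 0xc0a80000) /* 192.168.0.0 */

/* /30 mask for one veth connection */
#define PREFIX_LEN      30
/*
 * Host part of the two addresses inside the nr-th /30 subnet.  The argument
 * is parenthesized so that an expression such as "a + b" expands correctly.
 */
#define child_ip(nr)    (4*(nr) + 1)
#define grchild_ip(nr)  (4*(nr) + 2)

#define VETH_FMT        "ktst-%d"
#define VETH_LEN        12

/* Must equal the number of rows in xfrm_key_entries[]. */
#define XFRM_ALGO_NR_KEYS 29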
 62 
/* Network-namespace descriptors, filled in by init_namespaces(). */
static int nsfd_parent  = -1;
static int nsfd_childa  = -1;
static int nsfd_childb  = -1;
/* NOTE(review): presumably the system page size; it is set outside this part of the file. */
static long page_size;

/*
 * ksft_cnt is static in kselftest, so isn't shared with children.
 * We have to send a test result back to parent and count there.
 * results_fd is a pipe with test feedback from children.
 */
static int results_fd[2];

/* Pause (nanoseconds) that do_ping() takes after every ping attempt. */
const unsigned int ping_delay_nsec      = 50 * 1000 * 1000;
/* Stored by udp_ping_init() in tv_usec of the SO_RCVTIMEO receive timeout. */
const unsigned int ping_timeout         = 300;
/* Attempts per do_ping() run, and the minimum number that must succeed. */
const unsigned int ping_count           = 100;
const unsigned int ping_success         = 80;
 79 
/* One algorithm known to the test: its name and the key length to generate. */
struct xfrm_key_entry {
        char algo_name[35];
        /* NOTE(review): looks like bits, since it is copied into alg_key_len - confirm */
        int key_len;
};

/*
 * Table scanned by xfrm_fill_key().  That loop is bounded by
 * XFRM_ALGO_NR_KEYS, so the constant has to match the number of rows here.
 */
struct xfrm_key_entry xfrm_key_entries[] = {
        {"digest_null", 0},
        {"ecb(cipher_null)", 0},
        {"cbc(des)", 64},
        {"hmac(md5)", 128},
        {"cmac(aes)", 128},
        {"xcbc(aes)", 128},
        {"cbc(cast5)", 128},
        {"cbc(serpent)", 128},
        {"hmac(sha1)", 160},
        {"hmac(rmd160)", 160},
        {"cbc(des3_ede)", 192},
        {"hmac(sha256)", 256},
        {"cbc(aes)", 256},
        {"cbc(camellia)", 256},
        {"cbc(twofish)", 256},
        {"rfc3686(ctr(aes))", 288},
        {"hmac(sha384)", 384},
        {"cbc(blowfish)", 448},
        {"hmac(sha512)", 512},
        {"rfc4106(gcm(aes))-128", 160},
        {"rfc4543(gcm(aes))-128", 160},
        {"rfc4309(ccm(aes))-128", 152},
        {"rfc4106(gcm(aes))-192", 224},
        {"rfc4543(gcm(aes))-192", 224},
        {"rfc4309(ccm(aes))-192", 216},
        {"rfc4106(gcm(aes))-256", 288},
        {"rfc4543(gcm(aes))-256", 288},
        {"rfc4309(ccm(aes))-256", 280},
        {"rfc7539(chacha20,poly1305)-128", 0}
};
116 
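/*
 * Fill buf[0..buflen) with rand() output.
 *
 * rand() is not a cryptographic generator: the bytes are throwaway test
 * material (netlink sequence numbers, dummy xfrm keys) and must never be
 * reused as real key material.
 *
 * Every word is stored with memcpy(), so buf needs no int alignment, and the
 * tail is addressed through an unsigned char pointer instead of relying on
 * arithmetic on a void pointer (a GNU extension).
 */
static void randomize_buffer(void *buf, size_t buflen)
{
        unsigned char *out = buf;

        while (buflen >= sizeof(int)) {
                int word = rand();

                memcpy(out, &word, sizeof(word));
                out += sizeof(word);
                buflen -= sizeof(word);
        }

        /* Fewer than sizeof(int) bytes left: copy only that many. */
        if (buflen) {
                int word = rand();

                memcpy(out, &word, buflen);
        }
}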
137 
/*
 * Move the calling process into a fresh network namespace and open a
 * read-only descriptor for it.
 *
 * Returns the descriptor, or -1 after logging the call that failed.
 */
static int unshare_open(void)
{
        static const char ns_path[] = "/proc/self/ns/net";
        int nsfd;

        if (unshare(CLONE_NEWNET)) {
                pr_err("unshare()");
                return -1;
        }

        nsfd = open(ns_path, O_RDONLY);
        if (nsfd > 0)
                return nsfd;

        pr_err("open(%s)", ns_path);
        return -1;
}
156 
/* Enter the network namespace behind fd.  Returns 0, or -1 if setns() fails. */
static int switch_ns(int fd)
{
        if (setns(fd, CLONE_NEWNET) == 0)
                return 0;

        pr_err("setns()");
        return -1;
}
165 
/*
 * Create the three network namespaces used by the test: a parent, and two
 * more that are each unshared while the process sits in the parent.
 *
 * Running the test inside a new parent net namespace means the error paths
 * need little cleanup.
 *
 * Returns 0 with the process back in the parent namespace, -1 on failure.
 */
static int init_namespaces(void)
{
        if ((nsfd_parent = unshare_open()) <= 0)
                return -1;

        if ((nsfd_childa = unshare_open()) <= 0)
                return -1;

        /* Go back to the parent before unsharing the second namespace. */
        if (switch_ns(nsfd_parent))
                return -1;

        if ((nsfd_childb = unshare_open()) <= 0)
                return -1;

        return switch_ns(nsfd_parent) ? -1 : 0;
}
191 
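/*
 * Open a netlink socket for proto unless *sock already holds one.
 *
 * A new socket gets a starting sequence number from randomize_buffer().
 * When the socket is reused, the stored sequence number is advanced; the
 * increment goes through the pointer, because incrementing the pointer
 * itself changes nothing the caller can observe.
 *
 * Returns 0 on success, -1 if socket() fails.
 */
static int netlink_sock(int *sock, uint32_t *seq_nr, int proto)
{
        if (*sock > 0) {
                (*seq_nr)++;
                return 0;
        }

        /* SOCK_CLOEXEC keeps the descriptor from leaking across exec(). */
        *sock = socket(AF_NETLINK, SOCK_RAW | SOCK_CLOEXEC, proto);
        if (*sock <= 0) {
                pr_err("socket(AF_NETLINK)");
                return -1;
        }

        randomize_buffer(seq_nr, sizeof(*seq_nr));

        return 0;
}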
209 
/* Address right after the aligned end of the message: the next attribute slot. */
static inline struct rtattr *rtattr_hdr(struct nlmsghdr *nh)
{
        char *msg_start = (char *)nh;
        size_t aligned_len = RTA_ALIGN(nh->nlmsg_len);

        return (struct rtattr *)(msg_start + aligned_len);
}
214 
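/*
 * Append one attribute of type rta_type carrying payload[0..size) to the
 * netlink message that starts at nh.
 *
 * req_sz is the size of the buffer holding the message; the attribute is
 * only written when the grown message still fits into it.
 *
 * Returns 0 on success, -1 (message left unchanged) when it does not fit.
 */
static int rtattr_pack(struct nlmsghdr *nh, size_t req_sz,
                unsigned short rta_type, const void *payload, size_t size)
{
        /* NLMSG_ALIGNTO == RTA_ALIGNTO, nlmsg_len already aligned */
        struct rtattr *attr = rtattr_hdr(nh);
        size_t nl_size = RTA_ALIGN(nh->nlmsg_len) + RTA_LENGTH(size);

        /* Bounds check comes before any store through attr. */
        if (req_sz < nl_size) {
                printk("req buf is too small: %zu < %zu", req_sz, nl_size);
                return -1;
        }
        nh->nlmsg_len = nl_size;

        attr->rta_len = RTA_LENGTH(size);
        attr->rta_type = rta_type;
        /*
         * rtattr_begin() opens a nest with a null payload and size 0;
         * memcpy() must not be handed a null pointer even for zero bytes.
         */
        if (size)
                memcpy(RTA_DATA(attr), payload, size);

        return 0;
}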
234 
/*
 * Pack an attribute and hand back a pointer to its header so the caller can
 * later close it with rtattr_end().  Returns NULL when packing fails.
 */
static struct rtattr *_rtattr_begin(struct nlmsghdr *nh, size_t req_sz,
                unsigned short rta_type, const void *payload, size_t size)
{
        /* Take the slot address first: rtattr_pack() advances nlmsg_len. */
        struct rtattr *start = rtattr_hdr(nh);
        int failed = rtattr_pack(nh, req_sz, rta_type, payload, size);

        return failed ? NULL : start;
}
245 
/* Open a nested attribute that has no payload of its own; NULL on failure. */
static inline struct rtattr *rtattr_begin(struct nlmsghdr *nh, size_t req_sz,
                unsigned short rta_type)
{
        const void *no_payload = NULL;

        return _rtattr_begin(nh, req_sz, rta_type, no_payload, 0);
}
251 
/*
 * Close a nested attribute: its length becomes the distance from its header
 * to the current end of the message.
 */
static inline void rtattr_end(struct nlmsghdr *nh, struct rtattr *attr)
{
        const char *attr_start = (const char *)attr;
        const char *msg_end = (const char *)nh + nh->nlmsg_len;

        attr->rta_len = msg_end - attr_start;
}
258 
/*
 * Append the VETH_INFO_PEER nest describing the second end of a veth pair:
 * an ifinfomsg header, the peer's name and the netns descriptor it goes to.
 *
 * Returns 0 on success, -1 if the request buffer is too small.
 */
static int veth_pack_peerb(struct nlmsghdr *nh, size_t req_sz,
                const char *peer, int ns)
{
        struct ifinfomsg peer_info;
        struct rtattr *nest;

        memset(&peer_info, 0, sizeof(peer_info));
        peer_info.ifi_family = AF_UNSPEC;
        peer_info.ifi_change = 0xFFFFFFFF;

        nest = _rtattr_begin(nh, req_sz, VETH_INFO_PEER,
                        &peer_info, sizeof(peer_info));
        if (nest == NULL)
                return -1;

        /* || short-circuits, so the attributes are packed in this order. */
        if (rtattr_pack(nh, req_sz, IFLA_IFNAME, peer, strlen(peer)) ||
            rtattr_pack(nh, req_sz, IFLA_NET_NS_FD, &ns, sizeof(ns)))
                return -1;

        rtattr_end(nh, nest);

        return 0;
}
283 
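/*
 * Read the kernel's reply to a request sent with NLM_F_ACK.
 *
 * Returns 0 for a positive acknowledgement, the (negative) error code from
 * an NLMSG_ERROR reply, or -1 when recv() fails, the reply is too short to
 * contain the header and error code, or it is not an NLMSG_ERROR message.
 */
static int netlink_check_answer(int sock)
{
        struct nlmsgerror {
                struct nlmsghdr hdr;
                int error;
                struct nlmsghdr orig_msg;
        } answer;
        ssize_t len;

        len = recv(sock, &answer, sizeof(answer), 0);
        if (len < 0) {
                pr_err("recv()");
                return -1;
        }

        /*
         * hdr and error are inspected below; a shorter datagram would leave
         * them holding uninitialized stack bytes.
         */
        if ((size_t)len < sizeof(answer.hdr) + sizeof(answer.error)) {
                printk("short netlink answer: %zd bytes", len);
                return -1;
        }

        if (answer.hdr.nlmsg_type != NLMSG_ERROR) {
                printk("expected NLMSG_ERROR, got %d", (int)answer.hdr.nlmsg_type);
                return -1;
        }

        if (answer.error) {
                printk("NLMSG_ERROR: %d: %s",
                        answer.error, strerror(-answer.error));
                return answer.error;
        }

        return 0;
}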
306 
/*
 * Create a veth pair with one RTM_NEWLINK request: end peera is placed in the
 * namespace behind descriptor ns_a, end peerb in the one behind ns_b.
 *
 * Returns 0 on success, -1 on a local failure, or the error code reported
 * by netlink_check_answer().
 */
static int veth_add(int sock, uint32_t seq, const char *peera, int ns_a,
                const char *peerb, int ns_b)
{
        static const char kind[] = "veth";
        struct {
                struct nlmsghdr         nh;
                struct ifinfomsg        info;
                char                    attrbuf[MAX_PAYLOAD];
        } req;
        struct rtattr *linkinfo_nest, *data_nest;

        memset(&req, 0, sizeof(req));
        req.nh.nlmsg_len        = NLMSG_LENGTH(sizeof(req.info));
        req.nh.nlmsg_type       = RTM_NEWLINK;
        req.nh.nlmsg_flags      = NLM_F_REQUEST | NLM_F_ACK |
                                  NLM_F_EXCL | NLM_F_CREATE;
        req.nh.nlmsg_seq        = seq;
        req.info.ifi_family     = AF_UNSPEC;
        req.info.ifi_change     = 0xFFFFFFFF;

        /* Name and namespace of the first end. */
        if (rtattr_pack(&req.nh, sizeof(req), IFLA_IFNAME, peera, strlen(peera)) ||
            rtattr_pack(&req.nh, sizeof(req), IFLA_NET_NS_FD, &ns_a, sizeof(ns_a)))
                return -1;

        /* IFLA_LINKINFO { IFLA_INFO_KIND, IFLA_INFO_DATA { peer } } */
        linkinfo_nest = rtattr_begin(&req.nh, sizeof(req), IFLA_LINKINFO);
        if (linkinfo_nest == NULL)
                return -1;

        if (rtattr_pack(&req.nh, sizeof(req), IFLA_INFO_KIND, kind, sizeof(kind)))
                return -1;

        data_nest = rtattr_begin(&req.nh, sizeof(req), IFLA_INFO_DATA);
        if (data_nest == NULL)
                return -1;

        if (veth_pack_peerb(&req.nh, sizeof(req), peerb, ns_b))
                return -1;

        /* Close the inner nest before the outer one. */
        rtattr_end(&req.nh, data_nest);
        rtattr_end(&req.nh, linkinfo_nest);

        if (send(sock, &req, req.nh.nlmsg_len, 0) < 0) {
                pr_err("send()");
                return -1;
        }

        return netlink_check_answer(sock);
}
356 
/*
 * Assign the IPv4 address addr/prefix to interface intf with RTM_NEWADDR.
 *
 * Returns 0 on success, -1 on a local failure, or the error code reported
 * by netlink_check_answer().
 */
static int ip4_addr_set(int sock, uint32_t seq, const char *intf,
                struct in_addr addr, uint8_t prefix)
{
        struct {
                struct nlmsghdr         nh;
                struct ifaddrmsg        info;
                char                    attrbuf[MAX_PAYLOAD];
        } req;

        memset(&req, 0, sizeof(req));
        req.nh.nlmsg_len        = NLMSG_LENGTH(sizeof(req.info));
        req.nh.nlmsg_type       = RTM_NEWADDR;
        req.nh.nlmsg_flags      = NLM_F_REQUEST | NLM_F_ACK |
                                  NLM_F_EXCL | NLM_F_CREATE;
        req.nh.nlmsg_seq        = seq;
        req.info.ifa_family     = AF_INET;
        req.info.ifa_prefixlen  = prefix;
        req.info.ifa_index      = if_nametoindex(intf);

#ifdef DEBUG
        {
                char addr_str[IPV4_STR_SZ] = {};

                /* One byte is held back so the string stays NUL-terminated. */
                strncpy(addr_str, inet_ntoa(addr), IPV4_STR_SZ - 1);

                printk("ip addr set %s", addr_str);
        }
#endif

        /* The same address is sent as both IFA_LOCAL and IFA_ADDRESS. */
        if (rtattr_pack(&req.nh, sizeof(req), IFA_LOCAL, &addr, sizeof(addr)) ||
            rtattr_pack(&req.nh, sizeof(req), IFA_ADDRESS, &addr, sizeof(addr)))
                return -1;

        if (send(sock, &req, req.nh.nlmsg_len, 0) < 0) {
                pr_err("send()");
                return -1;
        }

        return netlink_check_answer(sock);
}
398 
/*
 * Bring interface intf up with an RTM_NEWLINK request that sets IFF_UP.
 *
 * Returns 0 on success, -1 if send() fails, or the error code reported by
 * netlink_check_answer().
 */
static int link_set_up(int sock, uint32_t seq, const char *intf)
{
        struct {
                struct nlmsghdr         nh;
                struct ifinfomsg        info;
                char                    attrbuf[MAX_PAYLOAD];
        } req;
        const unsigned int ifindex = if_nametoindex(intf);

        memset(&req, 0, sizeof(req));
        req.nh.nlmsg_len        = NLMSG_LENGTH(sizeof(req.info));
        req.nh.nlmsg_type       = RTM_NEWLINK;
        req.nh.nlmsg_flags      = NLM_F_REQUEST | NLM_F_ACK;
        req.nh.nlmsg_seq        = seq;
        req.info.ifi_family     = AF_UNSPEC;
        req.info.ifi_index      = ifindex;
        /* Only the IFF_UP bit is marked as changed, and it is set. */
        req.info.ifi_flags      = IFF_UP;
        req.info.ifi_change     = IFF_UP;

        if (send(sock, &req, req.nh.nlmsg_len, 0) < 0) {
                pr_err("send()");
                return -1;
        }

        return netlink_check_answer(sock);
}
424 
/*
 * Add a link-scope /32 route to dst through interface intf, with src as the
 * preferred source address (RTM_NEWROUTE in the main table).
 *
 * Returns 0 on success, -1 on a local failure, or the error code reported
 * by netlink_check_answer().
 */
static int ip4_route_set(int sock, uint32_t seq, const char *intf,
                struct in_addr src, struct in_addr dst)
{
        struct {
                struct nlmsghdr nh;
                struct rtmsg    rt;
                char            attrbuf[MAX_PAYLOAD];
        } req;
        unsigned int oif = if_nametoindex(intf);

        memset(&req, 0, sizeof(req));

        req.nh.nlmsg_len        = NLMSG_LENGTH(sizeof(req.rt));
        req.nh.nlmsg_type       = RTM_NEWROUTE;
        req.nh.nlmsg_flags      = NLM_F_REQUEST | NLM_F_ACK | NLM_F_CREATE;
        req.nh.nlmsg_seq        = seq;

        req.rt.rtm_family       = AF_INET;
        req.rt.rtm_dst_len      = 32;
        req.rt.rtm_table        = RT_TABLE_MAIN;
        req.rt.rtm_protocol     = RTPROT_BOOT;
        req.rt.rtm_scope        = RT_SCOPE_LINK;
        req.rt.rtm_type         = RTN_UNICAST;

        /* Destination, preferred source, then the outgoing interface. */
        if (rtattr_pack(&req.nh, sizeof(req), RTA_DST, &dst, sizeof(dst)) ||
            rtattr_pack(&req.nh, sizeof(req), RTA_PREFSRC, &src, sizeof(src)) ||
            rtattr_pack(&req.nh, sizeof(req), RTA_OIF, &oif, sizeof(oif)))
                return -1;

        if (send(sock, &req, req.nh.nlmsg_len, 0) < 0) {
                pr_err("send()");
                return -1;
        }

        return netlink_check_answer(sock);
}
463 
/*
 * Put the tunnel source address on "lo" and route the tunnel destination
 * through veth.  Each request consumes one sequence number from *route_seq.
 *
 * Returns 0 on success, -1 if either request fails.
 */
static int tunnel_set_route(int route_sock, uint32_t *route_seq, char *veth,
                struct in_addr tunsrc, struct in_addr tundst)
{
        uint32_t seq = (*route_seq)++;

        if (ip4_addr_set(route_sock, seq, "lo", tunsrc, PREFIX_LEN)) {
                printk("Failed to set ipv4 addr");
                return -1;
        }

        /* The second number is taken only once the address is in place. */
        seq = (*route_seq)++;
        if (ip4_route_set(route_sock, seq, veth, tunsrc, tundst)) {
                printk("Failed to set ipv4 route");
                return -1;
        }

        return 0;
}
480 
/*
 * Configure one side of the veth pair from inside namespace nsfd: give veth
 * its 192.168/16-based address, bring it up, and install the 10/8-based
 * tunnel address and route.  src and dst are the host parts of the local
 * and remote addresses.
 *
 * Returns 0 on success, -1 on failure; the route socket is closed on every
 * path that opened it.
 */
static int init_child(int nsfd, char *veth, unsigned int src, unsigned int dst)
{
        struct in_addr veth_addr = inet_makeaddr(INADDR_B, src);
        struct in_addr tun_local = inet_makeaddr(INADDR_A, src);
        struct in_addr tun_remote = inet_makeaddr(INADDR_A, dst);
        uint32_t seq;
        int nl_sock = -1;
        int rc = -1;

        if (switch_ns(nsfd))
                return -1;

        if (netlink_sock(&nl_sock, &seq, NETLINK_ROUTE)) {
                printk("Failed to open netlink route socket in child");
                return -1;
        }

        if (ip4_addr_set(nl_sock, seq++, veth, veth_addr, PREFIX_LEN)) {
                printk("Failed to set ipv4 addr");
                goto out;
        }

        if (link_set_up(nl_sock, seq++, veth)) {
                printk("Failed to bring up %s", veth);
                goto out;
        }

        if (tunnel_set_route(nl_sock, &seq, veth, tun_local, tun_remote)) {
                printk("Failed to add tunnel route on %s", veth);
                goto out;
        }

        rc = 0;

out:
        close(nl_sock);
        return rc;
}
517 
/* Size of every algorithm-name buffer in struct xfrm_desc. */
#define ALGO_LEN        64
/* Kind of xfrm scenario that a descriptor asks for. */
enum desc_type {
        CREATE_TUNNEL   = 0,
        ALLOCATE_SPI,
        MONITOR_ACQUIRE,
        EXPIRE_STATE,
        EXPIRE_POLICY,
        SPDINFO_ATTRS,
};
/* Printable names in enum desc_type order, followed by one empty string. */
const char *desc_name[] = {
        "create tunnel",
        "alloc spi",
        "monitor acquire",
        "expire state",
        "expire policy",
        "spdinfo attributes",
        ""
};
/*
 * One xfrm test case.  xfrm_state_pack_algo() checks which of the name
 * fields are set against proto and packs them as XFRMA_ALG_AUTH (a_algo),
 * XFRMA_ALG_CRYPT (e_algo), XFRMA_ALG_COMP (c_algo) or XFRMA_ALG_AEAD
 * (ae_algo).
 */
struct xfrm_desc {
        enum desc_type  type;
        uint8_t         proto;  /* IPPROTO_AH, IPPROTO_COMP or IPPROTO_ESP */
        char            a_algo[ALGO_LEN];
        char            e_algo[ALGO_LEN];
        char            c_algo[ALGO_LEN];
        char            ae_algo[ALGO_LEN];
        unsigned int    icv_len;        /* copied into alg_icv_len for AEAD */
        /* unsigned key_len; */
};

/* Type tag of a struct test_desc passed through write_msg()/read_msg(). */
enum msg_type {
        MSG_ACK         = 0,
        MSG_EXIT,
        MSG_PING,
        MSG_XFRM_PREPARE,
        MSG_XFRM_ADD,
        MSG_XFRM_DEL,
        MSG_XFRM_CLEANUP,
};

/*
 * Fixed-size message.  write_msg() asserts at build time that it is no
 * larger than PIPE_BUF, so one write to a pipe is atomic.
 */
struct test_desc {
        enum msg_type type;
        union {
                /* MSG_PING: where the sender expects the ping traffic. */
                struct {
                        in_addr_t reply_ip;
                        unsigned int port;
                } ping;
                struct xfrm_desc xfrm_desc;
        } body;
};

/* Record that write_test_result() writes into the results pipe. */
struct test_result {
        struct xfrm_desc desc;
        unsigned int res;
};
572 
/*
 * Report the outcome res of test case d through the write end of the
 * results pipe.  A short or failed write is only logged.
 */
static void write_test_result(unsigned int res, struct xfrm_desc *d)
{
        struct test_result report = {};
        ssize_t written;

        report.res = res;
        report.desc = *d;

        written = write(results_fd[1], &report, sizeof(report));
        if (written == sizeof(report))
                return;

        pr_err("Failed to write the result in pipe %zd", written);
}
585 
/*
 * Send one struct test_desc over fd.  Failures and short writes are logged;
 * with exit_of_fail set the process then exits with KSFT_FAIL.
 */
static void write_msg(int fd, struct test_desc *msg, bool exit_of_fail)
{
        const size_t want = sizeof(*msg);
        ssize_t sent;

        /* Make sure that write/read is atomic to a pipe */
        BUILD_BUG_ON(sizeof(struct test_desc) > PIPE_BUF);

        sent = write(fd, msg, want);

        if (sent < 0) {
                pr_err("write()");
                if (exit_of_fail)
                        exit(KSFT_FAIL);
        }

        /* Without exit_of_fail a failed write is reported here as well. */
        if (sent != want) {
                pr_err("sent part of the message %zd/%zu", sent, want);
                if (exit_of_fail)
                        exit(KSFT_FAIL);
        }
}
604 
/*
 * Receive one struct test_desc from fd.  Failures and short reads are
 * logged; with exit_of_fail set the process then exits with KSFT_FAIL.
 * Without it the caller gets no error indication and *msg may be stale.
 */
static void read_msg(int fd, struct test_desc *msg, bool exit_of_fail)
{
        const size_t want = sizeof(*msg);
        ssize_t got = read(fd, msg, want);

        if (got < 0) {
                pr_err("read()");
                if (exit_of_fail)
                        exit(KSFT_FAIL);
        }

        if (got != want) {
                pr_err("got incomplete message %zd/%zu", got, want);
                if (exit_of_fail)
                        exit(KSFT_FAIL);
        }
}
620 
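/*
 * Create the socket pair used for the UDP ping.
 *
 * sock[0] is bound to listen_ip on a kernel-chosen port, which is returned
 * in *server_port (host byte order), and gets a receive timeout of u_timeout
 * microseconds.  sock[1] is an unbound socket for sending.
 *
 * Returns 0 on success; on failure returns -1 with sock[0] closed.
 */
static int udp_ping_init(struct in_addr listen_ip, unsigned int u_timeout,
                unsigned int *server_port, int sock[2])
{
        struct sockaddr_in server;
        struct timeval t = { .tv_sec = 0, .tv_usec = u_timeout };
        socklen_t s_len = sizeof(server);

        sock[0] = socket(AF_INET, SOCK_DGRAM, 0);
        if (sock[0] < 0) {
                pr_err("socket()");
                return -1;
        }

        /* Zero the padding too: the whole structure is handed to bind(). */
        memset(&server, 0, sizeof(server));
        server.sin_family       = AF_INET;
        server.sin_port         = 0;
        memcpy(&server.sin_addr.s_addr, &listen_ip, sizeof(struct in_addr));

        if (bind(sock[0], (struct sockaddr *)&server, s_len)) {
                pr_err("bind()");
                goto err_close_server;
        }

        /* Port 0 was requested; ask which port the kernel picked. */
        if (getsockname(sock[0], (struct sockaddr *)&server, &s_len)) {
                pr_err("getsockname()");
                goto err_close_server;
        }

        *server_port = ntohs(server.sin_port);

        if (setsockopt(sock[0], SOL_SOCKET, SO_RCVTIMEO, (const char *)&t, sizeof t)) {
                pr_err("setsockopt()");
                goto err_close_server;
        }

        sock[1] = socket(AF_INET, SOCK_DGRAM, 0);
        if (sock[1] < 0) {
                pr_err("socket()");
                goto err_close_server;
        }

        return 0;

err_close_server:
        close(sock[0]);
        return -1;
}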
667 
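/*
 * Send buf[0..buf_len) to dest_ip:port from sock[1], then wait on sock[0]
 * for a reply and require it to be byte-identical.
 *
 * Returns 0 when the echo matches, -1 on any send/receive problem.  A
 * receive timeout (EAGAIN) is not logged.
 */
static int udp_ping_send(int sock[2], in_addr_t dest_ip, unsigned int port,
                char *buf, size_t buf_len)
{
        struct sockaddr_in server;
        const struct sockaddr *dest_addr = (struct sockaddr *)&server;
        /* Receive buffer of buf_len bytes (not buf_len pointers). */
        char sock_buf[buf_len];
        ssize_t r_bytes, s_bytes;

        memset(&server, 0, sizeof(server));
        server.sin_family       = AF_INET;
        server.sin_port         = htons(port);
        server.sin_addr.s_addr  = dest_ip;

        s_bytes = sendto(sock[1], buf, buf_len, 0, dest_addr, sizeof(server));
        if (s_bytes < 0) {
                pr_err("sendto()");
                return -1;
        } else if ((size_t)s_bytes != buf_len) {
                printk("send part of the message: %zd/%zu", s_bytes, buf_len);
                return -1;
        }

        /* recv() never stores more than buf_len bytes into sock_buf. */
        r_bytes = recv(sock[0], sock_buf, buf_len, 0);
        if (r_bytes < 0) {
                if (errno != EAGAIN)
                        pr_err("recv()");
                return -1;
        } else if (r_bytes == 0) { /* EOF */
                printk("EOF on reply to ping");
                return -1;
        } else if ((size_t)r_bytes != buf_len || memcmp(buf, sock_buf, buf_len)) {
                printk("ping reply packet is corrupted %zd/%zu", r_bytes, buf_len);
                return -1;
        }

        return 0;
}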
704 
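/*
 * Wait on sock[0] for a ping carrying exactly buf[0..buf_len), then echo buf
 * to dest_ip:port from sock[1].
 *
 * Returns 0 when the ping matched and the echo was sent in full, -1
 * otherwise.  A receive timeout (EAGAIN) is not logged.
 */
static int udp_ping_reply(int sock[2], in_addr_t dest_ip, unsigned int port,
                char *buf, size_t buf_len)
{
        struct sockaddr_in server;
        const struct sockaddr *dest_addr = (struct sockaddr *)&server;
        /* Receive buffer of buf_len bytes (not buf_len pointers). */
        char sock_buf[buf_len];
        ssize_t r_bytes, s_bytes;

        memset(&server, 0, sizeof(server));
        server.sin_family       = AF_INET;
        server.sin_port         = htons(port);
        server.sin_addr.s_addr  = dest_ip;

        /* recv() never stores more than buf_len bytes into sock_buf. */
        r_bytes = recv(sock[0], sock_buf, buf_len, 0);
        if (r_bytes < 0) {
                if (errno != EAGAIN)
                        pr_err("recv()");
                return -1;
        }
        if (r_bytes == 0) { /* EOF */
                printk("EOF on reply to ping");
                return -1;
        }
        if ((size_t)r_bytes != buf_len || memcmp(buf, sock_buf, buf_len)) {
                printk("ping reply packet is corrupted %zd/%zu", r_bytes, buf_len);
                return -1;
        }

        s_bytes = sendto(sock[1], buf, buf_len, 0, dest_addr, sizeof(server));
        if (s_bytes < 0) {
                pr_err("sendto()");
                return -1;
        } else if ((size_t)s_bytes != buf_len) {
                printk("send part of the message: %zd/%zu", s_bytes, buf_len);
                return -1;
        }

        return 0;
}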
743 
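/* One ping step: udp_ping_send() or udp_ping_reply(). */
typedef int (*ping_f)(int sock[2], in_addr_t dest_ip, unsigned int port,
                char *buf, size_t buf_len);

/*
 * Run ping_count ping steps with func and require at least ping_success of
 * them to succeed.
 *
 * The local address and port are announced to the peer over cmd_fd.  On the
 * initiating side (init_side) the peer's answer supplies the destination
 * and overrides to and d_port.  Every step transfers buf[0..buf_len).
 *
 * Returns 0 on success, -1 on setup failure, an unexpected peer message, or
 * too many failed pings.  The ping sockets are closed on every path.
 */
static int do_ping(int cmd_fd, char *buf, size_t buf_len, struct in_addr from,
                bool init_side, int d_port, in_addr_t to, ping_f func)
{
        struct test_desc msg;
        unsigned int s_port, i, ping_succeeded = 0;
        int ping_sock[2];
        char to_str[IPV4_STR_SZ] = {}, from_str[IPV4_STR_SZ] = {};

        if (udp_ping_init(from, ping_timeout, &s_port, ping_sock)) {
                printk("Failed to init ping");
                return -1;
        }

        memset(&msg, 0, sizeof(msg));
        msg.type                = MSG_PING;
        msg.body.ping.port      = s_port;
        memcpy(&msg.body.ping.reply_ip, &from, sizeof(from));

        write_msg(cmd_fd, &msg, 0);
        if (init_side) {
                /* The other end sends ip to ping */
                /*
                 * Clear our own MSG_PING first: read_msg() reports no error,
                 * and a failed read must not be taken for the peer's answer.
                 */
                memset(&msg, 0, sizeof(msg));
                read_msg(cmd_fd, &msg, 0);
                if (msg.type != MSG_PING) {
                        close(ping_sock[0]);
                        close(ping_sock[1]);
                        return -1;
                }
                to = msg.body.ping.reply_ip;
                d_port = msg.body.ping.port;
        }

        for (i = 0; i < ping_count ; i++) {
                struct timespec sleep_time = {
                        .tv_sec = 0,
                        .tv_nsec = ping_delay_nsec,
                };

                /* The length is the caller's buf_len, the real size of buf. */
                ping_succeeded += !func(ping_sock, to, d_port, buf, buf_len);
                nanosleep(&sleep_time, 0);
        }

        close(ping_sock[0]);
        close(ping_sock[1]);

        /* inet_ntoa() reuses one static buffer, so each result is copied. */
        strncpy(to_str, inet_ntoa(*(struct in_addr *)&to), IPV4_STR_SZ - 1);
        strncpy(from_str, inet_ntoa(from), IPV4_STR_SZ - 1);

        if (ping_succeeded < ping_success) {
                printk("ping (%s) %s->%s failed %u/%u times",
                        init_side ? "send" : "reply", from_str, to_str,
                        ping_count - ping_succeeded, ping_count);
                return -1;
        }

#ifdef DEBUG
        printk("ping (%s) %s->%s succeeded %u/%u times",
                init_side ? "send" : "reply", from_str, to_str,
                ping_succeeded, ping_count);
#endif

        return 0;
}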
805 
/*
 * Look name up in xfrm_key_entries[], store the matching key length in
 * *key_len and fill buf with that many random bytes.
 *
 * *key_len keeps the caller's value when no entry matches.  The key bytes
 * come from randomize_buffer(), i.e. rand(): test material only.
 *
 * Returns 0 on success, -1 when the key would not fit into buf_len bytes.
 */
static int xfrm_fill_key(char *name, char *buf,
                size_t buf_len, unsigned int *key_len)
{
        const struct xfrm_key_entry *entry = xfrm_key_entries;
        const struct xfrm_key_entry *end = entry + XFRM_ALGO_NR_KEYS;

        /* The whole table is walked; a later match would override an earlier one. */
        for (; entry < end; entry++) {
                if (!strncmp(name, entry->algo_name, ALGO_LEN))
                        *key_len = entry->key_len;
        }

        if (buf_len < *key_len) {
                printk("Can't pack a key - too big for buffer");
                return -1;
        }

        randomize_buffer(buf, *key_len);

        return 0;
}
825 
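/*
 * Append the algorithm attribute(s) described by desc to the message in nh.
 *
 * Which name fields must be set depends on desc->proto:
 *   IPPROTO_AH   - a_algo only              -> XFRMA_ALG_AUTH
 *   IPPROTO_COMP - c_algo only              -> XFRMA_ALG_COMP
 *   IPPROTO_ESP  - ae_algo only             -> XFRMA_ALG_AEAD, or
 *                  e_algo and a_algo        -> XFRMA_ALG_CRYPT + XFRMA_ALG_AUTH
 * Keys are generated by xfrm_fill_key().
 *
 * Every name is copied with a bound of ALGO_LEN - 1 into the zero-initialized
 * structure, so the last byte of alg_name always stays NUL.
 *
 * Returns 0 on success, -1 for an inconsistent descriptor, an oversized key
 * or a request buffer (req_sz) that is too small.
 */
static int xfrm_state_pack_algo(struct nlmsghdr *nh, size_t req_sz,
                struct xfrm_desc *desc)
{
        /* buf directly follows the union and backs the trailing key array. */
        struct {
                union {
                        struct xfrm_algo        alg;
                        struct xfrm_algo_aead   aead;
                        struct xfrm_algo_auth   auth;
                } u;
                char buf[XFRM_ALGO_KEY_BUF_SIZE];
        } alg = {};
        size_t alen, elen, clen, aelen;
        unsigned short type;

        alen = strlen(desc->a_algo);
        elen = strlen(desc->e_algo);
        clen = strlen(desc->c_algo);
        aelen = strlen(desc->ae_algo);

        /* Verify desc */
        switch (desc->proto) {
        case IPPROTO_AH:
                if (!alen || elen || clen || aelen) {
                        printk("BUG: buggy ah desc");
                        return -1;
                }
                strncpy(alg.u.alg.alg_name, desc->a_algo, ALGO_LEN - 1);
                if (xfrm_fill_key(desc->a_algo, alg.u.alg.alg_key,
                                sizeof(alg.buf), &alg.u.alg.alg_key_len))
                        return -1;
                type = XFRMA_ALG_AUTH;
                break;
        case IPPROTO_COMP:
                if (!clen || elen || alen || aelen) {
                        printk("BUG: buggy comp desc");
                        return -1;
                }
                strncpy(alg.u.alg.alg_name, desc->c_algo, ALGO_LEN - 1);
                if (xfrm_fill_key(desc->c_algo, alg.u.alg.alg_key,
                                sizeof(alg.buf), &alg.u.alg.alg_key_len))
                        return -1;
                type = XFRMA_ALG_COMP;
                break;
        case IPPROTO_ESP:
                /* Either an AEAD algorithm, or a cipher plus an auth algorithm. */
                if (!((alen && elen) ^ aelen) || clen) {
                        printk("BUG: buggy esp desc");
                        return -1;
                }
                if (aelen) {
                        alg.u.aead.alg_icv_len = desc->icv_len;
                        strncpy(alg.u.aead.alg_name, desc->ae_algo, ALGO_LEN - 1);
                        if (xfrm_fill_key(desc->ae_algo, alg.u.aead.alg_key,
                                                sizeof(alg.buf), &alg.u.aead.alg_key_len))
                                return -1;
                        type = XFRMA_ALG_AEAD;
                } else {

                        strncpy(alg.u.alg.alg_name, desc->e_algo, ALGO_LEN - 1);
                        type = XFRMA_ALG_CRYPT;
                        if (xfrm_fill_key(desc->e_algo, alg.u.alg.alg_key,
                                                sizeof(alg.buf), &alg.u.alg.alg_key_len))
                                return -1;
                        /* The cipher goes out now; alg is then reused for auth. */
                        if (rtattr_pack(nh, req_sz, type, &alg, sizeof(alg)))
                                return -1;

                        /*
                         * strncpy() zero-pads, so this also wipes what is left
                         * of the longer cipher name.
                         */
                        strncpy(alg.u.alg.alg_name, desc->a_algo, ALGO_LEN - 1);
                        type = XFRMA_ALG_AUTH;
                        if (xfrm_fill_key(desc->a_algo, alg.u.alg.alg_key,
                                                sizeof(alg.buf), &alg.u.alg.alg_key_len))
                                return -1;
                }
                break;
        default:
                printk("BUG: unknown proto in desc");
                return -1;
        }

        if (rtattr_pack(nh, req_sz, type, &alg, sizeof(alg)))
                return -1;

        return 0;
}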
908 
/*
 * Derive the SPI the tests use for a tunnel from its source address:
 * the local (host) part of @src as returned by inet_lnaof(), passed
 * through htonl().
 */
static inline uint32_t gen_spi(struct in_addr src)
{
        const in_addr_t host_part = inet_lnaof(src);

        return htonl(host_part);
}
913 
/*
 * Install one IPv4 tunnel-mode xfrm state (XFRM_MSG_NEWSA) for src -> dst.
 *
 * The selector and the state id are both filled from @src/@dst, the SPI
 * comes from @spi and the protocol from @desc->proto, every lifetime
 * limit is XFRM_INF, and the algorithm attributes are appended by
 * xfrm_state_pack_algo().  The request carries NLM_F_ACK and the answer
 * is read back with netlink_check_answer().
 *
 * Returns -1 when packing or send() fails, otherwise the result of
 * netlink_check_answer().
 */
static int xfrm_state_add(int xfrm_sock, uint32_t seq, uint32_t spi,
                struct in_addr src, struct in_addr dst,
                struct xfrm_desc *desc)
{
        struct {
                struct nlmsghdr         nh;
                struct xfrm_usersa_info info;
                char                    attrbuf[MAX_PAYLOAD];
        } req;
        struct xfrm_usersa_info *sa = &req.info;

        /* Zero the whole request so unset fields and padding go out as 0. */
        memset(&req, 0, sizeof(req));

        req.nh.nlmsg_seq        = seq;
        req.nh.nlmsg_flags      = NLM_F_REQUEST | NLM_F_ACK;
        req.nh.nlmsg_type       = XFRM_MSG_NEWSA;
        req.nh.nlmsg_len        = NLMSG_LENGTH(sizeof(req.info));

        /* State-wide parameters. */
        sa->family              = AF_INET;
        sa->mode                = XFRM_MODE_TUNNEL;
        memcpy(&sa->saddr, &src, sizeof(src));

        /* Selector: the src -> dst pair with PREFIX_LEN on both sides. */
        sa->sel.family          = AF_INET;
        sa->sel.prefixlen_s     = PREFIX_LEN;
        sa->sel.prefixlen_d     = PREFIX_LEN;
        memcpy(&sa->sel.saddr, &src, sizeof(src));
        memcpy(&sa->sel.daddr, &dst, sizeof(dst));

        /* State id.  Note: zero-spi cannot be deleted */
        sa->id.proto            = desc->proto;
        sa->id.spi              = spi;
        memcpy(&sa->id.daddr, &dst, sizeof(dst));

        /* Lifetime configuration: no byte or packet limit. */
        sa->lft.soft_packet_limit       = XFRM_INF;
        sa->lft.hard_packet_limit       = XFRM_INF;
        sa->lft.soft_byte_limit         = XFRM_INF;
        sa->lft.hard_byte_limit         = XFRM_INF;

        if (xfrm_state_pack_algo(&req.nh, sizeof(req), desc) != 0)
                return -1;

        if (send(xfrm_sock, &req, req.nh.nlmsg_len, 0) < 0) {
                pr_err("send()");
                return -1;
        }

        return netlink_check_answer(xfrm_sock);
}
964 
/*
 * Tell whether a dumped state @info is the IPv4 tunnel-mode state for
 * src -> dst with the given SPI and @desc->proto.
 *
 * Compared fields: selector addresses, family and prefix lengths; state
 * id (SPI, protocol, destination); state source address; the four
 * lifetime limits (all expected to be XFRM_INF); family and mode.
 * The algorithm attributes are not compared.
 */
static bool xfrm_usersa_found(struct xfrm_usersa_info *info, uint32_t spi,
                struct in_addr src, struct in_addr dst,
                struct xfrm_desc *desc)
{
        const struct xfrm_selector *sel = &info->sel;
        const struct xfrm_lifetime_cfg *lft = &info->lft;
        bool sel_ok, id_ok, lft_ok;

        sel_ok = memcmp(&sel->daddr, &dst, sizeof(dst)) == 0 &&
                 memcmp(&sel->saddr, &src, sizeof(src)) == 0 &&
                 sel->family == AF_INET &&
                 sel->prefixlen_d == PREFIX_LEN &&
                 sel->prefixlen_s == PREFIX_LEN;
        if (!sel_ok)
                return false;

        id_ok = info->id.spi == spi &&
                info->id.proto == desc->proto &&
                memcmp(&info->id.daddr, &dst, sizeof(dst)) == 0 &&
                memcmp(&info->saddr, &src, sizeof(src)) == 0;
        if (!id_ok)
                return false;

        lft_ok = lft->soft_byte_limit == XFRM_INF &&
                 lft->hard_byte_limit == XFRM_INF &&
                 lft->soft_packet_limit == XFRM_INF &&
                 lft->hard_packet_limit == XFRM_INF;
        if (!lft_ok)
                return false;

        /* XXX: check xfrm algo, see xfrm_state_pack_algo(). */

        return info->family == AF_INET && info->mode == XFRM_MODE_TUNNEL;
}
1002 
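/*
 * Dump the xfrm states (XFRM_MSG_GETSA with NLM_F_DUMP), filtered by
 * source address, and check that the state for src -> dst with the given
 * SPI and @desc->proto is among the answers.
 *
 * Returns 0 if a matching XFRM_MSG_NEWSA was seen before NLMSG_DONE,
 * -1 on a send()/recv() failure, on NLMSG_ERROR, on an answer too short
 * for the fields that are read, or when the dump ends without a match.
 *
 * Only the first netlink message of each received datagram is inspected.
 * NOTE(review): if several XFRM_MSG_NEWSA messages can share one
 * datagram, the later ones are not examined here - confirm that the
 * address filter rules this out.
 */
static int xfrm_state_check(int xfrm_sock, uint32_t seq, uint32_t spi,
                struct in_addr src, struct in_addr dst,
                struct xfrm_desc *desc)
{
        struct {
                struct nlmsghdr         nh;
                char                    attrbuf[MAX_PAYLOAD];
        } req;
        struct {
                struct nlmsghdr         nh;
                union {
                        struct xfrm_usersa_info info;
                        int error;
                };
                char                    attrbuf[MAX_PAYLOAD];
        } answer;
        struct xfrm_address_filter filter = {};
        bool found = false;

        memset(&req, 0, sizeof(req));
        req.nh.nlmsg_len        = NLMSG_LENGTH(0);
        req.nh.nlmsg_type       = XFRM_MSG_GETSA;
        req.nh.nlmsg_flags      = NLM_F_REQUEST | NLM_F_DUMP;
        req.nh.nlmsg_seq        = seq;

        /*
         * Add dump filter by source address as there may be other tunnels
         * in this netns (if tests run in parallel).
         */
        filter.family = AF_INET;
        filter.splen = 0x1f;    /* 0xffffffff mask see addr_match() */
        memcpy(&filter.saddr, &src, sizeof(src));
        if (rtattr_pack(&req.nh, sizeof(req), XFRMA_ADDRESS_FILTER,
                                &filter, sizeof(filter)))
                return -1;

        if (send(xfrm_sock, &req, req.nh.nlmsg_len, 0) < 0) {
                pr_err("send()");
                return -1;
        }

        while (1) {
                ssize_t len = recv(xfrm_sock, &answer, sizeof(answer), 0);

                if (len < 0) {
                        pr_err("recv()");
                        return -1;
                }

                /*
                 * 'answer' is never cleared and is reused on every
                 * iteration, so a short datagram would otherwise be
                 * parsed together with bytes left from an earlier one.
                 */
                if ((size_t)len < sizeof(answer.nh)) {
                        printk("short netlink answer: %zd bytes", len);
                        return -1;
                }

                switch (answer.nh.nlmsg_type) {
                case NLMSG_ERROR:
                        if ((size_t)len < NLMSG_LENGTH(sizeof(answer.error))) {
                                printk("short netlink answer: %zd bytes", len);
                                return -1;
                        }
                        printk("NLMSG_ERROR: %d: %s",
                                answer.error, strerror(-answer.error));
                        return -1;
                case NLMSG_DONE:
                        if (found)
                                return 0;
                        printk("didn't find allocated xfrm state in dump");
                        return -1;
                case XFRM_MSG_NEWSA:
                        /* Compare only a completely received xfrm_usersa_info. */
                        if ((size_t)len < NLMSG_LENGTH(sizeof(answer.info))) {
                                printk("short netlink answer: %zd bytes", len);
                                return -1;
                        }
                        if (xfrm_usersa_found(&answer.info, spi, src, dst, desc))
                                found = true;
                        break;
                default:
                        /* Other message types are skipped, as before. */
                        break;
                }
        }
}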
1065 
/*
 * Add the two states of a tunnel (src -> dst and dst -> src), both with
 * the SPI gen_spi(src), then verify each of them through a state dump.
 *
 * @seq is advanced once per request.  @tunsrc and @tundst are not used
 * by this function.  Returns 0 on success, -1 on the first failed add or
 * if either dump check fails.
 */
static int xfrm_set(int xfrm_sock, uint32_t *seq,
                struct in_addr src, struct in_addr dst,
                struct in_addr tunsrc, struct in_addr tundst,
                struct xfrm_desc *desc)
{
        const uint32_t spi = gen_spi(src);
        int fwd, rev;

        if (xfrm_state_add(xfrm_sock, (*seq)++, spi, src, dst, desc) != 0) {
                printk("Failed to add xfrm state");
                return -1;
        }

        if (xfrm_state_add(xfrm_sock, (*seq)++, spi, dst, src, desc) != 0) {
                printk("Failed to add xfrm state");
                return -1;
        }

        /*
         * Check dumps for XFRM_MSG_GETSA.  Both directions are always
         * queried, even when the first check already failed.
         */
        fwd = xfrm_state_check(xfrm_sock, (*seq)++, spi, src, dst, desc);
        rev = xfrm_state_check(xfrm_sock, (*seq)++, spi, dst, src, desc);
        if (fwd || rev) {
                printk("Failed to check xfrm state");
                return -1;
        }

        return 0;
}
1095 
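/*
 * Add one IPv4 xfrm policy (XFRM_MSG_NEWPOLICY) for direction @dir with a
 * single tunnel-mode template.
 *
 * The selector and the template are both filled from @src/@dst; @tunsrc
 * and @tundst are not written into the request by this function.  The
 * template carries @spi and @proto and has every bit set in its
 * aalgos/ealgos/calgos masks.  All lifetime limits are XFRM_INF.
 *
 * Returns -1 when packing the template or send() fails, otherwise the
 * result of netlink_check_answer().
 */
static int xfrm_policy_add(int xfrm_sock, uint32_t seq, uint32_t spi,
                struct in_addr src, struct in_addr dst, uint8_t dir,
                struct in_addr tunsrc, struct in_addr tundst, uint8_t proto)
{
        struct {
                struct nlmsghdr                 nh;
                struct xfrm_userpolicy_info     info;
                char                            attrbuf[MAX_PAYLOAD];
        } req;
        struct xfrm_user_tmpl tmpl;

        memset(&req, 0, sizeof(req));
        memset(&tmpl, 0, sizeof(tmpl));
        req.nh.nlmsg_len        = NLMSG_LENGTH(sizeof(req.info));
        req.nh.nlmsg_type       = XFRM_MSG_NEWPOLICY;
        req.nh.nlmsg_flags      = NLM_F_REQUEST | NLM_F_ACK;
        req.nh.nlmsg_seq        = seq;

        /*
         * Fill selector.  The copy length is taken from the object that
         * is copied (it used to be sizeof(tundst)/sizeof(tunsrc), which
         * only matched because all four are struct in_addr).
         */
        memcpy(&req.info.sel.daddr, &dst, sizeof(dst));
        memcpy(&req.info.sel.saddr, &src, sizeof(src));
        req.info.sel.family             = AF_INET;
        req.info.sel.prefixlen_d        = PREFIX_LEN;
        req.info.sel.prefixlen_s        = PREFIX_LEN;

        /* Fill lifetime_cfg: no byte or packet limit. */
        req.info.lft.soft_byte_limit    = XFRM_INF;
        req.info.lft.hard_byte_limit    = XFRM_INF;
        req.info.lft.soft_packet_limit  = XFRM_INF;
        req.info.lft.hard_packet_limit  = XFRM_INF;

        req.info.dir = dir;

        /* Fill tmpl */
        memcpy(&tmpl.id.daddr, &dst, sizeof(dst));
        /* Note: zero-spi cannot be deleted */
        tmpl.id.spi = spi;
        tmpl.id.proto   = proto;
        tmpl.family     = AF_INET;
        memcpy(&tmpl.saddr, &src, sizeof(src));
        tmpl.mode       = XFRM_MODE_TUNNEL;
        /* All bits set in each algorithm mask. */
        tmpl.aalgos = (~(uint32_t)0);
        tmpl.ealgos = (~(uint32_t)0);
        tmpl.calgos = (~(uint32_t)0);

        if (rtattr_pack(&req.nh, sizeof(req), XFRMA_TMPL, &tmpl, sizeof(tmpl)))
                return -1;

        if (send(xfrm_sock, &req, req.nh.nlmsg_len, 0) < 0) {
                pr_err("send()");
                return -1;
        }

        return netlink_check_answer(xfrm_sock);
}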
1151 
/*
 * Add the two policies of a tunnel: XFRM_POLICY_OUT for src -> dst and
 * XFRM_POLICY_IN for dst -> src, both with the SPI gen_spi(src).
 *
 * @seq is advanced once per request.  Returns 0 on success, -1 as soon
 * as one of the two additions fails.
 */
static int xfrm_prepare(int xfrm_sock, uint32_t *seq,
                struct in_addr src, struct in_addr dst,
                struct in_addr tunsrc, struct in_addr tundst, uint8_t proto)
{
        const uint32_t spi = gen_spi(src);
        int err;

        err = xfrm_policy_add(xfrm_sock, (*seq)++, spi, src, dst,
                                XFRM_POLICY_OUT, tunsrc, tundst, proto);
        if (err) {
                printk("Failed to add xfrm policy");
                return -1;
        }

        err = xfrm_policy_add(xfrm_sock, (*seq)++, spi, dst, src,
                                XFRM_POLICY_IN, tunsrc, tundst, proto);
        if (err) {
                printk("Failed to add xfrm policy");
                return -1;
        }

        return 0;
}
1170 
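/*
 * Delete the IPv4 xfrm policy (XFRM_MSG_DELPOLICY) identified by the
 * selector @src/@dst with PREFIX_LEN prefixes and by direction @dir.
 *
 * @tunsrc and @tundst are not written into the request by this function.
 * Returns -1 when send() fails, otherwise the result of
 * netlink_check_answer().
 */
static int xfrm_policy_del(int xfrm_sock, uint32_t seq,
                struct in_addr src, struct in_addr dst, uint8_t dir,
                struct in_addr tunsrc, struct in_addr tundst)
{
        struct {
                struct nlmsghdr                 nh;
                struct xfrm_userpolicy_id       id;
                char                            attrbuf[MAX_PAYLOAD];
        } req;

        memset(&req, 0, sizeof(req));
        req.nh.nlmsg_len        = NLMSG_LENGTH(sizeof(req.id));
        req.nh.nlmsg_type       = XFRM_MSG_DELPOLICY;
        req.nh.nlmsg_flags      = NLM_F_REQUEST | NLM_F_ACK;
        req.nh.nlmsg_seq        = seq;

        /*
         * Fill id.  The copy length is taken from the object that is
         * copied (it used to be sizeof(tundst)/sizeof(tunsrc), which only
         * matched because all four are struct in_addr).
         */
        memcpy(&req.id.sel.daddr, &dst, sizeof(dst));
        memcpy(&req.id.sel.saddr, &src, sizeof(src));
        req.id.sel.family               = AF_INET;
        req.id.sel.prefixlen_d          = PREFIX_LEN;
        req.id.sel.prefixlen_s          = PREFIX_LEN;
        req.id.dir = dir;

        if (send(xfrm_sock, &req, req.nh.nlmsg_len, 0) < 0) {
                pr_err("send()");
                return -1;
        }

        return netlink_check_answer(xfrm_sock);
}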
1202 
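/*
 * Remove the two policies of a tunnel: XFRM_POLICY_OUT for src -> dst and
 * XFRM_POLICY_IN for dst -> src.
 *
 * @seq is advanced once per request.  Returns 0 on success, -1 as soon
 * as one of the two deletions fails.
 */
static int xfrm_cleanup(int xfrm_sock, uint32_t *seq,
                struct in_addr src, struct in_addr dst,
                struct in_addr tunsrc, struct in_addr tundst)
{
        /*
         * The messages used to say "Failed to add xfrm policy", which
         * pointed at the wrong step when reading a failed test log.
         */
        if (xfrm_policy_del(xfrm_sock, (*seq)++, src, dst,
                                XFRM_POLICY_OUT, tunsrc, tundst)) {
                printk("Failed to remove xfrm policy");
                return -1;
        }

        if (xfrm_policy_del(xfrm_sock, (*seq)++, dst, src,
                                XFRM_POLICY_IN, tunsrc, tundst)) {
                printk("Failed to remove xfrm policy");
                return -1;
        }

        return 0;
}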
1221 
/*
 * Delete one IPv4 xfrm state (XFRM_MSG_DELSA) identified by destination
 * @dst, @proto and @spi; the source address @src is sent along as an
 * XFRMA_SRCADDR attribute.
 *
 * Returns -1 when packing the attribute or send() fails, otherwise the
 * result of netlink_check_answer().
 */
static int xfrm_state_del(int xfrm_sock, uint32_t seq, uint32_t spi,
                struct in_addr src, struct in_addr dst, uint8_t proto)
{
        struct {
                struct nlmsghdr         nh;
                struct xfrm_usersa_id   id;
                char                    attrbuf[MAX_PAYLOAD];
        } req;
        xfrm_address_t src_attr = {};

        memset(&req, 0, sizeof(req));

        req.nh.nlmsg_seq        = seq;
        req.nh.nlmsg_flags      = NLM_F_REQUEST | NLM_F_ACK;
        req.nh.nlmsg_type       = XFRM_MSG_DELSA;
        req.nh.nlmsg_len        = NLMSG_LENGTH(sizeof(req.id));

        /* Note: zero-spi cannot be deleted */
        req.id.spi              = spi;
        req.id.proto            = proto;
        req.id.family           = AF_INET;
        memcpy(&req.id.daddr, &dst, sizeof(dst));

        /* The IPv4 source fills the start of the zeroed xfrm_address_t. */
        memcpy(&src_attr, &src, sizeof(src));
        if (rtattr_pack(&req.nh, sizeof(req), XFRMA_SRCADDR,
                                &src_attr, sizeof(src_attr)) != 0)
                return -1;

        if (send(xfrm_sock, &req, req.nh.nlmsg_len, 0) < 0) {
                pr_err("send()");
                return -1;
        }

        return netlink_check_answer(xfrm_sock);
}
1255 
/*
 * Remove the two states of a tunnel (src -> dst and dst -> src), both
 * looked up with the SPI gen_spi(src).
 *
 * @seq is advanced once per request.  @tunsrc and @tundst are not used
 * by this function.  Returns 0 on success, -1 as soon as one of the two
 * deletions fails.
 */
static int xfrm_delete(int xfrm_sock, uint32_t *seq,
                struct in_addr src, struct in_addr dst,
                struct in_addr tunsrc, struct in_addr tundst, uint8_t proto)
{
        const uint32_t spi = gen_spi(src);
        int err;

        err = xfrm_state_del(xfrm_sock, (*seq)++, spi, src, dst, proto);
        if (err) {
                printk("Failed to remove xfrm state");
                return -1;
        }

        err = xfrm_state_del(xfrm_sock, (*seq)++, spi, dst, src, proto);
        if (err) {
                printk("Failed to remove xfrm state");
                return -1;
        }

        return 0;
}
1272 
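/*
 * Ask the kernel to allocate exactly @spi (XFRM_MSG_ALLOCSPI with
 * min == max == @spi) for an IPv4 state of protocol @proto.
 *
 * Returns KSFT_PASS when the answer is XFRM_MSG_NEWSA carrying the
 * requested SPI, or NLMSG_ERROR with error 0.  Returns KSFT_FAIL on a
 * send()/recv() failure, on an answer too short for the fields that are
 * read, on a different SPI, on an unexpected message type or on a
 * non-zero NLMSG_ERROR.
 */
static int xfrm_state_allocspi(int xfrm_sock, uint32_t *seq,
                uint32_t spi, uint8_t proto)
{
        struct {
                struct nlmsghdr                 nh;
                struct xfrm_userspi_info        spi;
        } req;
        struct {
                struct nlmsghdr                 nh;
                union {
                        struct xfrm_usersa_info info;
                        int error;
                };
        } answer;
        ssize_t len;

        memset(&req, 0, sizeof(req));
        req.nh.nlmsg_len        = NLMSG_LENGTH(sizeof(req.spi));
        req.nh.nlmsg_type       = XFRM_MSG_ALLOCSPI;
        req.nh.nlmsg_flags      = NLM_F_REQUEST;
        req.nh.nlmsg_seq        = (*seq)++;

        req.spi.info.family     = AF_INET;
        req.spi.min             = spi;
        req.spi.max             = spi;
        req.spi.info.id.proto   = proto;

        if (send(xfrm_sock, &req, req.nh.nlmsg_len, 0) < 0) {
                pr_err("send()");
                return KSFT_FAIL;
        }

        len = recv(xfrm_sock, &answer, sizeof(answer), 0);
        if (len < 0) {
                pr_err("recv()");
                return KSFT_FAIL;
        }

        /*
         * 'answer' is never initialised: anything beyond the received
         * bytes is indeterminate stack content and must not decide the
         * test result.
         */
        if ((size_t)len < sizeof(answer.nh)) {
                printk("short netlink answer: %zd bytes", len);
                return KSFT_FAIL;
        }

        if (answer.nh.nlmsg_type == XFRM_MSG_NEWSA) {
                uint32_t new_spi;

                if ((size_t)len < NLMSG_LENGTH(sizeof(answer.info))) {
                        printk("short netlink answer: %zd bytes", len);
                        return KSFT_FAIL;
                }

                /*
                 * The answer's SPI is byte-swapped before it is compared
                 * with the host-order value that was requested; ntohl()
                 * performs the same swap as the former htonl().
                 */
                new_spi = ntohl(answer.info.id.spi);
                if (new_spi != spi) {
                        printk("allocated spi is different from requested: %#x != %#x",
                                        new_spi, spi);
                        return KSFT_FAIL;
                }
                return KSFT_PASS;
        }

        if (answer.nh.nlmsg_type != NLMSG_ERROR) {
                printk("expected NLMSG_ERROR, got %d", (int)answer.nh.nlmsg_type);
                return KSFT_FAIL;
        }

        if ((size_t)len < NLMSG_LENGTH(sizeof(answer.error))) {
                printk("short netlink answer: %zd bytes", len);
                return KSFT_FAIL;
        }

        printk("NLMSG_ERROR: %d: %s", answer.error, strerror(-answer.error));
        return (answer.error) ? KSFT_FAIL : KSFT_PASS;
}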
1324 
/*
 * Open a netlink socket with netlink_sock() and bind it to the multicast
 * group mask @groups, then read the bound address back with
 * getsockname() and check its length and family.
 *
 * Returns 0 on success and -1 on failure.  On every failure after the
 * socket was opened it is closed here, but *sock still holds the closed
 * descriptor number: callers must not use or close it again.
 */
static int netlink_sock_bind(int *sock, uint32_t *seq, int proto, uint32_t groups)
{
        struct sockaddr_nl snl = {};
        socklen_t addr_len = sizeof(snl);

        snl.nl_family = AF_NETLINK;
        snl.nl_groups = groups;

        if (netlink_sock(sock, seq, proto) != 0) {
                printk("Failed to open xfrm netlink socket");
                return -1;
        }

        if (bind(*sock, (struct sockaddr *)&snl, sizeof(snl)) < 0) {
                pr_err("bind()");
                goto out_close;
        }

        /* Read the address back and make sure it is a netlink address. */
        if (getsockname(*sock, (struct sockaddr *)&snl, &addr_len) < 0) {
                pr_err("getsockname()");
                goto out_close;
        }

        if (addr_len != sizeof(snl)) {
                printk("Wrong address length %d", addr_len);
                goto out_close;
        }

        if (snl.nl_family != AF_NETLINK) {
                printk("Wrong address family %d", snl.nl_family);
                goto out_close;
        }

        return 0;

out_close:
        close(*sock);
        return -1;
}
1363 
/*
 * Send an XFRM_MSG_ACQUIRE with marker values in aalgos/ealgos/calgos
 * and check that a second socket subscribed to XFRMNLGRP_ACQUIRE
 * receives a message carrying the same three values.
 *
 * Returns KSFT_PASS on success and KSFT_FAIL on most failures; when the
 * kernel acknowledges the request with a non-zero error, that error
 * value itself is returned.  @nr is not used by this function.
 */
static int xfrm_monitor_acquire(int xfrm_sock, uint32_t *seq, unsigned int nr)
{
        struct {
                struct nlmsghdr nh;
                union {
                        struct xfrm_user_acquire acq;
                        int error;
                };
                char attrbuf[MAX_PAYLOAD];
        } req;
        struct xfrm_user_tmpl tmpl = {};
        uint32_t listen_seq;
        int listen_fd = -1;
        int ret = KSFT_FAIL;

        /* Subscribe before sending so the notification cannot be missed. */
        if (netlink_sock_bind(&listen_fd, &listen_seq, NETLINK_XFRM, XFRMNLGRP_ACQUIRE))
                return KSFT_FAIL;

        memset(&req, 0, sizeof(req));
        req.nh.nlmsg_seq        = (*seq)++;
        req.nh.nlmsg_flags      = NLM_F_REQUEST | NLM_F_ACK;
        req.nh.nlmsg_type       = XFRM_MSG_ACQUIRE;
        req.nh.nlmsg_len        = NLMSG_LENGTH(sizeof(req.acq));

        /* Marker values that are compared with the notification below. */
        req.acq.aalgos  = 0xfeed;
        req.acq.ealgos  = 0xbaad;
        req.acq.calgos  = 0xbabe;
        req.acq.policy.sel.family       = AF_INET;

        tmpl.id.proto = IPPROTO_ESP;
        tmpl.family = AF_INET;
        if (rtattr_pack(&req.nh, sizeof(req), XFRMA_TMPL, &tmpl, sizeof(tmpl)))
                goto out_close;

        if (send(xfrm_sock, &req, req.nh.nlmsg_len, 0) < 0) {
                pr_err("send()");
                goto out_close;
        }

        /* First the acknowledgement on the requesting socket ... */
        if (recv(xfrm_sock, &req, sizeof(req), 0) < 0) {
                pr_err("recv()");
                goto out_close;
        }
        if (req.nh.nlmsg_type != NLMSG_ERROR) {
                printk("expected NLMSG_ERROR, got %d", (int)req.nh.nlmsg_type);
                goto out_close;
        }
        if (req.error != 0) {
                printk("NLMSG_ERROR: %d: %s", req.error, strerror(-req.error));
                ret = req.error;
                goto out_close;
        }

        /* ... then the notification on the listening socket. */
        if (recv(listen_fd, &req, sizeof(req), 0) < 0) {
                pr_err("recv()");
                goto out_close;
        }

        if (!(req.acq.aalgos == 0xfeed && req.acq.ealgos == 0xbaad
                        && req.acq.calgos == 0xbabe)) {
                printk("xfrm_user_acquire has changed  %x %x %x",
                                req.acq.aalgos, req.acq.ealgos, req.acq.calgos);
                goto out_close;
        }

        ret = KSFT_PASS;
out_close:
        close(listen_fd);
        return ret;
}
1433 
/*
 * Add a state for child nr -> grandchild nr (addresses built from
 * INADDR_B), send an XFRM_MSG_EXPIRE for it with hard = 0xff, and check
 * that the message received on a socket subscribed to XFRMNLGRP_EXPIRE
 * has hard == 0x1.
 *
 * Returns KSFT_PASS on success and KSFT_FAIL on most failures; when the
 * kernel acknowledges the request with a non-zero error, that error
 * value itself is returned.
 */
static int xfrm_expire_state(int xfrm_sock, uint32_t *seq,
                unsigned int nr, struct xfrm_desc *desc)
{
        struct {
                struct nlmsghdr nh;
                union {
                        struct xfrm_user_expire expire;
                        int error;
                };
        } req;
        struct in_addr src = inet_makeaddr(INADDR_B, child_ip(nr));
        struct in_addr dst = inet_makeaddr(INADDR_B, grchild_ip(nr));
        uint32_t listen_seq;
        int listen_fd = -1;
        int ret = KSFT_FAIL;

        if (xfrm_state_add(xfrm_sock, (*seq)++, gen_spi(src), src, dst, desc)) {
                printk("Failed to add xfrm state");
                return KSFT_FAIL;
        }

        if (netlink_sock_bind(&listen_fd, &listen_seq, NETLINK_XFRM, XFRMNLGRP_EXPIRE))
                return KSFT_FAIL;

        memset(&req, 0, sizeof(req));
        req.nh.nlmsg_seq        = (*seq)++;
        req.nh.nlmsg_flags      = NLM_F_REQUEST | NLM_F_ACK;
        req.nh.nlmsg_type       = XFRM_MSG_EXPIRE;
        req.nh.nlmsg_len        = NLMSG_LENGTH(sizeof(req.expire));

        /* Identify the state that was just added. */
        req.expire.state.family         = AF_INET;
        req.expire.state.id.proto       = desc->proto;
        req.expire.state.id.spi         = gen_spi(src);
        memcpy(&req.expire.state.id.daddr, &dst, sizeof(dst));
        /* Sent as 0xff; the notification is expected to carry 0x1. */
        req.expire.hard                 = 0xff;

        if (send(xfrm_sock, &req, req.nh.nlmsg_len, 0) < 0) {
                pr_err("send()");
                goto out_close;
        }

        /* First the acknowledgement on the requesting socket ... */
        if (recv(xfrm_sock, &req, sizeof(req), 0) < 0) {
                pr_err("recv()");
                goto out_close;
        }
        if (req.nh.nlmsg_type != NLMSG_ERROR) {
                printk("expected NLMSG_ERROR, got %d", (int)req.nh.nlmsg_type);
                goto out_close;
        }
        if (req.error != 0) {
                printk("NLMSG_ERROR: %d: %s", req.error, strerror(-req.error));
                ret = req.error;
                goto out_close;
        }

        /* ... then the notification on the listening socket. */
        if (recv(listen_fd, &req, sizeof(req), 0) < 0) {
                pr_err("recv()");
                goto out_close;
        }

        if (req.expire.hard != 0x1) {
                printk("expire.hard is not set: %x", req.expire.hard);
                goto out_close;
        }

        ret = KSFT_PASS;
out_close:
        close(listen_fd);
        return ret;
}
1505 
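/*
 * Add an XFRM_POLICY_OUT policy for child nr -> grandchild nr, send an
 * XFRM_MSG_POLEXPIRE for it with hard = 0xff, and check that the message
 * received on a socket subscribed to XFRMNLGRP_EXPIRE has hard == 0x1.
 *
 * The policy selector is built from the INADDR_B addresses (src/dst);
 * the INADDR_A addresses (tunsrc/tundst) are only handed to
 * xfrm_policy_add().
 *
 * Returns KSFT_PASS on success and KSFT_FAIL on most failures; when the
 * kernel acknowledges the request with a non-zero error, that error
 * value itself is returned.
 */
static int xfrm_expire_policy(int xfrm_sock, uint32_t *seq,
                unsigned int nr, struct xfrm_desc *desc)
{
        struct {
                struct nlmsghdr nh;
                union {
                        struct xfrm_user_polexpire expire;
                        int error;
                };
        } req;
        struct in_addr src, dst, tunsrc, tundst;
        int xfrm_listen = -1, ret = KSFT_FAIL;
        uint32_t seq_listen;

        src = inet_makeaddr(INADDR_B, child_ip(nr));
        dst = inet_makeaddr(INADDR_B, grchild_ip(nr));
        tunsrc = inet_makeaddr(INADDR_A, child_ip(nr));
        tundst = inet_makeaddr(INADDR_A, grchild_ip(nr));

        if (xfrm_policy_add(xfrm_sock, (*seq)++, gen_spi(src), src, dst,
                                XFRM_POLICY_OUT, tunsrc, tundst, desc->proto)) {
                printk("Failed to add xfrm policy");
                return KSFT_FAIL;
        }

        if (netlink_sock_bind(&xfrm_listen, &seq_listen, NETLINK_XFRM, XFRMNLGRP_EXPIRE))
                return KSFT_FAIL;

        memset(&req, 0, sizeof(req));
        req.nh.nlmsg_len        = NLMSG_LENGTH(sizeof(req.expire));
        req.nh.nlmsg_type       = XFRM_MSG_POLEXPIRE;
        req.nh.nlmsg_flags      = NLM_F_REQUEST | NLM_F_ACK;
        req.nh.nlmsg_seq        = (*seq)++;

        /*
         * Fill selector.  The copy length is taken from the object that
         * is copied (it used to be sizeof(tundst)/sizeof(tunsrc), which
         * only matched because all four are struct in_addr).
         */
        memcpy(&req.expire.pol.sel.daddr, &dst, sizeof(dst));
        memcpy(&req.expire.pol.sel.saddr, &src, sizeof(src));
        req.expire.pol.sel.family       = AF_INET;
        req.expire.pol.sel.prefixlen_d  = PREFIX_LEN;
        req.expire.pol.sel.prefixlen_s  = PREFIX_LEN;
        req.expire.pol.dir              = XFRM_POLICY_OUT;
        /* Sent as 0xff; the notification is expected to carry 0x1. */
        req.expire.hard                 = 0xff;

        if (send(xfrm_sock, &req, req.nh.nlmsg_len, 0) < 0) {
                pr_err("send()");
                goto out_close;
        }

        /* First the acknowledgement on the requesting socket ... */
        if (recv(xfrm_sock, &req, sizeof(req), 0) < 0) {
                pr_err("recv()");
                goto out_close;
        } else if (req.nh.nlmsg_type != NLMSG_ERROR) {
                printk("expected NLMSG_ERROR, got %d", (int)req.nh.nlmsg_type);
                goto out_close;
        }

        if (req.error) {
                printk("NLMSG_ERROR: %d: %s", req.error, strerror(-req.error));
                ret = req.error;
                goto out_close;
        }

        /* ... then the notification on the listening socket. */
        if (recv(xfrm_listen, &req, sizeof(req), 0) < 0) {
                pr_err("recv()");
                goto out_close;
        }

        if (req.expire.hard != 0x1) {
                printk("expire.hard is not set: %x", req.expire.hard);
                goto out_close;
        }

        ret = KSFT_PASS;
out_close:
        close(xfrm_listen);
        return ret;
}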
1583 
/*
 * Set the SPD hash thresholds with XFRM_MSG_NEWSPDINFO: one
 * XFRMA_SPD_IPV4_HTHRESH attribute (thresh4_l/thresh4_r) and one
 * XFRMA_SPD_IPV6_HTHRESH attribute (thresh6_l/thresh6_r).
 *
 * With @add_bad_attr an empty XFRMA_IF_ID attribute is appended as well;
 * the BUILD_BUG_ON() keeps that type above XFRMA_SPD_MAX + 1.
 *
 * Returns 0 when the kernel acknowledges the request with error 0, and
 * -1 on a packing/send()/recv() failure, an unexpected answer type or a
 * non-zero error.
 */
static int xfrm_spdinfo_set_thresh(int xfrm_sock, uint32_t *seq,
                unsigned thresh4_l, unsigned thresh4_r,
                unsigned thresh6_l, unsigned thresh6_r,
                bool add_bad_attr)

{
        struct {
                struct nlmsghdr         nh;
                union {
                        uint32_t        unused;
                        int             error;
                };
                char                    attrbuf[MAX_PAYLOAD];
        } req;
        struct xfrmu_spdhthresh ht;

        memset(&req, 0, sizeof(req));
        req.nh.nlmsg_seq        = (*seq)++;
        req.nh.nlmsg_flags      = NLM_F_REQUEST | NLM_F_ACK;
        req.nh.nlmsg_type       = XFRM_MSG_NEWSPDINFO;
        req.nh.nlmsg_len        = NLMSG_LENGTH(sizeof(req.unused));

        /* IPv4 thresholds. */
        ht.rbits = thresh4_r;
        ht.lbits = thresh4_l;
        if (rtattr_pack(&req.nh, sizeof(req), XFRMA_SPD_IPV4_HTHRESH, &ht, sizeof(ht)) != 0)
                return -1;

        /* IPv6 thresholds, packed from the same scratch struct. */
        ht.rbits = thresh6_r;
        ht.lbits = thresh6_l;
        if (rtattr_pack(&req.nh, sizeof(req), XFRMA_SPD_IPV6_HTHRESH, &ht, sizeof(ht)) != 0)
                return -1;

        if (add_bad_attr) {
                BUILD_BUG_ON(XFRMA_IF_ID <= XFRMA_SPD_MAX + 1);
                if (rtattr_pack(&req.nh, sizeof(req), XFRMA_IF_ID, NULL, 0)) {
                        pr_err("adding attribute failed: no space");
                        return -1;
                }
        }

        if (send(xfrm_sock, &req, req.nh.nlmsg_len, 0) < 0) {
                pr_err("send()");
                return -1;
        }

        /* The answer overwrites the request buffer. */
        if (recv(xfrm_sock, &req, sizeof(req), 0) < 0) {
                pr_err("recv()");
                return -1;
        }

        if (req.nh.nlmsg_type != NLMSG_ERROR) {
                printk("expected NLMSG_ERROR, got %d", (int)req.nh.nlmsg_type);
                return -1;
        }

        if (req.error != 0) {
                printk("NLMSG_ERROR: %d: %s", req.error, strerror(-req.error));
                return -1;
        }

        return 0;
}
1644 
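/*
 * Set non-default SPD hash thresholds (32/31 for IPv4, 120/16 for IPv6),
 * read them back with XFRM_MSG_GETSPDINFO and verify both attributes,
 * restore 32/32 and 128/128, and finally repeat the set with an extra
 * out-of-range attribute.
 *
 * The answer is checked before it is parsed: its nlmsg_len must fit in
 * the bytes that recv() returned, and a threshold attribute must be
 * large enough for struct xfrmu_spdhthresh before it is read.
 *
 * Returns KSFT_PASS on success and KSFT_FAIL on failure, except that an
 * NLMSG_ERROR answer to the GETSPDINFO request returns -1 (kept from the
 * original code; NOTE(review): confirm whether callers tell -1 and
 * KSFT_FAIL apart).
 */
static int xfrm_spdinfo_attrs(int xfrm_sock, uint32_t *seq)
{
        struct {
                struct nlmsghdr                 nh;
                union {
                        uint32_t        unused;
                        int             error;
                };
                char                    attrbuf[MAX_PAYLOAD];
        } req;
        ssize_t rcvd;

        if (xfrm_spdinfo_set_thresh(xfrm_sock, seq, 32, 31, 120, 16, false)) {
                pr_err("Can't set SPD HTHRESH");
                return KSFT_FAIL;
        }

        memset(&req, 0, sizeof(req));

        req.nh.nlmsg_len        = NLMSG_LENGTH(sizeof(req.unused));
        req.nh.nlmsg_type       = XFRM_MSG_GETSPDINFO;
        req.nh.nlmsg_flags      = NLM_F_REQUEST;
        req.nh.nlmsg_seq        = (*seq)++;
        if (send(xfrm_sock, &req, req.nh.nlmsg_len, 0) < 0) {
                pr_err("send()");
                return KSFT_FAIL;
        }

        rcvd = recv(xfrm_sock, &req, sizeof(req), 0);
        if (rcvd < 0) {
                pr_err("recv()");
                return KSFT_FAIL;
        }
        /* Without a full header, nlmsg_type would still be the request's. */
        if ((size_t)rcvd < sizeof(req.nh)) {
                printk("short netlink answer: %zd bytes", rcvd);
                return KSFT_FAIL;
        }

        if (req.nh.nlmsg_type == XFRM_MSG_NEWSPDINFO) {
                struct rtattr *attr = (void *)req.attrbuf;
                int got_thresh = 0;
                int len;

                /*
                 * The attribute walk is bounded by nlmsg_len, so that
                 * value has to lie within what was actually received.
                 */
                if (req.nh.nlmsg_len < NLMSG_LENGTH(sizeof(req.unused)) ||
                    req.nh.nlmsg_len > (size_t)rcvd) {
                        printk("bad XFRM_MSG_NEWSPDINFO length %u (received %zd)",
                                        (unsigned int)req.nh.nlmsg_len, rcvd);
                        return KSFT_FAIL;
                }

                /*
                 * Signed, as RTA_OK()/RTA_NEXT() expect: RTA_NEXT() may
                 * subtract more than what is left, which must end the
                 * loop instead of wrapping around.
                 */
                len = NLMSG_PAYLOAD(&req.nh, sizeof(req.unused));

                for (; RTA_OK(attr, len); attr = RTA_NEXT(attr, len)) {
                        struct xfrmu_spdhthresh *t;
                        unsigned int want_l, want_r;

                        if (attr->rta_type == XFRMA_SPD_IPV4_HTHRESH) {
                                want_l = 32;
                                want_r = 31;
                        } else if (attr->rta_type == XFRMA_SPD_IPV6_HTHRESH) {
                                want_l = 120;
                                want_r = 16;
                        } else {
                                continue;
                        }

                        /* Do not read a threshold from a too-short attribute. */
                        if ((size_t)RTA_PAYLOAD(attr) < sizeof(*t)) {
                                printk("SPD HTHRESH attribute too short: %d",
                                                (int)RTA_PAYLOAD(attr));
                                return KSFT_FAIL;
                        }

                        t = RTA_DATA(attr);
                        got_thresh++;
                        if (t->lbits != want_l || t->rbits != want_r) {
                                pr_err("thresh differ: %u, %u",
                                                t->lbits, t->rbits);
                                return KSFT_FAIL;
                        }
                }
                if (got_thresh != 2) {
                        pr_err("only %d thresh returned by XFRM_MSG_GETSPDINFO", got_thresh);
                        return KSFT_FAIL;
                }
        } else if (req.nh.nlmsg_type != NLMSG_ERROR) {
                printk("expected NLMSG_ERROR, got %d", (int)req.nh.nlmsg_type);
                return KSFT_FAIL;
        } else {
                printk("NLMSG_ERROR: %d: %s", req.error, strerror(-req.error));
                return -1;
        }

        /* Restore the default */
        if (xfrm_spdinfo_set_thresh(xfrm_sock, seq, 32, 32, 128, 128, false)) {
                pr_err("Can't restore SPD HTHRESH");
                return KSFT_FAIL;
        }

        /*
         * At this moment xfrm uses nlmsg_parse_deprecated(), which
         * implies NL_VALIDATE_LIBERAL - ignoring attributes with
         * (type > maxtype). nla_parse_deprecated_strict() would enforce
         * it. Or even stricter nla_parse().
         * Right now it's not expected to fail, but to be ignored.
         * Either outcome passes, so the result is deliberately unused.
         */
        (void)xfrm_spdinfo_set_thresh(xfrm_sock, seq, 32, 32, 128, 128, true);

        return KSFT_PASS;
}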
1732 
/*
 * Send one xfrm control message of the given type over cmd_fd, carrying a
 * copy of the test descriptor. The message is zeroed before it is filled in,
 * so no uninitialised stack bytes are written to the socket.
 */
static void child_send_xfrm_cmd(int cmd_fd, int type, struct xfrm_desc *desc)
{
	struct test_desc cmd;

	memset(&cmd, 0, sizeof(cmd));
	cmd.type = type;
	memcpy(&cmd.body.xfrm_desc, desc, sizeof(*desc));
	write_msg(cmd_fd, &cmd, 1);
}

/*
 * Run one tunnel test from the child's side: ping without xfrm, announce and
 * perform the prepare/add steps, ping through the tunnel, then delete and
 * clean up. Each step is announced on cmd_fd before it is done locally.
 *
 * Returns KSFT_PASS only when every step succeeded, KSFT_FAIL otherwise.
 * A failed first ping returns at once, before anything has been configured.
 */
static int child_serv(int xfrm_sock, uint32_t *seq,
		unsigned int nr, int cmd_fd, void *buf, struct xfrm_desc *desc)
{
	struct in_addr src = inet_makeaddr(INADDR_B, child_ip(nr));
	struct in_addr dst = inet_makeaddr(INADDR_B, grchild_ip(nr));
	struct in_addr tunsrc = inet_makeaddr(INADDR_A, child_ip(nr));
	struct in_addr tundst = inet_makeaddr(INADDR_A, grchild_ip(nr));
	int ret = KSFT_FAIL;

	/* Baseline: UDP ping with no xfrm configured */
	if (do_ping(cmd_fd, buf, page_size, src, true, 0, 0, udp_ping_send)) {
		printk("ping failed before setting xfrm");
		return KSFT_FAIL;
	}

	child_send_xfrm_cmd(cmd_fd, MSG_XFRM_PREPARE, desc);
	if (xfrm_prepare(xfrm_sock, seq, src, dst, tunsrc, tundst, desc->proto)) {
		printk("failed to prepare xfrm");
		goto cleanup;
	}

	child_send_xfrm_cmd(cmd_fd, MSG_XFRM_ADD, desc);
	if (xfrm_set(xfrm_sock, seq, src, dst, tunsrc, tundst, desc)) {
		printk("failed to set xfrm");
		goto delete;
	}

	/* UDP ping through the xfrm tunnel */
	if (do_ping(cmd_fd, buf, page_size, tunsrc,
				true, 0, 0, udp_ping_send)) {
		printk("ping failed for xfrm");
		goto delete;
	}

	ret = KSFT_PASS;

delete:
	/* Reached on success and after a failed add or tunnel ping */
	child_send_xfrm_cmd(cmd_fd, MSG_XFRM_DEL, desc);
	if (xfrm_delete(xfrm_sock, seq, src, dst, tunsrc, tundst, desc->proto)) {
		printk("failed ping to remove xfrm");
		ret = KSFT_FAIL;
	}

cleanup:
	/* Always reached once the prepare step has been attempted */
	child_send_xfrm_cmd(cmd_fd, MSG_XFRM_CLEANUP, desc);
	if (xfrm_cleanup(xfrm_sock, seq, src, dst, tunsrc, tundst)) {
		printk("failed ping to cleanup xfrm");
		ret = KSFT_FAIL;
	}

	return ret;
}
1801 
/*
 * Body of the child process. Enters the nsfd_childa namespace, opens an xfrm
 * netlink socket, exchanges an MSG_ACK with the peer on cmd_fd, then reads
 * test descriptors from test_desc_fd until EOF, runs the test each one
 * selects and reports the result through write_test_result().
 *
 * Never returns: every path ends in exit().
 */
static int child_f(unsigned int nr, int test_desc_fd, int cmd_fd, void *buf)
{
	struct test_desc msg;
	struct xfrm_desc desc;
	uint32_t seq;
	int xfrm_sock = -1;

	if (switch_ns(nsfd_childa))
		exit(KSFT_FAIL);

	if (netlink_sock(&xfrm_sock, &seq, NETLINK_XFRM)) {
		printk("Failed to open xfrm netlink socket");
		exit(KSFT_FAIL);
	}

	/* Handshake: send MSG_ACK and expect MSG_ACK back before testing */
	memset(&msg, 0, sizeof(msg));
	msg.type = MSG_ACK;
	write_msg(cmd_fd, &msg, 1);
	read_msg(cmd_fd, &msg, 1);
	if (msg.type != MSG_ACK) {
		printk("Ack failed");
		exit(KSFT_FAIL);
	}

	while (1) {
		int ret;
		ssize_t nread = read(test_desc_fd, &desc, sizeof(desc));

		/* EOF: no more descriptors to read */
		if (nread == 0)
			break;

		/* A short or failed read would leave desc partly filled */
		if (nread != sizeof(desc)) {
			pr_err("read() returned %zd", nread);
			exit(KSFT_FAIL);
		}

		switch (desc.type) {
		case CREATE_TUNNEL:
			ret = child_serv(xfrm_sock, &seq, nr,
					 cmd_fd, buf, &desc);
			break;
		case ALLOCATE_SPI:
			ret = xfrm_state_allocspi(xfrm_sock, &seq,
						  -1, desc.proto);
			break;
		case MONITOR_ACQUIRE:
			ret = xfrm_monitor_acquire(xfrm_sock, &seq, nr);
			break;
		case EXPIRE_STATE:
			ret = xfrm_expire_state(xfrm_sock, &seq, nr, &desc);
			break;
		case EXPIRE_POLICY:
			ret = xfrm_expire_policy(xfrm_sock, &seq, nr, &desc);
			break;
		case SPDINFO_ATTRS:
			ret = xfrm_spdinfo_attrs(xfrm_sock, &seq);
			break;
		default:
			/* An unrecognised type aborts this child, not just the test */
			printk("Unknown desc type %d", desc.type);
			exit(KSFT_FAIL);
		}

		write_test_result(ret, &desc);
	}

	close(xfrm_sock);

	/* Tell the peer on cmd_fd to exit as well */
	msg.type = MSG_EXIT;
	write_msg(cmd_fd, &msg, 1);
	exit(KSFT_PASS);
}
1873 
/*
 * Handle one command message on the grandchild's side. The addresses mirror
 * those in child_serv(): here the grandchild's IPs are the source and the
 * child's IPs the destination.
 *
 * MSG_EXIT ends the process. MSG_ACK is echoed back. The xfrm messages run
 * the matching step locally; a failed prepare/add/delete is followed by
 * xfrm_cleanup(). Failures are only logged, nothing is returned.
 */
static void grand_child_serv(unsigned int nr, int cmd_fd, void *buf,
		struct test_desc *msg, int xfrm_sock, uint32_t *seq)
{
	struct xfrm_desc *desc = &msg->body.xfrm_desc;
	struct in_addr src = inet_makeaddr(INADDR_B, grchild_ip(nr));
	struct in_addr dst = inet_makeaddr(INADDR_B, child_ip(nr));
	struct in_addr tunsrc = inet_makeaddr(INADDR_A, grchild_ip(nr));
	struct in_addr tundst = inet_makeaddr(INADDR_A, child_ip(nr));
	bool tun_reply;

	switch (msg->type) {
	case MSG_EXIT:
		exit(KSFT_PASS);
	case MSG_ACK:
		write_msg(cmd_fd, msg, 1);
		return;
	case MSG_PING:
		/* Answer from the tunnel address when reply_ip is not the plain dst */
		tun_reply = memcmp(&dst, &msg->body.ping.reply_ip,
				   sizeof(in_addr_t)) != 0;
		if (do_ping(cmd_fd, buf, page_size, tun_reply ? tunsrc : src,
				false, msg->body.ping.port,
				msg->body.ping.reply_ip, udp_ping_reply))
			printk("ping failed before setting xfrm");
		return;
	case MSG_XFRM_PREPARE:
		if (xfrm_prepare(xfrm_sock, seq, src, dst, tunsrc, tundst,
					desc->proto)) {
			xfrm_cleanup(xfrm_sock, seq, src, dst, tunsrc, tundst);
			printk("failed to prepare xfrm");
		}
		return;
	case MSG_XFRM_ADD:
		if (xfrm_set(xfrm_sock, seq, src, dst, tunsrc, tundst, desc)) {
			xfrm_cleanup(xfrm_sock, seq, src, dst, tunsrc, tundst);
			printk("failed to set xfrm");
		}
		return;
	case MSG_XFRM_DEL:
		if (xfrm_delete(xfrm_sock, seq, src, dst, tunsrc, tundst,
					desc->proto)) {
			xfrm_cleanup(xfrm_sock, seq, src, dst, tunsrc, tundst);
			printk("failed to remove xfrm");
		}
		return;
	case MSG_XFRM_CLEANUP:
		if (xfrm_cleanup(xfrm_sock, seq, src, dst, tunsrc, tundst))
			printk("failed to cleanup xfrm");
		return;
	default:
		/* Unknown types are logged and otherwise ignored */
		printk("got unknown msg type %d", msg->type);
	}
}
1930 
/*
 * Body of the grandchild process. Enters the nsfd_childb namespace, opens an
 * xfrm netlink socket and then serves command messages from cmd_fd forever.
 *
 * The loop has no exit of its own: grand_child_serv() ends the process on
 * MSG_EXIT, so the lines after the loop are not reached.
 * NOTE(review): the result of read_msg() is not checked here; what it does
 * on a failed or short read is not visible in this function - confirm.
 */
static int grand_child_f(unsigned int nr, int cmd_fd, void *buf)
{
	struct test_desc msg;
	uint32_t seq;
	int xfrm_sock = -1;

	if (switch_ns(nsfd_childb))
		exit(KSFT_FAIL);

	if (netlink_sock(&xfrm_sock, &seq, NETLINK_XFRM)) {
		printk("Failed to open xfrm netlink socket");
		exit(KSFT_FAIL);
	}

	for (;;) {
		read_msg(cmd_fd, &msg, 1);
		grand_child_serv(nr, cmd_fd, buf, &msg, xfrm_sock, &seq);
	}

	close(xfrm_sock);
	exit(KSFT_FAIL);
}
1953 
/*
 * Set up both child namespaces for veth pair `nr` and fork the test
 * processes.
 *
 * The caller's process returns the result of switch_ns(nsfd_parent) after the
 * first fork. The first child closes the write end of the descriptor pipe,
 * maps one shared anonymous page filled by randomize_buffer(), creates a
 * SOCK_SEQPACKET socketpair for commands and forks again: it then runs
 * child_f() on cmd_sock[1] and the grandchild runs grand_child_f() on
 * cmd_sock[0].
 *
 * Returns -1 on any setup failure; in a forked process that value goes back
 * to the caller of start_child() within that process.
 */
static int start_child(unsigned int nr, char *veth, int test_desc_fd[2])
{
	int cmd_sock[2];
	void *data_map;
	pid_t pid;

	if (init_child(nsfd_childa, veth, child_ip(nr), grchild_ip(nr)) ||
	    init_child(nsfd_childb, veth, grchild_ip(nr), child_ip(nr)))
		return -1;

	pid = fork();
	if (pid < 0) {
		pr_err("fork()");
		return -1;
	}
	if (pid > 0) {
		/* in parent - selftest */
		return switch_ns(nsfd_parent);
	}

	/* child: it only reads descriptors, so drop the pipe's write end */
	if (close(test_desc_fd[1])) {
		pr_err("close()");
		return -1;
	}

	/* MAP_SHARED, so the mapping stays common to child and grandchild */
	data_map = mmap(NULL, page_size, PROT_READ | PROT_WRITE,
			MAP_SHARED | MAP_ANONYMOUS, -1, 0);
	if (data_map == MAP_FAILED) {
		pr_err("mmap()");
		return -1;
	}

	randomize_buffer(data_map, page_size);

	if (socketpair(PF_LOCAL, SOCK_SEQPACKET, 0, cmd_sock)) {
		pr_err("socketpair()");
		return -1;
	}

	pid = fork();
	if (pid < 0) {
		pr_err("fork()");
		return -1;
	}

	if (pid > 0) {
		/* child keeps cmd_sock[1] */
		if (close(cmd_sock[0])) {
			pr_err("close()");
			return -1;
		}
		return child_f(nr, test_desc_fd[0], cmd_sock[1], data_map);
	}

	/* grandchild keeps cmd_sock[0] */
	if (close(cmd_sock[1])) {
		pr_err("close()");
		return -1;
	}
	return grand_child_f(nr, cmd_sock[0], data_map);
}
2012 
/* Print the one-line usage message for this program and exit with KSFT_FAIL. */
static void exit_usage(char **argv)
{
	const char *prog = argv[0];

	printk("Usage: %s [nr_process]", prog);
	exit(KSFT_FAIL);
}
2018 
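/*
 * Write one test descriptor to test_desc_fd with a single write().
 *
 * Returns 0 when the whole descriptor was written, -1 on an error or a short
 * write. A short write is not retried.
 */
static int __write_desc(int test_desc_fd, struct xfrm_desc *desc)
{
	ssize_t ret;

	ret = write(test_desc_fd, desc, sizeof(*desc));
	if (ret == sizeof(*desc))
		return 0;

	/* ret is ssize_t: %zd matches it on both 32-bit and 64-bit ABIs */
	pr_err("Writing test's desc failed %zd", ret);

	return -1;
}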
2032 
/*
 * Build a CREATE_TUNNEL descriptor for `proto` and write it to test_desc_fd.
 *
 * a, e, c and ae name the algorithms for the a_algo, e_algo, c_algo and
 * ae_algo fields; a NULL argument leaves that field empty. At most
 * ALGO_LEN - 1 bytes of each name are copied, so a longer name is cut short
 * without an error. The descriptor starts out zeroed, which keeps each field
 * NUL-terminated - assuming every *_algo field is ALGO_LEN bytes long
 * (declared outside this function, TODO confirm).
 *
 * Returns the result of __write_desc(): 0 on success, -1 on failure.
 */
static int write_desc(int proto, int test_desc_fd,
		char *a, char *e, char *c, char *ae)
{
	struct xfrm_desc desc = {
		.type = CREATE_TUNNEL,
		.proto = proto,
	};

	if (a != NULL)
		strncpy(desc.a_algo, a, ALGO_LEN - 1);
	if (e != NULL)
		strncpy(desc.e_algo, e, ALGO_LEN - 1);
	if (c != NULL)
		strncpy(desc.c_algo, c, ALGO_LEN - 1);
	if (ae != NULL)
		strncpy(desc.ae_algo, ae, ALGO_LEN - 1);

	return __write_desc(test_desc_fd, &desc);
}
2052 
/* Protocols for which write_proto_plan() emits tunnel tests. */
int proto_list[] = {
	IPPROTO_AH,
	IPPROTO_COMP,
	IPPROTO_ESP,
};

/*
 * Authentication algorithm names, used for AH and paired with e_list for ESP.
 * The list spans digest_null and hmac(md5) through hmac(sha512) - presumably
 * to cover what the kernel accepts rather than to recommend any of them.
 */
char *ah_list[] = {
	"digest_null",
	"hmac(md5)",
	"hmac(sha1)",
	"hmac(sha256)",
	"hmac(sha384)",
	"hmac(sha512)",
	"hmac(rmd160)",
	"xcbc(aes)",
	"cmac(aes)",
};

/* Compression algorithm names for IPPROTO_COMP. */
char *comp_list[] = {
	"deflate",
#if 0
	/* No compression backend realization */
	"lzs",
	"lzjh",
#endif
};

/* Encryption algorithm names; ESP tests pair each with every ah_list entry. */
char *e_list[] = {
	"ecb(cipher_null)",
	"cbc(des)",
	"cbc(des3_ede)",
	"cbc(cast5)",
	"cbc(blowfish)",
	"cbc(aes)",
	"cbc(serpent)",
	"cbc(camellia)",
	"cbc(twofish)",
	"rfc3686(ctr(aes))",
};

/* AEAD algorithm names; every entry is compiled out, so the list is empty. */
char *ae_list[] = {
#if 0
	/* not implemented */
	"rfc4106(gcm(aes))",
	"rfc4309(ccm(aes))",
	"rfc4543(gcm(aes))",
	"rfc7539esp(chacha20,poly1305)",
#endif
};

/*
 * Number of descriptors write_proto_plan() emits over all of proto_list:
 * one per ah_list entry (AH), one per comp_list entry (COMP), and for ESP
 * one per (ah_list, e_list) pair plus one per ae_list entry.
 */
const unsigned int proto_plan = ARRAY_SIZE(ah_list) + ARRAY_SIZE(comp_list)
				+ (ARRAY_SIZE(ah_list) * ARRAY_SIZE(e_list))
				+ ARRAY_SIZE(ae_list);
2082 
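/*
 * Write every tunnel-test descriptor for one protocol to fd.
 *
 * IPPROTO_AH gets one descriptor per ah_list entry, IPPROTO_COMP one per
 * comp_list entry, and IPPROTO_ESP one per (ah_list, e_list) pair followed by
 * one per ae_list entry.
 *
 * Returns 0 on success, -1 when a write fails or proto is not one of the
 * three protocols above.
 */
static int write_proto_plan(int fd, int proto)
{
	unsigned int i;

	switch (proto) {
	case IPPROTO_AH:
		for (i = 0; i < ARRAY_SIZE(ah_list); i++) {
			if (write_desc(proto, fd, ah_list[i], NULL, NULL, NULL))
				return -1;
		}
		break;
	case IPPROTO_COMP:
		for (i = 0; i < ARRAY_SIZE(comp_list); i++) {
			if (write_desc(proto, fd, NULL, NULL, comp_list[i], NULL))
				return -1;
		}
		break;
	case IPPROTO_ESP:
		for (i = 0; i < ARRAY_SIZE(ah_list); i++) {
			/* unsigned, to match the type ARRAY_SIZE() yields */
			unsigned int j;

			for (j = 0; j < ARRAY_SIZE(e_list); j++) {
				if (write_desc(proto, fd, ah_list[i],
							e_list[j], NULL, NULL))
					return -1;
			}
		}
		for (i = 0; i < ARRAY_SIZE(ae_list); i++) {
			if (write_desc(proto, fd, NULL, NULL, NULL, ae_list[i]))
				return -1;
		}
		break;
	default:
		printk("BUG: Specified unknown proto %d", proto);
		return -1;
	}

	return 0;
}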
2122 
/*
 * Some structures in xfrm uapi header differ in size between
 * 64-bit and 32-bit ABI:
 *
 *             32-bit UABI               |            64-bit UABI
 *  -------------------------------------|-------------------------------------
 *   sizeof(xfrm_usersa_info)     = 220  |  sizeof(xfrm_usersa_info)     = 224
 *   sizeof(xfrm_userpolicy_info) = 164  |  sizeof(xfrm_userpolicy_info) = 168
 *   sizeof(xfrm_userspi_info)    = 228  |  sizeof(xfrm_userspi_info)    = 232
 *   sizeof(xfrm_user_acquire)    = 276  |  sizeof(xfrm_user_acquire)    = 280
 *   sizeof(xfrm_user_expire)     = 224  |  sizeof(xfrm_user_expire)     = 232
 *   sizeof(xfrm_user_polexpire)  = 168  |  sizeof(xfrm_user_polexpire)  = 176
 *
 * Check the structures affected by the UABI difference.
 * Also, check translation for xfrm_set_spdinfo: it has its own attributes,
 * which need to be correctly copied, but not translated.
 */

/* Number of descriptors written by write_compat_struct_tests(). */
const unsigned int compat_plan = 5;

/*
 * Write one descriptor per compat test to test_desc_fd. They all share
 * proto IPPROTO_AH and the first ah_list algorithm and differ only in type.
 *
 * Returns 0 on success, -1 as soon as one write fails.
 */
static int write_compat_struct_tests(int test_desc_fd)
{
	/* Written in this order; keep the count in step with compat_plan */
	static const int compat_types[] = {
		ALLOCATE_SPI,
		MONITOR_ACQUIRE,
		EXPIRE_STATE,
		EXPIRE_POLICY,
		SPDINFO_ATTRS,
	};
	struct xfrm_desc desc = {};
	unsigned int i;

	desc.proto = IPPROTO_AH;
	strncpy(desc.a_algo, ah_list[0], ALGO_LEN - 1);

	for (i = 0; i < ARRAY_SIZE(compat_types); i++) {
		desc.type = compat_types[i];
		if (__write_desc(test_desc_fd, &desc))
			return -1;
	}

	return 0;
}
2170 
/*
 * Fork a writer process that feeds the whole test plan into test_desc_fd.
 *
 * The calling process closes its copy of test_desc_fd and returns 0, or -1
 * when fork() fails; a failed close() is only logged. The writer emits the
 * compat tests first, then the per-protocol plan for each proto_list entry,
 * and exits with KSFT_PASS, or KSFT_FAIL on the first failed write.
 */
static int write_test_plan(int test_desc_fd)
{
	pid_t writer = fork();
	unsigned int idx;

	if (writer < 0) {
		pr_err("fork()");
		return -1;
	}

	if (writer > 0) {
		if (close(test_desc_fd))
			printk("close(): %m");
		return 0;
	}

	/* writer process from here on */
	if (write_compat_struct_tests(test_desc_fd))
		exit(KSFT_FAIL);

	for (idx = 0; idx < ARRAY_SIZE(proto_list); idx++) {
		if (write_proto_plan(test_desc_fd, proto_list[idx]))
			exit(KSFT_FAIL);
	}

	exit(KSFT_PASS);
}
2197 
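/*
 * Reap every child process and fold their exit states into one result.
 *
 * Returns KSFT_FAIL when wait() fails for a reason other than ECHILD, when a
 * child did not exit normally, or when a child exited with KSFT_FAIL. Any
 * other exit status leaves the result unchanged. Returns KSFT_PASS when no
 * child failed.
 */
static int children_cleanup(void)
{
	/* int, to match the function's return type */
	int ret = KSFT_PASS;

	for (;;) {
		int status;
		pid_t pid = wait(&status);

		if (pid < 0) {
			/* ECHILD: nothing left to wait for */
			if (errno == ECHILD)
				break;

			pr_err("wait()");
			return KSFT_FAIL;
		}

		/* Not a normal exit (e.g. killed by a signal), or an explicit failure */
		if (!WIFEXITED(status) || WEXITSTATUS(status) == KSFT_FAIL)
			ret = KSFT_FAIL;
	}

	return ret;
}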
2225 
/* Signature shared by the kselftest result printers used below. */
typedef void (*print_res)(const char *, ...);

/*
 * Read test results from results_fd[0] until EOF and print one kselftest
 * result line for each.
 *
 * Returns KSFT_PASS when every result was KSFT_PASS. Any other result value
 * is reported as a failure and makes the function return KSFT_FAIL, as does
 * a short or failed read.
 *
 * NOTE(review): d->type is used as an index into desc_name without a range
 * check. The records come from this test's own child processes, but a bound
 * check against the size of desc_name would keep a corrupt record from
 * reading past the table - confirm against the desc_name definition.
 */
static int check_results(void)
{
	struct test_result tr = {};
	struct xfrm_desc *d = &tr.desc;
	int ret = KSFT_PASS;

	for (;;) {
		print_res report;
		ssize_t nread = read(results_fd[0], &tr, sizeof(tr));

		/* EOF: all result records have been read */
		if (nread == 0)
			break;

		if (nread != sizeof(tr)) {
			pr_err("read() returned %zd", nread);
			return KSFT_FAIL;
		}

		if (tr.res == KSFT_PASS) {
			report = ksft_test_result_pass;
		} else {
			/* KSFT_FAIL and every unexpected value count as a failure */
			report = ksft_test_result_fail;
			ret = KSFT_FAIL;
		}

		report(" %s: [%u, '%s', '%s', '%s', '%s', %u]\n",
		       desc_name[d->type], (unsigned int)d->proto, d->a_algo,
		       d->e_algo, d->c_algo, d->ae_algo, d->icv_len);
	}

	return ret;
}
2263 
/*
 * Entry point. Takes an optional [nr_process] argument (1..MAX_PROCESSES,
 * default 1), creates the descriptor and result pipes, the namespaces and one
 * veth pair plus one child per process, writes the test plan and collects the
 * results.
 *
 * Setup problems before the children are started end the run as skipped;
 * failures from veth creation onwards end it as failed. The final exit code
 * is KSFT_FAIL when children_cleanup() reports a failure, otherwise the value
 * returned by check_results().
 */
int main(int argc, char **argv)
{
	int test_desc_fd[2];
	int route_sock = -1;
	int ret = KSFT_SKIP;
	long nr_process = 1;
	uint32_t route_seq;
	unsigned int i;

	if (argc > 2)
		exit_usage(argv);

	if (argc > 1) {
		bool out_of_range, conv_error, malformed;
		char *endptr;

		errno = 0;
		nr_process = strtol(argv[1], &endptr, 10);

		out_of_range = errno == ERANGE &&
			(nr_process == LONG_MAX || nr_process == LONG_MIN);
		conv_error = errno != 0 && nr_process == 0;
		/* no digits consumed, or trailing characters after the number */
		malformed = endptr == argv[1] || *endptr != '\0';

		if (out_of_range || conv_error || malformed) {
			printk("Failed to parse [nr_process]");
			exit_usage(argv);
		}

		if (nr_process < 1 || nr_process > MAX_PROCESSES) {
			printk("nr_process should be between [1; %u]",
					MAX_PROCESSES);
			exit_usage(argv);
		}
	}

	srand(time(NULL));

	page_size = sysconf(_SC_PAGESIZE);
	if (page_size < 1)
		ksft_exit_skip("sysconf(): %m\n");

	if (pipe2(test_desc_fd, O_DIRECT) < 0)
		ksft_exit_skip("pipe(): %m\n");

	if (pipe2(results_fd, O_DIRECT) < 0)
		ksft_exit_skip("pipe(): %m\n");

	if (init_namespaces())
		ksft_exit_skip("Failed to create namespaces\n");

	if (netlink_sock(&route_sock, &route_seq, NETLINK_ROUTE))
		ksft_exit_skip("Failed to open netlink route socket\n");

	for (i = 0; i < nr_process; i++) {
		char veth[VETH_LEN];

		/* snprintf() bounds the device name to VETH_LEN */
		snprintf(veth, VETH_LEN, VETH_FMT, i);

		if (veth_add(route_sock, route_seq++, veth, nsfd_childa, veth, nsfd_childb)) {
			close(route_sock);
			ksft_exit_fail_msg("Failed to create veth device");
		}

		if (start_child(i, veth, test_desc_fd)) {
			close(route_sock);
			ksft_exit_fail_msg("Child %u failed to start", i);
		}
	}

	/*
	 * Close the ends this process no longer uses: the route socket, the
	 * read end of the descriptor pipe and the write end of the result pipe.
	 */
	if (close(route_sock) || close(test_desc_fd[0]) || close(results_fd[1]))
		ksft_exit_fail_msg("close(): %m");

	ksft_set_plan(proto_plan + compat_plan);

	if (write_test_plan(test_desc_fd[1]))
		ksft_exit_fail_msg("Failed to write test plan to pipe");

	ret = check_results();

	if (children_cleanup() == KSFT_FAIL)
		exit(KSFT_FAIL);

	exit(ret);
}
2342 
