lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <2f178d43-8a40-4f1a-b8cf-85d26ad0a063@openvpn.net>
Date: Tue, 29 Oct 2024 10:42:09 +0100
From: Antonio Quartulli <antonio@...nvpn.net>
To: Shuah Khan <skhan@...uxfoundation.org>
Cc: netdev@...r.kernel.org, linux-kernel@...r.kernel.org,
 Donald Hunter <donald.hunter@...il.com>, Andrew Lunn <andrew@...n.ch>,
 Paolo Abeni <pabeni@...hat.com>, Jakub Kicinski <kuba@...nel.org>,
 sd@...asysnail.net, Shuah Khan <shuah@...nel.org>, ryazanov.s.a@...il.com,
 Eric Dumazet <edumazet@...gle.com>, linux-kselftest@...r.kernel.org
Subject: Re: [PATCH net-next v10 23/23] testing/selftests: add test tool and
 scripts for ovpn module



On 29/10/2024 03:29, Shuah Khan wrote:
> On 10/28/24 04:13, Antonio Quartulli wrote:
>> On 27/10/2024 01:40, Shuah Khan wrote:
>>> On 10/25/24 03:14, Antonio Quartulli wrote:
>>>> The ovpn-cli tool can be compiled and used as selftest for the ovpn
>>>> kernel module.
>>>>
>>>> It implements the netlink API and can thus be integrated in any
>>>> script for more automated testing.
>>>>
>>>> Along with the tool, 4 scripts are added that perform basic
>>>> functionality tests by means of network namespaces.
>>>>
>>>> Cc: shuah@...nel.org
>>>> Cc: linux-kselftest@...r.kernel.org
>>>> Signed-off-by: Antonio Quartulli <antonio@...nvpn.net>
>>>> ---
>>>>   MAINTAINERS                                        |    1 +
>>>>   tools/testing/selftests/Makefile                   |    1 +
>>>>   tools/testing/selftests/net/ovpn/.gitignore        |    2 +
>>>>   tools/testing/selftests/net/ovpn/Makefile          |   17 +
>>>>   tools/testing/selftests/net/ovpn/config            |   10 +
>>>>   tools/testing/selftests/net/ovpn/data64.key        |    5 +
>>>>   tools/testing/selftests/net/ovpn/ovpn-cli.c        | 2370 ++++++++ 
>>>> ++ ++++++++++
>>>>   tools/testing/selftests/net/ovpn/tcp_peers.txt     |    5 +
>>>>   .../testing/selftests/net/ovpn/test-chachapoly.sh  |    9 +
>>>>   tools/testing/selftests/net/ovpn/test-float.sh     |    9 +
>>>>   tools/testing/selftests/net/ovpn/test-tcp.sh       |    9 +
>>>>   tools/testing/selftests/net/ovpn/test.sh           |  183 ++
>>>>   tools/testing/selftests/net/ovpn/udp_peers.txt     |    5 +
>>>>   13 files changed, 2626 insertions(+)
>>>>
>>>
>>> What does the test output look like? Add that to the change log.
>>
>> Hi Shuan,
>>
>> is there any expected output for kselftest scripts?
>> Right now it just prints a bunch of messages about what is being 
>> tested, plus the output from `ping` and `iperf`.
>>
>> My assumption is that the output would be useful in case of failures, 
>> to understand where and what went wrong.
>>
>> I can document that, but I am not sure it is truly helpful (?).
>> What do you think?
>>
>> Is there any specific output format I should obey to?
>>
>>
>> [...]
>>
>>
>>>> +
>>>> +static void usage(const char *cmd)
>>>> +{
>>>> +    fprintf(stderr,
>>>> +        "Usage %s <command> <iface> [arguments..]\n",
>>>> +        cmd);
>>>> +    fprintf(stderr, "where <command> can be one of the 
>>>> following\n\n");
>>>> +
>>>> +    fprintf(stderr, "* new_iface <iface> [mode]: create new ovpn 
>>>> interface\n");
>>>> +    fprintf(stderr, "\tiface: ovpn interface name\n");
>>>> +    fprintf(stderr, "\tmode:\n");
>>>> +    fprintf(stderr, "\t\t- P2P for peer-to-peer mode (i.e. 
>>>> client)\n");
>>>> +    fprintf(stderr, "\t\t- MP for multi-peer mode (i.e. server)\n");
>>>> +
>>>> +    fprintf(stderr, "* del_iface <iface>: delete ovpn interface\n");
>>>> +    fprintf(stderr, "\tiface: ovpn interface name\n");
>>>> +
>>>> +    fprintf(stderr,
>>>> +        "* listen <iface> <lport> <peers_file> [ipv6]: listen for 
>>>> incoming peer TCP connections\n");
>>>> +    fprintf(stderr, "\tiface: ovpn interface name\n");
>>>> +    fprintf(stderr, "\tlport: TCP port to listen to\n");
>>>> +    fprintf(stderr,
>>>> +        "\tpeers_file: file containing one peer per line: Line 
>>>> format:\n");
>>>> +    fprintf(stderr, "\t\t<peer_id> <vpnaddr>\n");
>>>> +    fprintf(stderr,
>>>> +        "\tipv6: whether the socket should listen to the IPv6 
>>>> wildcard address\n");
>>>> +
>>>> +    fprintf(stderr,
>>>> +        "* connect <iface> <peer_id> <raddr> <rport> [key_file]: 
>>>> start connecting peer of TCP-based VPN session\n");
>>>> +    fprintf(stderr, "\tiface: ovpn interface name\n");
>>>> +    fprintf(stderr, "\tpeer_id: peer ID of the connecting peer\n");
>>>> +    fprintf(stderr, "\traddr: peer IP address to connect to\n");
>>>> +    fprintf(stderr, "\trport: peer TCP port to connect to\n");
>>>> +    fprintf(stderr,
>>>> +        "\tkey_file: file containing the symmetric key for 
>>>> encryption\n");
>>>> +
>>>> +    fprintf(stderr,
>>>> +        "* new_peer <iface> <peer_id> <lport> <raddr> <rport> 
>>>> [vpnaddr]: add new peer\n");
>>>> +    fprintf(stderr, "\tiface: ovpn interface name\n");
>>>> +    fprintf(stderr, "\tlport: local UDP port to bind to\n");
>>>> +    fprintf(stderr,
>>>> +        "\tpeer_id: peer ID to be used in data packets to/from this 
>>>> peer\n");
>>>> +    fprintf(stderr, "\traddr: peer IP address\n");
>>>> +    fprintf(stderr, "\trport: peer UDP port\n");
>>>> +    fprintf(stderr, "\tvpnaddr: peer VPN IP\n");
>>>> +
>>>> +    fprintf(stderr,
>>>> +        "* new_multi_peer <iface> <lport> <peers_file>: add 
>>>> multiple peers as listed in the file\n");
>>>> +    fprintf(stderr, "\tiface: ovpn interface name\n");
>>>> +    fprintf(stderr, "\tlport: local UDP port to bind to\n");
>>>> +    fprintf(stderr,
>>>> +        "\tpeers_file: text file containing one peer per line. Line 
>>>> format:\n");
>>>> +    fprintf(stderr, "\t\t<peer_id> <raddr> <rport> <vpnaddr>\n");
>>>> +
>>>> +    fprintf(stderr,
>>>> +        "* set_peer <iface> <peer_id> <keepalive_interval> 
>>>> <keepalive_timeout>: set peer attributes\n");
>>>> +    fprintf(stderr, "\tiface: ovpn interface name\n");
>>>> +    fprintf(stderr, "\tpeer_id: peer ID of the peer to modify\n");
>>>> +    fprintf(stderr,
>>>> +        "\tkeepalive_interval: interval for sending ping messages\n");
>>>> +    fprintf(stderr,
>>>> +        "\tkeepalive_timeout: time after which a peer is timed 
>>>> out\n");
>>>> +
>>>> +    fprintf(stderr, "* del_peer <iface> <peer_id>: delete peer\n");
>>>> +    fprintf(stderr, "\tiface: ovpn interface name\n");
>>>> +    fprintf(stderr, "\tpeer_id: peer ID of the peer to delete\n");
>>>> +
>>>> +    fprintf(stderr, "* get_peer <iface> [peer_id]: retrieve peer(s) 
>>>> status\n");
>>>> +    fprintf(stderr, "\tiface: ovpn interface name\n");
>>>> +    fprintf(stderr,
>>>> +        "\tpeer_id: peer ID of the peer to query. All peers are 
>>>> returned if omitted\n");
>>>> +
>>>> +    fprintf(stderr,
>>>> +        "* new_key <iface> <peer_id> <slot> <key_id> <cipher> 
>>>> <key_dir> <key_file>: set data channel key\n");
>>>> +    fprintf(stderr, "\tiface: ovpn interface name\n");
>>>> +    fprintf(stderr,
>>>> +        "\tpeer_id: peer ID of the peer to configure the key for\n");
>>>> +    fprintf(stderr, "\tslot: either 1 (primary) or 2 (secondary)\n");
>>>> +    fprintf(stderr, "\tkey_id: an ID from 0 to 7\n");
>>>> +    fprintf(stderr,
>>>> +        "\tcipher: cipher to use, supported: aes (AES-GCM), 
>>>> chachapoly (CHACHA20POLY1305)\n");
>>>> +    fprintf(stderr,
>>>> +        "\tkey_dir: key direction, must 0 on one host and 1 on the 
>>>> other\n");
>>>> +    fprintf(stderr, "\tkey_file: file containing the pre-shared 
>>>> key\n");
>>>> +
>>>> +    fprintf(stderr,
>>>> +        "* del_key <iface> <peer_id> [slot]: erase existing data 
>>>> channel key\n");
>>>> +    fprintf(stderr, "\tiface: ovpn interface name\n");
>>>> +    fprintf(stderr, "\tpeer_id: peer ID of the peer to modify\n");
>>>> +    fprintf(stderr, "\tslot: slot to erase. PRIMARY if omitted\n");
>>>> +
>>>> +    fprintf(stderr,
>>>> +        "* get_key <iface> <peer_id> <slot>: retrieve non sensible 
>>>> key data\n");
>>>> +    fprintf(stderr, "\tiface: ovpn interface name\n");
>>>> +    fprintf(stderr, "\tpeer_id: peer ID of the peer to query\n");
>>>> +    fprintf(stderr, "\tslot: either 1 (primary) or 2 (secondary)\n");
>>>> +
>>>> +    fprintf(stderr,
>>>> +        "* swap_keys <iface> <peer_id>: swap content of primary and 
>>>> secondary key slots\n");
>>>> +    fprintf(stderr, "\tiface: ovpn interface name\n");
>>>> +    fprintf(stderr, "\tpeer_id: peer ID of the peer to modify\n");
>>>> +
>>>> +    fprintf(stderr,
>>>> +        "* listen_mcast: listen to ovpn netlink multicast 
>>>> messages\n");
>>>> +}
>>>
>>> If this test is run from "make kselftest" as default run does this usage
>>> output show up in the report?
>>
>> No.
>> This usage is only printed when invoking ovpn-cli with wrong arguments 
>> and this can't be the case in the kselftest.
> 
> The usage() is great and much needed. My concern is if this usage would 
> show up
> when we run "make kselftest" - some tests do this by adding wrapper 
> shell script
> to run the test with different options to cover all the cases.
> 
>>
>>
>> Other than documenting the output, do you think there is any other 
>> critical part to be adjusted in this patch?
> 
> No - I don't have any other comments on the test itself. I just want to 
> make
> sure this usage inadvertently doesn't end up in the "make kselftest" run.
> 
> With that
> 
> Reviewed-by: Shuah Khan <skhan@...uxfoundation.org>

Thanks a lot for your feedback.
I promise no usage() output will pollute the reports :-)

Ok then, I will extend the commit message with a description of the 
output and retain your Reviewed-by in v11.

I'll try to send it out today.

Thanks.
Regards,

> 
> thanks,
> -- Shuah

-- 
Antonio Quartulli
OpenVPN Inc.


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ