Message-ID: <CADYN=9Jmgk91RBiEyEbSdMr5_3JQgk058CO6HLRhDW6NFaF6qQ@mail.gmail.com>
Date:   Thu, 21 Jun 2018 01:18:35 +0200
From:   Anders Roxell <anders.roxell@...aro.org>
To:     shannon.nelson@...cle.com
Cc:     Networking <netdev@...r.kernel.org>,
        David Miller <davem@...emloft.net>
Subject: Re: [PATCH net-next 0/2] fixes for ipsec selftests

On Thu, 21 Jun 2018 at 00:26, Shannon Nelson <shannon.nelson@...cle.com> wrote:
>
> On 6/20/2018 12:09 PM, Anders Roxell wrote:
> > On Wed, 20 Jun 2018 at 07:42, Shannon Nelson <shannon.nelson@...cle.com> wrote:
> >>
> >> A couple of bad behaviors in the ipsec selftest were pointed out
> >> by Anders Roxell <anders.roxell@...aro.org> and are addressed here.
> >>
> >> Shannon Nelson (2):
> >>    selftests: rtnetlink: hide complaint from terminated monitor
> >>    selftests: rtnetlink: use a local IP address for IPsec tests
> >>
> >>   tools/testing/selftests/net/rtnetlink.sh | 11 +++++++----
> >>   1 file changed, 7 insertions(+), 4 deletions(-)
> >>
> >> --
> >> 2.7.4
> >>
> >
> > Hi Shannon,
> >
> > With these patches applied and my config patch.
> >
> > I still get this error when I run the ipsec test:
> >
> > FAIL: can't add fou port 7777, skipping test
> > RTNETLINK answers: Operation not supported
> > FAIL: can't add macsec interface, skipping test
> > RTNETLINK answers: Protocol not supported
> > RTNETLINK answers: No such process
> > RTNETLINK answers: No such process
> > FAIL: ipsec
>
> One of the odd things I noticed about this script is that there really
> aren't any diagnosis messages, just PASS or FAIL.  I followed this
> custom when I added the ipsec tests, but I think this is something that
> should change so we can get some idea of what breaks.
>
> I'm curious about the "RTNETLINK answers" messages and where they might
> be coming from, especially "RTNETLINK answers: Protocol not supported".

I added: "set -x" in the beginning of the rtnetlink.sh script.
+ ip x s add proto esp src 10.66.17.140 dst 10.66.17.141 spi 0x07 mode transport reqid 0x07 replay-window 32 aead 'rfc4106(gcm(aes))' 0x3132333435363738393031323334353664636261 128 sel src 10.66.17.140/24 dst 10.66.17.141/24
RTNETLINK answers: Protocol not supported

> What version of iproute2 are you using?  Is it older than iproute2-ss130716?

I use iproute2 release 4.17.0.

>
> What distro and kernel are you running?

for this test linux-next tag: next-20180620 distro OE (morty)

>
> What are the XFRM and AES settings in your kernel config - what is the
> output from
>         egrep -i "xfrm|_aes" .config

CONFIG_XFRM=y
CONFIG_XFRM_ALGO=y
CONFIG_XFRM_USER=y
CONFIG_INET_XFRM_MODE_TUNNEL=y
CONFIG_INET6_XFRM_MODE_TRANSPORT=y
CONFIG_INET6_XFRM_MODE_TUNNEL=y
CONFIG_INET6_XFRM_MODE_BEET=y
CONFIG_CRYPTO_AES=y

>
> I did also notice that the ipsec test should set ret=0 at its start.

did.

> Can you either add this or comment out all the other tests in
> kci_test_rtnl() so that only the kci_test_ipsec is run and send me the
> output?

done.

Same result as before... added "set -x" and this is the output:
+ devdummy=test-dummy0
+ ret=0
+ ksft_skip=4
++ id -u
+ '[' 0 -ne 0 ']'
+ for x in ip tc
+ ip -Version
+ '[' 0 -ne 0 ']'
+ for x in ip tc
+ tc -Version
+ '[' 0 -ne 0 ']'
+ kci_test_rtnl
+ kci_test_ipsec
+ ret=0
++ ip -o addr
++ awk '/inet / { print $4; }'
++ grep -v '^127'
++ head -1
++ cut -f1 -d/
+ srcip=10.66.17.140
++ echo 10.66.17.140
++ cut -f1-3 -d.
+ net=10.66.17
++ echo 10.66.17.140
++ cut -f4 -d.
+ base=140
++ expr 140 + 1
+ dstip=10.66.17.141
+ algo='aead rfc4106(gcm(aes)) 0x3132333435363738393031323334353664636261 128'
+ ip x s flush
+ ip x p flush
+ check_err 0
+ '[' 0 -eq 0 ']'
+ ret=0
++ mktemp ipsectestXXX
+ tmpfile=ipsectestHFP
+ mpid=3339
+ sleep 0.2
+ ipsecid='proto esp src 10.66.17.140 dst 10.66.17.141 spi 0x07'
+ ip x s add proto esp src 10.66.17.140 dst 10.66.17.141 spi 0x07 mode transport reqid 0x07 replay-window 32 aead 'rfc4106(gcm(aes))' 0x3132333435363738393031323334353664636261 128 sel src 10.66.17.140/24 dst 10.66.17.141/24
RTNETLINK answers: Protocol not supported
+ check_err 2
+ '[' 0 -eq 0 ']'
+ ret=2
++ ip x s list
++ grep 10.66.17.140
++ grep 10.66.17.141
++ wc -l
+ lines=0
+ test 0 -eq 2
+ check_err 1
+ '[' 2 -eq 0 ']'
+ ip x s count
+ grep -q 'SAD count 1'
+ check_err 1
+ '[' 2 -eq 0 ']'
++ ip x s get proto esp src 10.66.17.140 dst 10.66.17.141 spi 0x07
++ grep 10.66.17.140
++ grep 10.66.17.141
++ wc -l
RTNETLINK answers: No such process
+ lines=0
+ test 0 -eq 2
+ check_err 1
+ '[' 2 -eq 0 ']'
+ ip x s delete proto esp src 10.66.17.140 dst 10.66.17.141 spi 0x07
RTNETLINK answers: No such process
+ check_err 2
+ '[' 2 -eq 0 ']'
++ ip x s list
++ wc -l
+ lines=0
+ test 0 -eq 0
+ check_err 0
+ '[' 2 -eq 0 ']'
+ ipsecsel='dir out src 10.66.17.140/24 dst 10.66.17.141/24'
+ ip x p add dir out src 10.66.17.140/24 dst 10.66.17.141/24 tmpl proto esp src 10.66.17.140 dst 10.66.17.141 spi 0x07 mode transport reqid 0x07
+ check_err 0
+ '[' 2 -eq 0 ']'
++ grep 10.66.17.140
++ grep 10.66.17.141
++ wc -l
++ ip x p list
+ lines=2
+ test 2 -eq 2
+ check_err 0
+ '[' 2 -eq 0 ']'
+ ip x p count
+ grep -q 'SPD IN  0 OUT 1 FWD 0'
+ check_err 0
+ '[' 2 -eq 0 ']'
++ ip x p get dir out src 10.66.17.140/24 dst 10.66.17.141/24
++ grep 10.66.17.140
++ grep 10.66.17.141
++ wc -l
+ lines=2
+ test 2 -eq 2
+ check_err 0
+ '[' 2 -eq 0 ']'
+ ip x p delete dir out src 10.66.17.140/24 dst 10.66.17.141/24
+ check_err 0
+ '[' 2 -eq 0 ']'
++ ip x p list
++ wc -l
+ lines=0
+ test 0 -eq 0
+ check_err 0
+ '[' 2 -eq 0 ']'
+ kill 3339
++ wc -l ipsectestHFP
++ cut '-d ' -f1
+ lines=8
+ test 8 -eq 20
+ check_err 1
+ '[' 2 -eq 0 ']'
+ rm -rf ipsectestHFP
+ ip x s flush
+ check_err 0
+ '[' 2 -eq 0 ']'
+ ip x p flush
+ check_err 0
+ '[' 2 -eq 0 ']'
+ '[' 2 -ne 0 ']'
+ echo 'FAIL: ipsec'
FAIL: ipsec
+ return 1
+ exit 2

Cheers,
Anders
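
Added example, not part of the original message or of rtnetlink.sh: a per-symbol check of a kernel .config for the failing `ip x s add` command (IPv4, ESP, transport mode, rfc4106(gcm(aes))). The symbol list in WANTED is an assumption based on Kconfig names of that kernel era; because the posted output was filtered by `egrep -i "xfrm|_aes"`, symbols that do not match that pattern (ESP, GCM) show as unset here only because they could not appear in it.

```shell
#!/bin/sh
# Added example: report which wanted kernel options are neither =y nor =m.

# Config lines exactly as posted in the message above (already egrep-filtered).
posted_config() {
cat <<'EOF'
CONFIG_XFRM=y
CONFIG_XFRM_ALGO=y
CONFIG_XFRM_USER=y
CONFIG_INET_XFRM_MODE_TUNNEL=y
CONFIG_INET6_XFRM_MODE_TRANSPORT=y
CONFIG_INET6_XFRM_MODE_TUNNEL=y
CONFIG_INET6_XFRM_MODE_BEET=y
CONFIG_CRYPTO_AES=y
EOF
}

# Assumption (not from the thread): symbols the failing command depends on.
# Adjust the list for the kernel version being tested.
WANTED="CONFIG_XFRM_USER CONFIG_INET_ESP CONFIG_INET_XFRM_MODE_TRANSPORT CONFIG_CRYPTO_AES CONFIG_CRYPTO_GCM"

# kconfig_state FILE SYMBOL -> prints y, m, or unset (exact symbol match only)
kconfig_state() {
    val=$(sed -n "s/^$2=\([ym]\)\$/\1/p" "$1" | head -n 1)
    echo "${val:-unset}"
}

# missing_opts FILE SYMBOL... -> prints the unset symbols, space-separated
missing_opts() {
    file=$1; shift; out=""
    for sym in "$@"; do
        if [ "$(kconfig_state "$file" "$sym")" = unset ]; then
            out="$out${out:+ }$sym"
        fi
    done
    echo "$out"
}

# Stand-alone run: pass a real .config as $1, else use the posted lines.
cfg=${1:-}
if [ -z "$cfg" ]; then cfg=$(mktemp); posted_config > "$cfg"; tmp=$cfg; fi
echo "missing: $(missing_opts "$cfg" $WANTED)"
if [ -n "${tmp:-}" ]; then rm -f "$tmp"; fi
```

Run against the full .config of the kernel under test, this gives a definite answer for every symbol, including the ones the egrep pattern hides.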
