| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 21 Jun 2018 01:18:35 +0200
From: Anders Roxell <anders.roxell@...aro.org>
To: shannon.nelson@...cle.com
Cc: Networking <netdev@...r.kernel.org>,
David Miller <davem@...emloft.net>
Subject: Re: [PATCH net-next 0/2] fixes for ipsec selftests
On Thu, 21 Jun 2018 at 00:26, Shannon Nelson <shannon.nelson@...cle.com> wrote:
>
> On 6/20/2018 12:09 PM, Anders Roxell wrote:
> > On Wed, 20 Jun 2018 at 07:42, Shannon Nelson <shannon.nelson@...cle.com> wrote:
> >>
> >> A couple of bad behaviors in the ipsec selftest were pointed out
> >> by Anders Roxell <anders.roxell@...aro.org> and are addressed here.
> >>
> >> Shannon Nelson (2):
> >> selftests: rtnetlink: hide complaint from terminated monitor
> >> selftests: rtnetlink: use a local IP address for IPsec tests
> >>
> >> tools/testing/selftests/net/rtnetlink.sh | 11 +++++++----
> >> 1 file changed, 7 insertions(+), 4 deletions(-)
> >>
> >> --
> >> 2.7.4
> >>
> >
> > Hi Shannon,
> >
> > With this patches applied and my config patch.
> >
> > I still get this error when I run the ipsec test:
> >
> > FAIL: can't add fou port 7777, skipping test
> > RTNETLINK answers: Operation not supported
> > FAIL: can't add macsec interface, skipping test
> > RTNETLINK answers: Protocol not supported
> > RTNETLINK answers: No such process
> > RTNETLINK answers: No such process
> > FAIL: ipsec
>
> One of the odd things I noticed about this script is that there really
> aren't any diagnosis messages, just PASS or FAIL. I followed this
> custom when I added the ipsec tests, but I think this is something that
> should change so we can get some idea of what breaks.
>
> I'm curious about the "RTNETLINK answers" messages and where they might
> be coming from, especially "RTNETLINK answers: Protocol not supported".
I added: "set -x" in the beginning of the rtnetlink.sh script.
+ ip x s add proto esp src 10.66.17.140 dst 10.66.17.141 spi 0x07 mode
transport reqid 0x07 replay-window 32 aead 'rfc4106(gcm(aes))'
0x3132333435
363738393031323334353664636261 128 sel src 10.66.17.140/24 dst 10.66.17.141/24
RTNETLINK answers: Protocol not supported
> What version of iproute2 are you using? Is it older than iproute2-ss130716?
I use iproute2 release 4.17.0.
>
> What distro and kernel are you running?
for this test linux-next tag: next-20180620 distro OE (morty)
>
> What are the XFRM and AES settings in your kernel config - what is the
> output from
> egrep -i "xfrm|_aes" .config
CONFIG_XFRM=y
CONFIG_XFRM_ALGO=y
CONFIG_XFRM_USER=y
CONFIG_INET_XFRM_MODE_TUNNEL=y
CONFIG_INET6_XFRM_MODE_TRANSPORT=y
CONFIG_INET6_XFRM_MODE_TUNNEL=y
CONFIG_INET6_XFRM_MODE_BEET=y
CONFIG_CRYPTO_AES=y
>
> I did also notice that the ipsec test should set ret=0 at its start.
did.
> Can you either add this or comment out all the other tests in
> kci_test_rtnl() so that only the kci_test_ipsec is run and send me the
> output?
done.
Same result as before... added "set -x" and this is the output:
+ devdummy=test-dummy0
+ ret=0
+ ksft_skip=4
++ id -u
+ '[' 0 -ne 0 ']'
+ for x in ip tc
+ ip -Version
+ '[' 0 -ne 0 ']'
+ for x in ip tc
+ tc -Version
+ '[' 0 -ne 0 ']'
+ kci_test_rtnl
+ kci_test_ipsec
+ ret=0
++ ip -o addr
++ awk '/inet / { print $4; }'
++ grep -v '^127'
++ head -1
++ cut -f1 -d/
+ srcip=10.66.17.140
++ echo 10.66.17.140
++ cut -f1-3 -d.
+ net=10.66.17
++ echo 10.66.17.140
++ cut -f4 -d.
+ base=140
++ expr 140 + 1
+ dstip=10.66.17.141
+ algo='aead rfc4106(gcm(aes)) 0x3132333435363738393031323334353664636261 128'
+ ip x s flush
+ ip x p flush
+ check_err 0
+ '[' 0 -eq 0 ']'
+ ret=0
++ mktemp ipsectestXXX
+ tmpfile=ipsectestHFP
+ mpid=3339
+ sleep 0.2
+ ipsecid='proto esp src 10.66.17.140 dst 10.66.17.141 spi 0x07'
+ ip x s add proto esp src 10.66.17.140 dst 10.66.17.141 spi 0x07 mode
transport reqid 0x07 replay-window 32 aead 'rfc4106(gcm(aes))'
0x3132333435
363738393031323334353664636261 128 sel src 10.66.17.140/24 dst 10.66.17.141/24
RTNETLINK answers: Protocol not supported
+ check_err 2
+ '[' 0 -eq 0 ']'
+ ret=2
++ ip x s list
++ grep 10.66.17.140
++ grep 10.66.17.141
++ wc -l
+ lines=0
+ test 0 -eq 2
+ check_err 1
+ '[' 2 -eq 0 ']'
+ ip x s count
+ grep -q 'SAD count 1'
+ check_err 1
+ '[' 2 -eq 0 ']'
++ ip x s get proto esp src 10.66.17.140 dst 10.66.17.141 spi 0x07
++ grep 10.66.17.140
++ grep 10.66.17.141
++ wc -l
RTNETLINK answers: No such process
+ lines=0
+ test 0 -eq 2
+ check_err 1
+ '[' 2 -eq 0 ']'
+ ip x s delete proto esp src 10.66.17.140 dst 10.66.17.141 spi 0x07
RTNETLINK answers: No such process
+ check_err 2
+ '[' 2 -eq 0 ']'
++ ip x s list
++ wc -l
+ lines=0
+ test 0 -eq 0
+ check_err 0
+ '[' 2 -eq 0 ']'
+ ipsecsel='dir out src 10.66.17.140/24 dst 10.66.17.141/24'
+ ip x p add dir out src 10.66.17.140/24 dst 10.66.17.141/24 tmpl
proto esp src 10.66.17.140 dst 10.66.17.141 spi 0x07 mode transport
reqid 0x07
+ check_err 0
+ '[' 2 -eq 0 ']'
++ grep 10.66.17.140
++ grep 10.66.17.141
++ wc -l
++ ip x p list
+ lines=2
+ test 2 -eq 2
+ check_err 0
+ '[' 2 -eq 0 ']'
+ ip x p count
+ grep -q 'SPD IN 0 OUT 1 FWD 0'
+ check_err 0
+ '[' 2 -eq 0 ']'
++ ip x p get dir out src 10.66.17.140/24 dst 10.66.17.141/24
++ grep 10.66.17.140
++ grep 10.66.17.141
++ wc -l
+ lines=2
+ test 2 -eq 2
+ check_err 0
+ '[' 2 -eq 0 ']'
+ ip x p delete dir out src 10.66.17.140/24 dst 10.66.17.141/24
+ check_err 0
+ '[' 2 -eq 0 ']'
++ ip x p list
++ wc -l
+ lines=0
+ test 0 -eq 0
+ check_err 0
+ '[' 2 -eq 0 ']'
+ kill 3339
++ wc -l ipsectestHFP
++ cut '-d ' -f1
+ lines=8
+ test 8 -eq 20
+ check_err 1
+ '[' 2 -eq 0 ']'
+ rm -rf ipsectestHFP
+ ip x s flush
+ check_err 0
+ '[' 2 -eq 0 ']'
+ ip x p flush
+ check_err 0
+ '[' 2 -eq 0 ']'
+ '[' 2 -ne 0 ']'
+ echo 'FAIL: ipsec'
FAIL: ipsec
+ return 1
+ exit 2
Cheers,
Anders
Powered by blists - more mailing lists