Message-ID: <20181016004243.GA95609@rdna-mbp.dhcp.thefacebook.com>
Date: Tue, 16 Oct 2018 00:42:46 +0000
From: Andrey Ignatov <rdna@...com>
To: Daniel Borkmann <daniel@...earbox.net>,
"john.fastabend@...il.com" <john.fastabend@...il.com>
CC: "alexei.starovoitov@...il.com" <alexei.starovoitov@...il.com>,
Dave Watson <davejwatson@...com>,
"netdev@...r.kernel.org" <netdev@...r.kernel.org>
Subject: Re: [PATCH bpf-next v2 7/8] bpf: add tls support for testing in
test_sockmap
Hi Daniel and John!
Daniel Borkmann <daniel@...earbox.net> [Fri, 2018-10-12 17:46 -0700]:
> From: John Fastabend <john.fastabend@...il.com>
>
> This adds a --ktls option to test_sockmap in order to enable the
> combination of ktls and sockmap to run, which makes for another
> batch of 648 test cases for both in combination.
>
> Signed-off-by: John Fastabend <john.fastabend@...il.com>
> Signed-off-by: Daniel Borkmann <daniel@...earbox.net>
> ---
> tools/testing/selftests/bpf/test_sockmap.c | 89 ++++++++++++++++++++++++++++++
> 1 file changed, 89 insertions(+)
>
> diff --git a/tools/testing/selftests/bpf/test_sockmap.c b/tools/testing/selftests/bpf/test_sockmap.c
> index ac7de38..10a5fa8 100644
> --- a/tools/testing/selftests/bpf/test_sockmap.c
> +++ b/tools/testing/selftests/bpf/test_sockmap.c
> @@ -71,6 +71,7 @@ int txmsg_start;
> int txmsg_end;
> int txmsg_ingress;
> int txmsg_skb;
> +int ktls;
>
> static const struct option long_options[] = {
> {"help", no_argument, NULL, 'h' },
> @@ -92,6 +93,7 @@ static const struct option long_options[] = {
> {"txmsg_end", required_argument, NULL, 'e'},
> {"txmsg_ingress", no_argument, &txmsg_ingress, 1 },
> {"txmsg_skb", no_argument, &txmsg_skb, 1 },
> + {"ktls", no_argument, &ktls, 1 },
> {0, 0, NULL, 0 }
> };
>
> @@ -112,6 +114,76 @@ static void usage(char *argv[])
> printf("\n");
> }
>
> +#define TCP_ULP 31
> +#define TLS_TX 1
> +#define TLS_RX 2
> +#include <linux/tls.h>
This breaks selftest build for me:
test_sockmap.c:120:23: fatal error: linux/tls.h: No such file or directory
#include <linux/tls.h>
^
compilation terminated.
Should include/uapi/linux/tls.h be copied to tools/ so that the selftest
does not depend on host headers?
> +
> +char *sock_to_string(int s)
> +{
> + if (s == c1)
> + return "client1";
> + else if (s == c2)
> + return "client2";
> + else if (s == s1)
> + return "server1";
> + else if (s == s2)
> + return "server2";
> + else if (s == p1)
> + return "peer1";
> + else if (s == p2)
> + return "peer2";
> + else
> + return "unknown";
> +}
> +
> +static int sockmap_init_ktls(int verbose, int s)
> +{
> + struct tls12_crypto_info_aes_gcm_128 tls_tx = {
> + .info = {
> + .version = TLS_1_2_VERSION,
> + .cipher_type = TLS_CIPHER_AES_GCM_128,
> + },
> + };
> + struct tls12_crypto_info_aes_gcm_128 tls_rx = {
> + .info = {
> + .version = TLS_1_2_VERSION,
> + .cipher_type = TLS_CIPHER_AES_GCM_128,
> + },
> + };
> + int so_buf = 6553500;
> + int err;
> +
> + err = setsockopt(s, 6, TCP_ULP, "tls", sizeof("tls"));
> + if (err) {
> + fprintf(stderr, "setsockopt: TCP_ULP(%s) failed with error %i\n", sock_to_string(s), err);
> + return -EINVAL;
> + }
> + err = setsockopt(s, SOL_TLS, TLS_TX, (void *)&tls_tx, sizeof(tls_tx));
> + if (err) {
> + fprintf(stderr, "setsockopt: TLS_TX(%s) failed with error %i\n", sock_to_string(s), err);
> + return -EINVAL;
> + }
> + err = setsockopt(s, SOL_TLS, TLS_RX, (void *)&tls_rx, sizeof(tls_rx));
> + if (err) {
> + fprintf(stderr, "setsockopt: TLS_RX(%s) failed with error %i\n", sock_to_string(s), err);
> + return -EINVAL;
> + }
> + err = setsockopt(s, SOL_SOCKET, SO_SNDBUF, &so_buf, sizeof(so_buf));
> + if (err) {
> + fprintf(stderr, "setsockopt: (%s) failed sndbuf with error %i\n", sock_to_string(s), err);
> + return -EINVAL;
> + }
> + err = setsockopt(s, SOL_SOCKET, SO_RCVBUF, &so_buf, sizeof(so_buf));
> + if (err) {
> + fprintf(stderr, "setsockopt: (%s) failed rcvbuf with error %i\n", sock_to_string(s), err);
> + return -EINVAL;
> + }
> +
> + if (verbose)
> + fprintf(stdout, "socket(%s) kTLS enabled\n", sock_to_string(s));
> + return 0;
> +}
> static int sockmap_init_sockets(int verbose)
> {
> int i, err, one = 1;
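Review bot: In sockmap_init_ktls, `tls_tx` and `tls_rx` initialise only `.info`, so the key, IV, salt and record-sequence fields handed to `TLS_TX`/`TLS_RX` are all zero, and nothing in the code says this is deliberate. That is acceptable for a loopback selftest, but the function reads like a kTLS setup example, so I would add above the two structs `/* Test only: key, iv, salt and rec_seq stay zeroed; real users must install the secrets negotiated by the TLS handshake. */`. Separately, every failure message prints `err`, which is only setsockopt()'s return value (-1 on failure), so the log never shows the cause. Passing `errno` as the last argument instead of `err` would show whether the tls ULP is unavailable or the crypto parameters were rejected.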
> @@ -456,6 +528,21 @@ static int sendmsg_test(struct sockmap_options *opt)
> else
> rx_fd = p2;
>
> + if (ktls) {
> + /* Redirecting into non-TLS socket which sends into a TLS
> + * socket is not a valid test. So in this case lets not
> + * enable kTLS but still run the test.
> + */
> + if (!txmsg_redir || (txmsg_redir && txmsg_ingress)) {
> + err = sockmap_init_ktls(opt->verbose, rx_fd);
> + if (err)
> + return err;
> + }
> + err = sockmap_init_ktls(opt->verbose, c1);
> + if (err)
> + return err;
> + }
> +
> rxpid = fork();
> if (rxpid == 0) {
> if (opt->drop_expected)
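Review bot: The condition `if (!txmsg_redir || (txmsg_redir && txmsg_ingress))` tests `txmsg_redir` twice; `if (!txmsg_redir || txmsg_ingress)` is equivalent and easier to read. The comment above it explains only the skipped case, while `c1` gets kTLS unconditionally just below, so I would reword it along the lines of `/* c1 always gets kTLS; rx_fd only when there is no redirect or the redirect is ingress. */`. The two early `return err` paths leave sendmsg_test before any teardown visible here; its body starts and ends outside the hunk, so whether the caller closes the sockets after such a failure should be confirmed there.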
> @@ -907,6 +994,8 @@ static void test_options(char *options)
> strncat(options, "ingress,", OPTSTRING);
> if (txmsg_skb)
> strncat(options, "skb,", OPTSTRING);
> + if (ktls)
> + strncat(options, "ktls,", OPTSTRING);
> }
>
> static int __test_exec(int cgrp, int test, struct sockmap_options *opt)
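Review bot: The added `strncat(options, "ktls,", OPTSTRING)` passes what looks like the destination size as the third argument, but strncat() treats that argument as the maximum number of bytes to append from the source, so it does not bound the write into `options`. The line follows the pattern of its neighbours, and each extra suffix makes the combined string longer, so the buffer's real capacity matters; the allocation is not visible here and test_options' body starts outside the hunk. If `options` is indeed OPTSTRING bytes, the bounded form is `strncat(options, "ktls,", OPTSTRING - strlen(options) - 1);`, and the same applies to the existing calls above it.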
> --
> 2.9.5
>
--
Andrey Ignatov