| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <20220923201319.493208-30-dima@arista.com>
Date: Fri, 23 Sep 2022 21:13:13 +0100
From: Dmitry Safonov <dima@...sta.com>
To: linux-kernel@...r.kernel.org, David Ahern <dsahern@...nel.org>,
Eric Dumazet <edumazet@...gle.com>
Cc: Dmitry Safonov <dima@...sta.com>,
Andy Lutomirski <luto@...capital.net>,
Ard Biesheuvel <ardb@...nel.org>,
Bob Gilligan <gilligan@...sta.com>,
Dan Carpenter <dan.carpenter@...cle.com>,
"David S. Miller" <davem@...emloft.net>,
Dmitry Safonov <0x7f454c46@...il.com>,
Eric Biggers <ebiggers@...nel.org>,
"Eric W. Biederman" <ebiederm@...ssion.com>,
Francesco Ruggeri <fruggeri@...sta.com>,
Herbert Xu <herbert@...dor.apana.org.au>,
Hideaki YOSHIFUJI <yoshfuji@...ux-ipv6.org>,
Ivan Delalande <colona@...sta.com>,
Jakub Kicinski <kuba@...nel.org>,
Leonard Crestez <cdleonard@...il.com>,
Paolo Abeni <pabeni@...hat.com>,
Salam Noureddine <noureddine@...sta.com>,
Shuah Khan <shuah@...nel.org>, netdev@...r.kernel.org,
linux-crypto@...r.kernel.org
Subject: [PATCH v2 29/35] selftest/tcp-ao: Add test for TCP-AO add setsockopt() command
Verify corner-cases for UAPI.
Sample output:
> # ./setsockopt-closed_ipv6
> 1..16
> # 9508[lib/setup.c:173] rand seed 1643819055
> TAP version 13
> ok 1 minimum size
> ok 2 extended size
> ok 3 bad algo
> ok 4 bad ao flags
> ok 5 empty prefix
> ok 6 prefix, any addr
> ok 7 no prefix, any addr
> ok 8 too short prefix
> ok 9 too big prefix
> ok 10 too big maclen
> ok 11 bad key flags
> ok 12 too big keylen
> not ok 13 duplicate: full copy: setsockopt() was expected to fail with 17
> ok 14 duplicate: any addr key on the socket
> ok 15 duplicate: add any addr key
> not ok 16 duplicate: add any addr for the same subnet: setsockopt() was expected to fail with 17
Signed-off-by: Dmitry Safonov <dima@...sta.com>
---
tools/testing/selftests/net/tcp_ao/Makefile | 3 +-
.../selftests/net/tcp_ao/setsockopt-closed.c | 191 ++++++++++++++++++
2 files changed, 193 insertions(+), 1 deletion(-)
create mode 100644 tools/testing/selftests/net/tcp_ao/setsockopt-closed.c
diff --git a/tools/testing/selftests/net/tcp_ao/Makefile b/tools/testing/selftests/net/tcp_ao/Makefile
index 5064e34ebe38..a001dc2aed4e 100644
--- a/tools/testing/selftests/net/tcp_ao/Makefile
+++ b/tools/testing/selftests/net/tcp_ao/Makefile
@@ -1,5 +1,6 @@
# SPDX-License-Identifier: GPL-2.0
-TEST_BOTH_AF := connect icmps-discard icmps-accept connect-deny
+TEST_BOTH_AF := connect icmps-discard icmps-accept connect-deny \
+ setsockopt-closed
TEST_IPV4_PROGS := $(TEST_BOTH_AF:%=%_ipv4)
TEST_IPV6_PROGS := $(TEST_BOTH_AF:%=%_ipv6)
diff --git a/tools/testing/selftests/net/tcp_ao/setsockopt-closed.c b/tools/testing/selftests/net/tcp_ao/setsockopt-closed.c
new file mode 100644
index 000000000000..be2cbc407f60
--- /dev/null
+++ b/tools/testing/selftests/net/tcp_ao/setsockopt-closed.c
@@ -0,0 +1,191 @@
+// SPDX-License-Identifier: GPL-2.0
+/* Author: Dmitry Safonov <dima@...sta.com> */
+#include <inttypes.h>
+#include "../../../../include/linux/kernel.h"
+#include "aolib.h"
+
+static void clean_ao(int sk, struct tcp_ao *ao)
+{
+ struct tcp_ao_del ao_del = {};
+
+ ao_del.tcpa_sndid = ao->tcpa_sndid;
+ ao_del.tcpa_rcvid = ao->tcpa_rcvid;
+ ao_del.tcpa_prefix = ao->tcpa_prefix;
+ memcpy(&ao_del.tcpa_addr, &ao->tcpa_addr, sizeof(ao->tcpa_addr));
+
+ if (setsockopt(sk, IPPROTO_TCP, TCP_AO_DEL, &ao_del, sizeof(ao_del)))
+ test_error("setsockopt(TCP_AO_DEL) failed to clean");
+ close(sk);
+}
+
+static void setsockopt_checked(int sk, int optname, struct tcp_ao *ao,
+ int err, const char *tst)
+{
+ int ret;
+
+ errno = 0;
+ ret = setsockopt(sk, IPPROTO_TCP, optname, ao, sizeof(*ao));
+ if (ret == -1) {
+ if (errno == err) {
+ test_ok("%s", tst);
+ return;
+ }
+ test_fail("%s: setsockopt() returned %d", tst, err);
+ return;
+ }
+
+ if (err) {
+ test_fail("%s: setsockopt() was expected to fail with %d", tst, err);
+ } else {
+ test_ok("%s", tst);
+ test_verify_socket_ao(sk, ao);
+ }
+ clean_ao(sk, ao);
+}
+
+static int prepare_defs(struct tcp_ao *ao)
+{
+ int sk = socket(test_family, SOCK_STREAM, IPPROTO_TCP);
+
+ if (sk < 0)
+ test_error("socket()");
+
+ if (test_prepare_def_ao(ao, "password", 0, this_ip_dest, -1, 100, 100))
+ test_error("prepare default tcp_ao");
+
+ return sk;
+}
+
+static void test_extend(void)
+{
+ struct tcp_ao ao;
+ struct {
+ struct tcp_ao ao;
+ char *extend[100];
+ } ao_big = {};
+ int ret, sk;
+
+ sk = prepare_defs(&ao);
+ errno = 0;
+ ret = setsockopt(sk, IPPROTO_TCP, TCP_AO,
+ &ao, offsetof(struct tcp_ao, tcpa_key));
+ if (!ret) {
+ test_fail("minminum size: accepted invalid size");
+ clean_ao(sk, &ao);
+ } else if (errno != EINVAL) {
+ test_fail("minminum size: failed with %d", errno);
+ } else {
+ test_ok("minimum size");
+ }
+
+ sk = prepare_defs(&ao_big.ao);
+ errno = 0;
+ ret = setsockopt(sk, IPPROTO_TCP, TCP_AO, &ao_big.ao, sizeof(ao_big));
+ if (ret) {
+ test_fail("extended size: returned %d", ret);
+ } else {
+ test_ok("extended size");
+ clean_ao(sk, &ao_big.ao);
+ }
+}
+
+static void einval_tests(void)
+{
+ struct tcp_ao ao;
+ int sk;
+
+ sk = prepare_defs(&ao);
+ strcpy(ao.tcpa_alg_name, "imaginary hash algo");
+ setsockopt_checked(sk, TCP_AO, &ao, ENOENT, "bad algo");
+
+ sk = prepare_defs(&ao);
+ ao.tcpa_flags = (uint16_t)(-1);
+ setsockopt_checked(sk, TCP_AO, &ao, EINVAL, "bad ao flags");
+
+ sk = prepare_defs(&ao);
+ ao.tcpa_prefix = 0;
+ setsockopt_checked(sk, TCP_AO, &ao, EINVAL, "empty prefix");
+
+ sk = prepare_defs(&ao);
+ ao.tcpa_prefix = 32;
+ memcpy(&ao.tcpa_addr, &SOCKADDR_ANY, sizeof(SOCKADDR_ANY));
+ setsockopt_checked(sk, TCP_AO, &ao, EINVAL, "prefix, any addr");
+
+ sk = prepare_defs(&ao);
+ ao.tcpa_prefix = 0;
+ memcpy(&ao.tcpa_addr, &SOCKADDR_ANY, sizeof(SOCKADDR_ANY));
+ setsockopt_checked(sk, TCP_AO, &ao, 0, "no prefix, any addr");
+
+ sk = prepare_defs(&ao);
+ ao.tcpa_prefix = 2;
+ setsockopt_checked(sk, TCP_AO, &ao, EINVAL, "too short prefix");
+
+ sk = prepare_defs(&ao);
+ ao.tcpa_prefix = 129;
+ setsockopt_checked(sk, TCP_AO, &ao, EINVAL, "too big prefix");
+
+ sk = prepare_defs(&ao);
+ ao.tcpa_maclen = 100;
+ setsockopt_checked(sk, TCP_AO, &ao, EMSGSIZE, "too big maclen");
+
+ sk = prepare_defs(&ao);
+ ao.tcpa_keyflags = (uint8_t)(-1);
+ setsockopt_checked(sk, TCP_AO, &ao, EINVAL, "bad key flags");
+
+ sk = prepare_defs(&ao);
+ ao.tcpa_keylen = TCP_AO_MAXKEYLEN + 1;
+ setsockopt_checked(sk, TCP_AO, &ao, EINVAL, "too big keylen");
+}
+
+static void duplicate_tests(void)
+{
+ union tcp_addr network_dup;
+ struct tcp_ao ao, ao2;
+ int sk;
+
+ sk = prepare_defs(&ao);
+ if (setsockopt(sk, IPPROTO_TCP, TCP_AO, &ao, sizeof(ao)))
+ test_error("setsockopt()");
+ setsockopt_checked(sk, TCP_AO, &ao, EEXIST, "duplicate: full copy");
+
+ sk = prepare_defs(&ao);
+ ao2 = ao;
+ memcpy(&ao2.tcpa_addr, &SOCKADDR_ANY, sizeof(SOCKADDR_ANY));
+ ao2.tcpa_prefix = 0;
+ if (setsockopt(sk, IPPROTO_TCP, TCP_AO, &ao2, sizeof(ao)))
+ test_error("setsockopt()");
+ setsockopt_checked(sk, TCP_AO, &ao, EEXIST, "duplicate: any addr key on the socket");
+
+ sk = prepare_defs(&ao);
+ if (setsockopt(sk, IPPROTO_TCP, TCP_AO, &ao, sizeof(ao)))
+ test_error("setsockopt()");
+ memcpy(&ao.tcpa_addr, &SOCKADDR_ANY, sizeof(SOCKADDR_ANY));
+ ao.tcpa_prefix = 0;
+ setsockopt_checked(sk, TCP_AO, &ao, EEXIST, "duplicate: add any addr key");
+
+
+ if (inet_pton(TEST_FAMILY, TEST_NETWORK, &network_dup) != 1)
+ test_error("Can't convert ip address %s", TEST_NETWORK);
+ sk = prepare_defs(&ao);
+ if (setsockopt(sk, IPPROTO_TCP, TCP_AO, &ao, sizeof(ao)))
+ test_error("setsockopt()");
+ if (test_prepare_def_ao(&ao, "password", 0, network_dup, 16, 100, 100))
+ test_error("prepare default tcp_ao");
+ setsockopt_checked(sk, TCP_AO, &ao, EEXIST, "duplicate: add any addr for the same subnet");
+}
+
+
+static void *client_fn(void *arg)
+{
+ test_extend();
+ einval_tests();
+ duplicate_tests();
+
+ return NULL;
+}
+
+int main(int argc, char *argv[])
+{
+ test_init(16, client_fn, NULL);
+ return 0;
+}
--
2.37.2
Powered by blists - more mailing lists