[PATCH v7 21/26] selftests: net/fcnal: Initial tcp_authopt support

From: Leonard Crestez
Date: Thu Aug 18 2022 - 16:04:20 EST


Tests are mostly copied from tcp_md5 with minor changes.

It covers VRF support but only based on binding multiple servers: not
multiple keys bound to different interfaces.

Also add a specific -t tcp_authopt to run only these tests specifically.

Signed-off-by: Leonard Crestez <cdleonard@xxxxxxxxx>
---
tools/testing/selftests/net/fcnal-test.sh | 329 +++++++++++++++++++++-
1 file changed, 327 insertions(+), 2 deletions(-)

diff --git a/tools/testing/selftests/net/fcnal-test.sh b/tools/testing/selftests/net/fcnal-test.sh
index 03b586760164..6b443aa0d89e 100755
--- a/tools/testing/selftests/net/fcnal-test.sh
+++ b/tools/testing/selftests/net/fcnal-test.sh
@@ -830,10 +830,330 @@ ipv4_ping()
}

################################################################################
# IPv4 TCP

+#
+# TCP Authentication Option Tests
+#
+
+# try to enable tcp_authopt sysctl
+enable_tcp_authopt()
+{
+ if [[ -e /proc/sys/net/ipv4/tcp_authopt ]]; then
+ sysctl -w net.ipv4.tcp_authopt=1
+ fi
+}
+
+# check if tcp_authopt is compiled with a client-side bind test
+has_tcp_authopt()
+{
+ run_cmd_nsb nettest -b -A ${MD5_PW} -r ${NSA_IP}
+}
+
+# Verify /proc/net/tcp_authopt is empty in all namespaces
+check_tcp_authopt_key_leak()
+{
+ local ns cnt
+
+ for ns in $NSA $NSB $NSC; do
+ if ! ip netns list | grep -q $ns; then
+ continue
+ fi
+ cnt=$(ip netns exec "$ns" cat /proc/net/tcp_authopt | wc -l)
+ if [[ $cnt != 1 ]]; then
+ echo "FAIL: leaked tcp_authopt keys in netns $ns"
+ ip netns exec $ns cat /proc/net/tcp_authopt
+ return 1
+ fi
+ done
+}
+
+log_check_tcp_authopt_key_leak()
+{
+ check_tcp_authopt_key_leak
+ log_test $? 0 "TCP-AO: Key leak check"
+}
+
+ipv4_tcp_authopt_novrf()
+{
+ enable_tcp_authopt
+ if ! has_tcp_authopt; then
+ echo "TCP-AO appears to be missing, skip"
+ return 0
+ fi
+
+ log_start
+ run_cmd nettest -s -A ${MD5_PW} -m ${NSB_IP} &
+ sleep 1
+ run_cmd_nsb nettest -r ${NSA_IP} -A ${MD5_PW}
+ log_test $? 0 "AO: Single address config"
+
+ log_start
+ run_cmd nettest -s &
+ sleep 1
+ run_cmd_nsb nettest -r ${NSA_IP} -A ${MD5_PW}
+ log_test $? 2 "AO: Server no config, client uses password"
+
+ log_start
+ run_cmd nettest -s -A ${MD5_PW} -m ${NSB_IP} &
+ sleep 1
+ run_cmd_nsb nettest -r ${NSA_IP} -A ${MD5_WRONG_PW}
+ log_test $? 2 "AO: Client uses wrong password"
+ log_check_tcp_authopt_key_leak
+
+ log_start
+ run_cmd nettest -s -A ${MD5_PW} -m ${NSB_LO_IP} &
+ sleep 1
+ run_cmd_nsb nettest -r ${NSA_IP} -A ${MD5_PW}
+ log_test $? 2 "AO: Client address does not match address configured on server"
+ log_check_tcp_authopt_key_leak
+
+ # client in prefix
+ log_start
+ run_cmd nettest -s -A ${MD5_PW} -m ${NS_NET} &
+ sleep 1
+ run_cmd_nsb nettest -r ${NSA_IP} -A ${MD5_PW}
+ log_test $? 0 "AO: Prefix config"
+
+ # client in prefix, wrong password
+ log_start
+ show_hint "Should timeout since client uses wrong password"
+ run_cmd nettest -s -A ${MD5_PW} -m ${NS_NET} &
+ sleep 1
+ run_cmd_nsb nettest -r ${NSA_IP} -A ${MD5_WRONG_PW}
+ log_test $? 2 "AO: Prefix config, client uses wrong password"
+ log_check_tcp_authopt_key_leak
+
+ # client outside of prefix
+ log_start
+ show_hint "Should timeout due to MD5 mismatch"
+ run_cmd nettest -s -A ${MD5_PW} -m ${NS_NET} &
+ sleep 1
+ run_cmd_nsb nettest -c ${NSB_LO_IP} -r ${NSA_IP} -A ${MD5_PW}
+ log_test $? 2 "AO: Prefix config, client address not in configured prefix"
+ log_check_tcp_authopt_key_leak
+}
+
+ipv6_tcp_authopt_novrf()
+{
+ enable_tcp_authopt
+ if ! has_tcp_authopt; then
+ echo "TCP-AO appears to be missing, skip"
+ return 0
+ fi
+
+ log_start
+ run_cmd nettest -6 -s -A ${MD5_PW} &
+ sleep 1
+ run_cmd_nsb nettest -6 -r ${NSA_IP6} -A ${MD5_PW}
+ log_test $? 0 "AO: Simple correct config"
+
+ log_start
+ run_cmd nettest -6 -s
+ sleep 1
+ run_cmd_nsb nettest -6 -r ${NSA_IP6} -A ${MD5_PW}
+ log_test $? 2 "AO: Server no config, client uses password"
+
+ log_start
+ run_cmd nettest -6 -s -A ${MD5_PW} -m ${NSB_IP6} &
+ sleep 1
+ run_cmd_nsb nettest -6 -r ${NSA_IP6} -A ${MD5_WRONG_PW}
+ log_test $? 2 "AO: Client uses wrong password"
+
+ log_start
+ run_cmd nettest -6 -s -A ${MD5_PW} -m ${NSB_LO_IP6} &
+ sleep 1
+ run_cmd_nsb nettest -6 -r ${NSA_IP6} -A ${MD5_PW}
+ log_test $? 2 "AO: Client address does not match address configured on server"
+}
+
+ipv4_tcp_authopt_vrf()
+{
+ enable_tcp_authopt
+ if ! has_tcp_authopt; then
+ echo "TCP-AO appears to be missing, skip"
+ return 0
+ fi
+
+ log_start
+ run_cmd nettest -s -I ${VRF} -A ${MD5_PW} &
+ sleep 1
+ run_cmd_nsb nettest -r ${NSA_IP} -A ${MD5_PW}
+ log_test $? 0 "AO: VRF: Simple config"
+
+ #
+ # duplicate config between default VRF and a VRF
+ #
+
+ log_start
+ run_cmd nettest -s -I ${VRF} -A ${MD5_PW} -m ${NSB_IP} &
+ run_cmd nettest -s -A ${MD5_WRONG_PW} -m ${NSB_IP} &
+ sleep 1
+ run_cmd_nsb nettest -r ${NSA_IP} -A ${MD5_PW}
+ log_test $? 0 "AO: VRF: Servers in default VRF and VRF, client in VRF"
+
+ log_start
+ run_cmd nettest -s -I ${VRF} -A ${MD5_PW} -m ${NSB_IP} &
+ run_cmd nettest -s -A ${MD5_WRONG_PW} -m ${NSB_IP} &
+ sleep 1
+ run_cmd_nsc nettest -r ${NSA_IP} -A ${MD5_WRONG_PW}
+ log_test $? 0 "AO: VRF: Servers in default VRF and VRF, client in default VRF"
+
+ log_start
+ show_hint "Should timeout since client in default VRF uses VRF password"
+ run_cmd nettest -s -I ${VRF} -A ${MD5_PW} -m ${NSB_IP} &
+ run_cmd nettest -s -A ${MD5_WRONG_PW} -m ${NSB_IP} &
+ sleep 1
+ run_cmd_nsc nettest -r ${NSA_IP} -A ${MD5_PW}
+ log_test $? 2 "AO: VRF: Servers in default VRF and VRF, conn in default VRF with VRF pw"
+
+ log_start
+ show_hint "Should timeout since client in VRF uses default VRF password"
+ run_cmd nettest -s -I ${VRF} -A ${MD5_PW} -m ${NSB_IP} &
+ run_cmd nettest -s -A ${MD5_WRONG_PW} -m ${NSB_IP} &
+ sleep 1
+ run_cmd_nsb nettest -r ${NSA_IP} -A ${MD5_WRONG_PW}
+ log_test $? 2 "AO: VRF: Servers in default VRF and VRF, conn in VRF with default VRF pw"
+
+ test_ipv4_tcp_authopt_vrf__global_server__bind_ifindex0
+}
+
+test_ipv4_tcp_authopt_vrf__global_server__bind_ifindex0()
+{
+ # This particular test needs tcp_l3mdev_accept=1 for Global server to accept VRF connections
+ local old_tcp_l3mdev_accept
+ old_tcp_l3mdev_accept=$(get_sysctl net.ipv4.tcp_l3mdev_accept)
+ set_sysctl net.ipv4.tcp_l3mdev_accept=1
+
+ log_start
+ run_cmd nettest -s -A ${MD5_PW} --force-bind-key-ifindex &
+ sleep 1
+ run_cmd_nsb nettest -r ${NSA_IP} -A ${MD5_PW}
+ log_test $? 2 "AO: VRF: Global server, Key bound to ifindex=0 rejects VRF connection"
+
+ log_start
+ run_cmd nettest -s -A ${MD5_PW} --force-bind-key-ifindex &
+ sleep 1
+ run_cmd_nsc nettest -r ${NSA_IP} -A ${MD5_PW}
+ log_test $? 0 "AO: VRF: Global server, key bound to ifindex=0 accepts non-VRF connection"
+ log_start
+
+ run_cmd nettest -s -A ${MD5_PW} --no-bind-key-ifindex &
+ sleep 1
+ run_cmd_nsb nettest -r ${NSA_IP} -A ${MD5_PW}
+ log_test $? 0 "AO: VRF: Global server, key not bound to ifindex accepts VRF connection"
+
+ log_start
+ run_cmd nettest -s -A ${MD5_PW} --no-bind-key-ifindex &
+ sleep 1
+ run_cmd_nsc nettest -r ${NSA_IP} -A ${MD5_PW}
+ log_test $? 0 "AO: VRF: Global server, key not bound to ifindex accepts non-VRF connection"
+
+ # restore value
+ set_sysctl net.ipv4.tcp_l3mdev_accept="$old_tcp_l3mdev_accept"
+}
+
+ipv6_tcp_authopt_vrf()
+{
+ enable_tcp_authopt
+ if ! has_tcp_authopt; then
+ echo "TCP-AO appears to be missing, skip"
+ return 0
+ fi
+
+ log_start
+ run_cmd nettest -6 -s -I ${VRF} -A ${MD5_PW} &
+ sleep 1
+ run_cmd_nsb nettest -6 -r ${NSA_IP6} -A ${MD5_PW}
+ log_test $? 0 "AO: VRF: Simple config"
+
+ #
+ # duplicate config between default VRF and a VRF
+ #
+
+ log_start
+ run_cmd nettest -6 -s -I ${VRF} -A ${MD5_PW} -m ${NSB_IP6} &
+ run_cmd nettest -6 -s -A ${MD5_WRONG_PW} -m ${NSB_IP6} &
+ sleep 1
+ run_cmd_nsb nettest -6 -r ${NSA_IP6} -A ${MD5_PW}
+ log_test $? 0 "AO: VRF: Servers in default VRF and VRF, client in VRF"
+
+ log_start
+ run_cmd nettest -6 -s -I ${VRF} -A ${MD5_PW} -m ${NSB_IP6} &
+ run_cmd nettest -6 -s -A ${MD5_WRONG_PW} -m ${NSB_IP6} &
+ sleep 1
+ run_cmd_nsc nettest -6 -r ${NSA_IP6} -A ${MD5_WRONG_PW}
+ log_test $? 0 "AO: VRF: Servers in default VRF and VRF, client in default VRF"
+
+ log_start
+ show_hint "Should timeout since client in default VRF uses VRF password"
+ run_cmd nettest -6 -s -I ${VRF} -A ${MD5_PW} -m ${NSB_IP6} &
+ run_cmd nettest -6 -s -A ${MD5_WRONG_PW} -m ${NSB_IP6} &
+ sleep 1
+ run_cmd_nsc nettest -6 -r ${NSA_IP6} -A ${MD5_PW}
+ log_test $? 2 "AO: VRF: Servers in default VRF and VRF, conn in default VRF with VRF pw"
+
+ log_start
+ show_hint "Should timeout since client in VRF uses default VRF password"
+ run_cmd nettest -6 -s -I ${VRF} -A ${MD5_PW} -m ${NSB_IP6} &
+ run_cmd nettest -6 -s -A ${MD5_WRONG_PW} -m ${NSB_IP6} &
+ sleep 1
+ run_cmd_nsb nettest -6 -r ${NSA_IP6} -A ${MD5_WRONG_PW}
+ log_test $? 2 "AO: VRF: Servers in default VRF and VRF, conn in VRF with default VRF pw"
+
+ log_start
+ run_cmd nettest -6 -s -I ${VRF} -A ${MD5_PW} -m ${NS_NET6} &
+ run_cmd nettest -6 -s -A ${MD5_WRONG_PW} -m ${NS_NET6} &
+ sleep 1
+ run_cmd_nsb nettest -6 -r ${NSA_IP6} -A ${MD5_PW}
+ log_test $? 0 "AO: VRF: Prefix config in default VRF and VRF, conn in VRF"
+
+ log_start
+ run_cmd nettest -6 -s -I ${VRF} -A ${MD5_PW} -m ${NS_NET6} &
+ run_cmd nettest -6 -s -A ${MD5_WRONG_PW} -m ${NS_NET6} &
+ sleep 1
+ run_cmd_nsc nettest -6 -r ${NSA_IP6} -A ${MD5_WRONG_PW}
+ log_test $? 0 "AO: VRF: Prefix config in default VRF and VRF, conn in default VRF"
+
+ log_start
+ show_hint "Should timeout since client in default VRF uses VRF password"
+ run_cmd nettest -6 -s -I ${VRF} -A ${MD5_PW} -m ${NS_NET6} &
+ run_cmd nettest -6 -s -A ${MD5_WRONG_PW} -m ${NS_NET6} &
+ sleep 1
+ run_cmd_nsc nettest -6 -r ${NSA_IP6} -A ${MD5_PW}
+ log_test $? 2 "AO: VRF: Prefix config in def VRF and VRF, conn in def VRF with VRF pw"
+
+ log_start
+ show_hint "Should timeout since client in VRF uses default VRF password"
+ run_cmd nettest -6 -s -I ${VRF} -A ${MD5_PW} -m ${NS_NET6} &
+ run_cmd nettest -6 -s -A ${MD5_WRONG_PW} -m ${NS_NET6} &
+ sleep 1
+ run_cmd_nsb nettest -6 -r ${NSA_IP6} -A ${MD5_WRONG_PW}
+ log_test $? 2 "AO: VRF: Prefix config in dev VRF and VRF, conn in VRF with def VRF pw"
+}
+
+only_tcp_authopt()
+{
+ log_section "TCP Authentication Option"
+
+ setup
+ set_sysctl net.ipv4.tcp_l3mdev_accept=0
+ log_subsection "TCP-AO IPv4 no VRF"
+ ipv4_tcp_authopt_novrf
+ log_subsection "TCP-AO IPv6 no VRF"
+ ipv6_tcp_authopt_novrf
+
+ setup "yes"
+ setup_vrf_dup
+ set_sysctl net.ipv4.tcp_l3mdev_accept=0
+ log_subsection "TCP-AO IPv4 VRF"
+ ipv4_tcp_authopt_vrf
+ log_subsection "TCP-AO IPv6 VRF"
+ ipv6_tcp_authopt_vrf
+}
+
#
# MD5 tests without VRF
#
ipv4_tcp_md5_novrf()
{
@@ -1215,10 +1535,11 @@ ipv4_tcp_novrf()
show_hint "Should fail 'Connection refused'"
run_cmd nettest -d ${NSA_DEV} -r ${a}
log_test_addr ${a} $? 1 "No server, device client, local conn"

ipv4_tcp_md5_novrf
+ ipv4_tcp_authopt_novrf
}

ipv4_tcp_vrf()
{
local a
@@ -1267,13 +1588,14 @@ ipv4_tcp_vrf()
run_cmd nettest -s &
sleep 1
run_cmd nettest -r ${a} -d ${NSA_DEV}
log_test_addr ${a} $? 1 "Global server, local connection"

- # run MD5 tests
+ # run MD5+AO tests
setup_vrf_dup
ipv4_tcp_md5
+ ipv6_tcp_md5_vrf
cleanup_vrf_dup

#
# enable VRF global server
#
@@ -2748,10 +3070,11 @@ ipv6_tcp_novrf()
run_cmd nettest -6 -d ${NSA_DEV} -r ${a}
log_test_addr ${a} $? 1 "No server, device client, local conn"
done

ipv6_tcp_md5_novrf
+ ipv6_tcp_authopt_novrf
}

ipv6_tcp_vrf()
{
local a
@@ -2816,13 +3139,14 @@ ipv6_tcp_vrf()
run_cmd nettest -6 -s &
sleep 1
run_cmd nettest -6 -r ${a} -d ${NSA_DEV}
log_test_addr ${a} $? 1 "Global server, local connection"

- # run MD5 tests
+ # run MD5+AO tests
setup_vrf_dup
ipv6_tcp_md5
+ ipv6_tcp_authopt_vrf
cleanup_vrf_dup

#
# enable VRF global server
#
@@ -4191,10 +4515,11 @@ do
ipv6_bind|bind6) ipv6_addr_bind;;
ipv6_runtime) ipv6_runtime;;
ipv6_netfilter) ipv6_netfilter;;

use_cases) use_cases;;
+ tcp_authopt) only_tcp_authopt;;

# setup namespaces and config, but do not run any tests
setup) setup; exit 0;;
vrf_setup) setup "yes"; exit 0;;
esac
--
2.25.1