From patchwork Thu Oct 27 20:43:47 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Dmitry Safonov X-Patchwork-Id: 11979 Return-Path: Delivered-To: ouuuleilei@gmail.com Received: by 2002:a5d:6687:0:0:0:0:0 with SMTP id l7csp450028wru; Thu, 27 Oct 2022 13:52:26 -0700 (PDT) X-Google-Smtp-Source: AMsMyM4yZgbLFZb8ErqZBif3p8R8RbdfjDBb+Vler0RE1cWTPi1WNIo/s1DTri/VvpbxfZ7UfHFw X-Received: by 2002:a05:6402:42c6:b0:462:1abc:e576 with SMTP id i6-20020a05640242c600b004621abce576mr14659264edc.223.1666903946008; Thu, 27 Oct 2022 13:52:26 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1666903946; cv=none; d=google.com; s=arc-20160816; b=0zCjf/rFWrjxxuk48U2nGQmbflXw19BjKXomCTJWWcRt9yAkL9fXQYTkubB+K+OVDJ +wtbKaqLP7hAynmS66dK4tsZ210PWWvdzO0IAAQajAjgqETvT5uH9JTqJr+0nG2JDyQ6 wTTCE1IyHVyqIZtWdsdCugE6ysyfu3k4kOr2JF7lNO4PDfZKpOWoGBB20/bd6kNPBqOc 5Qi4VyKxO3lD7V9tK792h8HWR0ccWc6RHqV0lh/X1BvsdQUMVUSO0kXSwiuwi1O/FYBh JDEZo6uZm+XsiNZb8zuPdxf4ENedxvqn5F66SVWfoDGZNZBA02yL7For8xREged7c4Kg VqQQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :references:in-reply-to:message-id:date:subject:cc:to:from :dkim-signature; bh=Fds8a12jf9hfVLIPaQf1hCBYTA2Bs1gOOen7wI+4FKs=; b=V65RN3/AIF9KfTzUHwcPqWdIIKKg6yeDOWADqVgkmvmvhfhkEImJel7kpiS3tgQxEI RLXPpw8e9sniFLikw8fEjwuHXskdODbKouZ0OwmICcmYgiSu3twUvT6YKDSIcNiTpsZF Z36x56PivRy3GqtKAej554BYvnTTh41bqV6KBWu/UuTQg8G7yP0bY7Patxhb0DOyXUig bPmeGSXb86gxOT6U9mvdxMoi3JZ5DOyJFrakJjwG9SzdrvQRiPvziB2sMmaoz0bwIqRF JVl7dg4dOGaq4bUz+wLnHNyv8swSLW6S/ciRGtrFTqoQ6oRlakPkCIPE6DLBhdNe7O7h tjoA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@arista.com header.s=google header.b=eqMrDFj+; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=arista.com Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id s9-20020a50ab09000000b004617df75676si2321083edc.245.2022.10.27.13.52.02; Thu, 27 Oct 2022 13:52:25 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@arista.com header.s=google header.b=eqMrDFj+; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=arista.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S236083AbiJ0UvP (ORCPT + 99 others); Thu, 27 Oct 2022 16:51:15 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:32836 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S236565AbiJ0Ute (ORCPT ); Thu, 27 Oct 2022 16:49:34 -0400 Received: from mail-wr1-x431.google.com (mail-wr1-x431.google.com [IPv6:2a00:1450:4864:20::431]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 72C996558 for ; Thu, 27 Oct 2022 13:44:50 -0700 (PDT) Received: by mail-wr1-x431.google.com with SMTP id g12so4148502wrs.10 for ; Thu, 27 Oct 2022 13:44:50 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=arista.com; s=google; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=Fds8a12jf9hfVLIPaQf1hCBYTA2Bs1gOOen7wI+4FKs=; b=eqMrDFj+3C4vgMdKJwg0YIgDKbiHptwg7llwlbnqfbe1638SE7MZvOmDpHQbP5O5SG ZY8YWWuJEFRk3N23/HNrzn+WGuemP7ndSwE5t79LY4WpspLO8ZBnAVf+E/WMpB6hPcq3 njCoc7tP3HVHMzjq2aeV5tvlkGoMBmLhbKpR/zT4bhulMYeT03PEUpQuzrERvyedU+/7 7nyy5rtYnZJhgXSFaah4w4nNhQJPYCRGRQqDctgcgtshZAQyI/mFhQvYXhQm3kE+YQLz aVvuyB7J7cEa/1a965O0EAx4bP3ycDKfl5igc/7AM/i61gQ11Qg9VnPfviYovuvtPMZz /UBA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=Fds8a12jf9hfVLIPaQf1hCBYTA2Bs1gOOen7wI+4FKs=; b=DJPEzmUQri8IelR8QtHHkbZ6Aq/JJYLbgQOXww9V1RfgWU2/H2UeE/WYfUjl8esfrI bSg/Ok6WJ3t26uSKGvSYIIWuDEkizoDP3RY7LgfIw0yY1shCX3UqvfhzXAjHjcyMSrlF vOR2fpCWHvhQKaLhjwKNMuspGL6ai0bf8qYQY5uuiJ8VEHq4Jxb1QxyhdlBMeMqC4n9W U9weKX27ERn15vEgNsly5NH9+fdfjzR75epoOPa6yxGmR0d6D2Ty8zm7SdDPuKWPbIZ6 EuUIxJAXoRdO7RZxxxfNcTu/Grao4fKu4T2cM333aqjWYmefc4D1zfgYN3DRBMFBfqnv 3kTA== X-Gm-Message-State: ACrzQf0+JCl+IL97dgIU4ueR0/Fozi5IuhJoxWkcCgMQN0UfARsnxxxJ 8nVwX3ajhm8WPYgHAZhCH2eqlVWfgkfqMtx1 X-Received: by 2002:adf:e38d:0:b0:236:7217:827e with SMTP id e13-20020adfe38d000000b002367217827emr15088546wrm.652.1666903489637; Thu, 27 Oct 2022 13:44:49 -0700 (PDT) Received: from Mindolluin.ire.aristanetworks.com ([217.173.96.166]) by smtp.gmail.com with ESMTPSA id n3-20020a5d6b83000000b00236644228besm1968739wrx.40.2022.10.27.13.44.48 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 27 Oct 2022 13:44:49 -0700 (PDT) From: Dmitry Safonov To: linux-kernel@vger.kernel.org, David Ahern , Eric Dumazet Cc: Dmitry Safonov , Andy Lutomirski , Ard Biesheuvel , Bob Gilligan , Dan Carpenter , "David S. Miller" , Dmitry Safonov <0x7f454c46@gmail.com>, Eric Biggers , "Eric W. Biederman" , Francesco Ruggeri , Herbert Xu , Hideaki YOSHIFUJI , Ivan Delalande , Jakub Kicinski , Leonard Crestez , Paolo Abeni , Salam Noureddine , Shuah Khan , netdev@vger.kernel.org, linux-crypto@vger.kernel.org Subject: [PATCH v3 36/36] selftests/fcnal-test.sh: Add TCP-AO tests Date: Thu, 27 Oct 2022 21:43:47 +0100 Message-Id: <20221027204347.529913-37-dima@arista.com> X-Mailer: git-send-email 2.38.1 In-Reply-To: <20221027204347.529913-1-dima@arista.com> References: <20221027204347.529913-1-dima@arista.com> MIME-Version: 1.0 X-Spam-Status: No, score=-2.6 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_NONE, SPF_HELO_NONE,SPF_NONE autolearn=unavailable autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org X-getmail-retrieved-from-mailbox: =?utf-8?q?INBOX?= X-GMAIL-THRID: =?utf-8?q?1747875472297941201?= X-GMAIL-MSGID: =?utf-8?q?1747875472297941201?= These are basic TCP-AO functionality tests, more detailed coverage with functional testing is done by selftests/net/tcp_ao library and binaries. Sample output: > TEST: Global server - ns-A IP [ OK ] > TEST: Global server - ns-A loopback IP [ OK ] > TEST: Device server - ns-A IP [ OK ] > TEST: No server - ns-A IP [ OK ] > TEST: No server - ns-A loopback IP [ OK ] > TEST: Client - ns-B IP [ OK ] > TEST: Client, device bind - ns-B IP [ OK ] > TEST: No server, unbound client - ns-B IP [ OK ] > TEST: No server, device client - ns-B IP [ OK ] > TEST: Client - ns-B loopback IP [ OK ] > TEST: Client, device bind - ns-B loopback IP [ OK ] > TEST: No server, unbound client - ns-B loopback IP [ OK ] > TEST: No server, device client - ns-B loopback IP [ OK ] > TEST: Global server, local connection - ns-A IP [ OK ] > TEST: Global server, local connection - ns-A loopback IP [ OK ] > TEST: Global server, local connection - loopback [ OK ] > TEST: Device server, unbound client, local connection - ns-A IP [ OK ] > TEST: Device server, unbound client, local connection - ns-A loopback IP [ OK ] > TEST: Device server, unbound client, local connection - loopback [ OK ] > TEST: Global server, device client, local connection - ns-A IP [ OK ] > TEST: Global server, device client, local connection - ns-A loopback IP [ OK ] > TEST: Global server, device client, local connection - loopback [ OK ] > TEST: Device server, device client, local connection - ns-A IP [ OK ] > TEST: No server, device client, local conn - ns-A IP [ OK ] > TEST: MD5: Single address config [ OK ] > TEST: MD5: Server no config, client uses password [ OK ] > TEST: MD5: Client uses wrong password [ OK ] > TEST: MD5: Client address does not match address configured with password [ OK ] > TEST: MD5: Prefix config [ OK ] > TEST: MD5: Prefix config, client uses wrong password [ OK ] > TEST: MD5: Prefix config, client address not in configured prefix [ OK ] > TEST: TCP-AO [hmac(sha1):12]: Single address config [ OK ] > TEST: TCP-AO [hmac(sha1):12]: Server no config, client uses password [ OK ] > TEST: TCP-AO [hmac(sha1):12]: Client uses wrong password [ OK ] > TEST: TCP-AO [cmac(aes128):12]: Single address config [ OK ] > TEST: TCP-AO [cmac(aes128):12]: Server no config, client uses password [ OK ] > TEST: TCP-AO [cmac(aes128):12]: Client uses wrong password [ OK ] > TEST: TCP-AO [hmac(rmd160):12]: Single address config [ OK ] > TEST: TCP-AO [hmac(rmd160):12]: Server no config, client uses password [ OK ] > TEST: TCP-AO [hmac(rmd160):12]: Client uses wrong password [ OK ] > TEST: TCP-AO [hmac(sha512):12]: Single address config [ OK ] > TEST: TCP-AO [hmac(sha512):12]: Server no config, client uses password [ OK ] > TEST: TCP-AO [hmac(sha512):12]: Client uses wrong password [ OK ] > TEST: TCP-AO [hmac(sha384):12]: Single address config [ OK ] > TEST: TCP-AO [hmac(sha384):12]: Server no config, client uses password [ OK ] > TEST: TCP-AO [hmac(sha384):12]: Client uses wrong password [ OK ] > TEST: TCP-AO [hmac(sha256):12]: Single address config [ OK ] > TEST: TCP-AO [hmac(sha256):12]: Server no config, client uses password [ OK ] > TEST: TCP-AO [hmac(sha256):12]: Client uses wrong password [ OK ] > TEST: TCP-AO [hmac(md5):12]: Single address config [ OK ] > TEST: TCP-AO [hmac(md5):12]: Server no config, client uses password [ OK ] > TEST: TCP-AO [hmac(md5):12]: Client uses wrong password [ OK ] > TEST: TCP-AO [hmac(sha224):12]: Single address config [ OK ] > TEST: TCP-AO [hmac(sha224):12]: Server no config, client uses password [ OK ] > TEST: TCP-AO [hmac(sha224):12]: Client uses wrong password [ OK ] > TEST: TCP-AO [hmac(sha3-512):12]: Single address config [ OK ] > TEST: TCP-AO [hmac(sha3-512):12]: Server no config, client uses password [ OK ] > TEST: TCP-AO [hmac(sha3-512):12]: Client uses wrong password [ OK ] > TEST: TCP-AO: Client address does not match address configured with password [ OK ] > TEST: TCP-AO: Prefix config [ OK ] > TEST: TCP-AO: Prefix config, client uses wrong password [ OK ] > TEST: TCP-AO: Prefix config, client address not in configured prefix [ OK ] > TEST: TCP-AO: Different key ids [ OK ] > TEST: TCP-AO: Wrong keyid [ OK ] > TEST: TCP-AO [cmac(aes128):16]: Single address config [ OK ] > TEST: TCP-AO [cmac(aes128):16]: Server no config, client uses password [ OK ] > TEST: TCP-AO [cmac(aes128):16]: Client uses wrong password [ OK ] > TEST: TCP-AO [hmac(sha1):16]: Single address config [ OK ] > TEST: TCP-AO [hmac(sha1):16]: Server no config, client uses password [ OK ] > TEST: TCP-AO [hmac(sha1):16]: Client uses wrong password [ OK ] > TEST: TCP-AO [cmac(aes128):4]: Single address config [ OK ] > TEST: TCP-AO [cmac(aes128):4]: Server no config, client uses password [ OK ] > TEST: TCP-AO [cmac(aes128):4]: Client uses wrong password [ OK ] > TEST: TCP-AO [hmac(sha1):4]: Single address config [ OK ] > TEST: TCP-AO [hmac(sha1):4]: Server no config, client uses password [ OK ] > TEST: TCP-AO [hmac(sha1):4]: Client uses wrong password [ OK ] > TEST: TCP-AO: add MD5 and TCP-AO for the same peer address [ OK ] > TEST: TCP-AO: MD5 and TCP-AO on connect() [ OK ] > TEST: TCP-AO: Exclude TCP options [ OK ] Signed-off-by: Dmitry Safonov --- tools/testing/selftests/net/fcnal-test.sh | 239 ++++++++++++++++++++++ 1 file changed, 239 insertions(+) diff --git a/tools/testing/selftests/net/fcnal-test.sh b/tools/testing/selftests/net/fcnal-test.sh index d4516c755858..95718516b234 100755 --- a/tools/testing/selftests/net/fcnal-test.sh +++ b/tools/testing/selftests/net/fcnal-test.sh @@ -76,6 +76,12 @@ BCAST_IP=255.255.255.255 MD5_PW=abc123 MD5_WRONG_PW=abc1234 +AO_PW=abc123 +AO_WRONG_PW=abc1234 +AO_HASH_ALGOS="hmac(sha1) cmac(aes128)" +AO_HASH_ALGOS+=" hmac(rmd160) hmac(sha512)" +AO_HASH_ALGOS+=" hmac(sha384) hmac(sha256) hmac(md5)" +AO_HASH_ALGOS+=" hmac(sha224) hmac(sha3-512)" MCAST=ff02::1 # set after namespace create @@ -900,6 +906,123 @@ ipv4_tcp_md5_novrf() log_test $? 2 "MD5: Prefix config, client address not in configured prefix" } +# +# TCP-AO tests without VRF +# +ipv4_tcp_ao_algos() +{ + # basic use case + log_start + run_cmd nettest -s -T 100:100 --tcpao_algo=$1 --tcpao_maclen=$2 \ + -X ${AO_PW} -m ${NSB_IP} & + sleep 1 + run_cmd_nsb nettest -r ${NSA_IP} -T 100:100 --tcpao_algo=$1 \ + --tcpao_maclen=$2 -X ${AO_PW} + log_test $? 0 "TCP-AO [$1:$2]: Single address config" + + # client sends TCP-AO, server not configured + log_start + show_hint "Should timeout due to TCP-AO password mismatch" + run_cmd nettest -s & + sleep 1 + run_cmd_nsb nettest -r ${NSA_IP} -T 100:100 --tcpao_algo=$1 \ + --tcpao_maclen=$2 -X ${AO_PW} + log_test $? 2 "TCP-AO [$1:$2]: Server no config, client uses password" + + # wrong password + log_start + show_hint "Should timeout since client uses wrong password" + run_cmd nettest -s -T 100:100 --tcpao_algo=$1 --tcpao_maclen=$2 \ + -X ${AO_PW} -m ${NSB_IP} & + sleep 1 + run_cmd_nsb nettest -r ${NSA_IP} -T 100:100 --tcpao_algo=$1 \ + --tcpao_maclen=$2 -X ${AO_WRONG_PW} + log_test $? 2 "TCP-AO [$1:$2]: Client uses wrong password" +} + +ipv4_tcp_ao_novrf() +{ + # + # single address + # + for i in $AO_HASH_ALGOS ; do + ipv4_tcp_ao_algos $i 12 + done + + # client from different address + log_start + show_hint "Should timeout due to TCP-AO address mismatch" + run_cmd nettest -s -T 100:100 -X ${AO_PW} -m ${NSB_LO_IP} & + sleep 1 + run_cmd_nsb nettest -r ${NSA_IP} -T 100:100 -X ${AO_PW} + log_test $? 2 "TCP-AO: Client address does not match address configured with password" + + # client in prefix + log_start + run_cmd nettest -s -T 100:100 -X ${AO_PW} -m ${NS_NET} & + sleep 1 + run_cmd_nsb nettest -r ${NSA_IP} -T 100:100 -X ${AO_PW} + log_test $? 0 "TCP-AO: Prefix config" + + # client in prefix, wrong password + log_start + show_hint "Should timeout since client uses wrong password" + run_cmd nettest -s -T 100:100 -X ${AO_PW} -m ${NS_NET} & + sleep 1 + run_cmd_nsb nettest -r ${NSA_IP} -T 100:100 -X ${AO_WRONG_PW} + log_test $? 2 "TCP-AO: Prefix config, client uses wrong password" + + # client outside of prefix + log_start + show_hint "Should timeout due to address out of TCP-AO prefix mismatch" + run_cmd nettest -s -T 100:100 -X ${AO_PW} -m ${NS_NET} & + sleep 1 + run_cmd_nsb nettest -c ${NSB_LO_IP} -r ${NSA_IP} -T 100:100 -X ${AO_PW} + log_test $? 2 "TCP-AO: Prefix config, client address not in configured prefix" + + # TCP-AO more specific tests + # sendid != rcvid + log_start + run_cmd nettest -s -T 100:101 -X ${AO_PW} -m ${NSB_IP} & + sleep 1 + run_cmd_nsb nettest -r ${NSA_IP} -T 101:100 -X ${AO_PW} + log_test $? 0 "TCP-AO: Different key ids" + + # Wrong keyid + log_start + show_hint "Should timeout due to a wrong keyid" + run_cmd nettest -s -T 100:100 -X ${AO_PW} -m ${NSB_IP} & + sleep 1 + run_cmd_nsb nettest -r ${NSA_IP} -T 101:101 -X ${AO_PW} + log_test $? 2 "TCP-AO: Wrong keyid" + + # Variable maclen + ipv4_tcp_ao_algos "cmac(aes128)" 16 + ipv4_tcp_ao_algos "hmac(sha1)" 16 + ipv4_tcp_ao_algos "cmac(aes128)" 4 + ipv4_tcp_ao_algos "hmac(sha1)" 4 + + # MD5 and TCP-AO for the same peer + log_start + run_cmd nettest -s -T 100:100 -M -X ${AO_PW} -m ${NSB_IP} + log_test $? 1 "TCP-AO: add MD5 and TCP-AO for the same peer address" + + # Connect with both TCP-AO and MD5 on the socket + log_start + show_hint "Should fail to connect with both MD5 and TCP-AO on the socket" + run_cmd nettest -s -T 100:100 -M -X ${AO_PW} -m ${NSB_IP} & + sleep 1 + run_cmd_nsb nettest -r ${NSA_IP} -T 100:100 -M -X ${AO_PW} + log_test $? 1 "TCP-AO: MD5 and TCP-AO on connect()" + + # Exclude TCP options + log_start + run_cmd nettest -s -T 100:101 -X ${AO_PW} -m ${NSB_IP} --tcpao_excopts & + sleep 1 + run_cmd_nsb nettest -r ${NSA_IP} -T 101:100 -X ${AO_PW} --tcpao_excopts + log_test $? 0 "TCP-AO: Exclude TCP options" +} + # # MD5 tests with VRF # @@ -1217,6 +1340,7 @@ ipv4_tcp_novrf() log_test_addr ${a} $? 1 "No server, device client, local conn" ipv4_tcp_md5_novrf + ipv4_tcp_ao_novrf } ipv4_tcp_vrf() @@ -2511,6 +2635,120 @@ ipv6_tcp_md5_novrf() log_test $? 2 "MD5: Prefix config, client address not in configured prefix" } +ipv6_tcp_ao_algos() +{ + # basic use case + log_start + run_cmd nettest -6 -s -T 100:100 --tcpao_algo=$1 --tcpao_maclen=$2 \ + -X ${AO_PW} -m ${NSB_IP6} & + sleep 1 + run_cmd_nsb nettest -6 -r ${NSA_IP6} -T 100:100 --tcpao_algo=$1 \ + --tcpao_maclen=$2 -X ${AO_PW} + log_test $? 0 "TCP-AO [$1:$2]: Single address config" + + # client sends TCP-AO, server not configured + log_start + show_hint "Should timeout since server does not have TCP-AO auth" + run_cmd nettest -6 -s & + sleep 1 + run_cmd_nsb nettest -6 -r ${NSA_IP6} -T 100:100 --tcpao_algo=$1 \ + --tcpao_maclen=$2 -X ${AO_PW} + log_test $? 2 "TCP-AO [$1:$2]: Server no config, client uses password" + + # wrong password + log_start + show_hint "Should timeout since client uses wrong password" + run_cmd nettest -6 -s -T 100:100 --tcpao_algo=$1 --tcpao_maclen=$2 \ + -X ${AO_PW} -m ${NSB_IP6} & + sleep 1 + run_cmd_nsb nettest -6 -r ${NSA_IP6} -T 100:100 --tcpao_algo=$1 \ + --tcpao_maclen=$2 -X ${AO_WRONG_PW} + log_test $? 2 "TCP-AO [$1:$2]: Client uses wrong password" +} + +ipv6_tcp_ao_novrf() +{ + # + # single address + # + for i in $AO_HASH_ALGOS ; do + ipv6_tcp_ao_algos $i 12 + done + + # client from different address + log_start + show_hint "Should timeout since server config differs from client" + run_cmd nettest -6 -s -T 100:100 -X ${AO_PW} -m ${NSB_LO_IP6} & + sleep 1 + run_cmd_nsb nettest -6 -r ${NSA_IP6} -T 100:100 -X ${AO_PW} + log_test $? 2 "TCP-AO: Client address does not match address configured with password" + + # client in prefix + log_start + run_cmd nettest -6 -s -T 100:100 -X ${AO_PW} -m ${NS_NET6} & + sleep 1 + run_cmd_nsb nettest -6 -r ${NSA_IP6} -T 100:100 -X ${AO_PW} + log_test $? 0 "TCP-AO: Prefix config" + + # client in prefix, wrong password + log_start + show_hint "Should timeout since client uses wrong password" + run_cmd nettest -6 -s -T 100:100 -X ${AO_PW} -m ${NS_NET6} & + sleep 1 + run_cmd_nsb nettest -6 -r ${NSA_IP6} -T 100:100 -X ${AO_WRONG_PW} + log_test $? 2 "TCP-AO: Prefix config, client uses wrong password" + + # client outside of prefix + log_start + show_hint "Should timeout since client address is outside of prefix" + run_cmd nettest -6 -s -T 100:100 -X ${AO_PW} -m ${NS_NET6} & + sleep 1 + run_cmd_nsb nettest -6 -c ${NSB_LO_IP6} -r ${NSA_IP6} -T 100:100 -X ${AO_PW} + log_test $? 2 "TCP-AO: Prefix config, client address not in configured prefix" + + # TCP-AO more specific tests + # sendid != rcvid + log_start + run_cmd nettest -6 -s -T 100:101 -X ${AO_PW} -m ${NSB_IP6} & + sleep 1 + run_cmd_nsb nettest -6 -r ${NSA_IP6} -T 101:100 -X ${AO_PW} + log_test $? 0 "TCP-AO: Different key ids" + + # Wrong keyid + log_start + show_hint "Should timeout due to a wrong keyid" + run_cmd nettest -6 -s -T 100:100 -X ${AO_PW} -m ${NSB_IP6} & + sleep 1 + run_cmd_nsb nettest -6 -r ${NSA_IP6} -T 101:101 -X ${AO_PW} + log_test $? 2 "TCP-AO: Wrong keyid" + + # Variable maclen + ipv6_tcp_ao_algos "cmac(aes128)" 16 + ipv6_tcp_ao_algos "hmac(sha1)" 16 + ipv6_tcp_ao_algos "cmac(aes128)" 4 + ipv6_tcp_ao_algos "hmac(sha1)" 4 + + # MD5 and TCP-AO for the same peer + log_start + run_cmd nettest -6 -s -T 100:100 -M -X ${AO_PW} -m ${NSB_IP6} + log_test $? 1 "TCP-AO: add MD5 and TCP-AO for the same peer address" + + # Connect with both TCP-AO and MD5 on the socket + log_start + show_hint "Should fail to connect with both MD5 and TCP-AO on the socket" + run_cmd nettest -6 -s -T 100:100 -M -X ${AO_PW} -m ${NSB_IP6} & + sleep 1 + run_cmd_nsb nettest -6 -r ${NSA_IP6} -T 100:100 -M -X ${AO_PW} + log_test $? 1 "TCP-AO: MD5 and TCP-AO on connect()" + + # Exclude TCP options + log_start + run_cmd nettest -6 -s -T 100:101 -X ${AO_PW} -m ${NSB_IP6} --tcpao_excopts & + sleep 1 + run_cmd_nsb nettest -6 -r ${NSA_IP6} -T 101:100 -X ${AO_PW} --tcpao_excopts + log_test $? 0 "TCP-AO: Exclude TCP options" +} + # # MD5 tests with VRF # @@ -2773,6 +3011,7 @@ ipv6_tcp_novrf() done ipv6_tcp_md5_novrf + ipv6_tcp_ao_novrf } ipv6_tcp_vrf()