author | Iris Chang <iris.chang@mediatek.com> | 2018-08-13 16:31:49 +0800 |
---|---|---|
committer | Iris Chang <iris.chang@mediatek.com> | 2018-09-18 04:09:26 +0000 |
commit | f9e22fba0a22afcafba358ba44ca6972c980f085 (patch) | |
tree | b9a48d92dd426f2d3a1ca536b592236981d8f48b | |
parent | e59c063ef4331ca047d51a0df4aa4dd0ce49e09e (diff) | |
download | tests-f9e22fba0a22afcafba358ba44ca6972c980f085.tar.gz |
Check xfrm state to delete embryonic SA

3 VtsKernelNetTest test cases fail on a platform where an IPsec key manager
is running. They are testSocketPolicyIPv4, testSocketPolicyIPv6 and
testSocketPolicyMapped. These 3 cases fail because CreateNewSa returns
EEXIST when test cases call CreateNewSa() to send netlink message of adding
xfrm state info to kernel.

Take testSocketPolicyIPv4 as an example, normal flow is as below.

udp send dns query -> apply socket policy ->
assertRaisesErrno(EAGAIN, s.sendto, ...) -> CreateNewSa() ->
Send encrypted dns query

When it calls sendto after applying socket policy, kernel will call
xfrm_state_find() to check if policy and state match. If there is an
xfrm netlink message listener, kernel will allocate xfrm state.
Therefore, when CreateNewSa() tries to create a new xfrm state, kernel
returns EEXIST. On a platform where an IPsec key manager is running,
there is a daemon which listens to xfrm policy message. We suggest that we
can delete embryonic SA before creating a new SA when there is an existing
user space key manager. Without existing user space key manager, test case
still creates a new SA. In both conditions, EAGAIN will be returned after
calling sendto().

Bug: 112518266
Test: VtsKernelNetTest can pass
Change-Id: Id461b6c06884ff3e3464cd80dcf091f7da28f418
-rwxr-xr-x | net/test/xfrm_test.py | 9 |
1 files changed, 9 insertions, 0 deletions
diff --git a/net/test/xfrm_test.py b/net/test/xfrm_test.py index 93c66f4..24f9edc 100755 --- a/net/test/xfrm_test.py +++ b/net/test/xfrm_test.py @@ -132,6 +132,14 @@ class XfrmFunctionalTest(xfrm_base.XfrmLazyTest): EAGAIN, s.sendto, net_test.UDP_PAYLOAD, (remotesockaddr, 53)) + # If there is a user space key manager, calling sendto() after applying the socket policy + # creates an SA whose state is XFRM_STATE_ACQ. So this just deletes it. + # If there is no user space key manager, deleting SA returns ESRCH as the error code. + try: + self.xfrm.DeleteSaInfo(self.GetRemoteAddress(xfrm_version), TEST_SPI, IPPROTO_ESP) + except IOError as e: + self.assertEquals(ESRCH, e.errno, "Unexpected error when deleting ACQ SA") + # Adding a matching SA causes the packet to go out encrypted. The SA's # SPI must match the one in our template, and the destination address must # match the packet's destination address (in tunnel mode, it has to match @@ -139,6 +147,7 @@ class XfrmFunctionalTest(xfrm_base.XfrmLazyTest): self.CreateNewSa( net_test.GetWildcardAddress(xfrm_version), self.GetRemoteAddress(xfrm_version), TEST_SPI, reqid, None) + s.sendto(net_test.UDP_PAYLOAD, (remotesockaddr, 53)) expected_length = xfrm_base.GetEspPacketLength(xfrm.XFRM_MODE_TRANSPORT, version, False, |
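Review bot: In the first hunk (@@ -132,6 +132,14 @@), the DeleteSaInfo() call removes whatever SA matches the remote address, TEST_SPI and IPPROTO_ESP without looking at its state, although the subject line says "Check xfrm state" and the new comment says the SA is in XFRM_STATE_ACQ. If the intent is to remove only the embryonic SA, assert the state before deleting, or reword the subject and comment to say the delete is unconditional. The except branch accepts only ESRCH, which keeps other failures visible, but the patch touches no import line, so confirm ESRCH is already imported in xfrm_test.py. Two style points in the same hunk: assertEquals is a deprecated alias of assertEqual, and the first two comment lines run past 80 columns.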