authorIris Chang <iris.chang@mediatek.com>2018-08-13 16:31:49 +0800
committerIris Chang <iris.chang@mediatek.com>2018-09-18 04:09:26 +0000
commitf9e22fba0a22afcafba358ba44ca6972c980f085 (patch)
treeb9a48d92dd426f2d3a1ca536b592236981d8f48b
parente59c063ef4331ca047d51a0df4aa4dd0ce49e09e (diff)
Check xfrm state to delete embryonic SA
3 VtsKernelNetTest test cases fail on a platform where an IPsec key manager is running. They are testSocketPolicyIPv4, testSocketPolicyIPv6 and testSocketPolicyMapped. These 3 cases fail because CreateNewSa returns EEXIST when the test cases call CreateNewSa() to send the netlink message that adds xfrm state info to the kernel. Taking testSocketPolicyIPv4 as an example, the normal flow is as below: udp send dns query -> apply socket policy -> assertRaisesErrno(EAGAIN, s.sendto, ...) -> CreateNewSa() -> Send encrypted dns query. When it calls sendto after applying the socket policy, the kernel will call xfrm_state_find() to check if policy and state match. If there is an xfrm netlink message listener, the kernel will allocate xfrm state. Therefore, when CreateNewSa() tries to create a new xfrm state, the kernel returns EEXIST. On a platform where an IPsec key manager is running, there is a daemon which listens to xfrm policy messages. We suggest deleting the embryonic SA before creating a new SA when there is an existing user space key manager. Without an existing user space key manager, the test case still creates a new SA. In both conditions, EAGAIN will be returned after calling sendto(). Bug: 112518266 Test: VtsKernelNetTest can pass Change-Id: Id461b6c06884ff3e3464cd80dcf091f7da28f418
-rwxr-xr-xnet/test/xfrm_test.py9
1 files changed, 9 insertions, 0 deletions
diff --git a/net/test/xfrm_test.py b/net/test/xfrm_test.py
index 93c66f4..24f9edc 100755
--- a/net/test/xfrm_test.py
+++ b/net/test/xfrm_test.py
@@ -132,6 +132,14 @@ class XfrmFunctionalTest(xfrm_base.XfrmLazyTest):
EAGAIN,
s.sendto, net_test.UDP_PAYLOAD, (remotesockaddr, 53))
+ # If there is a user space key manager, calling sendto() after applying the socket policy
+ # creates an SA whose state is XFRM_STATE_ACQ. So this just deletes it.
+ # If there is no user space key manager, deleting SA returns ESRCH as the error code.
+ try:
+ self.xfrm.DeleteSaInfo(self.GetRemoteAddress(xfrm_version), TEST_SPI, IPPROTO_ESP)
+ except IOError as e:
+ self.assertEquals(ESRCH, e.errno, "Unexpected error when deleting ACQ SA")
+
# Adding a matching SA causes the packet to go out encrypted. The SA's
# SPI must match the one in our template, and the destination address must
# match the packet's destination address (in tunnel mode, it has to match
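Review bot: The added `DeleteSaInfo` call removes whatever SA matches the remote address, TEST_SPI and IPPROTO_ESP, without checking that it is actually in XFRM_STATE_ACQ as the new comment and the commit title describe. A fully established SA left behind by an earlier test, or one the key manager has already installed, would be deleted silently and the leak would go unnoticed; looking the SA up first and asserting its state before deleting would keep that visible. The comment could also state that the cleanup assumes the key manager does not re-create state between this delete and the following CreateNewSa, which looks possible but cannot be confirmed from the hunk. `assertEquals` is a deprecated alias, so the check is better written `self.assertEqual(ESRCH, e.errno, "Unexpected error when deleting ACQ SA")`. The enclosing test method starts and ends outside the hunk.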
@@ -139,6 +147,7 @@ class XfrmFunctionalTest(xfrm_base.XfrmLazyTest):
self.CreateNewSa(
net_test.GetWildcardAddress(xfrm_version),
self.GetRemoteAddress(xfrm_version), TEST_SPI, reqid, None)
+
s.sendto(net_test.UDP_PAYLOAD, (remotesockaddr, 53))
expected_length = xfrm_base.GetEspPacketLength(xfrm.XFRM_MODE_TRANSPORT,
version, False,