1 // SPDX-License-Identifier: GPL-2.0
4 * Test key rotation for TFO.
5 * New keys are 'rotated' in two steps:
6 * 1) Add new key as the 'backup' key 'behind' the primary key
7 * 2) Make new key the primary by swapping the backup and primary keys
9 * The rotation is done in stages using multiple sockets bound
10 * to the same port via SO_REUSEPORT. This simulates key rotation
11 * behind say a load balancer. We verify that across the rotation
12 * there are no cases in which a cookie is not accepted by verifying
13 * that TcpExtTCPFastOpenPassiveFail remains 0.
16 #include <arpa/inet.h>
23 #include <sys/epoll.h>
25 #include <netinet/tcp.h>
29 #ifndef TCP_FASTOPEN_KEY
30 #define TCP_FASTOPEN_KEY 33
34 #define PROC_FASTOPEN_KEY "/proc/sys/net/ipv4/tcp_fastopen_key"
38 #define ARRAY_SIZE(arr) (sizeof(arr) / sizeof((arr)[0]))
42 static bool do_sockopt;
43 static bool do_rotate;
44 static int key_len = KEY_LENGTH;
45 static int rcv_fds[N_LISTEN];
47 static const char *IP4_ADDR = "127.0.0.1";
48 static const char *IP6_ADDR = "::1";
49 static const int PORT = 8891;
51 static void get_keys(int fd, uint32_t *keys)
54 socklen_t len = KEY_LENGTH * 2;
57 if (getsockopt(fd, SOL_TCP, TCP_FASTOPEN_KEY, keys, &len))
58 error(1, errno, "Unable to get key");
61 lseek(proc_fd, 0, SEEK_SET);
62 if (read(proc_fd, buf, sizeof(buf)) <= 0)
63 error(1, errno, "Unable to read %s", PROC_FASTOPEN_KEY);
64 if (sscanf(buf, "%x-%x-%x-%x,%x-%x-%x-%x", keys, keys + 1, keys + 2,
65 keys + 3, keys + 4, keys + 5, keys + 6, keys + 7) != 8)
66 error(1, 0, "Unable to parse %s", PROC_FASTOPEN_KEY);
69 static void set_keys(int fd, uint32_t *keys)
74 if (setsockopt(fd, SOL_TCP, TCP_FASTOPEN_KEY, keys,
76 error(1, errno, "Unable to set key");
80 snprintf(buf, 128, "%08x-%08x-%08x-%08x,%08x-%08x-%08x-%08x",
81 keys[0], keys[1], keys[2], keys[3], keys[4], keys[5],
84 snprintf(buf, 128, "%08x-%08x-%08x-%08x",
85 keys[0], keys[1], keys[2], keys[3]);
86 lseek(proc_fd, 0, SEEK_SET);
87 if (write(proc_fd, buf, sizeof(buf)) <= 0)
88 error(1, errno, "Unable to write %s", PROC_FASTOPEN_KEY);
91 static void build_rcv_fd(int family, int proto, int *rcv_fds)
93 struct sockaddr_in addr4 = {0};
94 struct sockaddr_in6 addr6 = {0};
95 struct sockaddr *addr;
102 addr4.sin_family = family;
103 addr4.sin_addr.s_addr = htonl(INADDR_ANY);
104 addr4.sin_port = htons(PORT);
106 addr = (struct sockaddr *)&addr4;
109 addr6.sin6_family = AF_INET6;
110 addr6.sin6_addr = in6addr_any;
111 addr6.sin6_port = htons(PORT);
113 addr = (struct sockaddr *)&addr6;
116 error(1, 0, "Unsupported family %d", family);
117 /* clang does not recognize error() above as terminating
118 * the program, so it complains that saddr, sz are
119 * not initialized when this code path is taken. Silence it.
123 for (i = 0; i < ARRAY_SIZE(keys); i++)
125 for (i = 0; i < N_LISTEN; i++) {
126 rcv_fds[i] = socket(family, proto, 0);
128 error(1, errno, "failed to create receive socket");
129 if (setsockopt(rcv_fds[i], SOL_SOCKET, SO_REUSEPORT, &opt,
131 error(1, errno, "failed to set SO_REUSEPORT");
132 if (bind(rcv_fds[i], addr, sz))
133 error(1, errno, "failed to bind receive socket");
134 if (setsockopt(rcv_fds[i], SOL_TCP, TCP_FASTOPEN, &qlen,
136 error(1, errno, "failed to set TCP_FASTOPEN");
137 set_keys(rcv_fds[i], keys);
138 if (proto == SOCK_STREAM && listen(rcv_fds[i], 10))
139 error(1, errno, "failed to listen on receive port");
143 static int connect_and_send(int family, int proto)
145 struct sockaddr_in saddr4 = {0};
146 struct sockaddr_in daddr4 = {0};
147 struct sockaddr_in6 saddr6 = {0};
148 struct sockaddr_in6 daddr6 = {0};
149 struct sockaddr *saddr, *daddr;
155 saddr4.sin_family = AF_INET;
156 saddr4.sin_addr.s_addr = htonl(INADDR_ANY);
159 daddr4.sin_family = AF_INET;
160 if (!inet_pton(family, IP4_ADDR, &daddr4.sin_addr.s_addr))
161 error(1, errno, "inet_pton failed: %s", IP4_ADDR);
162 daddr4.sin_port = htons(PORT);
165 saddr = (struct sockaddr *)&saddr4;
166 daddr = (struct sockaddr *)&daddr4;
169 saddr6.sin6_family = AF_INET6;
170 saddr6.sin6_addr = in6addr_any;
172 daddr6.sin6_family = AF_INET6;
173 if (!inet_pton(family, IP6_ADDR, &daddr6.sin6_addr))
174 error(1, errno, "inet_pton failed: %s", IP6_ADDR);
175 daddr6.sin6_port = htons(PORT);
178 saddr = (struct sockaddr *)&saddr6;
179 daddr = (struct sockaddr *)&daddr6;
182 error(1, 0, "Unsupported family %d", family);
183 /* clang does not recognize error() above as terminating
184 * the program, so it complains that saddr, daddr, sz are
185 * not initialized when this code path is taken. Silence it.
189 fd = socket(family, proto, 0);
191 error(1, errno, "failed to create send socket");
192 if (bind(fd, saddr, sz))
193 error(1, errno, "failed to bind send socket");
195 ret = sendto(fd, data, 1, MSG_FASTOPEN, daddr, sz);
197 error(1, errno, "failed to sendto");
202 static bool is_listen_fd(int fd)
206 for (i = 0; i < N_LISTEN; i++) {
207 if (rcv_fds[i] == fd)
213 static void rotate_key(int fd)
216 static uint32_t new_key[4];
221 if (iter < N_LISTEN) {
222 /* first set new key as backups */
224 for (i = 0; i < ARRAY_SIZE(new_key); i++)
228 memcpy(keys + 4, new_key, KEY_LENGTH);
233 memcpy(tmp_key, keys + 4, KEY_LENGTH);
234 memcpy(keys + 4, keys, KEY_LENGTH);
235 memcpy(keys, tmp_key, KEY_LENGTH);
238 if (++iter >= (N_LISTEN * 2))
242 static void run_one_test(int family)
244 struct epoll_event ev;
247 int rotate_key_fd = 0;
248 int key_rotate_interval = 50;
252 build_rcv_fd(family, SOCK_STREAM, rcv_fds);
253 epfd = epoll_create(1);
255 error(1, errno, "failed to create epoll");
257 for (i = 0; i < N_LISTEN; i++) {
258 ev.data.fd = rcv_fds[i];
259 if (epoll_ctl(epfd, EPOLL_CTL_ADD, rcv_fds[i], &ev))
260 error(1, errno, "failed to register sock epoll");
263 send_fd = connect_and_send(family, SOCK_STREAM);
264 if (do_rotate && ((n_loops % key_rotate_interval) == 0)) {
265 rotate_key(rcv_fds[rotate_key_fd]);
266 if (++rotate_key_fd >= N_LISTEN)
270 i = epoll_wait(epfd, &ev, 1, -1);
272 error(1, errno, "epoll_wait failed");
273 if (is_listen_fd(ev.data.fd)) {
274 fd = accept(ev.data.fd, NULL, NULL);
276 error(1, errno, "failed to accept");
278 if (epoll_ctl(epfd, EPOLL_CTL_ADD, fd, &ev))
279 error(1, errno, "failed epoll add");
282 i = recv(ev.data.fd, buf, sizeof(buf), 0);
284 error(1, errno, "failed recv data");
285 if (epoll_ctl(epfd, EPOLL_CTL_DEL, ev.data.fd, NULL))
286 error(1, errno, "failed epoll del");
292 for (i = 0; i < N_LISTEN; i++)
296 static void parse_opts(int argc, char **argv)
300 while ((c = getopt(argc, argv, "46sr")) != -1) {
313 key_len = KEY_LENGTH * 2;
316 error(1, 0, "%s: parse error", argv[0]);
321 int main(int argc, char **argv)
323 parse_opts(argc, argv);
324 proc_fd = open(PROC_FASTOPEN_KEY, O_RDWR);
326 error(1, errno, "Unable to open %s", PROC_FASTOPEN_KEY);
329 run_one_test(AF_INET6);
331 run_one_test(AF_INET);
333 fprintf(stderr, "PASS\n");