From: Geliang Tang <tanggeliang@kylinos.cn>
Add test cases for TCP_MD5SIG and TCP_MD5SIG_EXT socket options:
- Enable CONFIG_TCP_MD5SIG in test config
- Implement test functions for both options:
- test_tcp_md5sig_sockopt() - sets basic MD5 key
- test_tcp_md5sig_ext_sockopt() - sets extended MD5 with flags
- Tests run on both IPv4/IPv6 during server setup
Signed-off-by: Geliang Tang <tanggeliang@kylinos.cn>
---
tools/testing/selftests/net/mptcp/config | 1 +
.../selftests/net/mptcp/mptcp_sockopt.c | 67 +++++++++++++++++++
2 files changed, 68 insertions(+)
diff --git a/tools/testing/selftests/net/mptcp/config b/tools/testing/selftests/net/mptcp/config
index 968d440c03fe..d9022261b6f8 100644
--- a/tools/testing/selftests/net/mptcp/config
+++ b/tools/testing/selftests/net/mptcp/config
@@ -34,3 +34,4 @@ CONFIG_NET_ACT_PEDIT=m
CONFIG_NET_CLS_ACT=y
CONFIG_NET_CLS_FW=m
CONFIG_NET_SCH_INGRESS=m
+CONFIG_TCP_MD5SIG=y
diff --git a/tools/testing/selftests/net/mptcp/mptcp_sockopt.c b/tools/testing/selftests/net/mptcp/mptcp_sockopt.c
index 9934a68df237..b99d7bce96ee 100644
--- a/tools/testing/selftests/net/mptcp/mptcp_sockopt.c
+++ b/tools/testing/selftests/net/mptcp/mptcp_sockopt.c
@@ -25,6 +25,7 @@
#include <netinet/in.h>
#include <linux/tcp.h>
+#include <arpa/inet.h>
static int pf = AF_INET;
@@ -127,6 +128,15 @@ struct so_state {
#define MIN(a, b) ((a) < (b) ? (a) : (b))
#endif
+struct tcp_md5sig_ext {
+ struct __kernel_sockaddr_storage tcpm_addr;
+ unsigned short __tcpm_pad1;
+ unsigned short tcpm_keylen;
+ unsigned char tcpm_key[TCP_MD5SIG_MAXKEYLEN];
+ unsigned int tcpm_flags;
+ unsigned int tcpm_ifindex;
+};
+
static void die_perror(const char *msg)
{
perror(msg);
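Review bot: The locally declared `struct tcp_md5sig_ext` does not appear to match the layout the kernel reads for TCP_MD5SIG_EXT. As far as I know, that option takes the same `struct tcp_md5sig` from <linux/tcp.h> as TCP_MD5SIG, with one-byte `tcpm_flags` and `tcpm_prefixlen` directly after `tcpm_addr` and `tcpm_ifindex` placed before `tcpm_key`. If so, the flags byte the kernel sees is the zeroed `__tcpm_pad1`, so the TCP_MD5SIG_FLAG_IFINDEX set in test_tcp_md5sig_ext_sockopt() is never seen and the key is read from a shifted offset. I would drop this struct and declare `struct tcp_md5sig md5ext;` in that helper; please confirm against the uapi header the selftest builds with.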
@@ -697,6 +707,60 @@ static int xaccept(int s)
return fd;
}
+static void test_tcp_md5sig_sockopt(int fd)
+{
+ const char *peer_ip = (pf == AF_INET) ? "127.0.0.1" : "::1";
+ const char *key = "0123456789";
+ size_t key_len = strlen(key);
+ struct tcp_md5sig md5sig;
+ struct sockaddr_in *addr;
+
+ memset(&md5sig, 0, sizeof(md5sig));
+ addr = (struct sockaddr_in *)&md5sig.tcpm_addr;
+ addr->sin_family = pf;
+
+ if (inet_pton(pf, peer_ip, &addr->sin_addr) != 1)
+ die_perror("inet_pton failed");
+
+ if (key_len > sizeof(md5sig.tcpm_key))
+ die_perror("Key too long\n");
+
+ memcpy(md5sig.tcpm_key, key, key_len);
+ md5sig.tcpm_keylen = key_len;
+
+ if (setsockopt(fd, IPPROTO_TCP, TCP_MD5SIG, &md5sig, sizeof(md5sig)))
+ die_perror("setsockopt(TCP_MD5SIG) failed");
+}
+
+static void test_tcp_md5sig_ext_sockopt(int sockfd)
+{
+ const char *peer_ip = (pf == AF_INET) ? "127.0.0.1" : "::1";
+ const char *key = "0123456789";
+ size_t key_len = strlen(key);
+ struct tcp_md5sig_ext md5ext;
+ struct sockaddr_in *addr;
+ int ifindex = 2;
+
+ memset(&md5ext, 0, sizeof(md5ext));
+ addr = (struct sockaddr_in *)&md5ext.tcpm_addr;
+ addr->sin_family = pf;
+
+ if (inet_pton(pf, peer_ip, &addr->sin_addr) != 1)
+ die_perror("inet_pton failed");
+
+ if (key_len > TCP_MD5SIG_MAXKEYLEN)
+ die_perror("Key too long\n");
+
+ memcpy(md5ext.tcpm_key, key, key_len);
+ md5ext.tcpm_keylen = key_len;
+
+ md5ext.tcpm_ifindex = ifindex;
+ md5ext.tcpm_flags = TCP_MD5SIG_FLAG_IFINDEX;
+
+ if (setsockopt(sockfd, IPPROTO_TCP, TCP_MD5SIG_EXT, &md5ext, sizeof(md5ext)))
+ die_perror("setsockopt(TCP_MD5SIG_EXT) failed");
+}
+
static int server(int pipefd)
{
int fd = -1, r;
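Review bot: Both new helpers cast `tcpm_addr` to `struct sockaddr_in *` even when `pf` is AF_INET6, so `inet_pton(pf, peer_ip, &addr->sin_addr)` stores the 16-byte address at the offset of `sin_addr` instead of `sin6_addr`. The key would then presumably be bound to a different peer address than ::1. This applies to test_tcp_md5sig_sockopt() and test_tcp_md5sig_ext_sockopt() alike; the address setup should branch on `pf` and use `struct sockaddr_in6` for IPv6, as sketched below for the first helper. Separately, `ifindex = 2` is a hard-coded assumption about the interface numbering, and `die_perror("Key too long\n")` prints an unrelated errno string because no call has failed at that point.

```c
static void test_tcp_md5sig_sockopt(int fd)
{
	/* … unchanged: peer_ip, key, key_len, md5sig declarations and memset … */
	if (pf == AF_INET6) {
		struct sockaddr_in6 *addr6 = (struct sockaddr_in6 *)&md5sig.tcpm_addr;

		addr6->sin6_family = AF_INET6;
		if (inet_pton(AF_INET6, peer_ip, &addr6->sin6_addr) != 1)
			die_perror("inet_pton failed");
	} else {
		struct sockaddr_in *addr4 = (struct sockaddr_in *)&md5sig.tcpm_addr;

		addr4->sin_family = AF_INET;
		if (inet_pton(AF_INET, peer_ip, &addr4->sin_addr) != 1)
			die_perror("inet_pton failed");
	}
	/* … unchanged: key length check, memcpy, setsockopt … */
```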
@@ -721,6 +785,9 @@ static int server(int pipefd)
process_one_client(r, pipefd);
+ test_tcp_md5sig_sockopt(fd);
+ test_tcp_md5sig_ext_sockopt(fd);
+
return 0;
}
--
2.48.1
Hi Geliang, On 30/07/2025 09:22, Geliang Tang wrote: > From: Geliang Tang <tanggeliang@kylinos.cn> > > Add test cases for TCP_MD5SIG and TCP_MD5SIG_EXT socket options: > - Enable CONFIG_TCP_MD5SIG in test config > - Implement test functions for both options: > - test_tcp_md5sig_sockopt() - sets basic MD5 key > - test_tcp_md5sig_ext_sockopt() - sets extended MD5 with flags > - Tests run on both IPv4/IPv6 during server setup It looks like you set the socket option, but you don't check if MD5 is correctly used without MPTCP. It might be better to check this feature with packetdrill: - set it before/after the listen(), but before an accept(), then check if the server replies without MPTCP, but with MD5. - if it is set on an established MPTCP connection (MPTCP still being used), an error should be returned. Also, you will need to adapt the "mptcp_unsupported_sockopts.pkt" test. Cheers, Matt -- Sponsored by the NGI0 Core fund.