selftests: tls: test TCP stealing data from under the TLS socket

	close(cfd);

}

TEST(data_steal) {

	struct tls_crypto_info_keys tls;

	char buf[20000], buf2[20000];

	struct sockaddr_in addr;

	int sfd, cfd, ret, fd;

	int pid, status;

	socklen_t len;

	len = sizeof(addr);

	memrnd(buf, sizeof(buf));

	tls_crypto_info_init(TLS_1_2_VERSION, TLS_CIPHER_AES_GCM_256, &tls, 0);

	addr.sin_family = AF_INET;

	addr.sin_addr.s_addr = htonl(INADDR_ANY);

	addr.sin_port = 0;

	fd = socket(AF_INET, SOCK_STREAM, 0);

	sfd = socket(AF_INET, SOCK_STREAM, 0);

	ASSERT_EQ(bind(sfd, &addr, sizeof(addr)), 0);

	ASSERT_EQ(listen(sfd, 10), 0);

	ASSERT_EQ(getsockname(sfd, &addr, &len), 0);

	ASSERT_EQ(connect(fd, &addr, sizeof(addr)), 0);

	ASSERT_GE(cfd = accept(sfd, &addr, &len), 0);

	close(sfd);

	ret = setsockopt(fd, IPPROTO_TCP, TCP_ULP, "tls", sizeof("tls"));

	if (ret) {

		ASSERT_EQ(errno, ENOENT);

		SKIP(return, "no TLS support");

	}

	ASSERT_EQ(setsockopt(cfd, IPPROTO_TCP, TCP_ULP, "tls", sizeof("tls")), 0);

	/* Spawn a child and get it into the read wait path of the underlying

	 * TCP socket.

	 */

	pid = fork();

	ASSERT_GE(pid, 0);

	if (!pid) {

		EXPECT_EQ(recv(cfd, buf, sizeof(buf), MSG_WAITALL),

			  sizeof(buf));

		exit(!__test_passed(_metadata));

	}

	usleep(2000);

	ASSERT_EQ(setsockopt(fd, SOL_TLS, TLS_TX, &tls, tls.len), 0);

	ASSERT_EQ(setsockopt(cfd, SOL_TLS, TLS_RX, &tls, tls.len), 0);

	EXPECT_EQ(send(fd, buf, sizeof(buf), 0), sizeof(buf));

	usleep(2000);

	EXPECT_EQ(recv(cfd, buf2, sizeof(buf2), MSG_DONTWAIT), -1);

	/* Don't check errno, the error will be different depending

	 * on what random bytes TLS interpreted as the record length.

	 */

	close(fd);

	close(cfd);

	EXPECT_EQ(wait(&status), pid);

	EXPECT_EQ(status, 0);

}

static void __attribute__((constructor)) fips_check(void) {

	int res;

	FILE *f;