void recv_pcap_packet(u_char *user,
const struct pcap_pkthdr *h,
const u_char *bytes)
{
struct state *st;
struct pcr_kenonce *kn = &r->pcr_d.kn;
/* I'm jacob two-two. I do everything twice! */
recv_pcap_packet_gen(user, h, bytes);
/* find st involved */
st = state_with_serialno(1);
st->st_connection->extra_debugging = DBG_EMITTING | DBG_CONTROL |
DBG_CONTROLMORE;
/* now fill in the KE values from a constant.. not calculated */
clonetowirechunk(&kn->thespace, kn->space, &kn->secret, tc3_secret,
tc3_secret_len);
clonetowirechunk(&kn->thespace, kn->space, &kn->n, tc3_nr,
tc3_nr_len);
clonetowirechunk(&kn->thespace, kn->space, &kn->gi, tc3_gr,
tc3_gr_len);
run_continuation(r);
}
void recv_pcap_packet(u_char *user,
const struct pcap_pkthdr *h,
const u_char *bytes)
{
struct state *st;
struct pcr_kenonce *kn = &r->pcr_d.kn;
recv_pcap_packet_gen(user, h, bytes);
/* find st involved */
st = state_with_serialno(1);
st->st_connection->extra_debugging = DBG_EMITTING | DBG_CONTROL |
DBG_CONTROLMORE;
/* now fill in the KE values from a constant.. not calculated */
WIRE_CLONE_DATA(kn, secret, tc3_secret,
tc3_secret_len);
WIRE_CLONE_DATA(kn, n, tc3_nr,
tc3_nr_len);
WIRE_CLONE_DATA(kn, gi, tc3_gr,
tc3_gr_len);
run_continuation(r);
}
void rekeyit()
{
struct state *st = NULL;
struct pcr_kenonce *kn = &crypto_req->pcr_d.kn;
fprintf(stderr, "now pretend that the keylife timer is up, and rekey the connection\n");
show_states_status();
timer_list();
st = state_with_serialno(2);
/* capture the rekey message */
send_packet_setup_pcap("OUTPUT/rekeyikev2-I1.pcap");
if(st) {
DBG(DBG_LIFECYCLE
, openswan_log("replacing stale %s SA"
, (IS_PHASE1(st->st_state)|| IS_PHASE15(st->st_state ))? "ISAKMP" : "IPsec"));
ipsecdoi_replace(st, LEMPTY, LEMPTY, 1);
} else {
fprintf(stderr, "no state #2 found\n");
}
passert(kn->oakley_group == tc14_oakleygroup);
/* now fill in the KE values from a constant.. not calculated */
clonetowirechunk(&kn->thespace, kn->space, &kn->secret, tc14_secret,tc14_secret_len);
clonetowirechunk(&kn->thespace, kn->space, &kn->n, tc14_ni, tc14_ni_len); /* maybe change nonce for rekey? */
clonetowirechunk(&kn->thespace, kn->space, &kn->gi, tc14_gi, tc14_gi_len);
run_continuation(crypto_req);
send_packet_close();
}
/*
* this routine accepts the I3 packet, and the causes a rekey to be queued */
void recv_pcap_I3_rekey(u_char *user
, const struct pcap_pkthdr *h
, const u_char *bytes)
{
struct state *st = NULL;
struct pcr_kenonce *kn = &crypto_req->pcr_d.kn;
/* create a socket for a possible whack process that is doing --up */
int fake_whack_fd = open("/dev/null", O_RDWR);
passert(fake_whack_fd != -1);
recv_pcap_packet(user, h, bytes);
fprintf(stderr, "now pretend that the keylife timer is up, and rekey the connection\n");
show_states_status();
timer_list();
st = state_with_serialno(2);
st->st_whack_sock = fake_whack_fd;
if(st) {
DBG(DBG_LIFECYCLE
, openswan_log("replacing stale %s SA"
, (IS_PHASE1(st->st_state)|| IS_PHASE15(st->st_state ))? "ISAKMP" : "IPsec"));
ipsecdoi_replace(st, LEMPTY, LEMPTY, 1);
} else {
fprintf(stderr, "no state #2 found\n");
}
/* find new state! */
st = state_with_serialno(3);
passert(st->st_whack_sock != -1);
passert(kn->oakley_group == SS(oakleygroup));
/* now fill in the KE values from a constant.. not calculated */
clonetowirechunk(&kn->thespace, kn->space, &kn->secret, SS(secret.ptr),SS(secret.len));
clonetowirechunk(&kn->thespace, kn->space, &kn->n, SS(ni.ptr), SS(ni.len)); /* maybe change nonce for rekey? */
clonetowirechunk(&kn->thespace, kn->space, &kn->gi, SS(gi.ptr), SS(gi.len));
run_continuation(crypto_req);
}
void enable_debugging_on_sa(int num)
{
struct state *st;
lset_t to_enable = WANT_THIS_DBG;
st = state_with_serialno(num);
if(st != NULL) {
passert(st->st_connection != NULL);
st->st_connection->extra_debugging = to_enable;
}
}
/*
* Show IKE algorithms for
* - this connection (result from ike= string)
* - newest SA
*/
void ike_alg_show_connection(struct connection *c, const char *instance)
{
struct state *st;
if (c->alg_info_ike) {
char buf[1024];
alg_info_snprint(buf, sizeof(buf) - 1,
(struct alg_info *)c->alg_info_ike);
whack_log(RC_COMMENT,
"\"%s\"%s: IKE algorithms wanted: %s",
c->name,
instance,
buf);
alg_info_snprint_ike(buf, sizeof(buf), c->alg_info_ike);
whack_log(RC_COMMENT,
"\"%s\"%s: IKE algorithms found: %s",
c->name,
instance,
buf);
}
st = state_with_serialno(c->newest_isakmp_sa);
if (st != NULL) {
static char encbuf[ENUM_SHOW_BUF_LEN];
static char prfbuf[ENUM_SHOW_BUF_LEN];
static char integbuf[ENUM_SHOW_BUF_LEN];
static char groupbuf[ENUM_SHOW_BUF_LEN];
if (!st->st_ikev2) { /* IKEv1 */
whack_log(RC_COMMENT,
"\"%s\"%s: IKE algorithm newest: %s_%03d-%s-%s",
c->name,
instance,
strip_prefix(enum_showb(&oakley_enc_names, st->st_oakley.encrypt, encbuf, sizeof(encbuf)), "OAKLEY_"),
/* st->st_oakley.encrypter->keydeflen, */
st->st_oakley.enckeylen,
strip_prefix(enum_showb(&oakley_hash_names, st->st_oakley.prf_hash, prfbuf, sizeof(prfbuf)), "OAKLEY_"),
strip_prefix(enum_showb(&oakley_group_names, st->st_oakley.group->group, groupbuf, sizeof(groupbuf)), "OAKLEY_GROUP_"));
} else { /* IKEv2 */
whack_log(RC_COMMENT,
"\"%s\"%s: IKEv2 algorithm newest: %s_%03d-%s-%s-%s",
c->name,
instance,
enum_showb(&ikev2_trans_type_encr_names, st->st_oakley.encrypt, encbuf, sizeof(encbuf)),
/* st->st_oakley.encrypter->keydeflen, */
st->st_oakley.enckeylen,
enum_showb(&ikev2_trans_type_integ_names, st->st_oakley.integ_hash, integbuf, sizeof(integbuf)),
enum_showb(&ikev2_trans_type_prf_names, st->st_oakley.prf_hash, prfbuf, sizeof(prfbuf)),
strip_prefix(enum_showb(&oakley_group_names, st->st_oakley.group->group, groupbuf, sizeof(groupbuf)), "OAKLEY_GROUP_"));
}
}
}
/*
* Show IKE algorithms for
* - this connection (result from ike= string)
* - newest SA
*/
void ike_alg_show_connection(const struct connection *c, const char *instance)
{
const struct state *st;
if (c->alg_info_ike != NULL) {
char buf[1024];
alg_info_ike_snprint(buf, sizeof(buf) - 1,
c->alg_info_ike);
whack_log(RC_COMMENT,
"\"%s\"%s: IKE algorithms wanted: %s",
c->name,
instance,
buf);
alg_info_snprint_ike(buf, sizeof(buf), c->alg_info_ike);
whack_log(RC_COMMENT,
"\"%s\"%s: IKE algorithms found: %s",
c->name,
instance,
buf);
}
st = state_with_serialno(c->newest_isakmp_sa);
if (st != NULL) {
struct esb_buf encbuf, prfbuf, integbuf, groupbuf;
if (!st->st_ikev2) {
/* IKEv1 */
whack_log(RC_COMMENT,
"\"%s\"%s: IKE algorithm newest: %s_%03d-%s-%s",
c->name,
instance,
enum_show_shortb(&oakley_enc_names, st->st_oakley.encrypt, &encbuf),
/* st->st_oakley.encrypter->keydeflen, */
st->st_oakley.enckeylen,
enum_show_shortb(&oakley_hash_names, st->st_oakley.prf_hash, &prfbuf),
enum_show_shortb(&oakley_group_names, st->st_oakley.group->group, &groupbuf));
} else {
/* IKEv2 */
whack_log(RC_COMMENT,
"\"%s\"%s: IKEv2 algorithm newest: %s_%03d-%s-%s-%s",
c->name,
instance,
enum_showb(&ikev2_trans_type_encr_names, st->st_oakley.encrypt, &encbuf),
/* st->st_oakley.encrypter->keydeflen, */
st->st_oakley.enckeylen,
enum_showb(&ikev2_trans_type_integ_names, st->st_oakley.integ_hash, &integbuf),
enum_showb(&ikev2_trans_type_prf_names, st->st_oakley.prf_hash, &prfbuf),
enum_show_shortb(&oakley_group_names, st->st_oakley.group->group, &groupbuf));
}
}
}
void recv_pcap_packet(u_char *user,
const struct pcap_pkthdr *h,
const u_char *bytes)
{
struct state *st;
struct pcr_kenonce *kn = &r->pcr_d.kn;
recv_pcap_packet_gen(user, h, bytes);
/* find st involved */
st = state_with_serialno(1);
st->st_connection->extra_debugging = DBG_EMITTING | DBG_CONTROL |
DBG_CONTROLMORE;
run_continuation(r);
}
/* this is replicated in the unit test cases since the patching up of the crypto values is case specific */
void recv_pcap_packet(u_char *user
, const struct pcap_pkthdr *h
, const u_char *bytes)
{
struct state *st;
struct pcr_kenonce *kn = &crypto_req->pcr_d.kn;
recv_pcap_packet_gen(user, h, bytes);
/* find st involved */
st = state_with_serialno(1);
if(st != NULL) {
passert(st != NULL);
st->st_connection->extra_debugging = DBG_EMITTING|DBG_CONTROL|DBG_CONTROLMORE|DBG_CRYPT|DBG_PRIVATE;
}
run_continuation(crypto_req);
}
/* this is replicated in the unit test cases since the patching up of the crypto values is case specific */
void recv_pcap_packet(u_char *user
, const struct pcap_pkthdr *h
, const u_char *bytes)
{
struct state *st;
struct pcr_kenonce *kn = &crypto_req->pcr_d.kn;
recv_pcap_packet_gen(user, h, bytes);
/* find st involved */
st = state_with_serialno(1);
if(st) {
st->st_connection->extra_debugging = DBG_EMITTING|DBG_CONTROL|DBG_CONTROLMORE;
/* now fill in the KE values from a constant.. not calculated */
clonetowirechunk(&kn->thespace, kn->space, &kn->secret, tc14_secretr,tc14_secretr_len);
clonetowirechunk(&kn->thespace, kn->space, &kn->n, tc14_nr, tc14_nr_len);
clonetowirechunk(&kn->thespace, kn->space, &kn->gi, tc14_gr, tc14_gr_len);
run_continuation(crypto_req);
}
}
/*
* Show IKE algorithms for
* - this connection (result from ike= string)
* - newest SA
*/
void
ike_alg_show_connection(struct connection *c, const char *instance)
{
char buf[256];
struct state *st;
if (c->alg_info_ike) {
alg_info_snprint(buf, sizeof(buf),
(struct alg_info *)c->alg_info_ike);
whack_log(RC_COMMENT
, "\"%s\"%s: IKE algorithms wanted: %s"
, c->name
, instance
, buf);
}
if (c->alg_info_ike) {
alg_info_snprint_ike(buf, sizeof(buf), c->alg_info_ike);
whack_log(RC_COMMENT
, "\"%s\"%s: IKE algorithms found: %s"
, c->name
, instance
, buf);
}
st = state_with_serialno(c->newest_isakmp_sa);
if (st)
whack_log(RC_COMMENT
, "\"%s\"%s: IKE algorithm newest: %s_%d-%s-%s"
, c->name
, instance
, enum_show(&oakley_enc_names, st->st_oakley.encrypt)
+7 /* strlen("OAKLEY_") */
/* , st->st_oakley.encrypter->keydeflen */
, st->st_oakley.enckeylen
, enum_show(&oakley_hash_names, st->st_oakley.hash)
+7 /* strlen("OAKLEY_") */
, enum_show(&oakley_group_names, st->st_oakley.group->group)
+13 /* strlen("OAKLEY_GROUP_") */
);
}
void recv_pcap_packetC1(u_char *user
, const struct pcap_pkthdr *h
, const u_char *bytes)
{
struct state *st;
struct pcr_kenonce *kn = &crypto_req->pcr_d.kn;
recv_pcap_packet_gen(user, h, bytes);
/* find st involved */
st = state_with_serialno(3);
st->st_connection->extra_debugging = DBG_PRIVATE|DBG_CRYPT|DBG_PARSING|DBG_EMITTING|DBG_CONTROL|DBG_CONTROLMORE;
/* now fill in the KE values from a constant.. not calculated */
clonetowirechunk(&kn->thespace, kn->space, &kn->n, SS(nr.ptr), SS(nr.len));
clonetowirechunk(&kn->thespace, kn->space, &kn->gi, SS(gr.ptr), SS(gr.len));
run_one_continuation(crypto_req);
/* now do the second calculation */
clonetowirechunk(&kn->thespace, kn->space, &kn->secret, SS(secret.ptr),SS(secret.len));
run_one_continuation(crypto_req);
}
void recv_pcap_packet1(u_char *user,
const struct pcap_pkthdr *h,
const u_char *bytes)
{
struct state *st;
struct pcr_kenonce *kn = &r->pcr_d.kn;
recv_pcap_packet_gen(user, h, bytes);
/* find st involved */
st = state_with_serialno(1);
st->st_connection->extra_debugging = add_debugging;
/* now fill in the SKEYSEED values from constants.. not calculated */
WIRE_CLONE_DATA(kn, secret, tc3_secret,
tc3_secret_len);
WIRE_CLONE_DATA(kn, n, tc3_ni,
tc3_ni_len);
WIRE_CLONE_DATA(kn, gi, tc3_gi,
tc3_gi_len);
run_continuation(r);
}
main(int argc, char *argv[]){
int len;
char *infile;
char *conn_name;
int lineno = 0;
struct connection *c1;
pcap_t *pt;
char eb1[256];
struct state *st;
EF_PROTECT_FREE = 1;
EF_FREE_WIPES = 1;
progname = argv[0];
printf("Started %s\n", progname);
leak_detective = 1;
pluto_shared_secrets_file =
"../../../baseconfigs/west/etc/ipsec.secrets";
lsw_init_ipsecdir("../../../baseconfigs/west/etc/ipsec.d");
lsw_init_rootdir("../../../baseconfigs/west");
init_crypto();
init_seam_kernelalgs();
load_authcerts("CA cert",
"../../../baseconfigs/west/etc/ipsec.d/cacerts",
AUTH_CA);
if (argc != 4) {
fprintf(stderr,
"Usage: %s <whackrecord> <conn-name> <pcapin>\n",
progname);
exit(10);
}
/* argv[1] == "-r" */
tool_init_log();
init_fake_vendorid();
infile = argv[1];
conn_name = argv[2];
load_preshared_secrets(NULL_FD);
readwhackmsg(infile);
send_packet_setup_pcap("parentI2x509.pcap");
pt = pcap_open_offline(argv[3], eb1);
if (!pt) {
perror(argv[3]);
exit(50);
}
c1 = con_by_name(conn_name, TRUE);
show_one_connection(c1);
/* now, send the I1 packet, really just so that we are in the right
* state to receive the R1 packet and process it.
*/
st = sendI1(c1, 0);
cur_debugging = DBG_EMITTING | DBG_CONTROL | DBG_CONTROLMORE |
DBG_PARSING | DBG_PRIVATE | DBG_CRYPT;
pcap_dispatch(pt, 1, recv_pcap_packet1, NULL);
{
struct state *st;
/* find st involved */
st = state_with_serialno(1);
delete_state(st);
/* find st involved */
st = state_with_serialno(2);
if (st)
delete_state(st);
}
report_leaks();
tool_close_log();
exit(0);
}
static void
cannot_oppo(struct connection *c
, struct find_oppo_bundle *b
, err_t ughmsg)
{
char pcb[ADDRTOT_BUF];
char ocb[ADDRTOT_BUF];
addrtot(&b->peer_client, 0, pcb, sizeof(pcb));
addrtot(&b->our_client, 0, ocb, sizeof(ocb));
DBG(DBG_OPPO,
openswan_log("Can not opportunistically initiate for %s to %s: %s"
, ocb, pcb, ughmsg));
whack_log(RC_OPPOFAILURE
, "Can not opportunistically initiate for %s to %s: %s"
, ocb, pcb, ughmsg);
if (c != NULL && c->policy_next != NULL)
{
/* there is some policy that comes afterwards */
struct spd_route *shunt_spd;
struct connection *nc = c->policy_next;
struct state *st;
passert(c->kind == CK_TEMPLATE);
passert(nc->kind == CK_PERMANENT);
DBG(DBG_OPPO, DBG_log("OE failed for %s to %s, but %s overrides shunt"
, ocb, pcb, nc->name));
/*
* okay, here we need add to the "next" policy, which is ought
* to be an instance.
* We will add another entry to the spd_route list for the specific
* situation that we have.
*/
shunt_spd = clone_thing(nc->spd, "shunt eroute policy");
shunt_spd->next = nc->spd.next;
nc->spd.next = shunt_spd;
happy(addrtosubnet(&b->peer_client, &shunt_spd->that.client));
if (sameaddr(&b->peer_client, &shunt_spd->that.host_addr))
shunt_spd->that.has_client = FALSE;
/*
* override the tunnel destination with the one from the secondaried
* policy
*/
shunt_spd->that.host_addr = nc->spd.that.host_addr;
/* now, lookup the state, and poke it up.
*/
st = state_with_serialno(nc->newest_ipsec_sa);
/* XXX what to do if the IPSEC SA has died? */
passert(st != NULL);
/* link the new connection instance to the state's list of
* connections
*/
DBG(DBG_OPPO, DBG_log("installing state: %ld for %s to %s"
, nc->newest_ipsec_sa
, ocb, pcb));
#ifdef DEBUG
if (DBGP(DBG_OPPO | DBG_CONTROLMORE))
{
char state_buf[LOG_WIDTH];
char state_buf2[LOG_WIDTH];
const time_t n = now();
fmt_state(st, n, state_buf, sizeof(state_buf)
, state_buf2, sizeof(state_buf2));
DBG_log("cannot_oppo, failure SA1: %s", state_buf);
DBG_log("cannot_oppo, failure SA2: %s", state_buf2);
}
#endif /* DEBUG */
if (!route_and_eroute(c, shunt_spd, st))
{
whack_log(RC_OPPOFAILURE
, "failed to instantiate shunt policy %s for %s to %s"
, c->name
, ocb, pcb);
}
return;
}
/*
* NETKEY default for level param in tmpl is required, so no traffic will
* transmitted until an SA is fully up
*/
if (b->held && kern_interface != USE_NETKEY)
{
int failure_shunt = b->failure_shunt;
/* Replace HOLD with b->failure_shunt.
* If no failure_shunt specified, use SPI_PASS -- THIS MAY CHANGE.
*/
if (failure_shunt == 0)
{
DBG(DBG_OPPO, DBG_log("no explicit failure shunt for %s to %s; removing spurious hold shunt"
, ocb, pcb));
}
(void) replace_bare_shunt(&b->our_client, &b->peer_client
, b->policy_prio
, failure_shunt
, failure_shunt != 0
, b->transport_proto
, ughmsg);
}
}
/* Handle a kernel request. Supposedly, there's a message in
* the kernelsock socket.
*/
void
whack_handle(int whackctlfd)
{
struct whack_message msg;
struct sockaddr_un whackaddr;
int whackaddrlen = sizeof(whackaddr);
int whackfd = accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen);
ssize_t n;
if (whackfd < 0)
{
log_errno((e, "accept() failed in whack_handle()"));
return;
}
n = read(whackfd, &msg, sizeof(msg));
if (n == -1)
{
log_errno((e, "read() failed in whack_handle()"));
close(whackfd);
return;
}
whack_log_fd = whackfd;
/* sanity check message */
{
err_t ugh = NULL;
next_str = msg.string;
str_roof = (char *)&msg + n;
if (next_str > str_roof)
{
ugh = builddiag("truncated message from whack: got %d bytes; expected %d. Message ignored."
, n, (int) sizeof(msg));
}
else if (msg.magic != WHACK_MAGIC)
{
ugh = builddiag("message from whack has bad magic %d; should be %d; probably wrong version. Message ignored"
, msg.magic, WHACK_MAGIC);
}
else if (!unpack_str(&msg.name) /* string 1 */
|| !unpack_str(&msg.left.id) /* string 2 */
|| !unpack_str(&msg.left.cert) /* string 3 */
|| !unpack_str(&msg.left.updown) /* string 4 */
#ifdef VIRTUAL_IP
|| !unpack_str(&msg.left.virt)
#endif
|| !unpack_str(&msg.right.id) /* string 5 */
|| !unpack_str(&msg.right.cert) /* string 6 */
|| !unpack_str(&msg.right.updown) /* string 7 */
#ifdef VIRTUAL_IP
|| !unpack_str(&msg.right.virt)
#endif
|| !unpack_str(&msg.keyid) /* string 8 */
|| !unpack_str(&msg.ike) /* string 9 */
|| !unpack_str(&msg.esp) /* string 10 */
|| !unpack_str(&msg.dnshostname) /* string 11 */
|| str_roof - next_str != (ptrdiff_t)msg.keyval.len) /* check chunk */
{
ugh = "message from whack contains bad string";
}
else
{
msg.keyval.ptr = next_str; /* grab chunk */
}
if (ugh != NULL)
{
loglog(RC_BADWHACKMESSAGE, "%s", ugh);
whack_log_fd = NULL_FD;
close(whackfd);
return;
}
}
if (msg.whack_options)
{
#ifdef DEBUG
if (msg.name == NULL)
{
/* we do a two-step so that if either old or new would
* cause the message to print, it will be printed.
*/
cur_debugging |= msg.debugging;
DBG(DBG_CONTROL
, DBG_log("base debugging = %s"
, bitnamesof(debug_bit_names, msg.debugging)));
cur_debugging = base_debugging = msg.debugging;
}
else if (!msg.whack_connection)
{
struct connection *c = con_by_name(msg.name, TRUE);
if (c != NULL)
{
c->extra_debugging = msg.debugging;
DBG(DBG_CONTROL
, DBG_log("\"%s\" extra_debugging = %s"
, c->name
, bitnamesof(debug_bit_names, c->extra_debugging)));
}
}
#endif
}
/* Deleting combined with adding a connection works as replace.
* To make this more useful, in only this combination,
* delete will silently ignore the lack of the connection.
*/
if (msg.whack_delete)
{
struct connection *c = con_by_name(msg.name, !msg.whack_connection);
/* note: this is a "while" because road warrior
* leads to multiple connections with the same name.
*/
for (; c != NULL; c = con_by_name(msg.name, FALSE))
delete_connection(c);
}
if (msg.whack_deletestate)
{
struct state *st = state_with_serialno(msg.whack_deletestateno);
if (st == NULL)
{
loglog(RC_UNKNOWN_NAME, "no state #%lu to delete"
, msg.whack_deletestateno);
}
else
{
delete_state(st);
}
}
if (msg.whack_connection)
add_connection(&msg);
/* process "listen" before any operation that could require it */
if (msg.whack_listen)
{
log("listening for IKE messages");
listening = TRUE;
find_ifaces();
load_preshared_secrets();
}
if (msg.whack_unlisten)
{
log("no longer listening for IKE messages");
listening = FALSE;
}
if (msg.whack_reread & REREAD_SECRETS)
{
load_preshared_secrets();
}
if (msg.whack_reread & REREAD_MYCERT)
{
load_mycert();
}
if (msg.whack_reread & REREAD_CACERTS)
{
load_cacerts();
}
if (msg.whack_reread & REREAD_CRLS)
{
load_crls();
}
if (msg.whack_list & LIST_PUBKEYS)
{
list_public_keys(msg.whack_utc);
}
if (msg.whack_list & LIST_CERTS)
{
list_certs(msg.whack_utc);
}
if (msg.whack_list & LIST_CACERTS)
{
list_cacerts(msg.whack_utc);
}
if (msg.whack_list & LIST_CRLS)
{
list_crls(msg.whack_utc);
}
if (msg.whack_key)
{
/* add a public key */
struct id keyid;
err_t ugh = atoid(msg.keyid, &keyid);
if (ugh != NULL)
{
loglog(RC_BADID, "bad --keyid \"%s\": %s", msg.keyid, ugh);
}
else
{
if (!msg.whack_addkey)
delete_public_keys(&keyid, msg.pubkey_alg);
if (msg.keyval.len == 0)
{
struct key_add_continuation *kc
= alloc_thing(struct key_add_continuation
, "key add continuation");
int wfd = dup_any(whackfd);
kc->whack_fd = wfd;
ugh = start_adns_query(&keyid
, NULL
, T_KEY
, key_add_continue
, &kc->ac);
if (ugh != NULL)
{
key_add_ugh(&keyid, ugh);
close_any(wfd);
}
}
else
{
ugh = add_public_key(&keyid, DAL_LOCAL, msg.pubkey_alg
, &msg.keyval, &pubkeys);
if (ugh != NULL)
loglog(RC_LOG_SERIOUS, "%s", ugh);
}
}
}
main(int argc, char *argv[])
{
int len;
char *infile;
char *conn_name;
int lineno=0;
int regression = 0;
struct connection *c1;
struct state *st;
#ifdef HAVE_EFENCE
EF_PROTECT_FREE=1;
#endif
progname = argv[0];
leak_detective = 1;
if(argc != 3 && argc!=4) {
fprintf(stderr, "Usage: %s [-r] <whackrecord> <conn-name>\n", progname);
exit(10);
}
/* skip argv0 */
argc--; argv++;
if(strcmp(argv[0], "-r")==0) {
regression = 1;
argc--; argv++;
}
tool_init_log();
load_oswcrypto();
init_fake_vendorid();
init_fake_secrets();
init_local_interface();
infile = argv[0];
conn_name = argv[1];
cur_debugging = DBG_CONTROL|DBG_CONTROLMORE;
if(readwhackmsg(infile) == 0) exit(11);
send_packet_setup_pcap("OUTPUT/" TESTNAME ".pcap");
c1 = con_by_name(conn_name, TRUE);
assert(c1 != NULL);
//list_public_keys(FALSE, FALSE);
#ifndef SKIP_ORIENT_ASSERT
assert(orient(c1, 500));
#endif
show_one_connection(c1);
#ifndef SKIP_INITIATE
/* do calculation if not -r for regression */
st = sendI1(c1, DBG_EMITTING|DBG_CONTROL|DBG_CONTROLMORE, regression == 0);
st = state_with_serialno(1);
if(st!=NULL) {
delete_state(st);
free_state(st);
}
#endif
delete_connection(c1, TRUE);
report_leaks();
tool_close_log();
exit(0);
}
int main(int argc, char *argv[])
{
int len;
char *infile, *pcapin, *pcapout;
char *conn_name;
int lineno=0;
struct connection *c1;
struct state *st;
char eb1[256]; /* error buffer for pcap open */
#ifdef HAVE_EFENCE
EF_PROTECT_FREE=1;
#endif
progname = argv[0];
leak_detective = 1;
if(argc <= 4) {
usage:
fprintf(stderr, "Usage: %s <whackrecord> <conn-name> <pcapin> <pcapout>\n", progname);
exit(10);
}
/* argv[1] == "-r" ?? */
tool_init_log();
init_crypto();
init_fake_vendorid();
init_fake_secrets();
init_jamesjohnson_interface();
infile = NULL;
conn_name = NULL;
pcapin = NULL;
pcapout = NULL;
argc--; argv++;
if(argc > 0) {
infile = argv[0];
argc--; argv++;
}
if(argc > 0) {
conn_name = argv[0];
argc--; argv++;
}
if(argc > 0) {
pcapin = argv[0];
argc--; argv++;
}
if(argc > 0) {
pcapout = argv[0];
argc--; argv++;
}
if(conn_name == NULL ||
infile == NULL ||
pcapin == NULL ||
pcapout == NULL) {
goto usage;
}
cur_debugging = DBG_CONTROL|DBG_CONTROLMORE;
if(readwhackmsg(infile) == 0) exit(10);
c1 = con_by_name(conn_name, TRUE);
assert(c1 != NULL);
assert(orient(c1, 500));
show_one_connection(c1, whack_log);
send_packet_setup_pcap(pcapout);
/* setup to process the I1 packet */
recv_pcap_setup(pcapin);
cur_debugging = DBG_EMITTING|DBG_CONTROL|DBG_CONTROLMORE;
pcap_dispatch(pt, 1, recv_pcap_packet, NULL);
/* clean up so that we can see any leaks */
st = state_with_serialno(1);
if(st!=NULL) {
delete_state(st);
free_state(st);
}
delete_connection(c1, TRUE);
report_leaks();
tool_close_log();
exit(0);
}
main(int argc, char *argv[])
{
int len;
char *infile;
char *conn_name;
char *pcap1in;
char *pcap2in;
char *pcap_out;
int lineno=0;
int regression;
struct connection *c1;
struct state *st;
EF_PROTECT_FREE=1;
progname = argv[0];
leak_detective = 1;
/* skip argv0 */
argc--; argv++;
if(strcmp(argv[0], "-r")==0) {
regression = 1;
argc--; argv++;
}
if(argc != 5) {
fprintf(stderr, "Usage: %s <whackrecord> <conn-name> <pcapin1> <pcapin2> <pcapout>\n", progname);
exit(10);
}
tool_init_log();
init_crypto();
load_oswcrypto();
init_fake_vendorid();
init_jamesjohnson_interface();
init_seam_kernelalgs();
infile = argv[0];
conn_name = argv[1];
pcap1in = argv[2];
pcap2in = argv[3];
pcap_out = argv[4];
cur_debugging = DBG_CONTROL|DBG_CONTROLMORE;
if(readwhackmsg(infile) == 0) exit(10);
c1 = con_by_name(conn_name, TRUE);
assert(c1 != NULL);
assert(orient(c1, 500));
show_one_connection(c1);
/* omit the R1 reply */
send_packet_setup_pcap("/dev/null");
/* setup to process the I1 packet */
recv_pcap_setup(pcap1in);
/* process first I1 packet */
cur_debugging = DBG_EMITTING|DBG_CONTROL|DBG_CONTROLMORE;
pcap_dispatch(pt, 1, recv_pcap_packet, NULL);
/* set up output file */
send_packet_setup_pcap(pcap_out);
pcap_close(pt);
/* now process the I2 packet */
recv_pcap_setup(pcap2in);
cur_debugging = DBG_EMITTING|DBG_CONTROL|DBG_CONTROLMORE;
pcap_dispatch(pt, 1, recv_pcap_packet2, NULL);
/* clean up so that we can see any leaks */
st = state_with_serialno(1);
if(st!=NULL) {
free_state(st);
}
report_leaks();
tool_close_log();
exit(0);
}
main(int argc, char *argv[]) {
int len;
char *infile;
char *conn_name;
int lineno = 0;
struct connection *c1;
pcap_t *pt;
char eb1[256];
EF_PROTECT_BELOW = 1;
EF_PROTECT_FREE = 1;
EF_FREE_WIPES = 1;
progname = argv[0];
leak_detective = 1;
init_crypto();
if (argc != 4) {
fprintf(stderr,
"Usage: %s <whackrecord> <conn-name> <pcapin>\n",
progname);
exit(10);
}
/* argv[1] == "-r" */
tool_init_log();
init_fake_vendorid();
infile = argv[1];
conn_name = argv[2];
readwhackmsg(infile);
send_packet_setup_pcap("parentR1.pcap");
c1 = con_by_name(conn_name, TRUE);
show_one_connection(c1);
pt = pcap_open_offline(argv[3], eb1);
if (!pt) {
perror(argv[3]);
exit(50);
}
cur_debugging = DBG_EMITTING | DBG_CONTROL | DBG_CONTROLMORE;
pcap_dispatch(pt, 1, recv_pcap_packet, NULL);
{
struct state *st;
/* find st involved */
st = state_with_serialno(1);
delete_state(st);
}
report_leaks();
tool_close_log();
exit(0);
}
main(int argc, char *argv[])
{
int len;
char *infile;
char *conn_name;
int lineno=0;
int regression = 0;
struct connection *c1;
struct state *st;
#ifdef HAVE_EFENCE
EF_PROTECT_FREE=1;
#endif
progname = argv[0];
leak_detective = 1;
/* skip argv0 */
argc--; argv++;
if(strcmp(argv[0], "-r")==0) {
regression = 1;
argc--; argv++;
}
if(argc != 4) {
fprintf(stderr, "Usage: %s [-r] <whackrecord> <conn-name> <pcapfile> <pcapout>\n", progname);
exit(10);
}
tool_init_log();
init_crypto();
load_oswcrypto();
init_fake_vendorid();
init_parker_interface();
infile = argv[0];
conn_name = argv[1];
cur_debugging = DBG_CONTROL|DBG_CONTROLMORE;
if(readwhackmsg(infile) == 0) exit(10);
/* input packets */
recv_pcap_setup(argv[2]);
/* output first packets to /dev/null */
send_packet_setup_pcap("/dev/null");
c1 = con_by_name(conn_name, TRUE);
assert(c1 != NULL);
assert(orient(c1, 500));
show_one_connection(c1);
st = sendI1(c1, DBG_CONTROL, regression == 0);
/* now accept the reply packet */
cur_debugging = DBG_CONTROL|DBG_PARSING;
/* now output interesting packet to capture file */
send_packet_setup_pcap(argv[3]);
pcap_dispatch(pt, 1, recv_pcap_packet, NULL);
pcap_close(pt);
recv_pcap_setup(argv[2]);
pcap_dispatch(pt, 1, recv_pcap_packet, NULL);
/* dump the delete message that comes out */
send_packet_setup_pcap("/dev/null");
delete_connection(c1, TRUE);
st = state_with_serialno(1);
if(st!=NULL) {
free_state(st);
}
report_leaks();
tool_close_log();
exit(0);
}
/** Lookup information about the hostpair, and set things like bandwidth
* relative crypto strength, compression and credentials.
*
* @param IPsec Policy Query
* @return void
*/
static void
info_lookuphostpair(struct ipsec_policy_cmd_query *ipcq)
{
struct connection *c;
struct state *p1st, *p2st;
/* default result: no crypto */
ipcq->strength = IPSEC_PRIVACY_NONE;
ipcq->bandwidth = IPSEC_QOS_WIRESPEED;
ipcq->credential_count = 0;
#ifdef DEBUG
{
char sstr[ADDRTOT_BUF], dstr[ADDRTOT_BUF];
addrtot(&ipcq->query_local, 0, sstr, sizeof(sstr));
addrtot(&ipcq->query_remote, 0, dstr, sizeof(dstr));
DBG_log("info request for %s -> %s", sstr, dstr);
}
#endif
/* okay, look up what connection handles this ip pair */
c = find_connection_for_clients(NULL,
&ipcq->query_local,
&ipcq->query_remote,
ipcq->proto);
if (c == NULL)
{
/* try reversing it */
c = find_connection_for_clients(NULL,
&ipcq->query_remote,
&ipcq->query_local,
ipcq->proto);
if (c != NULL)
{
ip_address tmp;
/* If it is reversed, swap it */
tmp = ipcq->query_local;
ipcq->query_local = ipcq->query_remote;
ipcq->query_remote = tmp;
}
}
if (c == NULL)
{
#ifdef DEBUG
DBG_log("no connection found");
#endif
return; /* no crypto */
}
if (c->newest_ipsec_sa == SOS_NOBODY)
{
ip_subnet us, them;
DBG_log("connection %s found, no ipsec state, looking again", c->name);
addrtosubnet(&ipcq->query_local, &us);
addrtosubnet(&ipcq->query_remote, &them);
c = find_client_connection(c, &us, &them, 0, 0, 0, 0);
if (c == NULL)
return; /* no crypto */
}
DBG_log("connection %s[%ld] with state %u"
, c->name, c->instance_serial
, (unsigned int)c->newest_ipsec_sa);
if (c->newest_ipsec_sa == SOS_NOBODY)
return; /* no crypto */
/* we found a connection, try to lookup the state */
p2st = state_with_serialno(c->newest_ipsec_sa);
p1st = find_phase1_state(c, ISAKMP_SA_ESTABLISHED_STATES);
if (p1st == NULL || p2st == NULL)
{
DBG_log("connection %s[%ld] has missing states %s %s"
, c->name, c->instance_serial
, (p1st ? "phase1" : "")
, (p2st ? "phase1" : ""));
return; /* no crypto */
}
/* if we have AH present, then record minimal info */
if (p2st->st_ah.present)
{
ipcq->strength = IPSEC_PRIVACY_INTEGRAL;
ipcq->auth_detail = p2st->st_esp.attrs.transattrs.integ_hash;
}
if (p2st->st_esp.present)
{
/*
* XXX-mcr Please do not shout at me about relative strengths
* here. I'm not a cryptographer. I just diddle bits.
*/
switch (p2st->st_esp.attrs.transattrs.encrypt)
{
case ESP_NULL:
/* actually, do not change it if we set it from AH */
break;
case ESP_DES:
case ESP_DES_IV64:
case ESP_DES_IV32:
case ESP_RC4:
ipcq->strength = IPSEC_PRIVACY_ROT13;
break;
case ESP_RC5:
case ESP_IDEA:
case ESP_CAST:
case ESP_BLOWFISH:
case ESP_3DES:
ipcq->strength = IPSEC_PRIVACY_PRIVATE;
ipcq->bandwidth = IPSEC_QOS_VOIP;
break;
case ESP_3IDEA:
ipcq->strength = IPSEC_PRIVACY_STRONG;
ipcq->bandwidth = IPSEC_QOS_INTERACTIVE;
break;
case ESP_AES:
ipcq->strength = IPSEC_PRIVACY_STRONG;
ipcq->bandwidth = IPSEC_QOS_FTP;
break;
}
ipcq->esp_detail = p2st->st_esp.attrs.transattrs.encrypt;
}
if (p2st->st_ipcomp.present)
ipcq->comp_detail = p2st->st_esp.attrs.transattrs.encrypt;
/* now! the credentails that were used */
/* for the moment we only have 1 credential, the DNS name,
* because the DNS servers do not return the chain of SIGs yet
*/
if(!c->spd.this.key_from_DNS_on_demand)
{
/* the key didn't come from the DNS in some way,
* so it must have been loaded locally.
*/
ipcq->credential_count = 1;
ipcq->credentials[0].ii_type = c->spd.this.id.kind;
ipcq->credentials[0].ii_format = CERT_RAW_RSA;
}
#if 0
switch (c->spd.id.kind)
{
case ID_IPV4_ADDR:
}
if (c->gw_info == NULL)
{
plog("rcv_info: connection %s had NULL gw_info.", c->name);
return
}
#endif
ipcq->credential_count = 1;
/* pull credentials out of gw_info */
switch (p1st->st_peer_pubkey->dns_auth_level)
{
case DAL_UNSIGNED:
case DAL_NOTSEC:
/* these seem to be the same for this purpose */
ipcq->credentials[0].ii_type = p1st->st_peer_pubkey->id.kind;
ipcq->credentials[0].ii_type = CERT_NONE;
idtoa(&p1st->st_peer_pubkey->id
, ipcq->credentials[0].ii_credential.ipsec_dns_signed.fqdn
, sizeof(ipcq->credentials[0].ii_credential.ipsec_dns_signed.fqdn));
break;
case DAL_SIGNED:
ipcq->credentials[0].ii_type = p1st->st_peer_pubkey->id.kind;
ipcq->credentials[0].ii_format = CERT_DNS_SIGNED_KEY;
idtoa(&p1st->st_peer_pubkey->id
, ipcq->credentials[0].ii_credential.ipsec_dns_signed.fqdn
, sizeof(ipcq->credentials[0].ii_credential.ipsec_dns_signed.fqdn));
if (p1st->st_peer_pubkey->dns_sig != NULL)
{
strncat(ipcq->credentials[0].ii_credential.ipsec_dns_signed.dns_sig
, p1st->st_peer_pubkey->dns_sig
, sizeof(ipcq->credentials[0].ii_credential.ipsec_dns_signed.dns_sig) - strlen(ipcq->credentials[0].ii_credential.ipsec_dns_signed.dns_sig -1));
}
break;
case DAL_LOCAL:
ipcq->credentials[0].ii_type = p1st->st_peer_pubkey->id.kind;
ipcq->credentials[0].ii_format = CERT_RAW_RSA;
idtoa(&p1st->st_peer_pubkey->id
, ipcq->credentials[0].ii_credential.ipsec_raw_key.id_name
, sizeof(ipcq->credentials[0].ii_credential.ipsec_raw_key.id_name));
break;
}
}
main(int argc, char *argv[])
{
int len;
char *infile;
char *conn_name;
int lineno=0;
int regression = 0;
struct connection *c1;
struct state *st;
EF_PROTECT_FREE=1;
progname = argv[0];
leak_detective = 1;
if(argc != 4 && argc != 5) {
fprintf(stderr, "Usage: %s [-r] <whackrecord> <conn-name> <pcapfile>\n", progname);
exit(10);
}
/* skip argv0 */
argc--; argv++;
if(strcmp(argv[0], "-r")==0) {
regression = 1;
argc--; argv++;
}
tool_init_log();
load_oswcrypto();
init_fake_vendorid();
init_parker_interface();
infile = argv[0];
conn_name = argv[1];
cur_debugging = DBG_CONTROL|DBG_CONTROLMORE;
if(readwhackmsg(infile) == 0) exit(10);
/* input packets */
recv_pcap_setup(argv[2]);
/* output packets */
send_packet_setup_pcap("OUTPUT/parentI2.pcap");
c1 = con_by_name(conn_name, TRUE);
assert(c1 != NULL);
assert(orient(c1, 500));
show_one_connection(c1);
st = sendI1(c1, DBG_CONTROL, regression == 0);
/* now accept the reply packet */
cur_debugging = DBG_CONTROL|DBG_PARSING;
pcap_dispatch(pt, 1, recv_pcap_packet, NULL);
st = state_with_serialno(1);
if(st!=NULL) {
delete_state(st);
free_state(st);
}
report_leaks();
tool_close_log();
exit(0);
}
