void recv_pcap_packet(u_char *user, const struct pcap_pkthdr *h, const u_char *bytes) { struct state *st; struct pcr_kenonce *kn = &r->pcr_d.kn; /* I'm jacob two-two. I do everything twice! */ recv_pcap_packet_gen(user, h, bytes); /* find st involved */ st = state_with_serialno(1); st->st_connection->extra_debugging = DBG_EMITTING | DBG_CONTROL | DBG_CONTROLMORE; /* now fill in the KE values from a constant.. not calculated */ clonetowirechunk(&kn->thespace, kn->space, &kn->secret, tc3_secret, tc3_secret_len); clonetowirechunk(&kn->thespace, kn->space, &kn->n, tc3_nr, tc3_nr_len); clonetowirechunk(&kn->thespace, kn->space, &kn->gi, tc3_gr, tc3_gr_len); run_continuation(r); }
void recv_pcap_packet(u_char *user, const struct pcap_pkthdr *h, const u_char *bytes) { struct state *st; struct pcr_kenonce *kn = &r->pcr_d.kn; recv_pcap_packet_gen(user, h, bytes); /* find st involved */ st = state_with_serialno(1); st->st_connection->extra_debugging = DBG_EMITTING | DBG_CONTROL | DBG_CONTROLMORE; /* now fill in the KE values from a constant.. not calculated */ WIRE_CLONE_DATA(kn, secret, tc3_secret, tc3_secret_len); WIRE_CLONE_DATA(kn, n, tc3_nr, tc3_nr_len); WIRE_CLONE_DATA(kn, gi, tc3_gr, tc3_gr_len); run_continuation(r); }
void rekeyit() { struct state *st = NULL; struct pcr_kenonce *kn = &crypto_req->pcr_d.kn; fprintf(stderr, "now pretend that the keylife timer is up, and rekey the connection\n"); show_states_status(); timer_list(); st = state_with_serialno(2); /* capture the rekey message */ send_packet_setup_pcap("OUTPUT/rekeyikev2-I1.pcap"); if(st) { DBG(DBG_LIFECYCLE , openswan_log("replacing stale %s SA" , (IS_PHASE1(st->st_state)|| IS_PHASE15(st->st_state ))? "ISAKMP" : "IPsec")); ipsecdoi_replace(st, LEMPTY, LEMPTY, 1); } else { fprintf(stderr, "no state #2 found\n"); } passert(kn->oakley_group == tc14_oakleygroup); /* now fill in the KE values from a constant.. not calculated */ clonetowirechunk(&kn->thespace, kn->space, &kn->secret, tc14_secret,tc14_secret_len); clonetowirechunk(&kn->thespace, kn->space, &kn->n, tc14_ni, tc14_ni_len); /* maybe change nonce for rekey? */ clonetowirechunk(&kn->thespace, kn->space, &kn->gi, tc14_gi, tc14_gi_len); run_continuation(crypto_req); send_packet_close(); }
/* * this routine accepts the I3 packet, and the causes a rekey to be queued */ void recv_pcap_I3_rekey(u_char *user , const struct pcap_pkthdr *h , const u_char *bytes) { struct state *st = NULL; struct pcr_kenonce *kn = &crypto_req->pcr_d.kn; /* create a socket for a possible whack process that is doing --up */ int fake_whack_fd = open("/dev/null", O_RDWR); passert(fake_whack_fd != -1); recv_pcap_packet(user, h, bytes); fprintf(stderr, "now pretend that the keylife timer is up, and rekey the connection\n"); show_states_status(); timer_list(); st = state_with_serialno(2); st->st_whack_sock = fake_whack_fd; if(st) { DBG(DBG_LIFECYCLE , openswan_log("replacing stale %s SA" , (IS_PHASE1(st->st_state)|| IS_PHASE15(st->st_state ))? "ISAKMP" : "IPsec")); ipsecdoi_replace(st, LEMPTY, LEMPTY, 1); } else { fprintf(stderr, "no state #2 found\n"); } /* find new state! */ st = state_with_serialno(3); passert(st->st_whack_sock != -1); passert(kn->oakley_group == SS(oakleygroup)); /* now fill in the KE values from a constant.. not calculated */ clonetowirechunk(&kn->thespace, kn->space, &kn->secret, SS(secret.ptr),SS(secret.len)); clonetowirechunk(&kn->thespace, kn->space, &kn->n, SS(ni.ptr), SS(ni.len)); /* maybe change nonce for rekey? */ clonetowirechunk(&kn->thespace, kn->space, &kn->gi, SS(gi.ptr), SS(gi.len)); run_continuation(crypto_req); }
void enable_debugging_on_sa(int num) { struct state *st; lset_t to_enable = WANT_THIS_DBG; st = state_with_serialno(num); if(st != NULL) { passert(st->st_connection != NULL); st->st_connection->extra_debugging = to_enable; } }
/* * Show IKE algorithms for * - this connection (result from ike= string) * - newest SA */ void ike_alg_show_connection(struct connection *c, const char *instance) { struct state *st; if (c->alg_info_ike) { char buf[1024]; alg_info_snprint(buf, sizeof(buf) - 1, (struct alg_info *)c->alg_info_ike); whack_log(RC_COMMENT, "\"%s\"%s: IKE algorithms wanted: %s", c->name, instance, buf); alg_info_snprint_ike(buf, sizeof(buf), c->alg_info_ike); whack_log(RC_COMMENT, "\"%s\"%s: IKE algorithms found: %s", c->name, instance, buf); } st = state_with_serialno(c->newest_isakmp_sa); if (st != NULL) { static char encbuf[ENUM_SHOW_BUF_LEN]; static char prfbuf[ENUM_SHOW_BUF_LEN]; static char integbuf[ENUM_SHOW_BUF_LEN]; static char groupbuf[ENUM_SHOW_BUF_LEN]; if (!st->st_ikev2) { /* IKEv1 */ whack_log(RC_COMMENT, "\"%s\"%s: IKE algorithm newest: %s_%03d-%s-%s", c->name, instance, strip_prefix(enum_showb(&oakley_enc_names, st->st_oakley.encrypt, encbuf, sizeof(encbuf)), "OAKLEY_"), /* st->st_oakley.encrypter->keydeflen, */ st->st_oakley.enckeylen, strip_prefix(enum_showb(&oakley_hash_names, st->st_oakley.prf_hash, prfbuf, sizeof(prfbuf)), "OAKLEY_"), strip_prefix(enum_showb(&oakley_group_names, st->st_oakley.group->group, groupbuf, sizeof(groupbuf)), "OAKLEY_GROUP_")); } else { /* IKEv2 */ whack_log(RC_COMMENT, "\"%s\"%s: IKEv2 algorithm newest: %s_%03d-%s-%s-%s", c->name, instance, enum_showb(&ikev2_trans_type_encr_names, st->st_oakley.encrypt, encbuf, sizeof(encbuf)), /* st->st_oakley.encrypter->keydeflen, */ st->st_oakley.enckeylen, enum_showb(&ikev2_trans_type_integ_names, st->st_oakley.integ_hash, integbuf, sizeof(integbuf)), enum_showb(&ikev2_trans_type_prf_names, st->st_oakley.prf_hash, prfbuf, sizeof(prfbuf)), strip_prefix(enum_showb(&oakley_group_names, st->st_oakley.group->group, groupbuf, sizeof(groupbuf)), "OAKLEY_GROUP_")); } } }
/* * Show IKE algorithms for * - this connection (result from ike= string) * - newest SA */ void ike_alg_show_connection(const struct connection *c, const char *instance) { const struct state *st; if (c->alg_info_ike != NULL) { char buf[1024]; alg_info_ike_snprint(buf, sizeof(buf) - 1, c->alg_info_ike); whack_log(RC_COMMENT, "\"%s\"%s: IKE algorithms wanted: %s", c->name, instance, buf); alg_info_snprint_ike(buf, sizeof(buf), c->alg_info_ike); whack_log(RC_COMMENT, "\"%s\"%s: IKE algorithms found: %s", c->name, instance, buf); } st = state_with_serialno(c->newest_isakmp_sa); if (st != NULL) { struct esb_buf encbuf, prfbuf, integbuf, groupbuf; if (!st->st_ikev2) { /* IKEv1 */ whack_log(RC_COMMENT, "\"%s\"%s: IKE algorithm newest: %s_%03d-%s-%s", c->name, instance, enum_show_shortb(&oakley_enc_names, st->st_oakley.encrypt, &encbuf), /* st->st_oakley.encrypter->keydeflen, */ st->st_oakley.enckeylen, enum_show_shortb(&oakley_hash_names, st->st_oakley.prf_hash, &prfbuf), enum_show_shortb(&oakley_group_names, st->st_oakley.group->group, &groupbuf)); } else { /* IKEv2 */ whack_log(RC_COMMENT, "\"%s\"%s: IKEv2 algorithm newest: %s_%03d-%s-%s-%s", c->name, instance, enum_showb(&ikev2_trans_type_encr_names, st->st_oakley.encrypt, &encbuf), /* st->st_oakley.encrypter->keydeflen, */ st->st_oakley.enckeylen, enum_showb(&ikev2_trans_type_integ_names, st->st_oakley.integ_hash, &integbuf), enum_showb(&ikev2_trans_type_prf_names, st->st_oakley.prf_hash, &prfbuf), enum_show_shortb(&oakley_group_names, st->st_oakley.group->group, &groupbuf)); } } }
void recv_pcap_packet(u_char *user, const struct pcap_pkthdr *h, const u_char *bytes) { struct state *st; struct pcr_kenonce *kn = &r->pcr_d.kn; recv_pcap_packet_gen(user, h, bytes); /* find st involved */ st = state_with_serialno(1); st->st_connection->extra_debugging = DBG_EMITTING | DBG_CONTROL | DBG_CONTROLMORE; run_continuation(r); }
/* this is replicated in the unit test cases since the patching up of the crypto values is case specific */ void recv_pcap_packet(u_char *user , const struct pcap_pkthdr *h , const u_char *bytes) { struct state *st; struct pcr_kenonce *kn = &crypto_req->pcr_d.kn; recv_pcap_packet_gen(user, h, bytes); /* find st involved */ st = state_with_serialno(1); if(st != NULL) { passert(st != NULL); st->st_connection->extra_debugging = DBG_EMITTING|DBG_CONTROL|DBG_CONTROLMORE|DBG_CRYPT|DBG_PRIVATE; } run_continuation(crypto_req); }
/* this is replicated in the unit test cases since the patching up of the crypto values is case specific */ void recv_pcap_packet(u_char *user , const struct pcap_pkthdr *h , const u_char *bytes) { struct state *st; struct pcr_kenonce *kn = &crypto_req->pcr_d.kn; recv_pcap_packet_gen(user, h, bytes); /* find st involved */ st = state_with_serialno(1); if(st) { st->st_connection->extra_debugging = DBG_EMITTING|DBG_CONTROL|DBG_CONTROLMORE; /* now fill in the KE values from a constant.. not calculated */ clonetowirechunk(&kn->thespace, kn->space, &kn->secret, tc14_secretr,tc14_secretr_len); clonetowirechunk(&kn->thespace, kn->space, &kn->n, tc14_nr, tc14_nr_len); clonetowirechunk(&kn->thespace, kn->space, &kn->gi, tc14_gr, tc14_gr_len); run_continuation(crypto_req); } }
/* * Show IKE algorithms for * - this connection (result from ike= string) * - newest SA */ void ike_alg_show_connection(struct connection *c, const char *instance) { char buf[256]; struct state *st; if (c->alg_info_ike) { alg_info_snprint(buf, sizeof(buf), (struct alg_info *)c->alg_info_ike); whack_log(RC_COMMENT , "\"%s\"%s: IKE algorithms wanted: %s" , c->name , instance , buf); } if (c->alg_info_ike) { alg_info_snprint_ike(buf, sizeof(buf), c->alg_info_ike); whack_log(RC_COMMENT , "\"%s\"%s: IKE algorithms found: %s" , c->name , instance , buf); } st = state_with_serialno(c->newest_isakmp_sa); if (st) whack_log(RC_COMMENT , "\"%s\"%s: IKE algorithm newest: %s_%d-%s-%s" , c->name , instance , enum_show(&oakley_enc_names, st->st_oakley.encrypt) +7 /* strlen("OAKLEY_") */ /* , st->st_oakley.encrypter->keydeflen */ , st->st_oakley.enckeylen , enum_show(&oakley_hash_names, st->st_oakley.hash) +7 /* strlen("OAKLEY_") */ , enum_show(&oakley_group_names, st->st_oakley.group->group) +13 /* strlen("OAKLEY_GROUP_") */ ); }
void recv_pcap_packetC1(u_char *user , const struct pcap_pkthdr *h , const u_char *bytes) { struct state *st; struct pcr_kenonce *kn = &crypto_req->pcr_d.kn; recv_pcap_packet_gen(user, h, bytes); /* find st involved */ st = state_with_serialno(3); st->st_connection->extra_debugging = DBG_PRIVATE|DBG_CRYPT|DBG_PARSING|DBG_EMITTING|DBG_CONTROL|DBG_CONTROLMORE; /* now fill in the KE values from a constant.. not calculated */ clonetowirechunk(&kn->thespace, kn->space, &kn->n, SS(nr.ptr), SS(nr.len)); clonetowirechunk(&kn->thespace, kn->space, &kn->gi, SS(gr.ptr), SS(gr.len)); run_one_continuation(crypto_req); /* now do the second calculation */ clonetowirechunk(&kn->thespace, kn->space, &kn->secret, SS(secret.ptr),SS(secret.len)); run_one_continuation(crypto_req); }
void recv_pcap_packet1(u_char *user, const struct pcap_pkthdr *h, const u_char *bytes) { struct state *st; struct pcr_kenonce *kn = &r->pcr_d.kn; recv_pcap_packet_gen(user, h, bytes); /* find st involved */ st = state_with_serialno(1); st->st_connection->extra_debugging = add_debugging; /* now fill in the SKEYSEED values from constants.. not calculated */ WIRE_CLONE_DATA(kn, secret, tc3_secret, tc3_secret_len); WIRE_CLONE_DATA(kn, n, tc3_ni, tc3_ni_len); WIRE_CLONE_DATA(kn, gi, tc3_gi, tc3_gi_len); run_continuation(r); }
main(int argc, char *argv[]){ int len; char *infile; char *conn_name; int lineno = 0; struct connection *c1; pcap_t *pt; char eb1[256]; struct state *st; EF_PROTECT_FREE = 1; EF_FREE_WIPES = 1; progname = argv[0]; printf("Started %s\n", progname); leak_detective = 1; pluto_shared_secrets_file = "../../../baseconfigs/west/etc/ipsec.secrets"; lsw_init_ipsecdir("../../../baseconfigs/west/etc/ipsec.d"); lsw_init_rootdir("../../../baseconfigs/west"); init_crypto(); init_seam_kernelalgs(); load_authcerts("CA cert", "../../../baseconfigs/west/etc/ipsec.d/cacerts", AUTH_CA); if (argc != 4) { fprintf(stderr, "Usage: %s <whackrecord> <conn-name> <pcapin>\n", progname); exit(10); } /* argv[1] == "-r" */ tool_init_log(); init_fake_vendorid(); infile = argv[1]; conn_name = argv[2]; load_preshared_secrets(NULL_FD); readwhackmsg(infile); send_packet_setup_pcap("parentI2x509.pcap"); pt = pcap_open_offline(argv[3], eb1); if (!pt) { perror(argv[3]); exit(50); } c1 = con_by_name(conn_name, TRUE); show_one_connection(c1); /* now, send the I1 packet, really just so that we are in the right * state to receive the R1 packet and process it. */ st = sendI1(c1, 0); cur_debugging = DBG_EMITTING | DBG_CONTROL | DBG_CONTROLMORE | DBG_PARSING | DBG_PRIVATE | DBG_CRYPT; pcap_dispatch(pt, 1, recv_pcap_packet1, NULL); { struct state *st; /* find st involved */ st = state_with_serialno(1); delete_state(st); /* find st involved */ st = state_with_serialno(2); if (st) delete_state(st); } report_leaks(); tool_close_log(); exit(0); }
static void cannot_oppo(struct connection *c , struct find_oppo_bundle *b , err_t ughmsg) { char pcb[ADDRTOT_BUF]; char ocb[ADDRTOT_BUF]; addrtot(&b->peer_client, 0, pcb, sizeof(pcb)); addrtot(&b->our_client, 0, ocb, sizeof(ocb)); DBG(DBG_OPPO, openswan_log("Can not opportunistically initiate for %s to %s: %s" , ocb, pcb, ughmsg)); whack_log(RC_OPPOFAILURE , "Can not opportunistically initiate for %s to %s: %s" , ocb, pcb, ughmsg); if (c != NULL && c->policy_next != NULL) { /* there is some policy that comes afterwards */ struct spd_route *shunt_spd; struct connection *nc = c->policy_next; struct state *st; passert(c->kind == CK_TEMPLATE); passert(nc->kind == CK_PERMANENT); DBG(DBG_OPPO, DBG_log("OE failed for %s to %s, but %s overrides shunt" , ocb, pcb, nc->name)); /* * okay, here we need add to the "next" policy, which is ought * to be an instance. * We will add another entry to the spd_route list for the specific * situation that we have. */ shunt_spd = clone_thing(nc->spd, "shunt eroute policy"); shunt_spd->next = nc->spd.next; nc->spd.next = shunt_spd; happy(addrtosubnet(&b->peer_client, &shunt_spd->that.client)); if (sameaddr(&b->peer_client, &shunt_spd->that.host_addr)) shunt_spd->that.has_client = FALSE; /* * override the tunnel destination with the one from the secondaried * policy */ shunt_spd->that.host_addr = nc->spd.that.host_addr; /* now, lookup the state, and poke it up. */ st = state_with_serialno(nc->newest_ipsec_sa); /* XXX what to do if the IPSEC SA has died? */ passert(st != NULL); /* link the new connection instance to the state's list of * connections */ DBG(DBG_OPPO, DBG_log("installing state: %ld for %s to %s" , nc->newest_ipsec_sa , ocb, pcb)); #ifdef DEBUG if (DBGP(DBG_OPPO | DBG_CONTROLMORE)) { char state_buf[LOG_WIDTH]; char state_buf2[LOG_WIDTH]; const time_t n = now(); fmt_state(st, n, state_buf, sizeof(state_buf) , state_buf2, sizeof(state_buf2)); DBG_log("cannot_oppo, failure SA1: %s", state_buf); DBG_log("cannot_oppo, failure SA2: %s", state_buf2); } #endif /* DEBUG */ if (!route_and_eroute(c, shunt_spd, st)) { whack_log(RC_OPPOFAILURE , "failed to instantiate shunt policy %s for %s to %s" , c->name , ocb, pcb); } return; } /* * NETKEY default for level param in tmpl is required, so no traffic will * transmitted until an SA is fully up */ if (b->held && kern_interface != USE_NETKEY) { int failure_shunt = b->failure_shunt; /* Replace HOLD with b->failure_shunt. * If no failure_shunt specified, use SPI_PASS -- THIS MAY CHANGE. */ if (failure_shunt == 0) { DBG(DBG_OPPO, DBG_log("no explicit failure shunt for %s to %s; removing spurious hold shunt" , ocb, pcb)); } (void) replace_bare_shunt(&b->our_client, &b->peer_client , b->policy_prio , failure_shunt , failure_shunt != 0 , b->transport_proto , ughmsg); } }
/* Handle a kernel request. Supposedly, there's a message in * the kernelsock socket. */ void whack_handle(int whackctlfd) { struct whack_message msg; struct sockaddr_un whackaddr; int whackaddrlen = sizeof(whackaddr); int whackfd = accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen); ssize_t n; if (whackfd < 0) { log_errno((e, "accept() failed in whack_handle()")); return; } n = read(whackfd, &msg, sizeof(msg)); if (n == -1) { log_errno((e, "read() failed in whack_handle()")); close(whackfd); return; } whack_log_fd = whackfd; /* sanity check message */ { err_t ugh = NULL; next_str = msg.string; str_roof = (char *)&msg + n; if (next_str > str_roof) { ugh = builddiag("truncated message from whack: got %d bytes; expected %d. Message ignored." , n, (int) sizeof(msg)); } else if (msg.magic != WHACK_MAGIC) { ugh = builddiag("message from whack has bad magic %d; should be %d; probably wrong version. Message ignored" , msg.magic, WHACK_MAGIC); } else if (!unpack_str(&msg.name) /* string 1 */ || !unpack_str(&msg.left.id) /* string 2 */ || !unpack_str(&msg.left.cert) /* string 3 */ || !unpack_str(&msg.left.updown) /* string 4 */ #ifdef VIRTUAL_IP || !unpack_str(&msg.left.virt) #endif || !unpack_str(&msg.right.id) /* string 5 */ || !unpack_str(&msg.right.cert) /* string 6 */ || !unpack_str(&msg.right.updown) /* string 7 */ #ifdef VIRTUAL_IP || !unpack_str(&msg.right.virt) #endif || !unpack_str(&msg.keyid) /* string 8 */ || !unpack_str(&msg.ike) /* string 9 */ || !unpack_str(&msg.esp) /* string 10 */ || !unpack_str(&msg.dnshostname) /* string 11 */ || str_roof - next_str != (ptrdiff_t)msg.keyval.len) /* check chunk */ { ugh = "message from whack contains bad string"; } else { msg.keyval.ptr = next_str; /* grab chunk */ } if (ugh != NULL) { loglog(RC_BADWHACKMESSAGE, "%s", ugh); whack_log_fd = NULL_FD; close(whackfd); return; } } if (msg.whack_options) { #ifdef DEBUG if (msg.name == NULL) { /* we do a two-step so that if either old or new would * cause the message to print, it will be printed. */ cur_debugging |= msg.debugging; DBG(DBG_CONTROL , DBG_log("base debugging = %s" , bitnamesof(debug_bit_names, msg.debugging))); cur_debugging = base_debugging = msg.debugging; } else if (!msg.whack_connection) { struct connection *c = con_by_name(msg.name, TRUE); if (c != NULL) { c->extra_debugging = msg.debugging; DBG(DBG_CONTROL , DBG_log("\"%s\" extra_debugging = %s" , c->name , bitnamesof(debug_bit_names, c->extra_debugging))); } } #endif } /* Deleting combined with adding a connection works as replace. * To make this more useful, in only this combination, * delete will silently ignore the lack of the connection. */ if (msg.whack_delete) { struct connection *c = con_by_name(msg.name, !msg.whack_connection); /* note: this is a "while" because road warrior * leads to multiple connections with the same name. */ for (; c != NULL; c = con_by_name(msg.name, FALSE)) delete_connection(c); } if (msg.whack_deletestate) { struct state *st = state_with_serialno(msg.whack_deletestateno); if (st == NULL) { loglog(RC_UNKNOWN_NAME, "no state #%lu to delete" , msg.whack_deletestateno); } else { delete_state(st); } } if (msg.whack_connection) add_connection(&msg); /* process "listen" before any operation that could require it */ if (msg.whack_listen) { log("listening for IKE messages"); listening = TRUE; find_ifaces(); load_preshared_secrets(); } if (msg.whack_unlisten) { log("no longer listening for IKE messages"); listening = FALSE; } if (msg.whack_reread & REREAD_SECRETS) { load_preshared_secrets(); } if (msg.whack_reread & REREAD_MYCERT) { load_mycert(); } if (msg.whack_reread & REREAD_CACERTS) { load_cacerts(); } if (msg.whack_reread & REREAD_CRLS) { load_crls(); } if (msg.whack_list & LIST_PUBKEYS) { list_public_keys(msg.whack_utc); } if (msg.whack_list & LIST_CERTS) { list_certs(msg.whack_utc); } if (msg.whack_list & LIST_CACERTS) { list_cacerts(msg.whack_utc); } if (msg.whack_list & LIST_CRLS) { list_crls(msg.whack_utc); } if (msg.whack_key) { /* add a public key */ struct id keyid; err_t ugh = atoid(msg.keyid, &keyid); if (ugh != NULL) { loglog(RC_BADID, "bad --keyid \"%s\": %s", msg.keyid, ugh); } else { if (!msg.whack_addkey) delete_public_keys(&keyid, msg.pubkey_alg); if (msg.keyval.len == 0) { struct key_add_continuation *kc = alloc_thing(struct key_add_continuation , "key add continuation"); int wfd = dup_any(whackfd); kc->whack_fd = wfd; ugh = start_adns_query(&keyid , NULL , T_KEY , key_add_continue , &kc->ac); if (ugh != NULL) { key_add_ugh(&keyid, ugh); close_any(wfd); } } else { ugh = add_public_key(&keyid, DAL_LOCAL, msg.pubkey_alg , &msg.keyval, &pubkeys); if (ugh != NULL) loglog(RC_LOG_SERIOUS, "%s", ugh); } } }
main(int argc, char *argv[]) { int len; char *infile; char *conn_name; int lineno=0; int regression = 0; struct connection *c1; struct state *st; #ifdef HAVE_EFENCE EF_PROTECT_FREE=1; #endif progname = argv[0]; leak_detective = 1; if(argc != 3 && argc!=4) { fprintf(stderr, "Usage: %s [-r] <whackrecord> <conn-name>\n", progname); exit(10); } /* skip argv0 */ argc--; argv++; if(strcmp(argv[0], "-r")==0) { regression = 1; argc--; argv++; } tool_init_log(); load_oswcrypto(); init_fake_vendorid(); init_fake_secrets(); init_local_interface(); infile = argv[0]; conn_name = argv[1]; cur_debugging = DBG_CONTROL|DBG_CONTROLMORE; if(readwhackmsg(infile) == 0) exit(11); send_packet_setup_pcap("OUTPUT/" TESTNAME ".pcap"); c1 = con_by_name(conn_name, TRUE); assert(c1 != NULL); //list_public_keys(FALSE, FALSE); #ifndef SKIP_ORIENT_ASSERT assert(orient(c1, 500)); #endif show_one_connection(c1); #ifndef SKIP_INITIATE /* do calculation if not -r for regression */ st = sendI1(c1, DBG_EMITTING|DBG_CONTROL|DBG_CONTROLMORE, regression == 0); st = state_with_serialno(1); if(st!=NULL) { delete_state(st); free_state(st); } #endif delete_connection(c1, TRUE); report_leaks(); tool_close_log(); exit(0); }
int main(int argc, char *argv[]) { int len; char *infile, *pcapin, *pcapout; char *conn_name; int lineno=0; struct connection *c1; struct state *st; char eb1[256]; /* error buffer for pcap open */ #ifdef HAVE_EFENCE EF_PROTECT_FREE=1; #endif progname = argv[0]; leak_detective = 1; if(argc <= 4) { usage: fprintf(stderr, "Usage: %s <whackrecord> <conn-name> <pcapin> <pcapout>\n", progname); exit(10); } /* argv[1] == "-r" ?? */ tool_init_log(); init_crypto(); init_fake_vendorid(); init_fake_secrets(); init_jamesjohnson_interface(); infile = NULL; conn_name = NULL; pcapin = NULL; pcapout = NULL; argc--; argv++; if(argc > 0) { infile = argv[0]; argc--; argv++; } if(argc > 0) { conn_name = argv[0]; argc--; argv++; } if(argc > 0) { pcapin = argv[0]; argc--; argv++; } if(argc > 0) { pcapout = argv[0]; argc--; argv++; } if(conn_name == NULL || infile == NULL || pcapin == NULL || pcapout == NULL) { goto usage; } cur_debugging = DBG_CONTROL|DBG_CONTROLMORE; if(readwhackmsg(infile) == 0) exit(10); c1 = con_by_name(conn_name, TRUE); assert(c1 != NULL); assert(orient(c1, 500)); show_one_connection(c1, whack_log); send_packet_setup_pcap(pcapout); /* setup to process the I1 packet */ recv_pcap_setup(pcapin); cur_debugging = DBG_EMITTING|DBG_CONTROL|DBG_CONTROLMORE; pcap_dispatch(pt, 1, recv_pcap_packet, NULL); /* clean up so that we can see any leaks */ st = state_with_serialno(1); if(st!=NULL) { delete_state(st); free_state(st); } delete_connection(c1, TRUE); report_leaks(); tool_close_log(); exit(0); }
main(int argc, char *argv[]) { int len; char *infile; char *conn_name; char *pcap1in; char *pcap2in; char *pcap_out; int lineno=0; int regression; struct connection *c1; struct state *st; EF_PROTECT_FREE=1; progname = argv[0]; leak_detective = 1; /* skip argv0 */ argc--; argv++; if(strcmp(argv[0], "-r")==0) { regression = 1; argc--; argv++; } if(argc != 5) { fprintf(stderr, "Usage: %s <whackrecord> <conn-name> <pcapin1> <pcapin2> <pcapout>\n", progname); exit(10); } tool_init_log(); init_crypto(); load_oswcrypto(); init_fake_vendorid(); init_jamesjohnson_interface(); init_seam_kernelalgs(); infile = argv[0]; conn_name = argv[1]; pcap1in = argv[2]; pcap2in = argv[3]; pcap_out = argv[4]; cur_debugging = DBG_CONTROL|DBG_CONTROLMORE; if(readwhackmsg(infile) == 0) exit(10); c1 = con_by_name(conn_name, TRUE); assert(c1 != NULL); assert(orient(c1, 500)); show_one_connection(c1); /* omit the R1 reply */ send_packet_setup_pcap("/dev/null"); /* setup to process the I1 packet */ recv_pcap_setup(pcap1in); /* process first I1 packet */ cur_debugging = DBG_EMITTING|DBG_CONTROL|DBG_CONTROLMORE; pcap_dispatch(pt, 1, recv_pcap_packet, NULL); /* set up output file */ send_packet_setup_pcap(pcap_out); pcap_close(pt); /* now process the I2 packet */ recv_pcap_setup(pcap2in); cur_debugging = DBG_EMITTING|DBG_CONTROL|DBG_CONTROLMORE; pcap_dispatch(pt, 1, recv_pcap_packet2, NULL); /* clean up so that we can see any leaks */ st = state_with_serialno(1); if(st!=NULL) { free_state(st); } report_leaks(); tool_close_log(); exit(0); }
main(int argc, char *argv[]) { int len; char *infile; char *conn_name; int lineno = 0; struct connection *c1; pcap_t *pt; char eb1[256]; EF_PROTECT_BELOW = 1; EF_PROTECT_FREE = 1; EF_FREE_WIPES = 1; progname = argv[0]; leak_detective = 1; init_crypto(); if (argc != 4) { fprintf(stderr, "Usage: %s <whackrecord> <conn-name> <pcapin>\n", progname); exit(10); } /* argv[1] == "-r" */ tool_init_log(); init_fake_vendorid(); infile = argv[1]; conn_name = argv[2]; readwhackmsg(infile); send_packet_setup_pcap("parentR1.pcap"); c1 = con_by_name(conn_name, TRUE); show_one_connection(c1); pt = pcap_open_offline(argv[3], eb1); if (!pt) { perror(argv[3]); exit(50); } cur_debugging = DBG_EMITTING | DBG_CONTROL | DBG_CONTROLMORE; pcap_dispatch(pt, 1, recv_pcap_packet, NULL); { struct state *st; /* find st involved */ st = state_with_serialno(1); delete_state(st); } report_leaks(); tool_close_log(); exit(0); }
main(int argc, char *argv[]) { int len; char *infile; char *conn_name; int lineno=0; int regression = 0; struct connection *c1; struct state *st; #ifdef HAVE_EFENCE EF_PROTECT_FREE=1; #endif progname = argv[0]; leak_detective = 1; /* skip argv0 */ argc--; argv++; if(strcmp(argv[0], "-r")==0) { regression = 1; argc--; argv++; } if(argc != 4) { fprintf(stderr, "Usage: %s [-r] <whackrecord> <conn-name> <pcapfile> <pcapout>\n", progname); exit(10); } tool_init_log(); init_crypto(); load_oswcrypto(); init_fake_vendorid(); init_parker_interface(); infile = argv[0]; conn_name = argv[1]; cur_debugging = DBG_CONTROL|DBG_CONTROLMORE; if(readwhackmsg(infile) == 0) exit(10); /* input packets */ recv_pcap_setup(argv[2]); /* output first packets to /dev/null */ send_packet_setup_pcap("/dev/null"); c1 = con_by_name(conn_name, TRUE); assert(c1 != NULL); assert(orient(c1, 500)); show_one_connection(c1); st = sendI1(c1, DBG_CONTROL, regression == 0); /* now accept the reply packet */ cur_debugging = DBG_CONTROL|DBG_PARSING; /* now output interesting packet to capture file */ send_packet_setup_pcap(argv[3]); pcap_dispatch(pt, 1, recv_pcap_packet, NULL); pcap_close(pt); recv_pcap_setup(argv[2]); pcap_dispatch(pt, 1, recv_pcap_packet, NULL); /* dump the delete message that comes out */ send_packet_setup_pcap("/dev/null"); delete_connection(c1, TRUE); st = state_with_serialno(1); if(st!=NULL) { free_state(st); } report_leaks(); tool_close_log(); exit(0); }
/** Lookup information about the hostpair, and set things like bandwidth * relative crypto strength, compression and credentials. * * @param IPsec Policy Query * @return void */ static void info_lookuphostpair(struct ipsec_policy_cmd_query *ipcq) { struct connection *c; struct state *p1st, *p2st; /* default result: no crypto */ ipcq->strength = IPSEC_PRIVACY_NONE; ipcq->bandwidth = IPSEC_QOS_WIRESPEED; ipcq->credential_count = 0; #ifdef DEBUG { char sstr[ADDRTOT_BUF], dstr[ADDRTOT_BUF]; addrtot(&ipcq->query_local, 0, sstr, sizeof(sstr)); addrtot(&ipcq->query_remote, 0, dstr, sizeof(dstr)); DBG_log("info request for %s -> %s", sstr, dstr); } #endif /* okay, look up what connection handles this ip pair */ c = find_connection_for_clients(NULL, &ipcq->query_local, &ipcq->query_remote, ipcq->proto); if (c == NULL) { /* try reversing it */ c = find_connection_for_clients(NULL, &ipcq->query_remote, &ipcq->query_local, ipcq->proto); if (c != NULL) { ip_address tmp; /* If it is reversed, swap it */ tmp = ipcq->query_local; ipcq->query_local = ipcq->query_remote; ipcq->query_remote = tmp; } } if (c == NULL) { #ifdef DEBUG DBG_log("no connection found"); #endif return; /* no crypto */ } if (c->newest_ipsec_sa == SOS_NOBODY) { ip_subnet us, them; DBG_log("connection %s found, no ipsec state, looking again", c->name); addrtosubnet(&ipcq->query_local, &us); addrtosubnet(&ipcq->query_remote, &them); c = find_client_connection(c, &us, &them, 0, 0, 0, 0); if (c == NULL) return; /* no crypto */ } DBG_log("connection %s[%ld] with state %u" , c->name, c->instance_serial , (unsigned int)c->newest_ipsec_sa); if (c->newest_ipsec_sa == SOS_NOBODY) return; /* no crypto */ /* we found a connection, try to lookup the state */ p2st = state_with_serialno(c->newest_ipsec_sa); p1st = find_phase1_state(c, ISAKMP_SA_ESTABLISHED_STATES); if (p1st == NULL || p2st == NULL) { DBG_log("connection %s[%ld] has missing states %s %s" , c->name, c->instance_serial , (p1st ? "phase1" : "") , (p2st ? "phase1" : "")); return; /* no crypto */ } /* if we have AH present, then record minimal info */ if (p2st->st_ah.present) { ipcq->strength = IPSEC_PRIVACY_INTEGRAL; ipcq->auth_detail = p2st->st_esp.attrs.transattrs.integ_hash; } if (p2st->st_esp.present) { /* * XXX-mcr Please do not shout at me about relative strengths * here. I'm not a cryptographer. I just diddle bits. */ switch (p2st->st_esp.attrs.transattrs.encrypt) { case ESP_NULL: /* actually, do not change it if we set it from AH */ break; case ESP_DES: case ESP_DES_IV64: case ESP_DES_IV32: case ESP_RC4: ipcq->strength = IPSEC_PRIVACY_ROT13; break; case ESP_RC5: case ESP_IDEA: case ESP_CAST: case ESP_BLOWFISH: case ESP_3DES: ipcq->strength = IPSEC_PRIVACY_PRIVATE; ipcq->bandwidth = IPSEC_QOS_VOIP; break; case ESP_3IDEA: ipcq->strength = IPSEC_PRIVACY_STRONG; ipcq->bandwidth = IPSEC_QOS_INTERACTIVE; break; case ESP_AES: ipcq->strength = IPSEC_PRIVACY_STRONG; ipcq->bandwidth = IPSEC_QOS_FTP; break; } ipcq->esp_detail = p2st->st_esp.attrs.transattrs.encrypt; } if (p2st->st_ipcomp.present) ipcq->comp_detail = p2st->st_esp.attrs.transattrs.encrypt; /* now! the credentails that were used */ /* for the moment we only have 1 credential, the DNS name, * because the DNS servers do not return the chain of SIGs yet */ if(!c->spd.this.key_from_DNS_on_demand) { /* the key didn't come from the DNS in some way, * so it must have been loaded locally. */ ipcq->credential_count = 1; ipcq->credentials[0].ii_type = c->spd.this.id.kind; ipcq->credentials[0].ii_format = CERT_RAW_RSA; } #if 0 switch (c->spd.id.kind) { case ID_IPV4_ADDR: } if (c->gw_info == NULL) { plog("rcv_info: connection %s had NULL gw_info.", c->name); return } #endif ipcq->credential_count = 1; /* pull credentials out of gw_info */ switch (p1st->st_peer_pubkey->dns_auth_level) { case DAL_UNSIGNED: case DAL_NOTSEC: /* these seem to be the same for this purpose */ ipcq->credentials[0].ii_type = p1st->st_peer_pubkey->id.kind; ipcq->credentials[0].ii_type = CERT_NONE; idtoa(&p1st->st_peer_pubkey->id , ipcq->credentials[0].ii_credential.ipsec_dns_signed.fqdn , sizeof(ipcq->credentials[0].ii_credential.ipsec_dns_signed.fqdn)); break; case DAL_SIGNED: ipcq->credentials[0].ii_type = p1st->st_peer_pubkey->id.kind; ipcq->credentials[0].ii_format = CERT_DNS_SIGNED_KEY; idtoa(&p1st->st_peer_pubkey->id , ipcq->credentials[0].ii_credential.ipsec_dns_signed.fqdn , sizeof(ipcq->credentials[0].ii_credential.ipsec_dns_signed.fqdn)); if (p1st->st_peer_pubkey->dns_sig != NULL) { strncat(ipcq->credentials[0].ii_credential.ipsec_dns_signed.dns_sig , p1st->st_peer_pubkey->dns_sig , sizeof(ipcq->credentials[0].ii_credential.ipsec_dns_signed.dns_sig) - strlen(ipcq->credentials[0].ii_credential.ipsec_dns_signed.dns_sig -1)); } break; case DAL_LOCAL: ipcq->credentials[0].ii_type = p1st->st_peer_pubkey->id.kind; ipcq->credentials[0].ii_format = CERT_RAW_RSA; idtoa(&p1st->st_peer_pubkey->id , ipcq->credentials[0].ii_credential.ipsec_raw_key.id_name , sizeof(ipcq->credentials[0].ii_credential.ipsec_raw_key.id_name)); break; } }
main(int argc, char *argv[]) { int len; char *infile; char *conn_name; int lineno=0; int regression = 0; struct connection *c1; struct state *st; EF_PROTECT_FREE=1; progname = argv[0]; leak_detective = 1; if(argc != 4 && argc != 5) { fprintf(stderr, "Usage: %s [-r] <whackrecord> <conn-name> <pcapfile>\n", progname); exit(10); } /* skip argv0 */ argc--; argv++; if(strcmp(argv[0], "-r")==0) { regression = 1; argc--; argv++; } tool_init_log(); load_oswcrypto(); init_fake_vendorid(); init_parker_interface(); infile = argv[0]; conn_name = argv[1]; cur_debugging = DBG_CONTROL|DBG_CONTROLMORE; if(readwhackmsg(infile) == 0) exit(10); /* input packets */ recv_pcap_setup(argv[2]); /* output packets */ send_packet_setup_pcap("OUTPUT/parentI2.pcap"); c1 = con_by_name(conn_name, TRUE); assert(c1 != NULL); assert(orient(c1, 500)); show_one_connection(c1); st = sendI1(c1, DBG_CONTROL, regression == 0); /* now accept the reply packet */ cur_debugging = DBG_CONTROL|DBG_PARSING; pcap_dispatch(pt, 1, recv_pcap_packet, NULL); st = state_with_serialno(1); if(st!=NULL) { delete_state(st); free_state(st); } report_leaks(); tool_close_log(); exit(0); }