diff options
author | René Mayrhofer <rene@mayrhofer.eu.org> | 2011-03-05 09:20:09 +0100 |
---|---|---|
committer | René Mayrhofer <rene@mayrhofer.eu.org> | 2011-03-05 09:20:09 +0100 |
commit | 568905f488e63e28778f87ac0e38d845f45bae79 (patch) | |
tree | d9969a147e36413583ff4bc75542d34c955f8823 /src/conftest/hooks | |
parent | f73fba54dc8b30c6482e1e8abf15bbf455592fcd (diff) | |
download | vyos-strongswan-568905f488e63e28778f87ac0e38d845f45bae79.tar.gz vyos-strongswan-568905f488e63e28778f87ac0e38d845f45bae79.zip |
Imported Upstream version 4.5.1
Diffstat (limited to 'src/conftest/hooks')
24 files changed, 3352 insertions, 0 deletions
diff --git a/src/conftest/hooks/add_notify.c b/src/conftest/hooks/add_notify.c new file mode 100644 index 000000000..de46ca81f --- /dev/null +++ b/src/conftest/hooks/add_notify.c @@ -0,0 +1,140 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "hook.h" + +typedef struct private_add_notify_t private_add_notify_t; + +/** + * Private data of an add_notify_t object. + */ +struct private_add_notify_t { + + /** + * Implements the hook_t interface. + */ + hook_t hook; + + /** + * Alter requests or responses? + */ + bool req; + + /** + * ID of message to alter. + */ + int id; + + /** + * Notify type + */ + char *type; + + /** + * Notify data + */ + char *data; + + /** + * SPI of notify + */ + int spi; + + /** + * TRUE for a ESP protocol notify, FALSE for IKE + */ + bool esp; +}; + +METHOD(listener_t, message, bool, + private_add_notify_t *this, ike_sa_t *ike_sa, message_t *message, + bool incoming) +{ + if (!incoming && + message->get_request(message) == this->req && + message->get_message_id(message) == this->id) + { + notify_type_t type; + notify_payload_t *notify; + chunk_t data = chunk_empty; + + type = atoi(this->type); + if (!type) + { + type = enum_from_name(notify_type_names, this->type); + if (type == -1) + { + DBG1(DBG_CFG, "unknown notify: '%s', skipped", this->type); + return TRUE; + } + } + if (strncaseeq(this->data, "0x", 2)) + { + data = chunk_skip(chunk_create(this->data, strlen(this->data)), 2); + data = chunk_from_hex(data, NULL); + } + else if (this->data && strlen(this->data)) + { + data = chunk_clone(chunk_create(this->data, strlen(this->data))); + } + notify = notify_payload_create_from_protocol_and_type( + this->esp ? PROTO_ESP : PROTO_IKE, type); + notify->set_spi(notify, this->spi); + if (data.len) + { + notify->set_notification_data(notify, data); + free(data.ptr); + } + message->add_payload(message, ¬ify->payload_interface); + } + return TRUE; +} + +METHOD(hook_t, destroy, void, + private_add_notify_t *this) +{ + free(this); +} + +/** + * Create the IKE_AUTH fill hook + */ +hook_t *add_notify_hook_create(char *name) +{ + private_add_notify_t *this; + + INIT(this, + .hook = { + .listener = { + .message = _message, + }, + .destroy = _destroy, + }, + .req = conftest->test->get_bool(conftest->test, + "hooks.%s.request", TRUE, name), + .id = conftest->test->get_int(conftest->test, + "hooks.%s.id", 0, name), + .type = conftest->test->get_str(conftest->test, + "hooks.%s.type", "", name), + .data = conftest->test->get_str(conftest->test, + "hooks.%s.data", "", name), + .spi = conftest->test->get_int(conftest->test, + "hooks.%s.spi", 0, name), + .esp = conftest->test->get_bool(conftest->test, + "hooks.%s.esp", FALSE, name), + ); + + return &this->hook; +} diff --git a/src/conftest/hooks/add_payload.c b/src/conftest/hooks/add_payload.c new file mode 100644 index 000000000..03a47cc23 --- /dev/null +++ b/src/conftest/hooks/add_payload.c @@ -0,0 +1,151 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "hook.h" + +#include <encoding/payloads/unknown_payload.h> + +typedef struct private_add_payload_t private_add_payload_t; + +/** + * Private data of an add_payload_t object. + */ +struct private_add_payload_t { + + /** + * Implements the hook_t interface. + */ + hook_t hook; + + /** + * Alter requests or responses? + */ + bool req; + + /** + * ID of message to alter. + */ + int id; + + /** + * Payload type + */ + char *type; + + /** + * Payload data + */ + char *data; + + /** + * Set critical bit of the payload + */ + bool critical; + + /** + * True to replace existing payload of this type + */ + bool replace; +}; + +METHOD(listener_t, message, bool, + private_add_payload_t *this, ike_sa_t *ike_sa, message_t *message, + bool incoming) +{ + if (!incoming && + message->get_request(message) == this->req && + message->get_message_id(message) == this->id) + { + unknown_payload_t *unknown; + payload_t *payload; + enumerator_t *enumerator; + chunk_t data = chunk_empty; + payload_type_t type; + + type = atoi(this->type); + if (!type) + { + type = enum_from_name(payload_type_short_names, this->type); + if (type == -1) + { + DBG1(DBG_CFG, "unknown payload: '%s', skipped", this->type); + return TRUE; + } + } + if (this->replace) + { + enumerator = message->create_payload_enumerator(message); + while (enumerator->enumerate(enumerator, &payload)) + { + if (payload->get_type(payload) == type) + { + message->remove_payload_at(message, enumerator); + payload->destroy(payload); + break; + } + } + enumerator->destroy(enumerator); + } + if (strncaseeq(this->data, "0x", 2)) + { + data = chunk_skip(chunk_create(this->data, strlen(this->data)), 2); + data = chunk_from_hex(data, NULL); + } + else if (this->data && strlen(this->data)) + { + data = chunk_clone(chunk_create(this->data, strlen(this->data))); + } + unknown = unknown_payload_create_data(type, this->critical, data); + message->add_payload(message, &unknown->payload_interface); + } + return TRUE; +} + +METHOD(hook_t, destroy, void, + private_add_payload_t *this) +{ + free(this); +} + +/** + * Create the IKE_AUTH fill hook + */ +hook_t *add_payload_hook_create(char *name) +{ + private_add_payload_t *this; + + INIT(this, + .hook = { + .listener = { + .message = _message, + }, + .destroy = _destroy, + }, + .req = conftest->test->get_bool(conftest->test, + "hooks.%s.request", TRUE, name), + .id = conftest->test->get_int(conftest->test, + "hooks.%s.id", 0, name), + .type = conftest->test->get_str(conftest->test, + "hooks.%s.type", "", name), + .data = conftest->test->get_str(conftest->test, + "hooks.%s.data", "", name), + .critical = conftest->test->get_bool(conftest->test, + "hooks.%s.critical", FALSE, name), + .replace = conftest->test->get_bool(conftest->test, + "hooks.%s.replace", FALSE, name), + ); + + return &this->hook; +} diff --git a/src/conftest/hooks/custom_proposal.c b/src/conftest/hooks/custom_proposal.c new file mode 100644 index 000000000..e4acd841f --- /dev/null +++ b/src/conftest/hooks/custom_proposal.c @@ -0,0 +1,188 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "hook.h" + +#include <errno.h> + +#include <encoding/payloads/sa_payload.h> +#include <config/proposal.h> +#include <crypto/proposal/proposal_keywords.h> + +typedef struct private_custom_proposal_t private_custom_proposal_t; + +/** + * Private data of an custom_proposal_t object. + */ +struct private_custom_proposal_t { + + /** + * Implements the hook_t interface. + */ + hook_t hook; + + /** + * Alter requests or responses? + */ + bool req; + + /** + * ID of message to alter. + */ + int id; + + /** + * hook name + */ + char *name; +}; + +/** + * Load custom proposal configuration to proposal list + */ +static linked_list_t* load_proposals(private_custom_proposal_t *this, + protocol_id_t proto, u_int64_t spi) +{ + enumerator_t *props, *algs; + char *number, *key, *value; + linked_list_t *list; + + list = linked_list_create(); + props = conftest->test->create_section_enumerator(conftest->test, + "hooks.%s", this->name); + while (props->enumerate(props, &number)) + { + const proposal_token_t *token = NULL; + proposal_t *proposal; + u_int16_t type, alg, keysize = 0; + char *end; + + proposal = proposal_create(proto, atoi(number)); + proposal->set_spi(proposal, spi); + + algs = conftest->test->create_key_value_enumerator(conftest->test, + "hooks.%s.%s", this->name, number); + while (algs->enumerate(algs, &key, &value)) + { + errno = 0; + type = strtoul(key, &end, 10); + if (end == key || errno) + { + type = enum_from_name(transform_type_names, key); + if (type == -1) + { + DBG1(DBG_CFG, "unknown transform: '%s', skipped", key); + continue; + } + } + errno = 0; + alg = strtoul(value, &end, 10); + if (end == value || errno) + { + token = proposal_get_token(value, strlen(value)); + if (!token) + { + DBG1(DBG_CFG, "unknown algorithm: '%s', skipped", value); + continue; + } + keysize = token->keysize; + alg = token->algorithm; + } + proposal->add_algorithm(proposal, type, alg, keysize); + } + algs->destroy(algs); + list->insert_last(list, proposal); + } + props->destroy(props); + return list; +} + +METHOD(listener_t, message, bool, + private_custom_proposal_t *this, ike_sa_t *ike_sa, message_t *message, + bool incoming) +{ + if (!incoming && + message->get_request(message) == this->req && + message->get_message_id(message) == this->id) + { + enumerator_t *enumerator; + payload_t *payload; + sa_payload_t *new, *old = NULL; + linked_list_t *new_props, *old_props; + proposal_t *proposal; + + enumerator = message->create_payload_enumerator(message); + while (enumerator->enumerate(enumerator, &payload)) + { + if (payload->get_type(payload) == SECURITY_ASSOCIATION) + { + old = (sa_payload_t*)payload; + message->remove_payload_at(message, enumerator); + } + } + enumerator->destroy(enumerator); + + if (old) + { + old_props = old->get_proposals(old); + old->destroy(old); + enumerator = old_props->create_enumerator(old_props); + if (enumerator->enumerate(enumerator, &proposal)) + { + new_props = load_proposals(this, + proposal->get_protocol(proposal), + proposal->get_spi(proposal)); + DBG1(DBG_CFG, "injecting custom proposal: %#P", new_props); + new = sa_payload_create_from_proposal_list(new_props); + message->add_payload(message, (payload_t*)new); + new_props->destroy_offset(new_props, offsetof(proposal_t, destroy)); + } + enumerator->destroy(enumerator); + old_props->destroy_offset(old_props, offsetof(proposal_t, destroy)); + } + } + return TRUE; +} + +METHOD(hook_t, destroy, void, + private_custom_proposal_t *this) +{ + free(this->name); + free(this); +} + +/** + * Create the IKE_AUTH fill hook + */ +hook_t *custom_proposal_hook_create(char *name) +{ + private_custom_proposal_t *this; + + INIT(this, + .hook = { + .listener = { + .message = _message, + }, + .destroy = _destroy, + }, + .req = conftest->test->get_bool(conftest->test, + "hooks.%s.request", TRUE, name), + .id = conftest->test->get_int(conftest->test, + "hooks.%s.id", 0, name), + .name = strdup(name), + ); + + return &this->hook; +} diff --git a/src/conftest/hooks/force_cookie.c b/src/conftest/hooks/force_cookie.c new file mode 100644 index 000000000..e34f82851 --- /dev/null +++ b/src/conftest/hooks/force_cookie.c @@ -0,0 +1,117 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "hook.h" + +#include <encoding/payloads/unknown_payload.h> + +typedef struct private_force_cookie_t private_force_cookie_t; + +/** + * Private data of an force_cookie_t object. + */ +struct private_force_cookie_t { + + /** + * Implements the hook_t interface. + */ + hook_t hook; +}; + +METHOD(listener_t, message, bool, + private_force_cookie_t *this, ike_sa_t *ike_sa, message_t *message, + bool incoming) +{ + if (incoming && message->get_request(message) && + message->get_exchange_type(message) == IKE_SA_INIT) + { + enumerator_t *enumerator; + bool has_cookie = FALSE; + payload_t *payload; + + enumerator = message->create_payload_enumerator(message); + while (enumerator->enumerate(enumerator, &payload)) + { + if (payload->get_type(payload) == NOTIFY) + { + notify_payload_t *notify = (notify_payload_t*)payload; + chunk_t data; + + if (notify->get_notify_type(notify) == COOKIE) + { + data = notify->get_notification_data(notify); + DBG1(DBG_CFG, "received COOKIE: %#B", &data); + has_cookie = TRUE; + break; + } + } + } + enumerator->destroy(enumerator); + if (!has_cookie) + { + message_t *response; + host_t *src, *dst; + packet_t *packet; + ike_sa_id_t *ike_sa_id; + chunk_t data = chunk_from_thing("COOKIE test data"); + + DBG1(DBG_CFG, "sending COOKIE: %#B", &data); + response = message_create(); + dst = message->get_source(message); + src = message->get_destination(message); + response->set_source(response, src->clone(src)); + response->set_destination(response, dst->clone(dst)); + response->set_exchange_type(response, IKE_SA_INIT); + response->set_request(response, FALSE); + response->set_message_id(response, 0); + ike_sa_id = message->get_ike_sa_id(message); + ike_sa_id->switch_initiator(ike_sa_id); + response->set_ike_sa_id(response, ike_sa_id); + response->add_notify(response, FALSE, COOKIE, data); + if (response->generate(response, NULL, &packet) == SUCCESS) + { + charon->sender->send(charon->sender, packet); + response->destroy(response); + } + message->set_exchange_type(message, EXCHANGE_TYPE_UNDEFINED); + } + } + return TRUE; +} + +METHOD(hook_t, destroy, void, + private_force_cookie_t *this) +{ + free(this); +} + +/** + * Create the IKE_AUTH fill hook + */ +hook_t *force_cookie_hook_create(char *name) +{ + private_force_cookie_t *this; + + INIT(this, + .hook = { + .listener = { + .message = _message, + }, + .destroy = _destroy, + }, + ); + + return &this->hook; +} diff --git a/src/conftest/hooks/hook.h b/src/conftest/hooks/hook.h new file mode 100644 index 000000000..39a15f21b --- /dev/null +++ b/src/conftest/hooks/hook.h @@ -0,0 +1,45 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup hook hook + * @{ @ingroup hooks + */ + +#ifndef HOOK_H_ +#define HOOK_H_ + +typedef struct hook_t hook_t; + +#include <daemon.h> +#include <conftest.h> + +/** + * Hook providing interface. + */ +struct hook_t { + + /** + * Implements listener_t. + */ + listener_t listener; + + /** + * Destroy a hook_t. + */ + void (*destroy)(hook_t *this); +}; + +#endif /** HOOK_H_ @}*/ diff --git a/src/conftest/hooks/ignore_message.c b/src/conftest/hooks/ignore_message.c new file mode 100644 index 000000000..210f3ac50 --- /dev/null +++ b/src/conftest/hooks/ignore_message.c @@ -0,0 +1,89 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "hook.h" + +typedef struct private_ignore_message_t private_ignore_message_t; + +/** + * Private data of an ignore_message_t object. + */ +struct private_ignore_message_t { + + /** + * Implements the hook_t interface. + */ + hook_t hook; + + /** + * Drop incoming or outgoing? + */ + bool in; + + /** + * Drop requests or responses? + */ + bool req; + + /** + * ID of message to drop. + */ + int id; +}; + +METHOD(listener_t, message, bool, + private_ignore_message_t *this, ike_sa_t *ike_sa, message_t *message, + bool incoming) +{ + if (incoming == this->in && + message->get_request(message) == this->req && + message->get_message_id(message) == this->id) + { + DBG1(DBG_CFG, "ignoring message"); + message->set_exchange_type(message, EXCHANGE_TYPE_UNDEFINED); + } + return TRUE; +} + +METHOD(hook_t, destroy, void, + private_ignore_message_t *this) +{ + free(this); +} + +/** + * Create the ignore_message hook + */ +hook_t *ignore_message_hook_create(char *name) +{ + private_ignore_message_t *this; + + INIT(this, + .hook = { + .listener = { + .message = _message, + }, + .destroy = _destroy, + }, + .in = conftest->test->get_bool(conftest->test, + "hooks.%s.inbound", TRUE, name), + .req = conftest->test->get_bool(conftest->test, + "hooks.%s.request", TRUE, name), + .id = conftest->test->get_int(conftest->test, + "hooks.%s.id", 0, name), + ); + + return &this->hook; +} diff --git a/src/conftest/hooks/ike_auth_fill.c b/src/conftest/hooks/ike_auth_fill.c new file mode 100644 index 000000000..2843d60c1 --- /dev/null +++ b/src/conftest/hooks/ike_auth_fill.c @@ -0,0 +1,145 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "hook.h" + +#include <time.h> +#include <netinet/udp.h> + +#include <encoding/payloads/cert_payload.h> +#include <encoding/payloads/encryption_payload.h> + +typedef struct private_ike_auth_fill_t private_ike_auth_fill_t; + +/** + * Private data of an ike_auth_fill_t object. + */ +struct private_ike_auth_fill_t { + + /** + * Implements the hook_t interface. + */ + hook_t hook; + + /** + * Alter requests or responses? + */ + bool req; + + /** + * ID of message to alter. + */ + int id; + + /** + * Number of bytes to fill IKE_AUTH up + */ + int bytes; +}; + +/** size of non ESP-Marker */ +#define NON_ESP_MARKER_LEN 4 + +/** + * Calculate packet size on wire (without ethernet/IP header) + */ +static size_t calculate_wire_size(message_t *message, ike_sa_t *ike_sa) +{ + enumerator_t *enumerator; + payload_t *payload; + size_t size = 0; + + enumerator = message->create_payload_enumerator(message); + while (enumerator->enumerate(enumerator, &payload)) + { + size += payload->get_length(payload); + } + enumerator->destroy(enumerator); + + if (message->get_exchange_type(message) != IKE_SA_INIT) + { + keymat_t *keymat; + aead_t *aead; + size_t bs; + + keymat = ike_sa->get_keymat(ike_sa); + aead = keymat->get_aead(keymat, FALSE); + if (aead) + { + bs = aead->get_block_size(aead); + size += ENCRYPTION_PAYLOAD_HEADER_LENGTH + NON_ESP_MARKER_LEN + + aead->get_icv_size(aead) + aead->get_iv_size(aead) + + (bs - (size % bs)); + } + } + return sizeof(struct udphdr) + IKE_HEADER_LENGTH + size; +} + +METHOD(listener_t, message, bool, + private_ike_auth_fill_t *this, ike_sa_t *ike_sa, message_t *message, + bool incoming) +{ + if (!incoming && + message->get_request(message) == this->req && + message->get_message_id(message) == this->id) + { + cert_payload_t *pld; + size_t size, diff; + chunk_t data; + + size = calculate_wire_size(message, ike_sa); + if (size < this->bytes - CERT_PAYLOAD_HEADER_LENGTH) + { + diff = this->bytes - size - CERT_PAYLOAD_HEADER_LENGTH; + data = chunk_alloc(diff); + memset(data.ptr, 0x12, data.len); + pld = cert_payload_create_custom(201, data); + message->add_payload(message, &pld->payload_interface); + DBG1(DBG_CFG, "inserting %d dummy bytes certificate payload", diff); + } + } + return TRUE; +} + +METHOD(hook_t, destroy, void, + private_ike_auth_fill_t *this) +{ + free(this); +} + +/** + * Create the IKE_AUTH fill hook + */ +hook_t *ike_auth_fill_hook_create(char *name) +{ + private_ike_auth_fill_t *this; + + INIT(this, + .hook = { + .listener = { + .message = _message, + }, + .destroy = _destroy, + }, + .req = conftest->test->get_bool(conftest->test, + "hooks.%s.request", TRUE, name), + .id = conftest->test->get_int(conftest->test, + "hooks.%s.id", 1, name), + .bytes = conftest->test->get_int(conftest->test, + "hooks.%s.bytes", 0, name), + ); + + return &this->hook; +} diff --git a/src/conftest/hooks/log_id.c b/src/conftest/hooks/log_id.c new file mode 100644 index 000000000..ad14cea10 --- /dev/null +++ b/src/conftest/hooks/log_id.c @@ -0,0 +1,89 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "hook.h" + +#include <encoding/payloads/id_payload.h> + +typedef struct private_log_id_t private_log_id_t; + +/** + * Private data of an log_id_t object. + */ +struct private_log_id_t { + + /** + * Implements the hook_t interface. + */ + hook_t hook; +}; + +METHOD(listener_t, message, bool, + private_log_id_t *this, ike_sa_t *ike_sa, message_t *message, + bool incoming) +{ + if (incoming) + { + enumerator_t *enumerator; + payload_t *payload; + id_payload_t *id_payload; + identification_t *id; + chunk_t data; + + enumerator = message->create_payload_enumerator(message); + while (enumerator->enumerate(enumerator, &payload)) + { + if (payload->get_type(payload) == ID_INITIATOR || + payload->get_type(payload) == ID_RESPONDER) + { + id_payload = (id_payload_t*)payload; + id = id_payload->get_identification(id_payload); + data = id->get_encoding(id); + + DBG1(DBG_CFG, "%N: %N %B", + payload_type_short_names, payload->get_type(payload), + id_type_names, id->get_type(id), &data); + id->destroy(id); + } + } + enumerator->destroy(enumerator); + } + return TRUE; +} + +METHOD(hook_t, destroy, void, + private_log_id_t *this) +{ + free(this); +} + +/** + * Create the IKE_AUTH fill hook + */ +hook_t *log_id_hook_create(char *name) +{ + private_log_id_t *this; + + INIT(this, + .hook = { + .listener = { + .message = _message, + }, + .destroy = _destroy, + }, + ); + + return &this->hook; +} diff --git a/src/conftest/hooks/log_ke.c b/src/conftest/hooks/log_ke.c new file mode 100644 index 000000000..231c0a8d8 --- /dev/null +++ b/src/conftest/hooks/log_ke.c @@ -0,0 +1,81 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "hook.h" + +#include <encoding/payloads/ke_payload.h> + +typedef struct private_log_ke_t private_log_ke_t; + +/** + * Private data of an log_ke_t object. + */ +struct private_log_ke_t { + + /** + * Implements the hook_t interface. + */ + hook_t hook; +}; + +METHOD(listener_t, message, bool, + private_log_ke_t *this, ike_sa_t *ike_sa, message_t *message, + bool incoming) +{ + if (incoming) + { + enumerator_t *enumerator; + payload_t *payload; + ke_payload_t *ke; + + enumerator = message->create_payload_enumerator(message); + while (enumerator->enumerate(enumerator, &payload)) + { + if (payload->get_type(payload) == KEY_EXCHANGE) + { + ke = (ke_payload_t*)payload; + DBG1(DBG_CFG, "received DH group %N", + diffie_hellman_group_names, ke->get_dh_group_number(ke)); + } + } + enumerator->destroy(enumerator); + } + return TRUE; +} + +METHOD(hook_t, destroy, void, + private_log_ke_t *this) +{ + free(this); +} + +/** + * Create the IKE_AUTH fill hook + */ +hook_t *log_ke_hook_create(char *name) +{ + private_log_ke_t *this; + + INIT(this, + .hook = { + .listener = { + .message = _message, + }, + .destroy = _destroy, + }, + ); + + return &this->hook; +} diff --git a/src/conftest/hooks/log_proposals.c b/src/conftest/hooks/log_proposals.c new file mode 100644 index 000000000..8c330ab3d --- /dev/null +++ b/src/conftest/hooks/log_proposals.c @@ -0,0 +1,98 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "hook.h" + +#include <encoding/payloads/sa_payload.h> + +typedef struct private_log_proposals_t private_log_proposals_t; + +/** + * Private data of an log_proposals_t object. + */ +struct private_log_proposals_t { + + /** + * Implements the hook_t interface. + */ + hook_t hook; +}; + +METHOD(listener_t, message, bool, + private_log_proposals_t *this, ike_sa_t *ike_sa, message_t *message, + bool incoming) +{ + if (incoming) + { + enumerator_t *enumerator, *proposals; + payload_t *payload; + linked_list_t *list; + sa_payload_t *sa; + proposal_t *proposal; + + enumerator = message->create_payload_enumerator(message); + while (enumerator->enumerate(enumerator, &payload)) + { + if (payload->get_type(payload) == SECURITY_ASSOCIATION) + { + sa = (sa_payload_t*)payload; + list = sa->get_proposals(sa); + DBG1(DBG_CFG, "received %d proposal%s:", list->get_count(list), + list->get_count(list) == 1 ? "" : "s"); + proposals = list->create_enumerator(list); + while (proposals->enumerate(proposals, &proposal)) + { + u_int64_t spi = proposal->get_spi(proposal); + + if (proposal->get_protocol(proposal) != PROTO_IKE) + { + spi = htonl(spi); + } + DBG1(DBG_CFG, " %d (SPI 0x%llx): %P", + proposal->get_number(proposal), spi, proposal); + } + proposals->destroy(proposals); + list->destroy_offset(list, offsetof(proposal_t, destroy)); + } + } + enumerator->destroy(enumerator); + } + return TRUE; +} + +METHOD(hook_t, destroy, void, + private_log_proposals_t *this) +{ + free(this); +} + +/** + * Create the IKE_AUTH fill hook + */ +hook_t *log_proposals_hook_create(char *name) +{ + private_log_proposals_t *this; + + INIT(this, + .hook = { + .listener = { + .message = _message, + }, + .destroy = _destroy, + }, + ); + + return &this->hook; +} diff --git a/src/conftest/hooks/log_ts.c b/src/conftest/hooks/log_ts.c new file mode 100644 index 000000000..dacc7a58c --- /dev/null +++ b/src/conftest/hooks/log_ts.c @@ -0,0 +1,86 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "hook.h" + +#include <encoding/payloads/ts_payload.h> + +typedef struct private_log_ts_t private_log_ts_t; + +/** + * Private data of an log_ts_t object. + */ +struct private_log_ts_t { + + /** + * Implements the hook_t interface. + */ + hook_t hook; +}; + +METHOD(listener_t, message, bool, + private_log_ts_t *this, ike_sa_t *ike_sa, message_t *message, + bool incoming) +{ + if (incoming) + { + enumerator_t *enumerator; + payload_t *payload; + linked_list_t *list; + ts_payload_t *ts; + + enumerator = message->create_payload_enumerator(message); + while (enumerator->enumerate(enumerator, &payload)) + { + if (payload->get_type(payload) == TRAFFIC_SELECTOR_INITIATOR || + payload->get_type(payload) == TRAFFIC_SELECTOR_RESPONDER) + { + ts = (ts_payload_t*)payload; + list = ts->get_traffic_selectors(ts); + + DBG1(DBG_CFG, "received %N: %#R", + payload_type_short_names, payload->get_type(payload), list); + list->destroy_offset(list, offsetof(traffic_selector_t, destroy)); + } + } + enumerator->destroy(enumerator); + } + return TRUE; +} + +METHOD(hook_t, destroy, void, + private_log_ts_t *this) +{ + free(this); +} + +/** + * Create the IKE_AUTH fill hook + */ +hook_t *log_ts_hook_create(char *name) +{ + private_log_ts_t *this; + + INIT(this, + .hook = { + .listener = { + .message = _message, + }, + .destroy = _destroy, + }, + ); + + return &this->hook; +} diff --git a/src/conftest/hooks/pretend_auth.c b/src/conftest/hooks/pretend_auth.c new file mode 100644 index 000000000..4b7168cac --- /dev/null +++ b/src/conftest/hooks/pretend_auth.c @@ -0,0 +1,386 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "hook.h" + +#include <encoding/payloads/nonce_payload.h> +#include <encoding/payloads/cert_payload.h> +#include <encoding/payloads/auth_payload.h> +#include <encoding/payloads/id_payload.h> +#include <encoding/payloads/sa_payload.h> +#include <encoding/payloads/ts_payload.h> + +typedef struct private_pretend_auth_t private_pretend_auth_t; + +/** + * Private data of an pretend_auth_t object. + */ +struct private_pretend_auth_t { + + /** + * Implements the hook_t interface. + */ + hook_t hook; + + /** + * remote peer identity + */ + identification_t *id; + + /** + * reserved bytes of ID payload + */ + char reserved[3]; + + /** + * IKE_SA_INIT data for signature + */ + chunk_t ike_init; + + /** + * Nonce for signature + */ + chunk_t nonce; + + /** + * Selected CHILD_SA proposal + */ + proposal_t *proposal; + + /** + * List of initiators Traffic Selectors + */ + linked_list_t *tsi; + + /** + * List of responders Traffic Selectors + */ + linked_list_t *tsr; +}; + +/** + * Process IKE_SA_INIT request message, outgoing + */ +static void process_init_request(private_pretend_auth_t *this, + ike_sa_t *ike_sa, message_t *message) +{ + nonce_payload_t *nonce; + + nonce = (nonce_payload_t*)message->get_payload(message, NONCE); + if (nonce) + { + free(this->nonce.ptr); + this->nonce = nonce->get_nonce(nonce); + } +} + +/** + * Process IKE_AUTH request message, outgoing + */ +static void process_auth_request(private_pretend_auth_t *this, + ike_sa_t *ike_sa, message_t *message) +{ + id_payload_t *id; + sa_payload_t *sa; + ts_payload_t *tsi, *tsr; + linked_list_t *proposals; + + id = (id_payload_t*)message->get_payload(message, ID_RESPONDER); + if (id) + { + this->id->destroy(this->id); + this->id = id->get_identification(id); + } + sa = (sa_payload_t*)message->get_payload(message, SECURITY_ASSOCIATION); + if (sa) + { + proposals = sa->get_proposals(sa); + proposals->remove_first(proposals, (void**)&this->proposal); + if (this->proposal) + { + this->proposal->set_spi(this->proposal, htonl(0x12345678)); + } + proposals->destroy_offset(proposals, offsetof(proposal_t, destroy)); + } + tsi = (ts_payload_t*)message->get_payload(message, + TRAFFIC_SELECTOR_INITIATOR); + if (tsi) + { + this->tsi = tsi->get_traffic_selectors(tsi); + } + tsr = (ts_payload_t*)message->get_payload(message, + TRAFFIC_SELECTOR_RESPONDER); + if (tsr) + { + this->tsr = tsr->get_traffic_selectors(tsr); + } + +} + +/** + * Process IKE_SA_INIT response message, incoming + */ +static void process_init_response(private_pretend_auth_t *this, + ike_sa_t *ike_sa, message_t *message) +{ + this->ike_init = message->get_packet_data(message); +} + +/** + * Build CERT payloads + */ +static void build_certs(private_pretend_auth_t *this, + ike_sa_t *ike_sa, message_t *message, auth_cfg_t *auth) +{ + enumerator_t *enumerator; + cert_payload_t *payload; + certificate_t *cert; + auth_rule_t type; + + /* get subject cert first, then issuing certificates */ + cert = auth->get(auth, AUTH_RULE_SUBJECT_CERT); + if (cert) + { + payload = cert_payload_create_from_cert(cert); + if (payload) + { + DBG1(DBG_IKE, "pretending end entity cert \"%Y\"", + cert->get_subject(cert)); + message->add_payload(message, (payload_t*)payload); + } + } + enumerator = auth->create_enumerator(auth); + while (enumerator->enumerate(enumerator, &type, &cert)) + { + if (type == AUTH_RULE_IM_CERT) + { + payload = cert_payload_create_from_cert(cert); + if (payload) + { + DBG1(DBG_IKE, "pretending issuer cert \"%Y\"", + cert->get_subject(cert)); + message->add_payload(message, (payload_t*)payload); + } + } + } + enumerator->destroy(enumerator); +} + +/** + * Build faked AUTH payload + */ +static bool build_auth(private_pretend_auth_t *this, + ike_sa_t *ike_sa, message_t *message) +{ + chunk_t octets, auth_data; + private_key_t *private; + auth_cfg_t *auth; + auth_payload_t *auth_payload; + auth_method_t auth_method; + signature_scheme_t scheme; + keymat_t *keymat; + + auth = auth_cfg_create(); + private = lib->credmgr->get_private(lib->credmgr, KEY_ANY, this->id, auth); + build_certs(this, ike_sa, message, auth); + auth->destroy(auth); + if (private == NULL) + { + DBG1(DBG_CFG, "no private key found for '%Y' to pretend AUTH", this->id); + return FALSE; + } + + switch (private->get_type(private)) + { + case KEY_RSA: + scheme = SIGN_RSA_EMSA_PKCS1_SHA1; + auth_method = AUTH_RSA; + break; + case KEY_ECDSA: + /* we try to deduct the signature scheme from the keysize */ + switch (private->get_keysize(private)) + { + case 256: + scheme = SIGN_ECDSA_256; + auth_method = AUTH_ECDSA_256; + break; + case 384: + scheme = SIGN_ECDSA_384; + auth_method = AUTH_ECDSA_384; + break; + case 521: + scheme = SIGN_ECDSA_521; + auth_method = AUTH_ECDSA_521; + break; + default: + DBG1(DBG_CFG, "%d bit ECDSA private key size not supported", + private->get_keysize(private)); + return FALSE; + } + break; + default: + DBG1(DBG_CFG, "private key of type %N not supported", + key_type_names, private->get_type(private)); + return FALSE; + } + keymat = ike_sa->get_keymat(ike_sa); + octets = keymat->get_auth_octets(keymat, TRUE, this->ike_init, + this->nonce, this->id, this->reserved); + if (!private->sign(private, scheme, octets, &auth_data)) + { + chunk_free(&octets); + private->destroy(private); + return FALSE; + } + auth_payload = auth_payload_create(); + auth_payload->set_auth_method(auth_payload, auth_method); + auth_payload->set_data(auth_payload, auth_data); + chunk_free(&auth_data); + chunk_free(&octets); + private->destroy(private); + message->add_payload(message, (payload_t*)auth_payload); + DBG1(DBG_CFG, "pretending AUTH payload for '%Y' with %N", + this->id, auth_method_names, auth_method); + return TRUE; +} + +/** + * Process IKE_AUTH response message, incoming + */ +static void process_auth_response(private_pretend_auth_t *this, + ike_sa_t *ike_sa, message_t *message) +{ + enumerator_t *enumerator; + payload_t *payload; + + /* check for, and remove AUTHENTICATION_FAILED notify */ + enumerator = message->create_payload_enumerator(message); + while (enumerator->enumerate(enumerator, &payload)) + { + notify_payload_t *notify = (notify_payload_t*)payload; + + if (payload->get_type(payload) != NOTIFY || + notify->get_notify_type(notify) != AUTHENTICATION_FAILED) + { + DBG1(DBG_CFG, "no %N notify found, disabling AUTH pretending", + notify_type_names, AUTHENTICATION_FAILED); + enumerator->destroy(enumerator); + return; + } + message->remove_payload_at(message, enumerator); + payload->destroy(payload); + } + enumerator->destroy(enumerator); + + if (!build_auth(this, ike_sa, message)) + { + message->add_notify(message, TRUE, AUTHENTICATION_FAILED, chunk_empty); + return; + } + message->add_payload(message, (payload_t*) + id_payload_create_from_identification(ID_RESPONDER, this->id)); + if (this->proposal) + { + message->add_payload(message, (payload_t*) + sa_payload_create_from_proposal(this->proposal)); + } + if (this->tsi) + { + message->add_payload(message, (payload_t*) + ts_payload_create_from_traffic_selectors(TRUE, this->tsi)); + } + if (this->tsr) + { + message->add_payload(message, (payload_t*) + ts_payload_create_from_traffic_selectors(FALSE, this->tsr)); + } +} + +METHOD(listener_t, message, bool, + private_pretend_auth_t *this, ike_sa_t *ike_sa, message_t *message, + bool incoming) +{ + if (incoming) + { + if (!message->get_request(message)) + { + if (message->get_exchange_type(message) == IKE_SA_INIT) + { + process_init_response(this, ike_sa, message); + } + if (message->get_exchange_type(message) == IKE_AUTH && + message->get_message_id(message) == 1) + { + process_auth_response(this, ike_sa, message); + } + } + } + else + { + if (message->get_request(message)) + { + if (message->get_exchange_type(message) == IKE_SA_INIT) + { + process_init_request(this, ike_sa, message); + } + if (message->get_exchange_type(message) == IKE_AUTH && + message->get_message_id(message) == 1) + { + process_auth_request(this, ike_sa, message); + } + } + } + return TRUE; +} + +METHOD(hook_t, destroy, void, + private_pretend_auth_t *this) +{ + if (this->tsi) + { + this->tsi->destroy_offset(this->tsi, offsetof(traffic_selector_t, destroy)); + } + if (this->tsr) + { + this->tsr->destroy_offset(this->tsr, offsetof(traffic_selector_t, destroy)); + } + DESTROY_IF(this->proposal); + this->id->destroy(this->id); + free(this->ike_init.ptr); + free(this->nonce.ptr); + free(this); +} + +/** + * Create the IKE_AUTH fill hook + */ +hook_t *pretend_auth_hook_create(char *name) +{ + private_pretend_auth_t *this; + + INIT(this, + .hook = { + .listener = { + .message = _message, + }, + .destroy = _destroy, + }, + .id = identification_create_from_string( + conftest->test->get_str(conftest->test, + "hooks.%s.peer", "%any", name)), + ); + + return &this->hook; +} diff --git a/src/conftest/hooks/rebuild_auth.c b/src/conftest/hooks/rebuild_auth.c new file mode 100644 index 000000000..993c952e0 --- /dev/null +++ b/src/conftest/hooks/rebuild_auth.c @@ -0,0 +1,243 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "hook.h" + +#include <encoding/generator.h> +#include <encoding/payloads/nonce_payload.h> +#include <encoding/payloads/auth_payload.h> +#include <encoding/payloads/id_payload.h> + +typedef struct private_rebuild_auth_t private_rebuild_auth_t; + +/** + * Private data of an rebuild_auth_t object. + */ +struct private_rebuild_auth_t { + + /** + * Implements the hook_t interface. + */ + hook_t hook; + + /** + * Our IKE_SA_INIT data, required to rebuild AUTH + */ + chunk_t ike_init; + + /** + * Received NONCE, required to rebuild AUTH + */ + chunk_t nonce; + + /** + * ID to use for key lookup, if not from IDi + */ + identification_t *id; +}; + +/** + * Rebuild our AUTH data + */ +static bool rebuild_auth(private_rebuild_auth_t *this, ike_sa_t *ike_sa, + message_t *message) +{ + enumerator_t *enumerator; + chunk_t octets, auth_data; + private_key_t *private; + auth_cfg_t *auth; + payload_t *payload; + auth_payload_t *auth_payload; + auth_method_t auth_method; + signature_scheme_t scheme; + keymat_t *keymat; + identification_t *id; + char reserved[3]; + generator_t *generator; + chunk_t data; + u_int32_t *lenpos; + + payload = message->get_payload(message, + message->get_request(message) ? ID_INITIATOR : ID_RESPONDER); + if (!payload) + { + DBG1(DBG_CFG, "ID payload not found to rebuild AUTH"); + return FALSE; + } + + generator = generator_create(); + generator->generate_payload(generator, payload); + data = generator->get_chunk(generator, &lenpos); + if (data.len < 8) + { + DBG1(DBG_CFG, "ID payload invalid to rebuild AUTH"); + generator->destroy(generator); + return FALSE; + } + memcpy(reserved, data.ptr + 5, 3); + id = identification_create_from_encoding(data.ptr[4], chunk_skip(data, 8)); + generator->destroy(generator); + + auth = auth_cfg_create(); + private = lib->credmgr->get_private(lib->credmgr, KEY_ANY, + this->id ?: id, auth); + auth->destroy(auth); + if (private == NULL) + { + DBG1(DBG_CFG, "no private key found for '%Y' to rebuild AUTH", + this->id ?: id); + id->destroy(id); + return FALSE; + } + + switch (private->get_type(private)) + { + case KEY_RSA: + scheme = SIGN_RSA_EMSA_PKCS1_SHA1; + auth_method = AUTH_RSA; + break; + case KEY_ECDSA: + /* we try to deduct the signature scheme from the keysize */ + switch (private->get_keysize(private)) + { + case 256: + scheme = SIGN_ECDSA_256; + auth_method = AUTH_ECDSA_256; + break; + case 384: + scheme = SIGN_ECDSA_384; + auth_method = AUTH_ECDSA_384; + break; + case 521: + scheme = SIGN_ECDSA_521; + auth_method = AUTH_ECDSA_521; + break; + default: + DBG1(DBG_CFG, "%d bit ECDSA private key size not supported", + private->get_keysize(private)); + id->destroy(id); + return FALSE; + } + break; + default: + DBG1(DBG_CFG, "private key of type %N not supported", + key_type_names, private->get_type(private)); + id->destroy(id); + return FALSE; + } + keymat = ike_sa->get_keymat(ike_sa); + octets = keymat->get_auth_octets(keymat, FALSE, this->ike_init, + this->nonce, id, reserved); + if (!private->sign(private, scheme, octets, &auth_data)) + { + chunk_free(&octets); + private->destroy(private); + id->destroy(id); + return FALSE; + } + auth_payload = auth_payload_create(); + auth_payload->set_auth_method(auth_payload, auth_method); + auth_payload->set_data(auth_payload, auth_data); + chunk_free(&auth_data); + chunk_free(&octets); + private->destroy(private); + + enumerator = message->create_payload_enumerator(message); + while (enumerator->enumerate(enumerator, &payload)) + { + if (payload->get_type(payload) == AUTHENTICATION) + { + message->remove_payload_at(message, enumerator); + payload->destroy(payload); + } + } + enumerator->destroy(enumerator); + + message->add_payload(message, (payload_t*)auth_payload); + DBG1(DBG_CFG, "rebuilding AUTH payload for '%Y' with %N", + id, auth_method_names, auth_method); + id->destroy(id); + return TRUE; +} + +METHOD(listener_t, message, bool, + private_rebuild_auth_t *this, ike_sa_t *ike_sa, message_t *message, + bool incoming) +{ + if (!incoming && message->get_message_id(message) == 1) + { + rebuild_auth(this, ike_sa, message); + } + if (message->get_exchange_type(message) == IKE_SA_INIT) + { + if (incoming) + { + nonce_payload_t *nonce; + + nonce = (nonce_payload_t*)message->get_payload(message, NONCE); + if (nonce) + { + free(this->nonce.ptr); + this->nonce = nonce->get_nonce(nonce); + } + } + else + { + packet_t *packet; + + if (message->generate(message, NULL, &packet) == SUCCESS) + { + free(this->ike_init.ptr); + this->ike_init = chunk_clone(packet->get_data(packet)); + packet->destroy(packet); + } + } + } + return TRUE; +} + +METHOD(hook_t, destroy, void, + private_rebuild_auth_t *this) +{ + free(this->ike_init.ptr); + free(this->nonce.ptr); + DESTROY_IF(this->id); + free(this); +} + +/** + * Create the IKE_AUTH fill hook + */ +hook_t *rebuild_auth_hook_create(char *name) +{ + private_rebuild_auth_t *this; + char *id; + + INIT(this, + .hook = { + .listener = { + .message = _message, + }, + .destroy = _destroy, + }, + ); + id = conftest->test->get_str(conftest->test, "hooks.%s.key", NULL, name); + if (id) + { + this->id = identification_create_from_string(id); + } + + return &this->hook; +} diff --git a/src/conftest/hooks/reset_seq.c b/src/conftest/hooks/reset_seq.c new file mode 100644 index 000000000..ccf8e997d --- /dev/null +++ b/src/conftest/hooks/reset_seq.c @@ -0,0 +1,158 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "hook.h" + +#include <linux/xfrm.h> +#include <unistd.h> +#include <errno.h> + +#include <processing/jobs/callback_job.h> +#include <plugins/kernel_netlink/kernel_netlink_shared.h> + +#define XFRM_RTA(nlh, x) ((struct rtattr*)(NLMSG_DATA(nlh) + NLMSG_ALIGN(sizeof(x)))) + +typedef struct private_reset_seq_t private_reset_seq_t; + +/** + * Private data of an reset_seq_t object. + */ +struct private_reset_seq_t { + + /** + * Implements the hook_t interface. + */ + hook_t hook; + + /** + * Delay for reset + */ + int delay; +}; + +/** + * Callback job + */ +static job_requeue_t reset_cb(struct xfrm_usersa_id *data) +{ + netlink_buf_t request; + struct nlmsghdr *hdr; + struct xfrm_aevent_id *id; + struct rtattr *rthdr; + struct xfrm_replay_state *replay; + struct sockaddr_nl addr; + int s, len; + + DBG1(DBG_CFG, "resetting sequence number of SPI 0x%x", htonl(data->spi)); + + memset(&request, 0, sizeof(request)); + + hdr = (struct nlmsghdr*)request; + hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK | NLM_F_REPLACE; + hdr->nlmsg_seq = 201; + hdr->nlmsg_pid = getpid(); + hdr->nlmsg_type = XFRM_MSG_NEWAE; + hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_aevent_id)); + + id = (struct xfrm_aevent_id*)NLMSG_DATA(hdr); + id->sa_id = *data; + + rthdr = XFRM_RTA(hdr, struct xfrm_aevent_id); + rthdr->rta_type = XFRMA_REPLAY_VAL; + rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_replay_state)); + hdr->nlmsg_len += rthdr->rta_len; + + replay = (struct xfrm_replay_state*)RTA_DATA(rthdr); + + s = socket(AF_NETLINK, SOCK_RAW, NETLINK_XFRM); + if (s == -1) + { + DBG1(DBG_CFG, "opening XFRM socket failed: %s", strerror(errno)); + return JOB_REQUEUE_NONE; + } + memset(&addr, 0, sizeof(addr)); + addr.nl_family = AF_NETLINK; + len = sendto(s, hdr, hdr->nlmsg_len, 0, + (struct sockaddr*)&addr, sizeof(addr)); + if (len != hdr->nlmsg_len) + { + DBG1(DBG_CFG, "sending XFRM aevent failed: %s", strerror(errno)); + } + close(s); + return JOB_REQUEUE_NONE; +} + +/** + * Schedule sequence number reset job + */ +static void schedule_reset_job(private_reset_seq_t *this, host_t *dst, + u_int32_t spi) +{ + struct xfrm_usersa_id *data; + chunk_t chunk; + + INIT(data, + .spi = spi, + .family = dst->get_family(dst), + .proto = IPPROTO_ESP, + ); + + chunk = dst->get_address(dst); + memcpy(&data->daddr, chunk.ptr, min(chunk.len, sizeof(xfrm_address_t))); + + lib->scheduler->schedule_job(lib->scheduler, + (job_t*)callback_job_create( + (void*)reset_cb, data, (void*)free, NULL), + this->delay); +} + +METHOD(listener_t, child_updown, bool, + private_reset_seq_t *this, ike_sa_t *ike_sa, child_sa_t *child_sa, + bool up) +{ + if (up) + { + schedule_reset_job(this, ike_sa->get_other_host(ike_sa), + child_sa->get_spi(child_sa, FALSE)); + } + return TRUE; +} + +METHOD(hook_t, destroy, void, + private_reset_seq_t *this) +{ + free(this); +} + +/** + * Create the IKE_AUTH fill hook + */ +hook_t *reset_seq_hook_create(char *name) +{ + private_reset_seq_t *this; + + INIT(this, + .hook = { + .listener = { + .child_updown = _child_updown, + }, + .destroy = _destroy, + }, + .delay = conftest->test->get_int(conftest->test, + "hooks.%s.delay", 10, name), + ); + + return &this->hook; +} diff --git a/src/conftest/hooks/set_critical.c b/src/conftest/hooks/set_critical.c new file mode 100644 index 000000000..caf2215c3 --- /dev/null +++ b/src/conftest/hooks/set_critical.c @@ -0,0 +1,123 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "hook.h" + +#include <encoding/payloads/unknown_payload.h> + +typedef struct private_set_critical_t private_set_critical_t; + +/** + * Private data of an set_critical_t object. + */ +struct private_set_critical_t { + + /** + * Implements the hook_t interface. + */ + hook_t hook; + + /** + * Alter requests or responses? + */ + bool req; + + /** + * ID of message to alter. + */ + int id; + + /** + * Payload types, space separated + */ + char *payloads; +}; + +METHOD(listener_t, message, bool, + private_set_critical_t *this, ike_sa_t *ike_sa, message_t *message, + bool incoming) +{ + if (!incoming && + message->get_request(message) == this->req && + message->get_message_id(message) == this->id) + { + enumerator_t *msg, *types; + payload_t *payload; + payload_type_t type; + bool *critical; + char *name; + + types = enumerator_create_token(this->payloads, " ", ""); + while (types->enumerate(types, &name)) + { + type = atoi(name); + if (!type) + { + type = enum_from_name(payload_type_short_names, name); + if (type == -1) + { + DBG1(DBG_CFG, "invalid payload name '%s'", name); + break; + } + } + msg = message->create_payload_enumerator(message); + while (msg->enumerate(msg, &payload)) + { + if (type == payload->get_type(payload)) + { + critical = payload_get_field(payload, FLAG, 0); + if (critical) + { + *critical = TRUE; + } + } + } + msg->destroy(msg); + } + types->destroy(types); + } + return TRUE; +} + +METHOD(hook_t, destroy, void, + private_set_critical_t *this) +{ + free(this); +} + +/** + * Create the IKE_AUTH fill hook + */ +hook_t *set_critical_hook_create(char *name) +{ + private_set_critical_t *this; + + INIT(this, + .hook = { + .listener = { + .message = _message, + }, + .destroy = _destroy, + }, + .req = conftest->test->get_bool(conftest->test, + "hooks.%s.request", TRUE, name), + .id = conftest->test->get_int(conftest->test, + "hooks.%s.id", 0, name), + .payloads = conftest->test->get_str(conftest->test, + "hooks.%s.payloads", "", name), + ); + + return &this->hook; +} diff --git a/src/conftest/hooks/set_ike_initiator.c b/src/conftest/hooks/set_ike_initiator.c new file mode 100644 index 000000000..6ba43eaca --- /dev/null +++ b/src/conftest/hooks/set_ike_initiator.c @@ -0,0 +1,87 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "hook.h" + +#include <encoding/payloads/unknown_payload.h> + +typedef struct private_set_ike_initiator_t private_set_ike_initiator_t; + +/** + * Private data of an set_ike_initiator_t object. + */ +struct private_set_ike_initiator_t { + + /** + * Implements the hook_t interface. + */ + hook_t hook; + + /** + * Alter requests or responses? + */ + bool req; + + /** + * ID of message to alter. + */ + int id; +}; + +METHOD(listener_t, message, bool, + private_set_ike_initiator_t *this, ike_sa_t *ike_sa, message_t *message, + bool incoming) +{ + if (!incoming && + message->get_request(message) == this->req && + message->get_message_id(message) == this->id) + { + ike_sa_id_t *id; + + DBG1(DBG_CFG, "toggling IKE message initiator flag"); + id = message->get_ike_sa_id(message); + id->switch_initiator(id); + } + return TRUE; +} + +METHOD(hook_t, destroy, void, + private_set_ike_initiator_t *this) +{ + free(this); +} + +/** + * Create the IKE_AUTH fill hook + */ +hook_t *set_ike_initiator_hook_create(char *name) +{ + private_set_ike_initiator_t *this; + + INIT(this, + .hook = { + .listener = { + .message = _message, + }, + .destroy = _destroy, + }, + .req = conftest->test->get_bool(conftest->test, + "hooks.%s.request", TRUE, name), + .id = conftest->test->get_int(conftest->test, + "hooks.%s.id", 0, name), + ); + + return &this->hook; +} diff --git a/src/conftest/hooks/set_ike_request.c b/src/conftest/hooks/set_ike_request.c new file mode 100644 index 000000000..baabea66a --- /dev/null +++ b/src/conftest/hooks/set_ike_request.c @@ -0,0 +1,84 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "hook.h" + +#include <encoding/payloads/unknown_payload.h> + +typedef struct private_set_ike_request_t private_set_ike_request_t; + +/** + * Private data of an set_ike_request_t object. + */ +struct private_set_ike_request_t { + + /** + * Implements the hook_t interface. + */ + hook_t hook; + + /** + * Alter requests or responses? + */ + bool req; + + /** + * ID of message to alter. + */ + int id; +}; + +METHOD(listener_t, message, bool, + private_set_ike_request_t *this, ike_sa_t *ike_sa, message_t *message, + bool incoming) +{ + if (!incoming && + message->get_request(message) == this->req && + message->get_message_id(message) == this->id) + { + DBG1(DBG_CFG, "toggling IKE message request flag"); + message->set_request(message, !this->req); + } + return TRUE; +} + +METHOD(hook_t, destroy, void, + private_set_ike_request_t *this) +{ + free(this); +} + +/** + * Create the IKE_AUTH fill hook + */ +hook_t *set_ike_request_hook_create(char *name) +{ + private_set_ike_request_t *this; + + INIT(this, + .hook = { + .listener = { + .message = _message, + }, + .destroy = _destroy, + }, + .req = conftest->test->get_bool(conftest->test, + "hooks.%s.request", TRUE, name), + .id = conftest->test->get_int(conftest->test, + "hooks.%s.id", 0, name), + ); + + return &this->hook; +} diff --git a/src/conftest/hooks/set_ike_spi.c b/src/conftest/hooks/set_ike_spi.c new file mode 100644 index 000000000..14a0da9cd --- /dev/null +++ b/src/conftest/hooks/set_ike_spi.c @@ -0,0 +1,104 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "hook.h" + +#include <encoding/payloads/unknown_payload.h> + +typedef struct private_set_ike_spi_t private_set_ike_spi_t; + +/** + * Private data of an set_ike_spi_t object. + */ +struct private_set_ike_spi_t { + + /** + * Implements the hook_t interface. + */ + hook_t hook; + + /** + * Alter requests or responses? + */ + bool req; + + /** + * ID of message to alter. + */ + int id; + + /** + * Initiator SPI + */ + u_int64_t spii; + + /** + * Responder SPI + */ + u_int64_t spir; +}; + +METHOD(listener_t, message, bool, + private_set_ike_spi_t *this, ike_sa_t *ike_sa, message_t *message, + bool incoming) +{ + if (!incoming && + message->get_request(message) == this->req && + message->get_message_id(message) == this->id) + { + ike_sa_id_t *id; + + DBG1(DBG_CFG, "setting IKE SPIs to: 0x%llx/0x%llx", + this->spii, this->spir); + + id = message->get_ike_sa_id(message); + id->set_initiator_spi(id, this->spii); + id->set_responder_spi(id, this->spir); + } + return TRUE; +} + +METHOD(hook_t, destroy, void, + private_set_ike_spi_t *this) +{ + free(this); +} + +/** + * Create the IKE_AUTH fill hook + */ +hook_t *set_ike_spi_hook_create(char *name) +{ + private_set_ike_spi_t *this; + + INIT(this, + .hook = { + .listener = { + .message = _message, + }, + .destroy = _destroy, + }, + .req = conftest->test->get_bool(conftest->test, + "hooks.%s.request", TRUE, name), + .id = conftest->test->get_int(conftest->test, + "hooks.%s.id", 0, name), + .spii = strtoull(conftest->test->get_str(conftest->test, + "hooks.%s.spii", "0", name), NULL, 16), + .spir = strtoull(conftest->test->get_str(conftest->test, + "hooks.%s.spir", "0", name), NULL, 16), + ); + + return &this->hook; +} diff --git a/src/conftest/hooks/set_ike_version.c b/src/conftest/hooks/set_ike_version.c new file mode 100644 index 000000000..d2de9dc81 --- /dev/null +++ b/src/conftest/hooks/set_ike_version.c @@ -0,0 +1,111 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "hook.h" + +#include <encoding/payloads/unknown_payload.h> + +typedef struct private_set_ike_version_t private_set_ike_version_t; + +/** + * Private data of an set_ike_version_t object. + */ +struct private_set_ike_version_t { + + /** + * Implements the hook_t interface. + */ + hook_t hook; + + /** + * Alter requests or responses? + */ + bool req; + + /** + * ID of message to alter. + */ + int id; + + /** + * Major version to set + */ + int major; + + /** + * Minor version to set + */ + int minor; + + /** + * Higher version supported? + */ + bool higher; +}; + +METHOD(listener_t, message, bool, + private_set_ike_version_t *this, ike_sa_t *ike_sa, message_t *message, + bool incoming) +{ + if (!incoming && + message->get_request(message) == this->req && + message->get_message_id(message) == this->id) + { + DBG1(DBG_CFG, "setting IKE version of message ID %d to %d.%d", + this->id, this->major, this->minor); + message->set_major_version(message, this->major); + message->set_minor_version(message, this->minor); + if (this->higher) + { + message->set_version_flag(message); + } + } + return TRUE; +} + +METHOD(hook_t, destroy, void, + private_set_ike_version_t *this) +{ + free(this); +} + +/** + * Create the IKE_AUTH fill hook + */ +hook_t *set_ike_version_hook_create(char *name) +{ + private_set_ike_version_t *this; + + INIT(this, + .hook = { + .listener = { + .message = _message, + }, + .destroy = _destroy, + }, + .req = conftest->test->get_bool(conftest->test, + "hooks.%s.request", TRUE, name), + .id = conftest->test->get_int(conftest->test, + "hooks.%s.id", 0, name), + .major = conftest->test->get_int(conftest->test, + "hooks.%s.major", 2, name), + .minor = conftest->test->get_int(conftest->test, + "hooks.%s.minor", 0, name), + .higher = conftest->test->get_bool(conftest->test, + "hooks.%s.higher", FALSE, name), + ); + + return &this->hook; +} diff --git a/src/conftest/hooks/set_length.c b/src/conftest/hooks/set_length.c new file mode 100644 index 000000000..0379dcb7c --- /dev/null +++ b/src/conftest/hooks/set_length.c @@ -0,0 +1,133 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "hook.h" + +typedef struct private_set_length_t private_set_length_t; + +/** + * Private data of an set_length_t object. + */ +struct private_set_length_t { + + /** + * Implements the hook_t interface. + */ + hook_t hook; + + /** + * Alter requests or responses? + */ + bool req; + + /** + * ID of message to alter. + */ + int id; + + /** + * Payload type + */ + char *type; + + /** + * Difference to correct length + */ + int diff; +}; + +METHOD(listener_t, message, bool, + private_set_length_t *this, ike_sa_t *ike_sa, message_t *message, + bool incoming) +{ + if (!incoming && + message->get_request(message) == this->req && + message->get_message_id(message) == this->id) + { + payload_t *payload; + enumerator_t *enumerator; + payload_type_t type; + + type = atoi(this->type); + if (!type) + { + type = enum_from_name(payload_type_short_names, this->type); + if (type == -1) + { + DBG1(DBG_CFG, "unknown payload: '%s', skipped", this->type); + return TRUE; + } + } + enumerator = message->create_payload_enumerator(message); + while (enumerator->enumerate(enumerator, &payload)) + { + if (type == payload->get_type(payload)) + { + encoding_rule_t *rules; + size_t count; + u_int16_t *len; + int i; + + payload->get_encoding_rules(payload, &rules, &count); + for (i = 0; i < count; i++) + { + if (rules[i].type == PAYLOAD_LENGTH) + { + len = (u_int16_t*)(((void*)payload) + rules[i].offset); + DBG1(DBG_CFG, "adjusting length of %N payload " + "from %d to %d", payload_type_short_names, type, + *len, *len + this->diff); + *len = *len + this->diff; + } + } + } + } + enumerator->destroy(enumerator); + } + return TRUE; +} + +METHOD(hook_t, destroy, void, + private_set_length_t *this) +{ + free(this); +} + +/** + * Create the IKE_AUTH fill hook + */ +hook_t *set_length_hook_create(char *name) +{ + private_set_length_t *this; + + INIT(this, + .hook = { + .listener = { + .message = _message, + }, + .destroy = _destroy, + }, + .req = conftest->test->get_bool(conftest->test, + "hooks.%s.request", TRUE, name), + .id = conftest->test->get_int(conftest->test, + "hooks.%s.id", 0, name), + .type = conftest->test->get_str(conftest->test, + "hooks.%s.type", "", name), + .diff = conftest->test->get_int(conftest->test, + "hooks.%s.diff", 0, name), + ); + + return &this->hook; +} diff --git a/src/conftest/hooks/set_proposal_number.c b/src/conftest/hooks/set_proposal_number.c new file mode 100644 index 000000000..a59d96b6d --- /dev/null +++ b/src/conftest/hooks/set_proposal_number.c @@ -0,0 +1,163 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "hook.h" + +#include <encoding/payloads/sa_payload.h> + +typedef struct private_set_proposal_number_t private_set_proposal_number_t; + +/** + * Private data of an set_proposal_number_t object. + */ +struct private_set_proposal_number_t { + + /** + * Implements the hook_t interface. + */ + hook_t hook; + + /** + * Alter requests or responses? + */ + bool req; + + /** + * ID of message to alter. + */ + int id; + + /** + * Proposal number to modify + */ + int from; + + /** + * Proposal number to set + */ + int to; +}; + +/** + * Copy all algs from given type from one proposal to another + */ +static void copy_proposal_algs(proposal_t *from, proposal_t *to, + transform_type_t type) +{ + enumerator_t *enumerator; + u_int16_t alg, key_size; + + enumerator = from->create_enumerator(from, type); + while (enumerator->enumerate(enumerator, &alg, &key_size)) + { + to->add_algorithm(to, type, alg, key_size); + } + enumerator->destroy(enumerator); +} + +METHOD(listener_t, message, bool, + private_set_proposal_number_t *this, ike_sa_t *ike_sa, message_t *message, + bool incoming) +{ + if (!incoming && + message->get_request(message) == this->req && + message->get_message_id(message) == this->id) + { + enumerator_t *enumerator; + payload_t *payload; + linked_list_t *list = NULL, *updated; + sa_payload_t *sa; + proposal_t *proposal, *new; + + updated = linked_list_create(); + enumerator = message->create_payload_enumerator(message); + while (enumerator->enumerate(enumerator, &payload)) + { + if (payload->get_type(payload) == SECURITY_ASSOCIATION) + { + sa = (sa_payload_t*)payload; + list = sa->get_proposals(sa); + message->remove_payload_at(message, enumerator); + sa->destroy(sa); + } + } + enumerator->destroy(enumerator); + + if (list) + { + enumerator = list->create_enumerator(list); + while (enumerator->enumerate(enumerator, &proposal)) + { + if (proposal->get_number(proposal) == this->from) + { + DBG1(DBG_CFG, "setting proposal number from %d to %d", + this->from, this->to); + new = proposal_create(proposal->get_protocol(proposal), + this->to); + copy_proposal_algs(proposal, new, ENCRYPTION_ALGORITHM); + copy_proposal_algs(proposal, new, INTEGRITY_ALGORITHM); + copy_proposal_algs(proposal, new, PSEUDO_RANDOM_FUNCTION); + copy_proposal_algs(proposal, new, DIFFIE_HELLMAN_GROUP); + copy_proposal_algs(proposal, new, EXTENDED_SEQUENCE_NUMBERS); + updated->insert_last(updated, new); + } + else + { + list->remove_at(list, enumerator); + updated->insert_last(updated, proposal); + } + } + enumerator->destroy(enumerator); + } + sa = sa_payload_create_from_proposal_list(updated); + list->destroy_offset(list, offsetof(proposal_t, destroy)); + updated->destroy_offset(updated, offsetof(proposal_t, destroy)); + message->add_payload(message, (payload_t*)sa); + } + return TRUE; +} + +METHOD(hook_t, destroy, void, + private_set_proposal_number_t *this) +{ + free(this); +} + +/** + * Create the IKE_AUTH fill hook + */ +hook_t *set_proposal_number_hook_create(char *name) +{ + private_set_proposal_number_t *this; + + INIT(this, + .hook = { + .listener = { + .message = _message, + }, + .destroy = _destroy, + }, + .req = conftest->test->get_bool(conftest->test, + "hooks.%s.request", TRUE, name), + .id = conftest->test->get_int(conftest->test, + "hooks.%s.id", 0, name), + .from = conftest->test->get_int(conftest->test, + "hooks.%s.from", 0, name), + .to = conftest->test->get_int(conftest->test, + "hooks.%s.to", 1, name), + ); + + return &this->hook; +} diff --git a/src/conftest/hooks/set_reserved.c b/src/conftest/hooks/set_reserved.c new file mode 100644 index 000000000..77a605d2a --- /dev/null +++ b/src/conftest/hooks/set_reserved.c @@ -0,0 +1,245 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "hook.h" + +#include <encoding/payloads/sa_payload.h> + +typedef struct private_set_reserved_t private_set_reserved_t; + +/** + * Private data of an set_reserved_t object. + */ +struct private_set_reserved_t { + + /** + * Implements the hook_t interface. + */ + hook_t hook; + + /** + * Alter requests or responses? + */ + bool req; + + /** + * ID of message to alter. + */ + int id; + + /** + * Hook name + */ + char *name; +}; + +/** + * Set reserved bit of a payload + */ +static void set_bit(private_set_reserved_t *this, message_t *message, + payload_type_t type, u_int nr) +{ + enumerator_t *payloads; + payload_t *payload; + bool *bit; + + if (type == HEADER) + { + message->set_reserved_header_bit(message, nr); + DBG1(DBG_CFG, "setting reserved bit %d of %N", + nr, payload_type_short_names, type); + } + else + { + payloads = message->create_payload_enumerator(message); + while (payloads->enumerate(payloads, &payload)) + { + if (payload->get_type(payload) == type) + { + bit = payload_get_field(payload, RESERVED_BIT, nr); + if (bit) + { + DBG1(DBG_CFG, "setting reserved bit %d of %N", + nr, payload_type_short_names, type); + *bit = TRUE; + } + } + } + payloads->destroy(payloads); + } +} + +/** + * Set reserved byte of a payload + */ +static void set_byte(private_set_reserved_t *this, message_t *message, + payload_type_t type, u_int nr, u_int8_t byteval) +{ + enumerator_t *payloads; + payload_t *payload; + u_int8_t *byte; + + if (type == TRANSFORM_SUBSTRUCTURE || type == PROPOSAL_SUBSTRUCTURE) + { + enumerator_t *transforms, *proposals; + transform_substructure_t *transform; + proposal_substructure_t *proposal; + sa_payload_t *sa; + + payloads = message->create_payload_enumerator(message); + while (payloads->enumerate(payloads, &payload)) + { + if (payload->get_type(payload) == SECURITY_ASSOCIATION) + { + sa = (sa_payload_t*)payload; + proposals = sa->create_substructure_enumerator(sa); + while (proposals->enumerate(proposals, &proposal)) + { + if (type == PROPOSAL_SUBSTRUCTURE) + { + byte = payload_get_field(&proposal->payload_interface, + RESERVED_BYTE, nr); + if (byte) + { + DBG1(DBG_CFG, "setting reserved byte %d of %N to %d", + nr, payload_type_short_names, type, byteval); + *byte = byteval; + } + } + else if (type == TRANSFORM_SUBSTRUCTURE) + { + transforms = proposal->create_substructure_enumerator( + proposal); + while (transforms->enumerate(transforms, &transform)) + { + byte = payload_get_field(&transform->payload_interface, + RESERVED_BYTE, nr); + if (byte) + { + DBG1(DBG_CFG, "setting reserved byte %d of %N to %d", + nr, payload_type_short_names, type, byteval); + *byte = byteval; + } + } + transforms->destroy(transforms); + } + } + proposals->destroy(proposals); + } + } + payloads->destroy(payloads); + } + else + { + payloads = message->create_payload_enumerator(message); + while (payloads->enumerate(payloads, &payload)) + { + if (payload->get_type(payload) == type) + { + byte = payload_get_field(payload, RESERVED_BYTE, nr); + if (byte) + { + DBG1(DBG_CFG, "setting reserved byte %d of %N to %d", + nr, payload_type_short_names, type, byteval); + *byte = byteval; + } + } + } + payloads->destroy(payloads); + } +} + +METHOD(listener_t, message, bool, + private_set_reserved_t *this, ike_sa_t *ike_sa, message_t *message, + bool incoming) +{ + if (!incoming && + message->get_request(message) == this->req && + message->get_message_id(message) == this->id) + { + enumerator_t *bits, *bytes, *types; + payload_type_t type; + char *nr, *name; + u_int8_t byteval; + + types = conftest->test->create_section_enumerator(conftest->test, + "hooks.%s", this->name); + while (types->enumerate(types, &name)) + { + type = atoi(name); + if (!type) + { + type = enum_from_name(payload_type_short_names, name); + if (type == -1) + { + DBG1(DBG_CFG, "invalid payload name '%s'", name); + break; + } + } + nr = conftest->test->get_str(conftest->test, + "hooks.%s.%s.bits", "", this->name, name); + bits = enumerator_create_token(nr, ",", " "); + while (bits->enumerate(bits, &nr)) + { + set_bit(this, message, type, atoi(nr)); + } + bits->destroy(bits); + + nr = conftest->test->get_str(conftest->test, + "hooks.%s.%s.bytes", "", this->name, name); + byteval = conftest->test->get_int(conftest->test, + "hooks.%s.%s.byteval", 255, this->name, name); + bytes = enumerator_create_token(nr, ",", " "); + while (bytes->enumerate(bytes, &nr)) + { + set_byte(this, message, type, atoi(nr), byteval); + } + bytes->destroy(bytes); + } + types->destroy(types); + } + return TRUE; +} + +METHOD(hook_t, destroy, void, + private_set_reserved_t *this) +{ + free(this->name); + free(this); +} + +/** + * Create the IKE_AUTH fill hook + */ +hook_t *set_reserved_hook_create(char *name) +{ + private_set_reserved_t *this; + + INIT(this, + .hook = { + .listener = { + .message = _message, + }, + .destroy = _destroy, + }, + .req = conftest->test->get_bool(conftest->test, + "hooks.%s.request", TRUE, name), + .id = conftest->test->get_int(conftest->test, + "hooks.%s.id", 0, name), + .name = strdup(name), + ); + + return &this->hook; +} diff --git a/src/conftest/hooks/unencrypted_notify.c b/src/conftest/hooks/unencrypted_notify.c new file mode 100644 index 000000000..80bdc64b7 --- /dev/null +++ b/src/conftest/hooks/unencrypted_notify.c @@ -0,0 +1,153 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "hook.h" + +typedef struct private_unencrypted_notify_t private_unencrypted_notify_t; + +/** + * Private data of an unencrypted_notify_t object. + */ +struct private_unencrypted_notify_t { + + /** + * Implements the hook_t interface. + */ + hook_t hook; + + /** + * ID of message send. + */ + int id; + + /** + * Notify type + */ + char *type; + + /** + * Notify data + */ + char *data; + + /** + * SPI of notify + */ + int spi; + + /** + * TRUE for a ESP protocol notify, FALSE for IKE + */ + bool esp; +}; + +METHOD(listener_t, ike_updown, bool, + private_unencrypted_notify_t *this, ike_sa_t *ike_sa, bool up) +{ + if (up) + { + message_t *message; + host_t *host; + notify_type_t type; + notify_payload_t *notify; + chunk_t data = chunk_empty; + packet_t *packet; + + type = atoi(this->type); + if (!type) + { + type = enum_from_name(notify_type_names, this->type); + if (type == -1) + { + DBG1(DBG_CFG, "unknown notify: '%s', skipped", this->type); + return TRUE; + } + } + if (strncaseeq(this->data, "0x", 2)) + { + data = chunk_skip(chunk_create(this->data, strlen(this->data)), 2); + data = chunk_from_hex(data, NULL); + } + else if (this->data && strlen(this->data)) + { + data = chunk_clone(chunk_create(this->data, strlen(this->data))); + } + notify = notify_payload_create_from_protocol_and_type( + this->esp ? PROTO_ESP : PROTO_IKE, type); + notify->set_spi(notify, this->spi); + if (data.len) + { + notify->set_notification_data(notify, data); + free(data.ptr); + } + + DBG1(DBG_CFG, "injecting unencrypted INFORMATIONAL message"); + + message = message_create(); + message->set_message_id(message, this->id); + message->set_ike_sa_id(message, ike_sa->get_id(ike_sa)); + message->set_exchange_type(message, INFORMATIONAL); + message->set_request(message, TRUE); + host = ike_sa->get_my_host(ike_sa); + message->set_source(message, host->clone(host)); + host = ike_sa->get_other_host(ike_sa); + message->set_destination(message, host->clone(host)); + message->add_payload(message, ¬ify->payload_interface); + if (message->generate(message, NULL, &packet) != SUCCESS) + { + DBG1(DBG_CFG, "generating message failed"); + message->destroy(message); + return TRUE; + } + message->destroy(message); + charon->sender->send(charon->sender, packet); + } + return TRUE; +} + +METHOD(hook_t, destroy, void, + private_unencrypted_notify_t *this) +{ + free(this); +} + +/** + * Create the IKE_AUTH fill hook + */ +hook_t *unencrypted_notify_hook_create(char *name) +{ + private_unencrypted_notify_t *this; + + INIT(this, + .hook = { + .listener = { + .ike_updown = _ike_updown, + }, + .destroy = _destroy, + }, + .id = conftest->test->get_int(conftest->test, + "hooks.%s.id", 2, name), + .type = conftest->test->get_str(conftest->test, + "hooks.%s.type", "", name), + .data = conftest->test->get_str(conftest->test, + "hooks.%s.data", "", name), + .spi = conftest->test->get_int(conftest->test, + "hooks.%s.spi", 0, name), + .esp = conftest->test->get_bool(conftest->test, + "hooks.%s.esp", FALSE, name), + ); + + return &this->hook; +} diff --git a/src/conftest/hooks/unsort_message.c b/src/conftest/hooks/unsort_message.c new file mode 100644 index 000000000..b37b261a4 --- /dev/null +++ b/src/conftest/hooks/unsort_message.c @@ -0,0 +1,133 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "hook.h" + +typedef struct private_unsort_message_t private_unsort_message_t; + +/** + * Private data of an unsort_message_t object. + */ +struct private_unsort_message_t { + + /** + * Implements the hook_t interface. + */ + hook_t hook; + + /** + * Alter requests or responses? + */ + bool req; + + /** + * ID of message to alter. + */ + int id; + + /** + * Order of payloads we want + */ + char *order; +}; + +METHOD(listener_t, message, bool, + private_unsort_message_t *this, ike_sa_t *ike_sa, message_t *message, + bool incoming) +{ + if (!incoming && + message->get_request(message) == this->req && + message->get_message_id(message) == this->id) + { + enumerator_t *enumerator, *order; + linked_list_t *list; + payload_type_t type; + payload_t *payload; + char *name; + + list = linked_list_create(); + enumerator = message->create_payload_enumerator(message); + while (enumerator->enumerate(enumerator, &payload)) + { + message->remove_payload_at(message, enumerator); + list->insert_last(list, payload); + } + enumerator->destroy(enumerator); + + order = enumerator_create_token(this->order, ", ", " "); + while (order->enumerate(order, &name)) + { + type = enum_from_name(payload_type_short_names, name); + if (type != -1) + { + enumerator = list->create_enumerator(list); + while (enumerator->enumerate(enumerator, &payload)) + { + if (payload->get_type(payload) == type) + { + list->remove_at(list, enumerator); + message->add_payload(message, payload); + } + } + enumerator->destroy(enumerator); + } + else + { + DBG1(DBG_CFG, "unknown payload to sort: '%s', skipped", name); + } + } + order->destroy(order); + + while (list->remove_first(list, (void**)&payload) == SUCCESS) + { + message->add_payload(message, payload); + } + list->destroy(list); + + message->disable_sort(message); + } + return TRUE; +} + +METHOD(hook_t, destroy, void, + private_unsort_message_t *this) +{ + free(this); +} + +/** + * Create the IKE_AUTH fill hook + */ +hook_t *unsort_message_hook_create(char *name) +{ + private_unsort_message_t *this; + + INIT(this, + .hook = { + .listener = { + .message = _message, + }, + .destroy = _destroy, + }, + .req = conftest->test->get_bool(conftest->test, + "hooks.%s.request", TRUE, name), + .id = conftest->test->get_int(conftest->test, + "hooks.%s.id", 0, name), + .order = conftest->test->get_str(conftest->test, + "hooks.%s.order", "", name), + ); + + return &this->hook; +} |