]> git.saurik.com Git - apple/ipsec.git/blob - ipsec-tools/racoon_test/racoon_test.c
projects / apple / ipsec.git / blob
? search:


778c08e7bf772fdcbfa2c5d0cfa69cf039f72a77
[apple/ipsec.git] / ipsec-tools / racoon_test / racoon_test.c
1 //
2 // racoon_test.c
3 // ipsec
4 //
5 // Copyright (c) 2017 Apple Inc. All rights reserved.
6 //
7
8 #include "oakley.h"
9 #include "crypto_cssm.h"
10 #include "racoon_certs_data.h"
11 #include "ipsec_doi.h"
12 #include "remoteconf.h"
13 #include "plog.h"
14 #include "isakmp.h"
15 #include "oakley.h"
16 #include "proposal.h"
17 #include "isakmp_cfg.h"
18 #include "racoon_types.h"
19 #include "handler.h"
20 #include "vmbuf.h"
21 #include "vpn_control.h"
22 #include "pfkey.h"
23
24 #include <TargetConditionals.h>
25 #include <Security/SecCertificate.h>
26 #include <sysexits.h>
27 #include <getopt.h>
28 #include <net/pfkeyv2.h>
29 #include <netinet6/ipsec.h>
30
31 #define racoon_test_pass 0
32 #define racoon_test_failure 1
33
34 struct localconf *lcconf;
35
36 static struct option long_options[] =
37 {
38 {"unit_test", no_argument, 0, 'u'},
39 {"help" , no_argument, 0, 'h'}
40 };
41
42 static void
43 print_usage(char *name)
44 {
45 printf("Usage: %s\n", name);
46 printf(" -unit_test\n");
47 }
48
49 int
50 xauth_attr_reply(iph1, attr, id)
51 phase1_handle_t *iph1;
52 struct isakmp_data *attr;
53 int id;
54 {
55 __builtin_unreachable();
56 return 0;
57 }
58
59 void
60 isakmp_unity_reply(iph1, attr)
61 phase1_handle_t *iph1;
62 struct isakmp_data *attr;
63 {
64 __builtin_unreachable();
65 return;
66 }
67
68 int
69 vpncontrol_notify_phase_change(int start, u_int16_t from, phase1_handle_t *iph1, phase2_handle_t *iph2)
70 {
71 __builtin_unreachable();
72 return 0;
73 }
74
75 phase2_handle_t *
76 ike_session_newph2(unsigned int version, int type)
77 {
78 __builtin_unreachable();
79 return NULL;
80 }
81
82 int
83 ike_session_link_ph2_to_ph1 (phase1_handle_t *iph1, phase2_handle_t *iph2)
84 {
85 __builtin_unreachable();
86 return 0;
87 }
88
89 vchar_t *
90 isakmp_xauth_req(iph1, attr)
91 phase1_handle_t *iph1;
92 struct isakmp_data *attr;
93 {
94 __builtin_unreachable();
95 return NULL;
96 }
97
98 int
99 isakmp_ph2resend(iph2)
100 phase2_handle_t *iph2;
101 {
102 __builtin_unreachable();
103 return NULL;
104 }
105
106 void
107 ike_session_start_xauth_timer (phase1_handle_t *iph1)
108 {
109 __builtin_unreachable();
110 return;
111 }
112
113 int
114 isakmp_send(iph1, sbuf)
115 phase1_handle_t *iph1;
116 vchar_t *sbuf;
117 {
118 __builtin_unreachable();
119 return 0;
120 }
121
122 int
123 ike_session_unlink_phase2 (phase2_handle_t *iph2)
124 {
125 __builtin_unreachable();
126 return 0;
127 }
128
129 int
130 ike_session_add_recvdpkt(remote, local, sbuf, rbuf, non_esp, frag_flags)
131 struct sockaddr_storage *remote, *local;
132 vchar_t *sbuf, *rbuf;
133 size_t non_esp;
134 u_int32_t frag_flags;
135 {
136 __builtin_unreachable();
137 return 0;
138 }
139
140 int
141 ike_session_is_client_ph1_rekey (phase1_handle_t *iph1)
142 {
143 return 0;
144 }
145
146 int
147 vpncontrol_notify_need_authinfo(phase1_handle_t *iph1, void* attr_list, size_t attr_len)
148 {
149 __builtin_unreachable();
150 return 0;
151 }
152
153 u_int32_t
154 isakmp_newmsgid2(iph1)
155 phase1_handle_t *iph1;
156 {
157 __builtin_unreachable();
158 return 0;
159 }
160
161 void
162 fsm_set_state(int *var, int state)
163 {
164 __builtin_unreachable();
165 return;
166 }
167
168 int
169 xauth_check(iph1)
170 phase1_handle_t *iph1;
171 {
172 __builtin_unreachable();
173 return 0;
174 }
175
176 void
177 ike_session_delph2(phase2_handle_t *iph2)
178 {
179 __builtin_unreachable();
180 return;
181 }
182
183 vchar_t *
184 isakmp_unity_req(iph1, attr)
185 phase1_handle_t *iph1;
186 struct isakmp_data *attr;
187 {
188 __builtin_unreachable();
189 return NULL;
190 }
191
192 int
193 isakmp_info_send_d1(phase1_handle_t *iph1)
194 {
195 __builtin_unreachable();
196 return 0;
197 }
198
199 vchar_t *
200 isakmp_xauth_set(iph1, attr)
201 phase1_handle_t *iph1;
202 struct isakmp_data *attr;
203 {
204 __builtin_unreachable();
205 return NULL;
206 }
207
208 void
209 isakmp_ph1expire(iph1)
210 phase1_handle_t *iph1;
211 {
212 __builtin_unreachable();
213 return;
214 }
215
216 void
217 check_auto_exit(void)
218 {
219 return;
220 }
221
222 void
223 ipsecSessionTracerEvent (ike_session_t *session, ipsecSessionEventCode_t eventCode, const char *event, const char *failure_reason)
224 {
225 __builtin_unreachable();
226 return;
227 }
228
229 static int
230 racoon_cert_validity_test(void)
231 {
232 int result = racoon_test_pass;
233 #ifndef HAVE_OPENSSL
234 /*
235 * Below tests are applicable only for embedded
236 * because the crypto_cssm_check_x509cert_dates()
237 * does nothing on osx.
238 */
239 cert_status_t cert_status;
240
241 fprintf(stdout, "[TEST] RacoonCertValidity\n");
242
243 // For certificate info, look at past_cert.der
244 fprintf(stdout, "\t[BEGIN] ExpiredCertTest\n");
245 CFDataRef past_cert_data = CFDataCreate(kCFAllocatorDefault, past_cert_der, sizeof(past_cert_der));
246 SecCertificateRef past_cert_ref = SecCertificateCreateWithData(NULL, past_cert_data);
247 cert_status = crypto_cssm_check_x509cert_dates (past_cert_ref);
248 if (cert_status != CERT_STATUS_EXPIRED) {
249 fprintf(stdout, "\t[FAIL] ExpiredCertTest\n");
250 result = racoon_test_failure;
251 } else {
252 fprintf(stdout, "\t[PASS] ExpiredCertTest\n");
253 }
254
255 // For certificate info, look at future_cert.der
256 fprintf(stdout, "\t[BEGIN] PrematureCertTest\n");
257 CFDataRef future_cert_data = CFDataCreate(kCFAllocatorDefault, future_cert_der, sizeof(future_cert_der));
258 SecCertificateRef future_cert_ref = SecCertificateCreateWithData(NULL, future_cert_data);
259 cert_status = crypto_cssm_check_x509cert_dates (future_cert_ref);
260 if (cert_status != CERT_STATUS_PREMATURE) {
261 fprintf(stdout, "\t[FAIL] PrematureCertTest\n");
262 result = racoon_test_failure;
263 } else {
264 fprintf(stdout, "\t[PASS] PrematureCertTest\n");
265 }
266
267
268 // For certificate info, look at valid_cert.der
269 fprintf(stdout, "\t[BEGIN] ValidCertTest\n");
270 CFDataRef valid_cert_data = CFDataCreate(kCFAllocatorDefault, valid_cert_der, sizeof(valid_cert_der));
271 SecCertificateRef valid_cert_ref = SecCertificateCreateWithData(NULL, valid_cert_data);
272 cert_status = crypto_cssm_check_x509cert_dates (valid_cert_ref);
273 if (cert_status != CERT_STATUS_OK) {
274 fprintf(stdout, "\t[FAIL] ValidCertTest\n");
275 result = racoon_test_failure;
276 } else {
277 fprintf(stdout, "\t[PASS] ValidCertTest\n");
278 }
279 #endif // HAVE_OPENSSL
280 return result;
281 }
282
283 static int
284 racoon_test_overflow_transform_attributes(void)
285 {
286 #define TEST_GEN_PAYLOAD_LEN 4
287 void *payload = NULL;
288
289 // Test ISAKMP overflow
290 payload = malloc(2 * (sizeof(struct isakmp_pl_t) + sizeof(struct isakmp_data) + TEST_GEN_PAYLOAD_LEN));
291 if (payload == NULL) {
292 fprintf(stdout, "malloc failed");
293 return racoon_test_failure;
294 }
295 memset(payload, 0, (2 * (sizeof(struct isakmp_pl_t) + sizeof(struct isakmp_data) + TEST_GEN_PAYLOAD_LEN)));
296
297 fprintf(stdout, "\t[BEGIN] TransformPayloadTest\n");
298
299 struct isakmp_pl_t *trans = (struct isakmp_pl_t *)payload;
300 struct isakmp_data *data = (struct isakmp_data *)(trans + 1);
301 uint32_t *gen1 = (uint32_t *)(data + 1);
302 struct isakmpsa sa = {0};
303
304 data->type = htons(OAKLEY_ATTR_GRP_GEN_ONE);
305 data->lorv = htons(TEST_GEN_PAYLOAD_LEN);
306 *gen1 = htonl(0x11111111);
307
308 // Transform header total length shorter than data header
309 trans->h.len = htons(sizeof(struct isakmp_pl_t) + sizeof(struct isakmp_data) - 1);
310 if (t2isakmpsa(trans, &sa) == 0) {
311 fprintf(stdout, "\t[FAIL] TransformPayloadTest\n");
312 return racoon_test_failure;
313 }
314
315 // Transform header total length shorter than data header + payload without flag
316 trans->h.len = htons(sizeof(struct isakmp_pl_t) + sizeof(struct isakmp_data));
317 if (t2isakmpsa(trans, &sa) == 0) {
318 fprintf(stdout, "\t[FAIL] TransformPayloadTest\n");
319 return racoon_test_failure;
320 }
321
322 // Transform header total length equal to data header + payload without flag
323 trans->h.len = htons(sizeof(struct isakmp_pl_t) + sizeof(struct isakmp_data) + TEST_GEN_PAYLOAD_LEN);
324 if (t2isakmpsa(trans, &sa) < 0) {
325 fprintf(stdout, "\t[FAIL] TransformPayloadTest\n");
326 return racoon_test_failure;
327 }
328
329 // Transform header total length shorter than data header + payload with flag set
330 trans->h.len = htons(sizeof(struct isakmp_pl_t) + sizeof(struct isakmp_data));
331 data->type = htons(OAKLEY_ATTR_GRP_GEN_ONE | ISAKMP_GEN_MASK);
332 if (t2isakmpsa(trans, &sa) == 0) {
333 fprintf(stdout, "\t[FAIL] TransformPayloadTest\n");
334 return racoon_test_failure;
335 }
336
337 // Transform header total length shorter than data header + payload with flag set for Gen 2
338 trans->h.len = htons(sizeof(struct isakmp_pl_t) + sizeof(struct isakmp_data));
339 data->type = htons(OAKLEY_ATTR_GRP_GEN_TWO | ISAKMP_GEN_MASK);
340 if (t2isakmpsa(trans, &sa) == 0) {
341 fprintf(stdout, "\t[FAIL] TransformPayloadTest\n");
342 return racoon_test_failure;
343 }
344
345 // Transform header total length shorter than data header + payload with flag set for Encryption
346 trans->h.len = htons(sizeof(struct isakmp_pl_t) + sizeof(struct isakmp_data) );
347 data->type = htons(OAKLEY_ATTR_ENC_ALG);
348 if (t2isakmpsa(trans, &sa) == 0) {
349 fprintf(stdout, "\t[FAIL] TransformPayloadTest\n");
350 return racoon_test_failure;
351 }
352
353 // Transform header total length equal to data header + payload with flag set for Encryption
354 trans->h.len = htons(sizeof(struct isakmp_pl_t) + sizeof(struct isakmp_data));
355 data->type = htons(OAKLEY_ATTR_ENC_ALG | ISAKMP_GEN_MASK);
356 if (t2isakmpsa(trans, &sa) < 0) {
357 fprintf(stdout, "\t[FAIL] TransformPayloadTest\n");
358 return racoon_test_failure;
359 }
360
361 // Transform header total length shorter than 2 * data header + payload with flag set for Encryption
362 trans->h.len = htons(sizeof(struct isakmp_pl_t) + sizeof(struct isakmp_data) + sizeof(struct isakmp_data) - 1);
363 data->type = htons(OAKLEY_ATTR_ENC_ALG | ISAKMP_GEN_MASK);
364 if (t2isakmpsa(trans, &sa) == 0) {
365 fprintf(stdout, "\t[FAIL] TransformPayloadTest\n");
366 return racoon_test_failure;
367 }
368
369 fprintf(stdout, "\t[PASS] TransformPayloadTest\n");
370 return racoon_test_pass;
371 }
372
373 static int
374 racoon_test_overflow_attribute(void)
375 {
376 void *payload = NULL;
377
378 #define TEST_GEN_PAYLOAD_LEN 4
379
380 payload = malloc(sizeof(struct isakmp_pl_t) + sizeof(struct isakmp_data));
381 if (payload == NULL) {
382 fprintf(stdout, "malloc failed");
383 return racoon_test_failure;
384 }
385 memset(payload, 0, sizeof(struct isakmp_pl_t) + sizeof(struct isakmp_data));
386
387 fprintf(stdout, "\t[BEGIN] AttributeTest\n");
388
389 struct isakmp_pl_t *trans = (struct isakmp_pl_t *)payload;
390 struct isakmp_data *data = (struct isakmp_data *)(trans + 1);
391
392 data->type = htons(OAKLEY_ATTR_GRP_GEN_ONE);
393 data->lorv = htons(TEST_GEN_PAYLOAD_LEN);
394
395 trans->h.len = htons(sizeof(struct isakmp_pl_t) + sizeof(struct isakmp_data) - 1);
396 if (check_attr_isakmp(trans) == 0) {
397 fprintf(stdout, "\t[FAIL] AttributeTest\n");
398 return racoon_test_failure;
399 }
400
401 trans->h.len = htons(sizeof(struct isakmp_pl_t) + sizeof(struct isakmp_data) + TEST_GEN_PAYLOAD_LEN - 1);
402 if (check_attr_isakmp(trans) == 0) {
403 fprintf(stdout, "\t[FAIL] AttributeTest\n");
404 return racoon_test_failure;
405 }
406
407 trans->h.len = htons(sizeof(struct isakmp_pl_t) + sizeof(struct isakmp_data) + TEST_GEN_PAYLOAD_LEN);
408 if (check_attr_isakmp(trans) < 0) {
409 fprintf(stdout, "\t[FAIL] AttributeTest\n");
410 return racoon_test_failure;
411 }
412
413 fprintf(stdout, "\t[PASS] AttributeTest\n");
414 return racoon_test_pass;
415 }
416
417 static int
418 racoon_test_overflow_ipsec_attribute(void)
419 {
420 void *payload = NULL;
421 #define LA_PAYLOAD_LEN 4
422
423 payload = malloc(2 * (sizeof(struct isakmp_pl_t) + sizeof(struct isakmp_data) + LA_PAYLOAD_LEN));
424 if (payload == NULL) {
425 fprintf(stdout, "malloc failed");
426 return racoon_test_failure;
427 }
428 memset(payload, 0, (2 * (sizeof(struct isakmp_pl_t) + sizeof(struct isakmp_data) + LA_PAYLOAD_LEN)));
429
430 fprintf(stdout, "\t[BEGIN] AttributeIPsecTest\n");
431
432 struct isakmp_pl_t *trans = (struct isakmp_pl_t *)payload;
433 struct isakmp_data *data = (struct isakmp_data *)(trans + 1);
434
435 data->type = htons(IPSECDOI_ATTR_SA_LD);
436 data->lorv = htons(LA_PAYLOAD_LEN);
437
438 trans->h.len = htons(sizeof(struct isakmp_pl_t) + sizeof(struct isakmp_data) - 1);
439 if (check_attr_ipsec(IPSECDOI_PROTO_IPSEC_AH, trans) == 0) {
440 fprintf(stdout, "\t[FAIL] AttributeIPsecTest\n");
441 return racoon_test_failure;
442 }
443
444 trans->h.len = htons(sizeof(struct isakmp_pl_t) + sizeof(struct isakmp_data) + LA_PAYLOAD_LEN - 1);
445 if (check_attr_ipsec(IPSECDOI_PROTO_IPSEC_AH, trans) == 0) {
446 fprintf(stdout, "\t[FAIL] AttributeIPsecTest\n");
447 return racoon_test_failure;
448 }
449
450 trans->h.len = htons(sizeof(struct isakmp_pl_t) + sizeof(struct isakmp_data) + LA_PAYLOAD_LEN + sizeof(struct isakmp_data));
451 struct isakmp_data *auth_data = (struct isakmp_data *)((uint8_t *)data + sizeof(struct isakmp_data) + LA_PAYLOAD_LEN);
452 auth_data->type = htons(IPSECDOI_ATTR_AUTH | ISAKMP_GEN_MASK);
453 auth_data->lorv = htons(IPSECDOI_ATTR_AUTH_HMAC_MD5);
454 trans->t_id = IPSECDOI_AH_MD5;
455 if (check_attr_ipsec(IPSECDOI_PROTO_IPSEC_AH, trans) < 0) {
456 fprintf(stdout, "\t[FAIL] AttributeIPsecTest\n");
457 return racoon_test_failure;
458 }
459
460 fprintf(stdout, "\t[PASS] AttributeIPsecTest\n");
461 return racoon_test_pass;
462 }
463
464 static int
465 racoon_test_overflow_ipcomp_attribute(void)
466 {
467 void *payload = NULL;
468 #define LA_PAYLOAD_LEN 4
469
470 payload = malloc(sizeof(struct isakmp_pl_t) + sizeof(struct isakmp_data));
471 if (payload == NULL) {
472 fprintf(stdout, "malloc failed");
473 return racoon_test_failure;
474 }
475 memset(payload, 0, sizeof(struct isakmp_pl_t) + sizeof(struct isakmp_data));
476
477 fprintf(stdout, "\t[BEGIN] AttributeIPCOMPTest\n");
478
479 struct isakmp_pl_t *trans = (struct isakmp_pl_t *)payload;
480 struct isakmp_data *data = (struct isakmp_data *)(trans + 1);
481
482 data->type = htons(IPSECDOI_ATTR_SA_LD);
483 data->lorv = htons(LA_PAYLOAD_LEN);
484
485 trans->h.len = htons(sizeof(struct isakmp_pl_t) + sizeof(struct isakmp_data) - 1);
486 if (check_attr_ipcomp(trans) == 0) {
487 fprintf(stdout, "\t[FAIL] AttributeIPCOMPTest\n");
488 return racoon_test_failure;
489 }
490
491 trans->h.len = htons(sizeof(struct isakmp_pl_t) + sizeof(struct isakmp_data) + LA_PAYLOAD_LEN - 1);
492 if (check_attr_ipcomp(trans) == 0) {
493 fprintf(stdout, "\t[FAIL] AttributeIPCOMPTest\n");
494 return racoon_test_failure;
495 }
496
497 trans->h.len = htons(sizeof(struct isakmp_pl_t) + sizeof(struct isakmp_data) + LA_PAYLOAD_LEN);
498 if (check_attr_ipcomp(trans) < 0) {
499 fprintf(stdout, "\t[FAIL] AttributeIPCOMPTest\n");
500 return racoon_test_failure;
501 }
502
503 fprintf(stdout, "\t[PASS] AttributeIPCOMPTest\n");
504 return racoon_test_pass;
505 }
506
507 static int
508 racoon_test_overflow_proposal(void)
509 {
510 void *payload = NULL;
511
512 #define LD_PAYLOAD_LEN 4
513
514 payload = malloc(2 * (sizeof(struct isakmp_pl_t) + sizeof(struct isakmp_data) + LD_PAYLOAD_LEN));
515 if (payload == NULL) {
516 fprintf(stdout, "malloc failed");
517 return racoon_test_failure;
518 }
519 memset(payload, 0, (2 * (sizeof(struct isakmp_pl_t) + sizeof(struct isakmp_data) + LD_PAYLOAD_LEN)));
520
521 fprintf(stdout, "\t[BEGIN] ProposalTest\n");
522
523 struct isakmp_pl_t *ik_payload = (struct isakmp_pl_t *)payload;
524 struct isakmp_data *data = (struct isakmp_data *)(ik_payload + 1);
525 struct saprop pp = {0};
526 struct saproto pr = {0};
527 struct satrns tr = {0};
528
529 ik_payload->h.len = htons(sizeof(struct isakmp_pl_t) + sizeof(struct isakmp_data) - 1);
530 if (ipsecdoi_t2satrns(ik_payload, &pp, &pr, &tr) == 0) {
531 fprintf(stdout, "\t[FAIL] ProposalTest\n");
532 return racoon_test_failure;
533 }
534
535 data->type = htons(IPSECDOI_ATTR_SA_LD_TYPE | ISAKMP_GEN_MASK);
536 data->lorv = htons(IPSECDOI_ATTR_SA_LD_TYPE_SEC);
537
538 struct isakmp_data *ld_data = data + 1;
539 ld_data->type = htons(IPSECDOI_ATTR_SA_LD);
540 ld_data->lorv = htons(LD_PAYLOAD_LEN);
541 uint32_t *ld_payload = (uint32_t *)(ld_data + 1);
542 *ld_payload = 0x1111;
543 ik_payload->h.len = htons(sizeof(struct isakmp_pl_t) + sizeof(struct isakmp_data) + sizeof(struct isakmp_data) + LD_PAYLOAD_LEN - 1);
544 if (ipsecdoi_t2satrns(ik_payload, &pp, &pr, &tr) == 0) {
545 fprintf(stdout, "\t[FAIL] ProposalTest\n");
546 return racoon_test_failure;
547 }
548
549 ik_payload->h.len = htons(sizeof(struct isakmp_pl_t) + sizeof(struct isakmp_data) + sizeof(struct isakmp_data) + LD_PAYLOAD_LEN);
550 if (ipsecdoi_t2satrns(ik_payload, &pp, &pr, &tr) < 0) {
551 fprintf(stdout, "\t[FAIL] ProposalTest\n");
552 return racoon_test_failure;
553 }
554
555 data->type = htons(IPSECDOI_ATTR_AUTH);
556 data->lorv = htons(IPSECDOI_ATTR_AUTH_HMAC_SHA1_96);
557
558 ik_payload->h.len = htons(sizeof(struct isakmp_pl_t) + sizeof(struct isakmp_data) + sizeof(struct isakmp_data));
559 if (ipsecdoi_t2satrns(ik_payload, &pp, &pr, &tr) == 0) {
560 fprintf(stdout, "\t[FAIL] ProposalTest\n");
561 return racoon_test_failure;
562 }
563
564 fprintf(stdout, "\t[PASS] ProposalTest\n");
565 return racoon_test_pass;
566 }
567
568 static int
569 racoon_test_overflow_config_reply(void)
570 {
571 void *payload = NULL;
572
573 #define DUMMY_PAYLOAD_LEN 20
574
575 payload = malloc(sizeof(struct isakmp_pl_attr) + sizeof(struct isakmp_data) + DUMMY_PAYLOAD_LEN);
576 if (payload == NULL) {
577 fprintf(stdout, "malloc failed");
578 return racoon_test_failure;
579 }
580 memset(payload, 0, sizeof(struct isakmp_pl_attr) + sizeof(struct isakmp_data) + DUMMY_PAYLOAD_LEN);
581
582 fprintf(stdout, "\t[BEGIN] ConfigReplyTest\n");
583
584 struct isakmp_pl_attr *ik_payload = (struct isakmp_pl_attr *)payload;
585 struct isakmp_data *data = (struct isakmp_data *)(ik_payload + 1);
586 phase1_handle_t iph1 = {0};
587 struct isakmp_cfg_state mode_cfg = {0};
588 iph1.mode_cfg = &mode_cfg;
589
590 ik_payload->h.len = htons(sizeof(struct isakmp_pl_attr) + sizeof(struct isakmp_data) - 1);
591 if (isakmp_cfg_reply(&iph1, ik_payload) == 0) {
592 fprintf(stdout, "\t[FAIL] ConfigReplyTest\n");
593 return racoon_test_failure;
594 }
595
596 data->type = htons(INTERNAL_IP4_SUBNET);
597 data->lorv = htons(DUMMY_PAYLOAD_LEN);
598 ik_payload->h.len = htons(sizeof(struct isakmp_pl_attr) + sizeof(struct isakmp_data));
599 if (isakmp_cfg_reply(&iph1, ik_payload) == 0) {
600 fprintf(stdout, "\t[FAIL] ConfigReplyTest\n");
601 return racoon_test_failure;
602 }
603
604 ik_payload->h.len = htons(sizeof(struct isakmp_pl_attr) + sizeof(struct isakmp_data) + DUMMY_PAYLOAD_LEN);
605 if (isakmp_cfg_reply(&iph1, ik_payload) < 0) {
606 fprintf(stdout, "\t[FAIL] ConfigReplyTest\n");
607 return racoon_test_failure;
608 }
609
610 fprintf(stdout, "\t[PASS] ConfigReplyTest\n");
611 return racoon_test_pass;
612 }
613
614 static int
615 racoon_test_overflow_config_request(void)
616 {
617 void *payload = NULL;
618
619 #define DUMMY_PAYLOAD_LEN 20
620
621 payload = malloc(sizeof(struct isakmp_pl_attr) + sizeof(struct isakmp_data) + DUMMY_PAYLOAD_LEN);
622 if (payload == NULL) {
623 fprintf(stdout, "malloc failed");
624 return racoon_test_failure;
625 }
626 memset(payload, 0, sizeof(struct isakmp_pl_attr) + sizeof(struct isakmp_data) + DUMMY_PAYLOAD_LEN);
627
628 fprintf(stdout, "\t[BEGIN] ConfigRequestTest\n");
629
630 struct isakmp_pl_attr *ik_payload = (struct isakmp_pl_attr *)payload;
631 struct isakmp_data *data = (struct isakmp_data *)(ik_payload + 1);
632 phase1_handle_t iph1 = {0};
633 struct isakmp_cfg_state mode_cfg = {0};
634 vchar_t msg = {0};
635 iph1.mode_cfg = &mode_cfg;
636
637 ik_payload->h.len = htons(sizeof(struct isakmp_pl_attr) + sizeof(struct isakmp_data) - 1);
638 if (isakmp_cfg_request(&iph1, ik_payload, &msg) == 0) {
639 fprintf(stdout, "\t[FAIL] ConfigRequestTest\n");
640 return racoon_test_failure;
641 }
642
643 data->type = htons(INTERNAL_ADDRESS_EXPIRY);
644 data->lorv = htons(DUMMY_PAYLOAD_LEN);
645 ik_payload->h.len = htons(sizeof(struct isakmp_pl_attr) + sizeof(struct isakmp_data));
646 if (isakmp_cfg_request(&iph1, ik_payload, &msg) == 0) {
647 fprintf(stdout, "\t[FAIL] ConfigRequestTest\n");
648 return racoon_test_failure;
649 }
650
651 fprintf(stdout, "\t[PASS] ConfigRequestTest\n");
652 return racoon_test_pass;
653 }
654
655 static int
656 racoon_test_overflow_config_set(void)
657 {
658 void *payload = NULL;
659
660 #define DUMMY_PAYLOAD_LEN 20
661
662 payload = malloc(sizeof(struct isakmp_pl_attr) + sizeof(struct isakmp_data) + DUMMY_PAYLOAD_LEN);
663 if (payload == NULL) {
664 fprintf(stdout, "malloc failed");
665 return racoon_test_failure;
666 }
667 memset(payload, 0, sizeof(struct isakmp_pl_attr) + sizeof(struct isakmp_data) + DUMMY_PAYLOAD_LEN);
668
669 fprintf(stdout, "\t[BEGIN] ConfigRequestSetTest\n");
670
671 struct isakmp_pl_attr *ik_payload = (struct isakmp_pl_attr *)payload;
672 struct isakmp_data *data = (struct isakmp_data *)(ik_payload + 1);
673 phase1_handle_t iph1 = {0};
674 struct isakmp_cfg_state mode_cfg = {0};
675 vchar_t msg = {0};
676 iph1.mode_cfg = &mode_cfg;
677
678 ik_payload->h.len = htons(sizeof(struct isakmp_pl_attr) + sizeof(struct isakmp_data) - 1);
679 if (isakmp_cfg_set(&iph1, ik_payload, &msg) == 0) {
680 fprintf(stdout, "\t[FAIL] ConfigRequestSetTest\n");
681 return racoon_test_failure;
682 }
683
684 data->type = htons(XAUTH_CHALLENGE);
685 data->lorv = htons(DUMMY_PAYLOAD_LEN);
686 ik_payload->h.len = htons(sizeof(struct isakmp_pl_attr) + sizeof(struct isakmp_data));
687 if (isakmp_cfg_set(&iph1, ik_payload, &msg) == 0) {
688 fprintf(stdout, "\t[FAIL] ConfigRequestSetTest\n");
689 return racoon_test_failure;
690 }
691
692 fprintf(stdout, "\t[PASS] ConfigRequestSetTest\n");
693 return racoon_test_pass;
694 }
695
696 static int
697 racoon_test_overflow_pfkey_add_sp(void)
698 {
699 void *mhp[SADB_EXT_MAX];
700
701 memset(mhp, 0, sizeof(mhp));
702
703 fprintf(stdout, "\t[BEGIN] PFKeyAddSPTest\n");
704
705 struct sadb_address saddr = {0};
706 struct sadb_address daddr = {0};
707 struct sadb_x_policy *xpl = (struct sadb_x_policy *)malloc(sizeof(*xpl) + sizeof(struct sadb_x_ipsecrequest) + 20 + 20);
708 if (xpl == NULL) {
709 fprintf(stdout, "malloc failed");
710 return racoon_test_failure;
711 }
712 memset(xpl, 0, sizeof(*xpl) + sizeof(struct sadb_x_ipsecrequest));
713
714 mhp[SADB_EXT_ADDRESS_SRC] = (void *)&saddr;
715 mhp[SADB_EXT_ADDRESS_DST] = (void *)&daddr;
716 mhp[SADB_X_EXT_POLICY] = (void *)xpl;
717
718 xpl->sadb_x_policy_len = PFKEY_UNIT64(sizeof(*xpl) - 1);
719 if (addnewsp(&mhp) == 0) {
720 fprintf(stdout, "\t[FAIL] PFKeyAddSPTest\n");
721 return racoon_test_failure;
722 }
723
724 xpl->sadb_x_policy_type = IPSEC_POLICY_IPSEC;
725 struct sadb_x_ipsecrequest *xisr = xpl + 1;
726 xisr->sadb_x_ipsecrequest_len = sizeof(*xisr) + 20;
727 xpl->sadb_x_policy_len = PFKEY_UNIT64(sizeof(*xpl) + sizeof(*xisr));
728 if (addnewsp(&mhp) == 0) {
729 fprintf(stdout, "\t[FAIL] PFKeyAddSPTest\n");
730 return racoon_test_failure;
731 }
732
733 struct sockaddr *srcaddr = (struct sockaddr *)(xisr + 1);
734 srcaddr->sa_len = 20;
735 struct sockaddr *dstaddr = ((uint8_t *)(srcaddr) + 20);
736 dstaddr->sa_len = 20;
737
738 xisr->sadb_x_ipsecrequest_proto = IPPROTO_ESP;
739 xisr->sadb_x_ipsecrequest_mode = IPSEC_MODE_TRANSPORT;
740 xisr->sadb_x_ipsecrequest_level = IPSEC_LEVEL_DEFAULT;
741
742 xisr->sadb_x_ipsecrequest_len = sizeof(*xisr) + sizeof(struct sockaddr) - 1;
743 xpl->sadb_x_policy_len = PFKEY_UNIT64(sizeof(*xpl) + xisr->sadb_x_ipsecrequest_len + 1);
744 if (addnewsp(&mhp) == 0) {
745 fprintf(stdout, "\t[FAIL] PFKeyAddSPTest\n");
746 return racoon_test_failure;
747 }
748
749 xisr->sadb_x_ipsecrequest_len = sizeof(*xisr) + srcaddr->sa_len - 1;
750 xpl->sadb_x_policy_len = PFKEY_UNIT64(sizeof(*xpl) + xisr->sadb_x_ipsecrequest_len + 8);
751 if (addnewsp(&mhp) == 0) {
752 fprintf(stdout, "\t[FAIL] PFKeyAddSPTest\n");
753 return racoon_test_failure;
754 }
755
756 xisr->sadb_x_ipsecrequest_len = sizeof(*xisr) + srcaddr->sa_len + sizeof(struct sockaddr) - 1;
757 xpl->sadb_x_policy_len = PFKEY_UNIT64(sizeof(*xpl) + xisr->sadb_x_ipsecrequest_len + 8);
758 if (addnewsp(&mhp) == 0) {
759 fprintf(stdout, "\t[FAIL] PFKeyAddSPTest\n");
760 return racoon_test_failure;
761 }
762
763 xisr->sadb_x_ipsecrequest_len = sizeof(*xisr) + srcaddr->sa_len + dstaddr->sa_len - 1;
764 xpl->sadb_x_policy_len = PFKEY_UNIT64(sizeof(*xpl) + xisr->sadb_x_ipsecrequest_len + 8);
765 if (addnewsp(&mhp) == 0) {
766 fprintf(stdout, "\t[FAIL] PFKeyAddSPTest\n");
767 return racoon_test_failure;
768 }
769
770 fprintf(stdout, "\t[PASS] PFKeyAddSPTest\n");
771 return racoon_test_pass;
772 }
773
774 static int
775 racoon_test_overflow(void)
776 {
777 fprintf(stdout, "[TEST] Racoon Overflow\n");
778
779 if (racoon_test_overflow_transform_attributes() == racoon_test_failure) {
780 return racoon_test_failure;
781 }
782
783 if (racoon_test_overflow_attribute() == racoon_test_failure) {
784 return racoon_test_failure;
785 }
786
787 if (racoon_test_overflow_ipsec_attribute() == racoon_test_failure) {
788 return racoon_test_failure;
789 }
790
791 if (racoon_test_overflow_ipcomp_attribute() == racoon_test_failure) {
792 return racoon_test_failure;
793 }
794
795 if (racoon_test_overflow_proposal() == racoon_test_failure) {
796 return racoon_test_failure;
797 }
798
799 if (racoon_test_overflow_config_reply() == racoon_test_failure) {
800 return racoon_test_failure;
801 }
802
803 if (racoon_test_overflow_config_request() == racoon_test_failure) {
804 return racoon_test_failure;
805 }
806
807 if (racoon_test_overflow_config_set() == racoon_test_failure) {
808 return racoon_test_failure;
809 }
810
811 if (racoon_test_overflow_pfkey_add_sp() == racoon_test_failure) {
812 return racoon_test_failure;
813 }
814
815 return racoon_test_pass;
816 }
817
818 static void
819 racoon_unit_test(void)
820 {
821 int result = racoon_test_pass;
822
823 if (racoon_cert_validity_test() == racoon_test_failure) {
824 result = racoon_test_failure;
825 } else if (racoon_test_overflow() == racoon_test_failure) {
826 result = racoon_test_failure;
827 }
828
829 if (result == racoon_test_pass) {
830 fprintf(stdout, "\nAll Tests Passed\n\n");
831 }
832 }
833
834 int
835 main(int argc, char *argv[])
836 {
837 int opt = 0;
838 int opt_index = 0;
839
840 plog_ne_log_enabled = 1;
841
842 if (argc < 2) {
843 print_usage(argv[0]);
844 return (0);
845 }
846
847 while ((opt = getopt_long_only(argc, argv, "", long_options, &opt_index)) != -1) {
848 switch (opt) {
849 case 'u':
850 {
851 racoon_unit_test();
852 break;
853 }
854 case 'h':
855 default:
856 {
857 print_usage(argv[0]);
858 exit(EXIT_FAILURE);
859 }
860 }
861 }
862
863 return (0);
864 }
mirror of ipsec