]> git.saurik.com Git - apple/ipsec.git/blob - ipsec-tools/racoon_test/racoon_test.c
projects / apple / ipsec.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
ipsec-332.100.1.tar.gz
[apple/ipsec.git] / ipsec-tools / racoon_test / racoon_test.c
1 //
2 // racoon_test.c
3 // ipsec
4 //
5 // Copyright (c) 2017 Apple Inc. All rights reserved.
6 //
7
8 #include "oakley.h"
9 #include "crypto_cssm.h"
10 #include "racoon_certs_data.h"
11 #include "ipsec_doi.h"
12 #include "remoteconf.h"
13 #include "plog.h"
14 #include "isakmp.h"
15 #include "oakley.h"
16 #include "proposal.h"
17 #include "isakmp_cfg.h"
18 #include "racoon_types.h"
19 #include "handler.h"
20 #include "vmbuf.h"
21 #include "vpn_control.h"
22 #include "pfkey.h"
23
24 #include <TargetConditionals.h>
25 #include <Security/SecCertificate.h>
26 #include <sysexits.h>
27 #include <getopt.h>
28 #include <net/pfkeyv2.h>
29 #include <netinet6/ipsec.h>
30
31 #define racoon_test_pass 0
32 #define racoon_test_failure 1
33
34 struct localconf *lcconf;
35
36 static struct option long_options[] =
37 {
38 {"unit_test", no_argument, 0, 'u'},
39 {"help" , no_argument, 0, 'h'}
40 };
41
42 static void
43 print_usage(char *name)
44 {
45 printf("Usage: %s\n", name);
46 printf(" -unit_test\n");
47 }
48
49 int
50 xauth_attr_reply(iph1, attr, id)
51 phase1_handle_t *iph1;
52 struct isakmp_data *attr;
53 int id;
54 {
55 __builtin_unreachable();
56 return 0;
57 }
58
59 void
60 isakmp_unity_reply(iph1, attr)
61 phase1_handle_t *iph1;
62 struct isakmp_data *attr;
63 {
64 __builtin_unreachable();
65 return;
66 }
67
68 int
69 vpncontrol_notify_phase_change(int start, u_int16_t from, phase1_handle_t *iph1, phase2_handle_t *iph2)
70 {
71 __builtin_unreachable();
72 return 0;
73 }
74
75 phase2_handle_t *
76 ike_session_newph2(unsigned int version, int type)
77 {
78 __builtin_unreachable();
79 return NULL;
80 }
81
82 int
83 ike_session_link_ph2_to_ph1 (phase1_handle_t *iph1, phase2_handle_t *iph2)
84 {
85 __builtin_unreachable();
86 return 0;
87 }
88
89 vchar_t *
90 isakmp_xauth_req(iph1, attr)
91 phase1_handle_t *iph1;
92 struct isakmp_data *attr;
93 {
94 __builtin_unreachable();
95 return NULL;
96 }
97
98 int
99 isakmp_ph2resend(iph2)
100 phase2_handle_t *iph2;
101 {
102 __builtin_unreachable();
103 return NULL;
104 }
105
106 void
107 ike_session_start_xauth_timer (phase1_handle_t *iph1)
108 {
109 __builtin_unreachable();
110 return;
111 }
112
113 int
114 isakmp_send(iph1, sbuf)
115 phase1_handle_t *iph1;
116 vchar_t *sbuf;
117 {
118 __builtin_unreachable();
119 return 0;
120 }
121
122 int
123 ike_session_unlink_phase2 (phase2_handle_t *iph2)
124 {
125 __builtin_unreachable();
126 return 0;
127 }
128
129 int
130 ike_session_add_recvdpkt(remote, local, sbuf, rbuf, non_esp, frag_flags)
131 struct sockaddr_storage *remote, *local;
132 vchar_t *sbuf, *rbuf;
133 size_t non_esp;
134 u_int32_t frag_flags;
135 {
136 __builtin_unreachable();
137 return 0;
138 }
139
140 int
141 ike_session_is_client_ph1_rekey (phase1_handle_t *iph1)
142 {
143 return 0;
144 }
145
146 int
147 vpncontrol_notify_need_authinfo(phase1_handle_t *iph1, void* attr_list, size_t attr_len)
148 {
149 __builtin_unreachable();
150 return 0;
151 }
152
153 u_int32_t
154 isakmp_newmsgid2(iph1)
155 phase1_handle_t *iph1;
156 {
157 __builtin_unreachable();
158 return 0;
159 }
160
161 void
162 fsm_set_state(int *var, int state)
163 {
164 __builtin_unreachable();
165 return;
166 }
167
168 int
169 xauth_check(iph1)
170 phase1_handle_t *iph1;
171 {
172 __builtin_unreachable();
173 return 0;
174 }
175
176 void
177 ike_session_delph2(phase2_handle_t *iph2)
178 {
179 __builtin_unreachable();
180 return;
181 }
182
183 vchar_t *
184 isakmp_unity_req(iph1, attr)
185 phase1_handle_t *iph1;
186 struct isakmp_data *attr;
187 {
188 __builtin_unreachable();
189 return NULL;
190 }
191
192 int
193 isakmp_info_send_d1(phase1_handle_t *iph1)
194 {
195 __builtin_unreachable();
196 return 0;
197 }
198
199 vchar_t *
200 isakmp_xauth_set(iph1, attr)
201 phase1_handle_t *iph1;
202 struct isakmp_data *attr;
203 {
204 __builtin_unreachable();
205 return NULL;
206 }
207
208 void
209 isakmp_ph1expire(iph1)
210 phase1_handle_t *iph1;
211 {
212 __builtin_unreachable();
213 return;
214 }
215
216 void
217 check_auto_exit(void)
218 {
219 return;
220 }
221
222 static int
223 racoon_cert_validity_test(void)
224 {
225 int result = racoon_test_pass;
226 #ifndef HAVE_OPENSSL
227 /*
228 * Below tests are applicable only for embedded
229 * because the crypto_cssm_check_x509cert_dates()
230 * does nothing on osx.
231 */
232 cert_status_t cert_status;
233
234 fprintf(stdout, "[TEST] RacoonCertValidity\n");
235
236 // For certificate info, look at past_cert.der
237 fprintf(stdout, "\t[BEGIN] ExpiredCertTest\n");
238 CFDataRef past_cert_data = CFDataCreate(kCFAllocatorDefault, past_cert_der, sizeof(past_cert_der));
239 SecCertificateRef past_cert_ref = SecCertificateCreateWithData(NULL, past_cert_data);
240 cert_status = crypto_cssm_check_x509cert_dates (past_cert_ref);
241 if (cert_status != CERT_STATUS_EXPIRED) {
242 fprintf(stdout, "\t[FAIL] ExpiredCertTest\n");
243 result = racoon_test_failure;
244 } else {
245 fprintf(stdout, "\t[PASS] ExpiredCertTest\n");
246 }
247
248 // For certificate info, look at future_cert.der
249 fprintf(stdout, "\t[BEGIN] PrematureCertTest\n");
250 CFDataRef future_cert_data = CFDataCreate(kCFAllocatorDefault, future_cert_der, sizeof(future_cert_der));
251 SecCertificateRef future_cert_ref = SecCertificateCreateWithData(NULL, future_cert_data);
252 cert_status = crypto_cssm_check_x509cert_dates (future_cert_ref);
253 if (cert_status != CERT_STATUS_PREMATURE) {
254 fprintf(stdout, "\t[FAIL] PrematureCertTest\n");
255 result = racoon_test_failure;
256 } else {
257 fprintf(stdout, "\t[PASS] PrematureCertTest\n");
258 }
259
260
261 // For certificate info, look at valid_cert.der
262 fprintf(stdout, "\t[BEGIN] ValidCertTest\n");
263 CFDataRef valid_cert_data = CFDataCreate(kCFAllocatorDefault, valid_cert_der, sizeof(valid_cert_der));
264 SecCertificateRef valid_cert_ref = SecCertificateCreateWithData(NULL, valid_cert_data);
265 cert_status = crypto_cssm_check_x509cert_dates (valid_cert_ref);
266 if (cert_status != CERT_STATUS_OK) {
267 fprintf(stdout, "\t[FAIL] ValidCertTest\n");
268 result = racoon_test_failure;
269 } else {
270 fprintf(stdout, "\t[PASS] ValidCertTest\n");
271 }
272 #endif // HAVE_OPENSSL
273 return result;
274 }
275
276 static int
277 racoon_test_overflow_transform_attributes(void)
278 {
279 #define TEST_GEN_PAYLOAD_LEN 4
280 void *payload = NULL;
281
282 // Test ISAKMP overflow
283 payload = malloc(2 * (sizeof(struct isakmp_pl_t) + sizeof(struct isakmp_data) + TEST_GEN_PAYLOAD_LEN));
284 if (payload == NULL) {
285 fprintf(stdout, "malloc failed");
286 return racoon_test_failure;
287 }
288 memset(payload, 0, (2 * (sizeof(struct isakmp_pl_t) + sizeof(struct isakmp_data) + TEST_GEN_PAYLOAD_LEN)));
289
290 fprintf(stdout, "\t[BEGIN] TransformPayloadTest\n");
291
292 struct isakmp_pl_t *trans = (struct isakmp_pl_t *)payload;
293 struct isakmp_data *data = (struct isakmp_data *)(trans + 1);
294 uint32_t *gen1 = (uint32_t *)(data + 1);
295 struct isakmpsa sa = {0};
296
297 data->type = htons(OAKLEY_ATTR_GRP_GEN_ONE);
298 data->lorv = htons(TEST_GEN_PAYLOAD_LEN);
299 *gen1 = htonl(0x11111111);
300
301 // Transform header total length shorter than data header
302 trans->h.len = htons(sizeof(struct isakmp_pl_t) + sizeof(struct isakmp_data) - 1);
303 if (t2isakmpsa(trans, &sa) == 0) {
304 fprintf(stdout, "\t[FAIL] TransformPayloadTest\n");
305 return racoon_test_failure;
306 }
307
308 // Transform header total length shorter than data header + payload without flag
309 trans->h.len = htons(sizeof(struct isakmp_pl_t) + sizeof(struct isakmp_data));
310 if (t2isakmpsa(trans, &sa) == 0) {
311 fprintf(stdout, "\t[FAIL] TransformPayloadTest\n");
312 return racoon_test_failure;
313 }
314
315 // Transform header total length equal to data header + payload without flag
316 trans->h.len = htons(sizeof(struct isakmp_pl_t) + sizeof(struct isakmp_data) + TEST_GEN_PAYLOAD_LEN);
317 if (t2isakmpsa(trans, &sa) < 0) {
318 fprintf(stdout, "\t[FAIL] TransformPayloadTest\n");
319 return racoon_test_failure;
320 }
321
322 // Transform header total length shorter than data header + payload with flag set
323 trans->h.len = htons(sizeof(struct isakmp_pl_t) + sizeof(struct isakmp_data));
324 data->type = htons(OAKLEY_ATTR_GRP_GEN_ONE | ISAKMP_GEN_MASK);
325 if (t2isakmpsa(trans, &sa) == 0) {
326 fprintf(stdout, "\t[FAIL] TransformPayloadTest\n");
327 return racoon_test_failure;
328 }
329
330 // Transform header total length shorter than data header + payload with flag set for Gen 2
331 trans->h.len = htons(sizeof(struct isakmp_pl_t) + sizeof(struct isakmp_data));
332 data->type = htons(OAKLEY_ATTR_GRP_GEN_TWO | ISAKMP_GEN_MASK);
333 if (t2isakmpsa(trans, &sa) == 0) {
334 fprintf(stdout, "\t[FAIL] TransformPayloadTest\n");
335 return racoon_test_failure;
336 }
337
338 // Transform header total length shorter than data header + payload with flag set for Encryption
339 trans->h.len = htons(sizeof(struct isakmp_pl_t) + sizeof(struct isakmp_data) );
340 data->type = htons(OAKLEY_ATTR_ENC_ALG);
341 if (t2isakmpsa(trans, &sa) == 0) {
342 fprintf(stdout, "\t[FAIL] TransformPayloadTest\n");
343 return racoon_test_failure;
344 }
345
346 // Transform header total length equal to data header + payload with flag set for Encryption
347 trans->h.len = htons(sizeof(struct isakmp_pl_t) + sizeof(struct isakmp_data));
348 data->type = htons(OAKLEY_ATTR_ENC_ALG | ISAKMP_GEN_MASK);
349 if (t2isakmpsa(trans, &sa) < 0) {
350 fprintf(stdout, "\t[FAIL] TransformPayloadTest\n");
351 return racoon_test_failure;
352 }
353
354 // Transform header total length shorter than 2 * data header + payload with flag set for Encryption
355 trans->h.len = htons(sizeof(struct isakmp_pl_t) + sizeof(struct isakmp_data) + sizeof(struct isakmp_data) - 1);
356 data->type = htons(OAKLEY_ATTR_ENC_ALG | ISAKMP_GEN_MASK);
357 if (t2isakmpsa(trans, &sa) == 0) {
358 fprintf(stdout, "\t[FAIL] TransformPayloadTest\n");
359 return racoon_test_failure;
360 }
361
362 fprintf(stdout, "\t[PASS] TransformPayloadTest\n");
363 return racoon_test_pass;
364 }
365
366 static int
367 racoon_test_overflow_attribute(void)
368 {
369 void *payload = NULL;
370
371 #define TEST_GEN_PAYLOAD_LEN 4
372
373 payload = malloc(sizeof(struct isakmp_pl_t) + sizeof(struct isakmp_data));
374 if (payload == NULL) {
375 fprintf(stdout, "malloc failed");
376 return racoon_test_failure;
377 }
378 memset(payload, 0, sizeof(struct isakmp_pl_t) + sizeof(struct isakmp_data));
379
380 fprintf(stdout, "\t[BEGIN] AttributeTest\n");
381
382 struct isakmp_pl_t *trans = (struct isakmp_pl_t *)payload;
383 struct isakmp_data *data = (struct isakmp_data *)(trans + 1);
384
385 data->type = htons(OAKLEY_ATTR_GRP_GEN_ONE);
386 data->lorv = htons(TEST_GEN_PAYLOAD_LEN);
387
388 trans->h.len = htons(sizeof(struct isakmp_pl_t) + sizeof(struct isakmp_data) - 1);
389 if (check_attr_isakmp(trans) == 0) {
390 fprintf(stdout, "\t[FAIL] AttributeTest\n");
391 return racoon_test_failure;
392 }
393
394 trans->h.len = htons(sizeof(struct isakmp_pl_t) + sizeof(struct isakmp_data) + TEST_GEN_PAYLOAD_LEN - 1);
395 if (check_attr_isakmp(trans) == 0) {
396 fprintf(stdout, "\t[FAIL] AttributeTest\n");
397 return racoon_test_failure;
398 }
399
400 trans->h.len = htons(sizeof(struct isakmp_pl_t) + sizeof(struct isakmp_data) + TEST_GEN_PAYLOAD_LEN);
401 if (check_attr_isakmp(trans) < 0) {
402 fprintf(stdout, "\t[FAIL] AttributeTest\n");
403 return racoon_test_failure;
404 }
405
406 fprintf(stdout, "\t[PASS] AttributeTest\n");
407 return racoon_test_pass;
408 }
409
410 static int
411 racoon_test_overflow_ipsec_attribute(void)
412 {
413 void *payload = NULL;
414 #define LA_PAYLOAD_LEN 4
415
416 payload = malloc(2 * (sizeof(struct isakmp_pl_t) + sizeof(struct isakmp_data) + LA_PAYLOAD_LEN));
417 if (payload == NULL) {
418 fprintf(stdout, "malloc failed");
419 return racoon_test_failure;
420 }
421 memset(payload, 0, (2 * (sizeof(struct isakmp_pl_t) + sizeof(struct isakmp_data) + LA_PAYLOAD_LEN)));
422
423 fprintf(stdout, "\t[BEGIN] AttributeIPsecTest\n");
424
425 struct isakmp_pl_t *trans = (struct isakmp_pl_t *)payload;
426 struct isakmp_data *data = (struct isakmp_data *)(trans + 1);
427
428 data->type = htons(IPSECDOI_ATTR_SA_LD);
429 data->lorv = htons(LA_PAYLOAD_LEN);
430
431 trans->h.len = htons(sizeof(struct isakmp_pl_t) + sizeof(struct isakmp_data) - 1);
432 if (check_attr_ipsec(IPSECDOI_PROTO_IPSEC_AH, trans) == 0) {
433 fprintf(stdout, "\t[FAIL] AttributeIPsecTest\n");
434 return racoon_test_failure;
435 }
436
437 trans->h.len = htons(sizeof(struct isakmp_pl_t) + sizeof(struct isakmp_data) + LA_PAYLOAD_LEN - 1);
438 if (check_attr_ipsec(IPSECDOI_PROTO_IPSEC_AH, trans) == 0) {
439 fprintf(stdout, "\t[FAIL] AttributeIPsecTest\n");
440 return racoon_test_failure;
441 }
442
443 trans->h.len = htons(sizeof(struct isakmp_pl_t) + sizeof(struct isakmp_data) + LA_PAYLOAD_LEN + sizeof(struct isakmp_data));
444 struct isakmp_data *auth_data = (struct isakmp_data *)((uint8_t *)data + sizeof(struct isakmp_data) + LA_PAYLOAD_LEN);
445 auth_data->type = htons(IPSECDOI_ATTR_AUTH | ISAKMP_GEN_MASK);
446 auth_data->lorv = htons(IPSECDOI_ATTR_AUTH_HMAC_MD5);
447 trans->t_id = IPSECDOI_AH_MD5;
448 if (check_attr_ipsec(IPSECDOI_PROTO_IPSEC_AH, trans) < 0) {
449 fprintf(stdout, "\t[FAIL] AttributeIPsecTest\n");
450 return racoon_test_failure;
451 }
452
453 fprintf(stdout, "\t[PASS] AttributeIPsecTest\n");
454 return racoon_test_pass;
455 }
456
457 static int
458 racoon_test_overflow_ipcomp_attribute(void)
459 {
460 void *payload = NULL;
461 #define LA_PAYLOAD_LEN 4
462
463 payload = malloc(sizeof(struct isakmp_pl_t) + sizeof(struct isakmp_data));
464 if (payload == NULL) {
465 fprintf(stdout, "malloc failed");
466 return racoon_test_failure;
467 }
468 memset(payload, 0, sizeof(struct isakmp_pl_t) + sizeof(struct isakmp_data));
469
470 fprintf(stdout, "\t[BEGIN] AttributeIPCOMPTest\n");
471
472 struct isakmp_pl_t *trans = (struct isakmp_pl_t *)payload;
473 struct isakmp_data *data = (struct isakmp_data *)(trans + 1);
474
475 data->type = htons(IPSECDOI_ATTR_SA_LD);
476 data->lorv = htons(LA_PAYLOAD_LEN);
477
478 trans->h.len = htons(sizeof(struct isakmp_pl_t) + sizeof(struct isakmp_data) - 1);
479 if (check_attr_ipcomp(trans) == 0) {
480 fprintf(stdout, "\t[FAIL] AttributeIPCOMPTest\n");
481 return racoon_test_failure;
482 }
483
484 trans->h.len = htons(sizeof(struct isakmp_pl_t) + sizeof(struct isakmp_data) + LA_PAYLOAD_LEN - 1);
485 if (check_attr_ipcomp(trans) == 0) {
486 fprintf(stdout, "\t[FAIL] AttributeIPCOMPTest\n");
487 return racoon_test_failure;
488 }
489
490 trans->h.len = htons(sizeof(struct isakmp_pl_t) + sizeof(struct isakmp_data) + LA_PAYLOAD_LEN);
491 if (check_attr_ipcomp(trans) < 0) {
492 fprintf(stdout, "\t[FAIL] AttributeIPCOMPTest\n");
493 return racoon_test_failure;
494 }
495
496 fprintf(stdout, "\t[PASS] AttributeIPCOMPTest\n");
497 return racoon_test_pass;
498 }
499
500 static int
501 racoon_test_overflow_proposal(void)
502 {
503 void *payload = NULL;
504
505 #define LD_PAYLOAD_LEN 4
506
507 payload = malloc(2 * (sizeof(struct isakmp_pl_t) + sizeof(struct isakmp_data) + LD_PAYLOAD_LEN));
508 if (payload == NULL) {
509 fprintf(stdout, "malloc failed");
510 return racoon_test_failure;
511 }
512 memset(payload, 0, (2 * (sizeof(struct isakmp_pl_t) + sizeof(struct isakmp_data) + LD_PAYLOAD_LEN)));
513
514 fprintf(stdout, "\t[BEGIN] ProposalTest\n");
515
516 struct isakmp_pl_t *ik_payload = (struct isakmp_pl_t *)payload;
517 struct isakmp_data *data = (struct isakmp_data *)(ik_payload + 1);
518 struct saprop pp = {0};
519 struct saproto pr = {0};
520 struct satrns tr = {0};
521
522 ik_payload->h.len = htons(sizeof(struct isakmp_pl_t) + sizeof(struct isakmp_data) - 1);
523 if (ipsecdoi_t2satrns(ik_payload, &pp, &pr, &tr) == 0) {
524 fprintf(stdout, "\t[FAIL] ProposalTest\n");
525 return racoon_test_failure;
526 }
527
528 data->type = htons(IPSECDOI_ATTR_SA_LD_TYPE | ISAKMP_GEN_MASK);
529 data->lorv = htons(IPSECDOI_ATTR_SA_LD_TYPE_SEC);
530
531 struct isakmp_data *ld_data = data + 1;
532 ld_data->type = htons(IPSECDOI_ATTR_SA_LD);
533 ld_data->lorv = htons(LD_PAYLOAD_LEN);
534 uint32_t *ld_payload = (uint32_t *)(ld_data + 1);
535 *ld_payload = 0x1111;
536 ik_payload->h.len = htons(sizeof(struct isakmp_pl_t) + sizeof(struct isakmp_data) + sizeof(struct isakmp_data) + LD_PAYLOAD_LEN - 1);
537 if (ipsecdoi_t2satrns(ik_payload, &pp, &pr, &tr) == 0) {
538 fprintf(stdout, "\t[FAIL] ProposalTest\n");
539 return racoon_test_failure;
540 }
541
542 ik_payload->h.len = htons(sizeof(struct isakmp_pl_t) + sizeof(struct isakmp_data) + sizeof(struct isakmp_data) + LD_PAYLOAD_LEN);
543 if (ipsecdoi_t2satrns(ik_payload, &pp, &pr, &tr) < 0) {
544 fprintf(stdout, "\t[FAIL] ProposalTest\n");
545 return racoon_test_failure;
546 }
547
548 data->type = htons(IPSECDOI_ATTR_AUTH);
549 data->lorv = htons(IPSECDOI_ATTR_AUTH_HMAC_SHA1_96);
550
551 ik_payload->h.len = htons(sizeof(struct isakmp_pl_t) + sizeof(struct isakmp_data) + sizeof(struct isakmp_data));
552 if (ipsecdoi_t2satrns(ik_payload, &pp, &pr, &tr) == 0) {
553 fprintf(stdout, "\t[FAIL] ProposalTest\n");
554 return racoon_test_failure;
555 }
556
557 fprintf(stdout, "\t[PASS] ProposalTest\n");
558 return racoon_test_pass;
559 }
560
561 static int
562 racoon_test_overflow_config_reply(void)
563 {
564 void *payload = NULL;
565
566 #define DUMMY_PAYLOAD_LEN 20
567
568 payload = malloc(sizeof(struct isakmp_pl_attr) + sizeof(struct isakmp_data) + DUMMY_PAYLOAD_LEN);
569 if (payload == NULL) {
570 fprintf(stdout, "malloc failed");
571 return racoon_test_failure;
572 }
573 memset(payload, 0, sizeof(struct isakmp_pl_attr) + sizeof(struct isakmp_data) + DUMMY_PAYLOAD_LEN);
574
575 fprintf(stdout, "\t[BEGIN] ConfigReplyTest\n");
576
577 struct isakmp_pl_attr *ik_payload = (struct isakmp_pl_attr *)payload;
578 struct isakmp_data *data = (struct isakmp_data *)(ik_payload + 1);
579 phase1_handle_t iph1 = {0};
580 struct isakmp_cfg_state mode_cfg = {0};
581 iph1.mode_cfg = &mode_cfg;
582
583 ik_payload->h.len = htons(sizeof(struct isakmp_pl_attr) + sizeof(struct isakmp_data) - 1);
584 if (isakmp_cfg_reply(&iph1, ik_payload) == 0) {
585 fprintf(stdout, "\t[FAIL] ConfigReplyTest\n");
586 return racoon_test_failure;
587 }
588
589 data->type = htons(INTERNAL_IP4_SUBNET);
590 data->lorv = htons(DUMMY_PAYLOAD_LEN);
591 ik_payload->h.len = htons(sizeof(struct isakmp_pl_attr) + sizeof(struct isakmp_data));
592 if (isakmp_cfg_reply(&iph1, ik_payload) == 0) {
593 fprintf(stdout, "\t[FAIL] ConfigReplyTest\n");
594 return racoon_test_failure;
595 }
596
597 ik_payload->h.len = htons(sizeof(struct isakmp_pl_attr) + sizeof(struct isakmp_data) + DUMMY_PAYLOAD_LEN);
598 if (isakmp_cfg_reply(&iph1, ik_payload) < 0) {
599 fprintf(stdout, "\t[FAIL] ConfigReplyTest\n");
600 return racoon_test_failure;
601 }
602
603 fprintf(stdout, "\t[PASS] ConfigReplyTest\n");
604 return racoon_test_pass;
605 }
606
607 static int
608 racoon_test_overflow_config_request(void)
609 {
610 void *payload = NULL;
611
612 #define DUMMY_PAYLOAD_LEN 20
613
614 payload = malloc(sizeof(struct isakmp_pl_attr) + sizeof(struct isakmp_data) + DUMMY_PAYLOAD_LEN);
615 if (payload == NULL) {
616 fprintf(stdout, "malloc failed");
617 return racoon_test_failure;
618 }
619 memset(payload, 0, sizeof(struct isakmp_pl_attr) + sizeof(struct isakmp_data) + DUMMY_PAYLOAD_LEN);
620
621 fprintf(stdout, "\t[BEGIN] ConfigRequestTest\n");
622
623 struct isakmp_pl_attr *ik_payload = (struct isakmp_pl_attr *)payload;
624 struct isakmp_data *data = (struct isakmp_data *)(ik_payload + 1);
625 phase1_handle_t iph1 = {0};
626 struct isakmp_cfg_state mode_cfg = {0};
627 vchar_t msg = {0};
628 iph1.mode_cfg = &mode_cfg;
629
630 ik_payload->h.len = htons(sizeof(struct isakmp_pl_attr) + sizeof(struct isakmp_data) - 1);
631 if (isakmp_cfg_request(&iph1, ik_payload, &msg) == 0) {
632 fprintf(stdout, "\t[FAIL] ConfigRequestTest\n");
633 return racoon_test_failure;
634 }
635
636 data->type = htons(INTERNAL_ADDRESS_EXPIRY);
637 data->lorv = htons(DUMMY_PAYLOAD_LEN);
638 ik_payload->h.len = htons(sizeof(struct isakmp_pl_attr) + sizeof(struct isakmp_data));
639 if (isakmp_cfg_request(&iph1, ik_payload, &msg) == 0) {
640 fprintf(stdout, "\t[FAIL] ConfigRequestTest\n");
641 return racoon_test_failure;
642 }
643
644 fprintf(stdout, "\t[PASS] ConfigRequestTest\n");
645 return racoon_test_pass;
646 }
647
648 static int
649 racoon_test_overflow_config_set(void)
650 {
651 void *payload = NULL;
652
653 #define DUMMY_PAYLOAD_LEN 20
654
655 payload = malloc(sizeof(struct isakmp_pl_attr) + sizeof(struct isakmp_data) + DUMMY_PAYLOAD_LEN);
656 if (payload == NULL) {
657 fprintf(stdout, "malloc failed");
658 return racoon_test_failure;
659 }
660 memset(payload, 0, sizeof(struct isakmp_pl_attr) + sizeof(struct isakmp_data) + DUMMY_PAYLOAD_LEN);
661
662 fprintf(stdout, "\t[BEGIN] ConfigRequestSetTest\n");
663
664 struct isakmp_pl_attr *ik_payload = (struct isakmp_pl_attr *)payload;
665 struct isakmp_data *data = (struct isakmp_data *)(ik_payload + 1);
666 phase1_handle_t iph1 = {0};
667 struct isakmp_cfg_state mode_cfg = {0};
668 vchar_t msg = {0};
669 iph1.mode_cfg = &mode_cfg;
670
671 ik_payload->h.len = htons(sizeof(struct isakmp_pl_attr) + sizeof(struct isakmp_data) - 1);
672 if (isakmp_cfg_set(&iph1, ik_payload, &msg) == 0) {
673 fprintf(stdout, "\t[FAIL] ConfigRequestSetTest\n");
674 return racoon_test_failure;
675 }
676
677 data->type = htons(XAUTH_CHALLENGE);
678 data->lorv = htons(DUMMY_PAYLOAD_LEN);
679 ik_payload->h.len = htons(sizeof(struct isakmp_pl_attr) + sizeof(struct isakmp_data));
680 if (isakmp_cfg_set(&iph1, ik_payload, &msg) == 0) {
681 fprintf(stdout, "\t[FAIL] ConfigRequestSetTest\n");
682 return racoon_test_failure;
683 }
684
685 fprintf(stdout, "\t[PASS] ConfigRequestSetTest\n");
686 return racoon_test_pass;
687 }
688
689 static int
690 racoon_test_overflow_pfkey_add_sp(void)
691 {
692 void *mhp[SADB_EXT_MAX];
693
694 memset(mhp, 0, sizeof(mhp));
695
696 fprintf(stdout, "\t[BEGIN] PFKeyAddSPTest\n");
697
698 struct sadb_address saddr = {0};
699 struct sadb_address daddr = {0};
700 struct sadb_x_policy *xpl = (struct sadb_x_policy *)malloc(sizeof(*xpl) + sizeof(struct sadb_x_ipsecrequest) + 20 + 20);
701 if (xpl == NULL) {
702 fprintf(stdout, "malloc failed");
703 return racoon_test_failure;
704 }
705 memset(xpl, 0, sizeof(*xpl) + sizeof(struct sadb_x_ipsecrequest));
706
707 mhp[SADB_EXT_ADDRESS_SRC] = (void *)&saddr;
708 mhp[SADB_EXT_ADDRESS_DST] = (void *)&daddr;
709 mhp[SADB_X_EXT_POLICY] = (void *)xpl;
710
711 xpl->sadb_x_policy_len = PFKEY_UNIT64(sizeof(*xpl) - 1);
712 if (addnewsp(&mhp) == 0) {
713 fprintf(stdout, "\t[FAIL] PFKeyAddSPTest\n");
714 return racoon_test_failure;
715 }
716
717 xpl->sadb_x_policy_type = IPSEC_POLICY_IPSEC;
718 struct sadb_x_ipsecrequest *xisr = xpl + 1;
719 xisr->sadb_x_ipsecrequest_len = sizeof(*xisr) + 20;
720 xpl->sadb_x_policy_len = PFKEY_UNIT64(sizeof(*xpl) + sizeof(*xisr));
721 if (addnewsp(&mhp) == 0) {
722 fprintf(stdout, "\t[FAIL] PFKeyAddSPTest\n");
723 return racoon_test_failure;
724 }
725
726 struct sockaddr *srcaddr = (struct sockaddr *)(xisr + 1);
727 srcaddr->sa_len = 20;
728 struct sockaddr *dstaddr = ((uint8_t *)(srcaddr) + 20);
729 dstaddr->sa_len = 20;
730
731 xisr->sadb_x_ipsecrequest_proto = IPPROTO_ESP;
732 xisr->sadb_x_ipsecrequest_mode = IPSEC_MODE_TRANSPORT;
733 xisr->sadb_x_ipsecrequest_level = IPSEC_LEVEL_DEFAULT;
734
735 xisr->sadb_x_ipsecrequest_len = sizeof(*xisr) + sizeof(struct sockaddr) - 1;
736 xpl->sadb_x_policy_len = PFKEY_UNIT64(sizeof(*xpl) + xisr->sadb_x_ipsecrequest_len + 1);
737 if (addnewsp(&mhp) == 0) {
738 fprintf(stdout, "\t[FAIL] PFKeyAddSPTest\n");
739 return racoon_test_failure;
740 }
741
742 xisr->sadb_x_ipsecrequest_len = sizeof(*xisr) + srcaddr->sa_len - 1;
743 xpl->sadb_x_policy_len = PFKEY_UNIT64(sizeof(*xpl) + xisr->sadb_x_ipsecrequest_len + 8);
744 if (addnewsp(&mhp) == 0) {
745 fprintf(stdout, "\t[FAIL] PFKeyAddSPTest\n");
746 return racoon_test_failure;
747 }
748
749 xisr->sadb_x_ipsecrequest_len = sizeof(*xisr) + srcaddr->sa_len + sizeof(struct sockaddr) - 1;
750 xpl->sadb_x_policy_len = PFKEY_UNIT64(sizeof(*xpl) + xisr->sadb_x_ipsecrequest_len + 8);
751 if (addnewsp(&mhp) == 0) {
752 fprintf(stdout, "\t[FAIL] PFKeyAddSPTest\n");
753 return racoon_test_failure;
754 }
755
756 xisr->sadb_x_ipsecrequest_len = sizeof(*xisr) + srcaddr->sa_len + dstaddr->sa_len - 1;
757 xpl->sadb_x_policy_len = PFKEY_UNIT64(sizeof(*xpl) + xisr->sadb_x_ipsecrequest_len + 8);
758 if (addnewsp(&mhp) == 0) {
759 fprintf(stdout, "\t[FAIL] PFKeyAddSPTest\n");
760 return racoon_test_failure;
761 }
762
763 fprintf(stdout, "\t[PASS] PFKeyAddSPTest\n");
764 return racoon_test_pass;
765 }
766
767 static int
768 racoon_test_overflow(void)
769 {
770 fprintf(stdout, "[TEST] Racoon Overflow\n");
771
772 if (racoon_test_overflow_transform_attributes() == racoon_test_failure) {
773 return racoon_test_failure;
774 }
775
776 if (racoon_test_overflow_attribute() == racoon_test_failure) {
777 return racoon_test_failure;
778 }
779
780 if (racoon_test_overflow_ipsec_attribute() == racoon_test_failure) {
781 return racoon_test_failure;
782 }
783
784 if (racoon_test_overflow_ipcomp_attribute() == racoon_test_failure) {
785 return racoon_test_failure;
786 }
787
788 if (racoon_test_overflow_proposal() == racoon_test_failure) {
789 return racoon_test_failure;
790 }
791
792 if (racoon_test_overflow_config_reply() == racoon_test_failure) {
793 return racoon_test_failure;
794 }
795
796 if (racoon_test_overflow_config_request() == racoon_test_failure) {
797 return racoon_test_failure;
798 }
799
800 if (racoon_test_overflow_config_set() == racoon_test_failure) {
801 return racoon_test_failure;
802 }
803
804 if (racoon_test_overflow_pfkey_add_sp() == racoon_test_failure) {
805 return racoon_test_failure;
806 }
807
808 return racoon_test_pass;
809 }
810
811 static void
812 racoon_unit_test(void)
813 {
814 int result = racoon_test_pass;
815
816 if (racoon_cert_validity_test() == racoon_test_failure) {
817 result = racoon_test_failure;
818 } else if (racoon_test_overflow() == racoon_test_failure) {
819 result = racoon_test_failure;
820 }
821
822 if (result == racoon_test_pass) {
823 fprintf(stdout, "\nAll Tests Passed\n\n");
824 }
825 }
826
827 int
828 main(int argc, char *argv[])
829 {
830 int opt = 0;
831 int opt_index = 0;
832
833 plog_ne_log_enabled = 1;
834
835 if (argc < 2) {
836 print_usage(argv[0]);
837 return (0);
838 }
839
840 while ((opt = getopt_long_only(argc, argv, "", long_options, &opt_index)) != -1) {
841 switch (opt) {
842 case 'u':
843 {
844 racoon_unit_test();
845 break;
846 }
847 case 'h':
848 default:
849 {
850 print_usage(argv[0]);
851 exit(EXIT_FAILURE);
852 }
853 }
854 }
855
856 return (0);
857 }
mirror of ipsec