From 674a30cecc483b9b8740e4571080bc9c8ddb6545 Mon Sep 17 00:00:00 2001 From: Apple Date: Wed, 3 Jun 2020 04:20:44 +0000 Subject: [PATCH] ipsec-326.120.2.tar.gz --- ipsec-tools/racoon/ipsec_doi.c | 129 ++++- ipsec-tools/racoon/ipsec_doi.h | 4 + ipsec-tools/racoon/isakmp_cfg.c | 42 +- ipsec-tools/racoon/oakley.c | 7 +- ipsec-tools/racoon/pfkey.h | 2 + ipsec-tools/racoon/pfkey_racoon.c | 40 +- ipsec-tools/racoon_test/racoon_test.c | 753 +++++++++++++++++++++++++- ipsec.xcodeproj/project.pbxproj | 19 + 8 files changed, 956 insertions(+), 40 deletions(-) diff --git a/ipsec-tools/racoon/ipsec_doi.c b/ipsec-tools/racoon/ipsec_doi.c index 87a3088..5b6934d 100644 --- a/ipsec-tools/racoon/ipsec_doi.c +++ b/ipsec-tools/racoon/ipsec_doi.c @@ -96,7 +96,6 @@ int verbose_proposal_check = 1; static vchar_t *get_ph1approval (phase1_handle_t *, struct prop_pair **); void print_ph1mismatched (struct prop_pair *, struct isakmpsa *); -static int t2isakmpsa (struct isakmp_pl_t *, struct isakmpsa *); static int cmp_aproppair_i (struct prop_pair *, struct prop_pair *); static struct prop_pair *get_ph2approval (phase2_handle_t *, struct prop_pair **); @@ -133,11 +132,8 @@ static int (*check_transform[]) (int) = { check_trns_ipcomp, /* IPSECDOI_PROTO_IPCOMP */ }; -static int check_attr_isakmp (struct isakmp_pl_t *); static int check_attr_ah (struct isakmp_pl_t *); static int check_attr_esp (struct isakmp_pl_t *); -static int check_attr_ipsec (int, struct isakmp_pl_t *); -static int check_attr_ipcomp (struct isakmp_pl_t *); static int (*check_attributes[]) (struct isakmp_pl_t *) = { 0, check_attr_isakmp, /* IPSECDOI_PROTO_ISAKMP */ @@ -533,7 +529,7 @@ print_ph1mismatched(p, proposal) /* * get ISAKMP data attributes */ -static int +int t2isakmpsa(trns, sa) struct isakmp_pl_t *trns; struct isakmpsa *sa; @@ -560,6 +556,12 @@ t2isakmpsa(trns, sa) goto err; while (tlen > 0) { + if (tlen < sizeof(struct isakmp_data)) { + plog(ASL_LEVEL_ERR, + "t2isakmpsa invalid length of isakmp data, expected %zu actual %d\n", + sizeof(struct isakmp_data), tlen); + goto err; + } type = ntohs(d->type) & ~ISAKMP_GEN_MASK; flag = ntohs(d->type) & ISAKMP_GEN_MASK; @@ -583,10 +585,10 @@ t2isakmpsa(trns, sa) p = (u_char *)&d->lorv; } else { /*TLV*/ len = ntohs(d->lorv); - if (len > tlen) { - plog(ASL_LEVEL_ERR, - "invalid ISAKMP-SA attr, attr-len %d, overall-len %d\n", - len, tlen); + if ((len + sizeof(struct isakmp_data)) > tlen) { + plog(ASL_LEVEL_ERR, + "invalid ISAKMP-SA attr(%d), attr-len %d, overall-len %lu\n", + type, len, (tlen - sizeof(struct isakmp_data))); return -1; } p = (u_char *)(d + 1); @@ -640,6 +642,14 @@ t2isakmpsa(trns, sa) sa->dhgrp->gen1 = 0; if (len > 4) return -1; + + if ((len + sizeof(struct isakmp_data)) > tlen) { + plog(ASL_LEVEL_ERR, + "invalid ISAKMP-SA attr - OAKLEY_ATTR_GRP_GEN_ONE, attr-len %d, overall-len %lu\n", + len, (tlen - sizeof(struct isakmp_data))); + return -1; + } + memcpy(&sa->dhgrp->gen1, d + 1, len); sa->dhgrp->gen1 = ntohl(sa->dhgrp->gen1); } @@ -654,6 +664,14 @@ t2isakmpsa(trns, sa) sa->dhgrp->gen2 = 0; if (len > 4) return -1; + + if ((len + sizeof(struct isakmp_data)) > tlen) { + plog(ASL_LEVEL_ERR, + "invalid ISAKMP-SA attr - OAKLEY_ATTR_GRP_GEN_TWO, attr-len %d, overall-len %lu\n", + len, (tlen - sizeof(struct isakmp_data))); + return -1; + } + memcpy(&sa->dhgrp->gen2, d + 1, len); sa->dhgrp->gen2 = ntohl(sa->dhgrp->gen2); } @@ -749,6 +767,13 @@ t2isakmpsa(trns, sa) d = (struct isakmp_data *)((char *)d + sizeof(*d)); } else { tlen -= (sizeof(*d) + ntohs(d->lorv)); + if (tlen < 0) { + plog(ASL_LEVEL_ERR, + "t2isakmpsa: packet too short - attr length %u for type %d\n", + ntohs(d->lorv), type); + return -1; + } + d = (struct isakmp_data *)((char *)d + sizeof(*d) + ntohs(d->lorv)); } } @@ -1250,6 +1275,14 @@ get_proppair(sa, mode) goto bad; } + if (pa->len < sizeof(struct isakmp_pl_p)) { + plog(ASL_LEVEL_ERR, + "get_proppair invalid length of proposal, expected %lu actual %d\n", + sizeof(struct isakmp_pl_p), pa->len); + vfree(pbuf); + goto bad; + } + prop = (struct isakmp_pl_p *)pa->ptr; proplen = pa->len; @@ -1277,6 +1310,14 @@ get_proppair(sa, mode) if (check_spi_size(prop->proto_id, prop->spi_size) < 0) continue; + if (pa->len < (sizeof(struct isakmp_pl_p) + prop->spi_size)) { + plog(ASL_LEVEL_ERR, + "get_proppair invalid length of proposal spi size, expected %u actual %zu\n", + prop->spi_size, (pa->len - sizeof(struct isakmp_pl_p))); + vfree(pbuf); + goto bad; + } + /* get transform */ if (get_transform(prop, pair, &num_p) < 0) { vfree(pbuf); @@ -1395,6 +1436,13 @@ get_transform(prop, pair, num_p) break; } + if (pa->len < sizeof(struct isakmp_pl_t)) { + plog(ASL_LEVEL_ERR, + "get_transform invalid length of transform, expected %lu actual %d\n", + sizeof(struct isakmp_pl_t), pa->len); + break; + } + trns = (struct isakmp_pl_t *)pa->ptr; trnslen = pa->len; @@ -1962,7 +2010,7 @@ check_trns_ipcomp(t_id) /* * check data attributes in IKE. */ -static int +int check_attr_isakmp(trns) struct isakmp_pl_t *trns; { @@ -1975,6 +2023,13 @@ check_attr_isakmp(trns) d = (struct isakmp_data *)((caddr_t)trns + sizeof(struct isakmp_pl_t)); while (tlen > 0) { + if (tlen < sizeof(struct isakmp_data)) { + plog(ASL_LEVEL_ERR, + "check_attr_isakmp invalid length of isakmp data, expected %zu actual %d\n", + sizeof(struct isakmp_data), tlen); + return -1; + } + type = ntohs(d->type) & ~ISAKMP_GEN_MASK; flag = ntohs(d->type) & ISAKMP_GEN_MASK; lorv = ntohs(d->lorv); @@ -2153,6 +2208,12 @@ check_attr_isakmp(trns) tlen -= (sizeof(*d) + lorv); d = (struct isakmp_data *)((char *)d + sizeof(*d) + lorv); + if (tlen < 0) { + plog(ASL_LEVEL_ERR, + "check_attr_isakmp: packet too short - attr length %u for type %d\n", + lorv, type); + return -1; + } } } @@ -2176,7 +2237,7 @@ check_attr_esp(trns) return check_attr_ipsec(IPSECDOI_PROTO_IPSEC_ESP, trns); } -static int +int check_attr_ipsec(proto_id, trns) int proto_id; struct isakmp_pl_t *trns; @@ -2192,6 +2253,13 @@ check_attr_ipsec(proto_id, trns) memset(attrseen, 0, sizeof(attrseen)); while (tlen > 0) { + if (tlen < sizeof(struct isakmp_data)) { + plog(ASL_LEVEL_ERR, + "check_attr_ipsec invalid length of isakmp data, expected %zu actual %d\n", + sizeof(struct isakmp_data), tlen); + return -1; + } + type = ntohs(d->type) & ~ISAKMP_GEN_MASK; flag = ntohs(d->type) & ISAKMP_GEN_MASK; lorv = ntohs(d->lorv); @@ -2367,6 +2435,12 @@ ahmismatch: tlen -= (sizeof(*d) + lorv); d = (struct isakmp_data *)((caddr_t)d + sizeof(*d) + lorv); + if (tlen < 0) { + plog(ASL_LEVEL_ERR, + "check_attr_ipsec: packet too short - attr length %u for type %d\n", + lorv, type); + return -1; + } } } @@ -2388,7 +2462,7 @@ ahmismatch: return 0; } -static int +int check_attr_ipcomp(trns) struct isakmp_pl_t *trns; { @@ -2403,6 +2477,13 @@ check_attr_ipcomp(trns) memset(attrseen, 0, sizeof(attrseen)); while (tlen > 0) { + if (tlen < sizeof(struct isakmp_data)) { + plog(ASL_LEVEL_ERR, + "check_attr_ipcomp: invalid length of isakmp data, expected %zu actual %d\n", + sizeof(struct isakmp_data), tlen); + return -1; + } + type = ntohs(d->type) & ~ISAKMP_GEN_MASK; flag = ntohs(d->type) & ISAKMP_GEN_MASK; lorv = ntohs(d->lorv); @@ -2518,6 +2599,12 @@ check_attr_ipcomp(trns) tlen -= (sizeof(*d) + lorv); d = (struct isakmp_data *)((caddr_t)d + sizeof(*d) + lorv); + if (tlen < 0) { + plog(ASL_LEVEL_ERR, + "check_attr_ipcomp: packet too short - attr length %u for type %d\n", + lorv, type); + return -1; + } } } @@ -4596,6 +4683,12 @@ ipsecdoi_t2satrns(t, pp, pr, tr) tr->authtype = IPSECDOI_ATTR_AUTH_NONE; while (tlen > 0) { + if (tlen < sizeof(struct isakmp_data)) { + plog(ASL_LEVEL_ERR, + "ipsecdoi_t2satrns invalid length of isakmp data, expected %zu actual %d\n", + sizeof(struct isakmp_data), tlen); + return -1; + } type = ntohs(d->type) & ~ISAKMP_GEN_MASK; flag = ntohs(d->type) & ISAKMP_GEN_MASK; @@ -4647,6 +4740,12 @@ ipsecdoi_t2satrns(t, pp, pr, tr) memcpy(ld_buf->v, &d->lorv, sizeof(d->lorv)); } else { int len = ntohs(d->lorv); + if ((len + sizeof(struct isakmp_data)) > tlen) { + plog(ASL_LEVEL_ERR, + "invalid IPsec attr(%d), attr-len %d, overall-len %lu\n", + type, len, (tlen - sizeof(struct isakmp_data))); + return -1; + } /* i.e. ISAKMP_GEN_TLV */ ld_buf = vmalloc(len); if (ld_buf == NULL) { @@ -4767,6 +4866,12 @@ ipsecdoi_t2satrns(t, pp, pr, tr) } else { tlen -= (sizeof(*d) + ntohs(d->lorv)); d = (struct isakmp_data *)((caddr_t)d + sizeof(*d) + ntohs(d->lorv)); + if (tlen < 0) { + plog(ASL_LEVEL_ERR, + "ipsecdoi_t2satrns: packet too short - attr length %u for type %d\n", + ntohs(d->lorv), type); + goto end; + } } } diff --git a/ipsec-tools/racoon/ipsec_doi.h b/ipsec-tools/racoon/ipsec_doi.h index 476c369..5369810 100644 --- a/ipsec-tools/racoon/ipsec_doi.h +++ b/ipsec-tools/racoon/ipsec_doi.h @@ -220,6 +220,10 @@ struct saproto; struct satrns; struct prop_pair; +extern int t2isakmpsa(struct isakmp_pl_t *, struct isakmpsa *); +extern int check_attr_isakmp (struct isakmp_pl_t *); +extern int check_attr_ipsec (int, struct isakmp_pl_t *); +extern int check_attr_ipcomp (struct isakmp_pl_t *); extern struct isakmpsa *get_ph1approvalx (struct prop_pair *, struct isakmpsa *, struct isakmpsa *, int); extern int ipsecdoi_checkph1proposal (vchar_t *, phase1_handle_t *); diff --git a/ipsec-tools/racoon/isakmp_cfg.c b/ipsec-tools/racoon/isakmp_cfg.c index da12c1d..4308558 100644 --- a/ipsec-tools/racoon/isakmp_cfg.c +++ b/ipsec-tools/racoon/isakmp_cfg.c @@ -363,6 +363,12 @@ isakmp_cfg_reply(iph1, attrpl) tlen -= sizeof(*attrpl); while (tlen > 0) { + if (tlen < sizeof(struct isakmp_data)) { + plog(ASL_LEVEL_ERR, + "isakmp_cfg_reply invalid length of isakmp data, expected %zu actual %d\n", + sizeof(struct isakmp_data), tlen); + return -1; + } type = ntohs(attr->type); /* Handle short attributes */ @@ -398,10 +404,10 @@ isakmp_cfg_reply(iph1, attrpl) alen = ntohs(attr->lorv); /* Check that the attribute fit in the packet */ - if (tlen < alen) { - plog(ASL_LEVEL_ERR, - "Short attribute %s\n", - s_isakmp_cfg_type(type)); + if (tlen < (alen + sizeof(struct isakmp_data))) { + plog(ASL_LEVEL_ERR, + "Short attribute %s len %zu\n", + s_isakmp_cfg_type(type), alen); return -1; } @@ -571,6 +577,12 @@ isakmp_cfg_request(iph1, attrpl, msg) memset(payload->v, 0, sizeof(*reply)); while (tlen > 0) { + if (tlen < sizeof(struct isakmp_data)) { + plog(ASL_LEVEL_ERR, + "isakmp_cfg_request invalid length of isakmp data, expected %zu actual %d\n", + sizeof(struct isakmp_data), tlen); + goto end; + } reply_attr = NULL; type = ntohs(attr->type); @@ -608,10 +620,10 @@ isakmp_cfg_request(iph1, attrpl, msg) alen = ntohs(attr->lorv); /* Check that the attribute fit in the packet */ - if (tlen < alen) { - plog(ASL_LEVEL_ERR, - "Short attribute %s\n", - s_isakmp_cfg_type(type)); + if (tlen < (sizeof(struct isakmp_data) + alen)) { + plog(ASL_LEVEL_ERR, + "Short attribute %s len %zu\n", + s_isakmp_cfg_type(type), alen); goto end; } @@ -726,6 +738,13 @@ isakmp_cfg_set(iph1, attrpl, msg) * We should send ack for the attributes we accepted */ while (tlen > 0) { + if (tlen < sizeof(struct isakmp_data)) { + plog(ASL_LEVEL_ERR, + "isakmp_cfg_set invalid length of isakmp data, expected %zu actual %d\n", + sizeof(struct isakmp_data), tlen); + vfree(payload); + return error; + } reply_attr = NULL; type = ntohs(attr->type); @@ -758,6 +777,13 @@ isakmp_cfg_set(iph1, attrpl, msg) attr++; } else { alen = ntohs(attr->lorv); + if (tlen < (sizeof(*attr) + alen)) { + plog(ASL_LEVEL_ERR, + "isakmp_cfg_set packet too short for type %d, expected %zu actual %zu\n", + type, alen, tlen - sizeof(*attr)); + vfree(payload); + return error; + } tlen -= (sizeof(*attr) + alen); npp = (char *)attr; attr = (struct isakmp_data *) diff --git a/ipsec-tools/racoon/oakley.c b/ipsec-tools/racoon/oakley.c index 24bdba8..101e5f7 100644 --- a/ipsec-tools/racoon/oakley.c +++ b/ipsec-tools/racoon/oakley.c @@ -1509,8 +1509,13 @@ oakley_validate_auth(phase1_handle_t *iph1) return ISAKMP_NTYPE_AUTHENTICATION_FAILED; break; } - } else + } else { hostname = CFStringCreateWithBytes(NULL, (u_int8_t *)id_spec->id->v, id_spec->id->l, kCFStringEncodingUTF8, FALSE); + } + if (hostname == NULL) { + plog(ASL_LEVEL_ERR, "missing hostname for peers identifier.\n"); + return ISAKMP_NTYPE_INVALID_ID_INFORMATION; + } } error = crypto_cssm_check_x509cert(oakley_get_peer_cert_from_certchain(iph1), iph1->cert_p, hostname, &publicKeyRef); if (hostname) diff --git a/ipsec-tools/racoon/pfkey.h b/ipsec-tools/racoon/pfkey.h index 5c113b6..c247e0e 100644 --- a/ipsec-tools/racoon/pfkey.h +++ b/ipsec-tools/racoon/pfkey.h @@ -78,4 +78,6 @@ extern u_int32_t pk_getseq (void); extern const char *sadbsecas2str (struct sockaddr_storage *, struct sockaddr_storage *, int, u_int32_t, int); +extern int addnewsp (caddr_t *); + #endif /* _PFKEY_H */ diff --git a/ipsec-tools/racoon/pfkey_racoon.c b/ipsec-tools/racoon/pfkey_racoon.c index efa1f6c..6a85ced 100644 --- a/ipsec-tools/racoon/pfkey_racoon.c +++ b/ipsec-tools/racoon/pfkey_racoon.c @@ -165,8 +165,6 @@ NULL, /* SADB_MIGRATE */ #endif }; -static int addnewsp (caddr_t *); - /* cope with old kame headers - ugly */ #ifndef SADB_X_AALG_MD5 #define SADB_X_AALG_MD5 SADB_AALG_MD5 @@ -2929,13 +2927,14 @@ pk_getseq() return eay_random(); } -static int +int addnewsp(mhp) caddr_t *mhp; { struct secpolicy *new; struct sadb_address *saddr, *daddr; struct sadb_x_policy *xpl; + struct sadb_ext *ext; /* sanity check */ if (mhp[SADB_EXT_ADDRESS_SRC] == NULL @@ -2948,7 +2947,14 @@ addnewsp(mhp) saddr = ALIGNED_CAST(struct sadb_address *)mhp[SADB_EXT_ADDRESS_SRC]; // Wcast-align fix (void*) - mhp contains pointers to aligned structs in malloc'd msg buffer daddr = ALIGNED_CAST(struct sadb_address *)mhp[SADB_EXT_ADDRESS_DST]; + xpl = ALIGNED_CAST(struct sadb_x_policy *)mhp[SADB_X_EXT_POLICY]; + /* validity check */ + if (PFKEY_EXTLEN(xpl) < sizeof(*xpl)) { + plog(ASL_LEVEL_ERR, + "invalid msg length.\n"); + return -1; + } new = newsp(); if (new == NULL) { @@ -2977,17 +2983,16 @@ addnewsp(mhp) struct sadb_x_ipsecrequest *xisr; struct ipsecrequest **p_isr = &new->req; - /* validity check */ - if (PFKEY_EXTLEN(xpl) < sizeof(*xpl)) { - plog(ASL_LEVEL_ERR, - "invalid msg length.\n"); - return -1; - } - tlen = PFKEY_EXTLEN(xpl) - sizeof(*xpl); xisr = (struct sadb_x_ipsecrequest *)(xpl + 1); while (tlen > 0) { + if (tlen < sizeof(*xisr) || + tlen < xisr->sadb_x_ipsecrequest_len) { + plog(ASL_LEVEL_ERR, + "invalid msg length for ipsec request.\n"); + return -1; + } /* length check */ if (xisr->sadb_x_ipsecrequest_len < sizeof(*xisr)) { @@ -3054,13 +3059,28 @@ addnewsp(mhp) /* set IP addresses if there */ if (xisr->sadb_x_ipsecrequest_len > sizeof(*xisr)) { struct sockaddr *paddr; + int rem_buf_len = xisr->sadb_x_ipsecrequest_len - sizeof(*xisr); paddr = (struct sockaddr *)(xisr + 1); + if (rem_buf_len < sizeof(*paddr) || + rem_buf_len < sysdep_sa_len(paddr)) { + plog(ASL_LEVEL_ERR, + "invalid msg length for src ip address.\n"); + return -1; + } bcopy(paddr, &(*p_isr)->saidx.src, sysdep_sa_len(paddr)); + rem_buf_len -= sysdep_sa_len(paddr); + paddr = (struct sockaddr *)((caddr_t)paddr + sysdep_sa_len(paddr)); + if (rem_buf_len < sizeof(*paddr) || + rem_buf_len < sysdep_sa_len(paddr)) { + plog(ASL_LEVEL_ERR, + "invalid msg length for dst ip address.\n"); + return -1; + } bcopy(paddr, &(*p_isr)->saidx.dst, sysdep_sa_len(paddr)); } diff --git a/ipsec-tools/racoon_test/racoon_test.c b/ipsec-tools/racoon_test/racoon_test.c index 4aca62f..778c08e 100644 --- a/ipsec-tools/racoon_test/racoon_test.c +++ b/ipsec-tools/racoon_test/racoon_test.c @@ -8,15 +8,31 @@ #include "oakley.h" #include "crypto_cssm.h" #include "racoon_certs_data.h" +#include "ipsec_doi.h" +#include "remoteconf.h" +#include "plog.h" +#include "isakmp.h" +#include "oakley.h" +#include "proposal.h" +#include "isakmp_cfg.h" +#include "racoon_types.h" +#include "handler.h" +#include "vmbuf.h" +#include "vpn_control.h" +#include "pfkey.h" #include #include #include #include +#include +#include #define racoon_test_pass 0 #define racoon_test_failure 1 +struct localconf *lcconf; + static struct option long_options[] = { {"unit_test", no_argument, 0, 'u'}, @@ -30,6 +46,186 @@ print_usage(char *name) printf(" -unit_test\n"); } +int +xauth_attr_reply(iph1, attr, id) + phase1_handle_t *iph1; + struct isakmp_data *attr; + int id; +{ + __builtin_unreachable(); + return 0; +} + +void +isakmp_unity_reply(iph1, attr) + phase1_handle_t *iph1; + struct isakmp_data *attr; +{ + __builtin_unreachable(); + return; +} + +int +vpncontrol_notify_phase_change(int start, u_int16_t from, phase1_handle_t *iph1, phase2_handle_t *iph2) +{ + __builtin_unreachable(); + return 0; +} + +phase2_handle_t * +ike_session_newph2(unsigned int version, int type) +{ + __builtin_unreachable(); + return NULL; +} + +int +ike_session_link_ph2_to_ph1 (phase1_handle_t *iph1, phase2_handle_t *iph2) +{ + __builtin_unreachable(); + return 0; +} + +vchar_t * +isakmp_xauth_req(iph1, attr) + phase1_handle_t *iph1; + struct isakmp_data *attr; +{ + __builtin_unreachable(); + return NULL; +} + +int +isakmp_ph2resend(iph2) + phase2_handle_t *iph2; +{ + __builtin_unreachable(); + return NULL; +} + +void +ike_session_start_xauth_timer (phase1_handle_t *iph1) +{ + __builtin_unreachable(); + return; +} + +int +isakmp_send(iph1, sbuf) + phase1_handle_t *iph1; + vchar_t *sbuf; +{ + __builtin_unreachable(); + return 0; +} + +int +ike_session_unlink_phase2 (phase2_handle_t *iph2) +{ + __builtin_unreachable(); + return 0; +} + +int +ike_session_add_recvdpkt(remote, local, sbuf, rbuf, non_esp, frag_flags) +struct sockaddr_storage *remote, *local; +vchar_t *sbuf, *rbuf; +size_t non_esp; +u_int32_t frag_flags; +{ + __builtin_unreachable(); + return 0; +} + +int +ike_session_is_client_ph1_rekey (phase1_handle_t *iph1) +{ + return 0; +} + +int +vpncontrol_notify_need_authinfo(phase1_handle_t *iph1, void* attr_list, size_t attr_len) +{ + __builtin_unreachable(); + return 0; +} + +u_int32_t +isakmp_newmsgid2(iph1) + phase1_handle_t *iph1; +{ + __builtin_unreachable(); + return 0; +} + +void +fsm_set_state(int *var, int state) +{ + __builtin_unreachable(); + return; +} + +int +xauth_check(iph1) + phase1_handle_t *iph1; +{ + __builtin_unreachable(); + return 0; +} + +void +ike_session_delph2(phase2_handle_t *iph2) +{ + __builtin_unreachable(); + return; +} + +vchar_t * +isakmp_unity_req(iph1, attr) + phase1_handle_t *iph1; + struct isakmp_data *attr; +{ + __builtin_unreachable(); + return NULL; +} + +int +isakmp_info_send_d1(phase1_handle_t *iph1) +{ + __builtin_unreachable(); + return 0; +} + +vchar_t * +isakmp_xauth_set(iph1, attr) + phase1_handle_t *iph1; + struct isakmp_data *attr; +{ + __builtin_unreachable(); + return NULL; +} + +void +isakmp_ph1expire(iph1) + phase1_handle_t *iph1; +{ + __builtin_unreachable(); + return; +} + +void +check_auto_exit(void) +{ + return; +} + +void +ipsecSessionTracerEvent (ike_session_t *session, ipsecSessionEventCode_t eventCode, const char *event, const char *failure_reason) +{ + __builtin_unreachable(); + return; +} + static int racoon_cert_validity_test(void) { @@ -45,45 +241,580 @@ racoon_cert_validity_test(void) fprintf(stdout, "[TEST] RacoonCertValidity\n"); // For certificate info, look at past_cert.der - fprintf(stdout, "[BEGIN] ExpiredCertTest\n"); + fprintf(stdout, "\t[BEGIN] ExpiredCertTest\n"); CFDataRef past_cert_data = CFDataCreate(kCFAllocatorDefault, past_cert_der, sizeof(past_cert_der)); SecCertificateRef past_cert_ref = SecCertificateCreateWithData(NULL, past_cert_data); cert_status = crypto_cssm_check_x509cert_dates (past_cert_ref); if (cert_status != CERT_STATUS_EXPIRED) { - fprintf(stdout, "[FAIL] ExpiredCertTest\n"); + fprintf(stdout, "\t[FAIL] ExpiredCertTest\n"); result = racoon_test_failure; } else { - fprintf(stdout, "[PASS] ExpiredCertTest\n"); + fprintf(stdout, "\t[PASS] ExpiredCertTest\n"); } // For certificate info, look at future_cert.der - fprintf(stdout, "[BEGIN] PrematureCertTest\n"); + fprintf(stdout, "\t[BEGIN] PrematureCertTest\n"); CFDataRef future_cert_data = CFDataCreate(kCFAllocatorDefault, future_cert_der, sizeof(future_cert_der)); SecCertificateRef future_cert_ref = SecCertificateCreateWithData(NULL, future_cert_data); cert_status = crypto_cssm_check_x509cert_dates (future_cert_ref); if (cert_status != CERT_STATUS_PREMATURE) { - fprintf(stdout, "[FAIL] PrematureCertTest\n"); + fprintf(stdout, "\t[FAIL] PrematureCertTest\n"); result = racoon_test_failure; } else { - fprintf(stdout, "[PASS] PrematureCertTest\n"); + fprintf(stdout, "\t[PASS] PrematureCertTest\n"); } // For certificate info, look at valid_cert.der - fprintf(stdout, "[BEGIN] ValidCertTest\n"); + fprintf(stdout, "\t[BEGIN] ValidCertTest\n"); CFDataRef valid_cert_data = CFDataCreate(kCFAllocatorDefault, valid_cert_der, sizeof(valid_cert_der)); SecCertificateRef valid_cert_ref = SecCertificateCreateWithData(NULL, valid_cert_data); cert_status = crypto_cssm_check_x509cert_dates (valid_cert_ref); if (cert_status != CERT_STATUS_OK) { - fprintf(stdout, "[FAIL] ValidCertTest\n"); + fprintf(stdout, "\t[FAIL] ValidCertTest\n"); result = racoon_test_failure; } else { - fprintf(stdout, "[PASS] ValidCertTest\n"); + fprintf(stdout, "\t[PASS] ValidCertTest\n"); } #endif // HAVE_OPENSSL return result; } +static int +racoon_test_overflow_transform_attributes(void) +{ +#define TEST_GEN_PAYLOAD_LEN 4 + void *payload = NULL; + + // Test ISAKMP overflow + payload = malloc(2 * (sizeof(struct isakmp_pl_t) + sizeof(struct isakmp_data) + TEST_GEN_PAYLOAD_LEN)); + if (payload == NULL) { + fprintf(stdout, "malloc failed"); + return racoon_test_failure; + } + memset(payload, 0, (2 * (sizeof(struct isakmp_pl_t) + sizeof(struct isakmp_data) + TEST_GEN_PAYLOAD_LEN))); + + fprintf(stdout, "\t[BEGIN] TransformPayloadTest\n"); + + struct isakmp_pl_t *trans = (struct isakmp_pl_t *)payload; + struct isakmp_data *data = (struct isakmp_data *)(trans + 1); + uint32_t *gen1 = (uint32_t *)(data + 1); + struct isakmpsa sa = {0}; + + data->type = htons(OAKLEY_ATTR_GRP_GEN_ONE); + data->lorv = htons(TEST_GEN_PAYLOAD_LEN); + *gen1 = htonl(0x11111111); + + // Transform header total length shorter than data header + trans->h.len = htons(sizeof(struct isakmp_pl_t) + sizeof(struct isakmp_data) - 1); + if (t2isakmpsa(trans, &sa) == 0) { + fprintf(stdout, "\t[FAIL] TransformPayloadTest\n"); + return racoon_test_failure; + } + + // Transform header total length shorter than data header + payload without flag + trans->h.len = htons(sizeof(struct isakmp_pl_t) + sizeof(struct isakmp_data)); + if (t2isakmpsa(trans, &sa) == 0) { + fprintf(stdout, "\t[FAIL] TransformPayloadTest\n"); + return racoon_test_failure; + } + + // Transform header total length equal to data header + payload without flag + trans->h.len = htons(sizeof(struct isakmp_pl_t) + sizeof(struct isakmp_data) + TEST_GEN_PAYLOAD_LEN); + if (t2isakmpsa(trans, &sa) < 0) { + fprintf(stdout, "\t[FAIL] TransformPayloadTest\n"); + return racoon_test_failure; + } + + // Transform header total length shorter than data header + payload with flag set + trans->h.len = htons(sizeof(struct isakmp_pl_t) + sizeof(struct isakmp_data)); + data->type = htons(OAKLEY_ATTR_GRP_GEN_ONE | ISAKMP_GEN_MASK); + if (t2isakmpsa(trans, &sa) == 0) { + fprintf(stdout, "\t[FAIL] TransformPayloadTest\n"); + return racoon_test_failure; + } + + // Transform header total length shorter than data header + payload with flag set for Gen 2 + trans->h.len = htons(sizeof(struct isakmp_pl_t) + sizeof(struct isakmp_data)); + data->type = htons(OAKLEY_ATTR_GRP_GEN_TWO | ISAKMP_GEN_MASK); + if (t2isakmpsa(trans, &sa) == 0) { + fprintf(stdout, "\t[FAIL] TransformPayloadTest\n"); + return racoon_test_failure; + } + + // Transform header total length shorter than data header + payload with flag set for Encryption + trans->h.len = htons(sizeof(struct isakmp_pl_t) + sizeof(struct isakmp_data) ); + data->type = htons(OAKLEY_ATTR_ENC_ALG); + if (t2isakmpsa(trans, &sa) == 0) { + fprintf(stdout, "\t[FAIL] TransformPayloadTest\n"); + return racoon_test_failure; + } + + // Transform header total length equal to data header + payload with flag set for Encryption + trans->h.len = htons(sizeof(struct isakmp_pl_t) + sizeof(struct isakmp_data)); + data->type = htons(OAKLEY_ATTR_ENC_ALG | ISAKMP_GEN_MASK); + if (t2isakmpsa(trans, &sa) < 0) { + fprintf(stdout, "\t[FAIL] TransformPayloadTest\n"); + return racoon_test_failure; + } + + // Transform header total length shorter than 2 * data header + payload with flag set for Encryption + trans->h.len = htons(sizeof(struct isakmp_pl_t) + sizeof(struct isakmp_data) + sizeof(struct isakmp_data) - 1); + data->type = htons(OAKLEY_ATTR_ENC_ALG | ISAKMP_GEN_MASK); + if (t2isakmpsa(trans, &sa) == 0) { + fprintf(stdout, "\t[FAIL] TransformPayloadTest\n"); + return racoon_test_failure; + } + + fprintf(stdout, "\t[PASS] TransformPayloadTest\n"); + return racoon_test_pass; +} + +static int +racoon_test_overflow_attribute(void) +{ + void *payload = NULL; + +#define TEST_GEN_PAYLOAD_LEN 4 + + payload = malloc(sizeof(struct isakmp_pl_t) + sizeof(struct isakmp_data)); + if (payload == NULL) { + fprintf(stdout, "malloc failed"); + return racoon_test_failure; + } + memset(payload, 0, sizeof(struct isakmp_pl_t) + sizeof(struct isakmp_data)); + + fprintf(stdout, "\t[BEGIN] AttributeTest\n"); + + struct isakmp_pl_t *trans = (struct isakmp_pl_t *)payload; + struct isakmp_data *data = (struct isakmp_data *)(trans + 1); + + data->type = htons(OAKLEY_ATTR_GRP_GEN_ONE); + data->lorv = htons(TEST_GEN_PAYLOAD_LEN); + + trans->h.len = htons(sizeof(struct isakmp_pl_t) + sizeof(struct isakmp_data) - 1); + if (check_attr_isakmp(trans) == 0) { + fprintf(stdout, "\t[FAIL] AttributeTest\n"); + return racoon_test_failure; + } + + trans->h.len = htons(sizeof(struct isakmp_pl_t) + sizeof(struct isakmp_data) + TEST_GEN_PAYLOAD_LEN - 1); + if (check_attr_isakmp(trans) == 0) { + fprintf(stdout, "\t[FAIL] AttributeTest\n"); + return racoon_test_failure; + } + + trans->h.len = htons(sizeof(struct isakmp_pl_t) + sizeof(struct isakmp_data) + TEST_GEN_PAYLOAD_LEN); + if (check_attr_isakmp(trans) < 0) { + fprintf(stdout, "\t[FAIL] AttributeTest\n"); + return racoon_test_failure; + } + + fprintf(stdout, "\t[PASS] AttributeTest\n"); + return racoon_test_pass; +} + +static int +racoon_test_overflow_ipsec_attribute(void) +{ + void *payload = NULL; +#define LA_PAYLOAD_LEN 4 + + payload = malloc(2 * (sizeof(struct isakmp_pl_t) + sizeof(struct isakmp_data) + LA_PAYLOAD_LEN)); + if (payload == NULL) { + fprintf(stdout, "malloc failed"); + return racoon_test_failure; + } + memset(payload, 0, (2 * (sizeof(struct isakmp_pl_t) + sizeof(struct isakmp_data) + LA_PAYLOAD_LEN))); + + fprintf(stdout, "\t[BEGIN] AttributeIPsecTest\n"); + + struct isakmp_pl_t *trans = (struct isakmp_pl_t *)payload; + struct isakmp_data *data = (struct isakmp_data *)(trans + 1); + + data->type = htons(IPSECDOI_ATTR_SA_LD); + data->lorv = htons(LA_PAYLOAD_LEN); + + trans->h.len = htons(sizeof(struct isakmp_pl_t) + sizeof(struct isakmp_data) - 1); + if (check_attr_ipsec(IPSECDOI_PROTO_IPSEC_AH, trans) == 0) { + fprintf(stdout, "\t[FAIL] AttributeIPsecTest\n"); + return racoon_test_failure; + } + + trans->h.len = htons(sizeof(struct isakmp_pl_t) + sizeof(struct isakmp_data) + LA_PAYLOAD_LEN - 1); + if (check_attr_ipsec(IPSECDOI_PROTO_IPSEC_AH, trans) == 0) { + fprintf(stdout, "\t[FAIL] AttributeIPsecTest\n"); + return racoon_test_failure; + } + + trans->h.len = htons(sizeof(struct isakmp_pl_t) + sizeof(struct isakmp_data) + LA_PAYLOAD_LEN + sizeof(struct isakmp_data)); + struct isakmp_data *auth_data = (struct isakmp_data *)((uint8_t *)data + sizeof(struct isakmp_data) + LA_PAYLOAD_LEN); + auth_data->type = htons(IPSECDOI_ATTR_AUTH | ISAKMP_GEN_MASK); + auth_data->lorv = htons(IPSECDOI_ATTR_AUTH_HMAC_MD5); + trans->t_id = IPSECDOI_AH_MD5; + if (check_attr_ipsec(IPSECDOI_PROTO_IPSEC_AH, trans) < 0) { + fprintf(stdout, "\t[FAIL] AttributeIPsecTest\n"); + return racoon_test_failure; + } + + fprintf(stdout, "\t[PASS] AttributeIPsecTest\n"); + return racoon_test_pass; +} + +static int +racoon_test_overflow_ipcomp_attribute(void) +{ + void *payload = NULL; +#define LA_PAYLOAD_LEN 4 + + payload = malloc(sizeof(struct isakmp_pl_t) + sizeof(struct isakmp_data)); + if (payload == NULL) { + fprintf(stdout, "malloc failed"); + return racoon_test_failure; + } + memset(payload, 0, sizeof(struct isakmp_pl_t) + sizeof(struct isakmp_data)); + + fprintf(stdout, "\t[BEGIN] AttributeIPCOMPTest\n"); + + struct isakmp_pl_t *trans = (struct isakmp_pl_t *)payload; + struct isakmp_data *data = (struct isakmp_data *)(trans + 1); + + data->type = htons(IPSECDOI_ATTR_SA_LD); + data->lorv = htons(LA_PAYLOAD_LEN); + + trans->h.len = htons(sizeof(struct isakmp_pl_t) + sizeof(struct isakmp_data) - 1); + if (check_attr_ipcomp(trans) == 0) { + fprintf(stdout, "\t[FAIL] AttributeIPCOMPTest\n"); + return racoon_test_failure; + } + + trans->h.len = htons(sizeof(struct isakmp_pl_t) + sizeof(struct isakmp_data) + LA_PAYLOAD_LEN - 1); + if (check_attr_ipcomp(trans) == 0) { + fprintf(stdout, "\t[FAIL] AttributeIPCOMPTest\n"); + return racoon_test_failure; + } + + trans->h.len = htons(sizeof(struct isakmp_pl_t) + sizeof(struct isakmp_data) + LA_PAYLOAD_LEN); + if (check_attr_ipcomp(trans) < 0) { + fprintf(stdout, "\t[FAIL] AttributeIPCOMPTest\n"); + return racoon_test_failure; + } + + fprintf(stdout, "\t[PASS] AttributeIPCOMPTest\n"); + return racoon_test_pass; +} + +static int +racoon_test_overflow_proposal(void) +{ + void *payload = NULL; + +#define LD_PAYLOAD_LEN 4 + + payload = malloc(2 * (sizeof(struct isakmp_pl_t) + sizeof(struct isakmp_data) + LD_PAYLOAD_LEN)); + if (payload == NULL) { + fprintf(stdout, "malloc failed"); + return racoon_test_failure; + } + memset(payload, 0, (2 * (sizeof(struct isakmp_pl_t) + sizeof(struct isakmp_data) + LD_PAYLOAD_LEN))); + + fprintf(stdout, "\t[BEGIN] ProposalTest\n"); + + struct isakmp_pl_t *ik_payload = (struct isakmp_pl_t *)payload; + struct isakmp_data *data = (struct isakmp_data *)(ik_payload + 1); + struct saprop pp = {0}; + struct saproto pr = {0}; + struct satrns tr = {0}; + + ik_payload->h.len = htons(sizeof(struct isakmp_pl_t) + sizeof(struct isakmp_data) - 1); + if (ipsecdoi_t2satrns(ik_payload, &pp, &pr, &tr) == 0) { + fprintf(stdout, "\t[FAIL] ProposalTest\n"); + return racoon_test_failure; + } + + data->type = htons(IPSECDOI_ATTR_SA_LD_TYPE | ISAKMP_GEN_MASK); + data->lorv = htons(IPSECDOI_ATTR_SA_LD_TYPE_SEC); + + struct isakmp_data *ld_data = data + 1; + ld_data->type = htons(IPSECDOI_ATTR_SA_LD); + ld_data->lorv = htons(LD_PAYLOAD_LEN); + uint32_t *ld_payload = (uint32_t *)(ld_data + 1); + *ld_payload = 0x1111; + ik_payload->h.len = htons(sizeof(struct isakmp_pl_t) + sizeof(struct isakmp_data) + sizeof(struct isakmp_data) + LD_PAYLOAD_LEN - 1); + if (ipsecdoi_t2satrns(ik_payload, &pp, &pr, &tr) == 0) { + fprintf(stdout, "\t[FAIL] ProposalTest\n"); + return racoon_test_failure; + } + + ik_payload->h.len = htons(sizeof(struct isakmp_pl_t) + sizeof(struct isakmp_data) + sizeof(struct isakmp_data) + LD_PAYLOAD_LEN); + if (ipsecdoi_t2satrns(ik_payload, &pp, &pr, &tr) < 0) { + fprintf(stdout, "\t[FAIL] ProposalTest\n"); + return racoon_test_failure; + } + + data->type = htons(IPSECDOI_ATTR_AUTH); + data->lorv = htons(IPSECDOI_ATTR_AUTH_HMAC_SHA1_96); + + ik_payload->h.len = htons(sizeof(struct isakmp_pl_t) + sizeof(struct isakmp_data) + sizeof(struct isakmp_data)); + if (ipsecdoi_t2satrns(ik_payload, &pp, &pr, &tr) == 0) { + fprintf(stdout, "\t[FAIL] ProposalTest\n"); + return racoon_test_failure; + } + + fprintf(stdout, "\t[PASS] ProposalTest\n"); + return racoon_test_pass; +} + +static int +racoon_test_overflow_config_reply(void) +{ + void *payload = NULL; + +#define DUMMY_PAYLOAD_LEN 20 + + payload = malloc(sizeof(struct isakmp_pl_attr) + sizeof(struct isakmp_data) + DUMMY_PAYLOAD_LEN); + if (payload == NULL) { + fprintf(stdout, "malloc failed"); + return racoon_test_failure; + } + memset(payload, 0, sizeof(struct isakmp_pl_attr) + sizeof(struct isakmp_data) + DUMMY_PAYLOAD_LEN); + + fprintf(stdout, "\t[BEGIN] ConfigReplyTest\n"); + + struct isakmp_pl_attr *ik_payload = (struct isakmp_pl_attr *)payload; + struct isakmp_data *data = (struct isakmp_data *)(ik_payload + 1); + phase1_handle_t iph1 = {0}; + struct isakmp_cfg_state mode_cfg = {0}; + iph1.mode_cfg = &mode_cfg; + + ik_payload->h.len = htons(sizeof(struct isakmp_pl_attr) + sizeof(struct isakmp_data) - 1); + if (isakmp_cfg_reply(&iph1, ik_payload) == 0) { + fprintf(stdout, "\t[FAIL] ConfigReplyTest\n"); + return racoon_test_failure; + } + + data->type = htons(INTERNAL_IP4_SUBNET); + data->lorv = htons(DUMMY_PAYLOAD_LEN); + ik_payload->h.len = htons(sizeof(struct isakmp_pl_attr) + sizeof(struct isakmp_data)); + if (isakmp_cfg_reply(&iph1, ik_payload) == 0) { + fprintf(stdout, "\t[FAIL] ConfigReplyTest\n"); + return racoon_test_failure; + } + + ik_payload->h.len = htons(sizeof(struct isakmp_pl_attr) + sizeof(struct isakmp_data) + DUMMY_PAYLOAD_LEN); + if (isakmp_cfg_reply(&iph1, ik_payload) < 0) { + fprintf(stdout, "\t[FAIL] ConfigReplyTest\n"); + return racoon_test_failure; + } + + fprintf(stdout, "\t[PASS] ConfigReplyTest\n"); + return racoon_test_pass; +} + +static int +racoon_test_overflow_config_request(void) +{ + void *payload = NULL; + +#define DUMMY_PAYLOAD_LEN 20 + + payload = malloc(sizeof(struct isakmp_pl_attr) + sizeof(struct isakmp_data) + DUMMY_PAYLOAD_LEN); + if (payload == NULL) { + fprintf(stdout, "malloc failed"); + return racoon_test_failure; + } + memset(payload, 0, sizeof(struct isakmp_pl_attr) + sizeof(struct isakmp_data) + DUMMY_PAYLOAD_LEN); + + fprintf(stdout, "\t[BEGIN] ConfigRequestTest\n"); + + struct isakmp_pl_attr *ik_payload = (struct isakmp_pl_attr *)payload; + struct isakmp_data *data = (struct isakmp_data *)(ik_payload + 1); + phase1_handle_t iph1 = {0}; + struct isakmp_cfg_state mode_cfg = {0}; + vchar_t msg = {0}; + iph1.mode_cfg = &mode_cfg; + + ik_payload->h.len = htons(sizeof(struct isakmp_pl_attr) + sizeof(struct isakmp_data) - 1); + if (isakmp_cfg_request(&iph1, ik_payload, &msg) == 0) { + fprintf(stdout, "\t[FAIL] ConfigRequestTest\n"); + return racoon_test_failure; + } + + data->type = htons(INTERNAL_ADDRESS_EXPIRY); + data->lorv = htons(DUMMY_PAYLOAD_LEN); + ik_payload->h.len = htons(sizeof(struct isakmp_pl_attr) + sizeof(struct isakmp_data)); + if (isakmp_cfg_request(&iph1, ik_payload, &msg) == 0) { + fprintf(stdout, "\t[FAIL] ConfigRequestTest\n"); + return racoon_test_failure; + } + + fprintf(stdout, "\t[PASS] ConfigRequestTest\n"); + return racoon_test_pass; +} + +static int +racoon_test_overflow_config_set(void) +{ + void *payload = NULL; + +#define DUMMY_PAYLOAD_LEN 20 + + payload = malloc(sizeof(struct isakmp_pl_attr) + sizeof(struct isakmp_data) + DUMMY_PAYLOAD_LEN); + if (payload == NULL) { + fprintf(stdout, "malloc failed"); + return racoon_test_failure; + } + memset(payload, 0, sizeof(struct isakmp_pl_attr) + sizeof(struct isakmp_data) + DUMMY_PAYLOAD_LEN); + + fprintf(stdout, "\t[BEGIN] ConfigRequestSetTest\n"); + + struct isakmp_pl_attr *ik_payload = (struct isakmp_pl_attr *)payload; + struct isakmp_data *data = (struct isakmp_data *)(ik_payload + 1); + phase1_handle_t iph1 = {0}; + struct isakmp_cfg_state mode_cfg = {0}; + vchar_t msg = {0}; + iph1.mode_cfg = &mode_cfg; + + ik_payload->h.len = htons(sizeof(struct isakmp_pl_attr) + sizeof(struct isakmp_data) - 1); + if (isakmp_cfg_set(&iph1, ik_payload, &msg) == 0) { + fprintf(stdout, "\t[FAIL] ConfigRequestSetTest\n"); + return racoon_test_failure; + } + + data->type = htons(XAUTH_CHALLENGE); + data->lorv = htons(DUMMY_PAYLOAD_LEN); + ik_payload->h.len = htons(sizeof(struct isakmp_pl_attr) + sizeof(struct isakmp_data)); + if (isakmp_cfg_set(&iph1, ik_payload, &msg) == 0) { + fprintf(stdout, "\t[FAIL] ConfigRequestSetTest\n"); + return racoon_test_failure; + } + + fprintf(stdout, "\t[PASS] ConfigRequestSetTest\n"); + return racoon_test_pass; +} + +static int +racoon_test_overflow_pfkey_add_sp(void) +{ + void *mhp[SADB_EXT_MAX]; + + memset(mhp, 0, sizeof(mhp)); + + fprintf(stdout, "\t[BEGIN] PFKeyAddSPTest\n"); + + struct sadb_address saddr = {0}; + struct sadb_address daddr = {0}; + struct sadb_x_policy *xpl = (struct sadb_x_policy *)malloc(sizeof(*xpl) + sizeof(struct sadb_x_ipsecrequest) + 20 + 20); + if (xpl == NULL) { + fprintf(stdout, "malloc failed"); + return racoon_test_failure; + } + memset(xpl, 0, sizeof(*xpl) + sizeof(struct sadb_x_ipsecrequest)); + + mhp[SADB_EXT_ADDRESS_SRC] = (void *)&saddr; + mhp[SADB_EXT_ADDRESS_DST] = (void *)&daddr; + mhp[SADB_X_EXT_POLICY] = (void *)xpl; + + xpl->sadb_x_policy_len = PFKEY_UNIT64(sizeof(*xpl) - 1); + if (addnewsp(&mhp) == 0) { + fprintf(stdout, "\t[FAIL] PFKeyAddSPTest\n"); + return racoon_test_failure; + } + + xpl->sadb_x_policy_type = IPSEC_POLICY_IPSEC; + struct sadb_x_ipsecrequest *xisr = xpl + 1; + xisr->sadb_x_ipsecrequest_len = sizeof(*xisr) + 20; + xpl->sadb_x_policy_len = PFKEY_UNIT64(sizeof(*xpl) + sizeof(*xisr)); + if (addnewsp(&mhp) == 0) { + fprintf(stdout, "\t[FAIL] PFKeyAddSPTest\n"); + return racoon_test_failure; + } + + struct sockaddr *srcaddr = (struct sockaddr *)(xisr + 1); + srcaddr->sa_len = 20; + struct sockaddr *dstaddr = ((uint8_t *)(srcaddr) + 20); + dstaddr->sa_len = 20; + + xisr->sadb_x_ipsecrequest_proto = IPPROTO_ESP; + xisr->sadb_x_ipsecrequest_mode = IPSEC_MODE_TRANSPORT; + xisr->sadb_x_ipsecrequest_level = IPSEC_LEVEL_DEFAULT; + + xisr->sadb_x_ipsecrequest_len = sizeof(*xisr) + sizeof(struct sockaddr) - 1; + xpl->sadb_x_policy_len = PFKEY_UNIT64(sizeof(*xpl) + xisr->sadb_x_ipsecrequest_len + 1); + if (addnewsp(&mhp) == 0) { + fprintf(stdout, "\t[FAIL] PFKeyAddSPTest\n"); + return racoon_test_failure; + } + + xisr->sadb_x_ipsecrequest_len = sizeof(*xisr) + srcaddr->sa_len - 1; + xpl->sadb_x_policy_len = PFKEY_UNIT64(sizeof(*xpl) + xisr->sadb_x_ipsecrequest_len + 8); + if (addnewsp(&mhp) == 0) { + fprintf(stdout, "\t[FAIL] PFKeyAddSPTest\n"); + return racoon_test_failure; + } + + xisr->sadb_x_ipsecrequest_len = sizeof(*xisr) + srcaddr->sa_len + sizeof(struct sockaddr) - 1; + xpl->sadb_x_policy_len = PFKEY_UNIT64(sizeof(*xpl) + xisr->sadb_x_ipsecrequest_len + 8); + if (addnewsp(&mhp) == 0) { + fprintf(stdout, "\t[FAIL] PFKeyAddSPTest\n"); + return racoon_test_failure; + } + + xisr->sadb_x_ipsecrequest_len = sizeof(*xisr) + srcaddr->sa_len + dstaddr->sa_len - 1; + xpl->sadb_x_policy_len = PFKEY_UNIT64(sizeof(*xpl) + xisr->sadb_x_ipsecrequest_len + 8); + if (addnewsp(&mhp) == 0) { + fprintf(stdout, "\t[FAIL] PFKeyAddSPTest\n"); + return racoon_test_failure; + } + + fprintf(stdout, "\t[PASS] PFKeyAddSPTest\n"); + return racoon_test_pass; +} + +static int +racoon_test_overflow(void) +{ + fprintf(stdout, "[TEST] Racoon Overflow\n"); + + if (racoon_test_overflow_transform_attributes() == racoon_test_failure) { + return racoon_test_failure; + } + + if (racoon_test_overflow_attribute() == racoon_test_failure) { + return racoon_test_failure; + } + + if (racoon_test_overflow_ipsec_attribute() == racoon_test_failure) { + return racoon_test_failure; + } + + if (racoon_test_overflow_ipcomp_attribute() == racoon_test_failure) { + return racoon_test_failure; + } + + if (racoon_test_overflow_proposal() == racoon_test_failure) { + return racoon_test_failure; + } + + if (racoon_test_overflow_config_reply() == racoon_test_failure) { + return racoon_test_failure; + } + + if (racoon_test_overflow_config_request() == racoon_test_failure) { + return racoon_test_failure; + } + + if (racoon_test_overflow_config_set() == racoon_test_failure) { + return racoon_test_failure; + } + + if (racoon_test_overflow_pfkey_add_sp() == racoon_test_failure) { + return racoon_test_failure; + } + + return racoon_test_pass; +} + static void racoon_unit_test(void) { @@ -91,6 +822,8 @@ racoon_unit_test(void) if (racoon_cert_validity_test() == racoon_test_failure) { result = racoon_test_failure; + } else if (racoon_test_overflow() == racoon_test_failure) { + result = racoon_test_failure; } if (result == racoon_test_pass) { @@ -104,6 +837,8 @@ main(int argc, char *argv[]) int opt = 0; int opt_index = 0; + plog_ne_log_enabled = 1; + if (argc < 2) { print_usage(argv[0]); return (0); diff --git a/ipsec.xcodeproj/project.pbxproj b/ipsec.xcodeproj/project.pbxproj index 7ef6c45..537fee7 100644 --- a/ipsec.xcodeproj/project.pbxproj +++ b/ipsec.xcodeproj/project.pbxproj @@ -156,6 +156,15 @@ 6912CB741E78D9D800631D9A /* plog.c in Sources */ = {isa = PBXBuildFile; fileRef = 25F258FD0988657000D15623 /* plog.c */; }; 6912CB761E78DD7100631D9A /* SystemConfiguration.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 6912CB751E78DD7100631D9A /* SystemConfiguration.framework */; }; 6912CB771E78DD8800631D9A /* Preferences.c in Sources */ = {isa = PBXBuildFile; fileRef = BACD8C681496A50C0042DEA1 /* Preferences.c */; }; + 697EFE7324281E030032C70E /* ipsec_doi.c in Sources */ = {isa = PBXBuildFile; fileRef = 25F258CF0988657000D15623 /* ipsec_doi.c */; }; + 697EFE742428278D0032C70E /* strnames.c in Sources */ = {isa = PBXBuildFile; fileRef = 25F2591F0988657000D15623 /* strnames.c */; }; + 697EFE75242951900032C70E /* algorithm.c in Sources */ = {isa = PBXBuildFile; fileRef = 25F258AE0988657000D15623 /* algorithm.c */; }; + 697EFE77242952370032C70E /* oakley.c in Sources */ = {isa = PBXBuildFile; fileRef = 25F258F30988657000D15623 /* oakley.c */; }; + 697EFE78242952560032C70E /* crypto_openssl.c in Sources */ = {isa = PBXBuildFile; fileRef = 25F258B90988657000D15623 /* crypto_openssl.c */; }; + 697EFE7A2429CDAF0032C70E /* isakmp_cfg.c in Sources */ = {isa = PBXBuildFile; fileRef = 25F258D50988657000D15623 /* isakmp_cfg.c */; }; + 697EFE822429D70C0032C70E /* sockmisc.c in Sources */ = {isa = PBXBuildFile; fileRef = 25F2591A0988657000D15623 /* sockmisc.c */; }; + 697EFE832429E4A00032C70E /* pfkey_racoon.c in Sources */ = {isa = PBXBuildFile; fileRef = 25F258F80988657000D15623 /* pfkey_racoon.c */; }; + 697EFE842429E4C80032C70E /* policy.c in Sources */ = {isa = PBXBuildFile; fileRef = 25F258FF0988657000D15623 /* policy.c */; }; 72265DDC0F818F9300730A7D /* ipsec.plist in CopyFiles */ = {isa = PBXBuildFile; fileRef = 72265DDB0F818F9300730A7D /* ipsec.plist */; }; 723B6A30162F7BE300895EE5 /* xpc_racoon.c in Sources */ = {isa = PBXBuildFile; fileRef = 723B6A2F162F7BE300895EE5 /* xpc_racoon.c */; }; 723B6A31162F7BE300895EE5 /* xpc_racoon.c in Sources */ = {isa = PBXBuildFile; fileRef = 723B6A2F162F7BE300895EE5 /* xpc_racoon.c */; }; @@ -1538,6 +1547,15 @@ isa = PBXSourcesBuildPhase; buildActionMask = 2147483647; files = ( + 697EFE842429E4C80032C70E /* policy.c in Sources */, + 697EFE832429E4A00032C70E /* pfkey_racoon.c in Sources */, + 697EFE822429D70C0032C70E /* sockmisc.c in Sources */, + 697EFE7A2429CDAF0032C70E /* isakmp_cfg.c in Sources */, + 697EFE78242952560032C70E /* crypto_openssl.c in Sources */, + 697EFE77242952370032C70E /* oakley.c in Sources */, + 697EFE75242951900032C70E /* algorithm.c in Sources */, + 697EFE742428278D0032C70E /* strnames.c in Sources */, + 697EFE7324281E030032C70E /* ipsec_doi.c in Sources */, 7253CC651E7B3F4600B2DDF5 /* racoon_test.c in Sources */, 6912CB771E78DD8800631D9A /* Preferences.c in Sources */, 6912CB741E78D9D800631D9A /* plog.c in Sources */, @@ -2179,6 +2197,7 @@ CLANG_WARN__DUPLICATE_METHOD_MATCH = YES; "CODE_SIGN_IDENTITY[sdk=iphoneos*]" = "-"; COPY_PHASE_STRIP = NO; + DEAD_CODE_STRIPPING = YES; DEBUG_INFORMATION_FORMAT = dwarf; ENABLE_STRICT_OBJC_MSGSEND = YES; ENABLE_TESTABILITY = YES; -- 2.47.2