packetgen-plugin-ipsec 1.0.0

data/lib/packetgen/plugin/ike/certreq.rb

@@ -0,0 +1,66 @@
+# coding: utf-8
+# This file is part of IPsec packetgen plugin.
+# See https://github.com/sdaubert/packetgen-plugin-ipsec for more informations
+# Copyright (c) 2018 Sylvain Daubert <sylvain.daubert@laposte.net>
+# This program is published under MIT license.
+
+# frozen_string_literal: true
+
+module PacketGen
+  module Plugin
+    class IKE
+      # This class handles Certificate Request payloads.
+      #
+      # A CertReq payload consists of the IKE generic payload Plugin (see {Payload})
+      # and some specific fields:
+      #                        1                   2                   3
+      #    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+      #   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+      #   | Next Payload  |C|  RESERVED   |         Payload Length        |
+      #   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+      #   | Cert Encoding |                                               |
+      #   +-+-+-+-+-+-+-+-+                                               +
+      #   |                                                               |
+      #   ~                      Certification Authority                  ~
+      #   |                                                               |
+      #   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+      # These specific fields are:
+      # * {#encoding},
+      # * and {#content} (Certification Authority).
+      #
+      # == Create a CertReq payload
+      #   # Create a IKE packet with a CertReq payload
+      #   pkt = PacketGen.gen('IP').add('UDP').add('IKE').add('IKE::CertReq', encoding: 'X509_CERT_SIG')
+      #   pkt.ike_certreq.content.read OpenSSL::Digest::SHA1.digest(ca_cert.to_der)
+      #   pkt.calc_length
+      # @author Sylvain Daubert
+      class CertReq < Cert
+        # Payload type number
+        PAYLOAD_TYPE = 38
+
+        # Get list of 20-byte string (SHA-1 hashes)
+        # @return [String]
+        def human_content
+          strs = []
+          idx = 0
+          while idx < content.size
+            strs << content[idx, 20]
+            idx += 20
+          end
+          strs.map(&:inspect).join(',')
+        end
+
+        # @return [String]
+        def inspect
+          super do |attr|
+            next unless attr == :content
+            str = Inspect.shift_level
+            str << Inspect::FMT_ATTR % ['hashes', :content, human_content]
+          end
+        end
+      end
+    end
+
+    Header.add_class IKE::CertReq
+  end
+end

data/lib/packetgen/plugin/ike/id.rb

@@ -0,0 +1,99 @@
+# coding: utf-8
+# This file is part of IPsec packetgen plugin.
+# See https://github.com/sdaubert/packetgen-plugin-ipsec for more informations
+# Copyright (c) 2018 Sylvain Daubert <sylvain.daubert@laposte.net>
+# This program is published under MIT license.
+
+# frozen_string_literal: true
+
+module PacketGen
+  module Plugin
+    class IKE
+      # This class handles Identification - Initiator payloads, denoted IDi
+      # (see RFC 7296, §3.5).
+      #
+      # A ID payload consists of the IKE generic payload Plugin (see {Payload})
+      # and some specific fields:
+      #                        1                   2                   3
+      #    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+      #   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+      #   | Next Payload  |C|  RESERVED   |         Payload Length        |
+      #   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+      #   |   ID Type     |                 RESERVED                      |
+      #   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+      #   |                                                               |
+      #   ~                   Identification Data                         ~
+      #   |                                                               |
+      #   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+      # These specific fields are:
+      # * {#type} (ID type),
+      # * {#reserved},
+      # * and {#content} (Identification Data).
+      #
+      # == Create a IDi payload
+      #   # Create a IKE packet with a IDi payload
+      #   pkt = PacketGen.gen('IP').add('UDP').add('IKE').add('IKE::IDi', type: 'FQDN')
+      #   pkt.ike_idi.content.read 'fqdn.example.org'
+      #   pkt.calc_length
+      # @author Sylvain Daubert
+      class IDi < Payload
+        # Payload type number
+        PAYLOAD_TYPE = 35
+
+        TYPES = {
+          'IPV4_ADDR'   => 1,
+          'FQDN'        => 2,
+          'RFC822_ADDR' => 3,
+          'IPV6_ADDR'   => 5,
+          'DER_ASN1_DN' => 9,
+          'DER_ASN1_GN' => 10,
+          'KEY_ID'      => 11
+        }.freeze
+
+        # @attribute [r] type
+        #   8-bit ID type
+        #   @return [Integer]
+        define_field_before :content, :type, PacketGen::Types::Int8Enum, enum: TYPES
+        # @attribute reserved
+        #   24-bit reserved field
+        #   @return [Integer]
+        define_field_before :content, :reserved, PacketGen::Types::Int24
+
+        # Get ID type name
+        # @return [String]
+        def human_type
+          self[:type].to_human
+        end
+
+        # Get human readable content, from {#type}
+        # @return [String]
+        def human_content
+          case type
+          when TYPES['IPV4_ADDR'], TYPES['IPV4_ADDR']
+            IPAddr.ntop(content)
+          when TYPES['DER_ASN1_DN'], TYPES['DER_ASN1_GN']
+            OpenSSL::X509::Name.new(content).to_s
+          else
+            content.inspect
+          end
+        end
+      end
+
+      # This class handles Identification - Responder payloads, denoted IDr.
+      # See {IDi}.
+      #
+      # == Create a IDr payload
+      #   # Create a IKE packet with a IDr payload
+      #   pkt = PacketGen.gen('IP').add('UDP').add('IKE').add('IKE::IDr', type: 'FQDN')
+      #   pkt.ike_idr.content.read 'fqdn.example.org'
+      # @author Sylvain Daubert
+      class IDr < IDi
+        # Payload type number
+        PAYLOAD_TYPE = 36
+      end
+    end
+
+    Header.add_class IKE::IDi
+    Header.add_class IKE::IDr
+  end
+end

data/lib/packetgen/plugin/ike/ke.rb

@@ -0,0 +1,79 @@
+# coding: utf-8
+# This file is part of IPsec packetgen plugin.
+# See https://github.com/sdaubert/packetgen-plugin-ipsec for more informations
+# Copyright (c) 2018 Sylvain Daubert <sylvain.daubert@laposte.net>
+# This program is published under MIT license.
+
+# frozen_string_literal: true
+
+module PacketGen
+  module Plugin
+    class IKE
+      # This class handles Key Exchange payloads, as defined in RFC 7296 §3.4
+      #
+      # A KE payload contains a generic payload Plugin (see {Payload}) and some
+      # specific fields:
+      #                        1                   2                   3
+      #    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+      #   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+      #   | Next Payload  |C|  RESERVED   |         Payload Length        |
+      #   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+      #   |   Diffie-Hellman Group Num    |           RESERVED            |
+      #   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+      #   |                                                               |
+      #   ~                       Key Exchange Data                       ~
+      #   |                                                               |
+      #   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+      # These specific fields are:
+      # * {#group_num} (type {PacketGen::Types::Int16}),
+      # * {#reserved} (type {PacketGen::Types::Int16}),
+      # * and {#content} (type {PacketGen::Types::String}).
+      #
+      # == Create a KE payload
+      #   # Create a IKE packet with a KE payload
+      #   pkt = PacketGen.gen('IP').add('UDP').add('IKE')
+      #   # group name is taken from Transform::DH_* constants
+      #   pkt.add('IKE::KE', group: 'MODP4096')
+      #   # group number may also be used
+      #   pkt.ike_ke.group = 1
+      #   pkt.calc_length
+      # @author Sylvain Daubert
+      class KE < Payload
+        # Payload type number
+        PAYLOAD_TYPE = 34
+
+        # @!attribute group_num
+        #  16-bit DH group number
+        #  @return [Integer]
+        define_field_before :content, :group_num, PacketGen::Types::Int16
+        # @!attribute reserved
+        #  16-bit reserved field
+        #  @return [Integer]
+        define_field_before :content, :reserved, PacketGen::Types::Int16, default: 0
+
+        def initialize(options={})
+          super
+          self.group = options[:group] if options[:group]
+        end
+
+        # Set group
+        # @param [Integer,String] value may be a String taken from
+        #   {Transform}+::DH_*+ constant names.
+        # @return [Integer]
+        def group=(value)
+          group = case value
+                  when Integer
+                    value
+                  else
+                    cname = "DH_#{value}"
+                    Transform.const_defined?(cname) ? Transform.const_get(cname) : nil
+                  end
+          raise ArgumentError, "unknown group #{value.inspect}" unless group
+          self[:group_num].value = group
+        end
+      end
+    end
+
+    Header.add_class IKE::KE
+  end
+end

data/lib/packetgen/plugin/ike/nonce.rb

@@ -0,0 +1,40 @@
+# coding: utf-8
+# This file is part of IPsec packetgen plugin.
+# See https://github.com/sdaubert/packetgen-plugin-ipsec for more informations
+# Copyright (c) 2018 Sylvain Daubert <sylvain.daubert@laposte.net>
+# This program is published under MIT license.
+
+# frozen_string_literal: true
+
+module PacketGen
+  module Plugin
+    class IKE
+      # This class handles Nonce payloads, as defined in RFC 7296 §3.9.
+      #
+      # A Nonce payload contains a generic payload Plugin (see {Payload}) and
+      # data field (type {PacketGen::Types::String}):
+      #                        1                   2                   3
+      #    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+      #   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+      #   | Next Payload  |C|  RESERVED   |         Payload Length        |
+      #   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+      #   |                                                               |
+      #   ~                            Nonce Data                         ~
+      #   |                                                               |
+      #   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+      #
+      # == Create a Nonce payload
+      #   # Create a IKE packet with a Nonce payload
+      #   pkt = PacketGen.gen('IP').add('UDP').add('IKE')
+      #   pkt.add('IKE::Nonce', data: "abcdefgh")
+      #   pkt.calc_length
+      # @author Sylvain Daubert
+      class Nonce < Payload
+        # Payload type number
+        PAYLOAD_TYPE = 40
+      end
+    end
+
+    Header.add_class IKE::Nonce
+  end
+end

data/lib/packetgen/plugin/ike/notify.rb

@@ -0,0 +1,159 @@
+# coding: utf-8
+# This file is part of IPsec packetgen plugin.
+# See https://github.com/sdaubert/packetgen-plugin-ipsec for more informations
+# Copyright (c) 2018 Sylvain Daubert <sylvain.daubert@laposte.net>
+# This program is published under MIT license.
+
+# frozen_string_literal: true
+
+module PacketGen
+  module Plugin
+    class IKE
+      # This class handles Notify payloads, as defined in RFC 7296 §3.10.
+      #
+      # A Notify payload contains a generic payload Plugin (see {Payload}) and
+      # some specific fields:
+      #                        1                   2                   3
+      #    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+      #   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+      #   | Next Payload  |C|  RESERVED   |         Payload Length        |
+      #   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+      #   |  Protocol ID  |   SPI Size    |      Notify Message Type      |
+      #   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+      #   |                                                               |
+      #   ~                Security Parameter Index (SPI)                 ~
+      #   |                                                               |
+      #   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+      #   |                                                               |
+      #   ~                       Notification Data                       ~
+      #   |                                                               |
+      #   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+      # These specific fields are:
+      # * {#protocol} (type {PacketGen::Types::Int8}),
+      # * {#spi_size} (type {PacketGen::Types::Int8}),
+      # * {#message_type} (type {PacketGen::Types::Int16}),
+      # * {#spi} (type {PacketGen::Types::String}),
+      # * {#content} (type {PacketGen::Types::String}).
+      #
+      # == Create a Notify payload
+      #   # Create a IKE packet with a Notify payload
+      #   pkt = PacketGen.gen('IP').add('UDP').add('IKE').add('IKE::Notify', protocol: 'IKE', type: 'INVALID_SYNTAX')
+      #   pkt.ike_notify.spi      # => ""
+      #   pkt.ike_notify.content  # => ""
+      #   pkt.calc_length
+      # == Create a Notify payload with a SPI
+      #   # Create a IKE packet with a Notify payload
+      #   pkt = PacketGen.gen('IP').add('UDP').add('IKE').add('IKE::Notify', protocol: 'ESP', spi_size: 4, type: 'INVALID_SYNTAX')
+      #   pkt.ike_notify.spi.read PacketGen::Types::Int32.new(0x12345678).to_s
+      #   pkt.calc_length
+      #   @author Sylvain Daubert
+      class Notify < Payload
+        # Payload type number
+        PAYLOAD_TYPE = 41
+
+        # Message types
+        TYPES = {
+          'UNSUPPORTED_CRITICAL_PAYLOAD'  => 1,
+          'INVALID_IKE_SPI'               => 4,
+          'INVALID_MAJOR_VERSION'         => 5,
+          'INVALID_SYNTAX'                => 7,
+          'INVALID_MESSAGE_ID'            => 9,
+          'INVALID_SPI'                   => 11,
+          'NO_PROPOSAL_CHOSEN'            => 14,
+          'INVALID_KE_PAYLOAD'            => 17,
+          'AUTHENTICATION_FAILED'         => 24,
+          'SINGLE_PAIR_REQUIRED'          => 34,
+          'NO_ADDITIONAL_SAS'             => 35,
+          'INTERNAL_ADDRESS_FAILURE'      => 36,
+          'FAILED_CP_REQUIRED'            => 37,
+          'TS_UNACCEPTABLE'               => 38,
+          'INVALID_SELECTORS'             => 39,
+          'TEMPORARY_FAILURE'             => 43,
+          'CHILD_SA_NOT_FOUND'            => 44,
+          'INITIAL_CONTACT'               => 16_384,
+          'SET_WINDOW_SIZE'               => 16_385,
+          'ADDITIONAL_TS_POSSIBLE'        => 16_386,
+          'IPCOMP_SUPPORTED'              => 16_387,
+          'NAT_DETECTION_SOURCE_IP'       => 16_388,
+          'NAT_DETECTION_DESTINATION_IP'  => 16_389,
+          'COOKIE'                        => 16_390,
+          'USE_TRANSPORT_MODE'            => 16_391,
+          'HTTP_CERT_LOOKUP_SUPPORTED'    => 16_392,
+          'REKEY_SA'                      => 16_393,
+          'ESP_TFC_PADDING_NOT_SUPPORTED' => 16_394,
+          'NON_FIRST_FRAGMENTS_ALSO'      => 16_395,
+        }.freeze
+
+        # @!attribute [r] protocol
+        #  8-bit protocol ID. If this notification concerns an existing
+        #  SA whose SPI is given in the SPI field, this field indicates the
+        #  type of that SA.  For notifications concerning Child SAs, this
+        #  field MUST contain either (2) to indicate AH or (3) to indicate
+        #  ESP.  Of the notifications defined in this document, the SPI is
+        #  included only with INVALID_SELECTORS, REKEY_SA, and
+        #  CHILD_SA_NOT_FOUND.  If the SPI field is empty, this field MUST be
+        #  sent as zero and MUST be ignored on receipt.
+        #  @return [Integer]
+        define_field_before :content, :protocol, PacketGen::Types::Int8Enum, enum: PROTOCOLS
+        # @!attribute spi_size
+        #  8-bit SPI size. Give size of SPI field. Length in octets of the SPI as
+        #  defined by the IPsec protocol ID or zero if no SPI is applicable. For a
+        #  notification concerning the IKE SA, the SPI Size MUST be zero and
+        #  the field must be empty.Set to 0 for an initial IKE SA
+        #  negotiation, as SPI is obtained from outer Plugin.
+        #  @return [Integer]
+        define_field_before :content, :spi_size, PacketGen::Types::Int8, default: 0
+        # @!attribute message_type
+        #  16-bit notify message type. Specifies the type of notification message.
+        #  @return [Integer]
+        define_field_before :content, :message_type, PacketGen::Types::Int16Enum, enum: TYPES, default: 0
+        # @!attribute spi
+        #   the sending entity's SPI. When the {#spi_size} field is zero,
+        #   this field is not present in the proposal.
+        #   @return [String]
+        define_field_before :content, :spi, PacketGen::Types::String,
+                            builder: ->(h, t) { t.new(length_from: h[:spi_size]) }
+
+        alias type message_type
+
+        def initialize(options={})
+          if options[:spi] && options[:spi_size].nil?
+            options[:spi_size] = options[:spi].size
+          end
+          super
+          self.protocol = options[:protocol] if options[:protocol]
+          self.message_type = options[:message_type] if options[:message_type]
+          self.message_type = options[:type] if options[:type]
+        end
+
+        alias type= message_type=
+
+        # Get protocol name
+        # @return [String]
+        def human_protocol
+          self[:protocol].to_human
+        end
+
+        # Get message type name
+        # @return [String]
+        def human_message_type
+          self[:message_type].to_human
+        end
+        alias human_type human_message_type
+
+        # @return [String]
+        def inspect
+          super do |attr|
+            next unless attr == :protocol
+
+            str = Inspect.shift_level
+            str << Inspect::FMT_ATTR % [self[attr].class.to_s.sub(/.*::/, ''), attr,
+                                        human_protocol]
+          end
+        end
+      end
+    end
+
+    Header.add_class IKE::Notify
+  end
+end