packetgen-plugin-ipsec 1.0.3 → 1.1.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 6000090bef8439281eed6482a399f0e05b188e7594d3de3e92d32a9088e32b88
-  data.tar.gz: 0a753bf7266628b968ca9937f9d8f41c657c0bdd166b233b4c1e94eef4c71f89
+  metadata.gz: 63e6c93595c3d2f6361e87c0c5dd6cf60a792fadf6f15ecd52a8fe38be56bf29
+  data.tar.gz: 7759ddd4bdb74e1b510db940114c38e89ac6865d803c8966ebbc2b80c7379f97
 SHA512:
-  metadata.gz: fdb0b0828199209621044b6c8a916018225cd025afd403a1f30d0137f5fad3f30bbcba0d58d924d1b2c6cef04690277d3b6de036c016ac20ced6d868b8576224
-  data.tar.gz: 2b76622be17f0fdb03b9703bc25eceddd9cafbc968b5d99991d387926d886b4fea3c6fc2437528b9ab662584997a374387a053991dc896fe164cd7cdf6b47f2b
+  metadata.gz: dab304078f641492b8b6f431777ee1fc1a1a701d3351660ea276321cea9d6a3f00def177c6da41e30c76970f684a29a2e26558b90fa6e43527d41af7e9598235
+  data.tar.gz: 475aeb08d49dcbfd0c45c40181546c96c531f8d1772a253c64d3314337d65380b08d3c9a718e08c8c9aedc68396585e7e951c2e7a0013e2f503b3972367d38df

data/.github/workflows/specs.yml

@@ -1,28 +1,32 @@
 name: Specs
+
 on:
   push:
     branches: [ master ]
   pull_request:
     branches: [ master ]
+
 jobs:
   test:
     strategy:
       fail-fast: false
       matrix:
         os: [ubuntu-latest]
-        ruby: [2.4, 2.5, 2.6, 2.7]
+        ruby: ['3.0', '3.1', '3.2', '3.3', '3.4']
     runs-on: ${{ matrix.os }}
     steps:
-    - uses: actions/checkout@v2
+    - uses: actions/checkout@v4
     - name: Install dependencies
       run: sudo apt-get update -qq && sudo apt-get install libpcap-dev -qq
     - name: Set up Ruby
       uses: ruby/setup-ruby@v1
       with:
         ruby-version: ${{ matrix.ruby }}
-    - name: Run tests
+    - name: Install Gems
       run: |
         bundle config set path 'vendor/bundle'
         bundle config set --local without noci
         bundle install
+    - name: Run tests
+      run: |
         bundle exec rake

data/.rubocop.yml

@@ -1,21 +1,39 @@
-require:
+plugins:
   - rubocop-performance
 AllCops:
-  TargetRubyVersion: 2.4
+  TargetRubyVersion: "3.0"
+  NewCops: enable
+  Exclude:
+    - .git/**/*
+    - spec/**/*
+    - vendor/**/*
 Layout/LineLength:
-  Max: 150
+  Enabled: false
 Layout/SpaceAroundEqualsInParameterDefault:
   EnforcedStyle: no_space
 Lint/EmptyWhen:
   Enabled: false
 Lint/Void:
   Enabled: false
-Metrics:
+Metrics/AbcSize:
+  Max: 20
+Metrics/ClassLength:
+  Max: 200
+Metrics/MethodLength:
+  Max: 20
+Metrics/ParameterLists:
+  MaxOptionalParameters: 4
+Naming/FileName:
+  Enabled: false
+Style/AccessModifierDeclarations:
   Enabled: false
 Style/AsciiComments:
   Enabled: false
 Style/ClassAndModuleChildren:
-  EnforcedStyle: compact
+  Enabled: false
+Style/Documentation:
+  # Too many false positives!
+  Enabled: false
 Style/Encoding:
   Enabled: false
 Style/EvalWithLocation:
@@ -23,7 +41,7 @@ Style/EvalWithLocation:
 Style/FormatString:
   EnforcedStyle: percent
 Style/FormatStringToken:
-  EnforcedStyle: unannotated
+  MaxUnannotatedPlaceholdersAllowed: 3
 Style/PerlBackrefs:
   Enabled: false
 Style/RedundantSelf:

data/Gemfile

@@ -1,14 +1,21 @@
+# frozen_string_literal: true
+
 source 'https://rubygems.org'
 
 gemspec
 
 gem 'bundler', '>= 1.17', '< 3'
-gem 'rake', '~> 12.3'
-gem 'rspec', '~> 3.10'
+
+group :development do
+  gem 'rake', '~>13.0', require: false
+  gem 'rspec', '~>3.13'
+end
 
 group :noci do
-  gem 'rubocop', '~> 1.6'
-  gem 'rubocop-performance', '~> 1.9'
-  gem 'simplecov', '~> 0.18'
-  gem 'yard', '~> 0.9'
+  gem 'rubocop', '~> 1.12', require: false
+  gem 'rubocop-performance', '~> 1.13', require: false
+  gem 'ruby-lsp', require: false
+  gem 'ruby-lsp-rspec', require: false
+  gem 'simplecov', '~> 0.21', require: false
+  gem 'yard', '~> 0.9', require: false
 end

data/README.md

@@ -3,13 +3,15 @@
 
 # packetgen-plugin-ipsec
 
-**Warning:** this repository is a work-in-progress. It will be available with packetgen3.
-
 This is a plugin for [PacketGen gem](https://github.com/sdaubert/packetgen). It adds two protocols:
 
 * `PacketGen::Plugin::ESP`: IP Encapsulating Security Payload ([RFC 4303](https://tools.ietf.org/html/rfc4303)),
 * `PacketGen::Plugin::IKE`: Internet Key Exchange v2 ([RFC 7296](https://tools.ietf.org/html/rfc7296)).
 
+Versions 1.0.x are compatible with PacketGen 3.x.
+
+Versions 1.1.x are compatible with PacketGen 4.x.
+
 ## Installation
 
 Add this line to your application's Gemfile:
@@ -20,11 +22,15 @@ gem 'packetgen-plugin-ipsec'
 
 And then execute:
 
-    $ bundle
+```bash
+bundle
+```
 
 Or install it yourself as:
 
-    $ gem install packetgen-plugin-ipsec
+```bash
+gem install packetgen-plugin-ipsec
+```
 
 ## Usage
 
@@ -86,7 +92,7 @@ pkt.to_w
 
 ## See also
 
-API documentation: http://www.rubydoc.info/gems/packetgen-plugin-ipsec
+API documentation: <http://www.rubydoc.info/gems/packetgen-plugin-ipsec>
 
 ## License
 
@@ -94,4 +100,4 @@ MIT License (see [LICENSE](https://github.com/sdaubert/packetgen-plugin-ipsec/bl
 
 ## Contributing
 
-Bug reports and pull requests are welcome on GitHub at https://github.com/sdaubert/packetgen-plugin-ipsec.
+Bug reports and pull requests are welcome on GitHub at <https://github.com/sdaubert/packetgen-plugin-ipsec>.

data/lib/packetgen/plugin/crypto.rb

@@ -72,5 +72,37 @@ module PacketGen::Plugin
       @intg&.update(data)
       @conf.update(data)
     end
+
+    # Compute and set IV for deciphering mode
+    # @param [BinStruct::String] salt
+    # @param [String] msg ciphered message
+    # @return [String] iv
+    def compute_iv_for_decrypting(salt, msg)
+      case confidentiality_mode
+      when 'gcm'
+        iv = msg.slice!(0, 8)
+        real_iv = salt + iv
+      when 'cbc'
+        @conf.padding = 0
+        real_iv = iv = msg.slice!(0, 16)
+      when 'ctr'
+        iv = msg.slice!(0, 8)
+        real_iv = salt + iv + [1].pack('N')
+      else
+        real_iv = iv = msg.slice!(0, 16)
+      end
+      @conf.iv = real_iv
+      iv
+    end
+
+    # Compute and set real IV for ciphering mode
+    # @param [String] iv IV to use
+    # @param [String] salt salt to use
+    # @return [void]
+    def compute_iv_for_encrypting(iv, salt) # rubocop:disable Naming/MethodParameterName
+      real_iv = salt.b + iv.b
+      real_iv += [1].pack('N') if confidentiality_mode == 'ctr'
+      @conf.iv = real_iv
+    end
   end
 end

data/lib/packetgen/plugin/esp.rb

@@ -7,14 +7,16 @@
 
 require_relative 'crypto'
 
+# rubocop:disable Metrics/ClassLength
+
 module PacketGen::Plugin
   # A ESP header consists of:
-  # * a Security Parameters Index (#{spi}, {PacketGen::Types::Int32} type),
+  # * a Security Parameters Index (#{spi}, {BinStruct::Int32} type),
   # * a Sequence Number ({#sn}, +Int32+ type),
   # * a {#body} (variable length),
   # * an optional TFC padding ({#tfc}, variable length),
   # * an optional {#padding} (to align ESP on 32-bit boundary, variable length),
-  # * a {#pad_length} ({PacketGen::Types::Int8}),
+  # * a {#pad_length} ({BinStruct::Int8}),
   # * a Next header field ({#next}, +Int8+),
   # * and an optional Integrity Check Value ({#icv}, variable length).
   #
@@ -78,34 +80,34 @@ module PacketGen::Plugin
     # @!attribute spi
     #  32-bit Security Parameter Index
     #  @return [Integer]
-    define_field :spi, PacketGen::Types::Int32
+    define_attr :spi, BinStruct::Int32
     # @!attribute sn
     #  32-bit Sequence Number
     #  @return [Integer]
-    define_field :sn, PacketGen::Types::Int32
+    define_attr :sn, BinStruct::Int32
     # @!attribute body
-    #  @return [PacketGen::Types::String,PacketGen::Header::Base]
-    define_field :body, PacketGen::Types::String
+    #  @return [BinStruct::String,PacketGen::Header::Base]
+    define_attr :body, BinStruct::String
     # @!attribute tfc
     #  Traffic Flow Confidentiality padding
-    #  @return [PacketGen::Types::String,PacketGen::Header::Base]
-    define_field :tfc, PacketGen::Types::String
+    #  @return [BinStruct::String,PacketGen::Header::Base]
+    define_attr :tfc, BinStruct::String
     # @!attribute padding
     #  ESP padding
-    #  @return [PacketGen::Types::String,PacketGen::Header::Base]
-    define_field :padding, PacketGen::Types::String
+    #  @return [BinStruct::String,PacketGen::Header::Base]
+    define_attr :padding, BinStruct::String
     # @!attribute pad_length
     #  8-bit padding length
     #  @return [Integer]
-    define_field :pad_length, PacketGen::Types::Int8
+    define_attr :pad_length, BinStruct::Int8
     # @!attribute next
     #  8-bit next protocol value
     #  @return [Integer]
-    define_field :next, PacketGen::Types::Int8
+    define_attr :next, BinStruct::Int8
     # @!attribute icv
     #  Integrity Check Value
-    #  @return [PacketGen::Types::String,PacketGen::Header::Base]
-    define_field :icv, PacketGen::Types::String
+    #  @return [BinStruct::String,PacketGen::Header::Base]
+    define_attr :icv, BinStruct::String
 
     # ICV (Integrity Check Value) length
     # @return [Integer]
@@ -138,15 +140,14 @@ module PacketGen::Plugin
     def read(str)
       return self if str.nil?
 
-      force_binary str
-      self[:spi].read str[0, 4]
-      self[:sn].read str[4, 4]
-      self[:body].read str[8...-@icv_length - 2]
-      self[:tfc].read ''
-      self[:padding].read ''
-      self[:pad_length].read str[-@icv_length - 2, 1]
-      self[:next].read str[-@icv_length - 1, 1]
-      self[:icv].read str[-@icv_length, @icv_length] if @icv_length
+      str = str.b
+      self[:spi].read(str[0, 4])
+      self[:sn].read(str[4, 4])
+      self[:tfc].read('')
+      self[:padding].read('')
+
+      read_icv_dependent_fields(str[8..])
+      read_icv(str)
       self
     end
 
@@ -177,72 +178,20 @@ module PacketGen::Plugin
     # @option options [OpenSSL::HMAC] :intmode integrity mode to use with a
     #   confidentiality-only cipher. Only HMAC are supported.
     # @return [self]
-    def encrypt!(cipher, iv, options={})
+    def encrypt!(cipher, iv, options={}) # rubocop:disable Naming/MethodParameterName
       opt = { salt: '', tfc_size: 1444 }.merge(options)
 
       set_crypto cipher, opt[:intmode]
-
-      real_iv = force_binary(opt[:salt]) + force_binary(iv)
-      real_iv += [1].pack('N') if confidentiality_mode == 'ctr'
-      cipher.iv = real_iv
+      compute_iv_for_encrypting iv, opt[:salt]
 
       authenticate_esp_header_if_needed options, iv
 
-      case confidentiality_mode
-      when 'cbc'
-        cipher_len = self[:body].sz + 2
-        self.pad_length = (16 - (cipher_len % 16)) % 16
-      else
-        mod4 = to_s.size % 4
-        self.pad_length = 4 - mod4 if mod4.positive?
-      end
-
-      if opt[:pad_length]
-        self.pad_length = opt[:pad_length]
-        padding = force_binary(opt[:padding] || (1..self.pad_length).to_a.pack('C*'))
-        self[:padding].read padding
-      else
-        padding = force_binary(opt[:padding] || (1..self.pad_length).to_a.pack('C*'))
-        self[:padding].read padding[0...self.pad_length]
-      end
-
-      tfc = ''
-      if opt[:tfc]
-        tfc_size = opt[:tfc_size] - self[:body].sz
-        if tfc_size.positive?
-          tfc_size = case confidentiality_mode
-                     when 'cbc'
-                       (tfc_size / 16) * 16
-                     else
-                       (tfc_size / 4) * 4
-                     end
-          tfc = force_binary("\0" * tfc_size)
-        end
-      end
-
-      msg = self[:body].to_s + tfc
-      msg += self[:padding].to_s + self[:pad_length].to_s + self[:next].to_s
-      enc_msg = encipher(msg)
-      # as padding is used to pad for CBC mode, this is unused
-      cipher.final
-
-      self[:body] = PacketGen::Types::String.new.read(iv)
-      self[:body] << enc_msg[0..-3]
-      self[:pad_length].read enc_msg[-2]
-      self[:next].read enc_msg[-1]
-
-      # reset padding field as it has no sense in encrypted ESP
-      self[:padding].read ''
+      encrypt_set_pad_length
+      encrypt_set_padding(opt)
+      encrypt_body(opt, iv)
 
       set_esp_icv_if_needed
-
-      # Remove enciphered headers from packet
-      id = header_id(self)
-      if id < packet.headers.size - 1
-        (packet.headers.size - 1).downto(id + 1) do |index|
-          packet.headers.delete_at index
-        end
-      end
+      remove_enciphered_packets
 
       self
     end
@@ -265,51 +214,38 @@ module PacketGen::Plugin
       opt = { salt: '', parse: true }.merge(options)
 
       set_crypto cipher, opt[:intmode]
-
-      case confidentiality_mode
-      when 'gcm'
-        iv = self[:body].slice!(0, 8)
-        real_iv = opt[:salt] + iv
-      when 'cbc'
-        cipher.padding = 0
-        real_iv = iv = self[:body].slice!(0, 16)
-      when 'ctr'
-        iv = self[:body].slice!(0, 8)
-        real_iv = opt[:salt] + iv + [1].pack('N')
-      else
-        real_iv = iv = self[:body].slice!(0, 16)
-      end
-      cipher.iv = real_iv
-
+      iv = compute_iv_for_decrypting(opt[:salt], self[:body])
       if authenticated? && (@icv_length.zero? || opt[:icv_length])
-        raise PacketGen::ParseError, 'unknown ICV size' unless opt[:icv_length]
-
-        @icv_length = opt[:icv_length].to_i
-        # reread ESP to handle new ICV size
-        msg = self[:body].to_s + self[:pad_length].to_s
-        msg += self[:next].to_s
-        self[:icv].read msg.slice!(-@icv_length, @icv_length)
-        self[:body].read msg[0..-3]
-        self[:pad_length].read msg[-2]
-        self[:next].read msg[-1]
+        check_icv_length(opt)
+        decrypt_format_packet
       end
-
       authenticate_esp_header_if_needed options, iv, icv
       private_decrypt opt
     end
 
     private
 
+    def read_icv_dependent_fields(str)
+      body_end = -@icv_length - 2
+      self[:body].read str[0...body_end]
+      self[:pad_length].read str[body_end, 1]
+      self[:next].read str[body_end + 1, 1]
+    end
+
+    def read_icv(str)
+      self[:icv].read str[-@icv_length, @icv_length] if @icv_length
+    end
+
     def get_auth_data(opt)
       ad = self[:spi].to_s
       if opt[:esn]
-        @esn = PacketGen::Types::Int32.new(opt[:esn])
+        @esn = BinStruct::Int32.new(value: opt[:esn])
         ad << @esn.to_s if @conf.authenticated?
       end
       ad << self[:sn].to_s
     end
 
-    def authenticate_esp_header_if_needed(opt, iv, icv=nil)
+    def authenticate_esp_header_if_needed(opt, iv, icv=nil) # rubocop:disable Naming/MethodParameterName
       if @conf.authenticated?
         @conf.auth_tag = icv if icv
         @conf.auth_data = get_auth_data(opt)
@@ -323,6 +259,65 @@ module PacketGen::Plugin
       end
     end
 
+    def encrypt_set_pad_length
+      case confidentiality_mode
+      when 'cbc'
+        cipher_len = self[:body].sz + 2
+        self.pad_length = (16 - (cipher_len % 16)) % 16
+      else
+        mod4 = to_s.size % 4
+        self.pad_length = 4 - mod4 if mod4.positive?
+      end
+    end
+
+    def encrypt_set_padding(opt)
+      if opt[:pad_length]
+        self.pad_length = opt[:pad_length]
+        padding = opt[:padding] || (1..self.pad_length).to_a.pack('C*')
+      else
+        padding = opt[:padding] || (1..self.pad_length).to_a.pack('C*')
+        padding = padding[0...self.pad_length]
+      end
+      self[:padding].read(padding)
+    end
+
+    def generate_tfc(opt)
+      tfc = ''
+      return tfc unless opt[:tfc]
+
+      tfc_size = opt[:tfc_size] - self[:body].sz
+      if tfc_size.positive?
+        tfc_size = case confidentiality_mode
+                   when 'cbc'
+                     (tfc_size / 16) * 16
+                   else
+                     (tfc_size / 4) * 4
+                   end
+        tfc = "\0".b * tfc_size
+      end
+      tfc
+    end
+
+    def encrypt_body(opt, iv) # rubocop:disable Naming/MethodParameterName
+      msg = self[:body].to_s + generate_tfc(opt)
+      msg += self[:padding].to_s + self[:pad_length].to_s + self[:next].to_s
+      enc_msg = encipher(msg)
+      # as padding is used to pad for CBC mode, this is unused
+      @conf.final
+
+      encrypt_set_encrypted_fields(enc_msg, iv)
+    end
+
+    def encrypt_set_encrypted_fields(msg, iv) # rubocop:disable Naming/MethodParameterName
+      self[:body] = BinStruct::String.new.read(iv)
+      self[:body] << msg[0..-3]
+      self[:pad_length].read msg[-2]
+      self[:next].read msg[-1]
+
+      # reset padding field as it has no sense in encrypted ESP
+      self[:padding].read ''
+    end
+
     def set_esp_icv_if_needed
       return unless authenticated?
 
@@ -333,29 +328,62 @@ module PacketGen::Plugin
       end
     end
 
-    def private_decrypt(options)
-      # decrypt
-      msg = self.body.to_s
-      msg += self.padding + self[:pad_length].to_s + self[:next].to_s
-      plain_msg = decipher(msg)
+    def remove_enciphered_packets
+      id = header_id(self)
+      return if id >= packet.headers.size - 1
+
+      (packet.headers.size - 1).downto(id + 1) do |index|
+        packet.headers.delete_at index
+      end
+    end
+
+    def check_icv_length(opt)
+      raise PacketGen::ParseError, 'unknown ICV size' unless opt[:icv_length]
+
+      @icv_length = opt[:icv_length].to_i
+    end
 
+    def decrypt_format_packet
+      # reread ESP to handle new ICV size
+      msg = self[:body].to_s + self[:pad_length].to_s
+      msg << self[:next].to_s
+      read_icv_dependent_fields(msg)
+      read_icv(msg)
+    end
+
+    def private_decrypt(options)
+      plain_msg = decrypt_body
       # check authentication tag
       return false if authenticated? && !authenticate!
 
-      # Set ESP fields
+      new_pkt = fill_decrypted_fields_and_generate_plain_packet(plain_msg)
+      packet.encapsulate new_pkt if options[:parse] && !new_pkt.nil?
+      true
+    end
+
+    def decrypt_body
+      msg = self.body.to_s
+      msg += self.padding + self[:pad_length].to_s + self[:next].to_s
+      decipher(msg)
+    end
+
+    def fill_decrypted_fields_and_generate_plain_packet(plain_msg)
       self[:body].read plain_msg[0..-3]
       self[:pad_length].read plain_msg[-2]
       self[:next].read plain_msg[-1]
 
-      # Set padding
-      if self.pad_length.positive?
-        len = self.pad_length
-        self[:padding].read self[:body].slice!(-len, len)
-      end
+      fill_padding_field
+      generate_plain_pkt
+    end
+
+    def fill_padding_field
+      return unless self.pad_length.positive?
 
-      # Set TFC padding
-      encap_length = 0
-      pkt = nil
+      len = self.pad_length
+      self[:padding].read self[:body].slice!(-len, len)
+    end
+
+    def generate_plain_pkt # rubocop:disable Metrics/AbcSize, Metrics/MethodLength
       case self.next
       when 4   # IPv4
         pkt = PacketGen::Packet.parse(body, first_header: 'IP')
@@ -381,19 +409,19 @@ module PacketGen::Plugin
         encap_length = self[:body].sz
       else
         # Unmanaged encapsulated protocol
+        pkt = nil
         encap_length = self[:body].sz
       end
 
-      if encap_length < self[:body].sz
-        tfc_len = self[:body].sz - encap_length
-        self[:tfc].read self[:body].slice!(encap_length, tfc_len)
-      end
+      remove_tfc_if_needed(encap_length)
+      pkt
+    end
 
-      if options[:parse]
-        packet.encapsulate pkt unless pkt.nil?
-      end
+    def remove_tfc_if_needed(real_length)
+      return if real_length == self[:body].sz
 
-      true
+      tfc_len = self[:body].sz - real_length
+      self[:tfc].read self[:body].slice!(real_length, tfc_len)
     end
   end
 
@@ -405,7 +433,7 @@ module PacketGen::Plugin
                                            lambda { |f|
                                              (f.dport == ESP::UDP_PORT ||
                                              f.sport == ESP::UDP_PORT) &&
-                                               PacketGen::Types::Int32.new.read(f.body[0..3]).to_i.positive?
+                                               BinStruct::Int32.new.read(f.body[0..3]).to_i.positive?
                                            }]
   ESP.bind PacketGen::Header::IP, next: 4
   ESP.bind PacketGen::Header::IPv6, next: 41
@@ -414,3 +442,4 @@ module PacketGen::Plugin
   ESP.bind PacketGen::Header::ICMP, next: PacketGen::Header::ICMP::IP_PROTOCOL
   ESP.bind PacketGen::Header::ICMPv6, next: PacketGen::Header::ICMPv6::IP_PROTOCOL
 end
+# rubocop:enable Metrics/ClassLength