packetgen-plugin-ipsec 1.0.3 → 1.1.0

data/lib/packetgen/plugin/ike/sk.rb

@@ -29,7 +29,7 @@ module PacketGen::Plugin
     #   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     #   ~                    Integrity Checksum Data                    ~
     #   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-    # Encrypted payloads are set in {#content} field, as a {PacketGen::Types::String}.
+    # Encrypted payloads are set in {#content} field, as a {BinStruct::String}.
     # All others fields are only set when decrypting a previously read SK
     # payload. They also may be set manually to encrypt IKE payloads.
     #
@@ -95,21 +95,7 @@ module PacketGen::Plugin
         opt = { salt: '', parse: true }.merge!(options)
 
         set_crypto cipher, opt[:intmode]
-
-        case confidentiality_mode
-        when 'gcm'
-          iv = self[:content].slice!(0, 8)
-          real_iv = force_binary(opt[:salt]) + iv
-        when 'cbc'
-          cipher.padding = 0
-          real_iv = iv = self[:content].slice!(0, 16)
-        when 'ctr'
-          iv = self[:content].slice!(0, 8)
-          real_iv = force_binary(opt[:salt]) + iv + [1].pack('N')
-        else
-          real_iv = iv = self[:content].slice!(0, 16)
-        end
-        cipher.iv = real_iv
+        iv = compute_iv_for_decrypting(opt[:salt].b, self[:content])
 
         if authenticated?
           if @icv_length.zero?
@@ -140,60 +126,28 @@ module PacketGen::Plugin
       # @option options [OpenSSL::HMAC] :intmode integrity mode to use with a
       #   confidentiality-only cipher. Only HMAC are supported.
       # @return [self]
-      def encrypt!(cipher, iv, options={})
+      def encrypt!(cipher, iv, options={}) # rubocop:disable Naming/MethodParameterName
         opt = { salt: '' }.merge!(options)
 
         set_crypto cipher, opt[:intmode]
-
-        real_iv = force_binary(opt[:salt]) + force_binary(iv)
-        real_iv += [1].pack('N') if confidentiality_mode == 'ctr'
-        cipher.iv = real_iv
+        compute_iv_for_encrypting iv, opt[:salt]
 
         authenticate_if_needed iv
-
-        if opt[:pad_length]
-          pad_length = opt[:pad_length]
-          padding = force_binary(opt[:padding] || ([0] * pad_length).pack('C*'))
-        else
-          pad_length = cipher.block_size
-          pad_length = 16 if cipher.block_size == 1 # Some AES mode returns 1...
-          pad_length -= (self[:body].sz + iv.size + 1) % cipher.block_size
-          pad_length = 0 if pad_length == 16
-          padding = force_binary(opt[:padding] || ([0] * pad_length).pack('C*'))
-          padding = padding[0, pad_length]
-        end
-        msg = self[:body].to_s + padding + PacketGen::Types::Int8.new(pad_length).to_s
-        encrypted_msg = encipher(msg)
-        cipher.final # message is already padded. No need for mode padding
-
-        if authenticated?
-          @icv_length = opt[:icv_length] if opt[:icv_length]
-          encrypted_msg << if @conf.authenticated?
-                             @conf.auth_tag[0, @icv_length]
-                           else
-                             @intg.digest[0, @icv_length]
-                           end
-        end
+        encrypted_msg = encrypt_body(iv, opt)
+        encrypted_msg << generate_auth_tag(opt) if authenticated?
         self[:content].read(iv + encrypted_msg)
 
         # Remove plain payloads
-        self[:body] = PacketGen::Types::String.new
-
-        # Remove enciphered payloads from packet
-        id = header_id(self)
-        if id < packet.headers.size - 1
-          (packet.headers.size - 1).downto(id + 1) do |index|
-            packet.headers.delete_at index
-          end
-        end
+        self[:body] = BinStruct::String.new
 
+        remove_enciphered_packets
         self.calc_length
         self
       end
 
       private
 
-      def authenticate_if_needed(iv, icv=nil)
+      def authenticate_if_needed(iv, icv=nil) # rubocop:disable Naming/MethodParameterName
         if @conf.authenticated?
           @conf.auth_tag = icv if icv
           @conf.auth_data = get_ad
@@ -207,51 +161,99 @@ module PacketGen::Plugin
         end
       end
 
+      def encrypt_body(iv, opt) # rubocop:disable Naming/MethodParameterName
+        padding, pad_length = compute_padding(iv, opt)
+        msg = self[:body].to_s + padding.b + BinStruct::Int8.new(value: pad_length).to_s
+        encrypted_msg = encipher(msg)
+        @conf.final # message is already padded. No need for mode padding
+        encrypted_msg
+      end
+
+      def compute_padding(iv, opt) # rubocop:disable Naming/MethodParameterName
+        if opt[:pad_length]
+          pad_length = opt[:pad_length]
+          padding = opt[:padding] || ([0] * pad_length).pack('C*')
+        else
+          pad_length = compute_pad_length(iv)
+          padding = opt[:padding] || ([0] * pad_length).pack('C*')
+          padding = padding[0, pad_length]
+        end
+        [padding, pad_length]
+      end
+
+      def compute_pad_length(iv) # rubocop:disable Naming/MethodParameterName
+        pad_length = @conf.block_size
+        pad_length = 16 if @conf.block_size == 1 # Some AES mode returns 1...
+        pad_length -= (self[:body].sz + iv.size + 1) % @conf.block_size
+        pad_length = 0 if pad_length == 16
+        pad_length
+      end
+
+      def generate_auth_tag(opt)
+        @icv_length = opt[:icv_length] if opt[:icv_length]
+        if @conf.authenticated?
+          @conf.auth_tag[0, @icv_length]
+        else
+          @intg.digest[0, @icv_length]
+        end
+      end
+
+      def remove_enciphered_packets
+        id = header_id(self)
+        return if id >= packet.headers.size - 1
+
+        (packet.headers.size - 1).downto(id + 1) do |index|
+          packet.headers.delete_at index
+        end
+      end
+
       # From RFC 7206, §5.1: The associated data MUST consist of the partial
       # contents of the IKEv2 message, starting from the first octet of the
       # Fixed IKE Plugin through the last octet of the Payload Plugin of the
       # Encrypted Payload (i.e., the fourth octet of the Encrypted Payload).
-      def get_ad
+      def get_ad # rubocop:disable Naming/AccessorMethodName
         str = packet.ike.to_s[0, IKE.new.sz]
         current_payload = packet.ike[:body]
         until current_payload.is_a? SK
-          str << current_payload.to_s[0, current_payload.to_s.length]
+          str << current_payload.to_s
           current_payload = current_payload[:body]
         end
         str << self.to_s[0, SK.new.sz]
       end
 
       def private_decrypt(options)
-        # decrypt
         plain_msg = decipher(content.to_s)
         # Remove cipher text
         self[:content].read ''
 
         # check authentication tag
-        if authenticated?
-          return false unless authenticate!
-        end
-
-        # remove padding
-        pad_len = PacketGen::Types::Int8.new.read(plain_msg[-1]).to_i
-        payloads = plain_msg[0, plain_msg.size - 1 - pad_len]
+        return false if authenticated? && !authenticate!
 
-        # parse IKE payloads
+        payloads = remove_padding(plain_msg)
         if options[:parse]
-          klass = IKE.constants.select do |c|
-            cst = IKE.const_get(c)
-            cst.is_a?(Class) && (cst < Payload) && (cst::PAYLOAD_TYPE == self.next)
-          end
-          klass = klass.nil? ? Payload : IKE.const_get(klass.first)
-          firsth = klass.protocol_name
-          pkt = PacketGen::Packet.parse(payloads, first_header: firsth)
-          packet.encapsulate(pkt, parsing: true) unless pkt.nil?
+          parse_ike_payloads(payloads)
         else
           self[:body].read payloads
         end
 
         true
       end
+
+      def remove_padding(msg)
+        pad_len = BinStruct::Int8.new.read(msg[-1]).to_i
+        msg[0, msg.size - 1 - pad_len]
+      end
+
+      def parse_ike_payloads(payloads)
+        klass = IKE.constants.select do |c|
+          cst = IKE.const_get(c)
+          cst.is_a?(Class) && (cst < Payload) && (self.next == cst::PAYLOAD_TYPE)
+        end
+        klass = klass.nil? ? Payload : IKE.const_get(klass.first)
+        firsth = klass.protocol_name
+        pkt = PacketGen::Packet.parse(payloads, first_header: firsth)
+        packet.encapsulate(pkt, parsing: true) unless pkt.nil?
+      end
     end
   end
 

data/lib/packetgen/plugin/ike/ts.rb

@@ -25,7 +25,7 @@ module PacketGen::Plugin
     #   |                                                               |
     #   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     # @author Sylvain Daubert
-    class TrafficSelector < PacketGen::Types::Fields
+    class TrafficSelector < BinStruct::Struct
       # IPv4 traffic selector type
       TS_IPV4_ADDR_RANGE = 7
       # IPv6 traffic selector type
@@ -34,37 +34,40 @@ module PacketGen::Plugin
       # @!attribute [r] type
       #  8-bit TS type
       #  @return [Integer]
-      define_field :type, PacketGen::Types::Int8, default: 7
+      define_attr :type, BinStruct::Int8, default: 7
       # @!attribute [r] protocol
       #  8-bit protocol ID
       #  @return [Integer]
-      define_field :protocol, PacketGen::Types::Int8, default: 0
+      define_attr :protocol, BinStruct::Int8, default: 0
       # @!attribute length
       #  16-bit Selector Length
       #  @return [Integer]
-      define_field :length, PacketGen::Types::Int16
+      define_attr :length, BinStruct::Int16
       # @!attribute start_port
       #  16-bit Start port
       #  @return [Integer]
-      define_field :start_port, PacketGen::Types::Int16, default: 0
+      define_attr :start_port, BinStruct::Int16, default: 0
       # @!attribute end_port
       #  16-bit End port
       #  @return [Integer]
-      define_field :end_port, PacketGen::Types::Int16, default: 65_535
+      define_attr :end_port, BinStruct::Int16, default: 65_535
       # @!attribute start_addr
       #  starting address
       #  @return [IP::Addr, IPv6::Addr]
-      define_field :start_addr, PacketGen::Header::IP::Addr
+      define_attr :start_addr, PacketGen::Header::IP::Addr
       # @!attribute end_addr
       #  starting address
       #  @return [IP::Addr, IPv6::Addr]
-      define_field :end_addr, PacketGen::Header::IP::Addr
+      define_attr :end_addr, PacketGen::Header::IP::Addr
 
       # @param [Hash] options
+      # @options[Integer] :type
+      # @options[Integer] :protocol
+      # @options[Integer] :length
+      # @option [String] :start_addr
+      # @option [String] :end_addr
       # @option [Range] :ports port range
-      # @option [Integer] :start_port start port
-      # @option [Integer] :end_port end port
-      def initialize(options={})
+      def initialize(options={}) # rubocop:disable Metrics/AbcSize
         super
         select_addr options
         self[:start_addr].from_human(options[:start_addr]) if options[:start_addr]
@@ -186,7 +189,7 @@ module PacketGen::Plugin
 
     # Set of {TrafficSelector}, used by {TSi} and {TSr}.
     # @author Sylvain Daubert
-    class TrafficSelectors < PacketGen::Types::Array
+    class TrafficSelectors < BinStruct::Array
       set_of TrafficSelector
     end
 
@@ -223,22 +226,22 @@ module PacketGen::Plugin
       # Payload type number
       PAYLOAD_TYPE = 44
 
-      remove_field :content
+      remove_attr :content
 
       # @!attribute num_ts
       #   8-bit Number of TSs
       #   @return [Integer]
-      define_field_before :body, :num_ts, PacketGen::Types::Int8
+      define_attr_before :body, :num_ts, BinStruct::Int8
       # @!attribute rsv
       #   24-bit RESERVED field
       #   @return [Integer]
-      define_field_before :body, :rsv, PacketGen::Types::Int24
+      define_attr_before :body, :rsv, BinStruct::Int24
 
       # @!attribute traffic_selectors
       #  Set of {TrafficSelector}
       #  @return {TrafficSelectors}
-      define_field_before :body, :traffic_selectors, TrafficSelectors,
-                          builder: ->(h, t) { t.new(counter: h[:num_ts]) }
+      define_attr_before :body, :traffic_selectors, TrafficSelectors,
+                         builder: ->(h, t) { t.new(counter: h[:num_ts]) }
       alias selectors traffic_selectors
 
       # Compute length and set {#length} field

data/lib/packetgen/plugin/ike/vendor_id.rb

@@ -11,7 +11,7 @@ module PacketGen::Plugin
     # This class handles Vendor ID payloads, as defined in RFC 7296 §3.12.
     #
     # A Vendor ID payload contains a generic payload Plugin (see {Payload})
-    # and data field (type {PacketGen::Types::String}):
+    # and data field (type {BinStruct::String}):
     #                        1                   2                   3
     #    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
     #   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

data/lib/packetgen/plugin/ike.rb

@@ -13,10 +13,10 @@ module PacketGen::Plugin
     # @!attribute non_esp_marker
     #  32-bit zero marker to differentiate IKE packet over UDP port 4500 from ESP ones
     #  @return [Integer]
-    define_field :non_esp_marker, PacketGen::Types::Int32, default: 0
+    define_attr :non_esp_marker, BinStruct::Int32, default: 0
     # @!attribute body
-    #  @return [PacketGen::Types::String,PacketGen::Header::Base]
-    define_field :body, PacketGen::Types::String
+    #  @return [BinStruct::String,PacketGen::Header::Base]
+    define_attr :body, BinStruct::String
 
     # Check non_esp_marker field
     # @see [PacketGen::Header::Base#parse?]
@@ -48,15 +48,15 @@ module PacketGen::Plugin
   #  |                            Length                             |
   #  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   # A IKE Plugin consists of:
-  # * a IKE SA initiator SPI ({#init_spi}, {PacketGen::Types::Int64} type),
-  # * a IKE SA responder SPI ({#resp_spi}, {PacketGen::Types::Int64} type),
-  # * a Next Payload field ({#next}, {PacketGen::Types::Int8} type),
-  # * a Version field ({#version}, {PacketGen::Types::Int8} type, with first 4-bit field
+  # * a IKE SA initiator SPI ({#init_spi}, {BinStruct::Int64} type),
+  # * a IKE SA responder SPI ({#resp_spi}, {BinStruct::Int64} type),
+  # * a Next Payload field ({#next}, {BinStruct::Int8} type),
+  # * a Version field ({#version}, {BinStruct::Int8} type, with first 4-bit field
   #   as major number, and last 4-bit field as minor number),
-  # * a Exchange type ({#exchange_type}, {PacketGen::Types::Int8} type),
-  # * a {#flags} field ({PacketGen::Types::Int8} type),
-  # * a Message ID ({#message_id}, {PacketGen::Types::Int32} type),
-  # * and a {#length} ({PacketGen::Types::Int32} type).
+  # * a Exchange type ({#exchange_type}, {BinStruct::Int8} type),
+  # * a {#flags} field ({BinStruct::Int8} type),
+  # * a Message ID ({#message_id}, {BinStruct::Int32} type),
+  # * and a {#length} ({BinStruct::Int32} type).
   #
   # == Create a IKE Plugin
   # === Standalone
@@ -94,48 +94,32 @@ module PacketGen::Plugin
     # @!attribute init_spi
     #  64-bit initiator SPI
     #  @return [Integer]
-    define_field :init_spi, PacketGen::Types::Int64
+    define_attr :init_spi, BinStruct::Int64
     # @!attribute resp_spi
     #  64-bit responder SPI
     #  @return [Integer]
-    define_field :resp_spi, PacketGen::Types::Int64
+    define_attr :resp_spi, BinStruct::Int64
     # @!attribute next
     #  8-bit next payload type
     #  @return [Integer]
-    define_field :next, PacketGen::Types::Int8
+    define_attr :next, BinStruct::Int8
     # @!attribute version
     #  8-bit IKE version
     #  @return [Integer]
-    define_field :version, PacketGen::Types::Int8, default: 0x20
+    # @!attribute mjver
+    #  4-bit major version value ({#version}'s 4 most significant bits)
+    #  @return [Integer]
+    # @!attribute mnver
+    #  4-bit minor version value ({#version}'s 4 least significant bits)
+    #  @return [Integer]
+    define_bit_attr :version, default: 0x20, mjver: 4, mver: 4
     # @!attribute [r] exchange_type
     #  8-bit exchange type
     #  @return [Integer]
-    define_field :exchange_type, PacketGen::Types::Int8Enum, enum: EXCHANGE_TYPES
-    # @!attribute flags
+    define_attr :exchange_type, BinStruct::Int8Enum, enum: EXCHANGE_TYPES
+    # @!attribute flags. See {#flag_r}, {#flag_v} and {#flag_i}.
     #  8-bit flags
     #  @return [Integer]
-    define_field :flags, PacketGen::Types::Int8
-    # @!attribute message_id
-    #  32-bit message ID
-    #  @return [Integer]
-    define_field :message_id, PacketGen::Types::Int32
-    # @!attribute length
-    #  32-bit length of total message (Plugin + payloads)
-    #  @return [Integer]
-    define_field :length, PacketGen::Types::Int32
-
-    # Defining a body permits using Packet#parse to parse IKE payloads.
-    # But this method is hidden as prefered way to access payloads is via #payloads
-    define_field :body, PacketGen::Types::String
-
-    # @!attribute mjver
-    #  4-bit major version value
-    #  @return [Integer]
-    # @!attribute mnver
-    #  4-bit minor version value
-    #  @return [Integer]
-    define_bit_fields_on :version, :mjver, 4, :mnver, 4
-
     # @!attribute rsv1
     #  @return [Integer]
     # @!attribute rsv2
@@ -149,7 +133,19 @@ module PacketGen::Plugin
     # @!attribute flag_v
     #  version flag. Ignored by IKEv2 peers, and should be set to 0
     #  @return [Boolean]
-    define_bit_fields_on :flags, :rsv1, 2, :flag_r, :flag_v, :flag_i, :rsv2, 3
+    define_bit_attr :flags, rsv1: 2, flag_r: 1, flag_v: 1, flag_i: 1, rsv2: 3
+    # @!attribute message_id
+    #  32-bit message ID
+    #  @return [Integer]
+    define_attr :message_id, BinStruct::Int32
+    # @!attribute length
+    #  32-bit length of total message (Plugin + payloads)
+    #  @return [Integer]
+    define_attr :length, BinStruct::Int32
+
+    # Defining a body permits using Packet#parse to parse IKE payloads.
+    # But this method is hidden as prefered way to access payloads is via #payloads
+    define_attr :body, BinStruct::String
 
     # @param [Hash] options
     # @see PacketGen::Header::Base#initialize
@@ -198,8 +194,7 @@ module PacketGen::Plugin
             str_flags << (send("flag_#{flag}?") ? flag.upcase : '.')
           end
           str = PacketGen::Inspect.shift_level
-          str << PacketGen::Inspect::FMT_ATTR % [self[attr].class.to_s.sub(/.*::/, ''), attr,
-                                      str_flags]
+          str << (PacketGen::Inspect::FMT_ATTR % [self[attr].class.to_s.sub(/.*::/, ''), attr, str_flags])
         end
       end
     end

data/lib/packetgen/plugin/ipsec_version.rb

@@ -8,6 +8,6 @@
 module PacketGen
   module Plugin
     # Version of ipsec plugin
-    IPSEC_VERSION = '1.0.3'
+    IPSEC_VERSION = '1.1.0'
   end
 end

data/lib/packetgen-plugin-ipsec.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'packetgen'
 require_relative 'packetgen/plugin/ipsec_version'
 require_relative 'packetgen/plugin/esp'

data/packetgen-plugin-ipsec.gemspec

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 lib = File.expand_path('lib', __dir__)
 $LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
 require 'packetgen/plugin/ipsec_version'
@@ -8,8 +10,7 @@ Gem::Specification.new do |spec|
   spec.authors       = ['Sylvain Daubert']
   spec.email         = ['sylvain.daubert@laposte.net']
 
-  spec.summary       = %q{IPsec plugin for packetgen.}
-  #spec.description   = %q{TODO: Write a longer description or delete this line.}
+  spec.summary       = 'IPsec plugin for packetgen.'
   spec.homepage      = 'https://github.com/sdaubert/packetgen-plugin-ipsec'
 
   spec.files         = `git ls-files -z`.split("\x0").reject do |f|
@@ -17,7 +18,7 @@ Gem::Specification.new do |spec|
   end
   spec.require_paths = ['lib']
 
-  spec.required_ruby_version = '>= 2.4.0'
+  spec.required_ruby_version = '>= 3.0.0'
 
-  spec.add_dependency 'packetgen', '~>3.0', '>= 3.1.7'
+  spec.add_dependency 'packetgen', '~>4.0'
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: packetgen-plugin-ipsec
 version: !ruby/object:Gem::Version
-  version: 1.0.3
+  version: 1.1.0
 platform: ruby
 authors:
 - Sylvain Daubert
-autorequire: 
+autorequire:
 bindir: bin
 cert_chain: []
-date: 2020-12-24 00:00:00.000000000 Z
+date: 2025-04-21 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: packetgen
@@ -16,21 +16,15 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '3.0'
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: 3.1.7
+        version: '4.0'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '3.0'
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: 3.1.7
-description: 
+        version: '4.0'
+description:
 email:
 - sylvain.daubert@laposte.net
 executables: []
@@ -40,7 +34,6 @@ files:
 - ".github/workflows/specs.yml"
 - ".gitignore"
 - ".rubocop.yml"
-- ".travis.yml"
 - Gemfile
 - LICENSE
 - README.md
@@ -66,7 +59,7 @@ files:
 homepage: https://github.com/sdaubert/packetgen-plugin-ipsec
 licenses: []
 metadata: {}
-post_install_message: 
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -74,16 +67,15 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: 2.4.0
+      version: 3.0.0
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubyforge_project: 
-rubygems_version: 2.7.6.2
-signing_key: 
+rubygems_version: 3.3.15
+signing_key:
 specification_version: 4
 summary: IPsec plugin for packetgen.
 test_files: []

data/.travis.yml

@@ -1,14 +0,0 @@
-language: ruby
-rvm:
-  - 2.3
-  - 2.4
-  - 2.5
-  - 2.6
-
-install:
-  - sudo apt-get update -qq
-  - sudo apt-get install libpcap-dev -qq
-  - gem install bundler
-  - bundle install --path vendor/bundle --jobs=3 --retry=3
-script:
-  - bundle exec rake