[Swan] using esp=null, auth=null for testing/devel..

Paul Wouters paul at nohats.ca
Fri Sep 1 21:04:50 UTC 2017


On Fri, 1 Sep 2017, Paul Wouters wrote:

>> I'd like to set up both esp and auth to NULL to test some kernel
>> code (for perf, so want to eliminate the cost of crypto).

Try the attached patch (untested other than seeing the connection loaded):

# ipsec auto --add nulltest
036 Failed to add connection "nulltest", esp="null-null" is invalid: non-AEAD ESP encryption algorithm 'null' cannot have a 'null' integrity algorithm, enc_alg="null"(0), auth_alg="null", modp=""
# ipsec whack --impair-allow-null-null
# ipsec auto --add nulltest
002 added connection description "nulltest"

Paul
-------------- next part --------------
diff --git a/include/pluto_constants.h b/include/pluto_constants.h
index 3667415..7beedb6 100644
--- a/include/pluto_constants.h
+++ b/include/pluto_constants.h
@@ -334,6 +334,7 @@ enum {
 	IMPAIR_DIE_ONINFO_IX,			/* cause state to be deleted upon receipt of information payload */
 	IMPAIR_JACOB_TWO_TWO_IX,		/* cause pluto to send all messages twice. */
 						/* cause pluto to send all messages twice. */
+	IMPAIR_ALLOW_NULL_NULL_IX,			/* cause pluto to allow esp=null-null and ah=null for testing */
 	IMPAIR_MAJOR_VERSION_BUMP_IX,		/* cause pluto to send an IKE major version that's higher then we support. */
 	IMPAIR_MINOR_VERSION_BUMP_IX,		/* cause pluto to send an IKE minor version that's higher then we support. */
 	IMPAIR_RETRANSMITS_IX,			/* cause pluto to never retransmit */
@@ -382,6 +383,7 @@ enum {
 #define IMPAIR_SA_CREATION	LELEM(IMPAIR_SA_CREATION_IX)
 #define IMPAIR_DIE_ONINFO	LELEM(IMPAIR_DIE_ONINFO_IX)
 #define IMPAIR_JACOB_TWO_TWO	LELEM(IMPAIR_JACOB_TWO_TWO_IX)
+#define IMPAIR_ALLOW_NULL_NULL	LELEM(IMPAIR_ALLOW_NULL_NULL_IX)
 #define IMPAIR_MAJOR_VERSION_BUMP	LELEM(IMPAIR_MAJOR_VERSION_BUMP_IX)
 #define IMPAIR_MINOR_VERSION_BUMP	LELEM(IMPAIR_MINOR_VERSION_BUMP_IX)
 #define IMPAIR_RETRANSMITS	LELEM(IMPAIR_RETRANSMITS_IX)
diff --git a/lib/libswan/alg_info.c b/lib/libswan/alg_info.c
index 600f04e..ab857b6 100644
--- a/lib/libswan/alg_info.c
+++ b/lib/libswan/alg_info.c
@@ -423,8 +423,8 @@ static const char *add_proposal_defaults(const struct parser_param *param,
 		return add_proposal_defaults(param, policy, defaults,
 					     alg_info, &merged_proposal,
 					     err_buf, err_buf_len);
-	} else if (proposal->encrypt != NULL && !ike_alg_is_aead(proposal->encrypt)
-		   && proposal->integ != NULL && proposal->integ == &ike_alg_integ_null) {
+	} else if (!DBGP(IMPAIR_ALLOW_NULL_NULL) && (proposal->encrypt != NULL && !ike_alg_is_aead(proposal->encrypt)
+		   && proposal->integ != NULL && proposal->integ == &ike_alg_integ_null)) {
 		/*
 		 * For instance, esp=aes_gcm-sha1" is invalid.
 		 */
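Review bot: The impair test is folded into the front of the existing condition, which produces a very long first line and an extra pair of parentheses around the original checks. Placing `} else if (!DBGP(IMPAIR_ALLOW_NULL_NULL) &&` on a line of its own and leaving the two original condition lines unchanged reads more clearly. The block comment inside the branch could also gain a line such as `IMPAIR_ALLOW_NULL_NULL lifts this check: esp=null-null carries no encryption and no integrity, testing only`. add_proposal_defaults starts and ends outside the hunk, so the branches after this one are not visible.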
diff --git a/lib/libswan/esp_info.c b/lib/libswan/esp_info.c
index 78ef680..3362f46 100644
--- a/lib/libswan/esp_info.c
+++ b/lib/libswan/esp_info.c
@@ -83,6 +83,9 @@ static bool ah_proposal_ok(const struct parser_policy *const policy UNUSED,
 	passert(proposal->prf == NULL);
 	passert(proposal->integ != NULL);
 
+	if (DBGP(IMPAIR_ALLOW_NULL_NULL))
+		return true;
+
 	/* ah=null is invalid */
 	if (proposal->integ == &ike_alg_integ_null) {
 		snprintf(err_buf, err_buf_len,
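Review bot: The added `return true` at the top of ah_proposal_ok skips every check that follows, not only the ah=null rejection the flag is meant to lift, so with the bit set any other validation later in the function is bypassed as well. The function continues outside the hunk, so what else it checks is not visible here. Scoping the bypass to the one test keeps the rest intact: `if (proposal->integ == &ike_alg_integ_null && !DBGP(IMPAIR_ALLOW_NULL_NULL)) {`. A short comment that the impairment is for testing only and leaves AH with no integrity protection would help the next reader.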
diff --git a/programs/pluto/plutomain.c b/programs/pluto/plutomain.c
index 1bc7b5c..bd8edf7 100644
--- a/programs/pluto/plutomain.c
+++ b/programs/pluto/plutomain.c
@@ -608,6 +608,7 @@ static const struct option long_opts[] = {
 	I("sa-creation\0", IMPAIR_SA_CREATION_IX),
 	I("die-oninfo\0", IMPAIR_DIE_ONINFO_IX),
 	I("jacob-two-two\0", IMPAIR_JACOB_TWO_TWO_IX),
+	I("impair-allow-null-null\0", IMPAIR_ALLOW_NULL_NULL_IX),
 	I("major-version-bump\0", IMPAIR_MAJOR_VERSION_BUMP_IX),
 	I("minor-version-bump\0", IMPAIR_MINOR_VERSION_BUMP_IX),
 	I("retransmits\0", IMPAIR_RETRANSMITS_IX),
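Review bot: The new entry passes `"impair-allow-null-null\0"` to `I()`, while every neighbouring entry passes the bare name (`"sa-creation\0"`, `"die-oninfo\0"`, `"jacob-two-two\0"`). If `I()` prepends the `impair-` prefix, as those entries suggest, the pluto option would end up as `--impair-impair-allow-null-null`. The macro definition is outside the hunk, so this should be confirmed, but the entry most likely wants to be `I("allow-null-null\0", IMPAIR_ALLOW_NULL_NULL_IX),`. The whack table spells the full `impair-` name itself, so it is not affected.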
@@ -1702,6 +1703,8 @@ int main(int argc, char **argv)
 		libreswan_log("Warning: IMPAIR_SA_CREATION enabled");
 	if (DBGP(IMPAIR_JACOB_TWO_TWO))
 		libreswan_log("Warning: IMPAIR_JACOB_TWO_TWO enabled");
+	if (DBGP(IMPAIR_ALLOW_NULL_NULL))
+		libreswan_log("Warning: IMPAIR_ALLOW_NULL_NULL enabled");
 	if (DBGP(IMPAIR_DIE_ONINFO))
 		libreswan_log("Warning: IMPAIR_DIE_ONINFO enabled");
 	if (DBGP(IMPAIR_MAJOR_VERSION_BUMP))
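Review bot: This warning is written only when pluto reaches this point in main(), so it covers the flag given at startup. The usage shown with the patch sets the bit at runtime through `ipsec whack --impair-allow-null-null`, and whether that path logs anything is not visible here. Since the impairment lets connections load with no encryption and no integrity, it would be worth logging where the proposal is accepted as well, and making the text say what is at stake, e.g. `libreswan_log("Warning: IMPAIR_ALLOW_NULL_NULL enabled - esp=null-null and ah=null accepted, traffic is unprotected");`. main() continues outside the hunk.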
diff --git a/programs/whack/whack.c b/programs/whack/whack.c
index 8018fc4..38cb235 100644
--- a/programs/whack/whack.c
+++ b/programs/whack/whack.c
@@ -748,6 +748,8 @@ static const struct option long_opts[] = {
 	{ "impair-die-oninfo", no_argument, NULL, IMPAIR_DIE_ONINFO_IX  + DO },
 	{ "impair-jacob-two-two", no_argument, NULL,
 		IMPAIR_JACOB_TWO_TWO_IX + DO },
+	{ "impair-allow-null-null", no_argument, NULL,
+		IMPAIR_ALLOW_NULL_NULL_IX + DO },
 	{ "impair-major-version-bump", no_argument, NULL,
 		IMPAIR_MAJOR_VERSION_BUMP_IX + DO },
 	{ "impair-minor-version-bump", no_argument, NULL,

