[Swan] using esp=null, auth=null for testing/devel..
Paul Wouters
paul at nohats.ca
Fri Sep 1 21:04:50 UTC 2017
On Fri, 1 Sep 2017, Paul Wouters wrote:
>> I'd like to set up both esp and auth to NULL to test some kernel
>> code (for perf, so want to eliminate the cost of crypto).
Try the attached patch (untested other than seeing the connection loaded):
# ipsec auto --add nulltest
036 Failed to add connection "nulltest", esp="null-null" is invalid: non-AEAD ESP encryption algorithm 'null' cannot have a 'null' integrity algorithm, enc_alg="null"(0), auth_alg="null", modp=""
# ipsec whack --impair-allow-null-null
# ipsec auto --add nulltest
002 added connection description "nulltest"
Paul
-------------- next part --------------
diff --git a/include/pluto_constants.h b/include/pluto_constants.h
index 3667415..7beedb6 100644
--- a/include/pluto_constants.h
+++ b/include/pluto_constants.h
@@ -334,6 +334,7 @@ enum {
IMPAIR_DIE_ONINFO_IX, /* cause state to be deleted upon receipt of information payload */
IMPAIR_JACOB_TWO_TWO_IX, /* cause pluto to send all messages twice. */
/* cause pluto to send all messages twice. */
+ IMPAIR_ALLOW_NULL_NULL_IX, /* cause pluto to allow esp=null-null and ah=null for testing */
IMPAIR_MAJOR_VERSION_BUMP_IX, /* cause pluto to send an IKE major version that's higher then we support. */
IMPAIR_MINOR_VERSION_BUMP_IX, /* cause pluto to send an IKE minor version that's higher then we support. */
IMPAIR_RETRANSMITS_IX, /* cause pluto to never retransmit */
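Review bot: `IMPAIR_ALLOW_NULL_NULL_IX` is inserted in the middle of the enum, so every later impair index, and the `LELEM()` bit derived from it, moves up by one. If the tree keeps a name table or any other array laid out in this enum's order, it needs a matching entry at the same position; none is touched in this patch, so that is worth checking before merging. The enum starts and ends outside the hunk.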
@@ -382,6 +383,7 @@ enum {
#define IMPAIR_SA_CREATION LELEM(IMPAIR_SA_CREATION_IX)
#define IMPAIR_DIE_ONINFO LELEM(IMPAIR_DIE_ONINFO_IX)
#define IMPAIR_JACOB_TWO_TWO LELEM(IMPAIR_JACOB_TWO_TWO_IX)
+#define IMPAIR_ALLOW_NULL_NULL LELEM(IMPAIR_ALLOW_NULL_NULL_IX)
#define IMPAIR_MAJOR_VERSION_BUMP LELEM(IMPAIR_MAJOR_VERSION_BUMP_IX)
#define IMPAIR_MINOR_VERSION_BUMP LELEM(IMPAIR_MINOR_VERSION_BUMP_IX)
#define IMPAIR_RETRANSMITS LELEM(IMPAIR_RETRANSMITS_IX)
diff --git a/lib/libswan/alg_info.c b/lib/libswan/alg_info.c
index 600f04e..ab857b6 100644
--- a/lib/libswan/alg_info.c
+++ b/lib/libswan/alg_info.c
@@ -423,8 +423,8 @@ static const char *add_proposal_defaults(const struct parser_param *param,
return add_proposal_defaults(param, policy, defaults,
alg_info, &merged_proposal,
err_buf, err_buf_len);
- } else if (proposal->encrypt != NULL && !ike_alg_is_aead(proposal->encrypt)
- && proposal->integ != NULL && proposal->integ == &ike_alg_integ_null) {
+ } else if (!DBGP(IMPAIR_ALLOW_NULL_NULL) && (proposal->encrypt != NULL && !ike_alg_is_aead(proposal->encrypt)
+ && proposal->integ != NULL && proposal->integ == &ike_alg_integ_null)) {
/*
* For instance, esp=aes_gcm-sha1" is invalid.
*/
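Review bot: The bypass in the new `else if` condition is not tied to the test connection: `DBGP()` takes no connection argument, so the flag appears to be process-wide and every connection added while it is set can load a non-AEAD proposal with null integrity. The check also runs only when the proposal is parsed, so a connection admitted this way presumably stays loaded after the impair is cleared. Such a proposal has neither confidentiality nor integrity, so I would say so at the site, e.g. `/* IMPAIR_ALLOW_NULL_NULL: test-only; admits ESP with no encryption and no integrity */`, and put the impair test on its own line so the original condition stays readable. `add_proposal_defaults()` begins before and continues past this hunk, so the branch that now handles these proposals is not visible here.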
diff --git a/lib/libswan/esp_info.c b/lib/libswan/esp_info.c
index 78ef680..3362f46 100644
--- a/lib/libswan/esp_info.c
+++ b/lib/libswan/esp_info.c
@@ -83,6 +83,9 @@ static bool ah_proposal_ok(const struct parser_policy *const policy UNUSED,
passert(proposal->prf == NULL);
passert(proposal->integ != NULL);
+ if (DBGP(IMPAIR_ALLOW_NULL_NULL))
+ return true;
+
/* ah=null is invalid */
if (proposal->integ == &ike_alg_integ_null) {
snprintf(err_buf, err_buf_len,
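Review bot: The early `return true` skips everything that follows in `ah_proposal_ok()`, not just the `ah=null` rejection, so with the impair set any other validation later in the function is bypassed as well. The function's end is outside this hunk, so how much that covers cannot be seen here. Scoping the impair to the one check keeps the rest intact: `if (!DBGP(IMPAIR_ALLOW_NULL_NULL) && proposal->integ == &ike_alg_integ_null) {`.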
diff --git a/programs/pluto/plutomain.c b/programs/pluto/plutomain.c
index 1bc7b5c..bd8edf7 100644
--- a/programs/pluto/plutomain.c
+++ b/programs/pluto/plutomain.c
@@ -608,6 +608,7 @@ static const struct option long_opts[] = {
I("sa-creation\0", IMPAIR_SA_CREATION_IX),
I("die-oninfo\0", IMPAIR_DIE_ONINFO_IX),
I("jacob-two-two\0", IMPAIR_JACOB_TWO_TWO_IX),
+ I("impair-allow-null-null\0", IMPAIR_ALLOW_NULL_NULL_IX),
I("major-version-bump\0", IMPAIR_MAJOR_VERSION_BUMP_IX),
I("minor-version-bump\0", IMPAIR_MINOR_VERSION_BUMP_IX),
I("retransmits\0", IMPAIR_RETRANSMITS_IX),
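Review bot: The new entry passes `"impair-allow-null-null\0"`, while the neighbouring entries pass the name without a prefix (`I("jacob-two-two\0", ...)`), which suggests the `I()` macro adds `impair-` itself. If so, pluto would register `--impair-impair-allow-null-null` and its option would not match the whack one. The macro definition is outside the hunk, so this needs confirming, but the line probably should be `I("allow-null-null\0", IMPAIR_ALLOW_NULL_NULL_IX),`.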
@@ -1702,6 +1703,8 @@ int main(int argc, char **argv)
libreswan_log("Warning: IMPAIR_SA_CREATION enabled");
if (DBGP(IMPAIR_JACOB_TWO_TWO))
libreswan_log("Warning: IMPAIR_JACOB_TWO_TWO enabled");
+ if (DBGP(IMPAIR_ALLOW_NULL_NULL))
+ libreswan_log("Warning: IMPAIR_ALLOW_NULL_NULL enabled");
if (DBGP(IMPAIR_DIE_ONINFO))
libreswan_log("Warning: IMPAIR_DIE_ONINFO enabled");
if (DBGP(IMPAIR_MAJOR_VERSION_BUMP))
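Review bot: This warning is emitted once from `main()` at startup, so it does not appear in the usage shown in the message, where the impair is turned on later with `ipsec whack --impair-allow-null-null`. Unless the whack handler logs impair changes elsewhere (not visible here), a daemon that starts accepting unprotected ESP/AH proposals leaves no log line saying so. Logging where the flag is applied at runtime, or where the null-null check is actually skipped, would close that gap. `main()` starts and ends outside the hunk.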
diff --git a/programs/whack/whack.c b/programs/whack/whack.c
index 8018fc4..38cb235 100644
--- a/programs/whack/whack.c
+++ b/programs/whack/whack.c
@@ -748,6 +748,8 @@ static const struct option long_opts[] = {
{ "impair-die-oninfo", no_argument, NULL, IMPAIR_DIE_ONINFO_IX + DO },
{ "impair-jacob-two-two", no_argument, NULL,
IMPAIR_JACOB_TWO_TWO_IX + DO },
+ { "impair-allow-null-null", no_argument, NULL,
+ IMPAIR_ALLOW_NULL_NULL_IX + DO },
{ "impair-major-version-bump", no_argument, NULL,
IMPAIR_MAJOR_VERSION_BUMP_IX + DO },
{ "impair-minor-version-bump", no_argument, NULL,