On Fri, 1 Sep 2017, Paul Wouters wrote:

I'd like to set up both esp and auth to NULL to test some kernel
code (for perf, so want to eliminate the cost of crypto).

Try the attached patch (untested other than seeing the connection loaded):

# ipsec auto --add nulltest
036 Failed to add connection "nulltest", esp="null-null" is invalid: non-AEAD ESP encryption algorithm 'null' 
cannot have a 'null' integrity algorithm, enc_alg="null"(0), auth_alg="null", modp=""
# ipsec whack --impair-allow-null-null
# ipsec auto --add nulltest
002 added connection description "nulltest"

Paul
diff --git a/include/pluto_constants.h b/include/pluto_constants.h
index 3667415..7beedb6 100644
--- a/include/pluto_constants.h
+++ b/include/pluto_constants.h
@@ -334,6 +334,7 @@ enum {
        IMPAIR_DIE_ONINFO_IX,                   /* cause state to be deleted 
upon receipt of information payload */
        IMPAIR_JACOB_TWO_TWO_IX,                /* cause pluto to send all 
messages twice. */
                                                /* cause pluto to send all 
messages twice. */
+       IMPAIR_ALLOW_NULL_NULL_IX,                      /* cause pluto to allow 
esp=null-null and ah=null for testing */
        IMPAIR_MAJOR_VERSION_BUMP_IX,           /* cause pluto to send an IKE 
major version that's higher then we support. */
        IMPAIR_MINOR_VERSION_BUMP_IX,           /* cause pluto to send an IKE 
minor version that's higher then we support. */
        IMPAIR_RETRANSMITS_IX,                  /* cause pluto to never 
retransmit */
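Review bot: Inserting `IMPAIR_ALLOW_NULL_NULL_IX` in the middle of the enum renumbers every impair index after it, and nothing in this patch updates a name table or other array indexed by these values. If one exists elsewhere in the tree (not visible here), it needs a matching entry at the same position, otherwise the later impair bits would be reported under the wrong names. The renumbering also means pluto and whack must be rebuilt together, since the option tables in both derive their values from this enum. The enum starts and ends outside the hunk.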
@@ -382,6 +383,7 @@ enum {
 #define IMPAIR_SA_CREATION     LELEM(IMPAIR_SA_CREATION_IX)
 #define IMPAIR_DIE_ONINFO      LELEM(IMPAIR_DIE_ONINFO_IX)
 #define IMPAIR_JACOB_TWO_TWO   LELEM(IMPAIR_JACOB_TWO_TWO_IX)
+#define IMPAIR_ALLOW_NULL_NULL LELEM(IMPAIR_ALLOW_NULL_NULL_IX)
 #define IMPAIR_MAJOR_VERSION_BUMP      LELEM(IMPAIR_MAJOR_VERSION_BUMP_IX)
 #define IMPAIR_MINOR_VERSION_BUMP      LELEM(IMPAIR_MINOR_VERSION_BUMP_IX)
 #define IMPAIR_RETRANSMITS     LELEM(IMPAIR_RETRANSMITS_IX)
diff --git a/lib/libswan/alg_info.c b/lib/libswan/alg_info.c
index 600f04e..ab857b6 100644
--- a/lib/libswan/alg_info.c
+++ b/lib/libswan/alg_info.c
@@ -423,8 +423,8 @@ static const char *add_proposal_defaults(const struct 
parser_param *param,
                return add_proposal_defaults(param, policy, defaults,
                                             alg_info, &merged_proposal,
                                             err_buf, err_buf_len);
-       } else if (proposal->encrypt != NULL && 
!ike_alg_is_aead(proposal->encrypt)
-                  && proposal->integ != NULL && proposal->integ == 
&ike_alg_integ_null) {
+       } else if (!DBGP(IMPAIR_ALLOW_NULL_NULL) && (proposal->encrypt != NULL 
&& !ike_alg_is_aead(proposal->encrypt)
+                  && proposal->integ != NULL && proposal->integ == 
&ike_alg_integ_null)) {
                /*
                 * For instance, esp=aes_gcm-sha1" is invalid.
                 */
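Review bot: With the impair bit set, the added `!DBGP(IMPAIR_ALLOW_NULL_NULL) &&` disables the whole non-AEAD-with-null-integrity check, so any non-AEAD cipher paired with integ=null passes this branch, not only esp=null-null as the flag name and its enum comment state. Narrowing the bypass to the case where `proposal->encrypt` is the null cipher would keep the impair from quietly accepting other unauthenticated ESP proposals on a host where it was left enabled. The context comment `esp=aes_gcm-sha1" is invalid` does not appear to describe this condition; something like `/* non-AEAD encryption with integ=null is rejected unless IMPAIR_ALLOW_NULL_NULL is set */` would document what the branch now does. add_proposal_defaults starts and ends outside the hunk.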
diff --git a/lib/libswan/esp_info.c b/lib/libswan/esp_info.c
index 78ef680..3362f46 100644
--- a/lib/libswan/esp_info.c
+++ b/lib/libswan/esp_info.c
@@ -83,6 +83,9 @@ static bool ah_proposal_ok(const struct parser_policy *const 
policy UNUSED,
        passert(proposal->prf == NULL);
        passert(proposal->integ != NULL);
 
+       if (DBGP(IMPAIR_ALLOW_NULL_NULL))
+               return true;
+
        /* ah=null is invalid */
        if (proposal->integ == &ike_alg_integ_null) {
                snprintf(err_buf, err_buf_len,
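Review bot: The early `return true` under `DBGP(IMPAIR_ALLOW_NULL_NULL)` skips everything that follows in ah_proposal_ok, not just the ah=null rejection it is meant to relax. The function continues past the hunk, so any later validation would also be bypassed while the impair is on. Scoping the exemption to the one check keeps the rest intact: `if (proposal->integ == &ike_alg_integ_null && !DBGP(IMPAIR_ALLOW_NULL_NULL)) {`.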
diff --git a/programs/pluto/plutomain.c b/programs/pluto/plutomain.c
index 1bc7b5c..bd8edf7 100644
--- a/programs/pluto/plutomain.c
+++ b/programs/pluto/plutomain.c
@@ -608,6 +608,7 @@ static const struct option long_opts[] = {
        I("sa-creation\0", IMPAIR_SA_CREATION_IX),
        I("die-oninfo\0", IMPAIR_DIE_ONINFO_IX),
        I("jacob-two-two\0", IMPAIR_JACOB_TWO_TWO_IX),
+       I("impair-allow-null-null\0", IMPAIR_ALLOW_NULL_NULL_IX),
        I("major-version-bump\0", IMPAIR_MAJOR_VERSION_BUMP_IX),
        I("minor-version-bump\0", IMPAIR_MINOR_VERSION_BUMP_IX),
        I("retransmits\0", IMPAIR_RETRANSMITS_IX),
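Review bot: The new entry spells the option as `impair-allow-null-null\0`, while every neighbouring `I(...)` entry omits the prefix (`sa-creation\0`, `die-oninfo\0`, `jacob-two-two\0`). If the `I` macro prepends `impair-`, as the matching whack option names suggest, pluto would register `--impair-impair-allow-null-null`. The entry should probably read `I("allow-null-null\0", IMPAIR_ALLOW_NULL_NULL_IX),`. The macro definition and the rest of long_opts are outside the hunk, so confirm against them.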
@@ -1702,6 +1703,8 @@ int main(int argc, char **argv)
                libreswan_log("Warning: IMPAIR_SA_CREATION enabled");
        if (DBGP(IMPAIR_JACOB_TWO_TWO))
                libreswan_log("Warning: IMPAIR_JACOB_TWO_TWO enabled");
+       if (DBGP(IMPAIR_ALLOW_NULL_NULL))
+               libreswan_log("Warning: IMPAIR_ALLOW_NULL_NULL enabled");
        if (DBGP(IMPAIR_DIE_ONINFO))
                libreswan_log("Warning: IMPAIR_DIE_ONINFO enabled");
        if (DBGP(IMPAIR_MAJOR_VERSION_BUMP))
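Review bot: This warning sits in main(), so it presumably only fires when the impair is already set at pluto startup, whereas the usage shown with the patch enables it at runtime through `ipsec whack --impair-allow-null-null`. Because the flag permits connections with neither encryption nor integrity, a log line at the point where such a proposal is accepted would give operators something to detect and alert on. A comment here such as `/* startup only; runtime changes via whack are not reported here */` would make the gap explicit. main() starts and ends outside the hunk, and the whack handling path is not visible.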
diff --git a/programs/whack/whack.c b/programs/whack/whack.c
index 8018fc4..38cb235 100644
--- a/programs/whack/whack.c
+++ b/programs/whack/whack.c
@@ -748,6 +748,8 @@ static const struct option long_opts[] = {
        { "impair-die-oninfo", no_argument, NULL, IMPAIR_DIE_ONINFO_IX  + DO },
        { "impair-jacob-two-two", no_argument, NULL,
                IMPAIR_JACOB_TWO_TWO_IX + DO },
+       { "impair-allow-null-null", no_argument, NULL,
+               IMPAIR_ALLOW_NULL_NULL_IX + DO },
        { "impair-major-version-bump", no_argument, NULL,
                IMPAIR_MAJOR_VERSION_BUMP_IX + DO },
        { "impair-minor-version-bump", no_argument, NULL,