#!/bin/sh
# The IKE Scanner (ike-scan) is Copyright (C) 2003-2007 Roy Hills,
# NTA Monitor Ltd.
#
# This file is part of ike-scan.
#
# ike-scan is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# ike-scan is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with ike-scan.  If not, see <http://www.gnu.org/licenses/>.
#
# check-decode -- Shell script to test ike-scan packet decoding
#
# Author: Roy Hills
# Date: 02 January 2007
#
# This script checks that ike-scan decodes and displays IKE packets correctly
# It uses the undocumented ike-scan option --readpktfromfile to read the
# packet from a file rather than from the network.
#
# The packet data files contain example responses from various VPN servers.
# In each case the initiator cookie is set to "deadbeefdeadbeef", so we
# specify this to ike-scan to ensure that the packet will be matched and
# displayed.
#
IKESCANOUTPUT=/tmp/ike-scan-output.$$.tmp
EXAMPLEOUTPUT=/tmp/example-output.$$.tmp

# Main Mode response from CheckPoint Firewall-1 NGX R60
SAMPLE01="$srcdir/pkt-main-mode-response.dat"

# Aggressive Mode response from Netscreen ScreenOS 5.4.0
SAMPLE02="$srcdir/pkt-aggr-mode-response.dat"

# Notify response from CheckPoint Firewall-1 NGX R60
SAMPLE03="$srcdir/pkt-notify-response.dat"

# IKEv2 SA_INIT response from strongSwan 4.0.5
SAMPLE04="$srcdir/pkt-v2-sainit-response.dat"

# IKEv2 notify response from strongSwan 4.0.5
SAMPLE05="$srcdir/pkt-v2-notify-response.dat"

# Aggressive Mode response with certificate from Borderware 3.8
SAMPLE06="$srcdir/pkt-aggr-cert-response.dat"

# Main Mode response with NAT-T from CheckPoint NGX
SAMPLE07="$srcdir/pkt-main-natt-response.dat"

# Checkpoint 9101 notify response from fw-1 4.0
SAMPLE08="$srcdir/pkt-checkpoint-notify.dat"
#
echo "Checking ike-scan main mode decode using $SAMPLE01 ..."
cat >$EXAMPLEOUTPUT <<_EOF_
127.0.0.1	(0.0.0.0) Main Mode Handshake returned
	HDR=(CKY-R=636fa075dcf8ba90)
	SA=(Enc=3DES Hash=SHA1 Auth=RSA_Sig Group=2:modp1024 LifeType=Seconds LifeDuration(4)=0x00007080)
	VID=f4ed19e0c114eb516faaac0ee37daf2807b4381f000000010000138d459becd70000000018000000 (Firewall-1 NGX or later)

_EOF_
IKEARGS="-s 0 -r 1 -N -M -I $srcdir/ike-vendor-ids --cookie=deadbeefdeadbeef"
$srcdir/ike-scan $IKEARGS --readpktfromfile=$SAMPLE01 127.0.0.1 | grep -v '^Starting ike-scan ' | grep -v '^Ending ike-scan ' >$IKESCANOUTPUT 2>&1
if test $? -ne 0; then
   rm -f $IKESCANOUTPUT
   rm -f $EXAMPLEOUTPUT
   echo "FAILED"
   exit 1
fi
cmp -s $IKESCANOUTPUT $EXAMPLEOUTPUT
if test $? -ne 0; then
   rm -f $IKESCANOUTPUT
   rm -f $EXAMPLEOUTPUT
   echo "FAILED"
   exit 1
fi
echo "ok"
rm -f $IKESCANOUTPUT
rm -f $EXAMPLEOUTPUT
#
echo "Checking ike-scan aggressive mode decode using $SAMPLE02 ..."
cat >$EXAMPLEOUTPUT <<_EOF_
127.0.0.1	(0.0.0.0) Aggressive Mode Handshake returned
	HDR=(CKY-R=61a878367079dd35)
	SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800)
	VID=166f932d55eb64d8e4df4fd37e2313f0d0fd84510000000000000000 (Netscreen-15)
	VID=afcad71368a1f1c96b8696fc77570100 (Dead Peer Detection v1.0)
	VID=4865617274426561745f4e6f74696679386b0100 (HeartBeat_Notify)
	KeyExchange(128 bytes)
	Nonce(20 bytes)
	ID(Type=ID_IPV4_ADDR, Value=62.3.105.251)
	Hash(20 bytes)

IKE PSK parameters (g_xr:g_xi:cky_r:cky_i:sai_b:idir_b:ni_b:nr_b:hash_r):
9a1f1fce36808165e6b253df5845567aebe67bcbcfed3f3347ca6349926bbc9f9bdc2ce1a3297ae7ffaf0fe86b4ae05ae63e2bf084b7f78c19d154560067b9a1492259a203df7d3d286dc093e1ea64f0683fb7bc1bbdd98fd34cd6568a9547573a9933f0d44aab7b21499d5995797cf183392a3dac51cb320fa56c0c57cff1bd:745db39c98420dc9f9d777c58f7eacc7b1da54dc17a1c845e92490269a5cc6461e20d232ab7e47cd9e84aed0ec9e48f57c1fa8281a1f3de07635bb1dbae9995b78e84d0370374180dc1da17c456df7ae506dbd54c9a373b67fc979cdf6c0c85efe092719af8daa8f3296550ef00eca80fb5652714c5486032539ab0522f7d7c5:61a878367079dd35:deadbeefdeadbeef:00000001000000010000009801010004030000240101000080010005800200028003000180040002800b0001000c000400007080030000240201000080010005800200018003000180040002800b0001000c000400007080030000240301000080010001800200028003000180040002800b0001000c000400007080000000240401000080010001800200018003000180040002800b0001000c000400007080:011101f43e0369fb:2f6b0731d3e2667f2685429f35dc5dd1ccec0e70:8ffc97aebdf3ea384341f12392043badce30c230:950d8c8ea94a4af3d0b078372e81608890485b54
_EOF_
IKEARGS="-s 0 -r 1 -N -A -M --randomseed=1234 -I $srcdir/ike-vendor-ids --cookie=deadbeefdeadbeef --pskcrack"
$srcdir/ike-scan $IKEARGS --readpktfromfile=$SAMPLE02 127.0.0.1 | grep -v '^Starting ike-scan ' | grep -v '^Ending ike-scan ' >$IKESCANOUTPUT 2>&1
if test $? -ne 0; then
   rm -f $IKESCANOUTPUT
   rm -f $EXAMPLEOUTPUT
   echo "FAILED"
   exit 1
fi
cmp -s $IKESCANOUTPUT $EXAMPLEOUTPUT
if test $? -ne 0; then
   rm -f $IKESCANOUTPUT
   rm -f $EXAMPLEOUTPUT
   echo "FAILED"
   exit 1
fi
echo "ok"
rm -f $IKESCANOUTPUT
rm -f $EXAMPLEOUTPUT
#
echo "Checking ike-scan notify message decode using $SAMPLE03 ..."
cat >$EXAMPLEOUTPUT <<_EOF_
127.0.0.1	(0.0.0.0) Notify message 14 (NO-PROPOSAL-CHOSEN)
	HDR=(CKY-R=0000000000000000, msgid=41a8534e)

_EOF_
IKEARGS="-s 0 -r 1 -N -M -I $srcdir/ike-vendor-ids --cookie=deadbeefdeadbeef"
$srcdir/ike-scan $IKEARGS --readpktfromfile=$SAMPLE03 127.0.0.1 | grep -v '^Starting ike-scan ' | grep -v '^Ending ike-scan ' >$IKESCANOUTPUT 2>&1
if test $? -ne 0; then
   rm -f $IKESCANOUTPUT
   rm -f $EXAMPLEOUTPUT
   echo "FAILED"
   exit 1
fi
cmp -s $IKESCANOUTPUT $EXAMPLEOUTPUT
if test $? -ne 0; then
   rm -f $IKESCANOUTPUT
   rm -f $EXAMPLEOUTPUT
   echo "FAILED"
   exit 1
fi
echo "ok"
rm -f $IKESCANOUTPUT
rm -f $EXAMPLEOUTPUT
#
echo "Checking ike-scan IKEv2 SA_INIT decode using $SAMPLE04 ..."
cat >$EXAMPLEOUTPUT <<_EOF_
127.0.0.1	(0.0.0.0) IKEv2 SA_INIT Handshake returned
	HDR=(CKY-R=224bb31e5cd6a0db, IKEv2)
	SA=(Encr=AES_CBC,KeyLength=128 Integ=HMAC_SHA1_96 Prf=HMAC_SHA1 DH_Group=14:modp2048)
	KeyExchange(132 bytes)
	Nonce(16 bytes)

_EOF_
IKEARGS="-s 0 -r 1 -N -M -I $srcdir/ike-vendor-ids --cookie=deadbeefdeadbeef"
$srcdir/ike-scan $IKEARGS --readpktfromfile=$SAMPLE04 127.0.0.1 | grep -v '^Starting ike-scan ' | grep -v '^Ending ike-scan ' >$IKESCANOUTPUT 2>&1
if test $? -ne 0; then
   rm -f $IKESCANOUTPUT
   rm -f $EXAMPLEOUTPUT
   echo "FAILED"
   exit 1
fi
cmp -s $IKESCANOUTPUT $EXAMPLEOUTPUT
if test $? -ne 0; then
   rm -f $IKESCANOUTPUT
   rm -f $EXAMPLEOUTPUT
   echo "FAILED"
   exit 1
fi
echo "ok"
rm -f $IKESCANOUTPUT
rm -f $EXAMPLEOUTPUT
#
echo "Checking ike-scan IKEv2 notify decode using $SAMPLE05 ..."
cat >$EXAMPLEOUTPUT <<_EOF_
127.0.0.1	(0.0.0.0) Notify message 14 (NO_PROPOSAL_CHOSEN)
	HDR=(CKY-R=16d65a5a981a7c48, IKEv2)

_EOF_
IKEARGS="-s 0 -r 1 -N -M -I $srcdir/ike-vendor-ids --cookie=deadbeefdeadbeef"
$srcdir/ike-scan $IKEARGS --readpktfromfile=$SAMPLE05 127.0.0.1 | grep -v '^Starting ike-scan ' | grep -v '^Ending ike-scan ' >$IKESCANOUTPUT 2>&1
if test $? -ne 0; then
   rm -f $IKESCANOUTPUT
   rm -f $EXAMPLEOUTPUT
   echo "FAILED"
   exit 1
fi
cmp -s $IKESCANOUTPUT $EXAMPLEOUTPUT
if test $? -ne 0; then
   rm -f $IKESCANOUTPUT
   rm -f $EXAMPLEOUTPUT
   echo "FAILED"
   exit 1
fi
echo "ok"
rm -f $IKESCANOUTPUT
rm -f $EXAMPLEOUTPUT
#
echo "Checking ike-scan certificate decode using $SAMPLE06 ..."
cat >$EXAMPLEOUTPUT <<_EOF_
127.0.0.1	(0.0.0.0) Aggressive Mode Handshake returned
	HDR=(CKY-R=94403c1b3fcacf94)
	SA=(Enc=3DES Hash=SHA1 Auth=RSA_Sig Group=2:modp1024 LifeType=Seconds LifeDuration(4)=0x00007080)
	KeyExchange(128 bytes)
	Nonce(20 bytes)
	ID(Type=ID_IPV4_ADDR, Value=172.16.3.27)
	Certificate(Type=X.509 Certificate - Signature, Length=1376 bytes)
	Signature(256 bytes)

_EOF_
IKEARGS="-s 0 -r 1 -N -A -M -I $srcdir/ike-vendor-ids --cookie=deadbeefdeadbeef"
$srcdir/ike-scan $IKEARGS --readpktfromfile=$SAMPLE06 127.0.0.1 | grep -v '^Starting ike-scan ' | grep -v '^Ending ike-scan ' >$IKESCANOUTPUT 2>&1
if test $? -ne 0; then
   rm -f $IKESCANOUTPUT
   rm -f $EXAMPLEOUTPUT
   echo "FAILED"
   exit 1
fi
cmp -s $IKESCANOUTPUT $EXAMPLEOUTPUT
if test $? -ne 0; then
   rm -f $IKESCANOUTPUT
   rm -f $EXAMPLEOUTPUT
   echo "FAILED"
   exit 1
fi
echo "ok"
rm -f $IKESCANOUTPUT
rm -f $EXAMPLEOUTPUT
#
echo "Checking ike-scan NAT-T decode using $SAMPLE07 ..."
cat >$EXAMPLEOUTPUT <<_EOF_
127.0.0.1	(0.0.0.0) Main Mode Handshake returned
	HDR=(CKY-R=f92704e8a4245b38)
	SA=(Enc=3DES Hash=SHA1 Auth=RSA_Sig Group=2:modp1024 LifeType=Seconds LifeDuration(4)=0x00007080)
	VID=f4ed19e0c114eb516faaac0ee37daf2807b4381f000000010000138d459d15d80000000018000000 (Firewall-1 NGX or later)

_EOF_
IKEARGS="--nat-t -s 0 -r 1 -N -M -I $srcdir/ike-vendor-ids --cookie=deadbeefdeadbeef"
$srcdir/ike-scan $IKEARGS --readpktfromfile=$SAMPLE07 127.0.0.1 | grep -v '^Starting ike-scan ' | grep -v '^Ending ike-scan ' >$IKESCANOUTPUT 2>&1
if test $? -ne 0; then
   rm -f $IKESCANOUTPUT
   rm -f $EXAMPLEOUTPUT
   echo "FAILED"
   exit 1
fi
cmp -s $IKESCANOUTPUT $EXAMPLEOUTPUT
if test $? -ne 0; then
   rm -f $IKESCANOUTPUT
   rm -f $EXAMPLEOUTPUT
   echo "FAILED"
   exit 1
fi
echo "ok"
rm -f $IKESCANOUTPUT
rm -f $EXAMPLEOUTPUT
#
echo "Checking ike-scan CheckPoint Notify decode using $SAMPLE08 ..."
cat >$EXAMPLEOUTPUT <<_EOF_
127.0.0.1	(0.0.0.0) Notify message 9101 (Firewall-1) Message="User testing unknown.\000"
	HDR=(CKY-R=0000000000000000)

_EOF_
IKEARGS="-s 0 -r 1 -N -M -I $srcdir/ike-vendor-ids --cookie=deadbeefdeadbeef"
$srcdir/ike-scan $IKEARGS --readpktfromfile=$SAMPLE08 127.0.0.1 | grep -v '^Starting ike-scan ' | grep -v '^Ending ike-scan ' >$IKESCANOUTPUT 2>&1
if test $? -ne 0; then
   rm -f $IKESCANOUTPUT
   rm -f $EXAMPLEOUTPUT
   echo "FAILED"
   exit 1
fi
cmp -s $IKESCANOUTPUT $EXAMPLEOUTPUT
if test $? -ne 0; then
   rm -f $IKESCANOUTPUT
   rm -f $EXAMPLEOUTPUT
   echo "FAILED"
   exit 1
fi
echo "ok"
rm -f $IKESCANOUTPUT
rm -f $EXAMPLEOUTPUT
