authorYves-Alexis Perez <corsac@debian.org>2015-06-08 15:35:16 +0200
committerYves-Alexis Perez <corsac@debian.org>2015-06-08 15:35:16 +0200
commitb238cf34df3fe4476ae6b7012e7cb3e9769d4d51 (patch)
treef17b69b2ade74cd41aaee818e50657465602522d /src
parentfc556ec2bc92a9d476c11406fad2c33db8bf7cb0 (diff)
Imported Upstream version 5.3.2
Diffstat (limited to 'src')
-rw-r--r--src/libcharon/sa/child_sa.c4
-rw-r--r--src/libcharon/sa/ikev2/tasks/ike_auth.c44
-rw-r--r--src/libimcv/tcg/tcg_attr.c10
-rw-r--r--src/libimcv/tcg/tcg_attr.h2
-rw-r--r--src/libstrongswan/crypto/iv/iv_gen_seq.c32
-rw-r--r--src/libstrongswan/tests/Makefile.am1
-rw-r--r--src/libstrongswan/tests/Makefile.in19
-rw-r--r--src/libstrongswan/tests/suites/test_iv_gen.c73
-rw-r--r--src/libstrongswan/tests/tests.h1
9 files changed, 174 insertions, 12 deletions
diff --git a/src/libcharon/sa/child_sa.c b/src/libcharon/sa/child_sa.c
index e0db2e655..94cf07c33 100644
--- a/src/libcharon/sa/child_sa.c
+++ b/src/libcharon/sa/child_sa.c
@@ -698,7 +698,7 @@ METHOD(child_sa_t, install, status_t,
this->proposal->get_algorithm(this->proposal, EXTENDED_SEQUENCE_NUMBERS,
&esn, NULL);
- if (!this->reqid_allocated)
+ if (!this->reqid_allocated && !this->reqid)
{
status = hydra->kernel_interface->alloc_reqid(hydra->kernel_interface,
my_ts, other_ts, this->mark_in, this->mark_out,
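Review bot: In both this hunk and the add_policies hunk below, a non-zero `this->reqid` now bypasses alloc_reqid(), so a pre-set reqid is neither allocated nor confirmed with the kernel; whether `reqid_allocated` stays false on that path and what the release side does with it is outside the hunk, and is worth checking because a preset value that collides with a kernel-allocated one would attach policies to the wrong SA. The intent deserves a comment on the new condition, e.g. `/* only allocate a reqid if none was configured explicitly */`. The existing comment in the add_policies hunk, `/* trap policy, get or confirm reqid */`, now overstates what happens for a preset reqid and should read `/* trap policy, get or confirm reqid unless one was preset */`. Both install and add_policies continue outside their hunks.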
@@ -826,7 +826,7 @@ METHOD(child_sa_t, add_policies, status_t,
traffic_selector_t *my_ts, *other_ts;
status_t status = SUCCESS;
- if (!this->reqid_allocated)
+ if (!this->reqid_allocated && !this->reqid)
{
/* trap policy, get or confirm reqid */
status = hydra->kernel_interface->alloc_reqid(
diff --git a/src/libcharon/sa/ikev2/tasks/ike_auth.c b/src/libcharon/sa/ikev2/tasks/ike_auth.c
index bf747a49e..2554496c1 100644
--- a/src/libcharon/sa/ikev2/tasks/ike_auth.c
+++ b/src/libcharon/sa/ikev2/tasks/ike_auth.c
@@ -112,6 +112,11 @@ struct private_ike_auth_t {
* received an INITIAL_CONTACT?
*/
bool initial_contact;
+
+ /**
+ * Is EAP acceptable, did we strictly authenticate peer?
+ */
+ bool eap_acceptable;
};
/**
@@ -879,6 +884,37 @@ static void send_auth_failed_informational(private_ike_auth_t *this,
message->destroy(message);
}
+/**
+ * Check if strict constraint fullfillment required to continue current auth
+ */
+static bool require_strict(private_ike_auth_t *this, bool mutual_eap)
+{
+ auth_cfg_t *cfg;
+
+ if (this->eap_acceptable)
+ {
+ return FALSE;
+ }
+
+ cfg = this->ike_sa->get_auth_cfg(this->ike_sa, TRUE);
+ switch ((uintptr_t)cfg->get(cfg, AUTH_RULE_AUTH_CLASS))
+ {
+ case AUTH_CLASS_EAP:
+ if (mutual_eap && this->my_auth)
+ {
+ this->eap_acceptable = TRUE;
+ return !this->my_auth->is_mutual(this->my_auth);
+ }
+ return TRUE;
+ case AUTH_CLASS_PSK:
+ return TRUE;
+ case AUTH_CLASS_PUBKEY:
+ case AUTH_CLASS_ANY:
+ default:
+ return FALSE;
+ }
+}
+
METHOD(task_t, process_i, status_t,
private_ike_auth_t *this, message_t *message)
{
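Review bot: The `default:` arm of require_strict is grouped with AUTH_CLASS_PUBKEY and AUTH_CLASS_ANY and returns FALSE, so any auth class value not listed here silently skips the strict candidate check; if `update_cfg_candidates(this, TRUE)` is the stricter path, as the name suggests, the unknown case should fail closed with a separate `default: return TRUE;` and keep PUBKEY/ANY as the explicit non-strict cases. The function also sets `this->eap_acceptable = TRUE` as a side effect, which the header comment does not mention; extend it to say that once a mutual-EAP exchange has been accepted, later calls return FALSE without re-evaluating the auth class. The comment has a typo: `fullfillment` should be `fulfillment`.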
@@ -1014,6 +1050,14 @@ METHOD(task_t, process_i, status_t,
}
}
+ if (require_strict(this, mutual_eap))
+ {
+ if (!update_cfg_candidates(this, TRUE))
+ {
+ goto peer_auth_failed;
+ }
+ }
+
if (this->my_auth)
{
switch (this->my_auth->process(this->my_auth, message))
diff --git a/src/libimcv/tcg/tcg_attr.c b/src/libimcv/tcg/tcg_attr.c
index 79492913b..3ed6e8699 100644
--- a/src/libimcv/tcg/tcg_attr.c
+++ b/src/libimcv/tcg/tcg_attr.c
@@ -47,16 +47,18 @@ ENUM_BEGIN(tcg_attr_names, TCG_SCAP_REFERENCES,
"SCAP Results",
"SCAP Summary Results");
ENUM_NEXT(tcg_attr_names, TCG_SWID_REQUEST,
- TCG_SWID_TAG_EVENTS,
+ TCG_SWID_SUBSCRIPTION_STATUS_RESP,
TCG_SCAP_SUMMARY_RESULTS,
"SWID Request",
"SWID Tag Identifier Inventory",
"SWID Tag Identifier Events",
"SWID Tag Inventory",
- "SWID Tag Events");
+ "SWID Tag Events",
+ "SWID Subscription Status Request",
+ "SWID Subscription Status Response");
ENUM_NEXT(tcg_attr_names, TCG_SEG_MAX_ATTR_SIZE_REQ,
TCG_SEG_CANCEL_SEG_EXCH,
- TCG_SWID_TAG_EVENTS,
+ TCG_SWID_SUBSCRIPTION_STATUS_RESP,
"Max Attribute Size Request",
"Max Attribute Size Response",
"Attribute Segment Envelope",
@@ -253,6 +255,8 @@ pa_tnc_attr_t* tcg_attr_create_from_data(u_int32_t type, size_t length, chunk_t
/* unsupported TCG/SWID attributes */
case TCG_SWID_TAG_ID_EVENTS:
case TCG_SWID_TAG_EVENTS:
+ case TCG_SWID_SUBSCRIPTION_STATUS_REQ:
+ case TCG_SWID_SUBSCRIPTION_STATUS_RESP:
/* unsupported TCG/PTS attributes */
case TCG_PTS_REQ_TEMPL_REF_MANI_SET_META:
case TCG_PTS_TEMPL_REF_MANI_SET_META:
diff --git a/src/libimcv/tcg/tcg_attr.h b/src/libimcv/tcg/tcg_attr.h
index 9523f8e18..3a9a7b2e7 100644
--- a/src/libimcv/tcg/tcg_attr.h
+++ b/src/libimcv/tcg/tcg_attr.h
@@ -45,6 +45,8 @@ enum tcg_attr_t {
TCG_SWID_TAG_ID_EVENTS = 0x00000013,
TCG_SWID_TAG_INVENTORY = 0x00000014,
TCG_SWID_TAG_EVENTS = 0x00000015,
+ TCG_SWID_SUBSCRIPTION_STATUS_REQ = 0x00000016,
+ TCG_SWID_SUBSCRIPTION_STATUS_RESP = 0x00000017,
/* IF-M Attribute Segmentation */
TCG_SEG_MAX_ATTR_SIZE_REQ = 0x00000021,
diff --git a/src/libstrongswan/crypto/iv/iv_gen_seq.c b/src/libstrongswan/crypto/iv/iv_gen_seq.c
index 4de13744d..9f99c5192 100644
--- a/src/libstrongswan/crypto/iv/iv_gen_seq.c
+++ b/src/libstrongswan/crypto/iv/iv_gen_seq.c
@@ -19,6 +19,7 @@
* Magic value for the initial IV state
*/
#define SEQ_IV_INIT_STATE (~(u_int64_t)0)
+#define SEQ_IV_HIGH_MASK (1ULL << 63)
typedef struct private_iv_gen_t private_iv_gen_t;
@@ -33,9 +34,14 @@ struct private_iv_gen_t {
iv_gen_t public;
/**
- * Previously passed sequence number to enforce uniqueness
+ * Previously passed sequence number in lower space to enforce uniqueness
*/
- u_int64_t prev;
+ u_int64_t prevl;
+
+ /**
+ * Previously passed sequence number in upper space to enforce uniqueness
+ */
+ u_int64_t prevh;
/**
* Salt to mask counter
@@ -57,15 +63,26 @@ METHOD(iv_gen_t, get_iv, bool,
{
return FALSE;
}
- if (this->prev != SEQ_IV_INIT_STATE && seq <= this->prev)
+ if (this->prevl != SEQ_IV_INIT_STATE && seq <= this->prevl)
{
- return FALSE;
+ seq |= SEQ_IV_HIGH_MASK;
+ if (this->prevh != SEQ_IV_INIT_STATE && seq <= this->prevh)
+ {
+ return FALSE;
+ }
}
- if (seq == SEQ_IV_INIT_STATE)
+ if ((seq | SEQ_IV_HIGH_MASK) == SEQ_IV_INIT_STATE)
{
return FALSE;
}
- this->prev = seq;
+ if (seq & SEQ_IV_HIGH_MASK)
+ {
+ this->prevh = seq;
+ }
+ else
+ {
+ this->prevl = seq;
+ }
if (len > sizeof(u_int64_t))
{
len = sizeof(u_int64_t);
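Review bot: A caller-supplied seq whose top bit is already set is only compared against `prevh` when it also fails the `prevl` comparison, so after seq 5 has been used twice (prevl = 5, prevh = SEQ_IV_HIGH_MASK | 5) a later call with seq = SEQ_IV_HIGH_MASK | 5 passes the first `if`, never reaches the prevh check, and is stored and emitted as the same IV a second time. Since the change reserves bit 63 for the generator's own upper space, refuse such input before the comparisons: `if (seq & SEQ_IV_HIGH_MASK) { return FALSE; }`, or alternatively compare every high-bit value against prevh before storing it. That reservation should also be stated in the method's contract, since callers now get 63 usable bits and may pass each value at most twice. get_iv's signature and the len/buffer checks start before this hunk.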
@@ -107,7 +124,8 @@ iv_gen_t *iv_gen_seq_create()
.allocate_iv = _allocate_iv,
.destroy = _destroy,
},
- .prev = SEQ_IV_INIT_STATE,
+ .prevl = SEQ_IV_INIT_STATE,
+ .prevh = SEQ_IV_INIT_STATE,
);
rng = lib->crypto->create_rng(lib->crypto, RNG_STRONG);
diff --git a/src/libstrongswan/tests/Makefile.am b/src/libstrongswan/tests/Makefile.am
index 8c081c673..d86584ad1 100644
--- a/src/libstrongswan/tests/Makefile.am
+++ b/src/libstrongswan/tests/Makefile.am
@@ -47,6 +47,7 @@ tests_SOURCES = tests.h tests.c \
suites/test_hasher.c \
suites/test_crypter.c \
suites/test_crypto_factory.c \
+ suites/test_iv_gen.c \
suites/test_pen.c \
suites/test_asn1.c \
suites/test_asn1_parser.c \
diff --git a/src/libstrongswan/tests/Makefile.in b/src/libstrongswan/tests/Makefile.in
index 97e24bdb7..13fd4cc25 100644
--- a/src/libstrongswan/tests/Makefile.in
+++ b/src/libstrongswan/tests/Makefile.in
@@ -143,6 +143,7 @@ am_tests_OBJECTS = tests-tests.$(OBJEXT) \
suites/tests-test_hasher.$(OBJEXT) \
suites/tests-test_crypter.$(OBJEXT) \
suites/tests-test_crypto_factory.$(OBJEXT) \
+ suites/tests-test_iv_gen.$(OBJEXT) \
suites/tests-test_pen.$(OBJEXT) \
suites/tests-test_asn1.$(OBJEXT) \
suites/tests-test_asn1_parser.$(OBJEXT) \
@@ -507,6 +508,7 @@ tests_SOURCES = tests.h tests.c \
suites/test_hasher.c \
suites/test_crypter.c \
suites/test_crypto_factory.c \
+ suites/test_iv_gen.c \
suites/test_pen.c \
suites/test_asn1.c \
suites/test_asn1_parser.c \
@@ -652,6 +654,8 @@ suites/tests-test_crypter.$(OBJEXT): suites/$(am__dirstamp) \
suites/$(DEPDIR)/$(am__dirstamp)
suites/tests-test_crypto_factory.$(OBJEXT): suites/$(am__dirstamp) \
suites/$(DEPDIR)/$(am__dirstamp)
+suites/tests-test_iv_gen.$(OBJEXT): suites/$(am__dirstamp) \
+ suites/$(DEPDIR)/$(am__dirstamp)
suites/tests-test_pen.$(OBJEXT): suites/$(am__dirstamp) \
suites/$(DEPDIR)/$(am__dirstamp)
suites/tests-test_asn1.$(OBJEXT): suites/$(am__dirstamp) \
@@ -701,6 +705,7 @@ distclean-compile:
@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/tests-test_hashtable.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/tests-test_host.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/tests-test_identification.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/tests-test_iv_gen.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/tests-test_linked_list.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/tests-test_linked_list_enumerator.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/tests-test_mgf1.Po@am__quote@
@@ -1156,6 +1161,20 @@ suites/tests-test_crypto_factory.obj: suites/test_crypto_factory.c
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_crypto_factory.obj `if test -f 'suites/test_crypto_factory.c'; then $(CYGPATH_W) 'suites/test_crypto_factory.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_crypto_factory.c'; fi`
+suites/tests-test_iv_gen.o: suites/test_iv_gen.c
+@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_iv_gen.o -MD -MP -MF suites/$(DEPDIR)/tests-test_iv_gen.Tpo -c -o suites/tests-test_iv_gen.o `test -f 'suites/test_iv_gen.c' || echo '$(srcdir)/'`suites/test_iv_gen.c
+@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_iv_gen.Tpo suites/$(DEPDIR)/tests-test_iv_gen.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_iv_gen.c' object='suites/tests-test_iv_gen.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_iv_gen.o `test -f 'suites/test_iv_gen.c' || echo '$(srcdir)/'`suites/test_iv_gen.c
+
+suites/tests-test_iv_gen.obj: suites/test_iv_gen.c
+@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_iv_gen.obj -MD -MP -MF suites/$(DEPDIR)/tests-test_iv_gen.Tpo -c -o suites/tests-test_iv_gen.obj `if test -f 'suites/test_iv_gen.c'; then $(CYGPATH_W) 'suites/test_iv_gen.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_iv_gen.c'; fi`
+@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_iv_gen.Tpo suites/$(DEPDIR)/tests-test_iv_gen.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_iv_gen.c' object='suites/tests-test_iv_gen.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_iv_gen.obj `if test -f 'suites/test_iv_gen.c'; then $(CYGPATH_W) 'suites/test_iv_gen.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_iv_gen.c'; fi`
+
suites/tests-test_pen.o: suites/test_pen.c
@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_pen.o -MD -MP -MF suites/$(DEPDIR)/tests-test_pen.Tpo -c -o suites/tests-test_pen.o `test -f 'suites/test_pen.c' || echo '$(srcdir)/'`suites/test_pen.c
@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_pen.Tpo suites/$(DEPDIR)/tests-test_pen.Po
diff --git a/src/libstrongswan/tests/suites/test_iv_gen.c b/src/libstrongswan/tests/suites/test_iv_gen.c
new file mode 100644
index 000000000..4e45c8538
--- /dev/null
+++ b/src/libstrongswan/tests/suites/test_iv_gen.c
@@ -0,0 +1,73 @@
+/*
+ * Copyright (C) 2015 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "test_suite.h"
+
+#include <crypto/iv/iv_gen_seq.h>
+#include <utils/test.h>
+
+START_TEST(test_iv_gen_seq)
+{
+ iv_gen_t *iv_gen;
+ u_int64_t iv0, iv1_1, iv1_2;
+
+ iv_gen = iv_gen_seq_create();
+ ck_assert(iv_gen->get_iv(iv_gen, 0, 8, (u_int8_t*)&iv0));
+ ck_assert(iv_gen->get_iv(iv_gen, 1, 8, (u_int8_t*)&iv1_1));
+ ck_assert(iv0 != iv1_1);
+ /* every sequence number may be used twice, but results in a different IV */
+ ck_assert(iv_gen->get_iv(iv_gen, 1, 8, (u_int8_t*)&iv1_2));
+ ck_assert(iv0 != iv1_2);
+ ck_assert(iv1_1 != iv1_2);
+ ck_assert(!iv_gen->get_iv(iv_gen, 1, 8, (u_int8_t*)&iv1_2));
+ iv_gen->destroy(iv_gen);
+}
+END_TEST
+
+START_TEST(test_iv_gen_seq_len)
+{
+ iv_gen_t *iv_gen;
+ u_int64_t iv;
+ u_int8_t buf[9];
+
+ iv_gen = iv_gen_seq_create();
+ ck_assert(!iv_gen->get_iv(iv_gen, 0, 0, (u_int8_t*)&iv));
+ ck_assert(!iv_gen->get_iv(iv_gen, 0, 1, (u_int8_t*)&iv));
+ ck_assert(!iv_gen->get_iv(iv_gen, 0, 2, (u_int8_t*)&iv));
+ ck_assert(!iv_gen->get_iv(iv_gen, 0, 3, (u_int8_t*)&iv));
+ ck_assert(!iv_gen->get_iv(iv_gen, 0, 4, (u_int8_t*)&iv));
+ ck_assert(!iv_gen->get_iv(iv_gen, 0, 5, (u_int8_t*)&iv));
+ ck_assert(!iv_gen->get_iv(iv_gen, 0, 6, (u_int8_t*)&iv));
+ ck_assert(!iv_gen->get_iv(iv_gen, 0, 7, (u_int8_t*)&iv));
+ ck_assert(iv_gen->get_iv(iv_gen, 0, 8, (u_int8_t*)&iv));
+ ck_assert(iv_gen->get_iv(iv_gen, 0, 9, buf));
+ iv_gen->destroy(iv_gen);
+}
+END_TEST
+
+Suite *iv_gen_suite_create()
+{
+ Suite *s;
+ TCase *tc;
+
+ s = suite_create("iv-gen");
+
+ tc = tcase_create("iv-gen-seq");
+ tcase_add_test(tc, test_iv_gen_seq);
+ tcase_add_test(tc, test_iv_gen_seq_len);
+ suite_add_tcase(s, tc);
+
+ return s;
+}
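Review bot: The new suite checks reuse of a single sequence number but not the edge cases the generator now special-cases: neither value that collides with the internal init marker (all ones, and all ones with the top bit clear) is shown to be refused, and a step backwards in the lower space after the upper space has been used is not exercised. A third test case along the lines below, registered with `tcase_add_test(tc, test_iv_gen_seq_sentinel);` in iv_gen_suite_create, would pin that behaviour; once the handling of caller-supplied values with bit 63 set is decided in iv_gen_seq.c, a case for that input belongs here too. In test_iv_gen_seq_len the eight identical lines for len 0..7 could be a loop, which would also make the intended boundary (8) visible.
```c
START_TEST(test_iv_gen_seq_sentinel)
{
	iv_gen_t *iv_gen;
	u_int64_t iv;

	iv_gen = iv_gen_seq_create();
	/* both values that map onto the generator's "unset" marker are refused */
	ck_assert(!iv_gen->get_iv(iv_gen, ~(u_int64_t)0, 8, (u_int8_t*)&iv));
	ck_assert(!iv_gen->get_iv(iv_gen, ~(u_int64_t)0 >> 1, 8, (u_int8_t*)&iv));
	/* going backwards is refused even once the upper space is in use */
	ck_assert(iv_gen->get_iv(iv_gen, 2, 8, (u_int8_t*)&iv));
	ck_assert(iv_gen->get_iv(iv_gen, 2, 8, (u_int8_t*)&iv));
	ck_assert(!iv_gen->get_iv(iv_gen, 1, 8, (u_int8_t*)&iv));
	iv_gen->destroy(iv_gen);
}
END_TEST
```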
diff --git a/src/libstrongswan/tests/tests.h b/src/libstrongswan/tests/tests.h
index e1d8ca4ba..e1074b931 100644
--- a/src/libstrongswan/tests/tests.h
+++ b/src/libstrongswan/tests/tests.h
@@ -40,6 +40,7 @@ TEST_SUITE(printf_suite_create)
TEST_SUITE(hasher_suite_create)
TEST_SUITE(crypter_suite_create)
TEST_SUITE(crypto_factory_suite_create)
+TEST_SUITE(iv_gen_suite_create)
TEST_SUITE(pen_suite_create)
TEST_SUITE(asn1_suite_create)
TEST_SUITE(asn1_parser_suite_create)