diff options
| -rw-r--r-- | Android.common.mk | 2 | ||||
| -rw-r--r-- | NEWS | 10 | ||||
| -rwxr-xr-x | configure | 20 | ||||
| -rw-r--r-- | configure.ac | 2 | ||||
| -rw-r--r-- | scripts/Makefile.am | 2 | ||||
| -rw-r--r-- | scripts/Makefile.in | 5 | ||||
| -rw-r--r-- | src/libcharon/sa/child_sa.c | 4 | ||||
| -rw-r--r-- | src/libcharon/sa/ikev2/tasks/ike_auth.c | 44 | ||||
| -rw-r--r-- | src/libimcv/tcg/tcg_attr.c | 10 | ||||
| -rw-r--r-- | src/libimcv/tcg/tcg_attr.h | 2 | ||||
| -rw-r--r-- | src/libstrongswan/crypto/iv/iv_gen_seq.c | 32 | ||||
| -rw-r--r-- | src/libstrongswan/tests/Makefile.am | 1 | ||||
| -rw-r--r-- | src/libstrongswan/tests/Makefile.in | 19 | ||||
| -rw-r--r-- | src/libstrongswan/tests/suites/test_iv_gen.c | 73 | ||||
| -rw-r--r-- | src/libstrongswan/tests/tests.h | 1 |
15 files changed, 200 insertions, 27 deletions
diff --git a/Android.common.mk b/Android.common.mk index f75efedca..3a7a04320 100644 --- a/Android.common.mk +++ b/Android.common.mk @@ -26,5 +26,5 @@ add_plugin_subdirs = $(if $(call plugin_enabled,$(1)), \ ) # strongSwan version, replaced by top Makefile -strongswan_VERSION := "5.3.1" +strongswan_VERSION := "5.3.2" @@ -1,3 +1,13 @@ +strongswan-5.3.2 +---------------- + +- Fixed a vulnerability that allowed rogue servers with a valid certificate + accepted by the client to trick it into disclosing its username and even + password (if the client accepts EAP-GTC). This was caused because constraints + against the responder's authentication were enforced too late. + This vulnerability has been registered as CVE-2015-4171. + + strongswan-5.3.1 ---------------- @@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.69 for strongSwan 5.3.1. +# Generated by GNU Autoconf 2.69 for strongSwan 5.3.2. # # # Copyright (C) 1992-1996, 1998-2012 Free Software Foundation, Inc. @@ -587,8 +587,8 @@ MAKEFLAGS= # Identity of this package. PACKAGE_NAME='strongSwan' PACKAGE_TARNAME='strongswan' -PACKAGE_VERSION='5.3.1' -PACKAGE_STRING='strongSwan 5.3.1' +PACKAGE_VERSION='5.3.2' +PACKAGE_STRING='strongSwan 5.3.2' PACKAGE_BUGREPORT='' PACKAGE_URL='' @@ -2018,7 +2018,7 @@ if test "$ac_init_help" = "long"; then # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures strongSwan 5.3.1 to adapt to many kinds of systems. +\`configure' configures strongSwan 5.3.2 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -2088,7 +2088,7 @@ fi if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of strongSwan 5.3.1:";; + short | recursive ) echo "Configuration of strongSwan 5.3.2:";; esac cat <<\_ACEOF @@ -2526,7 +2526,7 @@ fi test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -strongSwan configure 5.3.1 +strongSwan configure 5.3.2 generated by GNU Autoconf 2.69 Copyright (C) 2012 Free Software Foundation, Inc. @@ -3048,7 +3048,7 @@ cat >config.log <<_ACEOF This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by strongSwan $as_me 5.3.1, which was +It was created by strongSwan $as_me 5.3.2, which was generated by GNU Autoconf 2.69. Invocation command line was $ $0 $@ @@ -3911,7 +3911,7 @@ fi # Define the identity of the package. PACKAGE='strongswan' - VERSION='5.3.1' + VERSION='5.3.2' cat >>confdefs.h <<_ACEOF @@ -25663,7 +25663,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by strongSwan $as_me 5.3.1, which was +This file was extended by strongSwan $as_me 5.3.2, which was generated by GNU Autoconf 2.69. Invocation command line was CONFIG_FILES = $CONFIG_FILES @@ -25729,7 +25729,7 @@ _ACEOF cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" ac_cs_version="\\ -strongSwan config.status 5.3.1 +strongSwan config.status 5.3.2 configured by $0, generated by GNU Autoconf 2.69, with options \\"\$ac_cs_config\\" diff --git a/configure.ac b/configure.ac index d8278db54..65098d7ee 100644 --- a/configure.ac +++ b/configure.ac @@ -19,7 +19,7 @@ # initialize & set some vars # ============================ -AC_INIT([strongSwan],[5.3.1]) +AC_INIT([strongSwan],[5.3.2]) AM_INIT_AUTOMAKE(m4_esyscmd([ echo tar-ustar echo subdir-objects diff --git a/scripts/Makefile.am b/scripts/Makefile.am index c5155efc2..a793800b7 100644 --- a/scripts/Makefile.am +++ b/scripts/Makefile.am @@ -42,7 +42,7 @@ fetch_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la dnssec_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la aes_test_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la settings_test_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la -timeattack_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la +timeattack_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la $(RTLIB) key2keyid.o : $(top_builddir)/config.status diff --git a/scripts/Makefile.in b/scripts/Makefile.in index b03ff9d4f..bdb8e5ffc 100644 --- a/scripts/Makefile.in +++ b/scripts/Makefile.in @@ -180,7 +180,8 @@ thread_analysis_LDADD = $(LDADD) am_timeattack_OBJECTS = timeattack.$(OBJEXT) timeattack_OBJECTS = $(am_timeattack_OBJECTS) timeattack_DEPENDENCIES = \ - $(top_builddir)/src/libstrongswan/libstrongswan.la + $(top_builddir)/src/libstrongswan/libstrongswan.la \ + $(am__DEPENDENCIES_1) am__tls_test_SOURCES_DIST = tls_test.c @USE_TLS_TRUE@am_tls_test_OBJECTS = tls_test.$(OBJEXT) tls_test_OBJECTS = $(am_tls_test_OBJECTS) @@ -523,7 +524,7 @@ fetch_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la dnssec_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la aes_test_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la settings_test_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la -timeattack_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la +timeattack_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la $(RTLIB) all: all-am .SUFFIXES: diff --git a/src/libcharon/sa/child_sa.c b/src/libcharon/sa/child_sa.c index e0db2e655..94cf07c33 100644 --- a/src/libcharon/sa/child_sa.c +++ b/src/libcharon/sa/child_sa.c @@ -698,7 +698,7 @@ METHOD(child_sa_t, install, status_t, this->proposal->get_algorithm(this->proposal, EXTENDED_SEQUENCE_NUMBERS, &esn, NULL); - if (!this->reqid_allocated) + if (!this->reqid_allocated && !this->reqid) { status = hydra->kernel_interface->alloc_reqid(hydra->kernel_interface, my_ts, other_ts, this->mark_in, this->mark_out, @@ -826,7 +826,7 @@ METHOD(child_sa_t, add_policies, status_t, traffic_selector_t *my_ts, *other_ts; status_t status = SUCCESS; - if (!this->reqid_allocated) + if (!this->reqid_allocated && !this->reqid) { /* trap policy, get or confirm reqid */ status = hydra->kernel_interface->alloc_reqid( diff --git a/src/libcharon/sa/ikev2/tasks/ike_auth.c b/src/libcharon/sa/ikev2/tasks/ike_auth.c index bf747a49e..2554496c1 100644 --- a/src/libcharon/sa/ikev2/tasks/ike_auth.c +++ b/src/libcharon/sa/ikev2/tasks/ike_auth.c @@ -112,6 +112,11 @@ struct private_ike_auth_t { * received an INITIAL_CONTACT? */ bool initial_contact; + + /** + * Is EAP acceptable, did we strictly authenticate peer? + */ + bool eap_acceptable; }; /** @@ -879,6 +884,37 @@ static void send_auth_failed_informational(private_ike_auth_t *this, message->destroy(message); } +/** + * Check if strict constraint fullfillment required to continue current auth + */ +static bool require_strict(private_ike_auth_t *this, bool mutual_eap) +{ + auth_cfg_t *cfg; + + if (this->eap_acceptable) + { + return FALSE; + } + + cfg = this->ike_sa->get_auth_cfg(this->ike_sa, TRUE); + switch ((uintptr_t)cfg->get(cfg, AUTH_RULE_AUTH_CLASS)) + { + case AUTH_CLASS_EAP: + if (mutual_eap && this->my_auth) + { + this->eap_acceptable = TRUE; + return !this->my_auth->is_mutual(this->my_auth); + } + return TRUE; + case AUTH_CLASS_PSK: + return TRUE; + case AUTH_CLASS_PUBKEY: + case AUTH_CLASS_ANY: + default: + return FALSE; + } +} + METHOD(task_t, process_i, status_t, private_ike_auth_t *this, message_t *message) { @@ -1014,6 +1050,14 @@ METHOD(task_t, process_i, status_t, } } + if (require_strict(this, mutual_eap)) + { + if (!update_cfg_candidates(this, TRUE)) + { + goto peer_auth_failed; + } + } + if (this->my_auth) { switch (this->my_auth->process(this->my_auth, message)) diff --git a/src/libimcv/tcg/tcg_attr.c b/src/libimcv/tcg/tcg_attr.c index 79492913b..3ed6e8699 100644 --- a/src/libimcv/tcg/tcg_attr.c +++ b/src/libimcv/tcg/tcg_attr.c @@ -47,16 +47,18 @@ ENUM_BEGIN(tcg_attr_names, TCG_SCAP_REFERENCES, "SCAP Results", "SCAP Summary Results"); ENUM_NEXT(tcg_attr_names, TCG_SWID_REQUEST, - TCG_SWID_TAG_EVENTS, + TCG_SWID_SUBSCRIPTION_STATUS_RESP, TCG_SCAP_SUMMARY_RESULTS, "SWID Request", "SWID Tag Identifier Inventory", "SWID Tag Identifier Events", "SWID Tag Inventory", - "SWID Tag Events"); + "SWID Tag Events", + "SWID Subscription Status Request", + "SWID Subscription Status Response"); ENUM_NEXT(tcg_attr_names, TCG_SEG_MAX_ATTR_SIZE_REQ, TCG_SEG_CANCEL_SEG_EXCH, - TCG_SWID_TAG_EVENTS, + TCG_SWID_SUBSCRIPTION_STATUS_RESP, "Max Attribute Size Request", "Max Attribute Size Response", "Attribute Segment Envelope", @@ -253,6 +255,8 @@ pa_tnc_attr_t* tcg_attr_create_from_data(u_int32_t type, size_t length, chunk_t /* unsupported TCG/SWID attributes */ case TCG_SWID_TAG_ID_EVENTS: case TCG_SWID_TAG_EVENTS: + case TCG_SWID_SUBSCRIPTION_STATUS_REQ: + case TCG_SWID_SUBSCRIPTION_STATUS_RESP: /* unsupported TCG/PTS attributes */ case TCG_PTS_REQ_TEMPL_REF_MANI_SET_META: case TCG_PTS_TEMPL_REF_MANI_SET_META: diff --git a/src/libimcv/tcg/tcg_attr.h b/src/libimcv/tcg/tcg_attr.h index 9523f8e18..3a9a7b2e7 100644 --- a/src/libimcv/tcg/tcg_attr.h +++ b/src/libimcv/tcg/tcg_attr.h @@ -45,6 +45,8 @@ enum tcg_attr_t { TCG_SWID_TAG_ID_EVENTS = 0x00000013, TCG_SWID_TAG_INVENTORY = 0x00000014, TCG_SWID_TAG_EVENTS = 0x00000015, + TCG_SWID_SUBSCRIPTION_STATUS_REQ = 0x00000016, + TCG_SWID_SUBSCRIPTION_STATUS_RESP = 0x00000017, /* IF-M Attribute Segmentation */ TCG_SEG_MAX_ATTR_SIZE_REQ = 0x00000021, diff --git a/src/libstrongswan/crypto/iv/iv_gen_seq.c b/src/libstrongswan/crypto/iv/iv_gen_seq.c index 4de13744d..9f99c5192 100644 --- a/src/libstrongswan/crypto/iv/iv_gen_seq.c +++ b/src/libstrongswan/crypto/iv/iv_gen_seq.c @@ -19,6 +19,7 @@ * Magic value for the initial IV state */ #define SEQ_IV_INIT_STATE (~(u_int64_t)0) +#define SEQ_IV_HIGH_MASK (1ULL << 63) typedef struct private_iv_gen_t private_iv_gen_t; @@ -33,9 +34,14 @@ struct private_iv_gen_t { iv_gen_t public; /** - * Previously passed sequence number to enforce uniqueness + * Previously passed sequence number in lower space to enforce uniqueness */ - u_int64_t prev; + u_int64_t prevl; + + /** + * Previously passed sequence number in upper space to enforce uniqueness + */ + u_int64_t prevh; /** * Salt to mask counter @@ -57,15 +63,26 @@ METHOD(iv_gen_t, get_iv, bool, { return FALSE; } - if (this->prev != SEQ_IV_INIT_STATE && seq <= this->prev) + if (this->prevl != SEQ_IV_INIT_STATE && seq <= this->prevl) { - return FALSE; + seq |= SEQ_IV_HIGH_MASK; + if (this->prevh != SEQ_IV_INIT_STATE && seq <= this->prevh) + { + return FALSE; + } } - if (seq == SEQ_IV_INIT_STATE) + if ((seq | SEQ_IV_HIGH_MASK) == SEQ_IV_INIT_STATE) { return FALSE; } - this->prev = seq; + if (seq & SEQ_IV_HIGH_MASK) + { + this->prevh = seq; + } + else + { + this->prevl = seq; + } if (len > sizeof(u_int64_t)) { len = sizeof(u_int64_t); @@ -107,7 +124,8 @@ iv_gen_t *iv_gen_seq_create() .allocate_iv = _allocate_iv, .destroy = _destroy, }, - .prev = SEQ_IV_INIT_STATE, + .prevl = SEQ_IV_INIT_STATE, + .prevh = SEQ_IV_INIT_STATE, ); rng = lib->crypto->create_rng(lib->crypto, RNG_STRONG); diff --git a/src/libstrongswan/tests/Makefile.am b/src/libstrongswan/tests/Makefile.am index 8c081c673..d86584ad1 100644 --- a/src/libstrongswan/tests/Makefile.am +++ b/src/libstrongswan/tests/Makefile.am @@ -47,6 +47,7 @@ tests_SOURCES = tests.h tests.c \ suites/test_hasher.c \ suites/test_crypter.c \ suites/test_crypto_factory.c \ + suites/test_iv_gen.c \ suites/test_pen.c \ suites/test_asn1.c \ suites/test_asn1_parser.c \ diff --git a/src/libstrongswan/tests/Makefile.in b/src/libstrongswan/tests/Makefile.in index 97e24bdb7..13fd4cc25 100644 --- a/src/libstrongswan/tests/Makefile.in +++ b/src/libstrongswan/tests/Makefile.in @@ -143,6 +143,7 @@ am_tests_OBJECTS = tests-tests.$(OBJEXT) \ suites/tests-test_hasher.$(OBJEXT) \ suites/tests-test_crypter.$(OBJEXT) \ suites/tests-test_crypto_factory.$(OBJEXT) \ + suites/tests-test_iv_gen.$(OBJEXT) \ suites/tests-test_pen.$(OBJEXT) \ suites/tests-test_asn1.$(OBJEXT) \ suites/tests-test_asn1_parser.$(OBJEXT) \ @@ -507,6 +508,7 @@ tests_SOURCES = tests.h tests.c \ suites/test_hasher.c \ suites/test_crypter.c \ suites/test_crypto_factory.c \ + suites/test_iv_gen.c \ suites/test_pen.c \ suites/test_asn1.c \ suites/test_asn1_parser.c \ @@ -652,6 +654,8 @@ suites/tests-test_crypter.$(OBJEXT): suites/$(am__dirstamp) \ suites/$(DEPDIR)/$(am__dirstamp) suites/tests-test_crypto_factory.$(OBJEXT): suites/$(am__dirstamp) \ suites/$(DEPDIR)/$(am__dirstamp) +suites/tests-test_iv_gen.$(OBJEXT): suites/$(am__dirstamp) \ + suites/$(DEPDIR)/$(am__dirstamp) suites/tests-test_pen.$(OBJEXT): suites/$(am__dirstamp) \ suites/$(DEPDIR)/$(am__dirstamp) suites/tests-test_asn1.$(OBJEXT): suites/$(am__dirstamp) \ @@ -701,6 +705,7 @@ distclean-compile: @AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/tests-test_hashtable.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/tests-test_host.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/tests-test_identification.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/tests-test_iv_gen.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/tests-test_linked_list.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/tests-test_linked_list_enumerator.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/tests-test_mgf1.Po@am__quote@ @@ -1156,6 +1161,20 @@ suites/tests-test_crypto_factory.obj: suites/test_crypto_factory.c @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_crypto_factory.obj `if test -f 'suites/test_crypto_factory.c'; then $(CYGPATH_W) 'suites/test_crypto_factory.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_crypto_factory.c'; fi` +suites/tests-test_iv_gen.o: suites/test_iv_gen.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_iv_gen.o -MD -MP -MF suites/$(DEPDIR)/tests-test_iv_gen.Tpo -c -o suites/tests-test_iv_gen.o `test -f 'suites/test_iv_gen.c' || echo '$(srcdir)/'`suites/test_iv_gen.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_iv_gen.Tpo suites/$(DEPDIR)/tests-test_iv_gen.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_iv_gen.c' object='suites/tests-test_iv_gen.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_iv_gen.o `test -f 'suites/test_iv_gen.c' || echo '$(srcdir)/'`suites/test_iv_gen.c + +suites/tests-test_iv_gen.obj: suites/test_iv_gen.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_iv_gen.obj -MD -MP -MF suites/$(DEPDIR)/tests-test_iv_gen.Tpo -c -o suites/tests-test_iv_gen.obj `if test -f 'suites/test_iv_gen.c'; then $(CYGPATH_W) 'suites/test_iv_gen.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_iv_gen.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_iv_gen.Tpo suites/$(DEPDIR)/tests-test_iv_gen.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_iv_gen.c' object='suites/tests-test_iv_gen.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_iv_gen.obj `if test -f 'suites/test_iv_gen.c'; then $(CYGPATH_W) 'suites/test_iv_gen.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_iv_gen.c'; fi` + suites/tests-test_pen.o: suites/test_pen.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_pen.o -MD -MP -MF suites/$(DEPDIR)/tests-test_pen.Tpo -c -o suites/tests-test_pen.o `test -f 'suites/test_pen.c' || echo '$(srcdir)/'`suites/test_pen.c @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_pen.Tpo suites/$(DEPDIR)/tests-test_pen.Po diff --git a/src/libstrongswan/tests/suites/test_iv_gen.c b/src/libstrongswan/tests/suites/test_iv_gen.c new file mode 100644 index 000000000..4e45c8538 --- /dev/null +++ b/src/libstrongswan/tests/suites/test_iv_gen.c @@ -0,0 +1,73 @@ +/* + * Copyright (C) 2015 Tobias Brunner + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "test_suite.h" + +#include <crypto/iv/iv_gen_seq.h> +#include <utils/test.h> + +START_TEST(test_iv_gen_seq) +{ + iv_gen_t *iv_gen; + u_int64_t iv0, iv1_1, iv1_2; + + iv_gen = iv_gen_seq_create(); + ck_assert(iv_gen->get_iv(iv_gen, 0, 8, (u_int8_t*)&iv0)); + ck_assert(iv_gen->get_iv(iv_gen, 1, 8, (u_int8_t*)&iv1_1)); + ck_assert(iv0 != iv1_1); + /* every sequence number may be used twice, but results in a different IV */ + ck_assert(iv_gen->get_iv(iv_gen, 1, 8, (u_int8_t*)&iv1_2)); + ck_assert(iv0 != iv1_2); + ck_assert(iv1_1 != iv1_2); + ck_assert(!iv_gen->get_iv(iv_gen, 1, 8, (u_int8_t*)&iv1_2)); + iv_gen->destroy(iv_gen); +} +END_TEST + +START_TEST(test_iv_gen_seq_len) +{ + iv_gen_t *iv_gen; + u_int64_t iv; + u_int8_t buf[9]; + + iv_gen = iv_gen_seq_create(); + ck_assert(!iv_gen->get_iv(iv_gen, 0, 0, (u_int8_t*)&iv)); + ck_assert(!iv_gen->get_iv(iv_gen, 0, 1, (u_int8_t*)&iv)); + ck_assert(!iv_gen->get_iv(iv_gen, 0, 2, (u_int8_t*)&iv)); + ck_assert(!iv_gen->get_iv(iv_gen, 0, 3, (u_int8_t*)&iv)); + ck_assert(!iv_gen->get_iv(iv_gen, 0, 4, (u_int8_t*)&iv)); + ck_assert(!iv_gen->get_iv(iv_gen, 0, 5, (u_int8_t*)&iv)); + ck_assert(!iv_gen->get_iv(iv_gen, 0, 6, (u_int8_t*)&iv)); + ck_assert(!iv_gen->get_iv(iv_gen, 0, 7, (u_int8_t*)&iv)); + ck_assert(iv_gen->get_iv(iv_gen, 0, 8, (u_int8_t*)&iv)); + ck_assert(iv_gen->get_iv(iv_gen, 0, 9, buf)); + iv_gen->destroy(iv_gen); +} +END_TEST + +Suite *iv_gen_suite_create() +{ + Suite *s; + TCase *tc; + + s = suite_create("iv-gen"); + + tc = tcase_create("iv-gen-seq"); + tcase_add_test(tc, test_iv_gen_seq); + tcase_add_test(tc, test_iv_gen_seq_len); + suite_add_tcase(s, tc); + + return s; +} diff --git a/src/libstrongswan/tests/tests.h b/src/libstrongswan/tests/tests.h index e1d8ca4ba..e1074b931 100644 --- a/src/libstrongswan/tests/tests.h +++ b/src/libstrongswan/tests/tests.h @@ -40,6 +40,7 @@ TEST_SUITE(printf_suite_create) TEST_SUITE(hasher_suite_create) TEST_SUITE(crypter_suite_create) TEST_SUITE(crypto_factory_suite_create) +TEST_SUITE(iv_gen_suite_create) TEST_SUITE(pen_suite_create) TEST_SUITE(asn1_suite_create) TEST_SUITE(asn1_parser_suite_create) |