Diffstat (limited to 'src')
-rw-r--r-- | src/libcharon/sa/child_sa.c | 4 | ||||
-rw-r--r-- | src/libcharon/sa/ikev2/tasks/ike_auth.c | 44 | ||||
-rw-r--r-- | src/libimcv/tcg/tcg_attr.c | 10 | ||||
-rw-r--r-- | src/libimcv/tcg/tcg_attr.h | 2 | ||||
-rw-r--r-- | src/libstrongswan/crypto/iv/iv_gen_seq.c | 32 | ||||
-rw-r--r-- | src/libstrongswan/tests/Makefile.am | 1 | ||||
-rw-r--r-- | src/libstrongswan/tests/Makefile.in | 19 | ||||
-rw-r--r-- | src/libstrongswan/tests/suites/test_iv_gen.c | 73 | ||||
-rw-r--r-- | src/libstrongswan/tests/tests.h | 1 |
9 files changed, 174 insertions, 12 deletions
diff --git a/src/libcharon/sa/child_sa.c b/src/libcharon/sa/child_sa.c index e0db2e655..94cf07c33 100644 --- a/src/libcharon/sa/child_sa.c +++ b/src/libcharon/sa/child_sa.c @@ -698,7 +698,7 @@ METHOD(child_sa_t, install, status_t, this->proposal->get_algorithm(this->proposal, EXTENDED_SEQUENCE_NUMBERS, &esn, NULL); - if (!this->reqid_allocated) + if (!this->reqid_allocated && !this->reqid) { status = hydra->kernel_interface->alloc_reqid(hydra->kernel_interface, my_ts, other_ts, this->mark_in, this->mark_out, @@ -826,7 +826,7 @@ METHOD(child_sa_t, add_policies, status_t, traffic_selector_t *my_ts, *other_ts; status_t status = SUCCESS; - if (!this->reqid_allocated) + if (!this->reqid_allocated && !this->reqid) { /* trap policy, get or confirm reqid */ status = hydra->kernel_interface->alloc_reqid( diff --git a/src/libcharon/sa/ikev2/tasks/ike_auth.c b/src/libcharon/sa/ikev2/tasks/ike_auth.c index bf747a49e..2554496c1 100644 --- a/src/libcharon/sa/ikev2/tasks/ike_auth.c +++ b/src/libcharon/sa/ikev2/tasks/ike_auth.c @@ -112,6 +112,11 @@ struct private_ike_auth_t { * received an INITIAL_CONTACT? */ bool initial_contact; + + /** + * Is EAP acceptable, did we strictly authenticate peer? + */ + bool eap_acceptable; }; /** 
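Review bot: The added `&& !this->reqid` in install() skips alloc_reqid() altogether for a preset reqid, so the kernel interface neither registers nor confirms that value against my_ts/other_ts and the marks the way it does on the allocated path; if alloc_reqid() is what keeps reqids consistent with traffic selectors (the add_policies context comment says "get or confirm reqid"), a preset value that collides with one already handed out to another CHILD_SA goes unnoticed here. Because reqid_allocated stays FALSE on this path, the preset reqid presumably is also never released on destroy — confirm that is the intended ownership. The condition deserves a why-comment, e.g. `/* a preset reqid (presumably from config) is used as-is: neither allocated nor confirmed via the kernel interface */`. install()'s body starts and ends outside the hunk.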
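Review bot: The context comment `/* trap policy, get or confirm reqid */` in add_policies() now sits under a condition that also excludes preset reqids, so a reader sees a trap-policy branch that, for a preset reqid, neither gets nor confirms anything. Rewording it to `/* trap policy without preset reqid: get or confirm one from the kernel interface */` keeps the comment true for both cases. add_policies()'s body continues outside the hunk.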
@@ -879,6 +884,37 @@ static void send_auth_failed_informational(private_ike_auth_t *this, message->destroy(message); } +/** + * Check if strict constraint fullfillment required to continue current auth + */ +static bool require_strict(private_ike_auth_t *this, bool mutual_eap) +{ + auth_cfg_t *cfg; + + if (this->eap_acceptable) + { + return FALSE; + } + + cfg = this->ike_sa->get_auth_cfg(this->ike_sa, TRUE); + switch ((uintptr_t)cfg->get(cfg, AUTH_RULE_AUTH_CLASS)) + { + case AUTH_CLASS_EAP: + if (mutual_eap && this->my_auth) + { + this->eap_acceptable = TRUE; + return !this->my_auth->is_mutual(this->my_auth); + } + return TRUE; + case AUTH_CLASS_PSK: + return TRUE; + case AUTH_CLASS_PUBKEY: + case AUTH_CLASS_ANY: + default: + return FALSE; + } +} + METHOD(task_t, process_i, status_t, private_ike_auth_t *this, message_t *message) { @@ -1014,6 +1050,14 @@ METHOD(task_t, process_i, status_t, } } + if (require_strict(this, mutual_eap)) + { + if (!update_cfg_candidates(this, TRUE)) + { + goto peer_auth_failed; + } + } + if (this->my_auth) { switch (this->my_auth->process(this->my_auth, message)) diff --git a/src/libimcv/tcg/tcg_attr.c b/src/libimcv/tcg/tcg_attr.c index 79492913b..3ed6e8699 100644 --- a/src/libimcv/tcg/tcg_attr.c +++ b/src/libimcv/tcg/tcg_attr.c @@ -47,16 +47,18 @@ ENUM_BEGIN(tcg_attr_names, TCG_SCAP_REFERENCES, "SCAP Results", "SCAP Summary Results"); ENUM_NEXT(tcg_attr_names, TCG_SWID_REQUEST, - TCG_SWID_TAG_EVENTS, + TCG_SWID_SUBSCRIPTION_STATUS_RESP, TCG_SCAP_SUMMARY_RESULTS, "SWID Request", "SWID Tag Identifier Inventory", "SWID Tag Identifier Events", "SWID Tag Inventory", - "SWID Tag Events"); + "SWID Tag Events", + "SWID Subscription Status Request", + "SWID Subscription Status Response"); ENUM_NEXT(tcg_attr_names, TCG_SEG_MAX_ATTR_SIZE_REQ, TCG_SEG_CANCEL_SEG_EXCH, - TCG_SWID_TAG_EVENTS, + TCG_SWID_SUBSCRIPTION_STATUS_RESP, "Max Attribute Size Request", "Max Attribute Size Response", "Attribute Segment Envelope", 
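Review bot: The `default:` arm of the switch in require_strict() returns FALSE, so any auth class other than EAP and PSK — including one added to the enum later — is treated as not needing strict constraint checking before my_auth->process() runs on the initiator; since this check gates what the initiator does next on the responder's authentication, a fail-closed default is the safer shape: keep `case AUTH_CLASS_PUBKEY: case AUTH_CLASS_ANY: return FALSE;` and change the last arm to `default: return TRUE;`. The header comment has a typo, `fullfillment` → `fulfillment`, and would help more if it said what strict means here, e.g. `Check whether the peer's auth config must satisfy all constraints (update_cfg_candidates) before we continue with our own authentication`. process_i()'s body begins and ends outside the hunk.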
@@ -253,6 +255,8 @@ pa_tnc_attr_t* tcg_attr_create_from_data(u_int32_t type, size_t length, chunk_t /* unsupported TCG/SWID attributes */ case TCG_SWID_TAG_ID_EVENTS: case TCG_SWID_TAG_EVENTS: + case TCG_SWID_SUBSCRIPTION_STATUS_REQ: + case TCG_SWID_SUBSCRIPTION_STATUS_RESP: /* unsupported TCG/PTS attributes */ case TCG_PTS_REQ_TEMPL_REF_MANI_SET_META: case TCG_PTS_TEMPL_REF_MANI_SET_META: diff --git a/src/libimcv/tcg/tcg_attr.h b/src/libimcv/tcg/tcg_attr.h index 9523f8e18..3a9a7b2e7 100644 --- a/src/libimcv/tcg/tcg_attr.h +++ b/src/libimcv/tcg/tcg_attr.h @@ -45,6 +45,8 @@ enum tcg_attr_t { TCG_SWID_TAG_ID_EVENTS = 0x00000013, TCG_SWID_TAG_INVENTORY = 0x00000014, TCG_SWID_TAG_EVENTS = 0x00000015, + TCG_SWID_SUBSCRIPTION_STATUS_REQ = 0x00000016, + TCG_SWID_SUBSCRIPTION_STATUS_RESP = 0x00000017, /* IF-M Attribute Segmentation */ TCG_SEG_MAX_ATTR_SIZE_REQ = 0x00000021, diff --git a/src/libstrongswan/crypto/iv/iv_gen_seq.c b/src/libstrongswan/crypto/iv/iv_gen_seq.c index 4de13744d..9f99c5192 100644 --- a/src/libstrongswan/crypto/iv/iv_gen_seq.c +++ b/src/libstrongswan/crypto/iv/iv_gen_seq.c @@ -19,6 +19,7 @@ * Magic value for the initial IV state */ #define SEQ_IV_INIT_STATE (~(u_int64_t)0) +#define SEQ_IV_HIGH_MASK (1ULL << 63) typedef struct private_iv_gen_t private_iv_gen_t; @@ -33,9 +34,14 @@ struct private_iv_gen_t { iv_gen_t public; /** - * Previously passed sequence number to enforce uniqueness + * Previously passed sequence number in lower space to enforce uniqueness */ - u_int64_t prev; + u_int64_t prevl; + + /** + * Previously passed sequence number in upper space to enforce uniqueness + */ + u_int64_t prevh; /** * Salt to mask counter 
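Review bot: `SEQ_IV_HIGH_MASK` is introduced without a comment while the neighbouring `SEQ_IV_INIT_STATE` has one, although it is the bit that separates the lower and upper sequence spaces and is what the reuse logic in get_iv() relies on. A one-liner above the define would do: `/** Bit marking a sequence number that is being reused in the upper IV space */`.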
@@ -57,15 +63,26 @@ METHOD(iv_gen_t, get_iv, bool, { return FALSE; } - if (this->prev != SEQ_IV_INIT_STATE && seq <= this->prev) + if (this->prevl != SEQ_IV_INIT_STATE && seq <= this->prevl) { - return FALSE; + seq |= SEQ_IV_HIGH_MASK; + if (this->prevh != SEQ_IV_INIT_STATE && seq <= this->prevh) + { + return FALSE; + } } - if (seq == SEQ_IV_INIT_STATE) + if ((seq | SEQ_IV_HIGH_MASK) == SEQ_IV_INIT_STATE) { return FALSE; } - this->prev = seq; + if (seq & SEQ_IV_HIGH_MASK) + { + this->prevh = seq; + } + else + { + this->prevl = seq; + } if (len > sizeof(u_int64_t)) { len = sizeof(u_int64_t); @@ -107,7 +124,8 @@ iv_gen_t *iv_gen_seq_create() .allocate_iv = _allocate_iv, .destroy = _destroy, }, - .prev = SEQ_IV_INIT_STATE, + .prevl = SEQ_IV_INIT_STATE, + .prevh = SEQ_IV_INIT_STATE, ); rng = lib->crypto->create_rng(lib->crypto, RNG_STRONG); diff --git a/src/libstrongswan/tests/Makefile.am b/src/libstrongswan/tests/Makefile.am index 8c081c673..d86584ad1 100644 --- a/src/libstrongswan/tests/Makefile.am +++ b/src/libstrongswan/tests/Makefile.am @@ -47,6 +47,7 @@ tests_SOURCES = tests.h tests.c \ suites/test_hasher.c \ suites/test_crypter.c \ suites/test_crypto_factory.c \ + suites/test_iv_gen.c \ suites/test_pen.c \ suites/test_asn1.c \ suites/test_asn1_parser.c \ diff --git a/src/libstrongswan/tests/Makefile.in b/src/libstrongswan/tests/Makefile.in index 97e24bdb7..13fd4cc25 100644 --- a/src/libstrongswan/tests/Makefile.in +++ b/src/libstrongswan/tests/Makefile.in @@ -143,6 +143,7 @@ am_tests_OBJECTS = tests-tests.$(OBJEXT) \ suites/tests-test_hasher.$(OBJEXT) \ suites/tests-test_crypter.$(OBJEXT) \ suites/tests-test_crypto_factory.$(OBJEXT) \ + suites/tests-test_iv_gen.$(OBJEXT) \ suites/tests-test_pen.$(OBJEXT) \ suites/tests-test_asn1.$(OBJEXT) \ suites/tests-test_asn1_parser.$(OBJEXT) \ 
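Review bot: A sequence number that already has bit 63 set is no longer checked for uniqueness: prevl never carries that bit, so `seq <= this->prevl` is false and the first `if` is skipped, the sentinel test only rejects `~0`, and the final `if (seq & SEQ_IV_HIGH_MASK)` stores seq into prevh without ever comparing it against prevh — calling get_iv() twice with the same such seq therefore yields the same IV. The old single-counter code rejected that via `seq <= this->prev`; the two-space scheme is only sound if callers stay below 2^63, which nothing here enforces. Rejecting such input at entry, `if (seq & SEQ_IV_HIGH_MASK) { return FALSE; }` next to the existing len check, closes the gap at no cost. It is also worth stating in the method comment that the upper space is monotonic too, so a number may be reused only if the reuse is itself in ascending order. get_iv()'s signature and first lines are outside the hunk.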
@@ -507,6 +508,7 @@ tests_SOURCES = tests.h tests.c \ suites/test_hasher.c \ suites/test_crypter.c \ suites/test_crypto_factory.c \ + suites/test_iv_gen.c \ suites/test_pen.c \ suites/test_asn1.c \ suites/test_asn1_parser.c \ @@ -652,6 +654,8 @@ suites/tests-test_crypter.$(OBJEXT): suites/$(am__dirstamp) \ suites/$(DEPDIR)/$(am__dirstamp) suites/tests-test_crypto_factory.$(OBJEXT): suites/$(am__dirstamp) \ suites/$(DEPDIR)/$(am__dirstamp) +suites/tests-test_iv_gen.$(OBJEXT): suites/$(am__dirstamp) \ + suites/$(DEPDIR)/$(am__dirstamp) suites/tests-test_pen.$(OBJEXT): suites/$(am__dirstamp) \ suites/$(DEPDIR)/$(am__dirstamp) suites/tests-test_asn1.$(OBJEXT): suites/$(am__dirstamp) \ @@ -701,6 +705,7 @@ distclean-compile: @AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/tests-test_hashtable.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/tests-test_host.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/tests-test_identification.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/tests-test_iv_gen.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/tests-test_linked_list.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/tests-test_linked_list_enumerator.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/tests-test_mgf1.Po@am__quote@ 
@@ -1156,6 +1161,20 @@ suites/tests-test_crypto_factory.obj: suites/test_crypto_factory.c @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_crypto_factory.obj `if test -f 'suites/test_crypto_factory.c'; then $(CYGPATH_W) 'suites/test_crypto_factory.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_crypto_factory.c'; fi` +suites/tests-test_iv_gen.o: suites/test_iv_gen.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_iv_gen.o -MD -MP -MF suites/$(DEPDIR)/tests-test_iv_gen.Tpo -c -o suites/tests-test_iv_gen.o `test -f 'suites/test_iv_gen.c' || echo '$(srcdir)/'`suites/test_iv_gen.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_iv_gen.Tpo suites/$(DEPDIR)/tests-test_iv_gen.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_iv_gen.c' object='suites/tests-test_iv_gen.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_iv_gen.o `test -f 'suites/test_iv_gen.c' || echo '$(srcdir)/'`suites/test_iv_gen.c + +suites/tests-test_iv_gen.obj: suites/test_iv_gen.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_iv_gen.obj -MD -MP -MF suites/$(DEPDIR)/tests-test_iv_gen.Tpo -c -o suites/tests-test_iv_gen.obj `if test -f 'suites/test_iv_gen.c'; then $(CYGPATH_W) 'suites/test_iv_gen.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_iv_gen.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) 
suites/$(DEPDIR)/tests-test_iv_gen.Tpo suites/$(DEPDIR)/tests-test_iv_gen.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_iv_gen.c' object='suites/tests-test_iv_gen.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_iv_gen.obj `if test -f 'suites/test_iv_gen.c'; then $(CYGPATH_W) 'suites/test_iv_gen.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_iv_gen.c'; fi` + suites/tests-test_pen.o: suites/test_pen.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_pen.o -MD -MP -MF suites/$(DEPDIR)/tests-test_pen.Tpo -c -o suites/tests-test_pen.o `test -f 'suites/test_pen.c' || echo '$(srcdir)/'`suites/test_pen.c @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_pen.Tpo suites/$(DEPDIR)/tests-test_pen.Po diff --git a/src/libstrongswan/tests/suites/test_iv_gen.c b/src/libstrongswan/tests/suites/test_iv_gen.c new file mode 100644 index 000000000..4e45c8538 --- /dev/null +++ b/src/libstrongswan/tests/suites/test_iv_gen.c 
@@ -0,0 +1,73 @@ +/* + * Copyright (C) 2015 Tobias Brunner + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "test_suite.h" + +#include <crypto/iv/iv_gen_seq.h> +#include <utils/test.h> + +START_TEST(test_iv_gen_seq) +{ + iv_gen_t *iv_gen; + u_int64_t iv0, iv1_1, iv1_2; + + iv_gen = iv_gen_seq_create(); + ck_assert(iv_gen->get_iv(iv_gen, 0, 8, (u_int8_t*)&iv0)); + ck_assert(iv_gen->get_iv(iv_gen, 1, 8, (u_int8_t*)&iv1_1)); + ck_assert(iv0 != iv1_1); + /* every sequence number may be used twice, but results in a different IV */ + ck_assert(iv_gen->get_iv(iv_gen, 1, 8, (u_int8_t*)&iv1_2)); + ck_assert(iv0 != iv1_2); + ck_assert(iv1_1 != iv1_2); + ck_assert(!iv_gen->get_iv(iv_gen, 1, 8, (u_int8_t*)&iv1_2)); + iv_gen->destroy(iv_gen); +} +END_TEST + +START_TEST(test_iv_gen_seq_len) +{ + iv_gen_t *iv_gen; + u_int64_t iv; + u_int8_t buf[9]; + + iv_gen = iv_gen_seq_create(); + ck_assert(!iv_gen->get_iv(iv_gen, 0, 0, (u_int8_t*)&iv)); + ck_assert(!iv_gen->get_iv(iv_gen, 0, 1, (u_int8_t*)&iv)); + ck_assert(!iv_gen->get_iv(iv_gen, 0, 2, (u_int8_t*)&iv)); + ck_assert(!iv_gen->get_iv(iv_gen, 0, 3, (u_int8_t*)&iv)); + ck_assert(!iv_gen->get_iv(iv_gen, 0, 4, (u_int8_t*)&iv)); + ck_assert(!iv_gen->get_iv(iv_gen, 0, 5, (u_int8_t*)&iv)); + ck_assert(!iv_gen->get_iv(iv_gen, 0, 6, (u_int8_t*)&iv)); + ck_assert(!iv_gen->get_iv(iv_gen, 0, 7, (u_int8_t*)&iv)); + ck_assert(iv_gen->get_iv(iv_gen, 0, 8, (u_int8_t*)&iv)); + 
ck_assert(iv_gen->get_iv(iv_gen, 0, 9, buf)); + iv_gen->destroy(iv_gen); +} +END_TEST + +Suite *iv_gen_suite_create() +{ + Suite *s; + TCase *tc; + + s = suite_create("iv-gen"); + + tc = tcase_create("iv-gen-seq"); + tcase_add_test(tc, test_iv_gen_seq); + tcase_add_test(tc, test_iv_gen_seq_len); + suite_add_tcase(s, tc); + + return s; +} diff --git a/src/libstrongswan/tests/tests.h b/src/libstrongswan/tests/tests.h index e1d8ca4ba..e1074b931 100644 --- a/src/libstrongswan/tests/tests.h +++ b/src/libstrongswan/tests/tests.h @@ -40,6 +40,7 @@ TEST_SUITE(printf_suite_create) TEST_SUITE(hasher_suite_create) TEST_SUITE(crypter_suite_create) TEST_SUITE(crypto_factory_suite_create) +TEST_SUITE(iv_gen_suite_create) TEST_SUITE(pen_suite_create) TEST_SUITE(asn1_suite_create) TEST_SUITE(asn1_parser_suite_create) |
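Review bot: The new suite never exercises the inputs the generator special-cases: neither sentinel value nor a seq with bit 63 already set, and it does not pin that the upper space is monotonic as well. Two additions would cover the visible logic: `ck_assert(!iv_gen->get_iv(iv_gen, ~(u_int64_t)0, 8, (u_int8_t*)&iv));` in test_iv_gen_seq_len, and in test_iv_gen_seq, after the three uses of seq 1, `ck_assert(!iv_gen->get_iv(iv_gen, 0, 8, (u_int8_t*)&iv0));` to show an older number cannot take its second turn out of order. With that, the comment `every sequence number may be used twice, but results in a different IV` reads more accurately as `a sequence number may be reused once, provided the reuse is itself in ascending order, and yields a different IV`.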