Permalink
Browse files

Files from second public release 'embedded_ipsec_1.1.zip' added

- Bug fixed in ipsec_update_replay_window(): corrected error-bitmask update functionality
- Added test case for anti-replay code.

Signed-off-by: Christian Scheurer <git@tinytux.ch>
  • Loading branch information...
tinytux committed Feb 22, 2017
1 parent 161e82d commit aebb95b310c7a82ee396b903f88e54e2f4074f56
Showing with 159 additions and 10 deletions.
  1. +4 −0 CHANGES
  2. +11 −8 src/core/util.c
  3. +144 −2 src/testing/structural/util_test.c
View
@@ -5,6 +5,10 @@
*****************************************************************************
* = public release versions
*Changes in 1.1 (28.06.2004) by CS&NS
- Bug fixed in ipsec_update_replay_window(): corrected error-bitmask update functionality
- Added test case for anti-replay code.
*Changes in 1.0 (12.12.2003) by CS&NS
- basic IPsec implementation for 16-bit embedded systems
- First public release
View
@@ -437,16 +437,19 @@ ipsec_audit ipsec_check_replay_window(__u32 seq, __u32 lastSeq, __u32 bitField)
if(seq > lastSeq) /* new larger sequence number */
{
diff = seq - lastSeq;
/* only accept new number if delta is not > IPSEC_SEQ_MAX_WINDOW */
if(diff >= IPSEC_SEQ_MAX_WINDOW) return IPSEC_AUDIT_SEQ_MISMATCH;
}
else { /* new smaller sequence number */
diff = lastSeq - seq;
/* only accept new number if delta is not > IPSEC_SEQ_MAX_WINDOW */
if(diff >= IPSEC_SEQ_MAX_WINDOW) return IPSEC_AUDIT_SEQ_MISMATCH;
/* already seen */
if(bitField & ((__u32)1 << diff)) return IPSEC_AUDIT_SEQ_MISMATCH;
}
/* only accept new number if delta is not > IPSEC_SEQ_MAX_WINDOW */
if(diff >= IPSEC_SEQ_MAX_WINDOW) return IPSEC_AUDIT_SEQ_MISMATCH;
/* already seen */
if(bitField & ((__u32)1 << diff)) return IPSEC_AUDIT_SEQ_MISMATCH;
return IPSEC_AUDIT_SUCCESS;
}
@@ -474,8 +477,8 @@ ipsec_audit ipsec_update_replay_window(__u32 seq, __u32 *lastSeq, __u32 *bitFiel
diff = seq - *lastSeq;
if (diff < IPSEC_SEQ_MAX_WINDOW) { /* In window */
*bitField <<= diff;
*bitField |= IPSEC_AUDIT_SUCCESS; /* set bit for this packet */
} else *bitField = IPSEC_AUDIT_SUCCESS; /* This packet has a "way larger" */
*bitField |= 1; /* set bit for this packet */
} else *bitField = 1; /* This packet has a "way larger" */
*lastSeq = seq;
return IPSEC_AUDIT_SUCCESS; /* larger is good */
}
@@ -51,6 +51,7 @@
#include "ipsec/util.h"
#include "ipsec/debug.h"
#include "ipsec/ipsec.h"
#include "testing/structural/structural_test.h"
/**
@@ -110,15 +111,154 @@ int test_ipsec_inet_addr(void)
return local_error_count ;
}
/**
* Testfunciton for ipsec_update_replay_window
* @return int number of tests failed in this function
*/
int util_test_ipsec_update_replay_window()
{
int local_error_count = 0;
int i, errors;
__u32 bitmap; /* saved session state to detect replays - must be 32 bits. */
__u32 lastSeq; /* saved session state to detect replays */
__u32 test_sequence;
/* Test 1: sequence number is increasing strictly from 1 to 101 */
/* Expected result: checks and updates should pass error free */
bitmap = 0;
lastSeq = 0;
test_sequence = 1;
errors = 0;
for(i = 0; i < 100; i++)
{
/* check window */
if(ipsec_check_replay_window(test_sequence, lastSeq, bitmap) != IPSEC_AUDIT_SUCCESS)
{
// IPSEC_LOG_TST("util_test_ipsec_update_replay_window", "FAILURE", ("packet rejected by anti-replay check (lastSeq=%08lx, seq=%08lx, window size=%d)", lastSeq, test_sequence, IPSEC_SEQ_MAX_WINDOW) );
errors++;
}
/* update window */
if(ipsec_update_replay_window(test_sequence, (__u32 *)&lastSeq, (__u32 *)&bitmap) != IPSEC_AUDIT_SUCCESS)
{
// IPSEC_LOG_TST("util_test_ipsec_update_replay_window", "FAILURE", ("packet rejected by anti-replay update (lastSeq=%08lx, seq=%08lx, window size=%d)", lastSeq, test_sequence, IPSEC_SEQ_MAX_WINDOW) );
errors++;
}
/* update sequence */
test_sequence++;
}
if(errors != 0)
{
local_error_count++ ;
IPSEC_LOG_TST(util_test_ipsec_update_replay_window, "FAILURE", ("%d errors when sequence number is increasing strictly - this should be error free!", errors)) ;
}
/* Test 2: replay detection - sequence counting from 0..100, then repeating 90..95 */
/* Expected result: 6 packets should fail */
bitmap = 0xFFFFFFFF;
lastSeq = 0x00000064;
test_sequence = 0x00000065;
errors = 0;
// Simulate Replay of packet 90 to 95
test_sequence = 90;
for(i = 0; i < 6; i++)
{
/* check window */
if(ipsec_check_replay_window(test_sequence, lastSeq, bitmap) != IPSEC_AUDIT_SUCCESS)
{
// IPSEC_LOG_TST("util_test_ipsec_update_replay_window", "FAILURE", ("packet rejected by anti-replay check (lastSeq=%08lx, seq=%08lx, window size=%d)", lastSeq, test_sequence, IPSEC_SEQ_MAX_WINDOW) );
errors++;
}
/* update window */
if(ipsec_update_replay_window(test_sequence, (__u32 *)&lastSeq, (__u32 *)&bitmap) != IPSEC_AUDIT_SUCCESS)
{
// IPSEC_LOG_TST("util_test_ipsec_update_replay_window", "FAILURE", ("packet rejected by anti-replay update (lastSeq=%08lx, seq=%08lx, window size=%d)", lastSeq, test_sequence, IPSEC_SEQ_MAX_WINDOW) );
errors++;
}
/* update sequence */
test_sequence++;
}
if(errors != 12)
{
local_error_count++ ;
IPSEC_LOG_TST(util_test_ipsec_update_replay_window, "FAILURE", ("Replay check did not work - %d errors detected (expected: 12 errors)", errors)) ;
}
/* Test 3: out of window tests */
/* Expected result: sequence numbers outside the window should be rejected */
bitmap = 0xFFFFFFFF;
lastSeq = IPSEC_SEQ_MAX_WINDOW * 5 - 1;
test_sequence = IPSEC_SEQ_MAX_WINDOW * 5;
errors = 0;
// Test packet with too low sequence number
test_sequence = IPSEC_SEQ_MAX_WINDOW * 2;
/* check window */
if(ipsec_check_replay_window(test_sequence, lastSeq, bitmap) != IPSEC_AUDIT_SUCCESS)
{
// IPSEC_LOG_TST("util_test_ipsec_update_replay_window", "FAILURE", ("packet rejected by anti-replay check (lastSeq=%08lx, seq=%08lx, window size=%d)", lastSeq, test_sequence, IPSEC_SEQ_MAX_WINDOW) );
errors++;
}
/* update window */
if(ipsec_update_replay_window(test_sequence, (__u32 *)&lastSeq, (__u32 *)&bitmap) != IPSEC_AUDIT_SUCCESS)
{
// IPSEC_LOG_TST("util_test_ipsec_update_replay_window", "FAILURE", ("packet rejected by anti-replay update (lastSeq=%08lx, seq=%08lx, window size=%d)", lastSeq, test_sequence, IPSEC_SEQ_MAX_WINDOW) );
errors++;
}
// Test packet with too high sequence number
test_sequence = IPSEC_SEQ_MAX_WINDOW * 8;
/* check window */
if(ipsec_check_replay_window(test_sequence, lastSeq, bitmap) != IPSEC_AUDIT_SUCCESS)
{
// IPSEC_LOG_TST("util_test_ipsec_update_replay_window", "FAILURE", ("packet rejected by anti-replay check (lastSeq=%08lx, seq=%08lx, window size=%d)", lastSeq, test_sequence, IPSEC_SEQ_MAX_WINDOW) );
errors++;
}
/* update window */
if(ipsec_update_replay_window(test_sequence, (__u32 *)&lastSeq, (__u32 *)&bitmap) != IPSEC_AUDIT_SUCCESS)
{
// IPSEC_LOG_TST("util_test_ipsec_update_replay_window", "FAILURE", ("packet rejected by anti-replay update (lastSeq=%08lx, seq=%08lx, window size=%d)", lastSeq, test_sequence, IPSEC_SEQ_MAX_WINDOW) );
errors++;
}
if(errors != 3)
{
local_error_count++ ;
IPSEC_LOG_TST(util_test_ipsec_update_replay_window, "FAILURE", ("Out-of-window tests failed.")) ;
}
return local_error_count;
}
/**
* Test function for all the log functions
* (Note: some of these tests are commented out by default to make the log output more uniform)
*/
void util_debug_test(test_result *global_results)
{
test_result sub_results = {
6,
1,
9,
2,
0,
0,
};
@@ -145,6 +285,8 @@ void util_debug_test(test_result *global_results)
retcode = test_ipsec_inet_addr() ;
IPSEC_TESTING_EVALUATE(retcode, sub_results, "test_util_ipsec_inet_addr()", (" "));
retcode = util_test_ipsec_update_replay_window();
IPSEC_TESTING_EVALUATE(retcode, sub_results, "util_test_ipsec_update_replay_window()", (" "));
global_results->tests += sub_results.tests;

0 comments on commit aebb95b

Please sign in to comment.