Files from second public release 'embedded_ipsec_1.1.zip' added
- Bug fixed in ipsec_update_replay_window(): corrected error-bitmask update functionality
- Added test case for anti-replay code.

Signed-off-by: Christian Scheurer <git@tinytux.ch>
tinytux committed Feb 22, 2017
1 parent 161e82d commit aebb95b
Showing 3 changed files with 159 additions and 10 deletions.
4 changes: 4 additions & 0 deletions CHANGES
Expand Up @@ -5,6 +5,10 @@
***************************************************************************** *****************************************************************************
* = public release versions * = public release versions


*Changes in 1.1 (28.06.2004) by CS&NS
- Bug fixed in ipsec_update_replay_window(): corrected error-bitmask update functionality
- Added test case for anti-replay code.

*Changes in 1.0 (12.12.2003) by CS&NS *Changes in 1.0 (12.12.2003) by CS&NS
- basic IPsec implementation for 16-bit embedded systems - basic IPsec implementation for 16-bit embedded systems
- First public release - First public release
19 changes: 11 additions & 8 deletions src/core/util.c
Expand Up @@ -437,16 +437,19 @@ ipsec_audit ipsec_check_replay_window(__u32 seq, __u32 lastSeq, __u32 bitField)
if(seq > lastSeq) /* new larger sequence number */ if(seq > lastSeq) /* new larger sequence number */
{ {
diff = seq - lastSeq; diff = seq - lastSeq;

/* only accept new number if delta is not > IPSEC_SEQ_MAX_WINDOW */
if(diff >= IPSEC_SEQ_MAX_WINDOW) return IPSEC_AUDIT_SEQ_MISMATCH;
} }
else { /* new smaller sequence number */ else { /* new smaller sequence number */
diff = lastSeq - seq; diff = lastSeq - seq;

/* only accept new number if delta is not > IPSEC_SEQ_MAX_WINDOW */
if(diff >= IPSEC_SEQ_MAX_WINDOW) return IPSEC_AUDIT_SEQ_MISMATCH;

/* already seen */
if(bitField & ((__u32)1 << diff)) return IPSEC_AUDIT_SEQ_MISMATCH;
} }

/* only accept new number if delta is not > IPSEC_SEQ_MAX_WINDOW */
if(diff >= IPSEC_SEQ_MAX_WINDOW) return IPSEC_AUDIT_SEQ_MISMATCH;

/* already seen */
if(bitField & ((__u32)1 << diff)) return IPSEC_AUDIT_SEQ_MISMATCH;


return IPSEC_AUDIT_SUCCESS; return IPSEC_AUDIT_SUCCESS;
} }
Expand Down Expand Up @@ -474,8 +477,8 @@ ipsec_audit ipsec_update_replay_window(__u32 seq, __u32 *lastSeq, __u32 *bitFiel
diff = seq - *lastSeq; diff = seq - *lastSeq;
if (diff < IPSEC_SEQ_MAX_WINDOW) { /* In window */ if (diff < IPSEC_SEQ_MAX_WINDOW) { /* In window */
*bitField <<= diff; *bitField <<= diff;
*bitField |= IPSEC_AUDIT_SUCCESS; /* set bit for this packet */ *bitField |= 1; /* set bit for this packet */
} else *bitField = IPSEC_AUDIT_SUCCESS; /* This packet has a "way larger" */ } else *bitField = 1; /* This packet has a "way larger" */
*lastSeq = seq; *lastSeq = seq;
return IPSEC_AUDIT_SUCCESS; /* larger is good */ return IPSEC_AUDIT_SUCCESS; /* larger is good */
} }
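Review bot: The early return added inside the `seq > lastSeq` branch of ipsec_check_replay_window() rejects every forward jump of IPSEC_SEQ_MAX_WINDOW or more, while the `else *bitField = 1;` branch of ipsec_update_replay_window() in the second hunk still treats that same case as a valid packet that resets the window. Standard ESP/AH anti-replay processing (RFC 4303, section 3.4.3) accepts a sequence number to the right of the window once the ICV has verified. With this check, a loss burst of a full window presumably leaves the SA rejecting all later traffic, since lastSeq would never advance; the caller is not visible here, so that needs confirming. If the limit is deliberate, it should be documented as a project-specific restriction at both functions; otherwise the `if(diff >= IPSEC_SEQ_MAX_WINDOW)` in the larger-sequence branch should be dropped. The comment above both checks says "not >" while the code tests `>=`; `/* reject if delta >= IPSEC_SEQ_MAX_WINDOW */` would match it. Both function bodies start outside the visible hunks.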
146 changes: 144 additions & 2 deletions src/testing/structural/util_test.c
Expand Up @@ -51,6 +51,7 @@


#include "ipsec/util.h" #include "ipsec/util.h"
#include "ipsec/debug.h" #include "ipsec/debug.h"
#include "ipsec/ipsec.h"
#include "testing/structural/structural_test.h" #include "testing/structural/structural_test.h"


/** /**
Expand Down Expand Up @@ -110,15 +111,154 @@ int test_ipsec_inet_addr(void)
return local_error_count ; return local_error_count ;
} }




/**
* Testfunciton for ipsec_update_replay_window
* @return int number of tests failed in this function
*/
int util_test_ipsec_update_replay_window()
{
int local_error_count = 0;
int i, errors;
__u32 bitmap; /* saved session state to detect replays - must be 32 bits. */
__u32 lastSeq; /* saved session state to detect replays */
__u32 test_sequence;



/* Test 1: sequence number is increasing strictly from 1 to 101 */
/* Expected result: checks and updates should pass error free */
bitmap = 0;
lastSeq = 0;
test_sequence = 1;
errors = 0;

for(i = 0; i < 100; i++)
{
/* check window */
if(ipsec_check_replay_window(test_sequence, lastSeq, bitmap) != IPSEC_AUDIT_SUCCESS)
{
// IPSEC_LOG_TST("util_test_ipsec_update_replay_window", "FAILURE", ("packet rejected by anti-replay check (lastSeq=%08lx, seq=%08lx, window size=%d)", lastSeq, test_sequence, IPSEC_SEQ_MAX_WINDOW) );
errors++;
}

/* update window */
if(ipsec_update_replay_window(test_sequence, (__u32 *)&lastSeq, (__u32 *)&bitmap) != IPSEC_AUDIT_SUCCESS)
{
// IPSEC_LOG_TST("util_test_ipsec_update_replay_window", "FAILURE", ("packet rejected by anti-replay update (lastSeq=%08lx, seq=%08lx, window size=%d)", lastSeq, test_sequence, IPSEC_SEQ_MAX_WINDOW) );
errors++;
}

/* update sequence */
test_sequence++;
}

if(errors != 0)
{
local_error_count++ ;
IPSEC_LOG_TST(util_test_ipsec_update_replay_window, "FAILURE", ("%d errors when sequence number is increasing strictly - this should be error free!", errors)) ;
}



/* Test 2: replay detection - sequence counting from 0..100, then repeating 90..95 */
/* Expected result: 6 packets should fail */
bitmap = 0xFFFFFFFF;
lastSeq = 0x00000064;
test_sequence = 0x00000065;
errors = 0;

// Simulate Replay of packet 90 to 95
test_sequence = 90;
for(i = 0; i < 6; i++)
{
/* check window */
if(ipsec_check_replay_window(test_sequence, lastSeq, bitmap) != IPSEC_AUDIT_SUCCESS)
{
// IPSEC_LOG_TST("util_test_ipsec_update_replay_window", "FAILURE", ("packet rejected by anti-replay check (lastSeq=%08lx, seq=%08lx, window size=%d)", lastSeq, test_sequence, IPSEC_SEQ_MAX_WINDOW) );
errors++;
}

/* update window */
if(ipsec_update_replay_window(test_sequence, (__u32 *)&lastSeq, (__u32 *)&bitmap) != IPSEC_AUDIT_SUCCESS)
{
// IPSEC_LOG_TST("util_test_ipsec_update_replay_window", "FAILURE", ("packet rejected by anti-replay update (lastSeq=%08lx, seq=%08lx, window size=%d)", lastSeq, test_sequence, IPSEC_SEQ_MAX_WINDOW) );
errors++;
}

/* update sequence */
test_sequence++;
}

if(errors != 12)
{
local_error_count++ ;
IPSEC_LOG_TST(util_test_ipsec_update_replay_window, "FAILURE", ("Replay check did not work - %d errors detected (expected: 12 errors)", errors)) ;
}



/* Test 3: out of window tests */
/* Expected result: sequence numbers outside the window should be rejected */
bitmap = 0xFFFFFFFF;
lastSeq = IPSEC_SEQ_MAX_WINDOW * 5 - 1;
test_sequence = IPSEC_SEQ_MAX_WINDOW * 5;
errors = 0;


// Test packet with too low sequence number
test_sequence = IPSEC_SEQ_MAX_WINDOW * 2;

/* check window */
if(ipsec_check_replay_window(test_sequence, lastSeq, bitmap) != IPSEC_AUDIT_SUCCESS)
{
// IPSEC_LOG_TST("util_test_ipsec_update_replay_window", "FAILURE", ("packet rejected by anti-replay check (lastSeq=%08lx, seq=%08lx, window size=%d)", lastSeq, test_sequence, IPSEC_SEQ_MAX_WINDOW) );
errors++;
}
/* update window */
if(ipsec_update_replay_window(test_sequence, (__u32 *)&lastSeq, (__u32 *)&bitmap) != IPSEC_AUDIT_SUCCESS)
{
// IPSEC_LOG_TST("util_test_ipsec_update_replay_window", "FAILURE", ("packet rejected by anti-replay update (lastSeq=%08lx, seq=%08lx, window size=%d)", lastSeq, test_sequence, IPSEC_SEQ_MAX_WINDOW) );
errors++;
}

// Test packet with too high sequence number
test_sequence = IPSEC_SEQ_MAX_WINDOW * 8;

/* check window */
if(ipsec_check_replay_window(test_sequence, lastSeq, bitmap) != IPSEC_AUDIT_SUCCESS)
{
// IPSEC_LOG_TST("util_test_ipsec_update_replay_window", "FAILURE", ("packet rejected by anti-replay check (lastSeq=%08lx, seq=%08lx, window size=%d)", lastSeq, test_sequence, IPSEC_SEQ_MAX_WINDOW) );
errors++;
}
/* update window */
if(ipsec_update_replay_window(test_sequence, (__u32 *)&lastSeq, (__u32 *)&bitmap) != IPSEC_AUDIT_SUCCESS)
{
// IPSEC_LOG_TST("util_test_ipsec_update_replay_window", "FAILURE", ("packet rejected by anti-replay update (lastSeq=%08lx, seq=%08lx, window size=%d)", lastSeq, test_sequence, IPSEC_SEQ_MAX_WINDOW) );
errors++;
}

if(errors != 3)
{
local_error_count++ ;
IPSEC_LOG_TST(util_test_ipsec_update_replay_window, "FAILURE", ("Out-of-window tests failed.")) ;
}



return local_error_count;
}

/** /**
* Test function for all the log functions * Test function for all the log functions
* (Note: some of these tests are commented out by default to make the log output more uniform) * (Note: some of these tests are commented out by default to make the log output more uniform)
*/ */
void util_debug_test(test_result *global_results) void util_debug_test(test_result *global_results)
{ {
test_result sub_results = { test_result sub_results = {
6, 9,
1, 2,
0, 0,
0, 0,
}; };
Expand All @@ -145,6 +285,8 @@ void util_debug_test(test_result *global_results)
retcode = test_ipsec_inet_addr() ; retcode = test_ipsec_inet_addr() ;
IPSEC_TESTING_EVALUATE(retcode, sub_results, "test_util_ipsec_inet_addr()", (" ")); IPSEC_TESTING_EVALUATE(retcode, sub_results, "test_util_ipsec_inet_addr()", (" "));


retcode = util_test_ipsec_update_replay_window();
IPSEC_TESTING_EVALUATE(retcode, sub_results, "util_test_ipsec_update_replay_window()", (" "));




global_results->tests += sub_results.tests; global_results->tests += sub_results.tests;
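Review bot: None of the three cases in util_test_ipsec_update_replay_window() exercises the bit that this commit's fix sets. Test 2 and Test 3 start from a preset `bitmap = 0xFFFFFFFF` and Test 1 feeds only strictly increasing numbers, so as far as the visible code shows they would produce the same error counts with the old `*bitField |= IPSEC_AUDIT_SUCCESS` if that constant is 0. Replaying a number that the window itself recorded would pin the fix, for example `if(ipsec_check_replay_window(lastSeq, lastSeq, bitmap) == IPSEC_AUDIT_SUCCESS) errors++;` placed after the Test 1 loop and before its `errors != 0` check. Test 3 compares only the total with 3, so it cannot tell which of its four calls failed; checking each return value against its own expected result would make a regression visible. The Test 2 comment says 6 packets should fail while the code expects 12 errors, because the check and the update are both counted, and the comment should say so.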