From: Tobias Brunner Date: Mon, 4 Nov 2019 15:17:30 +0000 (+0100) Subject: unit-tests: Add tests for IKE_SA rekeying with multiple key exchanges X-Git-Tag: 6.0.0rc1~56^2~9 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=329a7b331de7532964fec0f3d1528ea07977a3d1;p=thirdparty%2Fstrongswan.git unit-tests: Add tests for IKE_SA rekeying with multiple key exchanges --- diff --git a/src/libcharon/tests/suites/test_ike_rekey.c b/src/libcharon/tests/suites/test_ike_rekey.c index efc27542a0..98c588b1eb 100644 --- a/src/libcharon/tests/suites/test_ike_rekey.c +++ b/src/libcharon/tests/suites/test_ike_rekey.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2016 Tobias Brunner + * Copyright (C) 2016-2020 Tobias Brunner * * Copyright (C) secunet Security Networks AG * @@ -103,6 +103,110 @@ START_TEST(test_regular) } END_TEST +/** + * Config for multiple KE exchange tests + */ +static exchange_test_sa_conf_t multi_ke_conf = { + .initiator = { + .ike = "aes256-sha256-modp3072-ke1_ecp256", + }, + .responder = { + .ike = "aes256-sha256-modp3072-ke1_ecp256", + }, +}; + +/** + * Regular IKE_SA rekeying with multiple key exchanges either initiated by the + * original initiator or responder of the IKE_SA. + */ +START_TEST(test_regular_multi_ke) +{ + ike_sa_t *a, *b, *new_sa; + status_t s; + + if (_i) + { /* responder rekeys the IKE_SA */ + exchange_test_helper->establish_sa(exchange_test_helper, + &b, &a, &multi_ke_conf); + } + else + { /* initiator rekeys the IKE_SA */ + exchange_test_helper->establish_sa(exchange_test_helper, + &a, &b, &multi_ke_conf); + } + /* these should never get called as this results in a successful rekeying */ + assert_hook_not_called(ike_updown); + assert_hook_not_called(child_updown); + + initiate_rekey(a); + + /* CREATE_CHILD_SA { SA, Ni, KEi } --> */ + assert_hook_not_called(ike_rekey); + assert_no_notify(IN, REKEY_SA); + exchange_test_helper->process_message(exchange_test_helper, b, NULL); + assert_ike_sa_state(b, IKE_REKEYING); + assert_child_sa_count(b, 1); + assert_ike_sa_count(0); + assert_hook(); + + /* <-- CREATE_CHILD_SA { SA, Nr, KEr, N(ADD_KE) } */ + assert_hook_not_called(ike_rekey); + assert_notify(IN, ADDITIONAL_KEY_EXCHANGE); + exchange_test_helper->process_message(exchange_test_helper, a, NULL); + assert_ike_sa_state(a, IKE_REKEYING); + assert_child_sa_count(a, 1); + assert_ike_sa_count(0); + assert_hook(); + + /* IKE_FOLLOWUP_KE { KEi, N(ADD_KE) } --> */ + assert_hook_rekey(ike_rekey, 1, 3); + assert_payload(IN, PLV2_KEY_EXCHANGE); + assert_notify(IN, ADDITIONAL_KEY_EXCHANGE); + exchange_test_helper->process_message(exchange_test_helper, b, NULL); + assert_ike_sa_state(b, IKE_REKEYED); + assert_child_sa_count(b, 0); + new_sa = assert_ike_sa_checkout(3, 4, FALSE); + assert_ike_sa_state(new_sa, IKE_ESTABLISHED); + assert_child_sa_count(new_sa, 1); + assert_ike_sa_count(1); + assert_hook(); + + /* <-- IKE_FOLLOWUP_KE { KEr } */ + assert_hook_rekey(ike_rekey, 1, 3); + assert_payload(IN, PLV2_KEY_EXCHANGE); + assert_no_notify(IN, ADDITIONAL_KEY_EXCHANGE); + exchange_test_helper->process_message(exchange_test_helper, a, NULL); + assert_ike_sa_state(a, IKE_DELETING); + assert_child_sa_count(a, 0); + new_sa = assert_ike_sa_checkout(3, 4, TRUE); + assert_ike_sa_state(new_sa, IKE_ESTABLISHED); + assert_child_sa_count(new_sa, 1); + assert_ike_sa_count(2); + assert_hook(); + + /* we don't expect this hook to get called anymore */ + assert_hook_not_called(ike_rekey); + + /* INFORMATIONAL { D } --> */ + assert_single_payload(IN, PLV2_DELETE); + s = exchange_test_helper->process_message(exchange_test_helper, b, NULL); + ck_assert_int_eq(DESTROY_ME, s); + call_ikesa(b, destroy); + /* <-- INFORMATIONAL { } */ + assert_message_empty(IN); + s = exchange_test_helper->process_message(exchange_test_helper, a, NULL); + ck_assert_int_eq(DESTROY_ME, s); + call_ikesa(a, destroy); + + /* ike_rekey/ike_updown/child_updown */ + assert_hook(); + assert_hook(); + assert_hook(); + + charon->ike_sa_manager->flush(charon->ike_sa_manager); +} +END_TEST + /** * IKE_SA rekeying where the responder does not agree with the DH group selected * by the initiator, either initiated by the original initiator or responder of @@ -204,6 +308,126 @@ START_TEST(test_regular_ke_invalid) } END_TEST +/** + * IKE_SA rekeying with multiple key exchanges where the responder does not + * agree with the first DH group selected by the initiator, either initiated by + * the original initiator or responder of the IKE_SA. + */ +START_TEST(test_regular_ke_invalid_multi_ke) +{ + exchange_test_sa_conf_t conf = { + .initiator = { + .ike = "aes128-sha256-modp2048-modp3072-ke1_ecp256", + }, + .responder = { + .ike = "aes128-sha256-modp3072-modp2048-ke1_ecp256", + }, + }; + ike_sa_t *a, *b, *sa; + status_t s; + + lib->settings->set_bool(lib->settings, "%s.prefer_configured_proposals", + FALSE, lib->ns); + if (_i) + { /* responder rekeys the IKE_SA */ + exchange_test_helper->establish_sa(exchange_test_helper, + &b, &a, &conf); + } + else + { /* initiator rekeys the IKE_SA */ + exchange_test_helper->establish_sa(exchange_test_helper, + &a, &b, &conf); + } + /* these should never get called as this results in a successful rekeying */ + assert_hook_not_called(ike_updown); + assert_hook_not_called(child_updown); + + lib->settings->set_bool(lib->settings, "%s.prefer_configured_proposals", + TRUE, lib->ns); + lib->settings->set_bool(lib->settings, "%s.prefer_previous_dh_group", + FALSE, lib->ns); + + initiate_rekey(a); + + /* CREATE_CHILD_SA { SA, Ni, KEi } --> */ + assert_hook_not_called(ike_rekey); + exchange_test_helper->process_message(exchange_test_helper, b, NULL); + assert_ike_sa_state(b, IKE_ESTABLISHED); + assert_child_sa_count(b, 1); + assert_ike_sa_count(0); + + /* <-- CREATE_CHILD_SA { N(INVAL_KE) } */ + assert_single_notify(IN, INVALID_KE_PAYLOAD); + exchange_test_helper->process_message(exchange_test_helper, a, NULL); + assert_ike_sa_state(a, IKE_REKEYING); + assert_child_sa_count(a, 1); + assert_ike_sa_count(0); + assert_hook(); + + /* CREATE_CHILD_SA { SA, Ni, KEi } --> */ + assert_hook_not_called(ike_rekey); + exchange_test_helper->process_message(exchange_test_helper, b, NULL); + assert_ike_sa_state(b, IKE_REKEYING); + assert_child_sa_count(b, 1); + assert_ike_sa_count(0); + assert_hook(); + + /* <-- CREATE_CHILD_SA { SA, Nr, KEr, N(ADD_KE) } */ + assert_hook_not_called(ike_rekey); + assert_notify(IN, ADDITIONAL_KEY_EXCHANGE); + exchange_test_helper->process_message(exchange_test_helper, a, NULL); + assert_ike_sa_state(a, IKE_REKEYING); + assert_child_sa_count(a, 1); + assert_ike_sa_count(0); + assert_hook(); + + /* IKE_FOLLOWUP_KE { KEi, N(ADD_KE) } --> */ + assert_hook_rekey(ike_rekey, 1, 3); + assert_payload(IN, PLV2_KEY_EXCHANGE); + assert_notify(IN, ADDITIONAL_KEY_EXCHANGE); + exchange_test_helper->process_message(exchange_test_helper, b, NULL); + assert_ike_sa_state(b, IKE_REKEYED); + assert_child_sa_count(b, 0); + sa = assert_ike_sa_checkout(3, 5, FALSE); + assert_ike_sa_state(sa, IKE_ESTABLISHED); + assert_child_sa_count(sa, 1); + assert_ike_sa_count(1); + assert_hook(); + + /* <-- CREATE_CHILD_SA { SA, Nr, KEr } */ + assert_hook_rekey(ike_rekey, 1, 3); + exchange_test_helper->process_message(exchange_test_helper, a, NULL); + assert_ike_sa_state(a, IKE_DELETING); + assert_child_sa_count(a, 0); + sa = assert_ike_sa_checkout(3, 5, TRUE); + assert_ike_sa_state(sa, IKE_ESTABLISHED); + assert_child_sa_count(sa, 1); + assert_ike_sa_count(2); + assert_hook(); + + /* we don't expect this hook to get called anymore */ + assert_hook_not_called(ike_rekey); + + /* INFORMATIONAL { D } --> */ + assert_single_payload(IN, PLV2_DELETE); + s = exchange_test_helper->process_message(exchange_test_helper, b, NULL); + ck_assert_int_eq(DESTROY_ME, s); + call_ikesa(b, destroy); + /* <-- INFORMATIONAL { } */ + assert_message_empty(IN); + s = exchange_test_helper->process_message(exchange_test_helper, a, NULL); + ck_assert_int_eq(DESTROY_ME, s); + call_ikesa(a, destroy); + + /* ike_rekey/ike_updown/child_updown */ + assert_hook(); + assert_hook(); + assert_hook(); + + charon->ike_sa_manager->flush(charon->ike_sa_manager); +} +END_TEST + /** * Both peers initiate the IKE_SA rekeying concurrently and should handle the * collision properly depending on the nonces. @@ -269,81 +493,456 @@ START_TEST(test_collision) assert_ike_sa_count(0); assert_hook(); - /* simplify next steps by checking in original IKE_SAs */ - charon->ike_sa_manager->checkin(charon->ike_sa_manager, a); - charon->ike_sa_manager->checkin(charon->ike_sa_manager, b); - assert_ike_sa_count(2); + /* simplify next steps by checking in original IKE_SAs */ + charon->ike_sa_manager->checkin(charon->ike_sa_manager, a); + charon->ike_sa_manager->checkin(charon->ike_sa_manager, b); + assert_ike_sa_count(2); + + /* <-- CREATE_CHILD_SA { SA, Nr, KEr } */ + assert_hook_rekey(ike_rekey, 1, data[_i].spi_i); + exchange_test_helper->process_message(exchange_test_helper, a, NULL); + /* as original initiator, a is initiator of both SAs it could delete */ + sa = assert_ike_sa_checkout(data[_i].del_a_i, data[_i].del_a_r, TRUE); + assert_ike_sa_state(sa, IKE_DELETING); + assert_child_sa_count(sa, 0); + /* if b won, it will delete the original SA a initiated */ + sa = assert_ike_sa_checkout(data[_i].del_b_i, data[_i].del_b_r, + data[_i].del_b_i == 1); + assert_ike_sa_state(sa, IKE_REKEYED); + assert_child_sa_count(sa, 0); + sa = assert_ike_sa_checkout(data[_i].spi_i, data[_i].spi_r, + data[_i].del_a_i == 1); + assert_ike_sa_state(sa, IKE_ESTABLISHED); + assert_child_sa_count(sa, 1); + assert_ike_sa_count(4); + assert_hook(); + + /* CREATE_CHILD_SA { SA, Nr, KEr } --> */ + assert_hook_rekey(ike_rekey, 1, data[_i].spi_i); + exchange_test_helper->process_message(exchange_test_helper, b, NULL); + /* if b wins, it deletes the SA originally initiated by a */ + sa = assert_ike_sa_checkout(data[_i].del_b_i, data[_i].del_b_r, + data[_i].del_b_i != 1); + assert_ike_sa_state(sa, IKE_DELETING); + assert_child_sa_count(sa, 0); + /* a only deletes SAs for which b is responder */ + sa = assert_ike_sa_checkout(data[_i].del_a_i, data[_i].del_a_r, FALSE); + assert_ike_sa_state(sa, IKE_REKEYED); + assert_child_sa_count(sa, 0); + sa = assert_ike_sa_checkout(data[_i].spi_i, data[_i].spi_r, + data[_i].del_b_i == 1); + assert_ike_sa_state(sa, IKE_ESTABLISHED); + assert_child_sa_count(sa, 1); + assert_ike_sa_count(6); + assert_hook(); + + /* we don't expect this hook to get called anymore */ + assert_hook_not_called(ike_rekey); + + /* INFORMATIONAL { D } --> */ + assert_single_payload(IN, PLV2_DELETE); + sa = assert_ike_sa_checkout(data[_i].del_a_i, data[_i].del_a_r, FALSE); + status = exchange_test_helper->process_message(exchange_test_helper, sa, + NULL); + ck_assert_int_eq(DESTROY_ME, status); + charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager, sa); + assert_ike_sa_count(5); + /* <-- INFORMATIONAL { D } */ + assert_single_payload(IN, PLV2_DELETE); + sa = assert_ike_sa_checkout(data[_i].del_b_i, data[_i].del_b_r, + data[_i].del_b_i == 1); + status = exchange_test_helper->process_message(exchange_test_helper, sa, + NULL); + ck_assert_int_eq(DESTROY_ME, status); + charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager, sa); + assert_ike_sa_count(4); + /* <-- INFORMATIONAL { } */ + assert_message_empty(IN); + sa = assert_ike_sa_checkout(data[_i].del_a_i, data[_i].del_a_r, TRUE); + status = exchange_test_helper->process_message(exchange_test_helper, sa, + NULL); + ck_assert_int_eq(DESTROY_ME, status); + charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager, sa); + assert_ike_sa_count(3); + /* INFORMATIONAL { } --> */ + assert_message_empty(IN); + sa = assert_ike_sa_checkout(data[_i].del_b_i, data[_i].del_b_r, + data[_i].del_b_i != 1); + status = exchange_test_helper->process_message(exchange_test_helper, sa, + NULL); + ck_assert_int_eq(DESTROY_ME, status); + charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager, sa); + assert_ike_sa_count(2); + + /* ike_rekey/ike_updown/child_updown */ + assert_hook(); + assert_hook(); + assert_hook(); + + charon->ike_sa_manager->flush(charon->ike_sa_manager); +} +END_TEST + +/** + * Both peers initiate the IKE_SA rekeying with multiple key exchanges + * concurrently and should handle the collision properly depending on the + * nonces. + */ +START_TEST(test_collision_multi_ke) +{ + ike_sa_t *a, *b, *sa; + status_t status; + + exchange_test_helper->establish_sa(exchange_test_helper, + &a, &b, &multi_ke_conf); + + /* When rekeyings collide we get two IKE_SAs with a total of four nonces. + * The IKE_SA with the lowest nonce SHOULD be deleted by the peer that + * created that IKE_SA. However, with multiple key exchanges, no IKE_SA + * has yet been established, so the losing peer just doesn't continue with + * IKE_FOLLOWUP_KE exchanges (i.e. that SA is not explicitly deleted later). + * The replaced IKE_SA is deleted by the peer that initiated the + * surviving SA. Four nonces and SPIs are needed (SPI 1 and 2 are used for + * the initial IKE_SA): + * N1/3 -----\ /----- N2/4 + * \--/-----> N3/5 + * N4/6 <-------/ /----- ... + * ... -----\ + * We test this four times, each time a different nonce is the lowest. + */ + struct { + /* Nonces used at each point */ + u_char nonces[4]; + /* SPIs of the "deleted" IKE_SAs (either redundant or replaced) */ + uint32_t del_a_i, del_a_r; + uint32_t del_b_i, del_b_r; + /* SPIs of the kept IKE_SA */ + uint32_t spi_i, spi_r; + } data[] = { + { { 0x00, 0xFF, 0xFF, 0xFF }, 3, 5, 1, 2, 4, 6 }, + { { 0xFF, 0x00, 0xFF, 0xFF }, 1, 2, 4, 6, 3, 5 }, + { { 0xFF, 0xFF, 0x00, 0xFF }, 3, 5, 1, 2, 4, 6 }, + { { 0xFF, 0xFF, 0xFF, 0x00 }, 1, 2, 4, 6, 3, 5 }, + }; + /* these should never get called as this results in a successful rekeying */ + assert_hook_not_called(ike_updown); + assert_hook_not_called(child_updown); + + exchange_test_helper->nonce_first_byte = data[_i].nonces[0]; + initiate_rekey(a); + exchange_test_helper->nonce_first_byte = data[_i].nonces[1]; + initiate_rekey(b); + + /* CREATE_CHILD_SA { SA, Ni, KEi } --> */ + exchange_test_helper->nonce_first_byte = data[_i].nonces[2]; + assert_hook_not_called(ike_rekey); + exchange_test_helper->process_message(exchange_test_helper, b, NULL); + assert_ike_sa_state(b, IKE_REKEYING); + assert_child_sa_count(b, 1); + assert_ike_sa_count(0); + assert_hook(); + + /* <-- CREATE_CHILD_SA { SA, Ni, KEi } */ + exchange_test_helper->nonce_first_byte = data[_i].nonces[3]; + assert_hook_not_called(ike_rekey); + exchange_test_helper->process_message(exchange_test_helper, a, NULL); + assert_ike_sa_state(a, IKE_REKEYING); + assert_child_sa_count(a, 1); + assert_ike_sa_count(0); + assert_hook(); + + /* simplify next steps by checking in original IKE_SAs */ + charon->ike_sa_manager->checkin(charon->ike_sa_manager, a); + charon->ike_sa_manager->checkin(charon->ike_sa_manager, b); + assert_ike_sa_count(2); + + /* <-- CREATE_CHILD_SA { SA, Nr, KEr, N(ADD_KE) } */ + assert_hook_not_called(ike_rekey); + exchange_test_helper->process_message(exchange_test_helper, a, NULL); + /* if a won, it must remove the passive task, otherwise the active task, + * no new SA is yet created */ + assert_num_tasks(a, data[_i].del_a_i == 1 ? 0 : 1, TASK_QUEUE_PASSIVE); + assert_num_tasks(a, data[_i].del_a_i == 1 ? 1 : 0, TASK_QUEUE_ACTIVE); + assert_ike_sa_state(a, IKE_REKEYING); + assert_ike_sa_count(2); + assert_hook(); + + /* CREATE_CHILD_SA { SA, Nr, KEr, N(ADD_KE) } --> */ + assert_hook_not_called(ike_rekey); + exchange_test_helper->process_message(exchange_test_helper, b, NULL); + assert_num_tasks(b, data[_i].del_b_i == 1 ? 0 : 1, TASK_QUEUE_PASSIVE); + assert_num_tasks(b, data[_i].del_b_i == 1 ? 1 : 0, TASK_QUEUE_ACTIVE); + assert_ike_sa_state(b, IKE_REKEYING); + assert_ike_sa_count(2); + assert_hook(); + + /* IKE_FOLLOWUP_KE { KEi, N(ADD_KE) } --> (direction depends on who won) */ + assert_hook_rekey(ike_rekey, 1, data[_i].spi_i); + assert_payload(IN, PLV2_KEY_EXCHANGE); + assert_notify(IN, ADDITIONAL_KEY_EXCHANGE); + /* if a won, this message is sent to b */ + sa = assert_ike_sa_checkout(1, 2, data[_i].del_a_i != 1); + exchange_test_helper->process_message(exchange_test_helper, sa, NULL); + assert_ike_sa_state(sa, IKE_REKEYED); + assert_child_sa_count(sa, 0); + sa = assert_ike_sa_checkout(data[_i].spi_i, data[_i].spi_r, FALSE); + assert_ike_sa_state(sa, IKE_ESTABLISHED); + assert_child_sa_count(sa, 1); + assert_ike_sa_count(3); + assert_hook(); + + /* <-- IKE_FOLLOWUP_KE { KEr } */ + assert_hook_rekey(ike_rekey, 1, data[_i].spi_i); + assert_payload(IN, PLV2_KEY_EXCHANGE); + assert_no_notify(IN, ADDITIONAL_KEY_EXCHANGE); + sa = assert_ike_sa_checkout(1, 2, data[_i].del_a_i == 1); + exchange_test_helper->process_message(exchange_test_helper, sa, NULL); + assert_ike_sa_state(sa, IKE_DELETING); + assert_child_sa_count(sa, 0); + sa = assert_ike_sa_checkout(data[_i].spi_i, data[_i].spi_r, TRUE); + assert_ike_sa_state(sa, IKE_ESTABLISHED); + assert_child_sa_count(sa, 1); + assert_ike_sa_count(4); + assert_hook(); + + /* we don't expect this hook to get called anymore */ + assert_hook_not_called(ike_rekey); + + /* INFORMATIONAL { D } --> */ + assert_single_payload(IN, PLV2_DELETE); + sa = assert_ike_sa_checkout(1, 2, data[_i].del_a_i != 1); + status = exchange_test_helper->process_message(exchange_test_helper, sa, + NULL); + ck_assert_int_eq(DESTROY_ME, status); + charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager, sa); + assert_ike_sa_count(3); + /* <-- INFORMATIONAL { } */ + assert_message_empty(IN); + sa = assert_ike_sa_checkout(1, 2, data[_i].del_a_i == 1); + status = exchange_test_helper->process_message(exchange_test_helper, sa, + NULL); + ck_assert_int_eq(DESTROY_ME, status); + charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager, sa); + assert_ike_sa_count(2); + + /* ike_rekey/ike_updown/child_updown */ + assert_hook(); + assert_hook(); + assert_hook(); + + charon->ike_sa_manager->flush(charon->ike_sa_manager); +} +END_TEST + +/** + * Both peers initiate an IKE_SA rekeying concurrently, but only one of them + * proposes multiple key exchanges, they should still handle the collision + * properly. + */ +START_TEST(test_collision_mixed) +{ + exchange_test_sa_conf_t conf = { + .initiator = { + .ike = "aes256-sha256-modp3072-ke1_ecp256,aes256-sha256-modp3072", + }, + .responder = { + .ike = "aes256-sha256-modp3072,aes256-sha256-modp3072-ke1_ecp256", + }, + }; + ike_sa_t *a, *b, *sa; + status_t status; + + /* let's accept what the peer proposes first */ + lib->settings->set_bool(lib->settings, "%s.prefer_configured_proposals", + FALSE, lib->ns); + + exchange_test_helper->establish_sa(exchange_test_helper, + &a, &b, &conf); + + /* When rekeyings collide, we get two IKE_SAs with a total of four nonces. + * The IKE_SA with the lowest nonce SHOULD be deleted by the peer that + * created that IKE_SA. In this mixed scenario, there might already be + * a complete IKE_SA depending on who initiates the rekeying. This has then + * to be deleted properly (like with regular collisions). + * The replaced IKE_SA is deleted by the peer that initiated the + * surviving SA. Four nonces and SPIs are needed (SPI 1 and 2 are used for + * the initial IKE_SA): + * N1/3 -----\ /----- N2/4 + * \--/-----> N3/5 + * N4/6 <-------/ /----- ... + * ... -----\ + * We test this four times, each time a different nonce is the lowest. + */ + struct { + /* Nonces used at each point */ + u_char nonces[4]; + /* SPIs of the "deleted" IKE_SAs (either redundant or replaced) */ + uint32_t del_a_i, del_a_r; + uint32_t del_b_i, del_b_r; + /* SPIs of the kept IKE_SA */ + uint32_t spi_i, spi_r; + } data[] = { + { { 0x00, 0xFF, 0xFF, 0xFF }, 3, 5, 1, 2, 4, 6 }, + { { 0xFF, 0x00, 0xFF, 0xFF }, 1, 2, 4, 6, 3, 5 }, + { { 0xFF, 0xFF, 0x00, 0xFF }, 3, 5, 1, 2, 4, 6 }, + { { 0xFF, 0xFF, 0xFF, 0x00 }, 1, 2, 4, 6, 3, 5 }, + }; + /* these should never get called as this results in a successful rekeying */ + assert_hook_not_called(ike_updown); + assert_hook_not_called(child_updown); + + exchange_test_helper->nonce_first_byte = data[_i].nonces[0]; + initiate_rekey(a); + exchange_test_helper->nonce_first_byte = data[_i].nonces[1]; + initiate_rekey(b); + + /* CREATE_CHILD_SA { SA, Ni, KEi } --> */ + exchange_test_helper->nonce_first_byte = data[_i].nonces[2]; + assert_hook_not_called(ike_rekey); + exchange_test_helper->process_message(exchange_test_helper, b, NULL); + assert_ike_sa_state(b, IKE_REKEYING); + assert_child_sa_count(b, 1); + assert_ike_sa_count(0); + assert_hook(); + + /* <-- CREATE_CHILD_SA { SA, Ni, KEi } */ + exchange_test_helper->nonce_first_byte = data[_i].nonces[3]; + assert_hook_not_called(ike_rekey); + exchange_test_helper->process_message(exchange_test_helper, a, NULL); + assert_ike_sa_state(a, IKE_REKEYING); + assert_child_sa_count(a, 1); + assert_ike_sa_count(0); + assert_hook(); + + /* simplify next steps by checking in original IKE_SAs */ + charon->ike_sa_manager->checkin(charon->ike_sa_manager, a); + charon->ike_sa_manager->checkin(charon->ike_sa_manager, b); + assert_ike_sa_count(2); + + /* <-- CREATE_CHILD_SA { SA, Nr, KEr, N(ADD_KE) } */ + if (data[_i].del_a_i == 1) + { /* if A won, it will continue with the multi-KE rekeying, while B has to + * delete the redundant SA it created */ + assert_hook_not_called(ike_rekey); + assert_notify(IN, ADDITIONAL_KEY_EXCHANGE); + exchange_test_helper->process_message(exchange_test_helper, a, NULL); + /* B's rekeying is single KE, so we never expect a passive task */ + assert_num_tasks(a, 0, TASK_QUEUE_PASSIVE); + assert_num_tasks(a, 1, TASK_QUEUE_ACTIVE); + assert_ike_sa_state(a, IKE_REKEYING); + /* B is expected to delete this redundant SA */ + sa = assert_ike_sa_checkout(data[_i].del_b_i, data[_i].del_b_r, FALSE); + assert_ike_sa_state(sa, IKE_REKEYED); + assert_child_sa_count(sa, 0); + assert_ike_sa_count(3); + + /* CREATE_CHILD_SA { SA, Nr, KEr } --> */ + assert_no_notify(IN, ADDITIONAL_KEY_EXCHANGE); + exchange_test_helper->process_message(exchange_test_helper, b, NULL); + assert_num_tasks(b, 1, TASK_QUEUE_PASSIVE); + assert_num_tasks(b, 0, TASK_QUEUE_ACTIVE); + assert_ike_sa_state(b, IKE_REKEYING); + sa = assert_ike_sa_checkout(data[_i].del_b_i, data[_i].del_b_r, TRUE); + assert_ike_sa_state(sa, IKE_DELETING); + assert_child_sa_count(sa, 0); + assert_ike_sa_count(4); + /* ike_rekey */ + assert_hook(); + + /* IKE_FOLLOWUP_KE { KEi, N(ADD_KE) } --> */ + assert_hook_rekey(ike_rekey, 1, data[_i].spi_i); + assert_payload(IN, PLV2_KEY_EXCHANGE); + assert_notify(IN, ADDITIONAL_KEY_EXCHANGE); + exchange_test_helper->process_message(exchange_test_helper, b, NULL); + assert_ike_sa_state(b, IKE_REKEYED); + assert_child_sa_count(b, 0); + sa = assert_ike_sa_checkout(data[_i].spi_i, data[_i].spi_r, FALSE); + assert_ike_sa_state(sa, IKE_ESTABLISHED); + assert_child_sa_count(sa, 1); + assert_ike_sa_count(5); + assert_hook(); + + /* <-- INFORMATIONAL { D } */ + assert_hook_not_called(ike_rekey); + assert_single_payload(IN, PLV2_DELETE); + sa = assert_ike_sa_checkout(data[_i].del_b_i, data[_i].del_b_r, FALSE); + status = exchange_test_helper->process_message(exchange_test_helper, sa, + NULL); + ck_assert_int_eq(DESTROY_ME, status); + charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager, sa); + assert_ike_sa_count(4); + assert_hook(); - /* <-- CREATE_CHILD_SA { SA, Nr, KEr } */ - assert_hook_rekey(ike_rekey, 1, data[_i].spi_i); - exchange_test_helper->process_message(exchange_test_helper, a, NULL); - /* as original initiator a is initiator of both SAs it could delete */ - sa = assert_ike_sa_checkout(data[_i].del_a_i, data[_i].del_a_r, TRUE); - assert_ike_sa_state(sa, IKE_DELETING); - assert_child_sa_count(sa, 0); - /* if b won it will delete the original SA a initiated */ - sa = assert_ike_sa_checkout(data[_i].del_b_i, data[_i].del_b_r, - data[_i].del_b_i == 1); - assert_ike_sa_state(sa, IKE_REKEYED); - assert_child_sa_count(sa, 0); - sa = assert_ike_sa_checkout(data[_i].spi_i, data[_i].spi_r, - data[_i].del_a_i == 1); - assert_ike_sa_state(sa, IKE_ESTABLISHED); - assert_child_sa_count(sa, 1); - assert_ike_sa_count(4); - assert_hook(); + /* <-- IKE_FOLLOWUP_KE { KEr } */ + assert_hook_rekey(ike_rekey, 1, data[_i].spi_i); + assert_payload(IN, PLV2_KEY_EXCHANGE); + assert_no_notify(IN, ADDITIONAL_KEY_EXCHANGE); + exchange_test_helper->process_message(exchange_test_helper, a, NULL); + assert_ike_sa_state(a, IKE_DELETING); + assert_child_sa_count(a, 0); + sa = assert_ike_sa_checkout(data[_i].spi_i, data[_i].spi_r, TRUE); + assert_ike_sa_state(sa, IKE_ESTABLISHED); + assert_child_sa_count(sa, 1); + assert_ike_sa_count(5); + assert_hook(); - /* CREATE_CHILD_SA { SA, Nr, KEr } --> */ - assert_hook_rekey(ike_rekey, 1, data[_i].spi_i); - exchange_test_helper->process_message(exchange_test_helper, b, NULL); - /* if b wins it deletes the SA originally initiated by a */ - sa = assert_ike_sa_checkout(data[_i].del_b_i, data[_i].del_b_r, - data[_i].del_b_i != 1); - assert_ike_sa_state(sa, IKE_DELETING); - assert_child_sa_count(sa, 0); - /* a only deletes SAs for which b is responder */ - sa = assert_ike_sa_checkout(data[_i].del_a_i, data[_i].del_a_r, FALSE); - assert_ike_sa_state(sa, IKE_REKEYED); - assert_child_sa_count(sa, 0); - sa = assert_ike_sa_checkout(data[_i].spi_i, data[_i].spi_r, - data[_i].del_b_i == 1); - assert_ike_sa_state(sa, IKE_ESTABLISHED); - assert_child_sa_count(sa, 1); - assert_ike_sa_count(6); - assert_hook(); + /* INFORMATIONAL { } --> */ + assert_hook_not_called(ike_rekey); + assert_message_empty(IN); + sa = assert_ike_sa_checkout(data[_i].del_b_i, data[_i].del_b_r, TRUE); + status = exchange_test_helper->process_message(exchange_test_helper, sa, + NULL); + ck_assert_int_eq(DESTROY_ME, status); + charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager, sa); + assert_ike_sa_count(4); + assert_hook(); + } + else + { /* if lost, the active rekeying is aborted and the passive completed, + * there is nothing to delete */ + assert_hook_rekey(ike_rekey, 1, data[_i].spi_i); + assert_notify(IN, ADDITIONAL_KEY_EXCHANGE); + exchange_test_helper->process_message(exchange_test_helper, a, NULL); + assert_num_tasks(a, 0, TASK_QUEUE_PASSIVE); + assert_num_tasks(a, 0, TASK_QUEUE_ACTIVE); + assert_ike_sa_state(a, IKE_REKEYED); + assert_child_sa_count(a, 0); + /* the passively created SA is completed */ + sa = assert_ike_sa_checkout(data[_i].spi_i, data[_i].spi_r, FALSE); + assert_ike_sa_state(sa, IKE_ESTABLISHED); + assert_child_sa_count(sa, 1); + assert_ike_sa_count(3); + assert_hook(); + + /* CREATE_CHILD_SA { SA, Nr, KEr } --> */ + assert_hook_rekey(ike_rekey, 1, data[_i].spi_i); + assert_no_notify(IN, ADDITIONAL_KEY_EXCHANGE); + exchange_test_helper->process_message(exchange_test_helper, b, NULL); + assert_num_tasks(b, 0, TASK_QUEUE_PASSIVE); + assert_num_tasks(b, 1, TASK_QUEUE_ACTIVE); + assert_ike_sa_state(b, IKE_DELETING); + assert_child_sa_count(b, 0); + sa = assert_ike_sa_checkout(data[_i].spi_i, data[_i].spi_r, TRUE); + assert_ike_sa_state(sa, IKE_ESTABLISHED); + assert_child_sa_count(sa, 1); + assert_ike_sa_count(4); + assert_hook(); + } /* we don't expect this hook to get called anymore */ assert_hook_not_called(ike_rekey); /* INFORMATIONAL { D } --> */ assert_single_payload(IN, PLV2_DELETE); - sa = assert_ike_sa_checkout(data[_i].del_a_i, data[_i].del_a_r, FALSE); - status = exchange_test_helper->process_message(exchange_test_helper, sa, - NULL); - ck_assert_int_eq(DESTROY_ME, status); - charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager, sa); - assert_ike_sa_count(5); - /* <-- INFORMATIONAL { D } */ - assert_single_payload(IN, PLV2_DELETE); - sa = assert_ike_sa_checkout(data[_i].del_b_i, data[_i].del_b_r, - data[_i].del_b_i == 1); - status = exchange_test_helper->process_message(exchange_test_helper, sa, - NULL); - ck_assert_int_eq(DESTROY_ME, status); - charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager, sa); - assert_ike_sa_count(4); - /* <-- INFORMATIONAL { } */ - assert_message_empty(IN); - sa = assert_ike_sa_checkout(data[_i].del_a_i, data[_i].del_a_r, TRUE); + sa = assert_ike_sa_checkout(1, 2, data[_i].del_a_i != 1); status = exchange_test_helper->process_message(exchange_test_helper, sa, NULL); ck_assert_int_eq(DESTROY_ME, status); charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager, sa); assert_ike_sa_count(3); - /* INFORMATIONAL { } --> */ + /* <-- INFORMATIONAL { } */ assert_message_empty(IN); - sa = assert_ike_sa_checkout(data[_i].del_b_i, data[_i].del_b_r, - data[_i].del_b_i != 1); + sa = assert_ike_sa_checkout(1, 2, data[_i].del_a_i == 1); status = exchange_test_helper->process_message(exchange_test_helper, sa, NULL); ck_assert_int_eq(DESTROY_ME, status); @@ -901,43 +1500,244 @@ START_TEST(test_collision_delayed_response) data[_i].del_a_i == 1); assert_ike_sa_state(sa, IKE_ESTABLISHED); assert_child_sa_count(sa, 1); - assert_ike_sa_count(6); + assert_ike_sa_count(6); + assert_hook(); + + /* we don't expect this hook to get called anymore */ + assert_hook_not_called(ike_rekey); + + /* INFORMATIONAL { D } --> */ + assert_single_payload(IN, PLV2_DELETE); + sa = assert_ike_sa_checkout(data[_i].del_a_i, data[_i].del_a_r, FALSE); + s = exchange_test_helper->process_message(exchange_test_helper, sa, + NULL); + ck_assert_int_eq(DESTROY_ME, s); + charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager, sa); + assert_ike_sa_count(5); + /* <-- INFORMATIONAL { } */ + assert_message_empty(IN); + sa = assert_ike_sa_checkout(data[_i].del_a_i, data[_i].del_a_r, TRUE); + s = exchange_test_helper->process_message(exchange_test_helper, sa, + NULL); + ck_assert_int_eq(DESTROY_ME, s); + charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager, sa); + assert_ike_sa_count(4); + + /* <-- INFORMATIONAL { D } (retransmit/delayed) */ + assert_single_payload(IN, PLV2_DELETE); + sa = assert_ike_sa_checkout(data[_i].del_b_i, data[_i].del_b_r, FALSE); + s = exchange_test_helper->process_message(exchange_test_helper, sa, d); + ck_assert_int_eq(DESTROY_ME, s); + charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager, sa); + assert_ike_sa_count(3); + /* INFORMATIONAL { } --> */ + assert_message_empty(IN); + sa = assert_ike_sa_checkout(data[_i].del_b_i, data[_i].del_b_r, TRUE); + s = exchange_test_helper->process_message(exchange_test_helper, sa, + NULL); + ck_assert_int_eq(DESTROY_ME, s); + charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager, sa); + assert_ike_sa_count(2); + /* ike_rekey */ + assert_hook(); + } + + /* ike_updown/child_updown */ + assert_hook(); + assert_hook(); + + charon->ike_sa_manager->flush(charon->ike_sa_manager); +} +END_TEST + +/** + * This is like a regular rekey collision, but one CREATE_CHILD_SA response + * is delayed: + * Peer A Peer B + * rekey ----\ /---- rekey + * \-----/----> detect collision + * detect collision <---------/ /---- + * -----------/----> + * handle KE <---------/------ send additional KE (if won) + * ---------/------> + * handle rekey <-------/ + * additional KE ----------------> handle KE (if lost) + * <---------------- + * ... the winner deletes the old SA + * + * If A wins the collision, this is just a regular collision as B will simply + * wait until A receives the response and continues with its IKE_FOLLOWUP_KE + * request. So we only look at the cases in which B wins. + * + * Besides the scenario depicted above, i.e. where the response arrives after + * handling B's IKE_FOLLOwUP_KE request, we also test when it arrives after + * handling the delete (A assumes that B didn't notice the collision, so it just + * completes the passive rekeying and the response will eventually be dropped + * because the SA is gone). + */ +START_TEST(test_collision_delayed_response_multi_ke) +{ + ike_sa_t *a, *b, *sa; + message_t *msg; + status_t s; + bool after_delete = _i >= 2; + + _i %= 2; + + exchange_test_helper->establish_sa(exchange_test_helper, + &a, &b, &multi_ke_conf); + + /* Four nonces and SPIs are needed (SPI 1 and 2 are used for the initial + * IKE_SA): + * N1/3 -----\ /----- N2/4 + * \--/-----> N3/5 + * N4/6 <-------/ /----- ... + * ... -----\ + * We test this four times, B wins each time (with either of its nonces), + * but the response arrives at different times. + */ + struct { + /* Nonces used at each point */ + u_char nonces[4]; + /* SPIs of the deleted IKE_SAs (either redundant or replaced) */ + uint32_t del_a_i, del_a_r; + uint32_t del_b_i, del_b_r; + /* SPIs of the kept IKE_SA */ + uint32_t spi_i, spi_r; + } data[] = { + { { 0x00, 0xFF, 0xFF, 0xFF }, 3, 5, 1, 2, 4, 6 }, + { { 0xFF, 0xFF, 0x00, 0xFF }, 3, 5, 1, 2, 4, 6 }, + }; + /* these should never get called as this results in a successful rekeying */ + assert_hook_not_called(ike_updown); + assert_hook_not_called(child_updown); + + exchange_test_helper->nonce_first_byte = data[_i].nonces[0]; + initiate_rekey(a); + exchange_test_helper->nonce_first_byte = data[_i].nonces[1]; + initiate_rekey(b); + + /* CREATE_CHILD_SA { SA, Ni, KEi } --> */ + exchange_test_helper->nonce_first_byte = data[_i].nonces[2]; + assert_hook_not_called(ike_rekey); + exchange_test_helper->process_message(exchange_test_helper, b, NULL); + assert_ike_sa_state(b, IKE_REKEYING); + assert_child_sa_count(b, 1); + assert_ike_sa_count(0); + assert_hook(); + + /* <-- CREATE_CHILD_SA { SA, Ni, KEi } */ + exchange_test_helper->nonce_first_byte = data[_i].nonces[3]; + assert_hook_not_called(ike_rekey); + exchange_test_helper->process_message(exchange_test_helper, a, NULL); + assert_ike_sa_state(a, IKE_REKEYING); + assert_child_sa_count(a, 1); + assert_ike_sa_count(0); + assert_hook(); + + /* delay the CREATE_CHILD_SA response from b to a */ + msg = exchange_test_helper->sender->dequeue(exchange_test_helper->sender); + + /* simplify next steps by checking in original IKE_SAs */ + charon->ike_sa_manager->checkin(charon->ike_sa_manager, a); + charon->ike_sa_manager->checkin(charon->ike_sa_manager, b); + assert_ike_sa_count(2); + + /* CREATE_CHILD_SA { SA, Nr, KEr, N(ADD_KE) } --> */ + assert_hook_not_called(ike_rekey); + assert_notify(IN, ADDITIONAL_KEY_EXCHANGE); + exchange_test_helper->process_message(exchange_test_helper, b, NULL); + assert_num_tasks(b, 0, TASK_QUEUE_PASSIVE); + assert_num_tasks(b, 1, TASK_QUEUE_ACTIVE); + assert_ike_sa_state(b, IKE_REKEYING); + assert_ike_sa_count(2); + assert_hook(); + + /* <-- IKE_FOLLOWUP_KE { KEi, N(ADD_KE) } */ + assert_hook_not_called(ike_rekey); + assert_payload(IN, PLV2_KEY_EXCHANGE); + assert_notify(IN, ADDITIONAL_KEY_EXCHANGE); + /* a waits until it receives the CREATE_CHILD_SA response */ + exchange_test_helper->process_message(exchange_test_helper, a, NULL); + assert_ike_sa_state(a, IKE_REKEYING); + assert_child_sa_count(a, 1); + assert_ike_sa_count(2); + assert_hook(); + + if (!after_delete) + { /* a receives the response right after the IKE_FOLLOWUP_KE, the passive + * rekeying is completed and the active aborted */ + /* <-- CREATE_CHILD_SA { SA, Nr, KEr } (delayed) */ + assert_hook_rekey(ike_rekey, 1, data[_i].spi_i); + exchange_test_helper->process_message(exchange_test_helper, a, msg); + assert_num_tasks(a, 0, TASK_QUEUE_PASSIVE); + assert_num_tasks(a, 0, TASK_QUEUE_ACTIVE); + assert_ike_sa_state(a, IKE_REKEYED); + assert_child_sa_count(a, 0); + sa = assert_ike_sa_checkout(data[_i].spi_i, data[_i].spi_r, FALSE); + assert_ike_sa_state(sa, IKE_ESTABLISHED); + assert_child_sa_count(sa, 1); + assert_ike_sa_count(3); + assert_hook(); + } + + /* IKE_FOLLOWUP_KE { KEr } --> */ + assert_hook_rekey(ike_rekey, 1, data[_i].spi_i); + assert_payload(IN, PLV2_KEY_EXCHANGE); + assert_no_notify(IN, ADDITIONAL_KEY_EXCHANGE); + exchange_test_helper->process_message(exchange_test_helper, b, NULL); + assert_ike_sa_state(b, IKE_DELETING); + assert_child_sa_count(b, 0); + sa = assert_ike_sa_checkout(data[_i].spi_i, data[_i].spi_r, TRUE); + assert_ike_sa_state(sa, IKE_ESTABLISHED); + assert_child_sa_count(sa, 1); + assert_ike_sa_count(after_delete ? 3 : 4); + assert_hook(); + + /* <-- INFORMATIONAL { D } */ + if (after_delete) + { + assert_hook_rekey(ike_rekey, 1, data[_i].spi_i); + assert_single_payload(IN, PLV2_DELETE); + s = exchange_test_helper->process_message(exchange_test_helper, a, + NULL); + ck_assert_int_eq(DESTROY_ME, s); + charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager, a); + sa = assert_ike_sa_checkout(data[_i].spi_i, data[_i].spi_r, FALSE); + assert_ike_sa_state(sa, IKE_ESTABLISHED); + assert_child_sa_count(sa, 1); + assert_ike_sa_count(3); assert_hook(); - /* we don't expect this hook to get called anymore */ - assert_hook_not_called(ike_rekey); + /* <-- CREATE_CHILD_SA { SA, Nr, KEr } (delayed) */ + /* the IKE_SA (a) does not exist anymore */ + msg->destroy(msg); - /* INFORMATIONAL { D } --> */ - assert_single_payload(IN, PLV2_DELETE); - sa = assert_ike_sa_checkout(data[_i].del_a_i, data[_i].del_a_r, FALSE); - s = exchange_test_helper->process_message(exchange_test_helper, sa, - NULL); - ck_assert_int_eq(DESTROY_ME, s); - charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager, sa); - assert_ike_sa_count(5); - /* <-- INFORMATIONAL { } */ + /* INFORMATIONAL { } --> */ + assert_hook_not_called(ike_rekey); assert_message_empty(IN); - sa = assert_ike_sa_checkout(data[_i].del_a_i, data[_i].del_a_r, TRUE); - s = exchange_test_helper->process_message(exchange_test_helper, sa, + s = exchange_test_helper->process_message(exchange_test_helper, b, NULL); ck_assert_int_eq(DESTROY_ME, s); - charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager, sa); - assert_ike_sa_count(4); - - /* <-- INFORMATIONAL { D } (retransmit/delayed) */ + charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager, b); + assert_ike_sa_count(2); + assert_hook(); + } + else + { + assert_hook_not_called(ike_rekey); assert_single_payload(IN, PLV2_DELETE); - sa = assert_ike_sa_checkout(data[_i].del_b_i, data[_i].del_b_r, FALSE); - s = exchange_test_helper->process_message(exchange_test_helper, sa, d); + s = exchange_test_helper->process_message(exchange_test_helper, a, + NULL); ck_assert_int_eq(DESTROY_ME, s); - charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager, sa); - assert_ike_sa_count(3); + charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager, a); + /* INFORMATIONAL { } --> */ assert_message_empty(IN); - sa = assert_ike_sa_checkout(data[_i].del_b_i, data[_i].del_b_r, TRUE); - s = exchange_test_helper->process_message(exchange_test_helper, sa, + s = exchange_test_helper->process_message(exchange_test_helper, b, NULL); ck_assert_int_eq(DESTROY_ME, s); - charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager, sa); + charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager, b); assert_ike_sa_count(2); /* ike_rekey */ assert_hook(); @@ -1288,6 +2088,179 @@ START_TEST(test_collision_delayed_request_and_delete) } END_TEST +/** + * In this scenario one of the peers does not notice that there is a rekey + * collision because the other request is delayed: + * + * rekey ----\ /---- rekey + * \ / + * detect collision <-----\---/ + * -------\--------> + * \ /---- send additional KE + * \-/----> detect collision + * handle KE <---------/ /---- TEMP_FAIL + * -----------/----> + * <---------/------ delete old SA + * delete ---------/------> + * rekey done / + * sa already gone <------/ + * + * In a variation of this scenario, the TEMP_FAIL notify arrives before + * the delete does. + */ +START_TEST(test_collision_delayed_request_multi_ke) +{ + ike_sa_t *a, *b, *sa; + message_t *msg; + status_t s; + bool after_delete = _i >= 3; + + _i %= 3; + + exchange_test_helper->establish_sa(exchange_test_helper, + &a, &b, &multi_ke_conf); + + /* Three nonces and SPIs are needed (SPI 1 and 2 are used for the initial + * CHILD_SA): + * N1/3 -----\ /----- N2/4 + * N3/5 <-----\--/ + * ... -----\ \-------> ... + * We test this three times, each time a different nonce is the lowest. + */ + struct { + /* Nonces used at each point */ + u_char nonces[3]; + /* SPIs of the deleted IKE_SAs (either redundant or replaced) */ + uint32_t del_a_i, del_a_r; + uint32_t del_b_i, del_b_r; + /* SPIs of the kept IKE_SA */ + uint32_t spi_i, spi_r; + } data[] = { + { { 0x00, 0xFF, 0xFF }, 3, 5, 1, 2, 4, 6 }, + { { 0xFF, 0x00, 0xFF }, 1, 2, 4, 6, 3, 5 }, + { { 0xFF, 0xFF, 0x00 }, 3, 5, 1, 2, 4, 6 }, + { { 0xFF, 0xFF, 0xFF }, 1, 2, 4, 6, 3, 5 }, + }; + /* these should never get called as this results in a successful rekeying */ + assert_hook_not_called(ike_updown); + assert_hook_not_called(child_updown); + + exchange_test_helper->nonce_first_byte = data[_i].nonces[0]; + initiate_rekey(a); + exchange_test_helper->nonce_first_byte = data[_i].nonces[1]; + initiate_rekey(b); + + /* delay the CREATE_CHILD_SA request from a to b */ + msg = exchange_test_helper->sender->dequeue(exchange_test_helper->sender); + + /* <-- CREATE_CHILD_SA { SA, Ni, KEi } */ + exchange_test_helper->nonce_first_byte = data[_i].nonces[2]; + assert_hook_not_called(ike_rekey); + exchange_test_helper->process_message(exchange_test_helper, a, NULL); + assert_ike_sa_state(a, IKE_REKEYING); + assert_child_sa_count(a, 1); + assert_ike_sa_count(0); + assert_hook(); + + /* CREATE_CHILD_SA { SA, Ni, KEr, N(ADD_KE) } --> */ + assert_hook_not_called(ike_rekey); + assert_notify(IN, ADDITIONAL_KEY_EXCHANGE); + exchange_test_helper->process_message(exchange_test_helper, b, NULL); + assert_ike_sa_state(b, IKE_REKEYING); + assert_ike_sa_count(0); + assert_hook(); + + /* CREATE_CHILD_SA { SA, Ni, KEi } --> (delayed) */ + assert_single_notify(OUT, TEMPORARY_FAILURE); + exchange_test_helper->process_message(exchange_test_helper, b, msg); + assert_ike_sa_state(b, IKE_REKEYING); + + /* <-- IKE_FOLLOWUP_KE { KEi, N(ADD_KE) } */ + assert_hook_not_called(ike_rekey); + assert_payload(IN, PLV2_KEY_EXCHANGE); + assert_notify(IN, ADDITIONAL_KEY_EXCHANGE); + /* a waits until it receives the CREATE_CHILD_SA response or a delete */ + exchange_test_helper->process_message(exchange_test_helper, a, NULL); + assert_ike_sa_state(a, IKE_REKEYING); + assert_child_sa_count(a, 1); + assert_ike_sa_count(0); + assert_hook(); + + /* <-- CREATE_CHILD_SA { N(TEMP_FAIL) } */ + if (!after_delete) + { + assert_hook_rekey(ike_rekey, 1, 4); + assert_no_jobs_scheduled(); + exchange_test_helper->process_message(exchange_test_helper, a, NULL); + assert_ike_sa_state(a, IKE_REKEYED); + assert_child_sa_count(a, 0); + sa = assert_ike_sa_checkout(4, 5, FALSE); + assert_ike_sa_state(sa, IKE_ESTABLISHED); + assert_child_sa_count(sa, 1); + assert_ike_sa_count(1); + assert_scheduler(); + assert_hook(); + } + else + { + /* the SA will already be gone later */ + msg = exchange_test_helper->sender->dequeue(exchange_test_helper->sender); + msg->destroy(msg); + } + + /* IKE_FOLLOWUP_KE { KEr } --> */ + assert_hook_rekey(ike_rekey, 1, 4); + assert_payload(IN, PLV2_KEY_EXCHANGE); + assert_no_notify(IN, ADDITIONAL_KEY_EXCHANGE); + exchange_test_helper->process_message(exchange_test_helper, b, NULL); + assert_ike_sa_state(b, IKE_DELETING); + assert_child_sa_count(b, 0); + sa = assert_ike_sa_checkout(4, 5, TRUE); + assert_ike_sa_state(sa, IKE_ESTABLISHED); + assert_child_sa_count(sa, 1); + assert_ike_sa_count(after_delete ? 1 : 2); + assert_hook(); + + /* <-- INFORMATIONAL { D } */ + if (after_delete) + { + assert_hook_rekey(ike_rekey, 1, 4); + assert_single_payload(IN, PLV2_DELETE); + s = exchange_test_helper->process_message(exchange_test_helper, a, NULL); + ck_assert_int_eq(DESTROY_ME, s); + call_ikesa(a, destroy); + sa = assert_ike_sa_checkout(4, 5, FALSE); + assert_ike_sa_state(sa, IKE_ESTABLISHED); + assert_child_sa_count(sa, 1); + assert_ike_sa_count(2); + assert_hook(); + } + else + { + assert_hook_not_called(ike_rekey); + assert_single_payload(IN, PLV2_DELETE); + s = exchange_test_helper->process_message(exchange_test_helper, a, NULL); + ck_assert_int_eq(DESTROY_ME, s); + call_ikesa(a, destroy); + assert_hook(); + } + + /* INFORMATIONAL { } --> */ + assert_hook_not_called(ike_rekey); + assert_message_empty(IN); + s = exchange_test_helper->process_message(exchange_test_helper, b, NULL); + ck_assert_int_eq(DESTROY_ME, s); + call_ikesa(b, destroy); + assert_hook(); + + /* ike_updown/child_updown */ + assert_hook(); + assert_hook(); + + charon->ike_sa_manager->flush(charon->ike_sa_manager); +} +END_TEST + /** * One of the hosts initiates a DELETE of the IKE_SA the other peer is * concurrently trying to rekey. @@ -1370,6 +2343,91 @@ START_TEST(test_collision_delete) } END_TEST +/** + * One of the hosts initiates a DELETE of the IKE_SA the other peer is + * concurrently attempting to rekey with multiple key exchanges. + * + * rekey ----------------> + * <---------------- + * additional ke ----\ /---- delete + * \-----/----> detect collision + * detect collision <---------/ /---- TEMP_FAIL + * delete -----------/----> + * sa already gone <---------/ + */ +START_TEST(test_collision_delete_multi_ke) +{ + ike_sa_t *a, *b; + message_t *msg; + status_t s; + + if (_i) + { /* responder rekeys the IKE_SA */ + exchange_test_helper->establish_sa(exchange_test_helper, + &b, &a, &multi_ke_conf); + } + else + { /* initiator rekeys the IKE_SA */ + exchange_test_helper->establish_sa(exchange_test_helper, + &a, &b, &multi_ke_conf); + } + /* this should never get called as this does not result in a successful + * rekeying on either side */ + assert_hook_not_called(ike_rekey); + + initiate_rekey(a); + + /* CREATE_CHILD_SA { SA, Ni, KEi } --> */ + exchange_test_helper->process_message(exchange_test_helper, b, NULL); + assert_ike_sa_state(b, IKE_REKEYING); + assert_child_sa_count(b, 1); + assert_ike_sa_count(0); + + /* <-- CREATE_CHILD_SA { SA, Nr, KEr, N(ADD_KE) } */ + assert_notify(IN, ADDITIONAL_KEY_EXCHANGE); + exchange_test_helper->process_message(exchange_test_helper, a, NULL); + assert_ike_sa_state(a, IKE_REKEYING); + assert_ike_sa_count(0); + + call_ikesa(b, delete, FALSE); + assert_ike_sa_state(b, IKE_DELETING); + + /* IKE_FOLLOWUP_KE { KEi, N(ADD_KE) } --> */ + assert_single_notify(OUT, TEMPORARY_FAILURE); + exchange_test_helper->process_message(exchange_test_helper, b, NULL); + assert_ike_sa_state(b, IKE_DELETING); + assert_ike_sa_count(0); + + /* <-- INFORMATIONAL { D } */ + assert_hook_updown(ike_updown, FALSE); + assert_hook_updown(child_updown, FALSE); + assert_single_payload(IN, PLV2_DELETE); + assert_message_empty(OUT); + s = exchange_test_helper->process_message(exchange_test_helper, a, NULL); + ck_assert_int_eq(DESTROY_ME, s); + call_ikesa(a, destroy); + assert_hook(); + assert_hook(); + + /* <-- IKE_FOLLOWUP_KE { N(TEMP_FAIL) } */ + /* the SA is already gone */ + msg = exchange_test_helper->sender->dequeue(exchange_test_helper->sender); + msg->destroy(msg); + + /* INFORMATIONAL { } --> */ + assert_hook_updown(ike_updown, FALSE); + assert_hook_updown(child_updown, FALSE); + s = exchange_test_helper->process_message(exchange_test_helper, b, NULL); + ck_assert_int_eq(DESTROY_ME, s); + call_ikesa(b, destroy); + assert_hook(); + assert_hook(); + + /* ike_rekey */ + assert_hook(); +} +END_TEST + /** * One of the hosts initiates a DELETE of the IKE_SA the other peer is * concurrently trying to rekey. However, the delete request is delayed or @@ -1465,21 +2523,28 @@ Suite *ike_rekey_suite_create() tc = tcase_create("regular"); tcase_add_loop_test(tc, test_regular, 0, 2); + tcase_add_loop_test(tc, test_regular_multi_ke, 0, 2); tcase_add_loop_test(tc, test_regular_ke_invalid, 0, 2); + tcase_add_loop_test(tc, test_regular_ke_invalid_multi_ke, 0, 2); suite_add_tcase(s, tc); tc = tcase_create("collisions rekey"); tcase_add_loop_test(tc, test_collision, 0, 4); + tcase_add_loop_test(tc, test_collision_multi_ke, 0, 4); + tcase_add_loop_test(tc, test_collision_mixed, 0, 4); tcase_add_loop_test(tc, test_collision_ke_invalid, 0, 4); tcase_add_loop_test(tc, test_collision_ke_invalid_delayed_retry, 0, 3); tcase_add_loop_test(tc, test_collision_delayed_response, 0, 4); + tcase_add_loop_test(tc, test_collision_delayed_response_multi_ke, 0, 4); tcase_add_loop_test(tc, test_collision_dropped_request, 0, 3); tcase_add_loop_test(tc, test_collision_delayed_request, 0, 3); tcase_add_loop_test(tc, test_collision_delayed_request_and_delete, 0, 3); + tcase_add_loop_test(tc, test_collision_delayed_request_multi_ke, 0, 6); suite_add_tcase(s, tc); tc = tcase_create("collisions delete"); tcase_add_loop_test(tc, test_collision_delete, 0, 2); + tcase_add_loop_test(tc, test_collision_delete_multi_ke, 0, 2); tcase_add_loop_test(tc, test_collision_delete_drop_delete, 0, 2); suite_add_tcase(s, tc); diff --git a/src/libcharon/tests/utils/exchange_test_helper.c b/src/libcharon/tests/utils/exchange_test_helper.c index 23f1132c06..42530be44b 100644 --- a/src/libcharon/tests/utils/exchange_test_helper.c +++ b/src/libcharon/tests/utils/exchange_test_helper.c @@ -277,6 +277,7 @@ METHOD(exchange_test_helper_t, establish_sa, void, ike_sa_id_t *id_i, *id_r; ike_sa_t *sa_i, *sa_r; child_cfg_t *child_i; + proposal_t *proposal; child_i = create_sa(this, init, resp, conf); @@ -294,6 +295,17 @@ METHOD(exchange_test_helper_t, establish_sa, void, /* <-- IKE_SA_INIT */ id_i->set_responder_spi(id_i, id_r->get_responder_spi(id_r)); process_message(this, sa_i, NULL); + + proposal = sa_i->get_proposal(sa_i); + if (proposal->get_algorithm(proposal, ADDITIONAL_KEY_EXCHANGE_1, NULL, + NULL)) + { + /* IKE_INTERMEDIATE --> */ + process_message(this, sa_r, NULL); + /* <-- IKE_INTERMEDIATE */ + process_message(this, sa_i, NULL); + } + /* IKE_AUTH --> */ process_message(this, sa_r, NULL); /* <-- IKE_AUTH */