Hello community, here is the log from the commit of package strongswan for openSUSE:Factory checked in at 2014-11-26 10:33:53 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/strongswan (Old) and /work/SRC/openSUSE:Factory/.strongswan.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "strongswan" Changes: -------- --- /work/SRC/openSUSE:Factory/strongswan/strongswan.changes 2014-07-21 22:35:06.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.strongswan.new/strongswan.changes 2014-11-26 10:33:58.000000000 +0100 
@@ -1,0 +2,44 @@ +Tue Nov 25 11:22:06 UTC 2014 - mt@suse.de + +- Updated strongswan-hmac package description (bsc#856322). + +------------------------------------------------------------------- +Fri Nov 21 12:03:59 UTC 2014 - mt@suse.de + +- Disabled explicit gpg validation; osc source_validator does it. +- Guarded fipscheck and hmac package in the spec file for >13.1. + +------------------------------------------------------------------- +Thu Nov 20 07:43:43 UTC 2014 - mt@suse.de + +- Added generation of fips hmac hash files using fipshmac utility + and a _fipscheck script to verify binaries/libraries/plugings + shipped in the strongswan-hmac package. + With enabled fips in the kernel, the ipsec script will call it + before any action or in a enforced/manual "ipsec _fipscheck" call. + Added config file to load openssl and kernel af-alg plugins, but + not all the other modules which provide further/alternative algs. + Applied a filter disallowing non-approved algorithms in fips mode. + (fate#316931,bnc#856322). + [+ strongswan_fipscheck.patch, strongswan_fipsfilter.patch] +- Fixed file list in the optional (disabled) strongswan-test package. +- Fixed build of the strongswan built-in integrity checksum library + and enabled building it only on architectures tested to work. +- Fix to use bug number 897048 instead 856322 in last changes entry. +- Applied an upstream patch reverting to store algorithms in the + registration order again as ordering them by identifier caused + weaker algorithms to be proposed first by default (bsc#897512). + [+0001-restore-registration-algorithm-order.bug897512.patch] + +------------------------------------------------------------------- +Fri Sep 26 16:02:09 UTC 2014 - mt@suse.de + +- Re-enabled gcrypt plugin and reverted to not enforce fips again + as this breaks gcrypt and openssl plugins when the fips pattern + option is not installed (fate#316931,bnc#856322). 
+ [- strongswan-fips-disablegcrypt.patch] +- Added empty strongswan-hmac package supposed to provide fips hmac + files and enforce fips compliant operation later (bnc#856322). +- Cleaned up conditional build flags in the rpm spec file. + +------------------------------------------------------------------- Old: ---- strongswan-fips-disablegcrypt.patch New: ---- 0001-restore-registration-algorithm-order.bug897512.patch fips-enforce.conf fipscheck.sh.in strongswan_fipscheck.patch strongswan_fipsfilter.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ strongswan.spec ++++++ --- /var/tmp/diff_new_pack.kd5GaV/_old 2014-11-26 10:34:00.000000000 +0100 +++ /var/tmp/diff_new_pack.kd5GaV/_new 2014-11-26 10:34:00.000000000 +0100 @@ -31,16 +31,27 @@ %else %bcond_with tests %endif -%if 0%{suse_version} > 1110 -%bcond_without mysql +%if 0%{suse_version} > 1310 +%bcond_without fipscheck %else -%bcond_with mysql +%bcond_with fipscheck +%endif +%ifarch %{ix86} ppc64le +%bcond_without integrity +%else +%bcond_with integrity %endif %if 0%{suse_version} > 1110 +%bcond_without farp +%bcond_without afalg +%bcond_without mysql %bcond_without sqlite %bcond_without gcrypt %bcond_without nm %else +%bcond_with farp +%bcond_with afalg +%bcond_with mysql %bcond_with sqlite %bcond_with gcrypt %bcond_with nm 
@@ -61,16 +72,23 @@ Source3: %{name}-%{version}-rpmlintrc Source4: README.SUSE Source5: %{name}.keyring +%if %{with fipscheck} +Source6: fipscheck.sh.in +Source7: fips-enforce.conf +%endif Patch1: %{name}_modprobe_syslog.patch Patch2: %{name}_ipsec_service.patch -Patch3: %{name}-fips-disablegcrypt.patch +%if %{with fipscheck} +Patch3: %{name}_fipscheck.patch +Patch4: %{name}_fipsfilter.patch +%endif +Patch5: 0001-restore-registration-algorithm-order.bug897512.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRequires: bison BuildRequires: curl-devel BuildRequires: flex BuildRequires: gmp-devel BuildRequires: gperf -BuildRequires: gpg-offline BuildRequires: libcap-devel BuildRequires: libopenssl-devel BuildRequires: libsoup-devel @@ -91,11 +109,21 @@ BuildRequires: NetworkManager-devel %endif %if %{with systemd} -BuildRequires: pkgconfig(systemd) +%{?systemd_requires} %endif BuildRequires: iptables +%if %{with systemd} %{!?_rundir: %global _rundir /run} %{!?_tmpfilesdir: %global _tmpfilesdir /usr/lib/tmpfiles.d} +%else +%{!?_rundir: %global _rundir /var/run} +%endif +BuildRequires: autoconf +BuildRequires: automake +%if %{with fipscheck} +BuildRequires: fipscheck +%endif +BuildRequires: libtool %description StrongSwan is an OpenSource IPsec-based VPN Solution for Linux 
@@ -161,6 +189,24 @@ This package provides the strongswan library and plugins. +%if %{with fipscheck} + +%package hmac +Summary: HMAC files for FIPS-140-2 integrity +Group: Productivity/Networking/Security +Requires: fipscheck +Requires: strongswan-ipsec = %{version} +Requires: strongswan-libs0 = %{version} + +%description hmac +The package provides HMAC hash files for FIPS-140-2 integrity checks, +a config file disabling alternative algorithm implementations and a +_fipscheck helper script preforming the integrity checks before e.g. +"ipsec start" action is executed, when FIPS-140-2 compliant operation +mode is enabled. + +%endif + %package ipsec Summary: OpenSource IPsec-based VPN Solution Group: Productivity/Networking/Security 
@@ -240,39 +286,58 @@ %endif %prep -%gpg_verify %{S:1} %setup -q -n %{name}-%{upstream_version} %patch1 -p0 %patch2 -p0 -%patch3 -p1 +%if %{with fipscheck} +%patch3 -p0 +%patch4 -p1 +%endif +%patch5 -p1 sed -e 's|@libexecdir@|%_libexecdir|g' \ < $RPM_SOURCE_DIR/strongswan.init.in \ > strongswan.init +%if %{with fipscheck} +sed -e 's|@IPSEC_DIR@|%{_libexecdir}/ipsec|g' \ + -e 's|@IPSEC_LIBDIR@|%{_libdir}/ipsec|g' \ + -e 's|@IPSEC_SBINDIR@|%{_sbindir}|g' \ + -e 's|@IPSEC_BINDIR@|%{_bindir}|g' \ + < $RPM_SOURCE_DIR/fipscheck.sh.in \ + > _fipscheck +%endif %build CFLAGS="$RPM_OPT_FLAGS -W -Wall -Wno-pointer-sign -Wno-strict-aliasing -Wno-unused-parameter" export RPM_OPT_FLAGS CFLAGS -#libtoolize --force -#autoreconf +autoreconf --force --install %configure \ - --enable-conftest \ +%if %{with integrity} --enable-integrity-test \ +%endif --with-capabilities=libcap \ --with-plugindir=%{strongswan_plugins} \ - --with-fips=2 \ --with-resolv-conf=%{_rundir}/%{name}/resolv.conf \ --with-piddir=%{_rundir}/%{name} \ +%if %{with systemd} + --with-systemdsystemunitdir=%{_unitdir} \ +%endif --enable-pkcs11 \ --enable-openssl \ --enable-agent \ +%if %{with gcrypt} --enable-gcrypt \ +%else + --disable-gcrypt \ +%endif --enable-blowfish \ --enable-ctr \ --enable-ccm \ --enable-gcm \ --enable-unity \ --enable-md4 \ +%if %{with afalg} --enable-af-alg \ +%endif --enable-eap-sim \ --enable-eap-sim-file \ --enable-eap-sim-pcsc \ @@ -305,7 +370,9 @@ --enable-imv-scanner \ --enable-ha \ --enable-dhcp \ +%if %{with farp} --enable-farp \ +%endif --enable-smp \ --enable-sql \ --enable-attr-sql \ @@ -322,15 +389,13 @@ %if %{with sqlite} --enable-sqlite \ %endif -%if %{with gcrypt} - --enable-gcrypt \ -%endif %if %{with nm} --enable-nm \ %else --disable-nm \ %endif %if %{with tests} + --enable-conftest \ --enable-load-tester \ --enable-test-vectors \ %endif 
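Review bot: With `%gpg_verify %{S:1}` dropped from `%prep`, nothing in the build itself checks the source tarball's signature any more, while `Source5: %{name}.keyring` is still listed in the preamble. The changelog says the osc source_validator performs the check, so the spec should record that where the call used to be, for example `# tarball signature is verified by the osc source_validator against %{name}.keyring, not during the build`. A rebuild that does not pass through that validator (a local rpmbuild, for instance) presumably gets no verification at all, which is worth stating in the same comment.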
@@ -344,14 +409,44 @@ export RPM_BUILD_ROOT install -d -m755 ${RPM_BUILD_ROOT}%{_sbindir}/ install -d -m755 ${RPM_BUILD_ROOT}%{_sysconfdir}/ipsec.d/ -%if ! %{with systemd} +%if %{with systemd} +ln -sf %_sbindir/service ${RPM_BUILD_ROOT}%_sbindir/rcstrongswan +%else install -d -m755 ${RPM_BUILD_ROOT}%{_sysconfdir}/init.d/ install -m755 strongswan.init ${RPM_BUILD_ROOT}%{_sysconfdir}/init.d/ipsec ln -s %{_sysconfdir}/init.d/ipsec ${RPM_BUILD_ROOT}%{_sbindir}/rcipsec %endif # +# Ensure, plugin -> library dependencies can be resolved +# (e.g. libtls) to avoid plugin segment checksum errors. +# +LD_LIBRARY_PATH="$RPM_BUILD_ROOT-$$%{strongswan_libdir}" \ make install DESTDIR="$RPM_BUILD_ROOT" # +# checksums are calculated during make install using the +# installed binaries/libraries... but find-debuginfo.sh +# extracts debuginfo/debugsource breaking file checksums. +# let find-debuginfo.sh run on a build root copy and then +# calculate the checksums. +# +%if %{with integrity} +%{?__debug_package: + if test -x %{_rpmconfigdir}/find-debuginfo.sh ; then + cp -a "${RPM_BUILD_ROOT}" "${RPM_BUILD_ROOT}-$$" + RPM_BUILD_ROOT="$RPM_BUILD_ROOT-$$" \ + %{_rpmconfigdir}/find-debuginfo.sh \ + %{?_find_debuginfo_opts} "${RPM_BUILD_ROOT}-$$" + make -C src/checksum clean + rm -f src/checksum/checksum_builder + LD_LIBRARY_PATH="$RPM_BUILD_ROOT-$$%{strongswan_libdir}" \ + make -C src/checksum install DESTDIR="$RPM_BUILD_ROOT-$$" + mv "$RPM_BUILD_ROOT-$$%{strongswan_libdir}/libchecksum.so" \ + "$RPM_BUILD_ROOT%{strongswan_libdir}/libchecksum.so" + rm -rf "${RPM_BUILD_ROOT}-$$" + fi +} +%endif +# rm -f ${RPM_BUILD_ROOT}%{_sysconfdir}/ipsec.secrets cat << EOT > ${RPM_BUILD_ROOT}%{_sysconfdir}/ipsec.secrets # 
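Review bot: The `LD_LIBRARY_PATH` set for the first `make install` points at `$RPM_BUILD_ROOT-$$%{strongswan_libdir}`, but that scratch copy is only created later by `cp -a` inside the `%{with integrity}` block. At this point the path does not exist, so the stated goal of resolving plugin -> library dependencies is not met for the initial checksum run. The intended value looks like the real build root: `LD_LIBRARY_PATH="$RPM_BUILD_ROOT%{strongswan_libdir}" \`. Separately, the recomputed `libchecksum.so` is built from the scratch copy after one find-debuginfo.sh run, while the packaged files presumably come from rpm's own later run on the real build root. The comment block should say that the checksums only match if both runs produce identical stripped binaries.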
@@ -362,6 +457,12 @@ # EOT # +%if ! %{with mysql} +rm -f $RPM_BUILD_ROOT%{strongswan_templates}/database/sql/mysql.sql +%endif +%if ! %{with sqlite} +rm -f $RPM_BUILD_ROOT%{strongswan_templates}/database/sql/sqlite.sql +%endif rm -f $RPM_BUILD_ROOT%{strongswan_libdir}/lib{charon,hydra,strongswan,pttls}.so rm -f $RPM_BUILD_ROOT%{strongswan_libdir}/lib{radius,simaka,tls,tnccs,imcv}.so find $RPM_BUILD_ROOT%{strongswan_libdir} -type f -name "*.la" -delete 
@@ -372,26 +473,62 @@ ${RPM_BUILD_ROOT}%{strongswan_docdir}/ install -c -m644 ${RPM_SOURCE_DIR}/README.SUSE \ ${RPM_BUILD_ROOT}%{strongswan_docdir}/ - +%if %{with systemd} %{__install} -d -m 0755 %{buildroot}%{_tmpfilesdir} echo 'd %{_rundir}/%{name} 0770 root root' > %{buildroot}%{_tmpfilesdir}/%{name}.conf - -%post libs0 -p /sbin/ldconfig +%endif +%if %{with fipscheck} +# +# note: keep the following, _fipscheck's and file lists in sync +# +install -c -m750 _fipscheck ${RPM_BUILD_ROOT}%{_libexecdir}/ipsec/ +install -c -m644 ${RPM_SOURCE_DIR}/fips-enforce.conf \ + ${RPM_BUILD_ROOT}%{strongswan_configs}/charon/zzz_fips-enforce.conf +# create fips hmac hashes _after_ install post run +%{expand:%%global __os_install_post {%__os_install_post + for f in $RPM_BUILD_ROOT%{strongswan_libdir}/lib*.so.*.*.* \ + $RPM_BUILD_ROOT%{strongswan_libdir}/imcvs/*.so \ + $RPM_BUILD_ROOT%{strongswan_plugins}/*.so \ + $RPM_BUILD_ROOT%{_libexecdir}/ipsec/charon \ + $RPM_BUILD_ROOT%{_libexecdir}/ipsec/charon-nm \ + $RPM_BUILD_ROOT%{_libexecdir}/ipsec/stroke \ + $RPM_BUILD_ROOT%{_libexecdir}/ipsec/starter \ + $RPM_BUILD_ROOT%{_libexecdir}/ipsec/pool \ + $RPM_BUILD_ROOT%{_libexecdir}/ipsec/scepclient \ + $RPM_BUILD_ROOT%{_libexecdir}/ipsec/pt-tls-client \ + $RPM_BUILD_ROOT%{_libexecdir}/ipsec/imv_policy_manager \ + $RPM_BUILD_ROOT%{_libexecdir}/ipsec/_fipscheck \ + $RPM_BUILD_ROOT%{_sbindir}/ipsec \ + ; + do + /usr/bin/fipshmac "$f" + done +}} +%endif + +%post libs0 +/sbin/ldconfig +%{?tmpfiles_create:%tmpfiles_create %{_tmpfilesdir}/%{name}.conf} +%{!?tmpfiles_create:test -d %{_rundir}/%{name} || %{__mkdir_p} %{_rundir}/%{name}} %postun libs0 -p /sbin/ldconfig %pre ipsec +%if %{with systemd} %service_add_pre %{name}.service +%endif %post ipsec -%if ! %{with systemd} +%if %{with systemd} +%service_add_post %{name}.service +%else %{fillup_and_insserv ipsec} %endif -%{?tmpfiles_create: %tmpfiles_create %{_tmpfilesdir}/%{name}.conf } -%service_add_post %{name}.service %preun ipsec -%if ! 
%{with systemd} +%if %{with systemd} +%service_del_preun %{name}.service +%else %{stop_on_removal ipsec} %endif if test -s %{_sysconfdir}/ipsec.secrets.rpmsave ; then @@ -402,20 +539,38 @@ cp -p --backup=numbered %{_sysconfdir}/ipsec.conf.rpmsave \ %{_sysconfdir}/ipsec.conf.rpmsave.old fi -%service_del_preun %{name}.service %postun ipsec -%if ! %{with systemd} +%if %{with systemd} +%service_del_postun %{name}.service +%else %{insserv_cleanup} %endif -%service_del_postun %{name}.service - %files %defattr(-,root,root) %dir %{strongswan_docdir} %{strongswan_docdir}/README.SUSE +%if %{with fipscheck} + +%files hmac +%defattr(-,root,root) +%dir %{strongswan_configs} +%dir %{strongswan_configs}/charon +%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/zzz_fips-enforce.conf +%dir %{strongswan_libdir} +%{strongswan_libdir}/.*.hmac +%{strongswan_libdir}/imcvs/.*.hmac +%dir %{strongswan_plugins} +%{strongswan_plugins}/.*.hmac +%dir %{_libexecdir}/ipsec +%{_libexecdir}/ipsec/_fipscheck +%{_libexecdir}/ipsec/.*.hmac +%{_sbindir}/.ipsec.hmac + +%endif + %files ipsec %defattr(-,root,root) %config(noreplace) %attr(600,root,root) %{_sysconfdir}/ipsec.conf @@ -431,6 +586,7 @@ %dir %attr(700,root,root) %{_sysconfdir}/ipsec.d/private %if %{with systemd} %{_unitdir}/strongswan.service +%{_sbindir}/rcstrongswan %else %config %{_sysconfdir}/init.d/ipsec %{_sbindir}/rcipsec @@ -446,7 +602,9 @@ %{_libexecdir}/ipsec/_copyright %{_libexecdir}/ipsec/_updown %{_libexecdir}/ipsec/_updown_espmark +%if %{with test} %{_libexecdir}/ipsec/conftest +%endif %{_libexecdir}/ipsec/duplicheck %{_libexecdir}/ipsec/pool %{_libexecdir}/ipsec/pt-tls-client @@ -459,7 +617,6 @@ %dir %{strongswan_plugins} %{strongswan_plugins}/libstrongswan-stroke.so %{strongswan_plugins}/libstrongswan-updown.so -%{_tmpfilesdir}/%{name}.conf %files doc %defattr(-,root,root) 
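Review bot: The `fipshmac` loop in the `__os_install_post` override hashes a fixed list of paths without checking that each file exists or that `/usr/bin/fipshmac` succeeded. `charon-nm` is listed unconditionally although `--enable-nm` sits behind `%if %{with nm}`, and an unmatched glob such as `imcvs/*.so` is passed through literally. Whether the scriptlet aborts on a failing command is not visible here, so the loop should make both decisions explicit, e.g. `test -f "$f" || continue` for entries that are allowed to be absent and `/usr/bin/fipshmac "$f" || exit 1` so a missing HMAC cannot go unnoticed. In the same hunk, the `%post libs0` fallback `%{__mkdir_p} %{_rundir}/%{name}` creates the directory with the default mode, whereas the tmpfiles entry asks for 0770; `install -d -m 0770 %{_rundir}/%{name}` would keep the two paths consistent.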
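Review bot: `%if %{with test}` in `%files ipsec` tests an option this spec never declares, so the guard is always false. The build condition visible elsewhere is `tests` (`%bcond_with tests`, and `%if %{with tests}` around `--enable-conftest`). The result happens to be right, because the `%files tests` hunk further down now lists `%{_libexecdir}/ipsec/conftest`, but correcting the name to `tests` would package the file twice. Removing the `%if`, the `conftest` entry and the `%endif` from `%files ipsec` says what is meant.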
@@ -477,6 +634,9 @@ %files libs0 %defattr(-,root,root) +%if %{with systemd} +%{_tmpfilesdir}/%{name}.conf +%endif %config(noreplace) %attr(600,root,root) %{_sysconfdir}/strongswan.conf %dir %{strongswan_configs} %dir %{strongswan_configs}/charon @@ -489,7 +649,9 @@ %config(noreplace) %attr(600,root,root) %{strongswan_configs}/tools.conf %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/addrblock.conf %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/aes.conf +%if %{with afalg} %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/af-alg.conf +%endif %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/agent.conf %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/attr.conf %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/attr-sql.conf @@ -523,10 +685,14 @@ %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/eap-tls.conf %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/eap-tnc.conf %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/eap-ttls.conf +%if %{with farp} %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/farp.conf +%endif %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/fips-prf.conf %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/gcm.conf +%if %{with gcrypt} %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/gcrypt.conf +%endif %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/gmp.conf %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/ha.conf %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/hmac.conf 
@@ -573,7 +739,9 @@ %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/xauth-pam.conf %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/xcbc.conf %dir %{strongswan_libdir} +%if %{with integrity} %{strongswan_libdir}/libchecksum.so +%endif %{strongswan_libdir}/libcharon.so.* %{strongswan_libdir}/libhydra.so.* %{strongswan_libdir}/libpttls.so.* @@ -591,7 +759,9 @@ %dir %{strongswan_plugins} %{strongswan_plugins}/libstrongswan-addrblock.so %{strongswan_plugins}/libstrongswan-aes.so +%if %{with afalg} %{strongswan_plugins}/libstrongswan-af-alg.so +%endif %{strongswan_plugins}/libstrongswan-agent.so %{strongswan_plugins}/libstrongswan-attr.so %{strongswan_plugins}/libstrongswan-attr-sql.so @@ -625,7 +795,9 @@ %{strongswan_plugins}/libstrongswan-eap-tls.so %{strongswan_plugins}/libstrongswan-eap-tnc.so %{strongswan_plugins}/libstrongswan-eap-ttls.so +%if %{with farp} %{strongswan_plugins}/libstrongswan-farp.so +%endif %{strongswan_plugins}/libstrongswan-fips-prf.so %{strongswan_plugins}/libstrongswan-gcm.so %if %{with gcrypt} @@ -685,7 +857,9 @@ %{strongswan_templates}/config/strongswan.conf %{strongswan_templates}/config/plugins/addrblock.conf %{strongswan_templates}/config/plugins/aes.conf +%if %{with afalg} %{strongswan_templates}/config/plugins/af-alg.conf +%endif %{strongswan_templates}/config/plugins/agent.conf %{strongswan_templates}/config/plugins/attr-sql.conf %{strongswan_templates}/config/plugins/attr.conf 
@@ -719,10 +893,14 @@ %{strongswan_templates}/config/plugins/eap-tls.conf %{strongswan_templates}/config/plugins/eap-tnc.conf %{strongswan_templates}/config/plugins/eap-ttls.conf +%if %{with farp} %{strongswan_templates}/config/plugins/farp.conf +%endif %{strongswan_templates}/config/plugins/fips-prf.conf %{strongswan_templates}/config/plugins/gcm.conf +%if %{with gcrypt} %{strongswan_templates}/config/plugins/gcrypt.conf +%endif %{strongswan_templates}/config/plugins/gmp.conf %{strongswan_templates}/config/plugins/ha.conf %{strongswan_templates}/config/plugins/hmac.conf @@ -831,6 +1009,18 @@ %files tests %defattr(-,root,root) +%dir %{strongswan_configs} +%dir %{strongswan_configs}/charon +%{strongswan_configs}/charon/load-tester.conf +%{strongswan_configs}/charon/test-vectors.conf +%dir %{strongswan_templates} +%dir %{strongswan_templates}/config +%dir %{strongswan_templates}/config/plugins +%{strongswan_templates}/config/plugins/load-tester.conf +%{strongswan_templates}/config/plugins/test-vectors.conf +%dir %{_libexecdir}/ipsec +%{_libexecdir}/ipsec/conftest +%{_libexecdir}/ipsec/load-tester %dir %{strongswan_libdir} %dir %{strongswan_plugins} %{strongswan_plugins}/libstrongswan-load-tester.so ++++++ 0001-restore-registration-algorithm-order.bug897512.patch ++++++
From 76ad8a6f4c83c999b9eb6d1a3506b1a8e593307e Mon Sep 17 00:00:00 2001 From: Tobias Brunner
Date: Fri, 20 Jun 2014 16:22:15 +0200 Subject: [PATCH] Merge branch 'algorithm-order' Upstream: yes References: bsc#897512
Restores the behavior we had before 2e22333fb (except for RNGs), that is,
algorithms are stored in the registration order again. Which is not optimal
as we must rely on plugins to register them in a sensible order, but ordering
them by identifier definitely caused weaker algorithms to be proposed first
in the default proposal, which was even worse.
---
src/libstrongswan/crypto/crypto_factory.c | 18 +-
src/libstrongswan/tests/Makefile.am | 1 +
.../tests/suites/test_crypto_factory.c | 312 +++++++++++++++++++++
src/libstrongswan/tests/tests.h | 1 +
4 files changed, 327 insertions(+), 5 deletions(-)
create mode 100644 src/libstrongswan/tests/suites/test_crypto_factory.c
diff --git a/src/libstrongswan/crypto/crypto_factory.c b/src/libstrongswan/crypto/crypto_factory.c
index 6dea30e..96fbc0d 100644
--- a/src/libstrongswan/crypto/crypto_factory.c
+++ b/src/libstrongswan/crypto/crypto_factory.c
@@ -392,10 +392,10 @@ METHOD(crypto_factory_t, create_dh, diffie_hellman_t*,
/**
* Insert an algorithm entry to a list
*
- * Entries are sorted by algorithm identifier (which is important for RNGs)
- * while maintaining the order in which algorithms were added, unless they were
+ * Entries maintain the order in which algorithms were added, unless they were
* benchmarked and speed is provided, which then is used to order entries of
* the same algorithm.
+ * An exception are RNG entries, which are sorted by algorithm identifier.
*/
static void add_entry(private_crypto_factory_t *this, linked_list_t *list,
int algo, const char *plugin_name,
@@ -403,6 +403,7 @@ static void add_entry(private_crypto_factory_t *this, linked_list_t *list,
{
enumerator_t *enumerator;
entry_t *entry, *current;
+ bool sort = (list == this->rngs), found = FALSE;
INIT(entry,
.algo = algo,
@@ -415,12 +416,19 @@ static void add_entry(private_crypto_factory_t *this, linked_list_t *list,
enumerator = list->create_enumerator(list);
while (enumerator->enumerate(enumerator, ¤t))
{
- if (current->algo > algo)
+ if (sort && current->algo > algo)
{
break;
}
- else if (current->algo == algo && speed &&
- current->speed < speed)
+ else if (current->algo == algo)
+ {
+ if (speed > current->speed)
+ {
+ break;
+ }
+ found = TRUE;
+ }
+ else if (found)
{
break;
}
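Review bot: The rewritten loop depends on an invariant that is not written down: entries for one algorithm are kept contiguous, `found` records that the scan has entered that group, and `else if (found)` stops at the first entry after it. A short comment on that branch would make this readable, e.g. `/* past the last entry for this algorithm, insert here to keep the group together */`, and `sort` (declared in the previous hunk) deserves `/* only the RNG list stays ordered by identifier */`. The function comment could also state that for every other list the order seen by the default proposal is the plugin registration order, since that is the property the commit message says callers now rely on. add_entry's body continues outside the hunk.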
diff --git a/src/libstrongswan/tests/Makefile.am b/src/libstrongswan/tests/Makefile.am
index 331a548..0bdf2b3 100644
--- a/src/libstrongswan/tests/Makefile.am
+++ b/src/libstrongswan/tests/Makefile.am
@@ -42,6 +42,7 @@ tests_SOURCES = tests.h tests.c \
suites/test_host.c \
suites/test_hasher.c \
suites/test_crypter.c \
+ suites/test_crypto_factory.c \
suites/test_pen.c \
suites/test_asn1.c \
suites/test_asn1_parser.c \
diff --git a/src/libstrongswan/tests/suites/test_crypto_factory.c b/src/libstrongswan/tests/suites/test_crypto_factory.c
new file mode 100644
index 0000000..94f45da
--- /dev/null
+++ b/src/libstrongswan/tests/suites/test_crypto_factory.c
@@ -0,0 +1,312 @@
+/*
+ * Copyright (C) 2014 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See http://www.fsf.org/copyleft/gpl.txt.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "test_suite.h"
+
+#include