]>
Commit | Line | Data |
---|---|---|
3c23a751 TB |
1 | /* |
2 | * Copyright (C) 2016 Tobias Brunner | |
3 | * Hochschule fuer Technik Rapperswil | |
4 | * | |
5 | * This program is free software; you can redistribute it and/or modify it | |
6 | * under the terms of the GNU General Public License as published by the | |
7 | * Free Software Foundation; either version 2 of the License, or (at your | |
8 | * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. | |
9 | * | |
10 | * This program is distributed in the hope that it will be useful, but | |
11 | * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY | |
12 | * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License | |
13 | * for more details. | |
14 | */ | |
15 | ||
16 | #include "test_suite.h" | |
17 | ||
18 | #include <credentials/auth_cfg.h> | |
19 | ||
20 | struct { | |
21 | char *constraints; | |
22 | signature_scheme_t sig[5]; | |
23 | signature_scheme_t ike[5]; | |
24 | } sig_constraints_tests[] = { | |
40f2589a AS |
25 | { "rsa-sha256", { SIGN_RSA_EMSA_PKCS1_SHA2_256, 0 }, {0}}, |
26 | { "rsa-sha256-sha512", { SIGN_RSA_EMSA_PKCS1_SHA2_256, SIGN_RSA_EMSA_PKCS1_SHA2_512, 0 }, {0}}, | |
3c23a751 | 27 | { "ecdsa-sha256", { SIGN_ECDSA_WITH_SHA256_DER, SIGN_ECDSA_256, 0 }, {0}}, |
40f2589a AS |
28 | { "rsa-sha256-ecdsa-sha256", { SIGN_RSA_EMSA_PKCS1_SHA2_256, SIGN_ECDSA_WITH_SHA256_DER, SIGN_ECDSA_256, 0 }, {0}}, |
29 | { "pubkey-sha256", { SIGN_RSA_EMSA_PKCS1_SHA2_256, SIGN_ECDSA_WITH_SHA256_DER, SIGN_ECDSA_256, SIGN_BLISS_WITH_SHA2_256, 0 }, {0}}, | |
30 | { "ike:rsa-sha256", {0}, { SIGN_RSA_EMSA_PKCS1_SHA2_256, 0 }}, | |
31 | { "ike:rsa-sha256-rsa-sha256", { SIGN_RSA_EMSA_PKCS1_SHA2_256, 0 }, { SIGN_RSA_EMSA_PKCS1_SHA2_256, 0 }}, | |
32 | { "rsa-sha256-ike:rsa-sha256", { SIGN_RSA_EMSA_PKCS1_SHA2_256, 0 }, { SIGN_RSA_EMSA_PKCS1_SHA2_256, 0 }}, | |
33 | { "ike:pubkey-sha256", {0}, { SIGN_RSA_EMSA_PKCS1_SHA2_256, SIGN_ECDSA_WITH_SHA256_DER, SIGN_ECDSA_256, SIGN_BLISS_WITH_SHA2_256, 0 }}, | |
3c23a751 TB |
34 | { "rsa-ecdsa-sha256", { SIGN_ECDSA_WITH_SHA256_DER, SIGN_ECDSA_256, 0 }, {0}}, |
35 | { "rsa-4096-ecdsa-sha256", { SIGN_ECDSA_WITH_SHA256_DER, SIGN_ECDSA_256, 0 }, {0}}, | |
36 | { "rsa-4096-ecdsa-256-sha256", { SIGN_ECDSA_WITH_SHA256_DER, SIGN_ECDSA_256, 0 }, {0}}, | |
40f2589a | 37 | { "rsa-ecdsa256-sha256", { SIGN_RSA_EMSA_PKCS1_SHA2_256, 0 }, {0}}, |
3c23a751 TB |
38 | { "rsa4096-sha256", {0}, {0}}, |
39 | { "sha256", {0}, {0}}, | |
40 | { "ike:sha256", {0}, {0}}, | |
41 | }; | |
42 | ||
43 | static void check_sig_constraints(auth_cfg_t *cfg, auth_rule_t type, | |
44 | signature_scheme_t expected[]) | |
45 | { | |
46 | enumerator_t *enumerator; | |
47 | auth_rule_t t; | |
54f8d092 | 48 | signature_params_t *value; |
3c23a751 TB |
49 | int i = 0; |
50 | ||
51 | enumerator = cfg->create_enumerator(cfg); | |
52 | while (enumerator->enumerate(enumerator, &t, &value)) | |
53 | { | |
54 | if (t == type) | |
55 | { | |
56 | ck_assert(expected[i]); | |
54f8d092 | 57 | ck_assert_int_eq(expected[i], value->scheme); |
3c23a751 TB |
58 | i++; |
59 | } | |
60 | } | |
61 | enumerator->destroy(enumerator); | |
62 | ck_assert(!expected[i]); | |
63 | } | |
64 | ||
65 | START_TEST(test_sig_contraints) | |
66 | { | |
67 | auth_cfg_t *cfg; | |
68 | signature_scheme_t none[] = {0}; | |
69 | ||
70 | cfg = auth_cfg_create(); | |
71 | cfg->add_pubkey_constraints(cfg, sig_constraints_tests[_i].constraints, FALSE); | |
72 | check_sig_constraints(cfg, AUTH_RULE_SIGNATURE_SCHEME, sig_constraints_tests[_i].sig); | |
73 | check_sig_constraints(cfg, AUTH_RULE_IKE_SIGNATURE_SCHEME, none); | |
74 | cfg->destroy(cfg); | |
75 | ||
76 | lib->settings->set_bool(lib->settings, "%s.signature_authentication_constraints", | |
77 | FALSE, lib->ns); | |
78 | ||
79 | cfg = auth_cfg_create(); | |
80 | cfg->add_pubkey_constraints(cfg, sig_constraints_tests[_i].constraints, TRUE); | |
81 | check_sig_constraints(cfg, AUTH_RULE_SIGNATURE_SCHEME, sig_constraints_tests[_i].sig); | |
82 | check_sig_constraints(cfg, AUTH_RULE_IKE_SIGNATURE_SCHEME, sig_constraints_tests[_i].ike); | |
83 | cfg->destroy(cfg); | |
84 | } | |
85 | END_TEST | |
86 | ||
87 | START_TEST(test_ike_contraints_fallback) | |
88 | { | |
89 | auth_cfg_t *cfg; | |
90 | ||
91 | lib->settings->set_bool(lib->settings, "%s.signature_authentication_constraints", | |
92 | TRUE, lib->ns); | |
93 | ||
94 | cfg = auth_cfg_create(); | |
95 | cfg->add_pubkey_constraints(cfg, sig_constraints_tests[_i].constraints, TRUE); | |
96 | check_sig_constraints(cfg, AUTH_RULE_SIGNATURE_SCHEME, sig_constraints_tests[_i].sig); | |
97 | if (sig_constraints_tests[_i].ike[0]) | |
98 | { | |
99 | check_sig_constraints(cfg, AUTH_RULE_IKE_SIGNATURE_SCHEME, sig_constraints_tests[_i].ike); | |
100 | } | |
101 | else | |
102 | { | |
103 | check_sig_constraints(cfg, AUTH_RULE_IKE_SIGNATURE_SCHEME, sig_constraints_tests[_i].sig); | |
104 | } | |
105 | cfg->destroy(cfg); | |
106 | } | |
107 | END_TEST | |
108 | ||
634c6ba8 TB |
109 | typedef union { |
110 | rsa_pss_params_t pss; | |
111 | } signature_param_types_t; | |
112 | ||
113 | struct { | |
114 | char *constraints; | |
115 | signature_scheme_t sig[5]; | |
116 | signature_param_types_t p[5]; | |
117 | } sig_constraints_params_tests[] = { | |
118 | { "rsa/pss-sha256", { SIGN_RSA_EMSA_PSS, 0 }, { | |
119 | { .pss = { .hash = HASH_SHA256, .mgf1_hash = HASH_SHA256, .salt_len = HASH_SIZE_SHA256, }}}}, | |
120 | { "rsa/pss-sha256-sha384", { SIGN_RSA_EMSA_PSS, SIGN_RSA_EMSA_PSS, 0 }, { | |
121 | { .pss = { .hash = HASH_SHA256, .mgf1_hash = HASH_SHA256, .salt_len = HASH_SIZE_SHA256, }}, | |
122 | { .pss = { .hash = HASH_SHA384, .mgf1_hash = HASH_SHA384, .salt_len = HASH_SIZE_SHA384, }}}}, | |
123 | { "rsa/pss-sha256-rsa-sha256", { SIGN_RSA_EMSA_PSS, SIGN_RSA_EMSA_PKCS1_SHA2_256, 0 }, { | |
124 | { .pss = { .hash = HASH_SHA256, .mgf1_hash = HASH_SHA256, .salt_len = HASH_SIZE_SHA256, }}}}, | |
125 | { "rsa-sha256-rsa/pss-sha256", { SIGN_RSA_EMSA_PKCS1_SHA2_256, SIGN_RSA_EMSA_PSS, 0 }, { | |
126 | {}, | |
127 | { .pss = { .hash = HASH_SHA256, .mgf1_hash = HASH_SHA256, .salt_len = HASH_SIZE_SHA256, }}}}, | |
128 | { "rsa/pss", { 0 }, {}}, | |
129 | }; | |
130 | ||
131 | static void check_sig_constraints_params(auth_cfg_t *cfg, auth_rule_t type, | |
132 | signature_scheme_t scheme[], | |
133 | signature_param_types_t p[]) | |
134 | { | |
135 | enumerator_t *enumerator; | |
136 | auth_rule_t t; | |
137 | signature_params_t *value; | |
138 | int i = 0; | |
139 | ||
140 | enumerator = cfg->create_enumerator(cfg); | |
141 | while (enumerator->enumerate(enumerator, &t, &value)) | |
142 | { | |
143 | if (t == type) | |
144 | { | |
145 | if (scheme[i] == SIGN_RSA_EMSA_PSS) | |
146 | { | |
147 | signature_params_t expected = { | |
148 | .scheme = scheme[i], | |
149 | .params = &p[i].pss, | |
150 | }; | |
151 | ck_assert(signature_params_equal(value, &expected)); | |
152 | } | |
153 | else | |
154 | { | |
155 | ck_assert(scheme[i]); | |
156 | ck_assert(!value->params); | |
157 | ck_assert_int_eq(scheme[i], value->scheme); | |
158 | } | |
159 | i++; | |
160 | } | |
161 | } | |
162 | enumerator->destroy(enumerator); | |
163 | ck_assert(!scheme[i]); | |
164 | } | |
165 | ||
166 | START_TEST(test_sig_contraints_params) | |
167 | { | |
168 | auth_cfg_t *cfg; | |
169 | ||
170 | cfg = auth_cfg_create(); | |
171 | cfg->add_pubkey_constraints(cfg, sig_constraints_params_tests[_i].constraints, TRUE); | |
172 | check_sig_constraints_params(cfg, AUTH_RULE_IKE_SIGNATURE_SCHEME, | |
173 | sig_constraints_params_tests[_i].sig, | |
174 | sig_constraints_params_tests[_i].p); | |
175 | cfg->destroy(cfg); | |
176 | } | |
177 | END_TEST | |
178 | ||
fde0c763 TB |
179 | struct { |
180 | char *constraints; | |
181 | signature_scheme_t sig[6]; | |
182 | signature_param_types_t p[6]; | |
183 | } sig_constraints_rsa_pss_tests[] = { | |
184 | { "pubkey-sha256", { SIGN_RSA_EMSA_PSS, SIGN_RSA_EMSA_PKCS1_SHA2_256, SIGN_ECDSA_WITH_SHA256_DER, SIGN_ECDSA_256, SIGN_BLISS_WITH_SHA2_256, 0 }, { | |
185 | { .pss = { .hash = HASH_SHA256, .mgf1_hash = HASH_SHA256, .salt_len = HASH_SIZE_SHA256, }}, {}, {}, {}, {}}}, | |
186 | { "rsa-sha256", { SIGN_RSA_EMSA_PSS, SIGN_RSA_EMSA_PKCS1_SHA2_256, 0 }, { | |
187 | { .pss = { .hash = HASH_SHA256, .mgf1_hash = HASH_SHA256, .salt_len = HASH_SIZE_SHA256, }}, {}}}, | |
188 | }; | |
189 | ||
190 | START_TEST(test_sig_contraints_rsa_pss) | |
191 | { | |
192 | auth_cfg_t *cfg; | |
193 | ||
194 | lib->settings->set_bool(lib->settings, "%s.rsa_pss", TRUE, lib->ns); | |
195 | ||
196 | cfg = auth_cfg_create(); | |
197 | cfg->add_pubkey_constraints(cfg, sig_constraints_rsa_pss_tests[_i].constraints, TRUE); | |
198 | check_sig_constraints_params(cfg, AUTH_RULE_IKE_SIGNATURE_SCHEME, | |
199 | sig_constraints_rsa_pss_tests[_i].sig, | |
200 | sig_constraints_rsa_pss_tests[_i].p); | |
201 | cfg->destroy(cfg); | |
202 | } | |
203 | END_TEST | |
204 | ||
3c23a751 TB |
205 | Suite *auth_cfg_suite_create() |
206 | { | |
207 | Suite *s; | |
208 | TCase *tc; | |
209 | ||
210 | s = suite_create("auth_cfg"); | |
211 | ||
212 | tc = tcase_create("add_pubkey_constraints"); | |
213 | tcase_add_loop_test(tc, test_sig_contraints, 0, countof(sig_constraints_tests)); | |
214 | tcase_add_loop_test(tc, test_ike_contraints_fallback, 0, countof(sig_constraints_tests)); | |
215 | suite_add_tcase(s, tc); | |
216 | ||
634c6ba8 TB |
217 | tc = tcase_create("add_pubkey_constraints parameters"); |
218 | tcase_add_loop_test(tc, test_sig_contraints_params, 0, countof(sig_constraints_params_tests)); | |
fde0c763 | 219 | tcase_add_loop_test(tc, test_sig_contraints_rsa_pss, 0, countof(sig_constraints_rsa_pss_tests)); |
634c6ba8 TB |
220 | suite_add_tcase(s, tc); |
221 | ||
3c23a751 TB |
222 | return s; |
223 | } |