1 /*
2 * Copyright (C) 2016 Tobias Brunner
3 * Hochschule fuer Technik Rapperswil
4 *
5 * This program is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License as published by the
7 * Free Software Foundation; either version 2 of the License, or (at your
8 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
9 *
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
13 * for more details.
14 */
15
16 #include "test_suite.h"
17
18 #include <credentials/auth_cfg.h>
19
/**
 * Constraint strings and the signature schemes they are expected to produce.
 *
 * sig holds the expected AUTH_RULE_SIGNATURE_SCHEME entries, ike the expected
 * AUTH_RULE_IKE_SIGNATURE_SCHEME entries (only set for "ike:" prefixed parts).
 * Both lists are zero-terminated; check_sig_constraints() relies on that.
 */
struct {
	char *constraints;
	signature_scheme_t sig[5];
	signature_scheme_t ike[5];
} sig_constraints_tests[] = {
	/* plain constraints only set regular signature schemes */
	{ .constraints = "rsa-sha256",
	  .sig = { SIGN_RSA_EMSA_PKCS1_SHA256, 0 },
	  .ike = {0} },
	{ .constraints = "rsa-sha256-sha512",
	  .sig = { SIGN_RSA_EMSA_PKCS1_SHA256, SIGN_RSA_EMSA_PKCS1_SHA512, 0 },
	  .ike = {0} },
	{ .constraints = "ecdsa-sha256",
	  .sig = { SIGN_ECDSA_WITH_SHA256_DER, SIGN_ECDSA_256, 0 },
	  .ike = {0} },
	{ .constraints = "rsa-sha256-ecdsa-sha256",
	  .sig = { SIGN_RSA_EMSA_PKCS1_SHA256, SIGN_ECDSA_WITH_SHA256_DER,
			   SIGN_ECDSA_256, 0 },
	  .ike = {0} },
	/* "pubkey" expands to every supported public key algorithm */
	{ .constraints = "pubkey-sha256",
	  .sig = { SIGN_RSA_EMSA_PKCS1_SHA256, SIGN_ECDSA_WITH_SHA256_DER,
			   SIGN_ECDSA_256, SIGN_BLISS_WITH_SHA2_256, 0 },
	  .ike = {0} },
	/* "ike:" prefixed parts only set IKE signature schemes */
	{ .constraints = "ike:rsa-sha256",
	  .sig = {0},
	  .ike = { SIGN_RSA_EMSA_PKCS1_SHA256, 0 } },
	{ .constraints = "ike:rsa-sha256-rsa-sha256",
	  .sig = { SIGN_RSA_EMSA_PKCS1_SHA256, 0 },
	  .ike = { SIGN_RSA_EMSA_PKCS1_SHA256, 0 } },
	{ .constraints = "rsa-sha256-ike:rsa-sha256",
	  .sig = { SIGN_RSA_EMSA_PKCS1_SHA256, 0 },
	  .ike = { SIGN_RSA_EMSA_PKCS1_SHA256, 0 } },
	{ .constraints = "ike:pubkey-sha256",
	  .sig = {0},
	  .ike = { SIGN_RSA_EMSA_PKCS1_SHA256, SIGN_ECDSA_WITH_SHA256_DER,
			   SIGN_ECDSA_256, SIGN_BLISS_WITH_SHA2_256, 0 } },
	/* an algorithm without a hash (or with a key-strength token in between)
	 * is expected to contribute no scheme of its own */
	{ .constraints = "rsa-ecdsa-sha256",
	  .sig = { SIGN_ECDSA_WITH_SHA256_DER, SIGN_ECDSA_256, 0 },
	  .ike = {0} },
	{ .constraints = "rsa-4096-ecdsa-sha256",
	  .sig = { SIGN_ECDSA_WITH_SHA256_DER, SIGN_ECDSA_256, 0 },
	  .ike = {0} },
	{ .constraints = "rsa-4096-ecdsa-256-sha256",
	  .sig = { SIGN_ECDSA_WITH_SHA256_DER, SIGN_ECDSA_256, 0 },
	  .ike = {0} },
	{ .constraints = "rsa-ecdsa256-sha256",
	  .sig = { SIGN_RSA_EMSA_PKCS1_SHA256, 0 },
	  .ike = {0} },
	/* no recognised algorithm/hash pair: nothing is expected to be added */
	{ .constraints = "rsa4096-sha256",
	  .sig = {0},
	  .ike = {0} },
	{ .constraints = "sha256",
	  .sig = {0},
	  .ike = {0} },
	{ .constraints = "ike:sha256",
	  .sig = {0},
	  .ike = {0} },
};
42
/**
 * Assert that the rules of the given type in cfg are exactly the schemes in
 * expected, in the same order.
 *
 * @param cfg		auth config to enumerate
 * @param type		rule type to compare (AUTH_RULE_[IKE_]SIGNATURE_SCHEME)
 * @param expected	zero-terminated list of expected signature schemes
 */
static void check_sig_constraints(auth_cfg_t *cfg, auth_rule_t type,
								  signature_scheme_t expected[])
{
	enumerator_t *rules;
	auth_rule_t rule;
	void *scheme;
	int matched = 0;

	rules = cfg->create_enumerator(cfg);
	while (rules->enumerate(rules, &rule, &scheme))
	{
		if (rule != type)
		{
			continue;
		}
		/* hitting the terminator here means cfg has more schemes than
		 * expected; checking it first also keeps the index in bounds */
		ck_assert(expected[matched]);
		/* scheme values are stored as pointer-sized integers in the config */
		ck_assert_int_eq(expected[matched], (signature_scheme_t)scheme);
		matched++;
	}
	rules->destroy(rules);
	/* a remaining non-zero entry means cfg has fewer schemes than expected */
	ck_assert(!expected[matched]);
}
64
/**
 * Compare both scheme rule types of cfg against the expected lists, then
 * destroy cfg.
 *
 * @param cfg			auth config to verify, destroyed by this function
 * @param expected_sig	expected AUTH_RULE_SIGNATURE_SCHEME entries
 * @param expected_ike	expected AUTH_RULE_IKE_SIGNATURE_SCHEME entries
 */
static void verify_and_destroy(auth_cfg_t *cfg,
							   signature_scheme_t expected_sig[],
							   signature_scheme_t expected_ike[])
{
	check_sig_constraints(cfg, AUTH_RULE_SIGNATURE_SCHEME, expected_sig);
	check_sig_constraints(cfg, AUTH_RULE_IKE_SIGNATURE_SCHEME, expected_ike);
	cfg->destroy(cfg);
}

/**
 * Parse each table entry without and with IKE constraints enabled and check
 * the resulting schemes. _i is the loop index supplied by the test case.
 */
START_TEST(test_sig_contraints)
{
	signature_scheme_t none[] = {0};
	auth_cfg_t *cfg;

	/* ike = FALSE: no IKE signature scheme rules must be created at all */
	cfg = auth_cfg_create();
	cfg->add_pubkey_constraints(cfg, sig_constraints_tests[_i].constraints, FALSE);
	verify_and_destroy(cfg, sig_constraints_tests[_i].sig, none);

	/* disable the fallback so only explicit "ike:" parts yield IKE schemes */
	lib->settings->set_bool(lib->settings, "%s.signature_authentication_constraints",
							FALSE, lib->ns);

	cfg = auth_cfg_create();
	cfg->add_pubkey_constraints(cfg, sig_constraints_tests[_i].constraints, TRUE);
	verify_and_destroy(cfg, sig_constraints_tests[_i].sig,
					   sig_constraints_tests[_i].ike);
}
END_TEST
86
/**
 * With signature_authentication_constraints enabled, entries without explicit
 * "ike:" schemes are expected to reuse their regular signature schemes as IKE
 * schemes. _i is the loop index supplied by the test case.
 */
START_TEST(test_ike_contraints_fallback)
{
	auth_cfg_t *cfg;
	signature_scheme_t *expected_ike;

	lib->settings->set_bool(lib->settings, "%s.signature_authentication_constraints",
							TRUE, lib->ns);

	/* an empty ike list means the regular schemes are expected to be used */
	expected_ike = sig_constraints_tests[_i].ike[0] ? sig_constraints_tests[_i].ike
													: sig_constraints_tests[_i].sig;

	cfg = auth_cfg_create();
	cfg->add_pubkey_constraints(cfg, sig_constraints_tests[_i].constraints, TRUE);
	check_sig_constraints(cfg, AUTH_RULE_SIGNATURE_SCHEME,
						  sig_constraints_tests[_i].sig);
	check_sig_constraints(cfg, AUTH_RULE_IKE_SIGNATURE_SCHEME, expected_ike);
	cfg->destroy(cfg);
}
END_TEST
108
/**
 * Build the auth_cfg test suite.
 *
 * @return	suite with both loop tests running over sig_constraints_tests
 */
Suite *auth_cfg_suite_create()
{
	Suite *suite = suite_create("auth_cfg");
	TCase *constraints = tcase_create("add_pubkey_constraints");

	/* every table entry is exercised once per test via the loop index _i */
	tcase_add_loop_test(constraints, test_sig_contraints, 0,
						countof(sig_constraints_tests));
	tcase_add_loop_test(constraints, test_ike_contraints_fallback, 0,
						countof(sig_constraints_tests));
	suite_add_tcase(suite, constraints);

	return suite;
}