auth-cfg: Store signature schemes as signature_params_t objects
authorTobias Brunner <tobias@strongswan.org>
Fri, 13 Oct 2017 13:02:02 +0000 (15:02 +0200)
committerTobias Brunner <tobias@strongswan.org>
Wed, 8 Nov 2017 15:48:10 +0000 (16:48 +0100)
Due to circular references the hasher_from_signature_scheme() helper
does not take a signature_params_t object.

src/libcharon/sa/ikev2/authenticators/pubkey_authenticator.c
src/libcharon/sa/ikev2/tasks/ike_init.c
src/libstrongswan/credentials/auth_cfg.c
src/libstrongswan/credentials/auth_cfg.h
src/libstrongswan/credentials/credential_manager.c
src/libstrongswan/crypto/hashers/hasher.c
src/libstrongswan/crypto/hashers/hasher.h
src/libstrongswan/tests/suites/test_auth_cfg.c
src/libstrongswan/tests/suites/test_hasher.c
src/pki/pki.c

index befdfe3..dbdde59 100644 (file)
@@ -114,7 +114,7 @@ static array_t *select_signature_schemes(keymat_v2_t *keymat,
 {
        enumerator_t *enumerator;
        signature_scheme_t scheme;
-       uintptr_t config;
+       signature_params_t *config;
        auth_rule_t rule;
        key_type_t key_type;
        bool have_config = FALSE;
@@ -130,11 +130,12 @@ static array_t *select_signature_schemes(keymat_v2_t *keymat,
                        continue;
                }
                have_config = TRUE;
-               if (key_type == key_type_from_signature_scheme(config) &&
+               if (key_type == key_type_from_signature_scheme(config->scheme) &&
                        keymat->hash_algorithm_supported(keymat,
-                                                                               hasher_from_signature_scheme(config)))
+                                                               hasher_from_signature_scheme(config->scheme,
+                                                                                                                        config->params)))
                {
-                       scheme = config;
+                       scheme = config->scheme;
                        array_insert(selected, ARRAY_TAIL, &scheme);
                }
        }
@@ -149,7 +150,8 @@ static array_t *select_signature_schemes(keymat_v2_t *keymat,
                while (enumerator->enumerate(enumerator, &scheme))
                {
                        if (keymat->hash_algorithm_supported(keymat,
-                                                                               hasher_from_signature_scheme(scheme)))
+                                                                               hasher_from_signature_scheme(scheme,
+                                                                                                                                        NULL)))
                        {
                                array_insert(selected, ARRAY_TAIL, &scheme);
                        }
@@ -180,7 +182,8 @@ static array_t *select_signature_schemes(keymat_v2_t *keymat,
                                        }
                                }
                                if (!found && keymat->hash_algorithm_supported(keymat,
-                                                                               hasher_from_signature_scheme(scheme)))
+                                                                               hasher_from_signature_scheme(scheme,
+                                                                                                                                        NULL)))
                                {
                                        array_insert(selected, ARRAY_TAIL, &scheme);
                                }
@@ -383,7 +386,7 @@ METHOD(authenticator_t, process, status_t,
        auth_cfg_t *auth, *current_auth;
        enumerator_t *enumerator;
        key_type_t key_type = KEY_ECDSA;
-       signature_scheme_t scheme;
+       signature_params_t params;
        status_t status = NOT_FOUND;
        const char *reason = "unsupported";
        bool online;
@@ -399,19 +402,19 @@ METHOD(authenticator_t, process, status_t,
        {
                case AUTH_RSA:
                        key_type = KEY_RSA;
-                       scheme = SIGN_RSA_EMSA_PKCS1_SHA1;
+                       params.scheme = SIGN_RSA_EMSA_PKCS1_SHA1;
                        break;
                case AUTH_ECDSA_256:
-                       scheme = SIGN_ECDSA_256;
+                       params.scheme = SIGN_ECDSA_256;
                        break;
                case AUTH_ECDSA_384:
-                       scheme = SIGN_ECDSA_384;
+                       params.scheme = SIGN_ECDSA_384;
                        break;
                case AUTH_ECDSA_521:
-                       scheme = SIGN_ECDSA_521;
+                       params.scheme = SIGN_ECDSA_521;
                        break;
                case AUTH_DS:
-                       if (parse_signature_auth_data(&auth_data, &key_type, &scheme))
+                       if (parse_signature_auth_data(&auth_data, &key_type, &params.scheme))
                        {
                                break;
                        }
@@ -423,7 +426,7 @@ METHOD(authenticator_t, process, status_t,
                        return INVALID_ARG;
        }
        id = this->ike_sa->get_other_id(this->ike_sa);
-       if (!get_auth_octets_scheme(this, TRUE, id, &octets, &scheme))
+       if (!get_auth_octets_scheme(this, TRUE, id, &octets, &params.scheme))
        {
                return FAILED;
        }
@@ -434,15 +437,16 @@ METHOD(authenticator_t, process, status_t,
                                                                                                        key_type, id, auth, online);
        while (enumerator->enumerate(enumerator, &public, &current_auth))
        {
-               if (public->verify(public, scheme, NULL, octets, auth_data))
+               if (public->verify(public, params.scheme, NULL, octets, auth_data))
                {
                        DBG1(DBG_IKE, "authentication of '%Y' with %N successful", id,
                                 auth_method == AUTH_DS ? signature_scheme_names : auth_method_names,
-                                auth_method == AUTH_DS ? scheme : auth_method);
+                                auth_method == AUTH_DS ? params.scheme : auth_method);
                        status = SUCCESS;
                        auth->merge(auth, current_auth, FALSE);
                        auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PUBKEY);
-                       auth->add(auth, AUTH_RULE_IKE_SIGNATURE_SCHEME, (uintptr_t)scheme);
+                       auth->add(auth, AUTH_RULE_IKE_SIGNATURE_SCHEME,
+                                         signature_params_clone(&params));
                        if (!online)
                        {
                                auth->add(auth, AUTH_RULE_CERT_VALIDATION_SUSPENDED, TRUE);
index f974b9f..d75d217 100644 (file)
@@ -158,7 +158,7 @@ static void send_supported_hash_algorithms(private_ike_init_t *this,
        peer_cfg_t *peer;
        auth_cfg_t *auth;
        auth_rule_t rule;
-       uintptr_t config;
+       signature_params_t *config;
        int written;
        size_t len = BUF_LEN;
        char buf[len];
@@ -177,7 +177,8 @@ static void send_supported_hash_algorithms(private_ike_init_t *this,
                        {
                                if (rule == AUTH_RULE_IKE_SIGNATURE_SCHEME)
                                {
-                                       hash = hasher_from_signature_scheme(config);
+                                       hash = hasher_from_signature_scheme(config->scheme,
+                                                                                                               config->params);
                                        if (hasher_algorithm_for_ikev2(hash))
                                        {
                                                algos->add(algos, hash);
index 07da596..bb7ad87 100644 (file)
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2008-2016 Tobias Brunner
+ * Copyright (C) 2008-2017 Tobias Brunner
  * Copyright (C) 2007-2009 Martin Willi
  * Copyright (C) 2016 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
@@ -216,8 +216,6 @@ static void init_entry(entry_t *this, auth_rule_t type, va_list args)
                case AUTH_RULE_RSA_STRENGTH:
                case AUTH_RULE_ECDSA_STRENGTH:
                case AUTH_RULE_BLISS_STRENGTH:
-               case AUTH_RULE_SIGNATURE_SCHEME:
-               case AUTH_RULE_IKE_SIGNATURE_SCHEME:
                case AUTH_RULE_CERT_VALIDATION_SUSPENDED:
                        /* integer type */
                        this->value = (void*)(uintptr_t)va_arg(args, u_int);
@@ -232,6 +230,8 @@ static void init_entry(entry_t *this, auth_rule_t type, va_list args)
                case AUTH_RULE_IM_CERT:
                case AUTH_RULE_SUBJECT_CERT:
                case AUTH_RULE_CERT_POLICY:
+               case AUTH_RULE_SIGNATURE_SCHEME:
+               case AUTH_RULE_IKE_SIGNATURE_SCHEME:
                case AUTH_HELPER_IM_CERT:
                case AUTH_HELPER_SUBJECT_CERT:
                case AUTH_HELPER_IM_HASH_URL:
@@ -267,8 +267,6 @@ static bool entry_equals(entry_t *e1, entry_t *e2)
                case AUTH_RULE_RSA_STRENGTH:
                case AUTH_RULE_ECDSA_STRENGTH:
                case AUTH_RULE_BLISS_STRENGTH:
-               case AUTH_RULE_SIGNATURE_SCHEME:
-               case AUTH_RULE_IKE_SIGNATURE_SCHEME:
                case AUTH_RULE_CERT_VALIDATION_SUSPENDED:
                {
                        return e1->value == e2->value;
@@ -301,6 +299,11 @@ static bool entry_equals(entry_t *e1, entry_t *e2)
 
                        return id1->equals(id1, id2);
                }
+               case AUTH_RULE_SIGNATURE_SCHEME:
+               case AUTH_RULE_IKE_SIGNATURE_SCHEME:
+               {
+                       return signature_params_equal(e1->value, e2->value);
+               }
                case AUTH_RULE_CERT_POLICY:
                case AUTH_RULE_XAUTH_BACKEND:
                case AUTH_HELPER_IM_HASH_URL:
@@ -351,6 +354,12 @@ static void destroy_entry_value(entry_t *entry)
                        free(entry->value);
                        break;
                }
+               case AUTH_RULE_SIGNATURE_SCHEME:
+               case AUTH_RULE_IKE_SIGNATURE_SCHEME:
+               {
+                       signature_params_destroy(entry->value);
+                       break;
+               }
                case AUTH_RULE_IDENTITY_LOOSE:
                case AUTH_RULE_AUTH_CLASS:
                case AUTH_RULE_EAP_TYPE:
@@ -360,8 +369,6 @@ static void destroy_entry_value(entry_t *entry)
                case AUTH_RULE_RSA_STRENGTH:
                case AUTH_RULE_ECDSA_STRENGTH:
                case AUTH_RULE_BLISS_STRENGTH:
-               case AUTH_RULE_SIGNATURE_SCHEME:
-               case AUTH_RULE_IKE_SIGNATURE_SCHEME:
                case AUTH_RULE_CERT_VALIDATION_SUSPENDED:
                case AUTH_RULE_MAX:
                        break;
@@ -394,8 +401,6 @@ static void replace(private_auth_cfg_t *this, entry_enumerator_t *enumerator,
                        case AUTH_RULE_RSA_STRENGTH:
                        case AUTH_RULE_ECDSA_STRENGTH:
                        case AUTH_RULE_BLISS_STRENGTH:
-                       case AUTH_RULE_SIGNATURE_SCHEME:
-                       case AUTH_RULE_IKE_SIGNATURE_SCHEME:
                        case AUTH_RULE_CERT_VALIDATION_SUSPENDED:
                                /* integer type */
                                entry->value = (void*)(uintptr_t)va_arg(args, u_int);
@@ -410,6 +415,8 @@ static void replace(private_auth_cfg_t *this, entry_enumerator_t *enumerator,
                        case AUTH_RULE_IM_CERT:
                        case AUTH_RULE_SUBJECT_CERT:
                        case AUTH_RULE_CERT_POLICY:
+                       case AUTH_RULE_SIGNATURE_SCHEME:
+                       case AUTH_RULE_IKE_SIGNATURE_SCHEME:
                        case AUTH_HELPER_IM_CERT:
                        case AUTH_HELPER_SUBJECT_CERT:
                        case AUTH_HELPER_IM_HASH_URL:
@@ -472,9 +479,6 @@ METHOD(auth_cfg_t, get, void*,
                case AUTH_RULE_ECDSA_STRENGTH:
                case AUTH_RULE_BLISS_STRENGTH:
                        return (void*)0;
-               case AUTH_RULE_SIGNATURE_SCHEME:
-               case AUTH_RULE_IKE_SIGNATURE_SCHEME:
-                       return (void*)HASH_UNKNOWN;
                case AUTH_RULE_CRL_VALIDATION:
                case AUTH_RULE_OCSP_VALIDATION:
                        return (void*)VALIDATION_FAILED;
@@ -491,6 +495,8 @@ METHOD(auth_cfg_t, get, void*,
                case AUTH_RULE_IM_CERT:
                case AUTH_RULE_SUBJECT_CERT:
                case AUTH_RULE_CERT_POLICY:
+               case AUTH_RULE_SIGNATURE_SCHEME:
+               case AUTH_RULE_IKE_SIGNATURE_SCHEME:
                case AUTH_HELPER_IM_CERT:
                case AUTH_HELPER_SUBJECT_CERT:
                case AUTH_HELPER_IM_HASH_URL:
@@ -631,16 +637,19 @@ METHOD(auth_cfg_t, add_pubkey_constraints, void,
                        {
                                if (expected_type == KEY_ANY || expected_type == schemes[i].key)
                                {
+                                       signature_params_t *params;
+
+                                       INIT(params,
+                                               .scheme = schemes[i].scheme,
+                                       );
                                        if (is_ike)
                                        {
-                                               add(this, AUTH_RULE_IKE_SIGNATURE_SCHEME,
-                                                       (uintptr_t)schemes[i].scheme);
+                                               add(this, AUTH_RULE_IKE_SIGNATURE_SCHEME, params);
                                                ike_added = TRUE;
                                        }
                                        else
                                        {
-                                               add(this, AUTH_RULE_SIGNATURE_SCHEME,
-                                                  (uintptr_t)schemes[i].scheme);
+                                               add(this, AUTH_RULE_SIGNATURE_SCHEME, params);
                                        }
                                }
                                found = TRUE;
@@ -666,7 +675,7 @@ METHOD(auth_cfg_t, add_pubkey_constraints, void,
                        if (type == AUTH_RULE_SIGNATURE_SCHEME)
                        {
                                add(this, AUTH_RULE_IKE_SIGNATURE_SCHEME,
-                                       (uintptr_t)value);
+                                       signature_params_clone(value));
                        }
                }
                enumerator->destroy(enumerator);
@@ -681,20 +690,20 @@ static bool complies_scheme(private_auth_cfg_t *this, auth_cfg_t *constraints,
 {
        enumerator_t *e1, *e2;
        auth_rule_t t1, t2;
-       signature_scheme_t scheme;
-       void *value;
+       signature_params_t *params, *constraint;
        bool success = TRUE;
 
        e2 = create_enumerator(this);
-       while (e2->enumerate(e2, &t2, &scheme))
+       while (e2->enumerate(e2, &t2, &params))
        {
                if (t2 == type)
                {
                        success = FALSE;
                        e1 = constraints->create_enumerator(constraints);
-                       while (e1->enumerate(e1, &t1, &value))
+                       while (e1->enumerate(e1, &t1, &constraint))
                        {
-                               if (t1 == type && (uintptr_t)value == scheme)
+                               if (t1 == type &&
+                                       signature_params_comply(constraint, params))
                                {
                                        success = TRUE;
                                        break;
@@ -707,7 +716,7 @@ static bool complies_scheme(private_auth_cfg_t *this, auth_cfg_t *constraints,
                                {
                                        DBG1(DBG_CFG, "%s signature scheme %N not acceptable",
                                                 AUTH_RULE_SIGNATURE_SCHEME == type ? "X.509" : "IKE",
-                                                signature_scheme_names, (int)scheme);
+                                                signature_scheme_names, params->scheme);
                                }
                                break;
                        }
@@ -725,7 +734,7 @@ METHOD(auth_cfg_t, complies, bool,
        bool ca_match = FALSE, cert_match = FALSE;
        identification_t *require_group = NULL;
        certificate_t *require_ca = NULL, *require_cert = NULL;
-       signature_scheme_t ike_scheme = SIGN_UNKNOWN, scheme = SIGN_UNKNOWN;
+       signature_params_t *ike_scheme = NULL, *scheme = NULL;
        u_int strength = 0;
        auth_rule_t t1, t2;
        char *key_type;
@@ -928,12 +937,12 @@ METHOD(auth_cfg_t, complies, bool,
                        }
                        case AUTH_RULE_IKE_SIGNATURE_SCHEME:
                        {
-                               ike_scheme = (uintptr_t)value;
+                               ike_scheme = value;
                                break;
                        }
                        case AUTH_RULE_SIGNATURE_SCHEME:
                        {
-                               scheme = (uintptr_t)value;
+                               scheme = value;
                                break;
                        }
                        case AUTH_RULE_CERT_POLICY:
@@ -983,12 +992,12 @@ METHOD(auth_cfg_t, complies, bool,
 
        /* Check if we have a matching constraint (or none at all) for used
         * signature schemes. */
-       if (success && scheme != SIGN_UNKNOWN)
+       if (success && scheme)
        {
                success = complies_scheme(this, constraints,
                                                                  AUTH_RULE_SIGNATURE_SCHEME, log_error);
        }
-       if (success && ike_scheme != SIGN_UNKNOWN)
+       if (success && ike_scheme)
        {
                success = complies_scheme(this, constraints,
                                                                  AUTH_RULE_IKE_SIGNATURE_SCHEME, log_error);
@@ -1114,8 +1123,6 @@ static void merge(private_auth_cfg_t *this, private_auth_cfg_t *other, bool copy
                                case AUTH_RULE_RSA_STRENGTH:
                                case AUTH_RULE_ECDSA_STRENGTH:
                                case AUTH_RULE_BLISS_STRENGTH:
-                               case AUTH_RULE_SIGNATURE_SCHEME:
-                               case AUTH_RULE_IKE_SIGNATURE_SCHEME:
                                case AUTH_RULE_CERT_VALIDATION_SUSPENDED:
                                {
                                        add(this, type, (uintptr_t)value);
@@ -1132,6 +1139,12 @@ static void merge(private_auth_cfg_t *this, private_auth_cfg_t *other, bool copy
                                        add(this, type, id->clone(id));
                                        break;
                                }
+                               case AUTH_RULE_SIGNATURE_SCHEME:
+                               case AUTH_RULE_IKE_SIGNATURE_SCHEME:
+                               {
+                                       add(this, type, signature_params_clone(value));
+                                       break;
+                               }
                                case AUTH_RULE_XAUTH_BACKEND:
                                case AUTH_RULE_CERT_POLICY:
                                case AUTH_HELPER_IM_HASH_URL:
@@ -1286,11 +1299,15 @@ METHOD(auth_cfg_t, clone_, auth_cfg_t*,
                        case AUTH_RULE_RSA_STRENGTH:
                        case AUTH_RULE_ECDSA_STRENGTH:
                        case AUTH_RULE_BLISS_STRENGTH:
-                       case AUTH_RULE_SIGNATURE_SCHEME:
-                       case AUTH_RULE_IKE_SIGNATURE_SCHEME:
                        case AUTH_RULE_CERT_VALIDATION_SUSPENDED:
                                clone->add(clone, type, (uintptr_t)value);
                                break;
+                       case AUTH_RULE_SIGNATURE_SCHEME:
+                       case AUTH_RULE_IKE_SIGNATURE_SCHEME:
+                       {
+                               clone->add(clone, type, signature_params_clone(value));
+                               break;
+                       }
                        case AUTH_RULE_MAX:
                                break;
                }
index 7191dc1..2eb4485 100644 (file)
@@ -106,9 +106,9 @@ enum auth_rule_t {
        AUTH_RULE_ECDSA_STRENGTH,
        /** required BLISS public key strength, u_int in bits */
        AUTH_RULE_BLISS_STRENGTH,
-       /** required signature scheme, signature_scheme_t */
+       /** required signature scheme, signature_params_t* */
        AUTH_RULE_SIGNATURE_SCHEME,
-       /** required signature scheme for IKE authentication, signature_scheme_t */
+       /** required signature scheme for IKE authentication, signature_params_t* */
        AUTH_RULE_IKE_SIGNATURE_SCHEME,
        /** certificatePolicy constraint, numerical OID as char* */
        AUTH_RULE_CERT_POLICY,
index a4a092e..21b23f5 100644 (file)
@@ -750,8 +750,7 @@ static bool verify_trust_chain(private_credential_manager_t *this,
                                DBG1(DBG_CFG, "  using trusted intermediate ca certificate "
                                         "\"%Y\"", issuer->get_subject(issuer));
                        }
-                       auth->add(auth, AUTH_RULE_SIGNATURE_SCHEME, scheme->scheme);
-                       signature_params_destroy(scheme);
+                       auth->add(auth, AUTH_RULE_SIGNATURE_SCHEME, scheme);
                }
                else
                {
@@ -769,8 +768,7 @@ static bool verify_trust_chain(private_credential_manager_t *this,
                                auth->add(auth, AUTH_RULE_IM_CERT, issuer->get_ref(issuer));
                                DBG1(DBG_CFG, "  using untrusted intermediate certificate "
                                         "\"%Y\"", issuer->get_subject(issuer));
-                               auth->add(auth, AUTH_RULE_SIGNATURE_SCHEME, scheme->scheme);
-                               signature_params_destroy(scheme);
+                               auth->add(auth, AUTH_RULE_SIGNATURE_SCHEME, scheme);
                        }
                        else
                        {
index c04835b..713d7be 100644 (file)
@@ -19,6 +19,7 @@
 #include "hasher.h"
 
 #include <asn1/oid.h>
+#include <credentials/keys/signature_params.h>
 
 ENUM_BEGIN(hash_algorithm_names, HASH_SHA1, HASH_IDENTITY,
        "HASH_SHA1",
@@ -483,14 +484,21 @@ int hasher_signature_algorithm_to_oid(hash_algorithm_t alg, key_type_t key)
 /*
  * Defined in header.
  */
-hash_algorithm_t hasher_from_signature_scheme(signature_scheme_t scheme)
+hash_algorithm_t hasher_from_signature_scheme(signature_scheme_t scheme,
+                                                                                         void *params)
 {
        switch (scheme)
        {
                case SIGN_UNKNOWN:
                case SIGN_RSA_EMSA_PKCS1_NULL:
                case SIGN_ECDSA_WITH_NULL:
+                       break;
                case SIGN_RSA_EMSA_PSS:
+                       if (params)
+                       {
+                               rsa_pss_params_t *pss = params;
+                               return pss->hash;
+                       }
                        break;
                case SIGN_ED25519:
                case SIGN_ED448:
index 96de7e2..d1f11fa 100644 (file)
@@ -206,8 +206,10 @@ int hasher_signature_algorithm_to_oid(hash_algorithm_t alg, key_type_t key);
  * Determine the hash algorithm associated with a given signature scheme.
  *
  * @param scheme               signature scheme
+ * @param params               optional parameters
  * @return                             hash algorithm (could be HASH_UNKNOWN)
  */
-hash_algorithm_t hasher_from_signature_scheme(signature_scheme_t scheme);
+hash_algorithm_t hasher_from_signature_scheme(signature_scheme_t scheme,
+                                                                                         void *params);
 
 #endif /** HASHER_H_ @}*/
index 139b730..3e30e0d 100644 (file)
@@ -45,7 +45,7 @@ static void check_sig_constraints(auth_cfg_t *cfg, auth_rule_t type,
 {
        enumerator_t *enumerator;
        auth_rule_t t;
-       void *value;
+       signature_params_t *value;
        int i = 0;
 
        enumerator = cfg->create_enumerator(cfg);
@@ -54,7 +54,7 @@ static void check_sig_constraints(auth_cfg_t *cfg, auth_rule_t type,
                if (t == type)
                {
                        ck_assert(expected[i]);
-                       ck_assert_int_eq(expected[i], (signature_scheme_t)value);
+                       ck_assert_int_eq(expected[i], value->scheme);
                        i++;
                }
        }
index 9f77419..7bf5273 100644 (file)
@@ -90,12 +90,10 @@ START_TEST(test_hasher_sig_to_oid)
 }
 END_TEST
 
-typedef struct {
+static struct {
        signature_scheme_t scheme;
        hash_algorithm_t alg;
-}hasher_sig_scheme_t;
-
-static hasher_sig_scheme_t sig_schemes[] = {
+} sig_schemes[] = {
        { SIGN_UNKNOWN,               HASH_UNKNOWN    },
        { SIGN_RSA_EMSA_PKCS1_NULL,   HASH_UNKNOWN    },
        { SIGN_RSA_EMSA_PKCS1_MD5,    HASH_MD5        },
@@ -108,6 +106,7 @@ static hasher_sig_scheme_t sig_schemes[] = {
        { SIGN_RSA_EMSA_PKCS1_SHA3_256, HASH_SHA3_256 },
        { SIGN_RSA_EMSA_PKCS1_SHA3_384, HASH_SHA3_384 },
        { SIGN_RSA_EMSA_PKCS1_SHA3_512, HASH_SHA3_512 },
+       { SIGN_RSA_EMSA_PSS,              HASH_UNKNOWN    },
        { SIGN_ECDSA_WITH_SHA1_DER,   HASH_SHA1       },
        { SIGN_ECDSA_WITH_SHA256_DER, HASH_SHA256     },
        { SIGN_ECDSA_WITH_SHA384_DER, HASH_SHA384     },
@@ -124,16 +123,35 @@ static hasher_sig_scheme_t sig_schemes[] = {
        { SIGN_BLISS_WITH_SHA3_512,   HASH_SHA3_512   },
        { SIGN_ED25519,               HASH_IDENTITY   },
        { SIGN_ED448,                 HASH_IDENTITY   },
-       { 30,                                             HASH_UNKNOWN    }
+       { 30,                                             HASH_UNKNOWN    },
 };
 
 START_TEST(test_hasher_from_sig_scheme)
 {
-       ck_assert(hasher_from_signature_scheme(sig_schemes[_i].scheme) ==
+       ck_assert(hasher_from_signature_scheme(sig_schemes[_i].scheme, NULL) ==
                                                                                   sig_schemes[_i].alg);
 }
 END_TEST
 
+static struct {
+       signature_scheme_t scheme;
+       union {
+               rsa_pss_params_t pss;
+       } p;
+       hash_algorithm_t alg;
+} sig_schemes_params[] = {
+       { SIGN_RSA_EMSA_PSS, .p.pss = { .hash = HASH_SHA256 }, HASH_SHA256 },
+       { SIGN_RSA_EMSA_PSS, .p.pss = { .hash = HASH_SHA512 }, HASH_SHA512 },
+       { SIGN_RSA_EMSA_PKCS1_SHA2_256, .p.pss = { .hash = HASH_SHA512 }, HASH_SHA256 },
+};
+
+START_TEST(test_hasher_from_sig_scheme_params)
+{
+       ck_assert(hasher_from_signature_scheme(sig_schemes_params[_i].scheme,
+                                       &sig_schemes_params[_i].p) == sig_schemes_params[_i].alg);
+}
+END_TEST
+
 typedef struct {
        pseudo_random_function_t prf;
        hash_algorithm_t alg;
@@ -269,6 +287,7 @@ Suite *hasher_suite_create()
 
        tc = tcase_create("from_sig_scheme");
        tcase_add_loop_test(tc, test_hasher_from_sig_scheme, 0, countof(sig_schemes));
+       tcase_add_loop_test(tc, test_hasher_from_sig_scheme_params, 0, countof(sig_schemes_params));
        suite_add_tcase(s, tc);
 
        tc = tcase_create("from_prf");
index 0fdab2a..44fe1f7 100644 (file)
@@ -250,7 +250,7 @@ hash_algorithm_t get_default_digest(private_key_t *private)
                                                                                   private->get_keysize(private));
        if (enumerator->enumerate(enumerator, &scheme))
        {
-               alg = hasher_from_signature_scheme(scheme);
+               alg = hasher_from_signature_scheme(scheme, NULL);
        }
        enumerator->destroy(enumerator);