auth-cfg: Parse rsa/pss auth tokens
authorTobias Brunner <tobias@strongswan.org>
Fri, 13 Oct 2017 13:32:29 +0000 (15:32 +0200)
committerTobias Brunner <tobias@strongswan.org>
Wed, 8 Nov 2017 15:48:10 +0000 (16:48 +0100)
src/libstrongswan/credentials/auth_cfg.c
src/libstrongswan/tests/suites/test_auth_cfg.c

index bb7ad87..4c29af1 100644 (file)
@@ -536,11 +536,12 @@ METHOD(auth_cfg_t, add_pubkey_constraints, void,
        private_auth_cfg_t *this, char* constraints, bool ike)
 {
        enumerator_t *enumerator;
-       bool is_ike = FALSE, ike_added = FALSE;
+       bool ike_added = FALSE;
        key_type_t expected_type = -1;
        auth_rule_t expected_strength = AUTH_RULE_MAX;
+       signature_params_t *params;
        int strength;
-       char *token;
+       char *token, *key_token = NULL;
        auth_rule_t type;
        void *value;
 
@@ -589,70 +590,106 @@ METHOD(auth_cfg_t, add_pubkey_constraints, void,
                }
                if (streq(token, "rsa") || streq(token, "ike:rsa"))
                {
+                       key_token = token;
+                       expected_type = KEY_RSA;
+                       expected_strength = AUTH_RULE_RSA_STRENGTH;
+                       continue;
+               }
+               if (streq(token, "rsa/pss") || streq(token, "ike:rsa/pss"))
+               {
+                       key_token = token;
                        expected_type = KEY_RSA;
                        expected_strength = AUTH_RULE_RSA_STRENGTH;
-                       is_ike = strpfx(token, "ike:");
                        continue;
                }
                if (streq(token, "ecdsa") || streq(token, "ike:ecdsa"))
                {
+                       key_token = token;
                        expected_type = KEY_ECDSA;
                        expected_strength = AUTH_RULE_ECDSA_STRENGTH;
-                       is_ike = strpfx(token, "ike:");
                        continue;
                }
                if (streq(token, "ed25519") || streq(token, "ike:ed25519"))
                {
+                       key_token = token;
                        expected_type = KEY_ED25519;
-                       is_ike = strpfx(token, "ike:");
                        continue;
                }
                if (streq(token, "ed448") || streq(token, "ike:ed448"))
                {
+                       key_token = token;
                        expected_type = KEY_ED448;
-                       is_ike = strpfx(token, "ike:");
                        continue;
                }
                if (streq(token, "bliss") || streq(token, "ike:bliss"))
                {
+                       key_token = token;
                        expected_type = KEY_BLISS;
                        expected_strength = AUTH_RULE_BLISS_STRENGTH;
-                       is_ike = strpfx(token, "ike:");
                        continue;
                }
                if (streq(token, "pubkey") || streq(token, "ike:pubkey"))
                {
+                       key_token = token;
                        expected_type = KEY_ANY;
-                       is_ike = strpfx(token, "ike:");
                        continue;
                }
-               if (is_ike && !ike)
+               if (key_token && strpfx(key_token, "ike:") && !ike)
                {
                        continue;
                }
 
-               for (i = 0; i < countof(schemes); i++)
+               if (key_token && streq(key_token + strlen(key_token) - 3, "pss"))
+               {       /* these are not added automatically with 'pubkey' */
+                       hash_algorithm_t hash;
+                       if (enum_from_name(hash_algorithm_short_names, token, &hash))
+                       {
+                               rsa_pss_params_t pss = {
+                                       .hash = hash,
+                                       .mgf1_hash = hash,
+                                       .salt_len = RSA_PSS_SALT_LEN_DEFAULT,
+                               };
+                               signature_params_t pss_params = {
+                                       .scheme = SIGN_RSA_EMSA_PSS,
+                                       .params = &pss,
+                               };
+                               params = signature_params_clone(&pss_params);
+                               if (strpfx(key_token, "ike:"))
+                               {
+                                       add(this, AUTH_RULE_IKE_SIGNATURE_SCHEME, params);
+                                       ike_added = TRUE;
+                               }
+                               else
+                               {
+                                       add(this, AUTH_RULE_SIGNATURE_SCHEME, params);
+                               }
+                               found = TRUE;
+                       }
+               }
+               else
                {
-                       if (streq(schemes[i].name, token))
+                       for (i = 0; i < countof(schemes); i++)
                        {
-                               if (expected_type == KEY_ANY || expected_type == schemes[i].key)
+                               if (streq(schemes[i].name, token))
                                {
-                                       signature_params_t *params;
-
-                                       INIT(params,
-                                               .scheme = schemes[i].scheme,
-                                       );
-                                       if (is_ike)
-                                       {
-                                               add(this, AUTH_RULE_IKE_SIGNATURE_SCHEME, params);
-                                               ike_added = TRUE;
-                                       }
-                                       else
+                                       if (expected_type == KEY_ANY ||
+                                               expected_type == schemes[i].key)
                                        {
-                                               add(this, AUTH_RULE_SIGNATURE_SCHEME, params);
+                                               INIT(params,
+                                                       .scheme = schemes[i].scheme,
+                                               );
+                                               if (strpfx(key_token, "ike:"))
+                                               {
+                                                       add(this, AUTH_RULE_IKE_SIGNATURE_SCHEME, params);
+                                                       ike_added = TRUE;
+                                               }
+                                               else
+                                               {
+                                                       add(this, AUTH_RULE_SIGNATURE_SCHEME, params);
+                                               }
                                        }
+                                       found = TRUE;
                                }
-                               found = TRUE;
                        }
                }
                if (!found)
index 3e30e0d..0c5baaf 100644 (file)
@@ -106,6 +106,76 @@ START_TEST(test_ike_contraints_fallback)
 }
 END_TEST
 
+typedef union {
+       rsa_pss_params_t pss;
+} signature_param_types_t;
+
+struct {
+       char *constraints;
+       signature_scheme_t sig[5];
+       signature_param_types_t p[5];
+} sig_constraints_params_tests[] = {
+       { "rsa/pss-sha256", { SIGN_RSA_EMSA_PSS, 0 }, {
+               { .pss = { .hash = HASH_SHA256, .mgf1_hash = HASH_SHA256, .salt_len = HASH_SIZE_SHA256, }}}},
+       { "rsa/pss-sha256-sha384", { SIGN_RSA_EMSA_PSS, SIGN_RSA_EMSA_PSS, 0 }, {
+               { .pss = { .hash = HASH_SHA256, .mgf1_hash = HASH_SHA256, .salt_len = HASH_SIZE_SHA256, }},
+               { .pss = { .hash = HASH_SHA384, .mgf1_hash = HASH_SHA384, .salt_len = HASH_SIZE_SHA384, }}}},
+       { "rsa/pss-sha256-rsa-sha256", { SIGN_RSA_EMSA_PSS, SIGN_RSA_EMSA_PKCS1_SHA2_256, 0 }, {
+               { .pss = { .hash = HASH_SHA256, .mgf1_hash = HASH_SHA256, .salt_len = HASH_SIZE_SHA256, }}}},
+       { "rsa-sha256-rsa/pss-sha256", { SIGN_RSA_EMSA_PKCS1_SHA2_256, SIGN_RSA_EMSA_PSS, 0 }, {
+               {},
+               { .pss = { .hash = HASH_SHA256, .mgf1_hash = HASH_SHA256, .salt_len = HASH_SIZE_SHA256, }}}},
+       { "rsa/pss", { 0 }, {}},
+};
+
+static void check_sig_constraints_params(auth_cfg_t *cfg, auth_rule_t type,
+                                                                                signature_scheme_t scheme[],
+                                                                                signature_param_types_t p[])
+{
+       enumerator_t *enumerator;
+       auth_rule_t t;
+       signature_params_t *value;
+       int i = 0;
+
+       enumerator = cfg->create_enumerator(cfg);
+       while (enumerator->enumerate(enumerator, &t, &value))
+       {
+               if (t == type)
+               {
+                       if (scheme[i] == SIGN_RSA_EMSA_PSS)
+                       {
+                               signature_params_t expected = {
+                                       .scheme = scheme[i],
+                                       .params = &p[i].pss,
+                               };
+                               ck_assert(signature_params_equal(value, &expected));
+                       }
+                       else
+                       {
+                               ck_assert(scheme[i]);
+                               ck_assert(!value->params);
+                               ck_assert_int_eq(scheme[i], value->scheme);
+                       }
+                       i++;
+               }
+       }
+       enumerator->destroy(enumerator);
+       ck_assert(!scheme[i]);
+}
+
+START_TEST(test_sig_contraints_params)
+{
+       auth_cfg_t *cfg;
+
+       cfg = auth_cfg_create();
+       cfg->add_pubkey_constraints(cfg, sig_constraints_params_tests[_i].constraints, TRUE);
+       check_sig_constraints_params(cfg, AUTH_RULE_IKE_SIGNATURE_SCHEME,
+                                                                sig_constraints_params_tests[_i].sig,
+                                                                sig_constraints_params_tests[_i].p);
+       cfg->destroy(cfg);
+}
+END_TEST
+
 Suite *auth_cfg_suite_create()
 {
        Suite *s;
@@ -118,5 +188,9 @@ Suite *auth_cfg_suite_create()
        tcase_add_loop_test(tc, test_ike_contraints_fallback, 0, countof(sig_constraints_tests));
        suite_add_tcase(s, tc);
 
+       tc = tcase_create("add_pubkey_constraints parameters");
+       tcase_add_loop_test(tc, test_sig_contraints_params, 0, countof(sig_constraints_params_tests));
+       suite_add_tcase(s, tc);
+
        return s;
 }