Return to test_auth_cfg.c CVS log | Up to [ELWIX - Embedded LightWeight unIX -] / embedaddon / strongswan / src / libstrongswan / tests / suites |
1.1 misho 1: /* 2: * Copyright (C) 2016 Tobias Brunner 3: * HSR Hochschule fuer Technik Rapperswil 4: * 5: * This program is free software; you can redistribute it and/or modify it 6: * under the terms of the GNU General Public License as published by the 7: * Free Software Foundation; either version 2 of the License, or (at your 8: * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. 9: * 10: * This program is distributed in the hope that it will be useful, but 11: * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY 12: * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License 13: * for more details. 14: */ 15: 16: #include "test_suite.h" 17: 18: #include <credentials/auth_cfg.h> 19: 20: struct { 21: char *constraints; 22: signature_scheme_t sig[5]; 23: signature_scheme_t ike[5]; 24: } sig_constraints_tests[] = { 25: { "rsa-sha256", { SIGN_RSA_EMSA_PKCS1_SHA2_256, 0 }, {0}}, 26: { "rsa-sha256-sha512", { SIGN_RSA_EMSA_PKCS1_SHA2_256, SIGN_RSA_EMSA_PKCS1_SHA2_512, 0 }, {0}}, 27: { "ecdsa-sha256", { SIGN_ECDSA_WITH_SHA256_DER, SIGN_ECDSA_256, 0 }, {0}}, 28: { "rsa-sha256-ecdsa-sha256", { SIGN_RSA_EMSA_PKCS1_SHA2_256, SIGN_ECDSA_WITH_SHA256_DER, SIGN_ECDSA_256, 0 }, {0}}, 29: { "pubkey-sha256", { SIGN_RSA_EMSA_PKCS1_SHA2_256, SIGN_ECDSA_WITH_SHA256_DER, SIGN_ECDSA_256, SIGN_BLISS_WITH_SHA2_256, 0 }, {0}}, 30: { "ike:rsa-sha256", {0}, { SIGN_RSA_EMSA_PKCS1_SHA2_256, 0 }}, 31: { "ike:rsa-sha256-rsa-sha256", { SIGN_RSA_EMSA_PKCS1_SHA2_256, 0 }, { SIGN_RSA_EMSA_PKCS1_SHA2_256, 0 }}, 32: { "rsa-sha256-ike:rsa-sha256", { SIGN_RSA_EMSA_PKCS1_SHA2_256, 0 }, { SIGN_RSA_EMSA_PKCS1_SHA2_256, 0 }}, 33: { "ike:pubkey-sha256", {0}, { SIGN_RSA_EMSA_PKCS1_SHA2_256, SIGN_ECDSA_WITH_SHA256_DER, SIGN_ECDSA_256, SIGN_BLISS_WITH_SHA2_256, 0 }}, 34: { "rsa-ecdsa-sha256", { SIGN_ECDSA_WITH_SHA256_DER, SIGN_ECDSA_256, 0 }, {0}}, 35: { "rsa-4096-ecdsa-sha256", { SIGN_ECDSA_WITH_SHA256_DER, SIGN_ECDSA_256, 0 }, {0}}, 36: { "rsa-4096-ecdsa-256-sha256", { SIGN_ECDSA_WITH_SHA256_DER, SIGN_ECDSA_256, 0 }, {0}}, 37: { "rsa-ecdsa256-sha256", { SIGN_RSA_EMSA_PKCS1_SHA2_256, 0 }, {0}}, 38: { "rsa4096-sha256", {0}, {0}}, 39: { "sha256", {0}, {0}}, 40: { "ike:sha256", {0}, {0}}, 41: }; 42: 43: static void check_sig_constraints(auth_cfg_t *cfg, auth_rule_t type, 44: signature_scheme_t expected[]) 45: { 46: enumerator_t *enumerator; 47: auth_rule_t t; 48: signature_params_t *value; 49: int i = 0; 50: 51: enumerator = cfg->create_enumerator(cfg); 52: while (enumerator->enumerate(enumerator, &t, &value)) 53: { 54: if (t == type) 55: { 56: ck_assert(expected[i]); 57: ck_assert_int_eq(expected[i], value->scheme); 58: i++; 59: } 60: } 61: enumerator->destroy(enumerator); 62: ck_assert(!expected[i]); 63: } 64: 65: START_TEST(test_sig_constraints) 66: { 67: auth_cfg_t *cfg; 68: signature_scheme_t none[] = {0}; 69: 70: cfg = auth_cfg_create(); 71: cfg->add_pubkey_constraints(cfg, sig_constraints_tests[_i].constraints, FALSE); 72: check_sig_constraints(cfg, AUTH_RULE_SIGNATURE_SCHEME, sig_constraints_tests[_i].sig); 73: check_sig_constraints(cfg, AUTH_RULE_IKE_SIGNATURE_SCHEME, none); 74: cfg->destroy(cfg); 75: 76: lib->settings->set_bool(lib->settings, "%s.signature_authentication_constraints", 77: FALSE, lib->ns); 78: 79: cfg = auth_cfg_create(); 80: cfg->add_pubkey_constraints(cfg, sig_constraints_tests[_i].constraints, TRUE); 81: check_sig_constraints(cfg, AUTH_RULE_SIGNATURE_SCHEME, sig_constraints_tests[_i].sig); 82: check_sig_constraints(cfg, AUTH_RULE_IKE_SIGNATURE_SCHEME, sig_constraints_tests[_i].ike); 83: cfg->destroy(cfg); 84: } 85: END_TEST 86: 87: START_TEST(test_ike_constraints_fallback) 88: { 89: auth_cfg_t *cfg; 90: 91: lib->settings->set_bool(lib->settings, "%s.signature_authentication_constraints", 92: TRUE, lib->ns); 93: 94: cfg = auth_cfg_create(); 95: cfg->add_pubkey_constraints(cfg, sig_constraints_tests[_i].constraints, TRUE); 96: check_sig_constraints(cfg, AUTH_RULE_SIGNATURE_SCHEME, sig_constraints_tests[_i].sig); 97: if (sig_constraints_tests[_i].ike[0]) 98: { 99: check_sig_constraints(cfg, AUTH_RULE_IKE_SIGNATURE_SCHEME, sig_constraints_tests[_i].ike); 100: } 101: else 102: { 103: check_sig_constraints(cfg, AUTH_RULE_IKE_SIGNATURE_SCHEME, sig_constraints_tests[_i].sig); 104: } 105: cfg->destroy(cfg); 106: } 107: END_TEST 108: 109: typedef union { 110: rsa_pss_params_t pss; 111: } signature_param_types_t; 112: 113: struct { 114: char *constraints; 115: signature_scheme_t sig[5]; 116: signature_param_types_t p[5]; 117: } sig_constraints_params_tests[] = { 118: { "rsa/pss-sha256", { SIGN_RSA_EMSA_PSS, 0 }, { 119: { .pss = { .hash = HASH_SHA256, .mgf1_hash = HASH_SHA256, .salt_len = HASH_SIZE_SHA256, }}}}, 120: { "rsa/pss-sha256-sha384", { SIGN_RSA_EMSA_PSS, SIGN_RSA_EMSA_PSS, 0 }, { 121: { .pss = { .hash = HASH_SHA256, .mgf1_hash = HASH_SHA256, .salt_len = HASH_SIZE_SHA256, }}, 122: { .pss = { .hash = HASH_SHA384, .mgf1_hash = HASH_SHA384, .salt_len = HASH_SIZE_SHA384, }}}}, 123: { "rsa/pss-sha256-rsa-sha256", { SIGN_RSA_EMSA_PSS, SIGN_RSA_EMSA_PKCS1_SHA2_256, 0 }, { 124: { .pss = { .hash = HASH_SHA256, .mgf1_hash = HASH_SHA256, .salt_len = HASH_SIZE_SHA256, }}}}, 125: { "rsa-sha256-rsa/pss-sha256", { SIGN_RSA_EMSA_PKCS1_SHA2_256, SIGN_RSA_EMSA_PSS, 0 }, { 126: {}, 127: { .pss = { .hash = HASH_SHA256, .mgf1_hash = HASH_SHA256, .salt_len = HASH_SIZE_SHA256, }}}}, 128: { "rsa/pss", { 0 }, {}}, 129: }; 130: 131: static void check_sig_constraints_params(auth_cfg_t *cfg, auth_rule_t type, 132: signature_scheme_t scheme[], 133: signature_param_types_t p[]) 134: { 135: enumerator_t *enumerator; 136: auth_rule_t t; 137: signature_params_t *value; 138: int i = 0; 139: 140: enumerator = cfg->create_enumerator(cfg); 141: while (enumerator->enumerate(enumerator, &t, &value)) 142: { 143: if (t == type) 144: { 145: if (scheme[i] == SIGN_RSA_EMSA_PSS) 146: { 147: signature_params_t expected = { 148: .scheme = scheme[i], 149: .params = &p[i].pss, 150: }; 151: ck_assert(signature_params_equal(value, &expected)); 152: } 153: else 154: { 155: ck_assert(scheme[i]); 156: ck_assert(!value->params); 157: ck_assert_int_eq(scheme[i], value->scheme); 158: } 159: i++; 160: } 161: } 162: enumerator->destroy(enumerator); 163: ck_assert(!scheme[i]); 164: } 165: 166: START_TEST(test_sig_constraints_params) 167: { 168: auth_cfg_t *cfg; 169: 170: cfg = auth_cfg_create(); 171: cfg->add_pubkey_constraints(cfg, sig_constraints_params_tests[_i].constraints, TRUE); 172: check_sig_constraints_params(cfg, AUTH_RULE_IKE_SIGNATURE_SCHEME, 173: sig_constraints_params_tests[_i].sig, 174: sig_constraints_params_tests[_i].p); 175: cfg->destroy(cfg); 176: } 177: END_TEST 178: 179: struct { 180: char *constraints; 181: signature_scheme_t sig[6]; 182: signature_param_types_t p[6]; 183: } sig_constraints_rsa_pss_tests[] = { 184: { "pubkey-sha256", { SIGN_RSA_EMSA_PSS, SIGN_RSA_EMSA_PKCS1_SHA2_256, SIGN_ECDSA_WITH_SHA256_DER, SIGN_ECDSA_256, SIGN_BLISS_WITH_SHA2_256, 0 }, { 185: { .pss = { .hash = HASH_SHA256, .mgf1_hash = HASH_SHA256, .salt_len = HASH_SIZE_SHA256, }}, {}, {}, {}, {}}}, 186: { "rsa-sha256", { SIGN_RSA_EMSA_PSS, SIGN_RSA_EMSA_PKCS1_SHA2_256, 0 }, { 187: { .pss = { .hash = HASH_SHA256, .mgf1_hash = HASH_SHA256, .salt_len = HASH_SIZE_SHA256, }}, {}}}, 188: }; 189: 190: START_TEST(test_sig_constraints_rsa_pss) 191: { 192: auth_cfg_t *cfg; 193: 194: lib->settings->set_bool(lib->settings, "%s.rsa_pss", TRUE, lib->ns); 195: 196: cfg = auth_cfg_create(); 197: cfg->add_pubkey_constraints(cfg, sig_constraints_rsa_pss_tests[_i].constraints, TRUE); 198: check_sig_constraints_params(cfg, AUTH_RULE_IKE_SIGNATURE_SCHEME, 199: sig_constraints_rsa_pss_tests[_i].sig, 200: sig_constraints_rsa_pss_tests[_i].p); 201: cfg->destroy(cfg); 202: } 203: END_TEST 204: 205: Suite *auth_cfg_suite_create() 206: { 207: Suite *s; 208: TCase *tc; 209: 210: s = suite_create("auth_cfg"); 211: 212: tc = tcase_create("add_pubkey_constraints"); 213: tcase_add_loop_test(tc, test_sig_constraints, 0, countof(sig_constraints_tests)); 214: tcase_add_loop_test(tc, test_ike_constraints_fallback, 0, countof(sig_constraints_tests)); 215: suite_add_tcase(s, tc); 216: 217: tc = tcase_create("add_pubkey_constraints parameters"); 218: tcase_add_loop_test(tc, test_sig_constraints_params, 0, countof(sig_constraints_params_tests)); 219: tcase_add_loop_test(tc, test_sig_constraints_rsa_pss, 0, countof(sig_constraints_rsa_pss_tests)); 220: suite_add_tcase(s, tc); 221: 222: return s; 223: }