auth-cfg: Parse rsa/pss auth tokens
This commit is contained in:
parent
54f8d09261
commit
634c6ba8ce
|
@ -536,11 +536,12 @@ METHOD(auth_cfg_t, add_pubkey_constraints, void,
|
|||
private_auth_cfg_t *this, char* constraints, bool ike)
|
||||
{
|
||||
enumerator_t *enumerator;
|
||||
bool is_ike = FALSE, ike_added = FALSE;
|
||||
bool ike_added = FALSE;
|
||||
key_type_t expected_type = -1;
|
||||
auth_rule_t expected_strength = AUTH_RULE_MAX;
|
||||
signature_params_t *params;
|
||||
int strength;
|
||||
char *token;
|
||||
char *token, *key_token = NULL;
|
||||
auth_rule_t type;
|
||||
void *value;
|
||||
|
||||
|
@ -589,72 +590,108 @@ METHOD(auth_cfg_t, add_pubkey_constraints, void,
|
|||
}
|
||||
if (streq(token, "rsa") || streq(token, "ike:rsa"))
|
||||
{
|
||||
key_token = token;
|
||||
expected_type = KEY_RSA;
|
||||
expected_strength = AUTH_RULE_RSA_STRENGTH;
|
||||
continue;
|
||||
}
|
||||
if (streq(token, "rsa/pss") || streq(token, "ike:rsa/pss"))
|
||||
{
|
||||
key_token = token;
|
||||
expected_type = KEY_RSA;
|
||||
expected_strength = AUTH_RULE_RSA_STRENGTH;
|
||||
is_ike = strpfx(token, "ike:");
|
||||
continue;
|
||||
}
|
||||
if (streq(token, "ecdsa") || streq(token, "ike:ecdsa"))
|
||||
{
|
||||
key_token = token;
|
||||
expected_type = KEY_ECDSA;
|
||||
expected_strength = AUTH_RULE_ECDSA_STRENGTH;
|
||||
is_ike = strpfx(token, "ike:");
|
||||
continue;
|
||||
}
|
||||
if (streq(token, "ed25519") || streq(token, "ike:ed25519"))
|
||||
{
|
||||
key_token = token;
|
||||
expected_type = KEY_ED25519;
|
||||
is_ike = strpfx(token, "ike:");
|
||||
continue;
|
||||
}
|
||||
if (streq(token, "ed448") || streq(token, "ike:ed448"))
|
||||
{
|
||||
key_token = token;
|
||||
expected_type = KEY_ED448;
|
||||
is_ike = strpfx(token, "ike:");
|
||||
continue;
|
||||
}
|
||||
if (streq(token, "bliss") || streq(token, "ike:bliss"))
|
||||
{
|
||||
key_token = token;
|
||||
expected_type = KEY_BLISS;
|
||||
expected_strength = AUTH_RULE_BLISS_STRENGTH;
|
||||
is_ike = strpfx(token, "ike:");
|
||||
continue;
|
||||
}
|
||||
if (streq(token, "pubkey") || streq(token, "ike:pubkey"))
|
||||
{
|
||||
key_token = token;
|
||||
expected_type = KEY_ANY;
|
||||
is_ike = strpfx(token, "ike:");
|
||||
continue;
|
||||
}
|
||||
if (is_ike && !ike)
|
||||
if (key_token && strpfx(key_token, "ike:") && !ike)
|
||||
{
|
||||
continue;
|
||||
}
|
||||
|
||||
for (i = 0; i < countof(schemes); i++)
|
||||
{
|
||||
if (streq(schemes[i].name, token))
|
||||
if (key_token && streq(key_token + strlen(key_token) - 3, "pss"))
|
||||
{ /* these are not added automatically with 'pubkey' */
|
||||
hash_algorithm_t hash;
|
||||
if (enum_from_name(hash_algorithm_short_names, token, &hash))
|
||||
{
|
||||
if (expected_type == KEY_ANY || expected_type == schemes[i].key)
|
||||
rsa_pss_params_t pss = {
|
||||
.hash = hash,
|
||||
.mgf1_hash = hash,
|
||||
.salt_len = RSA_PSS_SALT_LEN_DEFAULT,
|
||||
};
|
||||
signature_params_t pss_params = {
|
||||
.scheme = SIGN_RSA_EMSA_PSS,
|
||||
.params = &pss,
|
||||
};
|
||||
params = signature_params_clone(&pss_params);
|
||||
if (strpfx(key_token, "ike:"))
|
||||
{
|
||||
signature_params_t *params;
|
||||
|
||||
INIT(params,
|
||||
.scheme = schemes[i].scheme,
|
||||
);
|
||||
if (is_ike)
|
||||
{
|
||||
add(this, AUTH_RULE_IKE_SIGNATURE_SCHEME, params);
|
||||
ike_added = TRUE;
|
||||
}
|
||||
else
|
||||
{
|
||||
add(this, AUTH_RULE_SIGNATURE_SCHEME, params);
|
||||
}
|
||||
add(this, AUTH_RULE_IKE_SIGNATURE_SCHEME, params);
|
||||
ike_added = TRUE;
|
||||
}
|
||||
else
|
||||
{
|
||||
add(this, AUTH_RULE_SIGNATURE_SCHEME, params);
|
||||
}
|
||||
found = TRUE;
|
||||
}
|
||||
}
|
||||
else
|
||||
{
|
||||
for (i = 0; i < countof(schemes); i++)
|
||||
{
|
||||
if (streq(schemes[i].name, token))
|
||||
{
|
||||
if (expected_type == KEY_ANY ||
|
||||
expected_type == schemes[i].key)
|
||||
{
|
||||
INIT(params,
|
||||
.scheme = schemes[i].scheme,
|
||||
);
|
||||
if (strpfx(key_token, "ike:"))
|
||||
{
|
||||
add(this, AUTH_RULE_IKE_SIGNATURE_SCHEME, params);
|
||||
ike_added = TRUE;
|
||||
}
|
||||
else
|
||||
{
|
||||
add(this, AUTH_RULE_SIGNATURE_SCHEME, params);
|
||||
}
|
||||
}
|
||||
found = TRUE;
|
||||
}
|
||||
}
|
||||
}
|
||||
if (!found)
|
||||
{
|
||||
DBG1(DBG_CFG, "ignoring invalid auth token: '%s'", token);
|
||||
|
|
|
@ -106,6 +106,76 @@ START_TEST(test_ike_contraints_fallback)
|
|||
}
|
||||
END_TEST
|
||||
|
||||
typedef union {
|
||||
rsa_pss_params_t pss;
|
||||
} signature_param_types_t;
|
||||
|
||||
struct {
|
||||
char *constraints;
|
||||
signature_scheme_t sig[5];
|
||||
signature_param_types_t p[5];
|
||||
} sig_constraints_params_tests[] = {
|
||||
{ "rsa/pss-sha256", { SIGN_RSA_EMSA_PSS, 0 }, {
|
||||
{ .pss = { .hash = HASH_SHA256, .mgf1_hash = HASH_SHA256, .salt_len = HASH_SIZE_SHA256, }}}},
|
||||
{ "rsa/pss-sha256-sha384", { SIGN_RSA_EMSA_PSS, SIGN_RSA_EMSA_PSS, 0 }, {
|
||||
{ .pss = { .hash = HASH_SHA256, .mgf1_hash = HASH_SHA256, .salt_len = HASH_SIZE_SHA256, }},
|
||||
{ .pss = { .hash = HASH_SHA384, .mgf1_hash = HASH_SHA384, .salt_len = HASH_SIZE_SHA384, }}}},
|
||||
{ "rsa/pss-sha256-rsa-sha256", { SIGN_RSA_EMSA_PSS, SIGN_RSA_EMSA_PKCS1_SHA2_256, 0 }, {
|
||||
{ .pss = { .hash = HASH_SHA256, .mgf1_hash = HASH_SHA256, .salt_len = HASH_SIZE_SHA256, }}}},
|
||||
{ "rsa-sha256-rsa/pss-sha256", { SIGN_RSA_EMSA_PKCS1_SHA2_256, SIGN_RSA_EMSA_PSS, 0 }, {
|
||||
{},
|
||||
{ .pss = { .hash = HASH_SHA256, .mgf1_hash = HASH_SHA256, .salt_len = HASH_SIZE_SHA256, }}}},
|
||||
{ "rsa/pss", { 0 }, {}},
|
||||
};
|
||||
|
||||
static void check_sig_constraints_params(auth_cfg_t *cfg, auth_rule_t type,
|
||||
signature_scheme_t scheme[],
|
||||
signature_param_types_t p[])
|
||||
{
|
||||
enumerator_t *enumerator;
|
||||
auth_rule_t t;
|
||||
signature_params_t *value;
|
||||
int i = 0;
|
||||
|
||||
enumerator = cfg->create_enumerator(cfg);
|
||||
while (enumerator->enumerate(enumerator, &t, &value))
|
||||
{
|
||||
if (t == type)
|
||||
{
|
||||
if (scheme[i] == SIGN_RSA_EMSA_PSS)
|
||||
{
|
||||
signature_params_t expected = {
|
||||
.scheme = scheme[i],
|
||||
.params = &p[i].pss,
|
||||
};
|
||||
ck_assert(signature_params_equal(value, &expected));
|
||||
}
|
||||
else
|
||||
{
|
||||
ck_assert(scheme[i]);
|
||||
ck_assert(!value->params);
|
||||
ck_assert_int_eq(scheme[i], value->scheme);
|
||||
}
|
||||
i++;
|
||||
}
|
||||
}
|
||||
enumerator->destroy(enumerator);
|
||||
ck_assert(!scheme[i]);
|
||||
}
|
||||
|
||||
START_TEST(test_sig_contraints_params)
|
||||
{
|
||||
auth_cfg_t *cfg;
|
||||
|
||||
cfg = auth_cfg_create();
|
||||
cfg->add_pubkey_constraints(cfg, sig_constraints_params_tests[_i].constraints, TRUE);
|
||||
check_sig_constraints_params(cfg, AUTH_RULE_IKE_SIGNATURE_SCHEME,
|
||||
sig_constraints_params_tests[_i].sig,
|
||||
sig_constraints_params_tests[_i].p);
|
||||
cfg->destroy(cfg);
|
||||
}
|
||||
END_TEST
|
||||
|
||||
Suite *auth_cfg_suite_create()
|
||||
{
|
||||
Suite *s;
|
||||
|
@ -118,5 +188,9 @@ Suite *auth_cfg_suite_create()
|
|||
tcase_add_loop_test(tc, test_ike_contraints_fallback, 0, countof(sig_constraints_tests));
|
||||
suite_add_tcase(s, tc);
|
||||
|
||||
tc = tcase_create("add_pubkey_constraints parameters");
|
||||
tcase_add_loop_test(tc, test_sig_contraints_params, 0, countof(sig_constraints_params_tests));
|
||||
suite_add_tcase(s, tc);
|
||||
|
||||
return s;
|
||||
}
|
||||
|
|
Loading…
Reference in New Issue