Merge pull request openwsn-berkeley#162 from geonnave/ead-zeroconf-demo

Demo for lake-authz
geonnave · Dec 4, 2023 · 00b91f7 · 00b91f7
2 parents 98c1511 + defe1e1
commit 00b91f7
Show file tree

Hide file tree

Showing 3 changed files with 109 additions and 9 deletions.
diff --git a/consts/src/lib.rs b/consts/src/lib.rs
@@ -186,6 +186,16 @@ impl EdhocMessageBuffer {
         self.content.get(index).copied()
     }
 
+    pub fn push(&mut self, item: u8) -> Result<(), ()> {
+        if self.len < self.content.len() {
+            self.content[self.len] = item;
+            self.len += 1;
+            Ok(())
+        } else {
+            Err(())
+        }
+    }
+
     pub fn get_slice(&self, start: usize, len: usize) -> Option<&[u8]> {
         self.content.get(start..start + len)
     }

diff --git a/ead/edhoc-ead-zeroconf/src/lib.rs b/ead/edhoc-ead-zeroconf/src/lib.rs
@@ -480,11 +480,20 @@ pub fn encode_voucher_request(
 pub struct MockEADServerState {
     pub(crate) cred_v: EdhocMessageBuffer, // identifier of the device (U), equivalent to ID_CRED_I in EDHOC
     pub(crate) w: BytesP256ElemLen,        // public key of the enrollment server (W)
+    pub acl: Option<EdhocMessageBuffer>, // access control list, each device identified by an u8 kid
 }
 impl MockEADServerState {
-    pub fn new(cred_v: &[u8], w: BytesP256ElemLen) -> Self {
+    pub fn new(cred_v: &[u8], w: BytesP256ElemLen, acl: Option<EdhocMessageBuffer>) -> Self {
         let cred_v: EdhocMessageBuffer = cred_v.try_into().unwrap();
-        MockEADServerState { cred_v, w }
+        MockEADServerState { cred_v, w, acl }
+    }
+    pub fn authorized(self, kid: u8) -> bool {
+        if let Some(acl) = self.acl {
+            acl.content.contains(&kid)
+        } else {
+            // if no acl then allow it
+            true
+        }
     }
 }
 static mut MOCK_EAD_SERVER_GLOBAL_STATE: MockEADServerState = MockEADServerState {
@@ -493,6 +502,7 @@ static mut MOCK_EAD_SERVER_GLOBAL_STATE: MockEADServerState = MockEADServerState
         len: 0,
     },
     w: [0; P256_ELEM_LEN],
+    acl: None,
 };
 pub fn mock_ead_server_get_global_state() -> &'static MockEADServerState {
     unsafe { &MOCK_EAD_SERVER_GLOBAL_STATE }
@@ -540,13 +550,16 @@ fn handle_voucher_request<Crypto: CryptoTrait>(
 
     let (_loc_w, enc_id) = parse_ead_1_value(&ead_1.unwrap().value.unwrap())?;
     let id_u_encoded = decrypt_enc_id(crypto, &prk, &enc_id, EDHOC_SUPPORTED_SUITES[0])?;
-    let _id_u = decode_id_u(id_u_encoded)?;
+    let id_u = decode_id_u(id_u_encoded)?;
 
-    // TODO: use id_u to perform authorization, e.g. if authorized_devices.contains(id_u) then proceed else stop
-
-    let voucher = prepare_voucher(crypto, &h_message_1, cred_v, &prk);
-    let voucher_response = encode_voucher_response(&message_1, &voucher, &opaque_state);
-    Ok(voucher_response)
+    let server_state = mock_ead_server_get_global_state();
+    if server_state.acl.is_none() || server_state.authorized(id_u.content[3]) {
+        let voucher = prepare_voucher(crypto, &h_message_1, cred_v, &prk);
+        let voucher_response = encode_voucher_response(&message_1, &voucher, &opaque_state);
+        Ok(voucher_response)
+    } else {
+        Err(EDHOCError::EADError)
+    }
 }
 
 fn decode_id_u(id_u_bstr: EdhocMessageBuffer) -> Result<EdhocMessageBuffer, EDHOCError> {
@@ -915,6 +928,7 @@ mod test_responder {
         mock_ead_server_set_global_state(MockEADServerState::new(
             CRED_V_TV,
             W_TV.try_into().unwrap(),
+            None,
         ));
 
         let res = r_process_ead_1(&mut default_crypto(), &ead_1, &message_1_tv);
@@ -1030,6 +1044,12 @@ mod test_enrollment_server {
         let g_x_tv: BytesP256ElemLen = G_X_TV.try_into().unwrap();
         let voucher_response_tv: EdhocMessageBuffer = VOUCHER_RESPONSE_TV.try_into().unwrap();
 
+        mock_ead_server_set_global_state(MockEADServerState::new(
+            CRED_V_TV,
+            W_TV.try_into().unwrap(),
+            None,
+        ));
+
         let res = handle_voucher_request(
             &mut default_crypto(),
             &voucher_request_tv,
@@ -1095,6 +1115,12 @@ mod test_stateless_operation {
         let g_x_tv: BytesP256ElemLen = G_X_TV.try_into().unwrap();
         let voucher_response_tv: EdhocMessageBuffer = SLO_VOUCHER_RESPONSE_TV.try_into().unwrap();
 
+        mock_ead_server_set_global_state(MockEADServerState::new(
+            CRED_V_TV,
+            W_TV.try_into().unwrap(),
+            None,
+        ));
+
         let res = handle_voucher_request(
             &mut default_crypto(),
             &voucher_request_tv,

diff --git a/lib/src/lib.rs b/lib/src/lib.rs
@@ -478,6 +478,7 @@ mod test {
     const G_W_TV: &[u8] = &hex!("FFA4F102134029B3B156890B88C9D9619501196574174DCB68A07DB0588E4D41");
     const LOC_W_TV: &[u8] = &hex!("636F61703A2F2F656E726F6C6C6D656E742E736572766572");
 
+    // TODO: have a setup_test function that prepares the common objects for the ead tests
     #[cfg(feature = "ead-zeroconf")]
     #[test]
     fn test_ead_zeroconf() {
@@ -510,7 +511,14 @@ mod test {
             EADResponderProtocolState::Start
         );
 
-        mock_ead_server_set_global_state(MockEADServerState::new(CRED_R, W_TV.try_into().unwrap()));
+        let mut acl = EdhocMessageBuffer::new();
+        let (_g, kid_i) = parse_cred(CRED_I).unwrap();
+        acl.push(kid_i).unwrap();
+        mock_ead_server_set_global_state(MockEADServerState::new(
+            CRED_R,
+            W_TV.try_into().unwrap(),
+            Some(acl),
+        ));
 
         let c_i = generate_connection_identifier_cbor(&mut default_crypto());
         let (initiator, message_1) = initiator.prepare_message_1(c_i).unwrap();
@@ -549,4 +557,60 @@ mod test {
             EADResponderProtocolState::Completed
         );
     }
+
+    #[cfg(feature = "ead-zeroconf")]
+    #[test]
+    fn test_ead_zeroconf_not_authorized() {
+        // ==== initialize edhoc ====
+        let initiator = EdhocInitiator::new(Default::default(), default_crypto(), I, CRED_I, None);
+        let responder = EdhocResponder::new(
+            Default::default(),
+            default_crypto(),
+            R,
+            CRED_R,
+            Some(CRED_I),
+        );
+
+        // ==== initialize ead-zeroconf ====
+        let id_u: EdhocMessageBuffer = ID_U_TV.try_into().unwrap();
+        let g_w: BytesP256ElemLen = G_W_TV.try_into().unwrap();
+        let loc_w: EdhocMessageBuffer = LOC_W_TV.try_into().unwrap();
+
+        ead_initiator_set_global_state(EADInitiatorState::new(id_u, g_w, loc_w));
+        let ead_initiator_state = ead_initiator_get_global_state();
+        assert_eq!(
+            ead_initiator_state.protocol_state,
+            EADInitiatorProtocolState::Start
+        );
+
+        ead_responder_set_global_state(EADResponderState::new());
+        let ead_responder_state = ead_responder_get_global_state();
+        assert_eq!(
+            ead_responder_state.protocol_state,
+            EADResponderProtocolState::Start
+        );
+
+        let mut acl = EdhocMessageBuffer::new();
+        let (_g, kid_i) = parse_cred(CRED_I).unwrap();
+        let invalid_kid = kid_i + 1;
+        acl.push(invalid_kid).unwrap();
+        mock_ead_server_set_global_state(MockEADServerState::new(
+            CRED_R,
+            W_TV.try_into().unwrap(),
+            Some(acl),
+        ));
+
+        let c_i = generate_connection_identifier_cbor(&mut default_crypto());
+        let (initiator, message_1) = initiator.prepare_message_1(c_i).unwrap();
+        assert_eq!(
+            ead_initiator_state.protocol_state,
+            EADInitiatorProtocolState::WaitEAD2
+        );
+
+        // ==== begin edhoc with ead-zeroconf ====
+        assert_eq!(
+            responder.process_message_1(&message_1).unwrap_err(),
+            EDHOCError::EADError
+        );
+    }
 }