ikev2: Support signing with RSASSA-PSS via RFC 7427 signature auth
[strongswan.git] / src / libcharon / sa / ikev2 / authenticators / pubkey_authenticator.c
1 /*
2 * Copyright (C) 2008-2017 Tobias Brunner
3 * Copyright (C) 2005-2009 Martin Willi
4 * Copyright (C) 2005 Jan Hutter
5 * HSR Hochschule fuer Technik Rapperswil
6 *
7 * This program is free software; you can redistribute it and/or modify it
8 * under the terms of the GNU General Public License as published by the
9 * Free Software Foundation; either version 2 of the License, or (at your
10 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
11 *
12 * This program is distributed in the hope that it will be useful, but
13 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
14 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
15 * for more details.
16 */
17
18 #include "pubkey_authenticator.h"
19
20 #include <daemon.h>
21 #include <encoding/payloads/auth_payload.h>
22 #include <sa/ikev2/keymat_v2.h>
23 #include <asn1/asn1.h>
24 #include <asn1/oid.h>
25 #include <collections/array.h>
26
27 typedef struct private_pubkey_authenticator_t private_pubkey_authenticator_t;
28
29 /**
30 * Private data of an pubkey_authenticator_t object.
31 */
32 struct private_pubkey_authenticator_t {
33
34 /**
35 * Public authenticator_t interface.
36 */
37 pubkey_authenticator_t public;
38
39 /**
40 * Assigned IKE_SA
41 */
42 ike_sa_t *ike_sa;
43
44 /**
45 * nonce to include in AUTH calculation
46 */
47 chunk_t nonce;
48
49 /**
50 * IKE_SA_INIT message data to include in AUTH calculation
51 */
52 chunk_t ike_sa_init;
53
54 /**
55 * Reserved bytes of ID payload
56 */
57 char reserved[3];
58 };
59
60 /**
61 * Parse authentication data used for Signature Authentication as per RFC 7427
62 */
63 static bool parse_signature_auth_data(chunk_t *auth_data, key_type_t *key_type,
64 signature_params_t *params)
65 {
66 chunk_t parameters = chunk_empty;
67 uint8_t len;
68 int oid;
69
70 if (!auth_data->len)
71 {
72 return FALSE;
73 }
74 len = auth_data->ptr[0];
75 *auth_data = chunk_skip(*auth_data, 1);
76 oid = asn1_parse_algorithmIdentifier(*auth_data, 1, &parameters);
77 params->scheme = signature_scheme_from_oid(oid);
78 switch (params->scheme)
79 {
80 case SIGN_UNKNOWN:
81 return FALSE;
82 case SIGN_RSA_EMSA_PSS:
83 {
84 rsa_pss_params_t *pss = malloc_thing(rsa_pss_params_t);
85
86 if (!rsa_pss_params_parse(parameters, 0, pss))
87 {
88 DBG1(DBG_IKE, "failed parsing RSASSA-PSS parameters");
89 free(pss);
90 return FALSE;
91 }
92 params->params = pss;
93 break;
94 }
95 default:
96 break;
97 }
98 *key_type = key_type_from_signature_scheme(params->scheme);
99 *auth_data = chunk_skip(*auth_data, len);
100 return TRUE;
101 }
102
103 /**
104 * Build authentication data used for Signature Authentication as per RFC 7427
105 */
106 static bool build_signature_auth_data(chunk_t *auth_data,
107 signature_params_t *params)
108 {
109 chunk_t data, parameters = chunk_empty;
110 uint8_t len;
111 int oid;
112
113 oid = signature_scheme_to_oid(params->scheme);
114 if (oid == OID_UNKNOWN)
115 {
116 chunk_free(auth_data);
117 return FALSE;
118 }
119 if (params->scheme == SIGN_RSA_EMSA_PSS &&
120 !rsa_pss_params_build(params->params, &parameters))
121 {
122 chunk_free(auth_data);
123 return FALSE;
124 }
125 if (parameters.len)
126 {
127 data = asn1_algorithmIdentifier_params(oid, parameters);
128 }
129 else
130 {
131 data = asn1_algorithmIdentifier(oid);
132 }
133 len = data.len;
134 *auth_data = chunk_cat("cmm", chunk_from_thing(len), data, *auth_data);
135 return TRUE;
136 }
137
138 /**
139 * Selects possible signature schemes based on our configuration, the other
140 * peer's capabilities and the private key
141 */
142 static array_t *select_signature_schemes(keymat_v2_t *keymat,
143 auth_cfg_t *auth, private_key_t *private)
144 {
145 enumerator_t *enumerator;
146 signature_scheme_t scheme;
147 signature_params_t *config;
148 auth_rule_t rule;
149 key_type_t key_type;
150 bool have_config = FALSE;
151 array_t *selected;
152
153 selected = array_create(0, 0);
154 key_type = private->get_type(private);
155 enumerator = auth->create_enumerator(auth);
156 while (enumerator->enumerate(enumerator, &rule, &config))
157 {
158 if (rule != AUTH_RULE_IKE_SIGNATURE_SCHEME)
159 {
160 continue;
161 }
162 have_config = TRUE;
163 if (key_type == key_type_from_signature_scheme(config->scheme) &&
164 keymat->hash_algorithm_supported(keymat,
165 hasher_from_signature_scheme(config->scheme,
166 config->params)))
167 {
168 array_insert(selected, ARRAY_TAIL, signature_params_clone(config));
169 }
170 }
171 enumerator->destroy(enumerator);
172
173 if (!have_config)
174 {
175 /* if no specific configuration, find schemes appropriate for the key
176 * and supported by the other peer */
177 enumerator = signature_schemes_for_key(key_type,
178 private->get_keysize(private));
179 while (enumerator->enumerate(enumerator, &scheme))
180 {
181 if (keymat->hash_algorithm_supported(keymat,
182 hasher_from_signature_scheme(scheme,
183 NULL)))
184 {
185 INIT(config,
186 .scheme = scheme,
187 )
188 array_insert(selected, ARRAY_TAIL, config);
189 }
190 }
191 enumerator->destroy(enumerator);
192
193 /* for RSA we tried at least SHA-512, also try other schemes */
194 if (key_type == KEY_RSA)
195 {
196 signature_scheme_t schemes[] = {
197 SIGN_RSA_EMSA_PKCS1_SHA2_384,
198 SIGN_RSA_EMSA_PKCS1_SHA2_256,
199 }, contained;
200 bool found;
201 int i, j;
202
203 for (i = 0; i < countof(schemes); i++)
204 {
205 scheme = schemes[i];
206 found = FALSE;
207 for (j = 0; j < array_count(selected); j++)
208 {
209 array_get(selected, j, &contained);
210 if (scheme == contained)
211 {
212 found = TRUE;
213 break;
214 }
215 }
216 if (!found && keymat->hash_algorithm_supported(keymat,
217 hasher_from_signature_scheme(scheme,
218 NULL)))
219 {
220 INIT(config,
221 .scheme = scheme,
222 )
223 array_insert(selected, ARRAY_TAIL, config);
224 }
225 }
226 }
227 }
228 return selected;
229 }
230
231 CALLBACK(destroy_scheme, void,
232 signature_params_t *params, int idx, void *user)
233 {
234 signature_params_destroy(params);
235 }
236
237 /**
238 * Create a signature using RFC 7427 signature authentication
239 */
240 static status_t sign_signature_auth(private_pubkey_authenticator_t *this,
241 auth_cfg_t *auth, private_key_t *private,
242 identification_t *id, chunk_t *auth_data)
243 {
244 enumerator_t *enumerator;
245 keymat_v2_t *keymat;
246 signature_scheme_t scheme = SIGN_UNKNOWN;
247 signature_params_t *params;
248 array_t *schemes;
249 chunk_t octets = chunk_empty;
250 status_t status = FAILED;
251
252 keymat = (keymat_v2_t*)this->ike_sa->get_keymat(this->ike_sa);
253 schemes = select_signature_schemes(keymat, auth, private);
254 if (!array_count(schemes))
255 {
256 DBG1(DBG_IKE, "no common hash algorithm found to create signature "
257 "with %N key", key_type_names, private->get_type(private));
258 array_destroy(schemes);
259 return FAILED;
260 }
261
262 if (keymat->get_auth_octets(keymat, FALSE, this->ike_sa_init,
263 this->nonce, id, this->reserved, &octets,
264 schemes))
265 {
266 enumerator = array_create_enumerator(schemes);
267 while (enumerator->enumerate(enumerator, &params))
268 {
269 scheme = params->scheme;
270 if (private->sign(private, scheme, params->params, octets,
271 auth_data) &&
272 build_signature_auth_data(auth_data, params))
273 {
274 status = SUCCESS;
275 break;
276 }
277 else
278 {
279 DBG2(DBG_IKE, "unable to create %N signature for %N key",
280 signature_scheme_names, scheme, key_type_names,
281 private->get_type(private));
282 }
283 }
284 enumerator->destroy(enumerator);
285 }
286 DBG1(DBG_IKE, "authentication of '%Y' (myself) with %N %s", id,
287 signature_scheme_names, scheme,
288 status == SUCCESS ? "successful" : "failed");
289 array_destroy_function(schemes, destroy_scheme, NULL);
290 chunk_free(&octets);
291 return status;
292 }
293
294 /**
295 * Get the auth octets and the signature scheme (in case it is changed by the
296 * keymat).
297 */
298 static bool get_auth_octets_scheme(private_pubkey_authenticator_t *this,
299 bool verify, identification_t *id,
300 chunk_t *octets, signature_params_t **scheme)
301 {
302 keymat_v2_t *keymat;
303 array_t *schemes;
304 bool success = FALSE;
305
306 schemes = array_create(0, 0);
307 array_insert(schemes, ARRAY_TAIL, *scheme);
308
309 keymat = (keymat_v2_t*)this->ike_sa->get_keymat(this->ike_sa);
310 if (keymat->get_auth_octets(keymat, verify, this->ike_sa_init, this->nonce,
311 id, this->reserved, octets, schemes) &&
312 array_remove(schemes, 0, scheme))
313 {
314 success = TRUE;
315 }
316 else
317 {
318 *scheme = NULL;
319 }
320 array_destroy_function(schemes, destroy_scheme, NULL);
321 return success;
322 }
323
324 /**
325 * Create a classic IKEv2 signature
326 */
327 static status_t sign_classic(private_pubkey_authenticator_t *this,
328 auth_cfg_t *auth, private_key_t *private,
329 identification_t *id, auth_method_t *auth_method,
330 chunk_t *auth_data)
331 {
332 signature_scheme_t scheme;
333 signature_params_t *params;
334 chunk_t octets = chunk_empty;
335 status_t status = FAILED;
336
337 switch (private->get_type(private))
338 {
339 case KEY_RSA:
340 scheme = SIGN_RSA_EMSA_PKCS1_SHA1;
341 *auth_method = AUTH_RSA;
342 break;
343 case KEY_ECDSA:
344 /* deduct the signature scheme from the keysize */
345 switch (private->get_keysize(private))
346 {
347 case 256:
348 scheme = SIGN_ECDSA_256;
349 *auth_method = AUTH_ECDSA_256;
350 break;
351 case 384:
352 scheme = SIGN_ECDSA_384;
353 *auth_method = AUTH_ECDSA_384;
354 break;
355 case 521:
356 scheme = SIGN_ECDSA_521;
357 *auth_method = AUTH_ECDSA_521;
358 break;
359 default:
360 DBG1(DBG_IKE, "%d bit ECDSA private key size not supported",
361 private->get_keysize(private));
362 return FAILED;
363 }
364 break;
365 default:
366 DBG1(DBG_IKE, "private key of type %N not supported",
367 key_type_names, private->get_type(private));
368 return FAILED;
369 }
370
371 INIT(params,
372 .scheme = scheme,
373 );
374 if (get_auth_octets_scheme(this, FALSE, id, &octets, &params) &&
375 private->sign(private, params->scheme, NULL, octets, auth_data))
376 {
377 status = SUCCESS;
378 }
379 if (params)
380 {
381 signature_params_destroy(params);
382 }
383 DBG1(DBG_IKE, "authentication of '%Y' (myself) with %N %s", id,
384 auth_method_names, *auth_method,
385 status == SUCCESS ? "successful" : "failed");
386 chunk_free(&octets);
387 return status;
388 }
389
390 METHOD(authenticator_t, build, status_t,
391 private_pubkey_authenticator_t *this, message_t *message)
392 {
393 private_key_t *private;
394 identification_t *id;
395 auth_cfg_t *auth;
396 chunk_t auth_data;
397 status_t status;
398 auth_payload_t *auth_payload;
399 auth_method_t auth_method = AUTH_NONE;
400
401 id = this->ike_sa->get_my_id(this->ike_sa);
402 auth = this->ike_sa->get_auth_cfg(this->ike_sa, TRUE);
403 private = lib->credmgr->get_private(lib->credmgr, KEY_ANY, id, auth);
404 if (!private)
405 {
406 DBG1(DBG_IKE, "no private key found for '%Y'", id);
407 return NOT_FOUND;
408 }
409
410 if (this->ike_sa->supports_extension(this->ike_sa, EXT_SIGNATURE_AUTH))
411 {
412 auth_method = AUTH_DS;
413 status = sign_signature_auth(this, auth, private, id, &auth_data);
414 }
415 else
416 {
417 status = sign_classic(this, auth, private, id, &auth_method,
418 &auth_data);
419 }
420 private->destroy(private);
421
422 if (status == SUCCESS)
423 {
424 auth_payload = auth_payload_create();
425 auth_payload->set_auth_method(auth_payload, auth_method);
426 auth_payload->set_data(auth_payload, auth_data);
427 chunk_free(&auth_data);
428 message->add_payload(message, (payload_t*)auth_payload);
429 }
430 return status;
431 }
432
433 METHOD(authenticator_t, process, status_t,
434 private_pubkey_authenticator_t *this, message_t *message)
435 {
436 public_key_t *public;
437 auth_method_t auth_method;
438 auth_payload_t *auth_payload;
439 chunk_t auth_data, octets;
440 identification_t *id;
441 auth_cfg_t *auth, *current_auth;
442 enumerator_t *enumerator;
443 key_type_t key_type = KEY_ECDSA;
444 signature_params_t *params;
445 status_t status = NOT_FOUND;
446 const char *reason = "unsupported";
447 bool online;
448
449 auth_payload = (auth_payload_t*)message->get_payload(message, PLV2_AUTH);
450 if (!auth_payload)
451 {
452 return FAILED;
453 }
454 INIT(params);
455 auth_method = auth_payload->get_auth_method(auth_payload);
456 auth_data = auth_payload->get_data(auth_payload);
457 switch (auth_method)
458 {
459 case AUTH_RSA:
460 key_type = KEY_RSA;
461 params->scheme = SIGN_RSA_EMSA_PKCS1_SHA1;
462 break;
463 case AUTH_ECDSA_256:
464 params->scheme = SIGN_ECDSA_256;
465 break;
466 case AUTH_ECDSA_384:
467 params->scheme = SIGN_ECDSA_384;
468 break;
469 case AUTH_ECDSA_521:
470 params->scheme = SIGN_ECDSA_521;
471 break;
472 case AUTH_DS:
473 if (parse_signature_auth_data(&auth_data, &key_type, params))
474 {
475 break;
476 }
477 reason = "payload invalid";
478 /* fall-through */
479 default:
480 DBG1(DBG_IKE, "%N authentication %s", auth_method_names,
481 auth_method, reason);
482 signature_params_destroy(params);
483 return INVALID_ARG;
484 }
485 id = this->ike_sa->get_other_id(this->ike_sa);
486 if (!get_auth_octets_scheme(this, TRUE, id, &octets, &params))
487 {
488 return FAILED;
489 }
490 auth = this->ike_sa->get_auth_cfg(this->ike_sa, FALSE);
491 online = !this->ike_sa->has_condition(this->ike_sa,
492 COND_ONLINE_VALIDATION_SUSPENDED);
493 enumerator = lib->credmgr->create_public_enumerator(lib->credmgr,
494 key_type, id, auth, online);
495 while (enumerator->enumerate(enumerator, &public, &current_auth))
496 {
497 if (public->verify(public, params->scheme, params->params, octets,
498 auth_data))
499 {
500 DBG1(DBG_IKE, "authentication of '%Y' with %N successful", id,
501 auth_method == AUTH_DS ? signature_scheme_names : auth_method_names,
502 auth_method == AUTH_DS ? params->scheme : auth_method);
503 status = SUCCESS;
504 auth->merge(auth, current_auth, FALSE);
505 auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PUBKEY);
506 auth->add(auth, AUTH_RULE_IKE_SIGNATURE_SCHEME,
507 signature_params_clone(params));
508 if (!online)
509 {
510 auth->add(auth, AUTH_RULE_CERT_VALIDATION_SUSPENDED, TRUE);
511 }
512 break;
513 }
514 else
515 {
516 status = FAILED;
517 DBG1(DBG_IKE, "signature validation failed, looking for another key");
518 }
519 }
520 enumerator->destroy(enumerator);
521 chunk_free(&octets);
522 signature_params_destroy(params);
523 if (status == NOT_FOUND)
524 {
525 DBG1(DBG_IKE, "no trusted %N public key found for '%Y'",
526 key_type_names, key_type, id);
527 }
528 return status;
529 }
530
531 METHOD(authenticator_t, destroy, void,
532 private_pubkey_authenticator_t *this)
533 {
534 free(this);
535 }
536
537 /*
538 * Described in header.
539 */
540 pubkey_authenticator_t *pubkey_authenticator_create_builder(ike_sa_t *ike_sa,
541 chunk_t received_nonce, chunk_t sent_init,
542 char reserved[3])
543 {
544 private_pubkey_authenticator_t *this;
545
546 INIT(this,
547 .public = {
548 .authenticator = {
549 .build = _build,
550 .process = (void*)return_failed,
551 .is_mutual = (void*)return_false,
552 .destroy = _destroy,
553 },
554 },
555 .ike_sa = ike_sa,
556 .ike_sa_init = sent_init,
557 .nonce = received_nonce,
558 );
559 memcpy(this->reserved, reserved, sizeof(this->reserved));
560
561 return &this->public;
562 }
563
564 /*
565 * Described in header.
566 */
567 pubkey_authenticator_t *pubkey_authenticator_create_verifier(ike_sa_t *ike_sa,
568 chunk_t sent_nonce, chunk_t received_init,
569 char reserved[3])
570 {
571 private_pubkey_authenticator_t *this;
572
573 INIT(this,
574 .public = {
575 .authenticator = {
576 .build = (void*)return_failed,
577 .process = _process,
578 .is_mutual = (void*)return_false,
579 .destroy = _destroy,
580 },
581 },
582 .ike_sa = ike_sa,
583 .ike_sa_init = received_init,
584 .nonce = sent_nonce,
585 );
586 memcpy(this->reserved, reserved, sizeof(this->reserved));
587
588 return &this->public;
589 }