signature-params: Use helper to build MGF1 algorithmIdentifier
[strongswan.git] / src / libcharon / sa / ikev2 / authenticators / pubkey_authenticator.c
1 /*
2 * Copyright (C) 2008-2017 Tobias Brunner
3 * Copyright (C) 2005-2009 Martin Willi
4 * Copyright (C) 2005 Jan Hutter
5 * HSR Hochschule fuer Technik Rapperswil
6 *
7 * This program is free software; you can redistribute it and/or modify it
8 * under the terms of the GNU General Public License as published by the
9 * Free Software Foundation; either version 2 of the License, or (at your
10 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
11 *
12 * This program is distributed in the hope that it will be useful, but
13 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
14 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
15 * for more details.
16 */
17
18 #include "pubkey_authenticator.h"
19
20 #include <daemon.h>
21 #include <encoding/payloads/auth_payload.h>
22 #include <sa/ikev2/keymat_v2.h>
23 #include <asn1/asn1.h>
24 #include <asn1/oid.h>
25 #include <collections/array.h>
26
27 typedef struct private_pubkey_authenticator_t private_pubkey_authenticator_t;
28
29 /**
30 * Private data of an pubkey_authenticator_t object.
31 */
32 struct private_pubkey_authenticator_t {
33
34 /**
35 * Public authenticator_t interface.
36 */
37 pubkey_authenticator_t public;
38
39 /**
40 * Assigned IKE_SA
41 */
42 ike_sa_t *ike_sa;
43
44 /**
45 * nonce to include in AUTH calculation
46 */
47 chunk_t nonce;
48
49 /**
50 * IKE_SA_INIT message data to include in AUTH calculation
51 */
52 chunk_t ike_sa_init;
53
54 /**
55 * Reserved bytes of ID payload
56 */
57 char reserved[3];
58 };
59
60 /**
61 * Parse authentication data used for Signature Authentication as per RFC 7427
62 */
63 static bool parse_signature_auth_data(chunk_t *auth_data, key_type_t *key_type,
64 signature_params_t *params)
65 {
66 chunk_t parameters = chunk_empty;
67 uint8_t len;
68 int oid;
69
70 if (!auth_data->len)
71 {
72 return FALSE;
73 }
74 len = auth_data->ptr[0];
75 *auth_data = chunk_skip(*auth_data, 1);
76 oid = asn1_parse_algorithmIdentifier(*auth_data, 1, &parameters);
77 params->scheme = signature_scheme_from_oid(oid);
78 switch (params->scheme)
79 {
80 case SIGN_UNKNOWN:
81 return FALSE;
82 case SIGN_RSA_EMSA_PSS:
83 {
84 rsa_pss_params_t *pss = malloc_thing(rsa_pss_params_t);
85
86 if (!rsa_pss_params_parse(parameters, 0, pss))
87 {
88 DBG1(DBG_IKE, "failed parsing RSASSA-PSS parameters");
89 free(pss);
90 return FALSE;
91 }
92 params->params = pss;
93 break;
94 }
95 default:
96 break;
97 }
98 *key_type = key_type_from_signature_scheme(params->scheme);
99 *auth_data = chunk_skip(*auth_data, len);
100 return TRUE;
101 }
102
103 /**
104 * Build authentication data used for Signature Authentication as per RFC 7427
105 */
106 static bool build_signature_auth_data(chunk_t *auth_data,
107 signature_scheme_t scheme)
108 {
109 chunk_t data;
110 uint8_t len;
111 int oid;
112
113 oid = signature_scheme_to_oid(scheme);
114 if (oid == OID_UNKNOWN)
115 {
116 return FALSE;
117 }
118 data = asn1_algorithmIdentifier(oid);
119 len = data.len;
120 *auth_data = chunk_cat("cmm", chunk_from_thing(len), data, *auth_data);
121 return TRUE;
122 }
123
124 /**
125 * Selects possible signature schemes based on our configuration, the other
126 * peer's capabilities and the private key
127 */
128 static array_t *select_signature_schemes(keymat_v2_t *keymat,
129 auth_cfg_t *auth, private_key_t *private)
130 {
131 enumerator_t *enumerator;
132 signature_scheme_t scheme;
133 signature_params_t *config;
134 auth_rule_t rule;
135 key_type_t key_type;
136 bool have_config = FALSE;
137 array_t *selected;
138
139 selected = array_create(0, 0);
140 key_type = private->get_type(private);
141 enumerator = auth->create_enumerator(auth);
142 while (enumerator->enumerate(enumerator, &rule, &config))
143 {
144 if (rule != AUTH_RULE_IKE_SIGNATURE_SCHEME)
145 {
146 continue;
147 }
148 have_config = TRUE;
149 if (key_type == key_type_from_signature_scheme(config->scheme) &&
150 keymat->hash_algorithm_supported(keymat,
151 hasher_from_signature_scheme(config->scheme,
152 config->params)))
153 {
154 array_insert(selected, ARRAY_TAIL, signature_params_clone(config));
155 }
156 }
157 enumerator->destroy(enumerator);
158
159 if (!have_config)
160 {
161 /* if no specific configuration, find schemes appropriate for the key
162 * and supported by the other peer */
163 enumerator = signature_schemes_for_key(key_type,
164 private->get_keysize(private));
165 while (enumerator->enumerate(enumerator, &scheme))
166 {
167 if (keymat->hash_algorithm_supported(keymat,
168 hasher_from_signature_scheme(scheme,
169 NULL)))
170 {
171 INIT(config,
172 .scheme = scheme,
173 )
174 array_insert(selected, ARRAY_TAIL, config);
175 }
176 }
177 enumerator->destroy(enumerator);
178
179 /* for RSA we tried at least SHA-512, also try other schemes */
180 if (key_type == KEY_RSA)
181 {
182 signature_scheme_t schemes[] = {
183 SIGN_RSA_EMSA_PKCS1_SHA2_384,
184 SIGN_RSA_EMSA_PKCS1_SHA2_256,
185 }, contained;
186 bool found;
187 int i, j;
188
189 for (i = 0; i < countof(schemes); i++)
190 {
191 scheme = schemes[i];
192 found = FALSE;
193 for (j = 0; j < array_count(selected); j++)
194 {
195 array_get(selected, j, &contained);
196 if (scheme == contained)
197 {
198 found = TRUE;
199 break;
200 }
201 }
202 if (!found && keymat->hash_algorithm_supported(keymat,
203 hasher_from_signature_scheme(scheme,
204 NULL)))
205 {
206 INIT(config,
207 .scheme = scheme,
208 )
209 array_insert(selected, ARRAY_TAIL, config);
210 }
211 }
212 }
213 }
214 return selected;
215 }
216
217 CALLBACK(destroy_scheme, void,
218 signature_params_t *params, int idx, void *user)
219 {
220 signature_params_destroy(params);
221 }
222
223 /**
224 * Create a signature using RFC 7427 signature authentication
225 */
226 static status_t sign_signature_auth(private_pubkey_authenticator_t *this,
227 auth_cfg_t *auth, private_key_t *private,
228 identification_t *id, chunk_t *auth_data)
229 {
230 enumerator_t *enumerator;
231 keymat_v2_t *keymat;
232 signature_scheme_t scheme = SIGN_UNKNOWN;
233 signature_params_t *params;
234 array_t *schemes;
235 chunk_t octets = chunk_empty;
236 status_t status = FAILED;
237
238 keymat = (keymat_v2_t*)this->ike_sa->get_keymat(this->ike_sa);
239 schemes = select_signature_schemes(keymat, auth, private);
240 if (!array_count(schemes))
241 {
242 DBG1(DBG_IKE, "no common hash algorithm found to create signature "
243 "with %N key", key_type_names, private->get_type(private));
244 array_destroy(schemes);
245 return FAILED;
246 }
247
248 if (keymat->get_auth_octets(keymat, FALSE, this->ike_sa_init,
249 this->nonce, id, this->reserved, &octets,
250 schemes))
251 {
252 enumerator = array_create_enumerator(schemes);
253 while (enumerator->enumerate(enumerator, &params))
254 {
255 scheme = params->scheme;
256 if (private->sign(private, scheme, NULL, octets, auth_data) &&
257 build_signature_auth_data(auth_data, scheme))
258 {
259 status = SUCCESS;
260 break;
261 }
262 else
263 {
264 DBG2(DBG_IKE, "unable to create %N signature for %N key",
265 signature_scheme_names, scheme, key_type_names,
266 private->get_type(private));
267 }
268 }
269 enumerator->destroy(enumerator);
270 }
271 DBG1(DBG_IKE, "authentication of '%Y' (myself) with %N %s", id,
272 signature_scheme_names, scheme,
273 status == SUCCESS ? "successful" : "failed");
274 array_destroy_function(schemes, destroy_scheme, NULL);
275 chunk_free(&octets);
276 return status;
277 }
278
279 /**
280 * Get the auth octets and the signature scheme (in case it is changed by the
281 * keymat).
282 */
283 static bool get_auth_octets_scheme(private_pubkey_authenticator_t *this,
284 bool verify, identification_t *id,
285 chunk_t *octets, signature_params_t **scheme)
286 {
287 keymat_v2_t *keymat;
288 array_t *schemes;
289 bool success = FALSE;
290
291 schemes = array_create(0, 0);
292 array_insert(schemes, ARRAY_TAIL, *scheme);
293
294 keymat = (keymat_v2_t*)this->ike_sa->get_keymat(this->ike_sa);
295 if (keymat->get_auth_octets(keymat, verify, this->ike_sa_init, this->nonce,
296 id, this->reserved, octets, schemes) &&
297 array_remove(schemes, 0, scheme))
298 {
299 success = TRUE;
300 }
301 else
302 {
303 *scheme = NULL;
304 }
305 array_destroy_function(schemes, destroy_scheme, NULL);
306 return success;
307 }
308
309 /**
310 * Create a classic IKEv2 signature
311 */
312 static status_t sign_classic(private_pubkey_authenticator_t *this,
313 auth_cfg_t *auth, private_key_t *private,
314 identification_t *id, auth_method_t *auth_method,
315 chunk_t *auth_data)
316 {
317 signature_scheme_t scheme;
318 signature_params_t *params;
319 chunk_t octets = chunk_empty;
320 status_t status = FAILED;
321
322 switch (private->get_type(private))
323 {
324 case KEY_RSA:
325 scheme = SIGN_RSA_EMSA_PKCS1_SHA1;
326 *auth_method = AUTH_RSA;
327 break;
328 case KEY_ECDSA:
329 /* deduct the signature scheme from the keysize */
330 switch (private->get_keysize(private))
331 {
332 case 256:
333 scheme = SIGN_ECDSA_256;
334 *auth_method = AUTH_ECDSA_256;
335 break;
336 case 384:
337 scheme = SIGN_ECDSA_384;
338 *auth_method = AUTH_ECDSA_384;
339 break;
340 case 521:
341 scheme = SIGN_ECDSA_521;
342 *auth_method = AUTH_ECDSA_521;
343 break;
344 default:
345 DBG1(DBG_IKE, "%d bit ECDSA private key size not supported",
346 private->get_keysize(private));
347 return FAILED;
348 }
349 break;
350 default:
351 DBG1(DBG_IKE, "private key of type %N not supported",
352 key_type_names, private->get_type(private));
353 return FAILED;
354 }
355
356 INIT(params,
357 .scheme = scheme,
358 );
359 if (get_auth_octets_scheme(this, FALSE, id, &octets, &params) &&
360 private->sign(private, params->scheme, NULL, octets, auth_data))
361 {
362 status = SUCCESS;
363 }
364 if (params)
365 {
366 signature_params_destroy(params);
367 }
368 DBG1(DBG_IKE, "authentication of '%Y' (myself) with %N %s", id,
369 auth_method_names, *auth_method,
370 status == SUCCESS ? "successful" : "failed");
371 chunk_free(&octets);
372 return status;
373 }
374
375 METHOD(authenticator_t, build, status_t,
376 private_pubkey_authenticator_t *this, message_t *message)
377 {
378 private_key_t *private;
379 identification_t *id;
380 auth_cfg_t *auth;
381 chunk_t auth_data;
382 status_t status;
383 auth_payload_t *auth_payload;
384 auth_method_t auth_method = AUTH_NONE;
385
386 id = this->ike_sa->get_my_id(this->ike_sa);
387 auth = this->ike_sa->get_auth_cfg(this->ike_sa, TRUE);
388 private = lib->credmgr->get_private(lib->credmgr, KEY_ANY, id, auth);
389 if (!private)
390 {
391 DBG1(DBG_IKE, "no private key found for '%Y'", id);
392 return NOT_FOUND;
393 }
394
395 if (this->ike_sa->supports_extension(this->ike_sa, EXT_SIGNATURE_AUTH))
396 {
397 auth_method = AUTH_DS;
398 status = sign_signature_auth(this, auth, private, id, &auth_data);
399 }
400 else
401 {
402 status = sign_classic(this, auth, private, id, &auth_method,
403 &auth_data);
404 }
405 private->destroy(private);
406
407 if (status == SUCCESS)
408 {
409 auth_payload = auth_payload_create();
410 auth_payload->set_auth_method(auth_payload, auth_method);
411 auth_payload->set_data(auth_payload, auth_data);
412 chunk_free(&auth_data);
413 message->add_payload(message, (payload_t*)auth_payload);
414 }
415 return status;
416 }
417
418 METHOD(authenticator_t, process, status_t,
419 private_pubkey_authenticator_t *this, message_t *message)
420 {
421 public_key_t *public;
422 auth_method_t auth_method;
423 auth_payload_t *auth_payload;
424 chunk_t auth_data, octets;
425 identification_t *id;
426 auth_cfg_t *auth, *current_auth;
427 enumerator_t *enumerator;
428 key_type_t key_type = KEY_ECDSA;
429 signature_params_t *params;
430 status_t status = NOT_FOUND;
431 const char *reason = "unsupported";
432 bool online;
433
434 auth_payload = (auth_payload_t*)message->get_payload(message, PLV2_AUTH);
435 if (!auth_payload)
436 {
437 return FAILED;
438 }
439 INIT(params);
440 auth_method = auth_payload->get_auth_method(auth_payload);
441 auth_data = auth_payload->get_data(auth_payload);
442 switch (auth_method)
443 {
444 case AUTH_RSA:
445 key_type = KEY_RSA;
446 params->scheme = SIGN_RSA_EMSA_PKCS1_SHA1;
447 break;
448 case AUTH_ECDSA_256:
449 params->scheme = SIGN_ECDSA_256;
450 break;
451 case AUTH_ECDSA_384:
452 params->scheme = SIGN_ECDSA_384;
453 break;
454 case AUTH_ECDSA_521:
455 params->scheme = SIGN_ECDSA_521;
456 break;
457 case AUTH_DS:
458 if (parse_signature_auth_data(&auth_data, &key_type, params))
459 {
460 break;
461 }
462 reason = "payload invalid";
463 /* fall-through */
464 default:
465 DBG1(DBG_IKE, "%N authentication %s", auth_method_names,
466 auth_method, reason);
467 signature_params_destroy(params);
468 return INVALID_ARG;
469 }
470 id = this->ike_sa->get_other_id(this->ike_sa);
471 if (!get_auth_octets_scheme(this, TRUE, id, &octets, &params))
472 {
473 return FAILED;
474 }
475 auth = this->ike_sa->get_auth_cfg(this->ike_sa, FALSE);
476 online = !this->ike_sa->has_condition(this->ike_sa,
477 COND_ONLINE_VALIDATION_SUSPENDED);
478 enumerator = lib->credmgr->create_public_enumerator(lib->credmgr,
479 key_type, id, auth, online);
480 while (enumerator->enumerate(enumerator, &public, &current_auth))
481 {
482 if (public->verify(public, params->scheme, params->params, octets,
483 auth_data))
484 {
485 DBG1(DBG_IKE, "authentication of '%Y' with %N successful", id,
486 auth_method == AUTH_DS ? signature_scheme_names : auth_method_names,
487 auth_method == AUTH_DS ? params->scheme : auth_method);
488 status = SUCCESS;
489 auth->merge(auth, current_auth, FALSE);
490 auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PUBKEY);
491 auth->add(auth, AUTH_RULE_IKE_SIGNATURE_SCHEME,
492 signature_params_clone(params));
493 if (!online)
494 {
495 auth->add(auth, AUTH_RULE_CERT_VALIDATION_SUSPENDED, TRUE);
496 }
497 break;
498 }
499 else
500 {
501 status = FAILED;
502 DBG1(DBG_IKE, "signature validation failed, looking for another key");
503 }
504 }
505 enumerator->destroy(enumerator);
506 chunk_free(&octets);
507 signature_params_destroy(params);
508 if (status == NOT_FOUND)
509 {
510 DBG1(DBG_IKE, "no trusted %N public key found for '%Y'",
511 key_type_names, key_type, id);
512 }
513 return status;
514 }
515
516 METHOD(authenticator_t, destroy, void,
517 private_pubkey_authenticator_t *this)
518 {
519 free(this);
520 }
521
522 /*
523 * Described in header.
524 */
525 pubkey_authenticator_t *pubkey_authenticator_create_builder(ike_sa_t *ike_sa,
526 chunk_t received_nonce, chunk_t sent_init,
527 char reserved[3])
528 {
529 private_pubkey_authenticator_t *this;
530
531 INIT(this,
532 .public = {
533 .authenticator = {
534 .build = _build,
535 .process = (void*)return_failed,
536 .is_mutual = (void*)return_false,
537 .destroy = _destroy,
538 },
539 },
540 .ike_sa = ike_sa,
541 .ike_sa_init = sent_init,
542 .nonce = received_nonce,
543 );
544 memcpy(this->reserved, reserved, sizeof(this->reserved));
545
546 return &this->public;
547 }
548
549 /*
550 * Described in header.
551 */
552 pubkey_authenticator_t *pubkey_authenticator_create_verifier(ike_sa_t *ike_sa,
553 chunk_t sent_nonce, chunk_t received_init,
554 char reserved[3])
555 {
556 private_pubkey_authenticator_t *this;
557
558 INIT(this,
559 .public = {
560 .authenticator = {
561 .build = (void*)return_failed,
562 .process = _process,
563 .is_mutual = (void*)return_false,
564 .destroy = _destroy,
565 },
566 },
567 .ike_sa = ike_sa,
568 .ike_sa_init = received_init,
569 .nonce = sent_nonce,
570 );
571 memcpy(this->reserved, reserved, sizeof(this->reserved));
572
573 return &this->public;
574 }