ikev2: Try all eligible signature schemes
[strongswan.git] / src / libcharon / sa / ikev2 / authenticators / pubkey_authenticator.c
1 /*
2 * Copyright (C) 2008-2015 Tobias Brunner
3 * Copyright (C) 2005-2009 Martin Willi
4 * Copyright (C) 2005 Jan Hutter
5 * Hochschule fuer Technik Rapperswil
6 *
7 * This program is free software; you can redistribute it and/or modify it
8 * under the terms of the GNU General Public License as published by the
9 * Free Software Foundation; either version 2 of the License, or (at your
10 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
11 *
12 * This program is distributed in the hope that it will be useful, but
13 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
14 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
15 * for more details.
16 */
17
18 #include "pubkey_authenticator.h"
19
20 #include <daemon.h>
21 #include <encoding/payloads/auth_payload.h>
22 #include <sa/ikev2/keymat_v2.h>
23 #include <asn1/asn1.h>
24 #include <asn1/oid.h>
25 #include <collections/array.h>
26
27 typedef struct private_pubkey_authenticator_t private_pubkey_authenticator_t;
28
29 /**
30 * Private data of an pubkey_authenticator_t object.
31 */
32 struct private_pubkey_authenticator_t {
33
34 /**
35 * Public authenticator_t interface.
36 */
37 pubkey_authenticator_t public;
38
39 /**
40 * Assigned IKE_SA
41 */
42 ike_sa_t *ike_sa;
43
44 /**
45 * nonce to include in AUTH calculation
46 */
47 chunk_t nonce;
48
49 /**
50 * IKE_SA_INIT message data to include in AUTH calculation
51 */
52 chunk_t ike_sa_init;
53
54 /**
55 * Reserved bytes of ID payload
56 */
57 char reserved[3];
58
59 /**
60 * Whether to store signature schemes on remote auth configs.
61 */
62 bool store_signature_scheme;
63 };
64
65 /**
66 * Parse authentication data used for Signature Authentication as per RFC 7427
67 */
68 static bool parse_signature_auth_data(chunk_t *auth_data, key_type_t *key_type,
69 signature_scheme_t *scheme)
70 {
71 u_int8_t len;
72 int oid;
73
74 if (!auth_data->len)
75 {
76 return FALSE;
77 }
78 len = auth_data->ptr[0];
79 *auth_data = chunk_skip(*auth_data, 1);
80 /* we currently don't support schemes that require parameters */
81 oid = asn1_parse_algorithmIdentifier(*auth_data, 1, NULL);
82 *scheme = signature_scheme_from_oid(oid);
83 if (*scheme == SIGN_UNKNOWN)
84 {
85 return FALSE;
86 }
87 *key_type = key_type_from_signature_scheme(*scheme);
88 *auth_data = chunk_skip(*auth_data, len);
89 return TRUE;
90 }
91
92 /**
93 * Build authentication data used for Signature Authentication as per RFC 7427
94 */
95 static bool build_signature_auth_data(chunk_t *auth_data,
96 signature_scheme_t scheme)
97 {
98 chunk_t data;
99 u_int8_t len;
100 int oid;
101
102 oid = signature_scheme_to_oid(scheme);
103 if (oid == OID_UNKNOWN)
104 {
105 return FALSE;
106 }
107 data = asn1_algorithmIdentifier(oid);
108 len = data.len;
109 *auth_data = chunk_cat("cmm", chunk_from_thing(len), data, *auth_data);
110 return TRUE;
111 }
112
113 /**
114 * Selects possible signature schemes based on our configuration, the other
115 * peer's capabilities and the private key
116 */
117 static array_t *select_signature_schemes(keymat_v2_t *keymat,
118 auth_cfg_t *auth, private_key_t *private)
119 {
120 enumerator_t *enumerator;
121 signature_scheme_t scheme;
122 uintptr_t config;
123 auth_rule_t rule;
124 key_type_t key_type;
125 bool have_config = FALSE;
126 array_t *selected;
127
128 selected = array_create(sizeof(signature_scheme_t), 0);
129 key_type = private->get_type(private);
130 enumerator = auth->create_enumerator(auth);
131 while (enumerator->enumerate(enumerator, &rule, &config))
132 {
133 if (rule != AUTH_RULE_SIGNATURE_SCHEME)
134 {
135 continue;
136 }
137 have_config = TRUE;
138 if (key_type == key_type_from_signature_scheme(config) &&
139 keymat->hash_algorithm_supported(keymat,
140 hasher_from_signature_scheme(config)))
141 {
142 scheme = config;
143 array_insert(selected, ARRAY_TAIL, &scheme);
144 }
145 }
146 enumerator->destroy(enumerator);
147
148 if (!have_config)
149 {
150 /* if no specific configuration, find schemes appropriate for the key
151 * and supported by the other peer */
152 enumerator = signature_schemes_for_key(key_type,
153 private->get_keysize(private));
154 while (enumerator->enumerate(enumerator, &scheme))
155 {
156 if (keymat->hash_algorithm_supported(keymat,
157 hasher_from_signature_scheme(scheme)))
158 {
159 array_insert(selected, ARRAY_TAIL, &scheme);
160 }
161 }
162 enumerator->destroy(enumerator);
163
164 /* for RSA we tried at least SHA-512, also try other schemes down to
165 * what we'd use with classic authentication */
166 if (key_type == KEY_RSA)
167 {
168 signature_scheme_t schemes[] = {
169 SIGN_RSA_EMSA_PKCS1_SHA384,
170 SIGN_RSA_EMSA_PKCS1_SHA256,
171 SIGN_RSA_EMSA_PKCS1_SHA1,
172 }, contained;
173 bool found;
174 int i, j;
175
176 for (i = 0; i < countof(schemes); i++)
177 {
178 scheme = schemes[i];
179 found = FALSE;
180 for (j = 0; j < array_count(selected); j++)
181 {
182 array_get(selected, j, &contained);
183 if (scheme == contained)
184 {
185 found = TRUE;
186 break;
187 }
188 }
189 if (!found && keymat->hash_algorithm_supported(keymat,
190 hasher_from_signature_scheme(scheme)))
191 {
192 array_insert(selected, ARRAY_TAIL, &scheme);
193 }
194 }
195 }
196 }
197 return selected;
198 }
199
200 METHOD(authenticator_t, build, status_t,
201 private_pubkey_authenticator_t *this, message_t *message)
202 {
203 enumerator_t *enumerator;
204 chunk_t octets = chunk_empty, auth_data;
205 status_t status = FAILED;
206 private_key_t *private;
207 identification_t *id;
208 auth_cfg_t *auth;
209 auth_payload_t *auth_payload;
210 auth_method_t auth_method;
211 signature_scheme_t scheme = SIGN_UNKNOWN, *schemep;
212 keymat_v2_t *keymat;
213 array_t *schemes;
214
215 id = this->ike_sa->get_my_id(this->ike_sa);
216 auth = this->ike_sa->get_auth_cfg(this->ike_sa, TRUE);
217 private = lib->credmgr->get_private(lib->credmgr, KEY_ANY, id, auth);
218 if (private == NULL)
219 {
220 DBG1(DBG_IKE, "no private key found for '%Y'", id);
221 return NOT_FOUND;
222 }
223 keymat = (keymat_v2_t*)this->ike_sa->get_keymat(this->ike_sa);
224
225 if (this->ike_sa->supports_extension(this->ike_sa, EXT_SIGNATURE_AUTH))
226 {
227 schemes = select_signature_schemes(keymat, auth, private);
228 if (!array_count(schemes))
229 {
230 DBG1(DBG_IKE, "no common hash algorithm found to create signature "
231 "with %N key", key_type_names, private->get_type(private));
232 array_destroy(schemes);
233 return status;
234 }
235 auth_method = AUTH_DS;
236 if (keymat->get_auth_octets(keymat, FALSE, this->ike_sa_init,
237 this->nonce, id, this->reserved, &octets))
238 {
239 enumerator = array_create_enumerator(schemes);
240 while (enumerator->enumerate(enumerator, &schemep))
241 {
242 scheme = *schemep;
243 if (private->sign(private, scheme, octets, &auth_data) &&
244 build_signature_auth_data(&auth_data, scheme))
245 {
246 status = SUCCESS;
247 break;
248 }
249 else
250 {
251 DBG2(DBG_IKE, "unable to create %N signature for %N key",
252 signature_scheme_names, scheme, key_type_names,
253 private->get_type(private));
254 }
255 }
256 enumerator->destroy(enumerator);
257 }
258 array_destroy(schemes);
259 }
260 else
261 {
262 switch (private->get_type(private))
263 {
264 case KEY_RSA:
265 scheme = SIGN_RSA_EMSA_PKCS1_SHA1;
266 auth_method = AUTH_RSA;
267 break;
268 case KEY_ECDSA:
269 /* deduct the signature scheme from the keysize */
270 switch (private->get_keysize(private))
271 {
272 case 256:
273 scheme = SIGN_ECDSA_256;
274 auth_method = AUTH_ECDSA_256;
275 break;
276 case 384:
277 scheme = SIGN_ECDSA_384;
278 auth_method = AUTH_ECDSA_384;
279 break;
280 case 521:
281 scheme = SIGN_ECDSA_521;
282 auth_method = AUTH_ECDSA_521;
283 break;
284 default:
285 DBG1(DBG_IKE, "%d bit ECDSA private key size not "
286 "supported", private->get_keysize(private));
287 return status;
288 }
289 break;
290 default:
291 DBG1(DBG_IKE, "private key of type %N not supported",
292 key_type_names, private->get_type(private));
293 return status;
294 }
295 if (keymat->get_auth_octets(keymat, FALSE, this->ike_sa_init,
296 this->nonce, id, this->reserved, &octets) &&
297 private->sign(private, scheme, octets, &auth_data))
298 {
299 status = SUCCESS;
300 }
301 }
302 if (status == SUCCESS)
303 {
304 auth_payload = auth_payload_create();
305 auth_payload->set_auth_method(auth_payload, auth_method);
306 auth_payload->set_data(auth_payload, auth_data);
307 chunk_free(&auth_data);
308 message->add_payload(message, (payload_t*)auth_payload);
309 }
310 DBG1(DBG_IKE, "authentication of '%Y' (myself) with %N %s", id,
311 auth_method == AUTH_DS ? signature_scheme_names : auth_method_names,
312 auth_method == AUTH_DS ? scheme : auth_method,
313 status == SUCCESS ? "successful" : "failed");
314 chunk_free(&octets);
315 private->destroy(private);
316
317 return status;
318 }
319
320 METHOD(authenticator_t, process, status_t,
321 private_pubkey_authenticator_t *this, message_t *message)
322 {
323 public_key_t *public;
324 auth_method_t auth_method;
325 auth_payload_t *auth_payload;
326 chunk_t auth_data, octets;
327 identification_t *id;
328 auth_cfg_t *auth, *current_auth;
329 enumerator_t *enumerator;
330 key_type_t key_type = KEY_ECDSA;
331 signature_scheme_t scheme;
332 status_t status = NOT_FOUND;
333 keymat_v2_t *keymat;
334
335 auth_payload = (auth_payload_t*)message->get_payload(message, PLV2_AUTH);
336 if (!auth_payload)
337 {
338 return FAILED;
339 }
340 auth_method = auth_payload->get_auth_method(auth_payload);
341 auth_data = auth_payload->get_data(auth_payload);
342 switch (auth_method)
343 {
344 case AUTH_RSA:
345 key_type = KEY_RSA;
346 scheme = SIGN_RSA_EMSA_PKCS1_SHA1;
347 break;
348 case AUTH_ECDSA_256:
349 scheme = SIGN_ECDSA_256;
350 break;
351 case AUTH_ECDSA_384:
352 scheme = SIGN_ECDSA_384;
353 break;
354 case AUTH_ECDSA_521:
355 scheme = SIGN_ECDSA_521;
356 break;
357 case AUTH_DS:
358 if (parse_signature_auth_data(&auth_data, &key_type, &scheme))
359 {
360 break;
361 }
362 /* fall-through */
363 default:
364 return INVALID_ARG;
365 }
366 id = this->ike_sa->get_other_id(this->ike_sa);
367 keymat = (keymat_v2_t*)this->ike_sa->get_keymat(this->ike_sa);
368 if (!keymat->get_auth_octets(keymat, TRUE, this->ike_sa_init,
369 this->nonce, id, this->reserved, &octets))
370 {
371 return FAILED;
372 }
373 auth = this->ike_sa->get_auth_cfg(this->ike_sa, FALSE);
374 enumerator = lib->credmgr->create_public_enumerator(lib->credmgr,
375 key_type, id, auth);
376 while (enumerator->enumerate(enumerator, &public, &current_auth))
377 {
378 if (public->verify(public, scheme, octets, auth_data))
379 {
380 DBG1(DBG_IKE, "authentication of '%Y' with %N successful", id,
381 auth_method == AUTH_DS ? signature_scheme_names : auth_method_names,
382 auth_method == AUTH_DS ? scheme : auth_method);
383 status = SUCCESS;
384 auth->merge(auth, current_auth, FALSE);
385 auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PUBKEY);
386 if (this->store_signature_scheme)
387 {
388 auth->add(auth, AUTH_RULE_SIGNATURE_SCHEME, (uintptr_t)scheme);
389 }
390 break;
391 }
392 else
393 {
394 status = FAILED;
395 DBG1(DBG_IKE, "signature validation failed, looking for another key");
396 }
397 }
398 enumerator->destroy(enumerator);
399 chunk_free(&octets);
400 if (status == NOT_FOUND)
401 {
402 DBG1(DBG_IKE, "no trusted %N public key found for '%Y'",
403 key_type_names, key_type, id);
404 }
405 return status;
406 }
407
408 METHOD(authenticator_t, destroy, void,
409 private_pubkey_authenticator_t *this)
410 {
411 free(this);
412 }
413
414 /*
415 * Described in header.
416 */
417 pubkey_authenticator_t *pubkey_authenticator_create_builder(ike_sa_t *ike_sa,
418 chunk_t received_nonce, chunk_t sent_init,
419 char reserved[3])
420 {
421 private_pubkey_authenticator_t *this;
422
423 INIT(this,
424 .public = {
425 .authenticator = {
426 .build = _build,
427 .process = (void*)return_failed,
428 .is_mutual = (void*)return_false,
429 .destroy = _destroy,
430 },
431 },
432 .ike_sa = ike_sa,
433 .ike_sa_init = sent_init,
434 .nonce = received_nonce,
435 );
436 memcpy(this->reserved, reserved, sizeof(this->reserved));
437
438 return &this->public;
439 }
440
441 /*
442 * Described in header.
443 */
444 pubkey_authenticator_t *pubkey_authenticator_create_verifier(ike_sa_t *ike_sa,
445 chunk_t sent_nonce, chunk_t received_init,
446 char reserved[3])
447 {
448 private_pubkey_authenticator_t *this;
449
450 INIT(this,
451 .public = {
452 .authenticator = {
453 .build = (void*)return_failed,
454 .process = _process,
455 .is_mutual = (void*)return_false,
456 .destroy = _destroy,
457 },
458 },
459 .ike_sa = ike_sa,
460 .ike_sa_init = received_init,
461 .nonce = sent_nonce,
462 .store_signature_scheme = lib->settings->get_bool(lib->settings,
463 "%s.signature_authentication_constraints", TRUE, lib->ns),
464 );
465 memcpy(this->reserved, reserved, sizeof(this->reserved));
466
467 return &this->public;
468 }