ikev2: Diversify signature scheme rule
[strongswan.git] / src / libcharon / sa / ikev2 / authenticators / pubkey_authenticator.c
1 /*
2 * Copyright (C) 2008-2015 Tobias Brunner
3 * Copyright (C) 2005-2009 Martin Willi
4 * Copyright (C) 2005 Jan Hutter
5 * Hochschule fuer Technik Rapperswil
6 *
7 * This program is free software; you can redistribute it and/or modify it
8 * under the terms of the GNU General Public License as published by the
9 * Free Software Foundation; either version 2 of the License, or (at your
10 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
11 *
12 * This program is distributed in the hope that it will be useful, but
13 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
14 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
15 * for more details.
16 */
17
18 #include "pubkey_authenticator.h"
19
20 #include <daemon.h>
21 #include <encoding/payloads/auth_payload.h>
22 #include <sa/ikev2/keymat_v2.h>
23 #include <asn1/asn1.h>
24 #include <asn1/oid.h>
25 #include <collections/array.h>
26
27 typedef struct private_pubkey_authenticator_t private_pubkey_authenticator_t;
28
29 /**
30 * Private data of an pubkey_authenticator_t object.
31 */
32 struct private_pubkey_authenticator_t {
33
34 /**
35 * Public authenticator_t interface.
36 */
37 pubkey_authenticator_t public;
38
39 /**
40 * Assigned IKE_SA
41 */
42 ike_sa_t *ike_sa;
43
44 /**
45 * nonce to include in AUTH calculation
46 */
47 chunk_t nonce;
48
49 /**
50 * IKE_SA_INIT message data to include in AUTH calculation
51 */
52 chunk_t ike_sa_init;
53
54 /**
55 * Reserved bytes of ID payload
56 */
57 char reserved[3];
58
59 /**
60 * Whether to store signature schemes on remote auth configs.
61 */
62 bool store_signature_scheme;
63 };
64
65 /**
66 * Parse authentication data used for Signature Authentication as per RFC 7427
67 */
68 static bool parse_signature_auth_data(chunk_t *auth_data, key_type_t *key_type,
69 signature_scheme_t *scheme)
70 {
71 u_int8_t len;
72 int oid;
73
74 if (!auth_data->len)
75 {
76 return FALSE;
77 }
78 len = auth_data->ptr[0];
79 *auth_data = chunk_skip(*auth_data, 1);
80 /* we currently don't support schemes that require parameters */
81 oid = asn1_parse_algorithmIdentifier(*auth_data, 1, NULL);
82 *scheme = signature_scheme_from_oid(oid);
83 if (*scheme == SIGN_UNKNOWN)
84 {
85 return FALSE;
86 }
87 *key_type = key_type_from_signature_scheme(*scheme);
88 *auth_data = chunk_skip(*auth_data, len);
89 return TRUE;
90 }
91
92 /**
93 * Build authentication data used for Signature Authentication as per RFC 7427
94 */
95 static bool build_signature_auth_data(chunk_t *auth_data,
96 signature_scheme_t scheme)
97 {
98 chunk_t data;
99 u_int8_t len;
100 int oid;
101
102 oid = signature_scheme_to_oid(scheme);
103 if (oid == OID_UNKNOWN)
104 {
105 return FALSE;
106 }
107 data = asn1_algorithmIdentifier(oid);
108 len = data.len;
109 *auth_data = chunk_cat("cmm", chunk_from_thing(len), data, *auth_data);
110 return TRUE;
111 }
112
113 /**
114 * Selects possible signature schemes based on our configuration, the other
115 * peer's capabilities and the private key
116 */
117 static array_t *select_signature_schemes(keymat_v2_t *keymat,
118 auth_cfg_t *auth, private_key_t *private)
119 {
120 enumerator_t *enumerator;
121 signature_scheme_t scheme;
122 uintptr_t config;
123 auth_rule_t rule;
124 key_type_t key_type;
125 bool have_config = FALSE;
126 array_t *selected;
127
128 selected = array_create(sizeof(signature_scheme_t), 0);
129 key_type = private->get_type(private);
130 enumerator = auth->create_enumerator(auth);
131 while (enumerator->enumerate(enumerator, &rule, &config))
132 {
133 if (rule != AUTH_RULE_IKE_SIGNATURE_SCHEME)
134 {
135 continue;
136 }
137 have_config = TRUE;
138 if (key_type == key_type_from_signature_scheme(config) &&
139 keymat->hash_algorithm_supported(keymat,
140 hasher_from_signature_scheme(config)))
141 {
142 scheme = config;
143 array_insert(selected, ARRAY_TAIL, &scheme);
144 }
145 }
146 enumerator->destroy(enumerator);
147
148 if (!have_config)
149 {
150 /* if no specific configuration, find schemes appropriate for the key
151 * and supported by the other peer */
152 enumerator = signature_schemes_for_key(key_type,
153 private->get_keysize(private));
154 while (enumerator->enumerate(enumerator, &scheme))
155 {
156 if (keymat->hash_algorithm_supported(keymat,
157 hasher_from_signature_scheme(scheme)))
158 {
159 array_insert(selected, ARRAY_TAIL, &scheme);
160 }
161 }
162 enumerator->destroy(enumerator);
163
164 /* for RSA we tried at least SHA-512, also try other schemes down to
165 * what we'd use with classic authentication */
166 if (key_type == KEY_RSA)
167 {
168 signature_scheme_t schemes[] = {
169 SIGN_RSA_EMSA_PKCS1_SHA384,
170 SIGN_RSA_EMSA_PKCS1_SHA256,
171 SIGN_RSA_EMSA_PKCS1_SHA1,
172 }, contained;
173 bool found;
174 int i, j;
175
176 for (i = 0; i < countof(schemes); i++)
177 {
178 scheme = schemes[i];
179 found = FALSE;
180 for (j = 0; j < array_count(selected); j++)
181 {
182 array_get(selected, j, &contained);
183 if (scheme == contained)
184 {
185 found = TRUE;
186 break;
187 }
188 }
189 if (!found && keymat->hash_algorithm_supported(keymat,
190 hasher_from_signature_scheme(scheme)))
191 {
192 array_insert(selected, ARRAY_TAIL, &scheme);
193 }
194 }
195 }
196 }
197 return selected;
198 }
199
200 /**
201 * Create a signature using RFC 7427 signature authentication
202 */
203 static status_t sign_signature_auth(private_pubkey_authenticator_t *this,
204 auth_cfg_t *auth, private_key_t *private,
205 identification_t *id, chunk_t *auth_data)
206 {
207 enumerator_t *enumerator;
208 keymat_v2_t *keymat;
209 signature_scheme_t scheme = SIGN_UNKNOWN, *schemep;
210 array_t *schemes;
211 chunk_t octets = chunk_empty;
212 status_t status = FAILED;
213
214 keymat = (keymat_v2_t*)this->ike_sa->get_keymat(this->ike_sa);
215 schemes = select_signature_schemes(keymat, auth, private);
216 if (!array_count(schemes))
217 {
218 DBG1(DBG_IKE, "no common hash algorithm found to create signature "
219 "with %N key", key_type_names, private->get_type(private));
220 array_destroy(schemes);
221 return FAILED;
222 }
223
224 if (keymat->get_auth_octets(keymat, FALSE, this->ike_sa_init,
225 this->nonce, id, this->reserved, &octets))
226 {
227 enumerator = array_create_enumerator(schemes);
228 while (enumerator->enumerate(enumerator, &schemep))
229 {
230 scheme = *schemep;
231 if (private->sign(private, scheme, octets, auth_data) &&
232 build_signature_auth_data(auth_data, scheme))
233 {
234 status = SUCCESS;
235 break;
236 }
237 else
238 {
239 DBG2(DBG_IKE, "unable to create %N signature for %N key",
240 signature_scheme_names, scheme, key_type_names,
241 private->get_type(private));
242 }
243 }
244 enumerator->destroy(enumerator);
245 }
246 DBG1(DBG_IKE, "authentication of '%Y' (myself) with %N %s", id,
247 signature_scheme_names, scheme,
248 status == SUCCESS ? "successful" : "failed");
249 array_destroy(schemes);
250 chunk_free(&octets);
251 return status;
252 }
253
254 /**
255 * Create a classic IKEv2 signature
256 */
257 static status_t sign_classic(private_pubkey_authenticator_t *this,
258 auth_cfg_t *auth, private_key_t *private,
259 identification_t *id, auth_method_t *auth_method,
260 chunk_t *auth_data)
261 {
262 signature_scheme_t scheme;
263 keymat_v2_t *keymat;
264 chunk_t octets = chunk_empty;
265 status_t status = FAILED;
266
267 switch (private->get_type(private))
268 {
269 case KEY_RSA:
270 scheme = SIGN_RSA_EMSA_PKCS1_SHA1;
271 *auth_method = AUTH_RSA;
272 break;
273 case KEY_ECDSA:
274 /* deduct the signature scheme from the keysize */
275 switch (private->get_keysize(private))
276 {
277 case 256:
278 scheme = SIGN_ECDSA_256;
279 *auth_method = AUTH_ECDSA_256;
280 break;
281 case 384:
282 scheme = SIGN_ECDSA_384;
283 *auth_method = AUTH_ECDSA_384;
284 break;
285 case 521:
286 scheme = SIGN_ECDSA_521;
287 *auth_method = AUTH_ECDSA_521;
288 break;
289 default:
290 DBG1(DBG_IKE, "%d bit ECDSA private key size not supported",
291 private->get_keysize(private));
292 return FAILED;
293 }
294 break;
295 default:
296 DBG1(DBG_IKE, "private key of type %N not supported",
297 key_type_names, private->get_type(private));
298 return FAILED;
299 }
300
301 keymat = (keymat_v2_t*)this->ike_sa->get_keymat(this->ike_sa);
302 if (keymat->get_auth_octets(keymat, FALSE, this->ike_sa_init,
303 this->nonce, id, this->reserved, &octets) &&
304 private->sign(private, scheme, octets, auth_data))
305 {
306 status = SUCCESS;
307 }
308 DBG1(DBG_IKE, "authentication of '%Y' (myself) with %N %s", id,
309 auth_method_names, *auth_method,
310 status == SUCCESS ? "successful" : "failed");
311 chunk_free(&octets);
312 return status;
313 }
314
315 METHOD(authenticator_t, build, status_t,
316 private_pubkey_authenticator_t *this, message_t *message)
317 {
318 private_key_t *private;
319 identification_t *id;
320 auth_cfg_t *auth;
321 chunk_t auth_data;
322 status_t status;
323 auth_payload_t *auth_payload;
324 auth_method_t auth_method = AUTH_NONE;
325
326 id = this->ike_sa->get_my_id(this->ike_sa);
327 auth = this->ike_sa->get_auth_cfg(this->ike_sa, TRUE);
328 private = lib->credmgr->get_private(lib->credmgr, KEY_ANY, id, auth);
329 if (!private)
330 {
331 DBG1(DBG_IKE, "no private key found for '%Y'", id);
332 return NOT_FOUND;
333 }
334
335 if (this->ike_sa->supports_extension(this->ike_sa, EXT_SIGNATURE_AUTH))
336 {
337 auth_method = AUTH_DS;
338 status = sign_signature_auth(this, auth, private, id, &auth_data);
339 }
340 else
341 {
342 status = sign_classic(this, auth, private, id, &auth_method,
343 &auth_data);
344 }
345 private->destroy(private);
346
347 if (status == SUCCESS)
348 {
349 auth_payload = auth_payload_create();
350 auth_payload->set_auth_method(auth_payload, auth_method);
351 auth_payload->set_data(auth_payload, auth_data);
352 chunk_free(&auth_data);
353 message->add_payload(message, (payload_t*)auth_payload);
354 }
355 return status;
356 }
357
358 METHOD(authenticator_t, process, status_t,
359 private_pubkey_authenticator_t *this, message_t *message)
360 {
361 public_key_t *public;
362 auth_method_t auth_method;
363 auth_payload_t *auth_payload;
364 chunk_t auth_data, octets;
365 identification_t *id;
366 auth_cfg_t *auth, *current_auth;
367 enumerator_t *enumerator;
368 key_type_t key_type = KEY_ECDSA;
369 signature_scheme_t scheme;
370 status_t status = NOT_FOUND;
371 keymat_v2_t *keymat;
372 const char *reason = "unsupported";
373
374 auth_payload = (auth_payload_t*)message->get_payload(message, PLV2_AUTH);
375 if (!auth_payload)
376 {
377 return FAILED;
378 }
379 auth_method = auth_payload->get_auth_method(auth_payload);
380 auth_data = auth_payload->get_data(auth_payload);
381 switch (auth_method)
382 {
383 case AUTH_RSA:
384 key_type = KEY_RSA;
385 scheme = SIGN_RSA_EMSA_PKCS1_SHA1;
386 break;
387 case AUTH_ECDSA_256:
388 scheme = SIGN_ECDSA_256;
389 break;
390 case AUTH_ECDSA_384:
391 scheme = SIGN_ECDSA_384;
392 break;
393 case AUTH_ECDSA_521:
394 scheme = SIGN_ECDSA_521;
395 break;
396 case AUTH_DS:
397 if (parse_signature_auth_data(&auth_data, &key_type, &scheme))
398 {
399 break;
400 }
401 reason = "payload invalid";
402 /* fall-through */
403 default:
404 DBG1(DBG_IKE, "%N authentication %s", auth_method_names,
405 auth_method, reason);
406 return INVALID_ARG;
407 }
408 id = this->ike_sa->get_other_id(this->ike_sa);
409 keymat = (keymat_v2_t*)this->ike_sa->get_keymat(this->ike_sa);
410 if (!keymat->get_auth_octets(keymat, TRUE, this->ike_sa_init,
411 this->nonce, id, this->reserved, &octets))
412 {
413 return FAILED;
414 }
415 auth = this->ike_sa->get_auth_cfg(this->ike_sa, FALSE);
416 enumerator = lib->credmgr->create_public_enumerator(lib->credmgr,
417 key_type, id, auth);
418 while (enumerator->enumerate(enumerator, &public, &current_auth))
419 {
420 if (public->verify(public, scheme, octets, auth_data))
421 {
422 DBG1(DBG_IKE, "authentication of '%Y' with %N successful", id,
423 auth_method == AUTH_DS ? signature_scheme_names : auth_method_names,
424 auth_method == AUTH_DS ? scheme : auth_method);
425 status = SUCCESS;
426 auth->merge(auth, current_auth, FALSE);
427 auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PUBKEY);
428 if (this->store_signature_scheme)
429 {
430 auth->add(auth, AUTH_RULE_IKE_SIGNATURE_SCHEME,
431 (uintptr_t)scheme);
432 }
433 break;
434 }
435 else
436 {
437 status = FAILED;
438 DBG1(DBG_IKE, "signature validation failed, looking for another key");
439 }
440 }
441 enumerator->destroy(enumerator);
442 chunk_free(&octets);
443 if (status == NOT_FOUND)
444 {
445 DBG1(DBG_IKE, "no trusted %N public key found for '%Y'",
446 key_type_names, key_type, id);
447 }
448 return status;
449 }
450
451 METHOD(authenticator_t, destroy, void,
452 private_pubkey_authenticator_t *this)
453 {
454 free(this);
455 }
456
457 /*
458 * Described in header.
459 */
460 pubkey_authenticator_t *pubkey_authenticator_create_builder(ike_sa_t *ike_sa,
461 chunk_t received_nonce, chunk_t sent_init,
462 char reserved[3])
463 {
464 private_pubkey_authenticator_t *this;
465
466 INIT(this,
467 .public = {
468 .authenticator = {
469 .build = _build,
470 .process = (void*)return_failed,
471 .is_mutual = (void*)return_false,
472 .destroy = _destroy,
473 },
474 },
475 .ike_sa = ike_sa,
476 .ike_sa_init = sent_init,
477 .nonce = received_nonce,
478 );
479 memcpy(this->reserved, reserved, sizeof(this->reserved));
480
481 return &this->public;
482 }
483
484 /*
485 * Described in header.
486 */
487 pubkey_authenticator_t *pubkey_authenticator_create_verifier(ike_sa_t *ike_sa,
488 chunk_t sent_nonce, chunk_t received_init,
489 char reserved[3])
490 {
491 private_pubkey_authenticator_t *this;
492
493 INIT(this,
494 .public = {
495 .authenticator = {
496 .build = (void*)return_failed,
497 .process = _process,
498 .is_mutual = (void*)return_false,
499 .destroy = _destroy,
500 },
501 },
502 .ike_sa = ike_sa,
503 .ike_sa_init = received_init,
504 .nonce = sent_nonce,
505 .store_signature_scheme = lib->settings->get_bool(lib->settings,
506 "%s.signature_authentication_constraints", TRUE, lib->ns),
507 );
508 memcpy(this->reserved, reserved, sizeof(this->reserved));
509
510 return &this->public;
511 }