gmp: Support of SHA-3 RSA signatures
[strongswan.git] / src / libcharon / sa / ikev2 / authenticators / pubkey_authenticator.c
index 179be39..592f497 100644 (file)
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2008 Tobias Brunner
+ * Copyright (C) 2008-2015 Tobias Brunner
  * Copyright (C) 2005-2009 Martin Willi
  * Copyright (C) 2005 Jan Hutter
  * Hochschule fuer Technik Rapperswil
@@ -20,6 +20,9 @@
 #include <daemon.h>
 #include <encoding/payloads/auth_payload.h>
 #include <sa/ikev2/keymat_v2.h>
+#include <asn1/asn1.h>
+#include <asn1/oid.h>
+#include <collections/array.h>
 
 typedef struct private_pubkey_authenticator_t private_pubkey_authenticator_t;
 
@@ -54,81 +57,296 @@ struct private_pubkey_authenticator_t {
        char reserved[3];
 };
 
-METHOD(authenticator_t, build, status_t,
-       private_pubkey_authenticator_t *this, message_t *message)
+/**
+ * Parse authentication data used for Signature Authentication as per RFC 7427
+ */
+static bool parse_signature_auth_data(chunk_t *auth_data, key_type_t *key_type,
+                                                                         signature_scheme_t *scheme)
 {
-       chunk_t octets, auth_data;
-       status_t status = FAILED;
-       private_key_t *private;
-       identification_t *id;
-       auth_cfg_t *auth;
-       auth_payload_t *auth_payload;
-       auth_method_t auth_method;
+       uint8_t len;
+       int oid;
+
+       if (!auth_data->len)
+       {
+               return FALSE;
+       }
+       len = auth_data->ptr[0];
+       *auth_data = chunk_skip(*auth_data, 1);
+       /* we currently don't support schemes that require parameters */
+       oid = asn1_parse_algorithmIdentifier(*auth_data, 1, NULL);
+       *scheme = signature_scheme_from_oid(oid);
+       if (*scheme == SIGN_UNKNOWN)
+       {
+               return FALSE;
+       }
+       *key_type = key_type_from_signature_scheme(*scheme);
+       *auth_data = chunk_skip(*auth_data, len);
+       return TRUE;
+}
+
+/**
+ * Build authentication data used for Signature Authentication as per RFC 7427
+ */
+static bool build_signature_auth_data(chunk_t *auth_data,
+                                                                         signature_scheme_t scheme)
+{
+       chunk_t data;
+       uint8_t len;
+       int oid;
+
+       oid = signature_scheme_to_oid(scheme);
+       if (oid == OID_UNKNOWN)
+       {
+               return FALSE;
+       }
+       data = asn1_algorithmIdentifier(oid);
+       len = data.len;
+       *auth_data = chunk_cat("cmm", chunk_from_thing(len), data, *auth_data);
+       return TRUE;
+}
+
+/**
+ * Selects possible signature schemes based on our configuration, the other
+ * peer's capabilities and the private key
+ */
+static array_t *select_signature_schemes(keymat_v2_t *keymat,
+                                                                       auth_cfg_t *auth, private_key_t *private)
+{
+       enumerator_t *enumerator;
        signature_scheme_t scheme;
+       uintptr_t config;
+       auth_rule_t rule;
+       key_type_t key_type;
+       bool have_config = FALSE;
+       array_t *selected;
+
+       selected = array_create(sizeof(signature_scheme_t), 0);
+       key_type = private->get_type(private);
+       enumerator = auth->create_enumerator(auth);
+       while (enumerator->enumerate(enumerator, &rule, &config))
+       {
+               if (rule != AUTH_RULE_IKE_SIGNATURE_SCHEME)
+               {
+                       continue;
+               }
+               have_config = TRUE;
+               if (key_type == key_type_from_signature_scheme(config) &&
+                       keymat->hash_algorithm_supported(keymat,
+                                                                               hasher_from_signature_scheme(config)))
+               {
+                       scheme = config;
+                       array_insert(selected, ARRAY_TAIL, &scheme);
+               }
+       }
+       enumerator->destroy(enumerator);
+
+       if (!have_config)
+       {
+               /* if no specific configuration, find schemes appropriate for the key
+                * and supported by the other peer */
+               enumerator = signature_schemes_for_key(key_type,
+                                                                                          private->get_keysize(private));
+               while (enumerator->enumerate(enumerator, &scheme))
+               {
+                       if (keymat->hash_algorithm_supported(keymat,
+                                                                               hasher_from_signature_scheme(scheme)))
+                       {
+                               array_insert(selected, ARRAY_TAIL, &scheme);
+                       }
+               }
+               enumerator->destroy(enumerator);
+
+               /* for RSA we tried at least SHA-512, also try other schemes down to
+                * what we'd use with classic authentication */
+               if (key_type == KEY_RSA)
+               {
+                       signature_scheme_t schemes[] = {
+                               SIGN_RSA_EMSA_PKCS1_SHA2_384,
+                               SIGN_RSA_EMSA_PKCS1_SHA2_256,
+                               SIGN_RSA_EMSA_PKCS1_SHA1,
+                       }, contained;
+                       bool found;
+                       int i, j;
+
+                       for (i = 0; i < countof(schemes); i++)
+                       {
+                               scheme = schemes[i];
+                               found = FALSE;
+                               for (j = 0; j < array_count(selected); j++)
+                               {
+                                       array_get(selected, j, &contained);
+                                       if (scheme == contained)
+                                       {
+                                               found = TRUE;
+                                               break;
+                                       }
+                               }
+                               if (!found && keymat->hash_algorithm_supported(keymat,
+                                                                               hasher_from_signature_scheme(scheme)))
+                               {
+                                       array_insert(selected, ARRAY_TAIL, &scheme);
+                               }
+                       }
+               }
+       }
+       return selected;
+}
+
+/**
+ * Create a signature using RFC 7427 signature authentication
+ */
+static status_t sign_signature_auth(private_pubkey_authenticator_t *this,
+                                                       auth_cfg_t *auth, private_key_t *private,
+                                                       identification_t *id, chunk_t *auth_data)
+{
+       enumerator_t *enumerator;
        keymat_v2_t *keymat;
+       signature_scheme_t scheme = SIGN_UNKNOWN, *schemep;
+       array_t *schemes;
+       chunk_t octets = chunk_empty;
+       status_t status = FAILED;
 
-       id = this->ike_sa->get_my_id(this->ike_sa);
-       auth = this->ike_sa->get_auth_cfg(this->ike_sa, TRUE);
-       private = lib->credmgr->get_private(lib->credmgr, KEY_ANY, id, auth);
-       if (private == NULL)
+       keymat = (keymat_v2_t*)this->ike_sa->get_keymat(this->ike_sa);
+       schemes = select_signature_schemes(keymat, auth, private);
+       if (!array_count(schemes))
        {
-               DBG1(DBG_IKE, "no private key found for '%Y'", id);
-               return NOT_FOUND;
+               DBG1(DBG_IKE, "no common hash algorithm found to create signature "
+                        "with %N key", key_type_names, private->get_type(private));
+               array_destroy(schemes);
+               return FAILED;
        }
 
+       if (keymat->get_auth_octets(keymat, FALSE, this->ike_sa_init,
+                                                               this->nonce, id, this->reserved, &octets))
+       {
+               enumerator = array_create_enumerator(schemes);
+               while (enumerator->enumerate(enumerator, &schemep))
+               {
+                       scheme = *schemep;
+                       if (private->sign(private, scheme, octets, auth_data) &&
+                               build_signature_auth_data(auth_data, scheme))
+                       {
+                               status = SUCCESS;
+                               break;
+                       }
+                       else
+                       {
+                               DBG2(DBG_IKE, "unable to create %N signature for %N key",
+                                        signature_scheme_names, scheme, key_type_names,
+                                        private->get_type(private));
+                       }
+               }
+               enumerator->destroy(enumerator);
+       }
+       DBG1(DBG_IKE, "authentication of '%Y' (myself) with %N %s", id,
+                signature_scheme_names, scheme,
+                status == SUCCESS ? "successful" : "failed");
+       array_destroy(schemes);
+       chunk_free(&octets);
+       return status;
+}
+
+/**
+ * Create a classic IKEv2 signature
+ */
+static status_t sign_classic(private_pubkey_authenticator_t *this,
+                                                        auth_cfg_t *auth, private_key_t *private,
+                                                        identification_t *id, auth_method_t *auth_method,
+                                                        chunk_t *auth_data)
+{
+       signature_scheme_t scheme;
+       keymat_v2_t *keymat;
+       chunk_t octets = chunk_empty;
+       status_t status = FAILED;
+
        switch (private->get_type(private))
        {
                case KEY_RSA:
-                       /* we currently use always SHA1 for signatures,
-                        * TODO: support other hashes depending on configuration/auth */
                        scheme = SIGN_RSA_EMSA_PKCS1_SHA1;
-                       auth_method = AUTH_RSA;
+                       *auth_method = AUTH_RSA;
                        break;
                case KEY_ECDSA:
-                       /* we try to deduct the signature scheme from the keysize */
+                       /* deduct the signature scheme from the keysize */
                        switch (private->get_keysize(private))
                        {
                                case 256:
                                        scheme = SIGN_ECDSA_256;
-                                       auth_method = AUTH_ECDSA_256;
+                                       *auth_method = AUTH_ECDSA_256;
                                        break;
                                case 384:
                                        scheme = SIGN_ECDSA_384;
-                                       auth_method = AUTH_ECDSA_384;
+                                       *auth_method = AUTH_ECDSA_384;
                                        break;
                                case 521:
                                        scheme = SIGN_ECDSA_521;
-                                       auth_method = AUTH_ECDSA_521;
+                                       *auth_method = AUTH_ECDSA_521;
                                        break;
                                default:
                                        DBG1(DBG_IKE, "%d bit ECDSA private key size not supported",
-                                                       private->get_keysize(private));
-                                       return status;
+                                                private->get_keysize(private));
+                                       return FAILED;
                        }
                        break;
                default:
                        DBG1(DBG_IKE, "private key of type %N not supported",
-                                       key_type_names, private->get_type(private));
-                       return status;
+                                key_type_names, private->get_type(private));
+                       return FAILED;
        }
+
        keymat = (keymat_v2_t*)this->ike_sa->get_keymat(this->ike_sa);
-       octets = keymat->get_auth_octets(keymat, FALSE, this->ike_sa_init,
-                                                                        this->nonce, id, this->reserved);
-       if (private->sign(private, scheme, octets, &auth_data))
+       if (keymat->get_auth_octets(keymat, FALSE, this->ike_sa_init,
+                                                               this->nonce, id, this->reserved, &octets) &&
+               private->sign(private, scheme, octets, auth_data))
        {
-               auth_payload = auth_payload_create();
-               auth_payload->set_auth_method(auth_payload, auth_method);
-               auth_payload->set_data(auth_payload, auth_data);
-               chunk_free(&auth_data);
-               message->add_payload(message, (payload_t*)auth_payload);
                status = SUCCESS;
        }
        DBG1(DBG_IKE, "authentication of '%Y' (myself) with %N %s", id,
-                auth_method_names, auth_method,
-                (status == SUCCESS)? "successful":"failed");
+                auth_method_names, *auth_method,
+                status == SUCCESS ? "successful" : "failed");
        chunk_free(&octets);
+       return status;
+}
+
+METHOD(authenticator_t, build, status_t,
+       private_pubkey_authenticator_t *this, message_t *message)
+{
+       private_key_t *private;
+       identification_t *id;
+       auth_cfg_t *auth;
+       chunk_t auth_data;
+       status_t status;
+       auth_payload_t *auth_payload;
+       auth_method_t auth_method = AUTH_NONE;
+
+       id = this->ike_sa->get_my_id(this->ike_sa);
+       auth = this->ike_sa->get_auth_cfg(this->ike_sa, TRUE);
+       private = lib->credmgr->get_private(lib->credmgr, KEY_ANY, id, auth);
+       if (!private)
+       {
+               DBG1(DBG_IKE, "no private key found for '%Y'", id);
+               return NOT_FOUND;
+       }
+
+       if (this->ike_sa->supports_extension(this->ike_sa, EXT_SIGNATURE_AUTH))
+       {
+               auth_method = AUTH_DS;
+               status = sign_signature_auth(this, auth, private, id, &auth_data);
+       }
+       else
+       {
+               status = sign_classic(this, auth, private, id, &auth_method,
+                                                         &auth_data);
+       }
        private->destroy(private);
 
+       if (status == SUCCESS)
+       {
+               auth_payload = auth_payload_create();
+               auth_payload->set_auth_method(auth_payload, auth_method);
+               auth_payload->set_data(auth_payload, auth_data);
+               chunk_free(&auth_data);
+               message->add_payload(message, (payload_t*)auth_payload);
+       }
        return status;
 }
 
@@ -146,18 +364,19 @@ METHOD(authenticator_t, process, status_t,
        signature_scheme_t scheme;
        status_t status = NOT_FOUND;
        keymat_v2_t *keymat;
+       const char *reason = "unsupported";
+       bool online;
 
-       auth_payload = (auth_payload_t*)message->get_payload(message, AUTHENTICATION);
+       auth_payload = (auth_payload_t*)message->get_payload(message, PLV2_AUTH);
        if (!auth_payload)
        {
                return FAILED;
        }
        auth_method = auth_payload->get_auth_method(auth_payload);
+       auth_data = auth_payload->get_data(auth_payload);
        switch (auth_method)
        {
                case AUTH_RSA:
-                       /* We currently accept SHA1 signatures only
-                        * TODO: allow other hash algorithms and note it in "auth" */
                        key_type = KEY_RSA;
                        scheme = SIGN_RSA_EMSA_PKCS1_SHA1;
                        break;
@@ -170,26 +389,45 @@ METHOD(authenticator_t, process, status_t,
                case AUTH_ECDSA_521:
                        scheme = SIGN_ECDSA_521;
                        break;
+               case AUTH_DS:
+                       if (parse_signature_auth_data(&auth_data, &key_type, &scheme))
+                       {
+                               break;
+                       }
+                       reason = "payload invalid";
+                       /* fall-through */
                default:
+                       DBG1(DBG_IKE, "%N authentication %s", auth_method_names,
+                                auth_method, reason);
                        return INVALID_ARG;
        }
-       auth_data = auth_payload->get_data(auth_payload);
        id = this->ike_sa->get_other_id(this->ike_sa);
        keymat = (keymat_v2_t*)this->ike_sa->get_keymat(this->ike_sa);
-       octets = keymat->get_auth_octets(keymat, TRUE, this->ike_sa_init,
-                                                                        this->nonce, id, this->reserved);
+       if (!keymat->get_auth_octets(keymat, TRUE, this->ike_sa_init,
+                                                                this->nonce, id, this->reserved, &octets))
+       {
+               return FAILED;
+       }
        auth = this->ike_sa->get_auth_cfg(this->ike_sa, FALSE);
+       online = !this->ike_sa->has_condition(this->ike_sa,
+                                                                                 COND_ONLINE_VALIDATION_SUSPENDED);
        enumerator = lib->credmgr->create_public_enumerator(lib->credmgr,
-                                                                                                               key_type, id, auth);
+                                                                                                       key_type, id, auth, online);
        while (enumerator->enumerate(enumerator, &public, &current_auth))
        {
                if (public->verify(public, scheme, octets, auth_data))
                {
-                       DBG1(DBG_IKE, "authentication of '%Y' with %N successful",
-                                                  id, auth_method_names, auth_method);
+                       DBG1(DBG_IKE, "authentication of '%Y' with %N successful", id,
+                                auth_method == AUTH_DS ? signature_scheme_names : auth_method_names,
+                                auth_method == AUTH_DS ? scheme : auth_method);
                        status = SUCCESS;
                        auth->merge(auth, current_auth, FALSE);
                        auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PUBKEY);
+                       auth->add(auth, AUTH_RULE_IKE_SIGNATURE_SCHEME, (uintptr_t)scheme);
+                       if (!online)
+                       {
+                               auth->add(auth, AUTH_RULE_CERT_VALIDATION_SUSPENDED, TRUE);
+                       }
                        break;
                }
                else