gmp: Support of SHA-3 RSA signatures
[strongswan.git] / src / libcharon / sa / ikev2 / authenticators / pubkey_authenticator.c
index 965f70a..592f497 100644 (file)
@@ -22,6 +22,7 @@
 #include <sa/ikev2/keymat_v2.h>
 #include <asn1/asn1.h>
 #include <asn1/oid.h>
+#include <collections/array.h>
 
 typedef struct private_pubkey_authenticator_t private_pubkey_authenticator_t;
 
@@ -54,11 +55,6 @@ struct private_pubkey_authenticator_t {
         * Reserved bytes of ID payload
         */
        char reserved[3];
-
-       /**
-        * Whether to store signature schemes on remote auth configs.
-        */
-       bool store_signature_scheme;
 };
 
 /**
@@ -67,7 +63,7 @@ struct private_pubkey_authenticator_t {
 static bool parse_signature_auth_data(chunk_t *auth_data, key_type_t *key_type,
                                                                          signature_scheme_t *scheme)
 {
-       u_int8_t len;
+       uint8_t len;
        int oid;
 
        if (!auth_data->len)
@@ -95,7 +91,7 @@ static bool build_signature_auth_data(chunk_t *auth_data,
                                                                          signature_scheme_t scheme)
 {
        chunk_t data;
-       u_int8_t len;
+       uint8_t len;
        int oid;
 
        oid = signature_scheme_to_oid(scheme);
@@ -110,24 +106,26 @@ static bool build_signature_auth_data(chunk_t *auth_data,
 }
 
 /**
- * Select a signature scheme based on our configuration, the other peer's
- * capabilities and the private key
+ * Selects possible signature schemes based on our configuration, the other
+ * peer's capabilities and the private key
  */
-static signature_scheme_t select_signature_scheme(keymat_v2_t *keymat,
+static array_t *select_signature_schemes(keymat_v2_t *keymat,
                                                                        auth_cfg_t *auth, private_key_t *private)
 {
        enumerator_t *enumerator;
-       signature_scheme_t selected = SIGN_UNKNOWN, scheme;
+       signature_scheme_t scheme;
        uintptr_t config;
        auth_rule_t rule;
        key_type_t key_type;
        bool have_config = FALSE;
+       array_t *selected;
 
+       selected = array_create(sizeof(signature_scheme_t), 0);
        key_type = private->get_type(private);
        enumerator = auth->create_enumerator(auth);
        while (enumerator->enumerate(enumerator, &rule, &config))
        {
-               if (rule != AUTH_RULE_SIGNATURE_SCHEME)
+               if (rule != AUTH_RULE_IKE_SIGNATURE_SCHEME)
                {
                        continue;
                }
@@ -136,15 +134,15 @@ static signature_scheme_t select_signature_scheme(keymat_v2_t *keymat,
                        keymat->hash_algorithm_supported(keymat,
                                                                                hasher_from_signature_scheme(config)))
                {
-                       selected = config;
-                       break;
+                       scheme = config;
+                       array_insert(selected, ARRAY_TAIL, &scheme);
                }
        }
        enumerator->destroy(enumerator);
 
-       if (selected == SIGN_UNKNOWN && !have_config)
+       if (!have_config)
        {
-               /* if no specific configuration, find a scheme appropriate for the key
+               /* if no specific configuration, find schemes appropriate for the key
                 * and supported by the other peer */
                enumerator = signature_schemes_for_key(key_type,
                                                                                           private->get_keysize(private));
@@ -153,30 +151,40 @@ static signature_scheme_t select_signature_scheme(keymat_v2_t *keymat,
                        if (keymat->hash_algorithm_supported(keymat,
                                                                                hasher_from_signature_scheme(scheme)))
                        {
-                               selected = scheme;
-                               break;
+                               array_insert(selected, ARRAY_TAIL, &scheme);
                        }
                }
                enumerator->destroy(enumerator);
 
                /* for RSA we tried at least SHA-512, also try other schemes down to
                 * what we'd use with classic authentication */
-               if (selected == SIGN_UNKNOWN && key_type == KEY_RSA)
+               if (key_type == KEY_RSA)
                {
                        signature_scheme_t schemes[] = {
-                               SIGN_RSA_EMSA_PKCS1_SHA384,
-                               SIGN_RSA_EMSA_PKCS1_SHA256,
+                               SIGN_RSA_EMSA_PKCS1_SHA2_384,
+                               SIGN_RSA_EMSA_PKCS1_SHA2_256,
                                SIGN_RSA_EMSA_PKCS1_SHA1,
-                       };
-                       int i;
+                       }, contained;
+                       bool found;
+                       int i, j;
 
                        for (i = 0; i < countof(schemes); i++)
                        {
-                               if (keymat->hash_algorithm_supported(keymat,
-                                                                       hasher_from_signature_scheme(schemes[i])))
+                               scheme = schemes[i];
+                               found = FALSE;
+                               for (j = 0; j < array_count(selected); j++)
                                {
-                                       selected = scheme;
-                                       break;
+                                       array_get(selected, j, &contained);
+                                       if (scheme == contained)
+                                       {
+                                               found = TRUE;
+                                               break;
+                                       }
+                               }
+                               if (!found && keymat->hash_algorithm_supported(keymat,
+                                                                               hasher_from_signature_scheme(scheme)))
+                               {
+                                       array_insert(selected, ARRAY_TAIL, &scheme);
                                }
                        }
                }
@@ -184,99 +192,161 @@ static signature_scheme_t select_signature_scheme(keymat_v2_t *keymat,
        return selected;
 }
 
+/**
+ * Create a signature using RFC 7427 signature authentication
+ */
+static status_t sign_signature_auth(private_pubkey_authenticator_t *this,
+                                                       auth_cfg_t *auth, private_key_t *private,
+                                                       identification_t *id, chunk_t *auth_data)
+{
+       enumerator_t *enumerator;
+       keymat_v2_t *keymat;
+       signature_scheme_t scheme = SIGN_UNKNOWN, *schemep;
+       array_t *schemes;
+       chunk_t octets = chunk_empty;
+       status_t status = FAILED;
+
+       keymat = (keymat_v2_t*)this->ike_sa->get_keymat(this->ike_sa);
+       schemes = select_signature_schemes(keymat, auth, private);
+       if (!array_count(schemes))
+       {
+               DBG1(DBG_IKE, "no common hash algorithm found to create signature "
+                        "with %N key", key_type_names, private->get_type(private));
+               array_destroy(schemes);
+               return FAILED;
+       }
+
+       if (keymat->get_auth_octets(keymat, FALSE, this->ike_sa_init,
+                                                               this->nonce, id, this->reserved, &octets))
+       {
+               enumerator = array_create_enumerator(schemes);
+               while (enumerator->enumerate(enumerator, &schemep))
+               {
+                       scheme = *schemep;
+                       if (private->sign(private, scheme, octets, auth_data) &&
+                               build_signature_auth_data(auth_data, scheme))
+                       {
+                               status = SUCCESS;
+                               break;
+                       }
+                       else
+                       {
+                               DBG2(DBG_IKE, "unable to create %N signature for %N key",
+                                        signature_scheme_names, scheme, key_type_names,
+                                        private->get_type(private));
+                       }
+               }
+               enumerator->destroy(enumerator);
+       }
+       DBG1(DBG_IKE, "authentication of '%Y' (myself) with %N %s", id,
+                signature_scheme_names, scheme,
+                status == SUCCESS ? "successful" : "failed");
+       array_destroy(schemes);
+       chunk_free(&octets);
+       return status;
+}
+
+/**
+ * Create a classic IKEv2 signature
+ */
+static status_t sign_classic(private_pubkey_authenticator_t *this,
+                                                        auth_cfg_t *auth, private_key_t *private,
+                                                        identification_t *id, auth_method_t *auth_method,
+                                                        chunk_t *auth_data)
+{
+       signature_scheme_t scheme;
+       keymat_v2_t *keymat;
+       chunk_t octets = chunk_empty;
+       status_t status = FAILED;
+
+       switch (private->get_type(private))
+       {
+               case KEY_RSA:
+                       scheme = SIGN_RSA_EMSA_PKCS1_SHA1;
+                       *auth_method = AUTH_RSA;
+                       break;
+               case KEY_ECDSA:
+                       /* deduct the signature scheme from the keysize */
+                       switch (private->get_keysize(private))
+                       {
+                               case 256:
+                                       scheme = SIGN_ECDSA_256;
+                                       *auth_method = AUTH_ECDSA_256;
+                                       break;
+                               case 384:
+                                       scheme = SIGN_ECDSA_384;
+                                       *auth_method = AUTH_ECDSA_384;
+                                       break;
+                               case 521:
+                                       scheme = SIGN_ECDSA_521;
+                                       *auth_method = AUTH_ECDSA_521;
+                                       break;
+                               default:
+                                       DBG1(DBG_IKE, "%d bit ECDSA private key size not supported",
+                                                private->get_keysize(private));
+                                       return FAILED;
+                       }
+                       break;
+               default:
+                       DBG1(DBG_IKE, "private key of type %N not supported",
+                                key_type_names, private->get_type(private));
+                       return FAILED;
+       }
+
+       keymat = (keymat_v2_t*)this->ike_sa->get_keymat(this->ike_sa);
+       if (keymat->get_auth_octets(keymat, FALSE, this->ike_sa_init,
+                                                               this->nonce, id, this->reserved, &octets) &&
+               private->sign(private, scheme, octets, auth_data))
+       {
+               status = SUCCESS;
+       }
+       DBG1(DBG_IKE, "authentication of '%Y' (myself) with %N %s", id,
+                auth_method_names, *auth_method,
+                status == SUCCESS ? "successful" : "failed");
+       chunk_free(&octets);
+       return status;
+}
+
 METHOD(authenticator_t, build, status_t,
        private_pubkey_authenticator_t *this, message_t *message)
 {
-       chunk_t octets = chunk_empty, auth_data;
-       status_t status = FAILED;
        private_key_t *private;
        identification_t *id;
        auth_cfg_t *auth;
+       chunk_t auth_data;
+       status_t status;
        auth_payload_t *auth_payload;
-       auth_method_t auth_method;
-       signature_scheme_t scheme = SIGN_UNKNOWN;
-       keymat_v2_t *keymat;
+       auth_method_t auth_method = AUTH_NONE;
 
        id = this->ike_sa->get_my_id(this->ike_sa);
        auth = this->ike_sa->get_auth_cfg(this->ike_sa, TRUE);
        private = lib->credmgr->get_private(lib->credmgr, KEY_ANY, id, auth);
-       if (private == NULL)
+       if (!private)
        {
                DBG1(DBG_IKE, "no private key found for '%Y'", id);
                return NOT_FOUND;
        }
-       keymat = (keymat_v2_t*)this->ike_sa->get_keymat(this->ike_sa);
 
        if (this->ike_sa->supports_extension(this->ike_sa, EXT_SIGNATURE_AUTH))
        {
-               scheme = select_signature_scheme(keymat, auth, private);
                auth_method = AUTH_DS;
-               if (scheme == SIGN_UNKNOWN)
-               {
-                       DBG1(DBG_IKE, "no common hash algorithm found to create signature "
-                                "with %N key", key_type_names, private->get_type(private));
-                       return status;
-               }
+               status = sign_signature_auth(this, auth, private, id, &auth_data);
        }
        else
        {
-               switch (private->get_type(private))
-               {
-                       case KEY_RSA:
-                               scheme = SIGN_RSA_EMSA_PKCS1_SHA1;
-                               auth_method = AUTH_RSA;
-                               break;
-                       case KEY_ECDSA:
-                               /* deduct the signature scheme from the keysize */
-                               switch (private->get_keysize(private))
-                               {
-                                       case 256:
-                                               scheme = SIGN_ECDSA_256;
-                                               auth_method = AUTH_ECDSA_256;
-                                               break;
-                                       case 384:
-                                               scheme = SIGN_ECDSA_384;
-                                               auth_method = AUTH_ECDSA_384;
-                                               break;
-                                       case 521:
-                                               scheme = SIGN_ECDSA_521;
-                                               auth_method = AUTH_ECDSA_521;
-                                               break;
-                                       default:
-                                               DBG1(DBG_IKE, "%d bit ECDSA private key size not "
-                                                        "supported", private->get_keysize(private));
-                                               return status;
-                               }
-                               break;
-                       default:
-                               DBG1(DBG_IKE, "private key of type %N not supported",
-                                        key_type_names, private->get_type(private));
-                               return status;
-               }
+               status = sign_classic(this, auth, private, id, &auth_method,
+                                                         &auth_data);
        }
+       private->destroy(private);
 
-       if (keymat->get_auth_octets(keymat, FALSE, this->ike_sa_init,
-                                                               this->nonce, id, this->reserved, &octets) &&
-               private->sign(private, scheme, octets, &auth_data))
+       if (status == SUCCESS)
        {
-               if (auth_method != AUTH_DS ||
-                       build_signature_auth_data(&auth_data, scheme))
-               {
-                       auth_payload = auth_payload_create();
-                       auth_payload->set_auth_method(auth_payload, auth_method);
-                       auth_payload->set_data(auth_payload, auth_data);
-                       chunk_free(&auth_data);
-                       message->add_payload(message, (payload_t*)auth_payload);
-                       status = SUCCESS;
-               }
+               auth_payload = auth_payload_create();
+               auth_payload->set_auth_method(auth_payload, auth_method);
+               auth_payload->set_data(auth_payload, auth_data);
+               chunk_free(&auth_data);
+               message->add_payload(message, (payload_t*)auth_payload);
        }
-       DBG1(DBG_IKE, "authentication of '%Y' (myself) with %N %s", id,
-                auth_method == AUTH_DS ? signature_scheme_names : auth_method_names,
-                auth_method == AUTH_DS ? scheme : auth_method,
-                status == SUCCESS ? "successful" : "failed");
-       chunk_free(&octets);
-       private->destroy(private);
-
        return status;
 }
 
@@ -294,6 +364,8 @@ METHOD(authenticator_t, process, status_t,
        signature_scheme_t scheme;
        status_t status = NOT_FOUND;
        keymat_v2_t *keymat;
+       const char *reason = "unsupported";
+       bool online;
 
        auth_payload = (auth_payload_t*)message->get_payload(message, PLV2_AUTH);
        if (!auth_payload)
@@ -322,8 +394,11 @@ METHOD(authenticator_t, process, status_t,
                        {
                                break;
                        }
+                       reason = "payload invalid";
                        /* fall-through */
                default:
+                       DBG1(DBG_IKE, "%N authentication %s", auth_method_names,
+                                auth_method, reason);
                        return INVALID_ARG;
        }
        id = this->ike_sa->get_other_id(this->ike_sa);
@@ -334,8 +409,10 @@ METHOD(authenticator_t, process, status_t,
                return FAILED;
        }
        auth = this->ike_sa->get_auth_cfg(this->ike_sa, FALSE);
+       online = !this->ike_sa->has_condition(this->ike_sa,
+                                                                                 COND_ONLINE_VALIDATION_SUSPENDED);
        enumerator = lib->credmgr->create_public_enumerator(lib->credmgr,
-                                                                                                               key_type, id, auth);
+                                                                                                       key_type, id, auth, online);
        while (enumerator->enumerate(enumerator, &public, &current_auth))
        {
                if (public->verify(public, scheme, octets, auth_data))
@@ -346,9 +423,10 @@ METHOD(authenticator_t, process, status_t,
                        status = SUCCESS;
                        auth->merge(auth, current_auth, FALSE);
                        auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PUBKEY);
-                       if (this->store_signature_scheme)
+                       auth->add(auth, AUTH_RULE_IKE_SIGNATURE_SCHEME, (uintptr_t)scheme);
+                       if (!online)
                        {
-                               auth->add(auth, AUTH_RULE_SIGNATURE_SCHEME, (uintptr_t)scheme);
+                               auth->add(auth, AUTH_RULE_CERT_VALIDATION_SUSPENDED, TRUE);
                        }
                        break;
                }
@@ -422,8 +500,6 @@ pubkey_authenticator_t *pubkey_authenticator_create_verifier(ike_sa_t *ike_sa,
                .ike_sa = ike_sa,
                .ike_sa_init = received_init,
                .nonce = sent_nonce,
-               .store_signature_scheme = lib->settings->get_bool(lib->settings,
-                                       "%s.signature_authentication_constraints", TRUE, lib->ns),
        );
        memcpy(this->reserved, reserved, sizeof(this->reserved));