Annotation of embedaddon/strongswan/src/libcharon/sa/ikev2/authenticators/pubkey_authenticator.c, revision 1.1.1.1
1.1 misho 1: /*
2: * Copyright (C) 2008-2018 Tobias Brunner
3: * Copyright (C) 2005-2009 Martin Willi
4: * Copyright (C) 2005 Jan Hutter
5: * HSR Hochschule fuer Technik Rapperswil
6: *
7: * This program is free software; you can redistribute it and/or modify it
8: * under the terms of the GNU General Public License as published by the
9: * Free Software Foundation; either version 2 of the License, or (at your
10: * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
11: *
12: * This program is distributed in the hope that it will be useful, but
13: * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
14: * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
15: * for more details.
16: */
17:
18: #include "pubkey_authenticator.h"
19:
20: #include <daemon.h>
21: #include <encoding/payloads/auth_payload.h>
22: #include <sa/ikev2/keymat_v2.h>
23: #include <asn1/asn1.h>
24: #include <asn1/oid.h>
25: #include <collections/array.h>
26: #include <credentials/certificates/x509.h>
27:
28: typedef struct private_pubkey_authenticator_t private_pubkey_authenticator_t;
29:
30: /**
31: * Private data of an pubkey_authenticator_t object.
32: */
33: struct private_pubkey_authenticator_t {
34:
35: /**
36: * Public authenticator_t interface.
37: */
38: pubkey_authenticator_t public;
39:
40: /**
41: * Assigned IKE_SA
42: */
43: ike_sa_t *ike_sa;
44:
45: /**
46: * nonce to include in AUTH calculation
47: */
48: chunk_t nonce;
49:
50: /**
51: * IKE_SA_INIT message data to include in AUTH calculation
52: */
53: chunk_t ike_sa_init;
54:
55: /**
56: * Reserved bytes of ID payload
57: */
58: char reserved[3];
59:
60: /**
61: * PPK to use
62: */
63: chunk_t ppk;
64:
65: /**
66: * Add a NO_PPK_AUTH notify
67: */
68: bool no_ppk_auth;
69: };
70:
71: /**
72: * Parse authentication data used for Signature Authentication as per RFC 7427
73: */
74: static bool parse_signature_auth_data(chunk_t *auth_data, key_type_t *key_type,
75: signature_params_t *params)
76: {
77: uint8_t len;
78:
79: if (!auth_data->len)
80: {
81: return FALSE;
82: }
83: len = auth_data->ptr[0];
84: *auth_data = chunk_skip(*auth_data, 1);
85: if (!signature_params_parse(*auth_data, 1, params))
86: {
87: return FALSE;
88: }
89: *key_type = key_type_from_signature_scheme(params->scheme);
90: *auth_data = chunk_skip(*auth_data, len);
91: return TRUE;
92: }
93:
94: /**
95: * Build authentication data used for Signature Authentication as per RFC 7427
96: */
97: static bool build_signature_auth_data(chunk_t *auth_data,
98: signature_params_t *params)
99: {
100: chunk_t data;
101: uint8_t len;
102:
103: if (!signature_params_build(params, &data))
104: {
105: chunk_free(auth_data);
106: return FALSE;
107: }
108: len = data.len;
109: *auth_data = chunk_cat("cmm", chunk_from_thing(len), data, *auth_data);
110: return TRUE;
111: }
112:
113: /**
114: * Check if the given scheme is supported by the key and, if so, add it to the
115: * first array (we add the scheme supported by the key in case the parameters
116: * are different)
117: */
118: static void add_scheme_if_supported(array_t *selected, array_t *supported,
119: signature_params_t *config)
120: {
121: signature_params_t *sup;
122: int i;
123:
124: if (!supported)
125: {
126: array_insert(selected, ARRAY_TAIL, signature_params_clone(config));
127: return;
128: }
129:
130: for (i = 0; i < array_count(supported); i++)
131: {
132: array_get(supported, i, &sup);
133: if (signature_params_comply(sup, config))
134: {
135: array_insert(selected, ARRAY_TAIL, signature_params_clone(sup));
136: return;
137: }
138: }
139: }
140:
141: CALLBACK(destroy_scheme, void,
142: signature_params_t *params, int idx, void *user)
143: {
144: signature_params_destroy(params);
145: }
146:
147: /**
148: * Selects possible signature schemes based on our configuration, the other
149: * peer's capabilities and the private key
150: */
151: static array_t *select_signature_schemes(keymat_v2_t *keymat,
152: auth_cfg_t *auth, private_key_t *private)
153: {
154: enumerator_t *enumerator;
155: signature_scheme_t scheme;
156: signature_params_t *config;
157: auth_rule_t rule;
158: key_type_t key_type;
159: bool have_config = FALSE;
160: array_t *supported = NULL, *selected;
161:
162: selected = array_create(0, 0);
163: key_type = private->get_type(private);
164:
165: if (private->supported_signature_schemes)
166: {
167: enumerator = private->supported_signature_schemes(private);
168: while (enumerator->enumerate(enumerator, &config))
169: {
170: if (keymat->hash_algorithm_supported(keymat,
171: hasher_from_signature_scheme(config->scheme,
172: config->params)))
173: {
174: array_insert_create(&supported, ARRAY_TAIL,
175: signature_params_clone(config));
176: }
177: }
178: enumerator->destroy(enumerator);
179:
180: if (!supported)
181: {
182: return selected;
183: }
184: }
185:
186: enumerator = auth->create_enumerator(auth);
187: while (enumerator->enumerate(enumerator, &rule, &config))
188: {
189: if (rule != AUTH_RULE_IKE_SIGNATURE_SCHEME)
190: {
191: continue;
192: }
193: if (key_type == key_type_from_signature_scheme(config->scheme) &&
194: keymat->hash_algorithm_supported(keymat,
195: hasher_from_signature_scheme(config->scheme,
196: config->params)))
197: {
198: add_scheme_if_supported(selected, supported, config);
199: }
200: have_config = TRUE;
201: }
202: enumerator->destroy(enumerator);
203:
204: if (have_config)
205: {
206: array_destroy_function(supported, destroy_scheme, NULL);
207: }
208: else
209: {
210: /* if we have no config, return either whatever schemes the key (and
211: * peer) support or.. */
212: if (supported)
213: {
214: array_destroy(selected);
215: return supported;
216: }
217:
218: /* ...find schemes appropriate for the key and supported by the peer */
219: enumerator = signature_schemes_for_key(key_type,
220: private->get_keysize(private));
221: while (enumerator->enumerate(enumerator, &config))
222: {
223: if (config->scheme == SIGN_RSA_EMSA_PSS &&
224: !lib->settings->get_bool(lib->settings, "%s.rsa_pss", FALSE,
225: lib->ns))
226: {
227: continue;
228: }
229: if (keymat->hash_algorithm_supported(keymat,
230: hasher_from_signature_scheme(config->scheme,
231: config->params)))
232: {
233: array_insert(selected, ARRAY_TAIL,
234: signature_params_clone(config));
235: }
236: }
237: enumerator->destroy(enumerator);
238:
239: /* for RSA we tried at least SHA-512, also try other schemes */
240: if (key_type == KEY_RSA)
241: {
242: signature_scheme_t schemes[] = {
243: SIGN_RSA_EMSA_PKCS1_SHA2_384,
244: SIGN_RSA_EMSA_PKCS1_SHA2_256,
245: };
246: bool found;
247: int i, j;
248:
249: for (i = 0; i < countof(schemes); i++)
250: {
251: scheme = schemes[i];
252: found = FALSE;
253: for (j = 0; j < array_count(selected); j++)
254: {
255: array_get(selected, j, &config);
256: if (scheme == config->scheme)
257: {
258: found = TRUE;
259: break;
260: }
261: }
262: if (!found && keymat->hash_algorithm_supported(keymat,
263: hasher_from_signature_scheme(scheme,
264: NULL)))
265: {
266: INIT(config,
267: .scheme = scheme,
268: )
269: array_insert(selected, ARRAY_TAIL, config);
270: }
271: }
272: }
273: }
274: return selected;
275: }
276:
277: /**
278: * Adds the given auth data to the message, either in an AUTH payload or
279: * a NO_PPK_AUTH notify.
280: *
281: * The data is freed.
282: */
283: static void add_auth_to_message(message_t *message, auth_method_t method,
284: chunk_t data, bool notify)
285: {
286: auth_payload_t *auth_payload;
287:
288: if (notify)
289: {
290: message->add_notify(message, FALSE, NO_PPK_AUTH, data);
291: }
292: else
293: {
294: auth_payload = auth_payload_create();
295: auth_payload->set_auth_method(auth_payload, method);
296: auth_payload->set_data(auth_payload, data);
297: message->add_payload(message, (payload_t*)auth_payload);
298: }
299: chunk_free(&data);
300: }
301:
302: /**
303: * Create a signature using RFC 7427 signature authentication
304: */
305: static status_t sign_signature_auth(private_pubkey_authenticator_t *this,
306: auth_cfg_t *auth, private_key_t *private,
307: identification_t *id, message_t *message)
308: {
309: enumerator_t *enumerator;
310: keymat_v2_t *keymat;
311: signature_params_t *params = NULL;
312: array_t *schemes;
313: chunk_t octets = chunk_empty, auth_data;
314: status_t status = FAILED;
315:
316: keymat = (keymat_v2_t*)this->ike_sa->get_keymat(this->ike_sa);
317: schemes = select_signature_schemes(keymat, auth, private);
318: if (!array_count(schemes))
319: {
320: DBG1(DBG_IKE, "no common hash algorithm found to create signature "
321: "with %N key", key_type_names, private->get_type(private));
322: array_destroy(schemes);
323: return FAILED;
324: }
325:
326: if (keymat->get_auth_octets(keymat, FALSE, this->ike_sa_init, this->nonce,
327: this->ppk, id, this->reserved, &octets, schemes))
328: {
329: enumerator = array_create_enumerator(schemes);
330: while (enumerator->enumerate(enumerator, ¶ms))
331: {
332: if (!private->sign(private, params->scheme, params->params, octets,
333: &auth_data) ||
334: !build_signature_auth_data(&auth_data, params))
335: {
336: DBG2(DBG_IKE, "unable to create %N signature for %N key",
337: signature_scheme_names, params->scheme, key_type_names,
338: private->get_type(private));
339: continue;
340: }
341: add_auth_to_message(message, AUTH_DS, auth_data, FALSE);
342: status = SUCCESS;
343:
344: if (this->no_ppk_auth)
345: {
346: chunk_free(&octets);
347:
348: if (keymat->get_auth_octets(keymat, FALSE, this->ike_sa_init,
349: this->nonce, chunk_empty, id,
350: this->reserved, &octets, schemes) &&
351: private->sign(private, params->scheme, params->params,
352: octets, &auth_data) &&
353: build_signature_auth_data(&auth_data, params))
354: {
355: add_auth_to_message(message, AUTH_DS, auth_data, TRUE);
356: }
357: else
358: {
359: DBG2(DBG_IKE, "unable to create %N signature for %N key "
360: "without PPK", signature_scheme_names, params->scheme,
361: key_type_names, private->get_type(private));
362: status = FAILED;
363: }
364: }
365: break;
366: }
367: enumerator->destroy(enumerator);
368: }
369: if (params)
370: {
371: if (params->scheme == SIGN_RSA_EMSA_PSS)
372: {
373: rsa_pss_params_t *pss = params->params;
374: DBG1(DBG_IKE, "authentication of '%Y' (myself) with %N_%N_SALT_%zd "
375: "%s", id, signature_scheme_names, params->scheme,
376: hash_algorithm_short_names_upper, pss->hash, pss->salt_len,
377: status == SUCCESS ? "successful" : "failed");
378: }
379: else
380: {
381: DBG1(DBG_IKE, "authentication of '%Y' (myself) with %N %s", id,
382: signature_scheme_names, params->scheme,
383: status == SUCCESS ? "successful" : "failed");
384: }
385: }
386: else
387: {
388: DBG1(DBG_IKE, "authentication of '%Y' (myself) failed", id);
389: }
390: array_destroy_function(schemes, destroy_scheme, NULL);
391: chunk_free(&octets);
392: return status;
393: }
394:
395: /**
396: * Get the auth octets and the signature scheme (in case it is changed by the
397: * keymat).
398: */
399: static bool get_auth_octets_scheme(private_pubkey_authenticator_t *this,
400: bool verify, identification_t *id, chunk_t ppk,
401: chunk_t *octets, signature_params_t **scheme)
402: {
403: keymat_v2_t *keymat;
404: array_t *schemes;
405: bool success = FALSE;
406:
407: schemes = array_create(0, 0);
408: array_insert(schemes, ARRAY_TAIL, *scheme);
409:
410: keymat = (keymat_v2_t*)this->ike_sa->get_keymat(this->ike_sa);
411: if (keymat->get_auth_octets(keymat, verify, this->ike_sa_init, this->nonce,
412: ppk, id, this->reserved, octets,
413: schemes) &&
414: array_remove(schemes, 0, scheme))
415: {
416: success = TRUE;
417: }
418: else
419: {
420: *scheme = NULL;
421: }
422: array_destroy_function(schemes, destroy_scheme, NULL);
423: return success;
424: }
425:
426: /**
427: * Create a classic IKEv2 signature
428: */
429: static status_t sign_classic(private_pubkey_authenticator_t *this,
430: auth_cfg_t *auth, private_key_t *private,
431: identification_t *id, message_t *message)
432: {
433: signature_scheme_t scheme;
434: signature_params_t *params;
435: auth_method_t auth_method = AUTH_NONE;
436: chunk_t octets = chunk_empty, auth_data;
437: status_t status = FAILED;
438:
439: switch (private->get_type(private))
440: {
441: case KEY_RSA:
442: scheme = SIGN_RSA_EMSA_PKCS1_SHA1;
443: auth_method = AUTH_RSA;
444: break;
445: case KEY_ECDSA:
446: /* deduct the signature scheme from the keysize */
447: switch (private->get_keysize(private))
448: {
449: case 256:
450: scheme = SIGN_ECDSA_256;
451: auth_method = AUTH_ECDSA_256;
452: break;
453: case 384:
454: scheme = SIGN_ECDSA_384;
455: auth_method = AUTH_ECDSA_384;
456: break;
457: case 521:
458: scheme = SIGN_ECDSA_521;
459: auth_method = AUTH_ECDSA_521;
460: break;
461: default:
462: DBG1(DBG_IKE, "%d bit ECDSA private key size not supported",
463: private->get_keysize(private));
464: return FAILED;
465: }
466: break;
467: default:
468: DBG1(DBG_IKE, "private key of type %N not supported",
469: key_type_names, private->get_type(private));
470: return FAILED;
471: }
472:
473: INIT(params,
474: .scheme = scheme,
475: );
476: if (get_auth_octets_scheme(this, FALSE, id, this->ppk, &octets, ¶ms) &&
477: private->sign(private, params->scheme, NULL, octets, &auth_data))
478: {
479: add_auth_to_message(message, auth_method, auth_data, FALSE);
480: status = SUCCESS;
481:
482: if (this->no_ppk_auth)
483: {
484: chunk_free(&octets);
485: if (get_auth_octets_scheme(this, FALSE, id, chunk_empty, &octets,
486: ¶ms) &&
487: private->sign(private, params->scheme, NULL, octets,
488: &auth_data))
489: {
490: add_auth_to_message(message, auth_method, auth_data, TRUE);
491: }
492: else
493: {
494: status = FAILED;
495: }
496: }
497: }
498: if (params)
499: {
500: signature_params_destroy(params);
501: }
502: DBG1(DBG_IKE, "authentication of '%Y' (myself) with %N %s", id,
503: auth_method_names, auth_method,
504: status == SUCCESS ? "successful" : "failed");
505: chunk_free(&octets);
506: return status;
507: }
508:
509: METHOD(authenticator_t, build, status_t,
510: private_pubkey_authenticator_t *this, message_t *message)
511: {
512: private_key_t *private;
513: identification_t *id;
514: auth_cfg_t *auth;
515: status_t status;
516:
517: id = this->ike_sa->get_my_id(this->ike_sa);
518: auth = this->ike_sa->get_auth_cfg(this->ike_sa, TRUE);
519: private = lib->credmgr->get_private(lib->credmgr, KEY_ANY, id, auth);
520: if (!private)
521: {
522: DBG1(DBG_IKE, "no private key found for '%Y'", id);
523: return NOT_FOUND;
524: }
525:
526: if (this->ike_sa->supports_extension(this->ike_sa, EXT_SIGNATURE_AUTH))
527: {
528: status = sign_signature_auth(this, auth, private, id, message);
529: }
530: else
531: {
532: status = sign_classic(this, auth, private, id, message);
533: }
534: private->destroy(private);
535: return status;
536: }
537:
538: /**
539: * Check if the end-entity certificate, if any, is compliant with RFC 4945
540: */
541: static bool is_compliant_cert(auth_cfg_t *auth)
542: {
543: certificate_t *cert;
544: x509_t *x509;
545:
546: cert = auth->get(auth, AUTH_RULE_SUBJECT_CERT);
547: if (!cert || cert->get_type(cert) != CERT_X509)
548: {
549: return TRUE;
550: }
551: x509 = (x509_t*)cert;
552: if (x509->get_flags(x509) & X509_IKE_COMPLIANT)
553: {
554: return TRUE;
555: }
556: DBG1(DBG_IKE, "rejecting certificate without digitalSignature or "
557: "nonRepudiation keyUsage flags");
558: return FALSE;
559: }
560:
561: METHOD(authenticator_t, process, status_t,
562: private_pubkey_authenticator_t *this, message_t *message)
563: {
564: public_key_t *public;
565: auth_method_t auth_method;
566: auth_payload_t *auth_payload;
567: notify_payload_t *notify;
568: chunk_t auth_data, octets;
569: identification_t *id;
570: auth_cfg_t *auth, *current_auth;
571: enumerator_t *enumerator;
572: key_type_t key_type = KEY_ECDSA;
573: signature_params_t *params;
574: status_t status = NOT_FOUND;
575: const char *reason = "unsupported";
576: bool online;
577:
578: auth_payload = (auth_payload_t*)message->get_payload(message, PLV2_AUTH);
579: if (!auth_payload)
580: {
581: return FAILED;
582: }
583: auth_method = auth_payload->get_auth_method(auth_payload);
584: auth_data = auth_payload->get_data(auth_payload);
585:
586: if (this->ike_sa->supports_extension(this->ike_sa, EXT_PPK) &&
587: !this->ppk.ptr)
588: { /* look for a NO_PPK_AUTH notify if we have no PPK */
589: notify = message->get_notify(message, NO_PPK_AUTH);
590: if (notify)
591: {
592: DBG1(DBG_IKE, "no PPK available, using NO_PPK_AUTH notify");
593: auth_data = notify->get_notification_data(notify);
594: }
595: }
596:
597: INIT(params);
598: switch (auth_method)
599: {
600: case AUTH_RSA:
601: key_type = KEY_RSA;
602: params->scheme = SIGN_RSA_EMSA_PKCS1_SHA1;
603: break;
604: case AUTH_ECDSA_256:
605: params->scheme = SIGN_ECDSA_256;
606: break;
607: case AUTH_ECDSA_384:
608: params->scheme = SIGN_ECDSA_384;
609: break;
610: case AUTH_ECDSA_521:
611: params->scheme = SIGN_ECDSA_521;
612: break;
613: case AUTH_DS:
614: if (parse_signature_auth_data(&auth_data, &key_type, params))
615: {
616: break;
617: }
618: reason = "payload invalid";
619: /* fall-through */
620: default:
621: DBG1(DBG_IKE, "%N authentication %s", auth_method_names,
622: auth_method, reason);
623: signature_params_destroy(params);
624: return INVALID_ARG;
625: }
626: id = this->ike_sa->get_other_id(this->ike_sa);
627: if (!get_auth_octets_scheme(this, TRUE, id, this->ppk, &octets, ¶ms))
628: {
629: return FAILED;
630: }
631: auth = this->ike_sa->get_auth_cfg(this->ike_sa, FALSE);
632: online = !this->ike_sa->has_condition(this->ike_sa,
633: COND_ONLINE_VALIDATION_SUSPENDED);
634: enumerator = lib->credmgr->create_public_enumerator(lib->credmgr,
635: key_type, id, auth, online);
636: while (enumerator->enumerate(enumerator, &public, ¤t_auth))
637: {
638: if (public->verify(public, params->scheme, params->params, octets,
639: auth_data) &&
640: is_compliant_cert(current_auth))
641: {
642: if (auth_method != AUTH_DS)
643: {
644: DBG1(DBG_IKE, "authentication of '%Y' with %N successful", id,
645: auth_method_names, auth_method);
646: }
647: else if (params->scheme == SIGN_RSA_EMSA_PSS)
648: {
649: rsa_pss_params_t *pss = params->params;
650: DBG1(DBG_IKE, "authentication of '%Y' with %N_%N_SALT_%zd "
651: "successful", id, signature_scheme_names, params->scheme,
652: hash_algorithm_short_names_upper, pss->hash, pss->salt_len);
653: }
654: else
655: {
656: DBG1(DBG_IKE, "authentication of '%Y' with %N successful", id,
657: signature_scheme_names, params->scheme);
658: }
659: status = SUCCESS;
660: auth->merge(auth, current_auth, FALSE);
661: auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PUBKEY);
662: auth->add(auth, AUTH_RULE_IKE_SIGNATURE_SCHEME,
663: signature_params_clone(params));
664: if (!online)
665: {
666: auth->add(auth, AUTH_RULE_CERT_VALIDATION_SUSPENDED, TRUE);
667: }
668: break;
669: }
670: else
671: {
672: status = FAILED;
673: DBG1(DBG_IKE, "signature validation failed, looking for another key");
674: }
675: }
676: enumerator->destroy(enumerator);
677: chunk_free(&octets);
678: signature_params_destroy(params);
679: if (status == NOT_FOUND)
680: {
681: DBG1(DBG_IKE, "no trusted %N public key found for '%Y'",
682: key_type_names, key_type, id);
683: }
684: return status;
685: }
686:
687: METHOD(authenticator_t, use_ppk, void,
688: private_pubkey_authenticator_t *this, chunk_t ppk, bool no_ppk_auth)
689: {
690: this->ppk = ppk;
691: this->no_ppk_auth = no_ppk_auth;
692: }
693:
694: METHOD(authenticator_t, destroy, void,
695: private_pubkey_authenticator_t *this)
696: {
697: free(this);
698: }
699:
700: /*
701: * Described in header.
702: */
703: pubkey_authenticator_t *pubkey_authenticator_create_builder(ike_sa_t *ike_sa,
704: chunk_t received_nonce, chunk_t sent_init,
705: char reserved[3])
706: {
707: private_pubkey_authenticator_t *this;
708:
709: INIT(this,
710: .public = {
711: .authenticator = {
712: .build = _build,
713: .process = (void*)return_failed,
714: .use_ppk = _use_ppk,
715: .is_mutual = (void*)return_false,
716: .destroy = _destroy,
717: },
718: },
719: .ike_sa = ike_sa,
720: .ike_sa_init = sent_init,
721: .nonce = received_nonce,
722: );
723: memcpy(this->reserved, reserved, sizeof(this->reserved));
724:
725: return &this->public;
726: }
727:
728: /*
729: * Described in header.
730: */
731: pubkey_authenticator_t *pubkey_authenticator_create_verifier(ike_sa_t *ike_sa,
732: chunk_t sent_nonce, chunk_t received_init,
733: char reserved[3])
734: {
735: private_pubkey_authenticator_t *this;
736:
737: INIT(this,
738: .public = {
739: .authenticator = {
740: .build = (void*)return_failed,
741: .process = _process,
742: .use_ppk = _use_ppk,
743: .is_mutual = (void*)return_false,
744: .destroy = _destroy,
745: },
746: },
747: .ike_sa = ike_sa,
748: .ike_sa_init = received_init,
749: .nonce = sent_nonce,
750: );
751: memcpy(this->reserved, reserved, sizeof(this->reserved));
752:
753: return &this->public;
754: }
FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>