ikev2: Diversify signature scheme rule

This allows for different signature schemes for IKE authentication and
trustchain verification.

Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>

4 files changed, 72 insertions, 33 deletions

diff --git a/src/libcharon/sa/ikev2/authenticators/pubkey_authenticator.c b/src/libcharon/sa/ikev2/authenticators/pubkey_authenticator.c
index 2929033aa..64cd775ad 100644
--- a/src/libcharon/sa/ikev2/authenticators/pubkey_authenticator.c
+++ b/src/libcharon/sa/ikev2/authenticators/pubkey_authenticator.c
@@ -130,7 +130,7 @@ static array_t *select_signature_schemes(keymat_v2_t *keymat,
 	enumerator = auth->create_enumerator(auth);
 	while (enumerator->enumerate(enumerator, &rule, &config))
 	{
-		if (rule != AUTH_RULE_SIGNATURE_SCHEME)
+		if (rule != AUTH_RULE_IKE_SIGNATURE_SCHEME)
 		{
 			continue;
 		}
@@ -427,7 +427,8 @@ METHOD(authenticator_t, process, status_t,
 			auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PUBKEY);
 			if (this->store_signature_scheme)
 			{
-				auth->add(auth, AUTH_RULE_SIGNATURE_SCHEME, (uintptr_t)scheme);
+				auth->add(auth, AUTH_RULE_IKE_SIGNATURE_SCHEME,
+						 (uintptr_t)scheme);
 			}
 			break;
 		}
diff --git a/src/libcharon/sa/ikev2/tasks/ike_init.c b/src/libcharon/sa/ikev2/tasks/ike_init.c
index 5cfb51807..78579be95 100644
--- a/src/libcharon/sa/ikev2/tasks/ike_init.c
+++ b/src/libcharon/sa/ikev2/tasks/ike_init.c
@@ -171,7 +171,7 @@ static void send_supported_hash_algorithms(private_ike_init_t *this,
 			enumerator = auth->create_enumerator(auth);
 			while (enumerator->enumerate(enumerator, &rule, &config))
 			{
-				if (rule == AUTH_RULE_SIGNATURE_SCHEME)
+				if (rule == AUTH_RULE_IKE_SIGNATURE_SCHEME)
 				{
 					hash = hasher_from_signature_scheme(config);
 					if (hasher_algorithm_for_ikev2(hash))
diff --git a/src/libstrongswan/credentials/auth_cfg.c b/src/libstrongswan/credentials/auth_cfg.c
index e2047e88f..2f18cb6cd 100644
--- a/src/libstrongswan/credentials/auth_cfg.c
+++ b/src/libstrongswan/credentials/auth_cfg.c
@@ -51,6 +51,7 @@ ENUM(auth_rule_names, AUTH_RULE_IDENTITY, AUTH_HELPER_AC_CERT,
 	"RULE_ECDSA_STRENGTH",
 	"RULE_BLISS_STRENGTH",
 	"RULE_SIGNATURE_SCHEME",
+	"RULE_IKE_SIGNATURE_SCHEME",
 	"RULE_CERT_POLICY",
 	"HELPER_IM_CERT",
 	"HELPER_SUBJECT_CERT",
@@ -91,6 +92,7 @@ static inline bool is_multi_value_rule(auth_rule_t type)
 		case AUTH_RULE_IM_CERT:
 		case AUTH_RULE_CERT_POLICY:
 		case AUTH_RULE_SIGNATURE_SCHEME:
+		case AUTH_RULE_IKE_SIGNATURE_SCHEME:
 		case AUTH_HELPER_IM_CERT:
 		case AUTH_HELPER_IM_HASH_URL:
 		case AUTH_HELPER_REVOCATION_CERT:
@@ -211,6 +213,7 @@ static void init_entry(entry_t *this, auth_rule_t type, va_list args)
 		case AUTH_RULE_ECDSA_STRENGTH:
 		case AUTH_RULE_BLISS_STRENGTH:
 		case AUTH_RULE_SIGNATURE_SCHEME:
+		case AUTH_RULE_IKE_SIGNATURE_SCHEME:
 			/* integer type */
 			this->value = (void*)(uintptr_t)va_arg(args, u_int);
 			break;
@@ -260,6 +263,7 @@ static bool entry_equals(entry_t *e1, entry_t *e2)
 		case AUTH_RULE_ECDSA_STRENGTH:
 		case AUTH_RULE_BLISS_STRENGTH:
 		case AUTH_RULE_SIGNATURE_SCHEME:
+		case AUTH_RULE_IKE_SIGNATURE_SCHEME:
 		{
 			return e1->value == e2->value;
 		}
@@ -351,6 +355,7 @@ static void destroy_entry_value(entry_t *entry)
 		case AUTH_RULE_ECDSA_STRENGTH:
 		case AUTH_RULE_BLISS_STRENGTH:
 		case AUTH_RULE_SIGNATURE_SCHEME:
+		case AUTH_RULE_IKE_SIGNATURE_SCHEME:
 		case AUTH_RULE_MAX:
 			break;
 	}
@@ -383,6 +388,7 @@ static void replace(private_auth_cfg_t *this, entry_enumerator_t *enumerator,
 			case AUTH_RULE_ECDSA_STRENGTH:
 			case AUTH_RULE_BLISS_STRENGTH:
 			case AUTH_RULE_SIGNATURE_SCHEME:
+			case AUTH_RULE_IKE_SIGNATURE_SCHEME:
 				/* integer type */
 				entry->value = (void*)(uintptr_t)va_arg(args, u_int);
 				break;
@@ -459,6 +465,7 @@ METHOD(auth_cfg_t, get, void*,
 		case AUTH_RULE_BLISS_STRENGTH:
 			return (void*)0;
 		case AUTH_RULE_SIGNATURE_SCHEME:
+		case AUTH_RULE_IKE_SIGNATURE_SCHEME:
 			return (void*)HASH_UNKNOWN;
 		case AUTH_RULE_CRL_VALIDATION:
 		case AUTH_RULE_OCSP_VALIDATION:
@@ -619,6 +626,50 @@ METHOD(auth_cfg_t, add_pubkey_constraints, void,
 	enumerator->destroy(enumerator);
 }
 
+/**
+ * Check if signature schemes of a specific type are compliant
+ */
+static bool complies_scheme(private_auth_cfg_t *this, auth_cfg_t *constraints,
+							auth_rule_t type, bool log_error)
+{
+	enumerator_t *e1, *e2;
+	auth_rule_t t1, t2;
+	signature_scheme_t scheme;
+	void *value;
+	bool success = TRUE;
+
+	e2 = create_enumerator(this);
+	while (e2->enumerate(e2, &t2, &scheme))
+	{
+		if (t2 == type)
+		{
+			success = FALSE;
+			e1 = constraints->create_enumerator(constraints);
+			while (e1->enumerate(e1, &t1, &value))
+			{
+				if (t1 == type && (uintptr_t)value == scheme)
+				{
+					success = TRUE;
+					break;
+				}
+			}
+			e1->destroy(e1);
+			if (!success)
+			{
+				if (log_error)
+				{
+					DBG1(DBG_CFG, "%s signature scheme %N not acceptable",
+						 AUTH_RULE_SIGNATURE_SCHEME == type ? "X.509" : "IKE",
+						 signature_scheme_names, (int)scheme);
+				}
+				break;
+			}
+		}
+	}
+	e2->destroy(e2);
+	return success;
+}
+
 METHOD(auth_cfg_t, complies, bool,
 	private_auth_cfg_t *this, auth_cfg_t *constraints, bool log_error)
 {
@@ -627,7 +678,7 @@ METHOD(auth_cfg_t, complies, bool,
 	bool ca_match = FALSE, cert_match = FALSE;
 	identification_t *require_group = NULL;
 	certificate_t *require_ca = NULL, *require_cert = NULL;
-	signature_scheme_t scheme = SIGN_UNKNOWN;
+	signature_scheme_t ike_scheme = SIGN_UNKNOWN, scheme = SIGN_UNKNOWN;
 	u_int strength = 0;
 	auth_rule_t t1, t2;
 	char *key_type;
@@ -823,6 +874,11 @@ METHOD(auth_cfg_t, complies, bool,
 				strength = (uintptr_t)value;
 				break;
 			}
+			case AUTH_RULE_IKE_SIGNATURE_SCHEME:
+			{
+				ike_scheme = (uintptr_t)value;
+				break;
+			}
 			case AUTH_RULE_SIGNATURE_SCHEME:
 			{
 				scheme = (uintptr_t)value;
@@ -875,35 +931,13 @@ METHOD(auth_cfg_t, complies, bool,
 	 * signature schemes. */
 	if (success && scheme != SIGN_UNKNOWN)
 	{
-		e2 = create_enumerator(this);
-		while (e2->enumerate(e2, &t2, &scheme))
-		{
-			if (t2 == AUTH_RULE_SIGNATURE_SCHEME)
-			{
-				success = FALSE;
-				e1 = constraints->create_enumerator(constraints);
-				while (e1->enumerate(e1, &t1, &value))
-				{
-					if (t1 == AUTH_RULE_SIGNATURE_SCHEME &&
-						(uintptr_t)value == scheme)
-					{
-						success = TRUE;
-						break;
-					}
-				}
-				e1->destroy(e1);
-				if (!success)
-				{
-					if (log_error)
-					{
-						DBG1(DBG_CFG, "signature scheme %N not acceptable",
-							 signature_scheme_names, (int)scheme);
-					}
-					break;
-				}
-			}
-		}
-		e2->destroy(e2);
+		success = complies_scheme(this, constraints,
+								  AUTH_RULE_SIGNATURE_SCHEME, log_error);
+	}
+	if (success && ike_scheme != SIGN_UNKNOWN)
+	{
+		success = complies_scheme(this, constraints,
+								  AUTH_RULE_IKE_SIGNATURE_SCHEME, log_error);
 	}
 
 	/* Check if we have a matching constraint (or none at all) for used
@@ -1027,6 +1061,7 @@ static void merge(private_auth_cfg_t *this, private_auth_cfg_t *other, bool copy
 				case AUTH_RULE_ECDSA_STRENGTH:
 				case AUTH_RULE_BLISS_STRENGTH:
 				case AUTH_RULE_SIGNATURE_SCHEME:
+				case AUTH_RULE_IKE_SIGNATURE_SCHEME:
 				{
 					add(this, type, (uintptr_t)value);
 					break;
@@ -1197,6 +1232,7 @@ METHOD(auth_cfg_t, clone_, auth_cfg_t*,
 			case AUTH_RULE_ECDSA_STRENGTH:
 			case AUTH_RULE_BLISS_STRENGTH:
 			case AUTH_RULE_SIGNATURE_SCHEME:
+			case AUTH_RULE_IKE_SIGNATURE_SCHEME:
 				clone->add(clone, type, (uintptr_t)value);
 				break;
 			case AUTH_RULE_MAX:
diff --git a/src/libstrongswan/credentials/auth_cfg.h b/src/libstrongswan/credentials/auth_cfg.h
index 07e5a6bd3..f00e64f7e 100644
--- a/src/libstrongswan/credentials/auth_cfg.h
+++ b/src/libstrongswan/credentials/auth_cfg.h
@@ -106,6 +106,8 @@ enum auth_rule_t {
 	AUTH_RULE_BLISS_STRENGTH,
 	/** required signature scheme, signature_scheme_t */
 	AUTH_RULE_SIGNATURE_SCHEME,
+	/** required signature scheme for IKE authentication, signature_scheme_t */
+	AUTH_RULE_IKE_SIGNATURE_SCHEME,
 	/** certificatePolicy constraint, numerical OID as char* */
 	AUTH_RULE_CERT_POLICY,