dropbear: svr-authpubkey.c comparison

comparison svr-authpubkey.c @ 1653:76189c9ffea2

External Public-Key Authentication API (#72) * Implemented dynamic loading of an external plug-in shared library to delegate public key authentication * Moved conditional compilation of the plugin infrastructure into the configure.ac script to be able to add -ldl to dropbear build only when the flag is enabled * Added tags file to the ignore list * Updated API to have the constructor to return function pointers in the pliugin instance. Added support for passing user name to the checkpubkey function. Added options to the session returned by the plugin and have dropbear to parse and process them * Added -rdynamic to the linker flags when EPKA is enabled * Changed the API to pass a previously created session to the checkPubKey function (created during preauth) * Added documentation to the API * Added parameter addrstring to plugin creation function * Modified the API to retrieve the auth options. Instead of having them as field of the EPKASession struct, they are stored internally (plugin-dependent) in the plugin/session and retrieved through a pointer to a function (in the session) * Changed option string to be a simple char * instead of unsigned char *

author	fabriziobertocci <fabriziobertocci@gmail.com>
date	Wed, 15 May 2019 09:43:57 -0400
parents	592a18dac250
children	cc0fc5131c5c

comparison

equal deleted inserted replaced

-:d2753238f35f
+:76189c9ffea2
 	unsigned int sign_payload_length;
 	buffer * signbuf = NULL;
 	sign_key * key = NULL;
 	char* fp = NULL;
 	enum signkey_type type = -1;
+int auth_failure = 1;
 	TRACE(("enter pubkeyauth"))
 	/* 0 indicates user just wants to check if key can be used, 1 is an
 	 * actual attempt*/
 		Avoids blind user enumeration though it isn't possible to prevent
 		testing for user existence if the public key is known */
 		send_msg_userauth_failure(0, 0);
 		goto out;
 	}
+#if DROPBEAR_EPKA
+if (svr_ses.epka_instance != NULL) {
+char *options_buf;
+if (svr_ses.epka_instance->checkpubkey(
+svr_ses.epka_instance,
+&ses.epka_session,
+algo,
+algolen,
+keyblob,
+keybloblen,
+ses.authstate.username) == DROPBEAR_SUCCESS) {
+/* Success */
+auth_failure = 0;
+/* Options provided? */
+options_buf = ses.epka_session->get_options(ses.epka_session);
+if (options_buf) {
+struct buf temp_buf = {
+.data = (unsigned char *)options_buf,
+.len = strlen(options_buf),
+.pos = 0,
+.size = 0
+};
+int ret = svr_add_pubkey_options(&temp_buf, 0, "N/A");
+if (ret == DROPBEAR_FAILURE) {
+/* Fail immediately as the plugin provided wrong options */
+send_msg_userauth_failure(0, 0);
+goto out;
+}
+}
+}
+}
+#endif
 	/* check if the key is valid */
-	if (checkpubkey(algo, algolen, keyblob, keybloblen) == DROPBEAR_FAILURE) {
+if (auth_failure) {
+auth_failure = checkpubkey(algo, algolen, keyblob, keybloblen) == DROPBEAR_FAILURE;
+}
+if (auth_failure) {
 		send_msg_userauth_failure(0, 0);
 		goto out;
 	}
 	/* let them know that the key is ok to use */
 	if (buf_verify(ses.payload, key, signbuf) == DROPBEAR_SUCCESS) {
 		dropbear_log(LOG_NOTICE,
 				"Pubkey auth succeeded for '%s' with key %s from %s",
 				ses.authstate.pw_name, fp, svr_ses.addrstring);
 		send_msg_userauth_success();
+#if DROPBEAR_EPKA
+if ((ses.epka_session != NULL) && (svr_ses.epka_instance->auth_success != NULL)) {
+/* Was authenticated through the external plugin. tell plugin that signature verification was ok */
+svr_ses.epka_instance->auth_success(ses.epka_session);
+}
+#endif
 	} else {
 		dropbear_log(LOG_WARNING,
 				"Pubkey auth bad signature for '%s' with key %s from %s",
 				ses.authstate.pw_name, fp, svr_ses.addrstring);
 		send_msg_userauth_failure(0, 1);

Mercurial > dropbear

comparison svr-authpubkey.c @ 1653:76189c9ffea2