comparison svr-authpubkey.c @ 1653:76189c9ffea2

External Public-Key Authentication API (#72) * Implemented dynamic loading of an external plug-in shared library to delegate public key authentication * Moved conditional compilation of the plugin infrastructure into the configure.ac script to be able to add -ldl to dropbear build only when the flag is enabled * Added tags file to the ignore list * Updated API to have the constructor to return function pointers in the pliugin instance. Added support for passing user name to the checkpubkey function. Added options to the session returned by the plugin and have dropbear to parse and process them * Added -rdynamic to the linker flags when EPKA is enabled * Changed the API to pass a previously created session to the checkPubKey function (created during preauth) * Added documentation to the API * Added parameter addrstring to plugin creation function * Modified the API to retrieve the auth options. Instead of having them as field of the EPKASession struct, they are stored internally (plugin-dependent) in the plugin/session and retrieved through a pointer to a function (in the session) * Changed option string to be a simple char * instead of unsigned char *
author fabriziobertocci <fabriziobertocci@gmail.com>
date Wed, 15 May 2019 09:43:57 -0400
parents 592a18dac250
children cc0fc5131c5c
comparison
equal deleted inserted replaced
1652:d2753238f35f 1653:76189c9ffea2
89 unsigned int sign_payload_length; 89 unsigned int sign_payload_length;
90 buffer * signbuf = NULL; 90 buffer * signbuf = NULL;
91 sign_key * key = NULL; 91 sign_key * key = NULL;
92 char* fp = NULL; 92 char* fp = NULL;
93 enum signkey_type type = -1; 93 enum signkey_type type = -1;
94 int auth_failure = 1;
94 95
95 TRACE(("enter pubkeyauth")) 96 TRACE(("enter pubkeyauth"))
96 97
97 /* 0 indicates user just wants to check if key can be used, 1 is an 98 /* 0 indicates user just wants to check if key can be used, 1 is an
98 * actual attempt*/ 99 * actual attempt*/
108 Avoids blind user enumeration though it isn't possible to prevent 109 Avoids blind user enumeration though it isn't possible to prevent
109 testing for user existence if the public key is known */ 110 testing for user existence if the public key is known */
110 send_msg_userauth_failure(0, 0); 111 send_msg_userauth_failure(0, 0);
111 goto out; 112 goto out;
112 } 113 }
113 114 #if DROPBEAR_EPKA
115 if (svr_ses.epka_instance != NULL) {
116 char *options_buf;
117 if (svr_ses.epka_instance->checkpubkey(
118 svr_ses.epka_instance,
119 &ses.epka_session,
120 algo,
121 algolen,
122 keyblob,
123 keybloblen,
124 ses.authstate.username) == DROPBEAR_SUCCESS) {
125 /* Success */
126 auth_failure = 0;
127
128 /* Options provided? */
129 options_buf = ses.epka_session->get_options(ses.epka_session);
130 if (options_buf) {
131 struct buf temp_buf = {
132 .data = (unsigned char *)options_buf,
133 .len = strlen(options_buf),
134 .pos = 0,
135 .size = 0
136 };
137 int ret = svr_add_pubkey_options(&temp_buf, 0, "N/A");
138 if (ret == DROPBEAR_FAILURE) {
139 /* Fail immediately as the plugin provided wrong options */
140 send_msg_userauth_failure(0, 0);
141 goto out;
142 }
143 }
144 }
145 }
146 #endif
114 /* check if the key is valid */ 147 /* check if the key is valid */
115 if (checkpubkey(algo, algolen, keyblob, keybloblen) == DROPBEAR_FAILURE) { 148 if (auth_failure) {
149 auth_failure = checkpubkey(algo, algolen, keyblob, keybloblen) == DROPBEAR_FAILURE;
150 }
151
152 if (auth_failure) {
116 send_msg_userauth_failure(0, 0); 153 send_msg_userauth_failure(0, 0);
117 goto out; 154 goto out;
118 } 155 }
119 156
120 /* let them know that the key is ok to use */ 157 /* let them know that the key is ok to use */
154 if (buf_verify(ses.payload, key, signbuf) == DROPBEAR_SUCCESS) { 191 if (buf_verify(ses.payload, key, signbuf) == DROPBEAR_SUCCESS) {
155 dropbear_log(LOG_NOTICE, 192 dropbear_log(LOG_NOTICE,
156 "Pubkey auth succeeded for '%s' with key %s from %s", 193 "Pubkey auth succeeded for '%s' with key %s from %s",
157 ses.authstate.pw_name, fp, svr_ses.addrstring); 194 ses.authstate.pw_name, fp, svr_ses.addrstring);
158 send_msg_userauth_success(); 195 send_msg_userauth_success();
196 #if DROPBEAR_EPKA
197 if ((ses.epka_session != NULL) && (svr_ses.epka_instance->auth_success != NULL)) {
198 /* Was authenticated through the external plugin. tell plugin that signature verification was ok */
199 svr_ses.epka_instance->auth_success(ses.epka_session);
200 }
201 #endif
202
159 } else { 203 } else {
160 dropbear_log(LOG_WARNING, 204 dropbear_log(LOG_WARNING,
161 "Pubkey auth bad signature for '%s' with key %s from %s", 205 "Pubkey auth bad signature for '%s' with key %s from %s",
162 ses.authstate.pw_name, fp, svr_ses.addrstring); 206 ses.authstate.pw_name, fp, svr_ses.addrstring);
163 send_msg_userauth_failure(0, 1); 207 send_msg_userauth_failure(0, 1);