Mercurial > dropbear
view pubkeyapi.h @ 1653:76189c9ffea2
External Public-Key Authentication API (#72)
* Implemented dynamic loading of an external plug-in shared library to delegate public key authentication
* Moved conditional compilation of the plugin infrastructure into the configure.ac script to be able to add -ldl to dropbear build only when the flag is enabled
* Added tags file to the ignore list
* Updated API to have the constructor to return function pointers in the pliugin instance. Added support for passing user name to the checkpubkey function. Added options to the session returned by the plugin and have dropbear to parse and process them
* Added -rdynamic to the linker flags when EPKA is enabled
* Changed the API to pass a previously created session to the checkPubKey function (created during preauth)
* Added documentation to the API
* Added parameter addrstring to plugin creation function
* Modified the API to retrieve the auth options. Instead of having them as field of the EPKASession struct, they are stored internally (plugin-dependent) in the plugin/session and retrieved through a pointer to a function (in the session)
* Changed option string to be a simple char * instead of unsigned char *
author | fabriziobertocci <fabriziobertocci@gmail.com> |
---|---|
date | Wed, 15 May 2019 09:43:57 -0400 |
parents | |
children | cc0fc5131c5c |
line wrap: on
line source
/* * Dropbear - a SSH2 server * * Copyright (c) 2002,2003 Matt Johnston * All rights reserved. * * Permission is hereby granted, free of charge, to any person obtaining a copy * of this software and associated documentation files (the "Software"), to deal * in the Software without restriction, including without limitation the rights * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell * copies of the Software, and to permit persons to whom the Software is * furnished to do so, subject to the following conditions: * * The above copyright notice and this permission notice shall be included in * all copies or substantial portions of the Software. * * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE * SOFTWARE. */ #ifndef DROPBEAR_PUBKEY_H #define DROPBEAR_PUBKEY_H /* External Public Key API (EPKA) Plug-in Interface * * See: * https://github.com/fabriziobertocci/dropbear-epka * for additional information and examples about this API * */ struct EPKAInstance; struct EPKASession; /* API VERSION INFORMATION - * Dropbear will: * - Reject any plugin with a major version mismatch * - Load and print a warning if the plugin's minor version is HIGHER than * dropbear's minor version (assumes properties are added at the end of * EPKAInstance or EPKASession). This is a case of plugin newer than dropbear. * - Reject if the plugin minor version is SMALLER than dropbear one (case * of plugin older than dropbear). * - Load (with no warnings) if version match. */ #define DROPBEAR_EPKA_VERSION_MAJOR 1 #define DROPBEAR_EPKA_VERSION_MINOR 0 /* Creates an instance of the plugin. * * This is the main entry point of the plug-in and should be IMMUTABLE across * different API versions. Dropbear will check the version number * returned in the api_version to match the version it understands and reject * any plugin for which API major version does not match. * * If the version MINOR is different, dropbear will allow the plugin to run * only if: plugin_MINOR > dropbear_MINOR * * If plugin_MINOR < dropbeart_MINOR or if the MAJOR version is different * dropbear will reject the plugin and terminate the execution. * * addrstring is the IP address of the client. * * Returns NULL in case of failure, otherwise a void * of the instance that need * to be passed to all the subsequent call to the plugin */ typedef struct EPKAInstance *(* PubkeyExtPlugin_newFn)(int verbose, const char *options, const char *addrstring); #define DROPBEAR_PUBKEY_PLUGIN_FNNAME_NEW "plugin_new" /* Validate a client through public key authentication * * If session has not been already created, creates it and store it * in *sessionInOut. * If session is a non-NULL, it will reuse it. * * Returns DROPBEAR_SUCCESS (0) if success or DROPBEAR_FAILURE (-1) if * authentication fails */ typedef int (* PubkeyExtPlugin_checkPubKeyFn)(struct EPKAInstance *pluginInstance, struct EPKASession **sessionInOut, const char* algo, unsigned int algolen, const unsigned char* keyblob, unsigned int keybloblen, const char *username); /* Notify the plugin that auth completed (after signature verification) */ typedef void (* PubkeyExtPlugin_authSuccessFn)(struct EPKASession *session); /* Deletes a session * TODO: Add a reason why the session is terminated. See svr_dropbear_exit (in svr-session.c) */ typedef void (* PubkeyExtPlugin_sessionDeleteFn)(struct EPKASession *session); /* Deletes the plugin instance */ typedef void (* PubkeyExtPlugin_deleteFn)(struct EPKAInstance *pluginInstance); /* The EPKAInstance object - A simple container of the pointer to the functions used * by Dropbear. * * A plug-in can extend it to add its own properties * * The instance is created from the call to the plugin_new() function of the * shared library. * The delete_plugin function should delete the object. */ struct EPKAInstance { int api_version[2]; /* 0=Major, 1=Minor */ PubkeyExtPlugin_checkPubKeyFn checkpubkey; /* mandatory */ PubkeyExtPlugin_authSuccessFn auth_success; /* optional */ PubkeyExtPlugin_sessionDeleteFn delete_session; /* mandatory */ PubkeyExtPlugin_deleteFn delete_plugin; /* mandatory */ }; /***************************************************************************** * SESSION ****************************************************************************/ /* Returns the options from the session. * The returned buffer will be destroyed when the session is deleted. * Option buffer string NULL-terminated */ typedef char * (* PubkeyExtPlugin_getOptionsFn)(struct EPKASession *session); /* An SSH Session. Created during pre-auth and reused during the authentication. * The plug-in should delete this object (or any object extending it) from * the delete_session() function. * * Extend it to cache user and authentication information that can be * reused between pre-auth and auth (and to store whatever session-specific * variable you need to keep). * * Store any optional auth options in the auth_options property of the session. */ struct EPKASession { struct EPKAInstance * plugin_instance; PubkeyExtPlugin_getOptionsFn get_options; }; #endif