# HG changeset patch # User fabriziobertocci # Date 1557927837 14400 # Node ID 76189c9ffea27285992555b0a9eb4b71b4f55bbe # Parent d2753238f35f2f80507d1241f03639a20285ef46 External Public-Key Authentication API (#72) * Implemented dynamic loading of an external plug-in shared library to delegate public key authentication * Moved conditional compilation of the plugin infrastructure into the configure.ac script to be able to add -ldl to dropbear build only when the flag is enabled * Added tags file to the ignore list * Updated API to have the constructor to return function pointers in the pliugin instance. Added support for passing user name to the checkpubkey function. Added options to the session returned by the plugin and have dropbear to parse and process them * Added -rdynamic to the linker flags when EPKA is enabled * Changed the API to pass a previously created session to the checkPubKey function (created during preauth) * Added documentation to the API * Added parameter addrstring to plugin creation function * Modified the API to retrieve the auth options. Instead of having them as field of the EPKASession struct, they are stored internally (plugin-dependent) in the plugin/session and retrieved through a pointer to a function (in the session) * Changed option string to be a simple char * instead of unsigned char * diff -r d2753238f35f -r 76189c9ffea2 .gitignore --- a/.gitignore Wed Mar 27 22:15:23 2019 +0800 +++ b/.gitignore Wed May 15 09:43:57 2019 -0400 @@ -5,6 +5,7 @@ *.bb *.bbg *.prof +.*.swp /autom4te.cache /config.log /config.status @@ -20,3 +21,4 @@ config.h.in configure default_options_guard.h +tags diff -r d2753238f35f -r 76189c9ffea2 Makefile.in --- a/Makefile.in Wed Mar 27 22:15:23 2019 +0800 +++ b/Makefile.in Wed May 15 09:43:57 2019 -0400 @@ -80,6 +80,15 @@ scpobjs=$(SCPOBJS) endif +ifeq (@DROPBEAR_EPKA@, 1) + # rdynamic makes all the global symbols of dropbear available to all the loaded shared libraries + # this allow a plugin to reuse existing crypto/utilities like base64_decode/base64_encode without + # the need to rewrite them. + EPKA_LIBS=-ldl -rdynamic +else + EPKA_LIBS= +endif + VPATH=@srcdir@ srcdir=@srcdir@ @@ -189,7 +198,7 @@ dropbearconvert: $(dropbearconvertobjs) dropbear: $(HEADERS) $(LIBTOM_DEPS) Makefile - $(CC) $(LDFLAGS) -o $@$(EXEEXT) $($@objs) $(LIBTOM_LIBS) $(LIBS) @CRYPTLIB@ + $(CC) $(LDFLAGS) -o $@$(EXEEXT) $($@objs) $(LIBTOM_LIBS) $(LIBS) @CRYPTLIB@ $(EPKA_LIBS) dbclient: $(HEADERS) $(LIBTOM_DEPS) Makefile $(CC) $(LDFLAGS) -o $@$(EXEEXT) $($@objs) $(LIBTOM_LIBS) $(LIBS) diff -r d2753238f35f -r 76189c9ffea2 common-session.c --- a/common-session.c Wed Mar 27 22:15:23 2019 +0800 +++ b/common-session.c Wed May 15 09:43:57 2019 -0400 @@ -147,6 +147,10 @@ ses.allowprivport = 0; +#if DROPBEAR_EPKA + ses.epka_session = NULL; +#endif + TRACE(("leave session_init")) } diff -r d2753238f35f -r 76189c9ffea2 configure.ac --- a/configure.ac Wed Mar 27 22:15:23 2019 +0800 +++ b/configure.ac Wed May 15 09:43:57 2019 -0400 @@ -323,6 +323,21 @@ ] ) +AC_ARG_ENABLE(epka, + [ --enable-epka Enable support for External Public Key Authentication plug-in], + [ + AC_DEFINE(DROPBEAR_EPKA, 1, External Public Key Authentication) + AC_MSG_NOTICE(Enabling support for External Public Key Authentication) + DROPBEAR_EPKA=1 + ], + [ + AC_DEFINE(DROPBEAR_EPKA, 0, External Public Key Authentication) + DROPBEAR_EPKA=0 + ] + +) +AC_SUBST(DROPBEAR_EPKA) + AC_ARG_ENABLE(fuzz, [ --enable-fuzz Build fuzzing. Not recommended for deployment.], [ diff -r d2753238f35f -r 76189c9ffea2 includes.h --- a/includes.h Wed Mar 27 22:15:23 2019 +0800 +++ b/includes.h Wed May 15 09:43:57 2019 -0400 @@ -164,6 +164,10 @@ #include #endif +#if DROPBEAR_EPKA +#include +#endif + #include "fake-rfc2553.h" #include "fuzz.h" diff -r d2753238f35f -r 76189c9ffea2 pubkeyapi.h --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/pubkeyapi.h Wed May 15 09:43:57 2019 -0400 @@ -0,0 +1,151 @@ +/* + * Dropbear - a SSH2 server + * + * Copyright (c) 2002,2003 Matt Johnston + * All rights reserved. + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in + * all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. */ +#ifndef DROPBEAR_PUBKEY_H +#define DROPBEAR_PUBKEY_H + + +/* External Public Key API (EPKA) Plug-in Interface + * + * See: + * https://github.com/fabriziobertocci/dropbear-epka + * for additional information and examples about this API + * + */ + +struct EPKAInstance; +struct EPKASession; + +/* API VERSION INFORMATION - + * Dropbear will: + * - Reject any plugin with a major version mismatch + * - Load and print a warning if the plugin's minor version is HIGHER than + * dropbear's minor version (assumes properties are added at the end of + * EPKAInstance or EPKASession). This is a case of plugin newer than dropbear. + * - Reject if the plugin minor version is SMALLER than dropbear one (case + * of plugin older than dropbear). + * - Load (with no warnings) if version match. + */ +#define DROPBEAR_EPKA_VERSION_MAJOR 1 +#define DROPBEAR_EPKA_VERSION_MINOR 0 + + +/* Creates an instance of the plugin. + * + * This is the main entry point of the plug-in and should be IMMUTABLE across + * different API versions. Dropbear will check the version number + * returned in the api_version to match the version it understands and reject + * any plugin for which API major version does not match. + * + * If the version MINOR is different, dropbear will allow the plugin to run + * only if: plugin_MINOR > dropbear_MINOR + * + * If plugin_MINOR < dropbeart_MINOR or if the MAJOR version is different + * dropbear will reject the plugin and terminate the execution. + * + * addrstring is the IP address of the client. + * + * Returns NULL in case of failure, otherwise a void * of the instance that need + * to be passed to all the subsequent call to the plugin + */ +typedef struct EPKAInstance *(* PubkeyExtPlugin_newFn)(int verbose, + const char *options, + const char *addrstring); +#define DROPBEAR_PUBKEY_PLUGIN_FNNAME_NEW "plugin_new" + + +/* Validate a client through public key authentication + * + * If session has not been already created, creates it and store it + * in *sessionInOut. + * If session is a non-NULL, it will reuse it. + * + * Returns DROPBEAR_SUCCESS (0) if success or DROPBEAR_FAILURE (-1) if + * authentication fails + */ +typedef int (* PubkeyExtPlugin_checkPubKeyFn)(struct EPKAInstance *pluginInstance, + struct EPKASession **sessionInOut, + const char* algo, + unsigned int algolen, + const unsigned char* keyblob, + unsigned int keybloblen, + const char *username); + +/* Notify the plugin that auth completed (after signature verification) + */ +typedef void (* PubkeyExtPlugin_authSuccessFn)(struct EPKASession *session); + +/* Deletes a session + * TODO: Add a reason why the session is terminated. See svr_dropbear_exit (in svr-session.c) + */ +typedef void (* PubkeyExtPlugin_sessionDeleteFn)(struct EPKASession *session); + +/* Deletes the plugin instance */ +typedef void (* PubkeyExtPlugin_deleteFn)(struct EPKAInstance *pluginInstance); + + +/* The EPKAInstance object - A simple container of the pointer to the functions used + * by Dropbear. + * + * A plug-in can extend it to add its own properties + * + * The instance is created from the call to the plugin_new() function of the + * shared library. + * The delete_plugin function should delete the object. + */ +struct EPKAInstance { + int api_version[2]; /* 0=Major, 1=Minor */ + + PubkeyExtPlugin_checkPubKeyFn checkpubkey; /* mandatory */ + PubkeyExtPlugin_authSuccessFn auth_success; /* optional */ + PubkeyExtPlugin_sessionDeleteFn delete_session; /* mandatory */ + PubkeyExtPlugin_deleteFn delete_plugin; /* mandatory */ +}; + +/***************************************************************************** + * SESSION + ****************************************************************************/ +/* Returns the options from the session. + * The returned buffer will be destroyed when the session is deleted. + * Option buffer string NULL-terminated + */ +typedef char * (* PubkeyExtPlugin_getOptionsFn)(struct EPKASession *session); + + +/* An SSH Session. Created during pre-auth and reused during the authentication. + * The plug-in should delete this object (or any object extending it) from + * the delete_session() function. + * + * Extend it to cache user and authentication information that can be + * reused between pre-auth and auth (and to store whatever session-specific + * variable you need to keep). + * + * Store any optional auth options in the auth_options property of the session. + */ +struct EPKASession { + struct EPKAInstance * plugin_instance; + + PubkeyExtPlugin_getOptionsFn get_options; +}; + +#endif diff -r d2753238f35f -r 76189c9ffea2 runopts.h --- a/runopts.h Wed Mar 27 22:15:23 2019 +0800 +++ b/runopts.h Wed May 15 09:43:57 2019 -0400 @@ -125,6 +125,11 @@ char * forced_command; +#if DROPBEAR_EPKA + char *pubkey_plugin; + char *pubkey_plugin_options; +#endif + } svr_runopts; extern svr_runopts svr_opts; diff -r d2753238f35f -r 76189c9ffea2 session.h --- a/session.h Wed Mar 27 22:15:23 2019 +0800 +++ b/session.h Wed May 15 09:43:57 2019 -0400 @@ -38,6 +38,9 @@ #include "chansession.h" #include "dbutil.h" #include "netio.h" +#if DROPBEAR_EPKA +#include "pubkeyapi.h" +#endif void common_session_init(int sock_in, int sock_out); void session_loop(void(*loophandler)(void)) ATTRIB_NORETURN; @@ -216,6 +219,10 @@ volatile int exitflag; /* set once the ses structure (and cli_ses/svr_ses) have been populated to their initial state */ int init_done; + +#if DROPBEAR_EPKA + struct EPKASession * epka_session; +#endif }; struct serversession { @@ -241,6 +248,14 @@ pid_t server_pid; #endif +#if DROPBEAR_EPKA + /* The shared library handle */ + void *epka_plugin_handle; + + /* The instance created by the plugin_new function */ + struct EPKAInstance *epka_instance; +#endif + }; typedef enum { diff -r d2753238f35f -r 76189c9ffea2 svr-authpubkey.c --- a/svr-authpubkey.c Wed Mar 27 22:15:23 2019 +0800 +++ b/svr-authpubkey.c Wed May 15 09:43:57 2019 -0400 @@ -91,6 +91,7 @@ sign_key * key = NULL; char* fp = NULL; enum signkey_type type = -1; + int auth_failure = 1; TRACE(("enter pubkeyauth")) @@ -110,9 +111,45 @@ send_msg_userauth_failure(0, 0); goto out; } +#if DROPBEAR_EPKA + if (svr_ses.epka_instance != NULL) { + char *options_buf; + if (svr_ses.epka_instance->checkpubkey( + svr_ses.epka_instance, + &ses.epka_session, + algo, + algolen, + keyblob, + keybloblen, + ses.authstate.username) == DROPBEAR_SUCCESS) { + /* Success */ + auth_failure = 0; + /* Options provided? */ + options_buf = ses.epka_session->get_options(ses.epka_session); + if (options_buf) { + struct buf temp_buf = { + .data = (unsigned char *)options_buf, + .len = strlen(options_buf), + .pos = 0, + .size = 0 + }; + int ret = svr_add_pubkey_options(&temp_buf, 0, "N/A"); + if (ret == DROPBEAR_FAILURE) { + /* Fail immediately as the plugin provided wrong options */ + send_msg_userauth_failure(0, 0); + goto out; + } + } + } + } +#endif /* check if the key is valid */ - if (checkpubkey(algo, algolen, keyblob, keybloblen) == DROPBEAR_FAILURE) { + if (auth_failure) { + auth_failure = checkpubkey(algo, algolen, keyblob, keybloblen) == DROPBEAR_FAILURE; + } + + if (auth_failure) { send_msg_userauth_failure(0, 0); goto out; } @@ -156,6 +193,13 @@ "Pubkey auth succeeded for '%s' with key %s from %s", ses.authstate.pw_name, fp, svr_ses.addrstring); send_msg_userauth_success(); +#if DROPBEAR_EPKA + if ((ses.epka_session != NULL) && (svr_ses.epka_instance->auth_success != NULL)) { + /* Was authenticated through the external plugin. tell plugin that signature verification was ok */ + svr_ses.epka_instance->auth_success(ses.epka_session); + } +#endif + } else { dropbear_log(LOG_WARNING, "Pubkey auth bad signature for '%s' with key %s from %s", diff -r d2753238f35f -r 76189c9ffea2 svr-runopts.c --- a/svr-runopts.c Wed Mar 27 22:15:23 2019 +0800 +++ b/svr-runopts.c Wed May 15 09:43:57 2019 -0400 @@ -46,16 +46,16 @@ "-b bannerfile Display the contents of bannerfile" " before user login\n" " (default: none)\n" - "-r keyfile Specify hostkeys (repeatable)\n" + "-r keyfile Specify hostkeys (repeatable)\n" " defaults: \n" #if DROPBEAR_DSS - " dss %s\n" + " - dss %s\n" #endif #if DROPBEAR_RSA - " rsa %s\n" + " - rsa %s\n" #endif #if DROPBEAR_ECDSA - " ecdsa %s\n" + " - ecdsa %s\n" #endif #if DROPBEAR_DELAY_HOSTKEY "-R Create hostkeys as required\n" @@ -99,6 +99,10 @@ "-W (default %d, larger may be faster, max 1MB)\n" "-K (0 is never, default %d, in seconds)\n" "-I (0 is never, default %d, in seconds)\n" +#if DROPBEAR_EPKA + "-A [,]\n" + " Enable external public key auth through \n" +#endif "-V Version\n" #if DEBUG_TRACE "-v verbose (compiled with DEBUG_TRACE)\n" @@ -129,6 +133,9 @@ char* maxauthtries_arg = NULL; char* keyfile = NULL; char c; +#if DROPBEAR_EPKA + char* pubkey_plugin = NULL; +#endif /* see printhelp() for options */ @@ -156,6 +163,10 @@ #if DROPBEAR_SVR_REMOTETCPFWD svr_opts.noremotetcp = 0; #endif +#if DROPBEAR_EPKA + svr_opts.pubkey_plugin = NULL; + svr_opts.pubkey_plugin_options = NULL; +#endif #ifndef DISABLE_ZLIB opts.compress_mode = DROPBEAR_COMPRESS_DELAYED; @@ -274,6 +285,11 @@ case 'u': /* backwards compatibility with old urandom option */ break; +#if DROPBEAR_EPKA + case 'A': + next = &pubkey_plugin; + break; +#endif #if DEBUG_TRACE case 'v': debug_trace = 1; @@ -394,6 +410,17 @@ if (svr_opts.forced_command) { dropbear_log(LOG_INFO, "Forced command set to '%s'", svr_opts.forced_command); } +#if DROPBEAR_EPKA + if (pubkey_plugin) { + char *args = strchr(pubkey_plugin, ','); + if (args) { + *args='\0'; + ++args; + } + svr_opts.pubkey_plugin = pubkey_plugin; + svr_opts.pubkey_plugin_options = args; + } +#endif } static void addportandaddress(const char* spec) { diff -r d2753238f35f -r 76189c9ffea2 svr-session.c --- a/svr-session.c Wed Mar 27 22:15:23 2019 +0800 +++ b/svr-session.c Wed May 15 09:43:57 2019 -0400 @@ -88,6 +88,18 @@ m_free(svr_ses.remotehost); m_free(svr_ses.childpids); svr_ses.childpidsize = 0; + +#if DROPBEAR_EPKA + if (svr_ses.epka_plugin_handle != NULL) { + if (svr_ses.epka_instance) { + svr_ses.epka_instance->delete_plugin(svr_ses.epka_instance); + svr_ses.epka_instance = NULL; + } + + dlclose(svr_ses.epka_plugin_handle); + svr_ses.epka_plugin_handle = NULL; + } +#endif } void svr_session(int sock, int childpipe) { @@ -101,10 +113,6 @@ #if DROPBEAR_VFORK svr_ses.server_pid = getpid(); #endif - svr_authinitialise(); - chaninitialise(svr_chantypes); - svr_chansessinitialise(); - svr_algos_initialise(); /* for logging the remote address */ get_socket_address(ses.sock_in, NULL, NULL, &host, &port, 0); @@ -114,6 +122,56 @@ m_free(host); m_free(port); +#if DROPBEAR_EPKA + /* Initializes the EPKA Plugin */ + svr_ses.epka_plugin_handle = NULL; + svr_ses.epka_instance = NULL; + if (svr_opts.pubkey_plugin) { +#if DEBUG_TRACE + const int verbose = debug_trace; +#else + const int verbose = 0; +#endif + PubkeyExtPlugin_newFn pluginConstructor; + + /* RTLD_NOW: fails if not all the symbols are resolved now. Better fail now than at run-time */ + svr_ses.epka_plugin_handle = dlopen(svr_opts.pubkey_plugin, RTLD_NOW); + if (svr_ses.epka_plugin_handle == NULL) { + dropbear_exit("failed to load external pubkey plugin '%s': %s", svr_opts.pubkey_plugin, dlerror()); + } + pluginConstructor = (PubkeyExtPlugin_newFn)dlsym(svr_ses.epka_plugin_handle, DROPBEAR_PUBKEY_PLUGIN_FNNAME_NEW); + if (!pluginConstructor) { + dropbear_exit("plugin constructor method not found in external pubkey plugin"); + } + + /* Create an instance of the plugin */ + svr_ses.epka_instance = pluginConstructor(verbose, svr_opts.pubkey_plugin_options, svr_ses.addrstring); + if (svr_ses.epka_instance == NULL) { + dropbear_exit("external plugin initialization failed"); + } + /* Check if the plugin is compatible */ + if ( (svr_ses.epka_instance->api_version[0] != DROPBEAR_EPKA_VERSION_MAJOR) || + (svr_ses.epka_instance->api_version[1] < DROPBEAR_EPKA_VERSION_MINOR) ) { + dropbear_exit("plugin version check failed: " + "Dropbear=%d.%d, plugin=%d.%d", + DROPBEAR_EPKA_VERSION_MAJOR, DROPBEAR_EPKA_VERSION_MINOR, + svr_ses.epka_instance->api_version[0], svr_ses.epka_instance->api_version[1]); + } + if (svr_ses.epka_instance->api_version[1] > DROPBEAR_EPKA_VERSION_MINOR) { + dropbear_log(LOG_WARNING, "plugin API newer than dropbear API: " + "Dropbear=%d.%d, plugin=%d.%d", + DROPBEAR_EPKA_VERSION_MAJOR, DROPBEAR_EPKA_VERSION_MINOR, + svr_ses.epka_instance->api_version[0], svr_ses.epka_instance->api_version[1]); + } + dropbear_log(LOG_INFO, "successfully loaded and initialized pubkey plugin '%s'", svr_opts.pubkey_plugin); + } +#endif + + svr_authinitialise(); + chaninitialise(svr_chantypes); + svr_chansessinitialise(); + svr_algos_initialise(); + get_socket_address(ses.sock_in, NULL, NULL, &svr_ses.remotehost, NULL, 1); @@ -151,6 +209,13 @@ char fullmsg[300]; int i; +#if DROPBEAR_EPKA + if ((ses.epka_session != NULL)) { + svr_ses.epka_instance->delete_session(ses.epka_session); + } + ses.epka_session = NULL; +#endif + /* Render the formatted exit message */ vsnprintf(exitmsg, sizeof(exitmsg), format, param); diff -r d2753238f35f -r 76189c9ffea2 sysoptions.h --- a/sysoptions.h Wed Mar 27 22:15:23 2019 +0800 +++ b/sysoptions.h Wed May 15 09:43:57 2019 -0400 @@ -243,6 +243,9 @@ #error "At least one server authentication type must be enabled. DROPBEAR_SVR_PUBKEY_AUTH and DROPBEAR_SVR_PASSWORD_AUTH are recommended." #endif +#if (DROPBEAR_EPKA && !DROPBEAR_SVR_PUBKEY_AUTH) + #error "You must define DROPBEAR_SVR_PUBKEY_AUTH in order to use External Public Key Authentication (EPKA)" +#endif #if !(DROPBEAR_AES128 || DROPBEAR_3DES || DROPBEAR_AES256 || DROPBEAR_BLOWFISH \ || DROPBEAR_TWOFISH256 || DROPBEAR_TWOFISH128)