changeset 1653:76189c9ffea2

External Public-Key Authentication API (#72) * Implemented dynamic loading of an external plug-in shared library to delegate public key authentication * Moved conditional compilation of the plugin infrastructure into the configure.ac script to be able to add -ldl to dropbear build only when the flag is enabled * Added tags file to the ignore list * Updated API to have the constructor to return function pointers in the pliugin instance. Added support for passing user name to the checkpubkey function. Added options to the session returned by the plugin and have dropbear to parse and process them * Added -rdynamic to the linker flags when EPKA is enabled * Changed the API to pass a previously created session to the checkPubKey function (created during preauth) * Added documentation to the API * Added parameter addrstring to plugin creation function * Modified the API to retrieve the auth options. Instead of having them as field of the EPKASession struct, they are stored internally (plugin-dependent) in the plugin/session and retrieved through a pointer to a function (in the session) * Changed option string to be a simple char * instead of unsigned char *
author fabriziobertocci <fabriziobertocci@gmail.com>
date Wed, 15 May 2019 09:43:57 -0400
parents d2753238f35f
children cc0fc5131c5c
files .gitignore Makefile.in common-session.c configure.ac includes.h pubkeyapi.h runopts.h session.h svr-authpubkey.c svr-runopts.c svr-session.c sysoptions.h
diffstat 12 files changed, 354 insertions(+), 10 deletions(-) [+]
line wrap: on
line diff
--- a/.gitignore	Wed Mar 27 22:15:23 2019 +0800
+++ b/.gitignore	Wed May 15 09:43:57 2019 -0400
@@ -5,6 +5,7 @@
 *.bb
 *.bbg
 *.prof
+.*.swp
 /autom4te.cache
 /config.log
 /config.status
@@ -20,3 +21,4 @@
 config.h.in
 configure
 default_options_guard.h
+tags
--- a/Makefile.in	Wed Mar 27 22:15:23 2019 +0800
+++ b/Makefile.in	Wed May 15 09:43:57 2019 -0400
@@ -80,6 +80,15 @@
 	scpobjs=$(SCPOBJS)
 endif
 
+ifeq (@DROPBEAR_EPKA@, 1)
+    # rdynamic makes all the global symbols of dropbear available to all the loaded shared libraries
+    # this allow a plugin to reuse existing crypto/utilities like base64_decode/base64_encode without
+    # the need to rewrite them.
+    EPKA_LIBS=-ldl -rdynamic
+else
+    EPKA_LIBS=
+endif
+
 VPATH=@srcdir@
 srcdir=@srcdir@
 
@@ -189,7 +198,7 @@
 dropbearconvert: $(dropbearconvertobjs)
 
 dropbear: $(HEADERS) $(LIBTOM_DEPS) Makefile
-	$(CC) $(LDFLAGS) -o $@$(EXEEXT) $($@objs) $(LIBTOM_LIBS) $(LIBS) @CRYPTLIB@
+	$(CC) $(LDFLAGS) -o $@$(EXEEXT) $($@objs) $(LIBTOM_LIBS) $(LIBS) @CRYPTLIB@ $(EPKA_LIBS)
 
 dbclient: $(HEADERS) $(LIBTOM_DEPS) Makefile
 	$(CC) $(LDFLAGS) -o $@$(EXEEXT) $($@objs) $(LIBTOM_LIBS) $(LIBS)
--- a/common-session.c	Wed Mar 27 22:15:23 2019 +0800
+++ b/common-session.c	Wed May 15 09:43:57 2019 -0400
@@ -147,6 +147,10 @@
 
 	ses.allowprivport = 0;
 
+#if DROPBEAR_EPKA
+        ses.epka_session = NULL;
+#endif
+
 	TRACE(("leave session_init"))
 }
 
--- a/configure.ac	Wed Mar 27 22:15:23 2019 +0800
+++ b/configure.ac	Wed May 15 09:43:57 2019 -0400
@@ -323,6 +323,21 @@
 	]
 )
 
+AC_ARG_ENABLE(epka,
+	[  --enable-epka           Enable support for External Public Key Authentication plug-in],
+	[
+		AC_DEFINE(DROPBEAR_EPKA, 1, External Public Key Authentication)
+		AC_MSG_NOTICE(Enabling support for External Public Key Authentication)
+		DROPBEAR_EPKA=1
+	],
+	[
+		AC_DEFINE(DROPBEAR_EPKA, 0, External Public Key Authentication)
+		DROPBEAR_EPKA=0
+	]
+
+)
+AC_SUBST(DROPBEAR_EPKA)
+
 AC_ARG_ENABLE(fuzz,
 	[  --enable-fuzz           Build fuzzing. Not recommended for deployment.],
 	[
--- a/includes.h	Wed Mar 27 22:15:23 2019 +0800
+++ b/includes.h	Wed May 15 09:43:57 2019 -0400
@@ -164,6 +164,10 @@
 #include <linux/pkt_sched.h>
 #endif
 
+#if DROPBEAR_EPKA
+#include <dlfcn.h>
+#endif
+
 #include "fake-rfc2553.h"
 
 #include "fuzz.h"
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/pubkeyapi.h	Wed May 15 09:43:57 2019 -0400
@@ -0,0 +1,151 @@
+/*
+ * Dropbear - a SSH2 server
+ * 
+ * Copyright (c) 2002,2003 Matt Johnston
+ * All rights reserved.
+ * 
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ * 
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ * 
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE. */
+#ifndef DROPBEAR_PUBKEY_H
+#define DROPBEAR_PUBKEY_H
+
+
+/* External Public Key API (EPKA) Plug-in Interface
+ *
+ * See:
+ *      https://github.com/fabriziobertocci/dropbear-epka
+ * for additional information and examples about this API
+ *
+ */
+
+struct EPKAInstance;
+struct EPKASession;
+
+/* API VERSION INFORMATION - 
+ * Dropbear will:
+ * - Reject any plugin with a major version mismatch
+ * - Load and print a warning if the plugin's minor version is HIGHER than
+ *   dropbear's minor version (assumes properties are added at the end of
+ *   EPKAInstance or EPKASession). This is a case of plugin newer than dropbear. 
+ * - Reject if the plugin minor version is SMALLER than dropbear one (case
+ *   of plugin older than dropbear).
+ * - Load (with no warnings) if version match.
+ */
+#define DROPBEAR_EPKA_VERSION_MAJOR     1
+#define DROPBEAR_EPKA_VERSION_MINOR     0
+
+
+/* Creates an instance of the plugin.
+ *
+ * This is the main entry point of the plug-in and should be IMMUTABLE across
+ * different API versions. Dropbear will check the version number
+ * returned in the api_version to match the version it understands and reject
+ * any plugin for which API major version does not match.
+ *
+ * If the version MINOR is different, dropbear will allow the plugin to run 
+ * only if: plugin_MINOR > dropbear_MINOR
+ *
+ * If plugin_MINOR < dropbeart_MINOR or if the MAJOR version is different
+ * dropbear will reject the plugin and terminate the execution.
+ *
+ * addrstring is the IP address of the client.
+ *
+ * Returns NULL in case of failure, otherwise a void * of the instance that need
+ * to be passed to all the subsequent call to the plugin
+ */
+typedef struct EPKAInstance *(* PubkeyExtPlugin_newFn)(int verbose, 
+        const char *options,
+        const char *addrstring);
+#define DROPBEAR_PUBKEY_PLUGIN_FNNAME_NEW               "plugin_new"
+
+
+/* Validate a client through public key authentication
+ *
+ * If session has not been already created, creates it and store it 
+ * in *sessionInOut.
+ * If session is a non-NULL, it will reuse it.
+ *
+ * Returns DROPBEAR_SUCCESS (0) if success or DROPBEAR_FAILURE (-1) if
+ * authentication fails
+ */
+typedef int (* PubkeyExtPlugin_checkPubKeyFn)(struct EPKAInstance *pluginInstance,
+        struct EPKASession **sessionInOut,
+        const char* algo, 
+        unsigned int algolen,
+        const unsigned char* keyblob, 
+        unsigned int keybloblen,
+        const char *username);
+
+/* Notify the plugin that auth completed (after signature verification)
+ */
+typedef void (* PubkeyExtPlugin_authSuccessFn)(struct EPKASession *session);
+
+/* Deletes a session
+ * TODO: Add a reason why the session is terminated. See svr_dropbear_exit (in svr-session.c)
+ */
+typedef void (* PubkeyExtPlugin_sessionDeleteFn)(struct EPKASession *session);
+
+/* Deletes the plugin instance */
+typedef void (* PubkeyExtPlugin_deleteFn)(struct EPKAInstance *pluginInstance);
+
+
+/* The EPKAInstance object - A simple container of the pointer to the functions used
+ * by Dropbear.
+ *
+ * A plug-in can extend it to add its own properties
+ *
+ * The instance is created from the call to the plugin_new() function of the 
+ * shared library.
+ * The delete_plugin function should delete the object.
+ */
+struct EPKAInstance {
+    int                             api_version[2];         /* 0=Major, 1=Minor */
+
+    PubkeyExtPlugin_checkPubKeyFn   checkpubkey;            /* mandatory */
+    PubkeyExtPlugin_authSuccessFn   auth_success;           /* optional */
+    PubkeyExtPlugin_sessionDeleteFn delete_session;         /* mandatory */
+    PubkeyExtPlugin_deleteFn        delete_plugin;          /* mandatory */
+};
+
+/*****************************************************************************
+ * SESSION
+ ****************************************************************************/
+/* Returns the options from the session. 
+ * The returned buffer will be destroyed when the session is deleted.
+ * Option buffer string NULL-terminated
+ */
+typedef char * (* PubkeyExtPlugin_getOptionsFn)(struct EPKASession *session);
+
+
+/* An SSH Session. Created during pre-auth and reused during the authentication.
+ * The plug-in should delete this object (or any object extending it) from 
+ * the delete_session() function.
+ *
+ * Extend it to cache user and authentication information that can be
+ * reused between pre-auth and auth (and to store whatever session-specific
+ * variable you need to keep).
+ *
+ * Store any optional auth options in the auth_options property of the session.
+ */
+struct EPKASession {
+    struct EPKAInstance *  plugin_instance;
+
+    PubkeyExtPlugin_getOptionsFn   get_options;
+};
+
+#endif
--- a/runopts.h	Wed Mar 27 22:15:23 2019 +0800
+++ b/runopts.h	Wed May 15 09:43:57 2019 -0400
@@ -125,6 +125,11 @@
 
 	char * forced_command;
 
+#if DROPBEAR_EPKA 
+        char *pubkey_plugin;
+        char *pubkey_plugin_options;
+#endif
+
 } svr_runopts;
 
 extern svr_runopts svr_opts;
--- a/session.h	Wed Mar 27 22:15:23 2019 +0800
+++ b/session.h	Wed May 15 09:43:57 2019 -0400
@@ -38,6 +38,9 @@
 #include "chansession.h"
 #include "dbutil.h"
 #include "netio.h"
+#if DROPBEAR_EPKA
+#include "pubkeyapi.h"
+#endif
 
 void common_session_init(int sock_in, int sock_out);
 void session_loop(void(*loophandler)(void)) ATTRIB_NORETURN;
@@ -216,6 +219,10 @@
 	volatile int exitflag;
 	/* set once the ses structure (and cli_ses/svr_ses) have been populated to their initial state */
 	int init_done;
+
+#if DROPBEAR_EPKA
+        struct EPKASession * epka_session;
+#endif
 };
 
 struct serversession {
@@ -241,6 +248,14 @@
 	pid_t server_pid;
 #endif
 
+#if DROPBEAR_EPKA
+        /* The shared library handle */
+        void *epka_plugin_handle;
+
+        /* The instance created by the plugin_new function */
+        struct EPKAInstance *epka_instance;
+#endif
+
 };
 
 typedef enum {
--- a/svr-authpubkey.c	Wed Mar 27 22:15:23 2019 +0800
+++ b/svr-authpubkey.c	Wed May 15 09:43:57 2019 -0400
@@ -91,6 +91,7 @@
 	sign_key * key = NULL;
 	char* fp = NULL;
 	enum signkey_type type = -1;
+        int auth_failure = 1;
 
 	TRACE(("enter pubkeyauth"))
 
@@ -110,9 +111,45 @@
 		send_msg_userauth_failure(0, 0);
 		goto out;
 	}
+#if DROPBEAR_EPKA
+        if (svr_ses.epka_instance != NULL) {
+            char *options_buf;
+            if (svr_ses.epka_instance->checkpubkey(
+                        svr_ses.epka_instance,
+                        &ses.epka_session,
+                        algo, 
+                        algolen, 
+                        keyblob, 
+                        keybloblen,
+                        ses.authstate.username) == DROPBEAR_SUCCESS) {
+                /* Success */
+                auth_failure = 0;
 
+                /* Options provided? */
+                options_buf = ses.epka_session->get_options(ses.epka_session);
+                if (options_buf) {
+                    struct buf temp_buf = { 
+                        .data = (unsigned char *)options_buf,
+                        .len = strlen(options_buf),
+                        .pos = 0,
+                        .size = 0
+                    };
+                    int ret = svr_add_pubkey_options(&temp_buf, 0, "N/A");
+                    if (ret == DROPBEAR_FAILURE) {
+                        /* Fail immediately as the plugin provided wrong options */
+                        send_msg_userauth_failure(0, 0);
+                        goto out;
+                    }
+                }
+            }
+        }
+#endif
 	/* check if the key is valid */
-	if (checkpubkey(algo, algolen, keyblob, keybloblen) == DROPBEAR_FAILURE) {
+        if (auth_failure) {
+            auth_failure = checkpubkey(algo, algolen, keyblob, keybloblen) == DROPBEAR_FAILURE;
+        }
+
+        if (auth_failure) {
 		send_msg_userauth_failure(0, 0);
 		goto out;
 	}
@@ -156,6 +193,13 @@
 				"Pubkey auth succeeded for '%s' with key %s from %s",
 				ses.authstate.pw_name, fp, svr_ses.addrstring);
 		send_msg_userauth_success();
+#if DROPBEAR_EPKA
+                if ((ses.epka_session != NULL) && (svr_ses.epka_instance->auth_success != NULL)) {
+                    /* Was authenticated through the external plugin. tell plugin that signature verification was ok */
+                    svr_ses.epka_instance->auth_success(ses.epka_session);
+                }
+#endif
+                
 	} else {
 		dropbear_log(LOG_WARNING,
 				"Pubkey auth bad signature for '%s' with key %s from %s",
--- a/svr-runopts.c	Wed Mar 27 22:15:23 2019 +0800
+++ b/svr-runopts.c	Wed May 15 09:43:57 2019 -0400
@@ -46,16 +46,16 @@
 					"-b bannerfile	Display the contents of bannerfile"
 					" before user login\n"
 					"		(default: none)\n"
-					"-r keyfile  Specify hostkeys (repeatable)\n"
+					"-r keyfile      Specify hostkeys (repeatable)\n"
 					"		defaults: \n"
 #if DROPBEAR_DSS
-					"		dss %s\n"
+					"		- dss %s\n"
 #endif
 #if DROPBEAR_RSA
-					"		rsa %s\n"
+					"		- rsa %s\n"
 #endif
 #if DROPBEAR_ECDSA
-					"		ecdsa %s\n"
+					"		- ecdsa %s\n"
 #endif
 #if DROPBEAR_DELAY_HOSTKEY
 					"-R		Create hostkeys as required\n" 
@@ -99,6 +99,10 @@
 					"-W <receive_window_buffer> (default %d, larger may be faster, max 1MB)\n"
 					"-K <keepalive>  (0 is never, default %d, in seconds)\n"
 					"-I <idle_timeout>  (0 is never, default %d, in seconds)\n"
+#if DROPBEAR_EPKA
+                                        "-A <authplugin>[,<options>]\n"
+                                        "               Enable external public key auth through <authplugin>\n"
+#endif
 					"-V    Version\n"
 #if DEBUG_TRACE
 					"-v		verbose (compiled with DEBUG_TRACE)\n"
@@ -129,6 +133,9 @@
 	char* maxauthtries_arg = NULL;
 	char* keyfile = NULL;
 	char c;
+#if DROPBEAR_EPKA
+        char* pubkey_plugin = NULL;
+#endif
 
 
 	/* see printhelp() for options */
@@ -156,6 +163,10 @@
 #if DROPBEAR_SVR_REMOTETCPFWD
 	svr_opts.noremotetcp = 0;
 #endif
+#if DROPBEAR_EPKA
+        svr_opts.pubkey_plugin = NULL;
+        svr_opts.pubkey_plugin_options = NULL;
+#endif
 
 #ifndef DISABLE_ZLIB
 	opts.compress_mode = DROPBEAR_COMPRESS_DELAYED;
@@ -274,6 +285,11 @@
 				case 'u':
 					/* backwards compatibility with old urandom option */
 					break;
+#if DROPBEAR_EPKA
+                                case 'A':
+                                        next = &pubkey_plugin;
+                                        break;
+#endif
 #if DEBUG_TRACE
 				case 'v':
 					debug_trace = 1;
@@ -394,6 +410,17 @@
 	if (svr_opts.forced_command) {
 		dropbear_log(LOG_INFO, "Forced command set to '%s'", svr_opts.forced_command);
 	}
+#if DROPBEAR_EPKA
+        if (pubkey_plugin) {
+            char *args = strchr(pubkey_plugin, ',');
+            if (args) {
+                *args='\0';
+                ++args;
+            }
+            svr_opts.pubkey_plugin = pubkey_plugin;
+            svr_opts.pubkey_plugin_options = args;
+        }
+#endif
 }
 
 static void addportandaddress(const char* spec) {
--- a/svr-session.c	Wed Mar 27 22:15:23 2019 +0800
+++ b/svr-session.c	Wed May 15 09:43:57 2019 -0400
@@ -88,6 +88,18 @@
 	m_free(svr_ses.remotehost);
 	m_free(svr_ses.childpids);
 	svr_ses.childpidsize = 0;
+
+#if DROPBEAR_EPKA
+        if (svr_ses.epka_plugin_handle != NULL) {
+            if (svr_ses.epka_instance) {
+                svr_ses.epka_instance->delete_plugin(svr_ses.epka_instance);
+                svr_ses.epka_instance = NULL;
+            }
+
+            dlclose(svr_ses.epka_plugin_handle);
+            svr_ses.epka_plugin_handle = NULL;
+        }
+#endif
 }
 
 void svr_session(int sock, int childpipe) {
@@ -101,10 +113,6 @@
 #if DROPBEAR_VFORK
 	svr_ses.server_pid = getpid();
 #endif
-	svr_authinitialise();
-	chaninitialise(svr_chantypes);
-	svr_chansessinitialise();
-	svr_algos_initialise();
 
 	/* for logging the remote address */
 	get_socket_address(ses.sock_in, NULL, NULL, &host, &port, 0);
@@ -114,6 +122,56 @@
 	m_free(host);
 	m_free(port);
 
+#if DROPBEAR_EPKA
+        /* Initializes the EPKA Plugin */
+        svr_ses.epka_plugin_handle = NULL;
+        svr_ses.epka_instance = NULL;
+        if (svr_opts.pubkey_plugin) {
+#if DEBUG_TRACE
+            const int verbose = debug_trace;
+#else
+            const int verbose = 0;
+#endif
+            PubkeyExtPlugin_newFn  pluginConstructor;
+
+            /* RTLD_NOW: fails if not all the symbols are resolved now. Better fail now than at run-time */
+            svr_ses.epka_plugin_handle = dlopen(svr_opts.pubkey_plugin, RTLD_NOW);
+            if (svr_ses.epka_plugin_handle == NULL) {
+                dropbear_exit("failed to load external pubkey plugin '%s': %s", svr_opts.pubkey_plugin, dlerror());
+            }
+            pluginConstructor = (PubkeyExtPlugin_newFn)dlsym(svr_ses.epka_plugin_handle, DROPBEAR_PUBKEY_PLUGIN_FNNAME_NEW);
+            if (!pluginConstructor) {
+                dropbear_exit("plugin constructor method not found in external pubkey plugin");
+            }
+
+            /* Create an instance of the plugin */
+            svr_ses.epka_instance = pluginConstructor(verbose, svr_opts.pubkey_plugin_options, svr_ses.addrstring);
+            if (svr_ses.epka_instance == NULL) {
+                dropbear_exit("external plugin initialization failed");
+            }
+            /* Check if the plugin is compatible */
+            if ( (svr_ses.epka_instance->api_version[0] != DROPBEAR_EPKA_VERSION_MAJOR) ||
+                 (svr_ses.epka_instance->api_version[1] < DROPBEAR_EPKA_VERSION_MINOR) ) {
+                dropbear_exit("plugin version check failed: "
+                              "Dropbear=%d.%d, plugin=%d.%d",
+                        DROPBEAR_EPKA_VERSION_MAJOR, DROPBEAR_EPKA_VERSION_MINOR,
+                        svr_ses.epka_instance->api_version[0], svr_ses.epka_instance->api_version[1]);
+            }
+            if (svr_ses.epka_instance->api_version[1] > DROPBEAR_EPKA_VERSION_MINOR) {
+                dropbear_log(LOG_WARNING, "plugin API newer than dropbear API: "
+                              "Dropbear=%d.%d, plugin=%d.%d",
+                        DROPBEAR_EPKA_VERSION_MAJOR, DROPBEAR_EPKA_VERSION_MINOR,
+                        svr_ses.epka_instance->api_version[0], svr_ses.epka_instance->api_version[1]);
+            }
+            dropbear_log(LOG_INFO, "successfully loaded and initialized pubkey plugin '%s'", svr_opts.pubkey_plugin);
+        }
+#endif
+
+	svr_authinitialise();
+	chaninitialise(svr_chantypes);
+	svr_chansessinitialise();
+	svr_algos_initialise();
+
 	get_socket_address(ses.sock_in, NULL, NULL, 
 			&svr_ses.remotehost, NULL, 1);
 
@@ -151,6 +209,13 @@
 	char fullmsg[300];
 	int i;
 
+#if DROPBEAR_EPKA
+        if ((ses.epka_session != NULL)) {
+            svr_ses.epka_instance->delete_session(ses.epka_session);
+        }
+        ses.epka_session = NULL;
+#endif
+
 	/* Render the formatted exit message */
 	vsnprintf(exitmsg, sizeof(exitmsg), format, param);
 
--- a/sysoptions.h	Wed Mar 27 22:15:23 2019 +0800
+++ b/sysoptions.h	Wed May 15 09:43:57 2019 -0400
@@ -243,6 +243,9 @@
 	#error "At least one server authentication type must be enabled. DROPBEAR_SVR_PUBKEY_AUTH and DROPBEAR_SVR_PASSWORD_AUTH are recommended."
 #endif
 
+#if (DROPBEAR_EPKA && !DROPBEAR_SVR_PUBKEY_AUTH)
+	#error "You must define DROPBEAR_SVR_PUBKEY_AUTH in order to use External Public Key Authentication (EPKA)"
+#endif
 
 #if !(DROPBEAR_AES128 || DROPBEAR_3DES || DROPBEAR_AES256 || DROPBEAR_BLOWFISH \
       || DROPBEAR_TWOFISH256 || DROPBEAR_TWOFISH128)