Merge pull request #453 from JacobBarthelmeh/sshd-certs

adding X509 authentication of host

Author: ejohnstown

apps/wolfsshd/auth.c

@@ -30,6 +30,7 @@ USER_NODE* AddNewUser(USER_NODE* list, byte type, const byte* username,
 
 void SetAuthKeysPattern(const char* pattern);
 int DefaultUserAuth(byte authType, WS_UserAuthData* authData, void* ctx);
+int DefaultUserAuthTypes(WOLFSSH* ssh, void* ctx);
 
 typedef struct WOLFSSHD_AUTH WOLFSSHD_AUTH;
 
@@ -51,8 +52,9 @@ typedef int (*CallbackCheckPassword)(const char* usr, const byte* psw,
  * Returns WSSHD_AUTH_SUCCESS if public key ok, WSSHD_AUTH_FAILURE if key not
  * ok, and negative values if an error occurs during checking.
  */
-typedef int (*CallbackCheckPublicKey)(const char* usr, const byte* key,
-    word32 keySz);
+typedef int (*CallbackCheckPublicKey)(const char* usr,
+                                      const WS_UserAuthData_PublicKey* pubKey,
+                                      const char* usrCaKeysFile);
 
 WOLFSSHD_AUTH* wolfSSHD_AuthCreateUser(void* heap, const WOLFSSHD_CONFIG* conf);
 int wolfSSHD_AuthFreeUser(WOLFSSHD_AUTH* auth);

apps/wolfsshd/auth.h

@@ -57,6 +57,8 @@ struct WOLFSSHD_CONFIG {
     char* chrootDir;
     char* ciphers;
     char* hostKeyFile;
+    char* hostCertFile;
+    char* userCAKeysFile;
     char* hostKeyAlgos;
     char* kekAlgos;
     char* listenAddress;
@@ -70,6 +72,7 @@ struct WOLFSSHD_CONFIG {
     byte pubKeyAuth:1;
     byte permitRootLogin:1;
     byte permitEmptyPasswords:1;
+    byte authKeysFileSet:1; /* if not set then no explicit authorized keys */
 };
 
 int CountWhitespace(const char* in, int inSz, byte inv);
@@ -290,6 +293,7 @@ void wolfSSHD_ConfigFree(WOLFSSHD_CONFIG* conf)
         FreeString(&current->listenAddress, heap);
         FreeString(&current->authKeysFile,  heap);
         FreeString(&current->hostKeyFile,   heap);
+        FreeString(&current->hostCertFile,  heap);
 
         WFREE(current, heap, DYNTYPE_SSHD);
         current = next;
@@ -324,9 +328,11 @@ enum {
     OPT_CHROOT_DIR              = 17,
     OPT_MATCH                   = 18,
     OPT_FORCE_CMD               = 19,
+    OPT_HOST_CERT               = 20,
+    OPT_TRUSTED_USER_CA_KEYS    = 21,
 };
 enum {
-    NUM_OPTIONS = 20
+    NUM_OPTIONS = 22
 };
 
 static const CONFIG_OPTION options[NUM_OPTIONS] = {
@@ -350,6 +356,8 @@ static const CONFIG_OPTION options[NUM_OPTIONS] = {
     {OPT_CHROOT_DIR,              "ChrootDirectory"},
     {OPT_MATCH,                   "Match"},
     {OPT_FORCE_CMD,               "ForceCommand"},
+    {OPT_HOST_CERT,               "HostCertificate"},
+    {OPT_TRUSTED_USER_CA_KEYS,    "TrustedUserCAKeys"},
 };
 
 /* returns WS_SUCCESS on success */
@@ -471,6 +479,7 @@ static int HandlePwAuth(WOLFSSHD_CONFIG* conf, const char* value)
 
     if (ret == WS_SUCCESS) {
         if (WSTRCMP(value, "no") == 0) {
+            wolfSSH_Log(WS_LOG_INFO, "[SSHD] password authentication disabled");
             conf->passwordAuth = 0;
         }
         else if (WSTRCMP(value, "yes") == 0) {
@@ -912,6 +921,7 @@ static int HandleConfigOption(WOLFSSHD_CONFIG** conf, int opt,
 
     switch (opt) {
         case OPT_AUTH_KEYS_FILE:
+            (*conf)->authKeysFileSet = 1;
             ret = wolfSSHD_ConfigSetAuthKeysFile(*conf, value);
             break;
         case OPT_PRIV_SEP:
@@ -955,6 +965,10 @@ static int HandleConfigOption(WOLFSSHD_CONFIG** conf, int opt,
             /* TODO: Add logic to check if file exists? */
             ret = wolfSSHD_ConfigSetHostKeyFile(*conf, value);
             break;
+        case OPT_HOST_CERT:
+            /* TODO: Add logic to check if file exists? */
+            ret = wolfSSHD_ConfigSetHostCertFile(*conf, value);
+            break;
         case OPT_PASSWORD_AUTH:
             ret = HandlePwAuth(*conf, value);
             break;
@@ -981,6 +995,10 @@ static int HandleConfigOption(WOLFSSHD_CONFIG** conf, int opt,
         case OPT_FORCE_CMD:
             ret = HandleForcedCommand(*conf, full, fullSz);
             break;
+        case OPT_TRUSTED_USER_CA_KEYS:
+            /* TODO: Add logic to check if file exists? */
+            ret = wolfSSHD_ConfigSetUserCAKeysFile(*conf, value);
+            break;
         default:
             break;
     }
@@ -1178,6 +1196,19 @@ char* wolfSSHD_ConfigGetAuthKeysFile(const WOLFSSHD_CONFIG* conf)
     return ret;
 }
 
+
+/* returns 1 if the authorized keys file was set and 0 if not */
+int wolfSSHD_ConfigGetAuthKeysFileSet(const WOLFSSHD_CONFIG* conf)
+{
+    int ret = 0;
+
+    if (conf != NULL) {
+        ret = conf->authKeysFileSet;
+    }
+
+    return ret;
+}
+
 int wolfSSHD_ConfigSetAuthKeysFile(WOLFSSHD_CONFIG* conf, const char* file)
 {
     int ret = WS_SUCCESS;
@@ -1234,29 +1265,95 @@ char* wolfSSHD_ConfigGetHostKeyFile(const WOLFSSHD_CONFIG* conf)
     return ret;
 }
 
-int wolfSSHD_ConfigSetHostKeyFile(WOLFSSHD_CONFIG* conf, const char* file)
+char* wolfSSHD_ConfigGetHostCertFile(const WOLFSSHD_CONFIG* conf)
+{
+    char* ret = NULL;
+
+    if (conf != NULL) {
+        ret = conf->hostCertFile;
+    }
+
+    return ret;
+}
+
+char* wolfSSHD_ConfigGetUserCAKeysFile(const WOLFSSHD_CONFIG* conf)
+{
+    char* ret = NULL;
+
+    if (conf != NULL) {
+        ret = conf->userCAKeysFile;
+    }
+
+    return ret;
+}
+
+static int SetFileString(char** dst, const char* src, void* heap)
 {
     int ret = WS_SUCCESS;
 
-    if (conf == NULL) {
+    if (dst == NULL) {
         ret = WS_BAD_ARGUMENT;
     }
 
     if (ret == WS_SUCCESS) {
-        if (conf->hostKeyFile != NULL) {
-            FreeString(&conf->hostKeyFile, conf->heap);
-            conf->hostKeyFile = NULL;
+        if (*dst != NULL) {
+            FreeString(dst, heap);
+            *dst = NULL;
         }
 
-        if (file != NULL) {
-            ret = CreateString(&conf->hostKeyFile, file,
-                                        (int)WSTRLEN(file), conf->heap);
+        if (src != NULL) {
+            ret = CreateString(dst, src, (int)WSTRLEN(src), heap);
         }
     }
 
     return ret;
 }
 
+int wolfSSHD_ConfigSetHostKeyFile(WOLFSSHD_CONFIG* conf, const char* file)
+{
+    int ret = WS_SUCCESS;
+
+    if (conf == NULL) {
+        ret = WS_BAD_ARGUMENT;
+    }
+
+    if (ret == WS_SUCCESS) {
+        ret = SetFileString(&conf->hostKeyFile, file, conf->heap);
+    }
+
+    return ret;
+}
+
+int wolfSSHD_ConfigSetHostCertFile(WOLFSSHD_CONFIG* conf, const char* file)
+{
+    int ret = WS_SUCCESS;
+
+    if (conf == NULL) {
+        ret = WS_BAD_ARGUMENT;
+    }
+
+    if (ret == WS_SUCCESS) {
+        ret = SetFileString(&conf->hostCertFile, file, conf->heap);
+    }
+
+    return ret;
+}
+
+int wolfSSHD_ConfigSetUserCAKeysFile(WOLFSSHD_CONFIG* conf, const char* file)
+{
+    int ret = WS_SUCCESS;
+
+    if (conf == NULL) {
+        ret = WS_BAD_ARGUMENT;
+    }
+
+    if (ret == WS_SUCCESS) {
+        ret = SetFileString(&conf->userCAKeysFile, file, conf->heap);
+    }
+
+    return ret;
+}
+
 word16 wolfSSHD_ConfigGetPort(const WOLFSSHD_CONFIG* conf)
 {
     word16 ret = 0;

apps/wolfsshd/configuration.c

@@ -38,9 +38,14 @@ char* wolfSSHD_ConfigGetForcedCmd(const WOLFSSHD_CONFIG* conf);
 char* wolfSSHD_ConfigGetBanner(const WOLFSSHD_CONFIG* conf);
 char* wolfSSHD_ConfigGetChroot(const WOLFSSHD_CONFIG* conf);
 char* wolfSSHD_ConfigGetHostKeyFile(const WOLFSSHD_CONFIG* conf);
+char* wolfSSHD_ConfigGetHostCertFile(const WOLFSSHD_CONFIG* conf);
+char* wolfSSHD_ConfigGetUserCAKeysFile(const WOLFSSHD_CONFIG* conf);
 int wolfSSHD_ConfigSetHostKeyFile(WOLFSSHD_CONFIG* conf, const char* file);
+int wolfSSHD_ConfigSetHostCertFile(WOLFSSHD_CONFIG* conf, const char* file);
+int wolfSSHD_ConfigSetUserCAKeysFile(WOLFSSHD_CONFIG* conf, const char* file);
 word16 wolfSSHD_ConfigGetPort(const WOLFSSHD_CONFIG* conf);
 char* wolfSSHD_ConfigGetAuthKeysFile(const WOLFSSHD_CONFIG* conf);
+int wolfSSHD_ConfigGetAuthKeysFileSet(const WOLFSSHD_CONFIG* conf);
 int wolfSSHD_ConfigSetAuthKeysFile(WOLFSSHD_CONFIG* conf, const char* file);
 byte wolfSSHD_ConfigGetPermitEmptyPw(const WOLFSSHD_CONFIG* conf);
 byte wolfSSHD_ConfigGetPermitRoot(const WOLFSSHD_CONFIG* conf);