atsign-foundation · gkc · Oct 1, 2024 · Sep 28, 2024 · Sep 28, 2024 · Sep 28, 2024
diff --git a/packages/c/sshnpd/CMakeLists.txt b/packages/c/sshnpd/CMakeLists.txt
@@ -18,6 +18,7 @@ set(
   ${CMAKE_CURRENT_LIST_DIR}/src/handler_commons.c
   ${CMAKE_CURRENT_LIST_DIR}/src/main.c
   ${CMAKE_CURRENT_LIST_DIR}/src/params.c
+  ${CMAKE_CURRENT_LIST_DIR}/src/permitopen.c
   ${CMAKE_CURRENT_LIST_DIR}/src/run_srv_process.c
 )
 

diff --git a/packages/c/sshnpd/include/sshnpd/params.h b/packages/c/sshnpd/include/sshnpd/params.h
@@ -21,8 +21,11 @@ struct _sshnpd_params {
   size_t manager_list_len;
   char **manager_list;
 
+  char *policy;
+
   size_t permitopen_len;
-  char **permitopen;
+  char **permitopen_hosts;
+  uint16_t *permitopen_ports; // 0 = '*'
   char *permitopen_str;
   bool should_free_permitopen_str;
 

diff --git a/packages/c/sshnpd/include/sshnpd/permitopen.h b/packages/c/sshnpd/include/sshnpd/permitopen.h
@@ -0,0 +1,25 @@
+#ifndef SSHNPD_PERMITOPEN_H
+#define SSHNPD_PERMITOPEN_H
+#include <atlogger/atlogger.h>
+#include <stdbool.h>
+#include <stddef.h>
+#include <stdint.h>
+
+// atlogger won't be available during the initial parsing of the parameters
+// (since we are waiting for the verbose flag to be set)
+int parse_permitopen(char *input, char ***permitopen_hosts, uint16_t **permitopen_ports, size_t *permitopen_len,
+                     bool is_logger_available);
+
+struct _permitopen_params {
+  char *requested_host;
+  uint16_t requested_port;
+
+  char **permitopen_hosts;
+  uint16_t *permitopen_ports;
+  size_t permitopen_len;
+};
+
+typedef struct _permitopen_params permitopen_params;
+
+bool should_permitopen(struct _permitopen_params *params);
+#endif
diff --git a/packages/c/sshnpd/src/handle_npt_request.c b/packages/c/sshnpd/src/handle_npt_request.c
@@ -1,5 +1,5 @@
-#include "atclient/request_options.h"
 #include "sshnpd/params.h"
+#include "sshnpd/permitopen.h"
 #include "sshnpd/sshnpd.h"
 #include <atchops/aes.h>
 #include <atchops/base64.h>
@@ -106,6 +106,24 @@ void handle_npt_request(atclient *atclient, pthread_mutex_t *atclient_lock, sshn
     return;
   }
 
+  // NPT ONLY
+  // Don't try optimizing this to reuse the permitopen struct from main.c.
+  // none of the memory duplication here is expensive, and it's a surface for bugs
+  permitopen_params permitopen;
+  permitopen.permitopen_len = params->permitopen_len;
+  permitopen.permitopen_hosts = params->permitopen_hosts;
+  permitopen.permitopen_ports = params->permitopen_ports;
+  permitopen.requested_host = cJSON_GetStringValue(requested_host);
+  permitopen.requested_port = cJSON_GetNumberValue(requested_port);
+
+  if (!should_permitopen(&permitopen)) {
+    atlogger_log(LOGGER_TAG, ATLOGGER_LOGGING_LEVEL_DEBUG, "Ignoring request to localhost:%d\n",
+                 permitopen.requested_port);
+    cJSON_Delete(envelope);
+    return;
+  }
+  // END NPT ONLY
+
   // These values do not need to be asserted for v4 compatibility, only for v5
 
   cJSON *auth_to_rvd = cJSON_GetObjectItem(payload, "authenticateToRvd");
@@ -138,15 +156,13 @@ void handle_npt_request(atclient *atclient, pthread_mutex_t *atclient_lock, sshn
   char *buffer = NULL;
 
   res = atclient_get_public_key(atclient, &atkey, &buffer, NULL);
+  atclient_atkey_free(&atkey);
   if (res != 0) {
     atlogger_log(LOGGER_TAG, ATLOGGER_LOGGING_LEVEL_ERROR, "Failed to get public key\n");
-    atclient_atkey_free(&atkey);
     cJSON_Delete(envelope);
     return;
   }
 
-  atclient_atkey_free(&atkey);
-
   atchops_rsa_key_public_key requesting_atsign_publickey;
   atchops_rsa_key_public_key_init(&requesting_atsign_publickey);
 
@@ -272,7 +288,7 @@ void handle_npt_request(atclient *atclient, pthread_mutex_t *atclient_lock, sshn
   if (!encrypt_rvd_traffic) {
     atlogger_log(LOGGER_TAG, ATLOGGER_LOGGING_LEVEL_ERROR, "encryptRvdTraffic=false is not supported by this daemon\n");
     if (authenticate_to_rvd) {
-      free(rvd_auth_string);
+      cJSON_free(rvd_auth_string);
     }
     cJSON_Delete(envelope);
     return;
@@ -284,7 +300,7 @@ void handle_npt_request(atclient *atclient, pthread_mutex_t *atclient_lock, sshn
                  "encryptRvdTraffic was requested, but no client ephemeral public key / key type was provided\n");
 
     if (authenticate_to_rvd) {
-      free(rvd_auth_string);
+      cJSON_free(rvd_auth_string);
     }
     cJSON_Delete(envelope);
     return;
@@ -294,7 +310,7 @@ void handle_npt_request(atclient *atclient, pthread_mutex_t *atclient_lock, sshn
   if ((res = atchops_aes_generate_key(key, ATCHOPS_AES_256)) != 0) {
     atlogger_log(LOGGER_TAG, ATLOGGER_LOGGING_LEVEL_ERROR, "Failed to generate session aes key\n");
     if (authenticate_to_rvd) {
-      free(rvd_auth_string);
+      cJSON_free(rvd_auth_string);
     }
     cJSON_Delete(envelope);
     return;
@@ -305,7 +321,7 @@ void handle_npt_request(atclient *atclient, pthread_mutex_t *atclient_lock, sshn
   if (res != 0) {
     atlogger_log(LOGGER_TAG, ATLOGGER_LOGGING_LEVEL_ERROR, "Failed to generate session aes key\n");
     if (authenticate_to_rvd) {
-      free(rvd_auth_string);
+      cJSON_free(rvd_auth_string);
     }
     cJSON_Delete(envelope);
     return;
@@ -315,7 +331,7 @@ void handle_npt_request(atclient *atclient, pthread_mutex_t *atclient_lock, sshn
   if ((res = atchops_iv_generate(iv)) != 0) {
     atlogger_log(LOGGER_TAG, ATLOGGER_LOGGING_LEVEL_ERROR, "Failed to generate session iv\n");
     if (authenticate_to_rvd) {
-      free(rvd_auth_string);
+      cJSON_free(rvd_auth_string);
     }
     cJSON_Delete(envelope);
     return;
@@ -326,7 +342,7 @@ void handle_npt_request(atclient *atclient, pthread_mutex_t *atclient_lock, sshn
   if (res != 0) {
     atlogger_log(LOGGER_TAG, ATLOGGER_LOGGING_LEVEL_ERROR, "Failed to generate session iv\n");
     if (authenticate_to_rvd) {
-      free(rvd_auth_string);
+      cJSON_free(rvd_auth_string);
     }
     cJSON_Delete(envelope);
     return;
@@ -348,7 +364,7 @@ void handle_npt_request(atclient *atclient, pthread_mutex_t *atclient_lock, sshn
         atlogger_log(LOGGER_TAG, ATLOGGER_LOGGING_LEVEL_ERROR, "Failed to populate client ephemeral pk\n");
         atchops_rsa_key_public_key_free(&ac);
         if (authenticate_to_rvd) {
-          free(rvd_auth_string);
+          cJSON_free(rvd_auth_string);
         }
         cJSON_Delete(envelope);
         return;
@@ -360,7 +376,7 @@ void handle_npt_request(atclient *atclient, pthread_mutex_t *atclient_lock, sshn
                      "Failed to allocate memory to encrypt the session aes key\n");
         atchops_rsa_key_public_key_free(&ac);
         if (authenticate_to_rvd) {
-          free(rvd_auth_string);
+          cJSON_free(rvd_auth_string);
         }
         cJSON_Delete(envelope);
         return;
@@ -371,7 +387,7 @@ void handle_npt_request(atclient *atclient, pthread_mutex_t *atclient_lock, sshn
         atlogger_log(LOGGER_TAG, ATLOGGER_LOGGING_LEVEL_ERROR, "Failed to encrypt the session aes key\n");
         atchops_rsa_key_public_key_free(&ac);
         if (authenticate_to_rvd) {
-          free(rvd_auth_string);
+          cJSON_free(rvd_auth_string);
         }
         free(session_aes_key_encrypted);
         cJSON_Delete(envelope);
@@ -387,7 +403,7 @@ void handle_npt_request(atclient *atclient, pthread_mutex_t *atclient_lock, sshn
                      "Failed to allocate memory to base64 encode the session aes key\n");
         atchops_rsa_key_public_key_free(&ac);
         if (authenticate_to_rvd) {
-          free(rvd_auth_string);
+          cJSON_free(rvd_auth_string);
         }
         free(session_aes_key_encrypted);
         cJSON_Delete(envelope);
@@ -402,7 +418,7 @@ void handle_npt_request(atclient *atclient, pthread_mutex_t *atclient_lock, sshn
         atlogger_log(LOGGER_TAG, ATLOGGER_LOGGING_LEVEL_ERROR, "Failed to base64 encode the session aes key\n");
         atchops_rsa_key_public_key_free(&ac);
         if (authenticate_to_rvd) {
-          free(rvd_auth_string);
+          cJSON_free(rvd_auth_string);
         }
         free(session_aes_key_base64);
         free(session_aes_key_encrypted);
@@ -418,7 +434,7 @@ void handle_npt_request(atclient *atclient, pthread_mutex_t *atclient_lock, sshn
         atlogger_log(LOGGER_TAG, ATLOGGER_LOGGING_LEVEL_ERROR, "Failed to allocate memory to encrypt the session iv\n");
         atchops_rsa_key_public_key_free(&ac);
         if (authenticate_to_rvd) {
-          free(rvd_auth_string);
+          cJSON_free(rvd_auth_string);
         }
         free(session_aes_key_base64);
         cJSON_Delete(envelope);
@@ -431,7 +447,7 @@ void handle_npt_request(atclient *atclient, pthread_mutex_t *atclient_lock, sshn
       if (res != 0) {
         atlogger_log(LOGGER_TAG, ATLOGGER_LOGGING_LEVEL_ERROR, "Failed to encrypt the session iv\n");
         if (authenticate_to_rvd) {
-          free(rvd_auth_string);
+          cJSON_free(rvd_auth_string);
         }
         free(session_iv_encrypted);
         free(session_aes_key_base64);
@@ -446,7 +462,7 @@ void handle_npt_request(atclient *atclient, pthread_mutex_t *atclient_lock, sshn
         atlogger_log(LOGGER_TAG, ATLOGGER_LOGGING_LEVEL_ERROR,
                      "Failed to allocate memory to base64 encode the session iv\n");
         if (authenticate_to_rvd) {
-          free(rvd_auth_string);
+          cJSON_free(rvd_auth_string);
         }
         free(session_iv_encrypted);
         free(session_aes_key_base64);
@@ -461,7 +477,7 @@ void handle_npt_request(atclient *atclient, pthread_mutex_t *atclient_lock, sshn
       if (res != 0) {
         atlogger_log(LOGGER_TAG, ATLOGGER_LOGGING_LEVEL_ERROR, "Failed to base64 encode the session iv\n");
         if (authenticate_to_rvd) {
-          free(rvd_auth_string);
+          cJSON_free(rvd_auth_string);
         }
         free(session_iv_base64);
         free(session_iv_encrypted);
@@ -480,7 +496,7 @@ void handle_npt_request(atclient *atclient, pthread_mutex_t *atclient_lock, sshn
     atlogger_log(LOGGER_TAG, ATLOGGER_LOGGING_LEVEL_ERROR,
                  "%s is not an accepted key type for encrypting the aes key\n", pk_type);
     if (authenticate_to_rvd) {
-      free(rvd_auth_string);
+      cJSON_free(rvd_auth_string);
     }
     cJSON_Delete(envelope);
     return;
@@ -517,13 +533,10 @@ void handle_npt_request(atclient *atclient, pthread_mutex_t *atclient_lock, sshn
 
     int res = run_srv_process(rvd_host_str, rvd_port_int, requested_host_str, requested_port_int, authenticate_to_rvd,
                               rvd_auth_string, encrypt_rvd_traffic, multi, session_aes_key, session_iv);
-    free(rvd_host_str);
-    free(requested_host_str);
-
     *is_child_process = true;
 
     if (authenticate_to_rvd) {
-      free(rvd_auth_string);
+      cJSON_free(rvd_auth_string);
     }
     cJSON_Delete(envelope);
     exit(res);
@@ -652,7 +665,7 @@ void handle_npt_request(atclient *atclient, pthread_mutex_t *atclient_lock, sshn
   clean_res: { free(keyname); }
   clean_final_res_value: {
     atclient_atkey_free(&final_res_atkey);
-    free(final_res_value);
+    cJSON_free(final_res_value);
   }
   clean_json: {
     cJSON_Delete(final_res_envelope);
@@ -665,7 +678,7 @@ void handle_npt_request(atclient *atclient, pthread_mutex_t *atclient_lock, sshn
   }
 cancel:
   if (authenticate_to_rvd) {
-    free(rvd_auth_string);
+    cJSON_free(rvd_auth_string);
   }
   if (free_session_base64) {
     free(session_iv_base64);