-
Notifications
You must be signed in to change notification settings - Fork 15
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat: permit-open #1402
Merged
Merged
feat: permit-open #1402
Changes from 2 commits
Commits
Show all changes
10 commits
Select commit
Hold shift + click to select a range
f6a5f06
feat: permit-open
XavierChanth 2c4d59f
chore: clean up
XavierChanth 126c57a
Merge branch 'trunk' into c-sshnpd-permit-open
XavierChanth 90808fa
chore: add todo
XavierChanth e9f16be
fix: tests
XavierChanth 9421613
test: permit open parsing and regression tests
XavierChanth e609b41
ci: add unit tests
XavierChanth a769e5f
fix: add test dependency
XavierChanth 32b47ae
Merge branch 'trunk' into c-sshnpd-permit-open
XavierChanth ebb1072
Merge branch 'trunk' into c-sshnpd-permit-open
gkc File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,25 @@ | ||
#ifndef SSHNPD_PERMITOPEN_H | ||
#define SSHNPD_PERMITOPEN_H | ||
#include <atlogger/atlogger.h> | ||
#include <stdbool.h> | ||
#include <stddef.h> | ||
#include <stdint.h> | ||
|
||
// atlogger won't be available during the initial parsing of the parameters | ||
// (since we are waiting for the verbose flag to be set) | ||
int parse_permitopen(char *input, char ***permitopen_hosts, uint16_t **permitopen_ports, size_t *permitopen_len, | ||
bool is_logger_available); | ||
|
||
struct _permitopen_params { | ||
char *requested_host; | ||
uint16_t requested_port; | ||
|
||
char **permitopen_hosts; | ||
uint16_t *permitopen_ports; | ||
size_t permitopen_len; | ||
}; | ||
|
||
typedef struct _permitopen_params permitopen_params; | ||
|
||
bool should_permitopen(struct _permitopen_params *params); | ||
#endif |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,5 +1,5 @@ | ||
#include "atclient/request_options.h" | ||
#include "sshnpd/params.h" | ||
#include "sshnpd/permitopen.h" | ||
#include "sshnpd/sshnpd.h" | ||
#include <atchops/aes.h> | ||
#include <atchops/base64.h> | ||
|
@@ -106,6 +106,24 @@ void handle_npt_request(atclient *atclient, pthread_mutex_t *atclient_lock, sshn | |
return; | ||
} | ||
|
||
// NPT ONLY | ||
// Don't try optimizing this to reuse the permitopen struct from main.c. | ||
// none of the memory duplication here is expensive, and it's a surface for bugs | ||
permitopen_params permitopen; | ||
permitopen.permitopen_len = params->permitopen_len; | ||
permitopen.permitopen_hosts = params->permitopen_hosts; | ||
permitopen.permitopen_ports = params->permitopen_ports; | ||
permitopen.requested_host = cJSON_GetStringValue(requested_host); | ||
permitopen.requested_port = cJSON_GetNumberValue(requested_port); | ||
|
||
if (!should_permitopen(&permitopen)) { | ||
atlogger_log(LOGGER_TAG, ATLOGGER_LOGGING_LEVEL_DEBUG, "Ignoring request to localhost:%d\n", | ||
permitopen.requested_port); | ||
cJSON_Delete(envelope); | ||
return; | ||
} | ||
// END NPT ONLY | ||
|
||
Comment on lines
+109
to
+126
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. handle permit open check for npt, after envelope has been decoded |
||
// These values do not need to be asserted for v4 compatibility, only for v5 | ||
|
||
cJSON *auth_to_rvd = cJSON_GetObjectItem(payload, "authenticateToRvd"); | ||
|
@@ -138,15 +156,13 @@ void handle_npt_request(atclient *atclient, pthread_mutex_t *atclient_lock, sshn | |
char *buffer = NULL; | ||
|
||
res = atclient_get_public_key(atclient, &atkey, &buffer, NULL); | ||
atclient_atkey_free(&atkey); | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. The rest of this file is memory clean up |
||
if (res != 0) { | ||
atlogger_log(LOGGER_TAG, ATLOGGER_LOGGING_LEVEL_ERROR, "Failed to get public key\n"); | ||
atclient_atkey_free(&atkey); | ||
cJSON_Delete(envelope); | ||
return; | ||
} | ||
|
||
atclient_atkey_free(&atkey); | ||
|
||
atchops_rsa_key_public_key requesting_atsign_publickey; | ||
atchops_rsa_key_public_key_init(&requesting_atsign_publickey); | ||
|
||
|
@@ -272,7 +288,7 @@ void handle_npt_request(atclient *atclient, pthread_mutex_t *atclient_lock, sshn | |
if (!encrypt_rvd_traffic) { | ||
atlogger_log(LOGGER_TAG, ATLOGGER_LOGGING_LEVEL_ERROR, "encryptRvdTraffic=false is not supported by this daemon\n"); | ||
if (authenticate_to_rvd) { | ||
free(rvd_auth_string); | ||
cJSON_free(rvd_auth_string); | ||
} | ||
cJSON_Delete(envelope); | ||
return; | ||
|
@@ -284,7 +300,7 @@ void handle_npt_request(atclient *atclient, pthread_mutex_t *atclient_lock, sshn | |
"encryptRvdTraffic was requested, but no client ephemeral public key / key type was provided\n"); | ||
|
||
if (authenticate_to_rvd) { | ||
free(rvd_auth_string); | ||
cJSON_free(rvd_auth_string); | ||
} | ||
cJSON_Delete(envelope); | ||
return; | ||
|
@@ -294,7 +310,7 @@ void handle_npt_request(atclient *atclient, pthread_mutex_t *atclient_lock, sshn | |
if ((res = atchops_aes_generate_key(key, ATCHOPS_AES_256)) != 0) { | ||
atlogger_log(LOGGER_TAG, ATLOGGER_LOGGING_LEVEL_ERROR, "Failed to generate session aes key\n"); | ||
if (authenticate_to_rvd) { | ||
free(rvd_auth_string); | ||
cJSON_free(rvd_auth_string); | ||
} | ||
cJSON_Delete(envelope); | ||
return; | ||
|
@@ -305,7 +321,7 @@ void handle_npt_request(atclient *atclient, pthread_mutex_t *atclient_lock, sshn | |
if (res != 0) { | ||
atlogger_log(LOGGER_TAG, ATLOGGER_LOGGING_LEVEL_ERROR, "Failed to generate session aes key\n"); | ||
if (authenticate_to_rvd) { | ||
free(rvd_auth_string); | ||
cJSON_free(rvd_auth_string); | ||
} | ||
cJSON_Delete(envelope); | ||
return; | ||
|
@@ -315,7 +331,7 @@ void handle_npt_request(atclient *atclient, pthread_mutex_t *atclient_lock, sshn | |
if ((res = atchops_iv_generate(iv)) != 0) { | ||
atlogger_log(LOGGER_TAG, ATLOGGER_LOGGING_LEVEL_ERROR, "Failed to generate session iv\n"); | ||
if (authenticate_to_rvd) { | ||
free(rvd_auth_string); | ||
cJSON_free(rvd_auth_string); | ||
} | ||
cJSON_Delete(envelope); | ||
return; | ||
|
@@ -326,7 +342,7 @@ void handle_npt_request(atclient *atclient, pthread_mutex_t *atclient_lock, sshn | |
if (res != 0) { | ||
atlogger_log(LOGGER_TAG, ATLOGGER_LOGGING_LEVEL_ERROR, "Failed to generate session iv\n"); | ||
if (authenticate_to_rvd) { | ||
free(rvd_auth_string); | ||
cJSON_free(rvd_auth_string); | ||
} | ||
cJSON_Delete(envelope); | ||
return; | ||
|
@@ -348,7 +364,7 @@ void handle_npt_request(atclient *atclient, pthread_mutex_t *atclient_lock, sshn | |
atlogger_log(LOGGER_TAG, ATLOGGER_LOGGING_LEVEL_ERROR, "Failed to populate client ephemeral pk\n"); | ||
atchops_rsa_key_public_key_free(&ac); | ||
if (authenticate_to_rvd) { | ||
free(rvd_auth_string); | ||
cJSON_free(rvd_auth_string); | ||
} | ||
cJSON_Delete(envelope); | ||
return; | ||
|
@@ -360,7 +376,7 @@ void handle_npt_request(atclient *atclient, pthread_mutex_t *atclient_lock, sshn | |
"Failed to allocate memory to encrypt the session aes key\n"); | ||
atchops_rsa_key_public_key_free(&ac); | ||
if (authenticate_to_rvd) { | ||
free(rvd_auth_string); | ||
cJSON_free(rvd_auth_string); | ||
} | ||
cJSON_Delete(envelope); | ||
return; | ||
|
@@ -371,7 +387,7 @@ void handle_npt_request(atclient *atclient, pthread_mutex_t *atclient_lock, sshn | |
atlogger_log(LOGGER_TAG, ATLOGGER_LOGGING_LEVEL_ERROR, "Failed to encrypt the session aes key\n"); | ||
atchops_rsa_key_public_key_free(&ac); | ||
if (authenticate_to_rvd) { | ||
free(rvd_auth_string); | ||
cJSON_free(rvd_auth_string); | ||
} | ||
free(session_aes_key_encrypted); | ||
cJSON_Delete(envelope); | ||
|
@@ -387,7 +403,7 @@ void handle_npt_request(atclient *atclient, pthread_mutex_t *atclient_lock, sshn | |
"Failed to allocate memory to base64 encode the session aes key\n"); | ||
atchops_rsa_key_public_key_free(&ac); | ||
if (authenticate_to_rvd) { | ||
free(rvd_auth_string); | ||
cJSON_free(rvd_auth_string); | ||
} | ||
free(session_aes_key_encrypted); | ||
cJSON_Delete(envelope); | ||
|
@@ -402,7 +418,7 @@ void handle_npt_request(atclient *atclient, pthread_mutex_t *atclient_lock, sshn | |
atlogger_log(LOGGER_TAG, ATLOGGER_LOGGING_LEVEL_ERROR, "Failed to base64 encode the session aes key\n"); | ||
atchops_rsa_key_public_key_free(&ac); | ||
if (authenticate_to_rvd) { | ||
free(rvd_auth_string); | ||
cJSON_free(rvd_auth_string); | ||
} | ||
free(session_aes_key_base64); | ||
free(session_aes_key_encrypted); | ||
|
@@ -418,7 +434,7 @@ void handle_npt_request(atclient *atclient, pthread_mutex_t *atclient_lock, sshn | |
atlogger_log(LOGGER_TAG, ATLOGGER_LOGGING_LEVEL_ERROR, "Failed to allocate memory to encrypt the session iv\n"); | ||
atchops_rsa_key_public_key_free(&ac); | ||
if (authenticate_to_rvd) { | ||
free(rvd_auth_string); | ||
cJSON_free(rvd_auth_string); | ||
} | ||
free(session_aes_key_base64); | ||
cJSON_Delete(envelope); | ||
|
@@ -431,7 +447,7 @@ void handle_npt_request(atclient *atclient, pthread_mutex_t *atclient_lock, sshn | |
if (res != 0) { | ||
atlogger_log(LOGGER_TAG, ATLOGGER_LOGGING_LEVEL_ERROR, "Failed to encrypt the session iv\n"); | ||
if (authenticate_to_rvd) { | ||
free(rvd_auth_string); | ||
cJSON_free(rvd_auth_string); | ||
} | ||
free(session_iv_encrypted); | ||
free(session_aes_key_base64); | ||
|
@@ -446,7 +462,7 @@ void handle_npt_request(atclient *atclient, pthread_mutex_t *atclient_lock, sshn | |
atlogger_log(LOGGER_TAG, ATLOGGER_LOGGING_LEVEL_ERROR, | ||
"Failed to allocate memory to base64 encode the session iv\n"); | ||
if (authenticate_to_rvd) { | ||
free(rvd_auth_string); | ||
cJSON_free(rvd_auth_string); | ||
} | ||
free(session_iv_encrypted); | ||
free(session_aes_key_base64); | ||
|
@@ -461,7 +477,7 @@ void handle_npt_request(atclient *atclient, pthread_mutex_t *atclient_lock, sshn | |
if (res != 0) { | ||
atlogger_log(LOGGER_TAG, ATLOGGER_LOGGING_LEVEL_ERROR, "Failed to base64 encode the session iv\n"); | ||
if (authenticate_to_rvd) { | ||
free(rvd_auth_string); | ||
cJSON_free(rvd_auth_string); | ||
} | ||
free(session_iv_base64); | ||
free(session_iv_encrypted); | ||
|
@@ -480,7 +496,7 @@ void handle_npt_request(atclient *atclient, pthread_mutex_t *atclient_lock, sshn | |
atlogger_log(LOGGER_TAG, ATLOGGER_LOGGING_LEVEL_ERROR, | ||
"%s is not an accepted key type for encrypting the aes key\n", pk_type); | ||
if (authenticate_to_rvd) { | ||
free(rvd_auth_string); | ||
cJSON_free(rvd_auth_string); | ||
} | ||
cJSON_Delete(envelope); | ||
return; | ||
|
@@ -517,13 +533,10 @@ void handle_npt_request(atclient *atclient, pthread_mutex_t *atclient_lock, sshn | |
|
||
int res = run_srv_process(rvd_host_str, rvd_port_int, requested_host_str, requested_port_int, authenticate_to_rvd, | ||
rvd_auth_string, encrypt_rvd_traffic, multi, session_aes_key, session_iv); | ||
free(rvd_host_str); | ||
free(requested_host_str); | ||
|
||
*is_child_process = true; | ||
|
||
if (authenticate_to_rvd) { | ||
free(rvd_auth_string); | ||
cJSON_free(rvd_auth_string); | ||
} | ||
cJSON_Delete(envelope); | ||
exit(res); | ||
|
@@ -652,7 +665,7 @@ void handle_npt_request(atclient *atclient, pthread_mutex_t *atclient_lock, sshn | |
clean_res: { free(keyname); } | ||
clean_final_res_value: { | ||
atclient_atkey_free(&final_res_atkey); | ||
free(final_res_value); | ||
cJSON_free(final_res_value); | ||
} | ||
clean_json: { | ||
cJSON_Delete(final_res_envelope); | ||
|
@@ -665,7 +678,7 @@ void handle_npt_request(atclient *atclient, pthread_mutex_t *atclient_lock, sshn | |
} | ||
cancel: | ||
if (authenticate_to_rvd) { | ||
free(rvd_auth_string); | ||
cJSON_free(rvd_auth_string); | ||
} | ||
if (free_session_base64) { | ||
free(session_iv_base64); | ||
|
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
previously permitopen was a list of strings, but now it is split up into a list of hosts and list of ports, "*" for port = 0