From patchwork Fri Feb 19 20:01:51 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Luka Logar X-Patchwork-Id: 1442439 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=lists.openwrt.org (client-ip=2001:8b0:10b:1231::1; helo=merlin.infradead.org; envelope-from=openwrt-devel-bounces+incoming=patchwork.ozlabs.org@lists.openwrt.org; receiver=) Authentication-Results: ozlabs.org; dkim=pass (2048-bit key; secure) header.d=lists.infradead.org header.i=@lists.infradead.org header.a=rsa-sha256 header.s=merlin.20170209 header.b=OQbqX2Xt; dkim=fail reason="signature verification failed" (1024-bit key; unprotected) header.d=cifra.si header.i=@cifra.si header.a=rsa-sha256 header.s=dkim header.b=o6EkF/K+; dkim-atps=neutral Received: from merlin.infradead.org (merlin.infradead.org [IPv6:2001:8b0:10b:1231::1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 4Dj2bd3G4Nz9sW2 for ; Sat, 20 Feb 2021 07:04:29 +1100 (AEDT) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.infradead.org; s=merlin.20170209; h=Sender:Content-Transfer-Encoding: Content-Type:Cc:List-Subscribe:List-Help:List-Post:List-Archive: List-Unsubscribe:List-Id:MIME-Version:Message-Id:Date:Subject:To:From: Reply-To:Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender :Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:References:List-Owner; bh=djNf4YybSPOgyS+JiweBqmkD7Zh/wKPxv4CSoatXfA8=; b=OQbqX2XtuckqSmiZnh1iClDqr7 rdgoHt2CI4DKCJBcKPFrZqpwrw2lk/oCh2KqoEYA0hefWPiBeW02I04YeoeIFCTsKbfzl0vsy2Y9H fG9ej7RaF+K1VCXSrcOw6zRLUoKgAGGiU65sMXqsr0yYHVKWP9LqZPlRxBnyXM3KCTfcRFTXXy6x4 grfcoa3KTsSSiSNJaYDQ4CHqwPmV5SvEtqhXTU8TlL5W8Kk+9/YDb85j40IAZLM3e/bj4JBv46Z+V tSBpvXPhawP6cgSM3b/hD9nQSvg5AvK2fJEoHZq8J9WiIVuY110sPcnIqoPo6nfnVNQj35RKWKJux 2yNFaSJA==; Received: from localhost ([::1] helo=merlin.infradead.org) by merlin.infradead.org with esmtp (Exim 4.92.3 #3 (Red Hat Linux)) id 1lDByd-00013I-PM; Fri, 19 Feb 2021 20:02:11 +0000 Received: from cifra.si ([84.255.231.188] helo=mail.cifra.si) by merlin.infradead.org with esmtps (Exim 4.92.3 #3 (Red Hat Linux)) id 1lDByZ-00011T-LX for openwrt-devel@lists.openwrt.org; Fri, 19 Feb 2021 20:02:09 +0000 dkim-signature: v=1; a=rsa-sha256; d=cifra.si; s=dkim; c=relaxed/relaxed; q=dns/txt; h=From:Subject:Date:Message-ID:To:CC:MIME-Version:Content-Transfer-Encoding; bh=WA4WpNeQZBk87PIPAmf48Of/yAYTOGkBQTOxk43QPiE=; b=o6EkF/K+9CW94ZPzwK2s1s3UUSO44xJIvi4kwJzr4MJoWLdn7T0Lji01+mFXlfaqKubu+5KnxkAW2hpLbNLIoe9GdjKCNi9pU4C9o6Fc7L/zDEi4HY4f51twOo16C1Me1ZUe76PwIenfWI1QNG/FZdXapJ2nmaJ888SPT+Bpq/I= Received: from localhost.localdomain (vm2.cifra.si [10.0.0.208]) by mail.cifra.si with ESMTP ; Fri, 19 Feb 2021 21:01:51 +0100 From: Luka Logar To: openwrt-devel@lists.openwrt.org Subject: [PATCH] rpcd: implement certificate authentication Date: Fri, 19 Feb 2021 21:01:51 +0100 Message-Id: <20210219200151.1346005-1-luka.logar@cifra.si> X-Mailer: git-send-email 2.25.1 MIME-Version: 1.0 X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 X-CRM114-CacheID: sfid-20210219_150208_479886_6F898920 X-CRM114-Status: GOOD ( 12.17 ) X-Spam-Score: -0.2 (/) X-Spam-Report: SpamAssassin version 3.4.4 on merlin.infradead.org summary: Content analysis details: (-0.2 points) pts rule name description ---- ---------------------- -------------------------------------------------- 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record -0.0 SPF_PASS SPF: sender matches SPF record -0.1 DKIM_VALID_EF Message has a valid DKIM or DK signature from envelope-from domain 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's domain X-BeenThere: openwrt-devel@lists.openwrt.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: OpenWrt Development List List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Luka Logar Sender: "openwrt-devel" Errors-To: openwrt-devel-bounces+incoming=patchwork.ozlabs.org@lists.openwrt.org When the TLS client certificate is used for LuCI authentication, ubus session login is called with username = subject name password = certificate hash mode = 'cert' Extra parameter 'mode' is needed to differentiate a regular username/password login attempt from the client certificate auth. Otherwise one could fake the certificate login using the standard username/password method entering subject name as username and cert hash as password, both of which are public/known/not-secret. Session login is successful if the password/certificate hash matches the one stored in the /etc/config/rpcd file. Signed-off-by: Luka Logar --- session.c | 16 +++++++++++++--- 1 file changed, 13 insertions(+), 3 deletions(-) diff --git a/session.c b/session.c index 908e298..b577475 100644 --- a/session.c +++ b/session.c @@ -120,12 +120,14 @@ enum { RPC_L_USERNAME, RPC_L_PASSWORD, RPC_L_TIMEOUT, + RPC_L_MODE, __RPC_L_MAX, }; static const struct blobmsg_policy login_policy[__RPC_L_MAX] = { [RPC_L_USERNAME] = { .name = "username", .type = BLOBMSG_TYPE_STRING }, [RPC_L_PASSWORD] = { .name = "password", .type = BLOBMSG_TYPE_STRING }, [RPC_L_TIMEOUT] = { .name = "timeout", .type = BLOBMSG_TYPE_INT32 }, + [RPC_L_MODE] = { .name = "mode", .type = BLOBMSG_TYPE_STRING }, }; /* @@ -827,7 +829,7 @@ rpc_login_test_password(const char *hash, const char *password) static struct uci_section * rpc_login_test_login(struct uci_context *uci, - const char *username, const char *password) + const char *username, const char *password, const char *mode) { struct uci_package *p = NULL; struct uci_section *s; @@ -877,6 +879,13 @@ rpc_login_test_login(struct uci_context *uci, if (ptr.o->type != UCI_TYPE_STRING) continue; + if (mode && !strcmp(mode, "cert")) + { + if (!strcasecmp(ptr.o->v.string, password)) + return ptr.s; + continue; + } + if (rpc_login_test_password(ptr.o->v.string, password)) return ptr.s; } @@ -1137,7 +1146,8 @@ rpc_handle_login(struct ubus_context *ctx, struct ubus_object *obj, } login = rpc_login_test_login(uci, blobmsg_get_string(tb[RPC_L_USERNAME]), - blobmsg_get_string(tb[RPC_L_PASSWORD])); + blobmsg_get_string(tb[RPC_L_PASSWORD]), + blobmsg_get_string(tb[RPC_L_MODE])); if (!login) { rv = UBUS_STATUS_PERMISSION_DENIED; @@ -1296,7 +1306,7 @@ rpc_session_from_blob(struct uci_context *uci, struct blob_attr *attr) } if (uci && user) { - login = rpc_login_test_login(uci, user, NULL); + login = rpc_login_test_login(uci, user, NULL, NULL); if (login) rpc_login_setup_acls(ses, login); }