From 09027ea190e4c363b0c467dbbfe60815fbdeb56e Mon Sep 17 00:00:00 2001 From: Kareem Date: Fri, 12 Apr 2024 16:28:56 -0700 Subject: [PATCH] Add support for loading user CA certs from a configurable Windows cert store. --- apps/wolfsshd/configuration.c | 142 +++++++++++++++++++++++++++++++++- apps/wolfsshd/configuration.h | 8 ++ apps/wolfsshd/wolfsshd.c | 25 ++++-- 3 files changed, 169 insertions(+), 6 deletions(-) diff --git a/apps/wolfsshd/configuration.c b/apps/wolfsshd/configuration.c index fcac65ba8..3bc152aff 100644 --- a/apps/wolfsshd/configuration.c +++ b/apps/wolfsshd/configuration.c @@ -80,6 +80,9 @@ struct WOLFSSHD_CONFIG { char* authKeysFile; char* forceCmd; char* pidFile; + char* winUserStores; + char* winUserDwFlags; + char* winUserPvPara; WOLFSSHD_CONFIG* next; /* next config in list */ long loginTimer; word16 port; @@ -90,6 +93,7 @@ struct WOLFSSHD_CONFIG { byte permitEmptyPasswords:1; byte authKeysFileSet:1; /* if not set then no explicit authorized keys */ byte useSystemCA:1; + byte useUserCAStore:1; }; int CountWhitespace(const char* in, int inSz, byte inv); @@ -313,6 +317,9 @@ void wolfSSHD_ConfigFree(WOLFSSHD_CONFIG* conf) FreeString(¤t->hostKeyFile, heap); FreeString(¤t->hostCertFile, heap); FreeString(¤t->pidFile, heap); + FreeString(¤t->winUserStores, heap); + FreeString(¤t->winUserDwFlags, heap); + FreeString(¤t->winUserPvPara, heap); WFREE(current, heap, DYNTYPE_SSHD); current = next; @@ -351,9 +358,13 @@ enum { OPT_TRUSTED_USER_CA_KEYS = 21, OPT_TRUSTED_SYSTEM_CA_KEYS = 22, OPT_PIDFILE = 23, + OPT_TRUSTED_USER_CA_STORE = 24, + OPT_WIN_USER_STORES = 25, + OPT_WIN_USER_DW_FLAGS = 26, + OPT_WIN_USER_PV_PARA = 27, }; enum { - NUM_OPTIONS = 24 + NUM_OPTIONS = 28 }; static const CONFIG_OPTION options[NUM_OPTIONS] = { @@ -381,6 +392,10 @@ static const CONFIG_OPTION options[NUM_OPTIONS] = { {OPT_TRUSTED_USER_CA_KEYS, "TrustedUserCAKeys"}, {OPT_TRUSTED_SYSTEM_CA_KEYS, "TrustedSystemCAKeys"}, {OPT_PIDFILE, "PidFile"}, + {OPT_TRUSTED_USER_CA_STORE, "TrustedUserCaStore"}, + {OPT_WIN_USER_STORES, "WinUserStores"}, + {OPT_WIN_USER_DW_FLAGS, "WinUserDwFlags"}, + {OPT_WIN_USER_PV_PARA, "WinUserPvPara"}, }; /* returns WS_SUCCESS on success */ @@ -1028,6 +1043,18 @@ static int HandleConfigOption(WOLFSSHD_CONFIG** conf, int opt, case OPT_PIDFILE: ret = SetFileString(&(*conf)->pidFile, value, (*conf)->heap); break; + case OPT_TRUSTED_USER_CA_STORE: + ret = wolfSSHD_ConfigSetUserCAStore(*conf, value); + break; + case OPT_WIN_USER_STORES: + ret = wolfSSHD_ConfigSetWinUserStores(*conf, value); + break; + case OPT_WIN_USER_DW_FLAGS: + ret = wolfSSHD_ConfigSetWinUserDwFlags(*conf, value); + break; + case OPT_WIN_USER_PV_PARA: + ret = wolfSSHD_ConfigSetWinUserPvPara(*conf, value); + break; default: break; } @@ -1347,6 +1374,119 @@ int wolfSSHD_ConfigSetSystemCA(WOLFSSHD_CONFIG* conf, const char* value) return ret; } +/* getter function for if using user CA store + * return 1 if true and 0 if false */ +int wolfSSHD_ConfigGetUserCAStore(const WOLFSSHD_CONFIG* conf) +{ + if (conf != NULL) { + return conf->useUserCAStore; + } + return 0; +} + + +/* setter function for if using user CA store + * 'yes' if true and 'no' if false + * returns WS_SUCCESS on success */ +int wolfSSHD_ConfigSetUserCAStore(WOLFSSHD_CONFIG* conf, const char* value) +{ + int ret = WS_SUCCESS; + + if (conf != NULL) { + if (WSTRCMP(value, "yes") == 0) { + wolfSSH_Log(WS_LOG_INFO, "[SSHD] User CA store enabled. Note this " + "is currently only supported on Windows."); + conf->useUserCAStore = 1; + } + else if (WSTRCMP(value, "no") == 0) { + wolfSSH_Log(WS_LOG_INFO, "[SSHD] User CA store disabled"); + conf->useUserCAStore = 0; + } + else { + wolfSSH_Log(WS_LOG_INFO, "[SSHD] User CA store unexpected flag"); + ret = WS_FATAL_ERROR; + } + } + + return ret; +} + +char* wolfSSHD_ConfigGetWinUserStores(WOLFSSHD_CONFIG* conf) { + if (conf != NULL) { + if (conf->winUserStores == NULL) { + /* If no value was specified, default to CERT_STORE_PROV_SYSTEM */ + CreateString(&conf->winUserStores, "CERT_STORE_PROV_SYSTEM", + (int)WSTRLEN("CERT_STORE_PROV_SYSTEM"), conf->heap); + } + + return conf->winUserStores; + } + + return NULL; +} + +int wolfSSHD_ConfigSetWinUserStores(WOLFSSHD_CONFIG* conf, const char* value) { + int ret = WS_SUCCESS; + + if (conf == NULL) { + ret = WS_BAD_ARGUMENT; + } + + ret = CreateString(&conf->winUserStores, value, (int)WSTRLEN(value), conf->heap); + + return ret; +} + +char* wolfSSHD_ConfigGetWinUserDwFlags(WOLFSSHD_CONFIG* conf) { + if (conf != NULL) { + if (conf->winUserDwFlags == NULL) { + /* If no value was specified, default to CERT_SYSTEM_STORE_CURRENT_USER */ + CreateString(&conf->winUserDwFlags, "CERT_SYSTEM_STORE_CURRENT_USER", + (int)WSTRLEN("CERT_SYSTEM_STORE_CURRENT_USER"), conf->heap); + } + + return conf->winUserDwFlags; + } + + return NULL; +} + +int wolfSSHD_ConfigSetWinUserDwFlags(WOLFSSHD_CONFIG* conf, const char* value) { + int ret = WS_SUCCESS; + + if (conf == NULL) { + ret = WS_BAD_ARGUMENT; + } + + ret = CreateString(&conf->winUserDwFlags, value, (int)WSTRLEN(value), conf->heap); + + return ret; +} + +char* wolfSSHD_ConfigGetWinUserPvPara(WOLFSSHD_CONFIG* conf) { + if (conf != NULL) { + if (conf->winUserPvPara == NULL) { + /* If no value was specified, default to MY */ + CreateString(&conf->winUserPvPara, "MY", (int)WSTRLEN("MY"), conf->heap); + } + + return conf->winUserPvPara; + } + + return NULL; +} + +int wolfSSHD_ConfigSetWinUserPvPara(WOLFSSHD_CONFIG* conf, const char* value) { + int ret = WS_SUCCESS; + + if (conf == NULL) { + ret = WS_BAD_ARGUMENT; + } + + ret = CreateString(&conf->winUserPvPara, value, (int)WSTRLEN(value), conf->heap); + + return ret; +} char* wolfSSHD_ConfigGetUserCAKeysFile(const WOLFSSHD_CONFIG* conf) { diff --git a/apps/wolfsshd/configuration.h b/apps/wolfsshd/configuration.h index 8f45302fd..5551a69bd 100644 --- a/apps/wolfsshd/configuration.h +++ b/apps/wolfsshd/configuration.h @@ -44,6 +44,14 @@ int wolfSSHD_ConfigSetHostKeyFile(WOLFSSHD_CONFIG* conf, const char* file); int wolfSSHD_ConfigSetHostCertFile(WOLFSSHD_CONFIG* conf, const char* file); int wolfSSHD_ConfigSetSystemCA(WOLFSSHD_CONFIG* conf, const char* value); int wolfSSHD_ConfigGetSystemCA(const WOLFSSHD_CONFIG* conf); +int wolfSSHD_ConfigSetUserCAStore(WOLFSSHD_CONFIG* conf, const char* value); +int wolfSSHD_ConfigGetUserCAStore(const WOLFSSHD_CONFIG* conf); +char* wolfSSHD_ConfigGetWinUserStores(WOLFSSHD_CONFIG* conf); +int wolfSSHD_ConfigSetWinUserStores(WOLFSSHD_CONFIG* conf, const char* value); +char* wolfSSHD_ConfigGetWinUserDwFlags(WOLFSSHD_CONFIG* conf); +int wolfSSHD_ConfigSetWinUserDwFlags(WOLFSSHD_CONFIG* conf, const char* value); +char* wolfSSHD_ConfigGetWinUserPvPara(WOLFSSHD_CONFIG* conf); +int wolfSSHD_ConfigSetWinUserPvPara(WOLFSSHD_CONFIG* conf, const char* value); int wolfSSHD_ConfigSetUserCAKeysFile(WOLFSSHD_CONFIG* conf, const char* file); word16 wolfSSHD_ConfigGetPort(const WOLFSSHD_CONFIG* conf); char* wolfSSHD_ConfigGetAuthKeysFile(const WOLFSSHD_CONFIG* conf); diff --git a/apps/wolfsshd/wolfsshd.c b/apps/wolfsshd/wolfsshd.c index 63f3a6ecc..bc0a5a27c 100644 --- a/apps/wolfsshd/wolfsshd.c +++ b/apps/wolfsshd/wolfsshd.c @@ -406,9 +406,10 @@ static int SetupCTX(WOLFSSHD_CONFIG* conf, WOLFSSH_CTX** ctx) #endif /* WOLFSSH_OSSH_CERTS || WOLFSSH_CERTS */ #ifdef WOLFSSH_CERTS - /* check if loading in system CA certs */ + /* check if loading in system and/or user CA certs */ #ifdef WOLFSSL_SYS_CA_CERTS - if (ret == WS_SUCCESS && wolfSSHD_ConfigGetSystemCA(conf)) { + if (ret == WS_SUCCESS && (wolfSSHD_ConfigGetSystemCA(conf) + || wolfSSHD_ConfigGetUserCAStore(conf))) { WOLFSSL_CTX* sslCtx; wolfSSH_Log(WS_LOG_INFO, "[SSHD] Using system CAs"); @@ -419,9 +420,23 @@ static int SetupCTX(WOLFSSHD_CONFIG* conf, WOLFSSH_CTX** ctx) } if (ret == WS_SUCCESS) { - if (wolfSSL_CTX_load_system_CA_certs(sslCtx) != WOLFSSL_SUCCESS) { - wolfSSH_Log(WS_LOG_INFO, "[SSHD] Issue loading system CAs"); - ret = WS_FATAL_ERROR; + if (wolfSSHD_ConfigGetSystemCA(conf)) { + if (wolfSSL_CTX_load_system_CA_certs(sslCtx) != WOLFSSL_SUCCESS) { + wolfSSH_Log(WS_LOG_INFO, "[SSHD] Issue loading system CAs"); + ret = WS_FATAL_ERROR; + } + } + } + + if (ret == WS_SUCCESS) { + if (wolfSSHD_ConfigGetUserCAStore(conf)) { + if (wolfSSL_CTX_load_windows_user_CA_certs(sslCtx, + wolfSSHD_ConfigGetWinUserStores(conf), + wolfSSHD_ConfigGetWinUserDwFlags(conf), + wolfSSHD_ConfigGetWinUserPvPara(conf)) != WOLFSSL_SUCCESS) { + wolfSSH_Log(WS_LOG_INFO, "[SSHD] Issue loading user CAs"); + ret = WS_FATAL_ERROR; + } } }