From patchwork Fri Feb 19 20:01:51 2021
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Luka Logar <luka.logar@cifra.si>
X-Patchwork-Id: 1442439
Return-Path: 
 <openwrt-devel-bounces+incoming=patchwork.ozlabs.org@lists.openwrt.org>
X-Original-To: incoming@patchwork.ozlabs.org
Delivered-To: patchwork-incoming@bilbo.ozlabs.org
Authentication-Results: ozlabs.org;
 spf=pass (sender SPF authorized) smtp.mailfrom=lists.openwrt.org
 (client-ip=2001:8b0:10b:1231::1; helo=merlin.infradead.org;
 envelope-from=openwrt-devel-bounces+incoming=patchwork.ozlabs.org@lists.openwrt.org;
 receiver=<UNKNOWN>)
Authentication-Results: ozlabs.org;
	dkim=pass (2048-bit key;
 secure) header.d=lists.infradead.org header.i=@lists.infradead.org
 header.a=rsa-sha256 header.s=merlin.20170209 header.b=OQbqX2Xt;
	dkim=fail reason="signature verification failed" (1024-bit key;
 unprotected) header.d=cifra.si header.i=@cifra.si header.a=rsa-sha256
 header.s=dkim header.b=o6EkF/K+;
	dkim-atps=neutral
Received: from merlin.infradead.org (merlin.infradead.org
 [IPv6:2001:8b0:10b:1231::1])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest
 SHA256)
	(No client certificate requested)
	by ozlabs.org (Postfix) with ESMTPS id 4Dj2bd3G4Nz9sW2
	for <incoming@patchwork.ozlabs.org>; Sat, 20 Feb 2021 07:04:29 +1100 (AEDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
	d=lists.infradead.org; s=merlin.20170209; h=Sender:Content-Transfer-Encoding:
	Content-Type:Cc:List-Subscribe:List-Help:List-Post:List-Archive:
	List-Unsubscribe:List-Id:MIME-Version:Message-Id:Date:Subject:To:From:
	Reply-To:Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender
	:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:References:List-Owner;
	bh=djNf4YybSPOgyS+JiweBqmkD7Zh/wKPxv4CSoatXfA8=; b=OQbqX2XtuckqSmiZnh1iClDqr7
	rdgoHt2CI4DKCJBcKPFrZqpwrw2lk/oCh2KqoEYA0hefWPiBeW02I04YeoeIFCTsKbfzl0vsy2Y9H
	fG9ej7RaF+K1VCXSrcOw6zRLUoKgAGGiU65sMXqsr0yYHVKWP9LqZPlRxBnyXM3KCTfcRFTXXy6x4
	grfcoa3KTsSSiSNJaYDQ4CHqwPmV5SvEtqhXTU8TlL5W8Kk+9/YDb85j40IAZLM3e/bj4JBv46Z+V
	tSBpvXPhawP6cgSM3b/hD9nQSvg5AvK2fJEoHZq8J9WiIVuY110sPcnIqoPo6nfnVNQj35RKWKJux
	2yNFaSJA==;
Received: from localhost ([::1] helo=merlin.infradead.org)
	by merlin.infradead.org with esmtp (Exim 4.92.3 #3 (Red Hat Linux))
	id 1lDByd-00013I-PM; Fri, 19 Feb 2021 20:02:11 +0000
Received: from cifra.si ([84.255.231.188] helo=mail.cifra.si)
 by merlin.infradead.org with esmtps (Exim 4.92.3 #3 (Red Hat Linux))
 id 1lDByZ-00011T-LX
 for openwrt-devel@lists.openwrt.org; Fri, 19 Feb 2021 20:02:09 +0000
dkim-signature: v=1; a=rsa-sha256; d=cifra.si; s=dkim;
 c=relaxed/relaxed; q=dns/txt;
 h=From:Subject:Date:Message-ID:To:CC:MIME-Version:Content-Transfer-Encoding;
 bh=WA4WpNeQZBk87PIPAmf48Of/yAYTOGkBQTOxk43QPiE=;
 b=o6EkF/K+9CW94ZPzwK2s1s3UUSO44xJIvi4kwJzr4MJoWLdn7T0Lji01+mFXlfaqKubu+5KnxkAW2hpLbNLIoe9GdjKCNi9pU4C9o6Fc7L/zDEi4HY4f51twOo16C1Me1ZUe76PwIenfWI1QNG/FZdXapJ2nmaJ888SPT+Bpq/I=
Received: from localhost.localdomain (vm2.cifra.si [10.0.0.208])
 by mail.cifra.si with ESMTP ; Fri, 19 Feb 2021 21:01:51 +0100
From: Luka Logar <luka.logar@cifra.si>
To: openwrt-devel@lists.openwrt.org
Subject: [PATCH] rpcd: implement certificate authentication
Date: Fri, 19 Feb 2021 21:01:51 +0100
Message-Id: <20210219200151.1346005-1-luka.logar@cifra.si>
X-Mailer: git-send-email 2.25.1
MIME-Version: 1.0
X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 
X-CRM114-CacheID: sfid-20210219_150208_479886_6F898920 
X-CRM114-Status: GOOD (  12.17  )
X-Spam-Score: -0.2 (/)
X-Spam-Report: SpamAssassin version 3.4.4 on merlin.infradead.org summary:
 Content analysis details:   (-0.2 points)
 pts rule name              description
 ---- ----------------------
 --------------------------------------------------
 0.0 SPF_HELO_NONE          SPF: HELO does not publish an SPF Record
 -0.0 SPF_PASS               SPF: sender matches SPF record
 -0.1 DKIM_VALID_EF          Message has a valid DKIM or DK signature from
 envelope-from domain
 0.1 DKIM_SIGNED            Message has a DKIM or DK signature,
 not necessarily
 valid
 -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature
 -0.1 DKIM_VALID_AU          Message has a valid DKIM or DK signature from
 author's domain
X-BeenThere: openwrt-devel@lists.openwrt.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OpenWrt Development List <openwrt-devel.lists.openwrt.org>
List-Unsubscribe: <https://lists.openwrt.org/mailman/options/openwrt-devel>,
 <mailto:openwrt-devel-request@lists.openwrt.org?subject=unsubscribe>
List-Archive: <http://lists.openwrt.org/pipermail/openwrt-devel/>
List-Post: <mailto:openwrt-devel@lists.openwrt.org>
List-Help: <mailto:openwrt-devel-request@lists.openwrt.org?subject=help>
List-Subscribe: <https://lists.openwrt.org/mailman/listinfo/openwrt-devel>,
 <mailto:openwrt-devel-request@lists.openwrt.org?subject=subscribe>
Cc: Luka Logar <luka.logar@cifra.si>
Sender: "openwrt-devel" <openwrt-devel-bounces@lists.openwrt.org>
Errors-To: 
 openwrt-devel-bounces+incoming=patchwork.ozlabs.org@lists.openwrt.org

When the TLS client certificate is used for LuCI authentication, ubus session login is called with

  username = subject name
  password = certificate hash
  mode = 'cert'

Extra parameter 'mode' is needed to differentiate a regular username/password login attempt from the client
certificate auth. Otherwise one could fake the certificate login using the standard username/password
method entering subject name as username and cert hash as password, both of which are public/known/not-secret.
Session login is successful if the password/certificate hash matches the one stored in the /etc/config/rpcd
file.

Signed-off-by: Luka Logar <luka.logar@cifra.si>
---
 session.c | 16 +++++++++++++---
 1 file changed, 13 insertions(+), 3 deletions(-)

diff --git a/session.c b/session.c
index 908e298..b577475 100644
--- a/session.c
+++ b/session.c
@@ -120,12 +120,14 @@ enum {
 	RPC_L_USERNAME,
 	RPC_L_PASSWORD,
 	RPC_L_TIMEOUT,
+	RPC_L_MODE,
 	__RPC_L_MAX,
 };
 static const struct blobmsg_policy login_policy[__RPC_L_MAX] = {
 	[RPC_L_USERNAME] = { .name = "username", .type = BLOBMSG_TYPE_STRING },
 	[RPC_L_PASSWORD] = { .name = "password", .type = BLOBMSG_TYPE_STRING },
 	[RPC_L_TIMEOUT]  = { .name = "timeout", .type = BLOBMSG_TYPE_INT32 },
+	[RPC_L_MODE]     = { .name = "mode", .type = BLOBMSG_TYPE_STRING },
 };
 
 /*
@@ -827,7 +829,7 @@ rpc_login_test_password(const char *hash, const char *password)
 
 static struct uci_section *
 rpc_login_test_login(struct uci_context *uci,
-                     const char *username, const char *password)
+                     const char *username, const char *password, const char *mode)
 {
 	struct uci_package *p = NULL;
 	struct uci_section *s;
@@ -877,6 +879,13 @@ rpc_login_test_login(struct uci_context *uci,
 		if (ptr.o->type != UCI_TYPE_STRING)
 			continue;
 
+		if (mode && !strcmp(mode, "cert"))
+		{
+			if (!strcasecmp(ptr.o->v.string, password))
+				return ptr.s;
+			continue;
+		}
+
 		if (rpc_login_test_password(ptr.o->v.string, password))
 			return ptr.s;
 	}
@@ -1137,7 +1146,8 @@ rpc_handle_login(struct ubus_context *ctx, struct ubus_object *obj,
 	}
 
 	login = rpc_login_test_login(uci, blobmsg_get_string(tb[RPC_L_USERNAME]),
-	                                  blobmsg_get_string(tb[RPC_L_PASSWORD]));
+	                                  blobmsg_get_string(tb[RPC_L_PASSWORD]),
+	                                  blobmsg_get_string(tb[RPC_L_MODE]));
 
 	if (!login) {
 		rv = UBUS_STATUS_PERMISSION_DENIED;
@@ -1296,7 +1306,7 @@ rpc_session_from_blob(struct uci_context *uci, struct blob_attr *attr)
 	}
 
 	if (uci && user) {
-		login = rpc_login_test_login(uci, user, NULL);
+		login = rpc_login_test_login(uci, user, NULL, NULL);
 		if (login)
 			rpc_login_setup_acls(ses, login);
 	}