Expand native auth and benchmark gates
This commit is contained in:
+340
-26
@@ -5,7 +5,9 @@ use anyhow::{Context, Result, bail};
|
||||
use base64::Engine;
|
||||
use base64::engine::general_purpose::{STANDARD, URL_SAFE_NO_PAD};
|
||||
use ed25519_dalek::{Signature, Signer, SigningKey, Verifier, VerifyingKey};
|
||||
use rsa::traits::PublicKeyParts;
|
||||
use serde::{Deserialize, Serialize};
|
||||
use signature::{SignatureEncoding, Signer as SignatureSigner, Verifier as SignatureVerifier};
|
||||
use std::fs;
|
||||
use std::io::Write;
|
||||
use std::net::IpAddr;
|
||||
@@ -339,6 +341,92 @@ pub fn sign_user_auth(
|
||||
Ok(auth)
|
||||
}
|
||||
|
||||
pub fn sign_user_auth_with_private_key(
|
||||
private_key: &ssh_key::PrivateKey,
|
||||
client: &NativeClientHello,
|
||||
server: &NativeServerHello,
|
||||
requested_forwardings: Vec<ForwardingRequest>,
|
||||
) -> Result<NativeUserAuth> {
|
||||
anyhow::ensure!(!private_key.is_encrypted(), "OpenSSH identity is encrypted");
|
||||
let public_key = private_key.public_key();
|
||||
let key_algorithm = public_key.algorithm().as_str().to_string();
|
||||
anyhow::ensure!(
|
||||
is_supported_user_key_algorithm(&key_algorithm),
|
||||
"unsupported native identity key algorithm {key_algorithm}"
|
||||
);
|
||||
let public_key_blob = ssh_public_blob_from_public_key(public_key)?;
|
||||
let public_key_for_auth = if key_algorithm == "ssh-ed25519" {
|
||||
parse_ssh_ed25519_public_blob(&public_key_blob)?.to_vec()
|
||||
} else {
|
||||
public_key_blob
|
||||
};
|
||||
let signature_algorithm = signature_algorithm_for_private_key(&key_algorithm)?;
|
||||
let mut auth = NativeUserAuth {
|
||||
public_key_algorithm: signature_algorithm.to_string(),
|
||||
public_key: public_key_for_auth,
|
||||
signature: Vec::new(),
|
||||
requested_forwardings,
|
||||
};
|
||||
let transcript = user_auth_transcript(client, server, &auth)?;
|
||||
auth.signature = if key_algorithm == "ssh-rsa" {
|
||||
sign_rsa_sha512_private_key(private_key, &transcript)?
|
||||
} else {
|
||||
let signature = SignatureSigner::try_sign(private_key, &transcript)
|
||||
.context("sign native user auth with OpenSSH private key")?;
|
||||
anyhow::ensure!(
|
||||
signature.algorithm().as_str() == auth.public_key_algorithm,
|
||||
"private key produced signature algorithm {}, expected {}",
|
||||
signature.algorithm().as_str(),
|
||||
auth.public_key_algorithm
|
||||
);
|
||||
signature.as_bytes().to_vec()
|
||||
};
|
||||
Ok(auth)
|
||||
}
|
||||
|
||||
fn sign_rsa_sha512_private_key(
|
||||
private_key: &ssh_key::PrivateKey,
|
||||
transcript: &[u8],
|
||||
) -> Result<Vec<u8>> {
|
||||
let rsa_keypair = private_key
|
||||
.key_data()
|
||||
.rsa()
|
||||
.ok_or_else(|| anyhow::anyhow!("OpenSSH identity is not ssh-rsa"))?;
|
||||
let rsa_private = rsa_private_key_from_ssh_keypair(rsa_keypair)?;
|
||||
let signing_key = rsa::pkcs1v15::SigningKey::<sha2::Sha512>::new(rsa_private);
|
||||
let signature: rsa::pkcs1v15::Signature = SignatureSigner::sign(&signing_key, transcript);
|
||||
Ok(signature.to_vec())
|
||||
}
|
||||
|
||||
fn rsa_private_key_from_ssh_keypair(
|
||||
keypair: &ssh_key::private::RsaKeypair,
|
||||
) -> Result<rsa::RsaPrivateKey> {
|
||||
let private = rsa::RsaPrivateKey::from_components(
|
||||
rsa::BigUint::try_from(&keypair.public.n).context("convert RSA modulus")?,
|
||||
rsa::BigUint::try_from(&keypair.public.e).context("convert RSA public exponent")?,
|
||||
rsa::BigUint::try_from(&keypair.private.d).context("convert RSA private exponent")?,
|
||||
vec![
|
||||
rsa::BigUint::try_from(&keypair.private.p).context("convert RSA p prime")?,
|
||||
rsa::BigUint::try_from(&keypair.private.q).context("convert RSA q prime")?,
|
||||
],
|
||||
)
|
||||
.context("convert OpenSSH RSA private key")?;
|
||||
anyhow::ensure!(
|
||||
private.size().saturating_mul(8) >= 2048,
|
||||
"OpenSSH RSA identity is smaller than 2048 bits"
|
||||
);
|
||||
Ok(private)
|
||||
}
|
||||
|
||||
fn signature_algorithm_for_private_key(key_algorithm: &str) -> Result<&'static str> {
|
||||
match key_algorithm {
|
||||
"ssh-ed25519" => Ok("ssh-ed25519"),
|
||||
"ecdsa-sha2-nistp256" => Ok("ecdsa-sha2-nistp256"),
|
||||
"ssh-rsa" => Ok("rsa-sha2-512"),
|
||||
_ => bail!("unsupported native identity key algorithm {key_algorithm}"),
|
||||
}
|
||||
}
|
||||
|
||||
pub fn verify_native_user_auth(
|
||||
client: &NativeClientHello,
|
||||
server: &NativeServerHello,
|
||||
@@ -347,37 +435,127 @@ pub fn verify_native_user_auth(
|
||||
source_ip: Option<IpAddr>,
|
||||
) -> Result<AuthorizedKey> {
|
||||
anyhow::ensure!(
|
||||
auth.public_key_algorithm == "ssh-ed25519",
|
||||
is_supported_user_signature_algorithm(&auth.public_key_algorithm),
|
||||
"unsupported native user key algorithm {}",
|
||||
auth.public_key_algorithm
|
||||
);
|
||||
anyhow::ensure!(
|
||||
auth.public_key.len() == 32,
|
||||
"ssh-ed25519 public key must be 32 bytes"
|
||||
);
|
||||
anyhow::ensure!(
|
||||
auth.signature.len() == 64,
|
||||
"ssh-ed25519 signature must be 64 bytes"
|
||||
);
|
||||
let authorized_algorithm = authorized_key_algorithm_for_auth(&auth.public_key_algorithm)?;
|
||||
let authorized = authorized_keys
|
||||
.iter()
|
||||
.find(|key| key.algorithm == "ssh-ed25519" && key.key == auth.public_key)
|
||||
.find(|key| key.algorithm == authorized_algorithm && key.key == auth.public_key)
|
||||
.ok_or_else(|| anyhow::anyhow!("native user key is not authorized"))?;
|
||||
authorized.ensure_native_allowed(auth, source_ip)?;
|
||||
|
||||
let mut public_key = [0u8; 32];
|
||||
public_key.copy_from_slice(&auth.public_key);
|
||||
let verifying_key = VerifyingKey::from_bytes(&public_key).context("parse user public key")?;
|
||||
let mut signature = [0u8; 64];
|
||||
signature.copy_from_slice(&auth.signature);
|
||||
let signature = Signature::from_bytes(&signature);
|
||||
let transcript = user_auth_transcript(client, server, auth)?;
|
||||
verifying_key
|
||||
.verify(&transcript, &signature)
|
||||
.context("verify native user signature")?;
|
||||
verify_native_user_signature(auth, &transcript)?;
|
||||
Ok(authorized.clone())
|
||||
}
|
||||
|
||||
pub fn supported_user_key_algorithms() -> Vec<String> {
|
||||
vec![
|
||||
"ssh-ed25519".to_string(),
|
||||
"ecdsa-sha2-nistp256".to_string(),
|
||||
"rsa-sha2-512".to_string(),
|
||||
"rsa-sha2-256".to_string(),
|
||||
]
|
||||
}
|
||||
|
||||
pub fn is_supported_user_key_algorithm(algorithm: &str) -> bool {
|
||||
matches!(algorithm, "ssh-ed25519" | "ecdsa-sha2-nistp256" | "ssh-rsa")
|
||||
}
|
||||
|
||||
pub fn is_supported_user_signature_algorithm(algorithm: &str) -> bool {
|
||||
matches!(
|
||||
algorithm,
|
||||
"ssh-ed25519" | "ecdsa-sha2-nistp256" | "rsa-sha2-512" | "rsa-sha2-256"
|
||||
)
|
||||
}
|
||||
|
||||
fn authorized_key_algorithm_for_auth(signature_algorithm: &str) -> Result<&'static str> {
|
||||
match signature_algorithm {
|
||||
"ssh-ed25519" => Ok("ssh-ed25519"),
|
||||
"ecdsa-sha2-nistp256" => Ok("ecdsa-sha2-nistp256"),
|
||||
"rsa-sha2-512" | "rsa-sha2-256" => Ok("ssh-rsa"),
|
||||
_ => bail!("unsupported native user key algorithm {signature_algorithm}"),
|
||||
}
|
||||
}
|
||||
|
||||
fn verify_native_user_signature(auth: &NativeUserAuth, transcript: &[u8]) -> Result<()> {
|
||||
match auth.public_key_algorithm.as_str() {
|
||||
"ssh-ed25519" => {
|
||||
anyhow::ensure!(
|
||||
auth.public_key.len() == 32,
|
||||
"ssh-ed25519 public key must be 32 bytes"
|
||||
);
|
||||
anyhow::ensure!(
|
||||
auth.signature.len() == 64,
|
||||
"ssh-ed25519 signature must be 64 bytes"
|
||||
);
|
||||
let mut public_key = [0u8; 32];
|
||||
public_key.copy_from_slice(&auth.public_key);
|
||||
let verifying_key =
|
||||
VerifyingKey::from_bytes(&public_key).context("parse user public key")?;
|
||||
let mut signature = [0u8; 64];
|
||||
signature.copy_from_slice(&auth.signature);
|
||||
let signature = Signature::from_bytes(&signature);
|
||||
verifying_key
|
||||
.verify(transcript, &signature)
|
||||
.context("verify native user signature")?;
|
||||
}
|
||||
"ecdsa-sha2-nistp256" => {
|
||||
let public_key = ssh_public_key_from_blob(&auth.public_key)
|
||||
.context("parse native user SSH public key")?;
|
||||
let algorithm =
|
||||
ssh_key::Algorithm::from_str(&auth.public_key_algorithm).with_context(|| {
|
||||
format!("parse signature algorithm {}", auth.public_key_algorithm)
|
||||
})?;
|
||||
let signature = ssh_key::Signature::new(algorithm, auth.signature.clone())
|
||||
.context("parse native user SSH signature")?;
|
||||
SignatureVerifier::verify(public_key.key_data(), transcript, &signature)
|
||||
.context("verify native user SSH signature")?;
|
||||
}
|
||||
"rsa-sha2-512" | "rsa-sha2-256" => {
|
||||
verify_rsa_sha2_signature(
|
||||
&auth.public_key,
|
||||
&auth.public_key_algorithm,
|
||||
transcript,
|
||||
&auth.signature,
|
||||
)?;
|
||||
}
|
||||
algorithm => bail!("unsupported native user key algorithm {algorithm}"),
|
||||
}
|
||||
Ok(())
|
||||
}
|
||||
|
||||
fn verify_rsa_sha2_signature(
|
||||
public_key_blob: &[u8],
|
||||
signature_algorithm: &str,
|
||||
transcript: &[u8],
|
||||
signature: &[u8],
|
||||
) -> Result<()> {
|
||||
let (e, n) = parse_ssh_rsa_public_blob(public_key_blob)?;
|
||||
let public = rsa::RsaPublicKey::new(
|
||||
rsa::BigUint::from_bytes_be(n),
|
||||
rsa::BigUint::from_bytes_be(e),
|
||||
)
|
||||
.context("parse RSA public key")?;
|
||||
let signature =
|
||||
rsa::pkcs1v15::Signature::try_from(signature).context("parse RSA PKCS#1v1.5 signature")?;
|
||||
match signature_algorithm {
|
||||
"rsa-sha2-256" => {
|
||||
let key = rsa::pkcs1v15::VerifyingKey::<sha2::Sha256>::new(public);
|
||||
SignatureVerifier::verify(&key, transcript, &signature)
|
||||
.context("verify RSA-SHA256 signature")
|
||||
}
|
||||
"rsa-sha2-512" => {
|
||||
let key = rsa::pkcs1v15::VerifyingKey::<sha2::Sha512>::new(public);
|
||||
SignatureVerifier::verify(&key, transcript, &signature)
|
||||
.context("verify RSA-SHA512 signature")
|
||||
}
|
||||
_ => bail!("legacy ssh-rsa/SHA-1 signatures are not accepted"),
|
||||
}
|
||||
}
|
||||
|
||||
pub fn verify_native_user_auth_from_config(
|
||||
config: &ServerConfig,
|
||||
client: &NativeClientHello,
|
||||
@@ -470,6 +648,35 @@ pub fn load_ed25519_identity_with_passphrase(
|
||||
.with_context(|| format!("parse ssh-ed25519 identity {}", path.display()))
|
||||
}
|
||||
|
||||
pub fn load_native_identity(path: &Path) -> Result<ssh_key::PrivateKey> {
|
||||
load_native_identity_with_passphrase(path, None)
|
||||
}
|
||||
|
||||
pub fn load_native_identity_with_passphrase(
|
||||
path: &Path,
|
||||
passphrase: Option<&str>,
|
||||
) -> Result<ssh_key::PrivateKey> {
|
||||
let raw = fs::read_to_string(path).with_context(|| format!("read {}", path.display()))?;
|
||||
let private_key = ssh_key::PrivateKey::from_openssh(&raw)
|
||||
.with_context(|| format!("parse OpenSSH identity {}", path.display()))?;
|
||||
let private_key = if private_key.is_encrypted() {
|
||||
let passphrase = passphrase
|
||||
.ok_or_else(|| anyhow::anyhow!("OpenSSH identity {} is encrypted", path.display()))?;
|
||||
private_key
|
||||
.decrypt(passphrase)
|
||||
.with_context(|| format!("decrypt OpenSSH identity {}", path.display()))?
|
||||
} else {
|
||||
private_key
|
||||
};
|
||||
let algorithm = private_key.public_key().algorithm().as_str().to_string();
|
||||
anyhow::ensure!(
|
||||
is_supported_user_key_algorithm(&algorithm),
|
||||
"OpenSSH identity {} has unsupported native key algorithm {algorithm}",
|
||||
path.display()
|
||||
);
|
||||
Ok(private_key)
|
||||
}
|
||||
|
||||
impl AuthorizedKey {
|
||||
fn ensure_native_allowed(
|
||||
&self,
|
||||
@@ -565,7 +772,7 @@ fn parse_authorized_key_line(line_number: usize, line: &str) -> Result<Authorize
|
||||
fields.len() >= 2,
|
||||
"authorized_keys:{line_number}: expected key fields"
|
||||
);
|
||||
let (options, key_type_index) = if fields[0].starts_with("ssh-") {
|
||||
let (options, key_type_index) = if is_supported_user_key_algorithm(&fields[0]) {
|
||||
(AuthorizedKeyOptions::default(), 0)
|
||||
} else {
|
||||
(parse_authorized_key_options(&fields[0])?, 1)
|
||||
@@ -576,15 +783,20 @@ fn parse_authorized_key_line(line_number: usize, line: &str) -> Result<Authorize
|
||||
let key_blob = fields
|
||||
.get(key_type_index + 1)
|
||||
.with_context(|| format!("authorized_keys:{line_number}: missing key blob"))?;
|
||||
anyhow::ensure!(
|
||||
algorithm == "ssh-ed25519",
|
||||
"authorized_keys:{line_number}: unsupported key type {algorithm}"
|
||||
);
|
||||
let decoded = STANDARD
|
||||
.decode(key_blob)
|
||||
.with_context(|| format!("authorized_keys:{line_number}: decode key blob"))?;
|
||||
let key = parse_ssh_ed25519_public_blob(&decoded)
|
||||
.with_context(|| format!("authorized_keys:{line_number}: parse ssh-ed25519 key"))?;
|
||||
anyhow::ensure!(
|
||||
is_supported_user_key_algorithm(algorithm),
|
||||
"authorized_keys:{line_number}: unsupported key type {algorithm}"
|
||||
);
|
||||
validate_supported_public_key_blob(algorithm, &decoded)
|
||||
.with_context(|| format!("authorized_keys:{line_number}: parse {algorithm} key"))?;
|
||||
let key = if algorithm == "ssh-ed25519" {
|
||||
parse_ssh_ed25519_public_blob(&decoded)?.to_vec()
|
||||
} else {
|
||||
decoded
|
||||
};
|
||||
let comment = if fields.len() > key_type_index + 2 {
|
||||
Some(fields[key_type_index + 2..].join(" "))
|
||||
} else {
|
||||
@@ -598,6 +810,51 @@ fn parse_authorized_key_line(line_number: usize, line: &str) -> Result<Authorize
|
||||
})
|
||||
}
|
||||
|
||||
fn validate_supported_public_key_blob(algorithm: &str, blob: &[u8]) -> Result<()> {
|
||||
let blob_algorithm = ssh_public_key_blob_algorithm(blob)?;
|
||||
anyhow::ensure!(
|
||||
blob_algorithm == algorithm,
|
||||
"key blob type {blob_algorithm} does not match authorized_keys type {algorithm}"
|
||||
);
|
||||
match algorithm {
|
||||
"ssh-ed25519" => {
|
||||
parse_ssh_ed25519_public_blob(blob)?;
|
||||
}
|
||||
"ecdsa-sha2-nistp256" | "ssh-rsa" => {
|
||||
let _ = ssh_public_key_from_blob(blob)?;
|
||||
}
|
||||
_ => bail!("unsupported key type {algorithm}"),
|
||||
}
|
||||
Ok(())
|
||||
}
|
||||
|
||||
fn ssh_public_key_blob_algorithm(blob: &[u8]) -> Result<String> {
|
||||
let mut cursor = blob;
|
||||
let algorithm = read_ssh_string(&mut cursor)?;
|
||||
Ok(String::from_utf8_lossy(algorithm).to_string())
|
||||
}
|
||||
|
||||
fn ssh_public_key_from_blob(blob: &[u8]) -> Result<ssh_key::PublicKey> {
|
||||
let algorithm = ssh_public_key_blob_algorithm(blob)?;
|
||||
let encoded = STANDARD.encode(blob);
|
||||
ssh_key::PublicKey::from_openssh(&format!("{algorithm} {encoded}"))
|
||||
.with_context(|| format!("parse OpenSSH public key blob {algorithm}"))
|
||||
}
|
||||
|
||||
fn ssh_public_blob_from_public_key(public_key: &ssh_key::PublicKey) -> Result<Vec<u8>> {
|
||||
let line = public_key
|
||||
.to_openssh()
|
||||
.context("encode OpenSSH public key")?;
|
||||
let mut fields = line.split_whitespace();
|
||||
let _algorithm = fields
|
||||
.next()
|
||||
.context("encoded public key missing algorithm")?;
|
||||
let encoded = fields.next().context("encoded public key missing blob")?;
|
||||
STANDARD
|
||||
.decode(encoded)
|
||||
.context("decode encoded OpenSSH public key blob")
|
||||
}
|
||||
|
||||
fn split_authorized_key_fields(line: &str) -> Vec<String> {
|
||||
line.split_whitespace().map(ToString::to_string).collect()
|
||||
}
|
||||
@@ -765,6 +1022,18 @@ pub fn parse_ssh_ed25519_public_blob(blob: &[u8]) -> Result<[u8; 32]> {
|
||||
Ok(out)
|
||||
}
|
||||
|
||||
fn parse_ssh_rsa_public_blob(blob: &[u8]) -> Result<(&[u8], &[u8])> {
|
||||
let mut cursor = blob;
|
||||
let key_type = read_ssh_string(&mut cursor)?;
|
||||
anyhow::ensure!(key_type == b"ssh-rsa", "key blob type mismatch");
|
||||
let e = read_ssh_mpint(&mut cursor)?;
|
||||
let n = read_ssh_mpint(&mut cursor)?;
|
||||
anyhow::ensure!(cursor.is_empty(), "trailing data in ssh-rsa key blob");
|
||||
anyhow::ensure!(!e.is_empty(), "ssh-rsa exponent is empty");
|
||||
anyhow::ensure!(!n.is_empty(), "ssh-rsa modulus is empty");
|
||||
Ok((e, n))
|
||||
}
|
||||
|
||||
pub fn ssh_ed25519_public_blob(public_key: &[u8; 32]) -> Vec<u8> {
|
||||
let mut out = Vec::new();
|
||||
write_ssh_string(&mut out, b"ssh-ed25519");
|
||||
@@ -772,6 +1041,12 @@ pub fn ssh_ed25519_public_blob(public_key: &[u8; 32]) -> Vec<u8> {
|
||||
out
|
||||
}
|
||||
|
||||
fn read_ssh_mpint<'a>(cursor: &mut &'a [u8]) -> Result<&'a [u8]> {
|
||||
let raw = read_ssh_string(cursor)?;
|
||||
let raw = raw.strip_prefix(&[0]).unwrap_or(raw);
|
||||
Ok(raw)
|
||||
}
|
||||
|
||||
fn read_ssh_string<'a>(cursor: &mut &'a [u8]) -> Result<&'a [u8]> {
|
||||
anyhow::ensure!(cursor.len() >= 4, "truncated SSH string length");
|
||||
let len = u32::from_be_bytes(cursor[..4].try_into().unwrap()) as usize;
|
||||
@@ -1084,6 +1359,45 @@ mod tests {
|
||||
assert!(verify_native_user_auth(&client, &server, &auth, &removed, None).is_err());
|
||||
}
|
||||
|
||||
#[test]
|
||||
fn native_user_auth_accepts_ecdsa_p256_private_key() {
|
||||
let mut rng = rand::rngs::OsRng;
|
||||
let private = ssh_key::PrivateKey::random(
|
||||
&mut rng,
|
||||
ssh_key::Algorithm::Ecdsa {
|
||||
curve: ssh_key::EcdsaCurve::NistP256,
|
||||
},
|
||||
)
|
||||
.unwrap();
|
||||
let host_signing = SigningKey::from_bytes(&[10u8; 32]);
|
||||
let client = test_client_hello();
|
||||
let mut server = test_server_hello(&host_signing);
|
||||
sign_server_hello(&host_signing, &client, &mut server).unwrap();
|
||||
let auth = sign_user_auth_with_private_key(&private, &client, &server, Vec::new()).unwrap();
|
||||
let authorized =
|
||||
parse_authorized_keys(&private.public_key().to_openssh().unwrap()).unwrap();
|
||||
|
||||
assert_eq!(auth.public_key_algorithm, "ecdsa-sha2-nistp256");
|
||||
verify_native_user_auth(&client, &server, &auth, &authorized, None).unwrap();
|
||||
}
|
||||
|
||||
#[test]
|
||||
fn native_user_auth_accepts_rsa_sha2_private_key() {
|
||||
let mut rng = rand::rngs::OsRng;
|
||||
let private =
|
||||
ssh_key::PrivateKey::random(&mut rng, ssh_key::Algorithm::Rsa { hash: None }).unwrap();
|
||||
let host_signing = SigningKey::from_bytes(&[11u8; 32]);
|
||||
let client = test_client_hello();
|
||||
let mut server = test_server_hello(&host_signing);
|
||||
sign_server_hello(&host_signing, &client, &mut server).unwrap();
|
||||
let auth = sign_user_auth_with_private_key(&private, &client, &server, Vec::new()).unwrap();
|
||||
let authorized =
|
||||
parse_authorized_keys(&private.public_key().to_openssh().unwrap()).unwrap();
|
||||
|
||||
assert_eq!(auth.public_key_algorithm, "rsa-sha2-512");
|
||||
verify_native_user_auth(&client, &server, &auth, &authorized, None).unwrap();
|
||||
}
|
||||
|
||||
#[test]
|
||||
fn native_user_auth_rejects_tampered_transcript() {
|
||||
let host_signing = SigningKey::from_bytes(&[3u8; 32]);
|
||||
|
||||
Reference in New Issue
Block a user