authentication manager feature addition#270
authentication manager feature addition#270JacobBarthelmeh wants to merge 44 commits intowolfSSL:mainfrom
Conversation
There was a problem hiding this comment.
Pull request overview
This pull request adds a comprehensive authentication and authorization manager to wolfHSM, enabling user management, login/logout functionality, and permission-based access control for HSM operations.
Changes:
- New authentication manager with PIN and certificate-based authentication support
- Authorization system with group and action-level permission checks
- User management APIs for adding, deleting, and modifying users and their credentials
- Complete client and server implementation with message translation support
Reviewed changes
Copilot reviewed 22 out of 23 changed files in this pull request and generated 8 comments.
Show a summary per file
| File | Description |
|---|---|
| wolfhsm/wh_auth.h | Core auth manager types, structures, and API definitions |
| wolfhsm/wh_message_auth.h | Message structures and translation functions for auth operations |
| wolfhsm/wh_server_auth.h | Server-side auth request handler declaration |
| wolfhsm/wh_client.h | Client-side auth API function declarations |
| wolfhsm/wh_server.h | Server context updated with auth context pointer |
| wolfhsm/wh_message.h | New auth message group and action enums |
| wolfhsm/wh_error.h | New auth-specific error codes |
| src/wh_auth.c | Core auth manager implementation with callback wrappers |
| src/wh_message_auth.c | Message translation implementations for auth messages |
| src/wh_server_auth.c | Server-side request handler for auth operations |
| src/wh_client_auth.c | Client-side auth API implementations |
| src/wh_server.c | Server integration with authorization checks |
| src/wh_client.c | Minor formatting fixes |
| port/posix/posix_auth.h | POSIX auth backend declarations |
| port/posix/posix_auth.c | POSIX auth backend implementation with in-memory user storage |
| test/wh_test_auth.h | Auth test suite declarations |
| test/wh_test_auth.c | Comprehensive auth test suite implementation |
| test/wh_test.c | Test integration for auth tests |
| examples/posix/wh_posix_server/* | Server configuration with auth context setup |
| examples/demo/client/wh_demo_client_all.c | Demo integration for auth |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 24 out of 25 changed files in this pull request and generated 3 comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
JacobBarthelmeh
force-pushed
the
auth_manager
branch
2 times, most recently
from
6b32384 to
1bd722a
Compare
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 29 out of 30 changed files in this pull request and generated no new comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
JacobBarthelmeh
assigned
bigbrett,
wolfSSL-Bot and
billphipps and unassigned
JacobBarthelmeh
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 29 out of 30 changed files in this pull request and generated 2 comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
|
@JacobBarthelmeh merge conflicts |
JacobBarthelmeh
force-pushed
the
auth_manager
branch
from
04bd058 to
4d0af48
Compare
|
Force pushed to resolve merge conflict. |
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 28 out of 29 changed files in this pull request and generated 17 comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
…ouch up for test cases
JacobBarthelmeh
force-pushed
the
auth_manager
branch
from
9c1c042 to
4f5b452
Compare
src/wh_auth.c
Outdated
| rc = WH_ERROR_OK; | ||
| } | ||
| else { | ||
| if (user->permissions.groupPermissions & group) { |
There was a problem hiding this comment.
This is wrong / a bug. As written, it would grant users access to groups they don't belong to.
This check treats permissions.groupPermissions as a bitmask but compares it directly against group identifier values like WH_MESSAGE_GROUP_AUTH (0x0D00), which are not intended as bitmasks (e.g. not limited to powers of two). This means a permission set intended to allow only AUTH (0x0D00) also unintentionally authorizes COMM (0x0100), CRYPTO (0x0400), and COUNTER (0x0800) because those bits overlap.
You need to reconsolidate this logic to clearly define what is a identifier, what is a bit position index, and what is a bitmask. Pls make sure they are clearly identified and not easily mixed up when reading the code. Recommend helper macros to easily convert between the two representations (logical group ID and the actual group bit permission flag)
port/posix/posix_auth.h
Outdated
| */ | ||
| int posixAuth_Login(void* context, uint8_t client_id, whAuthMethod method, | ||
| const char* username, const void* auth_data, | ||
| uint16_t auth_data_len, uint16_t* out_user_id, |
There was a problem hiding this comment.
user ID here (and elsewhere in this file) should be whUserId not uint16_t right?
port/posix/posix_auth.c
Outdated
| unsigned char credentials[WH_AUTH_BASE_MAX_CREDENTIALS_LEN]; | ||
| uint16_t credentials_len; | ||
| } whAuthBase_User; | ||
| /* TODO: Thread safety - The global users array is not protected by any |
There was a problem hiding this comment.
FYI #275 merged. Want to take a crack at adding the lock protection? Can also defer to a subsequent PR too.
There was a problem hiding this comment.
-
I'm wondering if this shouldn't be scoped to the POSIX port and called "posix auth" since there is nothing POSIX-specific about it. You could theoretically use this on any of our ports. Perhaps we can include this as a built-in auth mechanism that could be used by any port, similar to our shared memory transport impl (
wh_transport_mem.{c,h}). Any objection to this? Could call itwh_auth_basicor something like that? -
Did you have a scheme to persist the auth database in mind? Here it seems like it is intended for the server to have a hardcoded list and just iterate over each element and "add user" on startup before processing requests. Is that the intent? Could we add an
InitFromNvmfunction that takes an object ID as an argument, where the auth list could be pulled out of NVM and configured out-of-band (e.g. provisioned into NVM at factory)? I know there will be the typical issues of serializing a raw struct, compat across build config updates, but perhaps this is ok for now?
There was a problem hiding this comment.
-
Yeah it could be moved to a non posix location, at one point considered placing it in the examples directory. Showing it as a simplified example of user database. I'll look at moving it there or in demo's, I think in a different location than port makes sense for it.
-
NVM had crossed my mind and it would be great for persistence. Wanted to keep this initial users setup as simple as possible though while ironing out the authentication part of the feature in wolfHSM itself.
bigbrett
left a comment
bigbrett
left a comment
There was a problem hiding this comment.
(part 2, sorry terminated my last review early)
wolfhsm/wh_message_auth.h
Outdated
| enum WH_MESSAGE_AUTH_ACTION_ENUM { | ||
| WH_MESSAGE_AUTH_ACTION_AUTHENTICATE = 0x01, | ||
| WH_MESSAGE_AUTH_ACTION_LOGIN = 0x02, | ||
| WH_MESSAGE_AUTH_ACTION_LOGOUT = 0x03, | ||
| WH_MESSAGE_AUTH_ACTION_USER_ADD = 0x04, | ||
| WH_MESSAGE_AUTH_ACTION_USER_DELETE = 0x05, | ||
| WH_MESSAGE_AUTH_ACTION_USER_GET = 0x06, | ||
| WH_MESSAGE_AUTH_ACTION_USER_SET_PERMISSIONS = 0x07, | ||
| WH_MESSAGE_AUTH_ACTION_USER_SET_CREDENTIALS = 0x08, | ||
| }; |
There was a problem hiding this comment.
these are duplicated in wh_message.h
| WH_AUTH_ACTION_USER_DELETE, | ||
| WH_AUTH_ACTION_USER_MODIFY, | ||
| WH_AUTH_ACTION_PERMISSION_SET, | ||
| }; |
There was a problem hiding this comment.
duplicated in wh_message_auth.h. Imagine these ones can be deleted?
src/wh_server.c
Outdated
| /* Helper to format an authorization error response for any group/action. | ||
| * All response structures have int32_t rc as the first field. | ||
| * Returns the response size to send. */ | ||
| static uint16_t _wh_Server_FormatAuthErrorResponse(uint16_t magic, |
There was a problem hiding this comment.
| static uint16_t _wh_Server_FormatAuthErrorResponse(uint16_t magic, | |
| static uint16_t _FormatAuthErrorResponse(uint16_t magic, |
wolfhsm/wh_auth.h
Outdated
| WH_AUTH_METHOD_CERTIFICATE, | ||
| } whAuthMethod; | ||
|
|
||
| #define WH_NUMBER_OF_GROUPS 14 |
There was a problem hiding this comment.
This shouldn't be hardcoded here. It should ideally be defined with the actual groups in wh_message.h. Perhaps can be auto-computed based on the new group ID fields you may need to create to fix the bug in the previous review?
| /* Get word index and bitmask for this action */ | ||
| uint32_t wordAndBit = WH_AUTH_ACTION_TO_WORD_AND_BIT(action); | ||
| uint32_t wordIndex = WH_AUTH_ACTION_WORD(wordAndBit); | ||
| uint32_t bitmask = WH_AUTH_ACTION_BIT(wordAndBit); | ||
|
|
||
| if (wordIndex < WH_AUTH_ACTION_WORDS && | ||
| (user->permissions.actionPermissions[groupIndex] | ||
| [wordIndex] & | ||
| bitmask)) { | ||
| rc = WH_ERROR_OK; |
There was a problem hiding this comment.
Think there is another bug here: The packing scheme here has a collision problem. The macros pack two values into overlapping bit ranges. The word index is stored in bits 16-23, but the bitmask occupies bits 0-31 - so when action % 32 > 16, the bitmask bleeds into the word index bits.
For example, action 49 gives word=1 and bit position=17. The packed value becomes (1 << 16) | (1 << 17) = 0x30000. When we extract the word index with (0x30000 >> 16) & 0xFF, we get 3 instead of 1. The bitmask extraction is also wrong - we get 0x30000 instead of 0x20000
This affects actions 48-63, 80-95, 112-127, 144-159, 176-191, 208-223, and 240-255 (about half of all possible actions). Authorization checks for these actions will look at the wrong word in the permissions array and check the wrong bits.
Suggest switching to a uint64_t return type with the word index in the upper 32 bits to avoid any overlap.
wolfhsm/wh_auth.h
Outdated
| void* context; | ||
| } whAuthContext; | ||
|
|
||
| #define WOLFHSM_MAX_CERTIFICATE_LEN 2048 |
There was a problem hiding this comment.
this should not be defined here. Don't we already have a macro for this? It should also be WOFHSM_CFG_XXX if you are adding a new config value.
src/wh_auth.c
Outdated
| (void)context; | ||
| (void)action; /* Action could be used for future fine-grained key access |
There was a problem hiding this comment.
why are we void-casting these?
wolfhsm/wh_message_auth.h
Outdated
| #include "wolfhsm/wh_auth.h" | ||
|
|
||
| enum WH_MESSAGE_AUTH_ACTION_ENUM { | ||
| WH_MESSAGE_AUTH_ACTION_AUTHENTICATE = 0x01, |
There was a problem hiding this comment.
This isn't ever used. Is there a future intent here?
…d test that authorization callback override is being called when set
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 36 out of 37 changed files in this pull request and generated 13 comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 39 out of 41 changed files in this pull request and generated 6 comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
…ique max credentials, add force zero to utils
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 39 out of 41 changed files in this pull request and generated 7 comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
4 participants
The authentication manager feature adds support for a user login and checking a users permissions for performing a group+action. The API was designed with PKCS11 in mind.
Some things of note: