add TrustedSystemCAKeys sshd option for system CA load

Author: JacobBarthelmeh

apps/wolfsshd/configuration.c

@@ -89,6 +89,7 @@ struct WOLFSSHD_CONFIG {
     byte permitRootLogin:1;
     byte permitEmptyPasswords:1;
     byte authKeysFileSet:1; /* if not set then no explicit authorized keys */
+    byte useSystemCA:1;
 };
 
 int CountWhitespace(const char* in, int inSz, byte inv);
@@ -348,10 +349,11 @@ enum {
     OPT_FORCE_CMD               = 19,
     OPT_HOST_CERT               = 20,
     OPT_TRUSTED_USER_CA_KEYS    = 21,
-    OPT_PIDFILE                 = 22,
+    OPT_TRUSTED_SYSTEM_CA_KEYS  = 22,
+    OPT_PIDFILE                 = 23,
 };
 enum {
-    NUM_OPTIONS = 23
+    NUM_OPTIONS = 24
 };
 
 static const CONFIG_OPTION options[NUM_OPTIONS] = {
@@ -377,6 +379,7 @@ static const CONFIG_OPTION options[NUM_OPTIONS] = {
     {OPT_FORCE_CMD,               "ForceCommand"},
     {OPT_HOST_CERT,               "HostCertificate"},
     {OPT_TRUSTED_USER_CA_KEYS,    "TrustedUserCAKeys"},
+    {OPT_TRUSTED_SYSTEM_CA_KEYS,  "TrustedSystemCAKeys"},
     {OPT_PIDFILE,                 "PidFile"},
 };
 
@@ -1019,6 +1022,9 @@ static int HandleConfigOption(WOLFSSHD_CONFIG** conf, int opt,
             /* TODO: Add logic to check if file exists? */
             ret = wolfSSHD_ConfigSetUserCAKeysFile(*conf, value);
             break;
+        case OPT_TRUSTED_SYSTEM_CA_KEYS:
+            ret = wolfSSHD_ConfigSetSystemCA(*conf, value);
+            break;
         case OPT_PIDFILE:
             ret = SetFileString(&(*conf)->pidFile, value, (*conf)->heap);
             break;
@@ -1304,6 +1310,44 @@ char* wolfSSHD_ConfigGetHostCertFile(const WOLFSSHD_CONFIG* conf)
     return ret;
 }
 
+
+/* getter function for if using system CAs
+ * return 1 if true and 0 if false */
+int wolfSSHD_ConfigGetSystemCA(const WOLFSSHD_CONFIG* conf)
+{
+    if (conf != NULL) {
+        return conf->useSystemCA;
+    }
+    return 0;
+}
+
+
+/* setter function for if using system CAs
+ * 'yes' if true and 'no' if false
+ * returns WS_SUCCESS on success */
+int wolfSSHD_ConfigSetSystemCA(WOLFSSHD_CONFIG* conf, const char* value)
+{
+    int ret = WS_SUCCESS;
+
+    if (conf != NULL) {
+        if (WSTRCMP(value, "yes") == 0) {
+            wolfSSH_Log(WS_LOG_INFO, "[SSHD] System CAs enabled");
+            conf->useSystemCA = 1;
+        }
+        else if (WSTRCMP(value, "no") == 0) {
+            wolfSSH_Log(WS_LOG_INFO, "[SSHD] System CAs disabled");
+            conf->useSystemCA = 0;
+        }
+        else {
+            wolfSSH_Log(WS_LOG_INFO, "[SSHD] System CAs unexpected flag");
+            ret = WS_FATAL_ERROR;
+        }
+    }
+
+    return ret;
+}
+
+
 char* wolfSSHD_ConfigGetUserCAKeysFile(const WOLFSSHD_CONFIG* conf)
 {
     char* ret = NULL;

apps/wolfsshd/configuration.h

@@ -42,6 +42,8 @@ char* wolfSSHD_ConfigGetHostCertFile(const WOLFSSHD_CONFIG* conf);
 char* wolfSSHD_ConfigGetUserCAKeysFile(const WOLFSSHD_CONFIG* conf);
 int wolfSSHD_ConfigSetHostKeyFile(WOLFSSHD_CONFIG* conf, const char* file);
 int wolfSSHD_ConfigSetHostCertFile(WOLFSSHD_CONFIG* conf, const char* file);
+int wolfSSHD_ConfigSetSystemCA(WOLFSSHD_CONFIG* conf, const char* value);
+int wolfSSHD_ConfigGetSystemCA(const WOLFSSHD_CONFIG* conf);
 int wolfSSHD_ConfigSetUserCAKeysFile(WOLFSSHD_CONFIG* conf, const char* file);
 word16 wolfSSHD_ConfigGetPort(const WOLFSSHD_CONFIG* conf);
 char* wolfSSHD_ConfigGetAuthKeysFile(const WOLFSSHD_CONFIG* conf);

apps/wolfsshd/wolfsshd.c

@@ -406,6 +406,39 @@ static int SetupCTX(WOLFSSHD_CONFIG* conf, WOLFSSH_CTX** ctx)
 #endif /* WOLFSSH_OSSH_CERTS || WOLFSSH_CERTS */
 
 #ifdef WOLFSSH_CERTS
+    /* check if loading in system CA certs */
+    if (ret == WS_SUCCESS && wolfSSHD_ConfigGetSystemCA(conf)) {
+        WOLFSSL_CTX* sslCtx;
+
+        wolfSSH_Log(WS_LOG_INFO, "[SSHD] Using system CAs");
+        sslCtx = wolfSSL_CTX_new(wolfSSLv23_method());
+        if (sslCtx == NULL) {
+            wolfSSH_Log(WS_LOG_INFO, "[SSHD] Unable to create temporary CTX");
+            ret = WS_FATAL_ERROR;
+        }
+
+        if (ret == WS_SUCCESS) {
+            if (wolfSSL_CTX_load_system_CA_certs(sslCtx) != WOLFSSL_SUCCESS) {
+                wolfSSH_Log(WS_LOG_INFO, "[SSHD] Issue loading system CAs");
+                ret = WS_FATAL_ERROR;
+            }
+        }
+
+        if (ret == WS_SUCCESS) {
+            if (wolfSSH_SetCertManager(*ctx,
+                wolfSSL_CTX_GetCertManager(sslCtx)) != WS_SUCCESS) {
+                wolfSSH_Log(WS_LOG_INFO,
+                    "[SSHD] Issue copying over system CAs");
+                ret = WS_FATAL_ERROR;
+            }
+        }
+
+        if (sslCtx != NULL) {
+            wolfSSL_CTX_free(sslCtx);
+        }
+    }
+
+    /* load in CA certs from file set */
     if (ret == WS_SUCCESS) {
         char* caCert = wolfSSHD_ConfigGetUserCAKeysFile(conf);
         if (caCert != NULL) {

examples/echoserver/echoserver.c

@@ -2856,8 +2856,6 @@ THREAD_RETURN WOLFSSH_THREAD echoserver_test(void* args)
 #endif /* NO_WOLFSSH_SERVER */
 
 
-void wolfSSL_Debugging_ON(void);
-
 int wolfSSH_Echoserver(int argc, char** argv)
 {
     func_args args;

src/certman.c

@@ -36,7 +36,6 @@
 #endif
 
 
-#include <wolfssl/ssl.h>
 #include <wolfssl/ocsp.h>
 #include <wolfssl/wolfcrypt/error-crypt.h>
 #include <wolfssl/error-ssl.h>
@@ -84,6 +83,26 @@ struct WOLFSSH_CERTMAN {
 };
 
 
+/* used to import an external cert manager, frees and replaces existing manager
+ * returns WS_SUCCESS on success
+ */
+int wolfSSH_SetCertManager(WOLFSSH_CTX* ctx, WOLFSSL_CERT_MANAGER* cm)
+{
+    if (ctx == NULL || cm == NULL) {
+        return WS_BAD_ARGUMENT;
+    }
+
+    /* free up existing cm if present */
+    if (ctx->certMan != NULL && ctx->certMan->cm != NULL) {
+        wolfSSL_CertManagerFree(ctx->certMan->cm);
+    }
+    wolfSSL_CertManager_up_ref(cm);
+    ctx->certMan->cm = cm;
+
+    return WS_SUCCESS;
+}
+
+
 static WOLFSSH_CERTMAN* _CertMan_init(WOLFSSH_CERTMAN* cm, void* heap)
 {
     WOLFSSH_CERTMAN* ret = NULL;

wolfssh/certman.h

@@ -30,6 +30,7 @@
 
 #include <wolfssh/settings.h>
 #include <wolfssh/port.h>
+#include <wolfssl/ssl.h> /* included for WOLFSSL_CERT_MANAGER struct */
 
 #ifdef __cplusplus
 extern "C" {
@@ -40,6 +41,9 @@ struct WOLFSSH_CERTMAN;
 typedef struct WOLFSSH_CERTMAN WOLFSSH_CERTMAN;
 
 
+WOLFSSH_API
+int wolfSSH_SetCertManager(WOLFSSH_CTX* ctx, WOLFSSL_CERT_MANAGER* cm);
+
 WOLFSSH_API
 WOLFSSH_CERTMAN* wolfSSH_CERTMAN_new(void* heap);
 

wolfssh/test.h

@@ -1117,6 +1117,7 @@ static INLINE void build_addr_ipv6(struct sockaddr_in6* addr, const char* peer,
 
 #define BAD 0xFF
 
+#ifndef WOLFSSL_BASE16
 static const byte hexDecode[] =
 {
     0, 1, 2, 3, 4, 5, 6, 7, 8, 9,
@@ -1183,7 +1184,9 @@ static int Base16_Decode(const byte* in, word32 inLen,
     *outLen = outIdx;
     return 0;
 }
-
+#else
+    #include <wolfssl/wolfcrypt/coding.h>
+#endif /* !WOLFSSL_BASE16 */
 
 static void FreeBins(byte* b1, byte* b2, byte* b3, byte* b4)
 {