authentication manager feature addition#270
authentication manager feature addition#270JacobBarthelmeh wants to merge 47 commits intowolfSSL:mainfrom
Conversation
There was a problem hiding this comment.
Pull request overview
This pull request adds a comprehensive authentication and authorization manager to wolfHSM, enabling user management, login/logout functionality, and permission-based access control for HSM operations.
Changes:
- New authentication manager with PIN and certificate-based authentication support
- Authorization system with group and action-level permission checks
- User management APIs for adding, deleting, and modifying users and their credentials
- Complete client and server implementation with message translation support
Reviewed changes
Copilot reviewed 22 out of 23 changed files in this pull request and generated 8 comments.
Show a summary per file
| File | Description |
|---|---|
| wolfhsm/wh_auth.h | Core auth manager types, structures, and API definitions |
| wolfhsm/wh_message_auth.h | Message structures and translation functions for auth operations |
| wolfhsm/wh_server_auth.h | Server-side auth request handler declaration |
| wolfhsm/wh_client.h | Client-side auth API function declarations |
| wolfhsm/wh_server.h | Server context updated with auth context pointer |
| wolfhsm/wh_message.h | New auth message group and action enums |
| wolfhsm/wh_error.h | New auth-specific error codes |
| src/wh_auth.c | Core auth manager implementation with callback wrappers |
| src/wh_message_auth.c | Message translation implementations for auth messages |
| src/wh_server_auth.c | Server-side request handler for auth operations |
| src/wh_client_auth.c | Client-side auth API implementations |
| src/wh_server.c | Server integration with authorization checks |
| src/wh_client.c | Minor formatting fixes |
| port/posix/posix_auth.h | POSIX auth backend declarations |
| port/posix/posix_auth.c | POSIX auth backend implementation with in-memory user storage |
| test/wh_test_auth.h | Auth test suite declarations |
| test/wh_test_auth.c | Comprehensive auth test suite implementation |
| test/wh_test.c | Test integration for auth tests |
| examples/posix/wh_posix_server/* | Server configuration with auth context setup |
| examples/demo/client/wh_demo_client_all.c | Demo integration for auth |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 24 out of 25 changed files in this pull request and generated 3 comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
JacobBarthelmeh
force-pushed
the
auth_manager
branch
2 times, most recently
from
6b32384 to
1bd722a
Compare
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 29 out of 30 changed files in this pull request and generated no new comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
JacobBarthelmeh
assigned
bigbrett,
wolfSSL-Bot and
billphipps and unassigned
JacobBarthelmeh
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 29 out of 30 changed files in this pull request and generated 2 comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
|
@JacobBarthelmeh merge conflicts |
JacobBarthelmeh
force-pushed
the
auth_manager
branch
from
04bd058 to
4d0af48
Compare
|
Force pushed to resolve merge conflict. |
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 28 out of 29 changed files in this pull request and generated 17 comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
…g WOLFHSM_CFG_ENABLE_AUTHENTICATION
…ouch up for test cases
…d test that authorization callback override is being called when set
…ique max credentials, add force zero to utils
… to auth translation layer, admin user add restriction, duplicate user name restriction
JacobBarthelmeh
force-pushed
the
auth_manager
branch
from
0c79e67 to
bebc912
Compare
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 41 out of 43 changed files in this pull request and generated 5 comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| @@ -138,6 +139,7 @@ typedef struct { | |||
| typedef struct whServerConfig_t { | |||
| whCommServerConfig* comm_config; | |||
| whNvmContext* nvm; | |||
| whAuthContext* auth; | |||
|
|
|||
| #ifndef WOLFHSM_CFG_NO_CRYPTO | |||
| whServerCryptoContext* crypto; | |||
| @@ -160,6 +162,7 @@ typedef struct whServerConfig_t { | |||
| /* Context structure to maintain the state of an HSM server */ | |||
| struct whServerContext_t { | |||
| whNvmContext* nvm; | |||
| whAuthContext* auth; | |||
| whCommServer comm[1]; | |||
There was a problem hiding this comment.
whServerConfig / whServerContext now unconditionally include whAuthContext* auth and #include "wolfhsm/wh_auth.h", which changes the public struct layout/ABI even when authentication is not enabled. If auth is meant to be optional (as other features are), consider wrapping the include and these struct members in #ifdef WOLFHSM_CFG_ENABLE_AUTHENTICATION (or adding an opaque extension pointer) to avoid forcing an ABI break and extra footprint in non-auth builds.
| size_t len; | ||
|
|
||
| if (username == NULL) { | ||
| return 0; | ||
| } | ||
|
|
||
| len = strnlen(username, WH_MESSAGE_AUTH_MAX_USERNAME_LEN); | ||
| return (len < WH_MESSAGE_AUTH_MAX_USERNAME_LEN); |
There was a problem hiding this comment.
_UserNameIsValid() relies on strnlen(), which is not ISO C90/C99 and may not exist on some embedded/libc configurations. Also, it currently accepts the empty string as a valid username. Consider switching to a small bounded loop (or memchr) for portability and require username[0] != '\0' to prevent empty-user edge cases.
| size_t len; | |
| if (username == NULL) { | |
| return 0; | |
| } | |
| len = strnlen(username, WH_MESSAGE_AUTH_MAX_USERNAME_LEN); | |
| return (len < WH_MESSAGE_AUTH_MAX_USERNAME_LEN); | |
| size_t i; | |
| if (username == NULL || username[0] == '\0') { | |
| return 0; | |
| } | |
| for (i = 0; i < WH_MESSAGE_AUTH_MAX_USERNAME_LEN; i++) { | |
| if (username[i] == '\0') { | |
| return 1; | |
| } | |
| } | |
| return 0; |
| /* Secure zeroization that resists compiler optimization. | ||
| * Uses volatile to prevent the compiler from optimizing away the writes. */ | ||
| void wh_Utils_ForceZero(void* mem, uint32_t size) | ||
| { | ||
| volatile uint8_t* p = (volatile uint8_t*)mem; | ||
| while (size > 0) { | ||
| *p = 0; | ||
| p++; | ||
| size--; | ||
| } | ||
| } |
There was a problem hiding this comment.
wh_Utils_ForceZero() will dereference mem when size > 0 even if mem == NULL, which can crash callers. Consider guarding if (mem == NULL || size == 0) return; (and optionally using memset_s/explicit_bzero where available) so it’s safe as a general-purpose utility.
| static whAuthBase_User* wh_Auth_BaseCheckPin(const char* username, | ||
| const void* auth_data, | ||
| uint16_t auth_data_len) | ||
| { | ||
| whAuthBase_User* found_user; | ||
| unsigned char authCheck[WH_AUTH_BASE_MAX_CREDENTIALS_LEN]; | ||
| uint16_t authCheck_len; | ||
| int rc; | ||
|
|
||
| /* Process auth_data: hash if crypto enabled, copy if disabled */ | ||
| rc = wh_Auth_BaseHashPin(auth_data, auth_data_len, authCheck); | ||
| if (rc != WH_ERROR_OK) { | ||
| return NULL; | ||
| } | ||
| #ifndef WOLFHSM_CFG_NO_CRYPTO | ||
| authCheck_len = WC_SHA256_DIGEST_SIZE; | ||
| #else | ||
| authCheck_len = auth_data_len; | ||
| #endif /* WOLFHSM_CFG_NO_CRYPTO */ | ||
|
|
||
| found_user = wh_Auth_BaseFindUser(username); | ||
| if (found_user != NULL && found_user->method == WH_AUTH_METHOD_PIN && | ||
| found_user->credentials_len == authCheck_len && | ||
| wh_Utils_ConstantCompare(found_user->credentials, authCheck, | ||
| authCheck_len) == 0) { | ||
| return found_user; | ||
| } | ||
| return NULL; |
There was a problem hiding this comment.
wh_Auth_BaseCheckPin() leaves the derived credential material (authCheck) on the stack after returning. Since this buffer contains a PIN hash / PIN copy (when NO_CRYPTO), consider zeroizing authCheck (and any temporary hashes) with wh_Utils_ForceZero() before returning to reduce credential lifetime in memory.
| /* Pick up compile-time configuration */ | ||
| #include "wolfhsm/wh_settings.h" | ||
|
|
||
| #include <stdint.h> | ||
| #include <stddef.h> | ||
| #include <string.h> | ||
|
|
||
| #include "wolfhsm/wh_common.h" | ||
| #include "wolfhsm/wh_error.h" | ||
|
|
||
| #include "wolfhsm/wh_auth.h" | ||
| #include "wolfhsm/wh_message_auth.h" | ||
|
|
There was a problem hiding this comment.
Auth sources (e.g., this file) are compiled unconditionally, while other optional subsystems (e.g., certificate manager: src/wh_message_cert.c) are fully gated by feature macros. If WOLFHSM_CFG_ENABLE_AUTHENTICATION is intended to exclude auth code from non-auth builds (as docs state), consider wrapping these implementations in #ifdef WOLFHSM_CFG_ENABLE_AUTHENTICATION and providing minimal stubs (returning WH_AUTH_NOT_ENABLED) when disabled.
The authentication manager feature adds support for a user login and checking a users permissions for performing a group+action. The API was designed with PKCS11 in mind.
Some things of note: