authentication manager feature addition#270
authentication manager feature addition#270JacobBarthelmeh wants to merge 53 commits intowolfSSL:mainfrom
Conversation
There was a problem hiding this comment.
Pull request overview
This pull request adds a comprehensive authentication and authorization manager to wolfHSM, enabling user management, login/logout functionality, and permission-based access control for HSM operations.
Changes:
- New authentication manager with PIN and certificate-based authentication support
- Authorization system with group and action-level permission checks
- User management APIs for adding, deleting, and modifying users and their credentials
- Complete client and server implementation with message translation support
Reviewed changes
Copilot reviewed 22 out of 23 changed files in this pull request and generated 8 comments.
Show a summary per file
| File | Description |
|---|---|
| wolfhsm/wh_auth.h | Core auth manager types, structures, and API definitions |
| wolfhsm/wh_message_auth.h | Message structures and translation functions for auth operations |
| wolfhsm/wh_server_auth.h | Server-side auth request handler declaration |
| wolfhsm/wh_client.h | Client-side auth API function declarations |
| wolfhsm/wh_server.h | Server context updated with auth context pointer |
| wolfhsm/wh_message.h | New auth message group and action enums |
| wolfhsm/wh_error.h | New auth-specific error codes |
| src/wh_auth.c | Core auth manager implementation with callback wrappers |
| src/wh_message_auth.c | Message translation implementations for auth messages |
| src/wh_server_auth.c | Server-side request handler for auth operations |
| src/wh_client_auth.c | Client-side auth API implementations |
| src/wh_server.c | Server integration with authorization checks |
| src/wh_client.c | Minor formatting fixes |
| port/posix/posix_auth.h | POSIX auth backend declarations |
| port/posix/posix_auth.c | POSIX auth backend implementation with in-memory user storage |
| test/wh_test_auth.h | Auth test suite declarations |
| test/wh_test_auth.c | Comprehensive auth test suite implementation |
| test/wh_test.c | Test integration for auth tests |
| examples/posix/wh_posix_server/* | Server configuration with auth context setup |
| examples/demo/client/wh_demo_client_all.c | Demo integration for auth |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 24 out of 25 changed files in this pull request and generated 3 comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
JacobBarthelmeh
force-pushed
the
auth_manager
branch
2 times, most recently
from
6b32384 to
1bd722a
Compare
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 29 out of 30 changed files in this pull request and generated no new comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
JacobBarthelmeh
assigned
bigbrett,
wolfSSL-Bot and
billphipps and unassigned
JacobBarthelmeh
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 29 out of 30 changed files in this pull request and generated 2 comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
|
@JacobBarthelmeh merge conflicts |
JacobBarthelmeh
force-pushed
the
auth_manager
branch
from
04bd058 to
4d0af48
Compare
|
Force pushed to resolve merge conflict. |
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 28 out of 29 changed files in this pull request and generated 17 comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
…d test that authorization callback override is being called when set
…ique max credentials, add force zero to utils
… to auth translation layer, admin user add restriction, duplicate user name restriction
JacobBarthelmeh
force-pushed
the
auth_manager
branch
from
0c79e67 to
bebc912
Compare
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 41 out of 43 changed files in this pull request and generated 5 comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
JacobBarthelmeh
force-pushed
the
auth_manager
branch
from
a6b484b to
fce94f6
Compare
wolfSSL-Fenrir-bot
left a comment
wolfSSL-Fenrir-bot
left a comment
There was a problem hiding this comment.
Fenrir Automated Review — PR #270
Scan targets checked: wolfhsm-consttime, wolfhsm-core-bugs, wolfhsm-defaults, wolfhsm-mutation, wolfhsm-proptest, wolfhsm-src, wolfhsm-zeroize
Findings: 7
7 finding(s) posted as inline comments (see file-level comments below)
This review was generated automatically by Fenrir. Findings are non-blocking.
…ve data before function return
JacobBarthelmeh
force-pushed
the
auth_manager
branch
from
fce94f6 to
6dfa0cf
Compare
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 41 out of 43 changed files in this pull request and generated 6 comments.
Comments suppressed due to low confidence (1)
wolfhsm/wh_auth.h:1
- The comment says this macro enables the group and only the given action bit, but the implementation ORs the bit into the existing mask (it does not clear other action bits). Either update the comment to match behavior ("enables the given action bit") or change the macro to clear all action words for the group before setting the single bit.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 42 out of 44 changed files in this pull request and generated 2 comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
bigbrett
left a comment
bigbrett
left a comment
There was a problem hiding this comment.
As discussed offline, one blocking bugfix needed, as well as a documentation update to tag this feature as experimental. I will post a list of the other issues found in a subsequent review that can then be addressed with follow-up PRs
| /* do not allow duplicate users with same name */ | ||
| if (strcmp(users[i].user.username, username) == 0) { | ||
| return WH_ERROR_BADARGS; | ||
| } |
There was a problem hiding this comment.
The uniqueness loop in UserAdd breaks at the first empty slot instead of scanning the whole array. UserDelete zeroes slots in place without compacting, so any delete creates a gap that blinds the check to everything past it.
The attack (identity confusion / lockout):
- State:
[0]=bob, [1]=admin. - Admin deletes bob →
[0]=empty, [1]=admin. - Attacker with
USER_ADDperm callsUserAdd(username="admin", ...)with their own PIN. - Loop breaks at slot 0 (empty), never scans slot 1 → duplicate admin is inserted.
FindUser("admin")returns the first match → always the impostor.- Real admin's login fails (PIN doesn't match impostor's hash) = locked out. Attacker logs in as "admin" at their own (non-admin) permissions = identity confusion.
Key insight: The attacker doesn't gain admin rights — they gain the name "admin", which is enough to shadow the real account in every name-based lookup.
Fix: Two-pass the loop — scan all slots for duplicates, then find a free slot. Or compact the array on delete.
… is a experimental feature in development
The authentication manager feature adds support for a user login and checking a users permissions for performing a group+action. The API was designed with PKCS11 in mind.
Some things of note: