bitwarden · quexten · Dec 12, 2024 · Dec 18, 2024 · Dec 18, 2024 · Dec 18, 2024
@@ -10,20 +10,20 @@ default = ["sys"]
 manual_test = []
 
 sys = [
-  "dep:widestring",
-  "dep:windows",
-  "dep:core-foundation",
-  "dep:security-framework",
-  "dep:security-framework-sys",
-  "dep:zbus",
-  "dep:zbus_polkit",
+    "dep:widestring",
+    "dep:windows",
+    "dep:core-foundation",
+    "dep:security-framework",
+    "dep:security-framework-sys",
+    "dep:zbus",
+    "dep:zbus_polkit",
 ]
 
 [dependencies]
 aes = "=0.8.4"
 anyhow = "=1.0.94"
 arboard = { version = "=3.4.1", default-features = false, features = [
-  "wayland-data-control",
+    "wayland-data-control",
 ] }
 argon2 = { version = "=0.5.3", features = ["zeroize"] }
 async-stream = "=0.3.6"
@@ -44,12 +44,12 @@ scopeguard = "=1.2.0"
 sha2 = "=0.10.8"
 ssh-encoding = "=0.2.0"
 ssh-key = { version = "=0.6.7", default-features = false, features = [
-  "encryption",
-  "ed25519",
-  "rsa",
-  "getrandom",
+    "encryption",
+    "ed25519",
+    "rsa",
+    "getrandom",
 ] }
-bitwarden-russh = { git = "https://github.com/bitwarden/bitwarden-russh.git", rev = "23b50e3bbe6d56ef19ab0e98e8bb1462cb6d77ae" }
+bitwarden-russh = { git = "https://github.com/bitwarden/bitwarden-russh.git", rev = "3d48f140fd506412d186203238993163a8c4e536" }
 tokio = { version = "=1.41.1", features = ["io-util", "sync", "macros", "net"] }
 tokio-stream = { version = "=0.1.15", features = ["net"] }
 tokio-util = { version = "=0.7.12", features = ["codec"] }
@@ -64,16 +64,16 @@ sysinfo = { version = "0.32.0", features = ["windows"] }
 [target.'cfg(windows)'.dependencies]
 widestring = { version = "=1.1.0", optional = true }
 windows = { version = "=0.58.0", features = [
-  "Foundation",
-  "Security_Credentials_UI",
-  "Security_Cryptography",
-  "Storage_Streams",
-  "Win32_Foundation",
-  "Win32_Security_Credentials",
-  "Win32_System_WinRT",
-  "Win32_UI_Input_KeyboardAndMouse",
-  "Win32_UI_WindowsAndMessaging",
-  "Win32_System_Pipes",
+    "Foundation",
+    "Security_Credentials_UI",
+    "Security_Cryptography",
+    "Storage_Streams",
+    "Win32_Foundation",
+    "Win32_Security_Credentials",
+    "Win32_System_WinRT",
+    "Win32_UI_Input_KeyboardAndMouse",
+    "Win32_UI_WindowsAndMessaging",
+    "Win32_System_Pipes",
 ], optional = true }
 
 [target.'cfg(windows)'.dev-dependencies]

@@ -19,6 +19,8 @@ mod peercred_unix_listener_stream;
 pub mod generator;
 pub mod importer;
 pub mod peerinfo;
+mod request_parser;
+
 #[derive(Clone)]
 pub struct BitwardenDesktopAgent {
     keystore: ssh_agent::KeyStore,
@@ -36,19 +38,43 @@ pub struct SshAgentUIRequest {
     pub cipher_id: Option<String>,
     pub process_name: String,
     pub is_list: bool,
+    pub is_sig: bool,
+    pub is_git: bool,
+    pub is_forwarding: bool,
 }
 
 impl ssh_agent::Agent<peerinfo::models::PeerInfo> for BitwardenDesktopAgent {
-    async fn confirm(&self, ssh_key: Key, info: &peerinfo::models::PeerInfo) -> bool {
+    async fn confirm(&self, ssh_key: Key, data: &[u8], info: &peerinfo::models::PeerInfo) -> bool {
         if !self.is_running() {
             println!("[BitwardenDesktopAgent] Agent is not running, but tried to call confirm");
             return false;
         }
 
         let request_id = self.get_request_id().await;
+        let request_data = request_parser::parse_request(data);
+        if let Err(e) = request_data {
+            println!("[SSH Agent] Error while parsing request: {}", e);
+            return false;
+        }
+        let request_data = request_data.unwrap();
+        let is_sig = match request_data {
+            request_parser::SshAgentSignRequest::SshSigRequest(_) => true,
+            request_parser::SshAgentSignRequest::SignRequest(_) => false,
+        };
+        let is_git = is_sig
+            && match request_data {
+                request_parser::SshAgentSignRequest::SshSigRequest(ref req) => {
+                    req.namespace == "git"
+                }
+                _ => false,
+            };
+
         println!(
-            "[SSH Agent] Confirming request from application: {}",
-            info.process_name()
+            "[SSH Agent] Confirming request from application: {}, is_forwarding: {}, is_sshsig: {}, is_git: {}",
+            info.process_name(),
+            info.is_forwarding(),
+            is_sig,
+            is_git
         );
 
         let mut rx_channel = self.get_ui_response_rx.lock().await.resubscribe();
@@ -58,6 +84,9 @@ impl ssh_agent::Agent<peerinfo::models::PeerInfo> for BitwardenDesktopAgent {
                 cipher_id: Some(ssh_key.cipher_uuid.clone()),
                 process_name: info.process_name().to_string(),
                 is_list: false,
+                is_sig,
+                is_git,
+                is_forwarding: info.is_forwarding(),
             })
             .await
             .expect("Should send request to ui");
@@ -82,6 +111,9 @@ impl ssh_agent::Agent<peerinfo::models::PeerInfo> for BitwardenDesktopAgent {
             cipher_id: None,
             process_name: info.process_name().to_string(),
             is_list: true,
+            is_sig: false,
+            is_git: false,
+            is_forwarding: info.is_forwarding(),
         };
         self.show_ui_request_tx
             .send(message)
@@ -94,6 +126,17 @@ impl ssh_agent::Agent<peerinfo::models::PeerInfo> for BitwardenDesktopAgent {
         }
         false
     }
+
+    async fn set_is_forwarding(
+        &self,
+        is_forwarding: bool,
+        connection_info: &peerinfo::models::PeerInfo,
+    ) -> () {
+        // is_forwarding can only be added but never removed from a connection
+        if is_forwarding {
+            connection_info.set_forwarding(is_forwarding);
+        }
+    }
 }
 
 impl BitwardenDesktopAgent {

@@ -37,12 +37,7 @@ impl Stream for PeercredUnixListenerStream {
                             ))));
                         }
                     },
-                    Err(err) => {
-                        return Poll::Ready(Some(Err(io::Error::new(
-                            io::ErrorKind::Other,
-                            format!("Failed to get peer credentials: {}", err),
-                        ))));
-                    }
+                    Err(_) => return Poll::Ready(Some(Ok((stream, PeerInfo::unknown())))),
                 };
                 let peer_info = peerinfo::gather::get_peer_info(pid as u32);
                 match peer_info {

@@ -1,3 +1,5 @@
+use std::sync::{atomic::AtomicBool, Arc};
+
 /**
 * Peerinfo represents the information of a peer process connecting over a socket.
 * This can be later extended to include more information (icon, app name) for the corresponding application.
@@ -7,6 +9,7 @@ pub struct PeerInfo {
     uid: u32,
     pid: u32,
     process_name: String,
+    is_forwarding: Arc<AtomicBool>,
 }
 
 impl PeerInfo {
@@ -15,6 +18,16 @@ impl PeerInfo {
             uid,
             pid,
             process_name,
+            is_forwarding: Arc::new(AtomicBool::new(false)),
+        }
+    }
+
+    pub fn unknown() -> Self {
+        Self {
+            uid: 0,
+            pid: 0,
+            process_name: "Unknown".to_string(),
+            is_forwarding: Arc::new(AtomicBool::new(false)),
         }
     }
 
@@ -29,4 +42,14 @@ impl PeerInfo {
     pub fn process_name(&self) -> &str {
         &self.process_name
     }
+
+    pub fn is_forwarding(&self) -> bool {
+        self.is_forwarding
+            .load(std::sync::atomic::Ordering::Relaxed)
+    }
+
+    pub fn set_forwarding(&self, value: bool) {
+        self.is_forwarding
+            .store(value, std::sync::atomic::Ordering::Relaxed);
+    }
 }
@@ -0,0 +1,47 @@
+#[derive(Debug)]
+pub(crate) struct SshSigRequest {
+    pub namespace: String,
+}
+
+#[derive(Debug)]
+pub(crate) struct SignRequest {}
+
+#[derive(Debug)]
+pub(crate) enum SshAgentSignRequest {
+    SshSigRequest(SshSigRequest),
+    SignRequest(SignRequest),
+}
+
+pub(crate) fn parse_request(data: &[u8]) -> Result<SshAgentSignRequest, anyhow::Error> {
+    let magic_header = "SSHSIG";
+    let mut data_iter = data.to_vec().into_iter();
+    let header = data_iter
+        .by_ref()
+        .take(magic_header.len())
+        .collect::<Vec<u8>>();
+
+    // sshsig; based on https://github.com/openssh/openssh-portable/blob/master/PROTOCOL.sshsig
+    if header == magic_header.as_bytes() {
+        let version = data_iter.by_ref().take(4).collect::<Vec<u8>>();
+        let _version = u32::from_be_bytes(
+            version
+                .try_into()
+                .map_err(|_| anyhow::anyhow!("Invalid version"))?,
+        );
+
+        // read until null byte
+        let namespace = data_iter
+            .by_ref()
+            .take_while(|&x| x != 0)
+            .collect::<Vec<u8>>();
+        let namespace =
+            String::from_utf8(namespace).map_err(|_| anyhow::anyhow!("Invalid namespace"))?;
+
+        Ok(SshAgentSignRequest::SshSigRequest(SshSigRequest {
+            namespace,
+        }))
+    } else {
+        // regular sign request
+        Ok(SshAgentSignRequest::SignRequest(SignRequest {}))
+    }
+}
@@ -67,7 +67,7 @@ export declare namespace sshagent {
     status: SshKeyImportStatus
     sshKey?: SshKey
   }
-  export function serve(callback: (err: Error | null, arg0: string | undefined | null, arg1: boolean, arg2: string) => any): Promise<SshAgentState>
+  export function serve(callback: (err: Error | null, arg0: string | undefined | null, arg1: boolean, arg2: string, arg3: boolean, arg4: boolean, arg5: boolean) => any): Promise<SshAgentState>
   export function stop(agentState: SshAgentState): void
   export function isRunning(agentState: SshAgentState): boolean
   export function setKeys(agentState: SshAgentState, newKeys: Array<PrivateKey>): void

@@ -247,7 +247,10 @@ pub mod sshagent {
 
     #[napi]
     pub async fn serve(
-        callback: ThreadsafeFunction<(Option<String>, bool, String), CalleeHandled>,
+        callback: ThreadsafeFunction<
+            (Option<String>, bool, String, bool, bool, bool),
+            CalleeHandled,
+        >,
     ) -> napi::Result<SshAgentState> {
         let (auth_request_tx, mut auth_request_rx) =
             tokio::sync::mpsc::channel::<desktop_core::ssh_agent::SshAgentUIRequest>(32);
@@ -268,6 +271,9 @@ pub mod sshagent {
                             request.cipher_id,
                             request.is_list,
                             request.process_name,
+                            request.is_forwarding,
+                            request.is_sig,
+                            request.is_git,
                         )))
                         .await;
                     match promise_result {

diff --git a/apps/desktop/src/locales/en/messages.json b/apps/desktop/src/locales/en/messages.json
@@ -3371,9 +3371,27 @@
   "sshkeyApprovalTitle": {
     "message": "Confirm SSH key usage"
   },
+  "agentForwardingWarningTitle": {
+    "message": "Warning: Agent Forwarding"
+  },
+  "agentForwardingWarningText": {
+    "message": "This request comes from a remote device that you are logged into"
+  },
   "sshkeyApprovalMessageInfix": {
     "message": "is requesting access to"
   },
+  "sshkeyApprovalMessageSuffix": {
+    "message": "in order to"
+  },
+  "sshActionLogin": {
+    "message": "authenticate to a server"
+  },
+  "sshActionSign": {
+    "message": "sign a message"
+  },
+  "sshActionGitSign": {
+    "message": "sign a git commit"
+  },
   "unknownApplication": {
     "message": "An application"
   },

@@ -2,8 +2,17 @@
   <bit-dialog>
     <div class="tw-font-semibold" bitDialogTitle>{{ "sshkeyApprovalTitle" | i18n }}</div>
     <div bitDialogContent>
+      <app-callout
+        type="warning"
+        title="{{ 'agentForwardingWarningTitle' | i18n }}"
+        *ngIf="params.isAgentForwarding"
+      >
+        {{ 'agentForwardingWarningText' | i18n }}
+      </app-callout>
+
       <b>{{params.applicationName}}</b> {{ "sshkeyApprovalMessageInfix" | i18n }}
-      <b>{{params.cipherName}}</b>.
+      <b>{{params.cipherName}}</b>
+      {{ "sshkeyApprovalMessageSuffix" | i18n }} {{ params.action | i18n }}
     </div>
     <div bitDialogFooter>
       <button type="submit" bitButton bitFormButton buttonType="primary">