From 3e4d9c0b956073db871ab5e9af5fe54195e9b002 Mon Sep 17 00:00:00 2001
From: Andrew Hutchings <andrew@wolfssl.com>
Date: Tue, 6 May 2025 09:44:06 +0100
Subject: [PATCH] Keyboard Interactive bug fixes

* `keyboardAuthCb` was not initalized correctly, meaning we could
  enable the mode without callback.
* `SendUserAuthKeyboardRequest` didn't check `keyboardAuthCb` for
  `NULL`.
* `DoUserAuthInfoResponse` left `authData` partially uninitialized.
* `DoUserAuthInfoResponse` new checks that KB auth is in progress.
---
 src/internal.c | 18 +++++++++++++++++-
 tests/auth.c   |  5 +++++
 2 files changed, 22 insertions(+), 1 deletion(-)

diff --git a/src/internal.c b/src/internal.c
index e1a042e4..7e7b0827 100644
--- a/src/internal.c
+++ b/src/internal.c
@@ -872,6 +872,9 @@ WOLFSSH_CTX* CtxInit(WOLFSSH_CTX* ctx, byte side, void* heap)
     ctx->algoListCipher = cannedEncAlgoNames;
     ctx->algoListMac = cannedMacAlgoNames;
     ctx->algoListKeyAccepted = cannedKeyAlgoNames;
+#ifdef WOLFSSH_KEYBOARD_INTERACTIVE
+    ctx->keyboardAuthCb = NULL;
+#endif
 
     count = (word32)(sizeof(ctx->privateKey)
             / sizeof(ctx->privateKey[0]));
@@ -6421,11 +6424,16 @@ static int DoUserAuthInfoResponse(WOLFSSH* ssh,
 
 
     if (ssh == NULL || buf == NULL || len == 0 || idx == NULL) {
-
         ret = WS_BAD_ARGUMENT;
     }
 
+    if ((ret == WS_SUCCESS) && (ssh->authId != ID_USERAUTH_KEYBOARD)) {
+        WLOG(WS_LOG_DEBUG, "DoUserAuthInfoResponse on non-keyboard auth");
+        ret = WS_FATAL_ERROR;
+    }
+
     if (ret == WS_SUCCESS) {
+        WMEMSET(&authData, 0, sizeof(authData));
         begin = *idx;
         kb = &authData.sf.keyboard;
         authData.type = WOLFSSH_USERAUTH_KEYBOARD;
@@ -7784,6 +7792,7 @@ static int DoUserAuthRequest(WOLFSSH* ssh,
         authData.authName = buf + begin;
         begin += authData.authNameSz;
         authNameId = NameToId((char*)authData.authName, authData.authNameSz);
+        ssh->authId = authNameId;
 
         if (authNameId == ID_USERAUTH_PASSWORD)
             ret = DoUserAuthRequestPassword(ssh, &authData, buf, len, &begin);
@@ -8044,6 +8053,8 @@ static int DoUserAuthInfoRequest(WOLFSSH* ssh, byte* buf, word32 len,
         ret = SendUserAuthKeyboardResponse(ssh);
     }
 
+    ssh->authId = ID_USERAUTH_KEYBOARD;
+
     WLOG(WS_LOG_DEBUG, "Leaving DoUserAuthInfoRequest(), ret = %d", ret);
 
     return ret;
@@ -13348,6 +13359,11 @@ int SendUserAuthKeyboardRequest(WOLFSSH* ssh, WS_UserAuthData* authData)
         ret = WS_BAD_ARGUMENT;
     }
 
+    if (ssh->ctx->keyboardAuthCb == NULL) {
+        WLOG(WS_LOG_DEBUG, "SendUserAuthKeyboardRequest called with no Cb set");
+        ret = WS_BAD_USAGE;
+    }
+
     if (ret == WS_SUCCESS) {
         ret = ssh->ctx->keyboardAuthCb(&authData->sf.keyboard,
                                        ssh->keyboardAuthCtx);
diff --git a/tests/auth.c b/tests/auth.c
index 147db829..cf57a3c1 100644
--- a/tests/auth.c
+++ b/tests/auth.c
@@ -586,6 +586,11 @@ int wolfSSH_AuthTest(int argc, char** argv)
     defined(NO_FILESYSTEM) || !defined(WOLFSSH_KEYBOARD_INTERACTIVE)
     return 77;
 #else
+
+#if defined(DEBUG_WOLFSSH)
+    wolfSSH_Debugging_ON();
+#endif
+
     AssertIntEQ(wolfSSH_Init(), WS_SUCCESS);
 
     #if defined(FIPS_VERSION_GE) && FIPS_VERSION_GE(5,2)