diff --git a/examples/sftpclient/sftpclient.c b/examples/sftpclient/sftpclient.c index 4e4a0b2..9ac759b 100644 --- a/examples/sftpclient/sftpclient.c +++ b/examples/sftpclient/sftpclient.c @@ -442,6 +442,31 @@ static int wsUserAuth(byte authType, { int ret = WOLFSSH_USERAUTH_INVALID_AUTHTYPE; +#ifdef DEBUG_WOLFSSH + /* inspect supported types from server */ + printf("Server supports "); + if (authData->type & WOLFSSH_USERAUTH_PASSWORD) { + printf("password authentication"); + } + if (authData->type & WOLFSSH_USERAUTH_PUBLICKEY) { + printf(" and public key authentication"); + } + printf("\n"); + printf("wolfSSH requesting to use type %d\n", authType); +#endif + + /* We know hansel has a key, wait for request of public key */ + if (authData->type & WOLFSSH_USERAUTH_PUBLICKEY && + authData->username != NULL && + authData->usernameSz > 0 && + XSTRNCMP((char*)authData->username, "hansel", + authData->usernameSz) == 0) { + if (authType == WOLFSSH_USERAUTH_PASSWORD) { + printf("rejecting password type with hansel in favor of pub key\n"); + return WOLFSSH_USERAUTH_FAILURE; + } + } + if (authType == WOLFSSH_USERAUTH_PASSWORD) { const char* defaultPassword = (const char*)ctx; word32 passwordSz; diff --git a/src/internal.c b/src/internal.c index ad6be33..8658f09 100644 --- a/src/internal.c +++ b/src/internal.c @@ -3817,6 +3817,7 @@ static int DoUserAuthFailure(WOLFSSH* ssh, byte authList[3]; /* Should only ever be password, publickey, hostname */ word32 authListSz = 3; byte partialSuccess; + byte authType = 0; int ret = WS_SUCCESS; WLOG(WS_LOG_DEBUG, "Entering DoUserAuthFailure()"); @@ -3835,35 +3836,32 @@ static int DoUserAuthFailure(WOLFSSH* ssh, /* check authList to see if authId is there */ for (i = 0; i < authListSz; i++) { - if (ssh->authId == authList[i]) { - ret = SendUserAuthRequest(ssh, ssh->authId, 0); - break; + word32 j; + for (j = 0; j < sizeof(ssh->supportedAuth); j++) { + if (authList[i] == ssh->supportedAuth[j]) { + switch(authList[i]) { + case ID_USERAUTH_PASSWORD: + authType |= WOLFSSH_USERAUTH_PASSWORD; + break; + case ID_USERAUTH_PUBLICKEY: + authType |= WOLFSSH_USERAUTH_PUBLICKEY; + break; + default: + break; + } + } } } /* the auth type attempted was not in the list */ - if (ret == WS_SUCCESS && i >= authListSz) { - WLOG(WS_LOG_DEBUG, "Auth ID %d did not match any in peers list", - ssh->authId); + if (authType == 0) { + WLOG(WS_LOG_DEBUG, "Did not match any auth IDs in peers list"); ret = WS_USER_AUTH_E; } + } - /* check if should attempt next auth type */ - if (ret != WS_SUCCESS) { - /* get the current index of the auth type */ - for (i =0; i < sizeof(ssh->supportedAuth); i++) { - if (ssh->authId == ssh->supportedAuth[i]) { - break; - } - } - - if (i + 1 < sizeof(ssh->supportedAuth)) { - ssh->authId = ssh->supportedAuth[i + 1]; - if (ssh->authId != ID_NONE) { - ret = WC_CHANGE_AUTH_E; /* retry with supported auth type */ - } - } - } + if (ret == WS_SUCCESS) { + ret = SendUserAuthRequest(ssh, authType, 0); } WLOG(WS_LOG_DEBUG, "Leaving DoUserAuthFailure(), ret = %d", ret); @@ -7428,21 +7426,31 @@ int SendUserAuthRequest(WOLFSSH* ssh, byte authId, int addSig) authData.username = (const byte*)ssh->userName; authData.usernameSz = ssh->userNameSz; - if (authId == ID_USERAUTH_PASSWORD) { + if (authId & WOLFSSH_USERAUTH_PASSWORD) { ret = ssh->ctx->userAuthCb(WOLFSSH_USERAUTH_PASSWORD, &authData, ssh->userAuthCtx); if (ret != WOLFSSH_USERAUTH_SUCCESS) { WLOG(WS_LOG_DEBUG, "SUAR: Couldn't get password"); ret = WS_FATAL_ERROR; } + else { + WLOG(WS_LOG_DEBUG, "SUAR: Callback successful password"); + authData.type = authId = ID_USERAUTH_PASSWORD; + } } - else if (authId == ID_USERAUTH_PUBLICKEY) { + + /* fall into public key case if password case was not successful */ + if ((ret == WS_FATAL_ERROR) && (authId & WOLFSSH_USERAUTH_PUBLICKEY)) { ret = ssh->ctx->userAuthCb(WOLFSSH_USERAUTH_PUBLICKEY, &authData, ssh->userAuthCtx); if (ret != WOLFSSH_USERAUTH_SUCCESS) { WLOG(WS_LOG_DEBUG, "SUAR: Couldn't get key"); ret = WS_FATAL_ERROR; } + else { + WLOG(WS_LOG_DEBUG, "SUAR: Callback successful public key"); + authData.type = authId = ID_USERAUTH_PUBLICKEY; + } } } else { diff --git a/src/ssh.c b/src/ssh.c index b5d52db..c6ed3ce 100644 --- a/src/ssh.c +++ b/src/ssh.c @@ -750,11 +750,6 @@ int wolfSSH_connect(WOLFSSH* ssh) if (DoReceive(ssh) < WS_SUCCESS) { WLOG(WS_LOG_DEBUG, connectError, "CLIENT_USERAUTH_SENT", ssh->error); - if (ssh->error == WC_CHANGE_AUTH_E) { - /* retry with supported auth type */ - ssh->error = WS_SUCCESS; - continue; - } return WS_FATAL_ERROR; } } diff --git a/wolfssh/ssh.h b/wolfssh/ssh.h index fa6d9bd..853db01 100644 --- a/wolfssh/ssh.h +++ b/wolfssh/ssh.h @@ -238,10 +238,9 @@ enum WS_FormatTypes { }; -enum WS_UserAuthTypes { - WOLFSSH_USERAUTH_PASSWORD, - WOLFSSH_USERAUTH_PUBLICKEY -}; +/* bit map */ +#define WOLFSSH_USERAUTH_PASSWORD 0x01 +#define WOLFSSH_USERAUTH_PUBLICKEY 0x02 enum WS_UserAuthResults {