1. Added extra debugging logs to the user authentication.

2. Reject invalid user names.
3. Fix the readme with regards to the public key log in testing.

README.md

@@ -41,6 +41,12 @@ If the characters are echoed twice, the client has local echo enabled.
 testing notes
 -------------
 
+After cloning the repository, be sure to make the testing private keys read-
+only for the user, otherwise ssh_client will tell you to do it.
+
+    $ chmod 0600 ./certs/key-gretel.pem ./certs/key-hansel.pem \
+                 ./certs/key-ecc.pem
+
 Authentication against the example echoserver can be done with a password or
 public key. To use a password the command line:
 
@@ -53,7 +59,7 @@ Where the `USER` and password pairs are:
 
 To use public key authentication use the command line:
 
-    $ ssh_client -l ./certs/key-USER.pem -p 22222 USER@localhost
+    $ ssh_client -i ./certs/key-USER.pem -p 22222 USER@localhost
 
 Where the user can be `gretel` or `hansel`.
 

src/internal.c

@@ -129,6 +129,9 @@ const char* GetErrorString(int err)
         case WS_RESOURCE_E:
             return "insufficient resources for new channel";
 
+        case WS_INVALID_USERNAME:
+            return "invalid user name";
+
         default:
             return "Unknown error code";
     }
@@ -1389,20 +1392,30 @@ static int DoUserAuthRequestPassword(WOLFSSH* ssh, WS_UserAuthData* authData,
     }
 
     if (ssh->ctx->userAuthCb != NULL) {
-        WLOG(WS_LOG_DEBUG, "DUAR: Checking the password");
+        WLOG(WS_LOG_DEBUG, "DUARPW: Calling the userauth callback");
         ret = ssh->ctx->userAuthCb(WOLFSSH_USERAUTH_PASSWORD,
                                    authData, ssh->userAuthCtx);
-        if (ret == WS_SUCCESS) {
-            WLOG(WS_LOG_DEBUG, "DUAR: password check successful");
+        if (ret == WOLFSSH_USERAUTH_SUCCESS) {
+            WLOG(WS_LOG_DEBUG, "DUARPW: password check successful");
             ssh->clientState = CLIENT_USERAUTH_DONE;
         }
         else {
-            WLOG(WS_LOG_DEBUG, "DUAR: password check failed");
-            SendUserAuthFailure(ssh, 0);
+            WLOG(WS_LOG_DEBUG, "DUARPW: password check failed");
+            if (ret != WOLFSSH_USERAUTH_SUCCESS) {
+                switch (ret) {
+                    case WOLFSSH_USERAUTH_INVALID_USER:
+                        SendDisconnect(ssh,
+                                       WOLFSSH_DISCONNECT_ILLEGAL_USER_NAME);
+                        break;
+                    default:
+                        SendUserAuthFailure(ssh, 0);
+                }
+            }
         }
     }
     else {
-        WLOG(WS_LOG_DEBUG, "DUAR: No user auth callback");
+        WLOG(WS_LOG_DEBUG, "DUARPW: No user auth callback");
+        SendUserAuthFailure(ssh, 0);
     }
 
     *idx = begin;
@@ -1425,6 +1438,7 @@ static int DoUserAuthRequestRsa(WOLFSSH* ssh, WS_UserAuthData_PublicKey* pk,
     uint32_t i = 0;
     int ret;
 
+    WLOG(WS_LOG_DEBUG, "Entering DoUserAuthRequestRsa()");
     /* First check that the public key's type matches the one we are
      * expecting. */
     GetUint32(&publicKeyTypeSz, pk->publicKey, pk->publicKeySz, &i);
@@ -1475,6 +1489,8 @@ static int DoUserAuthRequestPublicKey(WOLFSSH* ssh, WS_UserAuthData* authData,
     WS_UserAuthData_PublicKey* pk = &authData->sf.publicKey;
     int ret = WS_SUCCESS;
 
+    WLOG(WS_LOG_DEBUG, "Entering DoUserAuthRequestPublicKey()");
+
     authData->type = WOLFSSH_USERAUTH_PUBLICKEY;
     GetBoolean(&pk->hasSignature, buf, len, &begin);
     GetUint32(&pk->publicKeyTypeSz, buf, len, &begin);
@@ -1495,12 +1511,26 @@ static int DoUserAuthRequestPublicKey(WOLFSSH* ssh, WS_UserAuthData* authData,
     }
 
     if (ssh->ctx->userAuthCb != NULL) {
+        WLOG(WS_LOG_DEBUG, "DUARPK: Calling the userauth callback");
         ret = ssh->ctx->userAuthCb(WOLFSSH_USERAUTH_PUBLICKEY,
                                    authData, ssh->userAuthCtx);
+        WLOG(WS_LOG_DEBUG, "DUARPK: callback result = %d", ret);
+        if (ret != WOLFSSH_USERAUTH_SUCCESS) {
+            switch (ret) {
+                case WOLFSSH_USERAUTH_INVALID_USER:
+                    SendDisconnect(ssh, WOLFSSH_DISCONNECT_ILLEGAL_USER_NAME);
+                    break;
+                default:
+                    SendUserAuthFailure(ssh, 0);
+            }
+        }
+    }
+    else {
+        WLOG(WS_LOG_DEBUG, "DUARPK: no userauth callback set");
     }
 
     if (pk->signature == NULL) {
-        WLOG(WS_LOG_DEBUG, "DUAR: Send the PK OK");
+        WLOG(WS_LOG_DEBUG, "DUARPK: Send the PK OK");
         ret = SendUserAuthPkOk(ssh, pk->publicKeyType, pk->publicKeyTypeSz,
                                pk->publicKey, pk->publicKeySz);
     }
@@ -1555,7 +1585,7 @@ static int DoUserAuthRequestPublicKey(WOLFSSH* ssh, WS_UserAuthData* authData,
             sizeCompare = encDigestSz != checkDigestSz;
 
             if (compare || sizeCompare || ret < 0) {
-                WLOG(WS_LOG_DEBUG, "signature compare failure");
+                WLOG(WS_LOG_DEBUG, "DUARPK: signature compare failure");
                 SendUserAuthFailure(ssh, 0);
             }
             else {
@@ -2860,7 +2890,7 @@ int SendServiceAccept(WOLFSSH* ssh)
 }
 
 
-static const char cannedAuths[] = "publickey";
+static const char cannedAuths[] = "publickey,password";
 static const uint32_t cannedAuthsSz = sizeof(cannedAuths) - 1;
 
 

wolfssh/error.h

@@ -66,6 +66,7 @@ enum WS_ErrorCodes {
     WS_CREATE_MAC_E    = -24,
     WS_RESOURCE_E      = -25,   /* insufficient resources for new channel */
     WS_INVALID_CHANTYPE = -26,  /* invalid channel type */
+    WS_INVALID_USERNAME = -28
 };