From c26f72cf983c0751127c8a9ec0d076db34de2f44 Mon Sep 17 00:00:00 2001
From: John Safranek
Date: Sun, 1 Nov 2020 19:49:03 -0800
Subject: [PATCH] Maintenance

1. If the public key user authentication fails, don't retry it.
2. Add some more specific logging about the type of a signature getting generated.
---
 src/internal.c | 10 +++++++---
 wolfssh/internal.h | 1 +
 2 files changed, 8 insertions(+), 3 deletions(-)

diff --git a/src/internal.c b/src/internal.c
index f6f73d1..2190e66 100644
--- a/src/internal.c
+++ b/src/internal.c
@@ -2721,6 +2721,7 @@ static int DoKexDhInit(WOLFSSH* ssh, byte* buf, word32 len, word32* idx)
 && ssh->handshake->kexIdGuess != ssh->handshake->kexId) {
 /* skip this message. */
+ WLOG(WS_LOG_DEBUG, "Skipping the client's KEX init function.");
 ssh->handshake->kexPacketFollows = 0;
 *idx += len;
 return WS_SUCCESS;
@@ -6936,7 +6937,8 @@ int SendKexDhReply(WOLFSSH* ssh)
 ret = WS_CRYPTO_FAILED;
 }
 else {
- WLOG(WS_LOG_INFO, "Signing hash with RSA.");
+ WLOG(WS_LOG_INFO, "Signing hash with %s.",
+ IdToName(ssh->handshake->pubKeyId));
 sigSz = wc_RsaSSL_Sign(encSig, encSigSz, sig, sizeof(sig),
 &sigKeyBlock.sk.rsa.key, ssh->rng);
 if (sigSz <= 0) {
@@ -6948,7 +6950,8 @@ int SendKexDhReply(WOLFSSH* ssh)
 }
 else {
 #ifndef WOLFSSH_NO_ECDSA
- WLOG(WS_LOG_INFO, "Signing hash with ECDSA.");
+ WLOG(WS_LOG_INFO, "Signing hash with %s.",
+ IdToName(ssh->handshake->pubKeyId));
 sigSz = sizeof(sig);
 ret = wc_ecc_sign_hash(digest, wc_HashGetDigestSize(sigHashId),
 sig, &sigSz,
@@ -8360,8 +8363,9 @@ int SendUserAuthRequest(WOLFSSH* ssh, byte authId, int addSig)
 if (authId == ID_USERAUTH_PASSWORD)
 ret = PrepareUserAuthRequestPassword(ssh, &payloadSz, &authData);
- else if (authId == ID_USERAUTH_PUBLICKEY) {
+ else if (authId == ID_USERAUTH_PUBLICKEY && !ssh->userAuthPkDone) {
 authData.sf.publicKey.hasSignature = 1;
+ ssh->userAuthPkDone = 1;
 ret = PrepareUserAuthRequestPublicKey(ssh, &payloadSz, &authData,
 &keySig);
 }
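Review bot: The two WLOG calls in SendKexDhReply's RSA branch (the @@ -6936 hunk) and ECDSA branch (the @@ -6948 hunk) are now textually identical, `WLOG(WS_LOG_INFO, "Signing hash with %s.", IdToName(ssh->handshake->pubKeyId));`, so the message could be logged once before the key-type dispatch rather than duplicated per branch. That also keeps the log accurate if a further key type is added later without its own copy of the line. The one thing worth confirming is that IdToName never returns NULL for a pubKeyId that reaches this point, since a NULL argument for `%s` is undefined behavior in the printf family; if it can, log the numeric id alongside the name. SendKexDhReply starts and ends outside both hunks.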
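Review bot: When authId is ID_USERAUTH_PUBLICKEY and ssh->userAuthPkDone is already set, neither branch of the if/else-if in SendUserAuthRequest (the @@ -8360 hunk) runs, so the function continues with whatever ret and payloadSz held beforehand; nothing in the hunk rejects the repeated attempt, and what is then sent depends on code outside the hunk (the function starts and ends outside it). An explicit branch would make the one-shot policy visible and fail fast instead of falling through: `else if (authId == ID_USERAUTH_PUBLICKEY) { WLOG(WS_LOG_DEBUG, "Public key userauth already attempted."); ret = WS_FATAL_ERROR; }`. Note also that the flag is set before PrepareUserAuthRequestPublicKey runs, so a failure to build the request locally — not only the server rejection the commit message describes — disables public-key auth for the rest of the session; if that is intended, a comment on the assignment saying so would help, otherwise set the flag only after the request is successfully prepared or when the server's failure reply is received.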
diff --git a/wolfssh/internal.h b/wolfssh/internal.h
index 683a440..542eea9 100644
--- a/wolfssh/internal.h
+++ b/wolfssh/internal.h
@@ -610,6 +610,7 @@ struct WOLFSSH {
 word32 peerProtoIdSz;
 void* publicKeyCheckCtx;
 byte sendTerminalRequest;
+ byte userAuthPkDone;
 #ifdef USE_WINDOWS_API
 word32 defaultAttr; /* default windows attributes */
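Review bot: The new userAuthPkDone field carries no comment and the patch adds no path that ever clears it, so its meaning is only discoverable by reading SendUserAuthRequest in src/internal.c. A trailing comment in the style of the neighbouring defaultAttr line would document it: `byte userAuthPkDone; /* public-key userauth sent once; not retried */`. The field also relies on the WOLFSSH object being zero-initialised when it is created — presumably it is, but worth confirming, since a stale nonzero value would silently disable public-key authentication for that session.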