From df74449ea1074e2b25c4a891b88911bbb8250c5f Mon Sep 17 00:00:00 2001 From: John Safranek Date: Thu, 28 May 2020 15:15:38 -0700 Subject: [PATCH] Auth Type None 1. Added a compile time option to allow None as an authentication type, mainly for testing. 2. Added a couple updates for VxWorks builds. --- examples/echoserver/echoserver.c | 90 +++++++++++++++++++++++++++++--- src/internal.c | 58 +++++++++++++++++++- wolfssh/ssh.h | 1 + wolfssh/test.h | 4 +- 4 files changed, 145 insertions(+), 8 deletions(-) diff --git a/examples/echoserver/echoserver.c b/examples/echoserver/echoserver.c index 3c9fe0f..c90a86a 100644 --- a/examples/echoserver/echoserver.c +++ b/examples/echoserver/echoserver.c @@ -583,11 +583,13 @@ static PwMap* PwMapNew(PwMapList* list, byte type, const byte* username, map->username[usernameSz] = 0; map->usernameSz = usernameSz; - wc_InitSha256(&sha); - c32toa(pSz, flatSz); - wc_Sha256Update(&sha, flatSz, sizeof(flatSz)); - wc_Sha256Update(&sha, p, pSz); - wc_Sha256Final(&sha, map->p); + if (type != WOLFSSH_USERAUTH_NONE) { + wc_InitSha256(&sha); + c32toa(pSz, flatSz); + wc_Sha256Update(&sha, flatSz, sizeof(flatSz)); + wc_Sha256Update(&sha, p, pSz); + wc_Sha256Final(&sha, map->p); + } map->next = list->head; list->head = map; @@ -640,6 +642,45 @@ static const char samplePublicKeyRsaBuffer[] = "biE57dK6BrH5iZwVLTQKux31uCJLPhiktI3iLbdlGZEctJkTasfVSsUizwVIyRjhVKmbdI" "RGwkU38D043AR1h0mUoGCPIKuqcFMf gretel\n"; +static const char sampleNoneBuffer[] = + "holmes\n" + "watson\n"; + + +static int LoadNoneBuffer(byte* buf, word32 bufSz, PwMapList* list) +{ + char* str = (char*)buf; + char* username; + + /* Each line of none list is in the format + * username\n + * This function modifies the passed-in buffer. */ + + if (list == NULL) + return -1; + + if (buf == NULL || bufSz == 0) + return 0; + + while (*str != 0) { + username = str; + str = strchr(username, '\n'); + if (str == NULL) { + return -1; + } + *str = 0; + str++; + if (PwMapNew(list, WOLFSSH_USERAUTH_NONE, + (byte*)username, (word32)strlen(username), + NULL, 0) == NULL ) { + + return -1; + } + } + + return 0; +} + static int LoadPasswordBuffer(byte* buf, word32 bufSz, PwMapList* list) { @@ -762,6 +803,9 @@ static int wsUserAuth(byte authType, } if (authType != WOLFSSH_USERAUTH_PASSWORD && +#ifdef WOLFSSH_ALLOW_USERAUTH_NONE + authType != WOLFSSH_USERAUTH_NONE && +#endif authType != WOLFSSH_USERAUTH_PUBLICKEY) { return WOLFSSH_USERAUTH_FAILURE; @@ -794,7 +838,36 @@ static int wsUserAuth(byte authType, while (map != NULL) { if (authData->usernameSz == map->usernameSz && - memcmp(authData->username, map->username, map->usernameSz) == 0) { + memcmp(authData->username, map->username, map->usernameSz) == 0 && + authData->type == map->type) { + + if (authData->type == WOLFSSH_USERAUTH_PUBLICKEY) { + if (memcmp(map->p, authHash, WC_SHA256_DIGEST_SIZE) == 0) { + return WOLFSSH_USERAUTH_SUCCESS; + } + else { + return WOLFSSH_USERAUTH_INVALID_PUBLICKEY; + } + } + else if (authData->type == WOLFSSH_USERAUTH_PASSWORD) { + if (memcmp(map->p, authHash, WC_SHA256_DIGEST_SIZE) == 0) { + return WOLFSSH_USERAUTH_SUCCESS; + } + else { + passwdRetry--; + return (passwdRetry > 0) ? + WOLFSSH_USERAUTH_INVALID_PASSWORD : + WOLFSSH_USERAUTH_REJECTED; + } + } +#ifdef WOLFSSH_ALLOW_USERAUTH_NONE + else if (authData->type == WOLFSSH_USERAUTH_NONE) { + return WOLFSSH_USERAUTH_SUCCESS; + } +#endif /* WOLFSSH_ALLOW_USERAUTH_NONE */ + else { + return WOLFSSH_USERAUTH_INVALID_AUTHTYPE; + } if (authData->type == map->type) { if (memcmp(map->p, authHash, WC_SHA256_DIGEST_SIZE) == 0) { @@ -975,6 +1048,11 @@ THREAD_RETURN WOLFSSH_THREAD echoserver_test(void* args) memcpy(buf, bufName, bufSz); buf[bufSz] = 0; LoadPublicKeyBuffer(buf, bufSz, &pwMapList); + + bufSz = (word32)strlen(sampleNoneBuffer); + memcpy(buf, sampleNoneBuffer, bufSz); + buf[bufSz] = 0; + LoadNoneBuffer(buf, bufSz, &pwMapList); } #ifdef WOLFSSL_NUCLEUS { diff --git a/src/internal.c b/src/internal.c index 8eef403..502b0bf 100644 --- a/src/internal.c +++ b/src/internal.c @@ -3354,6 +3354,62 @@ static int DoServiceAccept(WOLFSSH* ssh, } +#ifdef WOLFSSH_ALLOW_USERAUTH_NONE +/* Utility for DoUserAuthRequest() */ +static int DoUserAuthRequestNone(WOLFSSH* ssh, WS_UserAuthData* authData, + byte* buf, word32 len, word32* idx) +{ + int ret = WS_SUCCESS; + WLOG(WS_LOG_DEBUG, "Entering DoUserAuthRequestNone()"); + + (void)len; + + if (ssh == NULL || authData == NULL || + buf == NULL || idx == NULL) { + + ret = WS_BAD_ARGUMENT; + } + + if (ret == WS_SUCCESS) { + authData->type = WOLFSSH_USERAUTH_NONE; + if (ssh->ctx->userAuthCb != NULL) { + WLOG(WS_LOG_DEBUG, "DUARN: Calling the userauth callback"); + ret = ssh->ctx->userAuthCb(WOLFSSH_USERAUTH_NONE, + authData, ssh->userAuthCtx); + if (ret == WOLFSSH_USERAUTH_SUCCESS) { + WLOG(WS_LOG_DEBUG, "DUARN: none check successful"); + ssh->clientState = CLIENT_USERAUTH_DONE; + ret = WS_SUCCESS; + } + else if (ret == WOLFSSH_USERAUTH_REJECTED) { + WLOG(WS_LOG_DEBUG, "DUARN: password rejected"); + #ifndef NO_FAILURE_ON_REJECTED + ret = SendUserAuthFailure(ssh, 0); + if (ret == WS_SUCCESS) + ret = WS_USER_AUTH_E; + #else + ret = WS_USER_AUTH_E; + #endif + } + else { + WLOG(WS_LOG_DEBUG, "DUARN: none check failed, retry"); + ret = SendUserAuthFailure(ssh, 0); + } + } + else { + WLOG(WS_LOG_DEBUG, "DUARN: No user auth callback"); + ret = SendUserAuthFailure(ssh, 0); + if (ret == WS_SUCCESS) + ret = WS_FATAL_ERROR; + } + } + + WLOG(WS_LOG_DEBUG, "Leaving DoUserAuthRequestNone(), ret = %d", ret); + return ret; +} +#endif + + /* Utility for DoUserAuthRequest() */ static int DoUserAuthRequestPassword(WOLFSSH* ssh, WS_UserAuthData* authData, byte* buf, word32 len, word32* idx) @@ -3918,7 +3974,7 @@ static int DoUserAuthRequest(WOLFSSH* ssh, } #ifdef WOLFSSH_ALLOW_USERAUTH_NONE else if (authNameId == ID_NONE) { - ssh->clientState = CLIENT_USERAUTH_DONE; + ret = DoUserAuthRequestNone(ssh, &authData, buf, len, &begin); } #endif else { diff --git a/wolfssh/ssh.h b/wolfssh/ssh.h index c8e3948..c9796c6 100644 --- a/wolfssh/ssh.h +++ b/wolfssh/ssh.h @@ -242,6 +242,7 @@ enum WS_FormatTypes { /* bit map */ #define WOLFSSH_USERAUTH_PASSWORD 0x01 #define WOLFSSH_USERAUTH_PUBLICKEY 0x02 +#define WOLFSSH_USERAUTH_NONE 0x04 enum WS_UserAuthResults { diff --git a/wolfssh/test.h b/wolfssh/test.h index 6cbf0b3..64f88e0 100644 --- a/wolfssh/test.h +++ b/wolfssh/test.h @@ -49,6 +49,8 @@ #include #include #include + #include + #include #include #include #include @@ -376,7 +378,7 @@ static INLINE void build_addr(SOCKADDR_IN_T* addr, const char* peer, NU_HOSTENT h; entry = &h; NU_Get_Host_By_Name((char*)peer, entry); - #else + #else struct hostent* entry = gethostbyname(peer); #endif