From 650bdf40b4ac149fd7ad13d613cba3ad3563966c Mon Sep 17 00:00:00 2001
From: Takashi Kojo
Date: Wed, 26 Jun 2019 13:27:14 +0900
Subject: [PATCH 1/5] Pasword retry out
---
 examples/echoserver/echoserver.c | 12 +++++++++---
 src/internal.c | 12 +++++++++++-
 wolfssh/ssh.h | 1 +
 3 files changed, 21 insertions(+), 4 deletions(-)
diff --git a/examples/echoserver/echoserver.c b/examples/echoserver/echoserver.c
index 6b20133..0cfe821 100644
--- a/examples/echoserver/echoserver.c
+++ b/examples/echoserver/echoserver.c
@@ -683,6 +683,8 @@ static int LoadPublicKeyBuffer(byte* buf, word32 bufSz, PwMapList* list)
 return 0;
 }
+#define MAX_PASSWD_RETRY 3
+static int passwdRetry = MAX_PASSWD_RETRY;
 static int wsUserAuth(byte authType, WS_UserAuthData* authData,
@@ -691,6 +693,7 @@ static int wsUserAuth(byte authType,
 PwMapList* list;
 PwMap* map;
 byte authHash[SHA256_DIGEST_SIZE];
+ int ret;
 if (ctx == NULL) {
 fprintf(stderr, "wsUserAuth: ctx not set");
@@ -737,9 +740,12 @@ static int wsUserAuth(byte authType,
 return WOLFSSH_USERAUTH_SUCCESS;
 }
 else {
- return (authType == WOLFSSH_USERAUTH_PASSWORD ?
- WOLFSSH_USERAUTH_INVALID_PASSWORD :
- WOLFSSH_USERAUTH_INVALID_PUBLICKEY);
+ ret = (authType == WOLFSSH_USERAUTH_PASSWORD ?
+ (--passwdRetry > 0 ?
+ WOLFSSH_USERAUTH_INVALID_PASSWORD : WOLFSSH_USERAUTH_PASSWORD_RETRYOUT)
+ : WOLFSSH_USERAUTH_INVALID_PUBLICKEY);
+ if (passwdRetry == 0)passwdRetry = MAX_PASSWD_RETRY;
+ return ret;
 }
 }
 else {
diff --git a/src/internal.c b/src/internal.c
index 64b36fd..31e7846 100644
--- a/src/internal.c
+++ b/src/internal.c
@@ -3211,7 +3211,7 @@ static int DoUserAuthRequestPassword(WOLFSSH* ssh, WS_UserAuthData* authData,
 pw->newPassword = NULL;
 pw->newPasswordSz = 0;
 }
-
+
 if (ssh->ctx->userAuthCb != NULL) {
 WLOG(WS_LOG_DEBUG, "DUARPW: Calling the userauth callback");
 ret = ssh->ctx->userAuthCb(WOLFSSH_USERAUTH_PASSWORD,
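Review bot: `passwdRetry` in the -683 hunk is a file-scope static, so the attempt budget consumed in the -737 hunk is shared by every session the server handles rather than tracked per client: failures in one connection eat into another's allowance, the `return WOLFSSH_USERAUTH_SUCCESS;` two lines above the `else` never resets it, and since the worker runs as a thread (`server_worker` in the later patch 4 hunk) concurrent callbacks decrement it with no synchronization. Keeping the counter in per-session state reachable through the callback's `ctx` argument and resetting it to `MAX_PASSWD_RETRY` on success would give the per-client limit the subject implies. The re-arm line also wants a space and a why-comment: `if (passwdRetry == 0) passwdRetry = MAX_PASSWD_RETRY; /* budget spent: this session is rejected, re-arm for the next */`. wsUserAuth's body begins and ends outside the hunk.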
@@ -3221,14 +3221,24 @@ static int DoUserAuthRequestPassword(WOLFSSH* ssh, WS_UserAuthData* authData,
 ssh->clientState = CLIENT_USERAUTH_DONE;
 ret = WS_SUCCESS;
 }
+ else if (ret == WOLFSSH_USERAUTH_INVALID_PASSWORD) {
+ WLOG(WS_LOG_DEBUG, "DUARPW: password check failed");
+ ret = SendUserAuthFailure(ssh, 0);
+ }
 else {
 WLOG(WS_LOG_DEBUG, "DUARPW: password check failed");
 ret = SendUserAuthFailure(ssh, 0);
+ if(ret == WS_SUCCESS){
+ WLOG(WS_LOG_DEBUG, "DUARPW: WS_INVALID_USERNAME");
+ ret = WS_INVALID_USERNAME;
+ }
 }
 }
 else {
 WLOG(WS_LOG_DEBUG, "DUARPW: No user auth callback");
 ret = SendUserAuthFailure(ssh, 0);
+ if (ret == WS_SUCCESS)
+ ret = WS_FATAL_ERROR;
 }
 }
diff --git a/wolfssh/ssh.h b/wolfssh/ssh.h
index fee8c17..b4dfbf3 100644
--- a/wolfssh/ssh.h
+++ b/wolfssh/ssh.h
@@ -239,6 +239,7 @@ enum WS_UserAuthResults {
 WOLFSSH_USERAUTH_INVALID_AUTHTYPE,
 WOLFSSH_USERAUTH_INVALID_USER,
 WOLFSSH_USERAUTH_INVALID_PASSWORD,
+ WOLFSSH_USERAUTH_PASSWORD_RETRYOUT,
 WOLFSSH_USERAUTH_INVALID_PUBLICKEY
 };
From 153fa4798b01002b857e57962378f9081b448e34 Mon Sep 17 00:00:00 2001
From: Takashi Kojo
Date: Sat, 29 Jun 2019 12:11:51 +0900
Subject: [PATCH 2/5] WS_PASSWORD_RETRYOUT
---
 examples/echoserver/echoserver.c | 2 +-
 src/internal.c | 15 ++++++++-------
 wolfssh/error.h | 3 ++-
 wolfssh/ssh.h | 1 -
 4 files changed, 11 insertions(+), 10 deletions(-)
diff --git a/examples/echoserver/echoserver.c b/examples/echoserver/echoserver.c
index 0cfe821..25518aa 100644
--- a/examples/echoserver/echoserver.c
+++ b/examples/echoserver/echoserver.c
@@ -742,7 +742,7 @@ static int wsUserAuth(byte authType,
 else {
 ret = (authType == WOLFSSH_USERAUTH_PASSWORD ?
 (--passwdRetry > 0 ?
- WOLFSSH_USERAUTH_INVALID_PASSWORD : WOLFSSH_USERAUTH_PASSWORD_RETRYOUT)
+ WOLFSSH_USERAUTH_INVALID_PASSWORD : WS_PASSWORD_RETRYOUT)
 : WOLFSSH_USERAUTH_INVALID_PUBLICKEY);
 if (passwdRetry == 0)passwdRetry = MAX_PASSWD_RETRY;
 return ret;
diff --git a/src/internal.c b/src/internal.c
index 31e7846..73917f1 100644
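Review bot: The `No user auth callback` branch at the bottom of the -3221 hunk changes behavior for a server that has no callback set: after `SendUserAuthFailure` succeeds it now returns `WS_FATAL_ERROR`, so the session is failed instead of carrying on as before, and neither the subject nor the code says so. A one-line comment would keep that intent from being reverted by accident, e.g. `/* nothing can ever authenticate here: tell the client, then fail the session */`. The new `else if (ret == WOLFSSH_USERAUTH_INVALID_PASSWORD)` branch repeats the first two lines of the `else` under it, so its only observable effect is that every other callback result, including the just-added `WOLFSSH_USERAUTH_PASSWORD_RETRYOUT`, is reported as `WS_INVALID_USERNAME`; the later patches in this series rework that mapping. DoUserAuthRequestPassword starts and ends outside the hunk.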
--- a/src/internal.c
+++ b/src/internal.c
@@ -272,6 +272,9 @@ const char* GetErrorString(int err)
 case WS_EXTDATA:
 return "Extended Data available to be read";
+ case WS_PASSWORD_RETRYOUT:
+ return "Password retry out";
+
 default:
 return "Unknown error code";
 }
@@ -3221,17 +3224,15 @@ static int DoUserAuthRequestPassword(WOLFSSH* ssh, WS_UserAuthData* authData,
 ssh->clientState = CLIENT_USERAUTH_DONE;
 ret = WS_SUCCESS;
 }
- else if (ret == WOLFSSH_USERAUTH_INVALID_PASSWORD) {
- WLOG(WS_LOG_DEBUG, "DUARPW: password check failed");
+ else if (ret == WS_PASSWORD_RETRYOUT) {
+ WLOG(WS_LOG_DEBUG, "DUARPW: password retry out");
 ret = SendUserAuthFailure(ssh, 0);
+ if (ret == WS_SUCCESS)
+ ret = WS_PASSWORD_RETRYOUT;
 }
 else {
- WLOG(WS_LOG_DEBUG, "DUARPW: password check failed");
+ WLOG(WS_LOG_DEBUG, "DUARPW: password check failed, retry");
 ret = SendUserAuthFailure(ssh, 0);
- if(ret == WS_SUCCESS){
- WLOG(WS_LOG_DEBUG, "DUARPW: WS_INVALID_USERNAME");
- ret = WS_INVALID_USERNAME;
- }
 }
 }
 else {
diff --git a/wolfssh/error.h b/wolfssh/error.h
index 4cbd0df..ea46c9e 100644
--- a/wolfssh/error.h
+++ b/wolfssh/error.h
@@ -105,8 +105,9 @@ enum WS_ErrorCodes {
 WS_CLOSE_FILE_E = -1065, /* Unable to close local file */
 WS_PUBKEY_REJECTED_E = -1066, /* Server public key rejected */
 WS_EXTDATA = -1067, /* Extended Data available to be read */
+ WS_PASSWORD_RETRYOUT = -1068, /* Password retry out */
- WS_LAST_E = -1067 /* Update this to indicate last error */
+ WS_LAST_E = -1068 /* Update this to indicate last error */
 };
diff --git a/wolfssh/ssh.h b/wolfssh/ssh.h
index b4dfbf3..fee8c17 100644
--- a/wolfssh/ssh.h
+++ b/wolfssh/ssh.h
@@ -239,7 +239,6 @@ enum WS_UserAuthResults {
 WOLFSSH_USERAUTH_INVALID_AUTHTYPE,
 WOLFSSH_USERAUTH_INVALID_USER,
 WOLFSSH_USERAUTH_INVALID_PASSWORD,
- WOLFSSH_USERAUTH_PASSWORD_RETRYOUT,
 WOLFSSH_USERAUTH_INVALID_PUBLICKEY
 };
From 58a768df293740c45e53717eca349c10cc028d42 Mon Sep 17 00:00:00 2001
From: Takashi Kojo
Date: Sat, 29 Jun 2019 12:37:34 +0900
Subject: [PATCH 3/5] WOLFSSH_USERAUTH_REJECTED
---
 examples/echoserver/echoserver.c | 2 +-
 src/internal.c | 9 +++------
 wolfssh/error.h | 3 +--
 wolfssh/ssh.h | 6 +++---
 4 files changed, 8 insertions(+), 12 deletions(-)
diff --git a/examples/echoserver/echoserver.c b/examples/echoserver/echoserver.c
index 25518aa..27969ca 100644
--- a/examples/echoserver/echoserver.c
+++ b/examples/echoserver/echoserver.c
@@ -742,7 +742,7 @@ static int wsUserAuth(byte authType,
 else {
 ret = (authType == WOLFSSH_USERAUTH_PASSWORD ?
 (--passwdRetry > 0 ?
- WOLFSSH_USERAUTH_INVALID_PASSWORD : WS_PASSWORD_RETRYOUT)
+ WOLFSSH_USERAUTH_INVALID_PASSWORD : WOLFSSH_USERAUTH_REJECTED)
 : WOLFSSH_USERAUTH_INVALID_PUBLICKEY);
 if (passwdRetry == 0)passwdRetry = MAX_PASSWD_RETRY;
 return ret;
diff --git a/src/internal.c b/src/internal.c
index 73917f1..f29bb63 100644
--- a/src/internal.c
+++ b/src/internal.c
@@ -272,9 +272,6 @@ const char* GetErrorString(int err)
 case WS_EXTDATA:
 return "Extended Data available to be read";
- case WS_PASSWORD_RETRYOUT:
- return "Password retry out";
-
 default:
 return "Unknown error code";
 }
@@ -3224,11 +3221,11 @@ static int DoUserAuthRequestPassword(WOLFSSH* ssh, WS_UserAuthData* authData,
 ssh->clientState = CLIENT_USERAUTH_DONE;
 ret = WS_SUCCESS;
 }
- else if (ret == WS_PASSWORD_RETRYOUT) {
- WLOG(WS_LOG_DEBUG, "DUARPW: password retry out");
+ else if (ret == WOLFSSH_USERAUTH_REJECTED) {
+ WLOG(WS_LOG_DEBUG, "DUARPW: password rejected");
 ret = SendUserAuthFailure(ssh, 0);
 if (ret == WS_SUCCESS)
- ret = WS_PASSWORD_RETRYOUT;
+ ret = WS_FATAL_ERROR;
 }
 else {
 WLOG(WS_LOG_DEBUG, "DUARPW: password check failed, retry");
diff --git a/wolfssh/error.h b/wolfssh/error.h
index ea46c9e..4cbd0df 100644
--- a/wolfssh/error.h
+++ b/wolfssh/error.h
@@ -105,9 +105,8 @@ enum WS_ErrorCodes {
 WS_CLOSE_FILE_E = -1065, /* Unable to close local file */
 WS_PUBKEY_REJECTED_E = -1066, /* Server public key rejected */
 WS_EXTDATA = -1067, /* Extended Data available to be read */
- WS_PASSWORD_RETRYOUT = -1068, /* Password retry out */
- WS_LAST_E = -1068 /* Update this to indicate last error */
+ WS_LAST_E = -1067 /* Update this to indicate last error */
 };
diff --git a/wolfssh/ssh.h b/wolfssh/ssh.h
index fee8c17..97b482c 100644
--- a/wolfssh/ssh.h
+++ b/wolfssh/ssh.h
@@ -232,17 +232,17 @@ enum WS_UserAuthTypes {
 WOLFSSH_USERAUTH_PUBLICKEY
 };
-
-enum WS_UserAuthResults {
+enum WS_UserAuthResults
+{
 WOLFSSH_USERAUTH_SUCCESS,
 WOLFSSH_USERAUTH_FAILURE,
 WOLFSSH_USERAUTH_INVALID_AUTHTYPE,
 WOLFSSH_USERAUTH_INVALID_USER,
 WOLFSSH_USERAUTH_INVALID_PASSWORD,
+ WOLFSSH_USERAUTH_REJECTED,
 WOLFSSH_USERAUTH_INVALID_PUBLICKEY
 };
-
 enum WS_DisconnectReasonCodes {
 WOLFSSH_DISCONNECT_HOST_NOT_ALLOWED_TO_CONNECT = 1,
 WOLFSSH_DISCONNECT_PROTOCOL_ERROR = 2,
From 3e58768b7e571a62d4908dd95ef8f8140cf4d329 Mon Sep 17 00:00:00 2001
From: Takashi Kojo
Date: Sat, 29 Jun 2019 13:02:21 +0900
Subject: [PATCH 4/5] WS_USER_AUTH_E for wolfSSH_get_error
---
 examples/echoserver/echoserver.c | 5 +++++
 src/internal.c | 2 +-
 wolfssh/error.h | 3 ++-
 3 files changed, 8 insertions(+), 2 deletions(-)
diff --git a/examples/echoserver/echoserver.c b/examples/echoserver/echoserver.c
index 27969ca..45a4da7 100644
--- a/examples/echoserver/echoserver.c
+++ b/examples/echoserver/echoserver.c
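Review bot: `WOLFSSH_USERAUTH_REJECTED` is inserted in the middle of the unnumbered `WS_UserAuthResults` enum in the -232 hunk, which renumbers `WOLFSSH_USERAUTH_INVALID_PUBLICKEY`; an application callback compiled against an older ssh.h than the library it runs with (presumably possible with a shared-library upgrade) would then have its INVALID_PUBLICKEY read as REJECTED. Appending the new value after INVALID_PUBLICKEY keeps the existing values stable. The constant also deserves a comment saying what the library does with it, since the src/internal.c -3224 hunk in this patch sends a failure and then returns an error rather than allowing another attempt: `WOLFSSH_USERAUTH_REJECTED, /* failure is sent and the request returns an error; no further attempts */`. Moving the opening brace to its own line departs from `enum WS_UserAuthTypes {` two lines above in the same hunk.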
@@ -391,6 +391,11 @@ static THREAD_RETURN WOLFSSH_THREAD server_worker(void* vArgs)
 ret = 0; /* don't break out of loop with version miss match */
 printf("Unsupported version error\n");
 }
+ else if (ret == WS_FATAL_ERROR && wolfSSH_get_error(threadCtx->ssh) ==
+ WS_USER_AUTH_E) {
+ ret = 0; /* don't break out of loop with user auth error */
+ printf("User Authentication error\n");
+ }
 if (wolfSSH_shutdown(threadCtx->ssh) != WS_SUCCESS) {
 fprintf(stderr, "Error with SSH shutdown.\n");
diff --git a/src/internal.c b/src/internal.c
index f29bb63..9a24561 100644
--- a/src/internal.c
+++ b/src/internal.c
@@ -3225,7 +3225,7 @@ static int DoUserAuthRequestPassword(WOLFSSH* ssh, WS_UserAuthData* authData,
 WLOG(WS_LOG_DEBUG, "DUARPW: password rejected");
 ret = SendUserAuthFailure(ssh, 0);
 if (ret == WS_SUCCESS)
- ret = WS_FATAL_ERROR;
+ ret = WS_USER_AUTH_E;
 }
 else {
 WLOG(WS_LOG_DEBUG, "DUARPW: password check failed, retry");
diff --git a/wolfssh/error.h b/wolfssh/error.h
index 4cbd0df..05ca9d2 100644
--- a/wolfssh/error.h
+++ b/wolfssh/error.h
@@ -105,7 +105,8 @@ enum WS_ErrorCodes {
 WS_CLOSE_FILE_E = -1065, /* Unable to close local file */
 WS_PUBKEY_REJECTED_E = -1066, /* Server public key rejected */
 WS_EXTDATA = -1067, /* Extended Data available to be read */
-
+ WS_USER_AUTH_E = -1068, /* User authentication error */
+
 WS_LAST_E = -1067 /* Update this to indicate last error */
 };
From 401fcbd483f523a5e431fa0e374ef08a638b95b7 Mon Sep 17 00:00:00 2001
From: Takashi Kojo
Date: Tue, 2 Jul 2019 08:15:28 +0900
Subject: [PATCH 5/5] Fix WS_LAST_E
---
 src/internal.c | 3 +++
 wolfssh/error.h | 2 +-
 2 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/src/internal.c b/src/internal.c
index 9a24561..f67695f 100644
--- a/src/internal.c
+++ b/src/internal.c
@@ -272,6 +272,9 @@ const char* GetErrorString(int err)
 case WS_EXTDATA:
 return "Extended Data available to be read";
+ case WS_USER_AUTH_E:
+ return "User authentication error";
+
 default:
 return "Unknown error code";
 }
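Review bot: The new branch in the -391 hunk records a rejected login as nothing more than `printf("User Authentication error\n")` on stdout, with no username or peer, so an operator reading the output cannot tell which client exhausted its password attempts. The rejected username is presumably available in `authData` inside `wsUserAuth` (not in this hunk) where the `WOLFSSH_USERAUTH_REJECTED` decision is made; logging it there, to stderr like the `Error with SSH shutdown.` message below, would make the lockout auditable. The condition also relies on `wolfSSH_get_error` still reporting `WS_USER_AUTH_E` when the loop exits, which depends on how the library stores the code returned by `DoUserAuthRequestPassword`; a comment stating that guarantee would help. The `if` chain this `else if` joins, and server_worker itself, begin outside the hunk.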
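Review bot: The -3225 hunk makes `DoUserAuthRequestPassword` return the new `WS_USER_AUTH_E` when the callback answers `WOLFSSH_USERAUTH_REJECTED`, but only if `SendUserAuthFailure` succeeded; when the send fails its own error is returned and the caller cannot tell a rejection from a transport failure, which is acceptable but should be stated. A comment on the assignment would capture the contract: `ret = WS_USER_AUTH_E; /* client is out of attempts: failure already sent, surface it to the caller */`. As far as this hunk shows, the attempt limit lives entirely in the application callback; a callback that never returns REJECTED keeps taking `WOLFSSH_USERAUTH_INVALID_PASSWORD` through the `else` branch below and permits unlimited retries, which the function's header comment should say. DoUserAuthRequestPassword starts and ends outside the hunk.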
diff --git a/wolfssh/error.h b/wolfssh/error.h
index 05ca9d2..c756e29 100644
--- a/wolfssh/error.h
+++ b/wolfssh/error.h
@@ -107,7 +107,7 @@ enum WS_ErrorCodes {
 WS_EXTDATA = -1067, /* Extended Data available to be read */
 WS_USER_AUTH_E = -1068, /* User authentication error */
- WS_LAST_E = -1067 /* Update this to indicate last error */
+ WS_LAST_E = -1068 /* Update this to indicate last error */
 };