Asynchronous server side user authentication.

wolfSSL · May 17, 2024 · 02a4fad · 02a4fad
1 parent 5ef2bc5
commit 02a4fad
Show file tree

Hide file tree

Showing 4 changed files with 46 additions and 20 deletions.
diff --git a/src/internal.c b/src/internal.c
@@ -450,6 +450,9 @@ const char* GetErrorString(int err)
         case WS_ED25519_E:
             return "Ed25519 buffer error";
 
+        case WS_AUTH_PENDING:
+            return "userauth is still pending (callback would block)";
+
         default:
             return "Unknown error code";
     }
@@ -6046,6 +6049,10 @@ static int DoUserAuthRequestNone(WOLFSSH* ssh, WS_UserAuthData* authData,
                 ret = WS_USER_AUTH_E;
                 #endif
             }
+            else if (ret == WOLFSSH_USERAUTH_WOULD_BLOCK) {
+                WLOG(WS_LOG_DEBUG, "DUARN: userauth callback would block");
+                ret = WS_AUTH_PENDING;
+            }
             else {
                 WLOG(WS_LOG_DEBUG, "DUARN: none check failed, retry");
                 ret = SendUserAuthFailure(ssh, 0);
@@ -6131,6 +6138,10 @@ static int DoUserAuthRequestPassword(WOLFSSH* ssh, WS_UserAuthData* authData,
                 #endif
                 ret = WS_USER_AUTH_E;
             }
+            else if (ret == WOLFSSH_USERAUTH_WOULD_BLOCK) {
+                WLOG(WS_LOG_DEBUG, "DUARPW: userauth callback would block");
+                ret = WS_AUTH_PENDING;
+            }
             else {
                 WLOG(WS_LOG_DEBUG, "DUARPW: password check failed, retry");
                 authFailure = 1;
@@ -6149,7 +6160,7 @@ static int DoUserAuthRequestPassword(WOLFSSH* ssh, WS_UserAuthData* authData,
     if (authFailure || partialSuccess) {
         ret = SendUserAuthFailure(ssh, partialSuccess);
     }
-    else {
+    else if (ret == WS_SUCCESS) {
         ssh->clientState = CLIENT_USERAUTH_DONE;
     }
 
@@ -7098,6 +7109,7 @@ static int DoUserAuthRequestPublicKey(WOLFSSH* ssh, WS_UserAuthData* authData,
             ret = ssh->ctx->userAuthCb(WOLFSSH_USERAUTH_PUBLICKEY,
                                        authData, ssh->userAuthCtx);
             WLOG(WS_LOG_DEBUG, "DUARPK: callback result = %d", ret);
+
         #ifdef DEBUG_WOLFSSH
             switch (ret) {
                 case WOLFSSH_USERAUTH_SUCCESS:
@@ -7127,20 +7139,29 @@ static int DoUserAuthRequestPublicKey(WOLFSSH* ssh, WS_UserAuthData* authData,
                 case WOLFSSH_USERAUTH_PARTIAL_SUCCESS:
                     WLOG(WS_LOG_DEBUG, "DUARPK: user auth partial success");
                     break;
+
+                case WOLFSSH_USERAUTH_WOULD_BLOCK:
+                    WLOG(WS_LOG_DEBUG, "DUARPK: userauth callback would block");
+                    break;
 
                 default:
                     WLOG(WS_LOG_DEBUG,
                         "Unexpected return value from Auth callback");
             }
         #endif
 
-            if (ret == WOLFSSH_USERAUTH_PARTIAL_SUCCESS) {
-                partialSuccess = 1;
+            if (ret == WOLFSSH_USERAUTH_WOULD_BLOCK) {
+                ret = WS_AUTH_PENDING;
             }
-            else if (ret != WOLFSSH_USERAUTH_SUCCESS) {
-                authFailure = 1;
+            else {
+                if (ret == WOLFSSH_USERAUTH_PARTIAL_SUCCESS) {
+                    partialSuccess = 1;
+                }
+                else if (ret != WOLFSSH_USERAUTH_SUCCESS) {
+                    authFailure = 1;
+                }
+                ret = WS_SUCCESS;
             }
-            ret = WS_SUCCESS;
         }
         else {
             WLOG(WS_LOG_DEBUG, "DUARPK: no userauth callback set");
@@ -8839,18 +8860,21 @@ static int DoPacket(WOLFSSH* ssh, byte* bufferConsumed)
             ret = SendUnimplemented(ssh);
     }
 
-    if (payloadSz > 0) {
-        idx += payloadIdx;
-        if (idx + padSz > len) {
-            WLOG(WS_LOG_DEBUG, "Not enough data in buffer for pad.");
-            ret = WS_BUFFER_E;
+    /* if the auth is still pending, don't discard the packet data */
+    if (ret != WS_AUTH_PENDING) {
+        if (payloadSz > 0) {
+            idx += payloadIdx;
+            if (idx + padSz > len) {
+                WLOG(WS_LOG_DEBUG, "Not enough data in buffer for pad.");
+                ret = WS_BUFFER_E;
+            }
         }
-    }
 
-    idx += padSz;
-    ssh->inputBuffer.idx = idx;
-    ssh->peerSeq++;
-    *bufferConsumed = 1;
+        idx += padSz;
+        ssh->inputBuffer.idx = idx;
+        ssh->peerSeq++;
+        *bufferConsumed = 1;
+    }
 
     return ret;
 }

diff --git a/src/ssh.c b/src/ssh.c
@@ -414,7 +414,7 @@ int wolfSSH_accept(WOLFSSH* ssh)
         return WS_BAD_ARGUMENT;
 
     /* clear want read/writes for retry */
-    if (ssh->error == WS_WANT_READ || ssh->error == WS_WANT_WRITE)
+    if (ssh->error == WS_WANT_READ || ssh->error == WS_WANT_WRITE || ssh->error == WS_AUTH_PENDING)
         ssh->error = 0;
 
     if (ssh->error != 0) {

diff --git a/wolfssh/error.h b/wolfssh/error.h
@@ -134,8 +134,9 @@ enum WS_ErrorCodes {
     WS_SFTP_NOT_FILE_E      = -1093, /* Not a regular file */
     WS_MSGID_NOT_ALLOWED_E  = -1094, /* Message not allowed before userauth */
     WS_ED25519_E            = -1095, /* Ed25519 failure */
-
-    WS_LAST_E               = -1095  /* Update this to indicate last error */
+    WS_AUTH_PENDING         = -1096, /* User authentication still pending */
+
+    WS_LAST_E               = -1096  /* Update this to indicate last error */
 };
 
 

diff --git a/wolfssh/ssh.h b/wolfssh/ssh.h
@@ -367,7 +367,8 @@ enum WS_UserAuthResults
     WOLFSSH_USERAUTH_INVALID_PASSWORD,
     WOLFSSH_USERAUTH_REJECTED,
     WOLFSSH_USERAUTH_INVALID_PUBLICKEY,
-    WOLFSSH_USERAUTH_PARTIAL_SUCCESS
+    WOLFSSH_USERAUTH_PARTIAL_SUCCESS,
+    WOLFSSH_USERAUTH_WOULD_BLOCK
 };
 
 enum WS_DisconnectReasonCodes {