wolfSSL · ejohnstown · Jun 5, 2024 · Jul 21, 2023 · May 17, 2024
diff --git a/examples/echoserver/echoserver.c b/examples/echoserver/echoserver.c
@@ -1355,7 +1355,8 @@ static int NonBlockSSH_accept(WOLFSSH* ssh)
 
     while ((ret != WS_SUCCESS
                 && ret != WS_SCP_COMPLETE && ret != WS_SFTP_COMPLETE)
-            && (error == WS_WANT_READ || error == WS_WANT_WRITE)) {
+            && (error == WS_WANT_READ || error == WS_WANT_WRITE ||
+                error == WS_AUTH_PENDING)) {
 
         if (error == WS_WANT_READ)
             printf("... server would read block\n");
@@ -1365,7 +1366,8 @@ static int NonBlockSSH_accept(WOLFSSH* ssh)
         select_ret = tcp_select(sockfd, 1);
         if (select_ret == WS_SELECT_RECV_READY  ||
             select_ret == WS_SELECT_ERROR_READY ||
-            error      == WS_WANT_WRITE)
+            error      == WS_WANT_WRITE ||
+            error      == WS_AUTH_PENDING)
         {
             ret = wolfSSH_accept(ssh);
             error = wolfSSH_get_error(ssh);
@@ -1387,11 +1389,16 @@ static THREAD_RETURN WOLFSSH_THREAD server_worker(void* vArgs)
 
     passwdRetry = MAX_PASSWD_RETRY;
 
-    if (!threadCtx->nonBlock)
+    if (!threadCtx->nonBlock) {
         ret = wolfSSH_accept(threadCtx->ssh);
-    else
+        if (wolfSSH_get_error(threadCtx->ssh) == WS_AUTH_PENDING) {
+            printf("Auth pending error, use -N for non blocking\n");
+            printf("Trying to close down the connection\n");
+        }
+    }
+    else {
         ret = NonBlockSSH_accept(threadCtx->ssh);
-
+    }
 #ifdef WOLFSSH_SCP
     /* finish off SCP operation */
     if (ret == WS_SCP_INIT) {
@@ -2010,6 +2017,7 @@ static int wsUserAuthResult(byte res,
 }
 
 
+static int userAuthWouldBlock = 0;
 static int wsUserAuth(byte authType,
                       WS_UserAuthData* authData,
                       void* ctx)
@@ -2023,6 +2031,12 @@ static int wsUserAuth(byte authType,
         return WOLFSSH_USERAUTH_FAILURE;
     }
 
+    if (userAuthWouldBlock > 0) {
+        printf("User Auth would block ....\n");
+        userAuthWouldBlock--;
+        return WOLFSSH_USERAUTH_WOULD_BLOCK;
+    }
+
     if (authType != WOLFSSH_USERAUTH_PASSWORD &&
 #ifdef WOLFSSH_ALLOW_USERAUTH_NONE
         authType != WOLFSSH_USERAUTH_NONE &&
@@ -2239,6 +2253,7 @@ static void ShowUsage(void)
     printf(" -a <file>     load in a root CA certificate file\n");
 #endif
     printf(" -k            set the list of key algos to use\n");
+    printf(" -b <num>      test user auth would block\n");
 }
 
 
@@ -2300,7 +2315,7 @@ THREAD_RETURN WOLFSSH_THREAD echoserver_test(void* args)
     serverArgs->return_code = EXIT_SUCCESS;
 
     if (argc > 0) {
-        const char* optlist = "?1a:d:efEp:R:Ni:j:I:J:K:P:k:";
+        const char* optlist = "?1a:d:efEp:R:Ni:j:I:J:K:P:k:b:";
         myoptind = 0;
         while ((ch = mygetopt(argc, argv, optlist)) != -1) {
             switch (ch) {
@@ -2384,6 +2399,10 @@ THREAD_RETURN WOLFSSH_THREAD echoserver_test(void* args)
                     passwdList = StrListAdd(passwdList, myoptarg);
                     break;
 
+                case 'b':
+                    userAuthWouldBlock = atoi(myoptarg);
+                    break;
+
                 default:
                     ShowUsage();
                     serverArgs->return_code = MY_EX_USAGE;

diff --git a/src/internal.c b/src/internal.c
@@ -450,6 +450,9 @@ const char* GetErrorString(int err)
         case WS_ED25519_E:
             return "Ed25519 buffer error";
 
+        case WS_AUTH_PENDING:
+            return "userauth is still pending (callback would block)";
+
         default:
             return "Unknown error code";
     }
@@ -6046,6 +6049,10 @@ static int DoUserAuthRequestNone(WOLFSSH* ssh, WS_UserAuthData* authData,
                 ret = WS_USER_AUTH_E;
                 #endif
             }
+            else if (ret == WOLFSSH_USERAUTH_WOULD_BLOCK) {
+                WLOG(WS_LOG_DEBUG, "DUARN: userauth callback would block");
+                ret = WS_AUTH_PENDING;
+            }
             else {
                 WLOG(WS_LOG_DEBUG, "DUARN: none check failed, retry");
                 ret = SendUserAuthFailure(ssh, 0);
@@ -6131,6 +6138,10 @@ static int DoUserAuthRequestPassword(WOLFSSH* ssh, WS_UserAuthData* authData,
                 #endif
                 ret = WS_USER_AUTH_E;
             }
+            else if (ret == WOLFSSH_USERAUTH_WOULD_BLOCK) {
+                WLOG(WS_LOG_DEBUG, "DUARPW: userauth callback would block");
+                ret = WS_AUTH_PENDING;
+            }
             else {
                 WLOG(WS_LOG_DEBUG, "DUARPW: password check failed, retry");
                 authFailure = 1;
@@ -6149,7 +6160,7 @@ static int DoUserAuthRequestPassword(WOLFSSH* ssh, WS_UserAuthData* authData,
     if (authFailure || partialSuccess) {
         ret = SendUserAuthFailure(ssh, partialSuccess);
     }
-    else {
+    else if (ret == WS_SUCCESS) {
         ssh->clientState = CLIENT_USERAUTH_DONE;
     }
 
@@ -7098,6 +7109,7 @@ static int DoUserAuthRequestPublicKey(WOLFSSH* ssh, WS_UserAuthData* authData,
             ret = ssh->ctx->userAuthCb(WOLFSSH_USERAUTH_PUBLICKEY,
                                        authData, ssh->userAuthCtx);
             WLOG(WS_LOG_DEBUG, "DUARPK: callback result = %d", ret);
+
         #ifdef DEBUG_WOLFSSH
             switch (ret) {
                 case WOLFSSH_USERAUTH_SUCCESS:
@@ -7127,20 +7139,29 @@ static int DoUserAuthRequestPublicKey(WOLFSSH* ssh, WS_UserAuthData* authData,
                 case WOLFSSH_USERAUTH_PARTIAL_SUCCESS:
                     WLOG(WS_LOG_DEBUG, "DUARPK: user auth partial success");
                     break;
+
+                case WOLFSSH_USERAUTH_WOULD_BLOCK:
+                    WLOG(WS_LOG_DEBUG, "DUARPK: userauth callback would block");
+                    break;
 
                 default:
                     WLOG(WS_LOG_DEBUG,
                         "Unexpected return value from Auth callback");
             }
         #endif
 
-            if (ret == WOLFSSH_USERAUTH_PARTIAL_SUCCESS) {
-                partialSuccess = 1;
+            if (ret == WOLFSSH_USERAUTH_WOULD_BLOCK) {
+                ret = WS_AUTH_PENDING;
             }
-            else if (ret != WOLFSSH_USERAUTH_SUCCESS) {
-                authFailure = 1;
+            else {
+                if (ret == WOLFSSH_USERAUTH_PARTIAL_SUCCESS) {
+                    partialSuccess = 1;
+                }
+                else if (ret != WOLFSSH_USERAUTH_SUCCESS) {
+                    authFailure = 1;
+                }
+                ret = WS_SUCCESS;
             }
-            ret = WS_SUCCESS;
         }
         else {
             WLOG(WS_LOG_DEBUG, "DUARPK: no userauth callback set");
@@ -8839,18 +8860,21 @@ static int DoPacket(WOLFSSH* ssh, byte* bufferConsumed)
             ret = SendUnimplemented(ssh);
     }
 
-    if (payloadSz > 0) {
-        idx += payloadIdx;
-        if (idx + padSz > len) {
-            WLOG(WS_LOG_DEBUG, "Not enough data in buffer for pad.");
-            ret = WS_BUFFER_E;
+    /* if the auth is still pending, don't discard the packet data */
+    if (ret != WS_AUTH_PENDING) {
+        if (payloadSz > 0) {
+            idx += payloadIdx;
+            if (idx + padSz > len) {
+                WLOG(WS_LOG_DEBUG, "Not enough data in buffer for pad.");
+                ret = WS_BUFFER_E;
+            }
         }
-    }
 
-    idx += padSz;
-    ssh->inputBuffer.idx = idx;
-    ssh->peerSeq++;
-    *bufferConsumed = 1;
+        idx += padSz;
+        ssh->inputBuffer.idx = idx;
+        ssh->peerSeq++;
+        *bufferConsumed = 1;
+    }
 
     return ret;
 }

diff --git a/src/ssh.c b/src/ssh.c
@@ -414,7 +414,7 @@ int wolfSSH_accept(WOLFSSH* ssh)
         return WS_BAD_ARGUMENT;
 
     /* clear want read/writes for retry */
-    if (ssh->error == WS_WANT_READ || ssh->error == WS_WANT_WRITE)
+    if (ssh->error == WS_WANT_READ || ssh->error == WS_WANT_WRITE || ssh->error == WS_AUTH_PENDING)
         ssh->error = 0;
 
     if (ssh->error != 0) {

diff --git a/wolfssh/error.h b/wolfssh/error.h
@@ -134,8 +134,9 @@ enum WS_ErrorCodes {
     WS_SFTP_NOT_FILE_E      = -1093, /* Not a regular file */
     WS_MSGID_NOT_ALLOWED_E  = -1094, /* Message not allowed before userauth */
     WS_ED25519_E            = -1095, /* Ed25519 failure */
-
-    WS_LAST_E               = -1095  /* Update this to indicate last error */
+    WS_AUTH_PENDING         = -1096, /* User authentication still pending */
+
+    WS_LAST_E               = -1096  /* Update this to indicate last error */
 };
 
 

diff --git a/wolfssh/ssh.h b/wolfssh/ssh.h
@@ -367,7 +367,8 @@ enum WS_UserAuthResults
     WOLFSSH_USERAUTH_INVALID_PASSWORD,
     WOLFSSH_USERAUTH_REJECTED,
     WOLFSSH_USERAUTH_INVALID_PUBLICKEY,
-    WOLFSSH_USERAUTH_PARTIAL_SUCCESS
+    WOLFSSH_USERAUTH_PARTIAL_SUCCESS,
+    WOLFSSH_USERAUTH_WOULD_BLOCK
 };
 
 enum WS_DisconnectReasonCodes {