Enforce LoginGraceTime in wolfsshd on Windows and make the grace flag per-connection

Author: yosuke-wolfssl

.github/workflows/windows-check.yml

@@ -43,13 +43,12 @@ jobs:
       working-directory: ${{env.GITHUB_WORKSPACE}}wolfssl
       run: nuget restore ${{env.WOLFSSL_SOLUTION_FILE_PATH}}
 
-    - name: updated user_settings.h for sshd and x509
+    - name: Enable wolfSSH options (sshd, sftp, x509) in user_settings.h
       working-directory: ${{env.GITHUB_WORKSPACE}}
-      run: cp ${{env.USER_SETTINGS_H_NEW}} ${{env.USER_SETTINGS_H}}
-
-    - name: replace wolfSSL user_settings.h with wolfSSH user_settings.h
-      working-directory: ${{env.GITHUB_WORKSPACE}}
-      run: get-content ${{env.USER_SETTINGS_H_NEW}} | %{$_ -replace "if 0","if 1"}
+      shell: bash
+      run: |
+        sed -i 's/#if 0/#if 1/g' ${{env.USER_SETTINGS_H_NEW}}
+        cp ${{env.USER_SETTINGS_H_NEW}} ${{env.USER_SETTINGS_H}}
 
     - name: Build wolfssl library
       working-directory: ${{env.GITHUB_WORKSPACE}}wolfssl
@@ -65,3 +64,27 @@ jobs:
       # See https://docs.microsoft.com/visualstudio/msbuild/msbuild-command-line-reference
       run: msbuild /m /p:PlatformToolset=v142 /p:Platform=${{env.BUILD_PLATFORM}} /p:WindowsTargetPlatformVersion=${{env.TARGET_PLATFORM}} /p:Configuration=${{env.WOLFSSH_BUILD_CONFIGURATION}} ${{env.SOLUTION_FILE_PATH}}
 
+    - name: Locate wolfsshd.exe and stage wolfssl.dll
+      working-directory: ${{ github.workspace }}\wolfssh
+      shell: pwsh
+      run: |
+        $sshdExe = Get-ChildItem -Path "${{ github.workspace }}\wolfssh" -Recurse -Filter "wolfsshd.exe" -ErrorAction SilentlyContinue |
+            Where-Object { $_.FullName -like "*Release*" } | Select-Object -First 1
+        if (-not $sshdExe) {
+            Write-Host "ERROR: wolfsshd.exe not found"
+            exit 1
+        }
+        Add-Content -Path $env:GITHUB_ENV -Value "SSHD_PATH=$($sshdExe.FullName)"
+
+        $sshdDir = Split-Path -Parent $sshdExe.FullName
+        $wolfsslDll = Get-ChildItem -Path "${{ github.workspace }}\wolfssl" -Recurse -Filter "wolfssl.dll" -ErrorAction SilentlyContinue | Select-Object -First 1
+        if ($wolfsslDll -and -not (Test-Path (Join-Path $sshdDir "wolfssl.dll"))) {
+            Copy-Item -Path $wolfsslDll.FullName -Destination (Join-Path $sshdDir "wolfssl.dll") -Force
+        }
+
+    - name: Test LoginGraceTime enforcement on Windows
+      working-directory: ${{ github.workspace }}\wolfssh\apps\wolfsshd\test
+      shell: pwsh
+      timeout-minutes: 2
+      run: pwsh -File .\sshd_login_grace_test.ps1 -SshdExe "$env:SSHD_PATH"
+

apps/wolfsshd/test/run_all_sshd_tests.sh

@@ -132,7 +132,6 @@ else
 
     #Github actions needs resolved for these test cases
     #run_test "error_return.sh"
-    #run_test "sshd_login_grace_test.sh"
 
     # add additional tests here, check on var USING_LOCAL_HOST if can make sshd
     # server start/restart with changes
@@ -147,9 +146,10 @@ else
         run_test "sshd_forcedcmd_test.sh"
         run_test "sshd_window_full_test.sh"
         run_test "sshd_empty_password_test.sh"
+        run_test "sshd_login_grace_test.sh"
     else
         printf "Skipping tests that need to setup local SSHD\n"
-        SKIPPED=$((SKIPPED+3))
+        SKIPPED=$((SKIPPED+4))
     fi
 
     # these tests run with X509 sshd-config loaded

apps/wolfsshd/test/sshd_login_grace_test.ps1

@@ -0,0 +1,112 @@
+#!/usr/bin/env pwsh
+#
+# Windows regression test for wolfsshd LoginGraceTime enforcement.
+#
+# Opens a raw TCP connection that never authenticates and verifies that
+# wolfsshd drops it at the login grace deadline. No Windows user account or
+# authorized key is required, because the connection is closed before
+# authentication ever completes - this exercises the pre-auth grace timer only.
+#
+# Usage:
+#   pwsh sshd_login_grace_test.ps1 -SshdExe <path-to-wolfsshd.exe> [-Port N] [-Grace N]
+#   (SshdExe also accepts the SSHD_PATH environment variable.)
+
+param(
+    [string]$SshdExe = $env:SSHD_PATH,
+    [int]$Port = 22224,
+    [int]$Grace = 5
+)
+
+$ErrorActionPreference = "Stop"
+$exitCode = 1
+
+$scriptDir = Split-Path -Parent $MyInvocation.MyCommand.Path
+$repoRoot  = (Resolve-Path (Join-Path $scriptDir "..\..\..")).Path
+$keyPath   = (Resolve-Path (Join-Path $repoRoot "keys\server-key.pem")).Path
+$logFile   = Join-Path $scriptDir "grace_log.txt"
+$confFile  = Join-Path $scriptDir "sshd_config_test_login_grace"
+$authFile  = Join-Path $scriptDir "authorized_keys_test"
+
+if (-not $SshdExe -or -not (Test-Path $SshdExe)) {
+    Write-Host "ERROR: wolfsshd.exe not found (pass -SshdExe or set SSHD_PATH)"
+    exit 1
+}
+
+@"
+Port $Port
+Protocol 2
+LoginGraceTime $Grace
+PermitRootLogin yes
+PasswordAuthentication yes
+PermitEmptyPasswords no
+UseDNS no
+HostKey $keyPath
+AuthorizedKeysFile $authFile
+"@ | Out-File -FilePath $confFile -Encoding ASCII
+
+"" | Out-File -FilePath $authFile -Encoding ASCII
+if (Test-Path $logFile) { Remove-Item $logFile -Force }
+
+# Run wolfsshd in the foreground (-D) with debug logging to a file (-E). On
+# Windows, -D selects the non-service foreground path, which lets us read the
+# log just like the Unix test does.
+$sshd = Start-Process -FilePath $SshdExe `
+    -ArgumentList "-D", "-d", "-E", "`"$logFile`"", "-f", "`"$confFile`"", "-p", "$Port" `
+    -NoNewWindow -PassThru
+
+try {
+    # Wait for the listener to accept connections.
+    $up = $false
+    for ($i = 0; $i -lt 20; $i++) {
+        try {
+            $probe = New-Object System.Net.Sockets.TcpClient
+            $probe.Connect("127.0.0.1", $Port)
+            $probe.Close()
+            $up = $true
+            break
+        }
+        catch {
+            Start-Sleep -Milliseconds 500
+        }
+    }
+    if (-not $up) {
+        # throw rather than exit so the finally block still stops the daemon
+        throw "wolfsshd did not start listening on port $Port"
+    }
+
+    # Open a raw TCP connection and hold it open without authenticating.
+    $stall = New-Object System.Net.Sockets.TcpClient
+    $stall.Connect("127.0.0.1", $Port)
+
+    # Wait past the grace deadline (plus margin) for the server to drop it.
+    Start-Sleep -Seconds ($Grace + 3)
+    $stall.Close()
+
+    # Stop wolfsshd before reading the log. On Windows the running daemon keeps
+    # the log file open, so it cannot be read concurrently; the grace-period
+    # line is already flushed to disk by the logging callback.
+    if ($sshd -and -not $sshd.HasExited) {
+        Stop-Process -Id $sshd.Id -Force -ErrorAction SilentlyContinue
+        $sshd.WaitForExit(5000) | Out-Null
+    }
+
+    if (Select-String -Path $logFile -Pattern "Failed login within grace period" -Quiet) {
+        Write-Host "PASS: unauthenticated connection dropped at login grace deadline"
+        $exitCode = 0
+    }
+    else {
+        Write-Host "FAIL: grace period not enforced"
+        if (Test-Path $logFile) { Get-Content $logFile -Tail 40 }
+    }
+}
+catch {
+    Write-Host "ERROR: $_"
+    $exitCode = 1
+}
+finally {
+    if ($sshd -and -not $sshd.HasExited) {
+        Stop-Process -Id $sshd.Id -Force -ErrorAction SilentlyContinue
+    }
+}
+
+exit $exitCode

apps/wolfsshd/test/sshd_login_grace_test.sh

@@ -47,15 +47,30 @@ if [ "$RESULT" != 0 ]; then
     exit 1
 fi
 
-# attempt clearing out stdin from previous echo/grep
-read -t 1 -n 1000 discard
+popd
 
-# test grace login timeout by stalling on password prompt
-timeout --foreground 7 "$TEST_CLIENT" -u "$USER" -h "$TEST_HOST" -p "$TEST_PORT" -t
+# Test the grace-time timeout deterministically. Open a raw TCP connection and
+# hold it open without ever sending authentication. This needs no TTY or stdin
+# interaction, so it is reliable under CI (the previous version relied on the
+# client stalling at an interactive password prompt, which fails without a tty).
+GRACE=5
+(
+    exec 3<>"/dev/tcp/$TEST_HOST/$TEST_PORT" || exit 1
+    sleep $((GRACE + 4))
+    exec 3>&-
+) &
+STALL_PID=$!
 
-popd
-cat ./log.txt | grep "Failed login within grace period"
+# wait past the grace deadline (plus margin) for the server to drop the
+# unauthenticated connection
+sleep $((GRACE + 3))
+
+grep "Failed login within grace period" ./log.txt
 RESULT=$?
+
+kill "$STALL_PID" 2>/dev/null
+wait "$STALL_PID" 2>/dev/null
+
 if [ "$RESULT" != 0 ]; then
     echo "FAIL: Grace period not hit"
     cat ./log.txt