Skip to content

Test SearchForPubKey authorized_keys no-match rejection#1107

Open
yosuke-wolfssl wants to merge 1 commit into
wolfSSL:masterfrom
yosuke-wolfssl:fix/f_6814
Open

Test SearchForPubKey authorized_keys no-match rejection#1107
yosuke-wolfssl wants to merge 1 commit into
wolfSSL:masterfrom
yosuke-wolfssl:fix/f_6814

Conversation

@yosuke-wolfssl

Copy link
Copy Markdown
Contributor

Overview

Adds a negative-path unit test for SearchForPubKey, the authorized_keys authorization gate for default (non-certificate) wolfsshd builds. Finding 6814 was a test-coverage gap, not a live bug: the gate that converts "no authorized_keys line matched" into an authentication failure was untested, so a deletion or condition-inversion of it could ship undetected.

Background

SearchForPubKey (apps/wolfsshd/auth.c) reads a user's authorized_keys file and calls CheckAuthKeysLine for each line. foundKey is set only when a line matches; the final gate

if (ret == WSSHD_AUTH_SUCCESS && !foundKey) {
    ret = WSSHD_AUTH_FAILURE;
}

is the sole line that turns an all-mismatch file into a rejection. It had no coverage:

  • SearchForPubKey was static and not exported through the WOLFSSHD_UNIT_TEST block.
  • test_CheckAuthKeysLine exercises a single line in isolation, never the foundKey aggregation.
  • The integration suite (run_all_sshd_tests.sh) is positive-only — it always presents an authorized key — so it cannot kill a mutation of this gate.

A deletion of the if block, or inverting !foundKey to foundKey, would make SearchForPubKey return success for a key that is not in authorized_keys, propagating up as WOLFSSH_USERAUTH_SUCCESS — a public-key auth bypass.

Changes

  • apps/wolfsshd/auth.c — expose SearchForPubKey (non-static) under #if defined(WOLFSSHD_UNIT_TEST) && !defined(_WIN32), mirroring the existing CheckAuthKeysLine / wsshd_setre*_cb unit-test hooks. No production behavior change.

  • apps/wolfsshd/auth.h — add the prototype inside the existing WOLFSSHD_UNIT_TEST / #ifndef _WIN32 block.

  • apps/wolfsshd/test/test_configuration.c — add test_SearchForPubKey, driving the real function against a mkdtemp temp authorized_keys file across four scenarios:

    • authorized key accepted (StrictModes off)
    • authorized key accepted (StrictModes on) — covers the wolfSSHD_OpenSecureFile dispatch branch
    • valid-but-unauthorized key rejected → WSSHD_AUTH_FAILURE
    • missing keys file → error (rc < 0, the WS_BAD_FILE_E path)

    Registered under #if defined(WOLFSSL_BASE64_ENCODE) && !defined(_WIN32).

Mutation coverage

The negative controls were confirmed by hand-mutating the gate and observing the test fail:

  • !foundKeyfoundKey (inversion): the authorized-key scenario fails.
  • gate deleted entirely: the unauthorized-key scenario fails (rc == WSSHD_AUTH_SUCCESS leaks through).

Both mutations are now killed; the gate was then restored to its correct form.

Testing

  • apps/wolfsshd/test/test_configuration — all four scenarios pass, full suite exits 0.

@yosuke-wolfssl yosuke-wolfssl self-assigned this Jul 16, 2026
Copilot AI review requested due to automatic review settings July 16, 2026 00:31

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR closes a unit-test coverage gap around SearchForPubKey’s “no authorized_keys line matched ⇒ authentication failure” gate by adding a negative-path test and exposing SearchForPubKey to the wolfsshd unit-test binary (without changing production behavior).

Changes:

  • Expose SearchForPubKey as non-static under WOLFSSHD_UNIT_TEST && !_WIN32 so the unit-test binary can call it.
  • Add a new test_SearchForPubKey covering authorized-key accept (StrictModes off/on), unauthorized-key reject, and missing-file error.
  • Add the unit-test-only prototype to auth.h under the existing WOLFSSHD_UNIT_TEST / !_WIN32 block.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.

File Description
apps/wolfsshd/test/test_configuration.c Adds test_SearchForPubKey and registers it in the test table.
apps/wolfsshd/auth.h Declares SearchForPubKey for unit tests on non-Windows builds.
apps/wolfsshd/auth.c Makes SearchForPubKey externally visible only for unit tests (non-Windows).

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread apps/wolfsshd/test/test_configuration.c

@wolfSSL-Fenrir-bot wolfSSL-Fenrir-bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fenrir Automated Review — PR #1107

Scan targets checked: wolfssh-bugs, wolfssh-src

No new issues found in the changed files. ✅

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants