OpenSSH CA Certificate Support #1072
wolfSSL-Fenrir-bot
left a comment
Fenrir Automated Review — PR #1072
Scan targets checked: wolfssh-bugs, wolfssh-src
Findings: 1
1 finding(s) posted as inline comments (see file-level comments below)
This review was generated automatically by Fenrir. Findings are non-blocking.
| pk.isOsshCert = 1; | ||
| pk.caKeyHash = caKeyHash; | ||
| pk.caKeyHashSz = caKeyHashSz; | ||
| return CheckPublicKeyUnix(NULL, &pk, caKeysFile, NULL, NULL); |
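Review bot: the return line hands CheckPublicKeyUnix three NULL arguments and forwards caKeyHash, caKeyHashSz and caKeysFile without checking them. As this helper is the unit-test entry point for the CA check, reject a NULL caKeyHash or caKeysFile and a zero caKeyHashSz before the call, and add a one-line comment naming which NULL parameters the callee must tolerate, so a later change to CheckPublicKeyUnix that dereferences one of them surfaces as a test failure and not as a crash. The lines shown set only isOsshCert, caKeyHash and caKeyHashSz on pk; if pk is not zeroed above this hunk, its remaining fields reach the callee uninitialised.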
🔵 [Low] Test helper references Unix-only CheckPublicKeyUnix without !_WIN32 guard · API contract violations
wolfSSHD_TestCheckOsshCertCa (and its auth.h:104 prototype) is guarded only by WOLFSSHD_UNIT_TEST && WOLFSSH_OSSH_CERTS, but calls CheckPublicKeyUnix, which exists only under #ifndef _WIN32. A Windows unit-test build with OSSH certs fails to compile/link; sibling helpers in auth.h are correctly !_WIN32 guarded.
Fix: Wrap the helper's declaration and definition in #ifndef _WIN32, matching the other Unix-only unit-test helpers.
Fixed memory leaks and verification logic in OpenSSH CA Certificate authentication.
verification loop completes without finding a matching trusted CA fingerprint.