test: close wolfSSH test_gap coverage holes#1100
Open
MarkAtwood wants to merge 1 commit into
Open
Conversation
Add mutation-killing unit coverage flagged by Fenrir static analysis. No production logic changes. #3673 tests/unit.c: test_HandshakeInfoFree_zeroesSecrets pins the ForceZero over HandshakeInfo in HandshakeInfoFree (src/internal.c). #5579 apps/wolfsshd: export CheckPasswordUnix under WOLFSSHD_UNIT_TEST and add test_CheckPasswordUnix pinning the pwStr wipe in auth.c. #6702 test_configuration.c: extend test_CheckPasswordHashUnix with empty/locked-password cases pinning the empty-branch and '*' guards. Build-verified against wolfSSL --enable-all; each added assertion was confirmed to fail when its guard is removed (mutant killed).
Contributor
There was a problem hiding this comment.
Pull request overview
This PR adds targeted unit-test coverage to “kill” mutation-testing gaps around secret zeroization in wolfSSH and wolfsshd authentication code paths, including a WOLFSSHD_UNIT_TEST-guarded export to allow direct testing of an otherwise-internal password check routine.
Changes:
- Add a capturing-allocator unit test to verify
HandshakeInfoFree()wipesHandshakeInfobefore free (tests/unit.c). - Extend wolfsshd auth tests to cover additional
CheckPasswordHashUnix()edge cases and add a capturing-allocator test to verifyCheckPasswordUnix()wipespwStrbefore free (apps/wolfsshd/test/test_configuration.c). - Export
CheckPasswordUnix()only for unit tests (apps/wolfsshd/auth.c,apps/wolfsshd/auth.h).
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| tests/unit.c | Adds a new retain-on-free test to assert HandshakeInfoFree() zeroizes sensitive handshake fields before release and wires it into the unit test runner. |
| apps/wolfsshd/test/test_configuration.c | Adds extra CheckPasswordHashUnix() scenarios and a new capturing-allocator test validating CheckPasswordUnix() wipes the plaintext password buffer prior to free. |
| apps/wolfsshd/auth.h | Declares CheckPasswordUnix() for unit-test builds so test code can link against it. |
| apps/wolfsshd/auth.c | Makes CheckPasswordUnix() non-static under WOLFSSHD_UNIT_TEST to support the new unit test. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Comment on lines
+1414
to
+1422
| Log(" Testing scenario: CheckPasswordUnix wipes pwStr before free."); | ||
| if (wolfSSL_SetAllocators(pwCapMalloc, pwCapFree, pwCapRealloc) != 0) { | ||
| Log(" FAILED (set allocators).\n"); | ||
| return WS_FATAL_ERROR; | ||
| } | ||
| (void)CheckPasswordUnix("wolfsshd-no-such-user-xyz", | ||
| (const byte*)"secret", 6, NULL); | ||
| wolfSSL_SetAllocators(NULL, NULL, NULL); | ||
|
|
Comment on lines
+5409
to
+5415
| out: | ||
| if (retainInstalled) | ||
| wolfSSL_SetAllocators(prevMf, prevFf, prevRf); | ||
| DrainRetained(); | ||
| if (ctx != NULL) | ||
| wolfSSH_CTX_free(ctx); | ||
| return result; |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Adds mutation-killing test coverage for three secret-zeroization sites reported by Fenrir static analysis. Test-only additions (plus a
WOLFSSHD_UNIT_TEST-guarded export); no production logic changes. Build-verified against wolfSSL--enable-all, and each new assertion was confirmed to fail when its guard is deleted (mutant killed).tests/unit.c—test_HandshakeInfoFree_zeroesSecretspins theForceZero(hs, sizeof(HandshakeInfo))inHandshakeInfoFree(src/internal.c). Uses the existingwolfSSH_TestFreeHandshakehook and retain-on-free allocator to inspect the freed block; deleting theForceZeromakes it FAIL.apps/wolfsshd/auth.c,auth.h,test/test_configuration.c— exportCheckPasswordUnixunderWOLFSSHD_UNIT_TESTand addtest_CheckPasswordUnix, which captures thepwStrbuffer at free time and asserts it is wiped; deleting the cleanupForceZero(pwStr, pwSz+1)makes it FAIL.apps/wolfsshd/test/test_configuration.c— extendtest_CheckPasswordHashUnixwith empty-input/empty-hash, empty-input/real-hash, non-empty/empty-hash, and locked-account (*) cases; these kill the&&->||and empty-branch mutants. Noauth.clogic change.Reported by Fenrir static analysis.