Add service-name check and regress test by yosuke-wolfssl · Pull Request #953 · wolfSSL/wolfssh

yosuke-wolfssl · 2026-04-24T04:46:02Z

This PR adds the service-name check to comply with RFC 4252 section 5.
If service name is not equal to "ssh-connection", SSH_MSG_USERAUTH_FAILURE would be sent to the peer.
Also, new unit test is added to exercise service-name validation.

Copilot

Pull request overview

This PR adds RFC 4252 §5 compliance by validating the service-name in SSH_MSG_USERAUTH_REQUEST and rejecting requests that do not target "ssh-connection" while keeping the connection open for retry. It also introduces a new internal test hook and a unit test intended to exercise the new validation behavior.

Changes:

Add service-name validation in DoUserAuthRequest() and send SSH_MSG_USERAUTH_FAILURE when invalid.
Expose DoUserAuthRequest() via a new wolfSSH_TestDoUserAuthRequest() internal test wrapper.
Add a new unit test to exercise service-name validation logic.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 2 comments.

File	Description
`wolfssh/internal.h`	Adds a new internal test API declaration for invoking `DoUserAuthRequest()` from unit tests.
`src/internal.c`	Implements the service-name check and the corresponding test wrapper.
`tests/unit.c`	Adds a unit test for service-name validation and wires it into the unit test runner.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

padelsbach · 2026-04-24T17:10:09Z

@yosuke-wolfssl, can you please rebase to resolve conflicts?

wolfSSL-Fenrir-bot

Fenrir Automated Review — PR #953

Scan targets checked: wolfssh-bugs, wolfssh-src

No new issues found in the changed files. ✅

aidangarske

Skoll Code Review

Scan type: review
Overall recommendation: APPROVE
Findings: 7 total — 7 posted, 0 skipped
7 finding(s) posted as inline comments (see file-level comments below)

Posted findings

[Low] Inconsistent cast style in new NameToId call — src/internal.c:8405-8406
[Low] Error from SendUserAuthFailure overwrites ret, making invalid-service path return non-success — src/internal.c:8405-8411
[Low] *idx = len is written even when SendUserAuthFailure returned an error — src/internal.c:8409-8411
[Low] Test assumes output path succeeds on a fresh session without documentation — tests/unit.c:952-1041
[Low] Test does not cover empty or oversize service names — tests/unit.c:964-973
[Info] serviceValid could be replaced by a guard-style early return block for readability — src/internal.c:8370,8417
[Info] *idx = len set before SendUserAuthFailure result is checked — src/internal.c:8409-8410

Review generated by Skoll

wolfSSL-Fenrir-bot

Fenrir Automated Review — PR #953

Scan targets checked: wolfssh-bugs, wolfssh-src

No new issues found in the changed files. ✅

yosuke-wolfssl · 2026-04-28T02:46:09Z

Hello @aidangarske ,

It's ready for review again.
Could you please take a look at this ?

ejohnstown · 2026-04-28T16:25:50Z

        authData.serviceName = buf + begin;
        begin += authData.serviceNameSz;

-        ret = GetSize(&authData.authNameSz, buf, len, &begin);


The function GetStringRef() was added for cases like this. It does all the appropriate length checking and it updates the idx. I just never got around to replacing all GetSize() and adjusting the idx myself with this function.

GetStringRef will give you a pointer into buf that points at the string, and it gives you the length. You don't need to free it, and the pointer is to const.

aidangarske

Skoll Code Review

Scan type: review
Overall recommendation: COMMENT
Findings: 3 total — 3 posted, 0 skipped
3 finding(s) posted as inline comments (see file-level comments below)

Posted findings

[Medium] wolfSSH_SetUsernameRaw mutates session state before the service-name check — src/internal.c:8351-8376
[Low] Unrelated blank-line removal between DoReceive and DoProtoId — src/internal.c:10719
[Low] Test couples to internal packet layout (byte-5 message-id) without abstraction — tests/unit.c:1027-1035

Review generated by Skoll

aidangarske

Skoll Multi-Scan Review

Modes: audit + review-security
Overall recommendation: COMMENT
Findings: 1 total — 1 posted, 0 skipped
1 finding(s) posted as inline comments (see file-level comments below)

Posted findings

[Low] [audit] Unknown-auth-method begin = len consumption path lacks meaningful coverage — src/internal.c:8402-8408

Review generated by Skoll

dgarske · 2026-05-05T18:21:12Z

@yosuke-wolfssl please see the feedback.

yosuke-wolfssl self-assigned this Apr 24, 2026

Copilot AI review requested due to automatic review settings April 24, 2026 04:46

Copilot started reviewing on behalf of yosuke-wolfssl April 24, 2026 04:46 View session

Copilot AI reviewed Apr 24, 2026

View reviewed changes

Comment thread tests/unit.c Outdated

Comment thread tests/unit.c Outdated

yosuke-wolfssl force-pushed the f_1274 branch from 1c46f1d to b2d19fb Compare April 24, 2026 05:12

yosuke-wolfssl assigned wolfSSL-Bot and unassigned yosuke-wolfssl Apr 24, 2026

padelsbach reviewed Apr 24, 2026

View reviewed changes

Comment thread src/internal.c

padelsbach reviewed Apr 24, 2026

View reviewed changes

Comment thread src/internal.c

padelsbach requested a review from wolfSSL-Fenrir-bot April 24, 2026 17:10

wolfSSL-Fenrir-bot reviewed Apr 24, 2026

View reviewed changes

aidangarske reviewed Apr 24, 2026

View reviewed changes

Comment thread src/internal.c

Comment thread src/internal.c

Comment thread src/internal.c

Comment thread tests/unit.c

Comment thread tests/unit.c

Comment thread src/internal.c

Comment thread src/internal.c

yosuke-wolfssl assigned yosuke-wolfssl and unassigned wolfSSL-Bot Apr 27, 2026

yosuke-wolfssl force-pushed the f_1274 branch from b2d19fb to 3119f6c Compare April 27, 2026 02:42

yosuke-wolfssl assigned wolfSSL-Bot and unassigned yosuke-wolfssl Apr 27, 2026

yosuke-wolfssl marked this pull request as draft April 27, 2026 02:55

Add service-name check and regress test

0cb09bf

yosuke-wolfssl force-pushed the f_1274 branch from 3119f6c to 0cb09bf Compare April 27, 2026 23:13

yosuke-wolfssl requested a review from wolfSSL-Fenrir-bot April 27, 2026 23:17

wolfSSL-Fenrir-bot reviewed Apr 27, 2026

View reviewed changes

yosuke-wolfssl marked this pull request as ready for review April 28, 2026 02:45

ejohnstown self-requested a review April 28, 2026 16:27

ejohnstown requested changes Apr 28, 2026

View reviewed changes

aidangarske reviewed Apr 28, 2026

View reviewed changes

Comment thread src/internal.c

Comment thread tests/unit.c

Comment thread src/internal.c

aidangarske reviewed Apr 28, 2026

View reviewed changes

Comment thread src/internal.c

dgarske assigned yosuke-wolfssl May 5, 2026

Conversation

yosuke-wolfssl commented Apr 24, 2026

Uh oh!

Copilot AI left a comment

Choose a reason for hiding this comment

Pull request overview

Reviewed changes

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

padelsbach commented Apr 24, 2026

Uh oh!

wolfSSL-Fenrir-bot left a comment

Choose a reason for hiding this comment

Fenrir Automated Review — PR #953

Uh oh!

aidangarske left a comment

Choose a reason for hiding this comment

Skoll Code Review

Posted findings

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

wolfSSL-Fenrir-bot left a comment

Choose a reason for hiding this comment

Fenrir Automated Review — PR #953

Uh oh!

yosuke-wolfssl commented Apr 28, 2026

Uh oh!

ejohnstown Apr 28, 2026

Choose a reason for hiding this comment

Uh oh!

aidangarske left a comment

Choose a reason for hiding this comment

Skoll Code Review

Posted findings

Uh oh!

Uh oh!

Uh oh!

Uh oh!

aidangarske left a comment

Choose a reason for hiding this comment

Skoll Multi-Scan Review

Posted findings

Uh oh!

Uh oh!

dgarske commented May 5, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

8 participants