wolfsshd: mark AuthorizedKeysFile as explicitly set in public setter

Author: yosuke-wolfssl

apps/wolfsshd/configuration.c

@@ -1064,7 +1064,6 @@ static int HandleConfigOption(WOLFSSHD_CONFIG** conf, int opt,
 
     switch (opt) {
         case OPT_AUTH_KEYS_FILE:
-            (*conf)->authKeysFileSet = 1;
             ret = wolfSSHD_ConfigSetAuthKeysFile(*conf, value);
             break;
         case OPT_PRIV_SEP:
@@ -1395,6 +1394,14 @@ int wolfSSHD_ConfigSetAuthKeysFile(WOLFSSHD_CONFIG* conf, const char* file)
         if (file != NULL) {
             ret = CreateString(&conf->authKeysFile, file,
                                         (int)WSTRLEN(file), conf->heap);
+            /* mark the authorized keys file as explicitly configured so
+             * certificate public-key logins are still checked against it */
+            if (ret == WS_SUCCESS) {
+                conf->authKeysFileSet = 1;
+            }
+        }
+        else {
+            conf->authKeysFileSet = 0;
         }
     }
 

apps/wolfsshd/test/test_configuration.c

@@ -305,7 +305,8 @@ static int test_ConfigCopy(void)
         ret = wolfSSHD_ConfigSetHostCertFile(head, "/etc/ssh/host_cert.pub");
     if (ret == WS_SUCCESS)
         ret = wolfSSHD_ConfigSetUserCAKeysFile(head, "/etc/ssh/ca.pub");
-    /* AuthorizedKeysFile must go through PCL so authKeysFileSet flag is set */
+    /* AuthorizedKeysFile via PCL to also exercise the config-parse path; the
+     * authKeysFileSet flag is set either way and must survive the copy */
     if (ret == WS_SUCCESS) ret = PCL("AuthorizedKeysFile .ssh/authorized_keys");
 
     /* scalar fields */
@@ -651,6 +652,44 @@ static int test_IncludeRecursionBound(void)
     return ret;
 }
 
+/* The public wolfSSHD_ConfigSetAuthKeysFile setter must mark the authorized
+ * keys file as explicitly configured, otherwise certificate public-key logins
+ * skip the authorized-keys check and rely on CA validation alone. */
+static int test_ConfigSetAuthKeysFile(void)
+{
+    int ret = WS_SUCCESS;
+    WOLFSSHD_CONFIG* conf;
+
+    conf = wolfSSHD_ConfigNew(NULL);
+    if (conf == NULL)
+        ret = WS_MEMORY_E;
+
+    /* fresh config has no explicit authorized keys file */
+    if (ret == WS_SUCCESS) {
+        if (wolfSSHD_ConfigGetAuthKeysFileSet(conf) != 0)
+            ret = WS_FATAL_ERROR;
+    }
+
+    /* configuring a file through the public setter must set the flag */
+    if (ret == WS_SUCCESS)
+        ret = wolfSSHD_ConfigSetAuthKeysFile(conf, ".ssh/authorized_keys");
+    if (ret == WS_SUCCESS) {
+        if (wolfSSHD_ConfigGetAuthKeysFileSet(conf) == 0)
+            ret = WS_FATAL_ERROR;
+    }
+
+    /* removing the file must clear the flag again */
+    if (ret == WS_SUCCESS)
+        ret = wolfSSHD_ConfigSetAuthKeysFile(conf, NULL);
+    if (ret == WS_SUCCESS) {
+        if (wolfSSHD_ConfigGetAuthKeysFileSet(conf) != 0)
+            ret = WS_FATAL_ERROR;
+    }
+
+    wolfSSHD_ConfigFree(conf);
+    return ret;
+}
+
 /* Verifies ConfigFree releases all string fields - most useful under ASan. */
 static int test_ConfigFree(void)
 {
@@ -1013,6 +1052,7 @@ const TEST_CASE testCases[] = {
     TEST_DECL(test_MatchUnsupportedSelector),
     TEST_DECL(test_CAKeysFileDiffers),
     TEST_DECL(test_IncludeRecursionBound),
+    TEST_DECL(test_ConfigSetAuthKeysFile),
     TEST_DECL(test_ConfigFree),
 #ifdef WOLFSSL_BASE64_ENCODE
     TEST_DECL(test_CheckAuthKeysLine),