Merge pull request #923 from yosuke-wolfssl/f_2484

ejohnstown · web-flow · commit a608f1944f71 · 2026-04-21T09:46:43.000-07:00
Add additional regress test for DoKexDhReply
diff --git a/tests/regress.c b/tests/regress.c
@@ -513,6 +513,16 @@ static int AcceptAnyServerHostKey(const byte* pubKey, word32 pubKeySz,
     return 0;
 }
 
+static int RejectAnyServerHostKey(const byte* pubKey, word32 pubKeySz,
+        void* ctx)
+{
+    (void)pubKey;
+    (void)pubKeySz;
+    (void)ctx;
+
+    return 1;
+}
+
 static int QueueAppend(DuplexQueue* queue, const byte* data, word32 dataSz)
 {
     if (queue == NULL || data == NULL) {
@@ -953,6 +963,34 @@ static void TestKexDhReplyRejectsNoPublicKeyCheck(void)
 #endif
 }
 
+static void AssertHandshakeRejectsWhenCallbackRejects(const char* keyAlgo)
+{
+    KexReplyHarness harness;
+    KexReplyRunResult result;
+
+    InitKexReplyHarness(&harness, keyAlgo, 0);
+    wolfSSH_CTX_SetPublicKeyCheck(harness.clientCtx, RejectAnyServerHostKey);
+    RunKexReplyHandshake(&harness, &result);
+
+    AssertFalse(result.clientSuccess);
+    AssertTrue(result.clientRet == WS_FATAL_ERROR);
+    AssertTrue(result.clientErr != WS_WANT_READ && result.clientErr != WS_WANT_WRITE);
+    AssertIntEQ(result.clientErr, WS_PUBKEY_REJECTED_E);
+    AssertFalse(harness.client->connectState >= CONNECT_KEYED);
+
+    FreeKexReplyHarness(&harness);
+}
+
+static void TestKexDhReplyRejectsWhenCallbackRejects(void)
+{
+#ifndef WOLFSSH_NO_RSA_SHA2_256
+    AssertHandshakeRejectsWhenCallbackRejects("rsa-sha2-256");
+#endif
+#ifndef WOLFSSH_NO_RSA_SHA2_512
+    AssertHandshakeRejectsWhenCallbackRejects("rsa-sha2-512");
+#endif
+}
+
 #endif /* KEXDH_REPLY_REGRESS_KEX_ALGO */
 
 static void AssertChannelOpenFailResponse(const ChannelOpenHarness* harness,
@@ -1941,6 +1979,7 @@ int main(int argc, char** argv)
     TestKexDhReplyRejectsRsaSha2_512SigNameDowngrade();
     #endif
     TestKexDhReplyRejectsNoPublicKeyCheck();
+    TestKexDhReplyRejectsWhenCallbackRejects();
 #endif
 
 #ifdef WOLFSSH_SFTP
