add rekey check to sftp client and use reletave path to file in test case

JacobBarthelmeh · JacobBarthelmeh · commit 353804531df6 · 2026-02-27T15:48:25.000-07:00
diff --git a/.github/workflows/windows-sftp.yml b/.github/workflows/windows-sftp.yml
@@ -162,6 +162,13 @@ jobs:
         "" | Out-File -FilePath $authKeysFile -Encoding ASCII -NoNewline
         icacls $authKeysFile /grant "testuser:R" /q
 
+        # Grant testuser full control of their home directory.
+        # New-Item creates the directory owned by the runner account; Windows
+        # only sets correct user ACLs during the normal profile-creation flow.
+        # Without this, ImpersonateLoggedOnUser succeeds but CreateFile fails
+        # with ACCESS_DENIED when wolfsshd tries to write files as testuser.
+        icacls $homeDir /grant "testuser:(OI)(CI)F" /T /q
+
         $sid = (New-Object System.Security.Principal.NTAccount("testuser")).Translate([System.Security.Principal.SecurityIdentifier]).Value
         $profKey = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\$sid"
         if (-not (Test-Path $profKey)) { New-Item -Path $profKey -Force | Out-Null }
@@ -318,16 +325,15 @@ jobs:
         }
         Write-Host "Basic SFTP test passed"
 
-    - name: Create 3GB test file and run SFTP get/put (large_rw)
-      if: matrix.test_type == 'large_rw'
+    - name: Create 3GB test file and run SFTP get/put
       working-directory: ${{ github.workspace }}\wolfssh
       shell: pwsh
       timeout-minutes: 25
       run: |
         $sftpPath = $env:SFTP_PATH
-        $workDir = (Get-Location).Path
+        $workDir = Join-Path $env:GITHUB_WORKSPACE "wolfssh"
         $largeFile = Join-Path $workDir "large_test.dat"
-        $getDest = Join-Path $workDir "large_test_copy.dat"
+        $getDestPath = Join-Path $workDir "large_test_copy.dat"
 
         # Create 3GB file: one random 10MB chunk repeated 307x + 2MB
         Write-Host "Creating 3GB test file..."
@@ -346,57 +352,68 @@ jobs:
         $fs.Close()
 
         $hash = Get-FileHash -Path $largeFile -Algorithm SHA256
-        $hash.Hash | Out-File -FilePath large_test.dat.sha256
+        $hash.Hash | Out-File -FilePath (Join-Path $workDir "large_test.dat.sha256")
         Write-Host "Created 3GB file, SHA256: $($hash.Hash)"
 
         # SFTP PUT (upload)
+        # Use a relative remote path (no leading /) so the server resolves it
+        # under testuser's home directory.  An absolute /large_test.dat maps to
+        # the drive root (C:\) where testuser has no write permission; relative
+        # large_test.dat is prefixed by workingDir (C:\Users\testuser) on the
+        # client and becomes C:\Users\testuser\large_test.dat on the server.
         Write-Host "SFTP PUT 3GB file..."
-        $putCommands = "put $largeFile /large_test.dat`nquit"
-        $putCommands | Out-File -FilePath sftp_put_commands.txt -Encoding ASCII
+        $putCommands = "put $largeFile large_test.dat`nquit"
+        $putCommands | Out-File -FilePath (Join-Path $workDir "sftp_put_commands.txt") -Encoding ASCII
         $proc = Start-Process -FilePath $sftpPath `
           -ArgumentList "-u", "testuser", "-P", $env:TESTUSER_PASSWORD, "-h", "localhost", "-p", "${{env.TEST_PORT}}" `
-          -RedirectStandardInput "sftp_put_commands.txt" `
-          -RedirectStandardOutput "sftp_put_out.txt" `
-          -RedirectStandardError "sftp_put_err.txt" `
+          -WorkingDirectory $workDir `
+          -RedirectStandardInput (Join-Path $workDir "sftp_put_commands.txt") `
+          -RedirectStandardOutput (Join-Path $workDir "sftp_put_out.txt") `
+          -RedirectStandardError (Join-Path $workDir "sftp_put_err.txt") `
           -Wait -NoNewWindow -PassThru
 
-        if ($proc.ExitCode -ne 0) {
-          Get-Content sftp_put_out.txt
-          Get-Content sftp_put_err.txt
+        $putOut = Get-Content (Join-Path $workDir "sftp_put_out.txt") -Raw -ErrorAction SilentlyContinue
+        Write-Host "=== SFTP PUT output ==="; Write-Host $putOut
+        if ($proc.ExitCode -ne 0 -or $putOut -match "Error pushing file") {
+          Get-Content (Join-Path $workDir "sftp_put_err.txt") -ErrorAction SilentlyContinue
           Write-Host "ERROR: SFTP PUT failed"
           exit 1
         }
         Write-Host "PUT succeeded"
 
-        # SFTP GET (download)
+        # SFTP GET (download) - relative remote and local paths.
+        # Remote large_test.dat resolves to C:\Users\testuser\large_test.dat.
+        # Local large_test_copy.dat is relative to wolfsftp's CWD ($workDir).
         Write-Host "SFTP GET 3GB file..."
-        $getCommands = "get /large_test.dat $getDest`nquit"
-        $getCommands | Out-File -FilePath sftp_get_commands.txt -Encoding ASCII
+        $getCommands = "get large_test.dat large_test_copy.dat`nquit"
+        $getCommands | Out-File -FilePath (Join-Path $workDir "sftp_get_commands.txt") -Encoding ASCII
         $proc2 = Start-Process -FilePath $sftpPath `
           -ArgumentList "-u", "testuser", "-P", $env:TESTUSER_PASSWORD, "-h", "localhost", "-p", "${{env.TEST_PORT}}" `
-          -RedirectStandardInput "sftp_get_commands.txt" `
-          -RedirectStandardOutput "sftp_get_out.txt" `
-          -RedirectStandardError "sftp_get_err.txt" `
+          -WorkingDirectory $workDir `
+          -RedirectStandardInput (Join-Path $workDir "sftp_get_commands.txt") `
+          -RedirectStandardOutput (Join-Path $workDir "sftp_get_out.txt") `
+          -RedirectStandardError (Join-Path $workDir "sftp_get_err.txt") `
           -Wait -NoNewWindow -PassThru
 
-        if ($proc2.ExitCode -ne 0) {
-          Get-Content sftp_get_out.txt
-          Get-Content sftp_get_err.txt
+        $getOut = Get-Content (Join-Path $workDir "sftp_get_out.txt") -Raw -ErrorAction SilentlyContinue
+        Write-Host "=== SFTP GET output ==="; Write-Host $getOut
+        if ($proc2.ExitCode -ne 0 -or $getOut -match "Error getting file") {
+          Get-Content (Join-Path $workDir "sftp_get_err.txt") -ErrorAction SilentlyContinue
           Write-Host "ERROR: SFTP GET failed"
           exit 1
         }
         Write-Host "GET succeeded"
 
-        # Verify integrity
-        $expectedHash = (Get-Content large_test.dat.sha256).Trim()
-        $actualHash = (Get-FileHash -Path $getDest -Algorithm SHA256).Hash
+        # Verify integrity (file is in $workDir from GET with relative path)
+        $expectedHash = (Get-Content (Join-Path $workDir "large_test.dat.sha256")).Trim()
+        $actualHash = (Get-FileHash -Path $getDestPath -Algorithm SHA256).Hash
         if ($expectedHash -ne $actualHash) {
           Write-Host "ERROR: SHA256 mismatch - PUT/GET corruption"
           Write-Host "Expected: $expectedHash"
           Write-Host "Actual:   $actualHash"
           exit 1
         }
-        Write-Host "PASS: 3GB SFTP get/put with WOLFSSH_MAX_SFTP_RW=10485760 succeeded"
+        Write-Host "PASS: 3GB SFTP get/put succeeded"
 
     - name: Cleanup
       if: always()
diff --git a/examples/sftpclient/sftpclient.c b/examples/sftpclient/sftpclient.c
@@ -769,8 +769,8 @@ static int doCmds(func_args* args)
 
                 ret = wolfSSH_SFTP_STAT(ssh, pt, &atrb);
                 err = wolfSSH_get_error(ssh);
-            } while ((err == WS_WANT_READ || err == WS_WANT_WRITE)
-                        && ret != WS_SUCCESS);
+            } while ((err == WS_WANT_READ || err == WS_WANT_WRITE ||
+                        err == WS_REKEYING) && ret != WS_SUCCESS);
             if (ret != WS_SUCCESS) {
                 if (SFTP_FPUTS(args, "Error changing directory\n") < 0) {
                     err_msg("fputs error");
@@ -857,8 +857,8 @@ static int doCmds(func_args* args)
 
                 ret = wolfSSH_SFTP_CHMOD(ssh, pt, mode);
                 err = wolfSSH_get_error(ssh);
-            } while ((err == WS_WANT_READ || err == WS_WANT_WRITE)
-                        && ret != WS_SUCCESS);
+            } while ((err == WS_WANT_READ || err == WS_WANT_WRITE ||
+                        err == WS_REKEYING) && ret != WS_SUCCESS);
             if (ret != WS_SUCCESS) {
                 if (SFTP_FPUTS(args, "Unable to change permissions of ") < 0) {
                     err_msg("fputs error");
@@ -914,8 +914,8 @@ static int doCmds(func_args* args)
 
                 ret = wolfSSH_SFTP_RMDIR(ssh, pt);
                 err = wolfSSH_get_error(ssh);
-            } while ((err == WS_WANT_READ || err == WS_WANT_WRITE)
-                        && ret != WS_SUCCESS);
+            } while ((err == WS_WANT_READ || err == WS_WANT_WRITE ||
+                        err == WS_REKEYING) && ret != WS_SUCCESS);
             if (ret != WS_SUCCESS) {
                 if (ret == WS_PERMISSIONS) {
                     if (SFTP_FPUTS(args, "Insufficient permissions\n") < 0) {
@@ -967,8 +967,8 @@ static int doCmds(func_args* args)
 
                 ret = wolfSSH_SFTP_Remove(ssh, pt);
                 err = wolfSSH_get_error(ssh);
-            } while ((err == WS_WANT_READ || err == WS_WANT_WRITE)
-                        && ret != WS_SUCCESS);
+            } while ((err == WS_WANT_READ || err == WS_WANT_WRITE ||
+                        err == WS_REKEYING) && ret != WS_SUCCESS);
             if (ret != WS_SUCCESS) {
                 if (ret == WS_PERMISSIONS) {
                     if (SFTP_FPUTS(args, "Insufficient permissions\n") < 0) {
