diff --git a/include/libssh/misc.h b/include/libssh/misc.h
index 28982990..272539c5 100644
--- a/include/libssh/misc.h
+++ b/include/libssh/misc.h
@@ -105,8 +105,6 @@ void ssh_timestamp_init(struct ssh_timestamp *ts);
 int ssh_timeout_elapsed(struct ssh_timestamp *ts, int timeout);
 int ssh_timeout_update(struct ssh_timestamp *ts, int timeout);
-int ssh_match_group(const char *group, const char *object);
-
 void uint64_inc(unsigned char *counter);
 void ssh_log_hexdump(const char *descr, const unsigned char *what, size_t len);
diff --git a/include/libssh/priv.h b/include/libssh/priv.h
index 42e55753..9220f83e 100644
--- a/include/libssh/priv.h
+++ b/include/libssh/priv.h
@@ -335,6 +335,7 @@ int match_cidr_address_list(const char *address,
 const char *addrlist,
 int sa_family);
 #endif
+int match_group(const char *group, const char *object);
 /* connector.c */
 int ssh_connector_set_event(ssh_connector connector, ssh_event event);
diff --git a/src/kex.c b/src/kex.c
index 9dccb898..4d17b0ee 100644
--- a/src/kex.c
+++ b/src/kex.c
@@ -510,16 +510,16 @@ SSH_PACKET_CALLBACK(ssh_packet_kexinit)
 * flag and verify packet sequence numbers.
 */
 if (server_kex) {
- ok = ssh_match_group(crypto->client_kex.methods[SSH_KEX],
- KEX_STRICT_CLIENT);
+ ok = match_group(crypto->client_kex.methods[SSH_KEX],
+ KEX_STRICT_CLIENT);
 if (ok) {
 SSH_LOG(SSH_LOG_DEBUG, "Client supports strict kex, enabling.");
 session->flags |= SSH_SESSION_FLAG_KEX_STRICT;
 }
 } else {
 /* client kex */
- ok = ssh_match_group(crypto->server_kex.methods[SSH_KEX],
- KEX_STRICT_SERVER);
+ ok = match_group(crypto->server_kex.methods[SSH_KEX],
+ KEX_STRICT_SERVER);
 if (ok) {
 SSH_LOG(SSH_LOG_DEBUG, "Server supports strict kex, enabling.");
 session->flags |= SSH_SESSION_FLAG_KEX_STRICT;
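Review bot: The new internal prototype `int match_group(const char *group, const char *object);` in priv.h is dropped directly after the `#endif` of the match_cidr_address_list block with no comment stating its contract, while the neighbouring declarations are introduced by a `/* connector.c */` label. Now that the helper leaves the public misc.h, this line is the only place a caller sees what it promises, so I'd put `/* match.c: returns 1 if object equals one element of the comma-separated list group, else 0 */` above it. The kex.c hunk on this line uses the result as a plain boolean (`if (ok)`), which is consistent with documenting it as 0/1.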
@@ -531,8 +531,8 @@ SSH_PACKET_CALLBACK(ssh_packet_kexinit)
 * If client sent a ext-info-c message in the kex list, it supports
 * RFC 8308 extension negotiation.
 */
- ok = ssh_match_group(crypto->client_kex.methods[SSH_KEX],
- KEX_EXTENSION_CLIENT);
+ ok = match_group(crypto->client_kex.methods[SSH_KEX],
+ KEX_EXTENSION_CLIENT);
 if (ok) {
 const char *hostkeys = NULL, *wanted_hostkeys = NULL;
@@ -546,7 +546,7 @@ SSH_PACKET_CALLBACK(ssh_packet_kexinit)
 */
 hostkeys = crypto->client_kex.methods[SSH_HOSTKEYS];
 wanted_hostkeys = session->opts.wanted_methods[SSH_HOSTKEYS];
- ok = ssh_match_group(hostkeys, "rsa-sha2-512");
+ ok = match_group(hostkeys, "rsa-sha2-512");
 if (ok) {
 /* Check if rsa-sha2-512 is allowed by config */
 if (wanted_hostkeys != NULL) {
@@ -558,7 +558,7 @@ SSH_PACKET_CALLBACK(ssh_packet_kexinit)
 SAFE_FREE(is_allowed);
 }
 }
- ok = ssh_match_group(hostkeys, "rsa-sha2-256");
+ ok = match_group(hostkeys, "rsa-sha2-256");
 if (ok) {
 /* Check if rsa-sha2-256 is allowed by config */
 if (wanted_hostkeys != NULL) {
diff --git a/src/match.c b/src/match.c
index 65fb156f..75f743e5 100644
--- a/src/match.c
+++ b/src/match.c
@@ -577,3 +577,28 @@ match_cidr_address_list(const char *address,
 return rc;
 }
 #endif
+
+int match_group(const char *group, const char *object)
+{
+ const char *a;
+ const char *z;
+
+ z = group;
+ do {
+ a = strchr(z, ',');
+ if (a == NULL) {
+ if (strcmp(z, object) == 0) {
+ return 1;
+ }
+ return 0;
+ } else {
+ if (strncmp(z, object, a - z) == 0) {
+ return 1;
+ }
+ }
+ z = a + 1;
+ } while (1);
+
+ /* not reached */
+ return 0;
+}
diff --git a/src/messages.c b/src/messages.c
index 72c0aacc..29349257 100644
--- a/src/messages.c
+++ b/src/messages.c
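Review bot: The element comparison in the new match_group in match.c, `strncmp(z, object, a - z) == 0`, checks only the first `a - z` bytes of object, so an object that merely starts with a list element (object `ssh-rsa-cert-v01@openssh.com` against group `ssh-rsa,ssh-ed25519`) is reported as a match, and an empty element (a leading or doubled comma) has `a - z == 0` and matches any object at all. The messages.c, packet_cb.c and pki.c hunks on this page use that result to check a peer-supplied `sig->type_c` or algorithm name against a configured allow-list, so the loose match widens what those checks accept; whether a certificate or otherwise prefixed name can actually reach them as type_c I cannot tell from this page. The function body is moved verbatim from misc.c, so the behaviour is pre-existing, but the move is the right moment to make the match exact by requiring the element length to equal `strlen(object)` and to refuse NULL arguments instead of handing them to strchr. Rewritten function below; the `#endif` and the rest of the hunk are unchanged.
```c
int match_group(const char *group, const char *object)
{
    const char *a;
    const char *z;
    size_t olen;

    /* strchr/strcmp on NULL is undefined; treat it as "not in list". */
    if (group == NULL || object == NULL) {
        return 0;
    }

    olen = strlen(object);
    z = group;
    do {
        a = strchr(z, ',');
        if (a == NULL) {
            /* last (or only) element: exact comparison */
            return strcmp(z, object) == 0 ? 1 : 0;
        }
        /* exact element match: same length and same bytes, so a prefix
         * ("ssh-rsa" vs "ssh-rsa-cert-...") or an empty element never
         * matches */
        if ((size_t)(a - z) == olen && strncmp(z, object, olen) == 0) {
            return 1;
        }
        z = a + 1;
    } while (1);

    /* not reached */
    return 0;
}
```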
@@ -933,9 +933,9 @@ SSH_PACKET_CALLBACK(ssh_packet_userauth_request){
 if (rc == SSH_OK) {
 /* Check if the signature from client matches server preferences */
 if (session->opts.pubkey_accepted_types) {
- if (!ssh_match_group(session->opts.pubkey_accepted_types,
- sig->type_c))
- {
+ cmp = match_group(session->opts.pubkey_accepted_types,
+ sig->type_c);
+ if (cmp != 1) {
 ssh_set_error(session, SSH_FATAL,
 "Public key from client (%s) doesn't match server "
diff --git a/src/misc.c b/src/misc.c
index 0aea2a99..fb53d184 100644
--- a/src/misc.c
+++ b/src/misc.c
@@ -1571,32 +1571,6 @@ int ssh_timeout_update(struct ssh_timestamp *ts, int timeout)
 return ret >= 0 ? ret: 0;
 }
-
-int ssh_match_group(const char *group, const char *object)
-{
- const char *a;
- const char *z;
-
- z = group;
- do {
- a = strchr(z, ',');
- if (a == NULL) {
- if (strcmp(z, object) == 0) {
- return 1;
- }
- return 0;
- } else {
- if (strncmp(z, object, a - z) == 0) {
- return 1;
- }
- }
- z = a + 1;
- } while(1);
-
- /* not reached */
- return 0;
-}
-
 #if !defined(HAVE_EXPLICIT_BZERO)
 void explicit_bzero(void *s, size_t n)
 {
diff --git a/src/packet_cb.c b/src/packet_cb.c
index 7edb6791..2c19b588 100644
--- a/src/packet_cb.c
+++ b/src/packet_cb.c
@@ -170,8 +170,8 @@ SSH_PACKET_CALLBACK(ssh_packet_newkeys)
 /* Check if signature from server matches user preferences */
 if (session->opts.wanted_methods[SSH_HOSTKEYS]) {
- rc = ssh_match_group(session->opts.wanted_methods[SSH_HOSTKEYS],
- sig->type_c);
+ rc = match_group(session->opts.wanted_methods[SSH_HOSTKEYS],
+ sig->type_c);
 if (rc == 0) {
 ssh_set_error(session, SSH_FATAL,
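Review bot: The rewritten check in messages.c, `cmp = match_group(...); if (cmp != 1) {`, spells the rejection test differently from every other call site on this page: the ssh_packet_newkeys hunk on this same line rejects with `if (rc == 0)`, the ext_info hunk accepts with `if (rc == 1)`, and kex.c uses `if (ok)`. All four are equivalent for a 0/1 return, but three spellings for one contract invite a reader to suspect a third value exists; I'd write this one as `if (cmp == 0) {` to mirror ssh_packet_newkeys, or name the variable `ok` as kex.c does. The declaration of `cmp` is not in the hunk (ssh_packet_userauth_request starts before it), so please confirm it is an int that is not reused for an unrelated comparison result after this point.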
@@ -277,10 +277,14 @@ SSH_PACKET_CALLBACK(ssh_packet_ext_info)
 if (cmp == 0) {
 /* TODO check for NULL bytes */
 SSH_LOG(SSH_LOG_PACKET, "Extension: %s=<%s>", name, value);
- if (ssh_match_group(value, "rsa-sha2-512")) {
+
+ rc = match_group(value, "rsa-sha2-512");
+ if (rc == 1) {
 session->extensions |= SSH_EXT_SIG_RSA_SHA512;
 }
- if (ssh_match_group(value, "rsa-sha2-256")) {
+
+ rc = match_group(value, "rsa-sha2-256");
+ if (rc == 1) {
 session->extensions |= SSH_EXT_SIG_RSA_SHA256;
 }
 } else {
diff --git a/src/pki.c b/src/pki.c
index 816b7e6f..04c6cb46 100644
--- a/src/pki.c
+++ b/src/pki.c
@@ -371,7 +371,7 @@ int ssh_key_algorithm_allowed(ssh_session session, const char *type)
 }
 SSH_LOG(SSH_LOG_DEBUG, "Checking %s with list <%s>", type, allowed_list);
- return ssh_match_group(allowed_list, type);
+ return match_group(allowed_list, type);
 }
 bool ssh_key_size_allowed_rsa(int min_size, ssh_key key)