WIP

ejohnstown · ejohnstown · commit f2b21dccd0d9 · 2025-07-23T11:53:21.000-07:00
diff --git a/src/internal.c b/src/internal.c
@@ -598,34 +598,43 @@ static void HandshakeInfoFree(HandshakeInfo* hs, void* heap)
 #ifndef NO_WOLFSSH_SERVER
 INLINE static int IsMessageAllowedServer(WOLFSSH *ssh, byte msg)
 {
+    /* Transport Layer Generic messages are always allowed. */
+    if (MSGIDLIMIT_TRANS_GEN(msg)) {
+        return 1;
+    }
+
     /* Has client userauth started? */
+    /* Allows the server to receive up to KEXDH GEX Request during KEX. */
     if (ssh->acceptState < ACCEPT_KEYED) {
-        if (msg > MSGID_KEXDH_LIMIT) {
+        if (msg > MSGID_KEXDH_GEX_REQUEST) {
             return 0;
         }
     }
     /* Is server userauth complete? */
     if (ssh->acceptState < ACCEPT_SERVER_USERAUTH_SENT) {
+        /* The server should only receive the user auth request message,
+         * it should not accept the other user auth messages, it sends
+         * them. (>50) */
         /* Explicitly check for messages not allowed before user
          * authentication has comleted. */
-        if (msg >= MSGID_USERAUTH_LIMIT) {
-            WLOG(WS_LOG_DEBUG, "Message ID %u not allowed by server "
-                    "before user authentication is complete", msg);
+        if (MSGIDLIMIT_POST_USERAUTH(msg)) {
+            WLOG(WS_LOG_DEBUG, "Message ID %u not allowed by %s %s",
+                    msg, "server", "before user authentication is complete");
             return 0;
         }
         /* Explicitly check for the user authentication messages that
          * only the server sends, it shouldn't receive them. */
-        if ((msg > MSGID_USERAUTH_RESTRICT) &&
+        if ((msg > MSGID_USERAUTH_REQUEST) &&
             (msg != MSGID_USERAUTH_INFO_RESPONSE)) {
-            WLOG(WS_LOG_DEBUG, "Message ID %u not allowed by server "
-                    "during user authentication", msg);
+            WLOG(WS_LOG_DEBUG, "Message ID %u not allowed by %s %s",
+                    msg, "server", "during user authentication");
             return 0;
         }
     }
     else {
-        if (msg >= MSGID_USERAUTH_RESTRICT && msg < MSGID_USERAUTH_LIMIT) {
-            WLOG(WS_LOG_DEBUG, "Message ID %u not allowed by server "
-                    "after user authentication", msg);
+        if (msg >= MSGID_USERAUTH_REQUEST && msg < MSGID_GLOBAL_REQUEST) {
+            WLOG(WS_LOG_DEBUG, "Message ID %u not allowed by %s %s",
+                    msg, "server", "after user authentication");
             return 0;
         }
     }
@@ -638,6 +647,19 @@ INLINE static int IsMessageAllowedServer(WOLFSSH *ssh, byte msg)
 #ifndef NO_WOLFSSH_CLIENT
 INLINE static int IsMessageAllowedClient(WOLFSSH *ssh, byte msg)
 {
+    /* Transport Layer Generic messages are always allowed. */
+    if (MSGIDLIMIT_TRANS_GEN(msg)) {
+        return 1;
+    }
+
+    /* The client should only send the user auth request message
+     * (50), it should not accept it. The server should only receive
+     * the user auth request message, it should not accept the other
+     * user auth messages, it sends them. (>50) */
+    if (msg == MSGID_USERAUTH_REQUEST) {
+        return 0;
+    }
+
     /* Is KEX complete? */
     if (ssh->connectState < CONNECT_KEYED && ssh->handshake) {
         /* If expecting a specific message, and didn't receive it, error. */
@@ -648,35 +670,37 @@ INLINE static int IsMessageAllowedClient(WOLFSSH *ssh, byte msg)
                 return 0;
             }
             ssh->handshake->expectMsgId = MSGID_NONE;
+            return 1;
         }
     }
     /* Has client userauth started? */
     if (ssh->connectState < CONNECT_CLIENT_KEXDH_INIT_SENT) {
-        if (msg >= MSGID_KEXDH_LIMIT) {
+        if (msg >= MSGID_KEXDH_GEX_REQUEST) {
             return 0;
         }
     }
     /* Is client userauth complete? */
     if (ssh->connectState < CONNECT_SERVER_USERAUTH_ACCEPT_DONE) {
-        /* Explicitly check for messages not allowed before user
-         * authentication has comleted. */
-        if (msg >= MSGID_USERAUTH_LIMIT) {
-            WLOG(WS_LOG_DEBUG, "Message ID %u not allowed by client "
-                    "before user authentication is complete", msg);
+        /* The endpoints should not allow message IDs greater than or
+         * equal to msgid 80 before user authentication is complete.
+         * Per RFC 4252 section 6. */
+        if (MSGIDLIMIT_POST_USERAUTH(msg)) {
+            WLOG(WS_LOG_DEBUG, "Message ID %u not allowed by %s %s",
+                    msg, "client", "before user authentication is complete");
             return 0;
         }
-        /* Explicitly check for the user authentication message that
-         * only the client sends, it shouldn't receive it. */
-        if (msg == MSGID_USERAUTH_RESTRICT) {
-            WLOG(WS_LOG_DEBUG, "Message ID %u not allowed by client "
-                    "during user authentication", msg);
+        /* Explicitly check for the user authentication request message.
+         * The client only sends the message, it shouldn't receive it. */
+        if (msg == MSGID_USERAUTH_REQUEST) {
+            WLOG(WS_LOG_DEBUG, "Message ID %u not allowed by %s %s",
+                    msg, "client", "during user authentication");
             return 0;
         }
     }
     else {
-        if (msg >= MSGID_USERAUTH_RESTRICT && msg < MSGID_USERAUTH_LIMIT) {
-            WLOG(WS_LOG_DEBUG, "Message ID %u not allowed by client "
-                    "after user authentication", msg);
+        if (MSGIDLIMIT_AUTH(msg)) {
+            WLOG(WS_LOG_DEBUG, "Message ID %u not allowed by %s %s",
+                    msg, "client", "after user authentication");
             return 0;
         }
     }
diff --git a/wolfssh/internal.h b/wolfssh/internal.h
@@ -1180,6 +1180,7 @@ enum ProcessReplyStates {
 
 enum WS_MessageIds {
     MSGID_NONE = 0,
+
     MSGID_DISCONNECT = 1,
     MSGID_IGNORE = 2,
     MSGID_UNIMPLEMENTED = 3,
@@ -1235,19 +1236,57 @@ enum WS_MessageIds {
 };
 
 
-/* Allows the server to receive up to KEXDH GEX Request during KEX. */
-#define MSGID_KEXDH_LIMIT MSGID_KEXDH_GEX_REQUEST
-
-/* The endpoints should not allow message IDs greater than or
- * equal to msgid 80 before user authentication is complete.
- * Per RFC 4252 section 6. */
-#define MSGID_USERAUTH_LIMIT 80
+/* The following message ID ranges are described in RFC 5251, section 7. */
+enum WS_MessageIdLimits {
+/* Transport Layer Protocol: */
+    MSGIDLIMIT_TRANS_MIN = 1,
+    MSGIDLIMIT_TRANS_GEN_MIN = 1,
+    MSGIDLIMIT_TRANS_GEN_MAX = 19,
+    MSGIDLIMIT_TRANS_ALGO_MIN = 20,
+    MSGIDLIMIT_TRANS_ALGO_MAX = 29,
+    MSGIDLIMIT_TRANS_KEX_MIN = 30,
+    MSGIDLIMIT_TRANS_KEX_MAX = 49,
+    MSGIDLIMIT_TRANS_MAX = 49,
+/* User Authentication Protocol: */
+    MSGIDLIMIT_AUTH_MIN = 50,
+    MSGIDLIMIT_AUTH_GEN_MIN = 50,
+    MSGIDLIMIT_AUTH_GEN_MAX = 59,
+    MSGIDLIMIT_AUTH_METH_MIN = 60,
+    MSGIDLIMIT_AUTH_METH_MAX = 79,
+    MSGIDLIMIT_AUTH_MAX = 79,
+/* Connection Protocol: */
+    MSGIDLIMIT_CONN_MIN = 80,
+    MSGIDLIMIT_CONN_GEN_MIN = 80,
+    MSGIDLIMIT_CONN_GEN_MAX = 89,
+    MSGIDLIMIT_CONN_CHAN_MIN = 90,
+    MSGIDLIMIT_CONN_CHAN_MAX = 127,
+    MSGIDLIMIT_CONN_MAX = 127,
+/* Reserved For Client Protocols: */
+    MSGIDLIMIT_RESERVED_MIN = 128,
+    MSGIDLIMIT_RESERVED_MAX = 191,
+/* Local Extensions: */
+    MSGIDLIMIT_EXTENDED_MIN = 192,
+    MSGIDLIMIT_EXTENDED_MAX = 255,
+};
 
-/* The client should only send the user auth request message
- * (50), it should not accept it. The server should only receive
- * the user auth request message, it should not accept the other
- * user auth messages, it sends them. (>50) */
-#define MSGID_USERAUTH_RESTRICT 50
+/* Message ID bounds checking. */
+#define MSGIDLIMIT_BOUND(x,y,z) ((x) >= (y) && (x) <= (z))
+#define MSGIDLIMIT_COMP(x,name) \
+    MSGIDLIMIT_BOUND((x),MSGIDLIMIT_##name##_MIN,MSGIDLIMIT_##name##_MAX)
+#define MSGIDLIMIT_TRANS(x) MSGIDLIMIT_COMP((x),TRANS)
+#define MSGIDLIMIT_TRANS_GEN(x) MSGIDLIMIT_COMP((x),TRANS_GEN)
+#define MSGIDLIMIT_TRANS_ALGO(x) MSGIDLIMIT_COMP((x),TRANS_ALGO)
+#define MSGIDLIMIT_TRANS_KEX(x) MSGIDLIMIT_COMP((x),TRANS_KEX)
+#define MSGIDLIMIT_AUTH(x) MSGIDLIMIT_COMP((x),AUTH)
+#define MSGIDLIMIT_AUTH_GEN(x) MSGIDLIMIT_COMP((x),AUTH_GEN)
+#define MSGIDLIMIT_AUTH_METH(x) MSGIDLIMIT_COMP((x),AUTH_METH)
+#define MSGIDLIMIT_CONN(x) MSGIDLIMIT_COMP((x),CONN)
+#define MSGIDLIMIT_CONN_GEN(x) MSGIDLIMIT_COMP((x),CONN_GEN)
+#define MSGIDLIMIT_CONN_CHAN(x) MSGIDLIMIT_COMP((x),CONN_CHAN)
+#define MSGIDLIMIT_RESERVED(x) MSGIDLIMIT_COMP((x),RESERVED)
+#define MSGIDLIMIT_EXTENDED(x) MSGIDLIMIT_COMP((x),EXTENDED)
+#define MSGIDLIMIT_POST_USERAUTH(x) \
+    MSGIDLIMIT_BOUND((x),MSGIDLIMIT_CONN_MIN,MSGIDLIMIT_EXTENDED_MAX)
 
 
 #define CHANNEL_EXTENDED_DATA_STDERR WOLFSSH_EXT_DATA_STDERR
