author | djm@openbsd.org <djm@openbsd.org> | 2018-07-04 13:49:31 +0000 |
---|---|---|
committer | Damien Miller <djm@mindrot.org> | 2018-07-04 23:51:52 +1000 |
commit | 312d2f2861a2598ed08587cb6c45c0e98a85408f (patch) | |
tree | e3bdc4facef48a89cd76fa793d9e70211b7ff8d2 /compat.c | |
parent | 303af5803bd74bf05d375c04e1a83b40c30b2be5 (diff) |
upstream: repair PubkeyAcceptedKeyTypes (and friends) after RSA
signature work - returns ability to add/remove/specify algorithms by
wildcard.
Algorithm lists are now fully expanded when the server/client configs
are finalised, so errors are reported early and the config dumps
(e.g. "ssh -G ...") now list the actual algorithms selected.
Clarify that, while wildcards are accepted in algorithm lists, they
aren't full pattern-lists that support negation.
(lots of) feedback, ok markus@
OpenBSD-Commit-ID: a8894c5c81f399a002f02ff4fe6b4fa46b1f3207
Diffstat (limited to 'compat.c')
-rw-r--r-- | compat.c | 18 |
1 files changed, 9 insertions, 9 deletions
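--- a/compat.c
+++ b/compat.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: compat.c,v 1.109 2018/07/03 11:42:12 djm Exp $ */
+/* $OpenBSD: compat.c,v 1.110 2018/07/04 13:49:31 djm Exp $ */
 /*
 * Copyright (c) 1999, 2000, 2001, 2002 Markus Friedl. All rights reserved.
 *
@@ -190,8 +190,8 @@ compat_cipher_proposal(char *cipher_prop)
 if (!(datafellows & SSH_BUG_BIGENDIANAES))
 return cipher_prop;
 debug2("%s: original cipher proposal: %s", __func__, cipher_prop);
-if ((cipher_prop = match_filter_list(cipher_prop, "aes*")) == NULL)
-fatal("match_filter_list failed");
+if ((cipher_prop = match_filter_blacklist(cipher_prop, "aes*")) == NULL)
+fatal("match_filter_blacklist failed");
 debug2("%s: compat cipher proposal: %s", __func__, cipher_prop);
 if (*cipher_prop == '\0')
 fatal("No supported ciphers found");
@@ -204,8 +204,8 @@ compat_pkalg_proposal(char *pkalg_prop)
 if (!(datafellows & SSH_BUG_RSASIGMD5))
 return pkalg_prop;
 debug2("%s: original public key proposal: %s", __func__, pkalg_prop);
-if ((pkalg_prop = match_filter_list(pkalg_prop, "ssh-rsa")) == NULL)
-fatal("match_filter_list failed");
+if ((pkalg_prop = match_filter_blacklist(pkalg_prop, "ssh-rsa")) == NULL)
+fatal("match_filter_blacklist failed");
 debug2("%s: compat public key proposal: %s", __func__, pkalg_prop);
 if (*pkalg_prop == '\0')
 fatal("No supported PK algorithms found");
@@ -219,14 +219,14 @@ compat_kex_proposal(char *p)
 return p;
 debug2("%s: original KEX proposal: %s", __func__, p);
 if ((datafellows & SSH_BUG_CURVE25519PAD) != 0)
-if ((p = match_filter_list(p,
+if ((p = match_filter_blacklist(p,
 "curve25519-sha256@libssh.org")) == NULL)
-fatal("match_filter_list failed");
+fatal("match_filter_blacklist failed");
 if ((datafellows & SSH_OLD_DHGEX) != 0) {
-if ((p = match_filter_list(p,
+if ((p = match_filter_blacklist(p,
 "diffie-hellman-group-exchange-sha256,"
 "diffie-hellman-group-exchange-sha1")) == NULL)
-fatal("match_filter_blacklist failed");
+fatal("match_filter_blacklist failed");
 }
 debug2("%s: compat KEX proposal: %s", __func__, p);
 if (*p == '\0')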
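Review bot: In compat_kex_proposal, when a peer has both SSH_BUG_CURVE25519PAD and SSH_OLD_DHGEX set, the second match_filter_blacklist() call (new lines 226-229) overwrites `p` without releasing the string the first call (new lines 222-224) stored in it, so that intermediate result is leaked; the `p = ...` pattern predates the rename, so the commit does not address it. This assumes match_filter_blacklist() returns a freshly allocated string, which the `== NULL` check and the "failed" fatal suggest but match.c is not in view, so confirm before changing anything. If so, the loss is one allocation per affected connection: small, but it accumulates in a long-lived sshd that keeps talking to such peers. A fix is to filter into a temporary and free the previous string only when it came from the first filter (the caller-owned original must not be freed, as the early `return p` shows it is passed through untouched). The function's closing `fatal("No supported ...")` and `return p` lie outside the hunk.
```c
	if ((datafellows & SSH_OLD_DHGEX) != 0) {
		char *filtered;

		if ((filtered = match_filter_blacklist(p,
		    "diffie-hellman-group-exchange-sha256,"
		    "diffie-hellman-group-exchange-sha1")) == NULL)
			fatal("match_filter_blacklist failed");
		/* p is our own allocation only if the first filter ran */
		if ((datafellows & SSH_BUG_CURVE25519PAD) != 0)
			free(p);
		p = filtered;
	}
	/* … unchanged: debug2 of the compat proposal, empty-list check … */
```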