authordjm@openbsd.org <djm@openbsd.org>2018-07-04 13:49:31 +0000
committerDamien Miller <djm@mindrot.org>2018-07-04 23:51:52 +1000
commit312d2f2861a2598ed08587cb6c45c0e98a85408f (patch)
treee3bdc4facef48a89cd76fa793d9e70211b7ff8d2 /compat.c
parent303af5803bd74bf05d375c04e1a83b40c30b2be5 (diff)
upstream: repair PubkeyAcceptedKeyTypes (and friends) after RSA
signature work - returns ability to add/remove/specify algorithms by wildcard. Algorithm lists are now fully expanded when the server/client configs are finalised, so errors are reported early and the config dumps (e.g. "ssh -G ...") now list the actual algorithms selected. Clarify that, while wildcards are accepted in algorithm lists, they aren't full pattern-lists that support negation. (lots of) feedback, ok markus@ OpenBSD-Commit-ID: a8894c5c81f399a002f02ff4fe6b4fa46b1f3207
Diffstat (limited to 'compat.c')
-rw-r--r--compat.c18
1 files changed, 9 insertions, 9 deletions
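diff --git a/compat.c b/compat.c
index 8335f2a94..d8fd6eaf8 100644
--- a/compat.c
+++ b/compat.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: compat.c,v 1.109 2018/07/03 11:42:12 djm Exp $ */
+/* $OpenBSD: compat.c,v 1.110 2018/07/04 13:49:31 djm Exp $ */
 /*
  * Copyright (c) 1999, 2000, 2001, 2002 Markus Friedl. All rights reserved.
  *
@@ -190,8 +190,8 @@ compat_cipher_proposal(char *cipher_prop)
  if (!(datafellows & SSH_BUG_BIGENDIANAES))
  return cipher_prop;
  debug2("%s: original cipher proposal: %s", __func__, cipher_prop);
- if ((cipher_prop = match_filter_list(cipher_prop, "aes*")) == NULL)
- fatal("match_filter_list failed");
+ if ((cipher_prop = match_filter_blacklist(cipher_prop, "aes*")) == NULL)
+ fatal("match_filter_blacklist failed");
  debug2("%s: compat cipher proposal: %s", __func__, cipher_prop);
  if (*cipher_prop == '\0')
  fatal("No supported ciphers found");
@@ -204,8 +204,8 @@ compat_pkalg_proposal(char *pkalg_prop)
  if (!(datafellows & SSH_BUG_RSASIGMD5))
  return pkalg_prop;
  debug2("%s: original public key proposal: %s", __func__, pkalg_prop);
- if ((pkalg_prop = match_filter_list(pkalg_prop, "ssh-rsa")) == NULL)
- fatal("match_filter_list failed");
+ if ((pkalg_prop = match_filter_blacklist(pkalg_prop, "ssh-rsa")) == NULL)
+ fatal("match_filter_blacklist failed");
  debug2("%s: compat public key proposal: %s", __func__, pkalg_prop);
  if (*pkalg_prop == '\0')
  fatal("No supported PK algorithms found");
@@ -219,14 +219,14 @@ compat_kex_proposal(char *p)
  return p;
  debug2("%s: original KEX proposal: %s", __func__, p);
  if ((datafellows & SSH_BUG_CURVE25519PAD) != 0)
- if ((p = match_filter_list(p,
+ if ((p = match_filter_blacklist(p,
  "curve25519-sha256@libssh.org")) == NULL)
- fatal("match_filter_list failed");
+ fatal("match_filter_blacklist failed");
  if ((datafellows & SSH_OLD_DHGEX) != 0) {
- if ((p = match_filter_list(p,
+ if ((p = match_filter_blacklist(p,
  "diffie-hellman-group-exchange-sha256,"
  "diffie-hellman-group-exchange-sha1")) == NULL)
- fatal("match_filter_list failed");
+ fatal("match_filter_blacklist failed");
  }
  debug2("%s: compat KEX proposal: %s", __func__, p);
  if (*p == '\0')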
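Review bot: In compat_kex_proposal, `p` is overwritten by `match_filter_blacklist()` at line 222 and again at line 226, so when both SSH_BUG_CURVE25519PAD and SSH_OLD_DHGEX are set the first filtered list is dropped without being released. The helper is defined outside this section, so this assumes it returns a newly allocated string; if it does, the second call should filter from a temporary and free only the list this function itself produced, never the caller's original `p`. The same reassignment of the parameter occurs in compat_cipher_proposal (line 193) and compat_pkalg_proposal (line 207), where the early `return cipher_prop;` / `return pkalg_prop;` hands back the caller's pointer while the filtered path appears to hand back a different one. A comment above each function such as `/* Returns the proposal unchanged when no compat flag applies, otherwise a filtered list; ownership of the result differs between the two paths */` would make that contract explicit for callers. All three function bodies start and end outside the hunks shown.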