upstream: repair PubkeyAcceptedKeyTypes (and friends) after RSA

signature work - returns ability to add/remove/specify algorithms by wildcard. Algorithm lists are now fully expanded when the server/client configs are finalised, so errors are reported early and the config dumps (e.g. "ssh -G ...") now list the actual algorithms selected. Clarify that, while wildcards are accepted in algorithm lists, they aren't full pattern-lists that support negation. (lots of) feedback, ok markus@ OpenBSD-Commit-ID: a8894c5c81f399a002f02ff4fe6b4fa46b1f3207
author: djm@openbsd.org <djm@openbsd.org> 2018-07-04 13:49:31 +0000
committer: Damien Miller <djm@mindrot.org> 2018-07-04 23:51:52 +1000
commit: 312d2f2861a2598ed08587cb6c45c0e98a85408f (patch)
tree: e3bdc4facef48a89cd76fa793d9e70211b7ff8d2 /match.c
parent: 303af5803bd74bf05d375c04e1a83b40c30b2be5 (diff)
1 files changed, 30 insertions, 6 deletions
diff --git a/match.c b/match.c
index 3cf40306b..bb3e95f67 100644
--- a/match.c
+++ b/match.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: match.c,v 1.37 2017/03/10 04:24:55 djm Exp $ */
+/* $OpenBSD: match.c,v 1.38 2018/07/04 13:49:31 djm Exp $ */
 /*
 * Author: Tatu Ylonen <ylo@cs.hut.fi>
 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -294,16 +294,20 @@ match_list(const char *client, const char *server, u_int *next)
 }
 /*
- * Filters a comma-separated list of strings, excluding any entry matching
+ * Filter proposal using pattern-list filter.
- * the 'filter' pattern list. Caller must free returned string.
+ * "blacklist" determines sense of filter:
+ * non-zero indicates that items matching filter should be excluded.
+ * zero indicates that only items matching filter should be included.
+ * returns NULL on allocation error, otherwise caller must free result.
 */
-char *
+static char *
-match_filter_list(const char *proposal, const char *filter)
+filter_list(const char *proposal, const char *filter, int blacklist)
 {
        size_t len = strlen(proposal) + 1;
        char *fix_prop = malloc(len);
        char *orig_prop = strdup(proposal);
        char *cp, *tmp;
+        int r;
        if (fix_prop == NULL || orig_prop == NULL) {
                free(orig_prop);
@@ -314,7 +318,8 @@ match_filter_list(const char *proposal, const char *filter)
        tmp = orig_prop;
        *fix_prop = '\0';
        while ((cp = strsep(&tmp, ",")) != NULL) {
-                if (match_pattern_list(cp, filter, 0) != 1) {
+                r = match_pattern_list(cp, filter, 0);
+                if ((blacklist && r != 1) || (!blacklist && r == 1)) {
                        if (*fix_prop != '\0')
                                strlcat(fix_prop, ",", len);
                        strlcat(fix_prop, cp, len);
@@ -324,3 +329,22 @@ match_filter_list(const char *proposal, const char *filter)
        return fix_prop;
 }
+/*
+ * Filters a comma-separated list of strings, excluding any entry matching
+ * the 'filter' pattern list. Caller must free returned string.
+ */
+char *
+match_filter_blacklist(const char *proposal, const char *filter)
+{
+        return filter_list(proposal, filter, 1);
+}
+/*
+ * Filters a comma-separated list of strings, including only entries matching
+ * the 'filter' pattern list. Caller must free returned string.
+ */
+char *
+match_filter_whitelist(const char *proposal, const char *filter)
+{
+        return filter_list(proposal, filter, 0);
+}
author	djm@openbsd.org <djm@openbsd.org>	2018-07-04 13:49:31 +0000
committer	Damien Miller <djm@mindrot.org>	2018-07-04 23:51:52 +1000
commit	312d2f2861a2598ed08587cb6c45c0e98a85408f (patch)
tree	e3bdc4facef48a89cd76fa793d9e70211b7ff8d2 /match.c
parent	303af5803bd74bf05d375c04e1a83b40c30b2be5 (diff)