author | djm@openbsd.org <djm@openbsd.org> | 2018-07-04 13:49:31 +0000 |
---|---|---|
committer | Damien Miller <djm@mindrot.org> | 2018-07-04 23:51:52 +1000 |
commit | 312d2f2861a2598ed08587cb6c45c0e98a85408f (patch) | |
tree | e3bdc4facef48a89cd76fa793d9e70211b7ff8d2 /match.c | |
parent | 303af5803bd74bf05d375c04e1a83b40c30b2be5 (diff) |
upstream: repair PubkeyAcceptedKeyTypes (and friends) after RSA
signature work - restores the ability to add/remove/specify algorithms by
wildcard.
Algorithm lists are now fully expanded when the server/client configs
are finalised, so errors are reported early and the config dumps
(e.g. "ssh -G ...") now list the actual algorithms selected.
Clarify that, while wildcards are accepted in algorithm lists, they
aren't full pattern-lists that support negation.
(lots of) feedback, ok markus@
OpenBSD-Commit-ID: a8894c5c81f399a002f02ff4fe6b4fa46b1f3207
Diffstat (limited to 'match.c')
-rw-r--r-- | match.c | 36 |
1 files changed, 30 insertions, 6 deletions
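--- a/match.c
+++ b/match.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: match.c,v 1.37 2017/03/10 04:24:55 djm Exp $ */
+/* $OpenBSD: match.c,v 1.38 2018/07/04 13:49:31 djm Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -294,16 +294,20 @@ match_list(const char *client, const char *server, u_int *next)
 }
 
 /*
- * Filters a comma-separated list of strings, excluding any entry matching
- * the 'filter' pattern list. Caller must free returned string.
+ * Filter proposal using pattern-list filter.
+ * "blacklist" determines sense of filter:
+ * non-zero indicates that items matching filter should be excluded.
+ * zero indicates that only items matching filter should be included.
+ * returns NULL on allocation error, otherwise caller must free result.
  */
-char *
-match_filter_list(const char *proposal, const char *filter)
+static char *
+filter_list(const char *proposal, const char *filter, int blacklist)
 {
 	size_t len = strlen(proposal) + 1;
 	char *fix_prop = malloc(len);
 	char *orig_prop = strdup(proposal);
 	char *cp, *tmp;
+	int r;
 
 	if (fix_prop == NULL || orig_prop == NULL) {
 		free(orig_prop);
@@ -314,7 +318,8 @@ match_filter_list(const char *proposal, const char *filter)
 	tmp = orig_prop;
 	*fix_prop = '\0';
 	while ((cp = strsep(&tmp, ",")) != NULL) {
-		if (match_pattern_list(cp, filter, 0) != 1) {
+		r = match_pattern_list(cp, filter, 0);
+		if ((blacklist && r != 1) || (!blacklist && r == 1)) {
 			if (*fix_prop != '\0')
 				strlcat(fix_prop, ",", len);
 			strlcat(fix_prop, cp, len);
@@ -324,3 +329,22 @@ match_filter_list(const char *proposal, const char *filter)
 	return fix_prop;
 }
 
+/*
+ * Filters a comma-separated list of strings, excluding any entry matching
+ * the 'filter' pattern list. Caller must free returned string.
+ */
+char *
+match_filter_blacklist(const char *proposal, const char *filter)
+{
+	return filter_list(proposal, filter, 1);
+}
+
+/*
+ * Filters a comma-separated list of strings, including only entries matching
+ * the 'filter' pattern list. Caller must free returned string.
+ */
+char *
+match_filter_whitelist(const char *proposal, const char *filter)
+{
+	return filter_list(proposal, filter, 0);
+}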