From 68bc8cfa7642d3ccbf2cd64281c16b8b9205be59 Mon Sep 17 00:00:00 2001 From: "djm@openbsd.org" Date: Fri, 3 Feb 2017 23:01:19 +0000 Subject: upstream commit support =- for removing methods from algorithms lists, e.g. Ciphers=-*cbc; suggested by Cristian Ionescu-Idbohrn in bz#2671 "I like it" markus@ Upstream-ID: c78c38f9f81a963b33d0eade559f6048add24a6d --- compat.c | 48 +++++++++++++----------------------------------- 1 file changed, 13 insertions(+), 35 deletions(-) (limited to 'compat.c') diff --git a/compat.c b/compat.c index 69a104fbf..1e80cfa9a 100644 --- a/compat.c +++ b/compat.c @@ -1,4 +1,4 @@ -/* $OpenBSD: compat.c,v 1.99 2016/05/24 02:31:57 dtucker Exp $ */ +/* $OpenBSD: compat.c,v 1.100 2017/02/03 23:01:19 djm Exp $ */ /* * Copyright (c) 1999, 2000, 2001, 2002 Markus Friedl. All rights reserved. * @@ -37,6 +37,7 @@ #include "compat.h" #include "log.h" #include "match.h" +#include "kex.h" int compat13 = 0; int compat20 = 0; @@ -250,42 +251,14 @@ proto_spec(const char *spec) return ret; } -/* - * Filters a proposal string, excluding any algorithm matching the 'filter' - * pattern list. - */ -static char * -filter_proposal(char *proposal, const char *filter) -{ - Buffer b; - char *orig_prop, *fix_prop; - char *cp, *tmp; - - buffer_init(&b); - tmp = orig_prop = xstrdup(proposal); - while ((cp = strsep(&tmp, ",")) != NULL) { - if (match_pattern_list(cp, filter, 0) != 1) { - if (buffer_len(&b) > 0) - buffer_append(&b, ",", 1); - buffer_append(&b, cp, strlen(cp)); - } else - debug2("Compat: skipping algorithm \"%s\"", cp); - } - buffer_append(&b, "\0", 1); - fix_prop = xstrdup((char *)buffer_ptr(&b)); - buffer_free(&b); - free(orig_prop); - - return fix_prop; -} - char * compat_cipher_proposal(char *cipher_prop) { if (!(datafellows & SSH_BUG_BIGENDIANAES)) return cipher_prop; debug2("%s: original cipher proposal: %s", __func__, cipher_prop); - cipher_prop = filter_proposal(cipher_prop, "aes*"); + if ((cipher_prop = match_filter_list(cipher_prop, "aes*")) == NULL) + fatal("match_filter_list failed"); debug2("%s: compat cipher proposal: %s", __func__, cipher_prop); if (*cipher_prop == '\0') fatal("No supported ciphers found"); @@ -298,7 +271,8 @@ compat_pkalg_proposal(char *pkalg_prop) if (!(datafellows & SSH_BUG_RSASIGMD5)) return pkalg_prop; debug2("%s: original public key proposal: %s", __func__, pkalg_prop); - pkalg_prop = filter_proposal(pkalg_prop, "ssh-rsa"); + if ((pkalg_prop = match_filter_list(pkalg_prop, "ssh-rsa")) == NULL) + fatal("match_filter_list failed"); debug2("%s: compat public key proposal: %s", __func__, pkalg_prop); if (*pkalg_prop == '\0') fatal("No supported PK algorithms found"); @@ -312,10 +286,14 @@ compat_kex_proposal(char *p) return p; debug2("%s: original KEX proposal: %s", __func__, p); if ((datafellows & SSH_BUG_CURVE25519PAD) != 0) - p = filter_proposal(p, "curve25519-sha256@libssh.org"); + if ((p = match_filter_list(p, + "curve25519-sha256@libssh.org")) == NULL) + fatal("match_filter_list failed"); if ((datafellows & SSH_OLD_DHGEX) != 0) { - p = filter_proposal(p, "diffie-hellman-group-exchange-sha256"); - p = filter_proposal(p, "diffie-hellman-group-exchange-sha1"); + if ((p = match_filter_list(p, + "diffie-hellman-group-exchange-sha256," + "diffie-hellman-group-exchange-sha1")) == NULL) + fatal("match_filter_list failed"); } debug2("%s: compat KEX proposal: %s", __func__, p); if (*p == '\0') -- cgit v1.2.3