summaryrefslogtreecommitdiff
path: root/compat.c
diff options
context:
space:
mode:
authordjm@openbsd.org <djm@openbsd.org>2018-07-04 13:49:31 +0000
committerDamien Miller <djm@mindrot.org>2018-07-04 23:51:52 +1000
commit312d2f2861a2598ed08587cb6c45c0e98a85408f (patch)
treee3bdc4facef48a89cd76fa793d9e70211b7ff8d2 /compat.c
parent303af5803bd74bf05d375c04e1a83b40c30b2be5 (diff)
upstream: repair PubkeyAcceptedKeyTypes (and friends) after RSA
signature work - returns ability to add/remove/specify algorithms by wildcard. Algorithm lists are now fully expanded when the server/client configs are finalised, so errors are reported early and the config dumps (e.g. "ssh -G ...") now list the actual algorithms selected. Clarify that, while wildcards are accepted in algorithm lists, they aren't full pattern-lists that support negation. (lots of) feedback, ok markus@ OpenBSD-Commit-ID: a8894c5c81f399a002f02ff4fe6b4fa46b1f3207
Diffstat (limited to 'compat.c')
-rw-r--r--compat.c18
1 files changed, 9 insertions, 9 deletions
diff --git a/compat.c b/compat.c
index 8335f2a9..d8fd6eaf 100644
--- a/compat.c
+++ b/compat.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: compat.c,v 1.109 2018/07/03 11:42:12 djm Exp $ */
+/* $OpenBSD: compat.c,v 1.110 2018/07/04 13:49:31 djm Exp $ */
/*
* Copyright (c) 1999, 2000, 2001, 2002 Markus Friedl. All rights reserved.
*
@@ -190,8 +190,8 @@ compat_cipher_proposal(char *cipher_prop)
if (!(datafellows & SSH_BUG_BIGENDIANAES))
return cipher_prop;
debug2("%s: original cipher proposal: %s", __func__, cipher_prop);
- if ((cipher_prop = match_filter_list(cipher_prop, "aes*")) == NULL)
- fatal("match_filter_list failed");
+ if ((cipher_prop = match_filter_blacklist(cipher_prop, "aes*")) == NULL)
+ fatal("match_filter_blacklist failed");
debug2("%s: compat cipher proposal: %s", __func__, cipher_prop);
if (*cipher_prop == '\0')
fatal("No supported ciphers found");
@@ -204,8 +204,8 @@ compat_pkalg_proposal(char *pkalg_prop)
if (!(datafellows & SSH_BUG_RSASIGMD5))
return pkalg_prop;
debug2("%s: original public key proposal: %s", __func__, pkalg_prop);
- if ((pkalg_prop = match_filter_list(pkalg_prop, "ssh-rsa")) == NULL)
- fatal("match_filter_list failed");
+ if ((pkalg_prop = match_filter_blacklist(pkalg_prop, "ssh-rsa")) == NULL)
+ fatal("match_filter_blacklist failed");
debug2("%s: compat public key proposal: %s", __func__, pkalg_prop);
if (*pkalg_prop == '\0')
fatal("No supported PK algorithms found");
@@ -219,14 +219,14 @@ compat_kex_proposal(char *p)
return p;
debug2("%s: original KEX proposal: %s", __func__, p);
if ((datafellows & SSH_BUG_CURVE25519PAD) != 0)
- if ((p = match_filter_list(p,
+ if ((p = match_filter_blacklist(p,
"curve25519-sha256@libssh.org")) == NULL)
- fatal("match_filter_list failed");
+ fatal("match_filter_blacklist failed");
if ((datafellows & SSH_OLD_DHGEX) != 0) {
- if ((p = match_filter_list(p,
+ if ((p = match_filter_blacklist(p,
"diffie-hellman-group-exchange-sha256,"
"diffie-hellman-group-exchange-sha1")) == NULL)
- fatal("match_filter_list failed");
+ fatal("match_filter_blacklist failed");
}
debug2("%s: compat KEX proposal: %s", __func__, p);
if (*p == '\0')