diff options
| author | djm@openbsd.org <djm@openbsd.org> | 2018-07-04 15:49:31 +0200 |
|---|---|---|
| committer | Damien Miller <djm@mindrot.org> | 2018-07-04 15:51:52 +0200 |
| commit | 312d2f2861a2598ed08587cb6c45c0e98a85408f (patch) | |
| tree | e3bdc4facef48a89cd76fa793d9e70211b7ff8d2 /compat.c | |
| parent | upstream: some magic for RSA-SHA2 checks (diff) | |
| download | openssh-312d2f2861a2598ed08587cb6c45c0e98a85408f.tar.xz openssh-312d2f2861a2598ed08587cb6c45c0e98a85408f.zip | |
upstream: repair PubkeyAcceptedKeyTypes (and friends) after RSA
signature work - returns ability to add/remove/specify algorithms by
wildcard.
Algorithm lists are now fully expanded when the server/client configs
are finalised, so errors are reported early and the config dumps
(e.g. "ssh -G ...") now list the actual algorithms selected.
Clarify that, while wildcards are accepted in algorithm lists, they
aren't full pattern-lists that support negation.
(lots of) feedback, ok markus@
OpenBSD-Commit-ID: a8894c5c81f399a002f02ff4fe6b4fa46b1f3207
Diffstat (limited to 'compat.c')
| -rw-r--r-- | compat.c | 18 |
1 files changed, 9 insertions, 9 deletions
@@ -1,4 +1,4 @@ -/* $OpenBSD: compat.c,v 1.109 2018/07/03 11:42:12 djm Exp $ */ +/* $OpenBSD: compat.c,v 1.110 2018/07/04 13:49:31 djm Exp $ */ /* * Copyright (c) 1999, 2000, 2001, 2002 Markus Friedl. All rights reserved. * @@ -190,8 +190,8 @@ compat_cipher_proposal(char *cipher_prop) if (!(datafellows & SSH_BUG_BIGENDIANAES)) return cipher_prop; debug2("%s: original cipher proposal: %s", __func__, cipher_prop); - if ((cipher_prop = match_filter_list(cipher_prop, "aes*")) == NULL) - fatal("match_filter_list failed"); + if ((cipher_prop = match_filter_blacklist(cipher_prop, "aes*")) == NULL) + fatal("match_filter_blacklist failed"); debug2("%s: compat cipher proposal: %s", __func__, cipher_prop); if (*cipher_prop == '\0') fatal("No supported ciphers found"); @@ -204,8 +204,8 @@ compat_pkalg_proposal(char *pkalg_prop) if (!(datafellows & SSH_BUG_RSASIGMD5)) return pkalg_prop; debug2("%s: original public key proposal: %s", __func__, pkalg_prop); - if ((pkalg_prop = match_filter_list(pkalg_prop, "ssh-rsa")) == NULL) - fatal("match_filter_list failed"); + if ((pkalg_prop = match_filter_blacklist(pkalg_prop, "ssh-rsa")) == NULL) + fatal("match_filter_blacklist failed"); debug2("%s: compat public key proposal: %s", __func__, pkalg_prop); if (*pkalg_prop == '\0') fatal("No supported PK algorithms found"); @@ -219,14 +219,14 @@ compat_kex_proposal(char *p) return p; debug2("%s: original KEX proposal: %s", __func__, p); if ((datafellows & SSH_BUG_CURVE25519PAD) != 0) - if ((p = match_filter_list(p, + if ((p = match_filter_blacklist(p, "curve25519-sha256@libssh.org")) == NULL) - fatal("match_filter_list failed"); + fatal("match_filter_blacklist failed"); if ((datafellows & SSH_OLD_DHGEX) != 0) { - if ((p = match_filter_list(p, + if ((p = match_filter_blacklist(p, "diffie-hellman-group-exchange-sha256," "diffie-hellman-group-exchange-sha1")) == NULL) - fatal("match_filter_list failed"); + fatal("match_filter_blacklist failed"); } debug2("%s: compat KEX proposal: %s", __func__, p); if (*p == '\0') |