
(-)a/compat.c (-34 / +12 lines)
Lines 35-40 Link Here
35
#include "compat.h"
35
#include "compat.h"
36
#include "log.h"
36
#include "log.h"
37
#include "match.h"
37
#include "match.h"
38
#include "kex.h"
38
39
39
int compat13 = 0;
40
int compat13 = 0;
40
int compat20 = 0;
41
int compat20 = 0;
Lines 248-289 proto_spec(const char *spec) Link Here
248
	return ret;
249
	return ret;
249
}
250
}
250
251
251
/*
252
 * Filters a proposal string, excluding any algorithm matching the 'filter'
253
 * pattern list.
254
 */
255
static char *
256
filter_proposal(char *proposal, const char *filter)
257
{
258
	Buffer b;
259
	char *orig_prop, *fix_prop;
260
	char *cp, *tmp;
261
262
	buffer_init(&b);
263
	tmp = orig_prop = xstrdup(proposal);
264
	while ((cp = strsep(&tmp, ",")) != NULL) {
265
		if (match_pattern_list(cp, filter, 0) != 1) {
266
			if (buffer_len(&b) > 0)
267
				buffer_append(&b, ",", 1);
268
			buffer_append(&b, cp, strlen(cp));
269
		} else
270
			debug2("Compat: skipping algorithm \"%s\"", cp);
271
	}
272
	buffer_append(&b, "\0", 1);
273
	fix_prop = xstrdup((char *)buffer_ptr(&b));
274
	buffer_free(&b);
275
	free(orig_prop);
276
277
	return fix_prop;
278
}
279
280
char *
252
char *
281
compat_cipher_proposal(char *cipher_prop)
253
compat_cipher_proposal(char *cipher_prop)
282
{
254
{
283
	if (!(datafellows & SSH_BUG_BIGENDIANAES))
255
	if (!(datafellows & SSH_BUG_BIGENDIANAES))
284
		return cipher_prop;
256
		return cipher_prop;
285
	debug2("%s: original cipher proposal: %s", __func__, cipher_prop);
257
	debug2("%s: original cipher proposal: %s", __func__, cipher_prop);
286
	cipher_prop = filter_proposal(cipher_prop, "aes*");
258
	if ((cipher_prop = match_filter_list(cipher_prop, "aes*")) == NULL)
259
		fatal("match_filter_list failed");
287
	debug2("%s: compat cipher proposal: %s", __func__, cipher_prop);
260
	debug2("%s: compat cipher proposal: %s", __func__, cipher_prop);
288
	if (*cipher_prop == '\0')
261
	if (*cipher_prop == '\0')
289
		fatal("No supported ciphers found");
262
		fatal("No supported ciphers found");
Lines 296-302 compat_pkalg_proposal(char *pkalg_prop) Link Here
296
	if (!(datafellows & SSH_BUG_RSASIGMD5))
269
	if (!(datafellows & SSH_BUG_RSASIGMD5))
297
		return pkalg_prop;
270
		return pkalg_prop;
298
	debug2("%s: original public key proposal: %s", __func__, pkalg_prop);
271
	debug2("%s: original public key proposal: %s", __func__, pkalg_prop);
299
	pkalg_prop = filter_proposal(pkalg_prop, "ssh-rsa");
272
	if ((pkalg_prop = match_filter_list(pkalg_prop, "ssh-rsa")) == NULL)
273
		fatal("match_filter_list failed");
300
	debug2("%s: compat public key proposal: %s", __func__, pkalg_prop);
274
	debug2("%s: compat public key proposal: %s", __func__, pkalg_prop);
301
	if (*pkalg_prop == '\0')
275
	if (*pkalg_prop == '\0')
302
		fatal("No supported PK algorithms found");
276
		fatal("No supported PK algorithms found");
Lines 310-319 compat_kex_proposal(char *p) Link Here
310
		return p;
284
		return p;
311
	debug2("%s: original KEX proposal: %s", __func__, p);
285
	debug2("%s: original KEX proposal: %s", __func__, p);
312
	if ((datafellows & SSH_BUG_CURVE25519PAD) != 0)
286
	if ((datafellows & SSH_BUG_CURVE25519PAD) != 0)
313
		p = filter_proposal(p, "curve25519-sha256@libssh.org");
287
		if ((p = match_filter_list(p,
288
		    "curve25519-sha256@libssh.org")) == NULL)
289
			fatal("match_filter_list failed");
314
	if ((datafellows & SSH_OLD_DHGEX) != 0) {
290
	if ((datafellows & SSH_OLD_DHGEX) != 0) {
315
		p = filter_proposal(p, "diffie-hellman-group-exchange-sha256");
291
		if ((p = match_filter_list(p,
316
		p = filter_proposal(p, "diffie-hellman-group-exchange-sha1");
292
		    "diffie-hellman-group-exchange-sha256,"
293
		    "diffie-hellman-group-exchange-sha1")) == NULL)
294
			fatal("match_filter_list failed");
317
	}
295
	}
318
	debug2("%s: compat KEX proposal: %s", __func__, p);
296
	debug2("%s: compat KEX proposal: %s", __func__, p);
319
	if (*p == '\0')
297
	if (*p == '\0')
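Review bot: In the compat_kex_proposal hunk the SSH_BUG_CURVE25519PAD branch nests a three-line `if (... == NULL) fatal(...)` inside an unbraced outer `if`, while the SSH_OLD_DHGEX branch directly below is braced; brace the first one as well so the inner condition cannot be misread as a sibling statement when the block is next edited. The same hunk keeps a chain of allocating filters: when both datafellows bits are set, the string returned by the first match_filter_list is overwritten by the second call and appears to be leaked, which filter_proposal already did before this change but is now easy to close by holding the previous pointer and freeing it once the second filter has succeeded. compat_kex_proposal begins and ends outside the hunk, as does the function around the `#include "kex.h"` addition in the first hunk.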
(-)a/kex.c (-7 / +12 lines)
Lines 191-197 kex_names_cat(const char *a, const char *b) Link Here
191
/*
191
/*
192
 * Assemble a list of algorithms from a default list and a string from a
192
 * Assemble a list of algorithms from a default list and a string from a
193
 * configuration file. The user-provided string may begin with '+' to
193
 * configuration file. The user-provided string may begin with '+' to
194
 * indicate that it should be appended to the default.
194
 * indicate that it should be appended to the default or '-' that the
195
 * specified names should be removed.
195
 */
196
 */
196
int
197
int
197
kex_assemble_names(const char *def, char **list)
198
kex_assemble_names(const char *def, char **list)
Lines 202-215 kex_assemble_names(const char *def, char **list) Link Here
202
		*list = strdup(def);
203
		*list = strdup(def);
203
		return 0;
204
		return 0;
204
	}
205
	}
205
	if (**list != '+') {
206
	if (**list == '+') {
206
		return 0;
207
		if ((ret = kex_names_cat(def, *list + 1)) == NULL)
208
			return SSH_ERR_ALLOC_FAIL;
209
		free(*list);
210
		*list = ret;
211
	} else if (**list == '-') {
212
		if ((ret = match_filter_list(def, *list + 1)) == NULL)
213
			return SSH_ERR_ALLOC_FAIL;
214
		free(*list);
215
		*list = ret;
207
	}
216
	}
208
217
209
	if ((ret = kex_names_cat(def, *list + 1)) == NULL)
210
		return SSH_ERR_ALLOC_FAIL;
211
	free(*list);
212
	*list = ret;
213
	return 0;
218
	return 0;
214
}
219
}
215
220
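Review bot: The new `-` branch in kex_assemble_names accepts a filter that removes every default entry: match_filter_list then returns an empty string, `*list` becomes "" and the function reports success, so the caller continues with no algorithms at all and the problem surfaces, if ever, only at key exchange. Because readconf.c and servconf.c in this same patch now skip the *_valid checks for values starting with `-`, this branch is the first point where the result can be checked; after `*list = ret;` in the `-` branch add `if (**list == '\0') return SSH_ERR_INVALID_ARGUMENT;` (or whichever error the callers already turn into a fatal) so an over-broad removal is rejected while the configuration is being read. The enclosing function starts before the hunk and `ret` is declared outside it.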
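--- a/match.c
+++ b/match.c
@@ -282,3 +282,32 @@ match_list(const char *client, const char *server, u_int *next)
 	free(s);
 	return NULL;
 }
+
+/*
+ * Filters a comma-separated list of strings, excluding any entry matching
+ * the 'filter' pattern list. Caller must free returned string.
+ */
+char *
+match_filter_list(const char *proposal, const char *filter)
+{
+	size_t len = strlen(proposal) + 1;
+	char *fix_prop = malloc(len);
+	char *orig_prop = strdup(proposal);
+	char *cp, *tmp;
+
+	if (fix_prop == NULL || orig_prop == NULL)
+		return NULL;
+
+	tmp = orig_prop;
+	*fix_prop = '\0';
+	while ((cp = strsep(&tmp, ",")) != NULL) {
+		if (match_pattern_list(cp, filter, 0) != 1) {
+			if (*fix_prop != '\0')
+				strlcat(fix_prop, ",", len);
+			strlcat(fix_prop, cp, len);
+		}
+	}
+	free(orig_prop);
+	return fix_prop;
+}
+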
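Review bot: match_filter_list leaks on partial allocation failure: when `malloc(len)` succeeds but `strdup(proposal)` fails, or the reverse, the early `return NULL` drops the buffer that was obtained. Release both before returning, since free(NULL) is a no-op: `if (fix_prop == NULL || orig_prop == NULL) { free(fix_prop); free(orig_prop); return NULL; }`. The bound `len` is correct as written, because removing entries can only shorten the list and so neither strlcat can truncate, but that reasoning deserves a line in the comment above the function, e.g. `/* The result is never longer than the input, so len bounds every strlcat. */`, otherwise the absence of a truncation check reads as an oversight.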
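--- a/match.h
+++ b/match.h
@@ -20,6 +20,7 @@ int match_hostname(const char *, const char *);
 int	 match_host_and_ip(const char *, const char *, const char *);
 int	 match_user(const char *, const char *, const char *, const char *);
 char	*match_list(const char *, const char *, u_int *);
+char	*match_filter_list(const char *, const char *);
 
 /* addrmatch.c */
 int	 addr_match_list(const char *, const char *);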
(-)a/readconf.c (-4 / +6 lines)
Lines 1179-1185 parse_int: Link Here
1179
		arg = strdelim(&s);
1179
		arg = strdelim(&s);
1180
		if (!arg || *arg == '\0')
1180
		if (!arg || *arg == '\0')
1181
			fatal("%.200s line %d: Missing argument.", filename, linenum);
1181
			fatal("%.200s line %d: Missing argument.", filename, linenum);
1182
		if (!ciphers_valid(*arg == '+' ? arg + 1 : arg))
1182
		if (*arg != '-' && !ciphers_valid(*arg == '+' ? arg + 1 : arg))
1183
			fatal("%.200s line %d: Bad SSH2 cipher spec '%s'.",
1183
			fatal("%.200s line %d: Bad SSH2 cipher spec '%s'.",
1184
			    filename, linenum, arg ? arg : "<NONE>");
1184
			    filename, linenum, arg ? arg : "<NONE>");
1185
		if (*activep && options->ciphers == NULL)
1185
		if (*activep && options->ciphers == NULL)
Lines 1190-1196 parse_int: Link Here
1190
		arg = strdelim(&s);
1190
		arg = strdelim(&s);
1191
		if (!arg || *arg == '\0')
1191
		if (!arg || *arg == '\0')
1192
			fatal("%.200s line %d: Missing argument.", filename, linenum);
1192
			fatal("%.200s line %d: Missing argument.", filename, linenum);
1193
		if (!mac_valid(*arg == '+' ? arg + 1 : arg))
1193
		if (*arg != '-' && !mac_valid(*arg == '+' ? arg + 1 : arg))
1194
			fatal("%.200s line %d: Bad SSH2 Mac spec '%s'.",
1194
			fatal("%.200s line %d: Bad SSH2 Mac spec '%s'.",
1195
			    filename, linenum, arg ? arg : "<NONE>");
1195
			    filename, linenum, arg ? arg : "<NONE>");
1196
		if (*activep && options->macs == NULL)
1196
		if (*activep && options->macs == NULL)
Lines 1202-1208 parse_int: Link Here
1202
		if (!arg || *arg == '\0')
1202
		if (!arg || *arg == '\0')
1203
			fatal("%.200s line %d: Missing argument.",
1203
			fatal("%.200s line %d: Missing argument.",
1204
			    filename, linenum);
1204
			    filename, linenum);
1205
		if (!kex_names_valid(*arg == '+' ? arg + 1 : arg))
1205
		if (*arg != '-' &&
1206
		    !kex_names_valid(*arg == '+' ? arg + 1 : arg))
1206
			fatal("%.200s line %d: Bad SSH2 KexAlgorithms '%s'.",
1207
			fatal("%.200s line %d: Bad SSH2 KexAlgorithms '%s'.",
1207
			    filename, linenum, arg ? arg : "<NONE>");
1208
			    filename, linenum, arg ? arg : "<NONE>");
1208
		if (*activep && options->kex_algorithms == NULL)
1209
		if (*activep && options->kex_algorithms == NULL)
Lines 1216-1222 parse_keytypes: Link Here
1216
		if (!arg || *arg == '\0')
1217
		if (!arg || *arg == '\0')
1217
			fatal("%.200s line %d: Missing argument.",
1218
			fatal("%.200s line %d: Missing argument.",
1218
			    filename, linenum);
1219
			    filename, linenum);
1219
		if (!sshkey_names_valid2(*arg == '+' ? arg + 1 : arg, 1))
1220
		if (*arg != '-' &&
1221
		    !sshkey_names_valid2(*arg == '+' ? arg + 1 : arg, 1))
1220
			fatal("%s line %d: Bad key types '%s'.",
1222
			fatal("%s line %d: Bad key types '%s'.",
1221
				filename, linenum, arg ? arg : "<NONE>");
1223
				filename, linenum, arg ? arg : "<NONE>");
1222
		if (*activep && *charptr == NULL)
1224
		if (*activep && *charptr == NULL)
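Review bot: The `*arg != '-' &&` guard added in all four readconf.c hunks (and the matching three in servconf.c) means a value beginning with `-` is no longer validated at all: a bare `-`, a misspelled name or a pattern that removes every default is accepted at parse time, and the consequence, an empty or unchanged list, shows up only when the lists are assembled, without a file name or line number. Wildcards justify skipping ciphers_valid/mac_valid/kex_names_valid/sshkey_names_valid2, but at least reject the empty case here so the error still names the config line, e.g. `if (*arg == '-' && arg[1] == '\0') fatal("%.200s line %d: Missing argument.", filename, linenum);`. Each hunk sits inside the large option switch whose body starts and ends outside the view.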
(-)a/servconf.c (-4 / +6 lines)
Lines 1116-1122 process_server_config_line(ServerOptions *options, char *line, Link Here
1116
		if (!arg || *arg == '\0')
1116
		if (!arg || *arg == '\0')
1117
			fatal("%s line %d: Missing argument.",
1117
			fatal("%s line %d: Missing argument.",
1118
			    filename, linenum);
1118
			    filename, linenum);
1119
		if (!sshkey_names_valid2(*arg == '+' ? arg + 1 : arg, 1))
1119
		if (*arg != '-' &&
1120
		    !sshkey_names_valid2(*arg == '+' ? arg + 1 : arg, 1))
1120
			fatal("%s line %d: Bad key types '%s'.",
1121
			fatal("%s line %d: Bad key types '%s'.",
1121
			    filename, linenum, arg ? arg : "<NONE>");
1122
			    filename, linenum, arg ? arg : "<NONE>");
1122
		if (*activep && *charptr == NULL)
1123
		if (*activep && *charptr == NULL)
Lines 1375-1381 process_server_config_line(ServerOptions *options, char *line, Link Here
1375
		arg = strdelim(&cp);
1376
		arg = strdelim(&cp);
1376
		if (!arg || *arg == '\0')
1377
		if (!arg || *arg == '\0')
1377
			fatal("%s line %d: Missing argument.", filename, linenum);
1378
			fatal("%s line %d: Missing argument.", filename, linenum);
1378
		if (!ciphers_valid(*arg == '+' ? arg + 1 : arg))
1379
		if (*arg != '-' && !ciphers_valid(*arg == '+' ? arg + 1 : arg))
1379
			fatal("%s line %d: Bad SSH2 cipher spec '%s'.",
1380
			fatal("%s line %d: Bad SSH2 cipher spec '%s'.",
1380
			    filename, linenum, arg ? arg : "<NONE>");
1381
			    filename, linenum, arg ? arg : "<NONE>");
1381
		if (options->ciphers == NULL)
1382
		if (options->ciphers == NULL)
Lines 1386-1392 process_server_config_line(ServerOptions *options, char *line, Link Here
1386
		arg = strdelim(&cp);
1387
		arg = strdelim(&cp);
1387
		if (!arg || *arg == '\0')
1388
		if (!arg || *arg == '\0')
1388
			fatal("%s line %d: Missing argument.", filename, linenum);
1389
			fatal("%s line %d: Missing argument.", filename, linenum);
1389
		if (!mac_valid(*arg == '+' ? arg + 1 : arg))
1390
		if (*arg != '-' && !mac_valid(*arg == '+' ? arg + 1 : arg))
1390
			fatal("%s line %d: Bad SSH2 mac spec '%s'.",
1391
			fatal("%s line %d: Bad SSH2 mac spec '%s'.",
1391
			    filename, linenum, arg ? arg : "<NONE>");
1392
			    filename, linenum, arg ? arg : "<NONE>");
1392
		if (options->macs == NULL)
1393
		if (options->macs == NULL)
Lines 1398-1404 process_server_config_line(ServerOptions *options, char *line, Link Here
1398
		if (!arg || *arg == '\0')
1399
		if (!arg || *arg == '\0')
1399
			fatal("%s line %d: Missing argument.",
1400
			fatal("%s line %d: Missing argument.",
1400
			    filename, linenum);
1401
			    filename, linenum);
1401
		if (!kex_names_valid(*arg == '+' ? arg + 1 : arg))
1402
		if (*arg != '-' &&
1403
		    !kex_names_valid(*arg == '+' ? arg + 1 : arg))
1402
			fatal("%s line %d: Bad SSH2 KexAlgorithms '%s'.",
1404
			fatal("%s line %d: Bad SSH2 KexAlgorithms '%s'.",
1403
			    filename, linenum, arg ? arg : "<NONE>");
1405
			    filename, linenum, arg ? arg : "<NONE>");
1404
		if (options->kex_algorithms == NULL)
1406
		if (options->kex_algorithms == NULL)
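--- a/ssh_config.5
+++ b/ssh_config.5
@@ -415,6 +415,10 @@ If the specified value begins with a
 .Sq +
 character, then the specified ciphers will be appended to the default set
 instead of replacing them.
+If the specified value begins with a
+.Sq -
+character, then the specified ciphers (including wildcards) will be removed
+from the default set instead of replacing them.
 .Pp
 The supported ciphers are:
 .Bd -literal -offset indent
@@ -784,6 +788,10 @@ Alternately if the specified value begins with a
 .Sq +
 character, then the specified key types will be appended to the default set
 instead of replacing them.
+If the specified value begins with a
+.Sq -
+character, then the specified key types (including wildcards) will be removed
+from the default set instead of replacing them.
 The default for this option is:
 .Bd -literal -offset 3n
 ecdsa-sha2-nistp256-cert-v01@openssh.com,
@@ -807,6 +815,10 @@ Alternately if the specified value begins with a
 .Sq +
 character, then the specified key types will be appended to the default set
 instead of replacing them.
+If the specified value begins with a
+.Sq -
+character, then the specified key types (including wildcards) will be removed
+from the default set instead of replacing them.
 The default for this option is:
 .Bd -literal -offset 3n
 ecdsa-sha2-nistp256-cert-v01@openssh.com,
@@ -1027,6 +1039,10 @@ Alternately if the specified value begins with a
 .Sq +
 character, then the specified methods will be appended to the default set
 instead of replacing them.
+If the specified value begins with a
+.Sq -
+character, then the specified methods (including wildcards) will be removed
+from the default set instead of replacing them.
 The default is:
 .Bd -literal -offset indent
 curve25519-sha256,curve25519-sha256@libssh.org,
@@ -1102,6 +1118,10 @@ If the specified value begins with a
 .Sq +
 character, then the specified algorithms will be appended to the default set
 instead of replacing them.
+If the specified value begins with a
+.Sq -
+character, then the specified algorithms (including wildcards) will be removed
+from the default set instead of replacing them.
 .Pp
 The algorithms that contain
 .Qq -etm
@@ -1264,6 +1284,10 @@ Alternately if the specified value begins with a
 .Sq +
 character, then the key types after it will be appended to the default
 instead of replacing it.
+If the specified value begins with a
+.Sq -
+character, then the specified key types (including wildcards) will be removed
+from the default set instead of replacing them.
 The default for this option is:
 .Bd -literal -offset 3n
 ecdsa-sha2-nistp256-cert-v01@openssh.com,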
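--- a/sshd_config.5
+++ b/sshd_config.5
@@ -438,6 +438,10 @@ If the specified value begins with a
 .Sq +
 character, then the specified ciphers will be appended to the default set
 instead of replacing them.
+If the specified value begins with a
+.Sq -
+character, then the specified ciphers (including wildcards) will be removed
+from the default set instead of replacing them.
 .Pp
 The supported ciphers are:
 .Pp
@@ -650,6 +654,10 @@ Alternately if the specified value begins with a
 .Sq +
 character, then the specified key types will be appended to the default set
 instead of replacing them.
+If the specified value begins with a
+.Sq -
+character, then the specified key types (including wildcards) will be removed
+from the default set instead of replacing them.
 The default for this option is:
 .Bd -literal -offset 3n
 ecdsa-sha2-nistp256-cert-v01@openssh.com,
@@ -844,6 +852,10 @@ Alternately if the specified value begins with a
 .Sq +
 character, then the specified methods will be appended to the default set
 instead of replacing them.
+If the specified value begins with a
+.Sq -
+character, then the specified methods (including wildcards) will be removed
+from the default set instead of replacing them.
 The supported algorithms are:
 .Pp
 .Bl -item -compact -offset indent
@@ -934,6 +946,10 @@ If the specified value begins with a
 .Sq +
 character, then the specified algorithms will be appended to the default set
 instead of replacing them.
+If the specified value begins with a
+.Sq -
+character, then the specified algorithms (including wildcards) will be removed
+from the default set instead of replacing them.
 .Pp
 The algorithms that contain
 .Qq -etm
@@ -1281,6 +1297,10 @@ Alternately if the specified value begins with a
 .Sq +
 character, then the specified key types will be appended to the default set
 instead of replacing them.
+If the specified value begins with a
+.Sq -
+character, then the specified key types (including wildcards) will be removed
+from the default set instead of replacing them.
 The default for this option is:
 .Bd -literal -offset 3n
 ecdsa-sha2-nistp256-cert-v01@openssh.com,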
