===================================================================
RCS file: /cvsrepo/anoncvs/cvs/src/usr.bin/ssh/match.c,v
retrieving revision 1.37
retrieving revision 1.38
diff -u -r1.37 -r1.38
--- src/usr.bin/ssh/match.c	2017/03/10 04:24:55	1.37
+++ src/usr.bin/ssh/match.c	2018/07/04 13:49:31	1.38
@@ -1,4 +1,4 @@
-/* $OpenBSD: match.c,v 1.37 2017/03/10 04:24:55 djm Exp $ */
+/* $OpenBSD: match.c,v 1.38 2018/07/04 13:49:31 djm Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -292,16 +292,20 @@
 }
 
 /*
- * Filters a comma-separated list of strings, excluding any entry matching
- * the 'filter' pattern list. Caller must free returned string.
+ * Filter proposal using pattern-list filter.
+ * "blacklist" determines sense of filter:
+ * non-zero indicates that items matching filter should be excluded.
+ * zero indicates that only items matching filter should be included.
+ * returns NULL on allocation error, otherwise caller must free result.
  */
-char *
-match_filter_list(const char *proposal, const char *filter)
+static char *
+filter_list(const char *proposal, const char *filter, int blacklist)
 {
 	size_t len = strlen(proposal) + 1;
 	char *fix_prop = malloc(len);
 	char *orig_prop = strdup(proposal);
 	char *cp, *tmp;
+	int r;
 
 	if (fix_prop == NULL || orig_prop == NULL) {
 		free(orig_prop);
@@ -312,7 +316,8 @@
 	tmp = orig_prop;
 	*fix_prop = '\0';
 	while ((cp = strsep(&tmp, ",")) != NULL) {
-		if (match_pattern_list(cp, filter, 0) != 1) {
+		r = match_pattern_list(cp, filter, 0);
+		if ((blacklist && r != 1) || (!blacklist && r == 1)) {
 			if (*fix_prop != '\0')
 				strlcat(fix_prop, ",", len);
 			strlcat(fix_prop, cp, len);
@@ -322,3 +327,22 @@
 	return fix_prop;
 }
 
+/*
+ * Filters a comma-separated list of strings, excluding any entry matching
+ * the 'filter' pattern list. Caller must free returned string.
+ */
+char *
+match_filter_blacklist(const char *proposal, const char *filter)
+{
+	return filter_list(proposal, filter, 1);
+}
+
+/*
+ * Filters a comma-separated list of strings, including only entries matching
+ * the 'filter' pattern list. Caller must free returned string.
+ */
+char *
+match_filter_whitelist(const char *proposal, const char *filter)
+{
+	return filter_list(proposal, filter, 0);
+}