===================================================================
RCS file: /cvsrepo/anoncvs/cvs/src/usr.bin/ssh/sshkey.c,v
retrieving revision 1.10
retrieving revision 1.11
diff -u -r1.10 -r1.11
--- src/usr.bin/ssh/sshkey.c 2015/01/12 20:13:27 1.10
+++ src/usr.bin/ssh/sshkey.c 2015/01/13 07:39:19 1.11
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshkey.c,v 1.10 2015/01/12 20:13:27 markus Exp $ */
+/* $OpenBSD: sshkey.c,v 1.11 2015/01/13 07:39:19 djm Exp $ */
 /*
 * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved.
 * Copyright (c) 2008 Alexander von Gernler. All rights reserved.
@@ -50,6 +50,7 @@
 #include "digest.h"
 #define SSHKEY_INTERNAL
 #include "sshkey.h"
+#include "match.h"
 /* openssh private key file format */
 #define MARK_BEGIN "-----BEGIN OPENSSH PRIVATE KEY-----\n"
@@ -207,9 +208,11 @@
 }
 int
-sshkey_names_valid2(const char *names)
+sshkey_names_valid2(const char *names, int allow_wildcard)
 {
 char *s, *cp, *p;
+ const struct keytype *kt;
+ int type;
 if (names == NULL || strcmp(names, "") == 0) return 0;
@@ -217,9 +220,28 @@
 return 0;
 for ((p = strsep(&cp, ",")); p && *p != '\0'; (p = strsep(&cp, ","))) {
- switch (sshkey_type_from_name(p)) {
- case KEY_RSA1:
- case KEY_UNSPEC:
+ type = sshkey_type_from_name(p);
+ if (type == KEY_RSA1) {
+ free(s);
+ return 0;
+ }
+ if (type == KEY_UNSPEC) {
+ if (allow_wildcard) {
+ /*
+ * Try matching key types against the string.
+ * If any has a positive or negative match then
+ * the component is accepted.
+ */
+ for (kt = keytypes; kt->type != -1; kt++) {
+ if (kt->type == KEY_RSA1)
+ continue;
+ if (match_pattern_list(kt->name,
+ p, strlen(p), 0) != 0)
+ break;
+ }
+ if (kt->type != -1)
+ continue;
+ }
 free(s);
 return 0;
 }
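Review bot: `sshkey_names_valid2` gains an `allow_wildcard` argument but has no comment in this hunk saying what the flag permits, and call sites will presumably pass a bare `0` or `1`. I would put a short comment above the definition, for example `/* allow_wildcard: also accept a component that is a pattern matching at least one non-RSA1 entry in keytypes */`. The function body starts in this hunk and continues into the next one and beyond it.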
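Review bot: An empty list component stops the `for` loop at `p && *p != '\0'` instead of failing validation, so in a list such as `ssh-rsa,,<anything>` (constructed example) the text after the empty entry is never examined by the type check or by the new wildcard branch. The end of the loop and the final return are outside the hunk, so I am assuming the function reports success once the loop ends. Since this validator now appears to gate pattern lists as well, I would loop while `p != NULL` and start the body with `if (*p == '\0') { free(s); return 0; }`. Separately, the wildcard branch accepts a component on a negated match too (`match_pattern_list(...) != 0`), so a list made only of `!` patterns validates; a one-line comment saying callers must treat a list that selects no key type as a deny would help.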