pub fn apply_overrides(
    category: AlgCategory,
    base: Vec<String>,
    override_str: &str,
) -> Result<Vec<String>, AnvilError>
Applies an OpenSSH-format KexAlgorithms/etc. override string to
base, returning the resulting algorithm list.
§Override syntax
| Prefix | Meaning |
|---|---|
| (none) | Replace base entirely with the comma-separated list. |
| +algo,algo | Append the listed algorithms to base (deduplicated, denylist-filtered). |
| -algo,algo | Remove the listed algorithms from base (no error if absent). |
| ^algo,algo | Move the listed algorithms to the front of base (preserving their order). |
| (empty) | No-op — returns base unchanged. |
Whitespace around commas is trimmed. Empty entries (e.g.
"a,,b") are silently dropped. Comparison is case-insensitive
ASCII.
§FR-78 enforcement
After every transformation, the result is filtered through
apply_denylist. Additionally, an explicit attempt to
re-enable a denylisted algorithm via +ssh-dss (or any prefix)
is surfaced as a hard error with a tips-thinking hint — silent
filtering would mask user intent.
§Errors
- The override mentions an algorithm on DENYLIST (any prefix).
Unknown algorithm names — names not on DENYLIST but also not
in russh’s accepted set — are not validated here; that check
belongs to the caller (which has access to all_supported).
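
The override syntax and the FR-78 rule above, modelled in a stand-alone sketch. This is an added example, not the crate's implementation: `apply_overrides_model` is a hypothetical name, it drops the `AlgCategory` argument and returns a `String` error instead of `AnvilError`, the `DENYLIST` contents are assumed to be just `ssh-dss`, and for `^` it assumes only names already in base are moved, in the order the override lists them.

```rust
// Added example: a simplified model of the documented semantics, not the crate's code.
// Assumption: DENYLIST holds only "ssh-dss" (the one name the page mentions).
const DENYLIST: &[&str] = &["ssh-dss"];

fn denied(name: &str) -> bool {
    DENYLIST.iter().any(|d| d.eq_ignore_ascii_case(name))
}

fn has(list: &[String], name: &str) -> bool {
    list.iter().any(|a| a.eq_ignore_ascii_case(name))
}

/// Hypothetical stand-in for `apply_overrides`: no `AlgCategory`, error is a `String`.
pub fn apply_overrides_model(base: Vec<String>, spec: &str) -> Result<Vec<String>, String> {
    let spec = spec.trim();
    if spec.is_empty() {
        return Ok(base); // empty override is a no-op
    }
    let (op, rest) = match spec.chars().next() {
        Some(c @ ('+' | '-' | '^')) => (c, &spec[1..]),
        _ => ('=', spec),
    };
    // Trim around commas, drop empty entries ("a,,b"), dedupe case-insensitively.
    let mut names: Vec<String> = Vec::new();
    for n in rest.split(',').map(str::trim).filter(|n| !n.is_empty()) {
        // Any prefix: naming a denylisted algorithm is a hard error, not a silent drop.
        if denied(n) {
            return Err(format!("{} is denylisted and cannot be re-enabled", n));
        }
        if !has(&names, n) {
            names.push(n.to_string());
        }
    }
    let mut out: Vec<String> = match op {
        '+' => {
            let extra: Vec<String> = names.into_iter().filter(|n| !has(&base, n)).collect();
            base.into_iter().chain(extra).collect()
        }
        '-' => base.into_iter().filter(|a| !has(&names, a)).collect(),
        // Assumption: only names already in base move, in the order the override lists them.
        '^' => {
            let front: Vec<String> = names.into_iter().filter(|n| has(&base, n)).collect();
            let tail: Vec<String> = base.into_iter().filter(|a| !has(&front, a)).collect();
            front.into_iter().chain(tail).collect()
        }
        _ => names, // no prefix: replace base entirely
    };
    out.retain(|a| !denied(a)); // denylist filter after every transformation
    Ok(out)
}
```

The final `retain` matters when base itself carries a denylisted name: an unrelated override such as `+foo` still yields a list without it.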