upstream: repair PubkeyAcceptedKeyTypes (and friends) after RSA

signature work - returns ability to add/remove/specify algorithms by
wildcard.

Algorithm lists are now fully expanded when the server/client configs
are finalised, so errors are reported early and the config dumps
(e.g. "ssh -G ...") now list the actual algorithms selected.

Clarify that, while wildcards are accepted in algorithm lists, they
aren't full pattern-lists that support negation.

(lots of) feedback, ok markus@

OpenBSD-Commit-ID: a8894c5c81f399a002f02ff4fe6b4fa46b1f3207

1 files changed, 6 insertions, 4 deletions

diff --git a/sshconnect2.c b/sshconnect2.c
index db95cb214..f3ccd53a9 100644
--- a/sshconnect2.c
+++ b/sshconnect2.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshconnect2.c,v 1.274 2018/07/03 13:20:25 djm Exp $ */
+/* $OpenBSD: sshconnect2.c,v 1.275 2018/07/04 13:49:31 djm Exp $ */
 /*
  * Copyright (c) 2000 Markus Friedl.  All rights reserved.
  * Copyright (c) 2008 Damien Miller.  All rights reserved.
@@ -158,7 +158,7 @@ void
 ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port)
 {
         char *myproposal[PROPOSAL_MAX] = { KEX_CLIENT };
-        char *s;
+        char *s, *all_key;
         struct kex *kex;
         int r;
 
@@ -178,9 +178,11 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port)
         myproposal[PROPOSAL_MAC_ALGS_CTOS] =
             myproposal[PROPOSAL_MAC_ALGS_STOC] = options.macs;
         if (options.hostkeyalgorithms != NULL) {
-                if (kex_assemble_names(KEX_DEFAULT_PK_ALG,
-                    &options.hostkeyalgorithms) != 0)
+                all_key = sshkey_alg_list(0, 0, 1, ',');
+                if (kex_assemble_names(&options.hostkeyalgorithms,
+                    KEX_DEFAULT_PK_ALG, all_key) != 0)
                         fatal("%s: kex_assemble_namelist", __func__);
+                free(all_key);
                 myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] =
                     compat_pkalg_proposal(options.hostkeyalgorithms);
         } else {