upstream commit

Allow ssh_config and sshd_config kex parameters options be
 prefixed by a '+' to indicate that the specified items be appended to the
 default rather than replacing it.

approach suggested by dtucker@, feedback dlg@, ok markus@

Upstream-ID: 0f901137298fc17095d5756ff1561a7028e8882a

1 files changed, 12 insertions, 21 deletions

diff --git a/sshconnect2.c b/sshconnect2.c
index 34dbf9a77..775103185 100644
--- a/sshconnect2.c
+++ b/sshconnect2.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshconnect2.c,v 1.225 2015/07/10 06:21:53 markus Exp $ */
+/* $OpenBSD: sshconnect2.c,v 1.226 2015/07/30 00:01:34 djm Exp $ */
 /*
  * Copyright (c) 2000 Markus Friedl.  All rights reserved.
  * Copyright (c) 2008 Damien Miller.  All rights reserved.
@@ -163,18 +163,12 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port)
         xxx_host = host;
         xxx_hostaddr = hostaddr;
 
-        if (options.ciphers == (char *)-1) {
-                logit("No valid ciphers for protocol version 2 given, using defaults.");
-                options.ciphers = NULL;
-        }
-        if (options.ciphers != NULL) {
-                myproposal[PROPOSAL_ENC_ALGS_CTOS] =
-                myproposal[PROPOSAL_ENC_ALGS_STOC] = options.ciphers;
-        }
+        myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(
+            options.kex_algorithms);
         myproposal[PROPOSAL_ENC_ALGS_CTOS] =
-            compat_cipher_proposal(myproposal[PROPOSAL_ENC_ALGS_CTOS]);
+            compat_cipher_proposal(options.ciphers);
         myproposal[PROPOSAL_ENC_ALGS_STOC] =
-            compat_cipher_proposal(myproposal[PROPOSAL_ENC_ALGS_STOC]);
+            compat_cipher_proposal(options.ciphers);
         if (options.compression) {
                 myproposal[PROPOSAL_COMP_ALGS_CTOS] =
                 myproposal[PROPOSAL_COMP_ALGS_STOC] = "zlib@openssh.com,zlib,none";
@@ -182,14 +176,15 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port)
                 myproposal[PROPOSAL_COMP_ALGS_CTOS] =
                 myproposal[PROPOSAL_COMP_ALGS_STOC] = "none,zlib@openssh.com,zlib";
         }
-        if (options.macs != NULL) {
-                myproposal[PROPOSAL_MAC_ALGS_CTOS] =
-                myproposal[PROPOSAL_MAC_ALGS_STOC] = options.macs;
-        }
-        if (options.hostkeyalgorithms != NULL)
+        myproposal[PROPOSAL_MAC_ALGS_CTOS] =
+            myproposal[PROPOSAL_MAC_ALGS_STOC] = options.macs;
+        if (options.hostkeyalgorithms != NULL) {
+                if (kex_assemble_names(KEX_DEFAULT_PK_ALG,
+                    &options.hostkeyalgorithms) != 0)
+                        fatal("%s: kex_assemble_namelist", __func__);
                 myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] =
                     compat_pkalg_proposal(options.hostkeyalgorithms);
-        else {
+        } else {
                 /* Enforce default */
                 options.hostkeyalgorithms = xstrdup(KEX_DEFAULT_PK_ALG);
                 /* Prefer algorithms that we already have keys for */
@@ -197,10 +192,6 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port)
                     compat_pkalg_proposal(
                     order_hostkeyalgs(host, hostaddr, port));
         }
-        if (options.kex_algorithms != NULL)
-                myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms;
-        myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(
-            myproposal[PROPOSAL_KEX_ALGS]);
 
         if (options.rekey_limit || options.rekey_interval)
                 packet_set_rekey_limits((u_int32_t)options.rekey_limit,