6 files changed, 80 insertions, 19 deletions

diff --git a/kex.c b/kex.c
index 84f8e2aa9..5a8a03aad 100644
--- a/kex.c
+++ b/kex.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: kex.c,v 1.153 2019/09/06 01:58:50 djm Exp $ */
+/* $OpenBSD: kex.c,v 1.154 2019/09/06 14:45:34 naddy Exp $ */
 /*
  * Copyright (c) 2000, 2001 Markus Friedl.  All rights reserved.
  *
@@ -213,8 +213,9 @@ kex_names_cat(const char *a, const char *b)
 /*
  * Assemble a list of algorithms from a default list and a string from a
  * configuration file. The user-provided string may begin with '+' to
- * indicate that it should be appended to the default or '-' that the
- * specified names should be removed.
+ * indicate that it should be appended to the default, '-' that the
+ * specified names should be removed, or '^' that they should be placed
+ * at the head.
  */
 int
 kex_assemble_names(char **listp, const char *def, const char *all)
@@ -251,6 +252,14 @@ kex_assemble_names(char **listp, const char *def, const char *all)
                 free(list);
                 /* filtering has already been done */
                 return 0;
+        } else if (*list == '^') {
+                /* Place names at head of default list */
+                if ((tmp = kex_names_cat(list + 1, def)) == NULL) {
+                        r = SSH_ERR_ALLOC_FAIL;
+                        goto fail;
+                }
+                free(list);
+                list = tmp;
         } else {
                 /* Explicit list, overrides default - just use "list" as is */
         }
diff --git a/readconf.c b/readconf.c
index d1b7871ec..f78b4d6fe 100644
--- a/readconf.c
+++ b/readconf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: readconf.c,v 1.308 2019/08/09 05:05:54 djm Exp $ */
+/* $OpenBSD: readconf.c,v 1.309 2019/09/06 14:45:34 naddy Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -1199,7 +1199,8 @@ parse_int:
                 arg = strdelim(&s);
                 if (!arg || *arg == '\0')
                         fatal("%.200s line %d: Missing argument.", filename, linenum);
-                if (*arg != '-' && !ciphers_valid(*arg == '+' ? arg + 1 : arg))
+                if (*arg != '-' &&
+                    !ciphers_valid(*arg == '+' || *arg == '^' ? arg + 1 : arg))
                         fatal("%.200s line %d: Bad SSH2 cipher spec '%s'.",
                             filename, linenum, arg ? arg : "<NONE>");
                 if (*activep && options->ciphers == NULL)
@@ -1210,7 +1211,8 @@ parse_int:
                 arg = strdelim(&s);
                 if (!arg || *arg == '\0')
                         fatal("%.200s line %d: Missing argument.", filename, linenum);
-                if (*arg != '-' && !mac_valid(*arg == '+' ? arg + 1 : arg))
+                if (*arg != '-' &&
+                    !mac_valid(*arg == '+' || *arg == '^' ? arg + 1 : arg))
                         fatal("%.200s line %d: Bad SSH2 MAC spec '%s'.",
                             filename, linenum, arg ? arg : "<NONE>");
                 if (*activep && options->macs == NULL)
@@ -1223,7 +1225,8 @@ parse_int:
                         fatal("%.200s line %d: Missing argument.",
                             filename, linenum);
                 if (*arg != '-' &&
-                    !kex_names_valid(*arg == '+' ? arg + 1 : arg))
+                    !kex_names_valid(*arg == '+' || *arg == '^' ?
+                    arg + 1 : arg))
                         fatal("%.200s line %d: Bad SSH2 KexAlgorithms '%s'.",
                             filename, linenum, arg ? arg : "<NONE>");
                 if (*activep && options->kex_algorithms == NULL)
@@ -1238,7 +1241,8 @@ parse_keytypes:
                         fatal("%.200s line %d: Missing argument.",
                             filename, linenum);
                 if (*arg != '-' &&
-                    !sshkey_names_valid2(*arg == '+' ? arg + 1 : arg, 1))
+                    !sshkey_names_valid2(*arg == '+' || *arg == '^' ?
+                    arg + 1 : arg, 1))
                         fatal("%s line %d: Bad key types '%s'.",
                                 filename, linenum, arg ? arg : "<NONE>");
                 if (*activep && *charptr == NULL)
diff --git a/servconf.c b/servconf.c
index 340045b28..e76f9c39e 100644
--- a/servconf.c
+++ b/servconf.c
@@ -1,5 +1,5 @@
 
-/* $OpenBSD: servconf.c,v 1.351 2019/04/18 18:56:16 dtucker Exp $ */
+/* $OpenBSD: servconf.c,v 1.352 2019/09/06 14:45:34 naddy Exp $ */
 /*
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
  *                    All rights reserved
@@ -1444,7 +1444,8 @@ process_server_config_line(ServerOptions *options, char *line,
                         fatal("%s line %d: Missing argument.",
                             filename, linenum);
                 if (*arg != '-' &&
-                    !sshkey_names_valid2(*arg == '+' ? arg + 1 : arg, 1))
+                    !sshkey_names_valid2(*arg == '+' || *arg == '^' ?
+                    arg + 1 : arg, 1))
                         fatal("%s line %d: Bad key types '%s'.",
                             filename, linenum, arg ? arg : "<NONE>");
                 if (*activep && *charptr == NULL)
@@ -1715,7 +1716,8 @@ process_server_config_line(ServerOptions *options, char *line,
                 arg = strdelim(&cp);
                 if (!arg || *arg == '\0')
                         fatal("%s line %d: Missing argument.", filename, linenum);
-                if (*arg != '-' && !ciphers_valid(*arg == '+' ? arg + 1 : arg))
+                if (*arg != '-' &&
+                    !ciphers_valid(*arg == '+' || *arg == '^' ? arg + 1 : arg))
                         fatal("%s line %d: Bad SSH2 cipher spec '%s'.",
                             filename, linenum, arg ? arg : "<NONE>");
                 if (options->ciphers == NULL)
@@ -1726,7 +1728,8 @@ process_server_config_line(ServerOptions *options, char *line,
                 arg = strdelim(&cp);
                 if (!arg || *arg == '\0')
                         fatal("%s line %d: Missing argument.", filename, linenum);
-                if (*arg != '-' && !mac_valid(*arg == '+' ? arg + 1 : arg))
+                if (*arg != '-' &&
+                    !mac_valid(*arg == '+' || *arg == '^' ? arg + 1 : arg))
                         fatal("%s line %d: Bad SSH2 mac spec '%s'.",
                             filename, linenum, arg ? arg : "<NONE>");
                 if (options->macs == NULL)
@@ -1739,7 +1742,8 @@ process_server_config_line(ServerOptions *options, char *line,
                         fatal("%s line %d: Missing argument.",
                             filename, linenum);
                 if (*arg != '-' &&
-                    !kex_names_valid(*arg == '+' ? arg + 1 : arg))
+                    !kex_names_valid(*arg == '+' || *arg == '^' ?
+                    arg + 1 : arg))
                         fatal("%s line %d: Bad SSH2 KexAlgorithms '%s'.",
                             filename, linenum, arg ? arg : "<NONE>");
                 if (options->kex_algorithms == NULL)
diff --git a/ssh.c b/ssh.c
index 654376981..cb321bcf3 100644
--- a/ssh.c
+++ b/ssh.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh.c,v 1.505 2019/06/28 13:35:04 deraadt Exp $ */
+/* $OpenBSD: ssh.c,v 1.506 2019/09/06 14:45:34 naddy Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -877,7 +877,7 @@ main(int ac, char **av)
                         }
                         break;
                 case 'c':
-                        if (!ciphers_valid(*optarg == '+' ?
+                        if (!ciphers_valid(*optarg == '+' || *optarg == '^' ?
                             optarg + 1 : optarg)) {
                                 fprintf(stderr, "Unknown cipher type '%s'\n",
                                     optarg);
diff --git a/ssh_config.5 b/ssh_config.5
index 14d96beaf..e114b1dfe 100644
--- a/ssh_config.5
+++ b/ssh_config.5
@@ -33,8 +33,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: ssh_config.5,v 1.300 2019/09/04 20:31:15 naddy Exp $
-.Dd $Mdocdate: September 4 2019 $
+.\" $OpenBSD: ssh_config.5,v 1.301 2019/09/06 14:45:34 naddy Exp $
+.Dd $Mdocdate: September 6 2019 $
 .Dt SSH_CONFIG 5
 .Os
 .Sh NAME
@@ -430,6 +430,10 @@ If the specified list begins with a
 .Sq -
 character, then the specified ciphers (including wildcards) will be removed
 from the default set instead of replacing them.
+If the specified list begins with a
+.Sq ^
+character, then the specified ciphers will be placed at the head of the
+default set.
 .Pp
 The supported ciphers are:
 .Bd -literal -offset indent
@@ -794,6 +798,10 @@ If the specified list begins with a
 .Sq -
 character, then the specified key types (including wildcards) will be removed
 from the default set instead of replacing them.
+If the specified list begins with a
+.Sq ^
+character, then the specified key types will be placed at the head of the
+default set.
 The default for this option is:
 .Bd -literal -offset 3n
 ecdsa-sha2-nistp256-cert-v01@openssh.com,
@@ -822,6 +830,10 @@ If the specified list begins with a
 .Sq -
 character, then the specified key types (including wildcards) will be removed
 from the default set instead of replacing them.
+If the specified list begins with a
+.Sq ^
+character, then the specified key types will be placed at the head of the
+default set.
 The default for this option is:
 .Bd -literal -offset 3n
 ecdsa-sha2-nistp256-cert-v01@openssh.com,
@@ -1051,6 +1063,10 @@ If the specified list begins with a
 .Sq -
 character, then the specified methods (including wildcards) will be removed
 from the default set instead of replacing them.
+If the specified list begins with a
+.Sq ^
+character, then the specified methods will be placed at the head of the
+default set.
 The default is:
 .Bd -literal -offset indent
 curve25519-sha256,curve25519-sha256@libssh.org,
@@ -1132,6 +1148,10 @@ If the specified list begins with a
 .Sq -
 character, then the specified algorithms (including wildcards) will be removed
 from the default set instead of replacing them.
+If the specified list begins with a
+.Sq ^
+character, then the specified algorithms will be placed at the head of the
+default set.
 .Pp
 The algorithms that contain
 .Qq -etm
@@ -1289,6 +1309,10 @@ If the specified list begins with a
 .Sq -
 character, then the specified key types (including wildcards) will be removed
 from the default set instead of replacing them.
+If the specified list begins with a
+.Sq ^
+character, then the specified key types will be placed at the head of the
+default set.
 The default for this option is:
 .Bd -literal -offset 3n
 ecdsa-sha2-nistp256-cert-v01@openssh.com,
diff --git a/sshd_config.5 b/sshd_config.5
index f42d10417..9486f2a1c 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -33,8 +33,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd_config.5,v 1.289 2019/09/04 20:31:15 naddy Exp $
-.Dd $Mdocdate: September 4 2019 $
+.\" $OpenBSD: sshd_config.5,v 1.290 2019/09/06 14:45:34 naddy Exp $
+.Dd $Mdocdate: September 6 2019 $
 .Dt SSHD_CONFIG 5
 .Os
 .Sh NAME
@@ -462,6 +462,10 @@ If the specified list begins with a
 .Sq -
 character, then the specified ciphers (including wildcards) will be removed
 from the default set instead of replacing them.
+If the specified list begins with a
+.Sq ^
+character, then the specified ciphers will be placed at the head of the
+default set.
 .Pp
 The supported ciphers are:
 .Pp
@@ -676,6 +680,10 @@ If the specified list begins with a
 .Sq -
 character, then the specified key types (including wildcards) will be removed
 from the default set instead of replacing them.
+If the specified list begins with a
+.Sq ^
+character, then the specified key types will be placed at the head of the
+default set.
 The default for this option is:
 .Bd -literal -offset 3n
 ecdsa-sha2-nistp256-cert-v01@openssh.com,
@@ -881,6 +889,10 @@ If the specified list begins with a
 .Sq -
 character, then the specified methods (including wildcards) will be removed
 from the default set instead of replacing them.
+If the specified list begins with a
+.Sq ^
+character, then the specified methods will be placed at the head of the
+default set.
 The supported algorithms are:
 .Pp
 .Bl -item -compact -offset indent
@@ -998,6 +1010,10 @@ If the specified list begins with a
 .Sq -
 character, then the specified algorithms (including wildcards) will be removed
 from the default set instead of replacing them.
+If the specified list begins with a
+.Sq ^
+character, then the specified algorithms will be placed at the head of the
+default set.
 .Pp
 The algorithms that contain
 .Qq -etm
@@ -1403,6 +1419,10 @@ If the specified list begins with a
 .Sq -
 character, then the specified key types (including wildcards) will be removed
 from the default set instead of replacing them.
+If the specified list begins with a
+.Sq ^
+character, then the specified key types will be placed at the head of the
+default set.
 The default for this option is:
 .Bd -literal -offset 3n
 ecdsa-sha2-nistp256-cert-v01@openssh.com,