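--- a/kex.c
+++ b/kex.c
@@ -237,7 +237,11 @@ kex_assemble_names(char **listp, const char *def, const char *all)
 
 	list = *listp;
 	*listp = NULL;
-	if (*list == '+') {
+	if (*list == ':') {
+		/* Used in HostKeyAlgorithms to denote the list is supposed to be ordered later */
+		/* Noop here */
+		return 0;
+	} else if (*list == '+') {
 		/* Append names to default list */
 		if ((tmp = kex_names_cat(def, list + 1)) == NULL) {
 			r = SSH_ERR_ALLOC_FAIL;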
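Review bot: The new `:` branch returns 0 after the context line `*listp = NULL;` has already cleared the caller's pointer, so the caller receives NULL and the string held in `list` is neither returned nor freed; the sshconnect2.c change on this page then evaluates `*options.hostkeyalgorithms == ':'` on that NULL pointer. The branch should hand the list back before leaving, `*listp = list;` immediately before `return 0;`. kex_assemble_names continues past the hunk, and if a later path restores `*listp` this does not apply, but nothing in the visible lines does so; the rest of the function presumably also validates the explicit list against `all`, which a `:`-prefixed value now bypasses entirely, so it may be worth routing the text after the `:` through the same check. The two stacked comments read better as one, e.g. `/* ':' prefix: HostKeyAlgorithms list the caller will order later; pass through unchanged */`.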
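--- a/readconf.c
+++ b/readconf.c
@@ -1237,8 +1237,12 @@ parse_keytypes:
 		if (!arg || *arg == '\0')
 			fatal("%.200s line %d: Missing argument.",
 			    filename, linenum);
+		if (opcode == oHostKeyAlgorithms)
+			arg2 = "+-:";
+		else
+			arg2 = "+-";
 		if (*arg != '-' &&
-		    !sshkey_names_valid2(*arg == '+' ? arg + 1 : arg, 1))
+		    !sshkey_names_valid2(strchr(arg2, *arg) ? arg + 1 : arg, 1))
 			fatal("%s line %d: Bad key types '%s'.",
 				filename, linenum, arg ? arg : "<NONE>");
 		if (*activep && *charptr == NULL)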
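Review bot: The accepted-prefix string is stored in the generic scratch name `arg2` with nothing saying what `:` means, so a reader of `strchr(arg2, *arg)` has to work out from the `oHostKeyAlgorithms` test that this is a prefix set and that `:` is HostKeyAlgorithms-only. A one-line comment above the new `if`, `/* prefix characters allowed before a key-type list; ':' (order by known hosts) only for HostKeyAlgorithms */`, or a dedicated `const char *prefixes` local, would make the intent clear at the point of use. Since the earlier `*arg == '\0'` check already rejects an empty value, the `strchr` cannot match the terminator here; that reliance is worth a short note too, as it would silently break if the two checks were ever reordered.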
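--- a/ssh_config.5
+++ b/ssh_config.5
@@ -822,6 +822,9 @@ If the specified value begins with a
 .Sq -
 character, then the specified key types (including wildcards) will be removed
 from the default set instead of replacing them.
+If the specified value begins with a
+.Sq \&:
+character, then ssh will order the given list based on already known hosts.
 The default for this option is:
 .Bd -literal -offset 3n
 ecdsa-sha2-nistp256-cert-v01@openssh.com,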
(-)a/sshconnect2.c (-5 / +10 lines)
Lines 101-109 verify_host_key_callback(struct sshkey *hostkey, struct ssh *ssh) Link Here
101
}
101
}
102
102
103
static char *
103
static char *
104
order_hostkeyalgs(char *host, struct sockaddr *hostaddr, u_short port)
104
order_hostkeyalgs(char *host, struct sockaddr *hostaddr, u_short port, char *avail)
105
{
105
{
106
	char *oavail, *avail, *first, *last, *alg, *hostname, *ret;
106
	char *oavail, *first, *last, *alg, *hostname, *ret;
107
	size_t maxlen;
107
	size_t maxlen;
108
	struct hostkeys *hostkeys;
108
	struct hostkeys *hostkeys;
109
	int ktype;
109
	int ktype;
Lines 117-123 order_hostkeyalgs(char *host, struct sockaddr *hostaddr, u_short port) Link Here
117
	for (i = 0; i < options.num_system_hostfiles; i++)
117
	for (i = 0; i < options.num_system_hostfiles; i++)
118
		load_hostkeys(hostkeys, hostname, options.system_hostfiles[i]);
118
		load_hostkeys(hostkeys, hostname, options.system_hostfiles[i]);
119
119
120
	oavail = avail = xstrdup(KEX_DEFAULT_PK_ALG);
120
	oavail = avail = xstrdup(avail);
121
	maxlen = strlen(avail) + 1;
121
	maxlen = strlen(avail) + 1;
122
	first = xmalloc(maxlen);
122
	first = xmalloc(maxlen);
123
	last = xmalloc(maxlen);
123
	last = xmalloc(maxlen);
Lines 182-187 ssh_kex2(struct ssh *ssh, char *host, struct sockaddr *hostaddr, u_short port) Link Here
182
		    KEX_DEFAULT_PK_ALG, all_key) != 0)
182
		    KEX_DEFAULT_PK_ALG, all_key) != 0)
183
			fatal("%s: kex_assemble_namelist", __func__);
183
			fatal("%s: kex_assemble_namelist", __func__);
184
		free(all_key);
184
		free(all_key);
185
		if (*options.hostkeyalgorithms == ':') {
186
			char *tmp = options.hostkeyalgorithms;
187
			options.hostkeyalgorithms = order_hostkeyalgs(host,
188
			    hostaddr, port, options.hostkeyalgorithms + 1);
189
			free(tmp);
190
		}
185
		myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] =
191
		myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] =
186
		    compat_pkalg_proposal(options.hostkeyalgorithms);
192
		    compat_pkalg_proposal(options.hostkeyalgorithms);
187
	} else {
193
	} else {
Lines 190-196 ssh_kex2(struct ssh *ssh, char *host, struct sockaddr *hostaddr, u_short port) Link Here
190
		/* Prefer algorithms that we already have keys for */
196
		/* Prefer algorithms that we already have keys for */
191
		myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] =
197
		myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] =
192
		    compat_pkalg_proposal(
198
		    compat_pkalg_proposal(
193
		    order_hostkeyalgs(host, hostaddr, port));
199
		    order_hostkeyalgs(host, hostaddr, port, KEX_DEFAULT_PK_ALG));
194
	}
200
	}
195
201
196
	if (options.rekey_limit || options.rekey_interval)
202
	if (options.rekey_limit || options.rekey_interval)
197
- 

Return to bug 2924