In FIPS mode do not append bogus comma after the kex list

openssh-7.2p1-fips.patch

@@ -309,20 +309,20 @@ diff -up openssh-7.4p1/Makefile.in.fips openssh-7.4p1/Makefile.in
 diff -up openssh-7.4p1/myproposal.h.fips openssh-7.4p1/myproposal.h
 --- openssh-7.4p1/myproposal.h.fips	2016-12-19 05:59:41.000000000 +0100
 +++ openssh-7.4p1/myproposal.h	2016-12-23 16:37:49.300741586 +0100
-@@ -138,6 +138,27 @@
+@@ -138,6 +138,37 @@
  
  #define KEX_CLIENT_MAC KEX_SERVER_MAC
  
-+#define KEX_DEFAULT_KEX_FIPS		\
-+	KEX_ECDH_METHODS \
-+	KEX_SHA2_METHODS \
-+	KEX_SHA2_GROUP14
 +#define	KEX_FIPS_ENCRYPT \
 +	"aes128-ctr,aes192-ctr,aes256-ctr," \
 +	"aes128-cbc,3des-cbc," \
 +	"aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se"
 +#ifdef HAVE_EVP_SHA256
-+#define	KEX_FIPS_MAC \
++# define KEX_DEFAULT_KEX_FIPS		\
++	KEX_ECDH_METHODS \
++	KEX_SHA2_METHODS \
++	"diffie-hellman-group14-sha256"
++# define KEX_FIPS_MAC \
 +	"hmac-sha1," \
 +	"hmac-sha2-256," \
 +	"hmac-sha2-512," \
@@ -330,6 +330,16 @@ diff -up openssh-7.4p1/myproposal.h.fips openssh-7.4p1/myproposal.h
 +	"hmac-sha2-256-etm@openssh.com," \
 +	"hmac-sha2-512-etm@openssh.com"
 +#else
++# ifdef OPENSSL_HAS_NISTP521
++#  define KEX_DEFAULT_KEX_FIPS		\
++	"ecdh-sha2-nistp256," \
++	"ecdh-sha2-nistp384," \
++	"ecdh-sha2-nistp521"
++# else
++#  define KEX_DEFAULT_KEX_FIPS		\
++	"ecdh-sha2-nistp256," \
++	"ecdh-sha2-nistp384"
++# endif
 +#define        KEX_FIPS_MAC \
 +       "hmac-sha1"
 +#endif