Index: dist/src/lib/create.c
===================================================================
RCS file: /cvsroot/src/crypto/external/bsd/netpgp/dist/src/lib/create.c,v
retrieving revision 1.38
diff -u -p -r1.38 create.c
--- dist/src/lib/create.c	15 Nov 2010 08:03:39 -0000	1.38
+++ dist/src/lib/create.c	24 Mar 2020 22:02:16 -0000
@@ -959,8 +959,17 @@ pgp_create_pk_sesskey(const pgp_key_t *k
 	}
 	/* allocate unencoded_m_buf here */
 	(void) memset(&cipherinfo, 0x0, sizeof(cipherinfo));
-	pgp_crypt_any(&cipherinfo,
-		cipher = pgp_str_to_cipher((ciphername) ? ciphername : "cast5"));
+
+	cipher = pgp_str_to_cipher(ciphername);
+
+	if (cipher == PGP_SA_UNKNOWN) {
+		(void) fprintf(stderr,
+			"pgp_create_pk_sesskey: invalid cipher\n");
+		return NULL;
+	}
+
+	pgp_crypt_any(&cipherinfo, cipher);
+
 	unencoded_m_buf = calloc(1, cipherinfo.keysize + 1 + 2);
 	if (unencoded_m_buf == NULL) {
 		(void) fprintf(stderr,
Index: dist/src/lib/misc.c
===================================================================
RCS file: /cvsroot/src/crypto/external/bsd/netpgp/dist/src/lib/misc.c,v
retrieving revision 1.42
diff -u -p -r1.42 misc.c
--- dist/src/lib/misc.c	13 Nov 2018 14:52:30 -0000	1.42
+++ dist/src/lib/misc.c	24 Mar 2020 22:02:16 -0000
@@ -833,7 +833,7 @@ pgp_str_to_cipher(const char *cipher)
 			return sp->i;
 		}
 	}
-	return PGP_SA_DEFAULT_CIPHER;
+	return PGP_SA_UNKNOWN;
 }
 
 void 
Index: dist/src/lib/netpgp.c
===================================================================
RCS file: /cvsroot/src/crypto/external/bsd/netpgp/dist/src/lib/netpgp.c,v
retrieving revision 1.103
diff -u -p -r1.103 netpgp.c
--- dist/src/lib/netpgp.c	21 Mar 2020 01:07:21 -0000	1.103
+++ dist/src/lib/netpgp.c	24 Mar 2020 22:02:16 -0000
@@ -801,6 +801,7 @@ netpgp_init(netpgp_t *netpgp)
 	char		 id[MAX_ID_LENGTH];
 	char		*homedir;
 	char		*userid;
+	char		*ciphername;
 	char		*stream;
 	char		*passfd;
 	char		*results;
@@ -868,6 +869,14 @@ netpgp_init(netpgp_t *netpgp)
 		(void) fprintf(io->errs, "netpgp: bad homedir\n");
 		return 0;
 	}
+
+	if ((ciphername = netpgp_getvar(netpgp, "cipher")) != NULL) {
+		if (pgp_str_to_cipher(ciphername) == PGP_SA_UNKNOWN) {
+			(void) fprintf(io->errs, "netpgp: invalid cipher\n");
+			return 0;
+		}
+	}
+
 	if (netpgp_getvar(netpgp, "ssh keys") == NULL) {
 		/* read from ordinary pgp keyrings */
 		netpgp->pubring = readkeyring(netpgp, "pubring");
Index: dist/src/lib/packet.h
===================================================================
RCS file: /cvsroot/src/crypto/external/bsd/netpgp/dist/src/lib/packet.h,v
retrieving revision 1.31
diff -u -p -r1.31 packet.h
--- dist/src/lib/packet.h	13 Nov 2018 14:52:30 -0000	1.31
+++ dist/src/lib/packet.h	24 Mar 2020 22:02:16 -0000
@@ -471,6 +471,7 @@ typedef enum {
  * \see RFC4880 9.2
  */
 typedef enum {
+	PGP_SA_UNKNOWN = -1,	/* used to indicate errors */
 	PGP_SA_PLAINTEXT = 0,	/* Plaintext or unencrypted data */
 	PGP_SA_IDEA = 1,	/* IDEA */
 	PGP_SA_TRIPLEDES = 2,	/* TripleDES */