===================================================================
RCS file: /cvsrepo/anoncvs/cvs/src/usr.bin/ssh/compat.c,v
retrieving revision 1.81
retrieving revision 1.82
diff -u -r1.81 -r1.82
--- src/usr.bin/ssh/compat.c	2013/05/17 00:13:13	1.81
+++ src/usr.bin/ssh/compat.c	2013/12/30 23:52:27	1.82
@@ -1,4 +1,4 @@
-/* $OpenBSD: compat.c,v 1.81 2013/05/17 00:13:13 djm Exp $ */
+/* $OpenBSD: compat.c,v 1.82 2013/12/30 23:52:27 djm Exp $ */
 /*
  * Copyright (c) 1999, 2000, 2001, 2002 Markus Friedl.  All rights reserved.
  *
@@ -169,8 +169,9 @@
 	for (i = 0; check[i].pat; i++) {
 		if (match_pattern_list(version, check[i].pat,
 		    strlen(check[i].pat), 0) == 1) {
-			debug("match: %s pat %s", version, check[i].pat);
 			datafellows = check[i].bugs;
+			debug("match: %s pat %s compat 0x%08x",
+			    version, check[i].pat, datafellows);
 			return;
 		}
 	}
@@ -206,33 +207,59 @@
 	return ret;
 }
 
-char *
-compat_cipher_proposal(char *cipher_prop)
+/*
+ * Filters a proposal string, excluding any algorithm matching the 'filter'
+ * pattern list.
+ */
+static char *
+filter_proposal(char *proposal, const char *filter)
 {
 	Buffer b;
-	char *orig_prop, *fix_ciphers;
+	char *orig_prop, *fix_prop;
 	char *cp, *tmp;
 
-	if (!(datafellows & SSH_BUG_BIGENDIANAES))
-		return(cipher_prop);
-
 	buffer_init(&b);
-	tmp = orig_prop = xstrdup(cipher_prop);
+	tmp = orig_prop = xstrdup(proposal);
 	while ((cp = strsep(&tmp, ",")) != NULL) {
-		if (strncmp(cp, "aes", 3) != 0) {
+		if (match_pattern_list(cp, filter, strlen(cp), 0) != 1) {
 			if (buffer_len(&b) > 0)
 				buffer_append(&b, ",", 1);
 			buffer_append(&b, cp, strlen(cp));
-		}
+		} else
+			debug2("Compat: skipping algorithm \"%s\"", cp);
 	}
 	buffer_append(&b, "\0", 1);
-	fix_ciphers = xstrdup(buffer_ptr(&b));
+	fix_prop = xstrdup(buffer_ptr(&b));
 	buffer_free(&b);
 	free(orig_prop);
-	debug2("Original cipher proposal: %s", cipher_prop);
-	debug2("Compat cipher proposal: %s", fix_ciphers);
-	if (!*fix_ciphers)
-		fatal("No available ciphers found.");
 
-	return(fix_ciphers);
+	return fix_prop;
 }
+
+char *
+compat_cipher_proposal(char *cipher_prop)
+{
+	if (!(datafellows & SSH_BUG_BIGENDIANAES))
+		return cipher_prop;
+	debug2("%s: original cipher proposal: %s", __func__, cipher_prop);
+	cipher_prop = filter_proposal(cipher_prop, "aes*");
+	debug2("%s: compat cipher proposal: %s", __func__, cipher_prop);
+	if (*cipher_prop == '\0')
+		fatal("No supported ciphers found");
+	return cipher_prop;
+}
+
+
+char *
+compat_pkalg_proposal(char *pkalg_prop)
+{
+	if (!(datafellows & SSH_BUG_RSASIGMD5))
+		return pkalg_prop;
+	debug2("%s: original public key proposal: %s", __func__, pkalg_prop);
+	pkalg_prop = filter_proposal(pkalg_prop, "ssh-rsa");
+	debug2("%s: compat public key proposal: %s", __func__, pkalg_prop);
+	if (*pkalg_prop == '\0')
+		fatal("No supported PK algorithms found");
+	return pkalg_prop;
+}
+