Re: master has no DES encryption cipher policy
- Subject: Re: master has no DES encryption cipher policy
- From: Aris Adamantiadis <aris@xxxxxxxxxxxx>
- Reply-to: libssh@xxxxxxxxxx
- Date: Wed, 05 Sep 2012 19:54:14 +0200
- To: libssh@xxxxxxxxxx
Hi Dmitry,
Are you sure this is not one of your personal patches? I do not
remember having ever added DES support on libssh nor having seen this
commit ...
Aris
On 5/09/12 17:13, Dmitriy Kuznetsov wrote:
> Sorry for the lack of detail. I cannot connect to some legacy device; the logs are:
> ---
> : libssh 0.6.0 (c) 2003-2010 Aris Adamantiadis (aris@xxxxxxxxxxxx)
> Distributed under the LGPL, please refer to COPYING file for
> information about your rights, using threading threads_noop
> : host 10.111.115.86 matches an IP address
> : Nonblocking connection socket: 1868
> : Socket connecting, now waiting for the callbacks to work
> : ssh_connect: Actual timeout : 60000
> : Received POLLOUT in connecting state
> : Socket connection callback: 1 (0)
> : Received banner: SSH-1.5-OpenSSH_3.7.1p3
> : SSH server banner: SSH-1.5-OpenSSH_3.7.1p3
> : Analyzing banner: SSH-1.5-OpenSSH_3.7.1p3
> : We are talking to an OpenSSH client version: 3.7 (30700)
> : Enabling POLLOUT for socket
> : Reading a 271 bytes packet
> : 1 bytes padding
> : The packet is valid
> : Dispatching handler for packet type 2
> : Got a SSH_SMSG_PUBLIC_KEY
> : Server bits: 768; Host bits: 1024; Protocol flags: 00000002; Cipher
> mask: 00000004; Auth mask: 0000002c
> ssh_packet_publickey1: Error: Remote server doesn't accept 3DES
> : ssh_connect: Actual state : 9
> ---
>
> The function 'ssh_packet_publickey1' does not support DES now, only 3DES:
>
> --- ssh_packet_publickey1-from-kex.c-0.5.2 Wed Sep 5 19:11:38 2012
> +++ ssh_packet_publickey1-from-kex1.c-0.5.9 Wed Sep 5 19:11:49 2012
> @@ -15,8 +15,6 @@
> ssh_string enc_session = NULL;
> uint16_t bits;
> int ko;
> - uint32_t have3Des;
> - uint32_t haveDes;
> enter_function();
> (void)type;
> (void)user;
> @@ -25,7 +23,7 @@
> ssh_set_error(session,SSH_FATAL,"SSH_KEXINIT received in wrong state");
> goto error;
> }
> - if (buffer_get_data(packet, session->server_kex.cookie, 8) != 8) {
> + if (buffer_get_data(packet,
> session->next_crypto->server_kex.cookie, 8) != 8) {
> ssh_set_error(session, SSH_FATAL, "Can't get cookie in buffer");
> goto error;
> }
> @@ -102,10 +100,7 @@
>
> /* now, we must choose an encryption algo */
> /* hardcode 3des */
> - //
> - have3Des = (supported_ciphers_mask & (1<<SSH_CIPHER_3DES));
> - haveDes = (supported_ciphers_mask & (1<<SSH_CIPHER_DES));
> - if(!have3Des && ! haveDes){
> + if (!(supported_ciphers_mask & (1 << SSH_CIPHER_3DES))) {
> ssh_set_error(session, SSH_FATAL, "Remote server doesn't accept 3DES");
> goto error;
> }
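Review bot: in the cipher check at `if (!(supported_ciphers_mask & (1 << SSH_CIPHER_3DES)))`, the error "Remote server doesn't accept 3DES" does not say what the server did offer; including `supported_ciphers_mask` in the `ssh_set_error` text would let a failure like the one in the log above (Cipher mask: 00000004) be diagnosed from the error alone. The removed lines fell back to `SSH_CIPHER_DES` automatically whenever the 3DES bit was missing; if that fallback is wanted again it should be an explicit opt-in by the caller rather than something the server's mask alone can trigger, and the shared error text should then name both ciphers.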
> @@ -114,12 +109,10 @@
> if (buffer_add_u8(session->out_buffer, SSH_CMSG_SESSION_KEY) < 0) {
> goto error;
> }
> -
> - if (buffer_add_u8(session->out_buffer,have3Des?SSH_CIPHER_3DES:SSH_CIPHER_DES)
> < 0) {
> + if (buffer_add_u8(session->out_buffer, SSH_CIPHER_3DES) < 0) {
> goto error;
> }
> -
> - if (buffer_add_data(session->out_buffer,
> session->server_kex.cookie, 8) < 0) {
> + if (buffer_add_data(session->out_buffer,
> session->next_crypto->server_kex.cookie, 8) < 0) {
> goto error;
> }
>
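Review bot: `buffer_add_u8(session->out_buffer, SSH_CIPHER_3DES)` repeats the cipher as a second literal, separate from the mask check in the previous hunk. Holding the chosen cipher in one local and using it for the check, for this SSH_CMSG_SESSION_KEY field and for the later algorithm setup would keep the three from drifting apart. The cookie now comes from `session->next_crypto->server_kex.cookie` both here and where it is read, which is consistent.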
> @@ -150,8 +143,8 @@
> }
>
> /* we can set encryption */
> - if(crypt_set_algorithms(session, have3Des?0:1)){
> - goto error;
> + if (crypt_set_algorithms(session)) {
> + goto error;
> }
>
> session->current_crypto = session->next_crypto;
>
>
>
>
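Review bot: `crypt_set_algorithms(session)` drops the second argument, so the prototype and any other caller have to change together with this call; neither is visible in this diff and should be checked. The removed call passed `have3Des?0:1`, a bare 0/1 selector whose meaning is not documented anywhere in the hunk; a named constant would be needed if a cipher parameter ever returns.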
> 2012/9/5 Andreas Schneider <asn@xxxxxxxxxxxxxx>:
>> On Wednesday 05 September 2012 17:46:59 you wrote:
>>> Why was DES removed from master? There is 3DES only.
>>> There are many legacy devices that support DES only.
>>> The 0.5.2 branch supports DES & 3DES. Can support for DES be restored in master?
>>
>> What do you mean exactly? Please give more details.
>>
>> We didn't remove any DES support.
>>
>>
>>
>> -- andreas
>>
>> --
>> Andreas Schneider GPG-ID: F33E3FC6
>> www.cryptomilk.org asn@xxxxxxxxxxxxxx
>>
>>
>