[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: master has no DES encryption cipher policy


Sorry for the lack of detail, I can not connect to some legacy device, log are:
---
: libssh 0.6.0 (c) 2003-2010 Aris Adamantiadis (aris@xxxxxxxxxxxx)
Distributed under the LGPL, please refer to COPYING file for
information about your rights, using threading threads_noop
: host 10.111.115.86 matches an IP address
: Nonblocking connection socket: 1868
: Socket connecting, now waiting for the callbacks to work
: ssh_connect: Actual timeout : 60000
: Received POLLOUT in connecting state
: Socket connection callback: 1 (0)
: Received banner: SSH-1.5-OpenSSH_3.7.1p3
: SSH server banner: SSH-1.5-OpenSSH_3.7.1p3
: Analyzing banner: SSH-1.5-OpenSSH_3.7.1p3
: We are talking to an OpenSSH client version: 3.7 (30700)
: Enabling POLLOUT for socket
: Reading a 271 bytes packet
: 1 bytes padding
: The packet is valid
: Dispatching handler for packet type 2
: Got a SSH_SMSG_PUBLIC_KEY
: Server bits: 768; Host bits: 1024; Protocol flags: 00000002; Cipher
mask: 00000004; Auth mask: 0000002c
ssh_packet_publickey1: Error: Remote server doesn't accept 3DES
: ssh_connect: Actual state : 9
---

function 'ssh_packet_publickey1' no support DES now, only 3DES:

--- ssh_packet_publickey1-from-kex.c-0.5.2	Wed Sep  5 19:11:38 2012
+++ ssh_packet_publickey1-from-kex1.c-0.5.9	Wed Sep  5 19:11:49 2012
@@ -15,8 +15,6 @@
   ssh_string enc_session = NULL;
   uint16_t bits;
   int ko;
-  uint32_t have3Des;
-  uint32_t haveDes;
   enter_function();
   (void)type;
   (void)user;
@@ -25,7 +23,7 @@
     ssh_set_error(session,SSH_FATAL,"SSH_KEXINIT received in wrong state");
     goto error;
   }
-  if (buffer_get_data(packet, session->server_kex.cookie, 8) != 8) {
+  if (buffer_get_data(packet,
session->next_crypto->server_kex.cookie, 8) != 8) {
     ssh_set_error(session, SSH_FATAL, "Can't get cookie in buffer");
     goto error;
   }
@@ -102,10 +100,7 @@

   /* now, we must choose an encryption algo */
   /* hardcode 3des */
-  //
-  have3Des = (supported_ciphers_mask & (1<<SSH_CIPHER_3DES));
-  haveDes = (supported_ciphers_mask & (1<<SSH_CIPHER_DES));
-  if(!have3Des && ! haveDes){
+  if (!(supported_ciphers_mask & (1 << SSH_CIPHER_3DES))) {
     ssh_set_error(session, SSH_FATAL, "Remote server doesn't accept 3DES");
     goto error;
   }
@@ -114,12 +109,10 @@
    if (buffer_add_u8(session->out_buffer, SSH_CMSG_SESSION_KEY) < 0) {
      goto error;
    }
-
-   if (buffer_add_u8(session->out_buffer,have3Des?SSH_CIPHER_3DES:SSH_CIPHER_DES)
< 0) {
+   if (buffer_add_u8(session->out_buffer, SSH_CIPHER_3DES) < 0) {
      goto error;
    }
-
-   if (buffer_add_data(session->out_buffer,
session->server_kex.cookie, 8) < 0) {
+   if (buffer_add_data(session->out_buffer,
session->next_crypto->server_kex.cookie, 8) < 0) {
      goto error;
    }

@@ -150,8 +143,8 @@
    }

    /* we can set encryption */
-   if(crypt_set_algorithms(session, have3Des?0:1)){
-      goto error;
+   if (crypt_set_algorithms(session)) {
+     goto error;
    }

    session->current_crypto = session->next_crypto;




2012/9/5 Andreas Schneider <asn@xxxxxxxxxxxxxx>:
> On Wednesday 05 September 2012 17:46:59 you wrote:
>> Why DES was removed from master ? There are 3DES only.
>> There are many legacy devices that supports DES only.
>> 0.5.2 branch support DES & 3DES, Can support of DES be restored in master ?
>
> What do you mean exactly? Please give more details.
>
> We didn't remove any DES support.
>
>
>
>         -- andreas
>
> --
> Andreas Schneider                   GPG-ID: F33E3FC6
> www.cryptomilk.org                asn@xxxxxxxxxxxxxx
>
>

Follow-Ups:
Re: master has no DES encryption cipher policyAris Adamantiadis <aris@xxxxxxxxxxxx>
References:
master has no DES encryption cipher policyDmitriy Kuznetsov <dk@xxxxxxxxx>
Re: master has no DES encryption cipher policyAndreas Schneider <asn@xxxxxxxxxxxxxx>
Archive administrator: postmaster@lists.cynapses.org