
Re: Missing signed-off for pkg chacha20 patches


On Thursday, 14 June 2018 16:06:20 CEST Andreas Schneider wrote:
> On Thursday, 14 June 2018 16:03:29 CEST Andreas Schneider wrote:
> > On Wednesday, 13 June 2018 16:35:16 CEST Andreas Schneider wrote:
> > > On Saturday, 9 June 2018 01:58:57 CEST Jon Simons wrote:
> > > > On 6/8/18 7:09 AM, Andreas Schneider wrote:
> > > > > I'm currently working on chacha20 to merge Aris' work. There are two pkd
> > > > > patches from you which don't have a Signed-off-by tag from you.
> > > > > 
> > > > > Could you please give me the permission to add it or send the attached
> > > > > patch back with them?
> > > > > 
> > > > > Also, could you test this patchset?
> > > > 
> > > > Excited to see the chacha20 work headed to master.
> > > > 
> > > > I gave the patchset some review and testing this afternoon and I've
> > > > attached a respin of the patchset that includes:
> > > > 
> > > >  * fixes for current master pkd:
> > > >    https://www.libssh.org/archive/libssh/2018-05/0000009.html
> > > >  * the older chacha20 patches now with my Signed-off
> > > >  * a couple of minor adjustments plus fix for the mbedTLS build
> > > > 
> > > > These should apply cleanly on to
> > > > 0940b0f29b4fef86e56dffdd13d978f9692b78fc.
> > > > 
> > > > I tested this series with these combinations of pkd:
> > > >  * Debian Jessie with OpenSSL 1.0.1, libgcrypt20
> > > >  * Debian Stretch with OpenSSL 1.1.0, libgcrypt20, mbedTLS
> > > > 
> > > > Please let me know if I can be of any further help or if you'd like to
> > > > see any changes to the adjustments I made.  I can also send out the
> > > > patches in another format if that would be helpful.
> > > 
> > > Also the pkd test doesn't work on Fedora 26. The reason is the default
> > > config. There is:
> > > 
> > > /etc/ssh/ssh_config.d/05-redhat.conf
> > > 
> > > which includes
> > > 
> > > /etc/crypto-policies/back-ends/openssh.config
> > > 
> > > and that file sets:
> > > 
> > > Ciphers aes256-gcm@xxxxxxxxxxx,chacha20-poly1305@xxxxxxxxxxx,aes256-ctr,aes256-cbc,aes128-gcm@xxxxxxxxxxx,aes128-ctr,aes128-cbc
> > > MACs hmac-sha2-256-etm@xxxxxxxxxxx,hmac-sha1-etm@xxxxxxxxxxx,umac-128-etm@xxxxxxxxxxx,hmac-sha2-512-etm@xxxxxxxxxxx,hmac-sha2-256,hmac-sha1,umac-128@xxxxxxxxxxx,hmac-sha2-512
> > > GSSAPIKexAlgorithms gss-gex-sha1-,gss-group14-sha1-
> > > KexAlgorithms curve25519-sha256@xxxxxxxxxx,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1
> > > 
> > > 
> > > So you're not allowed to use certain ciphers!
> > > 
> > > 
> > > So you need to create a ssh config file and use 'ssh -F configfile' which
> > > already sets the above to allow all ciphers we want to test.
> > > 
> > > 	Andreas
> > 
> > Looks like openssh removed support for ssh-dss. At least my openssh 7.7
> > doesn't know about it at all.
> > 
> > I would remove it from libssh after the release of 0.8 together with SSHv1
> > support.
> > 
> > I think we can remove it from pkd already? Comments?
> 
> Same for blowfish_cbc.

Ok, the plan is to remove SSHv1, ssh-dss and blowfish-cbc should be optional 
but turned off by default.

pkd should detect the ssh version (ssh -V) and turn off ssh-dss and blowfish-cbc
checks if not supported, if we have it compiled in. Maybe the easiest is to run

system("ssh -V > /tmp/ssh_versionXXXX");

and read with

rc = sscanf(str, "OpenSSH_%u.%u", &major, &minor);


Could you implement that in pkd?

-- 
Andreas Schneider                   GPG-ID: CC014E3D
www.cryptomilk.org                asn@xxxxxxxxxxxxxx
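
The version check proposed in this message, sketched as an added example (not code from the thread or from libssh's pkd). It reads `ssh -V` through `popen()` with stderr merged in, since ssh prints its version on stderr, which also avoids a predictable file under /tmp. The helper names and the 7.7 cutoff are assumptions; the thread only says that OpenSSH 7.7 no longer knows ssh-dss.

```c
#define _POSIX_C_SOURCE 200809L /* for popen()/pclose() */
#include <stdio.h>

/* Hypothetical helper names; not taken from libssh's pkd sources. */
struct ssh_version { unsigned int major, minor; };

/* Parse a banner such as "OpenSSH_7.7p1, OpenSSL 1.1.0h ...".
 * Returns 0 on success, -1 if it is not an OpenSSH banner. */
static int parse_openssh_version(const char *banner, struct ssh_version *v)
{
    unsigned int major, minor;

    if (sscanf(banner, "OpenSSH_%u.%u", &major, &minor) != 2)
        return -1;
    v->major = major;
    v->minor = minor;
    return 0;
}

/* Run "ssh -V" and parse the first line it prints. */
static int query_openssh_version(struct ssh_version *v)
{
    char line[256];
    int rc = -1;
    FILE *fp = popen("ssh -V 2>&1", "r");

    if (fp == NULL)
        return -1;
    if (fgets(line, sizeof(line), fp) != NULL)
        rc = parse_openssh_version(line, v);
    pclose(fp);
    return rc;
}

/* True when the detected client is older than major.minor. */
static int version_before(const struct ssh_version *v,
                          unsigned int major, unsigned int minor)
{
    return v->major < major || (v->major == major && v->minor < minor);
}

int main(void)
{
    struct ssh_version v;
    /* Unknown client: skip the legacy checks. 7.7 is an assumed cutoff. */
    int legacy = query_openssh_version(&v) == 0 && version_before(&v, 7, 7);

    printf("ssh-dss and blowfish-cbc checks: %s\n", legacy ? "on" : "off");
    return 0;
}
```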


