simon-git: putty (master): Simon Tatham

Commits to Tartarus hosted VCS tartarus-commits at lists.tartarus.org
Wed Jan 23 22:41:25 GMT 2019


TL;DR:
  1a2fbc66 testcrypt: include a dputs() function.
  f8f96a2f testcrypt: fix the hello-world request!
  e7edc6e7 Uppity: fix an unterminated dupcat in X server setup.
  891c2b96 Uppity X forwarding: fix SockAddr use after free.
  de797aa4 Reinstate CBC flag in AES-CBC ciphers.
  a53559a0 Expose blocklen in the ssh_hash structure.
  8ebdaf0b Fix memory leak when reading a public key.
  c0de1cbb sshhmac: reorganise, and fix crash when used with CBC.
  76aa3f6f Add more random-number noise collection calls.
  628e7948 Replace random_byte() with random_read().
  50877924 Label random-noise sources with an enum of ids.
  320bf847 Replace PuTTY's PRNG with a Fortuna-like system.
  cbbd464f Rewrite the SHA-256 and SHA-1 hash function modules.
  dc2fdb8a Support hardware SHA-256 and SHA-1 on Arm platforms.
  9285c1b9 Identify hash function implementations in the Event Log.
  ba4eeff9 cryptsuite: test hardware and software SHA, if possible.

Repository:     https://git.tartarus.org/simon/putty.git
On the web:     https://git.tartarus.org/?p=simon/putty.git
Branch updated: master
Committer:      Simon Tatham <anakin at pobox.com>
Date:           2019-01-23 22:41:25

commit 1a2fbc66baecb57ce8342ab45d740f0d8cc0b919
web diff https://git.tartarus.org/?p=simon/putty.git;a=commitdiff;h=1a2fbc66baecb57ce8342ab45d740f0d8cc0b919;hp=baff23cdd62ccc34a21534bf32b7779ff8853458
Author: Simon Tatham <anakin at pobox.com>
Date:   Sun Jan 20 21:44:51 2019 +0000

    testcrypt: include a dputs() function.
    
    This allows me to compile testcrypt with -DDEBUG, even though it's not
    linked against the usual collection of platform-specific modules that
    normally provide dputs. I think the simplest possible dputs ('just
    output to stderr') is actually better for testcrypt, because that
    keeps it easy to compile for strange experimental platforms.

 testcrypt.c | 5 +++++
 1 file changed, 5 insertions(+)

commit f8f96a2fecb04cc484fbfa65e711c71a5efc2f88
web diff https://git.tartarus.org/?p=simon/putty.git;a=commitdiff;h=f8f96a2fecb04cc484fbfa65e711c71a5efc2f88;hp=1a2fbc66baecb57ce8342ab45d740f0d8cc0b919
Author: Simon Tatham <anakin at pobox.com>
Date:   Wed Jan 23 18:52:38 2019 +0000

    testcrypt: fix the hello-world request!
    
    The single simplest request in the entire protocol - the command
    'hello' which is supposed to respond 'hello, world\n' to demonstrate
    to an interactive user that testcrypt has started up successfully -
    was missing the trailing newline in the response. :-)

 testcrypt.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

commit e7edc6e7ba2671bf39b1431d371d0e9d0c24e8f0
web diff https://git.tartarus.org/?p=simon/putty.git;a=commitdiff;h=e7edc6e7ba2671bf39b1431d371d0e9d0c24e8f0;hp=f8f96a2fecb04cc484fbfa65e711c71a5efc2f88
Author: Simon Tatham <anakin at pobox.com>
Date:   Wed Jan 23 20:44:46 2019 +0000

    Uppity: fix an unterminated dupcat in X server setup.
    
    Address Sanitiser pointed this out; I surely can't have run Uppity
    under ASan before, or I'd have noticed this months ago.

 unix/ux_x11.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

commit 891c2b96167fe6ece95e179b09780790d496b95b
web diff https://git.tartarus.org/?p=simon/putty.git;a=commitdiff;h=891c2b96167fe6ece95e179b09780790d496b95b;hp=e7edc6e7ba2671bf39b1431d371d0e9d0c24e8f0
Author: Simon Tatham <anakin at pobox.com>
Date:   Wed Jan 23 20:50:49 2019 +0000

    Uppity X forwarding: fix SockAddr use after free.
    
    Another thing pointed out by ASan: new_unix_listener takes ownership
    of the SockAddr you give it, so I shouldn't have been freeing it at
    the end of platform_make_x11_server().

 unix/ux_x11.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

commit de797aa40e1cd5d08ff306f56eff1e2cc4001654
web diff https://git.tartarus.org/?p=simon/putty.git;a=commitdiff;h=de797aa40e1cd5d08ff306f56eff1e2cc4001654;hp=891c2b96167fe6ece95e179b09780790d496b95b
Author: Simon Tatham <anakin at pobox.com>
Date:   Wed Jan 23 20:22:29 2019 +0000

    Reinstate CBC flag in AES-CBC ciphers.
    
    That flag was missing from all the CBC vtables' flags fields, because
    my recent rewrite forgot to put it in. As a result the SSH_MSG_IGNORE
    defence against CBC length oracle attacks was not being enabled.

 sshaes.c | 39 ++++++++++++++++++++++-----------------
 1 file changed, 22 insertions(+), 17 deletions(-)

commit a53559a0dc5e3f4cb37bc2b4abc68cb83d3afe1a
web diff https://git.tartarus.org/?p=simon/putty.git;a=commitdiff;h=a53559a0dc5e3f4cb37bc2b4abc68cb83d3afe1a;hp=de797aa40e1cd5d08ff306f56eff1e2cc4001654
Author: Simon Tatham <anakin at pobox.com>
Date:   Mon Jan 21 19:04:22 2019 +0000

    Expose blocklen in the ssh_hash structure.
    
    Keeping that information alongside the hashes themselves seems more
    sensible than having the HMAC code know that fact about everything it
    can work with.

 ssh.h      |  1 +
 sshhmac.c  | 28 ++++++++++++++++++----------
 sshmd5.c   |  2 +-
 sshsh256.c |  2 +-
 sshsh512.c |  6 +++---
 sshsha.c   |  2 +-
 6 files changed, 25 insertions(+), 16 deletions(-)

commit 8ebdaf0b1d7a9e6d8c498db21e44dfd53b894a87
web diff https://git.tartarus.org/?p=simon/putty.git;a=commitdiff;h=8ebdaf0b1d7a9e6d8c498db21e44dfd53b894a87;hp=a53559a0dc5e3f4cb37bc2b4abc68cb83d3afe1a
Author: Simon Tatham <anakin at pobox.com>
Date:   Wed Jan 23 18:54:34 2019 +0000

    Fix memory leak when reading a public key.
    
    Leak Sanitiser pointed out in passing that the blob read from the key
    file wasn't being freed.

 sshpubk.c | 1 +
 1 file changed, 1 insertion(+)

commit c0de1cbbadbe6371d42d8494daeff798a726dc42
web diff https://git.tartarus.org/?p=simon/putty.git;a=commitdiff;h=c0de1cbbadbe6371d42d8494daeff798a726dc42;hp=8ebdaf0b1d7a9e6d8c498db21e44dfd53b894a87
Author: Simon Tatham <anakin at pobox.com>
Date:   Wed Jan 23 20:12:20 2019 +0000

    sshhmac: reorganise, and fix crash when used with CBC.
    
    I'd forgotten that the SSH-2 BPP uses a defensive measure of
    generating the MAC for successive prefixes of an incoming packet,
    which means that ssh_mac_genresult needs to be nondestructive.
    
    While I'm at it, I've also made all of hmac's hash objects exist all
    the time - they're created up front, destroyed unconditionally on
    free, and in between, whenever one is destroyed at all it's
    immediately recreated. I think this simplifies things in general, and
    in particular, creating at least one hash object immediately will come
    in useful when I add selector vtables in a few commits' time.

 sshhmac.c | 80 ++++++++++++++++++++++++++++++++++++++-------------------------
 1 file changed, 48 insertions(+), 32 deletions(-)

commit 76aa3f6f7a6219c242d0c88e83160aa75ba47262
web diff https://git.tartarus.org/?p=simon/putty.git;a=commitdiff;h=76aa3f6f7a6219c242d0c88e83160aa75ba47262;hp=c0de1cbbadbe6371d42d8494daeff798a726dc42
Author: Simon Tatham <anakin at pobox.com>
Date:   Tue Jan 22 21:01:26 2019 +0000

    Add more random-number noise collection calls.
    
    Mostly on the Unix side: there are lots of places the Windows code was
    collecting noise that the corresponding Unix/GTK code wasn't bothering
    to, such as mouse movements, keystrokes and various network events.
    Also, both platforms had forgotten to collect noise when reading data
    from a pipe to a local proxy process, even though in that
    configuration that's morally equivalent to the network packet timings
    that we'd normally be collecting from.

 unix/gtkwin.c      | 6 ++++++
 unix/uxfdsock.c    | 1 +
 unix/uxplink.c     | 1 +
 unix/uxpterm.c     | 3 +++
 unix/uxsel.c       | 3 +++
 windows/winhandl.c | 1 +
 6 files changed, 15 insertions(+)

commit 628e79483228b0cd4746ed10655e1660f32d6cec
web diff https://git.tartarus.org/?p=simon/putty.git;a=commitdiff;h=628e79483228b0cd4746ed10655e1660f32d6cec;hp=76aa3f6f7a6219c242d0c88e83160aa75ba47262
Author: Simon Tatham <anakin at pobox.com>
Date:   Tue Jan 22 19:43:27 2019 +0000

    Replace random_byte() with random_read().
    
    This is in preparation for a PRNG revamp which will want to have a
    well defined boundary for any given request-for-randomness, so that it
    can destroy the evidence afterwards. So no more looping round calling
    random_byte() and then stopping when we feel like it: now you say up
    front how many random bytes you want, and call random_read() which
    gives you that many in one go.
    
    Most of the call sites that had to be fixed are fairly mechanical, and
    quite a few ended up more concise afterwards. A few became more
    cumbersome, such as mp_random_bits, in which the new API doesn't let
    me load the random bytes directly into the target integer without
    triggering undefined behaviour, so instead I have to allocate a
    separate temporary buffer.
    
    The _most_ interesting call site was in the PKCS#1 v1.5 padding code
    in sshrsa.c (used in SSH-1), in which you need a stream of _nonzero_
    random bytes. The previous code just looped on random_byte, retrying
    if it got a zero. Now I'm doing a much more interesting thing with an
    mpint, essentially scaling a binary fraction repeatedly to extract a
    number in the range [0,255) and then adding 1 to it.

 import.c            | 20 ++++++++++----------
 mpint.c             | 24 +++++++++++-------------
 mpint.h             | 13 +++++++------
 pageant.c           |  4 +---
 putty.h             |  2 +-
 ssh.h               |  2 +-
 ssh1bpp.c           |  5 ++---
 ssh1login-server.c  |  6 ++----
 ssh1login.c         | 12 ++++--------
 ssh2bpp.c           |  9 ++++++---
 ssh2kex-client.c    | 11 +++--------
 ssh2transport.c     |  6 +-----
 sshecc.c            |  4 ++--
 sshprime.c          |  6 ++++--
 sshpubk.c           | 10 ++++------
 sshrand.c           | 14 +++++++++-----
 sshrsa.c            | 35 ++++++++++++++++++++++++++++++-----
 testcrypt.c         |  9 +++------
 unix/uxsftpserver.c |  4 +---
 unix/uxshare.c      |  4 +---
 x11fwd.c            |  9 +++++----
 21 files changed, 108 insertions(+), 101 deletions(-)
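The PKCS#1 v1.5 detail in that commit message (a padding string of nonzero random bytes, produced under an API that wants the size of every request known up front) is easier to see in code than in prose. What follows is an added example written for this digest, not PuTTY's sshrsa.c: it builds and strips a type 2 encryption block, fills the padding string by asking for exactly the still-missing number of bytes per round and rejecting zeros (a different technique from the mpint scaling the commit describes), and uses a constructed xorshift stream named fake_random_read in place of random_read so that it runs offline and deterministically. Every name here (pkcs1_v15_pad, pkcs1_v15_unpad, random_nonzero_bytes, the 128-byte modulus length) is the example's own.

```c
/* Added example, not PuTTY's sshrsa.c: PKCS#1 v1.5 type 2 padding written
 * against a random_read-style interface that wants every request sized up front. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for random_read(): a deterministic xorshift64 stream so
 * the example runs offline. A real build would call the PRNG instead. */
static uint64_t fake_state = 0x9e3779b97f4a7c15ULL;
static void fake_random_read(void *out, size_t n) {
    uint8_t *p = out;
    while (n--) {
        fake_state ^= fake_state << 13; fake_state ^= fake_state >> 7; fake_state ^= fake_state << 17;
        *p++ = (uint8_t)fake_state;
    }
}

/* Fill buf with n nonzero bytes. Every round asks rd() for exactly the count
 * still missing, so each request has a definite size, and zero bytes are
 * rejected rather than remapped, which keeps the result uniform on 1..255.
 * (The commit does this with an mpint instead; rejection is this example's choice.) */
static int random_nonzero_bytes(uint8_t *buf, size_t n, void (*rd)(void *, size_t)) {
    uint8_t fresh[512]; size_t i, j, zeros;
    if (n > sizeof fresh) return 0;
    rd(buf, n);
    for (;;) {
        for (zeros = 0, i = 0; i < n; i++) if (buf[i] == 0) zeros++;
        if (zeros == 0) return 1;
        rd(fresh, zeros);                                   /* one request, sized to the gaps */
        for (i = j = 0; i < n; i++) if (buf[i] == 0) buf[i] = fresh[j++];
    }
}

/* EM = 0x00 || 0x02 || PS || 0x00 || M, where |EM| = k (the modulus length in
 * bytes) and PS is k - |M| - 3 >= 8 nonzero random bytes. */
static int pkcs1_v15_pad(uint8_t *em, size_t k, const uint8_t *msg, size_t mlen,
                         void (*rd)(void *, size_t)) {
    size_t pslen;
    if (k < 11 || mlen > k - 11) return 0;                  /* message too long for this modulus */
    pslen = k - mlen - 3;
    em[0] = 0x00; em[1] = 0x02;
    if (!random_nonzero_bytes(em + 2, pslen, rd)) return 0;
    em[2 + pslen] = 0x00;
    memcpy(em + 3 + pslen, msg, mlen);
    return 1;
}

/* Inverse: the first zero byte after the type byte ends PS. One failure code
 * for every malformed shape; see the note below on why that matters. */
static int pkcs1_v15_unpad(const uint8_t *em, size_t k, uint8_t *msg, size_t *mlen) {
    size_t i;
    if (k < 11 || em[0] != 0x00 || em[1] != 0x02) return 0;
    for (i = 2; i < k && em[i] != 0x00; i++) ;
    if (i < 10 || i == k) return 0;                         /* PS shorter than 8, or no separator */
    *mlen = k - i - 1; memcpy(msg, em + i + 1, *mlen);
    return 1;
}

static int check_pad_roundtrip(void) {
    static const uint8_t msg[] = "constructed session key";   /* 23 bytes of constructed input */
    enum { KLEN = 128, MLEN = 23, PSLEN = KLEN - MLEN - 3 };
    uint8_t em[KLEN], back[KLEN]; size_t i, blen;
    if (!pkcs1_v15_pad(em, KLEN, msg, MLEN, fake_random_read)) return 0;
    if (em[0] != 0x00 || em[1] != 0x02 || em[2 + PSLEN] != 0x00) return 0;
    for (i = 2; i < 2 + PSLEN; i++) if (em[i] == 0) return 0;   /* PS must contain no zero byte */
    if (!pkcs1_v15_unpad(em, KLEN, back, &blen)) return 0;
    return blen == MLEN && memcmp(back, msg, MLEN) == 0;
}
int main(void) { printf("pad round trip %d (1 = ok)\n", check_pad_roundtrip()); return 0; }
```

Rejection keeps the padding bytes uniform on 1..255, which a remap such as r % 255 + 1 would not. On the decrypting side, pkcs1_v15_unpad returns the same failure code for every malformed block; in a live protocol, whether the peer can tell those failures apart (by error message or by timing) is exactly what Bleichenbacher's attack on PKCS#1 v1.5 exploits, so an implementation that still has to speak SSH-1 must make the failure path indistinguishable from success.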

commit 5087792440a04c87767c9bf9a966c1832ac58643
web diff https://git.tartarus.org/?p=simon/putty.git;a=commitdiff;h=5087792440a04c87767c9bf9a966c1832ac58643;hp=628e79483228b0cd4746ed10655e1660f32d6cec
Author: Simon Tatham <anakin at pobox.com>
Date:   Tue Jan 22 18:25:54 2019 +0000

    Label random-noise sources with an enum of ids.
    
    The upcoming PRNG revamp will want to tell noise sources apart, so
    that it can treat them all fairly. So I've added an extra parameter to
    noise_ultralight and random_add_noise, which takes values in an
    enumeration covering all the vague classes of entropy source I'm
    collecting. In this commit, though, it's simply ignored.

 be_nos_s.c         |  2 +-
 be_nossh.c         |  2 +-
 putty.h            | 24 ++++++++++++++++++++++--
 unix/gtkwin.c      |  7 ++++---
 unix/uxfdsock.c    |  2 +-
 unix/uxnet.c       |  8 ++++----
 unix/uxnoise.c     | 12 ++++++------
 unix/uxpgnt.c      |  2 +-
 unix/uxplink.c     |  2 +-
 unix/uxpterm.c     |  2 +-
 unix/uxsel.c       |  2 +-
 windows/window.c   |  6 +++---
 windows/winhandl.c |  2 +-
 windows/winnet.c   |  8 ++++----
 windows/winnoise.c | 24 ++++++++++++------------
 windows/winplink.c |  5 ++---
 windows/winsftp.c  |  3 +--
 17 files changed, 66 insertions(+), 47 deletions(-)

commit 320bf8479ff5bcbad239db4f9f4aa63656b0675e
web diff https://git.tartarus.org/?p=simon/putty.git;a=commitdiff;h=320bf8479ff5bcbad239db4f9f4aa63656b0675e;hp=5087792440a04c87767c9bf9a966c1832ac58643
Author: Simon Tatham <anakin at pobox.com>
Date:   Tue Jan 22 22:42:41 2019 +0000

    Replace PuTTY's PRNG with a Fortuna-like system.
    
    This tears out the entire previous random-pool system in sshrand.c. In
    its place is a system pretty close to Ferguson and Schneier's
    'Fortuna' generator, with the main difference being that I use SHA-256
    instead of AES for the generation side of the system (rationale given
    in comment).
    
    The PRNG implementation lives in sshprng.c, and defines a self-
    contained data type with no state stored outside the object, so you
    can instantiate however many of them you like. The old sshrand.c still
    exists, but in place of the previous random pool system, it's just
    become a client of sshprng.c, whose job is to hold a single global
    instance of the PRNG type, and manage its reference count, save file,
    noise-collection timers and similar administrative business.
    
    Advantages of this change include:
    
     - Fortuna is designed with a more varied threat model in mind than my
       old home-grown random pool. For example, after any request for
       random numbers, it automatically re-seeds itself, so that if the
       state of the PRNG should be leaked, it won't give enough
       information to find out what past outputs _were_.
    
     - The PRNG type can be instantiated with any hash function; the
       instance used by the main tools is based on SHA-256, an improvement
       on the old pool's use of SHA-1.
    
     - The new PRNG only uses the completely standard interface to the
       hash function API, instead of having to have privileged access to
       the internal SHA-1 block transform function. This will make it
       easier to revamp the hash code in general, and also it means that
       hardware-accelerated versions of SHA-256 will automatically be used
       for the PRNG as well as for everything else.
    
     - The new PRNG can be _tested_! Because it has an actual (if not
       quite explicit) specification for exactly what the output numbers
       _ought_ to be derived from the hashes of, I can (and have) put
       tests in cryptsuite that ensure the output really is being derived
       in the way I think it is. The old pool could have been returning
       any old nonsense and it would have been very hard to tell for sure.

 Recipe             |   6 +-
 cmdgen.c           |   4 +-
 defs.h             |   1 +
 putty.h            |   6 +
 ssh.h              |  32 ++++-
 sshprng.c          | 286 ++++++++++++++++++++++++++++++++++++++++++++
 sshrand.c          | 341 ++++++++++-------------------------------------------
 test/cryptsuite.py |  40 +++++++
 testcrypt.c        |  20 ++++
 testcrypt.h        |  12 ++
 unix/uxnoise.c     |  19 ++-
 windows/winnoise.c |  29 ++---
 windows/winpgen.c  |   9 +-
 13 files changed, 480 insertions(+), 325 deletions(-)
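Two of the commit messages above describe behaviour that a short program shows better than prose: the sshhmac reorganisation (ssh_mac_genresult must be nondestructive because the SSH-2 BPP generates the MAC for successive prefixes of an incoming packet) and the Fortuna-like PRNG (output derived only through the standard hash interface, with an automatic rekey after every request so a leaked state does not reveal past output). What follows is an added example written for this digest, not code from PuTTY's sshhmac.c or sshprng.c: a compact SHA-256 whose finalisation works on a copy of its state, an HMAC built on it whose result function is therefore read-only, and a simplified Fortuna-shaped generator using SHA-256 as its only primitive. The names sha256, hmac_sha256, hash_prng and the check_* functions are this example's own, and the entropy pools, reseed scheduling and exact key/counter layout of sshprng.c are deliberately not reproduced.

```c
/* Added illustration, not PuTTY's code: small SHA-256, an HMAC whose genresult
 * leaves its state intact, and a Fortuna-shaped generator built on that hash. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct { uint32_t h[8]; uint8_t buf[64]; size_t buflen; uint64_t total; } sha256;
static const uint32_t K[64] = {
    0x428a2f98,0x71374491,0xb5c0fbcf,0xe9b5dba5,0x3956c25b,0x59f111f1,0x923f82a4,0xab1c5ed5,
    0xd807aa98,0x12835b01,0x243185be,0x550c7dc3,0x72be5d74,0x80deb1fe,0x9bdc06a7,0xc19bf174,
    0xe49b69c1,0xefbe4786,0x0fc19dc6,0x240ca1cc,0x2de92c6f,0x4a7484aa,0x5cb0a9dc,0x76f988da,
    0x983e5152,0xa831c66d,0xb00327c8,0xbf597fc7,0xc6e00bf3,0xd5a79147,0x06ca6351,0x14292967,
    0x27b70a85,0x2e1b2138,0x4d2c6dfc,0x53380d13,0x650a7354,0x766a0abb,0x81c2c92e,0x92722c85,
    0xa2bfe8a1,0xa81a664b,0xc24b8b70,0xc76c51a3,0xd192e819,0xd6990624,0xf40e3585,0x106aa070,
    0x19a4c116,0x1e376c08,0x2748774c,0x34b0bcb5,0x391c0cb3,0x4ed8aa4a,0x5b9cca4f,0x682e6ff3,
    0x748f82ee,0x78a5636f,0x84c87814,0x8cc70208,0x90befffa,0xa4506ceb,0xbef9a3f7,0xc67178f2 };
#define ROR(x, n) (((x) >> (n)) | ((x) << (32 - (n))))

static void sha256_init(sha256 *s) {
    static const uint32_t iv[8] = { 0x6a09e667,0xbb67ae85,0x3c6ef372,0xa54ff53a,
                                    0x510e527f,0x9b05688c,0x1f83d9ab,0x5be0cd19 };
    memcpy(s->h, iv, sizeof iv); s->buflen = 0; s->total = 0;
}
static void sha256_block(sha256 *s, const uint8_t *p) {             /* one 64-byte compression */
    uint32_t w[64], a, b, c, d, e, f, g, hh, i;
    for (i = 0; i < 16; i++)
        w[i] = (uint32_t)p[4*i] << 24 | (uint32_t)p[4*i+1] << 16 | (uint32_t)p[4*i+2] << 8 | p[4*i+3];
    for (; i < 64; i++)
        w[i] = w[i-16] + (ROR(w[i-15], 7) ^ ROR(w[i-15], 18) ^ (w[i-15] >> 3))
             + w[i-7] + (ROR(w[i-2], 17) ^ ROR(w[i-2], 19) ^ (w[i-2] >> 10));
    a = s->h[0]; b = s->h[1]; c = s->h[2]; d = s->h[3]; e = s->h[4]; f = s->h[5]; g = s->h[6]; hh = s->h[7];
    for (i = 0; i < 64; i++) {
        uint32_t t1 = hh + (ROR(e, 6) ^ ROR(e, 11) ^ ROR(e, 25)) + ((e & f) ^ (~e & g)) + K[i] + w[i];
        uint32_t t2 = (ROR(a, 2) ^ ROR(a, 13) ^ ROR(a, 22)) + ((a & b) ^ (a & c) ^ (b & c));
        hh = g; g = f; f = e; e = d + t1; d = c; c = b; b = a; a = t1 + t2;
    }
    s->h[0] += a; s->h[1] += b; s->h[2] += c; s->h[3] += d; s->h[4] += e; s->h[5] += f; s->h[6] += g; s->h[7] += hh;
}
static void sha256_update(sha256 *s, const void *data, size_t len) {
    const uint8_t *p = data;
    s->total += len;
    while (len) {
        size_t n = 64 - s->buflen; if (n > len) n = len;
        memcpy(s->buf + s->buflen, p, n); s->buflen += n; p += n; len -= n;
        if (s->buflen == 64) { sha256_block(s, s->buf); s->buflen = 0; }
    }
}
/* Finalise a copy so the caller's running state survives: the property a MAC
 * needs if it is to be consulted over successive prefixes of one packet. */
static void sha256_final(const sha256 *s, uint8_t out[32]) {
    sha256 t = *s; uint64_t bits = t.total * 8; uint8_t b[8] = { 0x80 }; int i;
    sha256_update(&t, b, 1); b[0] = 0;
    while (t.buflen != 56) sha256_update(&t, b, 1);                 /* zero-pad to 56 mod 64 */
    for (i = 0; i < 8; i++) b[i] = (uint8_t)(bits >> (56 - 8 * i));
    sha256_update(&t, b, 8);                                        /* big-endian bit count */
    for (i = 0; i < 32; i++) out[i] = (uint8_t)(t.h[i / 4] >> (24 - 8 * (i % 4)));
}

typedef struct { sha256 inner, outer; } hmac_sha256;              /* both hashes always exist */
static void hmac_init(hmac_sha256 *m, const uint8_t *key, size_t klen) {    /* assumes klen <= 64 */
    uint8_t ipad[64], opad[64]; size_t i;
    for (i = 0; i < 64; i++) { uint8_t k = i < klen ? key[i] : 0; ipad[i] = k ^ 0x36; opad[i] = k ^ 0x5c; }
    sha256_init(&m->inner); sha256_update(&m->inner, ipad, 64);
    sha256_init(&m->outer); sha256_update(&m->outer, opad, 64);
}
static void hmac_update(hmac_sha256 *m, const void *d, size_t n) { sha256_update(&m->inner, d, n); }
static void hmac_genresult(const hmac_sha256 *m, uint8_t out[32]) {          /* read-only on m */
    sha256 o = m->outer; uint8_t ih[32];
    sha256_final(&m->inner, ih); sha256_update(&o, ih, 32); sha256_final(&o, out);
}

/* Generator side only, Fortuna-shaped: block i = H(key || i). A request ends by
 * replacing key with the next block, so a state captured afterwards cannot
 * reproduce the bytes just handed out. Entropy pools and reseed timing omitted. */
typedef struct { uint8_t key[32]; uint64_t counter; } hash_prng;   /* zero-init, then seed */
static void prng_seed(hash_prng *g, const void *seed, size_t n) {  /* key = H(key || seed) */
    sha256 s; sha256_init(&s); sha256_update(&s, g->key, 32); sha256_update(&s, seed, n);
    sha256_final(&s, g->key);
}
static void prng_block(hash_prng *g, uint8_t blk[32]) {            /* blk = H(key || counter++) */
    sha256 s; uint8_t c[8]; int i;
    for (i = 0; i < 8; i++) c[i] = (uint8_t)(g->counter >> (56 - 8 * i));
    sha256_init(&s); sha256_update(&s, g->key, 32); sha256_update(&s, c, 8);
    sha256_final(&s, blk); g->counter++;
}
static void prng_read(hash_prng *g, uint8_t *out, size_t n) {      /* whole request in one go */
    uint8_t blk[32];
    while (n) { size_t t = n < 32 ? n : 32; prng_block(g, blk); memcpy(out, blk, t); out += t; n -= t; }
    prng_block(g, g->key);                 /* ratchet: the key that produced 'out' is gone */
    memset(blk, 0, sizeof blk);            /* and so is the last partial block */
}

static void hex32(const uint8_t in[32], char out[65]) { int i; for (i = 0; i < 32; i++) sprintf(out + 2 * i, "%02x", (unsigned)in[i]); }
static int check_prefix_mac(void) {  /* RFC 4231 case 2: genresult on a 16-byte prefix, then finish */
    static const char msg[] = "what do ya want for nothing?";
    hmac_sha256 m; uint8_t prefix[32], full[32]; char hx[65];
    hmac_init(&m, (const uint8_t *)"Jefe", 4);
    hmac_update(&m, msg, 16); hmac_genresult(&m, prefix);      /* would corrupt m if destructive */
    hmac_update(&m, msg + 16, 12); hmac_genresult(&m, full); hex32(full, hx);
    return strcmp(hx, "5bdcc146bf60754e6a042426089575c75a003f089d2739839dec58b964ec3843") == 0;
}
static int check_prng_ratchet(void) { /* same seed, same stream; key differs once a read is done */
    hash_prng a = { { 0 }, 0 }, b; uint8_t before[32], oa[40], ob[40];
    prng_seed(&a, "constructed seed", 16); b = a; memcpy(before, a.key, 32);
    prng_read(&a, oa, 40); prng_read(&b, ob, 40);
    return memcmp(oa, ob, 40) == 0 && memcmp(before, a.key, 32) != 0 && a.counter == 3;
}
int main(void) {                                 /* prints "prefix-mac 1 prng-ratchet 1" */
    printf("prefix-mac %d prng-ratchet %d\n", check_prefix_mac(), check_prng_ratchet()); return 0;
}
```

check_prefix_mac is the crash scenario from the sshhmac commit in miniature: the MAC is asked for after 16 bytes and again after the full 28, and the second answer still matches the RFC 4231 vector only because hmac_genresult finalised a copy rather than the live state. check_prng_ratchet is the forward-secrecy claim from the PRNG commit: two generators with the same seed agree byte for byte, and after one 40-byte request the key held in memory is no longer the one that produced those bytes. The memset is the "destroy the evidence" step; a production build would also have to stop the compiler from eliding it, and would need Fortuna's pools and reseed schedule, which this toy leaves out, to resist an attacker who can feed it chosen noise.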

commit cbbd464fd752821fe444d67b891c3977c426dee1
web diff https://git.tartarus.org/?p=simon/putty.git;a=commitdiff;h=cbbd464fd752821fe444d67b891c3977c426dee1;hp=320bf8479ff5bcbad239db4f9f4aa63656b0675e
Author: Simon Tatham <anakin at pobox.com>
Date:   Sun Jan 20 18:44:26 2019 +0000

    Rewrite the SHA-256 and SHA-1 hash function modules.
    
    The new structure of those modules is along similar lines to the
    recent rewrite of AES, with selection of HW vs SW implementation being
    done by the main vtable instead of a subsidiary function pointer
    within it, freedom for each implementation to define its state
    structure however is most convenient, and space to drop in other
    hardware-accelerated implementations.
    
    I've removed the centralised test for compiler SHA-NI support in
    ssh.h, and instead duplicated it between the two SHA modules, on the
    grounds that once you start considering an open-ended set of hardware
    accelerators, the two hashes _need_ not go together.
    
    I've also added an extra test in cryptsuite that checks the point at
    which the end-of-hash padding switches to adding an extra cipher
    block. That was just because I was rewriting that padding code, was
    briefly worried that I might have got an off-by-one error in that part
    of it, and couldn't see any existing test that gave me confidence I
    hadn't.

 ssh.h              |   29 +-
 sshsh256.c         | 1004 ++++++++++++++++++++++++++++++----------------------
 sshsha.c           |  994 +++++++++++++++++++++++++++------------------------
 test/cryptsuite.py |   40 +++
 4 files changed, 1171 insertions(+), 896 deletions(-)

commit dc2fdb8acf19b5a51d4d9bb7d84ad7190b73205c
web diff https://git.tartarus.org/?p=simon/putty.git;a=commitdiff;h=dc2fdb8acf19b5a51d4d9bb7d84ad7190b73205c;hp=cbbd464fd752821fe444d67b891c3977c426dee1
Author: Simon Tatham <anakin at pobox.com>
Date:   Wed Jan 23 07:27:12 2019 +0000

    Support hardware SHA-256 and SHA-1 on Arm platforms.
    
    Similarly to my recent addition of NEON-accelerated AES, these new
    implementations drop in alongside the SHA-NI ones, under a different
    set of ifdefs. All the details of selection and detection are
    essentially the same as they were for the AES code.

 ssh.h              |   2 +
 sshsh256.c         | 219 ++++++++++++++++++++++++++++++++++++++++++++++
 sshsha.c           | 248 +++++++++++++++++++++++++++++++++++++++++++++++++++++
 unix/uxutils.c     |  32 +++++++
 windows/winmiscs.c |  10 +++
 5 files changed, 511 insertions(+)

commit 9285c1b93c4ffdb970d43f26921e4aee31bc6613
web diff https://git.tartarus.org/?p=simon/putty.git;a=commitdiff;h=9285c1b93c4ffdb970d43f26921e4aee31bc6613;hp=dc2fdb8acf19b5a51d4d9bb7d84ad7190b73205c
Author: Simon Tatham <anakin at pobox.com>
Date:   Wed Jan 23 07:29:53 2019 +0000

    Identify hash function implementations in the Event Log.
    
    Similarly to the 'AES (unaccelerated)' naming scheme I added in the
    AES rewrite, the hash functions that have multiple implementations now
    each come with an annotation saying which one they are.
    
    This was more tricky for hashes than for ciphers, because the
    annotation for a hash has to be a separate string literal from the
    base text name, so that it can propagate into the name field for each
    HMAC wrapper without looking silly.

 ssh.h            | 10 +++++++++-
 ssh2kex-client.c | 10 +++++-----
 ssh2kex-server.c |  6 +++---
 sshhmac.c        | 22 ++++++++++++++++------
 sshmd5.c         |  2 +-
 sshsh256.c       | 11 ++++++-----
 sshsh512.c       |  6 ++++--
 sshsha.c         | 11 ++++++-----
 8 files changed, 50 insertions(+), 28 deletions(-)

commit ba4eeff9cb2a513f74484026cae6c06dde73c760
web diff https://git.tartarus.org/?p=simon/putty.git;a=commitdiff;h=ba4eeff9cb2a513f74484026cae6c06dde73c760;hp=9285c1b93c4ffdb970d43f26921e4aee31bc6613
Author: Simon Tatham <anakin at pobox.com>
Date:   Wed Jan 23 18:54:12 2019 +0000

    cryptsuite: test hardware and software SHA, if possible.
    
    Like the AES code before it, I've now exposed the explicit _sw and _hw
    vtables for SHA-256 and SHA-1 through the testcrypt system, and now
    cryptsuite will run the standard test vectors for those hashes over
    both implementations, on a platform where more than one is available.

 test/cryptsuite.py | 129 ++++++++++++++++++++++++++++++++---------------------
 testcrypt.c        |  12 +++++
 testcrypt.h        |   2 +-
 3 files changed, 90 insertions(+), 53 deletions(-)
