simon-git: putty (master): Simon Tatham

Commits to Tartarus CVS repository. tartarus-commits at lists.tartarus.org
Sun Apr 26 23:33:53 BST 2015


TL;DR:
  183a9ee Support OpenSSH encrypt-then-MAC protocol extension.
  9d5a164 Use a timing-safe memory compare to verify MACs.

Repository:     git://git.tartarus.org/simon/putty.git
On the web:     http://tartarus.org/~simon-git/gitweb/?p=putty.git
Branch updated: master
Committer:      Simon Tatham <anakin at pobox.com>
Date:           2015-04-26 23:33:53

commit 183a9ee98b6535f8d059b4c488f198532ad84586
web diff http://tartarus.org/~simon-git/gitweb/?p=putty.git;a=commitdiff;h=183a9ee98b6535f8d059b4c488f198532ad84586;hp=78989c97c94ef45b7081d80df1c35f2cc1edfea0
Author: Simon Tatham <anakin at pobox.com>
Date:   Sun Apr 26 23:30:32 2015 +0100

    Support OpenSSH encrypt-then-MAC protocol extension.
    
    This causes the initial length field of the SSH-2 binary packet to be
    unencrypted (with the knock-on effect that now the packet length not
    including MAC must be congruent to 4 rather than 0 mod the cipher
    block size), and then the MAC is applied over the unencrypted length
    field and encrypted ciphertext (prefixed by the sequence number as
    usual). At the cost of exposing some information about the packet
    lengths to an attacker (but rarely anything they couldn't have
    inferred from the TCP headers anyway), this closes down any
    possibility of a MITM using the client as a decryption oracle, unless
    they can _first_ fake a correct MAC.
    
    ETM mode is enabled by means of selecting a different MAC identifier,
    all the current ones of which are constructed by appending
    "-etm@openssh.com" to the name of a MAC that already existed.
    
    We currently prefer the original SSH-2 binary packet protocol (i.e. we
    list all the ETM-mode MACs last in our KEXINIT), on the grounds that
    it's better tested and more analysed, so at the moment the new mode is
    only activated if a server refuses to speak anything else.

 ssh.c      |  169 +++++++++++++++++++++++++++++++++++++++++++++++++++++-------
 ssh.h      |    2 +-
 sshmd5.c   |    2 +-
 sshsh256.c |    2 +-
 sshsha.c   |    8 +--
 5 files changed, 157 insertions(+), 26 deletions(-)
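As an added illustration of the framing change the commit message describes (example code written for this page, not PuTTY's ssh.c; the function and type names are hypothetical), the block below computes the padding rule for both the classic and the ETM layout and builds the byte string an ETM MAC is computed over: sequence number, cleartext length field, then ciphertext. The cipher is a constructed XOR stand-in so the example runs offline; the caller is assumed to pass max(8, cipher block size) as the block size, as RFC 4253 requires.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Added example, not PuTTY's ssh.c: how ETM mode changes the SSH-2 binary
 * packet.  Function and type names here are hypothetical. */

/* Padding length for an SSH-2 packet.  RFC 4253 requires at least 4 bytes
 * of padding and alignment to the block size.  In the classic protocol the
 * 4-byte length field is encrypted with the rest, so 4 + 1 + payload +
 * padding must be a multiple of the block size.  In ETM mode the length
 * field is sent in the clear, so only 1 + payload + padding is aligned,
 * leaving the full packet congruent to 4 mod blocksize. */
size_t ssh2_padding_len(size_t payload_len, size_t blocksize, int etm)
{
    size_t encrypted_len_field = etm ? 0 : 4;
    size_t body = encrypted_len_field + 1 + payload_len; /* 1 = padding_length byte */
    size_t pad = blocksize - (body % blocksize);
    if (pad < 4)
        pad += blocksize;
    return pad;
}

typedef struct {
    uint8_t wire[256];       /* cleartext length field || ciphertext */
    size_t wire_len;
    uint8_t mac_input[260];  /* seqno || length field || ciphertext */
    size_t mac_input_len;
} etm_packet;

static void put_uint32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}

/* Constructed stand-in for the negotiated cipher so the example is
 * deterministic and runs offline.  It is not encryption. */
static void stand_in_cipher(uint8_t *buf, size_t len)
{
    size_t i;
    for (i = 0; i < len; i++)
        buf[i] ^= 0xA5;
}

/* Build the wire image of one outgoing ETM packet (MAC not appended) and
 * the exact byte string the MAC is computed over.  In the classic protocol
 * the MAC instead covers seqno || the whole plaintext packet.  Returns 0 on
 * success, -1 if the payload does not fit the fixed buffers. */
int ssh2_build_etm_packet(uint32_t seqno, const uint8_t *payload,
                          size_t payload_len, size_t blocksize,
                          etm_packet *pkt)
{
    size_t pad = ssh2_padding_len(payload_len, blocksize, 1);
    size_t packet_length = 1 + payload_len + pad;   /* value of the length field */
    uint8_t *p = pkt->wire;

    if (4 + packet_length > sizeof pkt->wire)
        return -1;

    put_uint32(p, (uint32_t)packet_length);  /* stays in the clear in ETM */
    p[4] = (uint8_t)pad;
    memcpy(p + 5, payload, payload_len);
    memset(p + 5 + payload_len, 0, pad);     /* real code uses random padding */
    stand_in_cipher(p + 4, packet_length);   /* everything after the length */
    pkt->wire_len = 4 + packet_length;

    /* ETM MAC covers: sequence number, cleartext length, ciphertext.  The
     * receiver verifies this before decrypting a single byte, which is what
     * removes the decryption-oracle possibility the commit message names. */
    put_uint32(pkt->mac_input, seqno);
    memcpy(pkt->mac_input + 4, pkt->wire, pkt->wire_len);
    pkt->mac_input_len = 4 + pkt->wire_len;
    return 0;
}
```

The receiving side mirrors this: read the 4-byte length in the clear, read `packet_length` bytes of ciphertext plus the MAC, verify the MAC over seqno, length and ciphertext, and only then decrypt. The length field being readable before verification is exactly the information leak the commit message weighs against the oracle it closes.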

commit 9d5a16402168f82ba1bd695c3e95bb4812ccd0a9
web diff http://tartarus.org/~simon-git/gitweb/?p=putty.git;a=commitdiff;h=9d5a16402168f82ba1bd695c3e95bb4812ccd0a9;hp=183a9ee98b6535f8d059b4c488f198532ad84586
Author: Simon Tatham <anakin at pobox.com>
Date:   Sun Apr 26 23:31:11 2015 +0100

    Use a timing-safe memory compare to verify MACs.
    
    Now that we have modes in which the MAC verification happens before
    any other crypto operation and hence will be the only thing seen by an
    attacker, it seems like about time we got round to doing it in a
    cautious way that tries to prevent the attacker from using our memcmp
    as a timing oracle.
    
    So, here's an smemeq() function which has the semantics of !memcmp but
    attempts to run in time dependent only on the length parameter. All
    the MAC implementations now use this in place of !memcmp to verify the
    MAC on input data.

 misc.c     |   16 ++++++++++++++++
 misc.h     |   12 ++++++++++++
 sshmd5.c   |    4 ++--
 sshsh256.c |    4 ++--
 sshsha.c   |    8 ++++----
 5 files changed, 36 insertions(+), 8 deletions(-)
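The early-exit compare and its timing-safe replacement, side by side, as an added example (not PuTTY's misc.c; the names `naive_memeq` and `smemeq_example` are hypothetical). Both functions report how many bytes they examined, which makes the oracle concrete: the early-exit version's work depends on where the first differing byte sits, the safe version's only on the length, as the commit message asks for.

```c
#include <stddef.h>
#include <stdint.h>

/* Added example, not PuTTY's misc.c.  Both compares have the semantics of
 * !memcmp (1 = equal, 0 = different) and record how many bytes they
 * looked at so the timing difference is visible without a stopwatch. */

/* Early-exit compare: stops at the first mismatch, so the running time
 * reveals the index of the first differing byte of a guessed MAC. */
int naive_memeq(const void *a, const void *b, size_t n, size_t *steps)
{
    const uint8_t *p = a, *q = b;
    size_t i;
    for (i = 0; i < n; i++) {
        if (p[i] != q[i]) {
            *steps = i + 1;
            return 0;
        }
    }
    *steps = n;
    return 1;
}

/* Timing-safe compare: touches all n bytes and never branches on data.
 * The XOR of each byte pair is OR-accumulated, so diff is 0 iff every pair
 * matched and otherwise lies in 1..255.  The final expression maps 0 to 1
 * and 1..255 to 0 without a conditional: (diff - 1) wraps to a value with
 * bit 8 set only when diff was 0. */
int smemeq_example(const void *a, const void *b, size_t n, size_t *steps)
{
    const uint8_t *p = a, *q = b;
    unsigned diff = 0;
    size_t i;
    for (i = 0; i < n; i++)
        diff |= (unsigned)(p[i] ^ q[i]);
    *steps = n;
    return (int)(((diff - 1u) >> 8) & 1u);
}

/* MAC verification as a receiver would write it: the tag length is fixed
 * by the negotiated MAC, so depending on n leaks nothing the attacker does
 * not already know. */
int mac_tag_ok(const uint8_t *computed, const uint8_t *received, size_t taglen)
{
    size_t ignored;
    return smemeq_example(computed, received, taglen, &ignored);
}
```

One caveat a reviewer would raise: C gives no guarantee that a compiler preserves the data-independent shape of `smemeq_example`; an optimiser is free to introduce an early exit if it can prove equivalence. Production implementations inspect the generated code, or route the accumulator through `volatile` or a compiler barrier, and that check belongs in the test suite rather than in a comment.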
