simon-git: doit (master): Simon Tatham
Commits to Tartarus hosted VCS
tartarus-commits at lists.tartarus.org
Thu Nov 23 20:21:00 GMT 2017
TL;DR:
6105bce Add nonce generation function for the protocol-test program.
129582d Automate the protocol test.
b99d9a7 Turn doitlib's TESTMODE into a proper test suite.
0a49368 Add autom4te.cache to .gitignore.
2e58d75 Use <stdint.h> and uint32_t in doitlib.c.
8c49904 Crypto update: switch the hash function to SHA-256.
068d957 Crypto: switch the protocol to encrypt-then-MAC.
ed986d6 Crypto: switch to using AES in counter mode, not CBC.
Repository: https://git.tartarus.org/simon/doit.git
On the web: https://git.tartarus.org/?p=simon/doit.git
Branch updated: master
Committer: Simon Tatham <anakin at pobox.com>
Date: 2017-11-23 20:21:00
commit 6105bceec778d21f6463e75b7cace8c541a8df08
web diff https://git.tartarus.org/?p=simon/doit.git;a=commitdiff;h=6105bceec778d21f6463e75b7cace8c541a8df08;hp=71407c20c515a48082e0e03a026fe03112618b33
Author: Simon Tatham <anakin at pobox.com>
Date: Thu Nov 23 19:04:55 2017 +0000
Add nonce generation function for the protocol-test program.
I remembered to update the test main() when I changed the semantics of
doit_incoming_data, but not when I added get_nonce_preimage. Now the
test program compiles again.
doitlib.c | 8 ++++++++
1 file changed, 8 insertions(+)
commit 129582d540a031e513e004887884cb32e7f48dd8
web diff https://git.tartarus.org/?p=simon/doit.git;a=commitdiff;h=129582d540a031e513e004887884cb32e7f48dd8;hp=6105bceec778d21f6463e75b7cace8c541a8df08
Author: Simon Tatham <anakin at pobox.com>
Date: Thu Nov 23 19:14:12 2017 +0000
Automate the protocol test.
Now instead of printing the received data to standard output and
requiring me to eyeball-check it, it checks it itself using memcpy.
Also, while I'm here, I've moved all the side-effect-ful expressions
out of assert statements. In this case I was never building with
-DNDEBUG anyway, but it makes me twitch regardless to see real work
being done inside assert().
doitlib.c | 96 +++++++++++++++++++++++++++++++++++++++++----------------------
1 file changed, 63 insertions(+), 33 deletions(-)
commit b99d9a7bf54abdd27d474dbef179a8ff47bb7f0c
web diff https://git.tartarus.org/?p=simon/doit.git;a=commitdiff;h=b99d9a7bf54abdd27d474dbef179a8ff47bb7f0c;hp=129582d540a031e513e004887884cb32e7f48dd8
Author: Simon Tatham <anakin at pobox.com>
Date: Thu Nov 23 19:07:22 2017 +0000
Turn doitlib's TESTMODE into a proper test suite.
It's now built by the autotools Makefile (but not installed, of
course); it's invoked by a 'make check' target in same, and that in
turn is run by the bob build script so that I can't forget to get it
to pass.
.gitignore | 1 +
Buildscr | 7 +++++++
Makefile.am | 7 +++++++
3 files changed, 15 insertions(+)
commit 0a49368735486160f7f62181652ed9d72fb19851
web diff https://git.tartarus.org/?p=simon/doit.git;a=commitdiff;h=0a49368735486160f7f62181652ed9d72fb19851;hp=b99d9a7bf54abdd27d474dbef179a8ff47bb7f0c
Author: Simon Tatham <anakin at pobox.com>
Date: Thu Nov 23 19:26:10 2017 +0000
Add autom4te.cache to .gitignore.
Somehow there's always _one_ piece of autotools debris that I forget
for ages, and I'm not even sure it's the same one every time...
.gitignore | 1 +
1 file changed, 1 insertion(+)
commit 2e58d75d7d489b122bafbae7c4aa03df008bdc42
web diff https://git.tartarus.org/?p=simon/doit.git;a=commitdiff;h=2e58d75d7d489b122bafbae7c4aa03df008bdc42;hp=0a49368735486160f7f62181652ed9d72fb19851
Author: Simon Tatham <anakin at pobox.com>
Date: Thu Nov 23 19:52:55 2017 +0000
Use <stdint.h> and uint32_t in doitlib.c.
The local uint32 typedef was _so_ last millennium. Even Windows C
compilers have realised stdint.h exists these days, so I can just use
it and stick with the standard type name.
doitlib.c | 121 +++++++++++++++++++++++++++++++-------------------------------
1 file changed, 60 insertions(+), 61 deletions(-)
commit 8c499041c3507b88869c277794302b522c17670a
web diff https://git.tartarus.org/?p=simon/doit.git;a=commitdiff;h=8c499041c3507b88869c277794302b522c17670a;hp=2e58d75d7d489b122bafbae7c4aa03df008bdc42
Author: Simon Tatham <anakin at pobox.com>
Date: Thu Nov 23 19:35:16 2017 +0000
Crypto update: switch the hash function to SHA-256.
Everyone else has switched away from SHA-1 these days (or should
have); just because DoIt's crypto is not especially mission-critical
doesn't mean I shouldn't do so too.
doitlib.c | 187 ++++++++++++++++++++++++++++++++++++-----------------------
doitprot.txt | 12 ++--
2 files changed, 122 insertions(+), 77 deletions(-)
commit 068d9579a461e1b2a553d9922e39a8c20abc841c
web diff https://git.tartarus.org/?p=simon/doit.git;a=commitdiff;h=068d9579a461e1b2a553d9922e39a8c20abc841c;hp=8c499041c3507b88869c277794302b522c17670a
Author: Simon Tatham <anakin at pobox.com>
Date: Thu Nov 23 19:41:30 2017 +0000
Crypto: switch the protocol to encrypt-then-MAC.
This follows what now seems to be standard best practice: when
ciphertext is received, the very first thing that happens is that its
MAC gets verified, and it is not entrusted to any other part of the
code base until that's done. That automatically prevents a variety of
attacks; in particular, decryption oracle attacks involving modifying
the ciphertext in transit and observing the resulting behaviour of the
receiving implementation all now stop working because the behaviour in
question is invariably 'complain about MAC failure'.
Encrypt-then-MAC doesn't work completely trivially with the SSH-style
packet format I was using: if the packet length is inside the first
cipher block, then you can't find it out until after you've decrypted
that block, but if you can't decrypt anything until you've MACed the
whole packet for which you need to know its length, then there's an
obvious dependency cycle. To fix that I've broken up any packet longer
than one cipher block into an 'initial packet' one block in length and
a 'followup packet' containing everything else, and they're MACed
separately, so you can verify the MAC on the first cipher block, then
decrypt it to find the packet length, _then_ read, MAC and decrypt the
followup packet if there is one.
doitlib.c | 136 ++++++++++++++++++++++++++++++++++++++++++++++-------------
doitprot.txt | 75 +++++++++++++++++++++-----------
2 files changed, 157 insertions(+), 54 deletions(-)
commit ed986d670acad806c09f12196f72e6728bb4a7f5
web diff https://git.tartarus.org/?p=simon/doit.git;a=commitdiff;h=ed986d670acad806c09f12196f72e6728bb4a7f5;hp=068d9579a461e1b2a553d9922e39a8c20abc841c
Author: Simon Tatham <anakin at pobox.com>
Date: Thu Nov 23 19:55:15 2017 +0000
Crypto: switch to using AES in counter mode, not CBC.
This is another thing that people seem to have settled on as good
practice these days. It effectively turns your block cipher into a
stream cipher, with a keystream derived from encrypting an
incrementing sequence of 128-bit integers which is then XORed into the
plaintext. So encryption and decryption are the same operations.
The risks of a stream cipher are that an active attacker can make
extremely controlled changes to the plaintext by modifying the
ciphertext (so I couldn't switch to this mode until the MAC was being
checked on all ciphertext before depending on it in _any_ other way,
including decoding the length field out of the packet header), and
that if you reuse the same piece of keystream then a listener can
trivially derive the XOR of two pieces of plaintext (but we never do,
because we only ever regenerate the counter / IV when we also generate
a fresh AES key).
On the plus side, this removes the possibility of a repeated cipher
block. In CBC mode an n-bit block cipher would expect a repeat after
only about 2^{n/2} blocks, due to birthday-paradox considerations; in
counter mode, a repeated cipher block absolutely _cannot_ occur until
the counter has cycled round all 2^n possible block values.
doitlib.c | 72 +++++++++++++++++++++++++++---------------------------------
doitprot.txt | 8 +++++--
2 files changed, 38 insertions(+), 42 deletions(-)
More information about the tartarus-commits
mailing list