simon-git: putty (master): Simon Tatham
Commits to Tartarus hosted VCS
tartarus-commits at lists.tartarus.org
Mon Dec 31 15:02:50 GMT 2018
TL;DR:
a80edab4 Move some manual freeing into freersakey().
5b0f32a1 Centralise RSA PKCS1 signature formatting.
814665fb Clean up RSA and DSA host-key cache formatters.
d73a1716 Remove static list of primes in sshprime.c.
25b034ee Complete rewrite of PuTTY's bignum library.
Repository: https://git.tartarus.org/simon/putty.git
On the web: https://git.tartarus.org/?p=simon/putty.git
Branch updated: master
Committer: Simon Tatham <anakin at pobox.com>
Date: 2018-12-31 15:02:50
commit a80edab4b51c5092a619bd6ac84f66d696003efa
web diff https://git.tartarus.org/?p=simon/putty.git;a=commitdiff;h=a80edab4b51c5092a619bd6ac84f66d696003efa;hp=55cea187e9bc5b504c57be991fde3e3a10c6f54c
Author: Simon Tatham <anakin at pobox.com>
Date: Fri Dec 14 19:42:47 2018 +0000
Move some manual freeing into freersakey().
Several pieces of old code were disposing of pieces of an RSAKey by
manually freeing them one at a time. We have a centralised
freersakey(), so we should use that instead wherever possible.
Where it wasn't possible to switch over to that, it was because we
were only freeing the private fields of the key - so I've fixed that
by cutting freersakey() down the middle and exposing the private-only
half as freersapriv().
pageant.c | 10 ++++------
ssh.h | 1 +
ssh1login.c | 20 +++-----------------
sshrsa.c | 39 +++++++++++++++++++++++++++++----------
4 files changed, 37 insertions(+), 33 deletions(-)
commit 5b0f32a10008f0f487eca670373cc6a7e58a6b89
web diff https://git.tartarus.org/?p=simon/putty.git;a=commitdiff;h=5b0f32a10008f0f487eca670373cc6a7e58a6b89;hp=a80edab4b51c5092a619bd6ac84f66d696003efa
Author: Simon Tatham <anakin at pobox.com>
Date: Thu Dec 13 18:16:07 2018 +0000
Centralise RSA PKCS1 signature formatting.
There was no point in rsa2_sign and rsa2_verify having mirrored
versions of the same code to construct the cleartext of the RSA
signature integer, just because one is building it and the other is
checking it. Much more sensible to have a single function that builds
it, and then rsa2_verify can compare the received integer against that
while rsa2_sign encodes it into an output integer.
sshrsa.c | 101 +++++++++++++++++++++++++++++++--------------------------------
1 file changed, 49 insertions(+), 52 deletions(-)
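The single-builder approach this commit describes, as an added C example; this is mine, not PuTTY's sshrsa.c. Function names and the choice of the SHA-256 DigestInfo prefix are my assumptions, and the RSA exponentiation itself is left out: the verify side takes the bytes already recovered from the signature integer.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* DER DigestInfo prefix for SHA-256 (RFC 8017, section 9.2, note 1). */
static const uint8_t sha256_prefix[] = {
    0x30,0x31,0x30,0x0d,0x06,0x09,0x60,0x86,0x48,0x01,
    0x65,0x03,0x04,0x02,0x01,0x05,0x00,0x04,0x20 };

/* Build EM = 0x00 || 0x01 || PS (>= 8 bytes of 0xff) || 0x00 || T into out
 * (emlen bytes). Returns 1 on success, 0 if emlen is too short.
 * Signer and verifier both call this one function. */
int pkcs1_v15_encode_sha256(const uint8_t digest[32], uint8_t *out, size_t emlen)
{
    size_t tlen = sizeof(sha256_prefix) + 32;
    if (emlen < tlen + 11)
        return 0;
    size_t pslen = emlen - tlen - 3;
    out[0] = 0x00;
    out[1] = 0x01;
    memset(out + 2, 0xff, pslen);
    out[2 + pslen] = 0x00;
    memcpy(out + 3 + pslen, sha256_prefix, sizeof(sha256_prefix));
    memcpy(out + 3 + pslen + sizeof(sha256_prefix), digest, 32);
    return 1;
}

/* Constant-time buffer comparison: no early exit on the first mismatch. */
static int ct_equal(const uint8_t *a, const uint8_t *b, size_t n)
{
    uint8_t diff = 0;
    for (size_t i = 0; i < n; i++)
        diff |= a[i] ^ b[i];
    return diff == 0;
}

/* Verifier side: rebuild the expected EM with the same builder and compare
 * it against the bytes recovered from the signature integer. */
int pkcs1_v15_verify_sha256(const uint8_t digest[32],
                            const uint8_t *recovered, size_t emlen)
{
    uint8_t expected[512];
    if (emlen > sizeof(expected) ||
        !pkcs1_v15_encode_sha256(digest, expected, emlen))
        return 0;
    return ct_equal(expected, recovered, emlen);
}
```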
commit 814665fb229f47a8a03707d8c1cc0c96e0540eda
web diff https://git.tartarus.org/?p=simon/putty.git;a=commitdiff;h=814665fb229f47a8a03707d8c1cc0c96e0540eda;hp=5b0f32a10008f0f487eca670373cc6a7e58a6b89
Author: Simon Tatham <anakin at pobox.com>
Date: Mon Dec 31 13:45:48 2018 +0000
Clean up RSA and DSA host-key cache formatters.
These were both using the old-fashioned strategy of 'count up the
length first, then go back over the same data trying not to do
anything different', which these days I'm trying to replace with
strbufs.
Also, while I was in ssh.h, removed the prototype of rsasanitise()
which doesn't even exist any more.
ssh.h | 4 +---
ssh1login.c | 4 +---
sshdss.c | 63 +++++++++++++++++++++----------------------------------------
sshrsa.c | 55 ++++++++++++++++-------------------------------------
4 files changed, 39 insertions(+), 87 deletions(-)
commit d73a1716f603348739b55b953c3aaa0b86f0ffab
web diff https://git.tartarus.org/?p=simon/putty.git;a=commitdiff;h=d73a1716f603348739b55b953c3aaa0b86f0ffab;hp=814665fb229f47a8a03707d8c1cc0c96e0540eda
Author: Simon Tatham <anakin at pobox.com>
Date: Sun Dec 30 08:48:38 2018 +0000
Remove static list of primes in sshprime.c.
It wasn't really doing any serious harm, but I just got tired of
having to scroll past 700 lines of pointless static data every time I
wanted to look at the actual code in the file. Now primes[] is
initialised as necessary when genprime is first called.
(Since we only use primes up to 2^16, I didn't see any point in doing
anything fancy; this is the most trivial Sieve of Eratosthenes.)
sshprime.c | 747 +++----------------------------------------------------------
1 file changed, 28 insertions(+), 719 deletions(-)
commit 25b034ee39f557cab6e6e7b79591ef46c72cba92
web diff https://git.tartarus.org/?p=simon/putty.git;a=commitdiff;h=25b034ee39f557cab6e6e7b79591ef46c72cba92;hp=d73a1716f603348739b55b953c3aaa0b86f0ffab
Author: Simon Tatham <anakin at pobox.com>
Date: Mon Dec 31 13:53:41 2018 +0000
Complete rewrite of PuTTY's bignum library.
The old 'Bignum' data type is gone completely, and so is sshbn.c. In
its place is a new thing called 'mp_int', handled by an entirely new
library module mpint.c, with API differences both large and small.
The main aim of this change is that the new library should be free of
timing- and cache-related side channels. I've written the code so that
it _should_ - assuming I haven't made any mistakes - do all of its
work without either control flow or memory addressing depending on the
data words of the input numbers. (Though, being an _arbitrary_
precision library, it does have to at least depend on the sizes of the
numbers - but there's a 'formal' size that can vary separately from
the actual magnitude of the represented integer, so if you want to
keep it secret that your number is actually small, it should work fine
to have a very long mp_int and just happen to store 23 in it.) So I've
done all my conditionalisation by means of computing both answers and
doing bit-masking to swap the right one into place, and all loops over
the words of an mp_int go up to the formal size rather than the actual
size.
I haven't actually tested the constant-time property in any rigorous
way yet (I'm still considering the best way to do it). But this code
is surely at the very least a big improvement on the old version, even
if I later find a few more things to fix.
I've also completely rewritten the low-level elliptic curve arithmetic
from sshecc.c; the new ecc.c is closer to being an adjunct of mpint.c
than it is to the SSH end of the code. The new elliptic curve code
keeps all coordinates in Montgomery-multiplication transformed form to
speed up all the multiplications mod the same prime, and only converts
them back when you ask for the affine coordinates. Also, I adopted
extended coordinates for the Edwards curve implementation.
sshecc.c has also had a near-total rewrite in the course of switching
it over to the new system. While I was there, I've separated ECDSA and
EdDSA more completely - they now have separate vtables, instead of a
single vtable in which nearly every function had a big if statement in
it - and also made the externally exposed types for an ECDSA key and
an ECDH context different.
A minor new feature: since the new arithmetic code includes a modular
square root function, we can now support the compressed point
representation for the NIST curves. We seem to have been getting along
fine without that so far, but it seemed a shame not to put it in,
since it was suddenly easy.
In sshrsa.c, one major change is that I've removed the RSA blinding
step in rsa_privkey_op, in which we randomise the ciphertext before
doing the decryption. The purpose of that was to avoid timing leaks
giving away the plaintext - but the new arithmetic code should take
that in its stride in the course of also being careful enough to avoid
leaking the _private key_, which RSA blinding had no way to do
anything about in any case.
Apart from those specific points, most of the rest of the changes are
more or less mechanical, just changing type names and translating code
into the new API.
Recipe | 13 +-
cmdgen.c | 12 +-
contrib/eccref.py | 401 ++++++
contrib/gdb.py | 34 +-
defs.h | 10 +
ecc.c | 1112 ++++++++++++++++
ecc.h | 233 ++++
import.c | 41 +-
marshal.h | 6 +-
mpint.c | 2340 ++++++++++++++++++++++++++++++++++
mpint.h | 386 ++++++
sshbn.h => mpint_i.h | 85 +-
pageant.c | 43 +-
ssh.h | 169 +--
ssh1login-server.c | 22 +-
ssh1login.c | 23 +-
ssh2kex-client.c | 19 +-
ssh2kex-server.c | 11 +-
ssh2transport.c | 13 +-
ssh2transport.h | 4 +-
sshbn.c | 2180 --------------------------------
sshccp.c | 2 +-
sshcommon.c | 10 +-
sshdh.c | 193 ++-
sshdss.c | 186 ++-
sshdssg.c | 86 +-
sshecc.c | 3147 ++++++++++++++--------------------------------
sshecdsag.c | 64 +-
sshprime.c | 280 ++---
sshpubk.c | 18 +-
sshrsa.c | 411 ++----
sshrsag.c | 50 +-
sshserver.h | 2 +-
testbn.c | 275 ----
testdata/bignum.py | 140 ---
testdata/bignumtests.txt | 205 ---
unix/uxserver.c | 5 +-
windows/winpgen.c | 13 +-
38 files changed, 6209 insertions(+), 6035 deletions(-)
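The "compute both answers and bit-mask the right one into place" discipline and the formal-size loop bound described in the commit message above, as an added C example. These are my illustrative routines, not mpint.c's API; the limb type, struct layout and names are assumptions.

```c
#include <stddef.h>
#include <stdint.h>

/* Illustrative limb type and integer; the names are mine, not mpint.c's.
 * nw is the *formal* size: every routine walks all nw limbs, so loop
 * counts depend only on nw, never on how large the value really is. */
typedef uint32_t limb;
typedef struct { size_t nw; limb w[8]; } ct_int;

/* 0/1 flag -> 0x00000000 / 0xffffffff, with no branch. */
static limb mask_of(limb bit) { return (limb)0 - (bit & 1); }

/* r = which ? b : a, one limb at a time. Both inputs are read in full,
 * so neither 'which' nor the values change the memory access pattern. */
void ct_select(ct_int *r, const ct_int *a, const ct_int *b, limb which)
{
    limb m = mask_of(which);
    for (size_t i = 0; i < r->nw; i++)
        r->w[i] = (a->w[i] & ~m) | (b->w[i] & m);
}

/* r = a - b over nw limbs; returns the final borrow (1 iff a < b). */
limb ct_sub(ct_int *r, const ct_int *a, const ct_int *b)
{
    limb borrow = 0;
    for (size_t i = 0; i < r->nw; i++) {
        uint64_t t = (uint64_t)a->w[i] - b->w[i] - borrow;
        r->w[i] = (limb)t;
        borrow = (limb)(t >> 63);   /* top bit set iff this step wrapped */
    }
    return borrow;
}

/* The 'compute both answers, mask one in' pattern: r = (a >= m) ? a - m : a.
 * The subtraction always runs; the borrow decides which result survives. */
void ct_reduce_once(ct_int *r, const ct_int *a, const ct_int *m)
{
    ct_int diff = { a->nw, {0} };
    limb borrow = ct_sub(&diff, a, m);   /* borrow == 1 means a < m: keep a */
    r->nw = a->nw;
    ct_select(r, &diff, a, borrow);
}

/* Equality over all nw limbs with no early exit: 1 if equal, else 0. */
limb ct_eq(const ct_int *a, const ct_int *b)
{
    limb diff = 0;
    for (size_t i = 0; i < a->nw; i++)
        diff |= a->w[i] ^ b->w[i];
    return 1 ^ ((diff | ((limb)0 - diff)) >> 31);   /* top bit of diff|-diff set iff diff != 0 */
}
```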