simon-git: putty (master): Simon Tatham
Commits to Tartarus hosted VCS
tartarus-commits at lists.tartarus.org
Sun Jan 13 14:41:41 GMT 2019
TL;DR:
91284547 Localise AESContext into sshaes.c.
ee8025dd testcrypt: allow ssh2_cipher_new to return NULL.
be5c0e63 Rename the AES vtables.
dfdb73e1 Complete rewrite of the AES code.
c507e9c9 testcrypt: test both hardware and software AES.
63781454 cryptsuite: test parallel CBC decryption.
Repository: https://git.tartarus.org/simon/putty.git
On the web: https://git.tartarus.org/?p=simon/putty.git
Branch updated: master
Committer: Simon Tatham <anakin at pobox.com>
Date: 2019-01-13 14:41:41
commit 9128454750109a86d9168df150bafcd6ca5ef0fe
web diff https://git.tartarus.org/?p=simon/putty.git;a=commitdiff;h=9128454750109a86d9168df150bafcd6ca5ef0fe;hp=a3e63c707999861228b5fe1008c133e6c6cc4a04
Author: Simon Tatham <anakin at pobox.com>
Date: Fri Jan 11 06:32:00 2019 +0000
Localise AESContext into sshaes.c.
All access to AES throughout the code is now done via the ssh2_cipher
vtable interface. All code that previously made direct calls to the
underlying functions (for encrypting and decrypting private key files)
now does it by instantiating an ssh2_cipher.
This removes constraints on the AES module's internal structure, and
allows me to reorganise it as much as I like.
import.c | 45 +++++++++++++++++++--------------------------
ssh.h | 11 -----------
sshaes.c | 25 +++++++++++++++----------
3 files changed, 34 insertions(+), 47 deletions(-)
commit ee8025dd1c0b12c0f1d1c70f03ceebf29870003d
web diff https://git.tartarus.org/?p=simon/putty.git;a=commitdiff;h=ee8025dd1c0b12c0f1d1c70f03ceebf29870003d;hp=9128454750109a86d9168df150bafcd6ca5ef0fe
Author: Simon Tatham <anakin at pobox.com>
Date: Fri Jan 11 06:47:39 2019 +0000
testcrypt: allow ssh2_cipher_new to return NULL.
No cipher construction function _currently_ returns NULL, but one's
about to start, so the testcrypt system will have to be able to cope.
This is the first time a function in the testcrypt API has had an
'opt' type as its return value rather than an argument. But it works
just the same in reverse: the wire protocol emits the special
identifer "NULL" when the optional return value is absent, and the
Python module catches that and rewrites it as Python 'None'.
test/testcrypt.py | 4 ++++
testcrypt.c | 8 ++++++++
testcrypt.h | 2 +-
3 files changed, 13 insertions(+), 1 deletion(-)
commit be5c0e635658de694dab26c0f1daf8635fc72219
web diff https://git.tartarus.org/?p=simon/putty.git;a=commitdiff;h=be5c0e635658de694dab26c0f1daf8635fc72219;hp=ee8025dd1c0b12c0f1d1c70f03ceebf29870003d
Author: Simon Tatham <anakin at pobox.com>
Date: Sun Jan 13 13:46:16 2019 +0000
Rename the AES vtables.
The old names like ssh_aes128 and ssh_aes128_ctr reflect the SSH
protocol IDs, which is all very well, but I think a more important
principle is that it should be easy for me to remember which cipher
mode each one refers to. So I've renamed them so that they all end in
_cbc and _sdctr.
(I've left alone the string identifiers used by testcrypt, for the
moment. Perhaps I'll go back and change those later.)
import.c | 6 +++---
ssh.h | 12 ++++++------
sshaes.c | 28 ++++++++++++++--------------
testcrypt.c | 12 ++++++------
4 files changed, 29 insertions(+), 29 deletions(-)
commit dfdb73e103366081045f7e5c23ed1a35e4777da4
web diff https://git.tartarus.org/?p=simon/putty.git;a=commitdiff;h=dfdb73e103366081045f7e5c23ed1a35e4777da4;hp=be5c0e635658de694dab26c0f1daf8635fc72219
Author: Simon Tatham <anakin at pobox.com>
Date: Sun Jan 13 13:47:10 2019 +0000
Complete rewrite of the AES code.
sshaes.c is more or less completely changed by this commit.
Firstly, I've changed the top-level structure. In the old structure,
there were three levels of indirection controlling what an encryption
function would actually do: first the ssh2_cipher vtable, then a
subsidiary set of function pointers within that to select the software
or hardware implementation, and then inside the main encryption
function, a switch on the key length to jump into the right place in
the unrolled loop of cipher rounds.
That was all a bit untidy. So now _all_ of that is done by means of
just one selection system, namely the ssh2_cipher vtable. The software
and hardware implementations of a given SSH cipher each have their own
separate vtable, e.g. ssh2_aes256_sdctr_sw and ssh2_aes256_sdctr_hw;
this allows them to have their own completely different state
structures too, and not have to try to coexist awkwardly in the same
universal AESContext with workaround code to align things correctly.
The old implementation-agnostic vtables like ssh2_aes256_sdctr still
exist, but now they're mostly empty, containing only the constructor
function, which will decide whether AES-NI is currently available and
then choose one of the other _real_ vtables to instantiate.
As well as the cleaner data representation, this also means the
vtables can have different description strings, which means the Event
Log will indicate which AES implementation is actually in use; it
means the SW and HW vtables are available for testcrypt to use
(although actually using them is left for the next commit); and in
principle it would also make it easy to support a user override for
the automatic SW/HW selection (in case anyone turns out to want one).
The AES-NI implementation has been reorganised to fit into the new
framework. One thing I've done is to de-optimise the key expansion:
instead of having a separate blazingly fast loop-unrolled key setup
function for each key length, there's now just one, which uses AES
intrinsics for the actual transformations of individual key words, but
wraps them in a common loop structure for all the key lengths which
has a clear correspondence to the cipher spec. (Sorry to throw away
your work there, Pavel, but this isn't an application where key setup
really _needs_ to be hugely fast, and I decided I prefer a version I
can understand and debug.)
The software AES implementation is also completely replaced with one
that uses a bit-sliced representation, i.e. the cipher state is split
across eight integers in such a way that each logical byte of the
state occupies a single bit in each of those integers. The S-box
lookup is done by a long string of AND and XOR operations on the eight
bits (removing the potential cache side channel from a lookup table),
and this representation allows 64 S-box lookups to be done in parallel
simply by extending those AND/XOR operations to be bitwise ones on a
whole word. So now we can perform four AES encryptions or decryptions
in parallel, at least when the cipher mode permits it (which SDCTR and
CBC decryption both do).
The result is slower than the old implementation, but (a) not by as
much as you might think - those parallel S-boxes are surprisingly
competitive with 64 separate table lookups; (b) the compensation is
that now it should run in constant time with no data-dependent control
flow or memory addressing; and (c) in any case the really fast
hardware implementation will supersede it for most users.
mpint_i.h | 23 +
ssh.h | 3 +
sshaes.c | 2898 ++++++++++++++++++++++++++++---------------------------------
3 files changed, 1344 insertions(+), 1580 deletions(-)
commit c507e9c964f08e6233721408918f1178c1f13692
web diff https://git.tartarus.org/?p=simon/putty.git;a=commitdiff;h=c507e9c964f08e6233721408918f1178c1f13692;hp=dfdb73e103366081045f7e5c23ed1a35e4777da4
Author: Simon Tatham <anakin at pobox.com>
Date: Sun Jan 13 13:48:19 2019 +0000
testcrypt: test both hardware and software AES.
The new explicit vtables for the hardware and software implementations
are now exposed by name in the testcrypt protocol, and cryptsuite.py
runs all the AES tests separately on both.
(When hardware AES is compiled out, ssh2_cipher_new("aes128_hw") and
similar calls will return None, and cryptsuite.py will respond by
skipping those tests.)
ssh.h | 12 +++++++++
test/cryptsuite.py | 73 +++++++++++++++++++++++++++++++-----------------------
testcrypt.c | 12 +++++++++
3 files changed, 66 insertions(+), 31 deletions(-)
commit 637814544c023127b4a5cc9851762064f3a967c3
web diff https://git.tartarus.org/?p=simon/putty.git;a=commitdiff;h=637814544c023127b4a5cc9851762064f3a967c3;hp=c507e9c964f08e6233721408918f1178c1f13692
Author: Simon Tatham <anakin at pobox.com>
Date: Sun Jan 13 13:13:21 2019 +0000
cryptsuite: test parallel CBC decryption.
This was the most complicated one of the cipher modes to get right, so
I thought I'd add a test to make sure the IV is being written out
correctly after a decryption of any number of cipher blocks.
test/cryptsuite.py | 39 +++++++++++++++++++++++++++++++++++++++
1 file changed, 39 insertions(+)
More information about the tartarus-commits
mailing list