simon-git: putty (master): Simon Tatham
Commits to Tartarus hosted VCS
tartarus-commits at lists.tartarus.org
Wed Jan 16 06:45:09 GMT 2019
TL;DR:
85633ac4 cryptsuite.py: Python 3 compatibility fixes.
5ac7cdb1 Make the AES availability cache actually cache things!
9f530d8c Add another standard AES test vector.
f71dce66 Add comprehensive DES test vectors.
c3301562 Expose CRC32 to testcrypt, and add tests for it.
2e866e1f Rewrite CRC implementation to be constant-time.
8611e2f0 Add tests of the CRC compensation detector.
8d88cd21 SSH-1 BPP: pass the IV to detect_attack.
Repository: https://git.tartarus.org/simon/putty.git
On the web: https://git.tartarus.org/?p=simon/putty.git
Branch updated: master
Committer: Simon Tatham <anakin at pobox.com>
Date: 2019-01-16 06:45:09
commit 85633ac4bd6d02f2dc84b88cb207ac63974ab8fb
web diff https://git.tartarus.org/?p=simon/putty.git;a=commitdiff;h=85633ac4bd6d02f2dc84b88cb207ac63974ab8fb;hp=c9f673ac12f867e9365350d6e426ec39e6718210
Author: Simon Tatham <anakin at pobox.com>
Date: Tue Jan 15 22:29:11 2019 +0000
cryptsuite.py: Python 3 compatibility fixes.
I intended cryptsuite to be Python 2/3 agnostic when I first wrote it,
but of course since then I've been testing on whichever Python was
handy and not continuing to check that both actually worked.
test/cryptsuite.py | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)
commit 5ac7cdb1cb08cb19677c48c6a609090baf31aea8
web diff https://git.tartarus.org/?p=simon/putty.git;a=commitdiff;h=5ac7cdb1cb08cb19677c48c6a609090baf31aea8;hp=85633ac4bd6d02f2dc84b88cb207ac63974ab8fb
Author: Simon Tatham <anakin at pobox.com>
Date: Tue Jan 15 22:45:53 2019 +0000
Make the AES availability cache actually cache things!
Ahem. I went to all the effort of setting up a wrapper function that
would store the result of the first call to aes_hw_available(), and
managed to forget to make it set the flag that said it _had_ stored
the result. So the underlying query function was being called every
time.
sshaes.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
commit 9f530d8c55e71f024a490850a8083d6c479fa448
web diff https://git.tartarus.org/?p=simon/putty.git;a=commitdiff;h=9f530d8c55e71f024a490850a8083d6c479fa448;hp=5ac7cdb1cb08cb19677c48c6a609090baf31aea8
Author: Simon Tatham <anakin at pobox.com>
Date: Wed Jan 16 06:22:49 2019 +0000
Add another standard AES test vector.
The 128-bit example from Appendix A/B is a more useful first test case
for a new implementation than the Appendix C tests, because the
standard shows even more of the working (in particular the full set of
intermediate results from key setup).
test/cryptsuite.py | 8 ++++++++
1 file changed, 8 insertions(+)
commit f71dce662eda1652f2214465d688a12c8bdba2b5
web diff https://git.tartarus.org/?p=simon/putty.git;a=commitdiff;h=f71dce662eda1652f2214465d688a12c8bdba2b5;hp=9f530d8c55e71f024a490850a8083d6c479fa448
Author: Simon Tatham <anakin at pobox.com>
Date: Tue Jan 15 19:51:10 2019 +0000
Add comprehensive DES test vectors.
I found some that look pretty good - in particular exercising every
entry in every S-box. These will come in useful when I finish writing
a replacement for the venerable current DES implementation.
test/cryptsuite.py | 145 +++++++++++++++++++++++++++++++++++++++++++++++++++++
testcrypt.c | 1 -
2 files changed, 145 insertions(+), 1 deletion(-)
commit c330156259288c0f733e1ccc8158b2e99284c160
web diff https://git.tartarus.org/?p=simon/putty.git;a=commitdiff;h=c330156259288c0f733e1ccc8158b2e99284c160;hp=f71dce662eda1652f2214465d688a12c8bdba2b5
Author: Simon Tatham <anakin at pobox.com>
Date: Mon Jan 14 20:45:19 2019 +0000
Expose CRC32 to testcrypt, and add tests for it.
Finding even semi-official test vectors for this CRC implementation
was hard, because it turns out not to _quite_ match any of the well
known ones catalogued on the web. Its _polynomial_ is well known, but
the combination of details that go alongside it (starting state,
post-hashing transformation) are not quite the same as any other hash
I know of.
After trawling catalogue websites for a while I finally worked out
that SSH-1's CRC and RFC 1662's CRC are basically the same except for
different choices of starting value and final adjustment. And RFC
1662's CRC is common enough that there _are_ test vectors.
So I've renamed the previous crc32_compute function to crc32_ssh1,
reflecting that it seems to be its own thing unlike any other CRC;
implemented the RFC 1662 CRC as well, as an alternative tiny wrapper
on the inner crc32_update function; and exposed all three functions to
testcrypt. That lets me run standard test vectors _and_ directed tests
of the internal update routine, plus one check that crc32_ssh1 itself
does what I expect.
While I'm here, I've also modernised the code to use uint32_t in place
of unsigned long, and ptrlen instead of separate pointer,length
arguments. And I've removed the general primer on CRC theory from the
header comment, in favour of the more specifically useful information
about _which_ CRC this is and how it matches up to anything else out
there.
(I've bowed to inevitability and put the directed CRC tests in the
'crypt' class in cryptsuite.py. Of course this is a misnomer, since
CRC isn't cryptography, but it falls into the same category in terms
of the role it plays in SSH-1, and I didn't feel like making a new
pointedly-named 'notreallycrypt' container class just for this :-)
Recipe | 4 +-
ssh.h | 5 +-
ssh1bpp.c | 10 ++--
sshcrc.c | 131 ++++++++++++++++++++++-------------------------------
sshcrcda.c | 4 +-
test/cryptsuite.py | 75 ++++++++++++++++++++++++++++++
testcrypt.h | 3 ++
7 files changed, 145 insertions(+), 87 deletions(-)
commit 2e866e1fb7fe69aa87a135c7d017c6920f971080
web diff https://git.tartarus.org/?p=simon/putty.git;a=commitdiff;h=2e866e1fb7fe69aa87a135c7d017c6920f971080;hp=c330156259288c0f733e1ccc8158b2e99284c160
Author: Simon Tatham <anakin at pobox.com>
Date: Mon Jan 14 20:46:12 2019 +0000
Rewrite CRC implementation to be constant-time.
In SSH-1, the CRC is used on sensitive data, because it takes the
place of what ought to be a MAC. This is of course hopelessly bad
security and one of the major reasons SSH-1 was replaced, but even so,
there's no need to add timing and cache side channels _as well_ as all
the other problems with it!
So I've removed the 256-entry lookup table that's the usual way to
implement CRC (in particular, the implementation given in the RFC 1662
appendix shows the same table in full). The new strategy folds in four
bits at a time, using a multiply+XOR technique to replicate the
outgoing four bits in all the right places.
In a crude timing test this gave about a factor of 2 slowdown, which
seemed surprisingly good to me - six multiplies replacing a single
table lookup? But the multiplications in each 4-bit fold are
independent of each other, so I suspect the CPU is managing to
parallelise them.
sshcrc.c | 174 ++++++++++++++-------------------------------------------------
1 file changed, 37 insertions(+), 137 deletions(-)
commit 8611e2f035af5f218490687893cb7915b5929836
web diff https://git.tartarus.org/?p=simon/putty.git;a=commitdiff;h=8611e2f035af5f218490687893cb7915b5929836;hp=2e866e1fb7fe69aa87a135c7d017c6920f971080
Author: Simon Tatham <anakin at pobox.com>
Date: Mon Jan 14 21:19:38 2019 +0000
Add tests of the CRC compensation detector.
I remembered the existence of that module while I was changing the API
of the CRC functions. It's still quite possibly the only code in PuTTY
not written specifically _for_ PuTTY, so it definitely deserves a bit
of a test suite.
In order to expose it through the ptrlen-centric testcrypt system,
I've added some missing 'const' in the detector module itself, but
otherwise I've left the detector code as it was.
Recipe | 4 ++--
ssh.h | 5 +++--
sshcrcda.c | 14 +++++++------
test/cryptsuite.py | 59 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
testcrypt.c | 13 ++++++++++++
testcrypt.h | 1 +
6 files changed, 86 insertions(+), 10 deletions(-)
commit 8d88cd21ef760e691faf8fe075b38399e34a34ad
web diff https://git.tartarus.org/?p=simon/putty.git;a=commitdiff;h=8d88cd21ef760e691faf8fe075b38399e34a34ad;hp=8611e2f035af5f218490687893cb7915b5929836
Author: Simon Tatham <anakin at pobox.com>
Date: Wed Jan 16 06:35:31 2019 +0000
SSH-1 BPP: pass the IV to detect_attack.
In the course of writing the tests for detect_attack, I noticed that
it had a parameter where you can pass in the last cipher block of the
previous packet (or the CBC IV, of course, if there was no previous
packet), so that it can detect a pattern of repeated cipher blocks
even if one of them is just outside the current packet.
But the actual use of the attack detector in ssh1bpp wasn't using that
parameter. Now it is!
ssh1bpp.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
More information about the tartarus-commits
mailing list