simon-git: putty (master): Simon Tatham
Commits to Tartarus hosted VCS
tartarus-commits at lists.tartarus.org
Sat Mar 23 08:48:45 GMT 2019
TL;DR:
7fa0749f Generalise the Montgomery-curve DH support.
e400e93b Reduce Curve25519 public values mod 2^255.
c0e62e97 Curve25519: add test vectors from RFC 7748.
Repository: https://git.tartarus.org/simon/putty.git
On the web: https://git.tartarus.org/?p=simon/putty.git
Branch updated: master
Committer: Simon Tatham <anakin at pobox.com>
Date: 2019-03-23 08:48:45
commit 7fa0749fcb38839d7f41845e24d977744f4827cf
web diff https://git.tartarus.org/?p=simon/putty.git;a=commitdiff;h=7fa0749fcb38839d7f41845e24d977744f4827cf;hp=319d4b5075f0b8eba8be386237a1c9ab5f813449
Author: Simon Tatham <anakin at pobox.com>
Date: Sat Mar 23 07:45:02 2019 +0000
Generalise the Montgomery-curve DH support.
This gets rid of the magic constants we apply to the top and bottom
bytes of the random data to make the Curve25519 private DH value. Or
rather, one of the magic constants is completely gone (we can infer it
from curve->fieldBits), and the other is moved into the curve
structure instead of being hardwired into the private-key-inventing
function.
With this change, it will be easy to add the similar Curve448 kex
method, because it's now just a matter of adding the protocol names
and curve constants.
ssh.h | 1 +
sshecc.c | 18 +++++++++++++-----
2 files changed, 14 insertions(+), 5 deletions(-)
commit e400e93bccaaf4bfc6813a15f45100f2abaa6f40
web diff https://git.tartarus.org/?p=simon/putty.git;a=commitdiff;h=e400e93bccaaf4bfc6813a15f45100f2abaa6f40;hp=7fa0749fcb38839d7f41845e24d977744f4827cf
Author: Simon Tatham <anakin at pobox.com>
Date: Sat Mar 23 07:55:58 2019 +0000
Reduce Curve25519 public values mod 2^255.
I just spotted this requirement in RFC 7748. A _sensible_ Ed25519
public value is an integer less than p=2^255-19, but the transport
format allows encoding of numbers up to 2^256, and RFC 7748 has a
specific recommendation for what to do with overlarge ones: namely,
ignore the topmost bit if it is set (i.e. reduce mod 2^255), and deal
with the remaining 19 overlarge values by reducing mod p.
Apparently the purpose is to 'increase resistance to implementation
fingerprinting', so the lack of this step wasn't a serious
interoperability or security issue.
sshecc.c | 8 ++++++++
1 file changed, 8 insertions(+)
commit c0e62e97bb9512b88d3e75be7fb444e4236481ca
web diff https://git.tartarus.org/?p=simon/putty.git;a=commitdiff;h=c0e62e97bb9512b88d3e75be7fb444e4236481ca;hp=e400e93bccaaf4bfc6813a15f45100f2abaa6f40
Author: Simon Tatham <anakin at pobox.com>
Date: Sat Mar 23 08:16:05 2019 +0000
Curve25519: add test vectors from RFC 7748.
My API for ECDH KEX doesn't provide a function to input the random
bytes from which the private key is derived, but conveniently, the
existing call to random_read() in ssh_ecdhkex_m_setup treats the
provided bytes in exactly the way that these test vectors expect.
One of these tests also exercises the 'reduction mod 2^255' case that
I just added.
test/cryptsuite.py | 48 ++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 48 insertions(+)
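The RFC 7748 rules these three commits deal with (clamping random bytes into the private scalar, reducing a received public u-coordinate mod 2^255 and then mod p, and the section 5.2 test vectors) as an added Python example; this is not PuTTY's code and is not taken from these commits, and it assumes nothing beyond the Python standard library.

```python
P = 2**255 - 19   # Curve25519 field prime p
A24 = 121665      # (486662 - 2) / 4, the ladder constant for Curve25519's A

def decode_u(b: bytes) -> int:
    # RFC 7748 section 5: ignore bit 255 of the 32-byte little-endian
    # encoding (i.e. reduce mod 2^255), then reduce the result mod p.
    return (int.from_bytes(b, "little") & ((1 << 255) - 1)) % P

def clamp_scalar(b: bytes) -> int:
    # Derive a private scalar from 32 random bytes: clear the low 3 bits
    # (cofactor 8), clear bit 255 and set bit 254 (the "magic constants").
    s = bytearray(b)
    s[0] &= 248
    s[31] = (s[31] & 127) | 64
    return int.from_bytes(s, "little")

def cswap(swap: int, a: int, b: int):
    # Conditional swap by mask rather than branch, as in RFC 7748.
    d = (a ^ b) & -swap
    return a ^ d, b ^ d

def ladder(k: int, u: int) -> int:
    # Montgomery ladder: u-coordinate of k times the point with u-coordinate u.
    x2, z2, x3, z3, swap = 1, 0, u, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        x2, x3 = cswap(swap, x2, x3)
        z2, z3 = cswap(swap, z2, z3)
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3, z3 = pow(da + cb, 2, P), u * pow(da - cb, 2, P) % P
        x2, z2 = aa * bb % P, e * (aa + A24 * e) % P
    x2, x3 = cswap(swap, x2, x3)
    z2, z3 = cswap(swap, z2, z3)
    return x2 * pow(z2, P - 2, P) % P   # affine u = x2 / z2

def x25519(scalar: bytes, u: bytes) -> bytes:
    # X25519 on raw 32-byte inputs; output is little-endian, as on the wire.
    return ladder(clamp_scalar(scalar), decode_u(u)).to_bytes(32, "little")

if __name__ == "__main__":
    # RFC 7748 section 5.2 vector whose u has bit 255 set: needs the mod 2^255 step.
    k = bytes.fromhex("4b66e9d4d1b4673c5ad22691957d6af5c11b6421e0ea01d42ca4169e7918ba0d")
    u = bytes.fromhex("e5210f12786811d3f4b7959d0538ae2c31dbe7106fc03c3efc4cd549c715a493")
    print(x25519(k, u).hex())
```

Python big-integer arithmetic is not constant-time, so this shows the arithmetic and input handling only, not a side-channel-resistant implementation.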