simon-git: putty (master): Simon Tatham
Commits to Tartarus hosted VCS
tartarus-commits at lists.tartarus.org
Fri Feb 28 20:51:13 GMT 2020
TL;DR:
027f1c67 Switch to running cryptsuite.py under Python 3.
0645824e eccref.py: handle order-2 points in Montgomery curves.
141b75a7 Preserve zero denominators in ECC point normalisation.
c9a8fa63 New query function ecc_montgomery_is_identity.
122d7852 eccref.py: move support routines into a new file.
3ee9b929 numbertheory.py: factor out invert().
7be2e160 numbertheory.py: make the ModP class hashable.
072d3c66 numbertheory.py: generalise SqrtModP to do other roots.
f82af9ff numbertheory.py: cubic and quartic solver mod p.
1cad3c82 eccref.py: find low-order points on Montgomery curves.
77516578 Reject all low-order points in Montgomery key exchange.
Repository: https://git.tartarus.org/simon/putty.git
On the web: https://git.tartarus.org/?p=simon/putty.git
Branch updated: master
Committer: Simon Tatham <anakin at pobox.com>
Date: 2020-02-28 20:51:13
commit 027f1c67ecaa189fb86eb53e0b26deb85db2dc90
web diff https://git.tartarus.org/?p=simon/putty.git;a=commitdiff;h=027f1c67ecaa189fb86eb53e0b26deb85db2dc90;hp=cc57ae74cc84bc640f913aa501a8eb611c76d84a
Author: Simon Tatham <anakin at pobox.com>
Date: Fri Feb 28 20:39:08 2020 +0000
Switch to running cryptsuite.py under Python 3.
I'm getting tired of maintaining it as 2/3 compatible; 2 is on the way
out anyway and I'm losing patience. In future, if it breaks in 2, I
think I'm going to stop caring.
Buildscr | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
commit 0645824e4d9db92ea03d2bbebd42730f0c8c8d0d
web diff https://git.tartarus.org/?p=simon/putty.git;a=commitdiff;h=0645824e4d9db92ea03d2bbebd42730f0c8c8d0d;hp=027f1c67ecaa189fb86eb53e0b26deb85db2dc90
Author: Simon Tatham <anakin at pobox.com>
Date: Wed Feb 26 19:23:03 2020 +0000
eccref.py: handle order-2 points in Montgomery curves.
If a point doubles to the identity, we should return the identity,
rather than throwing a Python divide-by-zero exception.
test/eccref.py | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
commit 141b75a71abe8bcc8dc891ac7b68a772be644e32
web diff https://git.tartarus.org/?p=simon/putty.git;a=commitdiff;h=141b75a71abe8bcc8dc891ac7b68a772be644e32;hp=0645824e4d9db92ea03d2bbebd42730f0c8c8d0d
Author: Simon Tatham <anakin at pobox.com>
Date: Fri Feb 28 19:25:13 2020 +0000
Preserve zero denominators in ECC point normalisation.
ecc_montgomery_normalise takes a point with X and Z coordinates, and
normalises it to Z=1 by means of multiplying X by the inverse of Z and
then setting Z=1.
If you pass in a point with Z=0, representing the curve identity, then
it would be nice to still get the identity back out again afterwards.
We haven't really needed that property until now, but I'm about to
want it.
Currently, what happens is that we try to invert Z mod p; fail, but
don't notice we've failed, and come out with some nonsense value as
the inverse; multiply X by that; and then _set Z to 1_. So the output
value no longer has Z=0.
This commit changes things so that we multiply Z by the inverse we
computed. That way, if Z started off 0, it stays 0.
Also made the same change in the other two curve types, on general
principles, though I don't yet have a use for that.
ecc.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
commit c9a8fa639e7d200fbad31c24eb031c7e77ddc7ec
web diff https://git.tartarus.org/?p=simon/putty.git;a=commitdiff;h=c9a8fa639e7d200fbad31c24eb031c7e77ddc7ec;hp=141b75a71abe8bcc8dc891ac7b68a772be644e32
Author: Simon Tatham <anakin at pobox.com>
Date: Fri Feb 28 19:32:35 2020 +0000
New query function ecc_montgomery_is_identity.
To begin with, this allows me to add a regression test for the change
in the previous commit.
ecc.c | 5 +++++
ecc.h | 5 +++++
test/cryptsuite.py | 6 ++++++
testcrypt.h | 1 +
4 files changed, 17 insertions(+)
commit 122d785283a2cf389537a5b6775c0e205b80faba
web diff https://git.tartarus.org/?p=simon/putty.git;a=commitdiff;h=122d785283a2cf389537a5b6775c0e205b80faba;hp=c9a8fa639e7d200fbad31c24eb031c7e77ddc7ec
Author: Simon Tatham <anakin at pobox.com>
Date: Fri Feb 28 19:35:21 2020 +0000
eccref.py: move support routines into a new file.
I'm about to want to expand the underlying number-theory code, so I'll
start by moving it into a file where it has room to grow without
swamping the main purpose of eccref.py.
test/eccref.py | 179 +-------------------------------------------------
test/numbertheory.py | 181 +++++++++++++++++++++++++++++++++++++++++++++++++++
2 files changed, 182 insertions(+), 178 deletions(-)
commit 3ee9b929352442040b13692e7f6d5f7a0d7a5218
web diff https://git.tartarus.org/?p=simon/putty.git;a=commitdiff;h=3ee9b929352442040b13692e7f6d5f7a0d7a5218;hp=122d785283a2cf389537a5b6775c0e205b80faba
Author: Simon Tatham <anakin at pobox.com>
Date: Fri Feb 28 20:13:06 2020 +0000
numbertheory.py: factor out invert().
I'm about to want to reuse it.
test/numbertheory.py | 26 ++++++++++++--------------
1 file changed, 12 insertions(+), 14 deletions(-)
commit 7be2e160233f232c0d559139d1dd2f9efbb5ab0c
web diff https://git.tartarus.org/?p=simon/putty.git;a=commitdiff;h=7be2e160233f232c0d559139d1dd2f9efbb5ab0c;hp=3ee9b929352442040b13692e7f6d5f7a0d7a5218
Author: Simon Tatham <anakin at pobox.com>
Date: Fri Feb 28 20:13:46 2020 +0000
numbertheory.py: make the ModP class hashable.
That will let me keep them in sets.
test/numbertheory.py | 2 ++
1 file changed, 2 insertions(+)
commit 072d3c665a5943f2ff1d396af5a1457c462afa92
web diff https://git.tartarus.org/?p=simon/putty.git;a=commitdiff;h=072d3c665a5943f2ff1d396af5a1457c462afa92;hp=7be2e160233f232c0d559139d1dd2f9efbb5ab0c
Author: Simon Tatham <anakin at pobox.com>
Date: Fri Feb 28 20:14:28 2020 +0000
numbertheory.py: generalise SqrtModP to do other roots.
I'm about to want to solve quartics mod a prime, which means I'll need
to be able to take cube roots mod p as well as square roots.
This commit introduces a more general class which can take rth roots
for any prime r, and moreover, it can do it in a general cyclic group.
(You have to tell it the group's order and give it some primitives for
doing arithmetic, plus a way of iterating over the group elements that
it can use to look for a non-rth-power and roots of unity.)
That system makes it nicely easy to test, because you can give it a
cyclic group represented as the integers under _addition_, and then
you obviously know what all the right answers are. So I've also added
a unit test system checking that.
test/eccref.py | 12 ++--
test/numbertheory.py | 188 +++++++++++++++++++++++++++++++++++++++------------
2 files changed, 149 insertions(+), 51 deletions(-)
commit f82af9ffe2eded0a0e49002dd0a5e41f0b62f61f
web diff https://git.tartarus.org/?p=simon/putty.git;a=commitdiff;h=f82af9ffe2eded0a0e49002dd0a5e41f0b62f61f;hp=072d3c665a5943f2ff1d396af5a1457c462afa92
Author: Simon Tatham <anakin at pobox.com>
Date: Fri Feb 28 20:17:15 2020 +0000
numbertheory.py: cubic and quartic solver mod p.
I'm going to want to use this for finding special values in elliptic
curves' ground fields.
In order to solve cubics and quartics in F_p, you have to work in
F_{p^2}, for much the same reasons that you have to be willing to use
complex numbers if you want to solve general cubics over the reals
(even if all the eventual roots turn out to be real after all). So
I've also introduced another arithmetic class to work in that kind of
field, and a shim that glues that on to the cyclic-group root finder
from the previous commit.
test/numbertheory.py | 356 +++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 356 insertions(+)
commit 1cad3c825566d4b1ec4a9994c1743a7cda08364f
web diff https://git.tartarus.org/?p=simon/putty.git;a=commitdiff;h=1cad3c825566d4b1ec4a9994c1743a7cda08364f;hp=f82af9ffe2eded0a0e49002dd0a5e41f0b62f61f
Author: Simon Tatham <anakin at pobox.com>
Date: Fri Feb 28 20:20:25 2020 +0000
eccref.py: find low-order points on Montgomery curves.
This uses the new quartic-solver mod p to generate all the values in
Curve25519 that can end up at the curve identity by repeated
application of the doubling formula.
test/eccref.py | 90 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 90 insertions(+)
commit 7751657811bb052681ff270ae6e1492e18c56950
web diff https://git.tartarus.org/?p=simon/putty.git;a=commitdiff;h=7751657811bb052681ff270ae6e1492e18c56950;hp=1cad3c825566d4b1ec4a9994c1743a7cda08364f
Author: Simon Tatham <anakin at pobox.com>
Date: Wed Feb 26 19:23:03 2020 +0000
Reject all low-order points in Montgomery key exchange.
This expands our previous check for the public value being zero, to
take in all the values that will _become_ zero after not many steps.
The actual check at run time is done using the new is_infinite query
method for Montgomery curve points. Test cases in cryptsuite.py cover
all the dangerous values I generated via all that fiddly quartic-solving code.
(DJB's page http://cr.yp.to/ecdh.html#validate also lists these same
constants. But working them out again for myself makes me confident I
can do it again for other similar curves, such as Curve448.)
In particular, this makes us fully compliant with RFC 7748's demand to
check we didn't generate a trivial output key, which can happen if the
other end sends any of those low-order values.
I don't actually see why this is a vital check to perform for security
purposes, for the same reason that we didn't classify the bug
'diffie-hellman-range-check' as a vulnerability: I can't really see
what the other end's incentive might be to deliberately send one of
these nonsense values (and you can't do it by accident - none of these
values is a power of the canonical base point). It's not that a DH
participant couldn't possibly want to secretly expose the session
traffic - but there are plenty of more subtle (and less subtle!) ways
to do it, so you don't really gain anything by forcing them to use one
of those instead. But the RFC says to check, so we check.
sshecc.c | 22 +++++++---------------
test/cryptsuite.py | 40 ++++++++++++++++++++++++++++++++++++++++
testcrypt.h | 2 +-
3 files changed, 48 insertions(+), 16 deletions(-)
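The ECC commits above (141b75a7's Z=0 normalisation, c9a8fa63's identity query, 1cad3c82's doubling-to-identity search and 77516578's low-order rejection) describe the behaviour in prose only. What follows is an added example, not PuTTY's own code: a toy RFC 7748 X25519 ladder in pure Python with the buggy and fixed normalisation side by side, a doubling counter that finds the simplest low-order x-coordinates (0, 1 and -1; the two order-8 values from the commit's test cases are not reproduced here), and the identity / all-zero check applied to the shared secret. The private scalars and the list of low-order inputs are constructed for the demonstration, and all function names are this example's own. It is not constant-time.

```python
# Added example, not PuTTY's own code: a toy X25519 in pure Python that
# shows (a) why normalising a Z=0 point must leave Z=0, (b) how low-order
# inputs reach the identity by doubling, and (c) the RFC 7748 all-zero
# output check that rejects them. Not constant-time; illustration only.
P = 2**255 - 19
A24 = 121665                      # (486662 - 2) / 4, as in RFC 7748
BASEPOINT = (9).to_bytes(32, "little")

def normalise_buggy(X, Z):
    """Behaviour the commit describes: 'invert' Z blindly, then force Z=1.
    Python returns 0 for pow(0, P-2, P); C gave some nonsense value. Either
    way the identity (Z=0) comes out as the order-2 point x=0 with Z=1."""
    inv = pow(Z, P - 2, P)
    return (X * inv % P, 1)

def normalise_fixed(X, Z):
    """Multiply Z by the computed inverse as well, so Z=0 stays 0."""
    inv = pow(Z, P - 2, P)
    return (X * inv % P, Z * inv % P)

def is_identity(X, Z):
    """Projective (X:Z) is the identity iff Z == 0 (the role of ecc_montgomery_is_identity)."""
    return Z % P == 0

def xdbl(X, Z):
    """Montgomery x-only doubling, RFC 7748 formulas."""
    aa = (X + Z) ** 2 % P
    bb = (X - Z) ** 2 % P
    e = (aa - bb) % P             # equals 4XZ
    return aa * bb % P, e * (aa + A24 * e) % P

def doublings_to_identity(u, limit=8):
    """Number of doublings that take x=u to the identity, or None if more than limit."""
    X, Z = u % P, 1
    for n in range(1, limit + 1):
        X, Z = xdbl(X, Z)
        if is_identity(X, Z):
            return n
    return None

def decode_scalar(k_bytes):
    """RFC 7748 clamping: clear the low 3 bits and bit 255, set bit 254."""
    k = int.from_bytes(k_bytes, "little") & ~7
    return (k & ((1 << 255) - 1)) | (1 << 254)

def decode_u(u_bytes):
    return int.from_bytes(u_bytes, "little") & ((1 << 255) - 1)

def ladder(k, u):
    """Montgomery ladder; returns projective (X:Z) of k times the point with x=u."""
    x1 = u % P
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return x2, z2

def x25519_checked(my_scalar, peer_u):
    """Shared secret, or None when the peer's value is a low-order point: the
    ladder then lands on the identity and the RFC 7748 output would be all zero."""
    X, Z = ladder(decode_scalar(my_scalar), decode_u(peer_u))
    if is_identity(X, Z):                      # query on the projective point first
        return None
    out = (X * pow(Z, P - 2, P) % P).to_bytes(32, "little")
    if out == bytes(32):                       # RFC 7748 section 6.1 all-zero check
        return None
    return out

# Constructed sample values: two arbitrary private scalars and the simplest
# low-order x-coordinates (0, 1, -1, and p itself, which reduces to 0).
ALICE, BOB = bytes(range(32)), bytes(range(32, 64))
LOW_ORDER = [u.to_bytes(32, "little") for u in (0, 1, P - 1, P)]

if __name__ == "__main__":
    print("buggy normalise(7, 0) ->", normalise_buggy(7, 0))   # (0, 1): order-2 point
    print("fixed normalise(7, 0) ->", normalise_fixed(7, 0))   # (0, 0): still the identity
    for u in (0, 1, P - 1, 9):
        print("x =", u, "reaches identity after", doublings_to_identity(u), "doublings")
    pub_a = x25519_checked(ALICE, BASEPOINT)
    pub_b = x25519_checked(BOB, BASEPOINT)
    print("shared secrets agree:", x25519_checked(ALICE, pub_b) == x25519_checked(BOB, pub_a))
    for u in LOW_ORDER:
        print("peer value", int.from_bytes(u, "little"), "->", x25519_checked(ALICE, u))
```

Because a clamped scalar is a multiple of 8, multiplying any point whose order divides 8 always yields the identity, which is why every such peer value produces a Z=0 ladder output and an all-zero encoded secret, and why a single check on the result catches the whole family rather than needing a blocklist of constants. The buggy normalisation shows the failure mode the commit warns about: the identity silently becomes the order-2 point x=0, so an `is_identity` test run after it would no longer fire.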