simon-git: putty (master): Simon Tatham

Commits to Tartarus hosted VCS tartarus-commits at lists.tartarus.org
Mon Mar 2 07:14:17 GMT 2020


TL;DR:
  b8a08f93 Implement the SHA-3 family.
  6c226e4c Support log2_cofactor for Edwards curves (NFC).
  4e6c69d5 Prepare for EdDSA lengths not 7 mod 8. (NFC)
  5f3d7933 Support a per-instance hash prefix in EdDSA. (NFC)
  9334eb3f PuTTYgen: prepare for more general EdDSA.
  a085acba Support the new "ssh-ed448" key type.

Repository:     https://git.tartarus.org/simon/putty.git
On the web:     https://git.tartarus.org/?p=simon/putty.git
Branch updated: master
Committer:      Simon Tatham <anakin at pobox.com>
Date:           2020-03-02 07:14:17

commit b8a08f9321a45be61ebe5c9862423c45ea6f1bdf
web diff https://git.tartarus.org/?p=simon/putty.git;a=commitdiff;h=b8a08f9321a45be61ebe5c9862423c45ea6f1bdf;hp=31e5b621b5e660fbe6e7cf4f33689a5c58781cfc
Author: Simon Tatham <anakin at pobox.com>
Date:   Mon Mar 2 06:55:48 2020 +0000

    Implement the SHA-3 family.
    
    These aren't used _directly_ by SSH at present, but an instance of
    SHAKE-256 is required by the recently standardised Ed448.

 Recipe             |   2 +-
 ssh.h              |   7 +-
 sshsha3.c          | 320 +++++++++++++++++++++++++++++++++++++++++++++++++++++
 test/cryptsuite.py |  16 +++
 testcrypt.c        |   5 +
 testsc.c           |   5 +
 6 files changed, 353 insertions(+), 2 deletions(-)

commit 6c226e4c57027d6693461f9695bfbe864a016d95
web diff https://git.tartarus.org/?p=simon/putty.git;a=commitdiff;h=6c226e4c57027d6693461f9695bfbe864a016d95;hp=b8a08f9321a45be61ebe5c9862423c45ea6f1bdf
Author: Simon Tatham <anakin at pobox.com>
Date:   Mon Mar 2 06:58:03 2020 +0000

    Support log2_cofactor for Edwards curves (NFC).
    
    This works more or less like the similar refactoring for Montgomery
    curves in 7fa0749fcb: where we previously hardwired the clearing of 3
    low bits of a private exponent, we now turn that 3 into a curve-
    specific constant, so that Ed448 will be able to set it to a different
    value.

 ssh.h    |  1 +
 sshecc.c | 11 +++++++----
 2 files changed, 8 insertions(+), 4 deletions(-)

commit 4e6c69d5df8304d291eeccc7d23d1f6891811dd1
web diff https://git.tartarus.org/?p=simon/putty.git;a=commitdiff;h=4e6c69d5df8304d291eeccc7d23d1f6891811dd1;hp=6c226e4c57027d6693461f9695bfbe864a016d95
Author: Simon Tatham <anakin at pobox.com>
Date:   Mon Mar 2 07:02:08 2020 +0000

    Prepare for EdDSA lengths not 7 mod 8. (NFC)
    
    An EdDSA public key is transmitted as an integer just big enough to
    store the curve point's y value plus one extra bit. The topmost bit of
    the integer is set to indicate the parity of the x value.
    
    In Ed25519, this works out very nicely: the curve modulus is just
    under 2^255, so the y value occupies all but one bit of the topmost
    byte of the integer, leaving the y parity to fit neatly in the spare
    bit. But in Ed448, the curve modulus occupies a whole number of bytes
    (56 of them) and the format standardises that you therefore have to
    use a 57-byte string for the public key, with the highest-order
    (final) byte having zero in the low 7 of its bits.
    
    To support this, I've arranged that the Edwards-curve modes in
    sshecc.c now set curve->fieldBytes to the right number of bytes to
    hold curve->fieldBits+1 bits, instead of the obvious curve->fieldBits.
    Doing it that way means fewer special cases everywhere else in the
    code.
    
    Also, this means changing the order of the validity check: we now wait
    until after we've checked and cleared the topmost bit to see if the
    rest is within range. That deals with checking the intervening 7 zero
    bits.

 sshecc.c | 40 +++++++++++++++++++++-------------------
 1 file changed, 21 insertions(+), 19 deletions(-)

commit 5f3d79332e2579f77bc660069d117bdb013e215d
web diff https://git.tartarus.org/?p=simon/putty.git;a=commitdiff;h=5f3d79332e2579f77bc660069d117bdb013e215d;hp=4e6c69d5df8304d291eeccc7d23d1f6891811dd1
Author: Simon Tatham <anakin at pobox.com>
Date:   Mon Mar 2 07:03:15 2020 +0000

    Support a per-instance hash prefix in EdDSA. (NFC)
    
    In Ed25519, when you hash things, you just feed them straight to
    SHA-512. But in Ed448, you prefix them with a magic string before
    feeding them to SHAKE256, and the magic string varies depending on
    which variant of Ed448 is in use.
    
    Add support for such a prefix, and for Ed25519, set it to the empty
    string.

 sshecc.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

commit 9334eb3ff0c995bddb91b260885fab202dbd07b1
web diff https://git.tartarus.org/?p=simon/putty.git;a=commitdiff;h=9334eb3ff0c995bddb91b260885fab202dbd07b1;hp=5f3d79332e2579f77bc660069d117bdb013e215d
Author: Simon Tatham <anakin at pobox.com>
Date:   Mon Mar 2 07:05:19 2020 +0000

    PuTTYgen: prepare for more general EdDSA.
    
    In the Windows GUI, all the controls that were previously named or
    labelled Ed25519 are now labelled EdDSA, and when you select that
    top-level key type, there's a dropdown for the specific curve (just
    like for ECDSA), whose only current value is Ed25519.
    
    In command-line PuTTYgen, you can say '-t eddsa' and give a number of
    bits, just like '-t ecdsa'. You can also still say '-t ed25519', for
    backwards compatibility.
    
    Also in command-line PuTTYgen, I've reworked the error messages if you
    give a number of bits that doesn't correspond to a known elliptic
    curve. Now the messages are generated by consulting the list of
    curves, so that that list has to be updated by hand in one fewer
    place.

 cmdgen.c          |  50 ++++++++++++++------
 windows/winpgen.c | 135 +++++++++++++++++++++++++++++++++++-------------------
 2 files changed, 124 insertions(+), 61 deletions(-)

commit a085acbadf829ac5b426323ca98058d6aa4048ba
web diff https://git.tartarus.org/?p=simon/putty.git;a=commitdiff;h=a085acbadf829ac5b426323ca98058d6aa4048ba;hp=9334eb3ff0c995bddb91b260885fab202dbd07b1
Author: Simon Tatham <anakin at pobox.com>
Date:   Mon Mar 2 07:09:08 2020 +0000

    Support the new "ssh-ed448" key type.
    
    This is standardised by RFC 8709 at SHOULD level, and for us it's not
    too difficult (because we use general-purpose elliptic-curve code). So
    let's be up to date for a change, and add it.
    
    This implementation uses all the formats defined in the RFC. But we
    also have to choose a wire format for the public+private key blob sent
    to an agent, and since the OpenSSH agent protocol is the de facto
    standard but not (yet?) handled by the IETF, OpenSSH themselves get to
    say what the format for a key should or shouldn't be. So if they don't
    support a particular key method, what do you do?
    
    I checked with them, and they agreed that there's an obviously right
    format for Ed448 keys, which is to do them exactly like Ed25519 except
    that you have a 57-byte string everywhere Ed25519 had a 32-byte
    string. So I've done that.

 Recipe             |  8 +++---
 cmdgen.c           |  4 ++-
 contrib/kh2reg.py  | 14 ++++++-----
 putty.h            |  1 +
 settings.c         |  1 +
 ssh.h              |  2 ++
 ssh2transport.h    |  1 +
 sshecc.c           | 74 +++++++++++++++++++++++++++++++++++++++++++++++++++++-
 sshpubk.c          |  2 ++
 test/cryptsuite.py | 60 +++++++++++++++++++++++++++++++++++++++++++
 test/eccref.py     |  3 +++
 testcrypt.c        |  1 +
 12 files changed, 159 insertions(+), 12 deletions(-)
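
The key-encoding rule from commit 4e6c69d5 and the hash prefix from commit 5f3d7933, as an added Python example (not PuTTY's code). Curve constants and the Ed448 prefix are taken from RFC 8032 with an empty context; the dictionary layout and function names are this example's own.

```python
import hashlib

# Parameters from RFC 8032. "prefix" for Ed448 is dom4(0, "") with an
# empty context: "SigEd448" || octet(0) || octet(0).
CURVES = {
    "ed25519": {"p": 2**255 - 19, "field_bits": 255, "prefix": b"",
                "hash": lambda m: hashlib.sha512(m).digest()},
    "ed448": {"p": 2**448 - 2**224 - 1, "field_bits": 448,
              "prefix": b"SigEd448" + bytes([0, 0]),
              "hash": lambda m: hashlib.shake_256(m).digest(114)},
}

def key_bytes(curve):
    # Bytes needed for field_bits + 1 bits: 32 for Ed25519, 57 for Ed448.
    return (CURVES[curve]["field_bits"] + 1 + 7) // 8

def decode_public(curve, blob):
    """Split an encoded public key into (y, x_parity).

    Raises ValueError on a malformed encoding. Checking that the point
    lies on the curve is a separate step not shown here.
    """
    n = key_bytes(curve)
    if len(blob) != n:
        raise ValueError("wrong length for %s public key" % curve)
    value = int.from_bytes(blob, "little")
    top = 8 * n - 1
    x_parity = value >> top          # topmost bit carries the parity of x
    y = value & ~(1 << top)          # clear it before range-checking
    # Range check AFTER clearing the parity bit: for Ed448 this also
    # rejects any of the 7 intervening bits of the final byte being set,
    # because such a value is at least 2^448 > p.
    if y >= CURVES[curve]["p"]:
        raise ValueError("y coordinate out of range")
    return y, x_parity

def prefixed_hash(curve, data):
    # Ed25519: SHA-512 of the data alone. Ed448: SHAKE256 over prefix || data.
    c = CURVES[curve]
    return c["hash"](c["prefix"] + data)

if __name__ == "__main__":
    # Constructed sample: y = 5, x parity = 1, encoded as a 57-byte Ed448 key.
    sample = (5 | (1 << 455)).to_bytes(57, "little")
    print(decode_public("ed448", sample), len(prefixed_hash("ed448", b"msg")))
```
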


