simon-git: putty (master): Simon Tatham
Commits to Tartarus hosted VCS
tartarus-commits at lists.tartarus.org
Mon Mar 2 07:14:17 GMT 2020
TL;DR:
b8a08f93 Implement the SHA-3 family.
6c226e4c Support log2_cofactor for Edwards curves (NFC).
4e6c69d5 Prepare for EdDSA lengths not 7 mod 8. (NFC)
5f3d7933 Support a per-instance hash prefix in EdDSA. (NFC)
9334eb3f PuTTYgen: prepare for more general EdDSA.
a085acba Support the new "ssh-ed448" key type.
Repository: https://git.tartarus.org/simon/putty.git
On the web: https://git.tartarus.org/?p=simon/putty.git
Branch updated: master
Committer: Simon Tatham <anakin at pobox.com>
Date: 2020-03-02 07:14:17
commit b8a08f9321a45be61ebe5c9862423c45ea6f1bdf
web diff https://git.tartarus.org/?p=simon/putty.git;a=commitdiff;h=b8a08f9321a45be61ebe5c9862423c45ea6f1bdf;hp=31e5b621b5e660fbe6e7cf4f33689a5c58781cfc
Author: Simon Tatham <anakin at pobox.com>
Date: Mon Mar 2 06:55:48 2020 +0000
Implement the SHA-3 family.
These aren't used _directly_ by SSH at present, but an instance of
SHAKE-256 is required by the recently standardised Ed448.
Recipe | 2 +-
ssh.h | 7 +-
sshsha3.c | 320 +++++++++++++++++++++++++++++++++++++++++++++++++++++
test/cryptsuite.py | 16 +++
testcrypt.c | 5 +
testsc.c | 5 +
6 files changed, 353 insertions(+), 2 deletions(-)
commit 6c226e4c57027d6693461f9695bfbe864a016d95
web diff https://git.tartarus.org/?p=simon/putty.git;a=commitdiff;h=6c226e4c57027d6693461f9695bfbe864a016d95;hp=b8a08f9321a45be61ebe5c9862423c45ea6f1bdf
Author: Simon Tatham <anakin at pobox.com>
Date: Mon Mar 2 06:58:03 2020 +0000
Support log2_cofactor for Edwards curves (NFC).
This works more or less like the similar refactoring for Montgomery
curves in 7fa0749fcb: where we previously hardwired the clearing of 3
low bits of a private exponent, we now turn that 3 into a curve-
specific constant, so that Ed448 will be able to set it to a different
value.
ssh.h | 1 +
sshecc.c | 11 +++++++----
2 files changed, 8 insertions(+), 4 deletions(-)
commit 4e6c69d5df8304d291eeccc7d23d1f6891811dd1
web diff https://git.tartarus.org/?p=simon/putty.git;a=commitdiff;h=4e6c69d5df8304d291eeccc7d23d1f6891811dd1;hp=6c226e4c57027d6693461f9695bfbe864a016d95
Author: Simon Tatham <anakin at pobox.com>
Date: Mon Mar 2 07:02:08 2020 +0000
Prepare for EdDSA lengths not 7 mod 8. (NFC)
An EdDSA public key is transmitted as an integer just big enough to
store the curve point's y value plus one extra bit. The topmost bit of
the integer is set to indicate the parity of the x value.
In Ed25519, this works out very nicely: the curve modulus is just
under 2^255, so the y value occupies all but one bit of the topmost
byte of the integer, leaving the y parity to fit neatly in the spare
bit. But in Ed448, the curve modulus occupies a whole number of bytes
(56 of them) and the format standardises that you therefore have to
use a 57-byte string for the public key, with the highest-order
(final) byte having zero in the low 7 of its bits.
To support this, I've arranged that the Edwards-curve modes in
sshecc.c now set curve->fieldBytes to the right number of bytes to
hold curve->fieldBits+1 bits, instead of the obvious curve->fieldBits.
Doing it that way means fewer special cases everywhere else in the
code.
Also, this means changing the order of the validity check: we now wait
until after we've checked and cleared the topmost bit to see if the
rest is within range. That deals with checking the intervening 7 zero
bits.
sshecc.c | 40 +++++++++++++++++++++-------------------
1 file changed, 21 insertions(+), 19 deletions(-)
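The encoding and check order described in the commit message above, as an added Python example (not PuTTY's code, and not part of the original commit mail). The moduli and bit sizes are the RFC 8032 values; the function and table names are hypothetical, and the sample inputs in use are constructed.

```python
# Added example, not PuTTY code. Moduli and bit sizes are from RFC 8032;
# CURVES, encoded_len, encode_pubkey and decode_pubkey are hypothetical names.
CURVES = {
    "ed25519": {"p": 2**255 - 19, "field_bits": 255},
    "ed448": {"p": 2**448 - 2**224 - 1, "field_bits": 448},
}

def encoded_len(field_bits):
    """Bytes needed for field_bits + 1 bits (y plus the x-parity bit)."""
    return (field_bits + 1 + 7) // 8

def encode_pubkey(curve, y, x_parity):
    n = encoded_len(CURVES[curve]["field_bits"])
    # Parity goes in the topmost bit of the final (highest-order) byte.
    return (y | (x_parity << (8 * n - 1))).to_bytes(n, "little")

def decode_pubkey(curve, blob):
    """Return (y, x_parity). Parses the encoding only: recovering x and
    checking that the point is on the curve are not shown."""
    params = CURVES[curve]
    n = encoded_len(params["field_bits"])
    if len(blob) != n:
        raise ValueError("expected %d bytes, got %d" % (n, len(blob)))
    value = int.from_bytes(blob, "little")
    top = 8 * n - 1
    x_parity = value >> top            # 1. read the topmost bit
    y = value & ((1 << top) - 1)       # 2. clear it
    # 3. Range check last. For Ed448, any of the 7 bits between y and the
    # parity bit makes y >= 2**448 > p, so this check also rejects them.
    if y >= params["p"]:
        raise ValueError("y value out of range")
    return y, x_parity

def is_rejected(curve, blob):
    """True if decode_pubkey refuses the blob."""
    try:
        decode_pubkey(curve, blob)
    except ValueError:
        return True
    return False
```

Doing the range check before clearing the parity bit would reject every valid key whose x is odd, since the set top bit alone puts the integer above the modulus.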
commit 5f3d79332e2579f77bc660069d117bdb013e215d
web diff https://git.tartarus.org/?p=simon/putty.git;a=commitdiff;h=5f3d79332e2579f77bc660069d117bdb013e215d;hp=4e6c69d5df8304d291eeccc7d23d1f6891811dd1
Author: Simon Tatham <anakin at pobox.com>
Date: Mon Mar 2 07:03:15 2020 +0000
Support a per-instance hash prefix in EdDSA. (NFC)
In Ed25519, when you hash things, you just feed them straight to
SHA-512. But in Ed448, you prefix them with a magic string before
feeding them to SHAKE256, and the magic string varies depending on
which variant of Ed448 is in use.
Add support for such a prefix, and for Ed25519, set it to the empty
string.
sshecc.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
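The per-instance prefix described in the commit message above, as an added Python example (not PuTTY's code, and not part of the original commit mail). The prefix layout is the dom4 construction from RFC 8032; the names ed448_prefix, INSTANCES and eddsa_hash are hypothetical, and 114 bytes is the SHAKE256 output length RFC 8032 uses for Ed448.

```python
import hashlib

def ed448_prefix(prehash=False, context=b""):
    """dom4 from RFC 8032: "SigEd448" || flag octet || context length || context.
    The flag octet is 0 for plain Ed448 and 1 for the prehashed variant."""
    if len(context) > 255:
        raise ValueError("context must fit a one-byte length field")
    return b"SigEd448" + bytes([1 if prehash else 0, len(context)]) + context

# One (prefix, hash function) pair per EdDSA instance. Ed25519 keeps an
# empty prefix, so its hash inputs go to SHA-512 unchanged.
INSTANCES = {
    "ed25519": (b"", lambda data: hashlib.sha512(data).digest()),
    "ed448": (ed448_prefix(), lambda data: hashlib.shake_256(data).digest(114)),
    "ed448ph": (ed448_prefix(prehash=True),
                lambda data: hashlib.shake_256(data).digest(114)),
}

def eddsa_hash(instance, *parts):
    """Hash the concatenated parts under the instance's prefix."""
    prefix, hash_fn = INSTANCES[instance]
    return hash_fn(prefix + b"".join(parts))
```

Because the prefix is part of the hash input, the same message hashes to unrelated values under Ed448 and its prehashed variant, which keeps a signature made for one variant from verifying under the other.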
commit 9334eb3ff0c995bddb91b260885fab202dbd07b1
web diff https://git.tartarus.org/?p=simon/putty.git;a=commitdiff;h=9334eb3ff0c995bddb91b260885fab202dbd07b1;hp=5f3d79332e2579f77bc660069d117bdb013e215d
Author: Simon Tatham <anakin at pobox.com>
Date: Mon Mar 2 07:05:19 2020 +0000
PuTTYgen: prepare for more general EdDSA.
In the Windows GUI, all the controls that were previously named or
labelled Ed25519 are now labelled EdDSA, and when you select that
top-level key type, there's a dropdown for the specific curve (just
like for ECDSA), whose only current value is Ed25519.
In command-line PuTTYgen, you can say '-t eddsa' and give a number of
bits, just like '-t ecdsa'. You can also still say '-t ed25519', for
backwards compatibility.
Also in command-line PuTTYgen, I've reworked the error messages if you
give a number of bits that doesn't correspond to a known elliptic
curve. Now the messages are generated by consulting the list of
curves, so that that list has to be updated by hand in one fewer
place.
cmdgen.c | 50 ++++++++++++++------
windows/winpgen.c | 135 +++++++++++++++++++++++++++++++++++-------------------
2 files changed, 124 insertions(+), 61 deletions(-)
commit a085acbadf829ac5b426323ca98058d6aa4048ba
web diff https://git.tartarus.org/?p=simon/putty.git;a=commitdiff;h=a085acbadf829ac5b426323ca98058d6aa4048ba;hp=9334eb3ff0c995bddb91b260885fab202dbd07b1
Author: Simon Tatham <anakin at pobox.com>
Date: Mon Mar 2 07:09:08 2020 +0000
Support the new "ssh-ed448" key type.
This is standardised by RFC 8709 at SHOULD level, and for us it's not
too difficult (because we use general-purpose elliptic-curve code). So
let's be up to date for a change, and add it.
This implementation uses all the formats defined in the RFC. But we
also have to choose a wire format for the public+private key blob sent
to an agent, and since the OpenSSH agent protocol is the de facto
standard but not (yet?) handled by the IETF, OpenSSH themselves get to
say what the format for a key should or shouldn't be. So if they don't
support a particular key method, what do you do?
I checked with them, and they agreed that there's an obviously right
format for Ed448 keys, which is to do them exactly like Ed25519 except
that you have a 57-byte string everywhere Ed25519 had a 32-byte
string. So I've done that.
Recipe | 8 +++---
cmdgen.c | 4 ++-
contrib/kh2reg.py | 14 ++++++-----
putty.h | 1 +
settings.c | 1 +
ssh.h | 2 ++
ssh2transport.h | 1 +
sshecc.c | 74 +++++++++++++++++++++++++++++++++++++++++++++++++++++-
sshpubk.c | 2 ++
test/cryptsuite.py | 60 +++++++++++++++++++++++++++++++++++++++++++
test/eccref.py | 3 +++
testcrypt.c | 1 +
12 files changed, 159 insertions(+), 12 deletions(-)