simon-git: putty (master): Simon Tatham
Commits to Tartarus hosted VCS
tartarus-commits at lists.tartarus.org
Sat Mar 7 11:43:07 GMT 2020
TL;DR:
2ec2b796 Migrate all Python scripts to Python 3.
18fd47b6 Generate MPU certificates for proven primes.
6b1fbfe5 PrimeCandidateSource: add Sophie Germain filtering.
11568652 PrimeCandidateSource: add one-shot mode.
365c1d2d Command-line prime-generation testing tool.
844e766b RSA generation: option to generate strong primes.
Repository: https://git.tartarus.org/simon/putty.git
On the web: https://git.tartarus.org/?p=simon/putty.git
Branch updated: master
Committer: Simon Tatham <anakin at pobox.com>
Date: 2020-03-07 11:43:07
commit 2ec2b796ed24cb5f09bb5251efe30057df5ff915
web diff https://git.tartarus.org/?p=simon/putty.git;a=commitdiff;h=2ec2b796ed24cb5f09bb5251efe30057df5ff915;hp=cdffb995df389a8df3aef651c3aee0bcd15abe4a
Author: Simon Tatham <anakin at pobox.com>
Date: Wed Mar 4 21:23:49 2020 +0000
Migrate all Python scripts to Python 3.
Most of them are now _mandatory_ P3 scripts, because I'm tired of
maintaining everything to be compatible with both versions.
The current exceptions are gdb.py (which has to live with whatever gdb
gives it), and kh2reg.py (which is actually designed for other people
to use, and some of them might still be stuck on P2 for the moment).
contrib/encodelib.py | 47 +++++++++++++++++++++++++----------------------
contrib/kh2reg.py | 2 +-
contrib/make1305.py | 20 +++++++++++---------
contrib/samplekex.py | 30 ++++++++++++++++--------------
icons/macicon.py | 41 +++++++++++++++++++++--------------------
icons/mkicon.py | 3 +++
test/agenttest.py | 2 ++
test/agenttestgen.py | 4 ++++
test/cryptsuite.py | 15 +++++++++------
test/desref.py | 4 +++-
test/eccref.py | 3 +++
test/numbertheory.py | 3 +++
test/ssh.py | 3 +++
test/testcrypt.py | 30 +++++++++++-------------------
windows/msifixup.py | 2 +-
15 files changed, 116 insertions(+), 93 deletions(-)
commit 18fd47b61843eb860a8de7ad2e7f33f73d126bdb
web diff https://git.tartarus.org/?p=simon/putty.git;a=commitdiff;h=18fd47b61843eb860a8de7ad2e7f33f73d126bdb;hp=2ec2b796ed24cb5f09bb5251efe30057df5ff915
Author: Simon Tatham <anakin at pobox.com>
Date: Sat Feb 29 06:44:13 2020 +0000
Generate MPU certificates for proven primes.
Conveniently checkable certificates of primality aren't a new concept.
I didn't invent them, and I wasn't the first to implement them. Given
that, I thought it might be useful to be able to independently verify
a prime generated by PuTTY's provable prime system. Then, even if you
don't trust _this_ code, you might still trust someone else's
verifier, or at least be less willing to believe that both were
colluding.
The Perl module Math::Prime::Util is the only free software I've found
that defines a specific text-file format for certificates of
primality. The MPU format (as it calls it) supports various different
methods of certifying the primality of a number (most of which, like
Pockle's, depend on having previously proved some smaller number(s) to
be prime). The system implemented by Pockle is on its list: MPU calls
it by the name "BLS5".
So this commit introduces extra stored data inside Pockle so that it
remembers not just _that_ it believes certain numbers to be prime, but
also _why_ it believed each one to be prime. Then there's an extra
method in the Pockle API to translate its internal data structures
into the text of an MPU certificate for any number it knows about.
Math::Prime::Util doesn't come with a command-line verification tool,
unfortunately; only a Perl function which you feed a string argument.
So also in this commit I add test/mpu-check.pl, which is a trivial
command-line client of that function.
At the moment, this new piece of API is only exposed via testcrypt. I
could easily put some user interface into the key generation tools
that would save a few primality certificates alongside the private
key, but I have yet to think of any good reason to do it. Mostly this
facility is intended for debugging and cross-checking of the
_algorithm_, not of any particular prime.
pockle.c | 140 ++++++++++++++++++++++++++++++++++++++++++++++--------
sshkeygen.h | 8 ++++
sshprime.c | 14 ++++++
test/mpu-check.pl | 19 ++++++++
testcrypt.h | 2 +
5 files changed, 164 insertions(+), 19 deletions(-)
commit 6b1fbfe55ca2f171660a92521211df11228d766a
web diff https://git.tartarus.org/?p=simon/putty.git;a=commitdiff;h=6b1fbfe55ca2f171660a92521211df11228d766a;hp=18fd47b61843eb860a8de7ad2e7f33f73d126bdb
Author: Simon Tatham <anakin at pobox.com>
Date: Sat Feb 29 06:46:13 2020 +0000
PrimeCandidateSource: add Sophie Germain filtering.
A Sophie Germain prime is a prime p such that 2p+1 is also prime. The
larger prime of the pair 2p+1 is also known as a 'safe prime', and is
the preferred kind of modulus for conventional Diffie-Hellman.
Generating these is harder work than normal prime generation. There's
not really much of a technique except to just keep generating
candidate primes p and then testing 2p+1. But what you _can_ do to
speed things up is to get the prime-candidate generator to help a bit:
it's already enforcing that no small prime divides p, and it's easy to
get it to also enforce that no small prime divides 2p+1. That check
can filter out a lot of bad candidates early, before you waste time on
the more expensive checks, so you have a better chance of success with
each number that gets as far as Miller-Rabin.
Here I add an extra setup function for PrimeCandidateSource which
enables those extra checks. After you call pcs_try_sophie_germain(),
the PCS will only deliver you numbers for which both p and 2p+1 are
free of small factors.
primecandidate.c | 31 ++++++++++++++++++++++++++++++-
sshkeygen.h | 3 +++
testcrypt.h | 1 +
3 files changed, 34 insertions(+), 1 deletion(-)
commit 115686527c656aae792625100866fcf662341f32
web diff https://git.tartarus.org/?p=simon/putty.git;a=commitdiff;h=115686527c656aae792625100866fcf662341f32;hp=6b1fbfe55ca2f171660a92521211df11228d766a
Author: Simon Tatham <anakin at pobox.com>
Date: Sat Feb 29 06:47:12 2020 +0000
PrimeCandidateSource: add one-shot mode.
If you want to generate a Sophie Germain / safe prime pair with this
code, then after you've made p, you need to test the primality of
2p+1.
The easiest way to do that is to make a PrimeCandidateSource that is
so constrained as to only be able to deliver 2p+1 as a candidate, and
then run the ordinary prime generation system. The problem is that the
prime generation loops forever, so if 2p+1 _isn't_ prime, it will just
keep testing the same number over and over again and failing the test.
To solve this, I add a 'one-shot mode' to the PrimeCandidateSource
itself, which will cause it to return NULL if asked to generate a
second candidate. Then the prime-generation loops all detect that and
return NULL in turn. However, for clients that _don't_ set a pcs into
one-shot mode, the API remains unchanged: pcs_generate will not return
until it's found a prime (by its own criteria).
This feels like a bit of a bodge, API-wise. But the other two obvious
approaches turn out more awkward.
One option is to extract the Pockle from the PrimeGenerationContext
and use that to directly test primality of 2p+1 based on p - but that
way you don't get to _probabilistically_ generate safe primes, because
that kind of PGC has no Pockle in the first place. (And you can't make
one separately, because you can't convince it that an only
probabilistically generated p is prime!)
Another option is to add a test() method to PrimeGenerationPolicy,
that sits alongside generate(). Then, having generated p, you just
_test_ 2p+1. But then in the provable case you have to explain to it
that it should use p as part of the proof, so that API would get
awkward in its own way.
So this is actually the least disruptive way to do it!
primecandidate.c | 13 +++++++++++++
sshkeygen.h | 4 ++++
sshprime.c | 12 ++++++++++++
testcrypt.h | 1 +
4 files changed, 30 insertions(+)
commit 365c1d2df7badfb68155fab8b6785815850c8f5a
web diff https://git.tartarus.org/?p=simon/putty.git;a=commitdiff;h=365c1d2df7badfb68155fab8b6785815850c8f5a;hp=115686527c656aae792625100866fcf662341f32
Author: Simon Tatham <anakin at pobox.com>
Date: Sat Feb 29 07:11:57 2020 +0000
Command-line prime-generation testing tool.
Since our prime-generation code contains facilities not used by the
main key generators - Sophie Germain primes, user-specified modular
congruences, and MPU certificate output - it's probably going to be
useful sooner or later to have a command-line tool to access those
facilities. So here's a simple script that glues a Python argparse
interface on to the front of it all.
It would be nice to put this in 'contrib' rather than 'test', on the
grounds that it's at least potentially useful for purposes other than
testing PuTTY during development. But it's a client of the testcrypt
system, so it can't live anywhere other than the same directory as
testcrypt.py without me first having to do a lot of faffing about with
Python module organisation. So it can live here for the moment.
test/primegen.py | 71 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 71 insertions(+)
commit 844e766b03550c5e150af058b296791d5f6587be
web diff https://git.tartarus.org/?p=simon/putty.git;a=commitdiff;h=844e766b03550c5e150af058b296791d5f6587be;hp=365c1d2df7badfb68155fab8b6785815850c8f5a
Author: Simon Tatham <anakin at pobox.com>
Date: Mon Mar 2 06:52:09 2020 +0000
RSA generation: option to generate strong primes.
A 'strong' prime, as defined by the Handbook of Applied Cryptography,
is a prime p such that each of p-1 and p+1 has a large prime factor,
and that the large factor q of p-1 is such that q-1 in turn _also_ has
a large prime factor.
HoAC says that making your RSA key using primes of this form defeats
some factoring algorithms - but there are other faster algorithms to
which it makes no difference. So this is probably not a useful
precaution in practice. However, it has been recommended in the past
by some official standards, and it's easy to implement given the new
general facility in PrimeCandidateSource that lets you ask for your
prime to satisfy an arbitrary modular congruence. (And HoAC also says
there's no particular reason _not_ to use strong primes.) So I provide
it as an option, just in case anyone wants to select it.
The change to the key generation algorithm is entirely in sshrsag.c,
and is neatly independent of the prime-generation system in use. If
you're using Maurer provable prime generation, then the known factor q
of p-1 can be used to help certify p, and the one for q-1 to help with
q in turn; if you switch to probabilistic prime generation then you
still get an RSA key with the right structure, except that every time
the definition says 'prime factor' you just append '(probably)'.
(The probabilistic version of this procedure is described as 'Gordon's
algorithm' in HoAC section 4.4.2.)
cmdgen.c | 6 ++-
ssh1login-server.c | 2 +-
ssh2kex-server.c | 3 +-
sshkeygen.h | 4 +-
sshrsag.c | 109 ++++++++++++++++++++++++++++++++++++++++++---------
test/agenttestgen.py | 2 +-
test/testcrypt.py | 2 +
testcrypt.c | 15 +++++--
testcrypt.h | 4 +-
windows/winpgen.c | 42 ++++++++++++++++----
10 files changed, 151 insertions(+), 38 deletions(-)
More information about the tartarus-commits
mailing list