simon-git: putty (main): Simon Tatham
Commits to Tartarus hosted VCS
tartarus-commits at lists.tartarus.org
Fri Apr 15 17:51:25 BST 2022
TL;DR:
1500da80 Move key_components management functions into utils.
3adfb1aa testsc: add random_advance_counter().
d5af33da Utility function mp_resize.
31db2e67 Make smemeq return unsigned, not bool.
e66e1ebe testcrypt: permit multiple OO function prefixes for a type.
e103ab1f Refactor handling of SSH kex shared secret.
422a89e2 Use C99 named initialisers in all ssh_kex instances.
e59ee965 Refactor ecdh_kex into an organised vtable.
faf1601a Implement OpenSSH 9.x's NTRU Prime / Curve25519 kex.
Repository: https://git.tartarus.org/simon/putty.git
On the web: https://git.tartarus.org/?p=simon/putty.git
Branch updated: main
Committer: Simon Tatham <anakin at pobox.com>
Date: 2022-04-15 17:51:25
commit 1500da80f182a993cf0a7da7e143ab9bb623e2d3
web diff https://git.tartarus.org/?p=simon/putty.git;a=commitdiff;h=1500da80f182a993cf0a7da7e143ab9bb623e2d3;hp=c0fba758e60e2ff4c1bebd566d9a0e56276d07ec
Author: Simon Tatham <anakin at pobox.com>
Date: Fri Apr 15 15:20:16 2022 +0100
Move key_components management functions into utils.
They're pretty much self-contained, and don't really need to be in the
same module as sshpubk.c (which has other dependencies). Move them out
into a utils module, where pulling them in won't pull in anything else
unwanted.
sshpubk.c | 44 --------------------------------------------
utils/CMakeLists.txt | 1 +
utils/key_components.c | 46 ++++++++++++++++++++++++++++++++++++++++++++++
3 files changed, 47 insertions(+), 44 deletions(-)
commit 3adfb1aa5bb924aad5b753057f9cf7214f81e0e4
web diff https://git.tartarus.org/?p=simon/putty.git;a=commitdiff;h=3adfb1aa5bb924aad5b753057f9cf7214f81e0e4;hp=1500da80f182a993cf0a7da7e143ab9bb623e2d3
Author: Simon Tatham <anakin at pobox.com>
Date: Fri Apr 15 15:31:30 2022 +0100
testsc: add random_advance_counter().
In test_primegen, we loop round retrieving random data until we find
some that will permit a successful prime generation, so that we can
log only the successful attempts, and not the failures (which don't
have to be time-safe). But this itself introduces a potential mismatch
between logs, because the simplistic RNG used in testsc will have
different control flow depending on how far through a buffer of hash
data it is at the start of a given run.
random_advance_counter() gives it a fresh buffer, so calling that at
the start of a run should normalise this out. The code to do that was
already in the middle of random_read(); I've just pulled it out into a
separately callable function.
This hasn't _actually_ caused failures in test_primegen, but I'm not
sure why not. (Perhaps just luck.) But it did cause a failure in
another test of a similar nature, so before I commit _that_ test (and
the thing it's testing), I'd better fix this.
test/testsc.c | 21 +++++++++++++--------
1 file changed, 13 insertions(+), 8 deletions(-)
commit d5af33da533c54342006b6f4d96c5455bb7ac2e5
web diff https://git.tartarus.org/?p=simon/putty.git;a=commitdiff;h=d5af33da533c54342006b6f4d96c5455bb7ac2e5;hp=3adfb1aa5bb924aad5b753057f9cf7214f81e0e4
Author: Simon Tatham <anakin at pobox.com>
Date: Fri Apr 15 17:18:23 2022 +0100
Utility function mp_resize.
This reallocs an existing mp_int to have a different physical size,
e.g. to make sure there's enough space at the top of it.
Trivial, but I'm a little surprised I haven't needed it until now!
crypto/mpint.c | 8 ++++++++
mpint.h | 7 +++++++
2 files changed, 15 insertions(+)
commit 31db2e67bb49fe838e39819394470867064624e6
web diff https://git.tartarus.org/?p=simon/putty.git;a=commitdiff;h=31db2e67bb49fe838e39819394470867064624e6;hp=d5af33da533c54342006b6f4d96c5455bb7ac2e5
Author: Simon Tatham <anakin at pobox.com>
Date: Fri Apr 15 17:18:32 2022 +0100
Make smemeq return unsigned, not bool.
bool is dangerous in a time-safe context, because C compilers might
insert a control flow divergence to implement the implicit
normalisation of nonzero integers to 1 when you assign to a bool.
Everywhere else time-safe, I avoid using it; but smemeq has been an
exception until now, because the response to smemeq returning failure
was to do an obvious protocol-level divergence _anyway_ (like
disconnecting due to MAC mismatch).
But I'm about to want to use smemeq in a context where I use the
result _subtly_ and don't want to give away what it is, so now it's
time to get rid of that bool and have smemeq return unsigned.
misc.h | 6 +++---
utils/smemeq.c | 2 +-
2 files changed, 4 insertions(+), 4 deletions(-)
commit e66e1ebeae6fcd6671db2b41a4193cfb137cb16a
web diff https://git.tartarus.org/?p=simon/putty.git;a=commitdiff;h=e66e1ebeae6fcd6671db2b41a4193cfb137cb16a;hp=31db2e67bb49fe838e39819394470867064624e6
Author: Simon Tatham <anakin at pobox.com>
Date: Fri Apr 15 17:18:58 2022 +0100
testcrypt: permit multiple OO function prefixes for a type.
This means if I have functions like foo_subfoo_bar and foo_baz that
both operate on a foo, the Python testcrypt system can translate both
into .bar() and .baz() methods on the object, even though they don't
start with the same prefix.
test/testcrypt.py | 37 ++++++++++++++++++++-----------------
1 file changed, 20 insertions(+), 17 deletions(-)
commit e103ab1fb6d6b3a41f2b53905f6eea26bdababe6
web diff https://git.tartarus.org/?p=simon/putty.git;a=commitdiff;h=e103ab1fb6d6b3a41f2b53905f6eea26bdababe6;hp=e66e1ebeae6fcd6671db2b41a4193cfb137cb16a
Author: Simon Tatham <anakin at pobox.com>
Date: Thu Apr 14 06:23:11 2022 +0100
Refactor handling of SSH kex shared secret.
Until now, every kex method has represented the output as an mp_int.
So we were storing it in the mp_int field s->K, and adding it to the
exchange hash and key derivation hashes via put_mp_ssh2.
But there's now going to be the first kex method that represents the
output as a string (so that it might have the top bit set, or multiple
leading zero bytes, without its length varying). So we now need to be
more general.
The most general thing it's sensible to do is to replace s->K with a
strbuf containing _already-encoded_ data to become part of the hash,
including length fields if necessary. So every existing kex method
still derives an mp_int, but then immediately puts it into that strbuf
using put_mp_ssh2 and frees it.
ssh/kex2-client.c | 26 +++++++++++++++++++-------
ssh/kex2-server.c | 18 +++++++++++++-----
ssh/transport2.c | 28 ++++++++++++++++------------
ssh/transport2.h | 3 ++-
4 files changed, 50 insertions(+), 25 deletions(-)
commit 422a89e208910523d654db5e670433c89730c8bb
web diff https://git.tartarus.org/?p=simon/putty.git;a=commitdiff;h=422a89e208910523d654db5e670433c89730c8bb;hp=e103ab1fb6d6b3a41f2b53905f6eea26bdababe6
Author: Simon Tatham <anakin at pobox.com>
Date: Thu Apr 14 06:38:30 2022 +0100
Use C99 named initialisers in all ssh_kex instances.
No functional change, but this will allow me to add more fields to
that structure without breaking the existing initialisers.
crypto/diffie-hellman.c | 56 +++++++++++++++++++++++++++++++++++--------------
crypto/ecc-ssh.c | 36 ++++++++++++++++++++-----------
crypto/rsa.c | 12 +++++++----
3 files changed, 72 insertions(+), 32 deletions(-)
commit e59ee9655453982fe8a99b57e34eb9eb7682bc4b
web diff https://git.tartarus.org/?p=simon/putty.git;a=commitdiff;h=e59ee9655453982fe8a99b57e34eb9eb7682bc4b;hp=422a89e208910523d654db5e670433c89730c8bb
Author: Simon Tatham <anakin at pobox.com>
Date: Thu Apr 14 07:04:33 2022 +0100
Refactor ecdh_kex into an organised vtable.
This is already slightly nice because it lets me separate the
Weierstrass and Montgomery code more completely, without having to
have a vtable tucked into dh->extra. But more to the point, it will
allow completely different kex methods to fit into the same framework
later.
To that end, I've moved more of the descriptive message generation
into the vtable, and also provided the constructor with a flag that
will let it do different things in client and server.
Also, following on from a previous commit, I've arranged that the new
API returns arbitrary binary data for the exchange hash, rather than
an mp_int. An upcoming implementation of this interface will want to
return an encoded string instead of an encoded mp_int.
crypto/ecc-ssh.c | 212 +++++++++++++++++++++++++-------------------------
defs.h | 1 +
ssh.h | 41 +++++++---
ssh/kex2-client.c | 22 +++---
ssh/kex2-server.c | 19 +++--
ssh/transport2.c | 2 +-
test/cryptsuite.py | 30 +++----
test/testcrypt-func.h | 8 +-
test/testcrypt.c | 14 +++-
9 files changed, 194 insertions(+), 155 deletions(-)
commit faf1601a5549eda9298f72f7c0f68f39c8f97764
web diff https://git.tartarus.org/?p=simon/putty.git;a=commitdiff;h=faf1601a5549eda9298f72f7c0f68f39c8f97764;hp=e59ee9655453982fe8a99b57e34eb9eb7682bc4b
Author: Simon Tatham <anakin at pobox.com>
Date: Fri Apr 15 17:19:47 2022 +0100
Implement OpenSSH 9.x's NTRU Prime / Curve25519 kex.
This consists of DJB's 'Streamlined NTRU Prime' quantum-resistant
cryptosystem, currently in round 3 of the NIST post-quantum key
exchange competition; it's run in parallel with ordinary Curve25519,
and generates a shared secret combining the output of both systems.
(Hence, even if you don't trust this newfangled NTRU Prime thing at
all, it's at least no _less_ secure than the kex you were using
already.)
As the OpenSSH developers point out, key exchange is the most urgent
thing to make quantum-resistant, even before working quantum computers
big enough to break crypto become available, because a break of the
kex algorithm can be applied retroactively to recordings of your past
sessions. By contrast, authentication is a real-time protocol, and can
only be broken by a quantum computer if there's one available to
attack you _already_.
I've implemented both sides of the mechanism, so that PuTTY and Uppity
both support it. In my initial testing, the two sides can both
interoperate with the appropriate half of OpenSSH, and also (of
course, but it would be embarrassing to mess it up) with each other.
config.c | 2 +
crypto/CMakeLists.txt | 1 +
crypto/ntru.c | 1915 +++++++++++++++++++++++++++++++++++++++++++++++++
crypto/ntru.h | 53 ++
defs.h | 2 +
putty.h | 1 +
settings.c | 1 +
ssh.h | 1 +
ssh/transport2.c | 4 +
test/cryptsuite.py | 101 +++
test/testcrypt-func.h | 29 +
test/testcrypt.c | 169 +++++
test/testcrypt.py | 9 +
test/testsc.c | 70 ++
14 files changed, 2358 insertions(+)
More information about the tartarus-commits
mailing list