simon-git: putty (main): Simon Tatham
Commits to Tartarus hosted VCS
tartarus-commits at lists.tartarus.org
Tue Aug 16 20:49:18 BST 2022
TL;DR:
dbc77dbd Change the rules for how we free a linked cipher and MAC.
48708def testcrypt: fix cut-and-paste goof in decrypt_length.
3198995e cryptsuite: add a test of ChaCha20-Poly1305.
83ecb072 sclog: add a 'project' line in CMakeLists.txt.
99dd3705 testsc: fix memory leak in test_ntru.
3b9cbaca testsc: refactor platform-specific conditionalisation.
9160c41e testsc: add side-channel test of Poly1305.
840043f0 Add 'next_message' methods to cipher and MAC vtables.
fd840f0d Add CPU feature checks on M1 macOS.
c1a2114b Implement AES-GCM using the @openssh.com protocol IDs.
Repository: https://git.tartarus.org/simon/putty.git
On the web: https://git.tartarus.org/?p=simon/putty.git
Branch updated: main
Committer: Simon Tatham <anakin at pobox.com>
Date: 2022-08-16 20:49:18
commit dbc77dbd7a247957602aa8d23bdf92dff5a4f35a
web diff https://git.tartarus.org/?p=simon/putty.git;a=commitdiff;h=dbc77dbd7a247957602aa8d23bdf92dff5a4f35a;hp=e52087719c4e185e433f7b5b1fb8383b4d910c2e
Author: Simon Tatham <anakin at pobox.com>
Date: Tue Aug 16 18:22:29 2022 +0100
Change the rules for how we free a linked cipher and MAC.
In the situation where a MAC and cipher implementation are tied
together by being facets of the same underlying object (used by the
inseparable ChaCha20 + Poly1305 pair), previously we freed them by
having the cipher_free function actually do the freeing, having the
mac_free function do nothing, and taking great care to call those in
the right order. (Otherwise, the mac_free function dereferences a
no-longer-valid vtable pointer and doesn't get as far as _finding out_
that it doesn't have to do anything.)
That's a time bomb in general, and especially awkward in situations
like testcrypt where we don't get precise control over freeing order
in any case. So I've replaced that system with one in which there are
two flags in the ChaCha20-Poly1305 structure, saying whether each of
the cipher and MAC facets is currently considered to be allocated.
When the last of those flags is cleared, the object is actually freed.
So now they can be freed in either order.
crypto/chacha20-poly1305.c | 25 ++++++++++++++++++++-----
ssh/bpp2.c | 9 ---------
2 files changed, 20 insertions(+), 14 deletions(-)
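The two-flag freeing scheme described in the commit above, as an added illustration in C (not PuTTY's own code; the struct and function names are assumptions): each facet clears its own flag, and only the last one standing releases the allocation, so the order no longer matters.

```c
#include <stdbool.h>
#include <stdlib.h>

/* Hypothetical stand-in for PuTTY's combined ChaCha20+Poly1305 object
 * (names assumed, not PuTTY's code): one allocation, two facets. */
typedef struct linked_cipher_mac {
    bool cipher_allocated;   /* cipher facet still considered live? */
    bool mac_allocated;      /* MAC facet still considered live? */
} linked_cipher_mac;

/* Counts real free() calls so a test can verify exactly one release. */
static int actual_frees = 0;
static linked_cipher_mac *linked_new(void)
{
    linked_cipher_mac *ctx = calloc(1, sizeof(*ctx));
    if (ctx) ctx->cipher_allocated = ctx->mac_allocated = true;
    return ctx;
}

/* Release the memory only once both facets have been freed; until then
 * the object stays valid so the other facet's free can still read it. */
static void linked_maybe_free(linked_cipher_mac *ctx)
{
    if (!ctx->cipher_allocated && !ctx->mac_allocated) {
        actual_frees++;
        free(ctx);
    }
}
static void linked_cipher_free(linked_cipher_mac *ctx)
{
    ctx->cipher_allocated = false;
    linked_maybe_free(ctx);
}
static void linked_mac_free(linked_cipher_mac *ctx)
{
    ctx->mac_allocated = false;
    linked_maybe_free(ctx);
}
/* Free the two facets in either order; returns how many times the
 * underlying allocation was actually released (correct answer: 1). */
int free_order_test(bool mac_first)
{
    actual_frees = 0;
    linked_cipher_mac *ctx = linked_new();
    if (!ctx) return -1;
    if (mac_first) { linked_mac_free(ctx); linked_cipher_free(ctx); }
    else           { linked_cipher_free(ctx); linked_mac_free(ctx); }
    return actual_frees;
}
```

Under the old scheme the mac-first order would have dereferenced an already-freed vtable pointer; here both orders release the object exactly once and never touch it afterwards.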
commit 48708def8430e8ae346bfb9a33a92c1cff60ebe7
web diff https://git.tartarus.org/?p=simon/putty.git;a=commitdiff;h=48708def8430e8ae346bfb9a33a92c1cff60ebe7;hp=dbc77dbd7a247957602aa8d23bdf92dff5a4f35a
Author: Simon Tatham <anakin at pobox.com>
Date: Tue Aug 16 18:23:15 2022 +0100
testcrypt: fix cut-and-paste goof in decrypt_length.
The length test was pasted from the ordinary decrypt function, when it
should have been pasted from encrypt_length (which got this right).
I've never tried to test those functions before, so I never noticed.
test/testcrypt.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
commit 3198995ef38769a518fc00e5569f691bfb1f08f1
web diff https://git.tartarus.org/?p=simon/putty.git;a=commitdiff;h=3198995ef38769a518fc00e5569f691bfb1f08f1;hp=48708def8430e8ae346bfb9a33a92c1cff60ebe7
Author: Simon Tatham <anakin at pobox.com>
Date: Tue Aug 16 18:23:52 2022 +0100
cryptsuite: add a test of ChaCha20-Poly1305.
Not a very profound test, but it's at least enough to answer the
question 'is it still returning the same results?' after I change
things.
test/cryptsuite.py | 60 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 60 insertions(+)
commit 83ecb0729600cf4eed2fdcdaefd18870317410f9
web diff https://git.tartarus.org/?p=simon/putty.git;a=commitdiff;h=83ecb0729600cf4eed2fdcdaefd18870317410f9;hp=3198995ef38769a518fc00e5569f691bfb1f08f1
Author: Simon Tatham <anakin at pobox.com>
Date: Tue Aug 16 18:15:59 2022 +0100
sclog: add a 'project' line in CMakeLists.txt.
This causes cmake to stop whinging that there isn't one. More
usefully, by specifying the LANGUAGES keyword as just C (rather than
the default of both C and CXX), the cmake configure step is sped up by
not having to faff about finding a C++ compiler.
test/sclog/CMakeLists.txt | 2 ++
1 file changed, 2 insertions(+)
commit 99dd370503b3ab86028544d0bc36b2ff59ab3675
web diff https://git.tartarus.org/?p=simon/putty.git;a=commitdiff;h=99dd370503b3ab86028544d0bc36b2ff59ab3675;hp=83ecb0729600cf4eed2fdcdaefd18870317410f9
Author: Simon Tatham <anakin at pobox.com>
Date: Tue Aug 16 18:24:20 2022 +0100
testsc: fix memory leak in test_ntru.
We forgot to free the key pair at the end of the test, which is
harmless except that it makes Leak Sanitiser complain loudly.
test/testsc.c | 2 ++
1 file changed, 2 insertions(+)
commit 3b9cbaca8e416b2dd4309bc97504dd2c2ee3d5a1
web diff https://git.tartarus.org/?p=simon/putty.git;a=commitdiff;h=3b9cbaca8e416b2dd4309bc97504dd2c2ee3d5a1;hp=99dd370503b3ab86028544d0bc36b2ff59ab3675
Author: Simon Tatham <anakin at pobox.com>
Date: Tue Aug 16 18:25:21 2022 +0100
testsc: refactor platform-specific conditionalisation.
Instead of having separate subsidiary list macros for all the AES-NI
or NEON accelerated ciphers, the main list macro now contains each
individual thing conditionalised under an IF_FOO macro defined at the
top.
Makes relatively little difference in the current state of things, but
it will make it easier to do lots of differently conditionalised
single entries in a list, which will be coming up shortly.
test/testsc.c | 74 ++++++++++++++++++++++++++++-------------------------------
1 file changed, 35 insertions(+), 39 deletions(-)
commit 9160c41e7bd1cd265d70e43b62a6902b004f927d
web diff https://git.tartarus.org/?p=simon/putty.git;a=commitdiff;h=9160c41e7bd1cd265d70e43b62a6902b004f927d;hp=3b9cbaca8e416b2dd4309bc97504dd2c2ee3d5a1
Author: Simon Tatham <anakin at pobox.com>
Date: Tue Aug 16 18:26:28 2022 +0100
testsc: add side-channel test of Poly1305.
Not sure how I missed this! I tested ChaCha20, but not the MAC that
goes with it. Happily, it passes, so no harm done.
This also involved adding a general framework for testing MACs that
are tied to a specific cipher: we have to allocate, key and IV the
cipher before attempting to use the MAC, and free it all afterwards.
test/testsc.c | 47 +++++++++++++++++++++++++++++++++++++++++------
1 file changed, 41 insertions(+), 6 deletions(-)
commit 840043f06e5f67adfdf3ccd16f433bbcc2f989b7
web diff https://git.tartarus.org/?p=simon/putty.git;a=commitdiff;h=840043f06e5f67adfdf3ccd16f433bbcc2f989b7;hp=9160c41e7bd1cd265d70e43b62a6902b004f927d
Author: Simon Tatham <anakin at pobox.com>
Date: Tue Aug 16 18:27:06 2022 +0100
Add 'next_message' methods to cipher and MAC vtables.
This provides a convenient hook to be called between SSH messages, for
the crypto components to do any per-message processing like
incrementing a sequence number.
crypto/aes.h | 2 ++
crypto/arcfour.c | 2 ++
crypto/blowfish.c | 3 +++
crypto/chacha20-poly1305.c | 2 ++
crypto/des.c | 5 +++++
crypto/hmac.c | 6 ++++++
ssh.h | 12 ++++++++++++
ssh/bpp2.c | 8 ++++++++
test/testcrypt-func.h | 2 ++
utils/CMakeLists.txt | 2 ++
utils/nullcipher.c | 11 +++++++++++
utils/nullmac.c | 11 +++++++++++
12 files changed, 66 insertions(+)
commit fd840f0dfef5af558f78b9c668b4b71fe64b2ff9
web diff https://git.tartarus.org/?p=simon/putty.git;a=commitdiff;h=fd840f0dfef5af558f78b9c668b4b71fe64b2ff9;hp=840043f06e5f67adfdf3ccd16f433bbcc2f989b7
Author: Simon Tatham <anakin at pobox.com>
Date: Tue Aug 16 18:39:12 2022 +0100
Add CPU feature checks on M1 macOS.
I booted my M1 Mac into macOS rather than Asahi for the first time in
a while, and discovered that an OS update seems to have added some
sysctl flags indicating the presence of the CPU extensions that I
previously knew of no way to check for! Added those checks to
arm_arch_queries.c, though I've also retained backwards compat with
the previous OS version which didn't have them at all.
unix/utils/arm_arch_queries.c | 28 +++++++++++++++++++---------
unix/utils/arm_arch_queries.h | 12 ++++++++----
2 files changed, 27 insertions(+), 13 deletions(-)
commit c1a2114b28125572cf54c393bd51a6a39c4f00bd
web diff https://git.tartarus.org/?p=simon/putty.git;a=commitdiff;h=c1a2114b28125572cf54c393bd51a6a39c4f00bd;hp=fd840f0dfef5af558f78b9c668b4b71fe64b2ff9
Author: Simon Tatham <anakin at pobox.com>
Date: Tue Aug 16 18:36:58 2022 +0100
Implement AES-GCM using the @openssh.com protocol IDs.
I only recently found out that OpenSSH defined their own protocol IDs
for AES-GCM, defined to work the same as the standard ones except that
they fixed the semantics for how you select the linked cipher+MAC pair
during key exchange.
(RFC 5647 defines protocol ids for AES-GCM in both the cipher and MAC
namespaces, and requires that you MUST select both or neither - but
this contradicts the selection policy set out in the base SSH RFCs,
and there's no discussion of how you resolve a conflict between them!
OpenSSH's answer is to do it the same way ChaCha20-Poly1305 works,
because that will ensure the two suites don't fight.)
People do occasionally ask us for this linked cipher/MAC pair, and now
I know it's actually feasible, I've implemented it, including a pair
of vector implementations for x86 and Arm using their respective
architecture extensions for multiplying polynomials over GF(2).
Unlike ChaCha20-Poly1305, I've kept the cipher and MAC implementations
in separate objects, with an arm's-length link between them that the
MAC uses when it needs to encrypt single cipher blocks to use as the
inputs to the MAC algorithm. That enables the cipher and the MAC to be
independently selected from their hardware-accelerated versions, just
in case someone runs on a system that has polynomial multiplication
instructions but not AES acceleration, or vice versa.
There's a fourth implementation of the GCM MAC, which is a pure
software implementation of the same algorithm used in the vectorised
versions. It's too slow to use live, but I've kept it in the code for
future testing needs, and because it's a convenient place to dump my
design comments.
The vectorised implementations are fairly crude as far as optimisation
goes. I'm sure serious x86 _or_ Arm optimisation engineers would look
at them and laugh. But GCM is a fast MAC compared to HMAC-SHA-256
(indeed compared to HMAC-anything-at-all), so it should at least be
good enough to use. And we've got a working version with some tests
now, so if someone else wants to improve them, they can.
cmake/cmake.h.in | 2 +
config.c | 1 +
crypto/CMakeLists.txt | 25 +++
crypto/aes-common.c | 6 +
crypto/aes-neon.c | 65 +++++++
crypto/aes-ni.c | 60 +++++++
crypto/aes-select.c | 23 ++-
crypto/aes-sw.c | 95 +++++++++-
crypto/aes.h | 59 ++++++-
crypto/aesgcm-clmul.c | 180 +++++++++++++++++++
crypto/aesgcm-common.c | 8 +
crypto/aesgcm-footer.h | 368 +++++++++++++++++++++++++++++++++++++++
crypto/aesgcm-neon.c | 156 +++++++++++++++++
crypto/aesgcm-ref-poly.c | 364 ++++++++++++++++++++++++++++++++++++++
crypto/aesgcm-select.c | 38 ++++
crypto/aesgcm-sw.c | 145 +++++++++++++++
crypto/aesgcm.h | 44 +++++
putty.h | 1 +
settings.c | 1 +
ssh.h | 22 +++
ssh/bpp2.c | 7 +
ssh/transport2.c | 3 +
test/cryptsuite.py | 355 +++++++++++++++++++++++++++++++++++++
test/list-accel.py | 4 +
test/testcrypt-enum.h | 22 +++
test/testcrypt-func.h | 3 +
test/testcrypt.c | 11 +-
test/testsc.c | 90 +++++++++-
unix/utils/arm_arch_queries.c | 15 ++
windows/utils/arm_arch_queries.c | 5 +
30 files changed, 2167 insertions(+), 11 deletions(-)