[RFC PATCH v2 00/25] Algorithm agility, new transform, robustness

Ian Jackson ijackson at chiark.greenend.org.uk
Sat Jul 20 00:38:44 BST 2013

This is a portmanteau of my previous three patch series.  They have
been extensively updated.  I think these are mostly complete now,
although they have still NOT BEEN TESTED.

I'm particularly looking for review of these two patches:

 19/25 transform: Provide Serpment-EAX transform

    I'd like someone to check that what I've implemented is a sane
    usage of EAX, and ideally that it's lacking in howlers.

 11/25 site: interpret first 4 bytes of extrainfo as capabilities

    It would be good for someone else to double-check my
    forward-compatibility logic.  (With a view not just to the new
    transform, which I'll test, but also looking forward to a future
    public key algorithm upgrade.)

The biggest problem is that we are using CBC-MAC, which is known to be
broken.  I plan to fix this by replace our CBC+CBC-MAC transform with

Unfortunately we are lacking algorithm agility.  Looking at the NOTES
and the code, it is difficult to retrofit this because we're lacking
an officially approved space for future expansion covered by the

However, bug to the rescue!  It turns out that the string comparison
used for checking site names is broken in a way that we can exploit.
We therefore perpetrate an awful bodge, and enshrine and document it.

This gives us the room to replace the badly broken existing transform
with one based on EAX-Serpent.

Ideally we would like also to abandon PKCS#1 in favour of OAEP.  But I
think this is less urgent and wants to be combined with a general
public key (and public algorithm) rollover mechanism, which we are
currently lacking.

The capability mechanism is designed to be able to offer this in the
future, but sadly both peers will have to upgrade to the
capability-capable version first.

Also, there are situations where secnet won't recover properly
after a restart of one of the ends.  In this series we (mostly) fix

Due to the inclusion of coreutils's SHA512 implementation, this patch
series makes secnet GPLv3+.

 01/25 memcmp: Introduce and use consttime_memcmp
 02/25 transform: Do not look at any bytes of PKCS#5 padding other than the last
 03/25 magic: Introduce LABEL_NAK
 04/25 site: Send NAKs for undecryptable data packets (msg0)
 05/25 NOTES: Improve documentation of NAKs.
 06/25 NOTES: Remove paragraph about slow-to-prepare messages
 07/25 NOTES: Remove unimplemented protocol negotiation
 08/25 site: fix site name checking leaving room for expansion
 09/25 site: Extra info in name fields for MSG1, clearer processing
 10/25 site: use unaligned.h's functions, not pointer cast and ntohl
 11/25 site: interpret first 4 bytes of extrainfo as capabilities
 12/25 serpent: const-correct
 13/25 crypto: Copy a SHA512 implementation into tree
 14/25 crypto: Copy an AES (Rijndael) implementation into tree
 15/25 EAX: provide an implementation of EAX
 16/25 transform: split out transform-common.h
 17/25 transform: Allow DH to set the key size
 18/25 transform: Pass a direction flag to the transform
 19/25 transform: Provide Serpment-EAX transform
 20/25 site: dynamically create and destroy transform instances
 21/25 site, netlink: abolish max_end_pad and min_end_pad
 22/25 site, transform: per-transform-instance max_start_pad
 23/25 site: support multiple transforms
 24/25 Use FORMAT everywhere, and fix up the errors it finds
 25/25 site: New PROD message

More information about the sgo-software-discuss mailing list