[PATCH v3 00/41] Security and reliability fixes

Ian Jackson ijackson at chiark.greenend.org.uk
Thu Jul 25 18:40:26 BST 2013

This series fixes several security problems, some serious, and a
number of other bugs.

git users can find it here:

I have repro'd all the significant bugs mentioned, and tested the
fixes, the new transform, the new PROD message, and the backward
compatibility machinery.  I'm currently running this version on
zealot, my netbook.

If all goes well, and subject to comments, I plan to push this to
master in the middle of next week and start beta-testing it on chiark.

It would be good if people would at least read the descriptions of the
patches to check that what I'm doing sounds sane.  The most critical
patches have been reviewed by Mark Wooding already, which is very
helpful, and the other somewhat-dicey stuff has survived my testing.

So unless anyone particularly wants to, I don't think there's a need
for detailed code review.

I have laid the groundwork for a future public key algorithm
transition, but not actually gone any further in that direction.  Our
current arrangements are suboptimal, but they aren't in need of

Mark: I have changed the eax-serpent transform to check the received
sequence number _after_ decryption.  This allows us to reliably
distinguish "message was decryptable but stale due to network lag or
attack" from "message is from previous session using same site index

 01/41 rsa.c: Fix incorrect commentary.
 02/41 rsa.c: Factor out constructing the EMSA-PKCS1 message representative.
 03/41 rsa.c: Replace the magic length 1024 with a (larger) constant.
 04/41 rsa.c: Check public key length.
 05/41 unaligned.h: rationalise; provide buf_append_uint8 et al
 06/41 util, buffers: Preparatory improvements
 07/41 memcmp: Introduce and use consttime_memeq
 08/41 transform: Do not look at any bytes of PKCS#5 padding other than the last
 09/41 serpent: const-correct
 10/41 serpent, transform: rework GET_32BIT_MSB_FIRST, PUT_...
 11/41 serpent: Provide little-endian version too, but ours is big
 12/41 serpent: Ad-hoc debugging facility
 13/41 crypto: Copy a SHA512 implementation into tree
 14/41 crypto: Copy an AES (Rijndael) implementation into tree
 15/41 EAX: provide an implementation of EAX
 16/41 transform: split out transform-common.h
 17/41 transform: Allow DH to set the key size
 18/41 transform: Pass a direction flag to the transform
 19/41 transform: Provide Serpent-EAX transform
 20/41 magic: Introduce LABEL_NAK
 21/41 udp.c: Do not send NAKs in response to NAKs
 22/41 udp, util: Break out send_nak function
 23/41 site: Send NAKs for undecryptable data packets (msg0)
 24/41 NOTES: Improve documentation of NAKs.
 25/41 NOTES: Remove paragraph about slow-to-prepare messages
 26/41 NOTES: Remove unimplemented protocol negotiation
 27/41 site: fix site name checking leaving room for expansion
 28/41 site: Extra info in name fields for MSG1, clearer processing
 29/41 site: use unaligned.h's functions, not pointer cast and ntohl
 30/41 site: interpret first 4 bytes of extrainfo as capabilities
 31/41 site: Check transform errors; factor out transform handling
 32/41 site: dynamically create and destroy transform instances
 33/41 site, netlink: abolish max_end_pad and min_end_pad
 34/41 site, transform: per-transform-instance max_start_pad
 35/41 site: support multiple transforms
 36/41 Use FORMAT everywhere, and fix up the errors it finds
 37/41 max_start_pad: calculate globally, not via client graph
 38/41 udp.c: call buffer_init
 39/41 slip: Buffer management (max_start_pad) fixes
 40/41 site: New PROD message
 41/41 changelog: Describe 0.3.0~beta2

More information about the sgo-software-discuss mailing list