[PATCH v3 00/41] Security and reliability fixes
ijackson at chiark.greenend.org.uk
Thu Jul 25 18:40:26 BST 2013
This series fixes several security problems, some serious, and a
number of other bugs.
git users can find it here:
I have repro'd all the significant bugs mentioned, and tested the
fixes, the new transform, the new PROD message, and the backward
compatibility machinery. I'm currently running this version on
zealot, my netbook.
If all goes well, and subject to comments, I plan to push this to
master in the middle of next week and start beta-testing it on chiark.
It would be good if people would at least read the descriptions of the
patches to check that what I'm doing sounds sane. The most critical
patches have been reviewed by Mark Wooding already, which is very
helpful, and the other somewhat-dicey stuff has survived my testing.
So unless anyone particularly wants to, I don't think there's a need
for detailed code review.
I have laid the groundwork for a future public key algorithm
transition, but not actually gone any further in that direction. Our
current arrangements are suboptimal, but they aren't in need of
Mark: I have changed the eax-serpent transform to check the received
sequence number _after_ decryption. This allows us to reliably
distinguish "message was decryptable but stale due to network lag or
attack" from "message is from previous session using same site index
01/41 rsa.c: Fix incorrect commentary.
02/41 rsa.c: Factor out constructing the EMSA-PKCS1 message representative.
03/41 rsa.c: Replace the magic length 1024 with a (larger) constant.
04/41 rsa.c: Check public key length.
05/41 unaligned.h: rationalise; provide buf_append_uint8 et al
06/41 util, buffers: Preparatory improvements
07/41 memcmp: Introduce and use consttime_memeq
08/41 transform: Do not look at any bytes of PKCS#5 padding other than the last
09/41 serpent: const-correct
10/41 serpent, transform: rework GET_32BIT_MSB_FIRST, PUT_...
11/41 serpent: Provide little-endian version too, but ours is big
12/41 serpent: Ad-hoc debugging facility
13/41 crypto: Copy a SHA512 implementation into tree
14/41 crypto: Copy an AES (Rijndael) implementation into tree
15/41 EAX: provide an implementation of EAX
16/41 transform: split out transform-common.h
17/41 transform: Allow DH to set the key size
18/41 transform: Pass a direction flag to the transform
19/41 transform: Provide Serpent-EAX transform
20/41 magic: Introduce LABEL_NAK
21/41 udp.c: Do not send NAKs in response to NAKs
22/41 udp, util: Break out send_nak function
23/41 site: Send NAKs for undecryptable data packets (msg0)
24/41 NOTES: Improve documentation of NAKs.
25/41 NOTES: Remove paragraph about slow-to-prepare messages
26/41 NOTES: Remove unimplemented protocol negotiation
27/41 site: fix site name checking leaving room for expansion
28/41 site: Extra info in name fields for MSG1, clearer processing
29/41 site: use unaligned.h's functions, not pointer cast and ntohl
30/41 site: interpret first 4 bytes of extrainfo as capabilities
31/41 site: Check transform errors; factor out transform handling
32/41 site: dynamically create and destroy transform instances
33/41 site, netlink: abolish max_end_pad and min_end_pad
34/41 site, transform: per-transform-instance max_start_pad
35/41 site: support multiple transforms
36/41 Use FORMAT everywhere, and fix up the errors it finds
37/41 max_start_pad: calculate globally, not via client graph
38/41 udp.c: call buffer_init
39/41 slip: Buffer management (max_start_pad) fixes
40/41 site: New PROD message
41/41 changelog: Describe 0.3.0~beta2
More information about the sgo-software-discuss