--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: pu...@packages.debian.org
Control: affects -1 + src:putty
User: release.debian....@packages.debian.org
Usertags: pu
[ Reason ]
Security fix CVE-2024-31497
[ Impact ]
Vulnerable biased nonce generation is still here.
[ Tests ]
Full crypto test suite testing particularly CVE-2024-31497 is run
[ Risks ]
Low reviewed by maintainer
Approved by Colin
[ Checklist ]
[X] *all* changes are documented in the d/changelog
[X] I reviewed all changes and I approve them
[X] attach debdiff against the package in (old)stable
[X] the issue is verified as fixed in unstable
[ Changes ]
* Non-maintainer upload.
* Cherry-pick from upstream:
- Add an extra HMAC constructor function
- Fix CVE-2024-31497: biased ECDSA nonce generation allows an attacker
to recover a user's NIST P-521 secret key via a quick attack in
approximately 60 signatures. In other words, an adversary
may already have enough signature information to compromise a victim's
private key, even if there is no further use of vulnerable PuTTY
versions.
* Run test/cryptsuite.py during build.
diff -Nru putty-0.78/debian/changelog putty-0.78/debian/changelog
--- putty-0.78/debian/changelog 2023-12-18 19:13:57.000000000 +0000
+++ putty-0.78/debian/changelog 2024-07-16 10:44:03.000000000 +0000
@@ -1,3 +1,18 @@
+putty (0.78-2+deb12u2) bookworm; urgency=medium
+
+ * Non-maintainer upload.
+ * Cherry-pick from upstream:
+ - Add an extra HMAC constructor function
+ - Fix CVE-2024-31497: biased ECDSA nonce generation allows an attacker
+ to recover a user's NIST P-521 secret key via a quick attack in
+ approximately 60 signatures. In other words, an adversary
+ may already have enough signature information to compromise a victim's
+ private key, even if there is no further use of vulnerable PuTTY
+ versions.
+ * Run test/cryptsuite.py during build.
+
+ -- Bastien Roucari??s <ro...@debian.org> Tue, 16 Jul 2024 10:44:03 +0000
+
putty (0.78-2+deb12u1) bookworm-security; urgency=medium
* CVE-2023-48795: Cherry-pick from upstream:
diff -Nru putty-0.78/debian/control putty-0.78/debian/control
--- putty-0.78/debian/control 2023-12-18 19:13:47.000000000 +0000
+++ putty-0.78/debian/control 2024-07-16 10:44:03.000000000 +0000
@@ -8,6 +8,7 @@
debhelper-compat (= 13),
dh-exec,
dpkg-dev (>= 1.15.7~),
+ python3 <!nocheck>,
Build-Depends-Arch: imagemagick,
libgtk-3-dev,
libx11-dev,
diff -Nru putty-0.78/debian/.git-dpm putty-0.78/debian/.git-dpm
--- putty-0.78/debian/.git-dpm 2023-12-18 19:13:47.000000000 +0000
+++ putty-0.78/debian/.git-dpm 2024-07-16 10:44:03.000000000 +0000
@@ -1,6 +1,6 @@
# see git-dpm(1) from git-dpm package
-cbe541c94bed68e3a009f622d7f36bd4ca00a005
-cbe541c94bed68e3a009f622d7f36bd4ca00a005
+fc80bc63dba4a891e7fca2ffda5390d000e1971d
+fc80bc63dba4a891e7fca2ffda5390d000e1971d
e517b33826b38389d4d45a859603a635bd3cf55b
e517b33826b38389d4d45a859603a635bd3cf55b
putty_0.78.orig.tar.gz
diff -Nru putty-0.78/debian/.gitignore putty-0.78/debian/.gitignore
--- putty-0.78/debian/.gitignore 2023-12-18 19:13:47.000000000 +0000
+++ putty-0.78/debian/.gitignore 1970-01-01 00:00:00.000000000 +0000
@@ -1,9 +0,0 @@
-/*.debhelper*
-/*.substvars
-/build
-/files
-/pterm
-/putty
-/putty-doc
-/putty-tools
-/version.but.save
diff -Nru putty-0.78/debian/patches/0009-Add-an-extra-HMAC-constructor-function.patch putty-0.78/debian/patches/0009-Add-an-extra-HMAC-constructor-function.patch
--- putty-0.78/debian/patches/0009-Add-an-extra-HMAC-constructor-function.patch 1970-01-01 00:00:00.000000000 +0000
+++ putty-0.78/debian/patches/0009-Add-an-extra-HMAC-constructor-function.patch 2024-07-16 10:44:03.000000000 +0000
@@ -0,0 +1,108 @@
+From 5a6f12336d7ddfb0322898cba3cde010341e945c Mon Sep 17 00:00:00 2001
+From: Simon Tatham <ana...@pobox.com>
+Date: Mon, 1 Apr 2024 07:45:21 +0100
+Subject: Add an extra HMAC constructor function.
+
+Add an extra HMAC constructor function.
+
+This takes a plain ssh_hashalg, and constructs the most natural kind
+of HMAC wrapper around it, taking its key length and output length
+to be the hash's output length. In other words, it converts SHA-foo
+into exactly the thing usually called HMAC-SHA-foo.
+
+It does it by constructing a new ssh2_macalg vtable, and including it
+in the same memory allocation as the actual hash object. That's the
+first time in PuTTY I've done it this way.
+
+Nothing yet uses this, but a new piece of code is about to.
+
+origin: backport, https://git.tartarus.org/?p=simon/putty.git;a=commitdiff_plain;h=dea3ddca0537299ebfe907dd4c883fe65bfb4035
+---
+ crypto/hmac.c | 45 +++++++++++++++++++++++++++++++++++++++++++--
+ ssh.h | 5 +++++
+ 2 files changed, 48 insertions(+), 2 deletions(-)
+
+diff --git a/crypto/hmac.c b/crypto/hmac.c
+index adeccd29..fa70c8e6 100644
+--- a/crypto/hmac.c
++++ b/crypto/hmac.c
+@@ -18,9 +18,10 @@ struct hmac_extra {
+ const char *suffix, *annotation;
+ };
+
+-static ssh2_mac *hmac_new(const ssh2_macalg *alg, ssh_cipher *cipher)
++/* Most of hmac_new(). Takes the actual 'struct hmac' as a parameter,
++ * because sometimes it will have been allocated in a special way. */
++static ssh2_mac *hmac_new_inner(struct hmac *ctx, const ssh2_macalg *alg)
+ {
+- struct hmac *ctx = snew(struct hmac);
+ const struct hmac_extra *extra = (const struct hmac_extra *)alg->extra;
+
+ ctx->h_outer = ssh_hash_new(extra->hashalg_base);
+@@ -64,6 +65,11 @@ static ssh2_mac *hmac_new(const ssh2_macalg *alg, ssh_cipher *cipher)
+ return &ctx->mac;
+ }
+
++static ssh2_mac *hmac_new(const ssh2_macalg *alg, ssh_cipher *cipher)
++{
++ return hmac_new_inner(snew(struct hmac), alg); /* cipher isn't needed */
++}
++
+ static void hmac_free(ssh2_mac *mac)
+ {
+ struct hmac *ctx = container_of(mac, struct hmac, mac);
+@@ -261,3 +267,38 @@ const ssh2_macalg ssh_hmac_sha1_96_buggy = {
+ .keylen = 16,
+ .extra = &ssh_hmac_sha1_96_buggy_extra,
+ };
++
++ssh2_mac *hmac_new_from_hash(const ssh_hashalg *hash)
++{
++ /*
++ * Construct a custom ssh2_macalg, derived directly from the
++ * provided hash vtable. It's included in the same memory
++ * allocation as the struct hmac, so that it all gets freed
++ * together.
++ */
++
++ struct alloc {
++ struct hmac hmac;
++ ssh2_macalg alg;
++ struct hmac_extra extra;
++ };
++
++ struct alloc *alloc = snew(struct alloc);
++ alloc->alg.new = hmac_new;
++ alloc->alg.free = hmac_free;
++ alloc->alg.setkey = hmac_key;
++ alloc->alg.start = hmac_start;
++ alloc->alg.genresult = hmac_genresult;
++ alloc->alg.next_message = nullmac_next_message;
++ alloc->alg.text_name = hmac_text_name;
++ alloc->alg.name = NULL;
++ alloc->alg.etm_name = NULL;
++ alloc->alg.len = hash->hlen;
++ alloc->alg.keylen = hash->hlen;
++ alloc->alg.extra = &alloc->extra;
++ alloc->extra.hashalg_base = hash;
++ alloc->extra.suffix = "";
++ alloc->extra.annotation = NULL;
++
++ return hmac_new_inner(&alloc->hmac, &alloc->alg);
++}
+diff --git a/ssh.h b/ssh.h
+index 0961c0b2..b33be1c7 100644
+--- a/ssh.h
++++ b/ssh.h
+@@ -762,6 +762,11 @@ void nullmac_next_message(ssh2_mac *m);
+ * string with a given key in the most obvious way. */
+ void mac_simple(const ssh2_macalg *alg, ptrlen key, ptrlen data, void *output);
+
++/* Constructor that makes an HMAC object given just a MAC. This object
++ * will have empty 'name' and 'etm_name' fields, so it's not suitable
++ * for use in SSH. It's used as a subroutine in RFC 6979. */
++ssh2_mac *hmac_new_from_hash(const ssh_hashalg *hash);
++
+ struct ssh_hash {
+ const ssh_hashalg *vt;
+ BinarySink_DELEGATE_IMPLEMENTATION;
diff -Nru putty-0.78/debian/patches/0010-Switch-to-RFC-6979-for-DSA-nonce-generation.patch putty-0.78/debian/patches/0010-Switch-to-RFC-6979-for-DSA-nonce-generation.patch
--- putty-0.78/debian/patches/0010-Switch-to-RFC-6979-for-DSA-nonce-generation.patch 1970-01-01 00:00:00.000000000 +0000
+++ putty-0.78/debian/patches/0010-Switch-to-RFC-6979-for-DSA-nonce-generation.patch 2024-07-16 10:44:03.000000000 +0000
@@ -0,0 +1,1034 @@
+From fc80bc63dba4a891e7fca2ffda5390d000e1971d Mon Sep 17 00:00:00 2001
+From: Simon Tatham <ana...@pobox.com>
+Date: Mon, 1 Apr 2024 08:18:34 +0000
+Subject: Switch to RFC 6979 for DSA nonce generation.
+
+This fixes a vulnerability that compromises NIST P521 ECDSA keys when
+they are used with PuTTY's existing DSA nonce generation code. The
+vulnerability has been assigned the identifier CVE-2024-31497.
+
+PuTTY has been doing its DSA signing deterministically for literally
+as long as it's been doing it at all, because I didn't trust Windows's
+entropy generation. Deterministic nonce generation was introduced in
+commit d345ebc2a5a0b59, as part of the initial version of our DSA
+signing routine. At the time, there was no standard for how to do it,
+so we had to think up the details of our system ourselves, with some
+help from the Cambridge University computer security group.
+
+More than ten years later, RFC 6979 was published, recommending a
+similar system for general use, naturally with all the details
+different. We didn't switch over to doing it that way, because we had
+a scheme in place already, and as far as I could see, the differences
+were not security-critical - just the normal sort of variation you
+expect when any two people design a protocol component of this kind
+independently.
+
+As far as I know, the _structure_ of our scheme is still perfectly
+fine, in terms of what data gets hashed, how many times, and how the
+hash output is converted into a nonce. But the weak spot is the choice
+of hash function: inside our dsa_gen_k() function, we generate 512
+bits of random data using SHA-512, and then reduce that to the output
+range by modular reduction, regardless of what signature algorithm
+we're generating a nonce for.
+
+In the original use case, this introduced a theoretical bias (the
+output size is an odd prime, which doesn't evenly divide the space of
+2^512 possible inputs to the reduction), but the theory was that since
+integer DSA uses a modulus prime only 160 bits long (being based on
+SHA-1, at least in the form that SSH uses it), the bias would be too
+small to be detectable, let alone exploitable.
+
+Then we reused the same function for NIST-style ECDSA, when it
+arrived. This is fine for the P256 curve, and even P384. But in P521,
+the order of the base point is _greater_ than 2^512, so when we
+generate a 512-bit number and reduce it, the reduction never makes any
+difference, and our output nonces are all in the first 2^512 elements
+of the range of about 2^521. So this _does_ introduce a significant
+bias in the nonces, compared to the ideal of uniformly random
+distribution over the whole range. And it's been recently discovered
+that a bias of this kind is sufficient to expose private keys, given a
+manageably small number of signatures to work from.
+
+(Incidentally, none of this affects Ed25519. The spec for that system
+includes its own idea of how you should do deterministic nonce
+generation - completely different again, naturally - and we did it
+that way rather than our way, so that we could use the existing test
+vectors.)
+
+The simplest fix would be to patch our existing nonce generator to use
+a longer hash, or concatenate a couple of SHA-512 hashes, or something
+similar. But I think a more robust approach is to switch it out
+completely for what is now the standard system. The main reason why I
+prefer that is that the standard system comes with test vectors, which
+adds a lot of confidence that I haven't made some other mistake in
+following my own design.
+
+So here's a commit that adds an implementation of RFC 6979, and
+removes the old dsa_gen_k() function. Tests are added based on the
+RFC's appendix of test vectors (as many as are compatible with the
+more limited API of PuTTY's crypto code, e.g. we lack support for the
+NIST P192 curve, or for doing integer DSA with many different hash
+functions). One existing test changes its expected outputs, namely the
+one that has a sample key pair and signature for every key algorithm
+we support.
+
+origin: https://git.tartarus.org/?p=simon/putty.git;a=commitdiff_plain;h=c193fe9848f50a88a4089aac647fecc31ae96d27
+bug: https://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-p521-bias.html
+bug-debian-security: https://security-tracker.debian.org/tracker/CVE-2024-31497
+---
+ crypto/CMakeLists.txt | 1 +
+ crypto/dsa.c | 116 +-------------
+ crypto/ecc-ssh.c | 14 +-
+ crypto/rfc6979.c | 359 ++++++++++++++++++++++++++++++++++++++++++
+ defs.h | 2 +
+ ssh.h | 15 +-
+ test/cryptsuite.py | 249 ++++++++++++++++++++++++++++-
+ test/testcrypt-func.h | 6 +
+ test/testsc.c | 59 +++++++
+ 9 files changed, 690 insertions(+), 131 deletions(-)
+ create mode 100644 crypto/rfc6979.c
+
+diff --git a/crypto/CMakeLists.txt b/crypto/CMakeLists.txt
+index 4b0aa907..edb02ce4 100644
+--- a/crypto/CMakeLists.txt
++++ b/crypto/CMakeLists.txt
+@@ -30,6 +30,7 @@ add_sources_from_current_dir(crypto
+ pubkey-pem.c
+ pubkey-ppk.c
+ pubkey-ssh1.c
++ rfc6979.c
+ rsa.c
+ sha256-common.c
+ sha256-select.c
+diff --git a/crypto/dsa.c b/crypto/dsa.c
+index 71fcd94a..1999a1c2 100644
+--- a/crypto/dsa.c
++++ b/crypto/dsa.c
+@@ -340,117 +340,6 @@ static int dsa_pubkey_bits(const ssh_keyalg *self, ptrlen pub)
+ return ret;
+ }
+
+-mp_int *dsa_gen_k(const char *id_string, mp_int *modulus,
+- mp_int *private_key,
+- unsigned char *digest, int digest_len)
+-{
+- /*
+- * The basic DSA signing algorithm is:
+- *
+- * - invent a random k between 1 and q-1 (exclusive).
+- * - Compute r = (g^k mod p) mod q.
+- * - Compute s = k^-1 * (hash + x*r) mod q.
+- *
+- * This has the dangerous properties that:
+- *
+- * - if an attacker in possession of the public key _and_ the
+- * signature (for example, the host you just authenticated
+- * to) can guess your k, he can reverse the computation of s
+- * and work out x = r^-1 * (s*k - hash) mod q. That is, he
+- * can deduce the private half of your key, and masquerade
+- * as you for as long as the key is still valid.
+- *
+- * - since r is a function purely of k and the public key, if
+- * the attacker only has a _range of possibilities_ for k
+- * it's easy for him to work through them all and check each
+- * one against r; he'll never be unsure of whether he's got
+- * the right one.
+- *
+- * - if you ever sign two different hashes with the same k, it
+- * will be immediately obvious because the two signatures
+- * will have the same r, and moreover an attacker in
+- * possession of both signatures (and the public key of
+- * course) can compute k = (hash1-hash2) * (s1-s2)^-1 mod q,
+- * and from there deduce x as before.
+- *
+- * - the Bleichenbacher attack on DSA makes use of methods of
+- * generating k which are significantly non-uniformly
+- * distributed; in particular, generating a 160-bit random
+- * number and reducing it mod q is right out.
+- *
+- * For this reason we must be pretty careful about how we
+- * generate our k. Since this code runs on Windows, with no
+- * particularly good system entropy sources, we can't trust our
+- * RNG itself to produce properly unpredictable data. Hence, we
+- * use a totally different scheme instead.
+- *
+- * What we do is to take a SHA-512 (_big_) hash of the private
+- * key x, and then feed this into another SHA-512 hash that
+- * also includes the message hash being signed. That is:
+- *
+- * proto_k = SHA512 ( SHA512(x) || SHA160(message) )
+- *
+- * This number is 512 bits long, so reducing it mod q won't be
+- * noticeably non-uniform. So
+- *
+- * k = proto_k mod q
+- *
+- * This has the interesting property that it's _deterministic_:
+- * signing the same hash twice with the same key yields the
+- * same signature.
+- *
+- * Despite this determinism, it's still not predictable to an
+- * attacker, because in order to repeat the SHA-512
+- * construction that created it, the attacker would have to
+- * know the private key value x - and by assumption he doesn't,
+- * because if he knew that he wouldn't be attacking k!
+- *
+- * (This trick doesn't, _per se_, protect against reuse of k.
+- * Reuse of k is left to chance; all it does is prevent
+- * _excessively high_ chances of reuse of k due to entropy
+- * problems.)
+- *
+- * Thanks to Colin Plumb for the general idea of using x to
+- * ensure k is hard to guess, and to the Cambridge University
+- * Computer Security Group for helping to argue out all the
+- * fine details.
+- */
+- ssh_hash *h;
+- unsigned char digest512[64];
+-
+- /*
+- * Hash some identifying text plus x.
+- */
+- h = ssh_hash_new(&ssh_sha512);
+- put_asciz(h, id_string);
+- put_mp_ssh2(h, private_key);
+- ssh_hash_digest(h, digest512);
+-
+- /*
+- * Now hash that digest plus the message hash.
+- */
+- ssh_hash_reset(h);
+- put_data(h, digest512, sizeof(digest512));
+- put_data(h, digest, digest_len);
+- ssh_hash_final(h, digest512);
+-
+- /*
+- * Now convert the result into a bignum, and coerce it to the
+- * range [2,q), which we do by reducing it mod q-2 and adding 2.
+- */
+- mp_int *modminus2 = mp_copy(modulus);
+- mp_sub_integer_into(modminus2, modminus2, 2);
+- mp_int *proto_k = mp_from_bytes_be(make_ptrlen(digest512, 64));
+- mp_int *k = mp_mod(proto_k, modminus2);
+- mp_free(proto_k);
+- mp_free(modminus2);
+- mp_add_integer_into(k, k, 2);
+-
+- smemclr(digest512, sizeof(digest512));
+-
+- return k;
+-}
+-
+ static void dsa_sign(ssh_key *key, ptrlen data, unsigned flags, BinarySink *bs)
+ {
+ struct dsa_key *dsa = container_of(key, struct dsa_key, sshk);
+@@ -459,8 +348,9 @@ static void dsa_sign(ssh_key *key, ptrlen data, unsigned flags, BinarySink *bs)
+
+ hash_simple(&ssh_sha1, data, digest);
+
+- mp_int *k = dsa_gen_k("DSA deterministic k generator", dsa->q, dsa->x,
+- digest, sizeof(digest));
++ /* Generate any valid exponent k, using the RFC 6979 deterministic
++ * procedure. */
++ mp_int *k = rfc6979(&ssh_sha1, dsa->q, dsa->x, data);
+ mp_int *kinv = mp_invert(k, dsa->q); /* k^-1 mod q */
+
+ /*
+diff --git a/crypto/ecc-ssh.c b/crypto/ecc-ssh.c
+index d3197866..5fa25189 100644
+--- a/crypto/ecc-ssh.c
++++ b/crypto/ecc-ssh.c
+@@ -1126,16 +1126,10 @@ static void ecdsa_sign(ssh_key *key, ptrlen data,
+
+ mp_int *z = ecdsa_signing_exponent_from_data(ek->curve, extra, data);
+
+- /* Generate k between 1 and curve->n, using the same deterministic
+- * k generation system we use for conventional DSA. */
+- mp_int *k;
+- {
+- unsigned char digest[20];
+- hash_simple(&ssh_sha1, data, digest);
+- k = dsa_gen_k(
+- "ECDSA deterministic k generator", ek->curve->w.G_order,
+- ek->privateKey, digest, sizeof(digest));
+- }
++ /* Generate any valid exponent k, using the RFC 6979 deterministic
++ * procedure. */
++ mp_int *k = rfc6979(
++ extra->hash, ek->curve->w.G_order, ek->privateKey, data);
+
+ WeierstrassPoint *kG = ecc_weierstrass_multiply(ek->curve->w.G, k);
+ mp_int *x;
+diff --git a/crypto/rfc6979.c b/crypto/rfc6979.c
+new file mode 100644
+index 00000000..73e5c924
+--- /dev/null
++++ b/crypto/rfc6979.c
+@@ -0,0 +1,359 @@
++/*
++ * Code to generate 'nonce' values for DSA signature algorithms, in a
++ * deterministic way.
++ */
++
++#include "ssh.h"
++#include "mpint.h"
++#include "misc.h"
++
++/*
++ * All DSA-type signature systems depend on a nonce - a random number
++ * generated during the signing operation.
++ *
++ * This nonce is a weak point of DSA and needs careful protection,
++ * for multiple reasons:
++ *
++ * 1. If an attacker in possession of your public key and a single
++ * signature can find out or guess the nonce you used in that
++ * signature, they can immediately recover your _private key_.
++ *
++ * 2. If you reuse the same nonce in two different signatures, this
++ * will be instantly obvious to the attacker (one of the two
++ * values making up the signature will match), and again, they can
++ * immediately recover the private key as soon as they notice this.
++ *
++ * 3. In at least one system, information about your private key is
++ * leaked merely by generating nonces with a significant bias.
++ *
++ * Attacks #1 and #2 work across all of integer DSA, NIST-style ECDSA,
++ * and EdDSA. The details vary, but the headline effects are the same.
++ *
++ * So we must be very careful with our nonces. They must be generated
++ * with uniform distribution, but also, they must avoid depending on
++ * any random number generator that has the slightest doubt about its
++ * reliability.
++ *
++ * In particular, PuTTY's policy is that for this purpose we don't
++ * _even_ trust the PRNG we use for other cryptography. This is mostly
++ * a concern because of Windows, where system entropy sources are
++ * limited and we have doubts about their trustworthiness
++ * - even CryptGenRandom. PuTTY compensates as best it can with its
++ * own ongoing entropy collection, and we trust that for session keys,
++ * but revealing the private key that goes with a long-term public key
++ * is a far worse outcome than revealing one SSH session key, and for
++ * keeping your private key safe, we don't think the available Windows
++ * entropy gives us enough confidence.
++ *
++ * A common strategy these days (although <hipster>PuTTY was doing it
++ * before it was cool</hipster>) is to avoid using a PRNG based on
++ * system entropy at all. Instead, you use a deterministic PRNG that
++ * starts from a fixed input seed, and in that input seed you include
++ * the message to be signed and the _private key_.
++ *
++ * Including the private key in the seed is counterintuitive, but does
++ * actually make sense. A deterministic nonce generation strategy must
++ * use _some_ piece of input that the attacker doesn't have, or else
++ * they'd be able to repeat the entire computation and construct the
++ * same nonce you did. And the one thing they don't know is the
++ * private key! So we include that in the seed data (under enough
++ * layers of overcautious hashing to protect it against exposure), and
++ * then they _can't_ repeat the same construction. Moreover, if they
++ * _could_, they'd already know the private key, so they wouldn't need
++ * to perform an attack of this kind at all!
++ *
++ * (This trick doesn't, _per se_, protect against reuse of nonces.
++ * That is left to chance, which is enough, because the space of
++ * nonces is large enough to make it adequately unlikely. But it
++ * avoids escalating the reuse risk due to inadequate entropy.)
++ *
++ * For integer DSA and ECDSA, the system we use for deterministic
++ * generation of k is exactly the one specified in RFC 6979. We
++ * switched to this from the old system that PuTTY used to use before
++ * that RFC came out. The old system had a critical bug: it did not
++ * always generate _enough_ data to get uniform distribution, because
++ * its output was a single SHA-512 hash. We could have fixed that
++ * minimally, by concatenating multiple hashes, but it seemed more
++ * sensible to switch to a system that comes with test vectors.
++ *
++ * One downside of RFC 6979 is that it's based on rejection sampling
++ * (that is, you generate a random number and keep retrying until it's
++ * in range). This makes it play badly with our side-channel test
++ * system, which wants every execution trace of a supposedly
++ * constant-time operation to be the same. To work around this
++ * awkwardness, we break up the algorithm further, into a setup phase
++ * and an 'attempt to generate an output' phase, each of which is
++ * individually constant-time.
++ */
++
++struct RFC6979 {
++ /*
++ * Size of the cyclic group over which we're doing DSA.
++ * Equivalently, the multiplicative order of g (for integer DSA)
++ * or the curve's base point (for ECDSA). For integer DSA this is
++ * also the same thing as the small prime q from the key
++ * parameters.
++ *
++ * This pointer is not owned. Freeing this structure will not free
++ * it, and freeing the pointed-to integer before freeing this
++ * structure will make this structure dangerous to use.
++ */
++ mp_int *q;
++
++ /*
++ * The private key integer, which is always the discrete log of
++ * the public key with respect to the group generator.
++ *
++ * This pointer is not owned. Freeing this structure will not free
++ * it, and freeing the pointed-to integer before freeing this
++ * structure will make this structure dangerous to use.
++ */
++ mp_int *x;
++
++ /*
++ * Cached values derived from q: its length in bits, and in bytes.
++ */
++ size_t qbits, qbytes;
++
++ /*
++ * Reusable hash and MAC objects.
++ */
++ ssh_hash *hash;
++ ssh2_mac *mac;
++
++ /*
++ * Cached value: the output length of the hash.
++ */
++ size_t hlen;
++
++ /*
++ * The byte string V used in the algorithm.
++ */
++ unsigned char V[MAX_HASH_LEN];
++
++ /*
++ * The string T to use during each attempt, and how many
++ * hash-sized blocks to fill it with.
++ */
++ size_t T_nblocks;
++ unsigned char *T;
++};
++
++static mp_int *bits2int(ptrlen b, RFC6979 *s)
++{
++ if (b.len > s->qbytes)
++ b.len = s->qbytes;
++ mp_int *x = mp_from_bytes_be(b);
++
++ /*
++ * Rationale for using mp_rshift_fixed_into and not
++ * mp_rshift_safe_into: the shift count is derived from the
++ * difference between the length of the modulus q, and the length
++ * of the input bit string, i.e. between the _sizes_ of things
++ * involved in the protocol. But the sizes aren't secret. Only the
++ * actual values of integers and bit strings of those sizes are
++ * secret. So it's OK for the shift count to be known to an
++ * attacker - they'd know it anyway just from which DSA algorithm
++ * we were using.
++ */
++ if (b.len * 8 > s->qbits)
++ mp_rshift_fixed_into(x, x, b.len * 8 - s->qbits);
++
++ return x;
++}
++
++static void BinarySink_put_int2octets(BinarySink *bs, mp_int *x, RFC6979 *s)
++{
++ mp_int *x_mod_q = mp_mod(x, s->q);
++ for (size_t i = s->qbytes; i-- > 0 ;)
++ put_byte(bs, mp_get_byte(x_mod_q, i));
++ mp_free(x_mod_q);
++}
++
++static void BinarySink_put_bits2octets(BinarySink *bs, ptrlen b, RFC6979 *s)
++{
++ mp_int *x = bits2int(b, s);
++ BinarySink_put_int2octets(bs, x, s);
++ mp_free(x);
++}
++
++#define put_int2octets(bs, x, s) \
++ BinarySink_put_int2octets(BinarySink_UPCAST(bs), x, s)
++#define put_bits2octets(bs, b, s) \
++ BinarySink_put_bits2octets(BinarySink_UPCAST(bs), b, s)
++
++RFC6979 *rfc6979_new(const ssh_hashalg *hashalg, mp_int *q, mp_int *x)
++{
++ /* Make the state structure. */
++ RFC6979 *s = snew(RFC6979);
++ s->q = q;
++ s->x = x;
++ s->qbits = mp_get_nbits(q);
++ s->qbytes = (s->qbits + 7) >> 3;
++ s->hash = ssh_hash_new(hashalg);
++ s->mac = hmac_new_from_hash(hashalg);
++ s->hlen = hashalg->hlen;
++
++ /* In each attempt, we concatenate enough hash blocks to be
++ * greater than qbits in size. */
++ size_t hbits = 8 * s->hlen;
++ s->T_nblocks = (s->qbits + hbits - 1) / hbits;
++ s->T = snewn(s->T_nblocks * s->hlen, unsigned char);
++
++ return s;
++}
++
++void rfc6979_setup(RFC6979 *s, ptrlen message)
++{
++ unsigned char h1[MAX_HASH_LEN];
++ unsigned char K[MAX_HASH_LEN];
++
++ /* 3.2 (a): hash the message to get h1. */
++ ssh_hash_reset(s->hash);
++ put_datapl(s->hash, message);
++ ssh_hash_digest(s->hash, h1);
++
++ /* 3.2 (b): set V to a sequence of 0x01 bytes the same size as the
++ * hash function's output. */
++ memset(s->V, 1, s->hlen);
++
++ /* 3.2 (c): set the initial HMAC key K to all zeroes, again the
++ * same size as the hash function's output. */
++ memset(K, 0, s->hlen);
++ ssh2_mac_setkey(s->mac, make_ptrlen(K, s->hlen));
++
++ /* 3.2 (d): compute the MAC of V, the private key, and h1, with
++ * key K, making a new key to replace K. */
++ ssh2_mac_start(s->mac);
++ put_data(s->mac, s->V, s->hlen);
++ put_byte(s->mac, 0);
++ put_int2octets(s->mac, s->x, s);
++ put_bits2octets(s->mac, make_ptrlen(h1, s->hlen), s);
++ ssh2_mac_genresult(s->mac, K);
++ ssh2_mac_setkey(s->mac, make_ptrlen(K, s->hlen));
++
++ /* 3.2 (e): replace V with its HMAC using the new K. */
++ ssh2_mac_start(s->mac);
++ put_data(s->mac, s->V, s->hlen);
++ ssh2_mac_genresult(s->mac, s->V);
++
++ /* 3.2 (f): repeat step (d), only using the new K in place of the
++ * initial all-zeroes one, and with the extra byte in the middle
++ * of the MAC preimage being 1 rather than 0. */
++ ssh2_mac_start(s->mac);
++ put_data(s->mac, s->V, s->hlen);
++ put_byte(s->mac, 1);
++ put_int2octets(s->mac, s->x, s);
++ put_bits2octets(s->mac, make_ptrlen(h1, s->hlen), s);
++ ssh2_mac_genresult(s->mac, K);
++ ssh2_mac_setkey(s->mac, make_ptrlen(K, s->hlen));
++
++ /* 3.2 (g): repeat step (e), using the again-replaced K. */
++ ssh2_mac_start(s->mac);
++ put_data(s->mac, s->V, s->hlen);
++ ssh2_mac_genresult(s->mac, s->V);
++
++ smemclr(h1, sizeof(h1));
++ smemclr(K, sizeof(K));
++}
++
++RFC6979Result rfc6979_attempt(RFC6979 *s)
++{
++ RFC6979Result result;
++
++ /* 3.2 (h) 1: set T to the empty string */
++ /* 3.2 (h) 2: make lots of output by concatenating MACs of V */
++ for (size_t i = 0; i < s->T_nblocks; i++) {
++ ssh2_mac_start(s->mac);
++ put_data(s->mac, s->V, s->hlen);
++ ssh2_mac_genresult(s->mac, s->V);
++ memcpy(s->T + i * s->hlen, s->V, s->hlen);
++ }
++
++ /* 3.2 (h) 3: if we have a number in [1, q-1], return it ... */
++ result.k = bits2int(make_ptrlen(s->T, s->T_nblocks * s->hlen), s);
++ result.ok = mp_hs_integer(result.k, 1) & ~mp_cmp_hs(result.k, s->q);
++
++ /*
++ * Perturb K and regenerate V ready for the next attempt.
++ *
++ * We do this unconditionally, whether or not the k we just
++ * generated is acceptable. The time cost isn't large compared to
++ * the public-key operation we're going to do next (not to mention
++ * the larger number of these same operations we've already done),
++ * and it makes side-channel testing easier if this function is
++ * constant-time from beginning to end.
++ *
++ * In other rejection-sampling situations, particularly prime
++ * generation, we're not this careful: it's enough to ensure that
++ * _successful_ attempts run in constant time, Failures can do
++ * whatever they like, on the theory that the only information
++ * they _have_ to potentially expose via side channels is
++ * information that was subsequently thrown away without being
++ * used for anything important. (Hence, for example, it's fine to
++ * have multiple different early-exit paths for failures you
++ * detect at different times.)
++ *
++ * But here, the situation is different. Prime generation attempts
++ * are independent of each other. These are not. All our
++ * iterations round this loop use the _same_ secret data set up by
++ * rfc6979_new(), and also, the perturbation step we're about to
++ * compute will be used by the next iteration if there is one. So
++ * it's absolutely _not_ true that a failed iteration deals
++ * exclusively with data that won't contribute to the eventual
++ * output. Hence, we have to be careful about the failures as well
++ * as the successes.
++ *
++ * (Even so, it would be OK to make successes and failures take
++ * different amounts of time, as long as each of those amounts was
++ * consistent. But it's easier for testing to make them the same.)
++ */
++ ssh2_mac_start(s->mac);
++ put_data(s->mac, s->V, s->hlen);
++ put_byte(s->mac, 0);
++ unsigned char K[MAX_HASH_LEN];
++ ssh2_mac_genresult(s->mac, K);
++ ssh2_mac_setkey(s->mac, make_ptrlen(K, s->hlen));
++ smemclr(K, sizeof(K));
++
++ ssh2_mac_start(s->mac);
++ put_data(s->mac, s->V, s->hlen);
++ ssh2_mac_genresult(s->mac, s->V);
++
++ return result;
++}
++
++void rfc6979_free(RFC6979 *s)
++{
++ /* We don't free s->q or s->x: our caller still owns those. */
++
++ ssh_hash_free(s->hash);
++ ssh2_mac_free(s->mac);
++ smemclr(s->T, s->T_nblocks * s->hlen);
++ sfree(s->T);
++
++ /* Clear the whole structure before freeing. Most fields aren't
++ * sensitive (pointers or well-known length values), but V is, and
++ * it's easier to clear the whole lot than fiddle about
++ * identifying the sensitive fields. */
++ smemclr(s, sizeof(*s));
++
++ sfree(s);
++}
++
++mp_int *rfc6979(
++ const ssh_hashalg *hashalg, mp_int *q, mp_int *x, ptrlen message)
++{
++ RFC6979 *s = rfc6979_new(hashalg, q, x);
++ rfc6979_setup(s, message);
++ RFC6979Result result;
++ while (true) {
++ result = rfc6979_attempt(s);
++ if (result.ok)
++ break;
++ else
++ mp_free(result.k);
++ }
++ rfc6979_free(s);
++ return result.k;
++}
+diff --git a/defs.h b/defs.h
+index 286e0c96..8b1f2712 100644
+--- a/defs.h
++++ b/defs.h
+@@ -177,6 +177,8 @@ typedef struct ecdh_key ecdh_key;
+ typedef struct ecdh_keyalg ecdh_keyalg;
+ typedef struct NTRUKeyPair NTRUKeyPair;
+ typedef struct NTRUEncodeSchedule NTRUEncodeSchedule;
++typedef struct RFC6979 RFC6979;
++typedef struct RFC6979Result RFC6979Result;
+
+ typedef struct dlgparam dlgparam;
+ typedef struct dlgcontrol dlgcontrol;
+diff --git a/ssh.h b/ssh.h
+index b33be1c7..dc8ca4b0 100644
+--- a/ssh.h
++++ b/ssh.h
+@@ -629,11 +629,18 @@ mp_int *ssh_rsakex_decrypt(
+ RSAKey *key, const ssh_hashalg *h, ptrlen ciphertext);
+
+ /*
+- * Helper function for k generation in DSA, reused in ECDSA
++ * System for generating k in DSA and ECDSA.
+ */
+-mp_int *dsa_gen_k(const char *id_string,
+- mp_int *modulus, mp_int *private_key,
+- unsigned char *digest, int digest_len);
++struct RFC6979Result {
++ mp_int *k;
++ unsigned ok;
++};
++RFC6979 *rfc6979_new(const ssh_hashalg *hashalg, mp_int *q, mp_int *x);
++void rfc6979_setup(RFC6979 *s, ptrlen message);
++RFC6979Result rfc6979_attempt(RFC6979 *s);
++void rfc6979_free(RFC6979 *s);
++mp_int *rfc6979(const ssh_hashalg *hashalg, mp_int *modulus,
++ mp_int *private_key, ptrlen message);
+
+ struct ssh_cipher {
+ const ssh_cipheralg *vt;
+diff --git a/test/cryptsuite.py b/test/cryptsuite.py
+index 69b492e8..83a2a8f5 100755
+--- a/test/cryptsuite.py
++++ b/test/cryptsuite.py
+@@ -90,6 +90,9 @@ def le_integer(x, nbits):
+ assert nbits % 8 == 0
+ return bytes([0xFF & (x >> (8*n)) for n in range(nbits//8)])
+
++def be_integer(x, nbits):
++ return bytes(reversed(le_integer(x, nbits)))
++
+ @contextlib.contextmanager
+ def queued_random_data(nbytes, seed):
+ hashsize = 512 // 8
+@@ -2075,6 +2078,244 @@ culpa qui officia deserunt mollit anim id est laborum.
+ self.assertFalse(ssh_key_verify(pubkey, badsig0, "hello, again"))
+ self.assertFalse(ssh_key_verify(pubkey, badsigq, "hello, again"))
+
++ def testRFC6979(self):
++ # The test case described in detail in RFC 6979 section A.1.
++ # We can't actually do the _signature_ for this, because it's
++ # based on ECDSA over a finite field of characteristic 2, and
++ # we only support prime-order fields. But we don't need to do
++ # full ECDSA, only generate the same deterministic nonce that
++ # the test case expects.
++ k = rfc6979('sha256',
++ 0x4000000000000000000020108A2E0CC0D99F8A5EF,
++ 0x09A4D6792295A7F730FC3F2B49CBC0F62E862272F, "sample")
++ self.assertEqual(int(k), 0x23AF4074C90A02B3FE61D286D5C87F425E6BDD81B)
++
++ # Selected test cases from the rest of Appendix A.
++ #
++ # We can only use test cases for which we have the appropriate
++ # hash function, so I've left out the test cases based on
++ # SHA-224. (We could easily implement that, but I don't think
++ # it's worth it just for adding further tests of this one
++ # function.) Similarly, I've omitted test cases relating to
++ # ECDSA curves we don't implement: P192, P224, and all the
++ # curves over power-of-2 finite fields.
++ #
++ # Where possible, we also test the actual signature algorithm,
++ # to make sure it delivers the same entire signature as the
++ # test case. This demonstrates that the rfc6979() function is
++ # being called in the right way and the results are being used
++ # as they should be. Here I've had to cut down the test cases
++ # even further, because the RFC specifies test cases with a
++ # cross product of DSA group and hash function, whereas we
++ # have a fixed hash (specified by SSH) for each signature
++ # algorithm. And the RFC is clear that you use the same hash
++ # for nonce generation and actual signing.
++
++ # A.2.1: 1024-bit DSA
++ q = 0x996F967F6C8E388D9E28D01E205FBA957A5698B1
++ x = 0x411602CB19A6CCC34494D79D98EF1E7ED5AF25F7
++ k = rfc6979('sha1', q, x, "sample")
++ self.assertEqual(int(k), 0x7BDB6B0FF756E1BB5D53583EF979082F9AD5BD5B)
++ k = rfc6979('sha256', q, x, "sample")
++ self.assertEqual(int(k), 0x519BA0546D0C39202A7D34D7DFA5E760B318BCFB)
++ k = rfc6979('sha384', q, x, "sample")
++ self.assertEqual(int(k), 0x95897CD7BBB944AA932DBC579C1C09EB6FCFC595)
++ k = rfc6979('sha512', q, x, "sample")
++ self.assertEqual(int(k), 0x09ECE7CA27D0F5A4DD4E556C9DF1D21D28104F8B)
++ k = rfc6979('sha1', q, x, "test")
++ self.assertEqual(int(k), 0x5C842DF4F9E344EE09F056838B42C7A17F4A6433)
++ k = rfc6979('sha256', q, x, "test")
++ self.assertEqual(int(k), 0x5A67592E8128E03A417B0484410FB72C0B630E1A)
++ k = rfc6979('sha384', q, x, "test")
++ self.assertEqual(int(k), 0x220156B761F6CA5E6C9F1B9CF9C24BE25F98CD89)
++ k = rfc6979('sha512', q, x, "test")
++ self.assertEqual(int(k), 0x65D2C2EEB175E370F28C75BFCDC028D22C7DBE9C)
++ # The rest of the public key, for signature testing
++ p = 0x86F5CA03DCFEB225063FF830A0C769B9DD9D6153AD91D7CE27F787C43278B447E6533B86B18BED6E8A48B784A14C252C5BE0DBF60B86D6385BD2F12FB763ED8873ABFD3F5BA2E0A8C0A59082EAC056935E529DAF7C610467899C77ADEDFC846C881870B7B19B2B58F9BE0521A17002E3BDD6B86685EE90B3D9A1B02B782B1779
++ g = 0x07B0F92546150B62514BB771E2A0C0CE387F03BDA6C56B505209FF25FD3C133D89BBCD97E904E09114D9A7DEFDEADFC9078EA544D2E401AEECC40BB9FBBF78FD87995A10A1C27CB7789B594BA7EFB5C4326A9FE59A070E136DB77175464ADCA417BE5DCE2F40D10A46A3A3943F26AB7FD9C0398FF8C76EE0A56826A8A88F1DBD
++ y = 0x5DF5E01DED31D0297E274E1691C192FE5868FEF9E19A84776454B100CF16F65392195A38B90523E2542EE61871C0440CB87C322FC4B4D2EC5E1E7EC766E1BE8D4CE935437DC11C3C8FD426338933EBFE739CB3465F4D3668C5E473508253B1E682F65CBDC4FAE93C2EA212390E54905A86E2223170B44EAA7DA5DD9FFCFB7F3B
++ pubblob = ssh_string(b"ssh-dss") + b"".join(map(ssh2_mpint, [p,q,g,y]))
++ privblob = ssh2_mpint(x)
++ pubkey = ssh_key_new_pub('dsa', pubblob)
++ privkey = ssh_key_new_priv('dsa', pubblob, privblob)
++ sig = ssh_key_sign(privkey, b"sample", 0)
++ # Expected output using SHA-1 as the hash in nonce
++ # construction.
++ r = 0x2E1A0C2562B2912CAAF89186FB0F42001585DA55
++ s = 0x29EFB6B0AFF2D7A68EB70CA313022253B9A88DF5
++ ref_sig = ssh_string(b"ssh-dss") + ssh_string(
++ be_integer(r, 160) + be_integer(s, 160))
++ self.assertEqual(sig, ref_sig)
++ # And the other test string.
++ sig = ssh_key_sign(privkey, b"test", 0)
++ r = 0x42AB2052FD43E123F0607F115052A67DCD9C5C77
++ s = 0x183916B0230D45B9931491D4C6B0BD2FB4AAF088
++ ref_sig = ssh_string(b"ssh-dss") + ssh_string(
++ be_integer(r, 160) + be_integer(s, 160))
++ self.assertEqual(sig, ref_sig)
++
++ # A.2.2: 2048-bit DSA
++ q = 0xF2C3119374CE76C9356990B465374A17F23F9ED35089BD969F61C6DDE9998C1F
++ x = 0x69C7548C21D0DFEA6B9A51C9EAD4E27C33D3B3F180316E5BCAB92C933F0E4DBC
++ k = rfc6979('sha1', q, x, "sample")
++ self.assertEqual(int(k), 0x888FA6F7738A41BDC9846466ABDB8174C0338250AE50CE955CA16230F9CBD53E)
++ k = rfc6979('sha256', q, x, "sample")
++ self.assertEqual(int(k), 0x8926A27C40484216F052F4427CFD5647338B7B3939BC6573AF4333569D597C52)
++ k = rfc6979('sha384', q, x, "sample")
++ self.assertEqual(int(k), 0xC345D5AB3DA0A5BCB7EC8F8FB7A7E96069E03B206371EF7D83E39068EC564920)
++ k = rfc6979('sha512', q, x, "sample")
++ self.assertEqual(int(k), 0x5A12994431785485B3F5F067221517791B85A597B7A9436995C89ED0374668FC)
++ k = rfc6979('sha1', q, x, "test")
++ self.assertEqual(int(k), 0x6EEA486F9D41A037B2C640BC5645694FF8FF4B98D066A25F76BE641CCB24BA4F)
++ k = rfc6979('sha256', q, x, "test")
++ self.assertEqual(int(k), 0x1D6CE6DDA1C5D37307839CD03AB0A5CBB18E60D800937D67DFB4479AAC8DEAD7)
++ k = rfc6979('sha384', q, x, "test")
++ self.assertEqual(int(k), 0x206E61F73DBE1B2DC8BE736B22B079E9DACD974DB00EEBBC5B64CAD39CF9F91C)
++ k = rfc6979('sha512', q, x, "test")
++ self.assertEqual(int(k), 0xAFF1651E4CD6036D57AA8B2A05CCF1A9D5A40166340ECBBDC55BE10B568AA0AA)
++ # The rest of the public key, for signature testing
++ p = 0x9DB6FB5951B66BB6FE1E140F1D2CE5502374161FD6538DF1648218642F0B5C48C8F7A41AADFA187324B87674FA1822B00F1ECF8136943D7C55757264E5A1A44FFE012E9936E00C1D3E9310B01C7D179805D3058B2A9F4BB6F9716BFE6117C6B5B3CC4D9BE341104AD4A80AD6C94E005F4B993E14F091EB51743BF33050C38DE235567E1B34C3D6A5C0CEAA1A0F368213C3D19843D0B4B09DCB9FC72D39C8DE41F1BF14D4BB4563CA28371621CAD3324B6A2D392145BEBFAC748805236F5CA2FE92B871CD8F9C36D3292B5509CA8CAA77A2ADFC7BFD77DDA6F71125A7456FEA153E433256A2261C6A06ED3693797E7995FAD5AABBCFBE3EDA2741E375404AE25B
++ g = 0x5C7FF6B06F8F143FE8288433493E4769C4D988ACE5BE25A0E24809670716C613D7B0CEE6932F8FAA7C44D2CB24523DA53FBE4F6EC3595892D1AA58C4328A06C46A15662E7EAA703A1DECF8BBB2D05DBE2EB956C142A338661D10461C0D135472085057F3494309FFA73C611F78B32ADBB5740C361C9F35BE90997DB2014E2EF5AA61782F52ABEB8BD6432C4DD097BC5423B285DAFB60DC364E8161F4A2A35ACA3A10B1C4D203CC76A470A33AFDCBDD92959859ABD8B56E1725252D78EAC66E71BA9AE3F1DD2487199874393CD4D832186800654760E1E34C09E4D155179F9EC0DC4473F996BDCE6EED1CABED8B6F116F7AD9CF505DF0F998E34AB27514B0FFE7
++ y = 0x667098C654426C78D7F8201EAC6C203EF030D43605032C2F1FA937E5237DBD949F34A0A2564FE126DC8B715C5141802CE0979C8246463C40E6B6BDAA2513FA611728716C2E4FD53BC95B89E69949D96512E873B9C8F8DFD499CC312882561ADECB31F658E934C0C197F2C4D96B05CBAD67381E7B768891E4DA3843D24D94CDFB5126E9B8BF21E8358EE0E0A30EF13FD6A664C0DCE3731F7FB49A4845A4FD8254687972A2D382599C9BAC4E0ED7998193078913032558134976410B89D2C171D123AC35FD977219597AA7D15C1A9A428E59194F75C721EBCBCFAE44696A499AFA74E04299F132026601638CB87AB79190D4A0986315DA8EEC6561C938996BEADF
++ pubblob = ssh_string(b"ssh-dss") + b"".join(map(ssh2_mpint, [p,q,g,y]))
++ privblob = ssh2_mpint(x)
++ pubkey = ssh_key_new_pub('dsa', pubblob)
++ privkey = ssh_key_new_priv('dsa', pubblob, privblob)
++ sig = ssh_key_sign(privkey, b"sample", 0)
++ # Expected output using SHA-1 as the hash in nonce
++ # construction, which is how SSH does things. RFC6979 lists
++ # the following 256-bit values for r and s, but we end up only
++ # using the low 160 bits of each.
++ r = 0x3A1B2DBD7489D6ED7E608FD036C83AF396E290DBD602408E8677DAABD6E7445A
++ s = 0xD26FCBA19FA3E3058FFC02CA1596CDBB6E0D20CB37B06054F7E36DED0CDBBCCF
++ ref_sig = ssh_string(b"ssh-dss") + ssh_string(
++ be_integer(r, 160) + be_integer(s, 160))
++ self.assertEqual(sig, ref_sig)
++ # And the other test string.
++ sig = ssh_key_sign(privkey, b"test", 0)
++ r = 0xC18270A93CFC6063F57A4DFA86024F700D980E4CF4E2CB65A504397273D98EA0
++ s = 0x414F22E5F31A8B6D33295C7539C1C1BA3A6160D7D68D50AC0D3A5BEAC2884FAA
++ ref_sig = ssh_string(b"ssh-dss") + ssh_string(
++ be_integer(r, 160) + be_integer(s, 160))
++ self.assertEqual(sig, ref_sig)
++
++ # A.2.5: ECDSA with NIST P256
++ q = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551
++ x = 0xC9AFA9D845BA75166B5C215767B1D6934E50C3DB36E89B127B8A622B120F6721
++ k = rfc6979('sha1', q, x, "sample")
++ self.assertEqual(int(k), 0x882905F1227FD620FBF2ABF21244F0BA83D0DC3A9103DBBEE43A1FB858109DB4)
++ k = rfc6979('sha256', q, x, "sample")
++ self.assertEqual(int(k), 0xA6E3C57DD01ABE90086538398355DD4C3B17AA873382B0F24D6129493D8AAD60)
++ k = rfc6979('sha384', q, x, "sample")
++ self.assertEqual(int(k), 0x09F634B188CEFD98E7EC88B1AA9852D734D0BC272F7D2A47DECC6EBEB375AAD4)
++ k = rfc6979('sha512', q, x, "sample")
++ self.assertEqual(int(k), 0x5FA81C63109BADB88C1F367B47DA606DA28CAD69AA22C4FE6AD7DF73A7173AA5)
++ k = rfc6979('sha1', q, x, "test")
++ self.assertEqual(int(k), 0x8C9520267C55D6B980DF741E56B4ADEE114D84FBFA2E62137954164028632A2E)
++ k = rfc6979('sha256', q, x, "test")
++ self.assertEqual(int(k), 0xD16B6AE827F17175E040871A1C7EC3500192C4C92677336EC2537ACAEE0008E0)
++ k = rfc6979('sha384', q, x, "test")
++ self.assertEqual(int(k), 0x16AEFFA357260B04B1DD199693960740066C1A8F3E8EDD79070AA914D361B3B8)
++ k = rfc6979('sha512', q, x, "test")
++ self.assertEqual(int(k), 0x6915D11632ACA3C40D5D51C08DAF9C555933819548784480E93499000D9F0B7F)
++ # The public key, for signature testing
++ Ux = 0x60FED4BA255A9D31C961EB74C6356D68C049B8923B61FA6CE669622E60F29FB6
++ Uy = 0x7903FE1008B8BC99A41AE9E95628BC64F2F1B20C2D7E9F5177A3C294D4462299
++ pubblob = ssh_string(b"ecdsa-sha2-nistp256") + ssh_string(b"nistp256") + ssh_string(b'\x04' + be_integer(Ux, 256) + be_integer(Uy, 256))
++ privblob = ssh2_mpint(x)
++ pubkey = ssh_key_new_pub('p256', pubblob)
++ privkey = ssh_key_new_priv('p256', pubblob, privblob)
++ sig = ssh_key_sign(privkey, b"sample", 0)
++ # Expected output using SHA-256
++ r = 0xEFD48B2AACB6A8FD1140DD9CD45E81D69D2C877B56AAF991C34D0EA84EAF3716
++ s = 0xF7CB1C942D657C41D436C7A1B6E29F65F3E900DBB9AFF4064DC4AB2F843ACDA8
++ ref_sig = ssh_string(b"ecdsa-sha2-nistp256") + ssh_string(ssh2_mpint(r) + ssh2_mpint(s))
++ self.assertEqual(sig, ref_sig)
++ # And the other test string
++ sig = ssh_key_sign(privkey, b"test", 0)
++ r = 0xF1ABB023518351CD71D881567B1EA663ED3EFCF6C5132B354F28D3B0B7D38367
++ s = 0x019F4113742A2B14BD25926B49C649155F267E60D3814B4C0CC84250E46F0083
++ ref_sig = ssh_string(b"ecdsa-sha2-nistp256") + ssh_string(ssh2_mpint(r) + ssh2_mpint(s))
++ self.assertEqual(sig, ref_sig)
++
++ # A.2.5: ECDSA with NIST P384
++ q = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFC7634D81F4372DDF581A0DB248B0A77AECEC196ACCC52973
++ x = 0x6B9D3DAD2E1B8C1C05B19875B6659F4DE23C3B667BF297BA9AA47740787137D896D5724E4C70A825F872C9EA60D2EDF5
++ k = rfc6979('sha1', q, x, "sample")
++ self.assertEqual(int(k), 0x4471EF7518BB2C7C20F62EAE1C387AD0C5E8E470995DB4ACF694466E6AB096630F29E5938D25106C3C340045A2DB01A7)
++ k = rfc6979('sha256', q, x, "sample")
++ self.assertEqual(int(k), 0x180AE9F9AEC5438A44BC159A1FCB277C7BE54FA20E7CF404B490650A8ACC414E375572342863C899F9F2EDF9747A9B60)
++ k = rfc6979('sha384', q, x, "sample")
++ self.assertEqual(int(k), 0x94ED910D1A099DAD3254E9242AE85ABDE4BA15168EAF0CA87A555FD56D10FBCA2907E3E83BA95368623B8C4686915CF9)
++ k = rfc6979('sha512', q, x, "sample")
++ self.assertEqual(int(k), 0x92FC3C7183A883E24216D1141F1A8976C5B0DD797DFA597E3D7B32198BD35331A4E966532593A52980D0E3AAA5E10EC3)
++ k = rfc6979('sha1', q, x, "test")
++ self.assertEqual(int(k), 0x66CC2C8F4D303FC962E5FF6A27BD79F84EC812DDAE58CF5243B64A4AD8094D47EC3727F3A3C186C15054492E30698497)
++ k = rfc6979('sha256', q, x, "test")
++ self.assertEqual(int(k), 0x0CFAC37587532347DC3389FDC98286BBA8C73807285B184C83E62E26C401C0FAA48DD070BA79921A3457ABFF2D630AD7)
++ k = rfc6979('sha384', q, x, "test")
++ self.assertEqual(int(k), 0x015EE46A5BF88773ED9123A5AB0807962D193719503C527B031B4C2D225092ADA71F4A459BC0DA98ADB95837DB8312EA)
++ k = rfc6979('sha512', q, x, "test")
++ self.assertEqual(int(k), 0x3780C4F67CB15518B6ACAE34C9F83568D2E12E47DEAB6C50A4E4EE5319D1E8CE0E2CC8A136036DC4B9C00E6888F66B6C)
++ # The public key, for signature testing
++ Ux = 0xEC3A4E415B4E19A4568618029F427FA5DA9A8BC4AE92E02E06AAE5286B300C64DEF8F0EA9055866064A254515480BC13
++ Uy = 0x8015D9B72D7D57244EA8EF9AC0C621896708A59367F9DFB9F54CA84B3F1C9DB1288B231C3AE0D4FE7344FD2533264720
++ pubblob = ssh_string(b"ecdsa-sha2-nistp384") + ssh_string(b"nistp384") + ssh_string(b'\x04' + be_integer(Ux, 384) + be_integer(Uy, 384))
++ privblob = ssh2_mpint(x)
++ pubkey = ssh_key_new_pub('p384', pubblob)
++ privkey = ssh_key_new_priv('p384', pubblob, privblob)
++ sig = ssh_key_sign(privkey, b"sample", 0)
++ # Expected output using SHA-384
++ r = 0x94EDBB92A5ECB8AAD4736E56C691916B3F88140666CE9FA73D64C4EA95AD133C81A648152E44ACF96E36DD1E80FABE46
++ s = 0x99EF4AEB15F178CEA1FE40DB2603138F130E740A19624526203B6351D0A3A94FA329C145786E679E7B82C71A38628AC8
++ ref_sig = ssh_string(b"ecdsa-sha2-nistp384") + ssh_string(ssh2_mpint(r) + ssh2_mpint(s))
++ self.assertEqual(sig, ref_sig)
++ # And the other test string
++ sig = ssh_key_sign(privkey, b"test", 0)
++ r = 0x8203B63D3C853E8D77227FB377BCF7B7B772E97892A80F36AB775D509D7A5FEB0542A7F0812998DA8F1DD3CA3CF023DB
++ s = 0xDDD0760448D42D8A43AF45AF836FCE4DE8BE06B485E9B61B827C2F13173923E06A739F040649A667BF3B828246BAA5A5
++ ref_sig = ssh_string(b"ecdsa-sha2-nistp384") + ssh_string(ssh2_mpint(r) + ssh2_mpint(s))
++ self.assertEqual(sig, ref_sig)
++
++ # A.2.6: ECDSA with NIST P521
++ q = 0x1FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFA51868783BF2F966B7FCC0148F709A5D03BB5C9B8899C47AEBB6FB71E91386409
++ x = 0x0FAD06DAA62BA3B25D2FB40133DA757205DE67F5BB0018FEE8C86E1B68C7E75CAA896EB32F1F47C70855836A6D16FCC1466F6D8FBEC67DB89EC0C08B0E996B83538
++ k = rfc6979('sha1', q, x, "sample")
++ self.assertEqual(int(k), 0x089C071B419E1C2820962321787258469511958E80582E95D8378E0C2CCDB3CB42BEDE42F50E3FA3C71F5A76724281D31D9C89F0F91FC1BE4918DB1C03A5838D0F9)
++ k = rfc6979('sha256', q, x, "sample")
++ self.assertEqual(int(k), 0x0EDF38AFCAAECAB4383358B34D67C9F2216C8382AAEA44A3DAD5FDC9C32575761793FEF24EB0FC276DFC4F6E3EC476752F043CF01415387470BCBD8678ED2C7E1A0)
++ k = rfc6979('sha384', q, x, "sample")
++ self.assertEqual(int(k), 0x1546A108BC23A15D6F21872F7DED661FA8431DDBD922D0DCDB77CC878C8553FFAD064C95A920A750AC9137E527390D2D92F153E66196966EA554D9ADFCB109C4211)
++ k = rfc6979('sha512', q, x, "sample")
++ self.assertEqual(int(k), 0x1DAE2EA071F8110DC26882D4D5EAE0621A3256FC8847FB9022E2B7D28E6F10198B1574FDD03A9053C08A1854A168AA5A57470EC97DD5CE090124EF52A2F7ECBFFD3)
++ k = rfc6979('sha1', q, x, "test")
++ self.assertEqual(int(k), 0x0BB9F2BF4FE1038CCF4DABD7139A56F6FD8BB1386561BD3C6A4FC818B20DF5DDBA80795A947107A1AB9D12DAA615B1ADE4F7A9DC05E8E6311150F47F5C57CE8B222)
++ k = rfc6979('sha256', q, x, "test")
++ self.assertEqual(int(k), 0x01DE74955EFAABC4C4F17F8E84D881D1310B5392D7700275F82F145C61E843841AF09035BF7A6210F5A431A6A9E81C9323354A9E69135D44EBD2FCAA7731B909258)
++ k = rfc6979('sha384', q, x, "test")
++ self.assertEqual(int(k), 0x1F1FC4A349A7DA9A9E116BFDD055DC08E78252FF8E23AC276AC88B1770AE0B5DCEB1ED14A4916B769A523CE1E90BA22846AF11DF8B300C38818F713DADD85DE0C88)
++ k = rfc6979('sha512', q, x, "test")
++ self.assertEqual(int(k), 0x16200813020EC986863BEDFC1B121F605C1215645018AEA1A7B215A564DE9EB1B38A67AA1128B80CE391C4FB71187654AAA3431027BFC7F395766CA988C964DC56D)
++ # The public key, for signature testing
++ Ux = 0x1894550D0785932E00EAA23B694F213F8C3121F86DC97A04E5A7167DB4E5BCD371123D46E45DB6B5D5370A7F20FB633155D38FFA16D2BD761DCAC474B9A2F5023A4
++ Uy = 0x0493101C962CD4D2FDDF782285E64584139C2F91B47F87FF82354D6630F746A28A0DB25741B5B34A828008B22ACC23F924FAAFBD4D33F81EA66956DFEAA2BFDFCF5
++ pubblob = ssh_string(b"ecdsa-sha2-nistp521") + ssh_string(b"nistp521") + ssh_string(b'\x04' + be_integer(Ux, 528) + be_integer(Uy, 528))
++ privblob = ssh2_mpint(x)
++ pubkey = ssh_key_new_pub('p521', pubblob)
++ privkey = ssh_key_new_priv('p521', pubblob, privblob)
++ sig = ssh_key_sign(privkey, b"sample", 0)
++ # Expected output using SHA-512
++ r = 0x0C328FAFCBD79DD77850370C46325D987CB525569FB63C5D3BC53950E6D4C5F174E25A1EE9017B5D450606ADD152B534931D7D4E8455CC91F9B15BF05EC36E377FA
++ s = 0x0617CCE7CF5064806C467F678D3B4080D6F1CC50AF26CA209417308281B68AF282623EAA63E5B5C0723D8B8C37FF0777B1A20F8CCB1DCCC43997F1EE0E44DA4A67A
++ ref_sig = ssh_string(b"ecdsa-sha2-nistp521") + ssh_string(ssh2_mpint(r) + ssh2_mpint(s))
++ self.assertEqual(sig, ref_sig)
++ # And the other test string
++ sig = ssh_key_sign(privkey, b"test", 0)
++ r = 0x13E99020ABF5CEE7525D16B69B229652AB6BDF2AFFCAEF38773B4B7D08725F10CDB93482FDCC54EDCEE91ECA4166B2A7C6265EF0CE2BD7051B7CEF945BABD47EE6D
++ s = 0x1FBD0013C674AA79CB39849527916CE301C66EA7CE8B80682786AD60F98F7E78A19CA69EFF5C57400E3B3A0AD66CE0978214D13BAF4E9AC60752F7B155E2DE4DCE3
++ ref_sig = ssh_string(b"ecdsa-sha2-nistp521") + ssh_string(ssh2_mpint(r) + ssh2_mpint(s))
++ self.assertEqual(sig, ref_sig)
++
+ def testBLAKE2b(self):
+ # The standard test vectors for BLAKE2b (in the separate class
+ # below) don't satisfy me because they only test one hash
+@@ -2381,10 +2622,10 @@ culpa qui officia deserunt mollit anim id est laborum.
+ test_keys = [
+ ('ed25519', 'AAAAC3NzaC1lZDI1NTE5AAAAIM7jupzef6CD0ps2JYxJp9IlwY49oorOseV5z5JFDFKn', 'AAAAIAf4/WRtypofgdNF2vbZOUFE1h4hvjw4tkGJZyOzI7c3', 255, b'0xf4d6e7f6f4479c23f0764ef43cea1711dbfe02aa2b5a32ff925c7c1fbf0f0db,0x27520c4592cf79e5b1ce8aa23d8ec125d2a7498c25369bd283a07fde9cbae3ce', [(0, 'AAAAC3NzaC1lZDI1NTE5AAAAQN73EqfyA4WneqDhgZ98TlRj9V5Wg8zCrMxTLJN1UtyfAnPUJDtfG/U0vOsP8PrnQxd41DDDnxrAXuqJz8rOagc=')]),
+ ('ed448', 'AAAACXNzaC1lZDQ0OAAAADnRI0CQDym5IqUidLNDcSdHe54bYEwqjpjBlab8uKGoe6FRqqejha7+5U/VAHy7BmE23+ju26O9XgA=', 'AAAAObP9klqyiJSJsdFJf+xwZQdkbZGUqXE07K6e5plfRTGjYYkyWJFUNFH4jzIn9xH1TX9z9EGycPaXAA==', 448, b'0x4bf4a2b6586c60d8cdb52c2b45b897f6d2224bc37987489c0d70febb449e8c82964ed5785827be808e44d31dd31e6ff7c99f43e49f419928,0x5ebda3dbeee8df366106bb7c00d54fe5feae85a3a7aa51a17ba8a1b8fca695c1988e2a4c601b9e7b47277143b37422a522b9290f904023d1', [(0, 'AAAACXNzaC1lZDQ0OAAAAHLkSVioGMvLesZp3Tn+Z/sSK0Hl7RHsHP4q9flLzTpZG5h6JDH3VmZBEjTJ6iOLaa0v4FoNt0ng4wAB53WrlQC4h3iAusoGXnPMAKJLmqzplKOCi8HKXk8Xl8fsXbaoyhatv1OZpwJcffmh1x+x+LSgNQA=')]),
+- ('p256', 'AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBHkYQ0sQoq5LbJI1VMWhw3bV43TSYi3WVpqIgKcBKK91TcFFlAMZgceOHQ0xAFYcSczIttLvFu+xkcLXrRd4N7Q=', 'AAAAIQCV/1VqiCsHZm/n+bq7lHEHlyy7KFgZBEbzqYaWtbx48Q==', 256, b'nistp256,0x7918434b10a2ae4b6c923554c5a1c376d5e374d2622dd6569a8880a70128af75,0x4dc14594031981c78e1d0d3100561c49ccc8b6d2ef16efb191c2d7ad177837b4', [(0, 'AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAABIAAAAIAryzHDGi/TcCnbdxZkIYR5EGR6SNYXr/HlQRF8le+/IAAAAIERfzn6eHuBbqWIop2qL8S7DWRB3lenN1iyL10xYQPKw')]),
+- ('p384', 'AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBMYK8PUtfAlJwKaBTIGEuCzH0vqOMa4UbcjrBbTbkGVSUnfo+nuC80NCdj9JJMs1jvfF8GzKLc5z8H3nZyM741/BUFjV7rEHsQFDek4KyWvKkEgKiTlZid19VukNo1q2Hg==', 'AAAAMGsfTmdB4zHdbiQ2euTSdzM6UKEOnrVjMAWwHEYvmG5qUOcBnn62fJDRJy67L+QGdg==', 384, b'nistp384,0xc60af0f52d7c0949c0a6814c8184b82cc7d2fa8e31ae146dc8eb05b4db9065525277e8fa7b82f34342763f4924cb358e,0xf7c5f06cca2dce73f07de767233be35fc15058d5eeb107b101437a4e0ac96bca90480a89395989dd7d56e90da35ab61e', [(0, 'AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAABpAAAAMDmHrtXCADzLvkkWG/duBAHlf6B1mVvdt6F0uzXfsf8Yub8WXNUNVnYq6ovrWPzLggAAADEA9izzwoUuFcXYRJeKcRLZEGMmSDDPzUZb7oZR0UgD1jsMQXs8UfpO31Qur/FDSCRK')]),
+- ('p521', 'AAAAE2VjZHNhLXNoYTItbmlzdHA1MjEAAAAIbmlzdHA1MjEAAACFBAFrGthlKM152vu2Ghk+R7iO9/M6e+hTehNZ6+FBwof4HPkPB2/HHXj5+w5ynWyUrWiX5TI2riuJEIrJErcRH5LglADnJDX2w4yrKZ+wDHSz9lwh9p2F+B5R952es6gX3RJRkGA+qhKpKup8gKx78RMbleX8wgRtIu+4YMUnKb1edREiRg==', 'AAAAQgFh7VNJFUljWhhyAEiL0z+UPs/QggcMTd3Vv2aKDeBdCRl5di8r+BMm39L7bRzxRMEtW5NSKlDtE8MFEGdIE9khsw==', 521, b'nistp521,0x16b1ad86528cd79dafbb61a193e47b88ef7f33a7be8537a1359ebe141c287f81cf90f076fc71d78f9fb0e729d6c94ad6897e53236ae2b89108ac912b7111f92e094,0xe72435f6c38cab299fb00c74b3f65c21f69d85f81e51f79d9eb3a817dd125190603eaa12a92aea7c80ac7bf1131b95e5fcc2046d22efb860c52729bd5e75112246', [(0, 'AAAAE2VjZHNhLXNoYTItbmlzdHA1MjEAAACMAAAAQgCLgvftvwM3CUaigrW0yzmCHoYjC6GLtO+6S91itqpgMEtWPNlaTZH6QQqkgscijWdXx98dDkQao/gcAKVmOZKPXgAAAEIB1PIrsDF1y6poJ/czqujB7NSUWt31v+c2t6UA8m2gTA1ARuVJ9XBGLMdceOTB00Hi9psC2RYFLpaWREOGCeDa6ow=')]),
+- ('dsa', 'AAAAB3NzaC1kc3MAAABhAJyWZzjVddGdyc5JPu/WPrC07vKRAmlqO6TUi49ah96iRcM7/D1aRMVAdYBepQ2mf1fsQTmvoC9KgQa79nN3kHhz0voQBKOuKI1ZAodfVOgpP4xmcXgjaA73Vjz22n4newAAABUA6l7/vIveaiA33YYv+SKcKLQaA8cAAABgbErc8QLw/WDz7mhVRZrU+9x3Tfs68j3eW+B/d7Rz1ZCqMYDk7r/F8dlBdQlYhpQvhuSBgzoFa0+qPvSSxPmutgb94wNqhHlVIUb9ZOJNloNr2lXiPP//Wu51TxXAEvAAAAAAYQCcQ9mufXtZa5RyfwT4NuLivdsidP4HRoLXdlnppfFAbNdbhxE0Us8WZt+a/443bwKnYxgif8dgxv5UROnWTngWu0jbJHpaDcTc9lRyTeSUiZZK312s/Sl7qDk3/Du7RUI=', 'AAAAFGx3ft7G8AQzFsjhle7PWardUXh3', 768, b'0x9c966738d575d19dc9ce493eefd63eb0b4eef29102696a3ba4d48b8f5a87dea245c33bfc3d5a44c54075805ea50da67f57ec4139afa02f4a8106bbf67377907873d2fa1004a3ae288d5902875f54e8293f8c66717823680ef7563cf6da7e277b,0xea5effbc8bde6a2037dd862ff9229c28b41a03c7,0x6c4adcf102f0fd60f3ee6855459ad4fbdc774dfb3af23dde5be07f77b473d590aa3180e4eebfc5f1d94175095886942f86e481833a056b4faa3ef492c4f9aeb606fde3036a8479552146fd64e24d96836bda55e23cffff5aee754f15c012f000,0x9c43d9ae7d7b596b94727f04f836e2e2bddb2274fe074682d77659e9a5f1406cd75b87113452cf1666df9aff8e376f02a76318227fc760c6fe5444e9d64e7816bb48db247a5a0dc4dcf654724de49489964adf5dacfd297ba83937fc3bbb4542', [(0, 'AAAAB3NzaC1kc3MAAAAo0T2t6dr8Qr5DK2B0ETwUa3BhxMLPjLY0ZtlOACmP/kUt3JgByLv+3g==')]),
++ ('p256', 'AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBHkYQ0sQoq5LbJI1VMWhw3bV43TSYi3WVpqIgKcBKK91TcFFlAMZgceOHQ0xAFYcSczIttLvFu+xkcLXrRd4N7Q=', 'AAAAIQCV/1VqiCsHZm/n+bq7lHEHlyy7KFgZBEbzqYaWtbx48Q==', 256, b'nistp256,0x7918434b10a2ae4b6c923554c5a1c376d5e374d2622dd6569a8880a70128af75,0x4dc14594031981c78e1d0d3100561c49ccc8b6d2ef16efb191c2d7ad177837b4', [(0, 'AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAABIAAAAIFrd1bjr4GHfWsM9RNJ+y4Z0eVwpRRv3IvNE2moaA1x3AAAAIFWcwwCE69kS4oybMFEUP4r7qFAY8tSb1o8ItSFcSe2+')]),
++ ('p384', 'AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBMYK8PUtfAlJwKaBTIGEuCzH0vqOMa4UbcjrBbTbkGVSUnfo+nuC80NCdj9JJMs1jvfF8GzKLc5z8H3nZyM741/BUFjV7rEHsQFDek4KyWvKkEgKiTlZid19VukNo1q2Hg==', 'AAAAMGsfTmdB4zHdbiQ2euTSdzM6UKEOnrVjMAWwHEYvmG5qUOcBnn62fJDRJy67L+QGdg==', 384, b'nistp384,0xc60af0f52d7c0949c0a6814c8184b82cc7d2fa8e31ae146dc8eb05b4db9065525277e8fa7b82f34342763f4924cb358e,0xf7c5f06cca2dce73f07de767233be35fc15058d5eeb107b101437a4e0ac96bca90480a89395989dd7d56e90da35ab61e', [(0, 'AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAABoAAAAMFqCJ+gBP4GGc7yCy9F5e4EjkDlvYBYsYWMYFg3Md/ml7Md8pIrN7I0+8bFb99rZjQAAADAsM2kI+QOcgK+oVDaP0qkLRRbWDO1dSU5I2YfETyHVLYFNdRmgdWo6002XTO9jAsk=')]),
++ ('p521', 'AAAAE2VjZHNhLXNoYTItbmlzdHA1MjEAAAAIbmlzdHA1MjEAAACFBAFrGthlKM152vu2Ghk+R7iO9/M6e+hTehNZ6+FBwof4HPkPB2/HHXj5+w5ynWyUrWiX5TI2riuJEIrJErcRH5LglADnJDX2w4yrKZ+wDHSz9lwh9p2F+B5R952es6gX3RJRkGA+qhKpKup8gKx78RMbleX8wgRtIu+4YMUnKb1edREiRg==', 'AAAAQgFh7VNJFUljWhhyAEiL0z+UPs/QggcMTd3Vv2aKDeBdCRl5di8r+BMm39L7bRzxRMEtW5NSKlDtE8MFEGdIE9khsw==', 521, b'nistp521,0x16b1ad86528cd79dafbb61a193e47b88ef7f33a7be8537a1359ebe141c287f81cf90f076fc71d78f9fb0e729d6c94ad6897e53236ae2b89108ac912b7111f92e094,0xe72435f6c38cab299fb00c74b3f65c21f69d85f81e51f79d9eb3a817dd125190603eaa12a92aea7c80ac7bf1131b95e5fcc2046d22efb860c52729bd5e75112246', [(0, 'AAAAE2VjZHNhLXNoYTItbmlzdHA1MjEAAACLAAAAQVBkbaCKivgvc+68CULCdPayjzRUYZdj1G2pLyiPWTdmJKVKF/W1oDAtjMZlP53tqCpGxDdrLoJH2A39k6g5MgNjAAAAQgGrNcesPBw/HMopBQ1JqOG1cSlAzjiFT34FvM68ZhdIjbQ0eHFuYs97RekQ8dpxmkuM88e63ATbZy4yDX06pKgmuQ==')]),
++ ('dsa', 'AAAAB3NzaC1kc3MAAABhAJyWZzjVddGdyc5JPu/WPrC07vKRAmlqO6TUi49ah96iRcM7/D1aRMVAdYBepQ2mf1fsQTmvoC9KgQa79nN3kHhz0voQBKOuKI1ZAodfVOgpP4xmcXgjaA73Vjz22n4newAAABUA6l7/vIveaiA33YYv+SKcKLQaA8cAAABgbErc8QLw/WDz7mhVRZrU+9x3Tfs68j3eW+B/d7Rz1ZCqMYDk7r/F8dlBdQlYhpQvhuSBgzoFa0+qPvSSxPmutgb94wNqhHlVIUb9ZOJNloNr2lXiPP//Wu51TxXAEvAAAAAAYQCcQ9mufXtZa5RyfwT4NuLivdsidP4HRoLXdlnppfFAbNdbhxE0Us8WZt+a/443bwKnYxgif8dgxv5UROnWTngWu0jbJHpaDcTc9lRyTeSUiZZK312s/Sl7qDk3/Du7RUI=', 'AAAAFGx3ft7G8AQzFsjhle7PWardUXh3', 768, b'0x9c966738d575d19dc9ce493eefd63eb0b4eef29102696a3ba4d48b8f5a87dea245c33bfc3d5a44c54075805ea50da67f57ec4139afa02f4a8106bbf67377907873d2fa1004a3ae288d5902875f54e8293f8c66717823680ef7563cf6da7e277b,0xea5effbc8bde6a2037dd862ff9229c28b41a03c7,0x6c4adcf102f0fd60f3ee6855459ad4fbdc774dfb3af23dde5be07f77b473d590aa3180e4eebfc5f1d94175095886942f86e481833a056b4faa3ef492c4f9aeb606fde3036a8479552146fd64e24d96836bda55e23cffff5aee754f15c012f000,0x9c43d9ae7d7b596b94727f04f836e2e2bddb2274fe074682d77659e9a5f1406cd75b87113452cf1666df9aff8e376f02a76318227fc760c6fe5444e9d64e7816bb48db247a5a0dc4dcf654724de49489964adf5dacfd297ba83937fc3bbb4542', [(0, 'AAAAB3NzaC1kc3MAAAAoyCVHLG2QqdMx7NiCWaThx6tDA5mf7UGl+8By0IzmSldBujsGKNs20g==')]),
+ ('rsa', 'AAAAB3NzaC1yc2EAAAABJQAAAGEA2ChX9+mQD/NULFkBrxLDI8d1PHgrInC2u11U4Grqu4oVzKvnFROo6DZeCu6sKhFJE5CnIL7evAthQ9hkXVHDhQ7xGVauzqyHGdIU4/pHRScAYWBv/PZOlNMrSoP/PP91', 'AAAAYCMNdgyGvWpez2EjMLSbQj0nQ3GW8jzvru3zdYwtA3hblNUU9QpWNxDmOMOApkwCzUgsdIPsBxctIeWT2h+v8sVOH+d66LCaNmNR0lp+dQ+iXM67hcGNuxJwRdMupD9ZbQAAADEA7XMrMAb4WuHaFafoTfGrf6Jhdy9Ozjqi1fStuld7Nj9JkoZluiL2dCwIrxqOjwU5AAAAMQDpC1gYiGVSPeDRILr2oxREtXWOsW+/ZZTfZNX7lvoufnp+qvwZPqvZnXQFHyZ8qB0AAAAwQE0wx8TPgcvRVEVv8Wt+o1NFlkJZayWD5hqpe/8AqUMZbqfg/aiso5mvecDLFgfV', 768, b'0x25,0xd82857f7e9900ff3542c5901af12c323c7753c782b2270b6bb5d54e06aeabb8a15ccabe71513a8e8365e0aeeac2a11491390a720bedebc0b6143d8645d51c3850ef11956aeceac8719d214e3fa4745270061606ffcf64e94d32b4a83ff3cff75', [(0, 'AAAAB3NzaC1yc2EAAABgrLSC4635RCsH1b3en58NqLsrH7PKRZyb3YmRasOyr8xIZMSlKZyxNg+kkn9OgBzbH9vChafzarfHyVwtJE2IMt3uwxTIWjwgwH19tc16k8YmNfDzujmB6OFOArmzKJgJ'), (2, 'AAAADHJzYS1zaGEyLTI1NgAAAGAJszr04BZlVBEdRLGOv1rTJwPiid/0I6/MycSH+noahvUH2wjrRhqDuv51F4nKYF5J9vBsEotTSrSF/cnLsliCdvVkEfmvhdcn/jx2LWF2OfjqETiYSc69Dde9UFmAPds='), (4, 'AAAADHJzYS1zaGEyLTUxMgAAAGBxfZ2m+WjvZ5YV5RFm0+w84CgHQ95EPndoAha0PCMc93AUHBmoHnezsJvEGuLovUm35w/0POmUNHI7HzM9PECwXrV0rO6N/HL/oFxJuDYmeqCpjMVmN8QXka+yxs2GEtA=')]),
+ ]
+
+diff --git a/test/testcrypt-func.h b/test/testcrypt-func.h
+index bd007293..cff2b86e 100644
+--- a/test/testcrypt-func.h
++++ b/test/testcrypt-func.h
+@@ -327,6 +327,12 @@ FUNC(opt_val_string, key_components_nth_str,
+ FUNC(opt_val_mpint, key_components_nth_mp, ARG(val_keycomponents, kc),
+ ARG(uint, n))
+
++/*
++ * DSA nonce generation.
++ */
++FUNC(opt_val_mpint, rfc6979, ARG(hashalg, hash), ARG(val_mpint, modulus),
++ ARG(val_mpint, private_key), ARG(val_string_ptrlen, message))
++
+ /*
+ * The ssh_cipher abstraction. The in-place encrypt and decrypt
+ * functions are wrapped to replace them with versions that take one
+diff --git a/test/testsc.c b/test/testsc.c
+index 0a643e97..3e7becb4 100644
+--- a/test/testsc.c
++++ b/test/testsc.c
+@@ -430,6 +430,8 @@ VOLATILE_WRAPPED_DEFN(static, size_t, looplimit, (size_t x))
+ X(argon2) \
+ X(primegen_probabilistic) \
+ X(ntru) \
++ X(rfc6979_setup) \
++ X(rfc6979_attempt) \
+ /* end of list */
+
+ static void test_mp_get_nbits(void)
+@@ -1743,6 +1745,63 @@ static void test_ntru(void)
+ strbuf_free(buffer);
+ }
+
++static void test_rfc6979_setup(void)
++{
++ mp_int *q = mp_new(512);
++ mp_int *x = mp_new(512);
++
++ strbuf *message = strbuf_new();
++ strbuf_append(message, 123);
++
++ RFC6979 *s = rfc6979_new(&ssh_sha256, q, x);
++
++ for (size_t i = 0; i < looplimit(20); i++) {
++ random_read(message->u, message->len);
++ mp_random_fill(q);
++ mp_random_fill(x);
++
++ log_start();
++ rfc6979_setup(s, ptrlen_from_strbuf(message));
++ log_end();
++ }
++
++ rfc6979_free(s);
++ mp_free(q);
++ mp_free(x);
++ strbuf_free(message);
++}
++
++static void test_rfc6979_attempt(void)
++{
++ mp_int *q = mp_new(512);
++ mp_int *x = mp_new(512);
++
++ strbuf *message = strbuf_new();
++ strbuf_append(message, 123);
++
++ RFC6979 *s = rfc6979_new(&ssh_sha256, q, x);
++
++ for (size_t i = 0; i < looplimit(5); i++) {
++ random_read(message->u, message->len);
++ mp_random_fill(q);
++ mp_random_fill(x);
++
++ rfc6979_setup(s, ptrlen_from_strbuf(message));
++
++ for (size_t j = 0; j < looplimit(10); j++) {
++ log_start();
++ RFC6979Result result = rfc6979_attempt(s);
++ mp_free(result.k);
++ log_end();
++ }
++ }
++
++ rfc6979_free(s);
++ mp_free(q);
++ mp_free(x);
++ strbuf_free(message);
++}
++
+ static const struct test tests[] = {
+ #define STRUCT_TEST(X) { #X, test_##X },
+ TESTLIST(STRUCT_TEST)
diff -Nru putty-0.78/debian/patches/series putty-0.78/debian/patches/series
--- putty-0.78/debian/patches/series 2023-12-18 19:13:47.000000000 +0000
+++ putty-0.78/debian/patches/series 2024-07-16 10:44:03.000000000 +0000
@@ -6,3 +6,5 @@
terrapin-warning.patch
remove-fatal-error-reporting-from-scan_kexinit.patch
terrapin-warning-reconfiguration.patch
+0009-Add-an-extra-HMAC-constructor-function.patch
+0010-Switch-to-RFC-6979-for-DSA-nonce-generation.patch
diff -Nru putty-0.78/debian/putty.NEWS putty-0.78/debian/putty.NEWS
--- putty-0.78/debian/putty.NEWS 1970-01-01 00:00:00.000000000 +0000
+++ putty-0.78/debian/putty.NEWS 2024-07-16 10:44:03.000000000 +0000
@@ -0,0 +1,28 @@
+putty (0.78-2+deb12u2) bookworm; urgency=medium
+
+ Previous PuTTY versions were affected by CVE-2024-31497,
+ a critical vulnerability that generates signatures
+ from ECDSA private keys that use the NIST P521 curve.
+ The effect of the vulnerability is to compromise the private key.
+
+ An attacker in possession of a few dozen signed messages and the public
+ key has enough information to deduce the private key, and then forge
+ signatures as if they were made by the victim. This allows the attacker
+ to (for instance) log in to any servers the victim uses that key for.
+ To obtain these signatures, an attacker need only briefly compromise
+ any server the victim uses the key to authenticate to.
+
+ Therefore, if you have any NIST-P521 ECDSA key, we strongly recommend
+ that you replace it with one created with a fixed version of
+ PuTTY. Then, revoke the old public key and remove it from any
+ machine where you use it to log in, so that a signature
+ from the compromised key has no value any more.
+
+ The only affected key type is 521-bit ECDSA. That is, a key that appears
+ in Windows PuTTYgen with ecdsa-sha2-nistp521 at the start of the
+ 'Key fingerprint' box, or is described as 'NIST p521', or has an id
+ starting ecdsa-sha2-nistp521 in the SSH protocol or the key file.
+ Other sizes of ECDSA, and other key algorithms, are unaffected.
+ In particular, Ed25519 is not affected.
+
+ -- Bastien Roucari??s <ro...@debian.org> Mon, 29 Apr 2024 16:55:15 +0000
\ Pas de fin de ligne ?? la fin du fichier
diff -Nru putty-0.78/debian/putty-tools.NEWS putty-0.78/debian/putty-tools.NEWS
--- putty-0.78/debian/putty-tools.NEWS 1970-01-01 00:00:00.000000000 +0000
+++ putty-0.78/debian/putty-tools.NEWS 2024-07-16 10:44:03.000000000 +0000
@@ -0,0 +1,28 @@
+putty (0.78-2+deb12u2) bookworm; urgency=medium
+
+ Previous PuTTY versions were affected by CVE-2024-31497,
+ a critical vulnerability that generates signatures
+ from ECDSA private keys that use the NIST P521 curve.
+ The effect of the vulnerability is to compromise the private key.
+
+ An attacker in possession of a few dozen signed messages and the public
+ key has enough information to deduce the private key, and then forge
+ signatures as if they were made by the victim. This allows the attacker
+ to (for instance) log in to any servers the victim uses that key for.
+ To obtain these signatures, an attacker need only briefly compromise
+ any server the victim uses the key to authenticate to.
+
+ Therefore, if you have any NIST-P521 ECDSA key, we strongly recommend
+ that you replace it with one created with a fixed version of
+ PuTTY. Then, revoke the old public key and remove it from any
+ machine where you use it to log in, so that a signature
+ from the compromised key has no value any more.
+
+ The only affected key type is 521-bit ECDSA. That is, a key that appears
+ in Windows PuTTYgen with ecdsa-sha2-nistp521 at the start of the
+ 'Key fingerprint' box, or is described as 'NIST p521', or has an id
+ starting ecdsa-sha2-nistp521 in the SSH protocol or the key file.
+ Other sizes of ECDSA, and other key algorithms, are unaffected.
+ In particular, Ed25519 is not affected.
+
+ -- Bastien Roucari??s <ro...@debian.org> Mon, 29 Apr 2024 16:55:15 +0000
\ Pas de fin de ligne ?? la fin du fichier
diff -Nru putty-0.78/debian/rules putty-0.78/debian/rules
--- putty-0.78/debian/rules 2023-12-18 19:13:47.000000000 +0000
+++ putty-0.78/debian/rules 2024-07-16 10:44:03.000000000 +0000
@@ -20,6 +20,11 @@
"$(DEB_VENDOR)" "$(DEB_VERSION)" >doc/version.but
$(MAKE) -C debian/build doc
+execute_after_dh_auto_test-arch:
+ifeq (,$(filter nocheck,${DEB_BUILD_OPTIONS} ${DEB_BUILD_PROFILES}))
+ PUTTY_TESTCRYPT=./debian/build/testcrypt python3 ./test/cryptsuite.py
+endif
+
execute_after_dh_auto_clean:
$(MAKE) -C icons clean
if [ -e debian/version.but.save ]; then \
signature.asc
Description: This is a digitally signed message part.
--- End Message ---
