Foone🏳️⚧️ (foone@digipres.club)'s status on Tuesday, 16-Apr-2024 13:10:55 JST
@gsuberland ah, one of the downsides of targeting old OSes: you have to build your own versions of APIs, and you might get it wrong. Whoops.
Graham Sutherland / Polynomial (gsuberland@chaos.social)'s status on Tuesday, 16-Apr-2024 13:10:56 JST
Without digging into the full details of how the determinism stuff interplays with the protocol stack, their solution actually might have worked out ok if they had generated a second hash to fill the last 9 bits.
If they had happened to write this implementation just a month or two later, they could've written it to use CryptGenRandom on XP or later, and fallen back to the deterministic approach on Win9x, and this bug would've been avoided.
Graham Sutherland / Polynomial (gsuberland@chaos.social)'s status on Tuesday, 16-Apr-2024 13:10:57 JST
So as for *why* the PuTTY P-521 bug happened: they wrote the implementation in September 2001, which is a month before Windows XP was released. Win9x had no good random number generator APIs, so they came up with an alternative trick using SHA512 to generate deterministic but non-predictable nonces. But, of course, SHA512 outputs are 512 bits long, not 521 bits, and they just left the other 9 bits at zero, which resulted in this problem. The code was not reviewed since, so it never got fixed.
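The nonce construction Graham describes, as an added illustration that is not from the thread and not PuTTY's source: a hypothetical deterministic generator that feeds a single SHA-512 digest straight in as the 521-bit ECDSA nonce k, so bits 512 through 520 are always zero, beside the widened variant suggested above, which derives two domain-separated SHA-512 outputs (1024 bits) and reduces them modulo the P-521 group order n. The private key and message hashes are constructed placeholders, and `flawed_nonce`, `wider_nonce` and `top_bits_zero_fraction` are names chosen here; RFC 6979 is the standard construction for deterministic nonces and is what a real implementation should use.

```python
import hashlib

# P-521 group order n (FIPS 186-4 / SEC 2 secp521r1), a public curve constant:
# 0x01FF...FFFA51868783BF2F966B7FCC0148F709A5D03BB5C9B8899C47AEBB6FB71E91386409
P521_N = int(
    "01" + "F" * 65
    + "A51868783BF2F966B7FCC0148F709A5D03BB5C9B8899C47AEBB6FB71E91386409",
    16,
)


def flawed_nonce(priv_key: bytes, msg_hash: bytes) -> int:
    """Hypothetical reconstruction of the flawed scheme from the thread: one
    SHA-512 over (private key || message hash), used directly as the 521-bit k.
    The digest is only 512 bits wide, so bits 512..520 of k are always zero."""
    return int.from_bytes(hashlib.sha512(priv_key + msg_hash).digest(), "big")


def wider_nonce(priv_key: bytes, msg_hash: bytes) -> int:
    """The fix suggested in the thread, as an illustration: derive more than
    521 bits (two domain-separated SHA-512 outputs, 1024 bits) and reduce mod n.
    Reducing a 1024-bit value mod a 521-bit n leaves a bias of about 2^-503,
    which is negligible. Not PuTTY's actual fix; see RFC 6979 for the standard."""
    h0 = hashlib.sha512(b"\x00" + priv_key + msg_hash).digest()
    h1 = hashlib.sha512(b"\x01" + priv_key + msg_hash).digest()
    return int.from_bytes(h0 + h1, "big") % P521_N


def top_bits_zero_fraction(nonce_fn, trials: int = 256) -> float:
    """Fraction of generated nonces whose top 9 bits (bits 512..520) are all
    zero. For a uniform k in [0, n) this should be roughly 1/512; for the
    flawed generator it is exactly 1. Uses a constructed placeholder key and
    constructed message hashes so it runs offline."""
    priv = bytes.fromhex("0b" * 66)  # constructed 66-byte placeholder, not a real key
    zero = 0
    for i in range(trials):
        msg_hash = hashlib.sha512(i.to_bytes(4, "big")).digest()  # constructed
        k = nonce_fn(priv, msg_hash)
        if k >> 512 == 0:
            zero += 1
    return zero / trials


if __name__ == "__main__":
    print("n bit length:", P521_N.bit_length())
    print("flawed: top 9 bits zero in", top_bits_zero_fraction(flawed_nonce), "of nonces")
    print("widened: top 9 bits zero in", top_bits_zero_fraction(wider_nonce), "of nonces")
```

The point of the check is that the flaw is not visible from any single nonce, which looks like an ordinary 512-bit value; it is the fact that every signature shares the same 9 known-zero bits that turns a per-signature quirk into a systematic bias.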