static void answer_msg(void *msgv)
{
unsigned char *msg = (unsigned char *)msgv;
unsigned msglen;
void *reply;
int replylen;
msglen = GET_32BIT(msg);
if (msglen > AGENT_MAX_MSGLEN) {
reply = pageant_failure_msg(&replylen);
} else {
reply = pageant_handle_msg(msg + 4, msglen, &replylen, NULL, NULL);
if (replylen > AGENT_MAX_MSGLEN) {
smemclr(reply, replylen);
sfree(reply);
reply = pageant_failure_msg(&replylen);
}
}
/*
* Windows Pageant answers messages in place, by overwriting the
* input message buffer.
*/
memcpy(msg, reply, replylen);
smemclr(reply, replylen);
sfree(reply);
}
/*
* Similar interface to seat_get_userpass_input(), except that here a
* -1 return means that we aren't capable of processing the prompt and
* someone else should do it.
*/
int cmdline_get_passwd_input(prompts_t *p)
{
static bool tried_once = false;
/*
* We only handle prompts which don't echo (which we assume to be
* passwords), and (currently) we only cope with a password prompt
* that comes in a prompt-set on its own.
*/
if (!cmdline_password || p->n_prompts != 1 || p->prompts[0]->echo) {
return -1;
}
/*
* If we've tried once, return utter failure (no more passwords left
* to try).
*/
if (tried_once)
return 0;
prompt_set_result(p->prompts[0], cmdline_password);
smemclr(cmdline_password, strlen(cmdline_password));
sfree(cmdline_password);
cmdline_password = NULL;
tried_once = true;
return 1;
}
void noise_get_heavy(void (*func) (void *, int))
{
HANDLE srch;
WIN32_FIND_DATA finddata;
DWORD pid;
char winpath[MAX_PATH + 3];
BYTE buf[32];
GetWindowsDirectory(winpath, sizeof(winpath));
strcat(winpath, "\\*");
srch = FindFirstFile(winpath, &finddata);
if (srch != INVALID_HANDLE_VALUE) {
do {
func(&finddata, sizeof(finddata));
} while (FindNextFile(srch, &finddata));
FindClose(srch);
}
pid = GetCurrentProcessId();
func(&pid, sizeof(pid));
if (win_read_random(buf, sizeof(buf))) {
func(buf, sizeof(buf));
smemclr(buf, sizeof(buf));
}
read_random_seed(func);
}
static void rsa2_sign(ssh_key *key, ptrlen data,
unsigned flags, BinarySink *bs)
{
RSAKey *rsa = container_of(key, RSAKey, sshk);
unsigned char *bytes;
size_t nbytes;
mp_int *in, *out;
const ssh_hashalg *halg;
const char *sign_alg_name;
halg = rsa2_hash_alg_for_flags(flags, &sign_alg_name);
nbytes = (mp_get_nbits(rsa->modulus) + 7) / 8;
bytes = rsa_pkcs1_signature_string(nbytes, halg, data);
in = mp_from_bytes_be(make_ptrlen(bytes, nbytes));
smemclr(bytes, nbytes);
sfree(bytes);
out = rsa_privkey_op(in, rsa);
mp_free(in);
put_stringz(bs, sign_alg_name);
nbytes = (mp_get_nbits(out) + 7) / 8;
put_uint32(bs, nbytes);
for (size_t i = 0; i < nbytes; i++)
put_byte(bs, mp_get_byte(out, nbytes - 1 - i));
mp_free(out);
}
static void arcfour_stir(ArcfourContext *ctx)
{
unsigned char *junk = snewn(1536, unsigned char);
memset(junk, 0, 1536);
arcfour_block(ctx, junk, 1536);
smemclr(junk, 1536);
sfree(junk);
}
static void append_hex_to_strbuf(strbuf *sb, mp_int *x)
{
if (sb->len > 0)
put_byte(sb, ',');
put_data(sb, "0x", 2);
char *hex = mp_get_hex(x);
size_t hexlen = strlen(hex);
put_data(sb, hex, hexlen);
smemclr(hex, hexlen);
sfree(hex);
}
static void sha512_mpint(SHA512_State * s, Bignum b)
{
unsigned char lenbuf[4];
int len;
len = (bignum_bitcount(b) + 8) / 8;
PUT_32BIT(lenbuf, len);
SHA512_Bytes(s, lenbuf, 4);
while (len-- > 0) {
lenbuf[0] = bignum_byte(b, len);
SHA512_Bytes(s, lenbuf, 1);
}
smemclr(lenbuf, sizeof(lenbuf));
}
void *safegrowarray(void *ptr, size_t *allocated, size_t eltsize,
size_t oldlen, size_t extralen, bool secret)
{
/* The largest value we can safely multiply by eltsize */
assert(eltsize > 0);
size_t maxsize = (~(size_t)0) / eltsize;
size_t oldsize = *allocated;
/* Range-check the input values */
assert(oldsize <= maxsize);
assert(oldlen <= maxsize);
assert(extralen <= maxsize - oldlen);
/* If the size is already enough, don't bother doing anything! */
if (oldsize > oldlen + extralen)
return ptr;
/* Find out how much we need to grow the array by. */
size_t increment = (oldlen + extralen) - oldsize;
/* Invent a new size. We want to grow the array by at least
* 'increment' elements; by at least a fixed number of bytes (to
* get things started when sizes are small); and by some constant
* factor of its old size (to avoid repeated calls to this
* function taking quadratic time overall). */
if (increment < 256 / eltsize)
increment = 256 / eltsize;
if (increment < oldsize / 16)
increment = oldsize / 16;
/* But we also can't grow beyond maxsize. */
size_t maxincr = maxsize - oldsize;
if (increment > maxincr)
increment = maxincr;
size_t newsize = oldsize + increment;
void *toret;
if (secret) {
toret = safemalloc(newsize, eltsize);
memcpy(toret, ptr, oldsize * eltsize);
smemclr(ptr, oldsize * eltsize);
sfree(ptr);
} else {
toret = saferealloc(ptr, newsize, eltsize);
}
*allocated = newsize;
return toret;
}
void openssh_bcrypt(const char *passphrase,
const unsigned char *salt, int saltbytes,
int rounds, unsigned char *out, int outbytes)
{
unsigned char hashed_passphrase[64];
unsigned char block[32], outblock[32];
const unsigned char *thissalt;
int thissaltbytes;
int modulus, residue, i, j, round;
/* Hash the passphrase to get the bcrypt key material */
hash_simple(&ssh_sha512, ptrlen_from_asciz(passphrase), hashed_passphrase);
/* We output key bytes in a scattered fashion to meld all output
* key blocks into all parts of the output. To do this, we pick a
* modulus, and we output the key bytes to indices of out[] in the
* following order: first the indices that are multiples of the
* modulus, then the ones congruent to 1 mod modulus, etc. Each of
* those passes consumes exactly one block output from
* bcrypt_genblock, so we must pick a modulus large enough that at
* most 32 bytes are used in the pass. */
modulus = (outbytes + 31) / 32;
for (residue = 0; residue < modulus; residue++) {
/* Our output block of data is the XOR of all blocks generated
* by bcrypt in the following loop */
memset(outblock, 0, sizeof(outblock));
thissalt = salt;
thissaltbytes = saltbytes;
for (round = 0; round < rounds; round++) {
bcrypt_genblock(round == 0 ? residue+1 : 0,
hashed_passphrase,
thissalt, thissaltbytes, block);
/* Each subsequent bcrypt call reuses the previous one's
* output as its salt */
thissalt = block;
thissaltbytes = 32;
for (i = 0; i < 32; i++)
outblock[i] ^= block[i];
}
for (i = residue, j = 0; i < outbytes; i += modulus, j++)
out[i] = outblock[j];
}
smemclr(&hashed_passphrase, sizeof(hashed_passphrase));
}
static bool rsa2_verify(ssh_key *key, ptrlen sig, ptrlen data)
{
RSAKey *rsa = container_of(key, RSAKey, sshk);
BinarySource src[1];
ptrlen type, in_pl;
mp_int *in, *out;
/* If we need to support variable flags on verify, this is where they go */
const ssh_hashalg *halg = rsa2_hash_alg_for_flags(0, NULL);
/* Start by making sure the key is even long enough to encode a
* signature. If not, everything fails to verify. */
size_t nbytes = (mp_get_nbits(rsa->modulus) + 7) / 8;
if (nbytes < rsa_pkcs1_length_of_fixed_parts(halg))
return false;
BinarySource_BARE_INIT_PL(src, sig);
type = get_string(src);
/*
* RFC 4253 section 6.6: the signature integer in an ssh-rsa
* signature is 'without lengths or padding'. That is, we _don't_
* expect the usual leading zero byte if the topmost bit of the
* first byte is set. (However, because of the possibility of
* BUG_SSH2_RSA_PADDING at the other end, we tolerate it if it's
* there.) So we can't use get_mp_ssh2, which enforces that
* leading-byte scheme; instead we use get_string and
* mp_from_bytes_be, which will tolerate anything.
*/
in_pl = get_string(src);
if (get_err(src) || !ptrlen_eq_string(type, "ssh-rsa"))
return false;
in = mp_from_bytes_be(in_pl);
out = mp_modpow(in, rsa->exponent, rsa->modulus);
mp_free(in);
unsigned diff = 0;
unsigned char *bytes = rsa_pkcs1_signature_string(nbytes, halg, data);
for (size_t i = 0; i < nbytes; i++)
diff |= bytes[nbytes-1 - i] ^ mp_get_byte(out, i);
smemclr(bytes, nbytes);
sfree(bytes);
mp_free(out);
return diff == 0;
}
void cmdline_cleanup(void)
{
int pri;
if (cmdline_password) {
smemclr(cmdline_password, strlen(cmdline_password));
sfree(cmdline_password);
cmdline_password = NULL;
}
for (pri = 0; pri < NPRIORITIES; pri++) {
sfree(saves[pri].params);
saves[pri].params = NULL;
saves[pri].savesize = 0;
saves[pri].nsaved = 0;
}
}
static void add_text_to_passphrase(struct askpass_ctx *ctx, gchar *str)
{
int len = strlen(str);
if (ctx->passlen + len >= ctx->passsize) {
/* Take some care with buffer expansion, because there are
* pieces of passphrase in the old buffer so we should ensure
* realloc doesn't leave a copy lying around in the address
* space. */
int oldsize = ctx->passsize;
char *newbuf;
ctx->passsize = (ctx->passlen + len) * 5 / 4 + 1024;
newbuf = snewn(ctx->passsize, char);
memcpy(newbuf, ctx->passphrase, oldsize);
smemclr(ctx->passphrase, oldsize);
sfree(ctx->passphrase);
ctx->passphrase = newbuf;
}
static mp_int *eddsa_signing_exponent_from_data(
struct eddsa_key *ek, const struct ecsign_extra *extra,
ptrlen r_encoded, ptrlen data)
{
/* Hash (r || public key || message) */
unsigned char hash[MAX_HASH_LEN];
ssh_hash *h = ssh_hash_new(extra->hash);
put_datapl(h, r_encoded);
put_epoint(h, ek->publicKey, ek->curve, true); /* omit string header */
put_datapl(h, data);
ssh_hash_final(h, hash);
/* Convert to an integer */
mp_int *toret = mp_from_bytes_le(make_ptrlen(hash, extra->hash->hlen));
smemclr(hash, extra->hash->hlen);
return toret;
}
void prompt_ensure_result_size(prompt_t *pr, int newlen)
{
if ((int)pr->resultsize < newlen) {
char *newbuf;
newlen = newlen * 5 / 4 + 512; /* avoid too many small allocs */
/*
* We don't use sresize / realloc here, because we will be
* storing sensitive stuff like passwords in here, and we want
* to make sure that the data doesn't get copied around in
* memory without the old copy being destroyed.
*/
newbuf = snewn(newlen, char);
memcpy(newbuf, pr->result, pr->resultsize);
smemclr(pr->result, pr->resultsize);
sfree(pr->result);
pr->result = newbuf;
pr->resultsize = newlen;
}
void bcrypt_genblock(int counter,
const unsigned char hashed_passphrase[64],
const unsigned char *salt, int saltbytes,
unsigned char output[32])
{
unsigned char hashed_salt[64];
/* Hash the input salt with the counter value optionally suffixed
* to get our real 32-byte salt */
ssh_hash *h = ssh_hash_new(&ssh_sha512);
put_data(h, salt, saltbytes);
if (counter)
put_uint32(h, counter);
ssh_hash_final(h, hashed_salt);
bcrypt_hash(hashed_passphrase, 64, hashed_salt, 64, output);
smemclr(&hashed_salt, sizeof(hashed_salt));
}
int main(int argc, char **argv)
{
char *infile = NULL;
Filename *infilename = NULL, *outfilename = NULL;
enum { NOKEYGEN, RSA1, RSA2, DSA } keytype = NOKEYGEN;
char *outfile = NULL, *outfiletmp = NULL;
enum { PRIVATE, PUBLIC, PUBLICO, FP, OPENSSH, SSHCOM } outtype = PRIVATE;
int bits = 2048;
char *comment = NULL, *origcomment = NULL;
int change_passphrase = FALSE;
int errs = FALSE, nogo = FALSE;
int intype = SSH_KEYTYPE_UNOPENABLE;
int sshver = 0;
struct ssh2_userkey *ssh2key = NULL;
struct RSAKey *ssh1key = NULL;
unsigned char *ssh2blob = NULL;
char *ssh2alg = NULL;
const struct ssh_signkey *ssh2algf = NULL;
int ssh2bloblen;
char *passphrase = NULL;
int load_encrypted;
progfn_t progressfn = is_interactive() ? progress_update : no_progress;
/* ------------------------------------------------------------------
* Parse the command line to figure out what we've been asked to do.
*/
/*
* If run with no arguments at all, print the usage message and
* return success.
*/
if (argc <= 1) {
usage(TRUE);
return 0;
}
/*
* Parse command line arguments.
*/
while (--argc) {
char *p = *++argv;
if (*p == '-') {
/*
* An option.
*/
while (p && *++p) {
char c = *p;
switch (c) {
case '-':
/*
* Long option.
*/
{
char *opt, *val;
opt = p++; /* opt will have _one_ leading - */
while (*p && *p != '=')
p++; /* find end of option */
if (*p == '=') {
*p++ = '\0';
val = p;
} else
val = NULL;
if (!strcmp(opt, "-help")) {
if (val) {
errs = TRUE;
fprintf(stderr, "puttygen: option `-%s'"
" expects no argument\n", opt);
} else {
help();
nogo = TRUE;
}
} else if (!strcmp(opt, "-version")) {
if (val) {
errs = TRUE;
fprintf(stderr, "puttygen: option `-%s'"
" expects no argument\n", opt);
} else {
showversion();
nogo = TRUE;
}
} else if (!strcmp(opt, "-pgpfp")) {
if (val) {
errs = TRUE;
fprintf(stderr, "puttygen: option `-%s'"
" expects no argument\n", opt);
} else {
/* support --pgpfp for consistency */
pgp_fingerprints();
nogo = TRUE;
}
}
/*
* For long options requiring an argument, add
* code along the lines of
*
* else if (!strcmp(opt, "-output")) {
* if (!val) {
* errs = TRUE;
* fprintf(stderr, "puttygen: option `-%s'"
* " expects an argument\n", opt);
* } else
* ofile = val;
* }
*/
else {
errs = TRUE;
fprintf(stderr,
"puttygen: no such option `-%s'\n", opt);
}
}
p = NULL;
break;
case 'h':
case 'V':
case 'P':
case 'l':
case 'L':
case 'p':
case 'q':
/*
* Option requiring no parameter.
*/
switch (c) {
case 'h':
help();
nogo = TRUE;
break;
case 'V':
showversion();
nogo = TRUE;
break;
case 'P':
change_passphrase = TRUE;
break;
case 'l':
outtype = FP;
break;
case 'L':
outtype = PUBLICO;
break;
case 'p':
outtype = PUBLIC;
break;
case 'q':
progressfn = no_progress;
break;
}
break;
case 't':
case 'b':
case 'C':
case 'O':
case 'o':
/*
* Option requiring parameter.
*/
p++;
if (!*p && argc > 1)
--argc, p = *++argv;
else if (!*p) {
fprintf(stderr, "puttygen: option `-%c' expects a"
" parameter\n", c);
errs = TRUE;
}
/*
* Now c is the option and p is the parameter.
*/
switch (c) {
case 't':
if (!strcmp(p, "rsa") || !strcmp(p, "rsa2"))
keytype = RSA2, sshver = 2;
else if (!strcmp(p, "rsa1"))
keytype = RSA1, sshver = 1;
else if (!strcmp(p, "dsa") || !strcmp(p, "dss"))
keytype = DSA, sshver = 2;
else {
fprintf(stderr,
"puttygen: unknown key type `%s'\n", p);
errs = TRUE;
}
break;
case 'b':
bits = atoi(p);
break;
case 'C':
comment = p;
break;
case 'O':
if (!strcmp(p, "public"))
outtype = PUBLIC;
else if (!strcmp(p, "public-openssh"))
outtype = PUBLICO;
else if (!strcmp(p, "private"))
outtype = PRIVATE;
else if (!strcmp(p, "fingerprint"))
outtype = FP;
else if (!strcmp(p, "private-openssh"))
outtype = OPENSSH, sshver = 2;
else if (!strcmp(p, "private-sshcom"))
outtype = SSHCOM, sshver = 2;
else {
fprintf(stderr,
"puttygen: unknown output type `%s'\n", p);
errs = TRUE;
}
break;
case 'o':
outfile = p;
break;
}
p = NULL; /* prevent continued processing */
break;
default:
/*
* Unrecognised option.
*/
errs = TRUE;
fprintf(stderr, "puttygen: no such option `-%c'\n", c);
break;
}
}
} else {
/*
* A non-option argument.
*/
if (!infile)
infile = p;
else {
errs = TRUE;
fprintf(stderr, "puttygen: cannot handle more than one"
" input file\n");
}
}
}
if (errs)
return 1;
if (nogo)
return 0;
/*
* If run with at least one argument _but_ not the required
* ones, print the usage message and return failure.
*/
if (!infile && keytype == NOKEYGEN) {
usage(TRUE);
return 1;
}
/* ------------------------------------------------------------------
* Figure out further details of exactly what we're going to do.
*/
/*
* Bomb out if we've been asked to both load and generate a
* key.
*/
if (keytype != NOKEYGEN && infile) {
fprintf(stderr, "puttygen: cannot both load and generate a key\n");
return 1;
}
/*
* We must save the private part when generating a new key.
*/
if (keytype != NOKEYGEN &&
(outtype != PRIVATE && outtype != OPENSSH && outtype != SSHCOM)) {
fprintf(stderr, "puttygen: this would generate a new key but "
"discard the private part\n");
return 1;
}
/*
* Analyse the type of the input file, in case this affects our
* course of action.
*/
if (infile) {
infilename = filename_from_str(infile);
intype = key_type(infilename);
switch (intype) {
/*
* It would be nice here to be able to load _public_
* key files, in any of a number of forms, and (a)
* convert them to other public key types, (b) print
* out their fingerprints. Or, I suppose, for real
* orthogonality, (c) change their comment!
*
* In fact this opens some interesting possibilities.
* Suppose ssh2_userkey_loadpub() were able to load
* public key files as well as extracting the public
* key from private ones. And suppose I did the thing
* I've been wanting to do, where specifying a
* particular private key file for authentication
* causes any _other_ key in the agent to be discarded.
* Then, if you had an agent forwarded to the machine
* you were running Unix PuTTY or Plink on, and you
* needed to specify which of the keys in the agent it
* should use, you could do that by supplying a
* _public_ key file, thus not needing to trust even
* your encrypted private key file to the network. Ooh!
*/
case SSH_KEYTYPE_UNOPENABLE:
case SSH_KEYTYPE_UNKNOWN:
fprintf(stderr, "puttygen: unable to load file `%s': %s\n",
infile, key_type_to_str(intype));
return 1;
case SSH_KEYTYPE_SSH1:
if (sshver == 2) {
fprintf(stderr, "puttygen: conversion from SSH-1 to SSH-2 keys"
" not supported\n");
return 1;
}
sshver = 1;
break;
case SSH_KEYTYPE_SSH2:
case SSH_KEYTYPE_OPENSSH:
case SSH_KEYTYPE_SSHCOM:
if (sshver == 1) {
fprintf(stderr, "puttygen: conversion from SSH-2 to SSH-1 keys"
" not supported\n");
return 1;
}
sshver = 2;
break;
}
}
/*
* Determine the default output file, if none is provided.
*
* This will usually be equal to stdout, except that if the
* input and output file formats are the same then the default
* output is to overwrite the input.
*
* Also in this code, we bomb out if the input and output file
* formats are the same and no other action is performed.
*/
if ((intype == SSH_KEYTYPE_SSH1 && outtype == PRIVATE) ||
(intype == SSH_KEYTYPE_SSH2 && outtype == PRIVATE) ||
(intype == SSH_KEYTYPE_OPENSSH && outtype == OPENSSH) ||
(intype == SSH_KEYTYPE_SSHCOM && outtype == SSHCOM)) {
if (!outfile) {
outfile = infile;
outfiletmp = dupcat(outfile, ".tmp", NULL);
}
if (!change_passphrase && !comment) {
fprintf(stderr, "puttygen: this command would perform no useful"
" action\n");
return 1;
}
} else {
if (!outfile) {
/*
* Bomb out rather than automatically choosing to write
* a private key file to stdout.
*/
if (outtype==PRIVATE || outtype==OPENSSH || outtype==SSHCOM) {
fprintf(stderr, "puttygen: need to specify an output file\n");
return 1;
}
}
}
/*
* Figure out whether we need to load the encrypted part of the
* key. This will be the case if either (a) we need to write
* out a private key format, or (b) the entire input key file
* is encrypted.
*/
if (outtype == PRIVATE || outtype == OPENSSH || outtype == SSHCOM ||
intype == SSH_KEYTYPE_OPENSSH || intype == SSH_KEYTYPE_SSHCOM)
load_encrypted = TRUE;
else
load_encrypted = FALSE;
/* ------------------------------------------------------------------
* Now we're ready to actually do some stuff.
*/
/*
* Either load or generate a key.
*/
if (keytype != NOKEYGEN) {
char *entropy;
char default_comment[80];
struct tm tm;
struct progress prog;
prog.phase = -1;
prog.current = -1;
tm = ltime();
if (keytype == DSA)
strftime(default_comment, 30, "dsa-key-%Y%m%d", &tm);
else
strftime(default_comment, 30, "rsa-key-%Y%m%d", &tm);
random_ref();
entropy = get_random_data(bits / 8);
if (!entropy) {
fprintf(stderr, "puttygen: failed to collect entropy, "
"could not generate key\n");
return 1;
}
random_add_heavynoise(entropy, bits / 8);
smemclr(entropy, bits/8);
sfree(entropy);
if (keytype == DSA) {
struct dss_key *dsskey = snew(struct dss_key);
dsa_generate(dsskey, bits, progressfn, &prog);
ssh2key = snew(struct ssh2_userkey);
ssh2key->data = dsskey;
ssh2key->alg = &ssh_dss;
ssh1key = NULL;
} else {
int main(int argc, char **argv)
{
char *infile = NULL;
Filename *infilename = NULL, *outfilename = NULL;
enum { NOKEYGEN, RSA1, RSA2, DSA, ECDSA, ED25519 } keytype = NOKEYGEN;
char *outfile = NULL, *outfiletmp = NULL;
enum { PRIVATE, PUBLIC, PUBLICO, FP, OPENSSH_AUTO,
OPENSSH_NEW, SSHCOM } outtype = PRIVATE;
int bits = -1;
char *comment = NULL, *origcomment = NULL;
int change_passphrase = FALSE;
int errs = FALSE, nogo = FALSE;
int intype = SSH_KEYTYPE_UNOPENABLE;
int sshver = 0;
struct ssh2_userkey *ssh2key = NULL;
struct RSAKey *ssh1key = NULL;
unsigned char *ssh2blob = NULL;
char *ssh2alg = NULL;
const struct ssh_signkey *ssh2algf = NULL;
int ssh2bloblen;
char *old_passphrase = NULL, *new_passphrase = NULL;
int load_encrypted;
progfn_t progressfn = is_interactive() ? progress_update : no_progress;
const char *random_device = NULL;
/* ------------------------------------------------------------------
* Parse the command line to figure out what we've been asked to do.
*/
/*
* If run with no arguments at all, print the usage message and
* return success.
*/
if (argc <= 1) {
usage(TRUE);
return 0;
}
/*
* Parse command line arguments.
*/
while (--argc) {
char *p = *++argv;
if (*p == '-') {
/*
* An option.
*/
while (p && *++p) {
char c = *p;
switch (c) {
case '-':
/*
* Long option.
*/
{
char *opt, *val;
opt = p++; /* opt will have _one_ leading - */
while (*p && *p != '=')
p++; /* find end of option */
if (*p == '=') {
*p++ = '\0';
val = p;
} else
val = NULL;
if (!strcmp(opt, "-help")) {
if (val) {
errs = TRUE;
fprintf(stderr, "puttygen: option `-%s'"
" expects no argument\n", opt);
} else {
help();
nogo = TRUE;
}
} else if (!strcmp(opt, "-version")) {
if (val) {
errs = TRUE;
fprintf(stderr, "puttygen: option `-%s'"
" expects no argument\n", opt);
} else {
showversion();
nogo = TRUE;
}
} else if (!strcmp(opt, "-pgpfp")) {
if (val) {
errs = TRUE;
fprintf(stderr, "puttygen: option `-%s'"
" expects no argument\n", opt);
} else {
/* support --pgpfp for consistency */
pgp_fingerprints();
nogo = TRUE;
}
} else if (!strcmp(opt, "-old-passphrase")) {
if (!val && argc > 1)
--argc, val = *++argv;
if (!val) {
errs = TRUE;
fprintf(stderr, "puttygen: option `-%s'"
" expects an argument\n", opt);
} else {
old_passphrase = readpassphrase(val);
if (!old_passphrase)
errs = TRUE;
}
} else if (!strcmp(opt, "-new-passphrase")) {
if (!val && argc > 1)
--argc, val = *++argv;
if (!val) {
errs = TRUE;
fprintf(stderr, "puttygen: option `-%s'"
" expects an argument\n", opt);
} else {
new_passphrase = readpassphrase(val);
if (!new_passphrase)
errs = TRUE;
}
} else if (!strcmp(opt, "-random-device")) {
if (!val && argc > 1)
--argc, val = *++argv;
if (!val) {
errs = TRUE;
fprintf(stderr, "puttygen: option `-%s'"
" expects an argument\n", opt);
} else {
random_device = val;
}
} else {
errs = TRUE;
fprintf(stderr,
"puttygen: no such option `-%s'\n", opt);
}
}
p = NULL;
break;
case 'h':
case 'V':
case 'P':
case 'l':
case 'L':
case 'p':
case 'q':
/*
* Option requiring no parameter.
*/
switch (c) {
case 'h':
help();
nogo = TRUE;
break;
case 'V':
showversion();
nogo = TRUE;
break;
case 'P':
change_passphrase = TRUE;
break;
case 'l':
outtype = FP;
break;
case 'L':
outtype = PUBLICO;
break;
case 'p':
outtype = PUBLIC;
break;
case 'q':
progressfn = no_progress;
break;
}
break;
case 't':
case 'b':
case 'C':
case 'O':
case 'o':
/*
* Option requiring parameter.
*/
p++;
if (!*p && argc > 1)
--argc, p = *++argv;
else if (!*p) {
fprintf(stderr, "puttygen: option `-%c' expects a"
" parameter\n", c);
errs = TRUE;
}
/*
* Now c is the option and p is the parameter.
*/
switch (c) {
case 't':
if (!strcmp(p, "rsa") || !strcmp(p, "rsa2"))
keytype = RSA2, sshver = 2;
else if (!strcmp(p, "rsa1"))
keytype = RSA1, sshver = 1;
else if (!strcmp(p, "dsa") || !strcmp(p, "dss"))
keytype = DSA, sshver = 2;
else if (!strcmp(p, "ecdsa"))
keytype = ECDSA, sshver = 2;
else if (!strcmp(p, "ed25519"))
keytype = ED25519, sshver = 2;
else {
fprintf(stderr,
"puttygen: unknown key type `%s'\n", p);
errs = TRUE;
}
break;
case 'b':
bits = atoi(p);
break;
case 'C':
comment = p;
break;
case 'O':
if (!strcmp(p, "public"))
outtype = PUBLIC;
else if (!strcmp(p, "public-openssh"))
outtype = PUBLICO;
else if (!strcmp(p, "private"))
outtype = PRIVATE;
else if (!strcmp(p, "fingerprint"))
outtype = FP;
else if (!strcmp(p, "private-openssh"))
outtype = OPENSSH_AUTO, sshver = 2;
else if (!strcmp(p, "private-openssh-new"))
outtype = OPENSSH_NEW, sshver = 2;
else if (!strcmp(p, "private-sshcom"))
outtype = SSHCOM, sshver = 2;
else {
fprintf(stderr,
"puttygen: unknown output type `%s'\n", p);
errs = TRUE;
}
break;
case 'o':
outfile = p;
break;
}
p = NULL; /* prevent continued processing */
break;
default:
/*
* Unrecognised option.
*/
errs = TRUE;
fprintf(stderr, "puttygen: no such option `-%c'\n", c);
break;
}
}
} else {
/*
* A non-option argument.
*/
if (!infile)
infile = p;
else {
errs = TRUE;
fprintf(stderr, "puttygen: cannot handle more than one"
" input file\n");
}
}
}
if (bits == -1) {
/*
* No explicit key size was specified. Default varies
* depending on key type.
*/
switch (keytype) {
case ECDSA:
bits = 384;
break;
case ED25519:
bits = 256;
break;
default:
bits = DEFAULT_RSADSA_BITS;
break;
}
}
if (keytype == ECDSA && (bits != 256 && bits != 384 && bits != 521)) {
fprintf(stderr, "puttygen: invalid bits for ECDSA, choose 256, 384 or 521\n");
errs = TRUE;
}
if (keytype == ED25519 && (bits != 256)) {
fprintf(stderr, "puttygen: invalid bits for ED25519, choose 256\n");
errs = TRUE;
}
if (keytype == RSA2 || keytype == RSA1 || keytype == DSA) {
if (bits < 256) {
fprintf(stderr, "puttygen: cannot generate %s keys shorter than"
" 256 bits\n", (keytype == DSA ? "DSA" : "RSA"));
errs = TRUE;
} else if (bits < DEFAULT_RSADSA_BITS) {
fprintf(stderr, "puttygen: warning: %s keys shorter than"
" %d bits are probably not secure\n",
(keytype == DSA ? "DSA" : "RSA"), DEFAULT_RSADSA_BITS);
/* but this is just a warning, so proceed anyway */
}
}
if (errs)
return 1;
if (nogo)
return 0;
/*
* If run with at least one argument _but_ not the required
* ones, print the usage message and return failure.
*/
if (!infile && keytype == NOKEYGEN) {
usage(TRUE);
return 1;
}
/* ------------------------------------------------------------------
* Figure out further details of exactly what we're going to do.
*/
/*
* Bomb out if we've been asked to both load and generate a
* key.
*/
if (keytype != NOKEYGEN && infile) {
fprintf(stderr, "puttygen: cannot both load and generate a key\n");
return 1;
}
/*
* We must save the private part when generating a new key.
*/
if (keytype != NOKEYGEN &&
(outtype != PRIVATE && outtype != OPENSSH_AUTO &&
outtype != OPENSSH_NEW && outtype != SSHCOM)) {
fprintf(stderr, "puttygen: this would generate a new key but "
"discard the private part\n");
return 1;
}
/*
* Analyse the type of the input file, in case this affects our
* course of action.
*/
if (infile) {
infilename = filename_from_str(infile);
intype = key_type(infilename);
switch (intype) {
case SSH_KEYTYPE_UNOPENABLE:
case SSH_KEYTYPE_UNKNOWN:
fprintf(stderr, "puttygen: unable to load file `%s': %s\n",
infile, key_type_to_str(intype));
return 1;
case SSH_KEYTYPE_SSH1:
case SSH_KEYTYPE_SSH1_PUBLIC:
if (sshver == 2) {
fprintf(stderr, "puttygen: conversion from SSH-1 to SSH-2 keys"
" not supported\n");
return 1;
}
sshver = 1;
break;
case SSH_KEYTYPE_SSH2:
case SSH_KEYTYPE_SSH2_PUBLIC_RFC4716:
case SSH_KEYTYPE_SSH2_PUBLIC_OPENSSH:
case SSH_KEYTYPE_OPENSSH_PEM:
case SSH_KEYTYPE_OPENSSH_NEW:
case SSH_KEYTYPE_SSHCOM:
if (sshver == 1) {
fprintf(stderr, "puttygen: conversion from SSH-2 to SSH-1 keys"
" not supported\n");
return 1;
}
sshver = 2;
break;
case SSH_KEYTYPE_OPENSSH_AUTO:
default:
assert(0 && "Should never see these types on an input file");
}
}
/*
* Determine the default output file, if none is provided.
*
* This will usually be equal to stdout, except that if the
* input and output file formats are the same then the default
* output is to overwrite the input.
*
* Also in this code, we bomb out if the input and output file
* formats are the same and no other action is performed.
*/
if ((intype == SSH_KEYTYPE_SSH1 && outtype == PRIVATE) ||
(intype == SSH_KEYTYPE_SSH2 && outtype == PRIVATE) ||
(intype == SSH_KEYTYPE_OPENSSH_PEM && outtype == OPENSSH_AUTO) ||
(intype == SSH_KEYTYPE_OPENSSH_NEW && outtype == OPENSSH_NEW) ||
(intype == SSH_KEYTYPE_SSHCOM && outtype == SSHCOM)) {
if (!outfile) {
outfile = infile;
outfiletmp = dupcat(outfile, ".tmp", NULL);
}
if (!change_passphrase && !comment) {
fprintf(stderr, "puttygen: this command would perform no useful"
" action\n");
return 1;
}
} else {
if (!outfile) {
/*
* Bomb out rather than automatically choosing to write
* a private key file to stdout.
*/
if (outtype == PRIVATE || outtype == OPENSSH_AUTO ||
outtype == OPENSSH_NEW || outtype == SSHCOM) {
fprintf(stderr, "puttygen: need to specify an output file\n");
return 1;
}
}
}
/*
* Figure out whether we need to load the encrypted part of the
* key. This will be the case if either (a) we need to write
* out a private key format, or (b) the entire input key file
* is encrypted.
*/
if (outtype == PRIVATE || outtype == OPENSSH_AUTO ||
outtype == OPENSSH_NEW || outtype == SSHCOM ||
intype == SSH_KEYTYPE_OPENSSH_PEM ||
intype == SSH_KEYTYPE_OPENSSH_NEW ||
intype == SSH_KEYTYPE_SSHCOM)
load_encrypted = TRUE;
else
load_encrypted = FALSE;
if (load_encrypted && (intype == SSH_KEYTYPE_SSH1_PUBLIC ||
intype == SSH_KEYTYPE_SSH2_PUBLIC_RFC4716 ||
intype == SSH_KEYTYPE_SSH2_PUBLIC_OPENSSH)) {
fprintf(stderr, "puttygen: cannot perform this action on a "
"public-key-only input file\n");
return 1;
}
/* ------------------------------------------------------------------
* Now we're ready to actually do some stuff.
*/
/*
* Either load or generate a key.
*/
if (keytype != NOKEYGEN) {
char *entropy;
char default_comment[80];
struct tm tm;
struct progress prog;
prog.phase = -1;
prog.current = -1;
tm = ltime();
if (keytype == DSA)
strftime(default_comment, 30, "dsa-key-%Y%m%d", &tm);
else if (keytype == ECDSA)
strftime(default_comment, 30, "ecdsa-key-%Y%m%d", &tm);
else if (keytype == ED25519)
strftime(default_comment, 30, "ed25519-key-%Y%m%d", &tm);
else
strftime(default_comment, 30, "rsa-key-%Y%m%d", &tm);
random_ref();
entropy = get_random_data(bits / 8, random_device);
if (!entropy) {
fprintf(stderr, "puttygen: failed to collect entropy, "
"could not generate key\n");
return 1;
}
random_add_heavynoise(entropy, bits / 8);
smemclr(entropy, bits/8);
sfree(entropy);
if (keytype == DSA) {
struct dss_key *dsskey = snew(struct dss_key);
dsa_generate(dsskey, bits, progressfn, &prog);
ssh2key = snew(struct ssh2_userkey);
ssh2key->data = dsskey;
ssh2key->alg = &ssh_dss;
ssh1key = NULL;
} else if (keytype == ECDSA) {
/*
* Dialog-box function for the main PuTTYgen dialog box.
*/
static int CALLBACK MainDlgProc(HWND hwnd, UINT msg,
WPARAM wParam, LPARAM lParam)
{
static const char generating_msg[] =
"Please wait while a key is generated...";
static const char entropy_msg[] =
"Please generate some randomness by moving the mouse over the blank area.";
struct MainDlgState *state;
switch (msg) {
case WM_INITDIALOG:
if (has_help())
SetWindowLongPtr(hwnd, GWL_EXSTYLE,
GetWindowLongPtr(hwnd, GWL_EXSTYLE) |
WS_EX_CONTEXTHELP);
else {
/*
* If we add a Help button, this is where we destroy it
* if the help file isn't present.
*/
}
SendMessage(hwnd, WM_SETICON, (WPARAM) ICON_BIG,
(LPARAM) LoadIcon(hinst, MAKEINTRESOURCE(200)));
state = snew(struct MainDlgState);
state->generation_thread_exists = FALSE;
state->collecting_entropy = FALSE;
state->entropy = NULL;
state->key_exists = FALSE;
SetWindowLongPtr(hwnd, GWLP_USERDATA, (LONG_PTR) state);
{
HMENU menu, menu1;
menu = CreateMenu();
menu1 = CreateMenu();
AppendMenu(menu1, MF_ENABLED, IDC_LOAD, "&Load private key");
AppendMenu(menu1, MF_ENABLED, IDC_SAVEPUB, "Save p&ublic key");
AppendMenu(menu1, MF_ENABLED, IDC_SAVE, "&Save private key");
AppendMenu(menu1, MF_SEPARATOR, 0, 0);
AppendMenu(menu1, MF_ENABLED, IDC_QUIT, "E&xit");
AppendMenu(menu, MF_POPUP | MF_ENABLED, (UINT) menu1, "&File");
state->filemenu = menu1;
menu1 = CreateMenu();
AppendMenu(menu1, MF_ENABLED, IDC_GENERATE, "&Generate key pair");
AppendMenu(menu1, MF_SEPARATOR, 0, 0);
AppendMenu(menu1, MF_ENABLED, IDC_KEYSSH1, "SSH-&1 key (RSA)");
AppendMenu(menu1, MF_ENABLED, IDC_KEYSSH2RSA, "SSH-2 &RSA key");
AppendMenu(menu1, MF_ENABLED, IDC_KEYSSH2DSA, "SSH-2 &DSA key");
AppendMenu(menu1, MF_ENABLED, IDC_KEYSSH2ECDSA, "SSH-2 &ECDSA key");
AppendMenu(menu, MF_POPUP | MF_ENABLED, (UINT) menu1, "&Key");
state->keymenu = menu1;
menu1 = CreateMenu();
AppendMenu(menu1, MF_ENABLED, IDC_IMPORT, "&Import key");
AppendMenu(menu1, MF_SEPARATOR, 0, 0);
AppendMenu(menu1, MF_ENABLED, IDC_EXPORT_OPENSSH,
"Export &OpenSSH key");
AppendMenu(menu1, MF_ENABLED, IDC_EXPORT_SSHCOM,
"Export &ssh.com key");
AppendMenu(menu, MF_POPUP | MF_ENABLED, (UINT) menu1,
"Con&versions");
state->cvtmenu = menu1;
menu1 = CreateMenu();
AppendMenu(menu1, MF_ENABLED, IDC_ABOUT, "&About");
if (has_help())
AppendMenu(menu1, MF_ENABLED, IDC_GIVEHELP, "&Help");
AppendMenu(menu, MF_POPUP | MF_ENABLED, (UINT) menu1, "&Help");
SetMenu(hwnd, menu);
}
/*
* Centre the window.
*/
{ /* centre the window */
RECT rs, rd;
HWND hw;
hw = GetDesktopWindow();
if (GetWindowRect(hw, &rs) && GetWindowRect(hwnd, &rd))
MoveWindow(hwnd,
(rs.right + rs.left + rd.left - rd.right) / 2,
(rs.bottom + rs.top + rd.top - rd.bottom) / 2,
rd.right - rd.left, rd.bottom - rd.top, TRUE);
}
{
struct ctlpos cp, cp2;
/* Accelerators used: acglops1rbde */
ctlposinit(&cp, hwnd, 4, 4, 4);
beginbox(&cp, "Key", IDC_BOX_KEY);
cp2 = cp;
statictext(&cp2, "No key.", 1, IDC_NOKEY);
cp2 = cp;
statictext(&cp2, "", 1, IDC_GENERATING);
progressbar(&cp2, IDC_PROGRESS);
bigeditctrl(&cp,
"&Public key for pasting into authorized_keys file:",
IDC_PKSTATIC, IDC_KEYDISPLAY, 5);
SendDlgItemMessage(hwnd, IDC_KEYDISPLAY, EM_SETREADONLY, 1, 0);
staticedit(&cp, "Key f&ingerprint:", IDC_FPSTATIC,
IDC_FINGERPRINT, 75);
SendDlgItemMessage(hwnd, IDC_FINGERPRINT, EM_SETREADONLY, 1,
0);
staticedit(&cp, "Key &comment:", IDC_COMMENTSTATIC,
IDC_COMMENTEDIT, 75);
staticpassedit(&cp, "Key p&assphrase:", IDC_PASSPHRASE1STATIC,
IDC_PASSPHRASE1EDIT, 75);
staticpassedit(&cp, "C&onfirm passphrase:",
IDC_PASSPHRASE2STATIC, IDC_PASSPHRASE2EDIT, 75);
endbox(&cp);
beginbox(&cp, "Actions", IDC_BOX_ACTIONS);
staticbtn(&cp, "Generate a public/private key pair",
IDC_GENSTATIC, "&Generate", IDC_GENERATE);
staticbtn(&cp, "Load an existing private key file",
IDC_LOADSTATIC, "&Load", IDC_LOAD);
static2btn(&cp, "Save the generated key", IDC_SAVESTATIC,
"Save p&ublic key", IDC_SAVEPUB,
"&Save private key", IDC_SAVE);
endbox(&cp);
beginbox(&cp, "Parameters", IDC_BOX_PARAMS);
radioline(&cp, "Type of key to generate:", IDC_TYPESTATIC, 4,
"SSH-&1 (RSA)", IDC_KEYSSH1,
"SSH-2 &RSA", IDC_KEYSSH2RSA,
"SSH-2 &DSA", IDC_KEYSSH2DSA,
"SSH-2 &ECDSA", IDC_KEYSSH2ECDSA, NULL);
staticedit(&cp, "Number of &bits in a generated key:",
IDC_BITSSTATIC, IDC_BITS, 20);
endbox(&cp);
}
CheckRadioButton(hwnd, IDC_KEYSSH1, IDC_KEYSSH2ECDSA, IDC_KEYSSH2RSA);
CheckMenuRadioItem(state->keymenu, IDC_KEYSSH1, IDC_KEYSSH2ECDSA,
IDC_KEYSSH2RSA, MF_BYCOMMAND);
SetDlgItemInt(hwnd, IDC_BITS, DEFAULT_KEYSIZE, FALSE);
/*
* Initially, hide the progress bar and the key display,
* and show the no-key display. Also disable the Save
* buttons, because with no key we obviously can't save
* anything.
*/
ui_set_state(hwnd, state, 0);
/*
* Load a key file if one was provided on the command line.
*/
if (cmdline_keyfile) {
Filename *fn = filename_from_str(cmdline_keyfile);
load_key_file(hwnd, state, fn, 0);
filename_free(fn);
}
return 1;
case WM_MOUSEMOVE:
state = (struct MainDlgState *) GetWindowLongPtr(hwnd, GWLP_USERDATA);
if (state->collecting_entropy &&
state->entropy && state->entropy_got < state->entropy_required) {
state->entropy[state->entropy_got++] = lParam;
state->entropy[state->entropy_got++] = GetMessageTime();
SendDlgItemMessage(hwnd, IDC_PROGRESS, PBM_SETPOS,
state->entropy_got, 0);
if (state->entropy_got >= state->entropy_required) {
struct rsa_key_thread_params *params;
DWORD threadid;
/*
* Seed the entropy pool
*/
random_add_heavynoise(state->entropy, state->entropy_size);
smemclr(state->entropy, state->entropy_size);
sfree(state->entropy);
state->collecting_entropy = FALSE;
SetDlgItemText(hwnd, IDC_GENERATING, generating_msg);
SendDlgItemMessage(hwnd, IDC_PROGRESS, PBM_SETRANGE, 0,
MAKELPARAM(0, PROGRESSRANGE));
SendDlgItemMessage(hwnd, IDC_PROGRESS, PBM_SETPOS, 0, 0);
params = snew(struct rsa_key_thread_params);
params->progressbar = GetDlgItem(hwnd, IDC_PROGRESS);
params->dialog = hwnd;
params->keysize = state->keysize;
params->keytype = state->keytype;
params->key = &state->key;
params->dsskey = &state->dsskey;
if (!CreateThread(NULL, 0, generate_rsa_key_thread,
params, 0, &threadid)) {
MessageBox(hwnd, "Out of thread resources",
"Key generation error",
MB_OK | MB_ICONERROR);
sfree(params);
} else {
state->generation_thread_exists = TRUE;
}
}
}
break;
case WM_COMMAND:
switch (LOWORD(wParam)) {
case IDC_KEYSSH1:
case IDC_KEYSSH2RSA:
case IDC_KEYSSH2DSA:
case IDC_KEYSSH2ECDSA:
{
state = (struct MainDlgState *)
GetWindowLongPtr(hwnd, GWLP_USERDATA);
if (!IsDlgButtonChecked(hwnd, LOWORD(wParam)))
CheckRadioButton(hwnd, IDC_KEYSSH1, IDC_KEYSSH2DSA,
LOWORD(wParam));
CheckMenuRadioItem(state->keymenu, IDC_KEYSSH1, IDC_KEYSSH2DSA,
LOWORD(wParam), MF_BYCOMMAND);
CheckRadioButton(hwnd, IDC_KEYSSH1, IDC_KEYSSH2ECDSA,
LOWORD(wParam));
CheckMenuRadioItem(state->keymenu, IDC_KEYSSH1,
IDC_KEYSSH2ECDSA,
LOWORD(wParam), MF_BYCOMMAND);
}
break;
case IDC_QUIT:
PostMessage(hwnd, WM_CLOSE, 0, 0);
break;
case IDC_COMMENTEDIT:
if (HIWORD(wParam) == EN_CHANGE) {
state = (struct MainDlgState *)
GetWindowLongPtr(hwnd, GWLP_USERDATA);
if (state->key_exists) {
HWND editctl = GetDlgItem(hwnd, IDC_COMMENTEDIT);
int len = GetWindowTextLength(editctl);
if (*state->commentptr)
sfree(*state->commentptr);
*state->commentptr = snewn(len + 1, char);
GetWindowText(editctl, *state->commentptr, len + 1);
if (state->ssh2) {
setupbigedit2(hwnd, IDC_KEYDISPLAY, IDC_PKSTATIC,
&state->ssh2key);
} else {
setupbigedit1(hwnd, IDC_KEYDISPLAY, IDC_PKSTATIC,
&state->key);
}
}
}
static char *make_dirname(const char *pi_name, char **logtext)
{
char *name, *parentdirname, *dirname, *err;
/*
* First, create the top-level directory for all shared PuTTY
* connections owned by this user.
*/
parentdirname = make_parentdir_name();
if ((err = make_dir_and_check_ours(parentdirname)) != NULL) {
*logtext = err;
sfree(parentdirname);
return NULL;
}
/*
* Transform the platform-independent version of the connection
* identifier into the name we'll actually use for the directory
* containing the Unix socket.
*
* We do this by hashing the identifier with some user-specific
* secret information, to avoid the privacy leak of having
* "user@host" strings show up in 'netstat -x'. (Irritatingly, the
* full pathname of a Unix-domain socket _does_ show up in the
* 'netstat -x' output, at least on Linux, even if that socket is
* in a directory not readable to the user running netstat. You'd
* think putting things inside an 0700 directory would hide their
* names from other users, but no.)
*
* The secret information we use to salt the hash lives in a file
* inside the top-level directory we just created, so we must
* first create that file (with some fresh random data in it) if
* it's not already been done by a previous PuTTY.
*/
{
unsigned char saltbuf[SALT_SIZE];
char *saltname;
int saltfd, i, ret;
saltname = dupprintf("%s/%s", parentdirname, SALT_FILENAME);
saltfd = open(saltname, O_RDONLY);
if (saltfd < 0) {
char *tmpname;
int pid;
if (errno != ENOENT) {
*logtext = dupprintf("%s: open: %s", saltname,
strerror(errno));
sfree(saltname);
sfree(parentdirname);
return NULL;
}
/*
* The salt file doesn't already exist, so try to create
* it. Another process may be attempting the same thing
* simultaneously, so we must do this carefully: we write
* a salt file under a different name, then hard-link it
* into place, which guarantees that we won't change the
* contents of an existing salt file.
*/
pid = getpid();
for (i = 0;; i++) {
tmpname = dupprintf("%s/%s.tmp.%d.%d",
parentdirname, SALT_FILENAME, pid, i);
saltfd = open(tmpname, O_WRONLY | O_EXCL | O_CREAT, 0400);
if (saltfd >= 0)
break;
if (errno != EEXIST) {
*logtext = dupprintf("%s: open: %s", tmpname,
strerror(errno));
sfree(tmpname);
sfree(saltname);
sfree(parentdirname);
return NULL;
}
sfree(tmpname); /* go round and try again with i+1 */
}
/*
* Invent some random data.
*/
for (i = 0; i < SALT_SIZE; i++) {
saltbuf[i] = random_byte();
}
ret = write(saltfd, saltbuf, SALT_SIZE);
/* POSIX atomicity guarantee: because we wrote less than
* PIPE_BUF bytes, the write either completed in full or
* failed. */
assert(SALT_SIZE < PIPE_BUF);
assert(ret < 0 || ret == SALT_SIZE);
if (ret < 0) {
close(saltfd);
*logtext = dupprintf("%s: write: %s", tmpname,
strerror(errno));
sfree(tmpname);
sfree(saltname);
sfree(parentdirname);
return NULL;
}
if (close(saltfd) < 0) {
*logtext = dupprintf("%s: close: %s", tmpname,
strerror(errno));
sfree(tmpname);
sfree(saltname);
sfree(parentdirname);
return NULL;
}
/*
* Now attempt to hard-link our temp file into place. We
* tolerate EEXIST as an outcome, because that just means
* another PuTTY got their attempt in before we did (and
* we only care that there is a valid salt file we can
* agree on, no matter who created it).
*/
if (link(tmpname, saltname) < 0 && errno != EEXIST) {
*logtext = dupprintf("%s: link: %s", saltname,
strerror(errno));
sfree(tmpname);
sfree(saltname);
sfree(parentdirname);
return NULL;
}
/*
* Whether that succeeded or not, get rid of our temp file.
*/
if (unlink(tmpname) < 0) {
*logtext = dupprintf("%s: unlink: %s", tmpname,
strerror(errno));
sfree(tmpname);
sfree(saltname);
sfree(parentdirname);
return NULL;
}
/*
* And now we've arranged for there to be a salt file, so
* we can try to open it for reading again and this time
* expect it to work.
*/
sfree(tmpname);
saltfd = open(saltname, O_RDONLY);
if (saltfd < 0) {
*logtext = dupprintf("%s: open: %s", saltname,
strerror(errno));
sfree(saltname);
sfree(parentdirname);
return NULL;
}
}
for (i = 0; i < SALT_SIZE; i++) {
ret = read(saltfd, saltbuf, SALT_SIZE);
if (ret <= 0) {
close(saltfd);
*logtext = dupprintf("%s: read: %s", saltname,
ret == 0 ? "unexpected EOF" :
strerror(errno));
sfree(saltname);
sfree(parentdirname);
return NULL;
}
assert(0 < ret && ret <= SALT_SIZE - i);
i += ret;
}
close(saltfd);
sfree(saltname);
/*
* Now we've got our salt, hash it with the connection
* identifier to produce our actual socket name.
*/
{
SHA256_State sha;
unsigned len;
unsigned char lenbuf[4];
unsigned char digest[32];
char retbuf[65];
SHA256_Init(&sha);
PUT_32BIT(lenbuf, SALT_SIZE);
SHA256_Bytes(&sha, lenbuf, 4);
SHA256_Bytes(&sha, saltbuf, SALT_SIZE);
len = strlen(pi_name);
PUT_32BIT(lenbuf, len);
SHA256_Bytes(&sha, lenbuf, 4);
SHA256_Bytes(&sha, pi_name, len);
SHA256_Final(&sha, digest);
/*
* And make it printable.
*/
for (i = 0; i < 32; i++) {
sprintf(retbuf + 2*i, "%02x", digest[i]);
/* the last of those will also write the trailing NUL */
}
name = dupstr(retbuf);
}
smemclr(saltbuf, sizeof(saltbuf));
}
dirname = dupprintf("%s/%s", parentdirname, name);
sfree(parentdirname);
sfree(name);
return dirname;
}
static void win_add_keyfile(Filename *filename)
{
char *err;
int ret;
char *passphrase = NULL;
/*
* Try loading the key without a passphrase. (Or rather, without a
* _new_ passphrase; pageant_add_keyfile will take care of trying
* all the passphrases we've already stored.)
*/
ret = pageant_add_keyfile(filename, NULL, &err);
if (ret == PAGEANT_ACTION_OK) {
goto done;
} else if (ret == PAGEANT_ACTION_FAILURE) {
goto error;
}
/*
* OK, a passphrase is needed, and we've been given the key
* comment to use in the passphrase prompt.
*/
while (1) {
INT_PTR dlgret;
struct PassphraseProcStruct pps;
pps.passphrase = &passphrase;
pps.comment = err;
// region tray-fatty
dlgret = DialogBoxParam(
hinst, MAKEINTRESOURCE(910), NULL, PassphraseProc, (LPARAM)&pps);
// endregion
passphrase_box = NULL;
if (!dlgret)
goto done; /* operation cancelled */
sfree(err);
assert(passphrase != NULL);
ret = pageant_add_keyfile(filename, passphrase, &err);
if (ret == PAGEANT_ACTION_OK) {
goto done;
} else if (ret == PAGEANT_ACTION_FAILURE) {
goto error;
}
smemclr(passphrase, strlen(passphrase));
sfree(passphrase);
passphrase = NULL;
}
error:
message_box(
err, APPNAME, MB_OK | MB_ICONERROR, HELPCTXID(errors_cantloadkey));
done:
if (passphrase) {
smemclr(passphrase, strlen(passphrase));
sfree(passphrase);
}
sfree(err);
return;
}
Bignum *dss_gen_k(const char *id_string, Bignum modulus, Bignum private_key,
unsigned char *digest, int digest_len)
{
/*
* The basic DSS signing algorithm is:
*
* - invent a random k between 1 and q-1 (exclusive).
* - Compute r = (g^k mod p) mod q.
* - Compute s = k^-1 * (hash + x*r) mod q.
*
* This has the dangerous properties that:
*
* - if an attacker in possession of the public key _and_ the
* signature (for example, the host you just authenticated
* to) can guess your k, he can reverse the computation of s
* and work out x = r^-1 * (s*k - hash) mod q. That is, he
* can deduce the private half of your key, and masquerade
* as you for as long as the key is still valid.
*
* - since r is a function purely of k and the public key, if
* the attacker only has a _range of possibilities_ for k
* it's easy for him to work through them all and check each
* one against r; he'll never be unsure of whether he's got
* the right one.
*
* - if you ever sign two different hashes with the same k, it
* will be immediately obvious because the two signatures
* will have the same r, and moreover an attacker in
* possession of both signatures (and the public key of
* course) can compute k = (hash1-hash2) * (s1-s2)^-1 mod q,
* and from there deduce x as before.
*
* - the Bleichenbacher attack on DSA makes use of methods of
* generating k which are significantly non-uniformly
* distributed; in particular, generating a 160-bit random
* number and reducing it mod q is right out.
*
* For this reason we must be pretty careful about how we
* generate our k. Since this code runs on Windows, with no
* particularly good system entropy sources, we can't trust our
* RNG itself to produce properly unpredictable data. Hence, we
* use a totally different scheme instead.
*
* What we do is to take a SHA-512 (_big_) hash of the private
* key x, and then feed this into another SHA-512 hash that
* also includes the message hash being signed. That is:
*
* proto_k = SHA512 ( SHA512(x) || SHA160(message) )
*
* This number is 512 bits long, so reducing it mod q won't be
* noticeably non-uniform. So
*
* k = proto_k mod q
*
* This has the interesting property that it's _deterministic_:
* signing the same hash twice with the same key yields the
* same signature.
*
* Despite this determinism, it's still not predictable to an
* attacker, because in order to repeat the SHA-512
* construction that created it, the attacker would have to
* know the private key value x - and by assumption he doesn't,
* because if he knew that he wouldn't be attacking k!
*
* (This trick doesn't, _per se_, protect against reuse of k.
* Reuse of k is left to chance; all it does is prevent
* _excessively high_ chances of reuse of k due to entropy
* problems.)
*
* Thanks to Colin Plumb for the general idea of using x to
* ensure k is hard to guess, and to the Cambridge University
* Computer Security Group for helping to argue out all the
* fine details.
*/
SHA512_State ss;
unsigned char digest512[64];
Bignum proto_k, k;
/*
* Hash some identifying text plus x.
*/
SHA512_Init(&ss);
SHA512_Bytes(&ss, id_string, strlen(id_string) + 1);
sha512_mpint(&ss, private_key);
SHA512_Final(&ss, digest512);
/*
* Now hash that digest plus the message hash.
*/
SHA512_Init(&ss);
SHA512_Bytes(&ss, digest512, sizeof(digest512));
SHA512_Bytes(&ss, digest, digest_len);
while (1) {
SHA512_State ss2 = ss; /* structure copy */
SHA512_Final(&ss2, digest512);
smemclr(&ss2, sizeof(ss2));
/*
* Now convert the result into a bignum, and reduce it mod q.
*/
proto_k = bignum_from_bytes(digest512, 64);
k = bigmod(proto_k, modulus);
freebn(proto_k);
if (bignum_cmp(k, One) != 0 && bignum_cmp(k, Zero) != 0) {
smemclr(&ss, sizeof(ss));
smemclr(digest512, sizeof(digest512));
return k;
}
/* Very unlikely we get here, but if so, k was unsuitable. */
freebn(k);
/* Perturb the hash to think of a different k. */
SHA512_Bytes(&ss, "x", 1);
/* Go round and try again. */
}
}
static int loadrsakey_main(FILE * fp, struct RSAKey *key, int pub_only,
char **commentptr, char *passphrase,
const char **error)
{
unsigned char buf[16384];
unsigned char keybuf[16];
int len;
int i, j, ciphertype;
int ret = 0;
struct MD5Context md5c;
char *comment;
*error = NULL;
/* Slurp the whole file (minus the header) into a buffer. */
len = fread(buf, 1, sizeof(buf), fp);
fclose(fp);
if (len < 0 || len == sizeof(buf)) {
*error = "error reading file";
goto end; /* file too big or not read */
}
i = 0;
*error = "file format error";
/*
* A zero byte. (The signature includes a terminating NUL.)
*/
if (len - i < 1 || buf[i] != 0)
goto end;
i++;
/* One byte giving encryption type, and one reserved uint32. */
if (len - i < 1)
goto end;
ciphertype = buf[i];
if (ciphertype != 0 && ciphertype != SSH_CIPHER_3DES)
goto end;
i++;
if (len - i < 4)
goto end; /* reserved field not present */
if (buf[i] != 0 || buf[i + 1] != 0 || buf[i + 2] != 0
|| buf[i + 3] != 0) goto end; /* reserved field nonzero, panic! */
i += 4;
/* Now the serious stuff. An ordinary SSH-1 public key. */
j = makekey(buf + i, len - i, key, NULL, 1);
if (j < 0)
goto end; /* overran */
i += j;
/* Next, the comment field. */
j = toint(GET_32BIT(buf + i));
i += 4;
if (j < 0 || len - i < j)
goto end;
comment = snewn(j + 1, char);
if (comment) {
memcpy(comment, buf + i, j);
comment[j] = '\0';
}
i += j;
if (commentptr)
*commentptr = dupstr(comment);
if (key)
key->comment = comment;
else
sfree(comment);
if (pub_only) {
ret = 1;
goto end;
}
if (!key) {
ret = ciphertype != 0;
*error = NULL;
goto end;
}
/*
* Decrypt remainder of buffer.
*/
if (ciphertype) {
MD5Init(&md5c);
MD5Update(&md5c, (unsigned char *)passphrase, strlen(passphrase));
MD5Final(keybuf, &md5c);
des3_decrypt_pubkey(keybuf, buf + i, (len - i + 7) & ~7);
smemclr(keybuf, sizeof(keybuf)); /* burn the evidence */
}
/*
* We are now in the secret part of the key. The first four
* bytes should be of the form a, b, a, b.
*/
if (len - i < 4)
goto end;
if (buf[i] != buf[i + 2] || buf[i + 1] != buf[i + 3]) {
*error = "wrong passphrase";
ret = -1;
goto end;
}
i += 4;
/*
* After that, we have one further bignum which is our
* decryption exponent, and then the three auxiliary values
* (iqmp, q, p).
*/
j = makeprivate(buf + i, len - i, key);
if (j < 0) goto end;
i += j;
j = ssh1_read_bignum(buf + i, len - i, &key->iqmp);
if (j < 0) goto end;
i += j;
j = ssh1_read_bignum(buf + i, len - i, &key->q);
if (j < 0) goto end;
i += j;
j = ssh1_read_bignum(buf + i, len - i, &key->p);
if (j < 0) goto end;
i += j;
if (!rsa_verify(key)) {
*error = "rsa_verify failed";
freersakey(key);
ret = 0;
} else
ret = 1;
end:
smemclr(buf, sizeof(buf)); /* burn the evidence */
return ret;
}
static unsigned char *dss_sign(void *key, char *data, int datalen, int *siglen)
{
/*
* The basic DSS signing algorithm is:
*
* - invent a random k between 1 and q-1 (exclusive).
* - Compute r = (g^k mod p) mod q.
* - Compute s = k^-1 * (hash + x*r) mod q.
*
* This has the dangerous properties that:
*
* - if an attacker in possession of the public key _and_ the
* signature (for example, the host you just authenticated
* to) can guess your k, he can reverse the computation of s
* and work out x = r^-1 * (s*k - hash) mod q. That is, he
* can deduce the private half of your key, and masquerade
* as you for as long as the key is still valid.
*
* - since r is a function purely of k and the public key, if
* the attacker only has a _range of possibilities_ for k
* it's easy for him to work through them all and check each
* one against r; he'll never be unsure of whether he's got
* the right one.
*
* - if you ever sign two different hashes with the same k, it
* will be immediately obvious because the two signatures
* will have the same r, and moreover an attacker in
* possession of both signatures (and the public key of
* course) can compute k = (hash1-hash2) * (s1-s2)^-1 mod q,
* and from there deduce x as before.
*
* - the Bleichenbacher attack on DSA makes use of methods of
* generating k which are significantly non-uniformly
* distributed; in particular, generating a 160-bit random
* number and reducing it mod q is right out.
*
* For this reason we must be pretty careful about how we
* generate our k. Since this code runs on Windows, with no
* particularly good system entropy sources, we can't trust our
* RNG itself to produce properly unpredictable data. Hence, we
* use a totally different scheme instead.
*
* What we do is to take a SHA-512 (_big_) hash of the private
* key x, and then feed this into another SHA-512 hash that
* also includes the message hash being signed. That is:
*
* proto_k = SHA512 ( SHA512(x) || SHA160(message) )
*
* This number is 512 bits long, so reducing it mod q won't be
* noticeably non-uniform. So
*
* k = proto_k mod q
*
* This has the interesting property that it's _deterministic_:
* signing the same hash twice with the same key yields the
* same signature.
*
* Despite this determinism, it's still not predictable to an
* attacker, because in order to repeat the SHA-512
* construction that created it, the attacker would have to
* know the private key value x - and by assumption he doesn't,
* because if he knew that he wouldn't be attacking k!
*
* (This trick doesn't, _per se_, protect against reuse of k.
* Reuse of k is left to chance; all it does is prevent
* _excessively high_ chances of reuse of k due to entropy
* problems.)
*
* Thanks to Colin Plumb for the general idea of using x to
* ensure k is hard to guess, and to the Cambridge University
* Computer Security Group for helping to argue out all the
* fine details.
*/
dss_key *dss = (dss_key *) key;
SHA512_State ss;
unsigned char digest[20], digest512[64];
Bignum proto_k, k, gkp, hash, kinv, hxr, r, s;
unsigned char *bytes;
int nbytes, i;
SHA_Simple(data, datalen, digest);
/*
* Hash some identifying text plus x.
*/
SHA512_Init(&ss);
SHA512_Bytes(&ss, "DSA deterministic k generator", 30);
sha512_mpint(&ss, dss->x);
SHA512_Final(&ss, digest512);
/*
* Now hash that digest plus the message hash.
*/
SHA512_Init(&ss);
SHA512_Bytes(&ss, digest512, sizeof(digest512));
SHA512_Bytes(&ss, digest, sizeof(digest));
while (1) {
SHA512_State ss2 = ss; /* structure copy */
SHA512_Final(&ss2, digest512);
smemclr(&ss2, sizeof(ss2));
/*
* Now convert the result into a bignum, and reduce it mod q.
*/
proto_k = bignum_from_bytes(digest512, 64);
k = bigmod(proto_k, dss->q);
freebn(proto_k);
kinv = modinv(k, dss->q); /* k^-1 mod q */
if (!kinv) { /* very unlikely */
freebn(k);
/* Perturb the hash to think of a different k. */
SHA512_Bytes(&ss, "x", 1);
/* Go round and try again. */
continue;
}
break;
}
smemclr(&ss, sizeof(ss));
smemclr(digest512, sizeof(digest512));
/*
* Now we have k, so just go ahead and compute the signature.
*/
gkp = modpow(dss->g, k, dss->p); /* g^k mod p */
r = bigmod(gkp, dss->q); /* r = (g^k mod p) mod q */
freebn(gkp);
hash = bignum_from_bytes(digest, 20);
hxr = bigmuladd(dss->x, r, hash); /* hash + x*r */
s = modmul(kinv, hxr, dss->q); /* s = k^-1 * (hash + x*r) mod q */
freebn(hxr);
freebn(kinv);
freebn(k);
freebn(hash);
/*
* Signature blob is
*
* string "ssh-dss"
* string two 20-byte numbers r and s, end to end
*
* i.e. 4+7 + 4+40 bytes.
*/
nbytes = 4 + 7 + 4 + 40;
bytes = snewn(nbytes, unsigned char);
PUT_32BIT(bytes, 7);
memcpy(bytes + 4, "ssh-dss", 7);
PUT_32BIT(bytes + 4 + 7, 40);
for (i = 0; i < 20; i++) {
bytes[4 + 7 + 4 + i] = bignum_byte(r, 19 - i);
bytes[4 + 7 + 4 + 20 + i] = bignum_byte(s, 19 - i);
}
freebn(r);
freebn(s);
*siglen = nbytes;
return bytes;
}
/*
* Save an RSA key file. Return nonzero on success.
*/
int saversakey(const Filename *filename, struct RSAKey *key, char *passphrase)
{
unsigned char buf[16384];
unsigned char keybuf[16];
struct MD5Context md5c;
unsigned char *p, *estart;
FILE *fp;
/*
* Write the initial signature.
*/
p = buf;
memcpy(p, rsa_signature, sizeof(rsa_signature));
p += sizeof(rsa_signature);
/*
* One byte giving encryption type, and one reserved (zero)
* uint32.
*/
*p++ = (passphrase ? SSH_CIPHER_3DES : 0);
PUT_32BIT(p, 0);
p += 4;
/*
* An ordinary SSH-1 public key consists of: a uint32
* containing the bit count, then two bignums containing the
* modulus and exponent respectively.
*/
PUT_32BIT(p, bignum_bitcount(key->modulus));
p += 4;
p += ssh1_write_bignum(p, key->modulus);
p += ssh1_write_bignum(p, key->exponent);
/*
* A string containing the comment field.
*/
if (key->comment) {
PUT_32BIT(p, strlen(key->comment));
p += 4;
memcpy(p, key->comment, strlen(key->comment));
p += strlen(key->comment);
} else {
PUT_32BIT(p, 0);
p += 4;
}
/*
* The encrypted portion starts here.
*/
estart = p;
/*
* Two bytes, then the same two bytes repeated.
*/
*p++ = random_byte();
*p++ = random_byte();
p[0] = p[-2];
p[1] = p[-1];
p += 2;
/*
* Four more bignums: the decryption exponent, then iqmp, then
* q, then p.
*/
p += ssh1_write_bignum(p, key->private_exponent);
p += ssh1_write_bignum(p, key->iqmp);
p += ssh1_write_bignum(p, key->q);
p += ssh1_write_bignum(p, key->p);
/*
* Now write zeros until the encrypted portion is a multiple of
* 8 bytes.
*/
while ((p - estart) % 8)
*p++ = '\0';
/*
* Now encrypt the encrypted portion.
*/
if (passphrase) {
MD5Init(&md5c);
MD5Update(&md5c, (unsigned char *)passphrase, strlen(passphrase));
MD5Final(keybuf, &md5c);
des3_encrypt_pubkey(keybuf, estart, p - estart);
smemclr(keybuf, sizeof(keybuf)); /* burn the evidence */
}
/*
* Done. Write the result to the file.
*/
fp = f_open(filename, "wb", TRUE);
if (fp) {
int ret = (fwrite(buf, 1, p - buf, fp) == (size_t) (p - buf));
if (fclose(fp))
ret = 0;
return ret;
} else
return 0;
}
int cmdline_process_param(const char *p, char *value,
int need_save, Conf *conf)
{
int ret = 0;
if (p[0] != '-') {
if (need_save < 0)
return 0;
/*
* Common handling for the tools whose initial command-line
* arguments specify a hostname to connect to, i.e. PuTTY and
* Plink. Doesn't count the file transfer tools, because their
* hostname specification appears as part of a more
* complicated scheme.
*/
if ((cmdline_tooltype & TOOLTYPE_HOST_ARG) &&
!seen_hostname_argument &&
(!(cmdline_tooltype & TOOLTYPE_HOST_ARG_FROM_LAUNCHABLE_LOAD) ||
!loaded_session || !conf_launchable(conf))) {
/*
* Treat this argument as a host name, if we have not yet
* seen a host name argument or -load.
*
* Exception, in some tools (Plink): if we have seen -load
* but it didn't create a launchable session, then we
* still accept a hostname argument following that -load.
* This allows you to make saved sessions that configure
* lots of other stuff (colour schemes, terminal settings
* etc) and then say 'putty -load sessionname hostname'.
*
* Also, we carefully _don't_ test conf for launchability
* if we haven't been explicitly told to load a session
* (otherwise saving a host name into Default Settings
* would cause 'putty' on its own to immediately launch
* the default session and never be able to do anything
* else).
*/
if (!strncmp(p, "telnet:", 7)) {
/*
* If the argument starts with "telnet:", set the
* protocol to Telnet and process the string as a
* Telnet URL.
*/
/*
* Skip the "telnet:" or "telnet://" prefix.
*/
p += 7;
if (p[0] == '/' && p[1] == '/')
p += 2;
conf_set_int(conf, CONF_protocol, PROT_TELNET);
/*
* The next thing we expect is a host name.
*/
{
const char *host = p;
char *buf;
p += host_strcspn(p, ":/");
buf = dupprintf("%.*s", (int)(p - host), host);
conf_set_str(conf, CONF_host, buf);
sfree(buf);
seen_hostname_argument = true;
}
/*
* If the host name is followed by a colon, then
* expect a port number after it.
*/
if (*p == ':') {
p++;
conf_set_int(conf, CONF_port, atoi(p));
/*
* Set the flag that will stop us from treating
* the next argument as a separate port; this one
* counts as explicitly provided.
*/
seen_port_argument = true;
} else {
conf_set_int(conf, CONF_port, -1);
}
} else {
char *user = NULL, *hostname = NULL;
const char *hostname_after_user;
int port_override = -1;
size_t len;
/*
* Otherwise, treat it as a bare host name.
*/
if (cmdline_tooltype & TOOLTYPE_HOST_ARG_PROTOCOL_PREFIX) {
/*
* Here Plink checks for a comma-separated
* protocol prefix, e.g. 'ssh,hostname' or
* 'ssh,user@hostname'.
*
* I'm not entirely sure why; this behaviour dates
* from 2000 and isn't explained. But I _think_ it
* has to do with CVS transport or similar use
* cases, in which the end user invokes the SSH
* client indirectly, via some means that only
* lets them pass a single string argument, and it
* was occasionally useful to shoehorn the choice
* of protocol into that argument.
*/
const char *comma = strchr(p, ',');
if (comma) {
char *prefix = dupprintf("%.*s", (int)(comma - p), p);
const struct BackendVtable *vt =
backend_vt_from_name(prefix);
if (vt) {
default_protocol = vt->protocol;
conf_set_int(conf, CONF_protocol,
default_protocol);
port_override = vt->default_port;
} else {
cmdline_error("unrecognised protocol prefix '%s'",
prefix);
}
sfree(prefix);
p = comma + 1;
}
}
hostname_after_user = p;
if (cmdline_tooltype & TOOLTYPE_HOST_ARG_CAN_BE_SESSION) {
/*
* If the hostname argument can also be a saved
* session (see below), then here we also check
* for a user@ prefix, which will override the
* username from the saved session.
*
* (If the hostname argument _isn't_ a saved
* session, we don't do this.)
*/
const char *at = strrchr(p, '@');
if (at) {
user = dupprintf("%.*s", (int)(at - p), p);
hostname_after_user = at + 1;
}
}
/*
* Write the whole hostname argument (minus only that
* optional protocol prefix) into the existing Conf,
* for tools that don't treat it as a saved session
* and as a fallback for those that do.
*/
hostname = dupstr(p + strspn(p, " \t"));
len = strlen(hostname);
while (len > 0 && (hostname[len-1] == ' ' ||
hostname[len-1] == '\t'))
hostname[--len] = '\0';
seen_hostname_argument = true;
conf_set_str(conf, CONF_host, hostname);
if ((cmdline_tooltype & TOOLTYPE_HOST_ARG_CAN_BE_SESSION) &&
!loaded_session) {
/*
* For some tools, we equivocate between a
* hostname argument and an argument naming a
* saved session. Here we attempt to load a
* session with the specified name, and if that
* session exists and is launchable, we overwrite
* the entire Conf with it.
*
* We skip this check if a -load option has
* already happened, so that
*
* plink -load non-launchable-session hostname
*
* will treat 'hostname' as a hostname _even_ if a
* saved session called 'hostname' exists. (This
* doesn't lose any functionality someone could
* have needed, because if 'hostname' did cause a
* session to be loaded, then it would overwrite
* everything from the previously loaded session.
* So if that was the behaviour someone wanted,
* then they could get it by leaving off the
* -load completely.)
*/
Conf *conf2 = conf_new();
if (do_defaults(hostname_after_user, conf2) &&
conf_launchable(conf2)) {
conf_copy_into(conf, conf2);
loaded_session = true;
/* And override the username if one was given. */
if (user)
conf_set_str(conf, CONF_username, user);
}
conf_free(conf2);
}
sfree(hostname);
sfree(user);
if (port_override >= 0)
conf_set_int(conf, CONF_port, port_override);
}
return 1;
} else if ((cmdline_tooltype & TOOLTYPE_PORT_ARG) &&
!seen_port_argument) {
/*
* If we've already got a host name from the command line
* (either as a hostname argument or a qualifying -load),
* but not a port number, then treat the next argument as
* a port number.
*
* We handle this by calling ourself recursively to
* pretend we received a -P argument, so that it will be
* deferred until it's a good moment to run it.
*/
char *dup = dupstr(p); /* 'value' is not a const char * */
int retd = cmdline_process_param("-P", dup, 1, conf);
sfree(dup);
assert(retd == 2);
seen_port_argument = true;
return 1;
} else {
/*
* Refuse to recognise this argument, and give it back to
* the tool's own command-line processing.
*/
return 0;
}
}
#ifdef PUTTYNG
if (!stricmp(p, "-hwndparent")) {
RETURN(2);
hwnd_parent = atoi(value);
return 2;
}
#endif
if (!strcmp(p, "-load")) {
RETURN(2);
/* This parameter must be processed immediately rather than being
* saved. */
do_defaults(value, conf);
loaded_session = true;
cmdline_session_name = dupstr(value);
return 2;
}
if (!strcmp(p, "-ssh")) {
RETURN(1);
UNAVAILABLE_IN(TOOLTYPE_FILETRANSFER | TOOLTYPE_NONNETWORK);
SAVEABLE(0);
default_protocol = PROT_SSH;
default_port = 22;
conf_set_int(conf, CONF_protocol, default_protocol);
conf_set_int(conf, CONF_port, default_port);
return 1;
}
if (!strcmp(p, "-telnet")) {
RETURN(1);
UNAVAILABLE_IN(TOOLTYPE_FILETRANSFER | TOOLTYPE_NONNETWORK);
SAVEABLE(0);
default_protocol = PROT_TELNET;
default_port = 23;
conf_set_int(conf, CONF_protocol, default_protocol);
conf_set_int(conf, CONF_port, default_port);
return 1;
}
if (!strcmp(p, "-rlogin")) {
RETURN(1);
UNAVAILABLE_IN(TOOLTYPE_FILETRANSFER | TOOLTYPE_NONNETWORK);
SAVEABLE(0);
default_protocol = PROT_RLOGIN;
default_port = 513;
conf_set_int(conf, CONF_protocol, default_protocol);
conf_set_int(conf, CONF_port, default_port);
return 1;
}
if (!strcmp(p, "-raw")) {
RETURN(1);
UNAVAILABLE_IN(TOOLTYPE_FILETRANSFER | TOOLTYPE_NONNETWORK);
SAVEABLE(0);
default_protocol = PROT_RAW;
conf_set_int(conf, CONF_protocol, default_protocol);
}
if (!strcmp(p, "-serial")) {
RETURN(1);
/* Serial is not NONNETWORK in an odd sense of the word */
UNAVAILABLE_IN(TOOLTYPE_FILETRANSFER | TOOLTYPE_NONNETWORK);
SAVEABLE(0);
default_protocol = PROT_SERIAL;
conf_set_int(conf, CONF_protocol, default_protocol);
/* The host parameter will already be loaded into CONF_host,
* so copy it across */
conf_set_str(conf, CONF_serline, conf_get_str(conf, CONF_host));
}
if (!strcmp(p, "-v")) {
RETURN(1);
flags |= FLAG_VERBOSE;
}
if (!strcmp(p, "-l")) {
RETURN(2);
UNAVAILABLE_IN(TOOLTYPE_NONNETWORK);
SAVEABLE(0);
conf_set_str(conf, CONF_username, value);
}
if (!strcmp(p, "-loghost")) {
RETURN(2);
UNAVAILABLE_IN(TOOLTYPE_NONNETWORK);
SAVEABLE(0);
conf_set_str(conf, CONF_loghost, value);
}
if (!strcmp(p, "-hostkey")) {
char *dup;
RETURN(2);
UNAVAILABLE_IN(TOOLTYPE_NONNETWORK);
SAVEABLE(0);
dup = dupstr(value);
if (!validate_manual_hostkey(dup)) {
cmdline_error("'%s' is not a valid format for a manual host "
"key specification", value);
sfree(dup);
return ret;
}
conf_set_str_str(conf, CONF_ssh_manual_hostkeys, dup, "");
sfree(dup);
}
if ((!strcmp(p, "-L") || !strcmp(p, "-R") || !strcmp(p, "-D"))) {
char type, *q, *qq, *key, *val;
RETURN(2);
UNAVAILABLE_IN(TOOLTYPE_FILETRANSFER | TOOLTYPE_NONNETWORK);
SAVEABLE(0);
if (strcmp(p, "-D")) {
/*
* For -L or -R forwarding types:
*
* We expect _at least_ two colons in this string. The
* possible formats are `sourceport:desthost:destport',
* or `sourceip:sourceport:desthost:destport' if you're
* specifying a particular loopback address. We need to
* replace the one between source and dest with a \t;
* this means we must find the second-to-last colon in
* the string.
*
* (This looks like a foolish way of doing it given the
* existence of strrchr, but it's more efficient than
* two strrchrs - not to mention that the second strrchr
* would require us to modify the input string!)
*/
type = p[1]; /* 'L' or 'R' */
q = qq = host_strchr(value, ':');
while (qq) {
char *qqq = host_strchr(qq+1, ':');
if (qqq)
q = qq;
qq = qqq;
}
if (!q) {
cmdline_error("-%c expects at least two colons in its"
" argument", type);
return ret;
}
key = dupprintf("%c%.*s", type, (int)(q - value), value);
val = dupstr(q+1);
} else {
/*
* Dynamic port forwardings are entered under the same key
* as if they were local (because they occupy the same
* port space - a local and a dynamic forwarding on the
* same local port are mutually exclusive), with the
* special value "D" (which can be distinguished from
* anything in the ordinary -L case by containing no
* colon).
*/
key = dupprintf("L%s", value);
val = dupstr("D");
}
conf_set_str_str(conf, CONF_portfwd, key, val);
sfree(key);
sfree(val);
}
if ((!strcmp(p, "-nc"))) {
char *host, *portp;
RETURN(2);
UNAVAILABLE_IN(TOOLTYPE_FILETRANSFER | TOOLTYPE_NONNETWORK);
SAVEABLE(0);
portp = host_strchr(value, ':');
if (!portp) {
cmdline_error("-nc expects argument of form 'host:port'");
return ret;
}
host = dupprintf("%.*s", (int)(portp - value), value);
conf_set_str(conf, CONF_ssh_nc_host, host);
conf_set_int(conf, CONF_ssh_nc_port, atoi(portp + 1));
sfree(host);
}
if (!strcmp(p, "-m")) {
const char *filename;
FILE *fp;
RETURN(2);
UNAVAILABLE_IN(TOOLTYPE_FILETRANSFER | TOOLTYPE_NONNETWORK);
SAVEABLE(0);
filename = value;
fp = fopen(filename, "r");
if (!fp) {
cmdline_error("unable to open command file \"%s\"", filename);
return ret;
}
strbuf *command = strbuf_new();
char readbuf[4096];
while (1) {
size_t nread = fread(readbuf, 1, sizeof(readbuf), fp);
if (nread == 0)
break;
put_data(command, readbuf, nread);
}
fclose(fp);
conf_set_str(conf, CONF_remote_cmd, command->s);
conf_set_str(conf, CONF_remote_cmd2, "");
conf_set_bool(conf, CONF_nopty, true); /* command => no terminal */
strbuf_free(command);
}
if (!strcmp(p, "-P")) {
RETURN(2);
UNAVAILABLE_IN(TOOLTYPE_NONNETWORK);
SAVEABLE(1); /* lower priority than -ssh,-telnet */
conf_set_int(conf, CONF_port, atoi(value));
}
if (!strcmp(p, "-pw")) {
RETURN(2);
UNAVAILABLE_IN(TOOLTYPE_NONNETWORK);
SAVEABLE(1);
/* We delay evaluating this until after the protocol is decided,
* so that we can warn if it's of no use with the selected protocol */
if (conf_get_int(conf, CONF_protocol) != PROT_SSH)
cmdline_error("the -pw option can only be used with the "
"SSH protocol");
else {
cmdline_password = dupstr(value);
/* Assuming that `value' is directly from argv, make a good faith
* attempt to trample it, to stop it showing up in `ps' output
* on Unix-like systems. Not guaranteed, of course. */
smemclr(value, strlen(value));
}
}
if (!strcmp(p, "-agent") || !strcmp(p, "-pagent") ||
!strcmp(p, "-pageant")) {
RETURN(1);
UNAVAILABLE_IN(TOOLTYPE_NONNETWORK);
SAVEABLE(0);
conf_set_bool(conf, CONF_tryagent, true);
}
if (!strcmp(p, "-noagent") || !strcmp(p, "-nopagent") ||
!strcmp(p, "-nopageant")) {
RETURN(1);
UNAVAILABLE_IN(TOOLTYPE_NONNETWORK);
SAVEABLE(0);
conf_set_bool(conf, CONF_tryagent, false);
}
if (!strcmp(p, "-share")) {
RETURN(1);
UNAVAILABLE_IN(TOOLTYPE_NONNETWORK);
SAVEABLE(0);
conf_set_bool(conf, CONF_ssh_connection_sharing, true);
}
if (!strcmp(p, "-noshare")) {
RETURN(1);
UNAVAILABLE_IN(TOOLTYPE_NONNETWORK);
SAVEABLE(0);
conf_set_bool(conf, CONF_ssh_connection_sharing, false);
}
if (!strcmp(p, "-A")) {
RETURN(1);
UNAVAILABLE_IN(TOOLTYPE_FILETRANSFER | TOOLTYPE_NONNETWORK);
SAVEABLE(0);
conf_set_bool(conf, CONF_agentfwd, true);
}
if (!strcmp(p, "-a")) {
RETURN(1);
UNAVAILABLE_IN(TOOLTYPE_FILETRANSFER | TOOLTYPE_NONNETWORK);
SAVEABLE(0);
conf_set_bool(conf, CONF_agentfwd, false);
}
if (!strcmp(p, "-X")) {
RETURN(1);
UNAVAILABLE_IN(TOOLTYPE_FILETRANSFER | TOOLTYPE_NONNETWORK);
SAVEABLE(0);
conf_set_bool(conf, CONF_x11_forward, true);
}
if (!strcmp(p, "-x")) {
RETURN(1);
UNAVAILABLE_IN(TOOLTYPE_FILETRANSFER | TOOLTYPE_NONNETWORK);
SAVEABLE(0);
conf_set_bool(conf, CONF_x11_forward, false);
}
if (!strcmp(p, "-t")) {
RETURN(1);
UNAVAILABLE_IN(TOOLTYPE_FILETRANSFER | TOOLTYPE_NONNETWORK);
SAVEABLE(1); /* lower priority than -m */
conf_set_bool(conf, CONF_nopty, false);
}
if (!strcmp(p, "-T")) {
RETURN(1);
UNAVAILABLE_IN(TOOLTYPE_FILETRANSFER | TOOLTYPE_NONNETWORK);
SAVEABLE(1);
conf_set_bool(conf, CONF_nopty, true);
}
if (!strcmp(p, "-N")) {
RETURN(1);
UNAVAILABLE_IN(TOOLTYPE_FILETRANSFER | TOOLTYPE_NONNETWORK);
SAVEABLE(0);
conf_set_bool(conf, CONF_ssh_no_shell, true);
}
if (!strcmp(p, "-C")) {
RETURN(1);
UNAVAILABLE_IN(TOOLTYPE_NONNETWORK);
SAVEABLE(0);
conf_set_bool(conf, CONF_compression, true);
}
if (!strcmp(p, "-1")) {
RETURN(1);
UNAVAILABLE_IN(TOOLTYPE_NONNETWORK);
SAVEABLE(0);
conf_set_int(conf, CONF_sshprot, 0); /* ssh protocol 1 only */
}
if (!strcmp(p, "-2")) {
RETURN(1);
UNAVAILABLE_IN(TOOLTYPE_NONNETWORK);
SAVEABLE(0);
conf_set_int(conf, CONF_sshprot, 3); /* ssh protocol 2 only */
}
if (!strcmp(p, "-i")) {
Filename *fn;
RETURN(2);
UNAVAILABLE_IN(TOOLTYPE_NONNETWORK);
SAVEABLE(0);
fn = filename_from_str(value);
conf_set_filename(conf, CONF_keyfile, fn);
filename_free(fn);
}
if (!strcmp(p, "-4") || !strcmp(p, "-ipv4")) {
RETURN(1);
SAVEABLE(1);
conf_set_int(conf, CONF_addressfamily, ADDRTYPE_IPV4);
}
if (!strcmp(p, "-6") || !strcmp(p, "-ipv6")) {
RETURN(1);
SAVEABLE(1);
conf_set_int(conf, CONF_addressfamily, ADDRTYPE_IPV6);
}
if (!strcmp(p, "-sercfg")) {
char* nextitem;
RETURN(2);
UNAVAILABLE_IN(TOOLTYPE_FILETRANSFER | TOOLTYPE_NONNETWORK);
SAVEABLE(1);
if (conf_get_int(conf, CONF_protocol) != PROT_SERIAL)
cmdline_error("the -sercfg option can only be used with the "
"serial protocol");
/* Value[0] contains one or more , separated values, like 19200,8,n,1,X */
nextitem = value;
while (nextitem[0] != '\0') {
int length, skip;
char *end = strchr(nextitem, ',');
if (!end) {
length = strlen(nextitem);
skip = 0;
} else {
length = end - nextitem;
nextitem[length] = '\0';
skip = 1;
}
if (length == 1) {
switch (*nextitem) {
case '1':
case '2':
conf_set_int(conf, CONF_serstopbits, 2 * (*nextitem-'0'));
break;
case '5':
case '6':
case '7':
case '8':
case '9':
conf_set_int(conf, CONF_serdatabits, *nextitem-'0');
break;
case 'n':
conf_set_int(conf, CONF_serparity, SER_PAR_NONE);
break;
case 'o':
conf_set_int(conf, CONF_serparity, SER_PAR_ODD);
break;
case 'e':
conf_set_int(conf, CONF_serparity, SER_PAR_EVEN);
break;
case 'm':
conf_set_int(conf, CONF_serparity, SER_PAR_MARK);
break;
case 's':
conf_set_int(conf, CONF_serparity, SER_PAR_SPACE);
break;
case 'N':
conf_set_int(conf, CONF_serflow, SER_FLOW_NONE);
break;
case 'X':
conf_set_int(conf, CONF_serflow, SER_FLOW_XONXOFF);
break;
case 'R':
conf_set_int(conf, CONF_serflow, SER_FLOW_RTSCTS);
break;
case 'D':
conf_set_int(conf, CONF_serflow, SER_FLOW_DSRDTR);
break;
default:
cmdline_error("Unrecognised suboption \"-sercfg %c\"",
*nextitem);
}
} else if (length == 3 && !strncmp(nextitem,"1.5",3)) {
/* Messy special case */
conf_set_int(conf, CONF_serstopbits, 3);
} else {
int serspeed = atoi(nextitem);
if (serspeed != 0) {
conf_set_int(conf, CONF_serspeed, serspeed);
} else {
cmdline_error("Unrecognised suboption \"-sercfg %s\"",
nextitem);
}
}
nextitem += length + skip;
}
}
if (!strcmp(p, "-sessionlog")) {
Filename *fn;
RETURN(2);
UNAVAILABLE_IN(TOOLTYPE_FILETRANSFER);
/* but available even in TOOLTYPE_NONNETWORK, cf pterm "-log" */
SAVEABLE(0);
fn = filename_from_str(value);
conf_set_filename(conf, CONF_logfilename, fn);
conf_set_int(conf, CONF_logtype, LGTYP_DEBUG);
filename_free(fn);
}
if (!strcmp(p, "-sshlog") ||
!strcmp(p, "-sshrawlog")) {
Filename *fn;
RETURN(2);
UNAVAILABLE_IN(TOOLTYPE_NONNETWORK);
SAVEABLE(0);
fn = filename_from_str(value);
conf_set_filename(conf, CONF_logfilename, fn);
conf_set_int(conf, CONF_logtype,
!strcmp(p, "-sshlog") ? LGTYP_PACKETS :
/* !strcmp(p, "-sshrawlog") ? */ LGTYP_SSHRAW);
filename_free(fn);
}
if (!strcmp(p, "-proxycmd")) {
RETURN(2);
UNAVAILABLE_IN(TOOLTYPE_NONNETWORK);
SAVEABLE(0);
conf_set_int(conf, CONF_proxy_type, PROXY_CMD);
conf_set_str(conf, CONF_proxy_telnet_command, value);
}
#ifdef _WINDOWS
/*
* Cross-tool options only available on Windows.
*/
if (!strcmp(p, "-restrict-acl") || !strcmp(p, "-restrict_acl") ||
!strcmp(p, "-restrictacl")) {
RETURN(1);
restrict_process_acl();
restricted_acl = true;
}
#endif
return ret; /* unrecognised */
}
