2000-10-19 15:43:08 +00:00
|
|
|
/*
|
2004-04-27 12:31:57 +00:00
|
|
|
* PuTTY key generation front end (Windows).
|
2000-10-19 15:43:08 +00:00
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
#include <time.h>
|
|
|
|
|
#include <stdio.h>
|
2000-10-24 10:47:49 +00:00
|
|
|
#include <stdlib.h>
|
2011-10-02 14:14:21 +00:00
|
|
|
#include <assert.h>
|
2000-10-19 15:43:08 +00:00
|
|
|
|
|
|
|
|
#include "putty.h"
|
|
|
|
|
#include "ssh.h"
|
2015-12-22 12:43:31 +00:00
|
|
|
#include "licence.h"
|
2016-04-02 07:00:07 +00:00
|
|
|
#include "winsecur.h"
|
2003-10-12 13:46:12 +00:00
|
|
|
|
|
|
|
|
#include <commctrl.h>
|
2000-10-19 15:43:08 +00:00
|
|
|
|
2003-02-07 13:54:34 +00:00
|
|
|
#ifdef MSVC4
|
|
|
|
|
#define ICON_BIG 1
|
|
|
|
|
#endif
|
|
|
|
|
|
2005-08-10 18:31:24 +00:00
|
|
|
#define WM_DONEKEY (WM_APP + 1)
|
2000-10-19 15:43:08 +00:00
|
|
|
|
Polish up the PuTTYgen user interface for ECC key types.
Jacob pointed out that a free-text field for entering a key size in
bits is all very well for key types where we actually _can_ generate a
key to a size of your choice, but less useful for key types where
there are only three (or one) legal values for the field, especially
if we don't _say_ what they are.
So I've revamped the UI a bit: now, in ECDSA mode, you get a dropdown
list selector showing the available elliptic curves (and they're even
named, rather than just given by bit count), and in ED25519 mode even
that disappears. The curve selector for ECDSA and the bits selector
for RSA/DSA are independent controls, so each one remembers its last
known value even while temporarily hidden in favour of the other.
The actual generation function still expects a bit count rather than
an actual curve or algorithm ID, so the easiest way to actually
arrange to populate the drop-down list was to have an array of bit
counts exposed by sshecc.c. That's a bit ugly, but there we go.
One small functional change: if you enter an absurdly low value into
the RSA/DSA bit count box (under 256), PuTTYgen used to give a warning
and reset it to 256. Now it resets it to the default key length of
2048, basically because I was touching that code anyway to change a
variable name and just couldn't bring myself to leave it in a state
where it intentionally chose such an utterly useless key size. Of
course this doesn't prevent generation of 256-bit keys if someone
still really wants one - it just means they don't get one selected as
the result of a typo.
2016-03-25 07:53:06 +00:00
|
|
|
#define DEFAULT_KEY_BITS 2048
|
|
|
|
|
#define DEFAULT_CURVE_INDEX 0
|
2000-10-19 15:43:08 +00:00
|
|
|
|
2002-08-06 17:48:14 +00:00
|
|
|
static char *cmdline_keyfile = NULL;
|
|
|
|
|
|
2002-10-09 18:09:42 +00:00
|
|
|
/*
|
|
|
|
|
* Print a modal (Really Bad) message box and perform a fatal exit.
|
|
|
|
|
*/
|
2015-05-15 10:15:42 +00:00
|
|
|
void modalfatalbox(const char *fmt, ...)
|
2002-10-09 18:09:42 +00:00
|
|
|
{
|
|
|
|
|
va_list ap;
|
2002-11-07 19:49:03 +00:00
|
|
|
char *stuff;
|
2002-10-09 18:09:42 +00:00
|
|
|
|
|
|
|
|
va_start(ap, fmt);
|
2002-11-07 19:49:03 +00:00
|
|
|
stuff = dupvprintf(fmt, ap);
|
2002-10-09 18:09:42 +00:00
|
|
|
va_end(ap);
|
|
|
|
|
MessageBox(NULL, stuff, "PuTTYgen Fatal Error",
|
2019-09-08 19:29:00 +00:00
|
|
|
MB_SYSTEMMODAL | MB_ICONERROR | MB_OK);
|
2002-11-07 19:49:03 +00:00
|
|
|
sfree(stuff);
|
2002-10-09 18:09:42 +00:00
|
|
|
exit(1);
|
|
|
|
|
}
|
|
|
|
|
|
2013-07-22 07:11:44 +00:00
|
|
|
/*
|
|
|
|
|
* Print a non-fatal message box and do not exit.
|
|
|
|
|
*/
|
2015-05-15 10:15:42 +00:00
|
|
|
void nonfatal(const char *fmt, ...)
|
2013-07-22 07:11:44 +00:00
|
|
|
{
|
|
|
|
|
va_list ap;
|
|
|
|
|
char *stuff;
|
|
|
|
|
|
|
|
|
|
va_start(ap, fmt);
|
|
|
|
|
stuff = dupvprintf(fmt, ap);
|
|
|
|
|
va_end(ap);
|
|
|
|
|
MessageBox(NULL, stuff, "PuTTYgen Error",
|
2019-09-08 19:29:00 +00:00
|
|
|
MB_SYSTEMMODAL | MB_ICONERROR | MB_OK);
|
2013-07-22 07:11:44 +00:00
|
|
|
sfree(stuff);
|
|
|
|
|
}
|
|
|
|
|
|
2000-10-19 15:43:08 +00:00
|
|
|
/* ----------------------------------------------------------------------
|
2020-02-29 16:32:16 +00:00
|
|
|
* Progress report code. This is really horrible :-)
|
2000-10-19 15:43:08 +00:00
|
|
|
*/
|
2001-09-22 20:52:21 +00:00
|
|
|
#define PROGRESSRANGE 65535
|
|
|
|
|
#define MAXPHASE 5
|
2000-10-19 15:43:08 +00:00
|
|
|
struct progress {
|
2001-09-22 20:52:21 +00:00
|
|
|
int nphases;
|
2020-02-29 16:32:16 +00:00
|
|
|
struct {
|
|
|
|
|
bool exponential;
|
|
|
|
|
unsigned startpoint, total;
|
|
|
|
|
unsigned param, current, n; /* if exponential */
|
|
|
|
|
unsigned mult; /* if linear */
|
|
|
|
|
} phases[MAXPHASE];
|
|
|
|
|
unsigned total, divisor, range;
|
2000-10-19 15:43:08 +00:00
|
|
|
HWND progbar;
|
|
|
|
|
};
|
|
|
|
|
|
2020-02-29 16:32:16 +00:00
|
|
|
static void progress_update(void *param, int action, int phase, int iprogress)
|
2001-05-06 14:35:20 +00:00
|
|
|
{
|
2020-02-29 16:32:16 +00:00
|
|
|
struct progress *p = (struct progress *) param;
|
|
|
|
|
unsigned progress = iprogress;
|
|
|
|
|
int position;
|
|
|
|
|
|
|
|
|
|
if (action < PROGFN_READY && p->nphases < phase)
|
|
|
|
|
p->nphases = phase;
|
|
|
|
|
switch (action) {
|
|
|
|
|
case PROGFN_INITIALISE:
|
|
|
|
|
p->nphases = 0;
|
|
|
|
|
break;
|
|
|
|
|
case PROGFN_LIN_PHASE:
|
|
|
|
|
p->phases[phase-1].exponential = false;
|
|
|
|
|
p->phases[phase-1].mult = p->phases[phase].total / progress;
|
|
|
|
|
break;
|
|
|
|
|
case PROGFN_EXP_PHASE:
|
|
|
|
|
p->phases[phase-1].exponential = true;
|
|
|
|
|
p->phases[phase-1].param = 0x10000 + progress;
|
|
|
|
|
p->phases[phase-1].current = p->phases[phase-1].total;
|
|
|
|
|
p->phases[phase-1].n = 0;
|
|
|
|
|
break;
|
|
|
|
|
case PROGFN_PHASE_EXTENT:
|
|
|
|
|
p->phases[phase-1].total = progress;
|
|
|
|
|
break;
|
|
|
|
|
case PROGFN_READY: {
|
|
|
|
|
unsigned total = 0;
|
|
|
|
|
int i;
|
|
|
|
|
for (i = 0; i < p->nphases; i++) {
|
|
|
|
|
p->phases[i].startpoint = total;
|
|
|
|
|
total += p->phases[i].total;
|
|
|
|
|
}
|
|
|
|
|
p->total = total;
|
|
|
|
|
p->divisor = ((p->total + PROGRESSRANGE - 1) / PROGRESSRANGE);
|
|
|
|
|
p->range = p->total / p->divisor;
|
|
|
|
|
SendMessage(p->progbar, PBM_SETRANGE, 0, MAKELPARAM(0, p->range));
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
case PROGFN_PROGRESS:
|
|
|
|
|
if (p->phases[phase-1].exponential) {
|
|
|
|
|
while (p->phases[phase-1].n < progress) {
|
|
|
|
|
p->phases[phase-1].n++;
|
|
|
|
|
p->phases[phase-1].current *= p->phases[phase-1].param;
|
|
|
|
|
p->phases[phase-1].current /= 0x10000;
|
|
|
|
|
}
|
|
|
|
|
position = (p->phases[phase-1].startpoint +
|
|
|
|
|
p->phases[phase-1].total - p->phases[phase-1].current);
|
|
|
|
|
} else {
|
|
|
|
|
position = (p->phases[phase-1].startpoint +
|
|
|
|
|
progress * p->phases[phase-1].mult);
|
|
|
|
|
}
|
|
|
|
|
SendMessage(p->progbar, PBM_SETPOS, position / p->divisor, 0);
|
|
|
|
|
break;
|
2000-10-19 15:43:08 +00:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
struct PassphraseProcStruct {
|
2011-10-02 14:14:21 +00:00
|
|
|
char **passphrase;
|
2000-10-19 15:43:08 +00:00
|
|
|
char *comment;
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Dialog-box function for the passphrase box.
|
|
|
|
|
*/
|
2015-08-11 12:22:09 +00:00
|
|
|
static INT_PTR CALLBACK PassphraseProc(HWND hwnd, UINT msg,
|
2019-09-08 19:29:00 +00:00
|
|
|
WPARAM wParam, LPARAM lParam)
|
2001-05-06 14:35:20 +00:00
|
|
|
{
|
2011-10-02 14:14:21 +00:00
|
|
|
static char **passphrase = NULL;
|
2000-10-19 15:43:08 +00:00
|
|
|
struct PassphraseProcStruct *p;
|
|
|
|
|
|
|
|
|
|
switch (msg) {
|
|
|
|
|
case WM_INITDIALOG:
|
2019-09-08 19:29:00 +00:00
|
|
|
SetForegroundWindow(hwnd);
|
|
|
|
|
SetWindowPos(hwnd, HWND_TOP, 0, 0, 0, 0,
|
|
|
|
|
SWP_NOMOVE | SWP_NOSIZE | SWP_SHOWWINDOW);
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Centre the window.
|
|
|
|
|
*/
|
|
|
|
|
{ /* centre the window */
|
|
|
|
|
RECT rs, rd;
|
|
|
|
|
HWND hw;
|
|
|
|
|
|
|
|
|
|
hw = GetDesktopWindow();
|
|
|
|
|
if (GetWindowRect(hw, &rs) && GetWindowRect(hwnd, &rd))
|
|
|
|
|
MoveWindow(hwnd,
|
|
|
|
|
(rs.right + rs.left + rd.left - rd.right) / 2,
|
|
|
|
|
(rs.bottom + rs.top + rd.top - rd.bottom) / 2,
|
|
|
|
|
rd.right - rd.left, rd.bottom - rd.top, true);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
p = (struct PassphraseProcStruct *) lParam;
|
|
|
|
|
passphrase = p->passphrase;
|
|
|
|
|
if (p->comment)
|
|
|
|
|
SetDlgItemText(hwnd, 101, p->comment);
|
2011-10-02 14:14:21 +00:00
|
|
|
burnstr(*passphrase);
|
|
|
|
|
*passphrase = dupstr("");
|
2019-09-08 19:29:00 +00:00
|
|
|
SetDlgItemText(hwnd, 102, *passphrase);
|
|
|
|
|
return 0;
|
2000-10-19 15:43:08 +00:00
|
|
|
case WM_COMMAND:
|
2019-09-08 19:29:00 +00:00
|
|
|
switch (LOWORD(wParam)) {
|
|
|
|
|
case IDOK:
|
|
|
|
|
if (*passphrase)
|
|
|
|
|
EndDialog(hwnd, 1);
|
|
|
|
|
else
|
|
|
|
|
MessageBeep(0);
|
|
|
|
|
return 0;
|
|
|
|
|
case IDCANCEL:
|
|
|
|
|
EndDialog(hwnd, 0);
|
|
|
|
|
return 0;
|
|
|
|
|
case 102: /* edit box */
|
|
|
|
|
if ((HIWORD(wParam) == EN_CHANGE) && passphrase) {
|
2011-10-02 14:14:21 +00:00
|
|
|
burnstr(*passphrase);
|
|
|
|
|
*passphrase = GetDlgItemText_alloc(hwnd, 102);
|
2019-09-08 19:29:00 +00:00
|
|
|
}
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
return 0;
|
2000-10-19 15:43:08 +00:00
|
|
|
case WM_CLOSE:
|
2019-09-08 19:29:00 +00:00
|
|
|
EndDialog(hwnd, 0);
|
|
|
|
|
return 0;
|
2000-10-19 15:43:08 +00:00
|
|
|
}
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Prompt for a key file. Assumes the filename buffer is of size
|
|
|
|
|
* FILENAME_MAX.
|
|
|
|
|
*/
|
Convert a lot of 'int' variables to 'bool'.
My normal habit these days, in new code, is to treat int and bool as
_almost_ completely separate types. I'm still willing to use C's
implicit test for zero on an integer (e.g. 'if (!blob.len)' is fine,
no need to spell it out as blob.len != 0), but generally, if a
variable is going to be conceptually a boolean, I like to declare it
bool and assign to it using 'true' or 'false' rather than 0 or 1.
PuTTY is an exception, because it predates the C99 bool, and I've
stuck to its existing coding style even when adding new code to it.
But it's been annoying me more and more, so now that I've decided C99
bool is an acceptable thing to require from our toolchain in the first
place, here's a quite thorough trawl through the source doing
'boolification'. Many variables and function parameters are now typed
as bool rather than int; many assignments of 0 or 1 to those variables
are now spelled 'true' or 'false'.
I managed this thorough conversion with the help of a custom clang
plugin that I wrote to trawl the AST and apply heuristics to point out
where things might want changing. So I've even managed to do a decent
job on parts of the code I haven't looked at in years!
To make the plugin's work easier, I pushed platform front ends
generally in the direction of using standard 'bool' in preference to
platform-specific boolean types like Windows BOOL or GTK's gboolean;
I've left the platform booleans in places they _have_ to be for the
platform APIs to work right, but variables only used by my own code
have been converted wherever I found them.
In a few places there are int values that look very like booleans in
_most_ of the places they're used, but have a rarely-used third value,
or a distinction between different nonzero values that most users
don't care about. In these cases, I've _removed_ uses of 'true' and
'false' for the return values, to emphasise that there's something
more subtle going on than a simple boolean answer:
- the 'multisel' field in dialog.h's list box structure, for which
the GTK front end in particular recognises a difference between 1
and 2 but nearly everything else treats as boolean
- the 'urgent' parameter to plug_receive, where 1 vs 2 tells you
something about the specific location of the urgent pointer, but
most clients only care about 0 vs 'something nonzero'
- the return value of wc_match, where -1 indicates a syntax error in
the wildcard.
- the return values from SSH-1 RSA-key loading functions, which use
-1 for 'wrong passphrase' and 0 for all other failures (so any
caller which already knows it's not loading an _encrypted private_
key can treat them as boolean)
- term->esc_query, and the 'query' parameter in toggle_mode in
terminal.c, which _usually_ hold 0 for ESC[123h or 1 for ESC[?123h,
but can also hold -1 for some other intervening character that we
don't support.
In a few places there's an integer that I haven't turned into a bool
even though it really _can_ only take values 0 or 1 (and, as above,
tried to make the call sites consistent in not calling those values
true and false), on the grounds that I thought it would make it more
confusing to imply that the 0 value was in some sense 'negative' or
bad and the 1 positive or good:
- the return value of plug_accepting uses the POSIXish convention of
0=success and nonzero=error; I think if I made it bool then I'd
also want to reverse its sense, and that's a job for a separate
piece of work.
- the 'screen' parameter to lineptr() in terminal.c, where 0 and 1
represent the default and alternate screens. There's no obvious
reason why one of those should be considered 'true' or 'positive'
or 'success' - they're just indices - so I've left it as int.
ssh_scp_recv had particularly confusing semantics for its previous int
return value: its call sites used '<= 0' to check for error, but it
never actually returned a negative number, just 0 or 1. Now the
function and its call sites agree that it's a bool.
In a couple of places I've renamed variables called 'ret', because I
don't like that name any more - it's unclear whether it means the
return value (in preparation) for the _containing_ function or the
return value received from a subroutine call, and occasionally I've
accidentally used the same variable for both and introduced a bug. So
where one of those got in my way, I've renamed it to 'toret' or 'retd'
(the latter short for 'returned') in line with my usual modern
practice, but I haven't done a thorough job of finding all of them.
Finally, one amusing side effect of doing this is that I've had to
separate quite a few chained assignments. It used to be perfectly fine
to write 'a = b = c = TRUE' when a,b,c were int and TRUE was just a
the 'true' defined by stdbool.h, that idiom provokes a warning from
gcc: 'suggest parentheses around assignment used as truth value'!
2018-11-02 19:23:19 +00:00
|
|
|
static bool prompt_keyfile(HWND hwnd, char *dlgtitle,
|
|
|
|
|
char *filename, bool save, bool ppk)
|
2001-05-06 14:35:20 +00:00
|
|
|
{
|
2000-10-19 15:43:08 +00:00
|
|
|
OPENFILENAME of;
|
|
|
|
|
memset(&of, 0, sizeof(of));
|
|
|
|
|
of.hwndOwner = hwnd;
|
2002-08-06 17:35:34 +00:00
|
|
|
if (ppk) {
|
2019-09-08 19:29:00 +00:00
|
|
|
of.lpstrFilter = "PuTTY Private Key Files (*.ppk)\0*.ppk\0"
|
|
|
|
|
"All Files (*.*)\0*\0\0\0";
|
|
|
|
|
of.lpstrDefExt = ".ppk";
|
2002-08-06 17:35:34 +00:00
|
|
|
} else {
|
2019-09-08 19:29:00 +00:00
|
|
|
of.lpstrFilter = "All Files (*.*)\0*\0\0\0";
|
2002-08-06 17:35:34 +00:00
|
|
|
}
|
2000-10-19 15:43:08 +00:00
|
|
|
of.lpstrCustomFilter = NULL;
|
|
|
|
|
of.nFilterIndex = 1;
|
2001-05-06 14:35:20 +00:00
|
|
|
of.lpstrFile = filename;
|
|
|
|
|
*filename = '\0';
|
2000-10-19 15:43:08 +00:00
|
|
|
of.nMaxFile = FILENAME_MAX;
|
|
|
|
|
of.lpstrFileTitle = NULL;
|
|
|
|
|
of.lpstrTitle = dlgtitle;
|
|
|
|
|
of.Flags = 0;
|
2018-10-29 19:50:29 +00:00
|
|
|
return request_file(NULL, &of, false, save);
|
2000-10-19 15:43:08 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Dialog-box function for the Licence box.
|
|
|
|
|
*/
|
2015-08-11 12:22:09 +00:00
|
|
|
static INT_PTR CALLBACK LicenceProc(HWND hwnd, UINT msg,
|
2019-09-08 19:29:00 +00:00
|
|
|
WPARAM wParam, LPARAM lParam)
|
2001-05-06 14:35:20 +00:00
|
|
|
{
|
2000-10-19 15:43:08 +00:00
|
|
|
switch (msg) {
|
Formatting change to braces around one case of a switch.
Sometimes, within a switch statement, you want to declare local
variables specific to the handler for one particular case. Until now
I've mostly been writing this in the form
switch (discriminant) {
case SIMPLE:
do stuff;
break;
case COMPLICATED:
{
declare variables;
do stuff;
}
break;
}
which is ugly because the two pieces of essentially similar code
appear at different indent levels, and also inconvenient because you
have less horizontal space available to write the complicated case
handler in - particuarly undesirable because _complicated_ case
handlers are the ones most likely to need all the space they can get!
After encountering a rather nicer idiom in the LLVM source code, and
after a bit of hackery this morning figuring out how to persuade
Emacs's auto-indent to do what I wanted with it, I've decided to move
to an idiom in which the open brace comes right after the case
statement, and the code within it is indented the same as it would
have been without the brace. Then the whole case handler (including
the break) lives inside those braces, and you get something that looks
more like this:
switch (discriminant) {
case SIMPLE:
do stuff;
break;
case COMPLICATED: {
declare variables;
do stuff;
break;
}
}
This commit is a big-bang change that reformats all the complicated
case handlers I could find into the new layout. This is particularly
nice in the Pageant main function, in which almost _every_ case
handler had a bundle of variables and was long and complicated. (In
fact that's what motivated me to get round to this.) Some of the
innermost parts of the terminal escape-sequence handling are also
breathing a bit easier now the horizontal pressure on them is
relieved.
(Also, in a few cases, I was able to remove the extra braces
completely, because the only variable local to the case handler was a
loop variable which our new C99 policy allows me to move into the
initialiser clause of its for statement.)
Viewed with whitespace ignored, this is not too disruptive a change.
Downstream patches that conflict with it may need to be reapplied
using --ignore-whitespace or similar.
2020-02-16 07:49:52 +00:00
|
|
|
case WM_INITDIALOG: {
|
2019-09-08 19:29:00 +00:00
|
|
|
/*
|
|
|
|
|
* Centre the window.
|
|
|
|
|
*/
|
Formatting change to braces around one case of a switch.
Sometimes, within a switch statement, you want to declare local
variables specific to the handler for one particular case. Until now
I've mostly been writing this in the form
switch (discriminant) {
case SIMPLE:
do stuff;
break;
case COMPLICATED:
{
declare variables;
do stuff;
}
break;
}
which is ugly because the two pieces of essentially similar code
appear at different indent levels, and also inconvenient because you
have less horizontal space available to write the complicated case
handler in - particuarly undesirable because _complicated_ case
handlers are the ones most likely to need all the space they can get!
After encountering a rather nicer idiom in the LLVM source code, and
after a bit of hackery this morning figuring out how to persuade
Emacs's auto-indent to do what I wanted with it, I've decided to move
to an idiom in which the open brace comes right after the case
statement, and the code within it is indented the same as it would
have been without the brace. Then the whole case handler (including
the break) lives inside those braces, and you get something that looks
more like this:
switch (discriminant) {
case SIMPLE:
do stuff;
break;
case COMPLICATED: {
declare variables;
do stuff;
break;
}
}
This commit is a big-bang change that reformats all the complicated
case handlers I could find into the new layout. This is particularly
nice in the Pageant main function, in which almost _every_ case
handler had a bundle of variables and was long and complicated. (In
fact that's what motivated me to get round to this.) Some of the
innermost parts of the terminal escape-sequence handling are also
breathing a bit easier now the horizontal pressure on them is
relieved.
(Also, in a few cases, I was able to remove the extra braces
completely, because the only variable local to the case handler was a
loop variable which our new C99 policy allows me to move into the
initialiser clause of its for statement.)
Viewed with whitespace ignored, this is not too disruptive a change.
Downstream patches that conflict with it may need to be reapplied
using --ignore-whitespace or similar.
2020-02-16 07:49:52 +00:00
|
|
|
RECT rs, rd;
|
|
|
|
|
HWND hw;
|
2019-09-08 19:29:00 +00:00
|
|
|
|
Formatting change to braces around one case of a switch.
Sometimes, within a switch statement, you want to declare local
variables specific to the handler for one particular case. Until now
I've mostly been writing this in the form
switch (discriminant) {
case SIMPLE:
do stuff;
break;
case COMPLICATED:
{
declare variables;
do stuff;
}
break;
}
which is ugly because the two pieces of essentially similar code
appear at different indent levels, and also inconvenient because you
have less horizontal space available to write the complicated case
handler in - particuarly undesirable because _complicated_ case
handlers are the ones most likely to need all the space they can get!
After encountering a rather nicer idiom in the LLVM source code, and
after a bit of hackery this morning figuring out how to persuade
Emacs's auto-indent to do what I wanted with it, I've decided to move
to an idiom in which the open brace comes right after the case
statement, and the code within it is indented the same as it would
have been without the brace. Then the whole case handler (including
the break) lives inside those braces, and you get something that looks
more like this:
switch (discriminant) {
case SIMPLE:
do stuff;
break;
case COMPLICATED: {
declare variables;
do stuff;
break;
}
}
This commit is a big-bang change that reformats all the complicated
case handlers I could find into the new layout. This is particularly
nice in the Pageant main function, in which almost _every_ case
handler had a bundle of variables and was long and complicated. (In
fact that's what motivated me to get round to this.) Some of the
innermost parts of the terminal escape-sequence handling are also
breathing a bit easier now the horizontal pressure on them is
relieved.
(Also, in a few cases, I was able to remove the extra braces
completely, because the only variable local to the case handler was a
loop variable which our new C99 policy allows me to move into the
initialiser clause of its for statement.)
Viewed with whitespace ignored, this is not too disruptive a change.
Downstream patches that conflict with it may need to be reapplied
using --ignore-whitespace or similar.
2020-02-16 07:49:52 +00:00
|
|
|
hw = GetDesktopWindow();
|
|
|
|
|
if (GetWindowRect(hw, &rs) && GetWindowRect(hwnd, &rd))
|
|
|
|
|
MoveWindow(hwnd,
|
|
|
|
|
(rs.right + rs.left + rd.left - rd.right) / 2,
|
|
|
|
|
(rs.bottom + rs.top + rd.top - rd.bottom) / 2,
|
|
|
|
|
rd.right - rd.left, rd.bottom - rd.top, true);
|
2001-03-03 11:54:34 +00:00
|
|
|
|
2015-12-22 12:43:31 +00:00
|
|
|
SetDlgItemText(hwnd, 1000, LICENCE_TEXT("\r\n\r\n"));
|
2019-09-08 19:29:00 +00:00
|
|
|
return 1;
|
Formatting change to braces around one case of a switch.
Sometimes, within a switch statement, you want to declare local
variables specific to the handler for one particular case. Until now
I've mostly been writing this in the form
switch (discriminant) {
case SIMPLE:
do stuff;
break;
case COMPLICATED:
{
declare variables;
do stuff;
}
break;
}
which is ugly because the two pieces of essentially similar code
appear at different indent levels, and also inconvenient because you
have less horizontal space available to write the complicated case
handler in - particuarly undesirable because _complicated_ case
handlers are the ones most likely to need all the space they can get!
After encountering a rather nicer idiom in the LLVM source code, and
after a bit of hackery this morning figuring out how to persuade
Emacs's auto-indent to do what I wanted with it, I've decided to move
to an idiom in which the open brace comes right after the case
statement, and the code within it is indented the same as it would
have been without the brace. Then the whole case handler (including
the break) lives inside those braces, and you get something that looks
more like this:
switch (discriminant) {
case SIMPLE:
do stuff;
break;
case COMPLICATED: {
declare variables;
do stuff;
break;
}
}
This commit is a big-bang change that reformats all the complicated
case handlers I could find into the new layout. This is particularly
nice in the Pageant main function, in which almost _every_ case
handler had a bundle of variables and was long and complicated. (In
fact that's what motivated me to get round to this.) Some of the
innermost parts of the terminal escape-sequence handling are also
breathing a bit easier now the horizontal pressure on them is
relieved.
(Also, in a few cases, I was able to remove the extra braces
completely, because the only variable local to the case handler was a
loop variable which our new C99 policy allows me to move into the
initialiser clause of its for statement.)
Viewed with whitespace ignored, this is not too disruptive a change.
Downstream patches that conflict with it may need to be reapplied
using --ignore-whitespace or similar.
2020-02-16 07:49:52 +00:00
|
|
|
}
|
2000-10-19 15:43:08 +00:00
|
|
|
case WM_COMMAND:
|
2019-09-08 19:29:00 +00:00
|
|
|
switch (LOWORD(wParam)) {
|
|
|
|
|
case IDOK:
|
|
|
|
|
case IDCANCEL:
|
|
|
|
|
EndDialog(hwnd, 1);
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
return 0;
|
2000-10-19 15:43:08 +00:00
|
|
|
case WM_CLOSE:
|
2019-09-08 19:29:00 +00:00
|
|
|
EndDialog(hwnd, 1);
|
|
|
|
|
return 0;
|
2000-10-19 15:43:08 +00:00
|
|
|
}
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Dialog-box function for the About box.
|
|
|
|
|
*/
|
2015-08-11 12:22:09 +00:00
|
|
|
static INT_PTR CALLBACK AboutProc(HWND hwnd, UINT msg,
|
2019-09-08 19:29:00 +00:00
|
|
|
WPARAM wParam, LPARAM lParam)
|
2001-05-06 14:35:20 +00:00
|
|
|
{
|
2000-10-19 15:43:08 +00:00
|
|
|
switch (msg) {
|
|
|
|
|
case WM_INITDIALOG:
|
2019-09-08 19:29:00 +00:00
|
|
|
/*
|
|
|
|
|
* Centre the window.
|
|
|
|
|
*/
|
|
|
|
|
{ /* centre the window */
|
|
|
|
|
RECT rs, rd;
|
|
|
|
|
HWND hw;
|
|
|
|
|
|
|
|
|
|
hw = GetDesktopWindow();
|
|
|
|
|
if (GetWindowRect(hw, &rs) && GetWindowRect(hwnd, &rd))
|
|
|
|
|
MoveWindow(hwnd,
|
|
|
|
|
(rs.right + rs.left + rd.left - rd.right) / 2,
|
|
|
|
|
(rs.bottom + rs.top + rd.top - rd.bottom) / 2,
|
|
|
|
|
rd.right - rd.left, rd.bottom - rd.top, true);
|
|
|
|
|
}
|
2001-03-03 11:54:34 +00:00
|
|
|
|
2015-12-22 10:18:48 +00:00
|
|
|
{
|
2017-01-21 14:55:53 +00:00
|
|
|
char *buildinfo_text = buildinfo("\r\n");
|
2015-12-22 10:18:48 +00:00
|
|
|
char *text = dupprintf
|
2017-01-21 14:55:53 +00:00
|
|
|
("PuTTYgen\r\n\r\n%s\r\n\r\n%s\r\n\r\n%s",
|
|
|
|
|
ver, buildinfo_text,
|
2015-12-22 12:43:31 +00:00
|
|
|
"\251 " SHORT_COPYRIGHT_DETAILS ". All rights reserved.");
|
2017-01-21 14:55:53 +00:00
|
|
|
sfree(buildinfo_text);
|
2015-12-22 10:18:48 +00:00
|
|
|
SetDlgItemText(hwnd, 1000, text);
|
|
|
|
|
sfree(text);
|
|
|
|
|
}
|
2019-09-08 19:29:00 +00:00
|
|
|
return 1;
|
2000-10-19 15:43:08 +00:00
|
|
|
case WM_COMMAND:
|
2019-09-08 19:29:00 +00:00
|
|
|
switch (LOWORD(wParam)) {
|
|
|
|
|
case IDOK:
|
|
|
|
|
case IDCANCEL:
|
|
|
|
|
EndDialog(hwnd, 1);
|
|
|
|
|
return 0;
|
|
|
|
|
case 101:
|
|
|
|
|
EnableWindow(hwnd, 0);
|
|
|
|
|
DialogBox(hinst, MAKEINTRESOURCE(214), hwnd, LicenceProc);
|
|
|
|
|
EnableWindow(hwnd, 1);
|
|
|
|
|
SetActiveWindow(hwnd);
|
|
|
|
|
return 0;
|
|
|
|
|
case 102:
|
|
|
|
|
/* Load web browser */
|
|
|
|
|
ShellExecute(hwnd, "open",
|
|
|
|
|
"https://www.chiark.greenend.org.uk/~sgtatham/putty/",
|
|
|
|
|
0, 0, SW_SHOWDEFAULT);
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
return 0;
|
2000-10-19 15:43:08 +00:00
|
|
|
case WM_CLOSE:
|
2019-09-08 19:29:00 +00:00
|
|
|
EndDialog(hwnd, 1);
|
|
|
|
|
return 0;
|
2000-10-19 15:43:08 +00:00
|
|
|
}
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
2015-05-09 14:02:54 +00:00
|
|
|
typedef enum {RSA, DSA, ECDSA, ED25519} keytype;
|
2014-11-01 09:14:19 +00:00
|
|
|
|
2000-10-19 15:43:08 +00:00
|
|
|
/*
|
|
|
|
|
* Thread to generate a key.
|
|
|
|
|
*/
|
|
|
|
|
struct rsa_key_thread_params {
|
2019-09-08 19:29:00 +00:00
|
|
|
HWND progressbar; /* notify this with progress */
|
|
|
|
|
HWND dialog; /* notify this on completion */
|
|
|
|
|
int key_bits; /* bits in key modulus (RSA, DSA) */
|
Polish up the PuTTYgen user interface for ECC key types.
Jacob pointed out that a free-text field for entering a key size in
bits is all very well for key types where we actually _can_ generate a
key to a size of your choice, but less useful for key types where
there are only three (or one) legal values for the field, especially
if we don't _say_ what they are.
So I've revamped the UI a bit: now, in ECDSA mode, you get a dropdown
list selector showing the available elliptic curves (and they're even
named, rather than just given by bit count), and in ED25519 mode even
that disappears. The curve selector for ECDSA and the bits selector
for RSA/DSA are independent controls, so each one remembers its last
known value even while temporarily hidden in favour of the other.
The actual generation function still expects a bit count rather than
an actual curve or algorithm ID, so the easiest way to actually
arrange to populate the drop-down list was to have an array of bit
counts exposed by sshecc.c. That's a bit ugly, but there we go.
One small functional change: if you enter an absurdly low value into
the RSA/DSA bit count box (under 256), PuTTYgen used to give a warning
and reset it to 256. Now it resets it to the default key length of
2048, basically because I was touching that code anyway to change a
variable name and just couldn't bring myself to leave it in a state
where it intentionally chose such an utterly useless key size. Of
course this doesn't prevent generation of 256-bit keys if someone
still really wants one - it just means they don't get one selected as
the result of a typo.
2016-03-25 07:53:06 +00:00
|
|
|
int curve_bits; /* bits in elliptic curve (ECDSA) */
|
2014-11-01 09:14:19 +00:00
|
|
|
keytype keytype;
|
|
|
|
|
union {
|
2019-01-04 06:51:44 +00:00
|
|
|
RSAKey *key;
|
2014-11-01 09:14:19 +00:00
|
|
|
struct dss_key *dsskey;
|
Complete rewrite of PuTTY's bignum library.
The old 'Bignum' data type is gone completely, and so is sshbn.c. In
its place is a new thing called 'mp_int', handled by an entirely new
library module mpint.c, with API differences both large and small.
The main aim of this change is that the new library should be free of
timing- and cache-related side channels. I've written the code so that
it _should_ - assuming I haven't made any mistakes - do all of its
work without either control flow or memory addressing depending on the
data words of the input numbers. (Though, being an _arbitrary_
precision library, it does have to at least depend on the sizes of the
numbers - but there's a 'formal' size that can vary separately from
the actual magnitude of the represented integer, so if you want to
keep it secret that your number is actually small, it should work fine
to have a very long mp_int and just happen to store 23 in it.) So I've
done all my conditionalisation by means of computing both answers and
doing bit-masking to swap the right one into place, and all loops over
the words of an mp_int go up to the formal size rather than the actual
size.
I haven't actually tested the constant-time property in any rigorous
way yet (I'm still considering the best way to do it). But this code
is surely at the very least a big improvement on the old version, even
if I later find a few more things to fix.
I've also completely rewritten the low-level elliptic curve arithmetic
from sshecc.c; the new ecc.c is closer to being an adjunct of mpint.c
than it is to the SSH end of the code. The new elliptic curve code
keeps all coordinates in Montgomery-multiplication transformed form to
speed up all the multiplications mod the same prime, and only converts
them back when you ask for the affine coordinates. Also, I adopted
extended coordinates for the Edwards curve implementation.
sshecc.c has also had a near-total rewrite in the course of switching
it over to the new system. While I was there, I've separated ECDSA and
EdDSA more completely - they now have separate vtables, instead of a
single vtable in which nearly every function had a big if statement in
it - and also made the externally exposed types for an ECDSA key and
an ECDH context different.
A minor new feature: since the new arithmetic code includes a modular
square root function, we can now support the compressed point
representation for the NIST curves. We seem to have been getting along
fine without that so far, but it seemed a shame not to put it in,
since it was suddenly easy.
In sshrsa.c, one major change is that I've removed the RSA blinding
step in rsa_privkey_op, in which we randomise the ciphertext before
doing the decryption. The purpose of that was to avoid timing leaks
giving away the plaintext - but the new arithmetic code should take
that in its stride in the course of also being careful enough to avoid
leaking the _private key_, which RSA blinding had no way to do
anything about in any case.
Apart from those specific points, most of the rest of the changes are
more or less mechanical, just changing type names and translating code
into the new API.
2018-12-31 13:53:41 +00:00
|
|
|
struct ecdsa_key *eckey;
|
|
|
|
|
struct eddsa_key *edkey;
|
2014-11-01 09:14:19 +00:00
|
|
|
};
|
2000-10-19 15:43:08 +00:00
|
|
|
};
|
2016-03-30 10:28:59 +00:00
|
|
|
static DWORD WINAPI generate_key_thread(void *param)
|
2001-05-06 14:35:20 +00:00
|
|
|
{
|
2000-10-19 15:43:08 +00:00
|
|
|
struct rsa_key_thread_params *params =
|
2019-09-08 19:29:00 +00:00
|
|
|
(struct rsa_key_thread_params *) param;
|
2000-10-19 15:43:08 +00:00
|
|
|
struct progress prog;
|
|
|
|
|
prog.progbar = params->progressbar;
|
|
|
|
|
|
2020-02-29 16:32:16 +00:00
|
|
|
progress_update(&prog, PROGFN_INITIALISE, 0, 0);
|
2001-11-12 09:19:57 +00:00
|
|
|
|
2014-11-01 09:14:19 +00:00
|
|
|
if (params->keytype == DSA)
|
2020-02-29 16:32:16 +00:00
|
|
|
dsa_generate(params->dsskey, params->key_bits, progress_update, &prog);
|
2014-11-01 09:45:20 +00:00
|
|
|
else if (params->keytype == ECDSA)
|
2020-02-29 16:32:16 +00:00
|
|
|
ecdsa_generate(params->eckey, params->curve_bits,
|
|
|
|
|
progress_update, &prog);
|
2015-05-09 14:02:54 +00:00
|
|
|
else if (params->keytype == ED25519)
|
2020-02-29 16:32:16 +00:00
|
|
|
eddsa_generate(params->edkey, 255, progress_update, &prog);
|
2001-09-22 20:52:21 +00:00
|
|
|
else
|
2020-02-29 16:32:16 +00:00
|
|
|
rsa_generate(params->key, params->key_bits, progress_update, &prog);
|
2000-10-19 15:43:08 +00:00
|
|
|
|
|
|
|
|
PostMessage(params->dialog, WM_DONEKEY, 0, 0);
|
|
|
|
|
|
2000-12-12 10:33:13 +00:00
|
|
|
sfree(params);
|
2000-10-19 15:43:08 +00:00
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
struct MainDlgState {
|
Convert a lot of 'int' variables to 'bool'.
My normal habit these days, in new code, is to treat int and bool as
_almost_ completely separate types. I'm still willing to use C's
implicit test for zero on an integer (e.g. 'if (!blob.len)' is fine,
no need to spell it out as blob.len != 0), but generally, if a
variable is going to be conceptually a boolean, I like to declare it
bool and assign to it using 'true' or 'false' rather than 0 or 1.
PuTTY is an exception, because it predates the C99 bool, and I've
stuck to its existing coding style even when adding new code to it.
But it's been annoying me more and more, so now that I've decided C99
bool is an acceptable thing to require from our toolchain in the first
place, here's a quite thorough trawl through the source doing
'boolification'. Many variables and function parameters are now typed
as bool rather than int; many assignments of 0 or 1 to those variables
are now spelled 'true' or 'false'.
I managed this thorough conversion with the help of a custom clang
plugin that I wrote to trawl the AST and apply heuristics to point out
where things might want changing. So I've even managed to do a decent
job on parts of the code I haven't looked at in years!
To make the plugin's work easier, I pushed platform front ends
generally in the direction of using standard 'bool' in preference to
platform-specific boolean types like Windows BOOL or GTK's gboolean;
I've left the platform booleans in places they _have_ to be for the
platform APIs to work right, but variables only used by my own code
have been converted wherever I found them.
In a few places there are int values that look very like booleans in
_most_ of the places they're used, but have a rarely-used third value,
or a distinction between different nonzero values that most users
don't care about. In these cases, I've _removed_ uses of 'true' and
'false' for the return values, to emphasise that there's something
more subtle going on than a simple boolean answer:
- the 'multisel' field in dialog.h's list box structure, for which
the GTK front end in particular recognises a difference between 1
and 2 but nearly everything else treats as boolean
- the 'urgent' parameter to plug_receive, where 1 vs 2 tells you
something about the specific location of the urgent pointer, but
most clients only care about 0 vs 'something nonzero'
- the return value of wc_match, where -1 indicates a syntax error in
the wildcard.
- the return values from SSH-1 RSA-key loading functions, which use
-1 for 'wrong passphrase' and 0 for all other failures (so any
caller which already knows it's not loading an _encrypted private_
key can treat them as boolean)
- term->esc_query, and the 'query' parameter in toggle_mode in
terminal.c, which _usually_ hold 0 for ESC[123h or 1 for ESC[?123h,
but can also hold -1 for some other intervening character that we
don't support.
In a few places there's an integer that I haven't turned into a bool
even though it really _can_ only take values 0 or 1 (and, as above,
tried to make the call sites consistent in not calling those values
true and false), on the grounds that I thought it would make it more
confusing to imply that the 0 value was in some sense 'negative' or
bad and the 1 positive or good:
- the return value of plug_accepting uses the POSIXish convention of
0=success and nonzero=error; I think if I made it bool then I'd
also want to reverse its sense, and that's a job for a separate
piece of work.
- the 'screen' parameter to lineptr() in terminal.c, where 0 and 1
represent the default and alternate screens. There's no obvious
reason why one of those should be considered 'true' or 'positive'
or 'success' - they're just indices - so I've left it as int.
ssh_scp_recv had particularly confusing semantics for its previous int
return value: its call sites used '<= 0' to check for error, but it
never actually returned a negative number, just 0 or 1. Now the
function and its call sites agree that it's a bool.
In a couple of places I've renamed variables called 'ret', because I
don't like that name any more - it's unclear whether it means the
return value (in preparation) for the _containing_ function or the
return value received from a subroutine call, and occasionally I've
accidentally used the same variable for both and introduced a bug. So
where one of those got in my way, I've renamed it to 'toret' or 'retd'
(the latter short for 'returned') in line with my usual modern
practice, but I haven't done a thorough job of finding all of them.
Finally, one amusing side effect of doing this is that I've had to
separate quite a few chained assignments. It used to be perfectly fine
to write 'a = b = c = TRUE' when a,b,c were int and TRUE was just a
the 'true' defined by stdbool.h, that idiom provokes a warning from
gcc: 'suggest parentheses around assignment used as truth value'!
2018-11-02 19:23:19 +00:00
|
|
|
bool collecting_entropy;
|
|
|
|
|
bool generation_thread_exists;
|
|
|
|
|
bool key_exists;
|
2000-10-19 15:43:08 +00:00
|
|
|
int entropy_got, entropy_required, entropy_size;
|
Polish up the PuTTYgen user interface for ECC key types.
Jacob pointed out that a free-text field for entering a key size in
bits is all very well for key types where we actually _can_ generate a
key to a size of your choice, but less useful for key types where
there are only three (or one) legal values for the field, especially
if we don't _say_ what they are.
So I've revamped the UI a bit: now, in ECDSA mode, you get a dropdown
list selector showing the available elliptic curves (and they're even
named, rather than just given by bit count), and in ED25519 mode even
that disappears. The curve selector for ECDSA and the bits selector
for RSA/DSA are independent controls, so each one remembers its last
known value even while temporarily hidden in favour of the other.
The actual generation function still expects a bit count rather than
an actual curve or algorithm ID, so the easiest way to actually
arrange to populate the drop-down list was to have an array of bit
counts exposed by sshecc.c. That's a bit ugly, but there we go.
One small functional change: if you enter an absurdly low value into
the RSA/DSA bit count box (under 256), PuTTYgen used to give a warning
and reset it to 256. Now it resets it to the default key length of
2048, basically because I was touching that code anyway to change a
variable name and just couldn't bring myself to leave it in a state
where it intentionally chose such an utterly useless key size. Of
course this doesn't prevent generation of 256-bit keys if someone
still really wants one - it just means they don't get one selected as
the result of a typo.
2016-03-25 07:53:06 +00:00
|
|
|
int key_bits, curve_bits;
|
Convert a lot of 'int' variables to 'bool'.
My normal habit these days, in new code, is to treat int and bool as
_almost_ completely separate types. I'm still willing to use C's
implicit test for zero on an integer (e.g. 'if (!blob.len)' is fine,
no need to spell it out as blob.len != 0), but generally, if a
variable is going to be conceptually a boolean, I like to declare it
bool and assign to it using 'true' or 'false' rather than 0 or 1.
PuTTY is an exception, because it predates the C99 bool, and I've
stuck to its existing coding style even when adding new code to it.
But it's been annoying me more and more, so now that I've decided C99
bool is an acceptable thing to require from our toolchain in the first
place, here's a quite thorough trawl through the source doing
'boolification'. Many variables and function parameters are now typed
as bool rather than int; many assignments of 0 or 1 to those variables
are now spelled 'true' or 'false'.
I managed this thorough conversion with the help of a custom clang
plugin that I wrote to trawl the AST and apply heuristics to point out
where things might want changing. So I've even managed to do a decent
job on parts of the code I haven't looked at in years!
To make the plugin's work easier, I pushed platform front ends
generally in the direction of using standard 'bool' in preference to
platform-specific boolean types like Windows BOOL or GTK's gboolean;
I've left the platform booleans in places they _have_ to be for the
platform APIs to work right, but variables only used by my own code
have been converted wherever I found them.
In a few places there are int values that look very like booleans in
_most_ of the places they're used, but have a rarely-used third value,
or a distinction between different nonzero values that most users
don't care about. In these cases, I've _removed_ uses of 'true' and
'false' for the return values, to emphasise that there's something
more subtle going on than a simple boolean answer:
- the 'multisel' field in dialog.h's list box structure, for which
the GTK front end in particular recognises a difference between 1
and 2 but nearly everything else treats as boolean
- the 'urgent' parameter to plug_receive, where 1 vs 2 tells you
something about the specific location of the urgent pointer, but
most clients only care about 0 vs 'something nonzero'
- the return value of wc_match, where -1 indicates a syntax error in
the wildcard.
- the return values from SSH-1 RSA-key loading functions, which use
-1 for 'wrong passphrase' and 0 for all other failures (so any
caller which already knows it's not loading an _encrypted private_
key can treat them as boolean)
- term->esc_query, and the 'query' parameter in toggle_mode in
terminal.c, which _usually_ hold 0 for ESC[123h or 1 for ESC[?123h,
but can also hold -1 for some other intervening character that we
don't support.
In a few places there's an integer that I haven't turned into a bool
even though it really _can_ only take values 0 or 1 (and, as above,
tried to make the call sites consistent in not calling those values
true and false), on the grounds that I thought it would make it more
confusing to imply that the 0 value was in some sense 'negative' or
bad and the 1 positive or good:
- the return value of plug_accepting uses the POSIXish convention of
0=success and nonzero=error; I think if I made it bool then I'd
also want to reverse its sense, and that's a job for a separate
piece of work.
- the 'screen' parameter to lineptr() in terminal.c, where 0 and 1
represent the default and alternate screens. There's no obvious
reason why one of those should be considered 'true' or 'positive'
or 'success' - they're just indices - so I've left it as int.
ssh_scp_recv had particularly confusing semantics for its previous int
return value: its call sites used '<= 0' to check for error, but it
never actually returned a negative number, just 0 or 1. Now the
function and its call sites agree that it's a bool.
In a couple of places I've renamed variables called 'ret', because I
don't like that name any more - it's unclear whether it means the
return value (in preparation) for the _containing_ function or the
return value received from a subroutine call, and occasionally I've
accidentally used the same variable for both and introduced a bug. So
where one of those got in my way, I've renamed it to 'toret' or 'retd'
(the latter short for 'returned') in line with my usual modern
practice, but I haven't done a thorough job of finding all of them.
Finally, one amusing side effect of doing this is that I've had to
separate quite a few chained assignments. It used to be perfectly fine
to write 'a = b = c = TRUE' when a,b,c were int and TRUE was just a
the 'true' defined by stdbool.h, that idiom provokes a warning from
gcc: 'suggest parentheses around assignment used as truth value'!
2018-11-02 19:23:19 +00:00
|
|
|
bool ssh2;
|
2014-11-01 09:14:19 +00:00
|
|
|
keytype keytype;
|
2019-09-08 19:29:00 +00:00
|
|
|
char **commentptr; /* points to key.comment or ssh2key.comment */
|
2019-01-04 06:51:44 +00:00
|
|
|
ssh2_userkey ssh2key;
|
2000-10-19 15:43:08 +00:00
|
|
|
unsigned *entropy;
|
2014-11-01 09:14:19 +00:00
|
|
|
union {
|
2019-01-04 06:51:44 +00:00
|
|
|
RSAKey key;
|
2014-11-01 09:14:19 +00:00
|
|
|
struct dss_key dsskey;
|
Complete rewrite of PuTTY's bignum library.
The old 'Bignum' data type is gone completely, and so is sshbn.c. In
its place is a new thing called 'mp_int', handled by an entirely new
library module mpint.c, with API differences both large and small.
The main aim of this change is that the new library should be free of
timing- and cache-related side channels. I've written the code so that
it _should_ - assuming I haven't made any mistakes - do all of its
work without either control flow or memory addressing depending on the
data words of the input numbers. (Though, being an _arbitrary_
precision library, it does have to at least depend on the sizes of the
numbers - but there's a 'formal' size that can vary separately from
the actual magnitude of the represented integer, so if you want to
keep it secret that your number is actually small, it should work fine
to have a very long mp_int and just happen to store 23 in it.) So I've
done all my conditionalisation by means of computing both answers and
doing bit-masking to swap the right one into place, and all loops over
the words of an mp_int go up to the formal size rather than the actual
size.
I haven't actually tested the constant-time property in any rigorous
way yet (I'm still considering the best way to do it). But this code
is surely at the very least a big improvement on the old version, even
if I later find a few more things to fix.
I've also completely rewritten the low-level elliptic curve arithmetic
from sshecc.c; the new ecc.c is closer to being an adjunct of mpint.c
than it is to the SSH end of the code. The new elliptic curve code
keeps all coordinates in Montgomery-multiplication transformed form to
speed up all the multiplications mod the same prime, and only converts
them back when you ask for the affine coordinates. Also, I adopted
extended coordinates for the Edwards curve implementation.
sshecc.c has also had a near-total rewrite in the course of switching
it over to the new system. While I was there, I've separated ECDSA and
EdDSA more completely - they now have separate vtables, instead of a
single vtable in which nearly every function had a big if statement in
it - and also made the externally exposed types for an ECDSA key and
an ECDH context different.
A minor new feature: since the new arithmetic code includes a modular
square root function, we can now support the compressed point
representation for the NIST curves. We seem to have been getting along
fine without that so far, but it seemed a shame not to put it in,
since it was suddenly easy.
In sshrsa.c, one major change is that I've removed the RSA blinding
step in rsa_privkey_op, in which we randomise the ciphertext before
doing the decryption. The purpose of that was to avoid timing leaks
giving away the plaintext - but the new arithmetic code should take
that in its stride in the course of also being careful enough to avoid
leaking the _private key_, which RSA blinding had no way to do
anything about in any case.
Apart from those specific points, most of the rest of the changes are
more or less mechanical, just changing type names and translating code
into the new API.
2018-12-31 13:53:41 +00:00
|
|
|
struct ecdsa_key eckey;
|
|
|
|
|
struct eddsa_key edkey;
|
2014-11-01 09:14:19 +00:00
|
|
|
};
|
2002-05-18 09:20:41 +00:00
|
|
|
HMENU filemenu, keymenu, cvtmenu;
|
2000-10-19 15:43:08 +00:00
|
|
|
};
|
|
|
|
|
|
Convert a lot of 'int' variables to 'bool'.
My normal habit these days, in new code, is to treat int and bool as
_almost_ completely separate types. I'm still willing to use C's
implicit test for zero on an integer (e.g. 'if (!blob.len)' is fine,
no need to spell it out as blob.len != 0), but generally, if a
variable is going to be conceptually a boolean, I like to declare it
bool and assign to it using 'true' or 'false' rather than 0 or 1.
PuTTY is an exception, because it predates the C99 bool, and I've
stuck to its existing coding style even when adding new code to it.
But it's been annoying me more and more, so now that I've decided C99
bool is an acceptable thing to require from our toolchain in the first
place, here's a quite thorough trawl through the source doing
'boolification'. Many variables and function parameters are now typed
as bool rather than int; many assignments of 0 or 1 to those variables
are now spelled 'true' or 'false'.
I managed this thorough conversion with the help of a custom clang
plugin that I wrote to trawl the AST and apply heuristics to point out
where things might want changing. So I've even managed to do a decent
job on parts of the code I haven't looked at in years!
To make the plugin's work easier, I pushed platform front ends
generally in the direction of using standard 'bool' in preference to
platform-specific boolean types like Windows BOOL or GTK's gboolean;
I've left the platform booleans in places they _have_ to be for the
platform APIs to work right, but variables only used by my own code
have been converted wherever I found them.
In a few places there are int values that look very like booleans in
_most_ of the places they're used, but have a rarely-used third value,
or a distinction between different nonzero values that most users
don't care about. In these cases, I've _removed_ uses of 'true' and
'false' for the return values, to emphasise that there's something
more subtle going on than a simple boolean answer:
- the 'multisel' field in dialog.h's list box structure, for which
the GTK front end in particular recognises a difference between 1
and 2 but nearly everything else treats as boolean
- the 'urgent' parameter to plug_receive, where 1 vs 2 tells you
something about the specific location of the urgent pointer, but
most clients only care about 0 vs 'something nonzero'
- the return value of wc_match, where -1 indicates a syntax error in
the wildcard.
- the return values from SSH-1 RSA-key loading functions, which use
-1 for 'wrong passphrase' and 0 for all other failures (so any
caller which already knows it's not loading an _encrypted private_
key can treat them as boolean)
- term->esc_query, and the 'query' parameter in toggle_mode in
terminal.c, which _usually_ hold 0 for ESC[123h or 1 for ESC[?123h,
but can also hold -1 for some other intervening character that we
don't support.
In a few places there's an integer that I haven't turned into a bool
even though it really _can_ only take values 0 or 1 (and, as above,
tried to make the call sites consistent in not calling those values
true and false), on the grounds that I thought it would make it more
confusing to imply that the 0 value was in some sense 'negative' or
bad and the 1 positive or good:
- the return value of plug_accepting uses the POSIXish convention of
0=success and nonzero=error; I think if I made it bool then I'd
also want to reverse its sense, and that's a job for a separate
piece of work.
- the 'screen' parameter to lineptr() in terminal.c, where 0 and 1
represent the default and alternate screens. There's no obvious
reason why one of those should be considered 'true' or 'positive'
or 'success' - they're just indices - so I've left it as int.
ssh_scp_recv had particularly confusing semantics for its previous int
return value: its call sites used '<= 0' to check for error, but it
never actually returned a negative number, just 0 or 1. Now the
function and its call sites agree that it's a bool.
In a couple of places I've renamed variables called 'ret', because I
don't like that name any more - it's unclear whether it means the
return value (in preparation) for the _containing_ function or the
return value received from a subroutine call, and occasionally I've
accidentally used the same variable for both and introduced a bug. So
where one of those got in my way, I've renamed it to 'toret' or 'retd'
(the latter short for 'returned') in line with my usual modern
practice, but I haven't done a thorough job of finding all of them.
Finally, one amusing side effect of doing this is that I've had to
separate quite a few chained assignments. It used to be perfectly fine
to write 'a = b = c = TRUE' when a,b,c were int and TRUE was just a
the 'true' defined by stdbool.h, that idiom provokes a warning from
gcc: 'suggest parentheses around assignment used as truth value'!
2018-11-02 19:23:19 +00:00
|
|
|
static void hidemany(HWND hwnd, const int *ids, bool hideit)
|
2001-05-06 14:35:20 +00:00
|
|
|
{
|
2000-10-19 15:43:08 +00:00
|
|
|
while (*ids) {
|
2019-09-08 19:29:00 +00:00
|
|
|
ShowWindow(GetDlgItem(hwnd, *ids++), (hideit ? SW_HIDE : SW_SHOW));
|
2000-10-19 15:43:08 +00:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2019-01-04 06:51:44 +00:00
|
|
|
static void setupbigedit1(HWND hwnd, int id, int idstatic, RSAKey *key)
|
2001-05-06 14:35:20 +00:00
|
|
|
{
|
2015-05-12 12:42:26 +00:00
|
|
|
char *buffer = ssh1_pubkey_str(key);
|
2000-10-19 15:43:08 +00:00
|
|
|
SetDlgItemText(hwnd, id, buffer);
|
2001-08-27 17:40:03 +00:00
|
|
|
SetDlgItemText(hwnd, idstatic,
|
2019-09-08 19:29:00 +00:00
|
|
|
"&Public key for pasting into authorized_keys file:");
|
2000-12-12 10:33:13 +00:00
|
|
|
sfree(buffer);
|
2000-10-19 15:43:08 +00:00
|
|
|
}
|
|
|
|
|
|
2001-08-27 17:40:03 +00:00
|
|
|
static void setupbigedit2(HWND hwnd, int id, int idstatic,
|
2019-09-08 19:29:00 +00:00
|
|
|
ssh2_userkey *key)
|
2001-05-06 14:35:20 +00:00
|
|
|
{
|
2015-05-12 12:42:26 +00:00
|
|
|
char *buffer = ssh2_pubkey_openssh_str(key);
|
2001-03-03 11:54:34 +00:00
|
|
|
SetDlgItemText(hwnd, id, buffer);
|
2001-08-27 17:40:03 +00:00
|
|
|
SetDlgItemText(hwnd, idstatic, "&Public key for pasting into "
|
2019-09-08 19:29:00 +00:00
|
|
|
"OpenSSH authorized_keys file:");
|
2001-05-06 14:35:20 +00:00
|
|
|
sfree(buffer);
|
2001-03-03 11:54:34 +00:00
|
|
|
}
|
|
|
|
|
|
2001-11-25 14:31:46 +00:00
|
|
|
/*
|
|
|
|
|
* Warn about the obsolescent key file format.
|
|
|
|
|
*/
|
|
|
|
|
void old_keyfile_warning(void)
|
|
|
|
|
{
|
|
|
|
|
static const char mbtitle[] = "PuTTY Key File Warning";
|
|
|
|
|
static const char message[] =
|
2019-09-08 19:29:00 +00:00
|
|
|
"You are loading an SSH-2 private key which has an\n"
|
|
|
|
|
"old version of the file format. This means your key\n"
|
|
|
|
|
"file is not fully tamperproof. Future versions of\n"
|
|
|
|
|
"PuTTY may stop supporting this private key format,\n"
|
|
|
|
|
"so we recommend you convert your key to the new\n"
|
|
|
|
|
"format.\n"
|
|
|
|
|
"\n"
|
|
|
|
|
"Once the key is loaded into PuTTYgen, you can perform\n"
|
|
|
|
|
"this conversion simply by saving it again.";
|
2001-11-25 14:31:46 +00:00
|
|
|
|
|
|
|
|
MessageBox(NULL, message, mbtitle, MB_OK);
|
|
|
|
|
}
|
|
|
|
|
|
2002-05-15 20:07:11 +00:00
|
|
|
enum {
|
|
|
|
|
controlidstart = 100,
|
|
|
|
|
IDC_QUIT,
|
|
|
|
|
IDC_TITLE,
|
|
|
|
|
IDC_BOX_KEY,
|
|
|
|
|
IDC_NOKEY,
|
|
|
|
|
IDC_GENERATING,
|
|
|
|
|
IDC_PROGRESS,
|
|
|
|
|
IDC_PKSTATIC, IDC_KEYDISPLAY,
|
|
|
|
|
IDC_FPSTATIC, IDC_FINGERPRINT,
|
|
|
|
|
IDC_COMMENTSTATIC, IDC_COMMENTEDIT,
|
|
|
|
|
IDC_PASSPHRASE1STATIC, IDC_PASSPHRASE1EDIT,
|
|
|
|
|
IDC_PASSPHRASE2STATIC, IDC_PASSPHRASE2EDIT,
|
|
|
|
|
IDC_BOX_ACTIONS,
|
|
|
|
|
IDC_GENSTATIC, IDC_GENERATE,
|
|
|
|
|
IDC_LOADSTATIC, IDC_LOAD,
|
|
|
|
|
IDC_SAVESTATIC, IDC_SAVE, IDC_SAVEPUB,
|
|
|
|
|
IDC_BOX_PARAMS,
|
|
|
|
|
IDC_TYPESTATIC, IDC_KEYSSH1, IDC_KEYSSH2RSA, IDC_KEYSSH2DSA,
|
2015-05-09 14:02:54 +00:00
|
|
|
IDC_KEYSSH2ECDSA, IDC_KEYSSH2ED25519,
|
2002-05-15 20:07:11 +00:00
|
|
|
IDC_BITSSTATIC, IDC_BITS,
|
Polish up the PuTTYgen user interface for ECC key types.
Jacob pointed out that a free-text field for entering a key size in
bits is all very well for key types where we actually _can_ generate a
key to a size of your choice, but less useful for key types where
there are only three (or one) legal values for the field, especially
if we don't _say_ what they are.
So I've revamped the UI a bit: now, in ECDSA mode, you get a dropdown
list selector showing the available elliptic curves (and they're even
named, rather than just given by bit count), and in ED25519 mode even
that disappears. The curve selector for ECDSA and the bits selector
for RSA/DSA are independent controls, so each one remembers its last
known value even while temporarily hidden in favour of the other.
The actual generation function still expects a bit count rather than
an actual curve or algorithm ID, so the easiest way to actually
arrange to populate the drop-down list was to have an array of bit
counts exposed by sshecc.c. That's a bit ugly, but there we go.
One small functional change: if you enter an absurdly low value into
the RSA/DSA bit count box (under 256), PuTTYgen used to give a warning
and reset it to 256. Now it resets it to the default key length of
2048, basically because I was touching that code anyway to change a
variable name and just couldn't bring myself to leave it in a state
where it intentionally chose such an utterly useless key size. Of
course this doesn't prevent generation of 256-bit keys if someone
still really wants one - it just means they don't get one selected as
the result of a typo.
2016-03-25 07:53:06 +00:00
|
|
|
IDC_CURVESTATIC, IDC_CURVE,
|
|
|
|
|
IDC_NOTHINGSTATIC,
|
2002-05-15 20:07:11 +00:00
|
|
|
IDC_ABOUT,
|
|
|
|
|
IDC_GIVEHELP,
|
2015-04-28 18:46:58 +00:00
|
|
|
IDC_IMPORT,
|
2015-05-10 06:42:48 +00:00
|
|
|
IDC_EXPORT_OPENSSH_AUTO, IDC_EXPORT_OPENSSH_NEW,
|
2015-04-28 18:46:58 +00:00
|
|
|
IDC_EXPORT_SSHCOM
|
2002-05-15 20:07:11 +00:00
|
|
|
};
|
|
|
|
|
|
|
|
|
|
static const int nokey_ids[] = { IDC_NOKEY, 0 };
|
|
|
|
|
static const int generating_ids[] = { IDC_GENERATING, IDC_PROGRESS, 0 };
|
|
|
|
|
static const int gotkey_ids[] = {
|
|
|
|
|
IDC_PKSTATIC, IDC_KEYDISPLAY,
|
|
|
|
|
IDC_FPSTATIC, IDC_FINGERPRINT,
|
|
|
|
|
IDC_COMMENTSTATIC, IDC_COMMENTEDIT,
|
|
|
|
|
IDC_PASSPHRASE1STATIC, IDC_PASSPHRASE1EDIT,
|
|
|
|
|
IDC_PASSPHRASE2STATIC, IDC_PASSPHRASE2EDIT, 0
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Small UI helper function to switch the state of the main dialog
|
|
|
|
|
* by enabling and disabling controls and menu items.
|
|
|
|
|
*/
|
|
|
|
|
void ui_set_state(HWND hwnd, struct MainDlgState *state, int status)
|
|
|
|
|
{
|
|
|
|
|
int type;
|
|
|
|
|
|
|
|
|
|
switch (status) {
|
2019-09-08 19:29:00 +00:00
|
|
|
case 0: /* no key */
|
|
|
|
|
hidemany(hwnd, nokey_ids, false);
|
|
|
|
|
hidemany(hwnd, generating_ids, true);
|
|
|
|
|
hidemany(hwnd, gotkey_ids, true);
|
|
|
|
|
EnableWindow(GetDlgItem(hwnd, IDC_GENERATE), 1);
|
|
|
|
|
EnableWindow(GetDlgItem(hwnd, IDC_LOAD), 1);
|
|
|
|
|
EnableWindow(GetDlgItem(hwnd, IDC_SAVE), 0);
|
|
|
|
|
EnableWindow(GetDlgItem(hwnd, IDC_SAVEPUB), 0);
|
|
|
|
|
EnableWindow(GetDlgItem(hwnd, IDC_KEYSSH1), 1);
|
|
|
|
|
EnableWindow(GetDlgItem(hwnd, IDC_KEYSSH2RSA), 1);
|
|
|
|
|
EnableWindow(GetDlgItem(hwnd, IDC_KEYSSH2DSA), 1);
|
2014-11-01 09:45:20 +00:00
|
|
|
EnableWindow(GetDlgItem(hwnd, IDC_KEYSSH2ECDSA), 1);
|
2015-05-09 14:02:54 +00:00
|
|
|
EnableWindow(GetDlgItem(hwnd, IDC_KEYSSH2ED25519), 1);
|
2019-09-08 19:29:00 +00:00
|
|
|
EnableWindow(GetDlgItem(hwnd, IDC_BITS), 1);
|
|
|
|
|
EnableMenuItem(state->filemenu, IDC_LOAD, MF_ENABLED|MF_BYCOMMAND);
|
|
|
|
|
EnableMenuItem(state->filemenu, IDC_SAVE, MF_GRAYED|MF_BYCOMMAND);
|
|
|
|
|
EnableMenuItem(state->filemenu, IDC_SAVEPUB, MF_GRAYED|MF_BYCOMMAND);
|
|
|
|
|
EnableMenuItem(state->keymenu, IDC_GENERATE, MF_ENABLED|MF_BYCOMMAND);
|
|
|
|
|
EnableMenuItem(state->keymenu, IDC_KEYSSH1, MF_ENABLED|MF_BYCOMMAND);
|
|
|
|
|
EnableMenuItem(state->keymenu, IDC_KEYSSH2RSA, MF_ENABLED|MF_BYCOMMAND);
|
|
|
|
|
EnableMenuItem(state->keymenu, IDC_KEYSSH2DSA, MF_ENABLED|MF_BYCOMMAND);
|
2014-11-01 09:45:20 +00:00
|
|
|
EnableMenuItem(state->keymenu, IDC_KEYSSH2ECDSA,
|
|
|
|
|
MF_ENABLED|MF_BYCOMMAND);
|
2015-05-09 14:02:54 +00:00
|
|
|
EnableMenuItem(state->keymenu, IDC_KEYSSH2ED25519,
|
|
|
|
|
MF_ENABLED|MF_BYCOMMAND);
|
2019-09-08 19:29:00 +00:00
|
|
|
EnableMenuItem(state->cvtmenu, IDC_IMPORT, MF_ENABLED|MF_BYCOMMAND);
|
|
|
|
|
EnableMenuItem(state->cvtmenu, IDC_EXPORT_OPENSSH_AUTO,
|
|
|
|
|
MF_GRAYED|MF_BYCOMMAND);
|
|
|
|
|
EnableMenuItem(state->cvtmenu, IDC_EXPORT_OPENSSH_NEW,
|
|
|
|
|
MF_GRAYED|MF_BYCOMMAND);
|
|
|
|
|
EnableMenuItem(state->cvtmenu, IDC_EXPORT_SSHCOM,
|
|
|
|
|
MF_GRAYED|MF_BYCOMMAND);
|
|
|
|
|
break;
|
|
|
|
|
case 1: /* generating key */
|
|
|
|
|
hidemany(hwnd, nokey_ids, true);
|
|
|
|
|
hidemany(hwnd, generating_ids, false);
|
|
|
|
|
hidemany(hwnd, gotkey_ids, true);
|
|
|
|
|
EnableWindow(GetDlgItem(hwnd, IDC_GENERATE), 0);
|
|
|
|
|
EnableWindow(GetDlgItem(hwnd, IDC_LOAD), 0);
|
|
|
|
|
EnableWindow(GetDlgItem(hwnd, IDC_SAVE), 0);
|
|
|
|
|
EnableWindow(GetDlgItem(hwnd, IDC_SAVEPUB), 0);
|
|
|
|
|
EnableWindow(GetDlgItem(hwnd, IDC_KEYSSH1), 0);
|
|
|
|
|
EnableWindow(GetDlgItem(hwnd, IDC_KEYSSH2RSA), 0);
|
|
|
|
|
EnableWindow(GetDlgItem(hwnd, IDC_KEYSSH2DSA), 0);
|
2014-11-01 09:45:20 +00:00
|
|
|
EnableWindow(GetDlgItem(hwnd, IDC_KEYSSH2ECDSA), 0);
|
2015-05-09 14:02:54 +00:00
|
|
|
EnableWindow(GetDlgItem(hwnd, IDC_KEYSSH2ED25519), 0);
|
2019-09-08 19:29:00 +00:00
|
|
|
EnableWindow(GetDlgItem(hwnd, IDC_BITS), 0);
|
|
|
|
|
EnableMenuItem(state->filemenu, IDC_LOAD, MF_GRAYED|MF_BYCOMMAND);
|
|
|
|
|
EnableMenuItem(state->filemenu, IDC_SAVE, MF_GRAYED|MF_BYCOMMAND);
|
|
|
|
|
EnableMenuItem(state->filemenu, IDC_SAVEPUB, MF_GRAYED|MF_BYCOMMAND);
|
|
|
|
|
EnableMenuItem(state->keymenu, IDC_GENERATE, MF_GRAYED|MF_BYCOMMAND);
|
|
|
|
|
EnableMenuItem(state->keymenu, IDC_KEYSSH1, MF_GRAYED|MF_BYCOMMAND);
|
|
|
|
|
EnableMenuItem(state->keymenu, IDC_KEYSSH2RSA, MF_GRAYED|MF_BYCOMMAND);
|
|
|
|
|
EnableMenuItem(state->keymenu, IDC_KEYSSH2DSA, MF_GRAYED|MF_BYCOMMAND);
|
2014-11-01 09:45:20 +00:00
|
|
|
EnableMenuItem(state->keymenu, IDC_KEYSSH2ECDSA,
|
|
|
|
|
MF_GRAYED|MF_BYCOMMAND);
|
2015-05-09 14:02:54 +00:00
|
|
|
EnableMenuItem(state->keymenu, IDC_KEYSSH2ED25519,
|
|
|
|
|
MF_GRAYED|MF_BYCOMMAND);
|
2019-09-08 19:29:00 +00:00
|
|
|
EnableMenuItem(state->cvtmenu, IDC_IMPORT, MF_GRAYED|MF_BYCOMMAND);
|
|
|
|
|
EnableMenuItem(state->cvtmenu, IDC_EXPORT_OPENSSH_AUTO,
|
|
|
|
|
MF_GRAYED|MF_BYCOMMAND);
|
|
|
|
|
EnableMenuItem(state->cvtmenu, IDC_EXPORT_OPENSSH_NEW,
|
|
|
|
|
MF_GRAYED|MF_BYCOMMAND);
|
|
|
|
|
EnableMenuItem(state->cvtmenu, IDC_EXPORT_SSHCOM,
|
|
|
|
|
MF_GRAYED|MF_BYCOMMAND);
|
|
|
|
|
break;
|
2002-05-15 20:07:11 +00:00
|
|
|
case 2:
|
2019-09-08 19:29:00 +00:00
|
|
|
hidemany(hwnd, nokey_ids, true);
|
|
|
|
|
hidemany(hwnd, generating_ids, true);
|
|
|
|
|
hidemany(hwnd, gotkey_ids, false);
|
|
|
|
|
EnableWindow(GetDlgItem(hwnd, IDC_GENERATE), 1);
|
|
|
|
|
EnableWindow(GetDlgItem(hwnd, IDC_LOAD), 1);
|
|
|
|
|
EnableWindow(GetDlgItem(hwnd, IDC_SAVE), 1);
|
|
|
|
|
EnableWindow(GetDlgItem(hwnd, IDC_SAVEPUB), 1);
|
|
|
|
|
EnableWindow(GetDlgItem(hwnd, IDC_KEYSSH1), 1);
|
|
|
|
|
EnableWindow(GetDlgItem(hwnd, IDC_KEYSSH2RSA), 1);
|
|
|
|
|
EnableWindow(GetDlgItem(hwnd, IDC_KEYSSH2DSA), 1);
|
2014-11-01 09:45:20 +00:00
|
|
|
EnableWindow(GetDlgItem(hwnd, IDC_KEYSSH2ECDSA), 1);
|
2015-05-09 14:02:54 +00:00
|
|
|
EnableWindow(GetDlgItem(hwnd, IDC_KEYSSH2ED25519), 1);
|
2019-09-08 19:29:00 +00:00
|
|
|
EnableWindow(GetDlgItem(hwnd, IDC_BITS), 1);
|
|
|
|
|
EnableMenuItem(state->filemenu, IDC_LOAD, MF_ENABLED|MF_BYCOMMAND);
|
|
|
|
|
EnableMenuItem(state->filemenu, IDC_SAVE, MF_ENABLED|MF_BYCOMMAND);
|
|
|
|
|
EnableMenuItem(state->filemenu, IDC_SAVEPUB, MF_ENABLED|MF_BYCOMMAND);
|
|
|
|
|
EnableMenuItem(state->keymenu, IDC_GENERATE, MF_ENABLED|MF_BYCOMMAND);
|
|
|
|
|
EnableMenuItem(state->keymenu, IDC_KEYSSH1, MF_ENABLED|MF_BYCOMMAND);
|
|
|
|
|
EnableMenuItem(state->keymenu, IDC_KEYSSH2RSA,MF_ENABLED|MF_BYCOMMAND);
|
|
|
|
|
EnableMenuItem(state->keymenu, IDC_KEYSSH2DSA,MF_ENABLED|MF_BYCOMMAND);
|
2014-11-01 09:45:20 +00:00
|
|
|
EnableMenuItem(state->keymenu, IDC_KEYSSH2ECDSA,
|
|
|
|
|
MF_ENABLED|MF_BYCOMMAND);
|
2015-05-09 14:02:54 +00:00
|
|
|
EnableMenuItem(state->keymenu, IDC_KEYSSH2ED25519,
|
|
|
|
|
MF_ENABLED|MF_BYCOMMAND);
|
2019-09-08 19:29:00 +00:00
|
|
|
EnableMenuItem(state->cvtmenu, IDC_IMPORT, MF_ENABLED|MF_BYCOMMAND);
|
|
|
|
|
/*
|
|
|
|
|
* Enable export menu items if and only if the key type
|
|
|
|
|
* supports this kind of export.
|
|
|
|
|
*/
|
|
|
|
|
type = state->ssh2 ? SSH_KEYTYPE_SSH2 : SSH_KEYTYPE_SSH1;
|
2002-05-15 20:07:11 +00:00
|
|
|
#define do_export_menuitem(x,y) \
|
2002-05-18 09:20:41 +00:00
|
|
|
EnableMenuItem(state->cvtmenu, x, MF_BYCOMMAND | \
|
2019-09-08 19:29:00 +00:00
|
|
|
(import_target_type(y)==type?MF_ENABLED:MF_GRAYED))
|
|
|
|
|
do_export_menuitem(IDC_EXPORT_OPENSSH_AUTO, SSH_KEYTYPE_OPENSSH_AUTO);
|
|
|
|
|
do_export_menuitem(IDC_EXPORT_OPENSSH_NEW, SSH_KEYTYPE_OPENSSH_NEW);
|
|
|
|
|
do_export_menuitem(IDC_EXPORT_SSHCOM, SSH_KEYTYPE_SSHCOM);
|
2002-05-15 20:07:11 +00:00
|
|
|
#undef do_export_menuitem
|
2019-09-08 19:29:00 +00:00
|
|
|
break;
|
2002-05-15 20:07:11 +00:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
Polish up the PuTTYgen user interface for ECC key types.
Jacob pointed out that a free-text field for entering a key size in
bits is all very well for key types where we actually _can_ generate a
key to a size of your choice, but less useful for key types where
there are only three (or one) legal values for the field, especially
if we don't _say_ what they are.
So I've revamped the UI a bit: now, in ECDSA mode, you get a dropdown
list selector showing the available elliptic curves (and they're even
named, rather than just given by bit count), and in ED25519 mode even
that disappears. The curve selector for ECDSA and the bits selector
for RSA/DSA are independent controls, so each one remembers its last
known value even while temporarily hidden in favour of the other.
The actual generation function still expects a bit count rather than
an actual curve or algorithm ID, so the easiest way to actually
arrange to populate the drop-down list was to have an array of bit
counts exposed by sshecc.c. That's a bit ugly, but there we go.
One small functional change: if you enter an absurdly low value into
the RSA/DSA bit count box (under 256), PuTTYgen used to give a warning
and reset it to 256. Now it resets it to the default key length of
2048, basically because I was touching that code anyway to change a
variable name and just couldn't bring myself to leave it in a state
where it intentionally chose such an utterly useless key size. Of
course this doesn't prevent generation of 256-bit keys if someone
still really wants one - it just means they don't get one selected as
the result of a typo.
2016-03-25 07:53:06 +00:00
|
|
|
/*
|
|
|
|
|
* Helper functions to set the key type, taking care of keeping the
|
|
|
|
|
* menu and radio button selections in sync and also showing/hiding
|
|
|
|
|
* the appropriate size/curve control for the current key type.
|
|
|
|
|
*/
|
|
|
|
|
void ui_update_key_type_ctrls(HWND hwnd)
|
|
|
|
|
{
|
|
|
|
|
enum { BITS, CURVE, NOTHING } which;
|
|
|
|
|
static const int bits_ids[] = {
|
|
|
|
|
IDC_BITSSTATIC, IDC_BITS, 0
|
|
|
|
|
};
|
|
|
|
|
static const int curve_ids[] = {
|
|
|
|
|
IDC_CURVESTATIC, IDC_CURVE, 0
|
|
|
|
|
};
|
|
|
|
|
static const int nothing_ids[] = {
|
|
|
|
|
IDC_NOTHINGSTATIC, 0
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
if (IsDlgButtonChecked(hwnd, IDC_KEYSSH1) ||
|
|
|
|
|
IsDlgButtonChecked(hwnd, IDC_KEYSSH2RSA) ||
|
|
|
|
|
IsDlgButtonChecked(hwnd, IDC_KEYSSH2DSA)) {
|
|
|
|
|
which = BITS;
|
|
|
|
|
} else if (IsDlgButtonChecked(hwnd, IDC_KEYSSH2ECDSA)) {
|
|
|
|
|
which = CURVE;
|
|
|
|
|
} else {
|
|
|
|
|
/* ED25519 implicitly only supports one curve */
|
|
|
|
|
which = NOTHING;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
hidemany(hwnd, bits_ids, which != BITS);
|
|
|
|
|
hidemany(hwnd, curve_ids, which != CURVE);
|
|
|
|
|
hidemany(hwnd, nothing_ids, which != NOTHING);
|
|
|
|
|
}
|
|
|
|
|
void ui_set_key_type(HWND hwnd, struct MainDlgState *state, int button)
|
|
|
|
|
{
|
|
|
|
|
CheckRadioButton(hwnd, IDC_KEYSSH1, IDC_KEYSSH2ED25519, button);
|
|
|
|
|
CheckMenuRadioItem(state->keymenu, IDC_KEYSSH1, IDC_KEYSSH2ED25519,
|
|
|
|
|
button, MF_BYCOMMAND);
|
|
|
|
|
ui_update_key_type_ctrls(hwnd);
|
|
|
|
|
}
|
|
|
|
|
|
2002-08-06 17:48:14 +00:00
|
|
|
void load_key_file(HWND hwnd, struct MainDlgState *state,
|
2019-09-08 19:29:00 +00:00
|
|
|
Filename *filename, bool was_import_cmd)
|
2002-08-06 17:48:14 +00:00
|
|
|
{
|
2011-10-02 14:14:21 +00:00
|
|
|
char *passphrase;
|
Convert a lot of 'int' variables to 'bool'.
My normal habit these days, in new code, is to treat int and bool as
_almost_ completely separate types. I'm still willing to use C's
implicit test for zero on an integer (e.g. 'if (!blob.len)' is fine,
no need to spell it out as blob.len != 0), but generally, if a
variable is going to be conceptually a boolean, I like to declare it
bool and assign to it using 'true' or 'false' rather than 0 or 1.
PuTTY is an exception, because it predates the C99 bool, and I've
stuck to its existing coding style even when adding new code to it.
But it's been annoying me more and more, so now that I've decided C99
bool is an acceptable thing to require from our toolchain in the first
place, here's a quite thorough trawl through the source doing
'boolification'. Many variables and function parameters are now typed
as bool rather than int; many assignments of 0 or 1 to those variables
are now spelled 'true' or 'false'.
I managed this thorough conversion with the help of a custom clang
plugin that I wrote to trawl the AST and apply heuristics to point out
where things might want changing. So I've even managed to do a decent
job on parts of the code I haven't looked at in years!
To make the plugin's work easier, I pushed platform front ends
generally in the direction of using standard 'bool' in preference to
platform-specific boolean types like Windows BOOL or GTK's gboolean;
I've left the platform booleans in places they _have_ to be for the
platform APIs to work right, but variables only used by my own code
have been converted wherever I found them.
In a few places there are int values that look very like booleans in
_most_ of the places they're used, but have a rarely-used third value,
or a distinction between different nonzero values that most users
don't care about. In these cases, I've _removed_ uses of 'true' and
'false' for the return values, to emphasise that there's something
more subtle going on than a simple boolean answer:
- the 'multisel' field in dialog.h's list box structure, for which
the GTK front end in particular recognises a difference between 1
and 2 but nearly everything else treats as boolean
- the 'urgent' parameter to plug_receive, where 1 vs 2 tells you
something about the specific location of the urgent pointer, but
most clients only care about 0 vs 'something nonzero'
- the return value of wc_match, where -1 indicates a syntax error in
the wildcard.
- the return values from SSH-1 RSA-key loading functions, which use
-1 for 'wrong passphrase' and 0 for all other failures (so any
caller which already knows it's not loading an _encrypted private_
key can treat them as boolean)
- term->esc_query, and the 'query' parameter in toggle_mode in
terminal.c, which _usually_ hold 0 for ESC[123h or 1 for ESC[?123h,
but can also hold -1 for some other intervening character that we
don't support.
In a few places there's an integer that I haven't turned into a bool
even though it really _can_ only take values 0 or 1 (and, as above,
tried to make the call sites consistent in not calling those values
true and false), on the grounds that I thought it would make it more
confusing to imply that the 0 value was in some sense 'negative' or
bad and the 1 positive or good:
- the return value of plug_accepting uses the POSIXish convention of
0=success and nonzero=error; I think if I made it bool then I'd
also want to reverse its sense, and that's a job for a separate
piece of work.
- the 'screen' parameter to lineptr() in terminal.c, where 0 and 1
represent the default and alternate screens. There's no obvious
reason why one of those should be considered 'true' or 'positive'
or 'success' - they're just indices - so I've left it as int.
ssh_scp_recv had particularly confusing semantics for its previous int
return value: its call sites used '<= 0' to check for error, but it
never actually returned a negative number, just 0 or 1. Now the
function and its call sites agree that it's a bool.
In a couple of places I've renamed variables called 'ret', because I
don't like that name any more - it's unclear whether it means the
return value (in preparation) for the _containing_ function or the
return value received from a subroutine call, and occasionally I've
accidentally used the same variable for both and introduced a bug. So
where one of those got in my way, I've renamed it to 'toret' or 'retd'
(the latter short for 'returned') in line with my usual modern
practice, but I haven't done a thorough job of finding all of them.
Finally, one amusing side effect of doing this is that I've had to
separate quite a few chained assignments. It used to be perfectly fine
to write 'a = b = c = TRUE' when a,b,c were int and TRUE was just a
the 'true' defined by stdbool.h, that idiom provokes a warning from
gcc: 'suggest parentheses around assignment used as truth value'!
2018-11-02 19:23:19 +00:00
|
|
|
bool needs_pass;
|
2002-08-06 17:48:14 +00:00
|
|
|
int type, realtype;
|
|
|
|
|
int ret;
|
2005-02-27 23:01:11 +00:00
|
|
|
const char *errmsg = NULL;
|
2002-08-06 17:48:14 +00:00
|
|
|
char *comment;
|
2019-01-04 06:51:44 +00:00
|
|
|
RSAKey newkey1;
|
|
|
|
|
ssh2_userkey *newkey2 = NULL;
|
2002-08-06 17:48:14 +00:00
|
|
|
|
2011-10-02 11:01:57 +00:00
|
|
|
type = realtype = key_type(filename);
|
2002-08-06 17:48:14 +00:00
|
|
|
if (type != SSH_KEYTYPE_SSH1 &&
|
2019-09-08 19:29:00 +00:00
|
|
|
type != SSH_KEYTYPE_SSH2 &&
|
|
|
|
|
!import_possible(type)) {
|
|
|
|
|
char *msg = dupprintf("Couldn't load private key (%s)",
|
|
|
|
|
key_type_to_str(type));
|
2020-02-02 10:00:42 +00:00
|
|
|
message_box(hwnd, msg, "PuTTYgen Error", MB_OK | MB_ICONERROR,
|
2019-09-08 19:29:00 +00:00
|
|
|
HELPCTXID(errors_cantloadkey));
|
|
|
|
|
sfree(msg);
|
|
|
|
|
return;
|
2002-08-06 17:48:14 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (type != SSH_KEYTYPE_SSH1 &&
|
2019-09-08 19:29:00 +00:00
|
|
|
type != SSH_KEYTYPE_SSH2) {
|
|
|
|
|
realtype = type;
|
|
|
|
|
type = import_target_type(type);
|
2002-08-06 17:48:14 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
comment = NULL;
|
2011-10-02 14:14:21 +00:00
|
|
|
passphrase = NULL;
|
2002-08-06 17:48:14 +00:00
|
|
|
if (realtype == SSH_KEYTYPE_SSH1)
|
2020-01-05 10:28:45 +00:00
|
|
|
needs_pass = rsa1_encrypted_f(filename, &comment);
|
2002-08-06 17:48:14 +00:00
|
|
|
else if (realtype == SSH_KEYTYPE_SSH2)
|
2020-01-05 10:28:45 +00:00
|
|
|
needs_pass = ppk_encrypted_f(filename, &comment);
|
2002-08-06 17:48:14 +00:00
|
|
|
else
|
2019-09-08 19:29:00 +00:00
|
|
|
needs_pass = import_encrypted(filename, realtype, &comment);
|
2002-08-06 17:48:14 +00:00
|
|
|
do {
|
2011-10-02 14:14:21 +00:00
|
|
|
burnstr(passphrase);
|
|
|
|
|
passphrase = NULL;
|
|
|
|
|
|
2019-09-08 19:29:00 +00:00
|
|
|
if (needs_pass) {
|
|
|
|
|
int dlgret;
|
2011-10-02 14:14:21 +00:00
|
|
|
struct PassphraseProcStruct pps;
|
|
|
|
|
pps.passphrase = &passphrase;
|
|
|
|
|
pps.comment = comment;
|
2019-09-08 19:29:00 +00:00
|
|
|
dlgret = DialogBoxParam(hinst,
|
|
|
|
|
MAKEINTRESOURCE(210),
|
|
|
|
|
NULL, PassphraseProc,
|
|
|
|
|
(LPARAM) &pps);
|
|
|
|
|
if (!dlgret) {
|
|
|
|
|
ret = -2;
|
|
|
|
|
break;
|
|
|
|
|
}
|
2011-10-02 14:14:21 +00:00
|
|
|
assert(passphrase != NULL);
|
2019-09-08 19:29:00 +00:00
|
|
|
} else
|
|
|
|
|
passphrase = dupstr("");
|
|
|
|
|
if (type == SSH_KEYTYPE_SSH1) {
|
|
|
|
|
if (realtype == type)
|
2020-01-05 10:28:45 +00:00
|
|
|
ret = rsa1_load_f(filename, &newkey1, passphrase, &errmsg);
|
2019-09-08 19:29:00 +00:00
|
|
|
else
|
|
|
|
|
ret = import_ssh1(filename, realtype, &newkey1,
|
2011-10-02 11:01:57 +00:00
|
|
|
passphrase, &errmsg);
|
2019-09-08 19:29:00 +00:00
|
|
|
} else {
|
|
|
|
|
if (realtype == type)
|
2020-01-05 10:28:45 +00:00
|
|
|
newkey2 = ppk_load_f(filename, passphrase, &errmsg);
|
2019-09-08 19:29:00 +00:00
|
|
|
else
|
|
|
|
|
newkey2 = import_ssh2(filename, realtype, passphrase, &errmsg);
|
|
|
|
|
if (newkey2 == SSH2_WRONG_PASSPHRASE)
|
|
|
|
|
ret = -1;
|
|
|
|
|
else if (!newkey2)
|
|
|
|
|
ret = 0;
|
|
|
|
|
else
|
|
|
|
|
ret = 1;
|
|
|
|
|
}
|
2002-08-06 17:48:14 +00:00
|
|
|
} while (ret == -1);
|
|
|
|
|
if (comment)
|
2019-09-08 19:29:00 +00:00
|
|
|
sfree(comment);
|
2002-08-06 17:48:14 +00:00
|
|
|
if (ret == 0) {
|
2019-09-08 19:29:00 +00:00
|
|
|
char *msg = dupprintf("Couldn't load private key (%s)", errmsg);
|
2020-02-02 10:00:42 +00:00
|
|
|
message_box(hwnd, msg, "PuTTYgen Error", MB_OK | MB_ICONERROR,
|
2019-09-08 19:29:00 +00:00
|
|
|
HELPCTXID(errors_cantloadkey));
|
|
|
|
|
sfree(msg);
|
2002-08-06 17:48:14 +00:00
|
|
|
} else if (ret == 1) {
|
2019-09-08 19:29:00 +00:00
|
|
|
/*
|
|
|
|
|
* Now update the key controls with all the
|
|
|
|
|
* key data.
|
|
|
|
|
*/
|
|
|
|
|
{
|
|
|
|
|
SetDlgItemText(hwnd, IDC_PASSPHRASE1EDIT,
|
|
|
|
|
passphrase);
|
|
|
|
|
SetDlgItemText(hwnd, IDC_PASSPHRASE2EDIT,
|
|
|
|
|
passphrase);
|
|
|
|
|
if (type == SSH_KEYTYPE_SSH1) {
|
|
|
|
|
char *fingerprint, *savecomment;
|
|
|
|
|
|
|
|
|
|
state->ssh2 = false;
|
|
|
|
|
state->commentptr = &state->key.comment;
|
|
|
|
|
state->key = newkey1;
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Set the key fingerprint.
|
|
|
|
|
*/
|
|
|
|
|
savecomment = state->key.comment;
|
|
|
|
|
state->key.comment = NULL;
|
|
|
|
|
fingerprint = rsa_ssh1_fingerprint(&state->key);
|
|
|
|
|
state->key.comment = savecomment;
|
|
|
|
|
SetDlgItemText(hwnd, IDC_FINGERPRINT, fingerprint);
|
2018-06-03 07:08:53 +00:00
|
|
|
sfree(fingerprint);
|
2002-08-06 17:48:14 +00:00
|
|
|
|
2019-09-08 19:29:00 +00:00
|
|
|
/*
|
|
|
|
|
* Construct a decimal representation
|
|
|
|
|
* of the key, for pasting into
|
|
|
|
|
* .ssh/authorized_keys on a Unix box.
|
|
|
|
|
*/
|
|
|
|
|
setupbigedit1(hwnd, IDC_KEYDISPLAY,
|
|
|
|
|
IDC_PKSTATIC, &state->key);
|
|
|
|
|
} else {
|
|
|
|
|
char *fp;
|
|
|
|
|
char *savecomment;
|
|
|
|
|
|
|
|
|
|
state->ssh2 = true;
|
|
|
|
|
state->commentptr =
|
|
|
|
|
&state->ssh2key.comment;
|
|
|
|
|
state->ssh2key = *newkey2; /* structure copy */
|
|
|
|
|
sfree(newkey2);
|
|
|
|
|
|
|
|
|
|
savecomment = state->ssh2key.comment;
|
|
|
|
|
state->ssh2key.comment = NULL;
|
|
|
|
|
fp = ssh2_fingerprint(state->ssh2key.key);
|
|
|
|
|
state->ssh2key.comment = savecomment;
|
|
|
|
|
|
|
|
|
|
SetDlgItemText(hwnd, IDC_FINGERPRINT, fp);
|
|
|
|
|
sfree(fp);
|
|
|
|
|
|
|
|
|
|
setupbigedit2(hwnd, IDC_KEYDISPLAY,
|
|
|
|
|
IDC_PKSTATIC, &state->ssh2key);
|
|
|
|
|
}
|
|
|
|
|
SetDlgItemText(hwnd, IDC_COMMENTEDIT,
|
|
|
|
|
*state->commentptr);
|
|
|
|
|
}
|
|
|
|
|
/*
|
|
|
|
|
* Finally, hide the progress bar and show
|
|
|
|
|
* the key data.
|
|
|
|
|
*/
|
|
|
|
|
ui_set_state(hwnd, state, 2);
|
|
|
|
|
state->key_exists = true;
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* If the user has imported a foreign key
|
|
|
|
|
* using the Load command, let them know.
|
|
|
|
|
* If they've used the Import command, be
|
|
|
|
|
* silent.
|
|
|
|
|
*/
|
|
|
|
|
if (realtype != type && !was_import_cmd) {
|
|
|
|
|
char msg[512];
|
|
|
|
|
sprintf(msg, "Successfully imported foreign key\n"
|
|
|
|
|
"(%s).\n"
|
|
|
|
|
"To use this key with PuTTY, you need to\n"
|
|
|
|
|
"use the \"Save private key\" command to\n"
|
|
|
|
|
"save it in PuTTY's own format.",
|
|
|
|
|
key_type_to_str(realtype));
|
|
|
|
|
MessageBox(NULL, msg, "PuTTYgen Notice",
|
|
|
|
|
MB_OK | MB_ICONINFORMATION);
|
|
|
|
|
}
|
2002-08-06 17:48:14 +00:00
|
|
|
}
|
2011-10-02 14:14:21 +00:00
|
|
|
burnstr(passphrase);
|
2002-08-06 17:48:14 +00:00
|
|
|
}
|
|
|
|
|
|
2018-06-03 13:41:31 +00:00
|
|
|
static void start_generating_key(HWND hwnd, struct MainDlgState *state)
|
|
|
|
|
{
|
|
|
|
|
static const char generating_msg[] =
|
2019-09-08 19:29:00 +00:00
|
|
|
"Please wait while a key is generated...";
|
2018-06-03 13:41:31 +00:00
|
|
|
|
|
|
|
|
struct rsa_key_thread_params *params;
|
|
|
|
|
DWORD threadid;
|
|
|
|
|
|
|
|
|
|
SetDlgItemText(hwnd, IDC_GENERATING, generating_msg);
|
|
|
|
|
SendDlgItemMessage(hwnd, IDC_PROGRESS, PBM_SETRANGE, 0,
|
|
|
|
|
MAKELPARAM(0, PROGRESSRANGE));
|
|
|
|
|
SendDlgItemMessage(hwnd, IDC_PROGRESS, PBM_SETPOS, 0, 0);
|
|
|
|
|
|
|
|
|
|
params = snew(struct rsa_key_thread_params);
|
|
|
|
|
params->progressbar = GetDlgItem(hwnd, IDC_PROGRESS);
|
|
|
|
|
params->dialog = hwnd;
|
|
|
|
|
params->key_bits = state->key_bits;
|
|
|
|
|
params->curve_bits = state->curve_bits;
|
|
|
|
|
params->keytype = state->keytype;
|
|
|
|
|
params->key = &state->key;
|
|
|
|
|
params->dsskey = &state->dsskey;
|
|
|
|
|
|
|
|
|
|
if (!CreateThread(NULL, 0, generate_key_thread,
|
|
|
|
|
params, 0, &threadid)) {
|
|
|
|
|
MessageBox(hwnd, "Out of thread resources",
|
|
|
|
|
"Key generation error",
|
|
|
|
|
MB_OK | MB_ICONERROR);
|
|
|
|
|
sfree(params);
|
|
|
|
|
} else {
|
2018-10-29 19:50:29 +00:00
|
|
|
state->generation_thread_exists = true;
|
2018-06-03 13:41:31 +00:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2000-10-19 15:43:08 +00:00
|
|
|
/*
|
|
|
|
|
* Dialog-box function for the main PuTTYgen dialog box.
|
|
|
|
|
*/
|
2015-08-11 12:22:09 +00:00
|
|
|
static INT_PTR CALLBACK MainDlgProc(HWND hwnd, UINT msg,
|
2019-09-08 19:29:00 +00:00
|
|
|
WPARAM wParam, LPARAM lParam)
|
2001-05-06 14:35:20 +00:00
|
|
|
{
|
2000-10-19 15:43:08 +00:00
|
|
|
static const char entropy_msg[] =
|
2019-09-08 19:29:00 +00:00
|
|
|
"Please generate some randomness by moving the mouse over the blank area.";
|
2000-10-19 15:43:08 +00:00
|
|
|
struct MainDlgState *state;
|
|
|
|
|
|
|
|
|
|
switch (msg) {
|
|
|
|
|
case WM_INITDIALOG:
|
2006-12-17 11:16:07 +00:00
|
|
|
if (has_help())
|
2005-05-21 14:16:43 +00:00
|
|
|
SetWindowLongPtr(hwnd, GWL_EXSTYLE,
|
2019-09-08 19:29:00 +00:00
|
|
|
GetWindowLongPtr(hwnd, GWL_EXSTYLE) |
|
|
|
|
|
WS_EX_CONTEXTHELP);
|
2001-12-12 18:45:56 +00:00
|
|
|
else {
|
|
|
|
|
/*
|
|
|
|
|
* If we add a Help button, this is where we destroy it
|
|
|
|
|
* if the help file isn't present.
|
|
|
|
|
*/
|
|
|
|
|
}
|
2019-09-08 19:29:00 +00:00
|
|
|
SendMessage(hwnd, WM_SETICON, (WPARAM) ICON_BIG,
|
|
|
|
|
(LPARAM) LoadIcon(hinst, MAKEINTRESOURCE(200)));
|
|
|
|
|
|
|
|
|
|
state = snew(struct MainDlgState);
|
|
|
|
|
state->generation_thread_exists = false;
|
|
|
|
|
state->collecting_entropy = false;
|
|
|
|
|
state->entropy = NULL;
|
|
|
|
|
state->key_exists = false;
|
|
|
|
|
SetWindowLongPtr(hwnd, GWLP_USERDATA, (LONG_PTR) state);
|
|
|
|
|
{
|
|
|
|
|
HMENU menu, menu1;
|
|
|
|
|
|
|
|
|
|
menu = CreateMenu();
|
|
|
|
|
|
|
|
|
|
menu1 = CreateMenu();
|
|
|
|
|
AppendMenu(menu1, MF_ENABLED, IDC_LOAD, "&Load private key");
|
|
|
|
|
AppendMenu(menu1, MF_ENABLED, IDC_SAVEPUB, "Save p&ublic key");
|
|
|
|
|
AppendMenu(menu1, MF_ENABLED, IDC_SAVE, "&Save private key");
|
|
|
|
|
AppendMenu(menu1, MF_SEPARATOR, 0, 0);
|
|
|
|
|
AppendMenu(menu1, MF_ENABLED, IDC_QUIT, "E&xit");
|
|
|
|
|
AppendMenu(menu, MF_POPUP | MF_ENABLED, (UINT_PTR) menu1, "&File");
|
|
|
|
|
state->filemenu = menu1;
|
|
|
|
|
|
|
|
|
|
menu1 = CreateMenu();
|
|
|
|
|
AppendMenu(menu1, MF_ENABLED, IDC_GENERATE, "&Generate key pair");
|
|
|
|
|
AppendMenu(menu1, MF_SEPARATOR, 0, 0);
|
|
|
|
|
AppendMenu(menu1, MF_ENABLED, IDC_KEYSSH1, "SSH-&1 key (RSA)");
|
|
|
|
|
AppendMenu(menu1, MF_ENABLED, IDC_KEYSSH2RSA, "SSH-2 &RSA key");
|
|
|
|
|
AppendMenu(menu1, MF_ENABLED, IDC_KEYSSH2DSA, "SSH-2 &DSA key");
|
2014-11-01 09:45:20 +00:00
|
|
|
AppendMenu(menu1, MF_ENABLED, IDC_KEYSSH2ECDSA, "SSH-2 &ECDSA key");
|
2019-04-19 14:29:58 +00:00
|
|
|
AppendMenu(menu1, MF_ENABLED, IDC_KEYSSH2ED25519, "SSH-2 Ed&25519 key");
|
2019-09-08 19:29:00 +00:00
|
|
|
AppendMenu(menu, MF_POPUP | MF_ENABLED, (UINT_PTR) menu1, "&Key");
|
|
|
|
|
state->keymenu = menu1;
|
|
|
|
|
|
|
|
|
|
menu1 = CreateMenu();
|
|
|
|
|
AppendMenu(menu1, MF_ENABLED, IDC_IMPORT, "&Import key");
|
|
|
|
|
AppendMenu(menu1, MF_SEPARATOR, 0, 0);
|
|
|
|
|
AppendMenu(menu1, MF_ENABLED, IDC_EXPORT_OPENSSH_AUTO,
|
|
|
|
|
"Export &OpenSSH key");
|
|
|
|
|
AppendMenu(menu1, MF_ENABLED, IDC_EXPORT_OPENSSH_NEW,
|
|
|
|
|
"Export &OpenSSH key (force new file format)");
|
|
|
|
|
AppendMenu(menu1, MF_ENABLED, IDC_EXPORT_SSHCOM,
|
|
|
|
|
"Export &ssh.com key");
|
|
|
|
|
AppendMenu(menu, MF_POPUP | MF_ENABLED, (UINT_PTR) menu1,
|
|
|
|
|
"Con&versions");
|
|
|
|
|
state->cvtmenu = menu1;
|
|
|
|
|
|
|
|
|
|
menu1 = CreateMenu();
|
|
|
|
|
AppendMenu(menu1, MF_ENABLED, IDC_ABOUT, "&About");
|
|
|
|
|
if (has_help())
|
|
|
|
|
AppendMenu(menu1, MF_ENABLED, IDC_GIVEHELP, "&Help");
|
|
|
|
|
AppendMenu(menu, MF_POPUP | MF_ENABLED, (UINT_PTR) menu1, "&Help");
|
|
|
|
|
|
|
|
|
|
SetMenu(hwnd, menu);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Centre the window.
|
|
|
|
|
*/
|
|
|
|
|
{ /* centre the window */
|
|
|
|
|
RECT rs, rd;
|
|
|
|
|
HWND hw;
|
|
|
|
|
|
|
|
|
|
hw = GetDesktopWindow();
|
|
|
|
|
if (GetWindowRect(hw, &rs) && GetWindowRect(hwnd, &rd))
|
|
|
|
|
MoveWindow(hwnd,
|
|
|
|
|
(rs.right + rs.left + rd.left - rd.right) / 2,
|
|
|
|
|
(rs.bottom + rs.top + rd.top - rd.bottom) / 2,
|
|
|
|
|
rd.right - rd.left, rd.bottom - rd.top, true);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
{
|
|
|
|
|
struct ctlpos cp, cp2;
|
Polish up the PuTTYgen user interface for ECC key types.
Jacob pointed out that a free-text field for entering a key size in
bits is all very well for key types where we actually _can_ generate a
key to a size of your choice, but less useful for key types where
there are only three (or one) legal values for the field, especially
if we don't _say_ what they are.
So I've revamped the UI a bit: now, in ECDSA mode, you get a dropdown
list selector showing the available elliptic curves (and they're even
named, rather than just given by bit count), and in ED25519 mode even
that disappears. The curve selector for ECDSA and the bits selector
for RSA/DSA are independent controls, so each one remembers its last
known value even while temporarily hidden in favour of the other.
The actual generation function still expects a bit count rather than
an actual curve or algorithm ID, so the easiest way to actually
arrange to populate the drop-down list was to have an array of bit
counts exposed by sshecc.c. That's a bit ugly, but there we go.
One small functional change: if you enter an absurdly low value into
the RSA/DSA bit count box (under 256), PuTTYgen used to give a warning
and reset it to 256. Now it resets it to the default key length of
2048, basically because I was touching that code anyway to change a
variable name and just couldn't bring myself to leave it in a state
where it intentionally chose such an utterly useless key size. Of
course this doesn't prevent generation of 256-bit keys if someone
still really wants one - it just means they don't get one selected as
the result of a typo.
2016-03-25 07:53:06 +00:00
|
|
|
int ymax;
|
2000-10-19 15:43:08 +00:00
|
|
|
|
2019-09-08 19:29:00 +00:00
|
|
|
/* Accelerators used: acglops1rbvde */
|
|
|
|
|
|
|
|
|
|
ctlposinit(&cp, hwnd, 4, 4, 4);
|
|
|
|
|
beginbox(&cp, "Key", IDC_BOX_KEY);
|
|
|
|
|
cp2 = cp;
|
|
|
|
|
statictext(&cp2, "No key.", 1, IDC_NOKEY);
|
|
|
|
|
cp2 = cp;
|
|
|
|
|
statictext(&cp2, "", 1, IDC_GENERATING);
|
|
|
|
|
progressbar(&cp2, IDC_PROGRESS);
|
|
|
|
|
bigeditctrl(&cp,
|
|
|
|
|
"&Public key for pasting into authorized_keys file:",
|
|
|
|
|
IDC_PKSTATIC, IDC_KEYDISPLAY, 5);
|
|
|
|
|
SendDlgItemMessage(hwnd, IDC_KEYDISPLAY, EM_SETREADONLY, 1, 0);
|
|
|
|
|
staticedit(&cp, "Key f&ingerprint:", IDC_FPSTATIC,
|
|
|
|
|
IDC_FINGERPRINT, 75);
|
|
|
|
|
SendDlgItemMessage(hwnd, IDC_FINGERPRINT, EM_SETREADONLY, 1,
|
|
|
|
|
0);
|
|
|
|
|
staticedit(&cp, "Key &comment:", IDC_COMMENTSTATIC,
|
|
|
|
|
IDC_COMMENTEDIT, 75);
|
|
|
|
|
staticpassedit(&cp, "Key p&assphrase:", IDC_PASSPHRASE1STATIC,
|
|
|
|
|
IDC_PASSPHRASE1EDIT, 75);
|
|
|
|
|
staticpassedit(&cp, "C&onfirm passphrase:",
|
|
|
|
|
IDC_PASSPHRASE2STATIC, IDC_PASSPHRASE2EDIT, 75);
|
|
|
|
|
endbox(&cp);
|
|
|
|
|
beginbox(&cp, "Actions", IDC_BOX_ACTIONS);
|
|
|
|
|
staticbtn(&cp, "Generate a public/private key pair",
|
|
|
|
|
IDC_GENSTATIC, "&Generate", IDC_GENERATE);
|
|
|
|
|
staticbtn(&cp, "Load an existing private key file",
|
|
|
|
|
IDC_LOADSTATIC, "&Load", IDC_LOAD);
|
|
|
|
|
static2btn(&cp, "Save the generated key", IDC_SAVESTATIC,
|
|
|
|
|
"Save p&ublic key", IDC_SAVEPUB,
|
|
|
|
|
"&Save private key", IDC_SAVE);
|
|
|
|
|
endbox(&cp);
|
|
|
|
|
beginbox(&cp, "Parameters", IDC_BOX_PARAMS);
|
|
|
|
|
radioline(&cp, "Type of key to generate:", IDC_TYPESTATIC, 5,
|
|
|
|
|
"&RSA", IDC_KEYSSH2RSA,
|
2015-05-14 12:19:15 +00:00
|
|
|
"&DSA", IDC_KEYSSH2DSA,
|
|
|
|
|
"&ECDSA", IDC_KEYSSH2ECDSA,
|
2019-04-19 14:29:58 +00:00
|
|
|
"Ed&25519", IDC_KEYSSH2ED25519,
|
2019-09-08 19:29:00 +00:00
|
|
|
"SSH-&1 (RSA)", IDC_KEYSSH1,
|
2015-05-14 12:19:15 +00:00
|
|
|
NULL);
|
Polish up the PuTTYgen user interface for ECC key types.
Jacob pointed out that a free-text field for entering a key size in
bits is all very well for key types where we actually _can_ generate a
key to a size of your choice, but less useful for key types where
there are only three (or one) legal values for the field, especially
if we don't _say_ what they are.
So I've revamped the UI a bit: now, in ECDSA mode, you get a dropdown
list selector showing the available elliptic curves (and they're even
named, rather than just given by bit count), and in ED25519 mode even
that disappears. The curve selector for ECDSA and the bits selector
for RSA/DSA are independent controls, so each one remembers its last
known value even while temporarily hidden in favour of the other.
The actual generation function still expects a bit count rather than
an actual curve or algorithm ID, so the easiest way to actually
arrange to populate the drop-down list was to have an array of bit
counts exposed by sshecc.c. That's a bit ugly, but there we go.
One small functional change: if you enter an absurdly low value into
the RSA/DSA bit count box (under 256), PuTTYgen used to give a warning
and reset it to 256. Now it resets it to the default key length of
2048, basically because I was touching that code anyway to change a
variable name and just couldn't bring myself to leave it in a state
where it intentionally chose such an utterly useless key size. Of
course this doesn't prevent generation of 256-bit keys if someone
still really wants one - it just means they don't get one selected as
the result of a typo.
2016-03-25 07:53:06 +00:00
|
|
|
cp2 = cp;
|
2019-09-08 19:29:00 +00:00
|
|
|
staticedit(&cp2, "Number of &bits in a generated key:",
|
|
|
|
|
IDC_BITSSTATIC, IDC_BITS, 20);
|
Polish up the PuTTYgen user interface for ECC key types.
Jacob pointed out that a free-text field for entering a key size in
bits is all very well for key types where we actually _can_ generate a
key to a size of your choice, but less useful for key types where
there are only three (or one) legal values for the field, especially
if we don't _say_ what they are.
So I've revamped the UI a bit: now, in ECDSA mode, you get a dropdown
list selector showing the available elliptic curves (and they're even
named, rather than just given by bit count), and in ED25519 mode even
that disappears. The curve selector for ECDSA and the bits selector
for RSA/DSA are independent controls, so each one remembers its last
known value even while temporarily hidden in favour of the other.
The actual generation function still expects a bit count rather than
an actual curve or algorithm ID, so the easiest way to actually
arrange to populate the drop-down list was to have an array of bit
counts exposed by sshecc.c. That's a bit ugly, but there we go.
One small functional change: if you enter an absurdly low value into
the RSA/DSA bit count box (under 256), PuTTYgen used to give a warning
and reset it to 256. Now it resets it to the default key length of
2048, basically because I was touching that code anyway to change a
variable name and just couldn't bring myself to leave it in a state
where it intentionally chose such an utterly useless key size. Of
course this doesn't prevent generation of 256-bit keys if someone
still really wants one - it just means they don't get one selected as
the result of a typo.
2016-03-25 07:53:06 +00:00
|
|
|
ymax = cp2.ypos;
|
|
|
|
|
cp2 = cp;
|
2019-09-08 19:29:00 +00:00
|
|
|
staticddl(&cp2, "Cur&ve to use for generating this key:",
|
Polish up the PuTTYgen user interface for ECC key types.
Jacob pointed out that a free-text field for entering a key size in
bits is all very well for key types where we actually _can_ generate a
key to a size of your choice, but less useful for key types where
there are only three (or one) legal values for the field, especially
if we don't _say_ what they are.
So I've revamped the UI a bit: now, in ECDSA mode, you get a dropdown
list selector showing the available elliptic curves (and they're even
named, rather than just given by bit count), and in ED25519 mode even
that disappears. The curve selector for ECDSA and the bits selector
for RSA/DSA are independent controls, so each one remembers its last
known value even while temporarily hidden in favour of the other.
The actual generation function still expects a bit count rather than
an actual curve or algorithm ID, so the easiest way to actually
arrange to populate the drop-down list was to have an array of bit
counts exposed by sshecc.c. That's a bit ugly, but there we go.
One small functional change: if you enter an absurdly low value into
the RSA/DSA bit count box (under 256), PuTTYgen used to give a warning
and reset it to 256. Now it resets it to the default key length of
2048, basically because I was touching that code anyway to change a
variable name and just couldn't bring myself to leave it in a state
where it intentionally chose such an utterly useless key size. Of
course this doesn't prevent generation of 256-bit keys if someone
still really wants one - it just means they don't get one selected as
the result of a typo.
2016-03-25 07:53:06 +00:00
|
|
|
IDC_CURVESTATIC, IDC_CURVE, 20);
|
|
|
|
|
SendDlgItemMessage(hwnd, IDC_CURVE, CB_RESETCONTENT, 0, 0);
|
|
|
|
|
{
|
|
|
|
|
int i, bits;
|
|
|
|
|
const struct ec_curve *curve;
|
Invent a struct type for polymorphic SSH key data.
During last week's work, I made a mistake in which I got the arguments
backwards in one of the key-blob-generating functions - mistakenly
swapped the 'void *' key instance with the 'BinarySink *' output
destination - and I didn't spot the mistake until run time, because in
C you can implicitly convert both to and from void * and so there was
no compile-time failure of type checking.
Now that I've introduced the FROMFIELD macro that downcasts a pointer
to one field of a structure to retrieve a pointer to the whole
structure, I think I might start using that more widely to indicate
this kind of polymorphic subtyping. So now all the public-key
functions in the struct ssh_signkey vtable handle their data instance
in the form of a pointer to a subfield of a new zero-sized structure
type 'ssh_key', which outside the key implementations indicates 'this
is some kind of key instance but it could be of any type'; they
downcast that pointer internally using FROMFIELD in place of the
previous ordinary C cast, and return one by returning &foo->sshk for
whatever foo they've just made up.
The sshk member is not at the beginning of the structure, which means
all those FROMFIELDs and &key->sshk are actually adding and
subtracting an offset. Of course I could have put the member at the
start anyway, but I had the idea that it's actually a feature _not_ to
have the two types start at the same address, because it means you
should notice earlier rather than later if you absentmindedly cast
from one to the other directly rather than by the approved method (in
particular, if you accidentally assign one through a void * and back
without even _noticing_ you perpetrated a cast). In particular, this
enforces that you can't sfree() the thing even once without realising
you should instead of called the right freekey function. (I found
several bugs by this method during initial testing, so I think it's
already proved its worth!)
While I'm here, I've also renamed the vtable structure ssh_signkey to
ssh_keyalg, because it was a confusing name anyway - it describes the
_algorithm_ for handling all keys of that type, not a specific key. So
ssh_keyalg is the collection of code, and ssh_key is one instance of
the data it handles.
2018-05-27 07:32:21 +00:00
|
|
|
const ssh_keyalg *alg;
|
Polish up the PuTTYgen user interface for ECC key types.
Jacob pointed out that a free-text field for entering a key size in
bits is all very well for key types where we actually _can_ generate a
key to a size of your choice, but less useful for key types where
there are only three (or one) legal values for the field, especially
if we don't _say_ what they are.
So I've revamped the UI a bit: now, in ECDSA mode, you get a dropdown
list selector showing the available elliptic curves (and they're even
named, rather than just given by bit count), and in ED25519 mode even
that disappears. The curve selector for ECDSA and the bits selector
for RSA/DSA are independent controls, so each one remembers its last
known value even while temporarily hidden in favour of the other.
The actual generation function still expects a bit count rather than
an actual curve or algorithm ID, so the easiest way to actually
arrange to populate the drop-down list was to have an array of bit
counts exposed by sshecc.c. That's a bit ugly, but there we go.
One small functional change: if you enter an absurdly low value into
the RSA/DSA bit count box (under 256), PuTTYgen used to give a warning
and reset it to 256. Now it resets it to the default key length of
2048, basically because I was touching that code anyway to change a
variable name and just couldn't bring myself to leave it in a state
where it intentionally chose such an utterly useless key size. Of
course this doesn't prevent generation of 256-bit keys if someone
still really wants one - it just means they don't get one selected as
the result of a typo.
2016-03-25 07:53:06 +00:00
|
|
|
|
|
|
|
|
for (i = 0; i < n_ec_nist_curve_lengths; i++) {
|
|
|
|
|
bits = ec_nist_curve_lengths[i];
|
|
|
|
|
ec_nist_alg_and_curve_by_bits(bits, &curve, &alg);
|
|
|
|
|
SendDlgItemMessage(hwnd, IDC_CURVE, CB_ADDSTRING, 0,
|
|
|
|
|
(LPARAM)curve->textname);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
ymax = ymax > cp2.ypos ? ymax : cp2.ypos;
|
|
|
|
|
cp2 = cp;
|
2019-09-08 19:29:00 +00:00
|
|
|
statictext(&cp2, "(nothing to configure for this key type)",
|
|
|
|
|
1, IDC_NOTHINGSTATIC);
|
Polish up the PuTTYgen user interface for ECC key types.
Jacob pointed out that a free-text field for entering a key size in
bits is all very well for key types where we actually _can_ generate a
key to a size of your choice, but less useful for key types where
there are only three (or one) legal values for the field, especially
if we don't _say_ what they are.
So I've revamped the UI a bit: now, in ECDSA mode, you get a dropdown
list selector showing the available elliptic curves (and they're even
named, rather than just given by bit count), and in ED25519 mode even
that disappears. The curve selector for ECDSA and the bits selector
for RSA/DSA are independent controls, so each one remembers its last
known value even while temporarily hidden in favour of the other.
The actual generation function still expects a bit count rather than
an actual curve or algorithm ID, so the easiest way to actually
arrange to populate the drop-down list was to have an array of bit
counts exposed by sshecc.c. That's a bit ugly, but there we go.
One small functional change: if you enter an absurdly low value into
the RSA/DSA bit count box (under 256), PuTTYgen used to give a warning
and reset it to 256. Now it resets it to the default key length of
2048, basically because I was touching that code anyway to change a
variable name and just couldn't bring myself to leave it in a state
where it intentionally chose such an utterly useless key size. Of
course this doesn't prevent generation of 256-bit keys if someone
still really wants one - it just means they don't get one selected as
the result of a typo.
2016-03-25 07:53:06 +00:00
|
|
|
ymax = ymax > cp2.ypos ? ymax : cp2.ypos;
|
|
|
|
|
cp.ypos = ymax;
|
2019-09-08 19:29:00 +00:00
|
|
|
endbox(&cp);
|
|
|
|
|
}
|
Polish up the PuTTYgen user interface for ECC key types.
Jacob pointed out that a free-text field for entering a key size in
bits is all very well for key types where we actually _can_ generate a
key to a size of your choice, but less useful for key types where
there are only three (or one) legal values for the field, especially
if we don't _say_ what they are.
So I've revamped the UI a bit: now, in ECDSA mode, you get a dropdown
list selector showing the available elliptic curves (and they're even
named, rather than just given by bit count), and in ED25519 mode even
that disappears. The curve selector for ECDSA and the bits selector
for RSA/DSA are independent controls, so each one remembers its last
known value even while temporarily hidden in favour of the other.
The actual generation function still expects a bit count rather than
an actual curve or algorithm ID, so the easiest way to actually
arrange to populate the drop-down list was to have an array of bit
counts exposed by sshecc.c. That's a bit ugly, but there we go.
One small functional change: if you enter an absurdly low value into
the RSA/DSA bit count box (under 256), PuTTYgen used to give a warning
and reset it to 256. Now it resets it to the default key length of
2048, basically because I was touching that code anyway to change a
variable name and just couldn't bring myself to leave it in a state
where it intentionally chose such an utterly useless key size. Of
course this doesn't prevent generation of 256-bit keys if someone
still really wants one - it just means they don't get one selected as
the result of a typo.
2016-03-25 07:53:06 +00:00
|
|
|
ui_set_key_type(hwnd, state, IDC_KEYSSH2RSA);
|
2019-09-08 19:29:00 +00:00
|
|
|
SetDlgItemInt(hwnd, IDC_BITS, DEFAULT_KEY_BITS, false);
|
|
|
|
|
SendDlgItemMessage(hwnd, IDC_CURVE, CB_SETCURSEL,
|
Polish up the PuTTYgen user interface for ECC key types.
Jacob pointed out that a free-text field for entering a key size in
bits is all very well for key types where we actually _can_ generate a
key to a size of your choice, but less useful for key types where
there are only three (or one) legal values for the field, especially
if we don't _say_ what they are.
So I've revamped the UI a bit: now, in ECDSA mode, you get a dropdown
list selector showing the available elliptic curves (and they're even
named, rather than just given by bit count), and in ED25519 mode even
that disappears. The curve selector for ECDSA and the bits selector
for RSA/DSA are independent controls, so each one remembers its last
known value even while temporarily hidden in favour of the other.
The actual generation function still expects a bit count rather than
an actual curve or algorithm ID, so the easiest way to actually
arrange to populate the drop-down list was to have an array of bit
counts exposed by sshecc.c. That's a bit ugly, but there we go.
One small functional change: if you enter an absurdly low value into
the RSA/DSA bit count box (under 256), PuTTYgen used to give a warning
and reset it to 256. Now it resets it to the default key length of
2048, basically because I was touching that code anyway to change a
variable name and just couldn't bring myself to leave it in a state
where it intentionally chose such an utterly useless key size. Of
course this doesn't prevent generation of 256-bit keys if someone
still really wants one - it just means they don't get one selected as
the result of a typo.
2016-03-25 07:53:06 +00:00
|
|
|
DEFAULT_CURVE_INDEX, 0);
|
2000-10-20 10:07:53 +00:00
|
|
|
|
2019-09-08 19:29:00 +00:00
|
|
|
/*
|
|
|
|
|
* Initially, hide the progress bar and the key display,
|
|
|
|
|
* and show the no-key display. Also disable the Save
|
|
|
|
|
* buttons, because with no key we obviously can't save
|
|
|
|
|
* anything.
|
|
|
|
|
*/
|
|
|
|
|
ui_set_state(hwnd, state, 0);
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Load a key file if one was provided on the command line.
|
|
|
|
|
*/
|
|
|
|
|
if (cmdline_keyfile) {
|
2013-07-22 19:55:55 +00:00
|
|
|
Filename *fn = filename_from_str(cmdline_keyfile);
|
2019-09-08 19:29:00 +00:00
|
|
|
load_key_file(hwnd, state, fn, false);
|
2013-07-22 19:55:55 +00:00
|
|
|
filename_free(fn);
|
|
|
|
|
}
|
2002-08-06 17:48:14 +00:00
|
|
|
|
2019-09-08 19:29:00 +00:00
|
|
|
return 1;
|
2000-10-19 15:43:08 +00:00
|
|
|
case WM_MOUSEMOVE:
|
2019-09-08 19:29:00 +00:00
|
|
|
state = (struct MainDlgState *) GetWindowLongPtr(hwnd, GWLP_USERDATA);
|
|
|
|
|
if (state->collecting_entropy &&
|
|
|
|
|
state->entropy && state->entropy_got < state->entropy_required) {
|
|
|
|
|
state->entropy[state->entropy_got++] = lParam;
|
|
|
|
|
state->entropy[state->entropy_got++] = GetMessageTime();
|
|
|
|
|
SendDlgItemMessage(hwnd, IDC_PROGRESS, PBM_SETPOS,
|
|
|
|
|
state->entropy_got, 0);
|
|
|
|
|
if (state->entropy_got >= state->entropy_required) {
|
|
|
|
|
/*
|
|
|
|
|
* Seed the entropy pool
|
|
|
|
|
*/
|
Replace PuTTY's PRNG with a Fortuna-like system.
This tears out the entire previous random-pool system in sshrand.c. In
its place is a system pretty close to Ferguson and Schneier's
'Fortuna' generator, with the main difference being that I use SHA-256
instead of AES for the generation side of the system (rationale given
in comment).
The PRNG implementation lives in sshprng.c, and defines a self-
contained data type with no state stored outside the object, so you
can instantiate however many of them you like. The old sshrand.c still
exists, but in place of the previous random pool system, it's just
become a client of sshprng.c, whose job is to hold a single global
instance of the PRNG type, and manage its reference count, save file,
noise-collection timers and similar administrative business.
Advantages of this change include:
- Fortuna is designed with a more varied threat model in mind than my
old home-grown random pool. For example, after any request for
random numbers, it automatically re-seeds itself, so that if the
state of the PRNG should be leaked, it won't give enough
information to find out what past outputs _were_.
- The PRNG type can be instantiated with any hash function; the
instance used by the main tools is based on SHA-256, an improvement
on the old pool's use of SHA-1.
- The new PRNG only uses the completely standard interface to the
hash function API, instead of having to have privileged access to
the internal SHA-1 block transform function. This will make it
easier to revamp the hash code in general, and also it means that
hardware-accelerated versions of SHA-256 will automatically be used
for the PRNG as well as for everything else.
- The new PRNG can be _tested_! Because it has an actual (if not
quite explicit) specification for exactly what the output numbers
_ought_ to be derived from the hashes of, I can (and have) put
tests in cryptsuite that ensure the output really is being derived
in the way I think it is. The old pool could have been returning
any old nonsense and it would have been very hard to tell for sure.
2019-01-22 22:42:41 +00:00
|
|
|
random_reseed(
|
|
|
|
|
make_ptrlen(state->entropy, state->entropy_size));
|
2019-09-08 19:29:00 +00:00
|
|
|
smemclr(state->entropy, state->entropy_size);
|
|
|
|
|
sfree(state->entropy);
|
|
|
|
|
state->collecting_entropy = false;
|
2001-05-06 14:35:20 +00:00
|
|
|
|
2018-06-03 13:41:31 +00:00
|
|
|
start_generating_key(hwnd, state);
|
2019-09-08 19:29:00 +00:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
break;
|
2000-10-19 15:43:08 +00:00
|
|
|
case WM_COMMAND:
|
2019-09-08 19:29:00 +00:00
|
|
|
switch (LOWORD(wParam)) {
|
|
|
|
|
case IDC_KEYSSH1:
|
|
|
|
|
case IDC_KEYSSH2RSA:
|
|
|
|
|
case IDC_KEYSSH2DSA:
|
2014-11-01 09:45:20 +00:00
|
|
|
case IDC_KEYSSH2ECDSA:
|
Formatting change to braces around one case of a switch.
Sometimes, within a switch statement, you want to declare local
variables specific to the handler for one particular case. Until now
I've mostly been writing this in the form
switch (discriminant) {
case SIMPLE:
do stuff;
break;
case COMPLICATED:
{
declare variables;
do stuff;
}
break;
}
which is ugly because the two pieces of essentially similar code
appear at different indent levels, and also inconvenient because you
have less horizontal space available to write the complicated case
handler in - particuarly undesirable because _complicated_ case
handlers are the ones most likely to need all the space they can get!
After encountering a rather nicer idiom in the LLVM source code, and
after a bit of hackery this morning figuring out how to persuade
Emacs's auto-indent to do what I wanted with it, I've decided to move
to an idiom in which the open brace comes right after the case
statement, and the code within it is indented the same as it would
have been without the brace. Then the whole case handler (including
the break) lives inside those braces, and you get something that looks
more like this:
switch (discriminant) {
case SIMPLE:
do stuff;
break;
case COMPLICATED: {
declare variables;
do stuff;
break;
}
}
This commit is a big-bang change that reformats all the complicated
case handlers I could find into the new layout. This is particularly
nice in the Pageant main function, in which almost _every_ case
handler had a bundle of variables and was long and complicated. (In
fact that's what motivated me to get round to this.) Some of the
innermost parts of the terminal escape-sequence handling are also
breathing a bit easier now the horizontal pressure on them is
relieved.
(Also, in a few cases, I was able to remove the extra braces
completely, because the only variable local to the case handler was a
loop variable which our new C99 policy allows me to move into the
initialiser clause of its for statement.)
Viewed with whitespace ignored, this is not too disruptive a change.
Downstream patches that conflict with it may need to be reapplied
using --ignore-whitespace or similar.
2020-02-16 07:49:52 +00:00
|
|
|
case IDC_KEYSSH2ED25519: {
|
|
|
|
|
state = (struct MainDlgState *)
|
|
|
|
|
GetWindowLongPtr(hwnd, GWLP_USERDATA);
|
|
|
|
|
ui_set_key_type(hwnd, state, LOWORD(wParam));
|
2019-09-08 19:29:00 +00:00
|
|
|
break;
|
Formatting change to braces around one case of a switch.
Sometimes, within a switch statement, you want to declare local
variables specific to the handler for one particular case. Until now
I've mostly been writing this in the form
switch (discriminant) {
case SIMPLE:
do stuff;
break;
case COMPLICATED:
{
declare variables;
do stuff;
}
break;
}
which is ugly because the two pieces of essentially similar code
appear at different indent levels, and also inconvenient because you
have less horizontal space available to write the complicated case
handler in - particuarly undesirable because _complicated_ case
handlers are the ones most likely to need all the space they can get!
After encountering a rather nicer idiom in the LLVM source code, and
after a bit of hackery this morning figuring out how to persuade
Emacs's auto-indent to do what I wanted with it, I've decided to move
to an idiom in which the open brace comes right after the case
statement, and the code within it is indented the same as it would
have been without the brace. Then the whole case handler (including
the break) lives inside those braces, and you get something that looks
more like this:
switch (discriminant) {
case SIMPLE:
do stuff;
break;
case COMPLICATED: {
declare variables;
do stuff;
break;
}
}
This commit is a big-bang change that reformats all the complicated
case handlers I could find into the new layout. This is particularly
nice in the Pageant main function, in which almost _every_ case
handler had a bundle of variables and was long and complicated. (In
fact that's what motivated me to get round to this.) Some of the
innermost parts of the terminal escape-sequence handling are also
breathing a bit easier now the horizontal pressure on them is
relieved.
(Also, in a few cases, I was able to remove the extra braces
completely, because the only variable local to the case handler was a
loop variable which our new C99 policy allows me to move into the
initialiser clause of its for statement.)
Viewed with whitespace ignored, this is not too disruptive a change.
Downstream patches that conflict with it may need to be reapplied
using --ignore-whitespace or similar.
2020-02-16 07:49:52 +00:00
|
|
|
}
|
2019-09-08 19:29:00 +00:00
|
|
|
case IDC_QUIT:
|
|
|
|
|
PostMessage(hwnd, WM_CLOSE, 0, 0);
|
|
|
|
|
break;
|
|
|
|
|
case IDC_COMMENTEDIT:
|
|
|
|
|
if (HIWORD(wParam) == EN_CHANGE) {
|
|
|
|
|
state = (struct MainDlgState *)
|
|
|
|
|
GetWindowLongPtr(hwnd, GWLP_USERDATA);
|
|
|
|
|
if (state->key_exists) {
|
|
|
|
|
HWND editctl = GetDlgItem(hwnd, IDC_COMMENTEDIT);
|
|
|
|
|
int len = GetWindowTextLength(editctl);
|
|
|
|
|
if (*state->commentptr)
|
|
|
|
|
sfree(*state->commentptr);
|
|
|
|
|
*state->commentptr = snewn(len + 1, char);
|
|
|
|
|
GetWindowText(editctl, *state->commentptr, len + 1);
|
|
|
|
|
if (state->ssh2) {
|
|
|
|
|
setupbigedit2(hwnd, IDC_KEYDISPLAY, IDC_PKSTATIC,
|
|
|
|
|
&state->ssh2key);
|
|
|
|
|
} else {
|
|
|
|
|
setupbigedit1(hwnd, IDC_KEYDISPLAY, IDC_PKSTATIC,
|
|
|
|
|
&state->key);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
break;
|
|
|
|
|
case IDC_ABOUT:
|
|
|
|
|
EnableWindow(hwnd, 0);
|
|
|
|
|
DialogBox(hinst, MAKEINTRESOURCE(213), hwnd, AboutProc);
|
|
|
|
|
EnableWindow(hwnd, 1);
|
|
|
|
|
SetActiveWindow(hwnd);
|
|
|
|
|
return 0;
|
|
|
|
|
case IDC_GIVEHELP:
|
2002-05-11 16:45:29 +00:00
|
|
|
if (HIWORD(wParam) == BN_CLICKED ||
|
|
|
|
|
HIWORD(wParam) == BN_DOUBLECLICKED) {
|
2019-09-08 19:29:00 +00:00
|
|
|
launch_help(hwnd, WINHELP_CTX_puttygen_general);
|
2002-05-11 16:45:29 +00:00
|
|
|
}
|
2019-09-08 19:29:00 +00:00
|
|
|
return 0;
|
|
|
|
|
case IDC_GENERATE:
|
2003-03-22 09:22:52 +00:00
|
|
|
if (HIWORD(wParam) != BN_CLICKED &&
|
|
|
|
|
HIWORD(wParam) != BN_DOUBLECLICKED)
|
2019-09-08 19:29:00 +00:00
|
|
|
break;
|
|
|
|
|
state =
|
|
|
|
|
(struct MainDlgState *) GetWindowLongPtr(hwnd, GWLP_USERDATA);
|
|
|
|
|
if (!state->generation_thread_exists) {
|
2018-06-03 13:41:31 +00:00
|
|
|
unsigned raw_entropy_required;
|
|
|
|
|
unsigned char *raw_entropy_buf;
|
2019-09-08 19:29:00 +00:00
|
|
|
BOOL ok;
|
|
|
|
|
state->key_bits = GetDlgItemInt(hwnd, IDC_BITS, &ok, false);
|
|
|
|
|
if (!ok)
|
|
|
|
|
state->key_bits = DEFAULT_KEY_BITS;
|
Polish up the PuTTYgen user interface for ECC key types.
Jacob pointed out that a free-text field for entering a key size in
bits is all very well for key types where we actually _can_ generate a
key to a size of your choice, but less useful for key types where
there are only three (or one) legal values for the field, especially
if we don't _say_ what they are.
So I've revamped the UI a bit: now, in ECDSA mode, you get a dropdown
list selector showing the available elliptic curves (and they're even
named, rather than just given by bit count), and in ED25519 mode even
that disappears. The curve selector for ECDSA and the bits selector
for RSA/DSA are independent controls, so each one remembers its last
known value even while temporarily hidden in favour of the other.
The actual generation function still expects a bit count rather than
an actual curve or algorithm ID, so the easiest way to actually
arrange to populate the drop-down list was to have an array of bit
counts exposed by sshecc.c. That's a bit ugly, but there we go.
One small functional change: if you enter an absurdly low value into
the RSA/DSA bit count box (under 256), PuTTYgen used to give a warning
and reset it to 256. Now it resets it to the default key length of
2048, basically because I was touching that code anyway to change a
variable name and just couldn't bring myself to leave it in a state
where it intentionally chose such an utterly useless key size. Of
course this doesn't prevent generation of 256-bit keys if someone
still really wants one - it just means they don't get one selected as
the result of a typo.
2016-03-25 07:53:06 +00:00
|
|
|
{
|
|
|
|
|
int curveindex = SendDlgItemMessage(hwnd, IDC_CURVE,
|
|
|
|
|
CB_GETCURSEL, 0, 0);
|
|
|
|
|
assert(curveindex >= 0);
|
|
|
|
|
assert(curveindex < n_ec_nist_curve_lengths);
|
|
|
|
|
state->curve_bits = ec_nist_curve_lengths[curveindex];
|
|
|
|
|
}
|
2019-09-08 19:29:00 +00:00
|
|
|
/* If we ever introduce a new key type, check it here! */
|
|
|
|
|
state->ssh2 = !IsDlgButtonChecked(hwnd, IDC_KEYSSH1);
|
2014-11-01 09:14:19 +00:00
|
|
|
state->keytype = RSA;
|
|
|
|
|
if (IsDlgButtonChecked(hwnd, IDC_KEYSSH2DSA)) {
|
|
|
|
|
state->keytype = DSA;
|
2014-11-01 09:45:20 +00:00
|
|
|
} else if (IsDlgButtonChecked(hwnd, IDC_KEYSSH2ECDSA)) {
|
|
|
|
|
state->keytype = ECDSA;
|
2015-05-09 14:02:54 +00:00
|
|
|
} else if (IsDlgButtonChecked(hwnd, IDC_KEYSSH2ED25519)) {
|
|
|
|
|
state->keytype = ED25519;
|
2014-11-01 09:14:19 +00:00
|
|
|
}
|
2016-04-02 07:00:37 +00:00
|
|
|
|
2019-09-08 19:29:00 +00:00
|
|
|
if ((state->keytype == RSA || state->keytype == DSA) &&
|
Polish up the PuTTYgen user interface for ECC key types.
Jacob pointed out that a free-text field for entering a key size in
bits is all very well for key types where we actually _can_ generate a
key to a size of your choice, but less useful for key types where
there are only three (or one) legal values for the field, especially
if we don't _say_ what they are.
So I've revamped the UI a bit: now, in ECDSA mode, you get a dropdown
list selector showing the available elliptic curves (and they're even
named, rather than just given by bit count), and in ED25519 mode even
that disappears. The curve selector for ECDSA and the bits selector
for RSA/DSA are independent controls, so each one remembers its last
known value even while temporarily hidden in favour of the other.
The actual generation function still expects a bit count rather than
an actual curve or algorithm ID, so the easiest way to actually
arrange to populate the drop-down list was to have an array of bit
counts exposed by sshecc.c. That's a bit ugly, but there we go.
One small functional change: if you enter an absurdly low value into
the RSA/DSA bit count box (under 256), PuTTYgen used to give a warning
and reset it to 256. Now it resets it to the default key length of
2048, basically because I was touching that code anyway to change a
variable name and just couldn't bring myself to leave it in a state
where it intentionally chose such an utterly useless key size. Of
course this doesn't prevent generation of 256-bit keys if someone
still really wants one - it just means they don't get one selected as
the result of a typo.
2016-03-25 07:53:06 +00:00
|
|
|
state->key_bits < 256) {
|
|
|
|
|
char *message = dupprintf
|
|
|
|
|
("PuTTYgen will not generate a key smaller than 256"
|
|
|
|
|
" bits.\nKey length reset to default %d. Continue?",
|
|
|
|
|
DEFAULT_KEY_BITS);
|
2019-09-08 19:29:00 +00:00
|
|
|
int ret = MessageBox(hwnd, message, "PuTTYgen Warning",
|
|
|
|
|
MB_ICONWARNING | MB_OKCANCEL);
|
Polish up the PuTTYgen user interface for ECC key types.
Jacob pointed out that a free-text field for entering a key size in
bits is all very well for key types where we actually _can_ generate a
key to a size of your choice, but less useful for key types where
there are only three (or one) legal values for the field, especially
if we don't _say_ what they are.
So I've revamped the UI a bit: now, in ECDSA mode, you get a dropdown
list selector showing the available elliptic curves (and they're even
named, rather than just given by bit count), and in ED25519 mode even
that disappears. The curve selector for ECDSA and the bits selector
for RSA/DSA are independent controls, so each one remembers its last
known value even while temporarily hidden in favour of the other.
The actual generation function still expects a bit count rather than
an actual curve or algorithm ID, so the easiest way to actually
arrange to populate the drop-down list was to have an array of bit
counts exposed by sshecc.c. That's a bit ugly, but there we go.
One small functional change: if you enter an absurdly low value into
the RSA/DSA bit count box (under 256), PuTTYgen used to give a warning
and reset it to 256. Now it resets it to the default key length of
2048, basically because I was touching that code anyway to change a
variable name and just couldn't bring myself to leave it in a state
where it intentionally chose such an utterly useless key size. Of
course this doesn't prevent generation of 256-bit keys if someone
still really wants one - it just means they don't get one selected as
the result of a typo.
2016-03-25 07:53:06 +00:00
|
|
|
sfree(message);
|
2019-09-08 19:29:00 +00:00
|
|
|
if (ret != IDOK)
|
|
|
|
|
break;
|
|
|
|
|
state->key_bits = DEFAULT_KEY_BITS;
|
|
|
|
|
SetDlgItemInt(hwnd, IDC_BITS, DEFAULT_KEY_BITS, false);
|
|
|
|
|
} else if ((state->keytype == RSA || state->keytype == DSA) &&
|
2016-04-02 07:00:37 +00:00
|
|
|
state->key_bits < DEFAULT_KEY_BITS) {
|
|
|
|
|
char *message = dupprintf
|
|
|
|
|
("Keys shorter than %d bits are not recommended. "
|
|
|
|
|
"Really generate this key?", DEFAULT_KEY_BITS);
|
2019-09-08 19:29:00 +00:00
|
|
|
int ret = MessageBox(hwnd, message, "PuTTYgen Warning",
|
|
|
|
|
MB_ICONWARNING | MB_OKCANCEL);
|
2016-04-02 07:00:37 +00:00
|
|
|
sfree(message);
|
2019-09-08 19:29:00 +00:00
|
|
|
if (ret != IDOK)
|
|
|
|
|
break;
|
2016-04-02 07:00:37 +00:00
|
|
|
}
|
|
|
|
|
|
2019-09-08 19:29:00 +00:00
|
|
|
if (state->keytype == RSA || state->keytype == DSA)
|
2018-06-03 13:41:31 +00:00
|
|
|
raw_entropy_required = (state->key_bits / 2) * 2;
|
2019-09-08 19:29:00 +00:00
|
|
|
else if (state->keytype == ECDSA)
|
2018-06-03 13:41:31 +00:00
|
|
|
raw_entropy_required = (state->curve_bits / 2) * 2;
|
Polish up the PuTTYgen user interface for ECC key types.
Jacob pointed out that a free-text field for entering a key size in
bits is all very well for key types where we actually _can_ generate a
key to a size of your choice, but less useful for key types where
there are only three (or one) legal values for the field, especially
if we don't _say_ what they are.
So I've revamped the UI a bit: now, in ECDSA mode, you get a dropdown
list selector showing the available elliptic curves (and they're even
named, rather than just given by bit count), and in ED25519 mode even
that disappears. The curve selector for ECDSA and the bits selector
for RSA/DSA are independent controls, so each one remembers its last
known value even while temporarily hidden in favour of the other.
The actual generation function still expects a bit count rather than
an actual curve or algorithm ID, so the easiest way to actually
arrange to populate the drop-down list was to have an array of bit
counts exposed by sshecc.c. That's a bit ugly, but there we go.
One small functional change: if you enter an absurdly low value into
the RSA/DSA bit count box (under 256), PuTTYgen used to give a warning
and reset it to 256. Now it resets it to the default key length of
2048, basically because I was touching that code anyway to change a
variable name and just couldn't bring myself to leave it in a state
where it intentionally chose such an utterly useless key size. Of
course this doesn't prevent generation of 256-bit keys if someone
still really wants one - it just means they don't get one selected as
the result of a typo.
2016-03-25 07:53:06 +00:00
|
|
|
else
|
2018-06-03 13:41:31 +00:00
|
|
|
raw_entropy_required = 256;
|
|
|
|
|
|
2019-02-10 13:43:14 +00:00
|
|
|
/* Bound the entropy collection above by the amount of
|
|
|
|
|
* data we can actually fit into the PRNG. Any more
|
|
|
|
|
* than that and it's doing no more good. */
|
|
|
|
|
if (raw_entropy_required > random_seed_bits())
|
|
|
|
|
raw_entropy_required = random_seed_bits();
|
|
|
|
|
|
2018-06-03 13:41:31 +00:00
|
|
|
raw_entropy_buf = snewn(raw_entropy_required, unsigned char);
|
|
|
|
|
if (win_read_random(raw_entropy_buf, raw_entropy_required)) {
|
|
|
|
|
/*
|
2019-02-10 13:38:15 +00:00
|
|
|
* If we can get entropy from CryptGenRandom, use
|
|
|
|
|
* it. But CryptGenRandom isn't a kernel-level
|
|
|
|
|
* CPRNG (according to Wikipedia), and papers have
|
|
|
|
|
* been published cryptanalysing it. So we'll
|
|
|
|
|
* still do manual entropy collection; we'll just
|
|
|
|
|
* do it _as well_ as this.
|
2018-06-03 13:41:31 +00:00
|
|
|
*/
|
Replace PuTTY's PRNG with a Fortuna-like system.
This tears out the entire previous random-pool system in sshrand.c. In
its place is a system pretty close to Ferguson and Schneier's
'Fortuna' generator, with the main difference being that I use SHA-256
instead of AES for the generation side of the system (rationale given
in comment).
The PRNG implementation lives in sshprng.c, and defines a self-
contained data type with no state stored outside the object, so you
can instantiate however many of them you like. The old sshrand.c still
exists, but in place of the previous random pool system, it's just
become a client of sshprng.c, whose job is to hold a single global
instance of the PRNG type, and manage its reference count, save file,
noise-collection timers and similar administrative business.
Advantages of this change include:
- Fortuna is designed with a more varied threat model in mind than my
old home-grown random pool. For example, after any request for
random numbers, it automatically re-seeds itself, so that if the
state of the PRNG should be leaked, it won't give enough
information to find out what past outputs _were_.
- The PRNG type can be instantiated with any hash function; the
instance used by the main tools is based on SHA-256, an improvement
on the old pool's use of SHA-1.
- The new PRNG only uses the completely standard interface to the
hash function API, instead of having to have privileged access to
the internal SHA-1 block transform function. This will make it
easier to revamp the hash code in general, and also it means that
hardware-accelerated versions of SHA-256 will automatically be used
for the PRNG as well as for everything else.
- The new PRNG can be _tested_! Because it has an actual (if not
quite explicit) specification for exactly what the output numbers
_ought_ to be derived from the hashes of, I can (and have) put
tests in cryptsuite that ensure the output really is being derived
in the way I think it is. The old pool could have been returning
any old nonsense and it would have been very hard to tell for sure.
2019-01-22 22:42:41 +00:00
|
|
|
random_reseed(
|
|
|
|
|
make_ptrlen(raw_entropy_buf, raw_entropy_required));
|
2018-06-03 13:41:31 +00:00
|
|
|
}
|
2001-05-06 14:35:20 +00:00
|
|
|
|
2019-02-10 13:38:15 +00:00
|
|
|
/*
|
|
|
|
|
* Manual entropy input, by making the user wave the
|
|
|
|
|
* mouse over the window a lot.
|
|
|
|
|
*
|
|
|
|
|
* My brief statistical tests on mouse movements
|
|
|
|
|
* suggest that there are about 2.5 bits of randomness
|
|
|
|
|
* in the x position, 2.5 in the y position, and 1.7
|
|
|
|
|
* in the message time, making 5.7 bits of
|
|
|
|
|
* unpredictability per mouse movement. However, other
|
|
|
|
|
* people have told me it's far less than that, so I'm
|
|
|
|
|
* going to be stupidly cautious and knock that down
|
|
|
|
|
* to a nice round 2. With this method, we require two
|
|
|
|
|
* words per mouse movement, so with 2 bits per mouse
|
|
|
|
|
* movement we expect 2 bits every 2 words, i.e. the
|
|
|
|
|
* number of _words_ of mouse data we want to collect
|
|
|
|
|
* is just the same as the number of _bits_ of entropy
|
|
|
|
|
* we want.
|
|
|
|
|
*/
|
|
|
|
|
state->entropy_required = raw_entropy_required;
|
|
|
|
|
|
|
|
|
|
ui_set_state(hwnd, state, 1);
|
|
|
|
|
SetDlgItemText(hwnd, IDC_GENERATING, entropy_msg);
|
|
|
|
|
state->key_exists = false;
|
|
|
|
|
state->collecting_entropy = true;
|
|
|
|
|
|
|
|
|
|
state->entropy_got = 0;
|
|
|
|
|
state->entropy_size = (state->entropy_required *
|
|
|
|
|
sizeof(unsigned));
|
|
|
|
|
state->entropy = snewn(state->entropy_required, unsigned);
|
|
|
|
|
|
|
|
|
|
SendDlgItemMessage(hwnd, IDC_PROGRESS, PBM_SETRANGE, 0,
|
|
|
|
|
MAKELPARAM(0, state->entropy_required));
|
|
|
|
|
SendDlgItemMessage(hwnd, IDC_PROGRESS, PBM_SETPOS, 0, 0);
|
|
|
|
|
|
2018-06-03 13:41:31 +00:00
|
|
|
smemclr(raw_entropy_buf, raw_entropy_required);
|
|
|
|
|
sfree(raw_entropy_buf);
|
2019-09-08 19:29:00 +00:00
|
|
|
}
|
|
|
|
|
break;
|
|
|
|
|
case IDC_SAVE:
|
2015-05-10 06:42:48 +00:00
|
|
|
case IDC_EXPORT_OPENSSH_AUTO:
|
2015-04-28 18:46:58 +00:00
|
|
|
case IDC_EXPORT_OPENSSH_NEW:
|
2002-05-13 16:56:11 +00:00
|
|
|
case IDC_EXPORT_SSHCOM:
|
2019-09-08 19:29:00 +00:00
|
|
|
if (HIWORD(wParam) != BN_CLICKED)
|
|
|
|
|
break;
|
|
|
|
|
state =
|
|
|
|
|
(struct MainDlgState *) GetWindowLongPtr(hwnd, GWLP_USERDATA);
|
|
|
|
|
if (state->key_exists) {
|
|
|
|
|
char filename[FILENAME_MAX];
|
|
|
|
|
char *passphrase, *passphrase2;
|
2002-05-13 16:56:11 +00:00
|
|
|
int type, realtype;
|
|
|
|
|
|
|
|
|
|
if (state->ssh2)
|
|
|
|
|
realtype = SSH_KEYTYPE_SSH2;
|
|
|
|
|
else
|
|
|
|
|
realtype = SSH_KEYTYPE_SSH1;
|
|
|
|
|
|
2015-05-10 06:42:48 +00:00
|
|
|
if (LOWORD(wParam) == IDC_EXPORT_OPENSSH_AUTO)
|
|
|
|
|
type = SSH_KEYTYPE_OPENSSH_AUTO;
|
2015-04-28 18:46:58 +00:00
|
|
|
else if (LOWORD(wParam) == IDC_EXPORT_OPENSSH_NEW)
|
|
|
|
|
type = SSH_KEYTYPE_OPENSSH_NEW;
|
2002-05-13 16:56:11 +00:00
|
|
|
else if (LOWORD(wParam) == IDC_EXPORT_SSHCOM)
|
|
|
|
|
type = SSH_KEYTYPE_SSHCOM;
|
|
|
|
|
else
|
|
|
|
|
type = realtype;
|
|
|
|
|
|
|
|
|
|
if (type != realtype &&
|
|
|
|
|
import_target_type(type) != realtype) {
|
|
|
|
|
char msg[256];
|
2005-03-10 16:36:05 +00:00
|
|
|
sprintf(msg, "Cannot export an SSH-%d key in an SSH-%d"
|
2002-05-13 16:56:11 +00:00
|
|
|
" format", (state->ssh2 ? 2 : 1),
|
|
|
|
|
(state->ssh2 ? 1 : 2));
|
2019-09-08 19:29:00 +00:00
|
|
|
MessageBox(hwnd, msg,
|
2002-05-13 16:56:11 +00:00
|
|
|
"PuTTYgen Error", MB_OK | MB_ICONERROR);
|
2019-09-08 19:29:00 +00:00
|
|
|
break;
|
2002-05-13 16:56:11 +00:00
|
|
|
}
|
|
|
|
|
|
2019-09-08 19:29:00 +00:00
|
|
|
passphrase = GetDlgItemText_alloc(hwnd, IDC_PASSPHRASE1EDIT);
|
|
|
|
|
passphrase2 = GetDlgItemText_alloc(hwnd, IDC_PASSPHRASE2EDIT);
|
|
|
|
|
if (strcmp(passphrase, passphrase2)) {
|
|
|
|
|
MessageBox(hwnd,
|
|
|
|
|
"The two passphrases given do not match.",
|
|
|
|
|
"PuTTYgen Error", MB_OK | MB_ICONERROR);
|
2011-10-02 14:14:21 +00:00
|
|
|
burnstr(passphrase);
|
|
|
|
|
burnstr(passphrase2);
|
2019-09-08 19:29:00 +00:00
|
|
|
break;
|
|
|
|
|
}
|
2011-10-02 14:14:21 +00:00
|
|
|
burnstr(passphrase2);
|
2019-09-08 19:29:00 +00:00
|
|
|
if (!*passphrase) {
|
|
|
|
|
int ret;
|
|
|
|
|
ret = MessageBox(hwnd,
|
|
|
|
|
"Are you sure you want to save this key\n"
|
|
|
|
|
"without a passphrase to protect it?",
|
|
|
|
|
"PuTTYgen Warning",
|
|
|
|
|
MB_YESNO | MB_ICONWARNING);
|
|
|
|
|
if (ret != IDYES) {
|
2011-10-02 14:14:21 +00:00
|
|
|
burnstr(passphrase);
|
|
|
|
|
break;
|
|
|
|
|
}
|
2019-09-08 19:29:00 +00:00
|
|
|
}
|
|
|
|
|
if (prompt_keyfile(hwnd, "Save private key as:",
|
|
|
|
|
filename, true, (type == realtype))) {
|
|
|
|
|
int ret;
|
|
|
|
|
FILE *fp = fopen(filename, "r");
|
|
|
|
|
if (fp) {
|
|
|
|
|
char *buffer;
|
|
|
|
|
fclose(fp);
|
|
|
|
|
buffer = dupprintf("Overwrite existing file\n%s?",
|
|
|
|
|
filename);
|
|
|
|
|
ret = MessageBox(hwnd, buffer, "PuTTYgen Warning",
|
|
|
|
|
MB_YESNO | MB_ICONWARNING);
|
|
|
|
|
sfree(buffer);
|
|
|
|
|
if (ret != IDYES) {
|
2011-10-02 14:14:21 +00:00
|
|
|
burnstr(passphrase);
|
2019-09-08 19:29:00 +00:00
|
|
|
break;
|
2011-10-02 14:14:21 +00:00
|
|
|
}
|
2019-09-08 19:29:00 +00:00
|
|
|
}
|
2002-05-13 16:56:11 +00:00
|
|
|
|
2019-09-08 19:29:00 +00:00
|
|
|
if (state->ssh2) {
|
|
|
|
|
Filename *fn = filename_from_str(filename);
|
2002-05-13 16:56:11 +00:00
|
|
|
if (type != realtype)
|
2011-10-02 11:01:57 +00:00
|
|
|
ret = export_ssh2(fn, type, &state->ssh2key,
|
2002-05-13 16:56:11 +00:00
|
|
|
*passphrase ? passphrase : NULL);
|
|
|
|
|
else
|
2020-01-05 10:28:45 +00:00
|
|
|
ret = ppk_save_f(fn, &state->ssh2key,
|
|
|
|
|
*passphrase ? passphrase : NULL);
|
2011-10-02 11:01:57 +00:00
|
|
|
filename_free(fn);
|
2019-09-08 19:29:00 +00:00
|
|
|
} else {
|
|
|
|
|
Filename *fn = filename_from_str(filename);
|
2002-05-13 16:56:11 +00:00
|
|
|
if (type != realtype)
|
2011-10-02 11:01:57 +00:00
|
|
|
ret = export_ssh1(fn, type, &state->key,
|
2002-05-13 16:56:11 +00:00
|
|
|
*passphrase ? passphrase : NULL);
|
|
|
|
|
else
|
2020-01-05 10:28:45 +00:00
|
|
|
ret = rsa1_save_f(fn, &state->key,
|
|
|
|
|
*passphrase ? passphrase : NULL);
|
2011-10-02 11:01:57 +00:00
|
|
|
filename_free(fn);
|
2019-09-08 19:29:00 +00:00
|
|
|
}
|
|
|
|
|
if (ret <= 0) {
|
|
|
|
|
MessageBox(hwnd, "Unable to save key file",
|
|
|
|
|
"PuTTYgen Error", MB_OK | MB_ICONERROR);
|
|
|
|
|
}
|
|
|
|
|
}
|
2011-10-02 14:14:21 +00:00
|
|
|
burnstr(passphrase);
|
2019-09-08 19:29:00 +00:00
|
|
|
}
|
|
|
|
|
break;
|
|
|
|
|
case IDC_SAVEPUB:
|
|
|
|
|
if (HIWORD(wParam) != BN_CLICKED)
|
|
|
|
|
break;
|
|
|
|
|
state =
|
|
|
|
|
(struct MainDlgState *) GetWindowLongPtr(hwnd, GWLP_USERDATA);
|
|
|
|
|
if (state->key_exists) {
|
|
|
|
|
char filename[FILENAME_MAX];
|
|
|
|
|
if (prompt_keyfile(hwnd, "Save public key as:",
|
|
|
|
|
filename, true, false)) {
|
|
|
|
|
int ret;
|
|
|
|
|
FILE *fp = fopen(filename, "r");
|
|
|
|
|
if (fp) {
|
|
|
|
|
char *buffer;
|
|
|
|
|
fclose(fp);
|
|
|
|
|
buffer = dupprintf("Overwrite existing file\n%s?",
|
|
|
|
|
filename);
|
|
|
|
|
ret = MessageBox(hwnd, buffer, "PuTTYgen Warning",
|
|
|
|
|
MB_YESNO | MB_ICONWARNING);
|
|
|
|
|
sfree(buffer);
|
|
|
|
|
if (ret != IDYES)
|
|
|
|
|
break;
|
|
|
|
|
}
|
2015-05-12 12:42:26 +00:00
|
|
|
fp = fopen(filename, "w");
|
|
|
|
|
if (!fp) {
|
|
|
|
|
MessageBox(hwnd, "Unable to open key file",
|
|
|
|
|
"PuTTYgen Error", MB_OK | MB_ICONERROR);
|
|
|
|
|
} else {
|
|
|
|
|
if (state->ssh2) {
|
2018-05-24 09:59:39 +00:00
|
|
|
strbuf *blob = strbuf_new();
|
2018-06-03 11:58:05 +00:00
|
|
|
ssh_key_public_blob(
|
|
|
|
|
state->ssh2key.key, BinarySink_UPCAST(blob));
|
2015-05-12 12:42:26 +00:00
|
|
|
ssh2_write_pubkey(fp, state->ssh2key.comment,
|
2018-05-24 09:59:39 +00:00
|
|
|
blob->u, blob->len,
|
2015-05-12 12:42:26 +00:00
|
|
|
SSH_KEYTYPE_SSH2_PUBLIC_RFC4716);
|
2018-05-24 09:59:39 +00:00
|
|
|
strbuf_free(blob);
|
2015-05-12 12:42:26 +00:00
|
|
|
} else {
|
|
|
|
|
ssh1_write_pubkey(fp, &state->key);
|
|
|
|
|
}
|
|
|
|
|
if (fclose(fp) < 0) {
|
|
|
|
|
MessageBox(hwnd, "Unable to save key file",
|
|
|
|
|
"PuTTYgen Error", MB_OK | MB_ICONERROR);
|
|
|
|
|
}
|
|
|
|
|
}
|
2019-09-08 19:29:00 +00:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
break;
|
|
|
|
|
case IDC_LOAD:
|
|
|
|
|
case IDC_IMPORT:
|
|
|
|
|
if (HIWORD(wParam) != BN_CLICKED)
|
|
|
|
|
break;
|
|
|
|
|
state =
|
|
|
|
|
(struct MainDlgState *) GetWindowLongPtr(hwnd, GWLP_USERDATA);
|
|
|
|
|
if (!state->generation_thread_exists) {
|
|
|
|
|
char filename[FILENAME_MAX];
|
|
|
|
|
if (prompt_keyfile(hwnd, "Load private key:", filename, false,
|
Convert a lot of 'int' variables to 'bool'.
My normal habit these days, in new code, is to treat int and bool as
_almost_ completely separate types. I'm still willing to use C's
implicit test for zero on an integer (e.g. 'if (!blob.len)' is fine,
no need to spell it out as blob.len != 0), but generally, if a
variable is going to be conceptually a boolean, I like to declare it
bool and assign to it using 'true' or 'false' rather than 0 or 1.
PuTTY is an exception, because it predates the C99 bool, and I've
stuck to its existing coding style even when adding new code to it.
But it's been annoying me more and more, so now that I've decided C99
bool is an acceptable thing to require from our toolchain in the first
place, here's a quite thorough trawl through the source doing
'boolification'. Many variables and function parameters are now typed
as bool rather than int; many assignments of 0 or 1 to those variables
are now spelled 'true' or 'false'.
I managed this thorough conversion with the help of a custom clang
plugin that I wrote to trawl the AST and apply heuristics to point out
where things might want changing. So I've even managed to do a decent
job on parts of the code I haven't looked at in years!
To make the plugin's work easier, I pushed platform front ends
generally in the direction of using standard 'bool' in preference to
platform-specific boolean types like Windows BOOL or GTK's gboolean;
I've left the platform booleans in places they _have_ to be for the
platform APIs to work right, but variables only used by my own code
have been converted wherever I found them.
In a few places there are int values that look very like booleans in
_most_ of the places they're used, but have a rarely-used third value,
or a distinction between different nonzero values that most users
don't care about. In these cases, I've _removed_ uses of 'true' and
'false' for the return values, to emphasise that there's something
more subtle going on than a simple boolean answer:
- the 'multisel' field in dialog.h's list box structure, for which
the GTK front end in particular recognises a difference between 1
and 2 but nearly everything else treats as boolean
- the 'urgent' parameter to plug_receive, where 1 vs 2 tells you
something about the specific location of the urgent pointer, but
most clients only care about 0 vs 'something nonzero'
- the return value of wc_match, where -1 indicates a syntax error in
the wildcard.
- the return values from SSH-1 RSA-key loading functions, which use
-1 for 'wrong passphrase' and 0 for all other failures (so any
caller which already knows it's not loading an _encrypted private_
key can treat them as boolean)
- term->esc_query, and the 'query' parameter in toggle_mode in
terminal.c, which _usually_ hold 0 for ESC[123h or 1 for ESC[?123h,
but can also hold -1 for some other intervening character that we
don't support.
In a few places there's an integer that I haven't turned into a bool
even though it really _can_ only take values 0 or 1 (and, as above,
tried to make the call sites consistent in not calling those values
true and false), on the grounds that I thought it would make it more
confusing to imply that the 0 value was in some sense 'negative' or
bad and the 1 positive or good:
- the return value of plug_accepting uses the POSIXish convention of
0=success and nonzero=error; I think if I made it bool then I'd
also want to reverse its sense, and that's a job for a separate
piece of work.
- the 'screen' parameter to lineptr() in terminal.c, where 0 and 1
represent the default and alternate screens. There's no obvious
reason why one of those should be considered 'true' or 'positive'
or 'success' - they're just indices - so I've left it as int.
ssh_scp_recv had particularly confusing semantics for its previous int
return value: its call sites used '<= 0' to check for error, but it
never actually returned a negative number, just 0 or 1. Now the
function and its call sites agree that it's a bool.
In a couple of places I've renamed variables called 'ret', because I
don't like that name any more - it's unclear whether it means the
return value (in preparation) for the _containing_ function or the
return value received from a subroutine call, and occasionally I've
accidentally used the same variable for both and introduced a bug. So
where one of those got in my way, I've renamed it to 'toret' or 'retd'
(the latter short for 'returned') in line with my usual modern
practice, but I haven't done a thorough job of finding all of them.
Finally, one amusing side effect of doing this is that I've had to
separate quite a few chained assignments. It used to be perfectly fine
to write 'a = b = c = TRUE' when a,b,c were int and TRUE was just a
the 'true' defined by stdbool.h, that idiom provokes a warning from
gcc: 'suggest parentheses around assignment used as truth value'!
2018-11-02 19:23:19 +00:00
|
|
|
LOWORD(wParam) == IDC_LOAD)) {
|
2013-07-22 07:11:54 +00:00
|
|
|
Filename *fn = filename_from_str(filename);
|
2019-09-08 19:29:00 +00:00
|
|
|
load_key_file(hwnd, state, fn, LOWORD(wParam) != IDC_LOAD);
|
2013-07-22 07:11:54 +00:00
|
|
|
filename_free(fn);
|
|
|
|
|
}
|
2019-09-08 19:29:00 +00:00
|
|
|
}
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
return 0;
|
2000-10-19 15:43:08 +00:00
|
|
|
case WM_DONEKEY:
|
2019-09-08 19:29:00 +00:00
|
|
|
state = (struct MainDlgState *) GetWindowLongPtr(hwnd, GWLP_USERDATA);
|
|
|
|
|
state->generation_thread_exists = false;
|
|
|
|
|
state->key_exists = true;
|
|
|
|
|
SendDlgItemMessage(hwnd, IDC_PROGRESS, PBM_SETRANGE, 0,
|
|
|
|
|
MAKELPARAM(0, PROGRESSRANGE));
|
|
|
|
|
SendDlgItemMessage(hwnd, IDC_PROGRESS, PBM_SETPOS, PROGRESSRANGE, 0);
|
|
|
|
|
if (state->ssh2) {
|
2014-11-01 09:14:19 +00:00
|
|
|
if (state->keytype == DSA) {
|
2019-09-08 19:29:00 +00:00
|
|
|
state->ssh2key.key = &state->dsskey.sshk;
|
2014-11-01 09:45:20 +00:00
|
|
|
} else if (state->keytype == ECDSA) {
|
2018-06-03 11:58:05 +00:00
|
|
|
state->ssh2key.key = &state->eckey.sshk;
|
2015-05-09 14:02:54 +00:00
|
|
|
} else if (state->keytype == ED25519) {
|
Complete rewrite of PuTTY's bignum library.
The old 'Bignum' data type is gone completely, and so is sshbn.c. In
its place is a new thing called 'mp_int', handled by an entirely new
library module mpint.c, with API differences both large and small.
The main aim of this change is that the new library should be free of
timing- and cache-related side channels. I've written the code so that
it _should_ - assuming I haven't made any mistakes - do all of its
work without either control flow or memory addressing depending on the
data words of the input numbers. (Though, being an _arbitrary_
precision library, it does have to at least depend on the sizes of the
numbers - but there's a 'formal' size that can vary separately from
the actual magnitude of the represented integer, so if you want to
keep it secret that your number is actually small, it should work fine
to have a very long mp_int and just happen to store 23 in it.) So I've
done all my conditionalisation by means of computing both answers and
doing bit-masking to swap the right one into place, and all loops over
the words of an mp_int go up to the formal size rather than the actual
size.
I haven't actually tested the constant-time property in any rigorous
way yet (I'm still considering the best way to do it). But this code
is surely at the very least a big improvement on the old version, even
if I later find a few more things to fix.
I've also completely rewritten the low-level elliptic curve arithmetic
from sshecc.c; the new ecc.c is closer to being an adjunct of mpint.c
than it is to the SSH end of the code. The new elliptic curve code
keeps all coordinates in Montgomery-multiplication transformed form to
speed up all the multiplications mod the same prime, and only converts
them back when you ask for the affine coordinates. Also, I adopted
extended coordinates for the Edwards curve implementation.
sshecc.c has also had a near-total rewrite in the course of switching
it over to the new system. While I was there, I've separated ECDSA and
EdDSA more completely - they now have separate vtables, instead of a
single vtable in which nearly every function had a big if statement in
it - and also made the externally exposed types for an ECDSA key and
an ECDH context different.
A minor new feature: since the new arithmetic code includes a modular
square root function, we can now support the compressed point
representation for the NIST curves. We seem to have been getting along
fine without that so far, but it seemed a shame not to put it in,
since it was suddenly easy.
In sshrsa.c, one major change is that I've removed the RSA blinding
step in rsa_privkey_op, in which we randomise the ciphertext before
doing the decryption. The purpose of that was to avoid timing leaks
giving away the plaintext - but the new arithmetic code should take
that in its stride in the course of also being careful enough to avoid
leaking the _private key_, which RSA blinding had no way to do
anything about in any case.
Apart from those specific points, most of the rest of the changes are
more or less mechanical, just changing type names and translating code
into the new API.
2018-12-31 13:53:41 +00:00
|
|
|
state->ssh2key.key = &state->edkey.sshk;
|
2019-09-08 19:29:00 +00:00
|
|
|
} else {
|
|
|
|
|
state->ssh2key.key = &state->key.sshk;
|
|
|
|
|
}
|
|
|
|
|
state->commentptr = &state->ssh2key.comment;
|
|
|
|
|
} else {
|
|
|
|
|
state->commentptr = &state->key.comment;
|
|
|
|
|
}
|
|
|
|
|
/*
|
|
|
|
|
* Invent a comment for the key. We'll do this by including
|
|
|
|
|
* the date in it. This will be so horrifyingly ugly that
|
|
|
|
|
* the user will immediately want to change it, which is
|
|
|
|
|
* what we want :-)
|
|
|
|
|
*/
|
|
|
|
|
*state->commentptr = snewn(30, char);
|
|
|
|
|
{
|
|
|
|
|
struct tm tm;
|
|
|
|
|
tm = ltime();
|
2014-11-01 09:14:19 +00:00
|
|
|
if (state->keytype == DSA)
|
2019-09-08 19:29:00 +00:00
|
|
|
strftime(*state->commentptr, 30, "dsa-key-%Y%m%d", &tm);
|
2014-11-01 09:45:20 +00:00
|
|
|
else if (state->keytype == ECDSA)
|
|
|
|
|
strftime(*state->commentptr, 30, "ecdsa-key-%Y%m%d", &tm);
|
2015-05-09 14:02:54 +00:00
|
|
|
else if (state->keytype == ED25519)
|
|
|
|
|
strftime(*state->commentptr, 30, "ed25519-key-%Y%m%d", &tm);
|
2019-09-08 19:29:00 +00:00
|
|
|
else
|
|
|
|
|
strftime(*state->commentptr, 30, "rsa-key-%Y%m%d", &tm);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Now update the key controls with all the key data.
|
|
|
|
|
*/
|
|
|
|
|
{
|
|
|
|
|
char *fp, *savecomment;
|
|
|
|
|
/*
|
|
|
|
|
* Blank passphrase, initially. This isn't dangerous,
|
|
|
|
|
* because we will warn (Are You Sure?) before allowing
|
|
|
|
|
* the user to save an unprotected private key.
|
|
|
|
|
*/
|
|
|
|
|
SetDlgItemText(hwnd, IDC_PASSPHRASE1EDIT, "");
|
|
|
|
|
SetDlgItemText(hwnd, IDC_PASSPHRASE2EDIT, "");
|
|
|
|
|
/*
|
|
|
|
|
* Set the comment.
|
|
|
|
|
*/
|
|
|
|
|
SetDlgItemText(hwnd, IDC_COMMENTEDIT, *state->commentptr);
|
|
|
|
|
/*
|
|
|
|
|
* Set the key fingerprint.
|
|
|
|
|
*/
|
|
|
|
|
savecomment = *state->commentptr;
|
|
|
|
|
*state->commentptr = NULL;
|
|
|
|
|
if (state->ssh2)
|
|
|
|
|
fp = ssh2_fingerprint(state->ssh2key.key);
|
2018-06-03 07:08:53 +00:00
|
|
|
else
|
|
|
|
|
fp = rsa_ssh1_fingerprint(&state->key);
|
|
|
|
|
SetDlgItemText(hwnd, IDC_FINGERPRINT, fp);
|
|
|
|
|
sfree(fp);
|
2019-09-08 19:29:00 +00:00
|
|
|
*state->commentptr = savecomment;
|
|
|
|
|
/*
|
|
|
|
|
* Construct a decimal representation of the key, for
|
|
|
|
|
* pasting into .ssh/authorized_keys or
|
|
|
|
|
* .ssh/authorized_keys2 on a Unix box.
|
|
|
|
|
*/
|
|
|
|
|
if (state->ssh2) {
|
|
|
|
|
setupbigedit2(hwnd, IDC_KEYDISPLAY,
|
|
|
|
|
IDC_PKSTATIC, &state->ssh2key);
|
|
|
|
|
} else {
|
|
|
|
|
setupbigedit1(hwnd, IDC_KEYDISPLAY,
|
|
|
|
|
IDC_PKSTATIC, &state->key);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
/*
|
|
|
|
|
* Finally, hide the progress bar and show the key data.
|
|
|
|
|
*/
|
|
|
|
|
ui_set_state(hwnd, state, 2);
|
|
|
|
|
break;
|
Formatting change to braces around one case of a switch.
Sometimes, within a switch statement, you want to declare local
variables specific to the handler for one particular case. Until now
I've mostly been writing this in the form
switch (discriminant) {
case SIMPLE:
do stuff;
break;
case COMPLICATED:
{
declare variables;
do stuff;
}
break;
}
which is ugly because the two pieces of essentially similar code
appear at different indent levels, and also inconvenient because you
have less horizontal space available to write the complicated case
handler in - particuarly undesirable because _complicated_ case
handlers are the ones most likely to need all the space they can get!
After encountering a rather nicer idiom in the LLVM source code, and
after a bit of hackery this morning figuring out how to persuade
Emacs's auto-indent to do what I wanted with it, I've decided to move
to an idiom in which the open brace comes right after the case
statement, and the code within it is indented the same as it would
have been without the brace. Then the whole case handler (including
the break) lives inside those braces, and you get something that looks
more like this:
switch (discriminant) {
case SIMPLE:
do stuff;
break;
case COMPLICATED: {
declare variables;
do stuff;
break;
}
}
This commit is a big-bang change that reformats all the complicated
case handlers I could find into the new layout. This is particularly
nice in the Pageant main function, in which almost _every_ case
handler had a bundle of variables and was long and complicated. (In
fact that's what motivated me to get round to this.) Some of the
innermost parts of the terminal escape-sequence handling are also
breathing a bit easier now the horizontal pressure on them is
relieved.
(Also, in a few cases, I was able to remove the extra braces
completely, because the only variable local to the case handler was a
loop variable which our new C99 policy allows me to move into the
initialiser clause of its for statement.)
Viewed with whitespace ignored, this is not too disruptive a change.
Downstream patches that conflict with it may need to be reapplied
using --ignore-whitespace or similar.
2020-02-16 07:49:52 +00:00
|
|
|
case WM_HELP: {
|
|
|
|
|
int id = ((LPHELPINFO)lParam)->iCtrlId;
|
|
|
|
|
const char *topic = NULL;
|
|
|
|
|
switch (id) {
|
|
|
|
|
case IDC_GENERATING:
|
|
|
|
|
case IDC_PROGRESS:
|
|
|
|
|
case IDC_GENSTATIC:
|
|
|
|
|
case IDC_GENERATE:
|
|
|
|
|
topic = WINHELP_CTX_puttygen_generate; break;
|
|
|
|
|
case IDC_PKSTATIC:
|
|
|
|
|
case IDC_KEYDISPLAY:
|
|
|
|
|
topic = WINHELP_CTX_puttygen_pastekey; break;
|
|
|
|
|
case IDC_FPSTATIC:
|
|
|
|
|
case IDC_FINGERPRINT:
|
|
|
|
|
topic = WINHELP_CTX_puttygen_fingerprint; break;
|
|
|
|
|
case IDC_COMMENTSTATIC:
|
|
|
|
|
case IDC_COMMENTEDIT:
|
|
|
|
|
topic = WINHELP_CTX_puttygen_comment; break;
|
|
|
|
|
case IDC_PASSPHRASE1STATIC:
|
|
|
|
|
case IDC_PASSPHRASE1EDIT:
|
|
|
|
|
case IDC_PASSPHRASE2STATIC:
|
|
|
|
|
case IDC_PASSPHRASE2EDIT:
|
|
|
|
|
topic = WINHELP_CTX_puttygen_passphrase; break;
|
|
|
|
|
case IDC_LOADSTATIC:
|
|
|
|
|
case IDC_LOAD:
|
|
|
|
|
topic = WINHELP_CTX_puttygen_load; break;
|
|
|
|
|
case IDC_SAVESTATIC:
|
|
|
|
|
case IDC_SAVE:
|
|
|
|
|
topic = WINHELP_CTX_puttygen_savepriv; break;
|
|
|
|
|
case IDC_SAVEPUB:
|
|
|
|
|
topic = WINHELP_CTX_puttygen_savepub; break;
|
|
|
|
|
case IDC_TYPESTATIC:
|
|
|
|
|
case IDC_KEYSSH1:
|
|
|
|
|
case IDC_KEYSSH2RSA:
|
|
|
|
|
case IDC_KEYSSH2DSA:
|
|
|
|
|
case IDC_KEYSSH2ECDSA:
|
|
|
|
|
case IDC_KEYSSH2ED25519:
|
|
|
|
|
topic = WINHELP_CTX_puttygen_keytype; break;
|
|
|
|
|
case IDC_BITSSTATIC:
|
|
|
|
|
case IDC_BITS:
|
|
|
|
|
topic = WINHELP_CTX_puttygen_bits; break;
|
|
|
|
|
case IDC_IMPORT:
|
|
|
|
|
case IDC_EXPORT_OPENSSH_AUTO:
|
|
|
|
|
case IDC_EXPORT_OPENSSH_NEW:
|
|
|
|
|
case IDC_EXPORT_SSHCOM:
|
|
|
|
|
topic = WINHELP_CTX_puttygen_conversions; break;
|
|
|
|
|
}
|
|
|
|
|
if (topic) {
|
|
|
|
|
launch_help(hwnd, topic);
|
|
|
|
|
} else {
|
|
|
|
|
MessageBeep(0);
|
2001-12-12 18:45:56 +00:00
|
|
|
}
|
|
|
|
|
break;
|
Formatting change to braces around one case of a switch.
Sometimes, within a switch statement, you want to declare local
variables specific to the handler for one particular case. Until now
I've mostly been writing this in the form
switch (discriminant) {
case SIMPLE:
do stuff;
break;
case COMPLICATED:
{
declare variables;
do stuff;
}
break;
}
which is ugly because the two pieces of essentially similar code
appear at different indent levels, and also inconvenient because you
have less horizontal space available to write the complicated case
handler in - particuarly undesirable because _complicated_ case
handlers are the ones most likely to need all the space they can get!
After encountering a rather nicer idiom in the LLVM source code, and
after a bit of hackery this morning figuring out how to persuade
Emacs's auto-indent to do what I wanted with it, I've decided to move
to an idiom in which the open brace comes right after the case
statement, and the code within it is indented the same as it would
have been without the brace. Then the whole case handler (including
the break) lives inside those braces, and you get something that looks
more like this:
switch (discriminant) {
case SIMPLE:
do stuff;
break;
case COMPLICATED: {
declare variables;
do stuff;
break;
}
}
This commit is a big-bang change that reformats all the complicated
case handlers I could find into the new layout. This is particularly
nice in the Pageant main function, in which almost _every_ case
handler had a bundle of variables and was long and complicated. (In
fact that's what motivated me to get round to this.) Some of the
innermost parts of the terminal escape-sequence handling are also
breathing a bit easier now the horizontal pressure on them is
relieved.
(Also, in a few cases, I was able to remove the extra braces
completely, because the only variable local to the case handler was a
loop variable which our new C99 policy allows me to move into the
initialiser clause of its for statement.)
Viewed with whitespace ignored, this is not too disruptive a change.
Downstream patches that conflict with it may need to be reapplied
using --ignore-whitespace or similar.
2020-02-16 07:49:52 +00:00
|
|
|
}
|
2000-10-19 15:43:08 +00:00
|
|
|
case WM_CLOSE:
|
2019-09-08 19:29:00 +00:00
|
|
|
state = (struct MainDlgState *) GetWindowLongPtr(hwnd, GWLP_USERDATA);
|
|
|
|
|
sfree(state);
|
|
|
|
|
quit_help(hwnd);
|
|
|
|
|
EndDialog(hwnd, 1);
|
|
|
|
|
return 0;
|
2000-10-19 15:43:08 +00:00
|
|
|
}
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
2006-12-17 11:16:07 +00:00
|
|
|
void cleanup_exit(int code)
|
|
|
|
|
{
|
|
|
|
|
shutdown_help();
|
|
|
|
|
exit(code);
|
|
|
|
|
}
|
2002-03-06 20:13:22 +00:00
|
|
|
|
Remove remaining uses of the GLOBAL macro.
We now have no remaining things in header files that switch from being
a declaration to a definition depending on an awkward #define at the
point of including that header. There are still a few mutable
variables with external linkage, but at least now each one is defined
in a specific source file file appropriate to its purpose and context.
The remaining globals as of this commit were:
- 'logctx' and 'term', which never needed to be globals in the first
place, because they were never actually shared between source
files. Now 'term' is just a static in window.c, and 'logctx' is a
static in each of that and winplink.c.
- 'hinst', which still has external linkage, but is now defined
separately in each source file that sets it up (i.e. those with a
WinMain)
- osMajorVersion, osMinorVersion and osPlatformId, whose definitions
now live in winmisc.c alongside the code which sets them up.
(Actually they were defined there all along, it turns out, but
every toolchain I've built with has commoned them together with the
version defined by the GLOBAL in the header.)
- 'hwnd', which nothing was actually _using_ any more after previous
commits, so all this commit had to do was delete it.
2020-02-02 10:00:43 +00:00
|
|
|
HINSTANCE hinst;
|
|
|
|
|
|
2001-05-06 14:35:20 +00:00
|
|
|
int WINAPI WinMain(HINSTANCE inst, HINSTANCE prev, LPSTR cmdline, int show)
|
|
|
|
|
{
|
2017-01-28 21:56:28 +00:00
|
|
|
int argc, i;
|
2002-08-06 17:48:14 +00:00
|
|
|
char **argv;
|
2006-12-17 11:16:07 +00:00
|
|
|
int ret;
|
2002-08-06 17:48:14 +00:00
|
|
|
|
2016-07-18 19:02:32 +00:00
|
|
|
dll_hijacking_protection();
|
|
|
|
|
|
2017-03-13 21:42:44 +00:00
|
|
|
init_common_controls();
|
2000-10-19 15:43:08 +00:00
|
|
|
hinst = inst;
|
2001-12-12 18:45:56 +00:00
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* See if we can find our Help file.
|
|
|
|
|
*/
|
2006-12-17 11:16:07 +00:00
|
|
|
init_help();
|
2001-12-12 18:45:56 +00:00
|
|
|
|
2005-03-19 02:26:58 +00:00
|
|
|
split_into_argv(cmdline, &argc, &argv, NULL);
|
|
|
|
|
|
2017-01-28 21:56:28 +00:00
|
|
|
for (i = 0; i < argc; i++) {
|
2019-09-08 19:29:00 +00:00
|
|
|
if (!strcmp(argv[i], "-pgpfp")) {
|
2020-02-02 10:00:42 +00:00
|
|
|
pgp_fingerprints_msgbox(NULL);
|
2019-09-08 19:29:00 +00:00
|
|
|
return 1;
|
2017-01-28 21:56:28 +00:00
|
|
|
} else if (!strcmp(argv[i], "-restrict-acl") ||
|
|
|
|
|
!strcmp(argv[i], "-restrict_acl") ||
|
|
|
|
|
!strcmp(argv[i], "-restrictacl")) {
|
|
|
|
|
restrict_process_acl();
|
2019-09-08 19:29:00 +00:00
|
|
|
} else {
|
|
|
|
|
/*
|
|
|
|
|
* Assume the first argument to be a private key file, and
|
|
|
|
|
* attempt to load it.
|
|
|
|
|
*/
|
|
|
|
|
cmdline_keyfile = argv[i];
|
2017-01-28 21:56:28 +00:00
|
|
|
break;
|
2019-09-08 19:29:00 +00:00
|
|
|
}
|
2005-03-19 02:26:58 +00:00
|
|
|
}
|
|
|
|
|
|
Replace PuTTY's PRNG with a Fortuna-like system.
This tears out the entire previous random-pool system in sshrand.c. In
its place is a system pretty close to Ferguson and Schneier's
'Fortuna' generator, with the main difference being that I use SHA-256
instead of AES for the generation side of the system (rationale given
in comment).
The PRNG implementation lives in sshprng.c, and defines a self-
contained data type with no state stored outside the object, so you
can instantiate however many of them you like. The old sshrand.c still
exists, but in place of the previous random pool system, it's just
become a client of sshprng.c, whose job is to hold a single global
instance of the PRNG type, and manage its reference count, save file,
noise-collection timers and similar administrative business.
Advantages of this change include:
- Fortuna is designed with a more varied threat model in mind than my
old home-grown random pool. For example, after any request for
random numbers, it automatically re-seeds itself, so that if the
state of the PRNG should be leaked, it won't give enough
information to find out what past outputs _were_.
- The PRNG type can be instantiated with any hash function; the
instance used by the main tools is based on SHA-256, an improvement
on the old pool's use of SHA-1.
- The new PRNG only uses the completely standard interface to the
hash function API, instead of having to have privileged access to
the internal SHA-1 block transform function. This will make it
easier to revamp the hash code in general, and also it means that
hardware-accelerated versions of SHA-256 will automatically be used
for the PRNG as well as for everything else.
- The new PRNG can be _tested_! Because it has an actual (if not
quite explicit) specification for exactly what the output numbers
_ought_ to be derived from the hashes of, I can (and have) put
tests in cryptsuite that ensure the output really is being derived
in the way I think it is. The old pool could have been returning
any old nonsense and it would have been very hard to tell for sure.
2019-01-22 22:42:41 +00:00
|
|
|
random_setup_special();
|
2006-12-17 11:16:07 +00:00
|
|
|
ret = DialogBox(hinst, MAKEINTRESOURCE(201), NULL, MainDlgProc) != IDOK;
|
|
|
|
|
|
|
|
|
|
cleanup_exit(ret);
|
2019-09-08 19:29:00 +00:00
|
|
|
return ret; /* just in case optimiser complains */
|
2000-10-19 15:43:08 +00:00
|
|
|
}
|