nhyatt/putty-source
1
0
Fork 0
mirror of https://git.tartarus.org/simon/putty.git synced 2025-01-09 17:38:00 +00:00
Code Issues Projects Releases Wiki Activity

cmdgen: command-line control of PPK save parameters.

Browse Source 
This allows you to manually adjust the Argon2 parameters so that you
can trade off CPU requirements in legitimate use against difficulty of
brute-force attack. It also allows downgrading the key file version
back to the widespread PPK v2, so you can manually back-port a key
that you accidentally generated too new.
This commit is contained in:
Simon Tatham 2021-02-22 18:13:12 +00:00
parent b8f3fc4bd1
commit 117cee8ea6
1 changed files with 72 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

74
cmdgen.c
View File

@ -150,6 +150,20 @@ void help(void)
" proven numbers that have been proven to be prime\n" " proven numbers that have been proven to be prime\n"
" proven-even also try harder for an even distribution\n" " proven-even also try harder for an even distribution\n"
" --strong-rsa use \"strong\" primes as RSA key factors\n" " --strong-rsa use \"strong\" primes as RSA key factors\n"
" --ppk-param <key>=<value>[,<key>=<value>,...]\n"
" specify parameters when writing PuTTY private key file "
"format:\n"
" version PPK format version (min 2, max 3, "
"default 3)\n"
" memory Kb of memory to use in password hash "
"(default 8192)\n"
" time approx milliseconds to hash for "
"(default 100)\n"
" passes exact number of hash passes to run "
"(alternative to 'time')\n"
" parallelism number of parallelisable threads in the "
"hash function\n"
" (default 1)\n"
); );
} }
@ -227,6 +241,7 @@ int main(int argc, char **argv)
int exit_status = 0; int exit_status = 0;
const PrimeGenerationPolicy *primegen = &primegen_probabilistic; const PrimeGenerationPolicy *primegen = &primegen_probabilistic;
bool strong_rsa = false; bool strong_rsa = false;
ppk_save_parameters params = ppk_save_default_parameters;
if (is_interactive()) if (is_interactive())
progress_fp = stderr; progress_fp = stderr;
@ -366,6 +381,62 @@ int main(int argc, char **argv)
strong_rsa = true; strong_rsa = true;
} else if (!strcmp(opt, "-reencrypt")) { } else if (!strcmp(opt, "-reencrypt")) {
reencrypt = true; reencrypt = true;
} else if (!strcmp(opt, "-ppk-param") ||
!strcmp(opt, "-ppk-params")) {
if (!val && argc > 1)
--argc, val = *++argv;
if (!val) {
errs = true;
fprintf(stderr, "puttygen: option `-%s'"
" expects an argument\n", opt);
} else {
char *nextval;
for (; val; val = nextval) {
nextval = strchr(val, ',');
if (nextval)
*nextval++ = '\0';
char *optvalue = strchr(val, '=');
if (!optvalue) {
errs = true;
fprintf(stderr, "puttygen: PPK parameter "
"'%s' expected a value\n", val);
continue;
}
*optvalue++ = '\0';
char *end;
unsigned long n = strtoul(optvalue, &end, 0);
if (!*optvalue || *end) {
errs = true;
fprintf(stderr, "puttygen: value '%s' for "
"PPK parameter '%s': expected a "
"number\n", optvalue, val);
continue;
}
if (!strcmp(val, "version")) {
params.fmt_version = n;
} else if (!strcmp(val, "memory") ||
!strcmp(val, "mem")) {
params.argon2_mem = n;
} else if (!strcmp(val, "time")) {
params.argon2_passes_auto = true;
params.argon2_milliseconds = n;
} else if (!strcmp(val, "passes")) {
params.argon2_passes_auto = false;
params.argon2_milliseconds = n;
} else if (!strcmp(val, "parallelism") ||
!strcmp(val, "parallel")) {
params.argon2_parallelism = n;
} else {
errs = true;
fprintf(stderr, "puttygen: unrecognised "
"PPK parameter '%s'\n", val);
continue;
}
}
}
} else { } else {
errs = true; errs = true;
fprintf(stderr, fprintf(stderr,
@ -1033,8 +1104,7 @@ int main(int argc, char **argv)
} }
} else { } else {
assert(ssh2key); assert(ssh2key);
ret = ppk_save_f(outfilename, ssh2key, new_passphrase, ret = ppk_save_f(outfilename, ssh2key, new_passphrase, &params);
&ppk_save_default_parameters);
if (!ret) { if (!ret) {
fprintf(stderr, "puttygen: unable to save SSH-2 private key\n"); fprintf(stderr, "puttygen: unable to save SSH-2 private key\n");
RETURN(1); RETURN(1);