• R/O
  • SSH
  • HTTPS

ttssh2: Commit


Commit MetaInfo

Revision9258 (tree)
Time2021-05-20 00:39:46
Authornmaya

Log Message

PuTTY private key format version 3 (PPK3) に対応

MF4-stable: r9256, r9257

Change Summary

Incremental Difference

--- trunk/doc/convtext.bat (revision 9257)
+++ trunk/doc/convtext.bat (revision 9258)
@@ -18,6 +18,8 @@
1818 %ZLIBCP% -i ..\libs\zlib\README -o %REF_J%\zlib-LICENSE.txt -l unix
1919 %TOSJIS% -i ..\libs\cJSON\LICENSE -o %REF_J%\cJSON-LICENSE.txt -l crlf
2020 %TOSJIS% -i ..\libs\cJSON\LICENSE -o %REF_E%\cJSON-LICENSE.txt -l crlf
21+%TOSJIS% -i ..\libs\argon2\LICENSE -o %REF_E%\argon2-LICENSE.txt -l unix
22+%TOSJIS% -i ..\libs\argon2\LICENSE -o %REF_J%\argon2-LICENSE.txt -l unix
2123
2224 perl -C0 -pe "s/^\xef\xbb\xbf//" ja/html/reference/build_with_cmake.md | perl Markdown_1.0.1/Markdown.pl > ja/html/reference/build_with_cmake_utf8.html
2325 %TOSJIS% -i ja/html/reference/build_with_cmake_utf8.html -o ja/html/reference/build_with_cmake.html -c utf8
--- trunk/doc/en/html/about/copyright.html (revision 9257)
+++ trunk/doc/en/html/about/copyright.html (revision 9258)
@@ -34,6 +34,7 @@
3434 <li>zlib ... <a href="../reference/zlib-LICENSE.txt">zlib License</a></li>
3535 <li>PuTTY ... <a href="../reference/PuTTY-LICENSE.txt">MIT License</a></li>
3636 <li>cJSON ... <a href="../reference/cJSON-LICENSE.txt">MIT License</a> <a href="https://github.com/DaveGamble/cJSON">(github)</a></li>
37+ <li>The reference C implementation of Argon2 ... <a href="../reference/argon2-LICENSE.txt">Creative Commons CC0 1.0 License/Waiver or the Apache License 2.0</a></li>
3738 </ul>
3839
3940
@@ -165,6 +166,8 @@
165166 This program uses the source code of OpenSSH.
166167 Copyright of PuTTY belongs to Simon Tatham. Please see <a href="../reference/PuTTY-LICENSE.txt">PuTTY-LICENSE.txt</a> for more information about license.
167168 This program uses the source code of PuTTY.
169+ Copyright of The reference C implementation of Argon2 belongs to Daniel Dinu, Dmitry Khovratovich, Jean-Philippe Aumasson, and Samuel Neves. Please see <a href="../reference/Argon2-LICENSE.txt">Argon2-LICENSE.txt</a> for more information about license.
170+ This program uses the source code of The reference C implementation of Argon2.
168171 Copyright of TTSSH icon file to Tatsuhiko Sakamoto.
169172
170173 This program is provided "as is" without warranties of any kind, either expressed or
--- trunk/doc/en/html/about/history.html (revision 9257)
+++ trunk/doc/en/html/about/history.html (revision 9258)
@@ -3271,6 +3271,7 @@
32713271 <li>Changes
32723272 <ul>
32733273 <li>added chacha20-poly1305@openssh.com symmetric key cipher algorithm for SSH2 protocol.</li>
3274+ <li>added support for the PuTTY private key format version 3 (PPK3).</li>
32743275 </ul>
32753276 </li>
32763277
--- trunk/doc/en/html/reference/develop.txt (revision 9257)
+++ trunk/doc/en/html/reference/develop.txt (revision 9258)
@@ -82,6 +82,7 @@
8282 - PuTTY 0.70 (http://www.chiark.greenend.org.uk/~sgtatham/putty/)
8383 - SFMT 1.5.1 (http://www.math.sci.hiroshima-u.ac.jp/~m-mat/MT/SFMT/index.html)
8484 - cJSON 1.7.14 (https://github.com/DaveGamble/cJSON/)
85+- The reference C implementation of Argon2 20190702 (https://github.com/P-H-C/phc-winner-argon2)
8586
8687
8788 * Notice for SVN committer
@@ -155,7 +156,7 @@
155156
156157 * How to build Libraries
157158 1. PuTTY (used by TTSSH)
158- (1) Extract putty source into libs/putty directory.
159+ (1) Extract PuTTY source into libs/putty directory.
159160
160161 2. Oniguruma (used by Tera Term Macro)
161162 (1) Extract oniguruma source into libs/oniguruma directory.
@@ -182,7 +183,10 @@
182183 6. cJSON (used by TTXCheckUpdate plugin)
183184 (1) Extract cJSON source into libs/cJSON directory.
184185
186+ 7. The reference C implementation of Argon2 (used by TTSSH)
187+ (1) Extract argon2 source into libs/argon2 directory.
185188
189+
186190 * How to build Tera Term
187191 To build Tera Term source code is shown in the following step:
188192 And you should use Visual Studio 2005 Standard Edition later version to build Tera Term because Tera Term program links MFC library (Visual Studio 2005 Express Edition can't be used).
--- trunk/doc/ja/html/about/copyright.html (revision 9257)
+++ trunk/doc/ja/html/about/copyright.html (revision 9258)
@@ -34,6 +34,7 @@
3434 <li>zlib ... <a href="../reference/zlib-LICENSE.txt">zlibライセンス</a></li>
3535 <li>PuTTY ... <a href="../reference/PuTTY-LICENSE.txt">MITライセンス</a></li>
3636 <li>cJSON ... <a href="../reference/cJSON-LICENSE.txt">MITライセンス</a> <a href="https://github.com/DaveGamble/cJSON">(github)</a></li>
37+ <li>The reference C implementation of Argon2 ... <a href="../reference/argon2-LICENSE.txt">Creative Commons CC0 1.0 License/Waiver または Apache License 2.0</a></li>
3738 </ul>
3839
3940
@@ -158,6 +159,8 @@
158159 本プログラムは、OpenSSHのソースコードを使用しています。
159160 PuTTYはSimon Tatham氏の著作物です。ライセンス情報については同梱の<a href="../reference/PuTTY-LICENSE.txt">PuTTY-LICENCE.txt</a>をご覧下さい。
160161 本プログラムは、PuTTYのソースコードを使用しています。
162+ The reference C implementation of Argon2 は Daniel Dinu, Dmitry Khovratovich, Jean-Philippe Aumasson, Samuel Neves 各氏の著作物です。ライセンス情報については同梱の<a href="../reference/Argon2-LICENSE.txt">Argon2-LICENCE.txt</a>をご覧下さい。
163+ 本プログラムは、The reference C implementation of Argon2 のソースコードを使用しています。
161164 TTSSHに関するパッチの一部は永田真也に著作権があります。
162165 TTSSHのアイコンは坂本龍彦氏に著作権があります。
163166
--- trunk/doc/ja/html/about/history.html (revision 9257)
+++ trunk/doc/ja/html/about/history.html (revision 9258)
@@ -3277,6 +3277,7 @@
32773277 <li>変更
32783278 <ul>
32793279 <li>SSH2 の共通鍵暗号方式に chacha20-poly1305@openssh.com を追加した。</li>
3280+ <li>PuTTY 形式の秘密鍵フォーマット3 (PPK3) に対応した。</li>
32803281 </ul>
32813282 </li>
32823283
--- trunk/doc/ja/html/reference/develop.txt (revision 9257)
+++ trunk/doc/ja/html/reference/develop.txt (revision 9258)
@@ -75,6 +75,7 @@
7575 - PuTTY 0.70 (http://www.chiark.greenend.org.uk/~sgtatham/putty/)
7676 - SFMT 1.5.1 (http://www.math.sci.hiroshima-u.ac.jp/~m-mat/MT/SFMT/index-jp.html)
7777 - cJSON 1.7.14 (https://github.com/DaveGamble/cJSON/)
78+- The reference C implementation of Argon2 20190702 (https://github.com/P-H-C/phc-winner-argon2)
7879
7980 ■ SVN コミッターへの注意
8081 - SVN リポジトリは一般向けとは違い、以下の通りです。
@@ -150,7 +151,8 @@
150151
151152 ■ ライブラリのビルド方法
152153 1. PuTTY (used by TTSSH)
153- (1) putty のソースを libs/putty の中に展開する。
154+ (1) PuTTY のソースを libs/putty の中に展開する。
155+ * ttssh ソリューション配下の putty プロジェクトにより必要な機能のみが静的ライブラリ化され、ttxssh.dll にリンクされるため、展開するだけでよい。
154156
155157 2. Oniguruma (used by Tera Term Macro)
156158 (1) oniguruma のソースを libs/oniguruma の中に展開する。
@@ -177,6 +179,11 @@
177179 6. cJSON (used by TTXCheckUpdate plugin)
178180 (1) cJSON のソースを libs/cJSON の中に展開する。
179181
182+ 7. The reference C implementation of Argon2 (used by TTSSH)
183+ (1) argon2 のソースを libs/argon2 の中に展開する。
184+ * argon2 リファレンス実装には静的ライブラリを生成するプロジェクトファイルが含まれていない。ttssh ソリューション配下の argon2 プロジェクトにより静的ライブラリが生成され、ttxssh.dll にリンクされるため、展開するだけでよい。
185+
186+
180187 ■ Tera Termのビルド方法
181188 Tera Termのビルド方法について以下に示します。
182189 ビルドにはVisual Studio 2005 Standard Edition以上が必要です。(Visual Studio 2005 Express Editionは不可)
--- trunk/ttssh2/argon2/argon2.h (nonexistent)
+++ trunk/ttssh2/argon2/argon2.h (revision 9258)
@@ -0,0 +1,443 @@
1+/*
2+ * Argon2 reference source code package - reference C implementations
3+ *
4+ * Copyright 2015
5+ * Daniel Dinu, Dmitry Khovratovich, Jean-Philippe Aumasson, and Samuel Neves
6+ *
7+ * You may use this work under the terms of a Creative Commons CC0 1.0
8+ * License/Waiver or the Apache Public License 2.0, at your option. The terms of
9+ * these licenses can be found at:
10+ *
11+ * - CC0 1.0 Universal : http://creativecommons.org/publicdomain/zero/1.0
12+ * - Apache 2.0 : http://www.apache.org/licenses/LICENSE-2.0
13+ *
14+ * You should have received a copy of both of these licenses along with this
15+ * software. If not, they may be obtained at the above URLs.
16+ */
17+
18+/*
19+ * modified from original include/argon2.h
20+ * - remove __declspec(dllexport)
21+ */
22+
23+#ifndef ARGON2_H
24+#define ARGON2_H
25+
26+#include <stdint.h>
27+#include <stddef.h>
28+#include <limits.h>
29+
30+#if defined(__cplusplus)
31+extern "C" {
32+#endif
33+
34+/* Symbols visibility control */
35+#ifdef A2_VISCTL
36+#define ARGON2_PUBLIC __attribute__((visibility("default")))
37+#define ARGON2_LOCAL __attribute__ ((visibility ("hidden")))
38+#elif _MSC_VER
39+// #define ARGON2_PUBLIC __declspec(dllexport)
40+#define ARGON2_PUBLIC
41+#define ARGON2_LOCAL
42+#else
43+#define ARGON2_PUBLIC
44+#define ARGON2_LOCAL
45+#endif
46+
47+/*
48+ * Argon2 input parameter restrictions
49+ */
50+
51+/* Minimum and maximum number of lanes (degree of parallelism) */
52+#define ARGON2_MIN_LANES UINT32_C(1)
53+#define ARGON2_MAX_LANES UINT32_C(0xFFFFFF)
54+
55+/* Minimum and maximum number of threads */
56+#define ARGON2_MIN_THREADS UINT32_C(1)
57+#define ARGON2_MAX_THREADS UINT32_C(0xFFFFFF)
58+
59+/* Number of synchronization points between lanes per pass */
60+#define ARGON2_SYNC_POINTS UINT32_C(4)
61+
62+/* Minimum and maximum digest size in bytes */
63+#define ARGON2_MIN_OUTLEN UINT32_C(4)
64+#define ARGON2_MAX_OUTLEN UINT32_C(0xFFFFFFFF)
65+
66+/* Minimum and maximum number of memory blocks (each of BLOCK_SIZE bytes) */
67+#define ARGON2_MIN_MEMORY (2 * ARGON2_SYNC_POINTS) /* 2 blocks per slice */
68+
69+#define ARGON2_MIN(a, b) ((a) < (b) ? (a) : (b))
70+/* Max memory size is addressing-space/2, topping at 2^32 blocks (4 TB) */
71+#define ARGON2_MAX_MEMORY_BITS \
72+ ARGON2_MIN(UINT32_C(32), (sizeof(void *) * CHAR_BIT - 10 - 1))
73+#define ARGON2_MAX_MEMORY \
74+ ARGON2_MIN(UINT32_C(0xFFFFFFFF), UINT64_C(1) << ARGON2_MAX_MEMORY_BITS)
75+
76+/* Minimum and maximum number of passes */
77+#define ARGON2_MIN_TIME UINT32_C(1)
78+#define ARGON2_MAX_TIME UINT32_C(0xFFFFFFFF)
79+
80+/* Minimum and maximum password length in bytes */
81+#define ARGON2_MIN_PWD_LENGTH UINT32_C(0)
82+#define ARGON2_MAX_PWD_LENGTH UINT32_C(0xFFFFFFFF)
83+
84+/* Minimum and maximum associated data length in bytes */
85+#define ARGON2_MIN_AD_LENGTH UINT32_C(0)
86+#define ARGON2_MAX_AD_LENGTH UINT32_C(0xFFFFFFFF)
87+
88+/* Minimum and maximum salt length in bytes */
89+#define ARGON2_MIN_SALT_LENGTH UINT32_C(8)
90+#define ARGON2_MAX_SALT_LENGTH UINT32_C(0xFFFFFFFF)
91+
92+/* Minimum and maximum key length in bytes */
93+#define ARGON2_MIN_SECRET UINT32_C(0)
94+#define ARGON2_MAX_SECRET UINT32_C(0xFFFFFFFF)
95+
96+/* Flags to determine which fields are securely wiped (default = no wipe). */
97+#define ARGON2_DEFAULT_FLAGS UINT32_C(0)
98+#define ARGON2_FLAG_CLEAR_PASSWORD (UINT32_C(1) << 0)
99+#define ARGON2_FLAG_CLEAR_SECRET (UINT32_C(1) << 1)
100+
101+/* Global flag to determine if we are wiping internal memory buffers. This flag
102+ * is defined in core.c and defaults to 1 (wipe internal memory). */
103+extern int FLAG_clear_internal_memory;
104+
105+/* Error codes */
106+typedef enum Argon2_ErrorCodes {
107+ ARGON2_OK = 0,
108+
109+ ARGON2_OUTPUT_PTR_NULL = -1,
110+
111+ ARGON2_OUTPUT_TOO_SHORT = -2,
112+ ARGON2_OUTPUT_TOO_LONG = -3,
113+
114+ ARGON2_PWD_TOO_SHORT = -4,
115+ ARGON2_PWD_TOO_LONG = -5,
116+
117+ ARGON2_SALT_TOO_SHORT = -6,
118+ ARGON2_SALT_TOO_LONG = -7,
119+
120+ ARGON2_AD_TOO_SHORT = -8,
121+ ARGON2_AD_TOO_LONG = -9,
122+
123+ ARGON2_SECRET_TOO_SHORT = -10,
124+ ARGON2_SECRET_TOO_LONG = -11,
125+
126+ ARGON2_TIME_TOO_SMALL = -12,
127+ ARGON2_TIME_TOO_LARGE = -13,
128+
129+ ARGON2_MEMORY_TOO_LITTLE = -14,
130+ ARGON2_MEMORY_TOO_MUCH = -15,
131+
132+ ARGON2_LANES_TOO_FEW = -16,
133+ ARGON2_LANES_TOO_MANY = -17,
134+
135+ ARGON2_PWD_PTR_MISMATCH = -18, /* NULL ptr with non-zero length */
136+ ARGON2_SALT_PTR_MISMATCH = -19, /* NULL ptr with non-zero length */
137+ ARGON2_SECRET_PTR_MISMATCH = -20, /* NULL ptr with non-zero length */
138+ ARGON2_AD_PTR_MISMATCH = -21, /* NULL ptr with non-zero length */
139+
140+ ARGON2_MEMORY_ALLOCATION_ERROR = -22,
141+
142+ ARGON2_FREE_MEMORY_CBK_NULL = -23,
143+ ARGON2_ALLOCATE_MEMORY_CBK_NULL = -24,
144+
145+ ARGON2_INCORRECT_PARAMETER = -25,
146+ ARGON2_INCORRECT_TYPE = -26,
147+
148+ ARGON2_OUT_PTR_MISMATCH = -27,
149+
150+ ARGON2_THREADS_TOO_FEW = -28,
151+ ARGON2_THREADS_TOO_MANY = -29,
152+
153+ ARGON2_MISSING_ARGS = -30,
154+
155+ ARGON2_ENCODING_FAIL = -31,
156+
157+ ARGON2_DECODING_FAIL = -32,
158+
159+ ARGON2_THREAD_FAIL = -33,
160+
161+ ARGON2_DECODING_LENGTH_FAIL = -34,
162+
163+ ARGON2_VERIFY_MISMATCH = -35
164+} argon2_error_codes;
165+
166+/* Memory allocator types --- for external allocation */
167+typedef int (*allocate_fptr)(uint8_t **memory, size_t bytes_to_allocate);
168+typedef void (*deallocate_fptr)(uint8_t *memory, size_t bytes_to_allocate);
169+
170+/* Argon2 external data structures */
171+
172+/*
173+ *****
174+ * Context: structure to hold Argon2 inputs:
175+ * output array and its length,
176+ * password and its length,
177+ * salt and its length,
178+ * secret and its length,
179+ * associated data and its length,
180+ * number of passes, amount of used memory (in KBytes, can be rounded up a bit)
181+ * number of parallel threads that will be run.
182+ * All the parameters above affect the output hash value.
183+ * Additionally, two function pointers can be provided to allocate and
184+ * deallocate the memory (if NULL, memory will be allocated internally).
185+ * Also, three flags indicate whether to erase password, secret as soon as they
186+ * are pre-hashed (and thus not needed anymore), and the entire memory
187+ *****
188+ * Simplest situation: you have output array out[8], password is stored in
189+ * pwd[32], salt is stored in salt[16], you do not have keys nor associated
190+ * data. You need to spend 1 GB of RAM and you run 5 passes of Argon2d with
191+ * 4 parallel lanes.
192+ * You want to erase the password, but you're OK with last pass not being
193+ * erased. You want to use the default memory allocator.
194+ * Then you initialize:
195+ Argon2_Context(out,8,pwd,32,salt,16,NULL,0,NULL,0,5,1<<20,4,4,NULL,NULL,true,false,false,false)
196+ */
197+typedef struct Argon2_Context {
198+ uint8_t *out; /* output array */
199+ uint32_t outlen; /* digest length */
200+
201+ uint8_t *pwd; /* password array */
202+ uint32_t pwdlen; /* password length */
203+
204+ uint8_t *salt; /* salt array */
205+ uint32_t saltlen; /* salt length */
206+
207+ uint8_t *secret; /* key array */
208+ uint32_t secretlen; /* key length */
209+
210+ uint8_t *ad; /* associated data array */
211+ uint32_t adlen; /* associated data length */
212+
213+ uint32_t t_cost; /* number of passes */
214+ uint32_t m_cost; /* amount of memory requested (KB) */
215+ uint32_t lanes; /* number of lanes */
216+ uint32_t threads; /* maximum number of threads */
217+
218+ uint32_t version; /* version number */
219+
220+ allocate_fptr allocate_cbk; /* pointer to memory allocator */
221+ deallocate_fptr free_cbk; /* pointer to memory deallocator */
222+
223+ uint32_t flags; /* array of bool options */
224+} argon2_context;
225+
226+/* Argon2 primitive type */
227+typedef enum Argon2_type {
228+ Argon2_d = 0,
229+ Argon2_i = 1,
230+ Argon2_id = 2
231+} argon2_type;
232+
233+/* Version of the algorithm */
234+typedef enum Argon2_version {
235+ ARGON2_VERSION_10 = 0x10,
236+ ARGON2_VERSION_13 = 0x13,
237+ ARGON2_VERSION_NUMBER = ARGON2_VERSION_13
238+} argon2_version;
239+
240+/*
241+ * Function that gives the string representation of an argon2_type.
242+ * @param type The argon2_type that we want the string for
243+ * @param uppercase Whether the string should have the first letter uppercase
244+ * @return NULL if invalid type, otherwise the string representation.
245+ */
246+ARGON2_PUBLIC const char *argon2_type2string(argon2_type type, int uppercase);
247+
248+/*
249+ * Function that performs memory-hard hashing with certain degree of parallelism
250+ * @param context Pointer to the Argon2 internal structure
251+ * @return Error code if smth is wrong, ARGON2_OK otherwise
252+ */
253+ARGON2_PUBLIC int argon2_ctx(argon2_context *context, argon2_type type);
254+
255+/**
256+ * Hashes a password with Argon2i, producing an encoded hash
257+ * @param t_cost Number of iterations
258+ * @param m_cost Sets memory usage to m_cost kibibytes
259+ * @param parallelism Number of threads and compute lanes
260+ * @param pwd Pointer to password
261+ * @param pwdlen Password size in bytes
262+ * @param salt Pointer to salt
263+ * @param saltlen Salt size in bytes
264+ * @param hashlen Desired length of the hash in bytes
265+ * @param encoded Buffer where to write the encoded hash
266+ * @param encodedlen Size of the buffer (thus max size of the encoded hash)
267+ * @pre Different parallelism levels will give different results
268+ * @pre Returns ARGON2_OK if successful
269+ */
270+ARGON2_PUBLIC int argon2i_hash_encoded(const uint32_t t_cost,
271+ const uint32_t m_cost,
272+ const uint32_t parallelism,
273+ const void *pwd, const size_t pwdlen,
274+ const void *salt, const size_t saltlen,
275+ const size_t hashlen, char *encoded,
276+ const size_t encodedlen);
277+
278+/**
279+ * Hashes a password with Argon2i, producing a raw hash at @hash
280+ * @param t_cost Number of iterations
281+ * @param m_cost Sets memory usage to m_cost kibibytes
282+ * @param parallelism Number of threads and compute lanes
283+ * @param pwd Pointer to password
284+ * @param pwdlen Password size in bytes
285+ * @param salt Pointer to salt
286+ * @param saltlen Salt size in bytes
287+ * @param hash Buffer where to write the raw hash - updated by the function
288+ * @param hashlen Desired length of the hash in bytes
289+ * @pre Different parallelism levels will give different results
290+ * @pre Returns ARGON2_OK if successful
291+ */
292+ARGON2_PUBLIC int argon2i_hash_raw(const uint32_t t_cost, const uint32_t m_cost,
293+ const uint32_t parallelism, const void *pwd,
294+ const size_t pwdlen, const void *salt,
295+ const size_t saltlen, void *hash,
296+ const size_t hashlen);
297+
298+ARGON2_PUBLIC int argon2d_hash_encoded(const uint32_t t_cost,
299+ const uint32_t m_cost,
300+ const uint32_t parallelism,
301+ const void *pwd, const size_t pwdlen,
302+ const void *salt, const size_t saltlen,
303+ const size_t hashlen, char *encoded,
304+ const size_t encodedlen);
305+
306+ARGON2_PUBLIC int argon2d_hash_raw(const uint32_t t_cost, const uint32_t m_cost,
307+ const uint32_t parallelism, const void *pwd,
308+ const size_t pwdlen, const void *salt,
309+ const size_t saltlen, void *hash,
310+ const size_t hashlen);
311+
312+ARGON2_PUBLIC int argon2id_hash_encoded(const uint32_t t_cost,
313+ const uint32_t m_cost,
314+ const uint32_t parallelism,
315+ const void *pwd, const size_t pwdlen,
316+ const void *salt, const size_t saltlen,
317+ const size_t hashlen, char *encoded,
318+ const size_t encodedlen);
319+
320+ARGON2_PUBLIC int argon2id_hash_raw(const uint32_t t_cost,
321+ const uint32_t m_cost,
322+ const uint32_t parallelism, const void *pwd,
323+ const size_t pwdlen, const void *salt,
324+ const size_t saltlen, void *hash,
325+ const size_t hashlen);
326+
327+/* generic function underlying the above ones */
328+ARGON2_PUBLIC int argon2_hash(const uint32_t t_cost, const uint32_t m_cost,
329+ const uint32_t parallelism, const void *pwd,
330+ const size_t pwdlen, const void *salt,
331+ const size_t saltlen, void *hash,
332+ const size_t hashlen, char *encoded,
333+ const size_t encodedlen, argon2_type type,
334+ const uint32_t version);
335+
336+/**
337+ * Verifies a password against an encoded string
338+ * Encoded string is restricted as in validate_inputs()
339+ * @param encoded String encoding parameters, salt, hash
340+ * @param pwd Pointer to password
341+ * @pre Returns ARGON2_OK if successful
342+ */
343+ARGON2_PUBLIC int argon2i_verify(const char *encoded, const void *pwd,
344+ const size_t pwdlen);
345+
346+ARGON2_PUBLIC int argon2d_verify(const char *encoded, const void *pwd,
347+ const size_t pwdlen);
348+
349+ARGON2_PUBLIC int argon2id_verify(const char *encoded, const void *pwd,
350+ const size_t pwdlen);
351+
352+/* generic function underlying the above ones */
353+ARGON2_PUBLIC int argon2_verify(const char *encoded, const void *pwd,
354+ const size_t pwdlen, argon2_type type);
355+
356+/**
357+ * Argon2d: Version of Argon2 that picks memory blocks depending
358+ * on the password and salt. Only for side-channel-free
359+ * environment!!
360+ *****
361+ * @param context Pointer to current Argon2 context
362+ * @return Zero if successful, a non zero error code otherwise
363+ */
364+ARGON2_PUBLIC int argon2d_ctx(argon2_context *context);
365+
366+/**
367+ * Argon2i: Version of Argon2 that picks memory blocks
368+ * independent on the password and salt. Good for side-channels,
369+ * but worse w.r.t. tradeoff attacks if only one pass is used.
370+ *****
371+ * @param context Pointer to current Argon2 context
372+ * @return Zero if successful, a non zero error code otherwise
373+ */
374+ARGON2_PUBLIC int argon2i_ctx(argon2_context *context);
375+
376+/**
377+ * Argon2id: Version of Argon2 where the first half-pass over memory is
378+ * password-independent, the rest are password-dependent (on the password and
379+ * salt). OK against side channels (they reduce to 1/2-pass Argon2i), and
380+ * better with w.r.t. tradeoff attacks (similar to Argon2d).
381+ *****
382+ * @param context Pointer to current Argon2 context
383+ * @return Zero if successful, a non zero error code otherwise
384+ */
385+ARGON2_PUBLIC int argon2id_ctx(argon2_context *context);
386+
387+/**
388+ * Verify if a given password is correct for Argon2d hashing
389+ * @param context Pointer to current Argon2 context
390+ * @param hash The password hash to verify. The length of the hash is
391+ * specified by the context outlen member
392+ * @return Zero if successful, a non zero error code otherwise
393+ */
394+ARGON2_PUBLIC int argon2d_verify_ctx(argon2_context *context, const char *hash);
395+
396+/**
397+ * Verify if a given password is correct for Argon2i hashing
398+ * @param context Pointer to current Argon2 context
399+ * @param hash The password hash to verify. The length of the hash is
400+ * specified by the context outlen member
401+ * @return Zero if successful, a non zero error code otherwise
402+ */
403+ARGON2_PUBLIC int argon2i_verify_ctx(argon2_context *context, const char *hash);
404+
405+/**
406+ * Verify if a given password is correct for Argon2id hashing
407+ * @param context Pointer to current Argon2 context
408+ * @param hash The password hash to verify. The length of the hash is
409+ * specified by the context outlen member
410+ * @return Zero if successful, a non zero error code otherwise
411+ */
412+ARGON2_PUBLIC int argon2id_verify_ctx(argon2_context *context,
413+ const char *hash);
414+
415+/* generic function underlying the above ones */
416+ARGON2_PUBLIC int argon2_verify_ctx(argon2_context *context, const char *hash,
417+ argon2_type type);
418+
419+/**
420+ * Get the associated error message for given error code
421+ * @return The error message associated with the given error code
422+ */
423+ARGON2_PUBLIC const char *argon2_error_message(int error_code);
424+
425+/**
426+ * Returns the encoded hash length for the given input parameters
427+ * @param t_cost Number of iterations
428+ * @param m_cost Memory usage in kibibytes
429+ * @param parallelism Number of threads; used to compute lanes
430+ * @param saltlen Salt size in bytes
431+ * @param hashlen Hash size in bytes
432+ * @param type The argon2_type that we want the encoded length for
433+ * @return The encoded hash length in bytes
434+ */
435+ARGON2_PUBLIC size_t argon2_encodedlen(uint32_t t_cost, uint32_t m_cost,
436+ uint32_t parallelism, uint32_t saltlen,
437+ uint32_t hashlen, argon2_type type);
438+
439+#if defined(__cplusplus)
440+}
441+#endif
442+
443+#endif
--- trunk/ttssh2/argon2/compat/stdint.h (nonexistent)
+++ trunk/ttssh2/argon2/compat/stdint.h (revision 9258)
@@ -0,0 +1,17 @@
1+/*
2+ * Visual Studio 2008 or earlier doesn't have stdint.h
3+ */
4+
5+#if (_MSC_VER < 1300)
6+ typedef unsigned char uint8_t;
7+ typedef unsigned short uint32_t;
8+#else
9+ typedef unsigned __int8 uint8_t;
10+ typedef unsigned __int32 uint32_t;
11+#endif
12+typedef unsigned __int64 uint64_t;
13+
14+#define UINT32_MAX _UI32_MAX
15+
16+#define UINT32_C(val) val##ui32
17+#define UINT64_C(val) val##ui64
--- trunk/ttssh2/putty/libputty.c (revision 9257)
+++ trunk/ttssh2/putty/libputty.c (revision 9258)
@@ -28,6 +28,16 @@
2828 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
2929 */
3030
31+/*
32+ * putty プロジェクトは
33+ * - PuTTY のソースファイル (プロジェクトに読み込むファイルは最小限)
34+ * - libputty.c/h
35+ * PuTTY の機能を利用するインターフェース
36+ * PuTTY のソースファイルから必要な関数のみをコピー
37+ * から静的ライブラリ libputty.lib を生成し、TTXSSH からリンクされて利用される。
38+ * そのため、TTXSSH 側の定義は持ち込まない。
39+ */
40+
3141 #include <windows.h>
3242 #include <assert.h>
3343
--- trunk/ttssh2/ttxssh/keyfiles-putty.c (nonexistent)
+++ trunk/ttssh2/ttxssh/keyfiles-putty.c (revision 9258)
@@ -0,0 +1,354 @@
1+/* Imported from PuTTY 0.74, 0.75, TeraTerm Project */
2+
3+/*
4+ * (C) 2021- TeraTerm Project
5+ * All rights reserved.
6+ *
7+ * Redistribution and use in source and binary forms, with or without
8+ * modification, are permitted provided that the following conditions
9+ * are met:
10+ *
11+ * 1. Redistributions of source code must retain the above copyright
12+ * notice, this list of conditions and the following disclaimer.
13+ * 2. Redistributions in binary form must reproduce the above copyright
14+ * notice, this list of conditions and the following disclaimer in the
15+ * documentation and/or other materials provided with the distribution.
16+ * 3. The name of the author may not be used to endorse or promote products
17+ * derived from this software without specific prior written permission.
18+ *
19+ * THIS SOFTWARE IS PROVIDED BY THE AUTHORS ``AS IS'' AND ANY EXPRESS OR
20+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
21+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
22+ * IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY DIRECT, INDIRECT,
23+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
24+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
25+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
26+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
27+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
28+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
29+ */
30+
31+#include "ttxssh.h"
32+#include "keyfiles-putty.h"
33+
34+// from sshpubk.c (ver 0.75)
35+BOOL str_to_uint32_t(const char *s, uint32_t *out)
36+{
37+ char *endptr;
38+ unsigned long converted = strtoul(s, &endptr, 10);
39+ if (*s && !*endptr && converted <= ~(uint32_t)0) {
40+ *out = converted;
41+ return TRUE;
42+ } else {
43+ return FALSE;
44+ }
45+}
46+
47+// from sshpubk.c (ver 0.74)
48+BOOL ppk_read_header(FILE * fp, char *header)
49+{
50+ int len = 39;
51+ int c;
52+
53+ while (1) {
54+ c = fgetc(fp);
55+ if (c == '\n' || c == '\r' || c == EOF)
56+ return FALSE;
57+ if (c == ':') {
58+ c = fgetc(fp);
59+ if (c != ' ')
60+ return FALSE;
61+ *header = '\0';
62+ return TRUE;
63+ }
64+ if (len == 0)
65+ return FALSE;
66+ *header++ = c;
67+ len--;
68+ }
69+ return FALSE;
70+}
71+
72+// from sshpubk.c (ver 0.74)
73+char *ppk_read_body(FILE * fp)
74+{
75+ buffer_t *buf = buffer_init();
76+
77+ while (1) {
78+ int c = fgetc(fp);
79+ if (c == '\r' || c == '\n' || c == EOF) {
80+ if (c != EOF) {
81+ c = fgetc(fp);
82+ if (c != '\r' && c != '\n')
83+ ungetc(c, fp);
84+ }
85+ return buffer_ptr(buf);
86+ }
87+ buffer_put_char(buf, c);
88+ }
89+}
90+
91+// from sshpubk.c (ver 0.74), and modified
92+// - use buffer_t insted of strbuf
93+// - use OpenSSL function
94+BOOL ppk_read_blob(FILE* fp, int nlines, buffer_t *blob)
95+{
96+ BIO *bmem, *b64, *chain;
97+ int i, len;
98+ char line[200], buf[100];
99+
100+ b64 = BIO_new(BIO_f_base64());
101+ bmem = BIO_new(BIO_s_mem());
102+ for (i=0; i<nlines && fgets(line, sizeof(line), fp)!=NULL; i++) {
103+ BIO_write(bmem, line, strlen(line));
104+ }
105+ BIO_flush(bmem);
106+ chain = BIO_push(b64, bmem);
107+ BIO_set_mem_eof_return(chain, 0);
108+ while ((len = BIO_read(chain, buf, sizeof(buf))) > 0) {
109+ buffer_append(blob, buf, len);
110+ }
111+ BIO_free_all(chain);
112+
113+ return TRUE;
114+}
115+
116+// from sshsha.c (ver 0.70), and modifled
117+// - use OpenSSL function
118+void hmac_sha1_simple(unsigned char *key, int keylen, void *data, int datalen,
119+ unsigned char *output)
120+{
121+ EVP_MD_CTX *ctx[2] = {0, 0};
122+ unsigned char intermediate[20];
123+ unsigned char foo[64];
124+ const EVP_MD *md = EVP_sha1();
125+ int i;
126+ unsigned int len;
127+
128+ ctx[0] = EVP_MD_CTX_new();
129+ if (ctx[0] == NULL) {
130+ return;
131+ }
132+ ctx[1] = EVP_MD_CTX_new();
133+ if (ctx[1] == NULL) {
134+ EVP_MD_CTX_free(ctx[0]);
135+ return;
136+ }
137+
138+ memset(foo, 0x36, sizeof(foo));
139+ for (i = 0; i < keylen && i < sizeof(foo); i++) {
140+ foo[i] ^= key[i];
141+ }
142+ EVP_DigestInit(ctx[0], md);
143+ EVP_DigestUpdate(ctx[0], foo, sizeof(foo));
144+
145+ memset(foo, 0x5C, sizeof(foo));
146+ for (i = 0; i < keylen && i < sizeof(foo); i++) {
147+ foo[i] ^= key[i];
148+ }
149+ EVP_DigestInit(ctx[1], md);
150+ EVP_DigestUpdate(ctx[1], foo, sizeof(foo));
151+
152+ memset(foo, 0, sizeof(foo));
153+
154+ EVP_DigestUpdate(ctx[0], data, datalen);
155+ EVP_DigestFinal(ctx[0], intermediate, &len);
156+
157+ EVP_DigestUpdate(ctx[1], intermediate, sizeof(intermediate));
158+ EVP_DigestFinal(ctx[1], output, &len);
159+
160+ EVP_MD_CTX_free(ctx[0]);
161+ EVP_MD_CTX_free(ctx[1]);
162+}
163+
164+void hmac_sha256_simple(unsigned char *key, int keylen, void *data, int datalen,
165+ unsigned char *output)
166+{
167+ EVP_MD_CTX *ctx[2] = {0, 0};
168+ unsigned char intermediate[32];
169+ unsigned char foo[64];
170+ const EVP_MD *md = EVP_sha256();
171+ int i;
172+ unsigned int len;
173+
174+ ctx[0] = EVP_MD_CTX_new();
175+ if (ctx[0] == NULL) {
176+ return;
177+ }
178+ ctx[1] = EVP_MD_CTX_new();
179+ if (ctx[1] == NULL) {
180+ EVP_MD_CTX_free(ctx[0]);
181+ return;
182+ }
183+
184+ memset(foo, 0x36, sizeof(foo));
185+ for (i = 0; i < keylen && i < sizeof(foo); i++) {
186+ foo[i] ^= key[i];
187+ }
188+ EVP_DigestInit(ctx[0], md);
189+ EVP_DigestUpdate(ctx[0], foo, sizeof(foo));
190+
191+ memset(foo, 0x5C, sizeof(foo));
192+ for (i = 0; i < keylen && i < sizeof(foo); i++) {
193+ foo[i] ^= key[i];
194+ }
195+ EVP_DigestInit(ctx[1], md);
196+ EVP_DigestUpdate(ctx[1], foo, sizeof(foo));
197+
198+ memset(foo, 0, sizeof(foo));
199+
200+ EVP_DigestUpdate(ctx[0], data, datalen);
201+ EVP_DigestFinal(ctx[0], intermediate, &len);
202+
203+ EVP_DigestUpdate(ctx[1], intermediate, sizeof(intermediate));
204+ EVP_DigestFinal(ctx[1], output, &len);
205+
206+ EVP_MD_CTX_free(ctx[0]);
207+ EVP_MD_CTX_free(ctx[1]);
208+}
209+
210+// from sshsha.c (ver 0.70) hmac_sha1_simple
211+// sshauxcrypt.c (ver 0.75) mac_simple, and modifled
212+// - use OpenSSL function
213+// - use EVP_MD instead of ssh2_macalg
214+void mac_simple(const EVP_MD *md,
215+ unsigned char *key, int keylen, void *data, int datalen,
216+ unsigned char *output)
217+{
218+ EVP_MD_CTX *ctx[2] = {0, 0};
219+ unsigned char intermediate[32]; // sha1: 160bit / sha256: 256bit
220+ unsigned char foo[64]; // block size ... sha1: 512bit / sha256: 512bit
221+ int i;
222+ unsigned int len;
223+
224+ ctx[0] = EVP_MD_CTX_new();
225+ if (ctx[0] == NULL) {
226+ return;
227+ }
228+ ctx[1] = EVP_MD_CTX_new();
229+ if (ctx[1] == NULL) {
230+ EVP_MD_CTX_free(ctx[0]);
231+ return;
232+ }
233+
234+ memset(foo, 0x36, sizeof(foo));
235+ for (i = 0; i < keylen && i < sizeof(foo); i++) {
236+ foo[i] ^= key[i];
237+ }
238+ EVP_DigestInit(ctx[0], md);
239+ EVP_DigestUpdate(ctx[0], foo, sizeof(foo));
240+
241+ memset(foo, 0x5C, sizeof(foo));
242+ for (i = 0; i < keylen && i < sizeof(foo); i++) {
243+ foo[i] ^= key[i];
244+ }
245+ EVP_DigestInit(ctx[1], md);
246+ EVP_DigestUpdate(ctx[1], foo, sizeof(foo));
247+
248+ memset(foo, 0, sizeof(foo));
249+
250+ EVP_DigestUpdate(ctx[0], data, datalen);
251+ EVP_DigestFinal(ctx[0], intermediate, &len);
252+
253+ EVP_DigestUpdate(ctx[1], intermediate, EVP_MD_size(md));
254+ EVP_DigestFinal(ctx[1], output, &len);
255+
256+ EVP_MD_CTX_free(ctx[0]);
257+ EVP_MD_CTX_free(ctx[1]);
258+}
259+
260+// from sshpubk.c (ver 0.75), and modifled
261+// - delete unnecessary paramters
262+// - use char ** and int * instead of ptrlen
263+// - use buffer_t instead of strbuf
264+// - use OpenSSL function
265+// - use argon2 function
266+void ssh2_ppk_derive_keys(
267+ unsigned fmt_version, const struct ssh2cipher* ciphertype,
268+ unsigned char *passphrase, buffer_t *storage,
269+ unsigned char **cipherkey, unsigned int *cipherkey_len,
270+ unsigned char **cipheriv, unsigned int *cipheriv_len,
271+ unsigned char **mackey, unsigned int *mackey_len,
272+ ppk_argon2_parameters *params)
273+{
274+ size_t mac_keylen = 0;
275+ u_int ivlen;
276+ unsigned int cipherkey_offset = 0;
277+
278+ ivlen = (ciphertype->iv_len == 0) ? ciphertype->block_size : ciphertype->iv_len;
279+
280+ switch (fmt_version) {
281+ case 3: {
282+ uint32_t taglen;
283+ unsigned char *tag;
284+
285+ if (ciphertype->key_len == 0) {
286+ mac_keylen = 0;
287+ break;
288+ }
289+ mac_keylen = 32;
290+ taglen = ciphertype->key_len + ivlen + mac_keylen;
291+ tag = (char *)malloc(taglen);
292+
293+ argon2_hash(params->argon2_passes, params->argon2_mem,
294+ params->argon2_parallelism,
295+ passphrase, strlen(passphrase),
296+ params->salt, params->saltlen,
297+ tag, taglen,
298+ NULL, 0,
299+ params->type, 0x13);
300+ buffer_append(storage, tag, taglen);
301+
302+ free(tag);
303+
304+ break;
305+ }
306+ case 2: {
307+ unsigned ctr;
308+ const EVP_MD *md = EVP_sha1();
309+ EVP_MD_CTX *ctx = NULL;
310+ unsigned char u[4], buf[20]; // SHA1: 20byte
311+ unsigned int i, len, cipherkey_write_byte = 0;
312+
313+ ctx = EVP_MD_CTX_new();
314+
315+ /* Counter-mode iteration to generate cipher key data. */
316+ for (ctr = 0; ctr * 20 < ciphertype->key_len; ctr++) {
317+ EVP_DigestInit(ctx, md);
318+ set_uint32_MSBfirst(u, ctr);
319+ EVP_DigestUpdate(ctx, u, 4);
320+ EVP_DigestUpdate(ctx, passphrase, strlen(passphrase));
321+ EVP_DigestFinal(ctx, buf, &len);
322+ buffer_append(storage, buf, 20);
323+ cipherkey_write_byte += 20;
324+ }
325+ // TTSSH の buffer_t には shrink する関数がないので、
326+ // shrink せずに 40byte のうち 32byte だけを使う
327+ cipherkey_offset = cipherkey_write_byte - ciphertype->key_len;
328+
329+ /* In this version of the format, the CBC IV was always all 0. */
330+ for (i = 0; i < ivlen; i++) {
331+ buffer_put_char(storage, 0);
332+ }
333+
334+ /* Completely separate hash for the MAC key. */
335+ EVP_DigestInit(ctx, md);
336+ mac_keylen = EVP_MD_size(md); // SHA1: 20byte
337+ EVP_DigestUpdate(ctx, "putty-private-key-file-mac-key", 30);
338+ EVP_DigestUpdate(ctx, passphrase, strlen(passphrase));
339+ EVP_DigestFinal(ctx, buf, &len);
340+ buffer_append(storage, buf, mac_keylen);
341+
342+ EVP_MD_CTX_free(ctx);
343+
344+ break;
345+ }
346+ }
347+
348+ *cipherkey = storage->buf;
349+ *cipherkey_len = ciphertype->key_len;
350+ *cipheriv = storage->buf + ciphertype->key_len + cipherkey_offset;
351+ *cipheriv_len = ivlen;
352+ *mackey = storage->buf + ciphertype->key_len + cipherkey_offset + ivlen;
353+ *mackey_len = mac_keylen;
354+}
--- trunk/ttssh2/ttxssh/keyfiles-putty.h (nonexistent)
+++ trunk/ttssh2/ttxssh/keyfiles-putty.h (revision 9258)
@@ -0,0 +1,64 @@
1+/*
2+ * (C) 2021- TeraTerm Project
3+ * All rights reserved.
4+ *
5+ * Redistribution and use in source and binary forms, with or without
6+ * modification, are permitted provided that the following conditions
7+ * are met:
8+ *
9+ * 1. Redistributions of source code must retain the above copyright
10+ * notice, this list of conditions and the following disclaimer.
11+ * 2. Redistributions in binary form must reproduce the above copyright
12+ * notice, this list of conditions and the following disclaimer in the
13+ * documentation and/or other materials provided with the distribution.
14+ * 3. The name of the author may not be used to endorse or promote products
15+ * derived from this software without specific prior written permission.
16+ *
17+ * THIS SOFTWARE IS PROVIDED BY THE AUTHORS ``AS IS'' AND ANY EXPRESS OR
18+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
19+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
20+ * IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY DIRECT, INDIRECT,
21+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
22+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
23+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
24+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
25+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
26+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
27+ */
28+
29+#ifndef __KEYFILES_PUTTY_H
30+#define __KEYFILES_PUTTY_H
31+
32+#include "argon2.h"
33+
34+typedef struct ppk_argon2_parameters {
35+ argon2_type type;
36+ uint32_t argon2_mem;
37+ uint32_t argon2_passes;
38+ uint32_t argon2_parallelism;
39+ const uint8_t *salt;
40+ size_t saltlen;
41+} ppk_argon2_parameters;
42+
43+BOOL str_to_uint32_t(const char *s, uint32_t *out);
44+BOOL ppk_read_header(FILE * fp, char *header);
45+char *ppk_read_body(FILE * fp);
46+BOOL ppk_read_blob(FILE* fp, int nlines, buffer_t *blob);
47+
48+void hmac_sha1_simple(unsigned char *key, int keylen, void *data, int datalen,
49+ unsigned char *output);
50+void hmac_sha256_simple(unsigned char *key, int keylen, void *data, int datalen,
51+ unsigned char *output);
52+void mac_simple(const EVP_MD *md,
53+ unsigned char *key, int keylen, void *data, int datalen,
54+ unsigned char *output);
55+
56+void ssh2_ppk_derive_keys(
57+ unsigned fmt_version, const struct ssh2cipher* ciphertype,
58+ unsigned char *passphrase, buffer_t *storage,
59+ unsigned char **cipherkey, unsigned int *cipherkey_len,
60+ unsigned char **cipheriv, unsigned int *cipheriv_len,
61+ unsigned char **mackey, unsigned int *mackey_len,
62+ ppk_argon2_parameters *params);
63+
64+#endif /* __KEYFILES_PUTTY_H */
--- trunk/ttssh2/ttxssh/keyfiles.c (revision 9257)
+++ trunk/ttssh2/ttxssh/keyfiles.c (revision 9258)
@@ -34,7 +34,10 @@
3434
3535 #include "ttxssh.h"
3636 #include "keyfiles.h"
37+#include "keyfiles-putty.h"
3738 #include "key.h"
39+#include "hostkey.h"
40+#include "argon2.h"
3841
3942 #include <io.h>
4043 #include <fcntl.h>
@@ -746,7 +749,6 @@
746749 * Private-Lines: 1
747750 * Base64...
748751 * Private-MAC: Base16...
749- * Private-Hash: Base16... (PuTTY-User-Key-File-1) ???
750752 *
751753 * for "ssh-rsa", it will be composed of
752754 *
@@ -821,14 +823,16 @@
821823 char *errmsg,
822824 int errmsg_len)
823825 {
826+ char header[40], *b = NULL, *encryption = NULL, *comment = NULL, *mac = NULL;
824827 Key *result = NULL;
825- EVP_PKEY *pk = NULL;
826- unsigned long err = 0;
827- int i, len, len2;
828- char *encname = NULL, *comment = NULL, *private_mac = NULL;
829- buffer_t *pubkey = NULL, *prikey = NULL;
830- const struct ssh2cipher *cipher = NULL;
831- struct sshcipher_ctx *cc = NULL;
828+ buffer_t *public_blob = NULL, *private_blob = NULL, *cipher_mac_keys_blob = NULL;
829+ unsigned char *cipherkey = NULL, *cipheriv = NULL, *mackey = NULL;
830+ unsigned int cipherkey_len, cipheriv_len, mackey_len;
831+ buffer_t *passphrase_salt = buffer_init();
832+ const struct ssh2cipher *ciphertype;
833+ int lines, len;
834+ ppk_argon2_parameters params;
835+ unsigned fmt_version = 0;
832836
833837 result = (Key *)malloc(sizeof(Key));
834838 ZeroMemory(result, sizeof(Key));
@@ -837,149 +841,262 @@
837841 result->dsa = NULL;
838842 result->ecdsa = NULL;
839843
840- pubkey = buffer_init();
841- prikey = buffer_init();
844+ // version and algorithm-name
845+ if (!ppk_read_header(fp, header)) {
846+ strncpy_s(errmsg, errmsg_len, "no header line found in key file", _TRUNCATE);
847+ goto error;
848+ }
849+ if (0 == strcmp(header, "PuTTY-User-Key-File-3")) {
850+ fmt_version = 3;
851+ }
852+ else if (0 == strcmp(header, "PuTTY-User-Key-File-2")) {
853+ fmt_version = 2;
854+ }
855+ else if (0 == strcmp(header, "PuTTY-User-Key-File-1")) {
856+ strncpy_s(errmsg, errmsg_len, "PuTTY key format too old", _TRUNCATE);
857+ goto error;
858+ }
859+ else if (0 == strncmp(header, "PuTTY-User-Key-File-", 20)) {
860+ strncpy_s(errmsg, errmsg_len, "PuTTY key format too new", _TRUNCATE);
861+ goto error;
862+ }
863+ if ((b = ppk_read_body(fp)) == NULL) {
864+ strncpy_s(errmsg, errmsg_len, "file format error", _TRUNCATE);
865+ goto error;
866+ }
867+ if (0 == strcmp(b, "ssh-dss")) {
868+ result->type = KEY_DSA;
869+ }
870+ else if (0 == strcmp(b, "ssh-rsa")) {
871+ result->type = KEY_RSA;
872+ }
873+ else if (0 == strcmp(b, "ecdsa-sha2-nistp256")) {
874+ result->type = KEY_ECDSA256;
875+ }
876+ else if (0 == strcmp(b, "ecdsa-sha2-nistp384")) {
877+ result->type = KEY_ECDSA384;
878+ }
879+ else if (0 == strcmp(b, "ecdsa-sha2-nistp521")) {
880+ result->type = KEY_ECDSA521;
881+ }
882+ else if (0 == strcmp(b, "ssh-ed25519")) {
883+ result->type = KEY_ED25519;
884+ }
885+ else {
886+ strncpy_s(errmsg, errmsg_len, "unsupported key algorithm", _TRUNCATE);
887+ free(b);
888+ goto error;
889+ }
890+ free(b);
842891
843- // parse keyfile & decode blob
844- {
845- char line[200], buf[100];
846- BIO *bmem, *b64, *chain;
847- while (fgets(line, sizeof(line), fp) != NULL) {
848- if (strncmp(line, "PuTTY-User-Key-File-2: ", strlen("PuTTY-User-Key-File-2: ")) == 0) {
849- if (strncmp(line + strlen("PuTTY-User-Key-File-2: "), "ssh-dss", strlen("ssh-dss")) == 0) {
850- result->type = KEY_DSA;
851- }
852- else if (strncmp(line + strlen("PuTTY-User-Key-File-2: "), "ssh-rsa", strlen("ssh-rsa")) == 0) {
853- result->type = KEY_RSA;
854- }
855- else if (strncmp(line + strlen("PuTTY-User-Key-File-2: "), "ecdsa-sha2-nistp256", strlen("ecdsa-sha2-nistp256")) == 0) {
856- result->type = KEY_ECDSA256;
857- }
858- else if (strncmp(line + strlen("PuTTY-User-Key-File-2: "), "ecdsa-sha2-nistp384", strlen("ecdsa-sha2-nistp384")) == 0) {
859- result->type = KEY_ECDSA384;
860- }
861- else if (strncmp(line + strlen("PuTTY-User-Key-File-2: "), "ecdsa-sha2-nistp521", strlen("ecdsa-sha2-nistp521")) == 0) {
862- result->type = KEY_ECDSA521;
863- }
864- else if (strncmp(line + strlen("PuTTY-User-Key-File-2: "), "ssh-ed25519", strlen("ssh-ed25519")) == 0) {
865- result->type = KEY_ED25519;
866- }
867- else {
868- strncpy_s(errmsg, errmsg_len, "not a PuTTY SSH-2 private key", _TRUNCATE);
869- goto error;
870- }
892+ // encryption-type
893+ if (!ppk_read_header(fp, header) || 0 != strcmp(header, "Encryption")) {
894+ strncpy_s(errmsg, errmsg_len, "file format error", _TRUNCATE);
895+ goto error;
896+ }
897+ if ((encryption = ppk_read_body(fp)) == NULL) {
898+ strncpy_s(errmsg, errmsg_len, "file format error", _TRUNCATE);
899+ goto error;
900+ }
901+ if (strcmp(encryption, "aes256-cbc") == 0) {
902+ ciphertype = get_cipher_by_name(encryption);
903+ }
904+ else if (strcmp(encryption, "none") == 0) {
905+ ciphertype = get_cipher_by_name(encryption);
906+ }
907+ else {
908+ strncpy_s(errmsg, errmsg_len, "unknown encryption type", _TRUNCATE);
909+ goto error;
910+ }
911+
912+ // key-comment-string
913+ if (!ppk_read_header(fp, header) || 0 != strcmp(header, "Comment")) {
914+ strncpy_s(errmsg, errmsg_len, "file format error", _TRUNCATE);
915+ goto error;
916+ }
917+ if ((comment = ppk_read_body(fp)) == NULL) {
918+ strncpy_s(errmsg, errmsg_len, "file format error", _TRUNCATE);
919+ goto error;
920+ }
921+
922+ // public key
923+ if (!ppk_read_header(fp, header) || 0 != strcmp(header, "Public-Lines")) {
924+ strncpy_s(errmsg, errmsg_len, "file format error", _TRUNCATE);
925+ goto error;
926+ }
927+ if ((b = ppk_read_body(fp)) == NULL) {
928+ strncpy_s(errmsg, errmsg_len, "file format error", _TRUNCATE);
929+ free(b);
930+ goto error;
931+ }
932+ lines = atoi(b);
933+ free(b);
934+ public_blob = buffer_init();
935+ if (!ppk_read_blob(fp, lines, public_blob)) {
936+ strncpy_s(errmsg, errmsg_len, "file format error", _TRUNCATE);
937+ goto error;
938+ }
939+
940+ if (fmt_version >= 3 && ciphertype->key_len != 0) {
941+ size_t i;
942+
943+ // argon2-flavour
944+ if (!ppk_read_header(fp, header) || 0 != strcmp(header, "Key-Derivation")) {
945+ strncpy_s(errmsg, errmsg_len, "file format error", _TRUNCATE);
946+ goto error;
871947 }
872- else if (strncmp(line, "Encryption: ", strlen("Encryption: ")) == 0) {
873- len = strlen(line + strlen("Encryption: "));
874- encname = (char *)malloc(len); // trim \n
875- strncpy_s(encname, len, line + strlen("Encryption: "), _TRUNCATE);
876- if (strcmp(encname, "aes256-cbc") == 0) {
877- // NOP
878- }
879- else if (strcmp(encname, "none") == 0) {
880- // NOP
881- }
882- else {
883- strncpy_s(errmsg, errmsg_len, "unknown encryption type", _TRUNCATE);
884- goto error;
885- }
948+ if ((b = ppk_read_body(fp)) == NULL) {
949+ strncpy_s(errmsg, errmsg_len, "file format error", _TRUNCATE);
950+ free(b);
951+ goto error;
886952 }
887- else if (strncmp(line, "Comment: ", strlen("Comment: ")) == 0) {
888- len = strlen(line + strlen("Comment: "));
889- comment = (char *)malloc(len); // trim \n
890- strncpy_s(comment, len, line + strlen("Comment: "), _TRUNCATE);
953+ if (!strcmp(b, "Argon2d")) {
954+ params.type = Argon2_d;
891955 }
892- else if (strncmp(line, "Private-MAC: ", strlen("Private-MAC: ")) == 0) {
893- len = strlen(line + strlen("Private-MAC: "));
894- private_mac = (char *)malloc(len); // trim \n
895- strncpy_s(private_mac, len, line + strlen("Private-MAC: "), _TRUNCATE);
956+ else if (!strcmp(b, "Argon2i")) {
957+ params.type = Argon2_i;
896958 }
897- else if (strncmp(line, "Private-HASH: ", strlen("Private-HASH: ")) == 0) {
898- strncpy_s(errmsg, errmsg_len, "not a PuTTY SSH-2 private key", _TRUNCATE);
959+ else if (!strcmp(b, "Argon2id")) {
960+ params.type = Argon2_id;
961+ }
962+ else {
963+ strncpy_s(errmsg, errmsg_len, "file format error", _TRUNCATE);
964+ free(b);
899965 goto error;
900966 }
901- else if (strncmp(line, "Public-Lines: ", strlen("Public-Lines: ")) == 0) {
902- len = atoi(line + strlen("Public-Lines: "));
903- b64 = BIO_new(BIO_f_base64());
904- bmem = BIO_new(BIO_s_mem());
905- for (i=0; i<len && fgets(line, sizeof(line), fp)!=NULL; i++) {
906- BIO_write(bmem, line, strlen(line));
907- }
908- BIO_flush(bmem);
909- chain = BIO_push(b64, bmem);
910- BIO_set_mem_eof_return(chain, 0);
911- while ((len2 = BIO_read(chain, buf, sizeof(buf))) > 0) {
912- buffer_append(pubkey, buf, len2);
913- }
914- BIO_free_all(chain);
967+ free(b);
968+
969+ if (!ppk_read_header(fp, header) || 0 != strcmp(header, "Argon2-Memory")) {
970+ strncpy_s(errmsg, errmsg_len, "file format error", _TRUNCATE);
971+ goto error;
915972 }
916- else if (strncmp(line, "Private-Lines: ", strlen("Private-Lines: ")) == 0) {
917- len = atoi(line + strlen("Private-Lines: "));
918- b64 = BIO_new(BIO_f_base64());
919- bmem = BIO_new(BIO_s_mem());
920- for (i=0; i<len && fgets(line, sizeof(line), fp)!=NULL; i++) {
921- BIO_write(bmem, line, strlen(line));
922- }
923- BIO_flush(bmem);
924- chain = BIO_push(b64, bmem);
925- BIO_set_mem_eof_return(chain, 0);
926- while ((len2 = BIO_read(chain, buf, sizeof(buf))) > 0) {
927- buffer_append(prikey, buf, len2);
928- }
929- BIO_free_all(chain);
973+ if ((b = ppk_read_body(fp)) == NULL) {
974+ strncpy_s(errmsg, errmsg_len, "file format error", _TRUNCATE);
975+ free(b);
976+ goto error;
930977 }
931- else {
932- strncpy_s(errmsg, errmsg_len, "not a PuTTY SSH-2 private key", _TRUNCATE);
978+ if (!str_to_uint32_t(b, &params.argon2_mem)) {
979+ free(b);
933980 goto error;
934981 }
935- }
936- }
982+ free(b);
937983
938- if (result->type == KEY_NONE || strlen(encname) == 0 || buffer_len(pubkey) == 0 || buffer_len(prikey) == 0) {
939- strncpy_s(errmsg, errmsg_len, "key file format error", _TRUNCATE);
940- goto error;
941- }
984+ if (!ppk_read_header(fp, header) || 0 != strcmp(header, "Argon2-Passes")) {
985+ strncpy_s(errmsg, errmsg_len, "file format error", _TRUNCATE);
986+ goto error;
987+ }
988+ if ((b = ppk_read_body(fp)) == NULL) {
989+ strncpy_s(errmsg, errmsg_len, "file format error", _TRUNCATE);
990+ free(b);
991+ goto error;
992+ }
993+ if (!str_to_uint32_t(b, &params.argon2_passes)) {
994+ free(b);
995+ goto error;
996+ }
997+ free(b);
942998
943- // decrypt prikey with aes256-cbc
944- if (strcmp(encname, "aes256-cbc") == 0) {
945- const EVP_MD *md = EVP_sha1();
946- EVP_MD_CTX *ctx = NULL;
947- unsigned char key[40], iv[32];
948- EVP_CIPHER_CTX *cipher_ctx = NULL;
949- char *decrypted = NULL;
950- int ret;
951-
952- ctx = EVP_MD_CTX_new();
953- if (ctx == NULL) {
999+ if (!ppk_read_header(fp, header) || 0 != strcmp(header, "Argon2-Parallelism")) {
1000+ strncpy_s(errmsg, errmsg_len, "file format error", _TRUNCATE);
9541001 goto error;
9551002 }
1003+ if ((b = ppk_read_body(fp)) == NULL) {
1004+ strncpy_s(errmsg, errmsg_len, "file format error", _TRUNCATE);
1005+ free(b);
1006+ goto error;
1007+ }
1008+ if (!str_to_uint32_t(b, &params.argon2_parallelism)) {
1009+ free(b);
1010+ goto error;
1011+ }
1012+ free(b);
9561013
957- cipher_ctx = EVP_CIPHER_CTX_new();
958- if (cipher_ctx == NULL) {
959- EVP_MD_CTX_free(ctx);
1014+ if (!ppk_read_header(fp, header) || 0 != strcmp(header, "Argon2-Salt")) {
1015+ strncpy_s(errmsg, errmsg_len, "file format error", _TRUNCATE);
9601016 goto error;
9611017 }
1018+ if ((b = ppk_read_body(fp)) == NULL) {
1019+ strncpy_s(errmsg, errmsg_len, "file format error", _TRUNCATE);
1020+ free(b);
1021+ goto error;
1022+ }
1023+ for (i = 0; b[i]; i += 2) {
1024+ if (isxdigit((unsigned char)b[i]) && b[i+1] &&
1025+ isxdigit((unsigned char)b[i+1])) {
1026+ char s[3];
1027+ s[0] = b[i];
1028+ s[1] = b[i+1];
1029+ s[2] = '\0';
1030+ buffer_put_char(passphrase_salt, strtoul(s, NULL, 16));
1031+ }
1032+ else {
1033+ strncpy_s(errmsg, errmsg_len, "file format error", _TRUNCATE);
1034+ free(b);
1035+ goto error;
1036+ }
1037+ }
1038+ params.salt = buffer_ptr(passphrase_salt);
1039+ params.saltlen = buffer_len(passphrase_salt);
1040+ free(b);
1041+ }
9621042
963- EVP_DigestInit(ctx, md);
964- EVP_DigestUpdate(ctx, "\0\0\0\0", 4);
965- EVP_DigestUpdate(ctx, passphrase, strlen(passphrase));
966- EVP_DigestFinal(ctx, key, &len);
1043+ // private key
1044+ if (!ppk_read_header(fp, header) || 0 != strcmp(header, "Private-Lines")) {
1045+ strncpy_s(errmsg, errmsg_len, "file format error", _TRUNCATE);
1046+ goto error;
1047+ }
1048+ if ((b = ppk_read_body(fp)) == NULL) {
1049+ strncpy_s(errmsg, errmsg_len, "file format error", _TRUNCATE);
1050+ free(b);
1051+ goto error;
1052+ }
1053+ lines = atoi(b);
1054+ free(b);
1055+ private_blob = buffer_init();
1056+ if (!ppk_read_blob(fp, lines, private_blob)) {
1057+ strncpy_s(errmsg, errmsg_len, "file format error", _TRUNCATE);
1058+ goto error;
1059+ }
9671060
968- EVP_DigestInit(ctx, md);
969- EVP_DigestUpdate(ctx, "\0\0\0\1", 4);
970- EVP_DigestUpdate(ctx, passphrase, strlen(passphrase));
971- EVP_DigestFinal(ctx, key + 20, &len);
1061+ // hex-mac-data
1062+ if (!ppk_read_header(fp, header) || 0 != strcmp(header, "Private-MAC")) {
1063+ strncpy_s(errmsg, errmsg_len, "file format error", _TRUNCATE);
1064+ goto error;
1065+ }
1066+ if ((mac = ppk_read_body(fp)) == NULL) {
1067+ strncpy_s(errmsg, errmsg_len, "file format error", _TRUNCATE);
1068+ goto error;
1069+ }
9721070
973- EVP_MD_CTX_free(ctx);
1071+ fclose(fp);
9741072
975- memset(iv, 0, sizeof(iv));
1073+ if (result->type == KEY_NONE || strlen(encryption) == 0 || buffer_len(public_blob) == 0 || buffer_len(private_blob) == 0) {
1074+ strncpy_s(errmsg, errmsg_len, "key file format error", _TRUNCATE);
1075+ goto error;
1076+ }
9761077
1078+ // derive key, iv, mackey
1079+ cipher_mac_keys_blob = buffer_init();
1080+ ssh2_ppk_derive_keys(fmt_version, ciphertype,
1081+ passphrase,
1082+ cipher_mac_keys_blob,
1083+ &cipherkey, &cipherkey_len,
1084+ &cipheriv, &cipheriv_len,
1085+ &mackey, &mackey_len,
1086+ &params);
1087+
1088+ // decrypt priate key with aes256-cbc
1089+ if (strcmp(encryption, "aes256-cbc") == 0) {
1090+ struct sshcipher_ctx *cc = NULL;
1091+ char *decrypted = NULL;
1092+ int ret;
1093+
9771094 // decrypt
978- cipher = get_cipher_by_name("aes256-cbc");
979- cipher_init_SSH2(&cc, cipher, key, 32, iv, 16, CIPHER_DECRYPT, pvar);
980- len = buffer_len(prikey);
1095+ ciphertype = get_cipher_by_name("aes256-cbc");
1096+ cipher_init_SSH2(&cc, ciphertype, cipherkey, 32, cipheriv, 16, CIPHER_DECRYPT, pvar);
1097+ len = buffer_len(private_blob);
9811098 decrypted = (char *)malloc(len);
982- ret = EVP_Cipher(cc->evp, decrypted, prikey->buf, len);
1099+ ret = EVP_Cipher(cc->evp, decrypted, private_blob->buf, len);
9831100 if (ret == 0) {
9841101 strncpy_s(errmsg, errmsg_len, "Key decrypt error", _TRUNCATE);
9851102 free(decrypted);
@@ -986,8 +1103,8 @@
9861103 cipher_free_SSH2(cc);
9871104 goto error;
9881105 }
989- buffer_clear(prikey);
990- buffer_append(prikey, decrypted, len);
1106+ buffer_clear(private_blob);
1107+ buffer_append(private_blob, decrypted, len);
9911108 free(decrypted);
9921109 cipher_free_SSH2(cc);
9931110 }
@@ -994,116 +1111,45 @@
9941111
9951112 // verity MAC
9961113 {
997- char realmac[41];
998- unsigned char binary[20];
999- buffer_t *macdata;
1000-
1001- macdata = buffer_init();
1002-
1003- len = strlen(get_ssh2_hostkey_type_name(result->type));
1004- buffer_put_int(macdata, len);
1005- buffer_append(macdata, get_ssh2_hostkey_type_name(result->type), len);
1006- len = strlen(encname);
1007- buffer_put_int(macdata, len);
1008- buffer_append(macdata, encname, len);
1009- len = strlen(comment);
1010- buffer_put_int(macdata, len);
1011- buffer_append(macdata, comment, len);
1012- buffer_put_int(macdata, pubkey->len);
1013- buffer_append(macdata, pubkey->buf, pubkey->len);
1014- buffer_put_int(macdata, prikey->len);
1015- buffer_append(macdata, prikey->buf, prikey->len);
1016-
1017- if (private_mac != NULL) {
1018- unsigned char mackey[20];
1019- char header[] = "putty-private-key-file-mac-key";
1020- const EVP_MD *md = EVP_sha1();
1021- EVP_MD_CTX *ctx = NULL;
1022-
1023- ctx = EVP_MD_CTX_new();
1024- if (ctx == NULL) {
1025- goto error;
1026- }
1027-
1028- EVP_DigestInit(ctx, md);
1029- EVP_DigestUpdate(ctx, header, sizeof(header)-1);
1030- len = strlen(passphrase);
1031- if (strcmp(encname, "aes256-cbc") == 0 && len > 0) {
1032- EVP_DigestUpdate(ctx, passphrase, len);
1033- }
1034- EVP_DigestFinal(ctx, mackey, &len);
1035- EVP_MD_CTX_free(ctx);
1036-
1037- //hmac_sha1_simple(mackey, sizeof(mackey), macdata->buf, macdata->len, binary);
1038- {
1039- EVP_MD_CTX *ctx[2] = {0, 0};
1040- unsigned char intermediate[20];
1041- unsigned char foo[64];
1114+ unsigned char binary[32];
1115+ char realmac[sizeof(binary) * 2 + 1];
1116+ const EVP_MD *md;
1117+ buffer_t *macdata;
10421118 int i;
10431119
1044- ctx[0] = EVP_MD_CTX_new();
1045- if (ctx[0] == NULL) {
1046- goto error;
1047- }
1048- ctx[1] = EVP_MD_CTX_new();
1049- if (ctx[1] == NULL) {
1050- EVP_MD_CTX_free(ctx[0]);
1051- goto error;
1052- }
1120+ macdata = buffer_init();
1121+ buffer_put_cstring(macdata, get_ssh2_hostkey_type_name(result->type));
1122+ buffer_put_cstring(macdata, encryption);
1123+ buffer_put_cstring(macdata, comment);
1124+ buffer_put_string(macdata, public_blob->buf, public_blob->len);
1125+ buffer_put_string(macdata, private_blob->buf, private_blob->len);
10531126
1054- memset(foo, 0x36, sizeof(foo));
1055- for (i = 0; i < sizeof(mackey) && i < sizeof(foo); i++) {
1056- foo[i] ^= mackey[i];
1127+ if (fmt_version == 2) {
1128+ md = EVP_sha1();
10571129 }
1058- EVP_DigestInit(ctx[0], md);
1059- EVP_DigestUpdate(ctx[0], foo, sizeof(foo));
1060-
1061- memset(foo, 0x5C, sizeof(foo));
1062- for (i = 0; i < sizeof(mackey) && i < sizeof(foo); i++) {
1063- foo[i] ^= mackey[i];
1130+ else {
1131+ md = EVP_sha256();
10641132 }
1065- EVP_DigestInit(ctx[1], md);
1066- EVP_DigestUpdate(ctx[1], foo, sizeof(foo));
1133+ mac_simple(md, (unsigned char *)mackey, mackey_len, macdata->buf, macdata->len, binary);
10671134
1068- memset(foo, 0, sizeof(foo));
1135+ buffer_free(macdata);
10691136
1070- EVP_DigestUpdate(ctx[0], macdata->buf, macdata->len);
1071- EVP_DigestFinal(ctx[0], intermediate, &len);
1072-
1073- EVP_DigestUpdate(ctx[1], intermediate, sizeof(intermediate));
1074- EVP_DigestFinal(ctx[1], binary, &len);
1075-
1076- EVP_MD_CTX_free(ctx[0]);
1077- EVP_MD_CTX_free(ctx[1]);
1137+ for (i=0; i<EVP_MD_size(md); i++) {
1138+ sprintf(realmac + 2*i, "%02x", binary[i]);
10781139 }
10791140
1080- memset(mackey, 0, sizeof(mackey));
1081-
1082- }
1083- else {
1084- strncpy_s(errmsg, errmsg_len, "key file format error", _TRUNCATE);
1085- buffer_free(macdata);
1086- goto error;
1087- }
1088-
1089- buffer_free(macdata);
1090-
1091- for (i=0; i<20; i++) {
1092- sprintf(realmac + 2*i, "%02x", binary[i]);
1093- }
1094-
1095- if (strcmp(private_mac, realmac) != 0) {
1096- if (strcmp(encname, "aes256-cbc") == 0) {
1097- strncpy_s(errmsg, errmsg_len, "wrong passphrase", _TRUNCATE);
1098- *invalid_passphrase = TRUE;
1099- goto error;
1141+ if (strcmp(mac, realmac) != 0) {
1142+ if (ciphertype->key_len > 0) {
1143+ strncpy_s(errmsg, errmsg_len, "wrong passphrase", _TRUNCATE);
1144+ *invalid_passphrase = TRUE;
1145+ goto error;
1146+ }
1147+ else {
1148+ strncpy_s(errmsg, errmsg_len, "MAC verify failed", _TRUNCATE);
1149+ goto error;
1150+ }
11001151 }
1101- else {
1102- strncpy_s(errmsg, errmsg_len, "MAC verify failed", _TRUNCATE);
1103- goto error;
1104- }
11051152 }
1106- }
11071153
11081154 switch (result->type) {
11091155 case KEY_RSA:
@@ -1111,8 +1157,8 @@
11111157 char *pubkey_type, *pub, *pri;
11121158 BIGNUM *e, *n, *d, *iqmp, *p, *q;
11131159
1114- pub = pubkey->buf;
1115- pri = prikey->buf;
1160+ pub = public_blob->buf;
1161+ pri = private_blob->buf;
11161162 pubkey_type = buffer_get_string(&pub, NULL);
11171163 if (strcmp(pubkey_type, "ssh-rsa") != 0) {
11181164 strncpy_s(errmsg, errmsg_len, "key type error", _TRUNCATE);
@@ -1160,8 +1206,8 @@
11601206 char *pubkey_type, *pub, *pri;
11611207 BIGNUM *p, *q, *g, *pub_key, *priv_key;
11621208
1163- pub = pubkey->buf;
1164- pri = prikey->buf;
1209+ pub = public_blob->buf;
1210+ pri = private_blob->buf;
11651211 pubkey_type = buffer_get_string(&pub, NULL);
11661212 if (strcmp(pubkey_type, "ssh-dss") != 0) {
11671213 strncpy_s(errmsg, errmsg_len, "key type error", _TRUNCATE);
@@ -1212,8 +1258,8 @@
12121258 BIGNUM *exponent = NULL;
12131259 EC_POINT *q = NULL;
12141260
1215- pub = pubkey->buf;
1216- pri = prikey->buf;
1261+ pub = public_blob->buf;
1262+ pri = private_blob->buf;
12171263 pubkey_type = buffer_get_string(&pub, NULL);
12181264 if ((result->type == KEY_ECDSA256 && strcmp(pubkey_type, "ecdsa-sha2-nistp256") != 0) ||
12191265 (result->type == KEY_ECDSA384 && strcmp(pubkey_type, "ecdsa-sha2-nistp384") != 0) ||
@@ -1267,8 +1313,8 @@
12671313 char *pubkey_type, *pub, *pri;
12681314 unsigned int pklen, sklen;
12691315 char *sk;
1270- pub = pubkey->buf;
1271- pri = prikey->buf;
1316+ pub = public_blob->buf;
1317+ pri = private_blob->buf;
12721318 pubkey_type = buffer_get_string(&pub, NULL);
12731319 if (strcmp(pubkey_type, "ssh-ed25519") != 0) {
12741320 strncpy_s(errmsg, errmsg_len, "key type error", _TRUNCATE);
@@ -1298,47 +1344,43 @@
12981344 break;
12991345 }
13001346
1301- fclose(fp);
1302-
1303- if (encname != NULL)
1304- free(encname);
1305-
1347+ if (encryption != NULL)
1348+ free(encryption);
13061349 if (comment != NULL)
13071350 free(comment);
1351+ if (mac != NULL)
1352+ free(mac);
1353+ if (public_blob != NULL)
1354+ buffer_free(public_blob);
1355+ if (private_blob != NULL)
1356+ buffer_free(private_blob);
1357+ if (cipher_mac_keys_blob != NULL)
1358+ buffer_free(cipher_mac_keys_blob);
1359+ if (passphrase_salt != NULL)
1360+ buffer_free(passphrase_salt);
13081361
1309- if (pubkey != NULL)
1310- buffer_free(pubkey);
1311-
1312- if (prikey != NULL)
1313- buffer_free(prikey);
1314-
1315- if (private_mac != NULL)
1316- free(private_mac);
1317-
13181362 return (result);
13191363
13201364 error:
13211365 if (result != NULL)
13221366 key_free(result);
1323-
13241367 if (fp != NULL)
13251368 fclose(fp);
1326-
1327- if (encname != NULL)
1328- free(encname);
1329-
1369+ if (encryption != NULL)
1370+ free(encryption);
13301371 if (comment != NULL)
13311372 free(comment);
1373+ if (mac != NULL)
1374+ free(mac);
1375+ if (public_blob != NULL)
1376+ buffer_free(public_blob);
1377+ if (private_blob != NULL)
1378+ buffer_free(private_blob);
1379+ if (cipher_mac_keys_blob != NULL)
1380+ buffer_free(cipher_mac_keys_blob);
1381+ if (passphrase_salt != NULL)
1382+ buffer_free(passphrase_salt);
13321383
1333- if (pubkey != NULL)
1334- buffer_free(pubkey);
1335-
1336- if (prikey != NULL)
1337- buffer_free(prikey);
1338-
1339- if (private_mac != NULL)
1340- free(private_mac);
1341-
13421384 return (NULL);
13431385 }
13441386
Show on old repository browser