diff options
author | Simon Tatham <anakin@pobox.com> | 2021-02-22 21:13:12 +0300 |
---|---|---|
committer | Simon Tatham <anakin@pobox.com> | 2021-02-22 23:53:18 +0300 |
commit | 117cee8ea62b42b20c3c16d0584b411bf8d3d0de (patch) | |
tree | 3e255fdd823b542912117dcbd2cf2f72f5ec7921 /cmdgen.c | |
parent | b8f3fc4bd1c17c74fa1f17f78eb55a24a4f7a53e (diff) |
cmdgen: command-line control of PPK save parameters.
This allows you to manually adjust the Argon2 parameters so that you
can trade off CPU requirements in legitimate use against difficulty of
brute-force attack. It also allows downgrading the key file version
back to the widespread PPK v2, so you can manually back-port a key
that you accidentally generated too new.
Diffstat (limited to 'cmdgen.c')
-rw-r--r-- | cmdgen.c | 74 |
1 files changed, 72 insertions, 2 deletions
@@ -150,6 +150,20 @@ void help(void) " proven numbers that have been proven to be prime\n" " proven-even also try harder for an even distribution\n" " --strong-rsa use \"strong\" primes as RSA key factors\n" + " --ppk-param <key>=<value>[,<key>=<value>,...]\n" + " specify parameters when writing PuTTY private key file " + "format:\n" + " version PPK format version (min 2, max 3, " + "default 3)\n" + " memory Kb of memory to use in password hash " + "(default 8192)\n" + " time approx milliseconds to hash for " + "(default 100)\n" + " passes exact number of hash passes to run " + "(alternative to 'time')\n" + " parallelism number of parallelisable threads in the " + "hash function\n" + " (default 1)\n" ); } @@ -227,6 +241,7 @@ int main(int argc, char **argv) int exit_status = 0; const PrimeGenerationPolicy *primegen = &primegen_probabilistic; bool strong_rsa = false; + ppk_save_parameters params = ppk_save_default_parameters; if (is_interactive()) progress_fp = stderr; @@ -366,6 +381,62 @@ int main(int argc, char **argv) strong_rsa = true; } else if (!strcmp(opt, "-reencrypt")) { reencrypt = true; + } else if (!strcmp(opt, "-ppk-param") || + !strcmp(opt, "-ppk-params")) { + if (!val && argc > 1) + --argc, val = *++argv; + if (!val) { + errs = true; + fprintf(stderr, "puttygen: option `-%s'" + " expects an argument\n", opt); + } else { + char *nextval; + for (; val; val = nextval) { + nextval = strchr(val, ','); + if (nextval) + *nextval++ = '\0'; + + char *optvalue = strchr(val, '='); + if (!optvalue) { + errs = true; + fprintf(stderr, "puttygen: PPK parameter " + "'%s' expected a value\n", val); + continue; + } + + *optvalue++ = '\0'; + char *end; + unsigned long n = strtoul(optvalue, &end, 0); + if (!*optvalue || *end) { + errs = true; + fprintf(stderr, "puttygen: value '%s' for " + "PPK parameter '%s': expected a " + "number\n", optvalue, val); + continue; + } + + if (!strcmp(val, "version")) { + params.fmt_version = n; + } else if (!strcmp(val, "memory") || + !strcmp(val, "mem")) { + params.argon2_mem = n; + } else if (!strcmp(val, "time")) { + params.argon2_passes_auto = true; + params.argon2_milliseconds = n; + } else if (!strcmp(val, "passes")) { + params.argon2_passes_auto = false; + params.argon2_milliseconds = n; + } else if (!strcmp(val, "parallelism") || + !strcmp(val, "parallel")) { + params.argon2_parallelism = n; + } else { + errs = true; + fprintf(stderr, "puttygen: unrecognised " + "PPK parameter '%s'\n", val); + continue; + } + } + } } else { errs = true; fprintf(stderr, @@ -1033,8 +1104,7 @@ int main(int argc, char **argv) } } else { assert(ssh2key); - ret = ppk_save_f(outfilename, ssh2key, new_passphrase, - &ppk_save_default_parameters); + ret = ppk_save_f(outfilename, ssh2key, new_passphrase, ¶ms); if (!ret) { fprintf(stderr, "puttygen: unable to save SSH-2 private key\n"); RETURN(1); |