0.83 中文版

Buildscr

@@ -35,7 +35,7 @@ module putty
 ifeq "$(RELEASE)" "" set Ndate $(!builddate)
 ifneq "$(Ndate)" "" in . do echo $(Ndate) | perl -pe 's/(....)(..)(..)/$$1-$$2-$$3/' > date
 ifneq "$(Ndate)" "" read Date date
-set Epoch 19052 # update this at every release
+set Epoch 19120 # update this at every release
 ifneq "$(Ndate)" "" in . do echo $(Ndate) | perl -ne 'use Time::Local; /(....)(..)(..)/ and print timegm(0,0,0,$$3,$$2-1,$$1) / 86400 - $(Epoch)' > days
 ifneq "$(Ndate)" "" read Days days
 

CHECKLST.txt

@@ -133,7 +133,9 @@ Making a release candidate build
        + on at least a reasonably current stable Linux distro, and
          also try Debian sid
        + test-build with all of GTK 1, 2 and 3
-       + test-build with -DNOT_X_WINDOWS
+       + test-build with -DNOT_X_WINDOWS (compile flag)
+       + test-build with -DPUTTY_GSSAPI=OFF (cmake flag)
+       + test-build with -DPUTTY_IPV6=OFF (cmake flag)
     * test that the Windows source builds with Visual Studio (just in
       case there's an unguarded clangism that would prevent it)
     * quick check of the outlying network protocols (Telnet, SUPDUP

CMakeLists.txt

@@ -1,4 +1,4 @@
-cmake_minimum_required(VERSION 3.7)
+cmake_minimum_required(VERSION 3.7...3.28)
 project(putty LANGUAGES C)
 
 set(CMAKE_C_STANDARD 99)

LATEST.VER

@@ -1 +1 @@
-0.82
+0.83

LICENCE

@@ -1,4 +1,4 @@
-PuTTY is copyright 1997-2024 Simon Tatham.
+PuTTY is copyright 1997-2025 Simon Tatham.
 
 部分版权属于 Robert de Bath, Joris van Rantwijk, Delian
 Delchev, Andreas Schultz, Jeroen Massar, Wez Furlong, Nicolas Barry,
@@ -14,4 +14,4 @@ Kuzmich, Nico Williams, Viktor Dukhovni, Josh Dersch, Lars Brinkhoff,
 
 该软件是作为 "AS IS" 提供，没有任何保证、表示或暗示，包括但不限于适销性、适用性和不侵权。在任何情况下作者不对任何声明、损坏或其他责任负责，无论是发生在合同行为、侵权或其它任何来自软件的、与软件相关或无关的以及软件的使用。
 
-PuTTY 中文版的版权属于 2003-2024 李峰，保留所有权利。
+PuTTY 中文版的版权属于 2003-2025 李峰，保留所有权利。

cmake/cmake.h.in

@@ -15,6 +15,7 @@
 #cmakedefine01 HAVE_GETNAMEDPIPECLIENTPROCESSID
 #cmakedefine01 HAVE_SETDEFAULTDLLDIRECTORIES
 #cmakedefine01 HAVE_STRTOUMAX
+#cmakedefine01 HAVE_WMEMCHR
 #cmakedefine01 HAVE_DWMAPI_H
 
 #cmakedefine NOT_X_WINDOWS
@@ -60,3 +61,4 @@
 #cmakedefine01 HAVE_NEON_SHA512
 #cmakedefine01 HAVE_NEON_SHA512_INTRINSICS
 #cmakedefine01 USE_ARM64_NEON_H
+#cmakedefine01 HAVE_ARM_DIT

cmake/platforms/windows.cmake

@@ -53,6 +53,7 @@ define_negation(NO_HTMLHELP HAVE_HTMLHELP_H)
 check_include_files("winsock2.h;afunix.h" HAVE_AFUNIX_H)
 
 check_symbol_exists(strtoumax "inttypes.h" HAVE_STRTOUMAX)
+check_symbol_exists(wmemchr "wchar.h" HAVE_WMEMCHR)
 check_symbol_exists(AddDllDirectory "windows.h" HAVE_ADDDLLDIRECTORY)
 check_symbol_exists(SetDefaultDllDirectories "windows.h"
   HAVE_SETDEFAULTDLLDIRECTORIES)
@@ -103,14 +104,12 @@ endif()
 
 if(WINELIB)
   enable_language(RC)
-  set(LFLAG_MANIFEST_NO "")
 elseif(CMAKE_C_COMPILER_ID MATCHES "MSVC" OR
        CMAKE_C_COMPILER_FRONTEND_VARIANT MATCHES "MSVC")
   set(CMAKE_RC_FLAGS "${CMAKE_RC_FLAGS} /nologo /C65001")
-  set(LFLAG_MANIFEST_NO "/manifest:no")
+  set(CMAKE_EXE_LINKER_FLAGS "${CMAKE_EXE_LINKER_FLAGS} /manifest:no")
 else()
   set(CMAKE_RC_FLAGS "${CMAKE_RC_FLAGS} -c65001")
-  set(LFLAG_MANIFEST_NO "")
 endif()
 
 if(STRICT)

cmdgen.c

@@ -263,6 +263,8 @@ int main(int argc, char **argv)
     ppk_save_parameters params = ppk_save_default_parameters;
     FingerprintType fptype = SSH_FPTYPE_DEFAULT;
 
+    enable_dit();
+
     if (is_interactive())
         progress_fp = stderr;
 

config.c

@@ -578,6 +578,8 @@ static void kexlist_handler(dlgcontrol *ctrl, dlgparam *dlg,
             { "RSA-based key exchange",             KEX_RSA },
             { "ECDH key exchange",                  KEX_ECDH },
             { "NTRU Prime / Curve25519 hybrid kex", KEX_NTRU_HYBRID },
+            { "ML-KEM / Curve25519 hybrid kex",     KEX_MLKEM_25519_HYBRID },
+            { "ML-KEM / NIST ECDH hybrid kex",      KEX_MLKEM_NIST_HYBRID },
             { "-- 下面为警告选项 --",              KEX_WARN }
         };
 
@@ -1985,7 +1987,7 @@ void setup_config_box(struct controlbox *b, bool midsession,
                           sshrawlogname, 'r', I(LGTYP_SSHRAW));
     }
     ctrl_filesel(s, "日志文件名(F)：", 'f',
-                 NULL, true, "选择会话的日志文件名",
+                 FILTER_ALL_FILES, true, "选择会话的日志文件名",
                  HELPCTX(logging_filename),
                  conf_filesel_handler, I(CONF_logfilename));
     ctrl_text(s, "(日志文件名可以包含 &Y &M &D 表示年月日，"
@@ -2747,7 +2749,7 @@ void setup_config_box(struct controlbox *b, bool midsession,
             c = ctrl_draglist(s, "算法选择顺序(S)：", 's',
                               HELPCTX(ssh_kexlist),
                               kexlist_handler, P(NULL));
-            c->listbox.height = KEX_MAX;
+            c->listbox.height = 10;
 #ifndef NO_GSSAPI
             ctrl_checkbox(s, "尝试 GSSAPI 密钥交换",
                           'k', HELPCTX(ssh_gssapi),
@@ -2929,7 +2931,7 @@ void setup_config_box(struct controlbox *b, bool midsession,
                          HELPCTX(ssh_auth_privkey),
                          conf_filesel_handler, I(CONF_keyfile));
             ctrl_filesel(s, "与私钥一起使用的证书(可选) (E):", 'e',
-                         NULL, false, "选择证书文件",
+                         FILTER_ALL_FILES, false, "选择证书文件",
                          HELPCTX(ssh_auth_cert),
                          conf_filesel_handler, I(CONF_detached_cert));
 

contrib/logparse.pl

@@ -172,6 +172,16 @@ sub usage {
         my ($direction, $seq, $data) = @_;
         print "\n";
     },
+#define SSH2_MSG_KEX_HYBRID_INIT                    30    /* 0x1e */
+    'SSH2_MSG_KEX_HYBRID_INIT' => sub {
+        my ($direction, $seq, $data) = @_;
+        print "\n";
+    },
+#define SSH2_MSG_KEX_HYBRID_REPLY                   31    /* 0x1f */
+    'SSH2_MSG_KEX_HYBRID_REPLY' => sub {
+        my ($direction, $seq, $data) = @_;
+        print "\n";
+    },
 #define SSH2_MSG_USERAUTH_REQUEST                 50    /* 0x32 */
     'SSH2_MSG_USERAUTH_REQUEST' => sub {
         my ($direction, $seq, $data) = @_;
@@ -657,6 +667,16 @@ sub usage {
         # curve is. So the best we can do is just dump the raw data.
         printf "  client public value: %s\n", (unpack "H*", $cpv);
     },
+    'SSH2_MSG_KEX_HYBRID_INIT' => sub {
+        my ($data) = @_;
+        my ($cpv) = &parse("s", $data);
+        # Hybrid post-quantum + classical KEX is even more confusing,
+        # since two separate pieces of data are glomphed together into
+        # this string without any obvious dividing line. The best we
+        # can sensibly do is to announce that in the log.
+        printf "  client PQ encryption key + public ECDH value: %s\n",
+            (unpack "H*", $cpv);
+    },
     'SSH2_MSG_KEXDH_REPLY' => sub {
         my ($data) = @_;
         my ($hostkeyblob, $f, $sigblob) = &parse("sms", $data);
@@ -708,6 +728,26 @@ sub usage {
             printf "    $key: $value\n";
         }
     },
+    'SSH2_MSG_KEX_HYBRID_REPLY' => sub {
+        my ($data) = @_;
+        my ($hostkeyblob, $spv, $sigblob) = &parse("sss", $data);
+        my ($hktype, @hostkey) = &parse_public_key($hostkeyblob);
+        printf "  host key: %s\n", $hktype;
+        while (@hostkey) {
+            my ($key, $value) = splice @hostkey, 0, 2;
+            printf "    $key: $value\n";
+        }
+        # Similarly to HYBRID_INIT, warn the reader that this string
+        # contains two separate things glomphed together
+        printf "  server PQ KEM ciphertext + public ECDH value: %s\n",
+            (unpack "H*", $spv);
+        printf "  signature:\n";
+        my @signature = &parse_signature($sigblob, $hktype);
+        while (@signature) {
+            my ($key, $value) = splice @signature, 0, 2;
+            printf "    $key: $value\n";
+        }
+    },
     'SSH2_MSG_NEWKEYS' => sub {},
     'SSH2_MSG_SERVICE_REQUEST' => sub {
         my ($data) = @_;

crypto/CMakeLists.txt

@@ -20,9 +20,11 @@ add_sources_from_current_dir(crypto
   ecc-ssh.c
   hash_simple.c
   hmac.c
+  kex-hybrid.c
   mac.c
   mac_simple.c
   md5.c
+  mlkem.c
   mpint.c
   ntru.c
   openssh-certs.c
@@ -234,10 +236,17 @@ if(neon)
   endif()
 endif()
 
+test_compile_with_flags(HAVE_ARM_DIT
+  GNU_FLAGS -march=armv8.4-a
+  TEST_SOURCE "
+    int main(void) { asm volatile(\"msr dit, %0\" :: \"r\"(1)); }"
+  ADD_SOURCES_IF_SUCCESSFUL enable_dit.c)
+
 set(HAVE_AES_NI ${HAVE_AES_NI} PARENT_SCOPE)
 set(HAVE_SHA_NI ${HAVE_SHA_NI} PARENT_SCOPE)
 set(HAVE_SHAINTRIN_H ${HAVE_SHAINTRIN_H} PARENT_SCOPE)
 set(HAVE_NEON_CRYPTO ${HAVE_NEON_CRYPTO} PARENT_SCOPE)
 set(HAVE_NEON_SHA512 ${HAVE_NEON_SHA512} PARENT_SCOPE)
 set(HAVE_NEON_SHA512_INTRINSICS ${HAVE_NEON_SHA512_INTRINSICS} PARENT_SCOPE)
 set(USE_ARM64_NEON_H ${USE_ARM64_NEON_H} PARENT_SCOPE)
+set(HAVE_ARM_DIT ${HAVE_ARM_DIT} PARENT_SCOPE)

crypto/ecc-ssh.c

@@ -1615,6 +1615,7 @@ static const ecdh_keyalg ssh_ecdhkex_m_alg = {
     .getpublic = ssh_ecdhkex_m_getpublic,
     .getkey = ssh_ecdhkex_m_getkey,
     .description = ssh_ecdhkex_description,
+    .packet_naming_ctx = SSH2_PKTCTX_ECDHKEX,
 };
 const ssh_kex ssh_ec_kex_curve25519 = {
     .name = "curve25519-sha256",
@@ -1655,6 +1656,7 @@ static const ecdh_keyalg ssh_ecdhkex_w_alg = {
     .getpublic = ssh_ecdhkex_w_getpublic,
     .getkey = ssh_ecdhkex_w_getkey,
     .description = ssh_ecdhkex_description,
+    .packet_naming_ctx = SSH2_PKTCTX_ECDHKEX,
 };
 static const struct eckex_extra kex_extra_nistp256 = { ec_p256 };
 const ssh_kex ssh_ec_kex_nistp256 = {

crypto/enable_dit.c

@@ -0,0 +1,24 @@
+/*
+ * Enable the PSTATE.DIT flag in AArch64, if available.
+ *
+ * This guarantees that data-processing instructions (or rather, a
+ * long list of specific ones) will have data-independent timing
+ * (hence the name). In other words, you want to turn this bit on if
+ * you're trying to do constant-time crypto.
+ *
+ * For maximum performance you'd want to turn this bit back off when
+ * doing any CPU-intensive stuff that _isn't_ cryptographic. That
+ * seems like a small concern in this code base, and carries the risk
+ * of losing track of whether it was on or not, so here we just enable
+ * it for the whole process. That's why there's only an enable_dit()
+ * function in this file and not a disable_dit() to go with it.
+ */
+
+#include "ssh.h"
+
+void enable_dit(void)
+{
+    if (!platform_dit_available())
+        return;
+    asm volatile("msr dit, %0" :: "r"(1));
+}