2000-09-27 15:21:04 +00:00
|
|
|
/*
|
|
|
|
|
* storage.h: interface defining functions for storage and recovery
|
|
|
|
|
* of PuTTY's persistent data.
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
#ifndef PUTTY_STORAGE_H
|
|
|
|
|
#define PUTTY_STORAGE_H
|
|
|
|
|
|
2022-05-02 09:18:16 +00:00
|
|
|
#include "defs.h"
|
|
|
|
|
|
2000-09-27 15:21:04 +00:00
|
|
|
/* ----------------------------------------------------------------------
|
|
|
|
|
* Functions to save and restore PuTTY sessions. Note that this is
|
|
|
|
|
* only the low-level code to do the reading and writing. The
|
Post-release destabilisation! Completely remove the struct type
'Config' in putty.h, which stores all PuTTY's settings and includes an
arbitrary length limit on every single one of those settings which is
stored in string form. In place of it is 'Conf', an opaque data type
everywhere outside the new file conf.c, which stores a list of (key,
value) pairs in which every key contains an integer identifying a
configuration setting, and for some of those integers the key also
contains extra parts (so that, for instance, CONF_environmt is a
string-to-string mapping). Everywhere that a Config was previously
used, a Conf is now; everywhere there was a Config structure copy,
conf_copy() is called; every lookup, adjustment, load and save
operation on a Config has been rewritten; and there's a mechanism for
serialising a Conf into a binary blob and back for use with Duplicate
Session.
User-visible effects of this change _should_ be minimal, though I
don't doubt I've introduced one or two bugs here and there which will
eventually be found. The _intended_ visible effects of this change are
that all arbitrary limits on configuration strings and lists (e.g.
limit on number of port forwardings) should now disappear; that list
boxes in the configuration will now be displayed in a sorted order
rather than the arbitrary order in which they were added to the list
(since the underlying data structure is now a sorted tree234 rather
than an ad-hoc comma-separated string); and one more specific change,
which is that local and dynamic port forwardings on the same port
number are now mutually exclusive in the configuration (putting 'D' in
the key rather than the value was a mistake in the first place).
One other reorganisation as a result of this is that I've moved all
the dialog.c standard handlers (dlg_stdeditbox_handler and friends)
out into config.c, because I can't really justify calling them generic
any more. When they took a pointer to an arbitrary structure type and
the offset of a field within that structure, they were independent of
whether that structure was a Config or something completely different,
but now they really do expect to talk to a Conf, which can _only_ be
used for PuTTY configuration, so I've renamed them all things like
conf_editbox_handler and moved them out of the nominally independent
dialog-box management module into the PuTTY-specific config.c.
[originally from svn r9214]
2011-07-14 18:52:21 +00:00
|
|
|
* higher-level code that translates an internal Conf structure into
|
|
|
|
|
* a set of (key,value) pairs in their external storage format is
|
|
|
|
|
* elsewhere, since it doesn't (mostly) change between platforms.
|
2000-09-27 15:21:04 +00:00
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Write a saved session. The caller is expected to call
|
|
|
|
|
* open_setting_w() to get a `void *' handle, then pass that to a
|
|
|
|
|
* number of calls to write_setting_s() and write_setting_i(), and
|
|
|
|
|
* then close it using close_settings_w(). At the end of this call
|
|
|
|
|
* sequence the settings should have been written to the PuTTY
|
|
|
|
|
* persistent storage area.
|
2001-05-14 22:20:20 +00:00
|
|
|
*
|
|
|
|
|
* A given key will be written at most once while saving a session.
|
|
|
|
|
* Keys may be up to 255 characters long. String values have no length
|
|
|
|
|
* limit.
|
2019-09-08 19:29:00 +00:00
|
|
|
*
|
2003-04-01 18:10:25 +00:00
|
|
|
* Any returned error message must be freed after use.
|
2000-09-27 15:21:04 +00:00
|
|
|
*/
|
2018-09-14 07:45:42 +00:00
|
|
|
settings_w *open_settings_w(const char *sessionname, char **errmsg);
|
|
|
|
|
void write_setting_s(settings_w *handle, const char *key, const char *value);
|
|
|
|
|
void write_setting_i(settings_w *handle, const char *key, int value);
|
|
|
|
|
void write_setting_filename(settings_w *handle,
|
|
|
|
|
const char *key, Filename *value);
|
|
|
|
|
void write_setting_fontspec(settings_w *handle,
|
|
|
|
|
const char *key, FontSpec *font);
|
|
|
|
|
void close_settings_w(settings_w *handle);
|
2000-09-27 15:21:04 +00:00
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Read a saved session. The caller is expected to call
|
|
|
|
|
* open_setting_r() to get a `void *' handle, then pass that to a
|
|
|
|
|
* number of calls to read_setting_s() and read_setting_i(), and
|
|
|
|
|
* then close it using close_settings_r().
|
2019-09-08 19:29:00 +00:00
|
|
|
*
|
Post-release destabilisation! Completely remove the struct type
'Config' in putty.h, which stores all PuTTY's settings and includes an
arbitrary length limit on every single one of those settings which is
stored in string form. In place of it is 'Conf', an opaque data type
everywhere outside the new file conf.c, which stores a list of (key,
value) pairs in which every key contains an integer identifying a
configuration setting, and for some of those integers the key also
contains extra parts (so that, for instance, CONF_environmt is a
string-to-string mapping). Everywhere that a Config was previously
used, a Conf is now; everywhere there was a Config structure copy,
conf_copy() is called; every lookup, adjustment, load and save
operation on a Config has been rewritten; and there's a mechanism for
serialising a Conf into a binary blob and back for use with Duplicate
Session.
User-visible effects of this change _should_ be minimal, though I
don't doubt I've introduced one or two bugs here and there which will
eventually be found. The _intended_ visible effects of this change are
that all arbitrary limits on configuration strings and lists (e.g.
limit on number of port forwardings) should now disappear; that list
boxes in the configuration will now be displayed in a sorted order
rather than the arbitrary order in which they were added to the list
(since the underlying data structure is now a sorted tree234 rather
than an ad-hoc comma-separated string); and one more specific change,
which is that local and dynamic port forwardings on the same port
number are now mutually exclusive in the configuration (putting 'D' in
the key rather than the value was a mistake in the first place).
One other reorganisation as a result of this is that I've moved all
the dialog.c standard handlers (dlg_stdeditbox_handler and friends)
out into config.c, because I can't really justify calling them generic
any more. When they took a pointer to an arbitrary structure type and
the offset of a field within that structure, they were independent of
whether that structure was a Config or something completely different,
but now they really do expect to talk to a Conf, which can _only_ be
used for PuTTY configuration, so I've renamed them all things like
conf_editbox_handler and moved them out of the nominally independent
dialog-box management module into the PuTTY-specific config.c.
[originally from svn r9214]
2011-07-14 18:52:21 +00:00
|
|
|
* read_setting_s() returns a dynamically allocated string which the
|
2011-10-02 11:01:57 +00:00
|
|
|
* caller must free. read_setting_filename() and
|
|
|
|
|
* read_setting_fontspec() likewise return dynamically allocated
|
|
|
|
|
* structures.
|
2019-09-08 19:29:00 +00:00
|
|
|
*
|
2000-09-27 15:21:04 +00:00
|
|
|
* If a particular string setting is not present in the session,
|
|
|
|
|
* read_setting_s() can return NULL, in which case the caller
|
|
|
|
|
* should invent a sensible default. If an integer setting is not
|
|
|
|
|
* present, read_setting_i() returns its provided default.
|
|
|
|
|
*/
|
2018-09-14 07:45:42 +00:00
|
|
|
settings_r *open_settings_r(const char *sessionname);
|
|
|
|
|
char *read_setting_s(settings_r *handle, const char *key);
|
|
|
|
|
int read_setting_i(settings_r *handle, const char *key, int defvalue);
|
|
|
|
|
Filename *read_setting_filename(settings_r *handle, const char *key);
|
|
|
|
|
FontSpec *read_setting_fontspec(settings_r *handle, const char *key);
|
|
|
|
|
void close_settings_r(settings_r *handle);
|
2000-09-27 16:21:52 +00:00
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Delete a whole saved session.
|
|
|
|
|
*/
|
2003-01-14 18:43:45 +00:00
|
|
|
void del_settings(const char *sessionname);
|
2000-09-27 16:21:52 +00:00
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Enumerate all saved sessions.
|
|
|
|
|
*/
|
2018-09-14 07:45:42 +00:00
|
|
|
settings_e *enum_settings_start(void);
|
Rework mungestr() and unmungestr().
For a start, they now have different names on Windows and Unix,
reflecting their different roles: on Windows they apply escaping to
any string that's going to be used as a registry key (be it a session
name, or a host name for host key storage), whereas on Unix they're
for constructing saved-session file names in particular (and also
handle the special case of filling in "Default Settings" for NULL).
Also, they now produce output by writing to a strbuf, which simplifies
a lot of the call sites. In particular, the strbuf output idiom is
passed on to enum_settings_next, which is especially nice because its
only actual caller was doing an ad-hoc realloc loop that I can now get
rid of completely.
Thirdly, on Windows they're centralised into winmisc.c instead of
living in winstore.c, because that way Pageant can use the unescape
function too. (It was spotting the duplication there that made me
think of doing this in the first place, but once I'd started, I had to
keep unravelling the thread...)
2018-11-03 08:58:41 +00:00
|
|
|
bool enum_settings_next(settings_e *handle, strbuf *out);
|
2018-09-14 07:45:42 +00:00
|
|
|
void enum_settings_finish(settings_e *handle);
|
2000-09-27 15:21:04 +00:00
|
|
|
|
|
|
|
|
/* ----------------------------------------------------------------------
|
|
|
|
|
* Functions to access PuTTY's host key database.
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* See if a host key matches the database entry. Return values can
|
|
|
|
|
* be 0 (entry matches database), 1 (entry is absent in database),
|
|
|
|
|
* or 2 (entry exists in database and is different).
|
|
|
|
|
*/
|
Reorganise host key checking and confirmation.
Previously, checking the host key against the persistent cache managed
by the storage.h API was done as part of the seat_verify_ssh_host_key
method, i.e. separately by each Seat.
Now that check is done by verify_ssh_host_key(), which is a new
function in ssh/common.c that centralises all the parts of host key
checking that don't need an interactive prompt. It subsumes the
previous verify_ssh_manual_host_key() that checked against the Conf,
and it does the check against the storage API that each Seat was
previously doing separately. If it can't confirm or definitively
reject the host key by itself, _then_ it calls out to the Seat, once
an interactive prompt is definitely needed.
The main point of doing this is so that when SshProxy forwards a Seat
call from the proxy SSH connection to the primary Seat, it won't print
an announcement of which connection is involved unless it's actually
going to do something interactive. (Not that we're printing those
announcements _yet_ anyway, but this is a piece of groundwork that
works towards doing so.)
But while I'm at it, I've also taken the opportunity to clean things
up a bit by renaming functions sensibly. Previously we had three very
similarly named functions verify_ssh_manual_host_key(), SeatVtable's
'verify_ssh_host_key' method, and verify_host_key() in storage.h. Now
the Seat method is called 'confirm' rather than 'verify' (since its
job is now always to print an interactive prompt, so it looks more
like the other confirm_foo methods), and the storage.h function is
called check_stored_host_key(), which goes better with store_host_key
and avoids having too many functions with similar names. And the
'manual' function is subsumed into the new centralised code, so
there's now just *one* host key function with 'verify' in the name.
Several functions are reindented in this commit. Best viewed with
whitespace changes ignored.
2021-10-25 17:12:17 +00:00
|
|
|
int check_stored_host_key(const char *hostname, int port,
|
|
|
|
|
const char *keytype, const char *key);
|
2000-09-27 15:21:04 +00:00
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Write a host key into the database, overwriting any previous
|
|
|
|
|
* entry that might have been there.
|
2022-09-13 07:49:38 +00:00
|
|
|
*
|
|
|
|
|
* A Seat is provided for error-reporting purposes.
|
2000-09-27 15:21:04 +00:00
|
|
|
*/
|
2022-09-13 07:49:38 +00:00
|
|
|
void store_host_key(Seat *seat, const char *hostname, int port,
|
2019-09-08 19:29:00 +00:00
|
|
|
const char *keytype, const char *key);
|
2000-09-27 15:21:04 +00:00
|
|
|
|
Initial support for host certificates.
Now we offer the OpenSSH certificate key types in our KEXINIT host key
algorithm list, so that if the server has a certificate, they can send
it to us.
There's a new storage.h abstraction for representing a list of trusted
host CAs, and which ones are trusted to certify hosts for what
domains. This is stored outside the normal saved session data, because
the whole point of host certificates is to avoid per-host faffing.
Configuring this set of trusted CAs is done via a new GUI dialog box,
separate from the main PuTTY config box (because it modifies a single
set of settings across all saved sessions), which you can launch by
clicking a button in the 'Host keys' pane. The GUI is pretty crude for
the moment, and very much at a 'just about usable' stage right now. It
will want some polishing.
If we have no CA configured that matches the hostname, we don't offer
to receive certified host keys in the first place. So for existing
users who haven't set any of this up yet, nothing will immediately
change.
Currently, if we do offer to receive certified host keys and the
server presents one signed by a CA we don't trust, PuTTY will bomb out
unconditionally with an error, instead of offering a confirmation box.
That's an unfinished part which I plan to fix before this goes into a
release.
2022-04-22 11:07:24 +00:00
|
|
|
/* ----------------------------------------------------------------------
|
|
|
|
|
* Functions to access PuTTY's configuration for trusted host
|
|
|
|
|
* certification authorities. This must be stored separately from the
|
|
|
|
|
* saved-session data, because the whole point is to avoid having to
|
|
|
|
|
* configure CAs separately per session.
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
struct host_ca {
|
|
|
|
|
char *name;
|
|
|
|
|
strbuf *ca_public_key;
|
2022-06-12 09:04:26 +00:00
|
|
|
char *validity_expression;
|
2022-05-02 09:18:16 +00:00
|
|
|
ca_options opts;
|
Initial support for host certificates.
Now we offer the OpenSSH certificate key types in our KEXINIT host key
algorithm list, so that if the server has a certificate, they can send
it to us.
There's a new storage.h abstraction for representing a list of trusted
host CAs, and which ones are trusted to certify hosts for what
domains. This is stored outside the normal saved session data, because
the whole point of host certificates is to avoid per-host faffing.
Configuring this set of trusted CAs is done via a new GUI dialog box,
separate from the main PuTTY config box (because it modifies a single
set of settings across all saved sessions), which you can launch by
clicking a button in the 'Host keys' pane. The GUI is pretty crude for
the moment, and very much at a 'just about usable' stage right now. It
will want some polishing.
If we have no CA configured that matches the hostname, we don't offer
to receive certified host keys in the first place. So for existing
users who haven't set any of this up yet, nothing will immediately
change.
Currently, if we do offer to receive certified host keys and the
server presents one signed by a CA we don't trust, PuTTY will bomb out
unconditionally with an error, instead of offering a confirmation box.
That's an unfinished part which I plan to fix before this goes into a
release.
2022-04-22 11:07:24 +00:00
|
|
|
};
|
|
|
|
|
|
|
|
|
|
host_ca_enum *enum_host_ca_start(void);
|
|
|
|
|
bool enum_host_ca_next(host_ca_enum *handle, strbuf *out);
|
|
|
|
|
void enum_host_ca_finish(host_ca_enum *handle);
|
|
|
|
|
|
|
|
|
|
host_ca *host_ca_load(const char *name);
|
|
|
|
|
char *host_ca_save(host_ca *); /* NULL on success, or dynamic error msg */
|
|
|
|
|
char *host_ca_delete(const char *name); /* likewise */
|
2022-05-02 06:40:52 +00:00
|
|
|
|
|
|
|
|
host_ca *host_ca_new(void); /* initialises to default settings */
|
Initial support for host certificates.
Now we offer the OpenSSH certificate key types in our KEXINIT host key
algorithm list, so that if the server has a certificate, they can send
it to us.
There's a new storage.h abstraction for representing a list of trusted
host CAs, and which ones are trusted to certify hosts for what
domains. This is stored outside the normal saved session data, because
the whole point of host certificates is to avoid per-host faffing.
Configuring this set of trusted CAs is done via a new GUI dialog box,
separate from the main PuTTY config box (because it modifies a single
set of settings across all saved sessions), which you can launch by
clicking a button in the 'Host keys' pane. The GUI is pretty crude for
the moment, and very much at a 'just about usable' stage right now. It
will want some polishing.
If we have no CA configured that matches the hostname, we don't offer
to receive certified host keys in the first place. So for existing
users who haven't set any of this up yet, nothing will immediately
change.
Currently, if we do offer to receive certified host keys and the
server presents one signed by a CA we don't trust, PuTTY will bomb out
unconditionally with an error, instead of offering a confirmation box.
That's an unfinished part which I plan to fix before this goes into a
release.
2022-04-22 11:07:24 +00:00
|
|
|
void host_ca_free(host_ca *);
|
|
|
|
|
|
2000-09-27 15:21:04 +00:00
|
|
|
/* ----------------------------------------------------------------------
|
|
|
|
|
* Functions to access PuTTY's random number seed file.
|
|
|
|
|
*/
|
|
|
|
|
|
2001-05-06 14:35:20 +00:00
|
|
|
typedef void (*noise_consumer_t) (void *data, int len);
|
2000-09-27 15:21:04 +00:00
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Read PuTTY's random seed file and pass its contents to a noise
|
|
|
|
|
* consumer function.
|
|
|
|
|
*/
|
|
|
|
|
void read_random_seed(noise_consumer_t consumer);
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Write PuTTY's random seed file from a given chunk of noise.
|
|
|
|
|
*/
|
2000-09-27 16:21:52 +00:00
|
|
|
void write_random_seed(void *data, int len);
|
2000-09-27 15:21:04 +00:00
|
|
|
|
|
|
|
|
/* ----------------------------------------------------------------------
|
|
|
|
|
* Cleanup function: remove all of PuTTY's persistent state.
|
|
|
|
|
*/
|
|
|
|
|
void cleanup_all(void);
|
|
|
|
|
|
|
|
|
|
#endif
|