Framework for announcing which Interactor is talking.
All this Interactor business has been gradually working towards being
able to inform the user _which_ network connection is currently
presenting them with a password prompt (or whatever), in situations
where more than one of them might be, such as an SSH connection being
used as a proxy for another SSH connection when neither one has
one-touch login configured.
At some point, we have to arrange that any attempt to do a user
interaction during connection setup - be it a password prompt, a host
key confirmation dialog, or just displaying an SSH login banner -
makes it clear which host it's come from. That's going to mean calling
some kind of announcement function before doing any of those things.
But there are several of those functions in the Seat API, and calls to
them are scattered far and wide across the SSH backend. (And not even
just there - the Rlogin backend also uses seat_get_userpass_input).
How can we possibly make sure we don't forget a vital call site on
some obscure little-tested code path, and leave the user confused in
just that one case which nobody might notice for years?
Today I thought of a trick to solve that problem. We can use the C
type system to enforce it for us!
The plan is: we invent a new struct type which contains nothing but a
'Seat *'. Then, for every Seat method which does a thing that ought to
be clearly identified as relating to a particular Interactor, we
adjust the API for that function to take the new struct type where it
previously took a plain 'Seat *'. Or rather - doing less violence to
the existing code - we only need to adjust the API of the dispatch
functions inline in putty.h.
How does that help? Because the way you _get_ one of these
struct-wrapped Seat pointers is by calling interactor_announce() on
your Interactor, which will in turn call interactor_get_seat(), and
wrap the returned pointer into one of these structs.
The effect is that whenever the SSH (or Rlogin) code wants to call one
of those particular Seat methods, it _has_ to call
interactor_announce() just beforehand, which (once I finish all of
this) will make sure the user is aware of who is presenting the prompt
or banner or whatever. And you can't forget to call it, because if you
don't call it, then you just don't have a struct of the right type to
give to the Seat method you wanted to call!
(Of course, there's nothing stopping code from _deliberately_ taking a
Seat * it already has and wrapping it into the new struct. In fact
SshProxy has to do that, in order to forward these requests up the
chain of Seats. But the point is that you can't do it _by accident_,
just by forgetting to make a vital function call - when you do that,
you _know_ you're doing it on purpose.)
No functional change: the new interactor_announce() function exists,
and the type-system trick ensures it's called in all the right places,
but it doesn't actually _do_ anything yet.
2021-10-30 17:05:36 +00:00
|
|
|
/*
|
|
|
|
* Centralised functions for the Interactor trait.
|
|
|
|
*/
|
|
|
|
|
|
|
|
#include "putty.h"
|
|
|
|
|
2021-10-30 16:45:38 +00:00
|
|
|
Seat *interactor_borrow_seat(Interactor *itr)
|
|
|
|
{
|
|
|
|
Seat *clientseat = interactor_get_seat(itr);
|
|
|
|
if (!clientseat)
|
|
|
|
return NULL;
|
|
|
|
|
|
|
|
/* If the client has already had its Seat borrowed, then look
|
|
|
|
* through the existing TempSeat to find the underlying one. */
|
|
|
|
if (is_tempseat(clientseat))
|
|
|
|
return tempseat_get_real(clientseat);
|
|
|
|
|
|
|
|
/* Otherwise, make a new TempSeat and give that to the client. */
|
|
|
|
Seat *tempseat = tempseat_new(clientseat);
|
|
|
|
interactor_set_seat(itr, tempseat);
|
|
|
|
return clientseat;
|
|
|
|
}
|
|
|
|
|
2021-11-06 11:32:51 +00:00
|
|
|
static Interactor *interactor_toplevel(Interactor *itr, unsigned *level_out)
|
|
|
|
{
|
|
|
|
/*
|
|
|
|
* Find the Interactor at the top of the chain, so that all the
|
|
|
|
* Interactors in a stack can share that one's last-to-talk field.
|
|
|
|
* Also, count how far we had to go to get to it, to put in the
|
|
|
|
* message.
|
|
|
|
*/
|
|
|
|
Interactor *itr_top = itr;
|
|
|
|
unsigned level = 0;
|
|
|
|
while (itr_top->parent) {
|
|
|
|
itr_top = itr_top->parent;
|
|
|
|
level++;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (level_out)
|
|
|
|
*level_out = level;
|
|
|
|
return itr_top;
|
|
|
|
}
|
|
|
|
|
2021-10-30 16:45:38 +00:00
|
|
|
void interactor_return_seat(Interactor *itr)
|
|
|
|
{
|
|
|
|
Seat *tempseat = interactor_get_seat(itr);
|
|
|
|
if (!is_tempseat(tempseat))
|
|
|
|
return; /* no-op */
|
|
|
|
|
|
|
|
tempseat_flush(tempseat);
|
|
|
|
Seat *realseat = tempseat_get_real(tempseat);
|
|
|
|
interactor_set_seat(itr, realseat);
|
|
|
|
tempseat_free(tempseat);
|
|
|
|
|
Actually print announcements of Interactors' identity.
Finally, the payoff from all of this refactoring: now, when a proxy
prompts interactively during connection setup, you get a message in
advance telling you which Interactor is originating the following
messages.
To achieve this, I've arranged to link Interactors together into a
list, so that any Interactor created by a proxy has a 'parent' pointer
pointing to the Interactor its client passed to new_connection().
This allows interactor_announce() to follow the links back up the
chain and count them, so that it knows whether it's a primary
connection, or a proxy, or a proxy-for-a-proxy, or more generally an
nth-order proxy, and can include that in its announcement.
And secondly, once interactor_announce() reaches the top of the chain,
it can use that as a storage location agreed on by all Interactors in
the whole setup, to tell each other which one of them was the last to
do anything interactive. Then, whenever there's a change of
Interactor, a message can be printed to indicate it to the user; and
when the same Interactor does multiple things in succession, you don't
get a slew of pointless messages in between them all.
2021-10-30 17:08:02 +00:00
|
|
|
/*
|
|
|
|
* If we have a parent Interactor, and anyone has ever called
|
|
|
|
* interactor_announce, then all Interactors from now on will
|
|
|
|
* announce themselves even if they have nothing to say.
|
|
|
|
*/
|
2021-11-06 11:32:51 +00:00
|
|
|
Interactor *itr_top = interactor_toplevel(itr, NULL);
|
|
|
|
if (itr_top->last_to_talk)
|
|
|
|
interactor_announce(itr);
|
Actually print announcements of Interactors' identity.
Finally, the payoff from all of this refactoring: now, when a proxy
prompts interactively during connection setup, you get a message in
advance telling you which Interactor is originating the following
messages.
To achieve this, I've arranged to link Interactors together into a
list, so that any Interactor created by a proxy has a 'parent' pointer
pointing to the Interactor its client passed to new_connection().
This allows interactor_announce() to follow the links back up the
chain and count them, so that it knows whether it's a primary
connection, or a proxy, or a proxy-for-a-proxy, or more generally an
nth-order proxy, and can include that in its announcement.
And secondly, once interactor_announce() reaches the top of the chain,
it can use that as a storage location agreed on by all Interactors in
the whole setup, to tell each other which one of them was the last to
do anything interactive. Then, whenever there's a change of
Interactor, a message can be printed to indicate it to the user; and
when the same Interactor does multiple things in succession, you don't
get a slew of pointless messages in between them all.
2021-10-30 17:08:02 +00:00
|
|
|
|
2021-10-30 16:45:38 +00:00
|
|
|
/*
|
|
|
|
* We're about to hand this seat back to the parent Interactor to
|
|
|
|
* do its own thing with. It will typically expect to start in the
|
|
|
|
* same state as if the seat had never been borrowed, i.e. in the
|
|
|
|
* starting trust state.
|
|
|
|
*/
|
|
|
|
seat_set_trust_status(realseat, true);
|
|
|
|
}
|
|
|
|
|
Framework for announcing which Interactor is talking.
All this Interactor business has been gradually working towards being
able to inform the user _which_ network connection is currently
presenting them with a password prompt (or whatever), in situations
where more than one of them might be, such as an SSH connection being
used as a proxy for another SSH connection when neither one has
one-touch login configured.
At some point, we have to arrange that any attempt to do a user
interaction during connection setup - be it a password prompt, a host
key confirmation dialog, or just displaying an SSH login banner -
makes it clear which host it's come from. That's going to mean calling
some kind of announcement function before doing any of those things.
But there are several of those functions in the Seat API, and calls to
them are scattered far and wide across the SSH backend. (And not even
just there - the Rlogin backend also uses seat_get_userpass_input).
How can we possibly make sure we don't forget a vital call site on
some obscure little-tested code path, and leave the user confused in
just that one case which nobody might notice for years?
Today I thought of a trick to solve that problem. We can use the C
type system to enforce it for us!
The plan is: we invent a new struct type which contains nothing but a
'Seat *'. Then, for every Seat method which does a thing that ought to
be clearly identified as relating to a particular Interactor, we
adjust the API for that function to take the new struct type where it
previously took a plain 'Seat *'. Or rather - doing less violence to
the existing code - we only need to adjust the API of the dispatch
functions inline in putty.h.
How does that help? Because the way you _get_ one of these
struct-wrapped Seat pointers is by calling interactor_announce() on
your Interactor, which will in turn call interactor_get_seat(), and
wrap the returned pointer into one of these structs.
The effect is that whenever the SSH (or Rlogin) code wants to call one
of those particular Seat methods, it _has_ to call
interactor_announce() just beforehand, which (once I finish all of
this) will make sure the user is aware of who is presenting the prompt
or banner or whatever. And you can't forget to call it, because if you
don't call it, then you just don't have a struct of the right type to
give to the Seat method you wanted to call!
(Of course, there's nothing stopping code from _deliberately_ taking a
Seat * it already has and wrapping it into the new struct. In fact
SshProxy has to do that, in order to forward these requests up the
chain of Seats. But the point is that you can't do it _by accident_,
just by forgetting to make a vital function call - when you do that,
you _know_ you're doing it on purpose.)
No functional change: the new interactor_announce() function exists,
and the type-system trick ensures it's called in all the right places,
but it doesn't actually _do_ anything yet.
2021-10-30 17:05:36 +00:00
|
|
|
InteractionReadySeat interactor_announce(Interactor *itr)
|
|
|
|
{
|
|
|
|
Seat *seat = interactor_get_seat(itr);
|
Actually print announcements of Interactors' identity.
Finally, the payoff from all of this refactoring: now, when a proxy
prompts interactively during connection setup, you get a message in
advance telling you which Interactor is originating the following
messages.
To achieve this, I've arranged to link Interactors together into a
list, so that any Interactor created by a proxy has a 'parent' pointer
pointing to the Interactor its client passed to new_connection().
This allows interactor_announce() to follow the links back up the
chain and count them, so that it knows whether it's a primary
connection, or a proxy, or a proxy-for-a-proxy, or more generally an
nth-order proxy, and can include that in its announcement.
And secondly, once interactor_announce() reaches the top of the chain,
it can use that as a storage location agreed on by all Interactors in
the whole setup, to tell each other which one of them was the last to
do anything interactive. Then, whenever there's a change of
Interactor, a message can be printed to indicate it to the user; and
when the same Interactor does multiple things in succession, you don't
get a slew of pointless messages in between them all.
2021-10-30 17:08:02 +00:00
|
|
|
assert(!is_tempseat(seat) &&
|
|
|
|
"Shouldn't call announce when someone else is using our seat");
|
Framework for announcing which Interactor is talking.
All this Interactor business has been gradually working towards being
able to inform the user _which_ network connection is currently
presenting them with a password prompt (or whatever), in situations
where more than one of them might be, such as an SSH connection being
used as a proxy for another SSH connection when neither one has
one-touch login configured.
At some point, we have to arrange that any attempt to do a user
interaction during connection setup - be it a password prompt, a host
key confirmation dialog, or just displaying an SSH login banner -
makes it clear which host it's come from. That's going to mean calling
some kind of announcement function before doing any of those things.
But there are several of those functions in the Seat API, and calls to
them are scattered far and wide across the SSH backend. (And not even
just there - the Rlogin backend also uses seat_get_userpass_input).
How can we possibly make sure we don't forget a vital call site on
some obscure little-tested code path, and leave the user confused in
just that one case which nobody might notice for years?
Today I thought of a trick to solve that problem. We can use the C
type system to enforce it for us!
The plan is: we invent a new struct type which contains nothing but a
'Seat *'. Then, for every Seat method which does a thing that ought to
be clearly identified as relating to a particular Interactor, we
adjust the API for that function to take the new struct type where it
previously took a plain 'Seat *'. Or rather - doing less violence to
the existing code - we only need to adjust the API of the dispatch
functions inline in putty.h.
How does that help? Because the way you _get_ one of these
struct-wrapped Seat pointers is by calling interactor_announce() on
your Interactor, which will in turn call interactor_get_seat(), and
wrap the returned pointer into one of these structs.
The effect is that whenever the SSH (or Rlogin) code wants to call one
of those particular Seat methods, it _has_ to call
interactor_announce() just beforehand, which (once I finish all of
this) will make sure the user is aware of who is presenting the prompt
or banner or whatever. And you can't forget to call it, because if you
don't call it, then you just don't have a struct of the right type to
give to the Seat method you wanted to call!
(Of course, there's nothing stopping code from _deliberately_ taking a
Seat * it already has and wrapping it into the new struct. In fact
SshProxy has to do that, in order to forward these requests up the
chain of Seats. But the point is that you can't do it _by accident_,
just by forgetting to make a vital function call - when you do that,
you _know_ you're doing it on purpose.)
No functional change: the new interactor_announce() function exists,
and the type-system trick ensures it's called in all the right places,
but it doesn't actually _do_ anything yet.
2021-10-30 17:05:36 +00:00
|
|
|
|
|
|
|
InteractionReadySeat iseat;
|
|
|
|
iseat.seat = seat;
|
|
|
|
|
2021-11-06 11:32:51 +00:00
|
|
|
unsigned level;
|
|
|
|
Interactor *itr_top = interactor_toplevel(itr, &level);
|
Actually print announcements of Interactors' identity.
Finally, the payoff from all of this refactoring: now, when a proxy
prompts interactively during connection setup, you get a message in
advance telling you which Interactor is originating the following
messages.
To achieve this, I've arranged to link Interactors together into a
list, so that any Interactor created by a proxy has a 'parent' pointer
pointing to the Interactor its client passed to new_connection().
This allows interactor_announce() to follow the links back up the
chain and count them, so that it knows whether it's a primary
connection, or a proxy, or a proxy-for-a-proxy, or more generally an
nth-order proxy, and can include that in its announcement.
And secondly, once interactor_announce() reaches the top of the chain,
it can use that as a storage location agreed on by all Interactors in
the whole setup, to tell each other which one of them was the last to
do anything interactive. Then, whenever there's a change of
Interactor, a message can be printed to indicate it to the user; and
when the same Interactor does multiple things in succession, you don't
get a slew of pointless messages in between them all.
2021-10-30 17:08:02 +00:00
|
|
|
|
|
|
|
/*
|
|
|
|
* Generally, we should announce ourself if the previous
|
|
|
|
* Interactor that said anything was not us. That includes if
|
|
|
|
* there was no previous Interactor to talk (i.e. if we're the
|
|
|
|
* first to say anything) - *except* that the primary Interactor
|
|
|
|
* doesn't need to announce itself, if no proxy has intervened
|
|
|
|
* before it.
|
|
|
|
*/
|
|
|
|
bool need_announcement = (itr_top->last_to_talk != itr);
|
|
|
|
if (!itr->parent && !itr_top->last_to_talk)
|
|
|
|
need_announcement = false;
|
|
|
|
|
|
|
|
if (need_announcement) {
|
|
|
|
const char *prefix = "";
|
|
|
|
if (itr_top->last_to_talk != NULL)
|
|
|
|
prefix = "\r\n";
|
|
|
|
|
|
|
|
char *desc = interactor_description(itr);
|
|
|
|
char *adjective = (level == 0 ? dupstr("primary") :
|
|
|
|
level == 1 ? dupstr("proxy") :
|
|
|
|
dupprintf("proxy^%u", level));
|
|
|
|
char *msg = dupprintf("%sMaking %s %s", prefix, adjective, desc);
|
|
|
|
sfree(adjective);
|
|
|
|
sfree(desc);
|
|
|
|
|
|
|
|
seat_antispoof_msg(iseat, msg);
|
|
|
|
sfree(msg);
|
|
|
|
|
|
|
|
itr_top->last_to_talk = itr;
|
|
|
|
}
|
|
|
|
|
Framework for announcing which Interactor is talking.
All this Interactor business has been gradually working towards being
able to inform the user _which_ network connection is currently
presenting them with a password prompt (or whatever), in situations
where more than one of them might be, such as an SSH connection being
used as a proxy for another SSH connection when neither one has
one-touch login configured.
At some point, we have to arrange that any attempt to do a user
interaction during connection setup - be it a password prompt, a host
key confirmation dialog, or just displaying an SSH login banner -
makes it clear which host it's come from. That's going to mean calling
some kind of announcement function before doing any of those things.
But there are several of those functions in the Seat API, and calls to
them are scattered far and wide across the SSH backend. (And not even
just there - the Rlogin backend also uses seat_get_userpass_input).
How can we possibly make sure we don't forget a vital call site on
some obscure little-tested code path, and leave the user confused in
just that one case which nobody might notice for years?
Today I thought of a trick to solve that problem. We can use the C
type system to enforce it for us!
The plan is: we invent a new struct type which contains nothing but a
'Seat *'. Then, for every Seat method which does a thing that ought to
be clearly identified as relating to a particular Interactor, we
adjust the API for that function to take the new struct type where it
previously took a plain 'Seat *'. Or rather - doing less violence to
the existing code - we only need to adjust the API of the dispatch
functions inline in putty.h.
How does that help? Because the way you _get_ one of these
struct-wrapped Seat pointers is by calling interactor_announce() on
your Interactor, which will in turn call interactor_get_seat(), and
wrap the returned pointer into one of these structs.
The effect is that whenever the SSH (or Rlogin) code wants to call one
of those particular Seat methods, it _has_ to call
interactor_announce() just beforehand, which (once I finish all of
this) will make sure the user is aware of who is presenting the prompt
or banner or whatever. And you can't forget to call it, because if you
don't call it, then you just don't have a struct of the right type to
give to the Seat method you wanted to call!
(Of course, there's nothing stopping code from _deliberately_ taking a
Seat * it already has and wrapping it into the new struct. In fact
SshProxy has to do that, in order to forward these requests up the
chain of Seats. But the point is that you can't do it _by accident_,
just by forgetting to make a vital function call - when you do that,
you _know_ you're doing it on purpose.)
No functional change: the new interactor_announce() function exists,
and the type-system trick ensures it's called in all the right places,
but it doesn't actually _do_ anything yet.
2021-10-30 17:05:36 +00:00
|
|
|
return iseat;
|
|
|
|
}
|