nhyatt/putty-source
1
0
Fork 0
mirror of https://git.tartarus.org/simon/putty.git synced 2025-01-10 18:07:59 +00:00
Code Issues Projects Releases Wiki Activity
91a624fb70
putty-source/windows/winpgntc.c

127 lines
3.4 KiB
C
Raw Normal View History

Added Pageant, a first-attempt PuTTY authentication agent [originally from svn r589]
2000-09-14 15:02:50 +00:00
/*
* Pageant client code.
*/
#include <stdio.h>
#include <stdlib.h>
Rewrite agent forwarding to serialise requests. The previous agent-forwarding system worked by passing each complete query received from the input to agent_query() as soon as it was ready. So if the remote client were to pipeline multiple requests, then Unix PuTTY (in which agent_query() works asynchronously) would parallelise them into many _simultaneous_ connections to the real agent - and would not track which query went out first, so that if the real agent happened to send its replies (to what _it_ thought were independent clients) in the wrong order, then PuTTY would serialise the replies on to the forwarding channel in whatever order it got them, which wouldn't be the order the remote client was expecting. To solve this, I've done a considerable rewrite, which keeps the request stream in a bufchain, and only removes data from the bufchain when it has a complete request. Then, if agent_query decides to be asynchronous, the forwarding system waits for _that_ agent response before even trying to extract the next request's worth of data from the bufchain. As an added bonus (in principle), this gives agent-forwarding channels some actual flow control for the first time ever! If a client spams us with an endless stream of rapid requests, and never reads its responses, then the output side of the channel will run out of window, which causes us to stop processing requests until we have space to send responses again, which in turn causes us to stop granting extra window on the input side, which serves the client right.
2017-01-29 19:40:38 +00:00
#include <assert.h>
Added Pageant, a first-attempt PuTTY authentication agent [originally from svn r589]
2000-09-14 15:02:50 +00:00
Asynchronous agent requests on Windows. Actually, I've kept the ability to do synchronous ones as well, because PSCP and PSFTP don't really need async ones and it would have been a serious pain to implement them. Also, Pageant itself when run as a client of its primary instance doesn't benefit noticeably from async agent requests. [originally from svn r3154]
2003-04-28 13:59:32 +00:00
#include "putty.h"
Remove duplicate definition of AGENT_MAX_MSGLEN. Now all references of that constant use the same definition in pageant.h, so it'll be easy to change if we ever need to.
2017-01-30 19:42:28 +00:00
#include "pageant.h" /* for AGENT_MAX_MSGLEN */
Make memory management uniform: _everything_ now goes through the smalloc() macros and thence to the safemalloc() functions in misc.c. This should allow me to plug in a debugging allocator and track memory leaks and segfaults and things. [originally from svn r818]
2000-12-12 10:33:13 +00:00
More careful owner SID selection in the Pageant client code. This should solve some of the SID-mismatch issues we've occasionally had reported. Because it's a modification on the client side, it doesn't affect the security of Pageant itself. [originally from svn r9043]
2010-12-23 15:22:50 +00:00
#ifndef NO_SECURITY
Move the dynamic loading of advapi into its own module. There's now a winsecur.[ch], which centralises helper functions using the Windows security stuff in advapi.h (currently just get_user_sid), and also centralises the run-time loading of those functions and checking they're all there. [originally from svn r10082]
2013-11-17 14:05:29 +00:00
#include "winsecur.h"
More careful owner SID selection in the Pageant client code. This should solve some of the SID-mismatch issues we've occasionally had reported. Because it's a modification on the client side, it doesn't affect the security of Pageant itself. [originally from svn r9043]
2010-12-23 15:22:50 +00:00
#endif
Improved means of IPC between agent and PuTTY [originally from svn r601]
2000-09-19 16:29:28 +00:00
#define AGENT_COPYDATA_ID 0x804e50ba /* random goop */
Run entire source base through GNU indent to tidy up the varying coding styles of the various contributors! Woohoo! [originally from svn r1098]
2001-05-06 14:35:20 +00:00
int agent_exists(void)
{
Added Pageant, a first-attempt PuTTY authentication agent [originally from svn r589]
2000-09-14 15:02:50 +00:00
HWND hwnd;
hwnd = FindWindow("Pageant", "Pageant");
if (!hwnd)
Run entire source base through GNU indent to tidy up the varying coding styles of the various contributors! Woohoo! [originally from svn r1098]
2001-05-06 14:35:20 +00:00
return FALSE;
Added Pageant, a first-attempt PuTTY authentication agent [originally from svn r589]
2000-09-14 15:02:50 +00:00
else
Run entire source base through GNU indent to tidy up the varying coding styles of the various contributors! Woohoo! [originally from svn r1098]
2001-05-06 14:35:20 +00:00
return TRUE;
Added Pageant, a first-attempt PuTTY authentication agent [originally from svn r589]
2000-09-14 15:02:50 +00:00
}
Make asynchronous agent_query() requests cancellable. Now, instead of returning a boolean indicating whether the query has completed or is still pending, agent_query() returns NULL to indicate that the query _has_ completed, and if it hasn't, it returns a pointer to a context structure representing the pending query, so that the latter can be used to cancel the query if (for example) you later decide you need to free the thing its callback was using as a context. This should fix a potential race-condition segfault if you overload an agent forwarding channel and then close it abruptly. (Which nobody will be doing for sensible purposes, of course! But I ran across this while stress-testing other aspects of agent forwarding.)
2017-01-29 20:24:15 +00:00
void agent_cancel_query(agent_pending_query *q)
{
assert(0 && "Windows agent queries are never asynchronous!");
}
agent_pending_query *agent_query(
Build outgoing SSH agent requests in a strbuf. This simplifies the client code both in ssh.c and in the client side of Pageant. I've cheated a tiny bit by preparing agent requests in a strbuf that has space reserved at the front for the packet frame, which makes life easier for the code that sends them off.
2018-05-24 12:18:13 +00:00
strbuf *query, void **out, int *outlen,
Make asynchronous agent_query() requests cancellable. Now, instead of returning a boolean indicating whether the query has completed or is still pending, agent_query() returns NULL to indicate that the query _has_ completed, and if it hasn't, it returns a pointer to a context structure representing the pending query, so that the latter can be used to cancel the query if (for example) you later decide you need to free the thing its callback was using as a context. This should fix a potential race-condition segfault if you overload an agent forwarding channel and then close it abruptly. (Which nobody will be doing for sensible purposes, of course! But I ran across this while stress-testing other aspects of agent forwarding.)
2017-01-29 20:24:15 +00:00
void (*callback)(void *, void *, int), void *callback_ctx)
Run entire source base through GNU indent to tidy up the varying coding styles of the various contributors! Woohoo! [originally from svn r1098]
2001-05-06 14:35:20 +00:00
{
Added Pageant, a first-attempt PuTTY authentication agent [originally from svn r589]
2000-09-14 15:02:50 +00:00
HWND hwnd;
Asynchronous agent requests on Windows. Actually, I've kept the ability to do synchronous ones as well, because PSCP and PSFTP don't really need async ones and it would have been a serious pain to implement them. Also, Pageant itself when run as a client of its primary instance doesn't benefit noticeably from async agent requests. [originally from svn r3154]
2003-04-28 13:59:32 +00:00
char *mapname;
Added Pageant, a first-attempt PuTTY authentication agent [originally from svn r589]
2000-09-14 15:02:50 +00:00
HANDLE filemap;
Improved means of IPC between agent and PuTTY [originally from svn r601]
2000-09-19 16:29:28 +00:00
unsigned char *p, *ret;
Added Pageant, a first-attempt PuTTY authentication agent [originally from svn r589]
2000-09-14 15:02:50 +00:00
int id, retlen;
COPYDATASTRUCT cds;
More careful owner SID selection in the Pageant client code. This should solve some of the SID-mismatch issues we've occasionally had reported. Because it's a modification on the client side, it doesn't affect the security of Pageant itself. [originally from svn r9043]
2010-12-23 15:22:50 +00:00
SECURITY_ATTRIBUTES sa, *psa;
PSECURITY_DESCRIPTOR psd = NULL;
Make Pageant use the same SID-selection logic as the Pageant client code (as introduced in r9043), so that it uses the user SID rather than the default SID. This does change the access-control model, in that a Pageant running with administrator privilege will now serve keys to an unprivileged PuTTY running as the same user who started Pageant. Owen and I think this isn't a problem (in particular, it will still not serve keys to a _different_ user). More importantly, making the Pageant client and server code work the same way means that PuTTY and Pageant can still talk to each other when UAC is turned off, which we've had several reports of r9043 having broken. [originally from svn r9178] [r9043 == 05f22632eb45c9b8d17e8ffe7aa97e2590f8f11c]
2011-06-08 20:47:07 +00:00
PSID usersid = NULL;
Added Pageant, a first-attempt PuTTY authentication agent [originally from svn r589]
2000-09-14 15:02:50 +00:00
*out = NULL;
*outlen = 0;
Build outgoing SSH agent requests in a strbuf. This simplifies the client code both in ssh.c and in the client side of Pageant. I've cheated a tiny bit by preparing agent requests in a strbuf that has space reserved at the front for the packet frame, which makes life easier for the code that sends them off.
2018-05-24 12:18:13 +00:00
if (query->len > AGENT_MAX_MSGLEN)
return NULL; /* query too large */
Added Pageant, a first-attempt PuTTY authentication agent [originally from svn r589]
2000-09-14 15:02:50 +00:00
hwnd = FindWindow("Pageant", "Pageant");
if (!hwnd)
Make asynchronous agent_query() requests cancellable. Now, instead of returning a boolean indicating whether the query has completed or is still pending, agent_query() returns NULL to indicate that the query _has_ completed, and if it hasn't, it returns a pointer to a context structure representing the pending query, so that the latter can be used to cancel the query if (for example) you later decide you need to free the thing its callback was using as a context. This should fix a potential race-condition segfault if you overload an agent forwarding channel and then close it abruptly. (Which nobody will be doing for sensible purposes, of course! But I ran across this while stress-testing other aspects of agent forwarding.)
2017-01-29 20:24:15 +00:00
return NULL; /* *out == NULL, so failure */
Asynchronous agent requests on Windows. Actually, I've kept the ability to do synchronous ones as well, because PSCP and PSFTP don't really need async ones and it would have been a serious pain to implement them. Also, Pageant itself when run as a client of its primary instance doesn't benefit noticeably from async agent requests. [originally from svn r3154]
2003-04-28 13:59:32 +00:00
mapname = dupprintf("PageantRequest%08x", (unsigned)GetCurrentThreadId());
More careful owner SID selection in the Pageant client code. This should solve some of the SID-mismatch issues we've occasionally had reported. Because it's a modification on the client side, it doesn't affect the security of Pageant itself. [originally from svn r9043]
2010-12-23 15:22:50 +00:00
Initialise 'psa' to NULL on every code path in the Pageant client code, fixing a potential segfault when compiling with -DNO_SECURITY. [originally from svn r9954]
2013-07-21 11:01:22 +00:00
psa = NULL;
More careful owner SID selection in the Pageant client code. This should solve some of the SID-mismatch issues we've occasionally had reported. Because it's a modification on the client side, it doesn't affect the security of Pageant itself. [originally from svn r9043]
2010-12-23 15:22:50 +00:00
#ifndef NO_SECURITY
Move the dynamic loading of advapi into its own module. There's now a winsecur.[ch], which centralises helper functions using the Windows security stuff in advapi.h (currently just get_user_sid), and also centralises the run-time loading of those functions and checking they're all there. [originally from svn r10082]
2013-11-17 14:05:29 +00:00
if (got_advapi()) {
More careful owner SID selection in the Pageant client code. This should solve some of the SID-mismatch issues we've occasionally had reported. Because it's a modification on the client side, it doesn't affect the security of Pageant itself. [originally from svn r9043]
2010-12-23 15:22:50 +00:00
/*
* Make the file mapping we create for communication with
* Pageant owned by the user SID rather than the default. This
* should make communication between processes with slightly
* different contexts more reliable: in particular, command
* prompts launched as administrator should still be able to
* run PSFTPs which refer back to the owning user's
* unprivileged Pageant.
*/
Make Pageant use the same SID-selection logic as the Pageant client code (as introduced in r9043), so that it uses the user SID rather than the default SID. This does change the access-control model, in that a Pageant running with administrator privilege will now serve keys to an unprivileged PuTTY running as the same user who started Pageant. Owen and I think this isn't a problem (in particular, it will still not serve keys to a _different_ user). More importantly, making the Pageant client and server code work the same way means that PuTTY and Pageant can still talk to each other when UAC is turned off, which we've had several reports of r9043 having broken. [originally from svn r9178] [r9043 == 05f22632eb45c9b8d17e8ffe7aa97e2590f8f11c]
2011-06-08 20:47:07 +00:00
usersid = get_user_sid();
More careful owner SID selection in the Pageant client code. This should solve some of the SID-mismatch issues we've occasionally had reported. Because it's a modification on the client side, it doesn't affect the security of Pageant itself. [originally from svn r9043]
2010-12-23 15:22:50 +00:00
Make Pageant use the same SID-selection logic as the Pageant client code (as introduced in r9043), so that it uses the user SID rather than the default SID. This does change the access-control model, in that a Pageant running with administrator privilege will now serve keys to an unprivileged PuTTY running as the same user who started Pageant. Owen and I think this isn't a problem (in particular, it will still not serve keys to a _different_ user). More importantly, making the Pageant client and server code work the same way means that PuTTY and Pageant can still talk to each other when UAC is turned off, which we've had several reports of r9043 having broken. [originally from svn r9178] [r9043 == 05f22632eb45c9b8d17e8ffe7aa97e2590f8f11c]
2011-06-08 20:47:07 +00:00
if (usersid) {
More careful owner SID selection in the Pageant client code. This should solve some of the SID-mismatch issues we've occasionally had reported. Because it's a modification on the client side, it doesn't affect the security of Pageant itself. [originally from svn r9043]
2010-12-23 15:22:50 +00:00
psd = (PSECURITY_DESCRIPTOR)
LocalAlloc(LPTR, SECURITY_DESCRIPTOR_MIN_LENGTH);
if (psd) {
if (p_InitializeSecurityDescriptor
(psd, SECURITY_DESCRIPTOR_REVISION) &&
Make Pageant use the same SID-selection logic as the Pageant client code (as introduced in r9043), so that it uses the user SID rather than the default SID. This does change the access-control model, in that a Pageant running with administrator privilege will now serve keys to an unprivileged PuTTY running as the same user who started Pageant. Owen and I think this isn't a problem (in particular, it will still not serve keys to a _different_ user). More importantly, making the Pageant client and server code work the same way means that PuTTY and Pageant can still talk to each other when UAC is turned off, which we've had several reports of r9043 having broken. [originally from svn r9178] [r9043 == 05f22632eb45c9b8d17e8ffe7aa97e2590f8f11c]
2011-06-08 20:47:07 +00:00
p_SetSecurityDescriptorOwner(psd, usersid, FALSE)) {
More careful owner SID selection in the Pageant client code. This should solve some of the SID-mismatch issues we've occasionally had reported. Because it's a modification on the client side, it doesn't affect the security of Pageant itself. [originally from svn r9043]
2010-12-23 15:22:50 +00:00
sa.nLength = sizeof(sa);
sa.bInheritHandle = TRUE;
sa.lpSecurityDescriptor = psd;
psa = &sa;
} else {
LocalFree(psd);
psd = NULL;
}
}
}
}
#endif /* NO_SECURITY */
filemap = CreateFileMapping(INVALID_HANDLE_VALUE, psa, PAGE_READWRITE,
Run entire source base through GNU indent to tidy up the varying coding styles of the various contributors! Woohoo! [originally from svn r1098]
2001-05-06 14:35:20 +00:00
0, AGENT_MAX_MSGLEN, mapname);
Another big batch of memory leak fixes, again mostly on error paths. The most interesting one is printer_add_enum, which I've modified to take a char ** rather than a char * so that it can both realloc its input buffer _and_ return NULL to indicate error. [originally from svn r9959]
2013-07-22 07:11:54 +00:00
if (filemap == NULL || filemap == INVALID_HANDLE_VALUE) {
sfree(mapname);
Make asynchronous agent_query() requests cancellable. Now, instead of returning a boolean indicating whether the query has completed or is still pending, agent_query() returns NULL to indicate that the query _has_ completed, and if it hasn't, it returns a pointer to a context structure representing the pending query, so that the latter can be used to cancel the query if (for example) you later decide you need to free the thing its callback was using as a context. This should fix a potential race-condition segfault if you overload an agent forwarding channel and then close it abruptly. (Which nobody will be doing for sensible purposes, of course! But I ran across this while stress-testing other aspects of agent forwarding.)
2017-01-29 20:24:15 +00:00
return NULL; /* *out == NULL, so failure */
Another big batch of memory leak fixes, again mostly on error paths. The most interesting one is printer_add_enum, which I've modified to take a char ** rather than a char * so that it can both realloc its input buffer _and_ return NULL to indicate error. [originally from svn r9959]
2013-07-22 07:11:54 +00:00
}
Improved means of IPC between agent and PuTTY [originally from svn r601]
2000-09-19 16:29:28 +00:00
p = MapViewOfFile(filemap, FILE_MAP_WRITE, 0, 0, 0);
Build outgoing SSH agent requests in a strbuf. This simplifies the client code both in ssh.c and in the client side of Pageant. I've cheated a tiny bit by preparing agent requests in a strbuf that has space reserved at the front for the packet frame, which makes life easier for the code that sends them off.
2018-05-24 12:18:13 +00:00
strbuf_finalise_agent_query(query);
memcpy(p, query->s, query->len);
Improved means of IPC between agent and PuTTY [originally from svn r601]
2000-09-19 16:29:28 +00:00
cds.dwData = AGENT_COPYDATA_ID;
Run entire source base through GNU indent to tidy up the varying coding styles of the various contributors! Woohoo! [originally from svn r1098]
2001-05-06 14:35:20 +00:00
cds.cbData = 1 + strlen(mapname);
Improved means of IPC between agent and PuTTY [originally from svn r601]
2000-09-19 16:29:28 +00:00
cds.lpData = mapname;
Asynchronous agent requests on Windows. Actually, I've kept the ability to do synchronous ones as well, because PSCP and PSFTP don't really need async ones and it would have been a serious pain to implement them. Also, Pageant itself when run as a client of its primary instance doesn't benefit noticeably from async agent requests. [originally from svn r3154]
2003-04-28 13:59:32 +00:00
/*
* The user either passed a null callback (indicating that the
* query is required to be synchronous) or CreateThread failed.
* Either way, we need a synchronous request.
*/
More confusing "(BYTE *) & val" style punctuation. I blame GNU indent, although its confusion is understandable. [originally from svn r5432]
2005-03-02 15:53:50 +00:00
id = SendMessage(hwnd, WM_COPYDATA, (WPARAM) NULL, (LPARAM) &cds);
Added Pageant, a first-attempt PuTTY authentication agent [originally from svn r589]
2000-09-14 15:02:50 +00:00
if (id > 0) {
Run entire source base through GNU indent to tidy up the varying coding styles of the various contributors! Woohoo! [originally from svn r1098]
2001-05-06 14:35:20 +00:00
retlen = 4 + GET_32BIT(p);
Introduced wrapper macros snew(), snewn() and sresize() for the malloc functions, which automatically cast to the same type they're allocating the size of. Should prevent any future errors involving mallocing the size of the wrong structure type, and will also make life easier if we ever need to turn the PuTTY core code from real C into C++-friendly C. I haven't touched the Mac frontend in this checkin because I couldn't compile or test it. [originally from svn r3014]
2003-03-29 16:14:26 +00:00
ret = snewn(retlen, unsigned char);
Run entire source base through GNU indent to tidy up the varying coding styles of the various contributors! Woohoo! [originally from svn r1098]
2001-05-06 14:35:20 +00:00
if (ret) {
memcpy(ret, p, retlen);
*out = ret;
*outlen = retlen;
}
Added Pageant, a first-attempt PuTTY authentication agent [originally from svn r589]
2000-09-14 15:02:50 +00:00
}
Improved means of IPC between agent and PuTTY [originally from svn r601]
2000-09-19 16:29:28 +00:00
UnmapViewOfFile(p);
CloseHandle(filemap);
Another big batch of memory leak fixes, again mostly on error paths. The most interesting one is printer_add_enum, which I've modified to take a char ** rather than a char * so that it can both realloc its input buffer _and_ return NULL to indicate error. [originally from svn r9959]
2013-07-22 07:11:54 +00:00
sfree(mapname);
More careful owner SID selection in the Pageant client code. This should solve some of the SID-mismatch issues we've occasionally had reported. Because it's a modification on the client side, it doesn't affect the security of Pageant itself. [originally from svn r9043]
2010-12-23 15:22:50 +00:00
if (psd)
LocalFree(psd);
Make asynchronous agent_query() requests cancellable. Now, instead of returning a boolean indicating whether the query has completed or is still pending, agent_query() returns NULL to indicate that the query _has_ completed, and if it hasn't, it returns a pointer to a context structure representing the pending query, so that the latter can be used to cancel the query if (for example) you later decide you need to free the thing its callback was using as a context. This should fix a potential race-condition segfault if you overload an agent forwarding channel and then close it abruptly. (Which nobody will be doing for sensible purposes, of course! But I ran across this while stress-testing other aspects of agent forwarding.)
2017-01-29 20:24:15 +00:00
return NULL;
Added Pageant, a first-attempt PuTTY authentication agent [originally from svn r589]
2000-09-14 15:02:50 +00:00
}
Reference in New Issue Copy Permalink