2015-05-05 19:16:23 +00:00
|
|
|
/*
|
|
|
|
* Unix Pageant, more or less similar to ssh-agent.
|
|
|
|
*/
|
|
|
|
|
|
|
|
#include <stdio.h>
|
|
|
|
#include <stdlib.h>
|
|
|
|
#include <errno.h>
|
|
|
|
#include <assert.h>
|
|
|
|
#include <signal.h>
|
2015-05-12 12:27:33 +00:00
|
|
|
#include <ctype.h>
|
2015-05-05 19:16:23 +00:00
|
|
|
|
|
|
|
#include <sys/types.h>
|
|
|
|
#include <sys/wait.h>
|
2020-02-02 18:52:10 +00:00
|
|
|
#include <sys/stat.h>
|
Unix Pageant: -T option, tying lifetime to controlling tty.
This is intended to be a useful mode when you want to run an ssh agent
in a terminal session with no X11 available. You just execute a
command along the lines of eval $(pageant -T), and then Pageant will
run in the background for the rest of that terminal session - and when
the terminal session ends, so that Pageant loses its controlling tty,
it will take that as the signal to shut down. So, no need to manually
kill it, and unlike 'pageant --exec $SHELL', you can also do this half
way through a session if you don't realise until later that you need
an SSH agent, without losing any shell command history or other shell
context that you've accumulated so far in the session.
Unfortunately, I haven't been able to find any reliable way to
actually implement this -T mode, short of having Pageant wake up at
regular intervals and try to open /dev/tty to see if it's still there.
I had hoped that I could arrange to reliably get SIGHUP, or select on
/dev/tty for exceptional conditions, or some such, but nothing I've
tried along those lines seems to work.
2015-05-08 18:50:48 +00:00
|
|
|
#include <fcntl.h>
|
2015-05-05 19:16:23 +00:00
|
|
|
#include <unistd.h>
|
2020-02-02 16:43:58 +00:00
|
|
|
#include <termios.h>
|
2015-05-05 19:16:23 +00:00
|
|
|
|
|
|
|
#include "putty.h"
|
|
|
|
#include "ssh.h"
|
|
|
|
#include "misc.h"
|
|
|
|
#include "pageant.h"
|
|
|
|
|
New abstraction 'Seat', to pass to backends.
This is a new vtable-based abstraction which is passed to a backend in
place of Frontend, and it implements only the subset of the Frontend
functions needed by a backend. (Many other Frontend functions still
exist, notably the wide range of things called by terminal.c providing
platform-independent operations on the GUI terminal window.)
The purpose of making it a vtable is that this opens up the
possibility of creating a backend as an internal implementation detail
of some other activity, by providing just that one backend with a
custom Seat that implements the methods differently.
For example, this refactoring should make it feasible to directly
implement an SSH proxy type, aka the 'jump host' feature supported by
OpenSSH, aka 'open a secondary SSH session in MAINCHAN_DIRECT_TCP
mode, and then expose the main channel of that as the Socket for the
primary connection'. (Which of course you can already do by spawning
'plink -nc' as a separate proxy process, but this would permit it in
the _same_ process without anything getting confused.)
I've centralised a full set of stub methods in misc.c for the new
abstraction, which allows me to get rid of several annoying stubs in
the previous code. Also, while I'm here, I've moved a lot of
duplicated modalfatalbox() type functions from application main
program files into wincons.c / uxcons.c, which I think saves
duplication overall. (A minor visible effect is that the prefixes on
those console-based fatal error messages will now be more consistent
between applications.)
2018-10-11 18:58:42 +00:00
|
|
|
void cmdline_error(const char *fmt, ...)
|
2015-05-05 19:16:23 +00:00
|
|
|
{
|
|
|
|
va_list ap;
|
New abstraction 'Seat', to pass to backends.
This is a new vtable-based abstraction which is passed to a backend in
place of Frontend, and it implements only the subset of the Frontend
functions needed by a backend. (Many other Frontend functions still
exist, notably the wide range of things called by terminal.c providing
platform-independent operations on the GUI terminal window.)
The purpose of making it a vtable is that this opens up the
possibility of creating a backend as an internal implementation detail
of some other activity, by providing just that one backend with a
custom Seat that implements the methods differently.
For example, this refactoring should make it feasible to directly
implement an SSH proxy type, aka the 'jump host' feature supported by
OpenSSH, aka 'open a secondary SSH session in MAINCHAN_DIRECT_TCP
mode, and then expose the main channel of that as the Socket for the
primary connection'. (Which of course you can already do by spawning
'plink -nc' as a separate proxy process, but this would permit it in
the _same_ process without anything getting confused.)
I've centralised a full set of stub methods in misc.c for the new
abstraction, which allows me to get rid of several annoying stubs in
the previous code. Also, while I'm here, I've moved a lot of
duplicated modalfatalbox() type functions from application main
program files into wincons.c / uxcons.c, which I think saves
duplication overall. (A minor visible effect is that the prefixes on
those console-based fatal error messages will now be more consistent
between applications.)
2018-10-11 18:58:42 +00:00
|
|
|
va_start(ap, fmt);
|
|
|
|
console_print_error_msg_fmt_v("pageant", fmt, ap);
|
2015-05-05 19:16:23 +00:00
|
|
|
va_end(ap);
|
|
|
|
exit(1);
|
|
|
|
}
|
|
|
|
|
2020-02-08 18:35:37 +00:00
|
|
|
static void setup_sigchld_handler(void);
|
|
|
|
|
2020-02-08 18:36:09 +00:00
|
|
|
typedef enum RuntimePromptType {
|
|
|
|
RTPROMPT_UNAVAILABLE,
|
|
|
|
RTPROMPT_DEBUG,
|
|
|
|
RTPROMPT_GUI,
|
|
|
|
} RuntimePromptType;
|
|
|
|
|
|
|
|
static const char *progname;
|
|
|
|
|
Pageant: new asynchronous internal APIs.
This is a pure refactoring: no functional change expected.
This commit introduces two new small vtable-style APIs. One is
PageantClient, which identifies a particular client of the Pageant
'core' (meaning the code that handles each individual request). This
changes pageant_handle_msg into an asynchronous operation: you pass in
an agent request message and an identifier, and at some later point,
the got_response method in your PageantClient will be called with the
answer (and the same identifier, to allow you to match requests to
responses). The trait vtable also contains a logging system.
The main importance of PageantClient, and the reason why it has to
exist instead of just passing pageant_handle_msg a bare callback
function pointer and context parameter, is that it provides robustness
if a client stops existing while a request is still pending. You call
pageant_unregister_client, and any unfinished requests associated with
that client in the Pageant core will be cleaned up, so that you're
guaranteed that after the unregister operation, no stray callbacks
will happen with a stale pointer to that client.
The WM_COPYDATA interface of Windows Pageant is a direct client of
this API. The other client is PageantListener, the system that lives
in pageant.c and handles stream-based agent connections for both Unix
Pageant and the new Windows named-pipe IPC. More specifically, each
individual connection to the listening socket is a separate
PageantClient, which means that if a socket is closed abruptly or
suffers an OS error, that client can be unregistered and any pending
requests cancelled without disrupting other connections.
Users of PageantListener have a second client vtable they can use,
called PageantListenerClient. That contains _only_ logging facilities,
and at the moment, only Unix Pageant bothers to use it (and even that
only in debugging mode).
Finally, internally to the Pageant core, there's a new trait called
PageantAsyncOp which describes an agent request in the process of
being handled. But at the moment, it has only one trivial
implementation, which is handed the full response message already
constructed, and on the next toplevel callback, passes it back to the
PageantClient.
2020-01-25 17:24:28 +00:00
|
|
|
struct uxpgnt_client {
|
2020-02-02 16:43:58 +00:00
|
|
|
FILE *logfp;
|
2020-02-08 18:36:09 +00:00
|
|
|
strbuf *prompt_buf;
|
|
|
|
RuntimePromptType prompt_type;
|
|
|
|
bool prompt_active;
|
2020-02-02 16:43:58 +00:00
|
|
|
PageantClientDialogId *dlgid;
|
2020-02-07 19:14:32 +00:00
|
|
|
int passphrase_fd;
|
|
|
|
int termination_pid;
|
2020-02-02 16:43:58 +00:00
|
|
|
|
Pageant: new asynchronous internal APIs.
This is a pure refactoring: no functional change expected.
This commit introduces two new small vtable-style APIs. One is
PageantClient, which identifies a particular client of the Pageant
'core' (meaning the code that handles each individual request). This
changes pageant_handle_msg into an asynchronous operation: you pass in
an agent request message and an identifier, and at some later point,
the got_response method in your PageantClient will be called with the
answer (and the same identifier, to allow you to match requests to
responses). The trait vtable also contains a logging system.
The main importance of PageantClient, and the reason why it has to
exist instead of just passing pageant_handle_msg a bare callback
function pointer and context parameter, is that it provides robustness
if a client stops existing while a request is still pending. You call
pageant_unregister_client, and any unfinished requests associated with
that client in the Pageant core will be cleaned up, so that you're
guaranteed that after the unregister operation, no stray callbacks
will happen with a stale pointer to that client.
The WM_COPYDATA interface of Windows Pageant is a direct client of
this API. The other client is PageantListener, the system that lives
in pageant.c and handles stream-based agent connections for both Unix
Pageant and the new Windows named-pipe IPC. More specifically, each
individual connection to the listening socket is a separate
PageantClient, which means that if a socket is closed abruptly or
suffers an OS error, that client can be unregistered and any pending
requests cancelled without disrupting other connections.
Users of PageantListener have a second client vtable they can use,
called PageantListenerClient. That contains _only_ logging facilities,
and at the moment, only Unix Pageant bothers to use it (and even that
only in debugging mode).
Finally, internally to the Pageant core, there's a new trait called
PageantAsyncOp which describes an agent request in the process of
being handled. But at the moment, it has only one trivial
implementation, which is handed the full response message already
constructed, and on the next toplevel callback, passes it back to the
PageantClient.
2020-01-25 17:24:28 +00:00
|
|
|
PageantListenerClient plc;
|
|
|
|
};
|
|
|
|
|
|
|
|
static void uxpgnt_log(PageantListenerClient *plc, const char *fmt, va_list ap)
|
2015-05-05 19:16:23 +00:00
|
|
|
{
|
2020-02-02 16:43:58 +00:00
|
|
|
struct uxpgnt_client *upc = container_of(plc, struct uxpgnt_client, plc);
|
|
|
|
|
|
|
|
if (!upc->logfp)
|
2015-05-05 19:16:23 +00:00
|
|
|
return;
|
|
|
|
|
2020-02-02 16:43:58 +00:00
|
|
|
fprintf(upc->logfp, "pageant: ");
|
|
|
|
vfprintf(upc->logfp, fmt, ap);
|
|
|
|
fprintf(upc->logfp, "\n");
|
2015-05-05 19:16:23 +00:00
|
|
|
}
|
|
|
|
|
2020-02-08 18:36:09 +00:00
|
|
|
static int make_pipe_to_askpass(const char *msg)
|
|
|
|
{
|
|
|
|
int pipefds[2];
|
|
|
|
|
|
|
|
setup_sigchld_handler();
|
|
|
|
|
|
|
|
if (pipe(pipefds) < 0)
|
|
|
|
return -1;
|
|
|
|
|
|
|
|
pid_t pid = fork();
|
|
|
|
if (pid < 0) {
|
|
|
|
close(pipefds[0]);
|
|
|
|
close(pipefds[1]);
|
|
|
|
return -1;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (pid == 0) {
|
|
|
|
const char *args[5] = {
|
|
|
|
progname, "--gui-prompt", "--askpass", msg, NULL
|
|
|
|
};
|
|
|
|
|
|
|
|
dup2(pipefds[1], 1);
|
|
|
|
cloexec(pipefds[0]);
|
|
|
|
cloexec(pipefds[1]);
|
|
|
|
|
|
|
|
/*
|
|
|
|
* See comment in fork_and_exec_self() in gtkmain.c.
|
|
|
|
*/
|
|
|
|
execv("/proc/self/exe", (char **)args);
|
|
|
|
execvp(progname, (char **)args);
|
|
|
|
perror("exec");
|
|
|
|
_exit(127);
|
|
|
|
}
|
|
|
|
|
|
|
|
close(pipefds[1]);
|
|
|
|
return pipefds[0];
|
|
|
|
}
|
|
|
|
|
2020-01-20 21:22:33 +00:00
|
|
|
static bool uxpgnt_ask_passphrase(
|
2021-04-02 09:49:18 +00:00
|
|
|
PageantListenerClient *plc, PageantClientDialogId *dlgid,
|
|
|
|
const char *comment)
|
2020-01-20 21:22:33 +00:00
|
|
|
{
|
2020-02-02 16:43:58 +00:00
|
|
|
struct uxpgnt_client *upc = container_of(plc, struct uxpgnt_client, plc);
|
|
|
|
|
2020-02-08 18:36:09 +00:00
|
|
|
assert(!upc->dlgid); /* Pageant core should be serialising requests */
|
|
|
|
|
2021-04-02 09:49:18 +00:00
|
|
|
char *msg = dupprintf(
|
|
|
|
"A client of Pageant wants to use the following encrypted key:\n"
|
|
|
|
"%s\n"
|
|
|
|
"If you intended this, enter the passphrase to decrypt the key.",
|
|
|
|
comment);
|
|
|
|
|
2020-02-08 18:36:09 +00:00
|
|
|
switch (upc->prompt_type) {
|
|
|
|
case RTPROMPT_UNAVAILABLE:
|
2021-04-02 09:49:18 +00:00
|
|
|
sfree(msg);
|
2020-02-02 16:43:58 +00:00
|
|
|
return false;
|
|
|
|
|
2020-02-08 18:36:09 +00:00
|
|
|
case RTPROMPT_GUI:
|
|
|
|
upc->passphrase_fd = make_pipe_to_askpass(msg);
|
2021-04-02 09:49:18 +00:00
|
|
|
sfree(msg);
|
2020-02-08 18:36:09 +00:00
|
|
|
if (upc->passphrase_fd < 0)
|
|
|
|
return false; /* something went wrong */
|
|
|
|
break;
|
2020-02-02 16:43:58 +00:00
|
|
|
|
2020-02-08 18:36:09 +00:00
|
|
|
case RTPROMPT_DEBUG:
|
|
|
|
fprintf(upc->logfp, "pageant passphrase request: %s\n", msg);
|
2021-04-02 09:49:18 +00:00
|
|
|
sfree(msg);
|
2020-02-08 18:36:09 +00:00
|
|
|
break;
|
|
|
|
}
|
|
|
|
|
|
|
|
upc->prompt_active = true;
|
2020-02-02 16:43:58 +00:00
|
|
|
upc->dlgid = dlgid;
|
|
|
|
return true;
|
|
|
|
}
|
|
|
|
|
|
|
|
static void passphrase_done(struct uxpgnt_client *upc, bool success)
|
|
|
|
{
|
2020-02-08 18:36:09 +00:00
|
|
|
PageantClientDialogId *dlgid = upc->dlgid;
|
|
|
|
upc->dlgid = NULL;
|
|
|
|
upc->prompt_active = false;
|
|
|
|
|
|
|
|
if (upc->logfp)
|
|
|
|
fprintf(upc->logfp, "pageant passphrase response: %s\n",
|
|
|
|
success ? "success" : "failure");
|
2020-02-02 16:43:58 +00:00
|
|
|
|
|
|
|
if (success)
|
|
|
|
pageant_passphrase_request_success(
|
2020-02-08 18:36:09 +00:00
|
|
|
dlgid, ptrlen_from_strbuf(upc->prompt_buf));
|
2020-02-02 16:43:58 +00:00
|
|
|
else
|
2020-02-08 18:36:09 +00:00
|
|
|
pageant_passphrase_request_refused(dlgid);
|
2020-02-02 16:43:58 +00:00
|
|
|
|
2020-02-08 18:36:09 +00:00
|
|
|
strbuf_free(upc->prompt_buf);
|
|
|
|
upc->prompt_buf = strbuf_new_nm();
|
2020-01-20 21:22:33 +00:00
|
|
|
}
|
|
|
|
|
2020-01-29 06:22:01 +00:00
|
|
|
static const PageantListenerClientVtable uxpgnt_vtable = {
|
Change vtable defs to use C99 designated initialisers.
This is a sweeping change applied across the whole code base by a spot
of Emacs Lisp. Now, everywhere I declare a vtable filled with function
pointers (and the occasional const data member), all the members of
the vtable structure are initialised by name using the '.fieldname =
value' syntax introduced in C99.
We were already using this syntax for a handful of things in the new
key-generation progress report system, so it's not new to the code
base as a whole.
The advantage is that now, when a vtable only declares a subset of the
available fields, I can initialise the rest to NULL or zero just by
leaving them out. This is most dramatic in a couple of the outlying
vtables in things like psocks (which has a ConnectionLayerVtable
containing only one non-NULL method), but less dramatically, it means
that the new 'flags' field in BackendVtable can be completely left out
of every backend definition except for the SUPDUP one which defines it
to a nonzero value. Similarly, the test_for_upstream method only used
by SSH doesn't have to be mentioned in the rest of the backends;
network Plugs for listening sockets don't have to explicitly null out
'receive' and 'sent', and vice versa for 'accepting', and so on.
While I'm at it, I've normalised the declarations so they don't use
the unnecessarily verbose 'struct' keyword. Also a handful of them
weren't const; now they are.
2020-03-10 21:06:29 +00:00
|
|
|
.log = uxpgnt_log,
|
|
|
|
.ask_passphrase = uxpgnt_ask_passphrase,
|
Pageant: new asynchronous internal APIs.
This is a pure refactoring: no functional change expected.
This commit introduces two new small vtable-style APIs. One is
PageantClient, which identifies a particular client of the Pageant
'core' (meaning the code that handles each individual request). This
changes pageant_handle_msg into an asynchronous operation: you pass in
an agent request message and an identifier, and at some later point,
the got_response method in your PageantClient will be called with the
answer (and the same identifier, to allow you to match requests to
responses). The trait vtable also contains a logging system.
The main importance of PageantClient, and the reason why it has to
exist instead of just passing pageant_handle_msg a bare callback
function pointer and context parameter, is that it provides robustness
if a client stops existing while a request is still pending. You call
pageant_unregister_client, and any unfinished requests associated with
that client in the Pageant core will be cleaned up, so that you're
guaranteed that after the unregister operation, no stray callbacks
will happen with a stale pointer to that client.
The WM_COPYDATA interface of Windows Pageant is a direct client of
this API. The other client is PageantListener, the system that lives
in pageant.c and handles stream-based agent connections for both Unix
Pageant and the new Windows named-pipe IPC. More specifically, each
individual connection to the listening socket is a separate
PageantClient, which means that if a socket is closed abruptly or
suffers an OS error, that client can be unregistered and any pending
requests cancelled without disrupting other connections.
Users of PageantListener have a second client vtable they can use,
called PageantListenerClient. That contains _only_ logging facilities,
and at the moment, only Unix Pageant bothers to use it (and even that
only in debugging mode).
Finally, internally to the Pageant core, there's a new trait called
PageantAsyncOp which describes an agent request in the process of
being handled. But at the moment, it has only one trivial
implementation, which is handed the full response message already
constructed, and on the next toplevel callback, passes it back to the
PageantClient.
2020-01-25 17:24:28 +00:00
|
|
|
};
|
|
|
|
|
2015-05-05 19:16:23 +00:00
|
|
|
/*
|
|
|
|
* More stubs.
|
|
|
|
*/
|
|
|
|
void random_save_seed(void) {}
|
|
|
|
void random_destroy_seed(void) {}
|
|
|
|
char *platform_default_s(const char *name) { return NULL; }
|
2018-10-29 19:57:31 +00:00
|
|
|
bool platform_default_b(const char *name, bool def) { return def; }
|
2015-05-05 19:16:23 +00:00
|
|
|
int platform_default_i(const char *name, int def) { return def; }
|
|
|
|
FontSpec *platform_default_fontspec(const char *name) { return fontspec_new(""); }
|
|
|
|
Filename *platform_default_filename(const char *name) { return filename_from_str(""); }
|
|
|
|
char *x_get_default(const char *key) { return NULL; }
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Short description of parameters.
|
|
|
|
*/
|
|
|
|
static void usage(void)
|
|
|
|
{
|
|
|
|
printf("Pageant: SSH agent\n");
|
|
|
|
printf("%s\n", ver);
|
2021-04-05 17:35:38 +00:00
|
|
|
printf("Usage: pageant <lifetime> [[--encrypted] key files]\n");
|
|
|
|
printf(" pageant [[--encrypted] key files] --exec <command> [args]\n");
|
|
|
|
printf(" pageant -a [--encrypted] [key files]\n");
|
2015-05-19 17:24:04 +00:00
|
|
|
printf(" pageant -d [key identifiers]\n");
|
2021-04-05 17:35:38 +00:00
|
|
|
printf(" pageant -D\n");
|
|
|
|
printf(" pageant -r [key identifiers]\n");
|
|
|
|
printf(" pageant -R\n");
|
2015-05-19 17:24:04 +00:00
|
|
|
printf(" pageant --public [key identifiers]\n");
|
2018-06-03 14:38:57 +00:00
|
|
|
printf(" pageant ( --public-openssh | -L ) [key identifiers]\n");
|
2021-04-05 17:35:38 +00:00
|
|
|
printf(" pageant -l [-E fptype]\n");
|
2015-05-19 17:24:04 +00:00
|
|
|
printf("Lifetime options, for running Pageant as an agent:\n");
|
|
|
|
printf(" -X run with the lifetime of the X server\n");
|
|
|
|
printf(" -T run with the lifetime of the controlling tty\n");
|
|
|
|
printf(" --permanent run permanently\n");
|
|
|
|
printf(" --debug run in debugging mode, without forking\n");
|
|
|
|
printf(" --exec <command> run with the lifetime of that command\n");
|
|
|
|
printf("Client options, for talking to an existing agent:\n");
|
|
|
|
printf(" -a add key(s) to the existing agent\n");
|
|
|
|
printf(" -l list currently loaded key fingerprints and comments\n");
|
|
|
|
printf(" --public print public keys in RFC 4716 format\n");
|
2018-06-03 14:38:57 +00:00
|
|
|
printf(" --public-openssh, -L print public keys in OpenSSH format\n");
|
2015-05-19 17:24:04 +00:00
|
|
|
printf(" -d delete key(s) from the agent\n");
|
|
|
|
printf(" -D delete all keys from the agent\n");
|
2021-04-05 17:35:38 +00:00
|
|
|
printf(" -r re-encrypt keys in the agent (forget cleartext\n");
|
|
|
|
printf(" -R re-encrypt all possible keys in the agent\n");
|
2015-05-19 17:24:04 +00:00
|
|
|
printf("Other options:\n");
|
|
|
|
printf(" -v verbose mode (in agent mode)\n");
|
2017-02-11 22:12:33 +00:00
|
|
|
printf(" -s -c force POSIX or C shell syntax (in agent mode)\n");
|
2021-04-19 14:40:35 +00:00
|
|
|
printf(" --symlink path create symlink to socket (in agent mode)\n");
|
2021-04-05 17:35:38 +00:00
|
|
|
printf(" --encrypted when adding keys, don't decrypt\n");
|
|
|
|
printf(" -E alg, --fptype alg fingerprint type for -l (sha256, md5)\n");
|
2021-04-05 11:47:38 +00:00
|
|
|
printf(" --tty-prompt force tty-based passphrase prompt\n");
|
|
|
|
printf(" --gui-prompt force GUI-based passphrase prompt\n");
|
2018-05-14 07:08:34 +00:00
|
|
|
printf(" --askpass <prompt> behave like a standalone askpass program\n");
|
2015-05-05 19:16:23 +00:00
|
|
|
exit(1);
|
|
|
|
}
|
|
|
|
|
|
|
|
static void version(void)
|
|
|
|
{
|
2017-01-21 14:55:53 +00:00
|
|
|
char *buildinfo_text = buildinfo("\n");
|
|
|
|
printf("pageant: %s\n%s\n", ver, buildinfo_text);
|
|
|
|
sfree(buildinfo_text);
|
2017-02-15 19:50:14 +00:00
|
|
|
exit(0);
|
2015-05-05 19:16:23 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
void keylist_update(void)
|
|
|
|
{
|
|
|
|
/* Nothing needs doing in Unix Pageant */
|
|
|
|
}
|
|
|
|
|
|
|
|
#define PAGEANT_DIR_PREFIX "/tmp/pageant"
|
|
|
|
|
|
|
|
const char *const appname = "Pageant";
|
|
|
|
|
Convert a lot of 'int' variables to 'bool'.
My normal habit these days, in new code, is to treat int and bool as
_almost_ completely separate types. I'm still willing to use C's
implicit test for zero on an integer (e.g. 'if (!blob.len)' is fine,
no need to spell it out as blob.len != 0), but generally, if a
variable is going to be conceptually a boolean, I like to declare it
bool and assign to it using 'true' or 'false' rather than 0 or 1.
PuTTY is an exception, because it predates the C99 bool, and I've
stuck to its existing coding style even when adding new code to it.
But it's been annoying me more and more, so now that I've decided C99
bool is an acceptable thing to require from our toolchain in the first
place, here's a quite thorough trawl through the source doing
'boolification'. Many variables and function parameters are now typed
as bool rather than int; many assignments of 0 or 1 to those variables
are now spelled 'true' or 'false'.
I managed this thorough conversion with the help of a custom clang
plugin that I wrote to trawl the AST and apply heuristics to point out
where things might want changing. So I've even managed to do a decent
job on parts of the code I haven't looked at in years!
To make the plugin's work easier, I pushed platform front ends
generally in the direction of using standard 'bool' in preference to
platform-specific boolean types like Windows BOOL or GTK's gboolean;
I've left the platform booleans in places they _have_ to be for the
platform APIs to work right, but variables only used by my own code
have been converted wherever I found them.
In a few places there are int values that look very like booleans in
_most_ of the places they're used, but have a rarely-used third value,
or a distinction between different nonzero values that most users
don't care about. In these cases, I've _removed_ uses of 'true' and
'false' for the return values, to emphasise that there's something
more subtle going on than a simple boolean answer:
- the 'multisel' field in dialog.h's list box structure, for which
the GTK front end in particular recognises a difference between 1
and 2 but nearly everything else treats as boolean
- the 'urgent' parameter to plug_receive, where 1 vs 2 tells you
something about the specific location of the urgent pointer, but
most clients only care about 0 vs 'something nonzero'
- the return value of wc_match, where -1 indicates a syntax error in
the wildcard.
- the return values from SSH-1 RSA-key loading functions, which use
-1 for 'wrong passphrase' and 0 for all other failures (so any
caller which already knows it's not loading an _encrypted private_
key can treat them as boolean)
- term->esc_query, and the 'query' parameter in toggle_mode in
terminal.c, which _usually_ hold 0 for ESC[123h or 1 for ESC[?123h,
but can also hold -1 for some other intervening character that we
don't support.
In a few places there's an integer that I haven't turned into a bool
even though it really _can_ only take values 0 or 1 (and, as above,
tried to make the call sites consistent in not calling those values
true and false), on the grounds that I thought it would make it more
confusing to imply that the 0 value was in some sense 'negative' or
bad and the 1 positive or good:
- the return value of plug_accepting uses the POSIXish convention of
0=success and nonzero=error; I think if I made it bool then I'd
also want to reverse its sense, and that's a job for a separate
piece of work.
- the 'screen' parameter to lineptr() in terminal.c, where 0 and 1
represent the default and alternate screens. There's no obvious
reason why one of those should be considered 'true' or 'positive'
or 'success' - they're just indices - so I've left it as int.
ssh_scp_recv had particularly confusing semantics for its previous int
return value: its call sites used '<= 0' to check for error, but it
never actually returned a negative number, just 0 or 1. Now the
function and its call sites agree that it's a bool.
In a couple of places I've renamed variables called 'ret', because I
don't like that name any more - it's unclear whether it means the
return value (in preparation) for the _containing_ function or the
return value received from a subroutine call, and occasionally I've
accidentally used the same variable for both and introduced a bug. So
where one of those got in my way, I've renamed it to 'toret' or 'retd'
(the latter short for 'returned') in line with my usual modern
practice, but I haven't done a thorough job of finding all of them.
Finally, one amusing side effect of doing this is that I've had to
separate quite a few chained assignments. It used to be perfectly fine
to write 'a = b = c = TRUE' when a,b,c were int and TRUE was just a
the 'true' defined by stdbool.h, that idiom provokes a warning from
gcc: 'suggest parentheses around assignment used as truth value'!
2018-11-02 19:23:19 +00:00
|
|
|
static bool time_to_die = false;
|
2015-05-07 18:04:25 +00:00
|
|
|
|
|
|
|
/*
|
|
|
|
* These functions are part of the plug for our connection to the X
|
|
|
|
* display, so they do get called. They needn't actually do anything,
|
|
|
|
* except that x11_closing has to signal back to the main loop that
|
|
|
|
* it's time to terminate.
|
|
|
|
*/
|
2020-02-07 19:17:45 +00:00
|
|
|
static void x11_log(Plug *p, PlugLogType type, SockAddr *addr, int port,
|
2019-09-08 19:29:00 +00:00
|
|
|
const char *error_msg, int error_code) {}
|
2019-02-06 20:42:44 +00:00
|
|
|
static void x11_receive(Plug *plug, int urgent, const char *data, size_t len) {}
|
|
|
|
static void x11_sent(Plug *plug, size_t bufsize) {}
|
Get rid of lots of implicit pointer types.
All the main backend structures - Ssh, Telnet, Pty, Serial etc - now
describe structure types themselves rather than pointers to them. The
same goes for the codebase-wide trait types Socket and Plug, and the
supporting types SockAddr and Pinger.
All those things that were typedefed as pointers are older types; the
newer ones have the explicit * at the point of use, because that's
what I now seem to be preferring. But whichever one of those is
better, inconsistently using a mixture of the two styles is worse, so
let's make everything consistent.
A few types are still implicitly pointers, such as Bignum and some of
the GSSAPI types; generally this is either because they have to be
void *, or because they're typedefed differently on different
platforms and aren't always pointers at all. Can't be helped. But I've
got rid of the main ones, at least.
2018-10-04 18:10:23 +00:00
|
|
|
static void x11_closing(Plug *plug, const char *error_msg, int error_code,
|
2019-09-08 19:29:00 +00:00
|
|
|
bool calling_back)
|
2015-05-07 18:04:25 +00:00
|
|
|
{
|
2018-10-29 19:50:29 +00:00
|
|
|
time_to_die = true;
|
2015-05-07 18:04:25 +00:00
|
|
|
}
|
2015-05-05 19:16:23 +00:00
|
|
|
struct X11Connection {
|
2018-10-05 06:24:16 +00:00
|
|
|
Plug plug;
|
2015-05-05 19:16:23 +00:00
|
|
|
};
|
|
|
|
|
2020-02-02 10:00:43 +00:00
|
|
|
static char *socketname;
|
2016-03-25 16:43:59 +00:00
|
|
|
static enum { SHELL_AUTO, SHELL_SH, SHELL_CSH } shell_type = SHELL_AUTO;
|
2015-05-05 19:16:23 +00:00
|
|
|
void pageant_print_env(int pid)
|
|
|
|
{
|
2016-03-25 16:43:59 +00:00
|
|
|
if (shell_type == SHELL_AUTO) {
|
|
|
|
/* Same policy as OpenSSH: if $SHELL ends in "csh" then assume
|
|
|
|
* it's csh-shaped. */
|
|
|
|
const char *shell = getenv("SHELL");
|
|
|
|
if (shell && strlen(shell) >= 3 &&
|
|
|
|
!strcmp(shell + strlen(shell) - 3, "csh"))
|
|
|
|
shell_type = SHELL_CSH;
|
|
|
|
else
|
|
|
|
shell_type = SHELL_SH;
|
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* These shell snippets could usefully pay some attention to
|
|
|
|
* escaping of interesting characters. I don't think it causes a
|
|
|
|
* problem at the moment, because the pathnames we use are so
|
|
|
|
* utterly boring, but it's a lurking bug waiting to happen once
|
|
|
|
* a bit more flexibility turns up.
|
|
|
|
*/
|
|
|
|
|
|
|
|
switch (shell_type) {
|
|
|
|
case SHELL_SH:
|
|
|
|
printf("SSH_AUTH_SOCK=%s; export SSH_AUTH_SOCK;\n"
|
|
|
|
"SSH_AGENT_PID=%d; export SSH_AGENT_PID;\n",
|
|
|
|
socketname, pid);
|
|
|
|
break;
|
|
|
|
case SHELL_CSH:
|
|
|
|
printf("setenv SSH_AUTH_SOCK %s;\n"
|
|
|
|
"setenv SSH_AGENT_PID %d;\n",
|
|
|
|
socketname, pid);
|
|
|
|
break;
|
|
|
|
case SHELL_AUTO:
|
2019-01-03 08:12:19 +00:00
|
|
|
unreachable("SHELL_AUTO should have been eliminated by now");
|
2016-03-25 16:43:59 +00:00
|
|
|
break;
|
|
|
|
}
|
2015-05-05 19:16:23 +00:00
|
|
|
}
|
|
|
|
|
Convert a lot of 'int' variables to 'bool'.
My normal habit these days, in new code, is to treat int and bool as
_almost_ completely separate types. I'm still willing to use C's
implicit test for zero on an integer (e.g. 'if (!blob.len)' is fine,
no need to spell it out as blob.len != 0), but generally, if a
variable is going to be conceptually a boolean, I like to declare it
bool and assign to it using 'true' or 'false' rather than 0 or 1.
PuTTY is an exception, because it predates the C99 bool, and I've
stuck to its existing coding style even when adding new code to it.
But it's been annoying me more and more, so now that I've decided C99
bool is an acceptable thing to require from our toolchain in the first
place, here's a quite thorough trawl through the source doing
'boolification'. Many variables and function parameters are now typed
as bool rather than int; many assignments of 0 or 1 to those variables
are now spelled 'true' or 'false'.
I managed this thorough conversion with the help of a custom clang
plugin that I wrote to trawl the AST and apply heuristics to point out
where things might want changing. So I've even managed to do a decent
job on parts of the code I haven't looked at in years!
To make the plugin's work easier, I pushed platform front ends
generally in the direction of using standard 'bool' in preference to
platform-specific boolean types like Windows BOOL or GTK's gboolean;
I've left the platform booleans in places they _have_ to be for the
platform APIs to work right, but variables only used by my own code
have been converted wherever I found them.
In a few places there are int values that look very like booleans in
_most_ of the places they're used, but have a rarely-used third value,
or a distinction between different nonzero values that most users
don't care about. In these cases, I've _removed_ uses of 'true' and
'false' for the return values, to emphasise that there's something
more subtle going on than a simple boolean answer:
- the 'multisel' field in dialog.h's list box structure, for which
the GTK front end in particular recognises a difference between 1
and 2 but nearly everything else treats as boolean
- the 'urgent' parameter to plug_receive, where 1 vs 2 tells you
something about the specific location of the urgent pointer, but
most clients only care about 0 vs 'something nonzero'
- the return value of wc_match, where -1 indicates a syntax error in
the wildcard.
- the return values from SSH-1 RSA-key loading functions, which use
-1 for 'wrong passphrase' and 0 for all other failures (so any
caller which already knows it's not loading an _encrypted private_
key can treat them as boolean)
- term->esc_query, and the 'query' parameter in toggle_mode in
terminal.c, which _usually_ hold 0 for ESC[123h or 1 for ESC[?123h,
but can also hold -1 for some other intervening character that we
don't support.
In a few places there's an integer that I haven't turned into a bool
even though it really _can_ only take values 0 or 1 (and, as above,
tried to make the call sites consistent in not calling those values
true and false), on the grounds that I thought it would make it more
confusing to imply that the 0 value was in some sense 'negative' or
bad and the 1 positive or good:
- the return value of plug_accepting uses the POSIXish convention of
0=success and nonzero=error; I think if I made it bool then I'd
also want to reverse its sense, and that's a job for a separate
piece of work.
- the 'screen' parameter to lineptr() in terminal.c, where 0 and 1
represent the default and alternate screens. There's no obvious
reason why one of those should be considered 'true' or 'positive'
or 'success' - they're just indices - so I've left it as int.
ssh_scp_recv had particularly confusing semantics for its previous int
return value: its call sites used '<= 0' to check for error, but it
never actually returned a negative number, just 0 or 1. Now the
function and its call sites agree that it's a bool.
In a couple of places I've renamed variables called 'ret', because I
don't like that name any more - it's unclear whether it means the
return value (in preparation) for the _containing_ function or the
return value received from a subroutine call, and occasionally I've
accidentally used the same variable for both and introduced a bug. So
where one of those got in my way, I've renamed it to 'toret' or 'retd'
(the latter short for 'returned') in line with my usual modern
practice, but I haven't done a thorough job of finding all of them.
Finally, one amusing side effect of doing this is that I've had to
separate quite a few chained assignments. It used to be perfectly fine
to write 'a = b = c = TRUE' when a,b,c were int and TRUE was just a
the 'true' defined by stdbool.h, that idiom provokes a warning from
gcc: 'suggest parentheses around assignment used as truth value'!
2018-11-02 19:23:19 +00:00
|
|
|
void pageant_fork_and_print_env(bool retain_tty)
|
2015-05-05 19:16:23 +00:00
|
|
|
{
|
|
|
|
pid_t pid = fork();
|
|
|
|
if (pid == -1) {
|
|
|
|
perror("fork");
|
|
|
|
exit(1);
|
|
|
|
} else if (pid != 0) {
|
|
|
|
pageant_print_env(pid);
|
|
|
|
exit(0);
|
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Having forked off, we now daemonise ourselves as best we can.
|
|
|
|
* It's good practice in general to setsid() ourself out of any
|
|
|
|
* process group we didn't want to be part of, and to chdir("/")
|
|
|
|
* to avoid holding any directories open that we don't need in
|
|
|
|
* case someone wants to umount them; also, we should definitely
|
|
|
|
* close standard output (because it will very likely be pointing
|
|
|
|
* at a pipe from which some parent process is trying to read our
|
|
|
|
* environment variable dump, so if we hold open another copy of
|
|
|
|
* it then that process will never finish reading). We close
|
|
|
|
* standard input too on general principles, but not standard
|
|
|
|
* error, since we might need to shout a panicky error message
|
|
|
|
* down that one.
|
|
|
|
*/
|
|
|
|
if (chdir("/") < 0) {
|
|
|
|
/* should there be an error condition, nothing we can do about
|
|
|
|
* it anyway */
|
|
|
|
}
|
|
|
|
close(0);
|
|
|
|
close(1);
|
Unix Pageant: -T option, tying lifetime to controlling tty.
This is intended to be a useful mode when you want to run an ssh agent
in a terminal session with no X11 available. You just execute a
command along the lines of eval $(pageant -T), and then Pageant will
run in the background for the rest of that terminal session - and when
the terminal session ends, so that Pageant loses its controlling tty,
it will take that as the signal to shut down. So, no need to manually
kill it, and unlike 'pageant --exec $SHELL', you can also do this half
way through a session if you don't realise until later that you need
an SSH agent, without losing any shell command history or other shell
context that you've accumulated so far in the session.
Unfortunately, I haven't been able to find any reliable way to
actually implement this -T mode, short of having Pageant wake up at
regular intervals and try to open /dev/tty to see if it's still there.
I had hoped that I could arrange to reliably get SIGHUP, or select on
/dev/tty for exceptional conditions, or some such, but nothing I've
tried along those lines seems to work.
2015-05-08 18:50:48 +00:00
|
|
|
if (retain_tty) {
|
|
|
|
/* Get out of our previous process group, to avoid being
|
|
|
|
* blasted by passing signals. But keep our controlling tty,
|
|
|
|
* so we can keep checking to see if we still have one. */
|
|
|
|
setpgrp();
|
|
|
|
} else {
|
|
|
|
/* Do that, but also leave our entire session and detach from
|
|
|
|
* the controlling tty (if any). */
|
|
|
|
setsid();
|
|
|
|
}
|
2015-05-05 19:16:23 +00:00
|
|
|
}
|
|
|
|
|
2020-02-08 18:35:37 +00:00
|
|
|
static int signalpipe[2] = { -1, -1 };
|
2015-05-05 19:16:23 +00:00
|
|
|
|
2020-02-08 18:35:37 +00:00
|
|
|
static void sigchld(int signum)
|
2015-05-05 19:16:23 +00:00
|
|
|
{
|
|
|
|
if (write(signalpipe[1], "x", 1) <= 0)
|
|
|
|
/* not much we can do about it */;
|
|
|
|
}
|
|
|
|
|
2020-02-08 18:35:37 +00:00
|
|
|
static void setup_sigchld_handler(void)
|
|
|
|
{
|
|
|
|
if (signalpipe[0] >= 0)
|
|
|
|
return;
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Set up the pipe we'll use to tell us about SIGCHLD.
|
|
|
|
*/
|
|
|
|
if (pipe(signalpipe) < 0) {
|
|
|
|
perror("pipe");
|
|
|
|
exit(1);
|
|
|
|
}
|
|
|
|
putty_signal(SIGCHLD, sigchld);
|
|
|
|
}
|
|
|
|
|
Unix Pageant: -T option, tying lifetime to controlling tty.
This is intended to be a useful mode when you want to run an ssh agent
in a terminal session with no X11 available. You just execute a
command along the lines of eval $(pageant -T), and then Pageant will
run in the background for the rest of that terminal session - and when
the terminal session ends, so that Pageant loses its controlling tty,
it will take that as the signal to shut down. So, no need to manually
kill it, and unlike 'pageant --exec $SHELL', you can also do this half
way through a session if you don't realise until later that you need
an SSH agent, without losing any shell command history or other shell
context that you've accumulated so far in the session.
Unfortunately, I haven't been able to find any reliable way to
actually implement this -T mode, short of having Pageant wake up at
regular intervals and try to open /dev/tty to see if it's still there.
I had hoped that I could arrange to reliably get SIGHUP, or select on
/dev/tty for exceptional conditions, or some such, but nothing I've
tried along those lines seems to work.
2015-05-08 18:50:48 +00:00
|
|
|
#define TTY_LIFE_POLL_INTERVAL (TICKSPERSEC * 30)
|
2020-02-02 10:00:43 +00:00
|
|
|
static void *dummy_timer_ctx;
|
Unix Pageant: -T option, tying lifetime to controlling tty.
This is intended to be a useful mode when you want to run an ssh agent
in a terminal session with no X11 available. You just execute a
command along the lines of eval $(pageant -T), and then Pageant will
run in the background for the rest of that terminal session - and when
the terminal session ends, so that Pageant loses its controlling tty,
it will take that as the signal to shut down. So, no need to manually
kill it, and unlike 'pageant --exec $SHELL', you can also do this half
way through a session if you don't realise until later that you need
an SSH agent, without losing any shell command history or other shell
context that you've accumulated so far in the session.
Unfortunately, I haven't been able to find any reliable way to
actually implement this -T mode, short of having Pageant wake up at
regular intervals and try to open /dev/tty to see if it's still there.
I had hoped that I could arrange to reliably get SIGHUP, or select on
/dev/tty for exceptional conditions, or some such, but nothing I've
tried along those lines seems to work.
2015-05-08 18:50:48 +00:00
|
|
|
static void tty_life_timer(void *ctx, unsigned long now)
|
|
|
|
{
|
|
|
|
schedule_timer(TTY_LIFE_POLL_INTERVAL, tty_life_timer, &dummy_timer_ctx);
|
|
|
|
}
|
|
|
|
|
2015-05-11 16:56:37 +00:00
|
|
|
typedef enum {
|
|
|
|
KEYACT_AGENT_LOAD,
|
2020-02-08 17:28:46 +00:00
|
|
|
KEYACT_AGENT_LOAD_ENCRYPTED,
|
|
|
|
KEYACT_CLIENT_BASE,
|
|
|
|
KEYACT_CLIENT_ADD = KEYACT_CLIENT_BASE,
|
|
|
|
KEYACT_CLIENT_ADD_ENCRYPTED,
|
2015-05-11 16:56:37 +00:00
|
|
|
KEYACT_CLIENT_DEL,
|
|
|
|
KEYACT_CLIENT_DEL_ALL,
|
|
|
|
KEYACT_CLIENT_LIST,
|
2015-05-12 13:48:32 +00:00
|
|
|
KEYACT_CLIENT_PUBLIC_OPENSSH,
|
2020-02-09 21:56:21 +00:00
|
|
|
KEYACT_CLIENT_PUBLIC,
|
|
|
|
KEYACT_CLIENT_SIGN,
|
2020-02-15 16:40:19 +00:00
|
|
|
KEYACT_CLIENT_REENCRYPT,
|
|
|
|
KEYACT_CLIENT_REENCRYPT_ALL,
|
2015-05-11 16:56:37 +00:00
|
|
|
} keyact;
|
|
|
|
struct cmdline_key_action {
|
|
|
|
struct cmdline_key_action *next;
|
|
|
|
keyact action;
|
|
|
|
const char *filename;
|
|
|
|
};
|
|
|
|
|
Convert a lot of 'int' variables to 'bool'.
My normal habit these days, in new code, is to treat int and bool as
_almost_ completely separate types. I'm still willing to use C's
implicit test for zero on an integer (e.g. 'if (!blob.len)' is fine,
no need to spell it out as blob.len != 0), but generally, if a
variable is going to be conceptually a boolean, I like to declare it
bool and assign to it using 'true' or 'false' rather than 0 or 1.
PuTTY is an exception, because it predates the C99 bool, and I've
stuck to its existing coding style even when adding new code to it.
But it's been annoying me more and more, so now that I've decided C99
bool is an acceptable thing to require from our toolchain in the first
place, here's a quite thorough trawl through the source doing
'boolification'. Many variables and function parameters are now typed
as bool rather than int; many assignments of 0 or 1 to those variables
are now spelled 'true' or 'false'.
I managed this thorough conversion with the help of a custom clang
plugin that I wrote to trawl the AST and apply heuristics to point out
where things might want changing. So I've even managed to do a decent
job on parts of the code I haven't looked at in years!
To make the plugin's work easier, I pushed platform front ends
generally in the direction of using standard 'bool' in preference to
platform-specific boolean types like Windows BOOL or GTK's gboolean;
I've left the platform booleans in places they _have_ to be for the
platform APIs to work right, but variables only used by my own code
have been converted wherever I found them.
In a few places there are int values that look very like booleans in
_most_ of the places they're used, but have a rarely-used third value,
or a distinction between different nonzero values that most users
don't care about. In these cases, I've _removed_ uses of 'true' and
'false' for the return values, to emphasise that there's something
more subtle going on than a simple boolean answer:
- the 'multisel' field in dialog.h's list box structure, for which
the GTK front end in particular recognises a difference between 1
and 2 but nearly everything else treats as boolean
- the 'urgent' parameter to plug_receive, where 1 vs 2 tells you
something about the specific location of the urgent pointer, but
most clients only care about 0 vs 'something nonzero'
- the return value of wc_match, where -1 indicates a syntax error in
the wildcard.
- the return values from SSH-1 RSA-key loading functions, which use
-1 for 'wrong passphrase' and 0 for all other failures (so any
caller which already knows it's not loading an _encrypted private_
key can treat them as boolean)
- term->esc_query, and the 'query' parameter in toggle_mode in
terminal.c, which _usually_ hold 0 for ESC[123h or 1 for ESC[?123h,
but can also hold -1 for some other intervening character that we
don't support.
In a few places there's an integer that I haven't turned into a bool
even though it really _can_ only take values 0 or 1 (and, as above,
tried to make the call sites consistent in not calling those values
true and false), on the grounds that I thought it would make it more
confusing to imply that the 0 value was in some sense 'negative' or
bad and the 1 positive or good:
- the return value of plug_accepting uses the POSIXish convention of
0=success and nonzero=error; I think if I made it bool then I'd
also want to reverse its sense, and that's a job for a separate
piece of work.
- the 'screen' parameter to lineptr() in terminal.c, where 0 and 1
represent the default and alternate screens. There's no obvious
reason why one of those should be considered 'true' or 'positive'
or 'success' - they're just indices - so I've left it as int.
ssh_scp_recv had particularly confusing semantics for its previous int
return value: its call sites used '<= 0' to check for error, but it
never actually returned a negative number, just 0 or 1. Now the
function and its call sites agree that it's a bool.
In a couple of places I've renamed variables called 'ret', because I
don't like that name any more - it's unclear whether it means the
return value (in preparation) for the _containing_ function or the
return value received from a subroutine call, and occasionally I've
accidentally used the same variable for both and introduced a bug. So
where one of those got in my way, I've renamed it to 'toret' or 'retd'
(the latter short for 'returned') in line with my usual modern
practice, but I haven't done a thorough job of finding all of them.
Finally, one amusing side effect of doing this is that I've had to
separate quite a few chained assignments. It used to be perfectly fine
to write 'a = b = c = TRUE' when a,b,c were int and TRUE was just a
the 'true' defined by stdbool.h, that idiom provokes a warning from
gcc: 'suggest parentheses around assignment used as truth value'!
2018-11-02 19:23:19 +00:00
|
|
|
bool is_agent_action(keyact action)
|
2015-05-11 16:56:37 +00:00
|
|
|
{
|
2020-02-08 17:28:46 +00:00
|
|
|
return action < KEYACT_CLIENT_BASE;
|
2015-05-11 16:56:37 +00:00
|
|
|
}
|
|
|
|
|
2020-02-02 10:00:43 +00:00
|
|
|
static struct cmdline_key_action *keyact_head = NULL, *keyact_tail = NULL;
|
2020-02-09 21:56:21 +00:00
|
|
|
static uint32_t sign_flags = 0;
|
2015-05-11 16:56:37 +00:00
|
|
|
|
|
|
|
void add_keyact(keyact action, const char *filename)
|
|
|
|
{
|
|
|
|
struct cmdline_key_action *a = snew(struct cmdline_key_action);
|
|
|
|
a->action = action;
|
|
|
|
a->filename = filename;
|
|
|
|
a->next = NULL;
|
|
|
|
if (keyact_tail)
|
|
|
|
keyact_tail->next = a;
|
|
|
|
else
|
|
|
|
keyact_head = a;
|
|
|
|
keyact_tail = a;
|
|
|
|
}
|
|
|
|
|
Convert a lot of 'int' variables to 'bool'.
My normal habit these days, in new code, is to treat int and bool as
_almost_ completely separate types. I'm still willing to use C's
implicit test for zero on an integer (e.g. 'if (!blob.len)' is fine,
no need to spell it out as blob.len != 0), but generally, if a
variable is going to be conceptually a boolean, I like to declare it
bool and assign to it using 'true' or 'false' rather than 0 or 1.
PuTTY is an exception, because it predates the C99 bool, and I've
stuck to its existing coding style even when adding new code to it.
But it's been annoying me more and more, so now that I've decided C99
bool is an acceptable thing to require from our toolchain in the first
place, here's a quite thorough trawl through the source doing
'boolification'. Many variables and function parameters are now typed
as bool rather than int; many assignments of 0 or 1 to those variables
are now spelled 'true' or 'false'.
I managed this thorough conversion with the help of a custom clang
plugin that I wrote to trawl the AST and apply heuristics to point out
where things might want changing. So I've even managed to do a decent
job on parts of the code I haven't looked at in years!
To make the plugin's work easier, I pushed platform front ends
generally in the direction of using standard 'bool' in preference to
platform-specific boolean types like Windows BOOL or GTK's gboolean;
I've left the platform booleans in places they _have_ to be for the
platform APIs to work right, but variables only used by my own code
have been converted wherever I found them.
In a few places there are int values that look very like booleans in
_most_ of the places they're used, but have a rarely-used third value,
or a distinction between different nonzero values that most users
don't care about. In these cases, I've _removed_ uses of 'true' and
'false' for the return values, to emphasise that there's something
more subtle going on than a simple boolean answer:
- the 'multisel' field in dialog.h's list box structure, for which
the GTK front end in particular recognises a difference between 1
and 2 but nearly everything else treats as boolean
- the 'urgent' parameter to plug_receive, where 1 vs 2 tells you
something about the specific location of the urgent pointer, but
most clients only care about 0 vs 'something nonzero'
- the return value of wc_match, where -1 indicates a syntax error in
the wildcard.
- the return values from SSH-1 RSA-key loading functions, which use
-1 for 'wrong passphrase' and 0 for all other failures (so any
caller which already knows it's not loading an _encrypted private_
key can treat them as boolean)
- term->esc_query, and the 'query' parameter in toggle_mode in
terminal.c, which _usually_ hold 0 for ESC[123h or 1 for ESC[?123h,
but can also hold -1 for some other intervening character that we
don't support.
In a few places there's an integer that I haven't turned into a bool
even though it really _can_ only take values 0 or 1 (and, as above,
tried to make the call sites consistent in not calling those values
true and false), on the grounds that I thought it would make it more
confusing to imply that the 0 value was in some sense 'negative' or
bad and the 1 positive or good:
- the return value of plug_accepting uses the POSIXish convention of
0=success and nonzero=error; I think if I made it bool then I'd
also want to reverse its sense, and that's a job for a separate
piece of work.
- the 'screen' parameter to lineptr() in terminal.c, where 0 and 1
represent the default and alternate screens. There's no obvious
reason why one of those should be considered 'true' or 'positive'
or 'success' - they're just indices - so I've left it as int.
ssh_scp_recv had particularly confusing semantics for its previous int
return value: its call sites used '<= 0' to check for error, but it
never actually returned a negative number, just 0 or 1. Now the
function and its call sites agree that it's a bool.
In a couple of places I've renamed variables called 'ret', because I
don't like that name any more - it's unclear whether it means the
return value (in preparation) for the _containing_ function or the
return value received from a subroutine call, and occasionally I've
accidentally used the same variable for both and introduced a bug. So
where one of those got in my way, I've renamed it to 'toret' or 'retd'
(the latter short for 'returned') in line with my usual modern
practice, but I haven't done a thorough job of finding all of them.
Finally, one amusing side effect of doing this is that I've had to
separate quite a few chained assignments. It used to be perfectly fine
to write 'a = b = c = TRUE' when a,b,c were int and TRUE was just a
the 'true' defined by stdbool.h, that idiom provokes a warning from
gcc: 'suggest parentheses around assignment used as truth value'!
2018-11-02 19:23:19 +00:00
|
|
|
bool have_controlling_tty(void)
|
2015-05-13 12:54:15 +00:00
|
|
|
{
|
|
|
|
int fd = open("/dev/tty", O_RDONLY);
|
|
|
|
if (fd < 0) {
|
|
|
|
if (errno != ENXIO) {
|
|
|
|
perror("/dev/tty: open");
|
|
|
|
exit(1);
|
|
|
|
}
|
2018-10-29 19:50:29 +00:00
|
|
|
return false;
|
2015-05-13 12:54:15 +00:00
|
|
|
} else {
|
|
|
|
close(fd);
|
2018-10-29 19:50:29 +00:00
|
|
|
return true;
|
2015-05-13 12:54:15 +00:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2020-02-02 10:00:43 +00:00
|
|
|
static char **exec_args = NULL;
|
|
|
|
static enum {
|
2015-05-11 16:56:37 +00:00
|
|
|
LIFE_UNSPEC, LIFE_X11, LIFE_TTY, LIFE_DEBUG, LIFE_PERM, LIFE_EXEC
|
|
|
|
} life = LIFE_UNSPEC;
|
2020-02-02 10:00:43 +00:00
|
|
|
static const char *display = NULL;
|
|
|
|
static enum {
|
2018-05-14 06:36:05 +00:00
|
|
|
PROMPT_UNSPEC, PROMPT_TTY, PROMPT_GUI
|
|
|
|
} prompt_type = PROMPT_UNSPEC;
|
2021-03-13 10:27:50 +00:00
|
|
|
static FingerprintType key_list_fptype = SSH_FPTYPE_DEFAULT;
|
2018-05-14 06:36:05 +00:00
|
|
|
|
2018-05-14 07:08:34 +00:00
|
|
|
static char *askpass_tty(const char *prompt)
|
2018-05-14 06:36:05 +00:00
|
|
|
{
|
|
|
|
int ret;
|
New abstraction 'Seat', to pass to backends.
This is a new vtable-based abstraction which is passed to a backend in
place of Frontend, and it implements only the subset of the Frontend
functions needed by a backend. (Many other Frontend functions still
exist, notably the wide range of things called by terminal.c providing
platform-independent operations on the GUI terminal window.)
The purpose of making it a vtable is that this opens up the
possibility of creating a backend as an internal implementation detail
of some other activity, by providing just that one backend with a
custom Seat that implements the methods differently.
For example, this refactoring should make it feasible to directly
implement an SSH proxy type, aka the 'jump host' feature supported by
OpenSSH, aka 'open a secondary SSH session in MAINCHAN_DIRECT_TCP
mode, and then expose the main channel of that as the Socket for the
primary connection'. (Which of course you can already do by spawning
'plink -nc' as a separate proxy process, but this would permit it in
the _same_ process without anything getting confused.)
I've centralised a full set of stub methods in misc.c for the new
abstraction, which allows me to get rid of several annoying stubs in
the previous code. Also, while I'm here, I've moved a lot of
duplicated modalfatalbox() type functions from application main
program files into wincons.c / uxcons.c, which I think saves
duplication overall. (A minor visible effect is that the prefixes on
those console-based fatal error messages will now be more consistent
between applications.)
2018-10-11 18:58:42 +00:00
|
|
|
prompts_t *p = new_prompts();
|
2018-10-29 19:50:29 +00:00
|
|
|
p->to_server = false;
|
2019-03-09 15:50:23 +00:00
|
|
|
p->from_server = false;
|
2018-05-14 06:36:05 +00:00
|
|
|
p->name = dupstr("Pageant passphrase prompt");
|
Make dupcat() into a variadic macro.
Up until now, it's been a variadic _function_, whose argument list
consists of 'const char *' ASCIZ strings to concatenate, terminated by
one containing a null pointer. Now, that function is dupcat_fn(), and
it's wrapped by a C99 variadic _macro_ called dupcat(), which
automatically suffixes the null-pointer terminating argument.
This has three benefits. Firstly, it's just less effort at every call
site. Secondly, it protects against the risk of accidentally leaving
off the NULL, causing arbitrary words of stack memory to be
dereferenced as char pointers. And thirdly, it protects against the
more subtle risk of writing a bare 'NULL' as the terminating argument,
instead of casting it explicitly to a pointer. That last one is
necessary because C permits the macro NULL to expand to an integer
constant such as 0, so NULL by itself may not have pointer type, and
worse, it may not be marshalled in a variadic argument list in the
same way as a pointer. (For example, on a 64-bit machine it might only
occupy 32 bits. And yet, on another 64-bit platform, it might work
just fine, so that you don't notice the mistake!)
I was inspired to do this by happening to notice one of those bare
NULL terminators, and thinking I'd better check if there were any
more. Turned out there were quite a few. Now there are none.
2019-10-14 18:42:37 +00:00
|
|
|
add_prompt(p, dupcat(prompt, ": "), false);
|
2018-05-18 06:22:56 +00:00
|
|
|
ret = console_get_userpass_input(p);
|
2018-05-14 06:36:05 +00:00
|
|
|
assert(ret >= 0);
|
|
|
|
|
|
|
|
if (!ret) {
|
|
|
|
perror("pageant: unable to read passphrase");
|
|
|
|
free_prompts(p);
|
|
|
|
return NULL;
|
|
|
|
} else {
|
2020-01-21 20:19:47 +00:00
|
|
|
char *passphrase = prompt_get_result(p->prompts[0]);
|
2018-05-14 06:36:05 +00:00
|
|
|
free_prompts(p);
|
|
|
|
return passphrase;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2018-05-14 07:08:34 +00:00
|
|
|
static char *askpass_gui(const char *prompt)
|
2018-05-14 06:36:05 +00:00
|
|
|
{
|
2018-05-14 07:08:34 +00:00
|
|
|
char *passphrase;
|
Convert a lot of 'int' variables to 'bool'.
My normal habit these days, in new code, is to treat int and bool as
_almost_ completely separate types. I'm still willing to use C's
implicit test for zero on an integer (e.g. 'if (!blob.len)' is fine,
no need to spell it out as blob.len != 0), but generally, if a
variable is going to be conceptually a boolean, I like to declare it
bool and assign to it using 'true' or 'false' rather than 0 or 1.
PuTTY is an exception, because it predates the C99 bool, and I've
stuck to its existing coding style even when adding new code to it.
But it's been annoying me more and more, so now that I've decided C99
bool is an acceptable thing to require from our toolchain in the first
place, here's a quite thorough trawl through the source doing
'boolification'. Many variables and function parameters are now typed
as bool rather than int; many assignments of 0 or 1 to those variables
are now spelled 'true' or 'false'.
I managed this thorough conversion with the help of a custom clang
plugin that I wrote to trawl the AST and apply heuristics to point out
where things might want changing. So I've even managed to do a decent
job on parts of the code I haven't looked at in years!
To make the plugin's work easier, I pushed platform front ends
generally in the direction of using standard 'bool' in preference to
platform-specific boolean types like Windows BOOL or GTK's gboolean;
I've left the platform booleans in places they _have_ to be for the
platform APIs to work right, but variables only used by my own code
have been converted wherever I found them.
In a few places there are int values that look very like booleans in
_most_ of the places they're used, but have a rarely-used third value,
or a distinction between different nonzero values that most users
don't care about. In these cases, I've _removed_ uses of 'true' and
'false' for the return values, to emphasise that there's something
more subtle going on than a simple boolean answer:
- the 'multisel' field in dialog.h's list box structure, for which
the GTK front end in particular recognises a difference between 1
and 2 but nearly everything else treats as boolean
- the 'urgent' parameter to plug_receive, where 1 vs 2 tells you
something about the specific location of the urgent pointer, but
most clients only care about 0 vs 'something nonzero'
- the return value of wc_match, where -1 indicates a syntax error in
the wildcard.
- the return values from SSH-1 RSA-key loading functions, which use
-1 for 'wrong passphrase' and 0 for all other failures (so any
caller which already knows it's not loading an _encrypted private_
key can treat them as boolean)
- term->esc_query, and the 'query' parameter in toggle_mode in
terminal.c, which _usually_ hold 0 for ESC[123h or 1 for ESC[?123h,
but can also hold -1 for some other intervening character that we
don't support.
In a few places there's an integer that I haven't turned into a bool
even though it really _can_ only take values 0 or 1 (and, as above,
tried to make the call sites consistent in not calling those values
true and false), on the grounds that I thought it would make it more
confusing to imply that the 0 value was in some sense 'negative' or
bad and the 1 positive or good:
- the return value of plug_accepting uses the POSIXish convention of
0=success and nonzero=error; I think if I made it bool then I'd
also want to reverse its sense, and that's a job for a separate
piece of work.
- the 'screen' parameter to lineptr() in terminal.c, where 0 and 1
represent the default and alternate screens. There's no obvious
reason why one of those should be considered 'true' or 'positive'
or 'success' - they're just indices - so I've left it as int.
ssh_scp_recv had particularly confusing semantics for its previous int
return value: its call sites used '<= 0' to check for error, but it
never actually returned a negative number, just 0 or 1. Now the
function and its call sites agree that it's a bool.
In a couple of places I've renamed variables called 'ret', because I
don't like that name any more - it's unclear whether it means the
return value (in preparation) for the _containing_ function or the
return value received from a subroutine call, and occasionally I've
accidentally used the same variable for both and introduced a bug. So
where one of those got in my way, I've renamed it to 'toret' or 'retd'
(the latter short for 'returned') in line with my usual modern
practice, but I haven't done a thorough job of finding all of them.
Finally, one amusing side effect of doing this is that I've had to
separate quite a few chained assignments. It used to be perfectly fine
to write 'a = b = c = TRUE' when a,b,c were int and TRUE was just a
the 'true' defined by stdbool.h, that idiom provokes a warning from
gcc: 'suggest parentheses around assignment used as truth value'!
2018-11-02 19:23:19 +00:00
|
|
|
bool success;
|
2018-05-14 06:36:05 +00:00
|
|
|
|
2018-05-14 07:08:34 +00:00
|
|
|
passphrase = gtk_askpass_main(
|
|
|
|
display, "Pageant passphrase prompt", prompt, &success);
|
2018-05-14 06:36:05 +00:00
|
|
|
if (!success) {
|
|
|
|
/* return value is error message */
|
|
|
|
fprintf(stderr, "%s\n", passphrase);
|
|
|
|
sfree(passphrase);
|
|
|
|
passphrase = NULL;
|
|
|
|
}
|
|
|
|
return passphrase;
|
|
|
|
}
|
2015-05-11 16:56:37 +00:00
|
|
|
|
2018-05-14 07:08:34 +00:00
|
|
|
static char *askpass(const char *prompt)
|
2015-05-11 16:58:55 +00:00
|
|
|
{
|
2018-05-14 06:36:05 +00:00
|
|
|
if (prompt_type == PROMPT_TTY) {
|
|
|
|
if (!have_controlling_tty()) {
|
|
|
|
fprintf(stderr, "no controlling terminal available "
|
|
|
|
"for passphrase prompt\n");
|
2015-05-13 12:55:08 +00:00
|
|
|
return NULL;
|
|
|
|
}
|
2018-05-14 07:08:34 +00:00
|
|
|
return askpass_tty(prompt);
|
2018-05-14 06:36:05 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
if (prompt_type == PROMPT_GUI) {
|
|
|
|
if (!display) {
|
|
|
|
fprintf(stderr, "no graphical display available "
|
|
|
|
"for passphrase prompt\n");
|
|
|
|
return NULL;
|
2015-05-13 12:55:08 +00:00
|
|
|
}
|
2018-05-14 07:08:34 +00:00
|
|
|
return askpass_gui(prompt);
|
2018-05-14 06:36:05 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
if (have_controlling_tty()) {
|
2018-05-14 07:08:34 +00:00
|
|
|
return askpass_tty(prompt);
|
2018-05-14 06:36:05 +00:00
|
|
|
} else if (display) {
|
2018-05-14 07:08:34 +00:00
|
|
|
return askpass_gui(prompt);
|
2015-05-13 12:55:08 +00:00
|
|
|
} else {
|
|
|
|
fprintf(stderr, "no way to read a passphrase without tty or "
|
|
|
|
"X display\n");
|
|
|
|
return NULL;
|
2015-05-11 16:58:55 +00:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2020-02-08 17:28:46 +00:00
|
|
|
static bool unix_add_keyfile(const char *filename_str, bool add_encrypted)
|
2015-05-11 16:58:55 +00:00
|
|
|
{
|
|
|
|
Filename *filename = filename_from_str(filename_str);
|
Convert a lot of 'int' variables to 'bool'.
My normal habit these days, in new code, is to treat int and bool as
_almost_ completely separate types. I'm still willing to use C's
implicit test for zero on an integer (e.g. 'if (!blob.len)' is fine,
no need to spell it out as blob.len != 0), but generally, if a
variable is going to be conceptually a boolean, I like to declare it
bool and assign to it using 'true' or 'false' rather than 0 or 1.
PuTTY is an exception, because it predates the C99 bool, and I've
stuck to its existing coding style even when adding new code to it.
But it's been annoying me more and more, so now that I've decided C99
bool is an acceptable thing to require from our toolchain in the first
place, here's a quite thorough trawl through the source doing
'boolification'. Many variables and function parameters are now typed
as bool rather than int; many assignments of 0 or 1 to those variables
are now spelled 'true' or 'false'.
I managed this thorough conversion with the help of a custom clang
plugin that I wrote to trawl the AST and apply heuristics to point out
where things might want changing. So I've even managed to do a decent
job on parts of the code I haven't looked at in years!
To make the plugin's work easier, I pushed platform front ends
generally in the direction of using standard 'bool' in preference to
platform-specific boolean types like Windows BOOL or GTK's gboolean;
I've left the platform booleans in places they _have_ to be for the
platform APIs to work right, but variables only used by my own code
have been converted wherever I found them.
In a few places there are int values that look very like booleans in
_most_ of the places they're used, but have a rarely-used third value,
or a distinction between different nonzero values that most users
don't care about. In these cases, I've _removed_ uses of 'true' and
'false' for the return values, to emphasise that there's something
more subtle going on than a simple boolean answer:
- the 'multisel' field in dialog.h's list box structure, for which
the GTK front end in particular recognises a difference between 1
and 2 but nearly everything else treats as boolean
- the 'urgent' parameter to plug_receive, where 1 vs 2 tells you
something about the specific location of the urgent pointer, but
most clients only care about 0 vs 'something nonzero'
- the return value of wc_match, where -1 indicates a syntax error in
the wildcard.
- the return values from SSH-1 RSA-key loading functions, which use
-1 for 'wrong passphrase' and 0 for all other failures (so any
caller which already knows it's not loading an _encrypted private_
key can treat them as boolean)
- term->esc_query, and the 'query' parameter in toggle_mode in
terminal.c, which _usually_ hold 0 for ESC[123h or 1 for ESC[?123h,
but can also hold -1 for some other intervening character that we
don't support.
In a few places there's an integer that I haven't turned into a bool
even though it really _can_ only take values 0 or 1 (and, as above,
tried to make the call sites consistent in not calling those values
true and false), on the grounds that I thought it would make it more
confusing to imply that the 0 value was in some sense 'negative' or
bad and the 1 positive or good:
- the return value of plug_accepting uses the POSIXish convention of
0=success and nonzero=error; I think if I made it bool then I'd
also want to reverse its sense, and that's a job for a separate
piece of work.
- the 'screen' parameter to lineptr() in terminal.c, where 0 and 1
represent the default and alternate screens. There's no obvious
reason why one of those should be considered 'true' or 'positive'
or 'success' - they're just indices - so I've left it as int.
ssh_scp_recv had particularly confusing semantics for its previous int
return value: its call sites used '<= 0' to check for error, but it
never actually returned a negative number, just 0 or 1. Now the
function and its call sites agree that it's a bool.
In a couple of places I've renamed variables called 'ret', because I
don't like that name any more - it's unclear whether it means the
return value (in preparation) for the _containing_ function or the
return value received from a subroutine call, and occasionally I've
accidentally used the same variable for both and introduced a bug. So
where one of those got in my way, I've renamed it to 'toret' or 'retd'
(the latter short for 'returned') in line with my usual modern
practice, but I haven't done a thorough job of finding all of them.
Finally, one amusing side effect of doing this is that I've had to
separate quite a few chained assignments. It used to be perfectly fine
to write 'a = b = c = TRUE' when a,b,c were int and TRUE was just a
the 'true' defined by stdbool.h, that idiom provokes a warning from
gcc: 'suggest parentheses around assignment used as truth value'!
2018-11-02 19:23:19 +00:00
|
|
|
int status;
|
|
|
|
bool ret;
|
2015-05-11 16:58:55 +00:00
|
|
|
char *err;
|
|
|
|
|
2018-10-29 19:50:29 +00:00
|
|
|
ret = true;
|
2015-05-11 16:58:55 +00:00
|
|
|
|
|
|
|
/*
|
|
|
|
* Try without a passphrase.
|
|
|
|
*/
|
2020-02-08 17:28:46 +00:00
|
|
|
status = pageant_add_keyfile(filename, NULL, &err, add_encrypted);
|
2015-05-11 16:58:55 +00:00
|
|
|
if (status == PAGEANT_ACTION_OK) {
|
|
|
|
goto cleanup;
|
|
|
|
} else if (status == PAGEANT_ACTION_FAILURE) {
|
|
|
|
fprintf(stderr, "pageant: %s: %s\n", filename_str, err);
|
2018-10-29 19:50:29 +00:00
|
|
|
ret = false;
|
2015-05-11 16:58:55 +00:00
|
|
|
goto cleanup;
|
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* And now try prompting for a passphrase.
|
|
|
|
*/
|
|
|
|
while (1) {
|
2018-05-14 07:08:34 +00:00
|
|
|
char *prompt = dupprintf(
|
|
|
|
"Enter passphrase to load key '%s'", err);
|
|
|
|
char *passphrase = askpass(prompt);
|
2015-05-11 16:58:55 +00:00
|
|
|
sfree(err);
|
2018-05-14 07:08:34 +00:00
|
|
|
sfree(prompt);
|
2015-05-13 12:22:44 +00:00
|
|
|
err = NULL;
|
2015-05-11 16:58:55 +00:00
|
|
|
if (!passphrase)
|
|
|
|
break;
|
|
|
|
|
2020-02-08 17:28:46 +00:00
|
|
|
status = pageant_add_keyfile(filename, passphrase, &err,
|
|
|
|
add_encrypted);
|
2015-05-11 16:58:55 +00:00
|
|
|
|
|
|
|
smemclr(passphrase, strlen(passphrase));
|
|
|
|
sfree(passphrase);
|
|
|
|
passphrase = NULL;
|
|
|
|
|
|
|
|
if (status == PAGEANT_ACTION_OK) {
|
|
|
|
goto cleanup;
|
|
|
|
} else if (status == PAGEANT_ACTION_FAILURE) {
|
|
|
|
fprintf(stderr, "pageant: %s: %s\n", filename_str, err);
|
2018-10-29 19:50:29 +00:00
|
|
|
ret = false;
|
2015-05-11 16:58:55 +00:00
|
|
|
goto cleanup;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
cleanup:
|
|
|
|
sfree(err);
|
|
|
|
filename_free(filename);
|
|
|
|
return ret;
|
|
|
|
}
|
|
|
|
|
2021-03-13 10:27:50 +00:00
|
|
|
void key_list_callback(void *ctx, char **fingerprints, const char *comment,
|
2020-12-15 14:07:29 +00:00
|
|
|
uint32_t ext_flags, struct pageant_pubkey *key)
|
2015-05-11 17:34:45 +00:00
|
|
|
{
|
2020-12-15 14:07:29 +00:00
|
|
|
const char *mode = "";
|
|
|
|
if (ext_flags & LIST_EXTENDED_FLAG_HAS_NO_CLEARTEXT_KEY)
|
|
|
|
mode = " (encrypted)";
|
|
|
|
else if (ext_flags & LIST_EXTENDED_FLAG_HAS_ENCRYPTED_KEY_FILE)
|
|
|
|
mode = " (re-encryptable)";
|
|
|
|
|
2021-03-13 10:27:50 +00:00
|
|
|
FingerprintType this_type =
|
|
|
|
ssh2_pick_fingerprint(fingerprints, key_list_fptype);
|
|
|
|
printf("%s %s%s\n", fingerprints[this_type], comment, mode);
|
2015-05-11 17:34:45 +00:00
|
|
|
}
|
|
|
|
|
2015-05-12 12:27:33 +00:00
|
|
|
struct key_find_ctx {
|
|
|
|
const char *string;
|
Convert a lot of 'int' variables to 'bool'.
My normal habit these days, in new code, is to treat int and bool as
_almost_ completely separate types. I'm still willing to use C's
implicit test for zero on an integer (e.g. 'if (!blob.len)' is fine,
no need to spell it out as blob.len != 0), but generally, if a
variable is going to be conceptually a boolean, I like to declare it
bool and assign to it using 'true' or 'false' rather than 0 or 1.
PuTTY is an exception, because it predates the C99 bool, and I've
stuck to its existing coding style even when adding new code to it.
But it's been annoying me more and more, so now that I've decided C99
bool is an acceptable thing to require from our toolchain in the first
place, here's a quite thorough trawl through the source doing
'boolification'. Many variables and function parameters are now typed
as bool rather than int; many assignments of 0 or 1 to those variables
are now spelled 'true' or 'false'.
I managed this thorough conversion with the help of a custom clang
plugin that I wrote to trawl the AST and apply heuristics to point out
where things might want changing. So I've even managed to do a decent
job on parts of the code I haven't looked at in years!
To make the plugin's work easier, I pushed platform front ends
generally in the direction of using standard 'bool' in preference to
platform-specific boolean types like Windows BOOL or GTK's gboolean;
I've left the platform booleans in places they _have_ to be for the
platform APIs to work right, but variables only used by my own code
have been converted wherever I found them.
In a few places there are int values that look very like booleans in
_most_ of the places they're used, but have a rarely-used third value,
or a distinction between different nonzero values that most users
don't care about. In these cases, I've _removed_ uses of 'true' and
'false' for the return values, to emphasise that there's something
more subtle going on than a simple boolean answer:
- the 'multisel' field in dialog.h's list box structure, for which
the GTK front end in particular recognises a difference between 1
and 2 but nearly everything else treats as boolean
- the 'urgent' parameter to plug_receive, where 1 vs 2 tells you
something about the specific location of the urgent pointer, but
most clients only care about 0 vs 'something nonzero'
- the return value of wc_match, where -1 indicates a syntax error in
the wildcard.
- the return values from SSH-1 RSA-key loading functions, which use
-1 for 'wrong passphrase' and 0 for all other failures (so any
caller which already knows it's not loading an _encrypted private_
key can treat them as boolean)
- term->esc_query, and the 'query' parameter in toggle_mode in
terminal.c, which _usually_ hold 0 for ESC[123h or 1 for ESC[?123h,
but can also hold -1 for some other intervening character that we
don't support.
In a few places there's an integer that I haven't turned into a bool
even though it really _can_ only take values 0 or 1 (and, as above,
tried to make the call sites consistent in not calling those values
true and false), on the grounds that I thought it would make it more
confusing to imply that the 0 value was in some sense 'negative' or
bad and the 1 positive or good:
- the return value of plug_accepting uses the POSIXish convention of
0=success and nonzero=error; I think if I made it bool then I'd
also want to reverse its sense, and that's a job for a separate
piece of work.
- the 'screen' parameter to lineptr() in terminal.c, where 0 and 1
represent the default and alternate screens. There's no obvious
reason why one of those should be considered 'true' or 'positive'
or 'success' - they're just indices - so I've left it as int.
ssh_scp_recv had particularly confusing semantics for its previous int
return value: its call sites used '<= 0' to check for error, but it
never actually returned a negative number, just 0 or 1. Now the
function and its call sites agree that it's a bool.
In a couple of places I've renamed variables called 'ret', because I
don't like that name any more - it's unclear whether it means the
return value (in preparation) for the _containing_ function or the
return value received from a subroutine call, and occasionally I've
accidentally used the same variable for both and introduced a bug. So
where one of those got in my way, I've renamed it to 'toret' or 'retd'
(the latter short for 'returned') in line with my usual modern
practice, but I haven't done a thorough job of finding all of them.
Finally, one amusing side effect of doing this is that I've had to
separate quite a few chained assignments. It used to be perfectly fine
to write 'a = b = c = TRUE' when a,b,c were int and TRUE was just a
the 'true' defined by stdbool.h, that idiom provokes a warning from
gcc: 'suggest parentheses around assignment used as truth value'!
2018-11-02 19:23:19 +00:00
|
|
|
bool match_fp, match_comment;
|
2021-03-13 10:27:50 +00:00
|
|
|
bool match_fptypes[SSH_N_FPTYPES];
|
2015-05-12 12:27:33 +00:00
|
|
|
struct pageant_pubkey *found;
|
|
|
|
int nfound;
|
|
|
|
};
|
|
|
|
|
2021-03-13 10:27:50 +00:00
|
|
|
static bool match_fingerprint_string(
|
|
|
|
const char *string_orig, char **fingerprints,
|
|
|
|
const struct key_find_ctx *ctx)
|
2015-05-12 12:27:33 +00:00
|
|
|
{
|
|
|
|
const char *hash;
|
|
|
|
|
2021-03-13 10:27:50 +00:00
|
|
|
for (unsigned fptype = 0; fptype < SSH_N_FPTYPES; fptype++) {
|
|
|
|
if (!ctx->match_fptypes[fptype])
|
|
|
|
continue;
|
2015-05-12 12:27:33 +00:00
|
|
|
|
2021-03-13 10:27:50 +00:00
|
|
|
const char *fingerprint = fingerprints[fptype];
|
|
|
|
if (!fingerprint)
|
|
|
|
continue;
|
|
|
|
|
|
|
|
/* Find the hash in the fingerprint string. It'll be the word
|
|
|
|
* at the end. */
|
|
|
|
hash = strrchr(fingerprint, ' ');
|
|
|
|
assert(hash);
|
2015-05-12 12:27:33 +00:00
|
|
|
hash++;
|
2021-03-13 10:27:50 +00:00
|
|
|
|
|
|
|
const char *string = string_orig;
|
|
|
|
bool case_sensitive;
|
|
|
|
const char *ignore_chars = "";
|
|
|
|
|
|
|
|
switch (fptype) {
|
|
|
|
case SSH_FPTYPE_MD5:
|
|
|
|
/* MD5 fingerprints are in hex, so disregard case differences. */
|
|
|
|
case_sensitive = false;
|
|
|
|
/* And we don't really need to force the user to type the
|
|
|
|
* colons in between the digits, which are always the
|
|
|
|
* same. */
|
|
|
|
ignore_chars = ":";
|
|
|
|
break;
|
|
|
|
case SSH_FPTYPE_SHA256:
|
|
|
|
/* Skip over the "SHA256:" prefix, which we don't really
|
|
|
|
* want to force the user to type. On the other hand,
|
|
|
|
* tolerate it on the input string. */
|
|
|
|
assert(strstartswith(hash, "SHA256:"));
|
|
|
|
hash += 7;
|
|
|
|
if (strstartswith(string, "SHA256:"))
|
|
|
|
string += 7;
|
|
|
|
/* SHA256 fingerprints are base64, which is intrinsically
|
|
|
|
* case sensitive. */
|
|
|
|
case_sensitive = true;
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* Now see if the search string is a prefix of the full hash,
|
|
|
|
* neglecting colons and (where appropriate) case differences. */
|
|
|
|
while (1) {
|
|
|
|
string += strspn(string, ignore_chars);
|
|
|
|
hash += strspn(hash, ignore_chars);
|
|
|
|
if (!*string)
|
|
|
|
return true;
|
|
|
|
char sc = *string, hc = *hash;
|
|
|
|
if (!case_sensitive) {
|
|
|
|
sc = tolower((unsigned char)sc);
|
|
|
|
hc = tolower((unsigned char)hc);
|
|
|
|
}
|
|
|
|
if (sc != hc)
|
|
|
|
break;
|
|
|
|
string++;
|
|
|
|
hash++;
|
|
|
|
}
|
2015-05-12 12:27:33 +00:00
|
|
|
}
|
2021-03-13 10:27:50 +00:00
|
|
|
|
|
|
|
return false;
|
2015-05-12 12:27:33 +00:00
|
|
|
}
|
|
|
|
|
2021-03-13 10:27:50 +00:00
|
|
|
void key_find_callback(void *vctx, char **fingerprints,
|
2020-12-15 14:07:29 +00:00
|
|
|
const char *comment, uint32_t ext_flags,
|
|
|
|
struct pageant_pubkey *key)
|
2015-05-12 12:27:33 +00:00
|
|
|
{
|
|
|
|
struct key_find_ctx *ctx = (struct key_find_ctx *)vctx;
|
|
|
|
|
|
|
|
if ((ctx->match_comment && !strcmp(ctx->string, comment)) ||
|
2021-03-13 10:27:50 +00:00
|
|
|
(ctx->match_fp && match_fingerprint_string(ctx->string, fingerprints,
|
|
|
|
ctx)))
|
2015-05-12 12:27:33 +00:00
|
|
|
{
|
|
|
|
if (!ctx->found)
|
|
|
|
ctx->found = pageant_pubkey_copy(key);
|
|
|
|
ctx->nfound++;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
struct pageant_pubkey *find_key(const char *string, char **retstr)
|
|
|
|
{
|
2019-12-22 08:15:52 +00:00
|
|
|
struct key_find_ctx ctx[1];
|
2015-05-12 12:27:33 +00:00
|
|
|
struct pageant_pubkey key_in, *key_ret;
|
Convert a lot of 'int' variables to 'bool'.
My normal habit these days, in new code, is to treat int and bool as
_almost_ completely separate types. I'm still willing to use C's
implicit test for zero on an integer (e.g. 'if (!blob.len)' is fine,
no need to spell it out as blob.len != 0), but generally, if a
variable is going to be conceptually a boolean, I like to declare it
bool and assign to it using 'true' or 'false' rather than 0 or 1.
PuTTY is an exception, because it predates the C99 bool, and I've
stuck to its existing coding style even when adding new code to it.
But it's been annoying me more and more, so now that I've decided C99
bool is an acceptable thing to require from our toolchain in the first
place, here's a quite thorough trawl through the source doing
'boolification'. Many variables and function parameters are now typed
as bool rather than int; many assignments of 0 or 1 to those variables
are now spelled 'true' or 'false'.
I managed this thorough conversion with the help of a custom clang
plugin that I wrote to trawl the AST and apply heuristics to point out
where things might want changing. So I've even managed to do a decent
job on parts of the code I haven't looked at in years!
To make the plugin's work easier, I pushed platform front ends
generally in the direction of using standard 'bool' in preference to
platform-specific boolean types like Windows BOOL or GTK's gboolean;
I've left the platform booleans in places they _have_ to be for the
platform APIs to work right, but variables only used by my own code
have been converted wherever I found them.
In a few places there are int values that look very like booleans in
_most_ of the places they're used, but have a rarely-used third value,
or a distinction between different nonzero values that most users
don't care about. In these cases, I've _removed_ uses of 'true' and
'false' for the return values, to emphasise that there's something
more subtle going on than a simple boolean answer:
- the 'multisel' field in dialog.h's list box structure, for which
the GTK front end in particular recognises a difference between 1
and 2 but nearly everything else treats as boolean
- the 'urgent' parameter to plug_receive, where 1 vs 2 tells you
something about the specific location of the urgent pointer, but
most clients only care about 0 vs 'something nonzero'
- the return value of wc_match, where -1 indicates a syntax error in
the wildcard.
- the return values from SSH-1 RSA-key loading functions, which use
-1 for 'wrong passphrase' and 0 for all other failures (so any
caller which already knows it's not loading an _encrypted private_
key can treat them as boolean)
- term->esc_query, and the 'query' parameter in toggle_mode in
terminal.c, which _usually_ hold 0 for ESC[123h or 1 for ESC[?123h,
but can also hold -1 for some other intervening character that we
don't support.
In a few places there's an integer that I haven't turned into a bool
even though it really _can_ only take values 0 or 1 (and, as above,
tried to make the call sites consistent in not calling those values
true and false), on the grounds that I thought it would make it more
confusing to imply that the 0 value was in some sense 'negative' or
bad and the 1 positive or good:
- the return value of plug_accepting uses the POSIXish convention of
0=success and nonzero=error; I think if I made it bool then I'd
also want to reverse its sense, and that's a job for a separate
piece of work.
- the 'screen' parameter to lineptr() in terminal.c, where 0 and 1
represent the default and alternate screens. There's no obvious
reason why one of those should be considered 'true' or 'positive'
or 'success' - they're just indices - so I've left it as int.
ssh_scp_recv had particularly confusing semantics for its previous int
return value: its call sites used '<= 0' to check for error, but it
never actually returned a negative number, just 0 or 1. Now the
function and its call sites agree that it's a bool.
In a couple of places I've renamed variables called 'ret', because I
don't like that name any more - it's unclear whether it means the
return value (in preparation) for the _containing_ function or the
return value received from a subroutine call, and occasionally I've
accidentally used the same variable for both and introduced a bug. So
where one of those got in my way, I've renamed it to 'toret' or 'retd'
(the latter short for 'returned') in line with my usual modern
practice, but I haven't done a thorough job of finding all of them.
Finally, one amusing side effect of doing this is that I've had to
separate quite a few chained assignments. It used to be perfectly fine
to write 'a = b = c = TRUE' when a,b,c were int and TRUE was just a
the 'true' defined by stdbool.h, that idiom provokes a warning from
gcc: 'suggest parentheses around assignment used as truth value'!
2018-11-02 19:23:19 +00:00
|
|
|
bool try_file = true, try_fp = true, try_comment = true;
|
|
|
|
bool file_errors = false;
|
2021-03-13 10:27:50 +00:00
|
|
|
bool try_all_fptypes = true;
|
|
|
|
FingerprintType fptype = SSH_FPTYPE_DEFAULT;
|
2015-05-12 12:27:33 +00:00
|
|
|
|
|
|
|
/*
|
|
|
|
* Trim off disambiguating prefixes telling us how to interpret
|
|
|
|
* the provided string.
|
|
|
|
*/
|
|
|
|
if (!strncmp(string, "file:", 5)) {
|
|
|
|
string += 5;
|
Convert a lot of 'int' variables to 'bool'.
My normal habit these days, in new code, is to treat int and bool as
_almost_ completely separate types. I'm still willing to use C's
implicit test for zero on an integer (e.g. 'if (!blob.len)' is fine,
no need to spell it out as blob.len != 0), but generally, if a
variable is going to be conceptually a boolean, I like to declare it
bool and assign to it using 'true' or 'false' rather than 0 or 1.
PuTTY is an exception, because it predates the C99 bool, and I've
stuck to its existing coding style even when adding new code to it.
But it's been annoying me more and more, so now that I've decided C99
bool is an acceptable thing to require from our toolchain in the first
place, here's a quite thorough trawl through the source doing
'boolification'. Many variables and function parameters are now typed
as bool rather than int; many assignments of 0 or 1 to those variables
are now spelled 'true' or 'false'.
I managed this thorough conversion with the help of a custom clang
plugin that I wrote to trawl the AST and apply heuristics to point out
where things might want changing. So I've even managed to do a decent
job on parts of the code I haven't looked at in years!
To make the plugin's work easier, I pushed platform front ends
generally in the direction of using standard 'bool' in preference to
platform-specific boolean types like Windows BOOL or GTK's gboolean;
I've left the platform booleans in places they _have_ to be for the
platform APIs to work right, but variables only used by my own code
have been converted wherever I found them.
In a few places there are int values that look very like booleans in
_most_ of the places they're used, but have a rarely-used third value,
or a distinction between different nonzero values that most users
don't care about. In these cases, I've _removed_ uses of 'true' and
'false' for the return values, to emphasise that there's something
more subtle going on than a simple boolean answer:
- the 'multisel' field in dialog.h's list box structure, for which
the GTK front end in particular recognises a difference between 1
and 2 but nearly everything else treats as boolean
- the 'urgent' parameter to plug_receive, where 1 vs 2 tells you
something about the specific location of the urgent pointer, but
most clients only care about 0 vs 'something nonzero'
- the return value of wc_match, where -1 indicates a syntax error in
the wildcard.
- the return values from SSH-1 RSA-key loading functions, which use
-1 for 'wrong passphrase' and 0 for all other failures (so any
caller which already knows it's not loading an _encrypted private_
key can treat them as boolean)
- term->esc_query, and the 'query' parameter in toggle_mode in
terminal.c, which _usually_ hold 0 for ESC[123h or 1 for ESC[?123h,
but can also hold -1 for some other intervening character that we
don't support.
In a few places there's an integer that I haven't turned into a bool
even though it really _can_ only take values 0 or 1 (and, as above,
tried to make the call sites consistent in not calling those values
true and false), on the grounds that I thought it would make it more
confusing to imply that the 0 value was in some sense 'negative' or
bad and the 1 positive or good:
- the return value of plug_accepting uses the POSIXish convention of
0=success and nonzero=error; I think if I made it bool then I'd
also want to reverse its sense, and that's a job for a separate
piece of work.
- the 'screen' parameter to lineptr() in terminal.c, where 0 and 1
represent the default and alternate screens. There's no obvious
reason why one of those should be considered 'true' or 'positive'
or 'success' - they're just indices - so I've left it as int.
ssh_scp_recv had particularly confusing semantics for its previous int
return value: its call sites used '<= 0' to check for error, but it
never actually returned a negative number, just 0 or 1. Now the
function and its call sites agree that it's a bool.
In a couple of places I've renamed variables called 'ret', because I
don't like that name any more - it's unclear whether it means the
return value (in preparation) for the _containing_ function or the
return value received from a subroutine call, and occasionally I've
accidentally used the same variable for both and introduced a bug. So
where one of those got in my way, I've renamed it to 'toret' or 'retd'
(the latter short for 'returned') in line with my usual modern
practice, but I haven't done a thorough job of finding all of them.
Finally, one amusing side effect of doing this is that I've had to
separate quite a few chained assignments. It used to be perfectly fine
to write 'a = b = c = TRUE' when a,b,c were int and TRUE was just a
the 'true' defined by stdbool.h, that idiom provokes a warning from
gcc: 'suggest parentheses around assignment used as truth value'!
2018-11-02 19:23:19 +00:00
|
|
|
try_fp = false;
|
|
|
|
try_comment = false;
|
2018-10-29 19:50:29 +00:00
|
|
|
file_errors = true; /* also report failure to load the file */
|
2015-05-12 12:27:33 +00:00
|
|
|
} else if (!strncmp(string, "comment:", 8)) {
|
|
|
|
string += 8;
|
Convert a lot of 'int' variables to 'bool'.
My normal habit these days, in new code, is to treat int and bool as
_almost_ completely separate types. I'm still willing to use C's
implicit test for zero on an integer (e.g. 'if (!blob.len)' is fine,
no need to spell it out as blob.len != 0), but generally, if a
variable is going to be conceptually a boolean, I like to declare it
bool and assign to it using 'true' or 'false' rather than 0 or 1.
PuTTY is an exception, because it predates the C99 bool, and I've
stuck to its existing coding style even when adding new code to it.
But it's been annoying me more and more, so now that I've decided C99
bool is an acceptable thing to require from our toolchain in the first
place, here's a quite thorough trawl through the source doing
'boolification'. Many variables and function parameters are now typed
as bool rather than int; many assignments of 0 or 1 to those variables
are now spelled 'true' or 'false'.
I managed this thorough conversion with the help of a custom clang
plugin that I wrote to trawl the AST and apply heuristics to point out
where things might want changing. So I've even managed to do a decent
job on parts of the code I haven't looked at in years!
To make the plugin's work easier, I pushed platform front ends
generally in the direction of using standard 'bool' in preference to
platform-specific boolean types like Windows BOOL or GTK's gboolean;
I've left the platform booleans in places they _have_ to be for the
platform APIs to work right, but variables only used by my own code
have been converted wherever I found them.
In a few places there are int values that look very like booleans in
_most_ of the places they're used, but have a rarely-used third value,
or a distinction between different nonzero values that most users
don't care about. In these cases, I've _removed_ uses of 'true' and
'false' for the return values, to emphasise that there's something
more subtle going on than a simple boolean answer:
- the 'multisel' field in dialog.h's list box structure, for which
the GTK front end in particular recognises a difference between 1
and 2 but nearly everything else treats as boolean
- the 'urgent' parameter to plug_receive, where 1 vs 2 tells you
something about the specific location of the urgent pointer, but
most clients only care about 0 vs 'something nonzero'
- the return value of wc_match, where -1 indicates a syntax error in
the wildcard.
- the return values from SSH-1 RSA-key loading functions, which use
-1 for 'wrong passphrase' and 0 for all other failures (so any
caller which already knows it's not loading an _encrypted private_
key can treat them as boolean)
- term->esc_query, and the 'query' parameter in toggle_mode in
terminal.c, which _usually_ hold 0 for ESC[123h or 1 for ESC[?123h,
but can also hold -1 for some other intervening character that we
don't support.
In a few places there's an integer that I haven't turned into a bool
even though it really _can_ only take values 0 or 1 (and, as above,
tried to make the call sites consistent in not calling those values
true and false), on the grounds that I thought it would make it more
confusing to imply that the 0 value was in some sense 'negative' or
bad and the 1 positive or good:
- the return value of plug_accepting uses the POSIXish convention of
0=success and nonzero=error; I think if I made it bool then I'd
also want to reverse its sense, and that's a job for a separate
piece of work.
- the 'screen' parameter to lineptr() in terminal.c, where 0 and 1
represent the default and alternate screens. There's no obvious
reason why one of those should be considered 'true' or 'positive'
or 'success' - they're just indices - so I've left it as int.
ssh_scp_recv had particularly confusing semantics for its previous int
return value: its call sites used '<= 0' to check for error, but it
never actually returned a negative number, just 0 or 1. Now the
function and its call sites agree that it's a bool.
In a couple of places I've renamed variables called 'ret', because I
don't like that name any more - it's unclear whether it means the
return value (in preparation) for the _containing_ function or the
return value received from a subroutine call, and occasionally I've
accidentally used the same variable for both and introduced a bug. So
where one of those got in my way, I've renamed it to 'toret' or 'retd'
(the latter short for 'returned') in line with my usual modern
practice, but I haven't done a thorough job of finding all of them.
Finally, one amusing side effect of doing this is that I've had to
separate quite a few chained assignments. It used to be perfectly fine
to write 'a = b = c = TRUE' when a,b,c were int and TRUE was just a
the 'true' defined by stdbool.h, that idiom provokes a warning from
gcc: 'suggest parentheses around assignment used as truth value'!
2018-11-02 19:23:19 +00:00
|
|
|
try_file = false;
|
|
|
|
try_fp = false;
|
2015-05-12 12:27:33 +00:00
|
|
|
} else if (!strncmp(string, "fp:", 3)) {
|
|
|
|
string += 3;
|
Convert a lot of 'int' variables to 'bool'.
My normal habit these days, in new code, is to treat int and bool as
_almost_ completely separate types. I'm still willing to use C's
implicit test for zero on an integer (e.g. 'if (!blob.len)' is fine,
no need to spell it out as blob.len != 0), but generally, if a
variable is going to be conceptually a boolean, I like to declare it
bool and assign to it using 'true' or 'false' rather than 0 or 1.
PuTTY is an exception, because it predates the C99 bool, and I've
stuck to its existing coding style even when adding new code to it.
But it's been annoying me more and more, so now that I've decided C99
bool is an acceptable thing to require from our toolchain in the first
place, here's a quite thorough trawl through the source doing
'boolification'. Many variables and function parameters are now typed
as bool rather than int; many assignments of 0 or 1 to those variables
are now spelled 'true' or 'false'.
I managed this thorough conversion with the help of a custom clang
plugin that I wrote to trawl the AST and apply heuristics to point out
where things might want changing. So I've even managed to do a decent
job on parts of the code I haven't looked at in years!
To make the plugin's work easier, I pushed platform front ends
generally in the direction of using standard 'bool' in preference to
platform-specific boolean types like Windows BOOL or GTK's gboolean;
I've left the platform booleans in places they _have_ to be for the
platform APIs to work right, but variables only used by my own code
have been converted wherever I found them.
In a few places there are int values that look very like booleans in
_most_ of the places they're used, but have a rarely-used third value,
or a distinction between different nonzero values that most users
don't care about. In these cases, I've _removed_ uses of 'true' and
'false' for the return values, to emphasise that there's something
more subtle going on than a simple boolean answer:
- the 'multisel' field in dialog.h's list box structure, for which
the GTK front end in particular recognises a difference between 1
and 2 but nearly everything else treats as boolean
- the 'urgent' parameter to plug_receive, where 1 vs 2 tells you
something about the specific location of the urgent pointer, but
most clients only care about 0 vs 'something nonzero'
- the return value of wc_match, where -1 indicates a syntax error in
the wildcard.
- the return values from SSH-1 RSA-key loading functions, which use
-1 for 'wrong passphrase' and 0 for all other failures (so any
caller which already knows it's not loading an _encrypted private_
key can treat them as boolean)
- term->esc_query, and the 'query' parameter in toggle_mode in
terminal.c, which _usually_ hold 0 for ESC[123h or 1 for ESC[?123h,
but can also hold -1 for some other intervening character that we
don't support.
In a few places there's an integer that I haven't turned into a bool
even though it really _can_ only take values 0 or 1 (and, as above,
tried to make the call sites consistent in not calling those values
true and false), on the grounds that I thought it would make it more
confusing to imply that the 0 value was in some sense 'negative' or
bad and the 1 positive or good:
- the return value of plug_accepting uses the POSIXish convention of
0=success and nonzero=error; I think if I made it bool then I'd
also want to reverse its sense, and that's a job for a separate
piece of work.
- the 'screen' parameter to lineptr() in terminal.c, where 0 and 1
represent the default and alternate screens. There's no obvious
reason why one of those should be considered 'true' or 'positive'
or 'success' - they're just indices - so I've left it as int.
ssh_scp_recv had particularly confusing semantics for its previous int
return value: its call sites used '<= 0' to check for error, but it
never actually returned a negative number, just 0 or 1. Now the
function and its call sites agree that it's a bool.
In a couple of places I've renamed variables called 'ret', because I
don't like that name any more - it's unclear whether it means the
return value (in preparation) for the _containing_ function or the
return value received from a subroutine call, and occasionally I've
accidentally used the same variable for both and introduced a bug. So
where one of those got in my way, I've renamed it to 'toret' or 'retd'
(the latter short for 'returned') in line with my usual modern
practice, but I haven't done a thorough job of finding all of them.
Finally, one amusing side effect of doing this is that I've had to
separate quite a few chained assignments. It used to be perfectly fine
to write 'a = b = c = TRUE' when a,b,c were int and TRUE was just a
the 'true' defined by stdbool.h, that idiom provokes a warning from
gcc: 'suggest parentheses around assignment used as truth value'!
2018-11-02 19:23:19 +00:00
|
|
|
try_file = false;
|
|
|
|
try_comment = false;
|
2015-05-12 12:27:33 +00:00
|
|
|
} else if (!strncmp(string, "fingerprint:", 12)) {
|
|
|
|
string += 12;
|
Convert a lot of 'int' variables to 'bool'.
My normal habit these days, in new code, is to treat int and bool as
_almost_ completely separate types. I'm still willing to use C's
implicit test for zero on an integer (e.g. 'if (!blob.len)' is fine,
no need to spell it out as blob.len != 0), but generally, if a
variable is going to be conceptually a boolean, I like to declare it
bool and assign to it using 'true' or 'false' rather than 0 or 1.
PuTTY is an exception, because it predates the C99 bool, and I've
stuck to its existing coding style even when adding new code to it.
But it's been annoying me more and more, so now that I've decided C99
bool is an acceptable thing to require from our toolchain in the first
place, here's a quite thorough trawl through the source doing
'boolification'. Many variables and function parameters are now typed
as bool rather than int; many assignments of 0 or 1 to those variables
are now spelled 'true' or 'false'.
I managed this thorough conversion with the help of a custom clang
plugin that I wrote to trawl the AST and apply heuristics to point out
where things might want changing. So I've even managed to do a decent
job on parts of the code I haven't looked at in years!
To make the plugin's work easier, I pushed platform front ends
generally in the direction of using standard 'bool' in preference to
platform-specific boolean types like Windows BOOL or GTK's gboolean;
I've left the platform booleans in places they _have_ to be for the
platform APIs to work right, but variables only used by my own code
have been converted wherever I found them.
In a few places there are int values that look very like booleans in
_most_ of the places they're used, but have a rarely-used third value,
or a distinction between different nonzero values that most users
don't care about. In these cases, I've _removed_ uses of 'true' and
'false' for the return values, to emphasise that there's something
more subtle going on than a simple boolean answer:
- the 'multisel' field in dialog.h's list box structure, for which
the GTK front end in particular recognises a difference between 1
and 2 but nearly everything else treats as boolean
- the 'urgent' parameter to plug_receive, where 1 vs 2 tells you
something about the specific location of the urgent pointer, but
most clients only care about 0 vs 'something nonzero'
- the return value of wc_match, where -1 indicates a syntax error in
the wildcard.
- the return values from SSH-1 RSA-key loading functions, which use
-1 for 'wrong passphrase' and 0 for all other failures (so any
caller which already knows it's not loading an _encrypted private_
key can treat them as boolean)
- term->esc_query, and the 'query' parameter in toggle_mode in
terminal.c, which _usually_ hold 0 for ESC[123h or 1 for ESC[?123h,
but can also hold -1 for some other intervening character that we
don't support.
In a few places there's an integer that I haven't turned into a bool
even though it really _can_ only take values 0 or 1 (and, as above,
tried to make the call sites consistent in not calling those values
true and false), on the grounds that I thought it would make it more
confusing to imply that the 0 value was in some sense 'negative' or
bad and the 1 positive or good:
- the return value of plug_accepting uses the POSIXish convention of
0=success and nonzero=error; I think if I made it bool then I'd
also want to reverse its sense, and that's a job for a separate
piece of work.
- the 'screen' parameter to lineptr() in terminal.c, where 0 and 1
represent the default and alternate screens. There's no obvious
reason why one of those should be considered 'true' or 'positive'
or 'success' - they're just indices - so I've left it as int.
ssh_scp_recv had particularly confusing semantics for its previous int
return value: its call sites used '<= 0' to check for error, but it
never actually returned a negative number, just 0 or 1. Now the
function and its call sites agree that it's a bool.
In a couple of places I've renamed variables called 'ret', because I
don't like that name any more - it's unclear whether it means the
return value (in preparation) for the _containing_ function or the
return value received from a subroutine call, and occasionally I've
accidentally used the same variable for both and introduced a bug. So
where one of those got in my way, I've renamed it to 'toret' or 'retd'
(the latter short for 'returned') in line with my usual modern
practice, but I haven't done a thorough job of finding all of them.
Finally, one amusing side effect of doing this is that I've had to
separate quite a few chained assignments. It used to be perfectly fine
to write 'a = b = c = TRUE' when a,b,c were int and TRUE was just a
the 'true' defined by stdbool.h, that idiom provokes a warning from
gcc: 'suggest parentheses around assignment used as truth value'!
2018-11-02 19:23:19 +00:00
|
|
|
try_file = false;
|
|
|
|
try_comment = false;
|
2021-03-13 10:27:50 +00:00
|
|
|
} else if (!strnicmp(string, "md5:", 4)) {
|
|
|
|
string += 4;
|
|
|
|
try_file = false;
|
|
|
|
try_comment = false;
|
|
|
|
try_all_fptypes = false;
|
|
|
|
fptype = SSH_FPTYPE_MD5;
|
|
|
|
} else if (!strncmp(string, "sha256:", 7)) {
|
|
|
|
string += 7;
|
|
|
|
try_file = false;
|
|
|
|
try_comment = false;
|
|
|
|
try_all_fptypes = false;
|
|
|
|
fptype = SSH_FPTYPE_SHA256;
|
2015-05-12 12:27:33 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Try interpreting the string as a key file name.
|
|
|
|
*/
|
|
|
|
if (try_file) {
|
|
|
|
Filename *fn = filename_from_str(string);
|
|
|
|
int keytype = key_type(fn);
|
|
|
|
if (keytype == SSH_KEYTYPE_SSH1 ||
|
|
|
|
keytype == SSH_KEYTYPE_SSH1_PUBLIC) {
|
|
|
|
const char *error;
|
|
|
|
|
2018-05-24 09:59:39 +00:00
|
|
|
key_in.blob = strbuf_new();
|
2020-01-05 10:28:45 +00:00
|
|
|
if (!rsa1_loadpub_f(fn, BinarySink_UPCAST(key_in.blob),
|
|
|
|
NULL, &error)) {
|
2018-05-24 09:59:39 +00:00
|
|
|
strbuf_free(key_in.blob);
|
|
|
|
key_in.blob = NULL;
|
2015-05-12 12:27:33 +00:00
|
|
|
if (file_errors) {
|
|
|
|
*retstr = dupprintf("unable to load file '%s': %s",
|
|
|
|
string, error);
|
|
|
|
filename_free(fn);
|
|
|
|
return NULL;
|
|
|
|
}
|
2017-02-15 05:31:30 +00:00
|
|
|
} else {
|
|
|
|
/*
|
|
|
|
* If we've successfully loaded the file, stop here - we
|
|
|
|
* already have a key blob and need not go to the agent to
|
|
|
|
* list things.
|
|
|
|
*/
|
|
|
|
key_in.ssh_version = 1;
|
|
|
|
key_in.comment = NULL;
|
|
|
|
key_ret = pageant_pubkey_copy(&key_in);
|
2018-05-24 09:59:39 +00:00
|
|
|
strbuf_free(key_in.blob);
|
|
|
|
key_in.blob = NULL;
|
2017-02-15 05:31:30 +00:00
|
|
|
filename_free(fn);
|
|
|
|
return key_ret;
|
2015-05-12 12:27:33 +00:00
|
|
|
}
|
|
|
|
} else if (keytype == SSH_KEYTYPE_SSH2 ||
|
|
|
|
keytype == SSH_KEYTYPE_SSH2_PUBLIC_RFC4716 ||
|
|
|
|
keytype == SSH_KEYTYPE_SSH2_PUBLIC_OPENSSH) {
|
|
|
|
const char *error;
|
|
|
|
|
2018-05-24 09:59:39 +00:00
|
|
|
key_in.blob = strbuf_new();
|
2020-01-05 10:28:45 +00:00
|
|
|
if (!ppk_loadpub_f(fn, NULL, BinarySink_UPCAST(key_in.blob),
|
|
|
|
NULL, &error)) {
|
2018-05-24 09:59:39 +00:00
|
|
|
strbuf_free(key_in.blob);
|
|
|
|
key_in.blob = NULL;
|
2015-05-12 12:27:33 +00:00
|
|
|
if (file_errors) {
|
|
|
|
*retstr = dupprintf("unable to load file '%s': %s",
|
|
|
|
string, error);
|
|
|
|
filename_free(fn);
|
|
|
|
return NULL;
|
|
|
|
}
|
2017-02-15 05:31:30 +00:00
|
|
|
} else {
|
|
|
|
/*
|
|
|
|
* If we've successfully loaded the file, stop here - we
|
|
|
|
* already have a key blob and need not go to the agent to
|
|
|
|
* list things.
|
|
|
|
*/
|
|
|
|
key_in.ssh_version = 2;
|
|
|
|
key_in.comment = NULL;
|
|
|
|
key_ret = pageant_pubkey_copy(&key_in);
|
2018-05-24 09:59:39 +00:00
|
|
|
strbuf_free(key_in.blob);
|
|
|
|
key_in.blob = NULL;
|
2017-02-15 05:31:30 +00:00
|
|
|
filename_free(fn);
|
|
|
|
return key_ret;
|
2015-05-12 12:27:33 +00:00
|
|
|
}
|
|
|
|
} else {
|
|
|
|
if (file_errors) {
|
|
|
|
*retstr = dupprintf("unable to load key file '%s': %s",
|
|
|
|
string, key_type_to_str(keytype));
|
|
|
|
filename_free(fn);
|
|
|
|
return NULL;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
filename_free(fn);
|
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Failing that, go through the keys in the agent, and match
|
|
|
|
* against fingerprints and comments as appropriate.
|
|
|
|
*/
|
|
|
|
ctx->string = string;
|
|
|
|
ctx->match_fp = try_fp;
|
|
|
|
ctx->match_comment = try_comment;
|
2021-03-13 10:27:50 +00:00
|
|
|
for (unsigned i = 0; i < SSH_N_FPTYPES; i++)
|
|
|
|
ctx->match_fptypes[i] = (try_all_fptypes || i == fptype);
|
2015-05-12 12:27:33 +00:00
|
|
|
ctx->found = NULL;
|
|
|
|
ctx->nfound = 0;
|
|
|
|
if (pageant_enum_keys(key_find_callback, ctx, retstr) ==
|
|
|
|
PAGEANT_ACTION_FAILURE)
|
|
|
|
return NULL;
|
|
|
|
|
|
|
|
if (ctx->nfound == 0) {
|
|
|
|
*retstr = dupstr("no key matched");
|
|
|
|
assert(!ctx->found);
|
|
|
|
return NULL;
|
|
|
|
} else if (ctx->nfound > 1) {
|
|
|
|
*retstr = dupstr("multiple keys matched");
|
|
|
|
assert(ctx->found);
|
|
|
|
pageant_pubkey_free(ctx->found);
|
|
|
|
return NULL;
|
|
|
|
}
|
|
|
|
|
|
|
|
assert(ctx->found);
|
|
|
|
return ctx->found;
|
|
|
|
}
|
|
|
|
|
2015-05-11 16:56:37 +00:00
|
|
|
void run_client(void)
|
|
|
|
{
|
2015-05-11 16:58:55 +00:00
|
|
|
const struct cmdline_key_action *act;
|
2015-05-12 12:27:33 +00:00
|
|
|
struct pageant_pubkey *key;
|
Convert a lot of 'int' variables to 'bool'.
My normal habit these days, in new code, is to treat int and bool as
_almost_ completely separate types. I'm still willing to use C's
implicit test for zero on an integer (e.g. 'if (!blob.len)' is fine,
no need to spell it out as blob.len != 0), but generally, if a
variable is going to be conceptually a boolean, I like to declare it
bool and assign to it using 'true' or 'false' rather than 0 or 1.
PuTTY is an exception, because it predates the C99 bool, and I've
stuck to its existing coding style even when adding new code to it.
But it's been annoying me more and more, so now that I've decided C99
bool is an acceptable thing to require from our toolchain in the first
place, here's a quite thorough trawl through the source doing
'boolification'. Many variables and function parameters are now typed
as bool rather than int; many assignments of 0 or 1 to those variables
are now spelled 'true' or 'false'.
I managed this thorough conversion with the help of a custom clang
plugin that I wrote to trawl the AST and apply heuristics to point out
where things might want changing. So I've even managed to do a decent
job on parts of the code I haven't looked at in years!
To make the plugin's work easier, I pushed platform front ends
generally in the direction of using standard 'bool' in preference to
platform-specific boolean types like Windows BOOL or GTK's gboolean;
I've left the platform booleans in places they _have_ to be for the
platform APIs to work right, but variables only used by my own code
have been converted wherever I found them.
In a few places there are int values that look very like booleans in
_most_ of the places they're used, but have a rarely-used third value,
or a distinction between different nonzero values that most users
don't care about. In these cases, I've _removed_ uses of 'true' and
'false' for the return values, to emphasise that there's something
more subtle going on than a simple boolean answer:
- the 'multisel' field in dialog.h's list box structure, for which
the GTK front end in particular recognises a difference between 1
and 2 but nearly everything else treats as boolean
- the 'urgent' parameter to plug_receive, where 1 vs 2 tells you
something about the specific location of the urgent pointer, but
most clients only care about 0 vs 'something nonzero'
- the return value of wc_match, where -1 indicates a syntax error in
the wildcard.
- the return values from SSH-1 RSA-key loading functions, which use
-1 for 'wrong passphrase' and 0 for all other failures (so any
caller which already knows it's not loading an _encrypted private_
key can treat them as boolean)
- term->esc_query, and the 'query' parameter in toggle_mode in
terminal.c, which _usually_ hold 0 for ESC[123h or 1 for ESC[?123h,
but can also hold -1 for some other intervening character that we
don't support.
In a few places there's an integer that I haven't turned into a bool
even though it really _can_ only take values 0 or 1 (and, as above,
tried to make the call sites consistent in not calling those values
true and false), on the grounds that I thought it would make it more
confusing to imply that the 0 value was in some sense 'negative' or
bad and the 1 positive or good:
- the return value of plug_accepting uses the POSIXish convention of
0=success and nonzero=error; I think if I made it bool then I'd
also want to reverse its sense, and that's a job for a separate
piece of work.
- the 'screen' parameter to lineptr() in terminal.c, where 0 and 1
represent the default and alternate screens. There's no obvious
reason why one of those should be considered 'true' or 'positive'
or 'success' - they're just indices - so I've left it as int.
ssh_scp_recv had particularly confusing semantics for its previous int
return value: its call sites used '<= 0' to check for error, but it
never actually returned a negative number, just 0 or 1. Now the
function and its call sites agree that it's a bool.
In a couple of places I've renamed variables called 'ret', because I
don't like that name any more - it's unclear whether it means the
return value (in preparation) for the _containing_ function or the
return value received from a subroutine call, and occasionally I've
accidentally used the same variable for both and introduced a bug. So
where one of those got in my way, I've renamed it to 'toret' or 'retd'
(the latter short for 'returned') in line with my usual modern
practice, but I haven't done a thorough job of finding all of them.
Finally, one amusing side effect of doing this is that I've had to
separate quite a few chained assignments. It used to be perfectly fine
to write 'a = b = c = TRUE' when a,b,c were int and TRUE was just a
the 'true' defined by stdbool.h, that idiom provokes a warning from
gcc: 'suggest parentheses around assignment used as truth value'!
2018-11-02 19:23:19 +00:00
|
|
|
bool errors = false;
|
2015-05-11 17:34:45 +00:00
|
|
|
char *retstr;
|
2020-02-09 21:56:21 +00:00
|
|
|
LoadedFile *message = lf_new(AGENT_MAX_MSGLEN);
|
|
|
|
bool message_loaded = false, message_ok = false;
|
|
|
|
strbuf *signature = strbuf_new();
|
2015-05-11 16:58:55 +00:00
|
|
|
|
2015-05-11 16:56:51 +00:00
|
|
|
if (!agent_exists()) {
|
|
|
|
fprintf(stderr, "pageant: no agent running to talk to\n");
|
|
|
|
exit(1);
|
|
|
|
}
|
2015-05-11 16:58:55 +00:00
|
|
|
|
|
|
|
for (act = keyact_head; act; act = act->next) {
|
|
|
|
switch (act->action) {
|
|
|
|
case KEYACT_CLIENT_ADD:
|
2020-02-08 17:28:46 +00:00
|
|
|
case KEYACT_CLIENT_ADD_ENCRYPTED:
|
|
|
|
if (!unix_add_keyfile(act->filename,
|
|
|
|
act->action == KEYACT_CLIENT_ADD_ENCRYPTED))
|
2018-10-29 19:50:29 +00:00
|
|
|
errors = true;
|
2015-05-11 16:58:55 +00:00
|
|
|
break;
|
2015-05-11 17:34:45 +00:00
|
|
|
case KEYACT_CLIENT_LIST:
|
|
|
|
if (pageant_enum_keys(key_list_callback, NULL, &retstr) ==
|
|
|
|
PAGEANT_ACTION_FAILURE) {
|
|
|
|
fprintf(stderr, "pageant: listing keys: %s\n", retstr);
|
|
|
|
sfree(retstr);
|
2018-10-29 19:50:29 +00:00
|
|
|
errors = true;
|
2015-05-11 17:34:45 +00:00
|
|
|
}
|
|
|
|
break;
|
2015-05-11 16:58:55 +00:00
|
|
|
case KEYACT_CLIENT_DEL:
|
2015-05-12 12:27:33 +00:00
|
|
|
key = NULL;
|
|
|
|
if (!(key = find_key(act->filename, &retstr)) ||
|
|
|
|
pageant_delete_key(key, &retstr) == PAGEANT_ACTION_FAILURE) {
|
|
|
|
fprintf(stderr, "pageant: deleting key '%s': %s\n",
|
|
|
|
act->filename, retstr);
|
|
|
|
sfree(retstr);
|
2018-10-29 19:50:29 +00:00
|
|
|
errors = true;
|
2015-05-12 12:27:33 +00:00
|
|
|
}
|
|
|
|
if (key)
|
|
|
|
pageant_pubkey_free(key);
|
|
|
|
break;
|
2020-02-15 16:40:19 +00:00
|
|
|
case KEYACT_CLIENT_REENCRYPT:
|
|
|
|
key = NULL;
|
|
|
|
if (!(key = find_key(act->filename, &retstr)) ||
|
|
|
|
pageant_reencrypt_key(key, &retstr) == PAGEANT_ACTION_FAILURE) {
|
|
|
|
fprintf(stderr, "pageant: re-encrypting key '%s': %s\n",
|
|
|
|
act->filename, retstr);
|
|
|
|
sfree(retstr);
|
|
|
|
errors = true;
|
|
|
|
}
|
|
|
|
if (key)
|
|
|
|
pageant_pubkey_free(key);
|
|
|
|
break;
|
2015-05-12 13:48:32 +00:00
|
|
|
case KEYACT_CLIENT_PUBLIC_OPENSSH:
|
|
|
|
case KEYACT_CLIENT_PUBLIC:
|
|
|
|
key = NULL;
|
|
|
|
if (!(key = find_key(act->filename, &retstr))) {
|
|
|
|
fprintf(stderr, "pageant: finding key '%s': %s\n",
|
|
|
|
act->filename, retstr);
|
|
|
|
sfree(retstr);
|
2018-10-29 19:50:29 +00:00
|
|
|
errors = true;
|
2015-05-12 13:48:32 +00:00
|
|
|
} else {
|
|
|
|
FILE *fp = stdout; /* FIXME: add a -o option? */
|
|
|
|
|
|
|
|
if (key->ssh_version == 1) {
|
2018-05-29 19:36:21 +00:00
|
|
|
BinarySource src[1];
|
2019-01-04 06:51:44 +00:00
|
|
|
RSAKey rkey;
|
2018-05-29 19:36:21 +00:00
|
|
|
|
|
|
|
BinarySource_BARE_INIT(src, key->blob->u, key->blob->len);
|
2015-05-12 13:48:32 +00:00
|
|
|
memset(&rkey, 0, sizeof(rkey));
|
|
|
|
rkey.comment = dupstr(key->comment);
|
2018-06-03 07:23:07 +00:00
|
|
|
get_rsa_ssh1_pub(src, &rkey, RSA_SSH1_EXPONENT_FIRST);
|
2015-05-12 13:48:32 +00:00
|
|
|
ssh1_write_pubkey(fp, &rkey);
|
|
|
|
freersakey(&rkey);
|
|
|
|
} else {
|
2018-05-24 09:59:39 +00:00
|
|
|
ssh2_write_pubkey(fp, key->comment,
|
|
|
|
key->blob->u,
|
|
|
|
key->blob->len,
|
2015-05-12 13:48:32 +00:00
|
|
|
(act->action == KEYACT_CLIENT_PUBLIC ?
|
|
|
|
SSH_KEYTYPE_SSH2_PUBLIC_RFC4716 :
|
|
|
|
SSH_KEYTYPE_SSH2_PUBLIC_OPENSSH));
|
|
|
|
}
|
|
|
|
pageant_pubkey_free(key);
|
|
|
|
}
|
|
|
|
break;
|
2015-05-11 16:58:55 +00:00
|
|
|
case KEYACT_CLIENT_DEL_ALL:
|
2015-05-12 13:55:44 +00:00
|
|
|
if (pageant_delete_all_keys(&retstr) == PAGEANT_ACTION_FAILURE) {
|
|
|
|
fprintf(stderr, "pageant: deleting all keys: %s\n", retstr);
|
|
|
|
sfree(retstr);
|
2018-10-29 19:50:29 +00:00
|
|
|
errors = true;
|
2015-05-12 13:55:44 +00:00
|
|
|
}
|
2015-05-11 16:58:55 +00:00
|
|
|
break;
|
2020-02-15 16:40:19 +00:00
|
|
|
case KEYACT_CLIENT_REENCRYPT_ALL: {
|
|
|
|
int status = pageant_reencrypt_all_keys(&retstr);
|
|
|
|
if (status == PAGEANT_ACTION_FAILURE) {
|
|
|
|
fprintf(stderr, "pageant: re-encrypting all keys: "
|
|
|
|
"%s\n", retstr);
|
|
|
|
sfree(retstr);
|
|
|
|
errors = true;
|
|
|
|
} else if (status == PAGEANT_ACTION_WARNING) {
|
|
|
|
fprintf(stderr, "pageant: re-encrypting all keys: "
|
|
|
|
"warning: %s\n", retstr);
|
|
|
|
sfree(retstr);
|
|
|
|
}
|
|
|
|
break;
|
|
|
|
}
|
2020-02-09 21:56:21 +00:00
|
|
|
case KEYACT_CLIENT_SIGN:
|
|
|
|
key = NULL;
|
|
|
|
if (!message_loaded) {
|
|
|
|
message_loaded = true;
|
|
|
|
switch(lf_load_fp(message, stdin)) {
|
|
|
|
case LF_TOO_BIG:
|
|
|
|
fprintf(stderr, "pageant: message to sign is too big\n");
|
|
|
|
errors = true;
|
|
|
|
break;
|
|
|
|
case LF_ERROR:
|
|
|
|
fprintf(stderr, "pageant: reading message to sign: %s\n",
|
|
|
|
strerror(errno));
|
|
|
|
errors = true;
|
|
|
|
break;
|
|
|
|
case LF_OK:
|
|
|
|
message_ok = true;
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
if (!message_ok)
|
|
|
|
break;
|
|
|
|
strbuf_clear(signature);
|
|
|
|
if (!(key = find_key(act->filename, &retstr)) ||
|
|
|
|
pageant_sign(key, ptrlen_from_lf(message), signature,
|
|
|
|
sign_flags, &retstr) == PAGEANT_ACTION_FAILURE) {
|
|
|
|
fprintf(stderr, "pageant: signing with key '%s': %s\n",
|
|
|
|
act->filename, retstr);
|
|
|
|
sfree(retstr);
|
|
|
|
errors = true;
|
|
|
|
} else {
|
|
|
|
fwrite(signature->s, 1, signature->len, stdout);
|
|
|
|
}
|
|
|
|
if (key)
|
|
|
|
pageant_pubkey_free(key);
|
|
|
|
break;
|
2015-05-11 16:58:55 +00:00
|
|
|
default:
|
2019-01-03 08:12:19 +00:00
|
|
|
unreachable("Invalid client action found");
|
2015-05-11 16:58:55 +00:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2020-02-09 21:56:21 +00:00
|
|
|
lf_free(message);
|
|
|
|
strbuf_free(signature);
|
|
|
|
|
2015-05-11 16:58:55 +00:00
|
|
|
if (errors)
|
|
|
|
exit(1);
|
2015-05-11 16:56:37 +00:00
|
|
|
}
|
|
|
|
|
2018-10-05 06:03:46 +00:00
|
|
|
static const PlugVtable X11Connection_plugvt = {
|
Change vtable defs to use C99 designated initialisers.
This is a sweeping change applied across the whole code base by a spot
of Emacs Lisp. Now, everywhere I declare a vtable filled with function
pointers (and the occasional const data member), all the members of
the vtable structure are initialised by name using the '.fieldname =
value' syntax introduced in C99.
We were already using this syntax for a handful of things in the new
key-generation progress report system, so it's not new to the code
base as a whole.
The advantage is that now, when a vtable only declares a subset of the
available fields, I can initialise the rest to NULL or zero just by
leaving them out. This is most dramatic in a couple of the outlying
vtables in things like psocks (which has a ConnectionLayerVtable
containing only one non-NULL method), but less dramatically, it means
that the new 'flags' field in BackendVtable can be completely left out
of every backend definition except for the SUPDUP one which defines it
to a nonzero value. Similarly, the test_for_upstream method only used
by SSH doesn't have to be mentioned in the rest of the backends;
network Plugs for listening sockets don't have to explicitly null out
'receive' and 'sent', and vice versa for 'accepting', and so on.
While I'm at it, I've normalised the declarations so they don't use
the unnecessarily verbose 'struct' keyword. Also a handful of them
weren't const; now they are.
2020-03-10 21:06:29 +00:00
|
|
|
.log = x11_log,
|
|
|
|
.closing = x11_closing,
|
|
|
|
.receive = x11_receive,
|
|
|
|
.sent = x11_sent,
|
2018-05-27 08:29:33 +00:00
|
|
|
};
|
|
|
|
|
2020-02-07 19:14:32 +00:00
|
|
|
|
|
|
|
static bool agent_loop_pw_setup(void *vctx, pollwrapper *pw)
|
|
|
|
{
|
|
|
|
struct uxpgnt_client *upc = (struct uxpgnt_client *)vctx;
|
|
|
|
|
|
|
|
if (signalpipe[0] >= 0) {
|
|
|
|
pollwrap_add_fd_rwx(pw, signalpipe[0], SELECT_R);
|
|
|
|
}
|
|
|
|
|
2020-02-08 18:36:09 +00:00
|
|
|
if (upc->prompt_active)
|
2020-02-07 19:14:32 +00:00
|
|
|
pollwrap_add_fd_rwx(pw, upc->passphrase_fd, SELECT_R);
|
|
|
|
|
|
|
|
return true;
|
|
|
|
}
|
|
|
|
|
|
|
|
static void agent_loop_pw_check(void *vctx, pollwrapper *pw)
|
|
|
|
{
|
|
|
|
struct uxpgnt_client *upc = (struct uxpgnt_client *)vctx;
|
|
|
|
|
|
|
|
if (life == LIFE_TTY) {
|
|
|
|
/*
|
|
|
|
* Every time we wake up (whether it was due to tty_timer
|
|
|
|
* elapsing or for any other reason), poll to see if we still
|
|
|
|
* have a controlling terminal. If we don't, then our
|
|
|
|
* containing tty session has ended, so it's time to clean up
|
|
|
|
* and leave.
|
|
|
|
*/
|
|
|
|
if (!have_controlling_tty()) {
|
|
|
|
time_to_die = true;
|
|
|
|
return;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
if (signalpipe[0] >= 0 &&
|
|
|
|
pollwrap_check_fd_rwx(pw, signalpipe[0], SELECT_R)) {
|
|
|
|
char c[1];
|
|
|
|
if (read(signalpipe[0], c, 1) <= 0)
|
|
|
|
/* ignore error */;
|
|
|
|
/* ignore its value; it'll be `x' */
|
|
|
|
while (1) {
|
|
|
|
int status;
|
|
|
|
pid_t pid;
|
|
|
|
pid = waitpid(-1, &status, WNOHANG);
|
|
|
|
if (pid <= 0)
|
|
|
|
break;
|
|
|
|
if (pid == upc->termination_pid)
|
|
|
|
time_to_die = true;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2020-02-08 18:36:09 +00:00
|
|
|
if (upc->prompt_active &&
|
2020-02-07 19:14:32 +00:00
|
|
|
pollwrap_check_fd_rwx(pw, upc->passphrase_fd, SELECT_R)) {
|
|
|
|
char c;
|
|
|
|
int retd = read(upc->passphrase_fd, &c, 1);
|
2020-02-08 18:36:09 +00:00
|
|
|
|
|
|
|
switch (upc->prompt_type) {
|
|
|
|
case RTPROMPT_GUI:
|
|
|
|
if (retd <= 0) {
|
|
|
|
close(upc->passphrase_fd);
|
|
|
|
upc->passphrase_fd = -1;
|
|
|
|
bool ok = (retd == 0);
|
|
|
|
if (!strbuf_chomp(upc->prompt_buf, '\n'))
|
|
|
|
ok = false;
|
|
|
|
passphrase_done(upc, ok);
|
|
|
|
} else {
|
|
|
|
put_byte(upc->prompt_buf, c);
|
|
|
|
}
|
|
|
|
break;
|
|
|
|
case RTPROMPT_DEBUG:
|
|
|
|
if (retd <= 0) {
|
|
|
|
passphrase_done(upc, false);
|
|
|
|
/* Now never try to read from stdin again */
|
|
|
|
upc->prompt_type = RTPROMPT_UNAVAILABLE;
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
|
2020-02-07 19:14:32 +00:00
|
|
|
switch (c) {
|
|
|
|
case '\n':
|
|
|
|
case '\r':
|
|
|
|
passphrase_done(upc, true);
|
|
|
|
break;
|
|
|
|
case '\004':
|
|
|
|
passphrase_done(upc, false);
|
|
|
|
break;
|
|
|
|
case '\b':
|
|
|
|
case '\177':
|
2020-02-08 18:36:09 +00:00
|
|
|
strbuf_shrink_by(upc->prompt_buf, 1);
|
2020-02-07 19:14:32 +00:00
|
|
|
break;
|
|
|
|
case '\025':
|
2020-02-08 18:36:09 +00:00
|
|
|
strbuf_clear(upc->prompt_buf);
|
2020-02-07 19:14:32 +00:00
|
|
|
break;
|
|
|
|
default:
|
2020-02-08 18:36:09 +00:00
|
|
|
put_byte(upc->prompt_buf, c);
|
2020-02-07 19:14:32 +00:00
|
|
|
break;
|
|
|
|
}
|
2020-02-08 18:36:09 +00:00
|
|
|
break;
|
|
|
|
case RTPROMPT_UNAVAILABLE:
|
|
|
|
unreachable("Should never have started a prompt at all");
|
2020-02-07 19:14:32 +00:00
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
static bool agent_loop_continue(void *vctx, bool fd, bool cb)
|
|
|
|
{
|
|
|
|
return !time_to_die;
|
|
|
|
}
|
|
|
|
|
2020-02-02 18:52:10 +00:00
|
|
|
void run_agent(FILE *logfp, const char *symlink_path)
|
2015-05-05 19:16:23 +00:00
|
|
|
{
|
|
|
|
const char *err;
|
2018-10-14 17:48:02 +00:00
|
|
|
char *errw;
|
2015-05-05 19:16:23 +00:00
|
|
|
struct pageant_listen_state *pl;
|
Get rid of lots of implicit pointer types.
All the main backend structures - Ssh, Telnet, Pty, Serial etc - now
describe structure types themselves rather than pointers to them. The
same goes for the codebase-wide trait types Socket and Plug, and the
supporting types SockAddr and Pinger.
All those things that were typedefed as pointers are older types; the
newer ones have the explicit * at the point of use, because that's
what I now seem to be preferring. But whichever one of those is
better, inconsistently using a mixture of the two styles is worse, so
let's make everything consistent.
A few types are still implicitly pointers, such as Bignum and some of
the GSSAPI types; generally this is either because they have to be
void *, or because they're typedefed differently on different
platforms and aren't always pointers at all. Can't be helped. But I've
got rid of the main ones, at least.
2018-10-04 18:10:23 +00:00
|
|
|
Plug *pl_plug;
|
|
|
|
Socket *sock;
|
Convert a lot of 'int' variables to 'bool'.
My normal habit these days, in new code, is to treat int and bool as
_almost_ completely separate types. I'm still willing to use C's
implicit test for zero on an integer (e.g. 'if (!blob.len)' is fine,
no need to spell it out as blob.len != 0), but generally, if a
variable is going to be conceptually a boolean, I like to declare it
bool and assign to it using 'true' or 'false' rather than 0 or 1.
PuTTY is an exception, because it predates the C99 bool, and I've
stuck to its existing coding style even when adding new code to it.
But it's been annoying me more and more, so now that I've decided C99
bool is an acceptable thing to require from our toolchain in the first
place, here's a quite thorough trawl through the source doing
'boolification'. Many variables and function parameters are now typed
as bool rather than int; many assignments of 0 or 1 to those variables
are now spelled 'true' or 'false'.
I managed this thorough conversion with the help of a custom clang
plugin that I wrote to trawl the AST and apply heuristics to point out
where things might want changing. So I've even managed to do a decent
job on parts of the code I haven't looked at in years!
To make the plugin's work easier, I pushed platform front ends
generally in the direction of using standard 'bool' in preference to
platform-specific boolean types like Windows BOOL or GTK's gboolean;
I've left the platform booleans in places they _have_ to be for the
platform APIs to work right, but variables only used by my own code
have been converted wherever I found them.
In a few places there are int values that look very like booleans in
_most_ of the places they're used, but have a rarely-used third value,
or a distinction between different nonzero values that most users
don't care about. In these cases, I've _removed_ uses of 'true' and
'false' for the return values, to emphasise that there's something
more subtle going on than a simple boolean answer:
- the 'multisel' field in dialog.h's list box structure, for which
the GTK front end in particular recognises a difference between 1
and 2 but nearly everything else treats as boolean
- the 'urgent' parameter to plug_receive, where 1 vs 2 tells you
something about the specific location of the urgent pointer, but
most clients only care about 0 vs 'something nonzero'
- the return value of wc_match, where -1 indicates a syntax error in
the wildcard.
- the return values from SSH-1 RSA-key loading functions, which use
-1 for 'wrong passphrase' and 0 for all other failures (so any
caller which already knows it's not loading an _encrypted private_
key can treat them as boolean)
- term->esc_query, and the 'query' parameter in toggle_mode in
terminal.c, which _usually_ hold 0 for ESC[123h or 1 for ESC[?123h,
but can also hold -1 for some other intervening character that we
don't support.
In a few places there's an integer that I haven't turned into a bool
even though it really _can_ only take values 0 or 1 (and, as above,
tried to make the call sites consistent in not calling those values
true and false), on the grounds that I thought it would make it more
confusing to imply that the 0 value was in some sense 'negative' or
bad and the 1 positive or good:
- the return value of plug_accepting uses the POSIXish convention of
0=success and nonzero=error; I think if I made it bool then I'd
also want to reverse its sense, and that's a job for a separate
piece of work.
- the 'screen' parameter to lineptr() in terminal.c, where 0 and 1
represent the default and alternate screens. There's no obvious
reason why one of those should be considered 'true' or 'positive'
or 'success' - they're just indices - so I've left it as int.
ssh_scp_recv had particularly confusing semantics for its previous int
return value: its call sites used '<= 0' to check for error, but it
never actually returned a negative number, just 0 or 1. Now the
function and its call sites agree that it's a bool.
In a couple of places I've renamed variables called 'ret', because I
don't like that name any more - it's unclear whether it means the
return value (in preparation) for the _containing_ function or the
return value received from a subroutine call, and occasionally I've
accidentally used the same variable for both and introduced a bug. So
where one of those got in my way, I've renamed it to 'toret' or 'retd'
(the latter short for 'returned') in line with my usual modern
practice, but I haven't done a thorough job of finding all of them.
Finally, one amusing side effect of doing this is that I've had to
separate quite a few chained assignments. It used to be perfectly fine
to write 'a = b = c = TRUE' when a,b,c were int and TRUE was just a
the 'true' defined by stdbool.h, that idiom provokes a warning from
gcc: 'suggest parentheses around assignment used as truth value'!
2018-11-02 19:23:19 +00:00
|
|
|
bool errors = false;
|
2015-05-07 18:04:25 +00:00
|
|
|
Conf *conf;
|
2015-05-11 16:58:55 +00:00
|
|
|
const struct cmdline_key_action *act;
|
2015-05-05 19:16:23 +00:00
|
|
|
|
2015-05-11 16:58:55 +00:00
|
|
|
pageant_init();
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Start by loading any keys provided on the command line.
|
|
|
|
*/
|
|
|
|
for (act = keyact_head; act; act = act->next) {
|
2020-02-08 17:28:46 +00:00
|
|
|
assert(act->action == KEYACT_AGENT_LOAD ||
|
|
|
|
act->action == KEYACT_AGENT_LOAD_ENCRYPTED);
|
|
|
|
if (!unix_add_keyfile(act->filename,
|
|
|
|
act->action == KEYACT_AGENT_LOAD_ENCRYPTED))
|
2018-10-29 19:50:29 +00:00
|
|
|
errors = true;
|
2015-05-11 16:58:55 +00:00
|
|
|
}
|
|
|
|
if (errors)
|
|
|
|
exit(1);
|
|
|
|
|
2015-05-05 19:16:23 +00:00
|
|
|
/*
|
|
|
|
* Set up a listening socket and run Pageant on it.
|
|
|
|
*/
|
Pageant: new asynchronous internal APIs.
This is a pure refactoring: no functional change expected.
This commit introduces two new small vtable-style APIs. One is
PageantClient, which identifies a particular client of the Pageant
'core' (meaning the code that handles each individual request). This
changes pageant_handle_msg into an asynchronous operation: you pass in
an agent request message and an identifier, and at some later point,
the got_response method in your PageantClient will be called with the
answer (and the same identifier, to allow you to match requests to
responses). The trait vtable also contains a logging system.
The main importance of PageantClient, and the reason why it has to
exist instead of just passing pageant_handle_msg a bare callback
function pointer and context parameter, is that it provides robustness
if a client stops existing while a request is still pending. You call
pageant_unregister_client, and any unfinished requests associated with
that client in the Pageant core will be cleaned up, so that you're
guaranteed that after the unregister operation, no stray callbacks
will happen with a stale pointer to that client.
The WM_COPYDATA interface of Windows Pageant is a direct client of
this API. The other client is PageantListener, the system that lives
in pageant.c and handles stream-based agent connections for both Unix
Pageant and the new Windows named-pipe IPC. More specifically, each
individual connection to the listening socket is a separate
PageantClient, which means that if a socket is closed abruptly or
suffers an OS error, that client can be unregistered and any pending
requests cancelled without disrupting other connections.
Users of PageantListener have a second client vtable they can use,
called PageantListenerClient. That contains _only_ logging facilities,
and at the moment, only Unix Pageant bothers to use it (and even that
only in debugging mode).
Finally, internally to the Pageant core, there's a new trait called
PageantAsyncOp which describes an agent request in the process of
being handled. But at the moment, it has only one trivial
implementation, which is handed the full response message already
constructed, and on the next toplevel callback, passes it back to the
PageantClient.
2020-01-25 17:24:28 +00:00
|
|
|
struct uxpgnt_client upc[1];
|
2020-02-02 16:43:58 +00:00
|
|
|
memset(upc, 0, sizeof(upc));
|
Pageant: new asynchronous internal APIs.
This is a pure refactoring: no functional change expected.
This commit introduces two new small vtable-style APIs. One is
PageantClient, which identifies a particular client of the Pageant
'core' (meaning the code that handles each individual request). This
changes pageant_handle_msg into an asynchronous operation: you pass in
an agent request message and an identifier, and at some later point,
the got_response method in your PageantClient will be called with the
answer (and the same identifier, to allow you to match requests to
responses). The trait vtable also contains a logging system.
The main importance of PageantClient, and the reason why it has to
exist instead of just passing pageant_handle_msg a bare callback
function pointer and context parameter, is that it provides robustness
if a client stops existing while a request is still pending. You call
pageant_unregister_client, and any unfinished requests associated with
that client in the Pageant core will be cleaned up, so that you're
guaranteed that after the unregister operation, no stray callbacks
will happen with a stale pointer to that client.
The WM_COPYDATA interface of Windows Pageant is a direct client of
this API. The other client is PageantListener, the system that lives
in pageant.c and handles stream-based agent connections for both Unix
Pageant and the new Windows named-pipe IPC. More specifically, each
individual connection to the listening socket is a separate
PageantClient, which means that if a socket is closed abruptly or
suffers an OS error, that client can be unregistered and any pending
requests cancelled without disrupting other connections.
Users of PageantListener have a second client vtable they can use,
called PageantListenerClient. That contains _only_ logging facilities,
and at the moment, only Unix Pageant bothers to use it (and even that
only in debugging mode).
Finally, internally to the Pageant core, there's a new trait called
PageantAsyncOp which describes an agent request in the process of
being handled. But at the moment, it has only one trivial
implementation, which is handed the full response message already
constructed, and on the next toplevel callback, passes it back to the
PageantClient.
2020-01-25 17:24:28 +00:00
|
|
|
upc->plc.vt = &uxpgnt_vtable;
|
2020-02-02 16:43:58 +00:00
|
|
|
upc->logfp = logfp;
|
2020-02-07 19:14:32 +00:00
|
|
|
upc->passphrase_fd = -1;
|
|
|
|
upc->termination_pid = -1;
|
2020-02-08 18:36:09 +00:00
|
|
|
upc->prompt_buf = strbuf_new_nm();
|
|
|
|
upc->prompt_type = display ? RTPROMPT_GUI : RTPROMPT_UNAVAILABLE;
|
Pageant: new asynchronous internal APIs.
This is a pure refactoring: no functional change expected.
This commit introduces two new small vtable-style APIs. One is
PageantClient, which identifies a particular client of the Pageant
'core' (meaning the code that handles each individual request). This
changes pageant_handle_msg into an asynchronous operation: you pass in
an agent request message and an identifier, and at some later point,
the got_response method in your PageantClient will be called with the
answer (and the same identifier, to allow you to match requests to
responses). The trait vtable also contains a logging system.
The main importance of PageantClient, and the reason why it has to
exist instead of just passing pageant_handle_msg a bare callback
function pointer and context parameter, is that it provides robustness
if a client stops existing while a request is still pending. You call
pageant_unregister_client, and any unfinished requests associated with
that client in the Pageant core will be cleaned up, so that you're
guaranteed that after the unregister operation, no stray callbacks
will happen with a stale pointer to that client.
The WM_COPYDATA interface of Windows Pageant is a direct client of
this API. The other client is PageantListener, the system that lives
in pageant.c and handles stream-based agent connections for both Unix
Pageant and the new Windows named-pipe IPC. More specifically, each
individual connection to the listening socket is a separate
PageantClient, which means that if a socket is closed abruptly or
suffers an OS error, that client can be unregistered and any pending
requests cancelled without disrupting other connections.
Users of PageantListener have a second client vtable they can use,
called PageantListenerClient. That contains _only_ logging facilities,
and at the moment, only Unix Pageant bothers to use it (and even that
only in debugging mode).
Finally, internally to the Pageant core, there's a new trait called
PageantAsyncOp which describes an agent request in the process of
being handled. But at the moment, it has only one trivial
implementation, which is handed the full response message already
constructed, and on the next toplevel callback, passes it back to the
PageantClient.
2020-01-25 17:24:28 +00:00
|
|
|
pl = pageant_listener_new(&pl_plug, &upc->plc);
|
2018-10-14 17:48:02 +00:00
|
|
|
sock = platform_make_agent_socket(pl_plug, PAGEANT_DIR_PREFIX,
|
|
|
|
&errw, &socketname);
|
|
|
|
if (!sock) {
|
|
|
|
fprintf(stderr, "pageant: %s\n", errw);
|
|
|
|
sfree(errw);
|
2015-05-07 18:04:25 +00:00
|
|
|
exit(1);
|
|
|
|
}
|
|
|
|
pageant_listener_got_socket(pl, sock);
|
2015-05-05 19:16:23 +00:00
|
|
|
|
2020-02-02 18:52:10 +00:00
|
|
|
if (symlink_path) {
|
|
|
|
/*
|
|
|
|
* Try to make a symlink to the Unix socket, in a location of
|
|
|
|
* the user's choosing.
|
|
|
|
*
|
|
|
|
* If the link already exists, we want to replace it. There
|
|
|
|
* are two ways we could do this: either make it under another
|
|
|
|
* name and then rename it over the top, or remove the old
|
|
|
|
* link first. The former is what 'ln -sf' does, on the
|
|
|
|
* grounds that it's more atomic. But I think in this case,
|
|
|
|
* where the expected use case is that the previous agent has
|
|
|
|
* long since shut down, atomicity isn't a critical concern
|
|
|
|
* compared to not accidentally overwriting some non-symlink
|
|
|
|
* that might have important data in it!
|
|
|
|
*/
|
|
|
|
struct stat st;
|
|
|
|
if (lstat(symlink_path, &st) == 0 && S_ISLNK(st.st_mode))
|
|
|
|
unlink(symlink_path);
|
|
|
|
if (symlink(socketname, symlink_path) < 0)
|
|
|
|
fprintf(stderr, "pageant: making symlink %s: %s\n",
|
|
|
|
symlink_path, strerror(errno));
|
|
|
|
}
|
|
|
|
|
2015-05-05 19:16:23 +00:00
|
|
|
conf = conf_new();
|
|
|
|
conf_set_int(conf, CONF_proxy_type, PROXY_NONE);
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Lifetime preparations.
|
|
|
|
*/
|
|
|
|
if (life == LIFE_X11) {
|
|
|
|
struct X11Display *disp;
|
|
|
|
void *greeting;
|
|
|
|
int greetinglen;
|
Get rid of lots of implicit pointer types.
All the main backend structures - Ssh, Telnet, Pty, Serial etc - now
describe structure types themselves rather than pointers to them. The
same goes for the codebase-wide trait types Socket and Plug, and the
supporting types SockAddr and Pinger.
All those things that were typedefed as pointers are older types; the
newer ones have the explicit * at the point of use, because that's
what I now seem to be preferring. But whichever one of those is
better, inconsistently using a mixture of the two styles is worse, so
let's make everything consistent.
A few types are still implicitly pointers, such as Bignum and some of
the GSSAPI types; generally this is either because they have to be
void *, or because they're typedefed differently on different
platforms and aren't always pointers at all. Can't be helped. But I've
got rid of the main ones, at least.
2018-10-04 18:10:23 +00:00
|
|
|
Socket *s;
|
2015-05-05 19:16:23 +00:00
|
|
|
struct X11Connection *conn;
|
2018-10-06 09:43:04 +00:00
|
|
|
char *x11_setup_err;
|
2015-05-05 19:16:23 +00:00
|
|
|
|
|
|
|
if (!display) {
|
|
|
|
fprintf(stderr, "pageant: no DISPLAY for -X mode\n");
|
|
|
|
exit(1);
|
|
|
|
}
|
2018-10-06 09:43:04 +00:00
|
|
|
disp = x11_setup_display(display, conf, &x11_setup_err);
|
|
|
|
if (!disp) {
|
|
|
|
fprintf(stderr, "pageant: unable to connect to X server: %s\n",
|
|
|
|
x11_setup_err);
|
|
|
|
sfree(x11_setup_err);
|
|
|
|
exit(1);
|
|
|
|
}
|
2015-05-05 19:16:23 +00:00
|
|
|
|
|
|
|
conn = snew(struct X11Connection);
|
2018-10-05 06:24:16 +00:00
|
|
|
conn->plug.vt = &X11Connection_plugvt;
|
2015-05-05 19:16:23 +00:00
|
|
|
s = new_connection(sk_addr_dup(disp->addr),
|
|
|
|
disp->realhost, disp->port,
|
2021-09-13 16:17:20 +00:00
|
|
|
false, true, false, false, &conn->plug, conf,
|
Allow new_connection to take an optional Seat. (NFC)
This is working towards allowing the subsidiary SSH connection in an
SshProxy to share the main user-facing Seat, so as to be able to pass
through interactive prompts.
This is more difficult than the similar change with LogPolicy, because
Seats are stateful. In particular, the trust-sigil status will need to
be controlled by the SshProxy until it's ready to pass over control to
the main SSH (or whatever) connection.
To make this work, I've introduced a thing called a TempSeat, which is
(yet) another Seat implementation. When a backend hands its Seat to
new_connection(), it does it in a way that allows new_connection() to
borrow it completely, and replace it in the main backend structure
with a TempSeat, which acts as a temporary placeholder. If the main
backend tries to do things like changing trust status or sending
output, the TempSeat will buffer them; later on, when the connection
is established, TempSeat will replay the changes into the real Seat.
So, in each backend, I've made the following changes:
- pass &foo->seat to new_connection, which may overwrite it with a
TempSeat.
- if it has done so (which we can tell via the is_tempseat() query
function), then we have to free the TempSeat and reinstate our main
Seat. The signal that we can do so is the PLUGLOG_CONNECT_SUCCESS
notification, which indicates that SshProxy has finished all its
connection setup work.
- we also have to remember to free the TempSeat if our backend is
disposed of without that having happened (e.g. because the
connection _doesn't_ succeed).
- in backends which have no local auth phase to worry about, ensure
we don't call seat_set_trust_status on the main Seat _before_ it
gets potentially replaced with a TempSeat. Moved some calls of
seat_set_trust_status to just after new_connection(), so that now
the initial trust status setup will go into the TempSeat (if
appropriate) and be buffered until that seat is relinquished.
In all other uses of new_connection, where we don't have a Seat
available at all, we just pass NULL.
This is NFC, because neither new_connection() nor any of its delegates
will _actually_ do this replacement yet. We're just setting up the
framework to enable it to do so in the next commit.
2021-09-13 16:17:20 +00:00
|
|
|
NULL, NULL);
|
2015-05-05 19:16:23 +00:00
|
|
|
if ((err = sk_socket_error(s)) != NULL) {
|
|
|
|
fprintf(stderr, "pageant: unable to connect to X server: %s", err);
|
|
|
|
exit(1);
|
|
|
|
}
|
|
|
|
greeting = x11_make_greeting('B', 11, 0, disp->localauthproto,
|
|
|
|
disp->localauthdata,
|
|
|
|
disp->localauthdatalen,
|
|
|
|
NULL, 0, &greetinglen);
|
|
|
|
sk_write(s, greeting, greetinglen);
|
|
|
|
smemclr(greeting, greetinglen);
|
|
|
|
sfree(greeting);
|
|
|
|
|
2018-10-29 19:50:29 +00:00
|
|
|
pageant_fork_and_print_env(false);
|
Unix Pageant: -T option, tying lifetime to controlling tty.
This is intended to be a useful mode when you want to run an ssh agent
in a terminal session with no X11 available. You just execute a
command along the lines of eval $(pageant -T), and then Pageant will
run in the background for the rest of that terminal session - and when
the terminal session ends, so that Pageant loses its controlling tty,
it will take that as the signal to shut down. So, no need to manually
kill it, and unlike 'pageant --exec $SHELL', you can also do this half
way through a session if you don't realise until later that you need
an SSH agent, without losing any shell command history or other shell
context that you've accumulated so far in the session.
Unfortunately, I haven't been able to find any reliable way to
actually implement this -T mode, short of having Pageant wake up at
regular intervals and try to open /dev/tty to see if it's still there.
I had hoped that I could arrange to reliably get SIGHUP, or select on
/dev/tty for exceptional conditions, or some such, but nothing I've
tried along those lines seems to work.
2015-05-08 18:50:48 +00:00
|
|
|
} else if (life == LIFE_TTY) {
|
|
|
|
schedule_timer(TTY_LIFE_POLL_INTERVAL,
|
|
|
|
tty_life_timer, &dummy_timer_ctx);
|
2018-10-29 19:50:29 +00:00
|
|
|
pageant_fork_and_print_env(true);
|
2015-05-05 19:16:23 +00:00
|
|
|
} else if (life == LIFE_PERM) {
|
2018-10-29 19:50:29 +00:00
|
|
|
pageant_fork_and_print_env(false);
|
2015-05-05 19:16:23 +00:00
|
|
|
} else if (life == LIFE_DEBUG) {
|
|
|
|
pageant_print_env(getpid());
|
2020-02-02 16:43:58 +00:00
|
|
|
upc->logfp = stdout;
|
|
|
|
|
|
|
|
struct termios orig_termios;
|
2020-02-07 19:14:32 +00:00
|
|
|
upc->passphrase_fd = fileno(stdin);
|
|
|
|
if (tcgetattr(upc->passphrase_fd, &orig_termios) == 0) {
|
2020-02-02 16:43:58 +00:00
|
|
|
struct termios new_termios = orig_termios;
|
|
|
|
new_termios.c_lflag &= ~(ECHO | ECHOE | ECHOK | ECHONL | ICANON);
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Try to set up a watchdog process that will restore
|
|
|
|
* termios if we crash or are killed. If successful, turn
|
|
|
|
* off echo, for runtime passphrase prompts.
|
|
|
|
*/
|
|
|
|
int pipefd[2];
|
|
|
|
if (pipe(pipefd) == 0) {
|
|
|
|
pid_t pid = fork();
|
|
|
|
if (pid == 0) {
|
2020-02-07 19:14:32 +00:00
|
|
|
tcsetattr(upc->passphrase_fd, TCSADRAIN, &new_termios);
|
2020-02-02 16:43:58 +00:00
|
|
|
close(pipefd[1]);
|
|
|
|
char buf[4096];
|
|
|
|
while (read(pipefd[0], buf, sizeof(buf)) > 0);
|
2020-02-07 19:14:32 +00:00
|
|
|
tcsetattr(upc->passphrase_fd, TCSADRAIN, &new_termios);
|
2020-02-02 16:43:58 +00:00
|
|
|
_exit(0);
|
|
|
|
} else if (pid > 0) {
|
2020-02-08 18:36:09 +00:00
|
|
|
upc->prompt_type = RTPROMPT_DEBUG;
|
2020-02-02 16:43:58 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
close(pipefd[0]);
|
|
|
|
if (pid < 0)
|
|
|
|
close(pipefd[1]);
|
|
|
|
}
|
|
|
|
}
|
2015-05-05 19:16:23 +00:00
|
|
|
} else if (life == LIFE_EXEC) {
|
|
|
|
pid_t agentpid, pid;
|
|
|
|
|
|
|
|
agentpid = getpid();
|
2020-02-08 18:35:37 +00:00
|
|
|
setup_sigchld_handler();
|
2015-05-05 19:16:23 +00:00
|
|
|
|
|
|
|
pid = fork();
|
|
|
|
if (pid < 0) {
|
|
|
|
perror("fork");
|
|
|
|
exit(1);
|
|
|
|
} else if (pid == 0) {
|
2018-10-29 19:50:29 +00:00
|
|
|
setenv("SSH_AUTH_SOCK", socketname, true);
|
|
|
|
setenv("SSH_AGENT_PID", dupprintf("%d", (int)agentpid), true);
|
2015-05-05 19:16:23 +00:00
|
|
|
execvp(exec_args[0], exec_args);
|
|
|
|
perror("exec");
|
|
|
|
_exit(127);
|
|
|
|
} else {
|
2020-02-07 19:14:32 +00:00
|
|
|
upc->termination_pid = pid;
|
2015-05-05 19:16:23 +00:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2020-02-02 16:43:58 +00:00
|
|
|
if (!upc->logfp)
|
Pageant: new asynchronous internal APIs.
This is a pure refactoring: no functional change expected.
This commit introduces two new small vtable-style APIs. One is
PageantClient, which identifies a particular client of the Pageant
'core' (meaning the code that handles each individual request). This
changes pageant_handle_msg into an asynchronous operation: you pass in
an agent request message and an identifier, and at some later point,
the got_response method in your PageantClient will be called with the
answer (and the same identifier, to allow you to match requests to
responses). The trait vtable also contains a logging system.
The main importance of PageantClient, and the reason why it has to
exist instead of just passing pageant_handle_msg a bare callback
function pointer and context parameter, is that it provides robustness
if a client stops existing while a request is still pending. You call
pageant_unregister_client, and any unfinished requests associated with
that client in the Pageant core will be cleaned up, so that you're
guaranteed that after the unregister operation, no stray callbacks
will happen with a stale pointer to that client.
The WM_COPYDATA interface of Windows Pageant is a direct client of
this API. The other client is PageantListener, the system that lives
in pageant.c and handles stream-based agent connections for both Unix
Pageant and the new Windows named-pipe IPC. More specifically, each
individual connection to the listening socket is a separate
PageantClient, which means that if a socket is closed abruptly or
suffers an OS error, that client can be unregistered and any pending
requests cancelled without disrupting other connections.
Users of PageantListener have a second client vtable they can use,
called PageantListenerClient. That contains _only_ logging facilities,
and at the moment, only Unix Pageant bothers to use it (and even that
only in debugging mode).
Finally, internally to the Pageant core, there's a new trait called
PageantAsyncOp which describes an agent request in the process of
being handled. But at the moment, it has only one trivial
implementation, which is handed the full response message already
constructed, and on the next toplevel callback, passes it back to the
PageantClient.
2020-01-25 17:24:28 +00:00
|
|
|
upc->plc.suppress_logging = true;
|
2015-05-06 18:32:26 +00:00
|
|
|
|
2020-02-07 19:14:32 +00:00
|
|
|
cli_main_loop(agent_loop_pw_setup, agent_loop_pw_check,
|
|
|
|
agent_loop_continue, upc);
|
2015-05-05 19:16:23 +00:00
|
|
|
|
2015-05-07 18:04:25 +00:00
|
|
|
/*
|
2020-02-07 19:14:32 +00:00
|
|
|
* Before terminating, clean up our Unix socket file if possible.
|
2015-05-07 18:04:25 +00:00
|
|
|
*/
|
|
|
|
if (unlink(socketname) < 0) {
|
|
|
|
fprintf(stderr, "pageant: %s: %s\n", socketname, strerror(errno));
|
|
|
|
exit(1);
|
|
|
|
}
|
2017-02-14 20:42:26 +00:00
|
|
|
|
2020-02-15 15:55:30 +00:00
|
|
|
strbuf_free(upc->prompt_buf);
|
2017-02-14 20:42:26 +00:00
|
|
|
conf_free(conf);
|
2015-05-11 16:56:37 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
int main(int argc, char **argv)
|
|
|
|
{
|
Convert a lot of 'int' variables to 'bool'.
My normal habit these days, in new code, is to treat int and bool as
_almost_ completely separate types. I'm still willing to use C's
implicit test for zero on an integer (e.g. 'if (!blob.len)' is fine,
no need to spell it out as blob.len != 0), but generally, if a
variable is going to be conceptually a boolean, I like to declare it
bool and assign to it using 'true' or 'false' rather than 0 or 1.
PuTTY is an exception, because it predates the C99 bool, and I've
stuck to its existing coding style even when adding new code to it.
But it's been annoying me more and more, so now that I've decided C99
bool is an acceptable thing to require from our toolchain in the first
place, here's a quite thorough trawl through the source doing
'boolification'. Many variables and function parameters are now typed
as bool rather than int; many assignments of 0 or 1 to those variables
are now spelled 'true' or 'false'.
I managed this thorough conversion with the help of a custom clang
plugin that I wrote to trawl the AST and apply heuristics to point out
where things might want changing. So I've even managed to do a decent
job on parts of the code I haven't looked at in years!
To make the plugin's work easier, I pushed platform front ends
generally in the direction of using standard 'bool' in preference to
platform-specific boolean types like Windows BOOL or GTK's gboolean;
I've left the platform booleans in places they _have_ to be for the
platform APIs to work right, but variables only used by my own code
have been converted wherever I found them.
In a few places there are int values that look very like booleans in
_most_ of the places they're used, but have a rarely-used third value,
or a distinction between different nonzero values that most users
don't care about. In these cases, I've _removed_ uses of 'true' and
'false' for the return values, to emphasise that there's something
more subtle going on than a simple boolean answer:
- the 'multisel' field in dialog.h's list box structure, for which
the GTK front end in particular recognises a difference between 1
and 2 but nearly everything else treats as boolean
- the 'urgent' parameter to plug_receive, where 1 vs 2 tells you
something about the specific location of the urgent pointer, but
most clients only care about 0 vs 'something nonzero'
- the return value of wc_match, where -1 indicates a syntax error in
the wildcard.
- the return values from SSH-1 RSA-key loading functions, which use
-1 for 'wrong passphrase' and 0 for all other failures (so any
caller which already knows it's not loading an _encrypted private_
key can treat them as boolean)
- term->esc_query, and the 'query' parameter in toggle_mode in
terminal.c, which _usually_ hold 0 for ESC[123h or 1 for ESC[?123h,
but can also hold -1 for some other intervening character that we
don't support.
In a few places there's an integer that I haven't turned into a bool
even though it really _can_ only take values 0 or 1 (and, as above,
tried to make the call sites consistent in not calling those values
true and false), on the grounds that I thought it would make it more
confusing to imply that the 0 value was in some sense 'negative' or
bad and the 1 positive or good:
- the return value of plug_accepting uses the POSIXish convention of
0=success and nonzero=error; I think if I made it bool then I'd
also want to reverse its sense, and that's a job for a separate
piece of work.
- the 'screen' parameter to lineptr() in terminal.c, where 0 and 1
represent the default and alternate screens. There's no obvious
reason why one of those should be considered 'true' or 'positive'
or 'success' - they're just indices - so I've left it as int.
ssh_scp_recv had particularly confusing semantics for its previous int
return value: its call sites used '<= 0' to check for error, but it
never actually returned a negative number, just 0 or 1. Now the
function and its call sites agree that it's a bool.
In a couple of places I've renamed variables called 'ret', because I
don't like that name any more - it's unclear whether it means the
return value (in preparation) for the _containing_ function or the
return value received from a subroutine call, and occasionally I've
accidentally used the same variable for both and introduced a bug. So
where one of those got in my way, I've renamed it to 'toret' or 'retd'
(the latter short for 'returned') in line with my usual modern
practice, but I haven't done a thorough job of finding all of them.
Finally, one amusing side effect of doing this is that I've had to
separate quite a few chained assignments. It used to be perfectly fine
to write 'a = b = c = TRUE' when a,b,c were int and TRUE was just a
the 'true' defined by stdbool.h, that idiom provokes a warning from
gcc: 'suggest parentheses around assignment used as truth value'!
2018-11-02 19:23:19 +00:00
|
|
|
bool doing_opts = true;
|
2015-05-11 16:56:37 +00:00
|
|
|
keyact curr_keyact = KEYACT_AGENT_LOAD;
|
2018-05-14 07:08:34 +00:00
|
|
|
const char *standalone_askpass_prompt = NULL;
|
2020-02-02 18:52:10 +00:00
|
|
|
const char *symlink_path = NULL;
|
2020-02-02 16:43:58 +00:00
|
|
|
FILE *logfp = NULL;
|
2015-05-11 16:56:37 +00:00
|
|
|
|
2020-02-08 18:36:09 +00:00
|
|
|
progname = argv[0];
|
|
|
|
|
2015-05-11 16:56:37 +00:00
|
|
|
/*
|
|
|
|
* Process the command line.
|
|
|
|
*/
|
|
|
|
while (--argc > 0) {
|
2019-09-08 19:29:00 +00:00
|
|
|
char *p = *++argv;
|
|
|
|
if (*p == '-' && doing_opts) {
|
2015-05-11 16:56:37 +00:00
|
|
|
if (!strcmp(p, "-V") || !strcmp(p, "--version")) {
|
|
|
|
version();
|
2019-09-08 19:29:00 +00:00
|
|
|
} else if (!strcmp(p, "--help")) {
|
2015-05-11 16:56:37 +00:00
|
|
|
usage();
|
|
|
|
exit(0);
|
|
|
|
} else if (!strcmp(p, "-v")) {
|
2020-02-02 16:43:58 +00:00
|
|
|
logfp = stderr;
|
2015-05-11 16:56:37 +00:00
|
|
|
} else if (!strcmp(p, "-a")) {
|
|
|
|
curr_keyact = KEYACT_CLIENT_ADD;
|
|
|
|
} else if (!strcmp(p, "-d")) {
|
|
|
|
curr_keyact = KEYACT_CLIENT_DEL;
|
2020-02-15 16:40:19 +00:00
|
|
|
} else if (!strcmp(p, "-r")) {
|
|
|
|
curr_keyact = KEYACT_CLIENT_REENCRYPT;
|
2016-03-25 16:43:59 +00:00
|
|
|
} else if (!strcmp(p, "-s")) {
|
|
|
|
shell_type = SHELL_SH;
|
|
|
|
} else if (!strcmp(p, "-c")) {
|
|
|
|
shell_type = SHELL_CSH;
|
2015-05-11 16:56:37 +00:00
|
|
|
} else if (!strcmp(p, "-D")) {
|
|
|
|
add_keyact(KEYACT_CLIENT_DEL_ALL, NULL);
|
2020-02-15 16:40:19 +00:00
|
|
|
} else if (!strcmp(p, "-R")) {
|
|
|
|
add_keyact(KEYACT_CLIENT_REENCRYPT_ALL, NULL);
|
2015-05-11 16:56:37 +00:00
|
|
|
} else if (!strcmp(p, "-l")) {
|
|
|
|
add_keyact(KEYACT_CLIENT_LIST, NULL);
|
2015-05-12 13:48:32 +00:00
|
|
|
} else if (!strcmp(p, "--public")) {
|
|
|
|
curr_keyact = KEYACT_CLIENT_PUBLIC;
|
2018-06-03 14:38:57 +00:00
|
|
|
} else if (!strcmp(p, "--public-openssh") || !strcmp(p, "-L")) {
|
2015-05-12 13:48:32 +00:00
|
|
|
curr_keyact = KEYACT_CLIENT_PUBLIC_OPENSSH;
|
2015-05-11 16:56:37 +00:00
|
|
|
} else if (!strcmp(p, "-X")) {
|
|
|
|
life = LIFE_X11;
|
|
|
|
} else if (!strcmp(p, "-T")) {
|
|
|
|
life = LIFE_TTY;
|
2021-04-03 09:30:27 +00:00
|
|
|
} else if (!strcmp(p, "--no-decrypt") ||
|
|
|
|
!strcmp(p, "-no-decrypt") ||
|
|
|
|
!strcmp(p, "--no_decrypt") ||
|
|
|
|
!strcmp(p, "-no_decrypt") ||
|
|
|
|
!strcmp(p, "--nodecrypt") ||
|
|
|
|
!strcmp(p, "-nodecrypt") ||
|
|
|
|
!strcmp(p, "--encrypted") ||
|
|
|
|
!strcmp(p, "-encrypted")) {
|
2020-02-08 17:28:46 +00:00
|
|
|
if (curr_keyact == KEYACT_AGENT_LOAD)
|
|
|
|
curr_keyact = KEYACT_AGENT_LOAD_ENCRYPTED;
|
|
|
|
else if (curr_keyact == KEYACT_CLIENT_ADD)
|
|
|
|
curr_keyact = KEYACT_CLIENT_ADD_ENCRYPTED;
|
|
|
|
else {
|
|
|
|
fprintf(stderr, "pageant: unexpected -E while not adding "
|
|
|
|
"keys\n");
|
|
|
|
exit(1);
|
|
|
|
}
|
2015-05-11 16:56:37 +00:00
|
|
|
} else if (!strcmp(p, "--debug")) {
|
|
|
|
life = LIFE_DEBUG;
|
2020-02-09 21:56:21 +00:00
|
|
|
} else if (!strcmp(p, "--test-sign")) {
|
|
|
|
curr_keyact = KEYACT_CLIENT_SIGN;
|
|
|
|
sign_flags = 0;
|
|
|
|
} else if (strstartswith(p, "--test-sign-with-flags=")) {
|
|
|
|
curr_keyact = KEYACT_CLIENT_SIGN;
|
|
|
|
sign_flags = atoi(p + strlen("--test-sign-with-flags="));
|
2015-05-11 16:56:37 +00:00
|
|
|
} else if (!strcmp(p, "--permanent")) {
|
|
|
|
life = LIFE_PERM;
|
|
|
|
} else if (!strcmp(p, "--exec")) {
|
|
|
|
life = LIFE_EXEC;
|
|
|
|
/* Now all subsequent arguments go to the exec command. */
|
|
|
|
if (--argc > 0) {
|
|
|
|
exec_args = ++argv;
|
|
|
|
argc = 0; /* force end of option processing */
|
|
|
|
} else {
|
|
|
|
fprintf(stderr, "pageant: expected a command "
|
|
|
|
"after --exec\n");
|
|
|
|
exit(1);
|
|
|
|
}
|
2018-05-14 06:36:05 +00:00
|
|
|
} else if (!strcmp(p, "--tty-prompt")) {
|
|
|
|
prompt_type = PROMPT_TTY;
|
|
|
|
} else if (!strcmp(p, "--gui-prompt")) {
|
|
|
|
prompt_type = PROMPT_GUI;
|
2018-05-14 07:08:34 +00:00
|
|
|
} else if (!strcmp(p, "--askpass")) {
|
|
|
|
if (--argc > 0) {
|
|
|
|
standalone_askpass_prompt = *++argv;
|
|
|
|
} else {
|
|
|
|
fprintf(stderr, "pageant: expected a prompt message "
|
|
|
|
"after --askpass\n");
|
|
|
|
exit(1);
|
|
|
|
}
|
2020-02-02 18:52:10 +00:00
|
|
|
} else if (!strcmp(p, "--symlink")) {
|
|
|
|
if (--argc > 0) {
|
|
|
|
symlink_path = *++argv;
|
|
|
|
} else {
|
|
|
|
fprintf(stderr, "pageant: expected a pathname "
|
|
|
|
"after --symlink\n");
|
|
|
|
exit(1);
|
2021-03-13 10:27:50 +00:00
|
|
|
}
|
2021-04-03 09:30:27 +00:00
|
|
|
} else if (!strcmp(p, "-E") || !strcmp(p, "--fptype")) {
|
2021-03-13 10:27:50 +00:00
|
|
|
const char *keyword;
|
|
|
|
if (--argc > 0) {
|
|
|
|
keyword = *++argv;
|
|
|
|
} else {
|
2021-03-27 18:21:21 +00:00
|
|
|
fprintf(stderr, "pageant: expected a type string "
|
2021-04-03 09:30:27 +00:00
|
|
|
"after %s\n", p);
|
2021-03-13 10:27:50 +00:00
|
|
|
exit(1);
|
|
|
|
}
|
|
|
|
if (!strcmp(keyword, "md5"))
|
|
|
|
key_list_fptype = SSH_FPTYPE_MD5;
|
|
|
|
else if (!strcmp(keyword, "sha256"))
|
|
|
|
key_list_fptype = SSH_FPTYPE_SHA256;
|
|
|
|
else {
|
|
|
|
fprintf(stderr, "pageant: unknown fingerprint type `%s'\n",
|
|
|
|
keyword);
|
|
|
|
exit(1);
|
2020-02-02 18:52:10 +00:00
|
|
|
}
|
2015-05-11 16:56:37 +00:00
|
|
|
} else if (!strcmp(p, "--")) {
|
2018-10-29 19:50:29 +00:00
|
|
|
doing_opts = false;
|
2020-02-02 18:52:10 +00:00
|
|
|
} else {
|
|
|
|
fprintf(stderr, "pageant: unrecognised option '%s'\n", p);
|
|
|
|
exit(1);
|
2015-05-11 16:56:37 +00:00
|
|
|
}
|
|
|
|
} else {
|
|
|
|
/*
|
|
|
|
* Non-option arguments (apart from those after --exec,
|
|
|
|
* which are treated specially above) are interpreted as
|
|
|
|
* the names of private key files to either add or delete
|
|
|
|
* from an agent.
|
|
|
|
*/
|
|
|
|
add_keyact(curr_keyact, p);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
if (life == LIFE_EXEC && !exec_args) {
|
|
|
|
fprintf(stderr, "pageant: expected a command with --exec\n");
|
|
|
|
exit(1);
|
|
|
|
}
|
|
|
|
|
2018-05-14 07:08:34 +00:00
|
|
|
if (!display) {
|
|
|
|
display = getenv("DISPLAY");
|
|
|
|
if (display && !*display)
|
|
|
|
display = NULL;
|
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Deal with standalone-askpass mode.
|
|
|
|
*/
|
|
|
|
if (standalone_askpass_prompt) {
|
|
|
|
char *passphrase = askpass(standalone_askpass_prompt);
|
|
|
|
|
|
|
|
if (!passphrase)
|
|
|
|
return 1;
|
|
|
|
|
|
|
|
puts(passphrase);
|
2020-02-08 18:57:57 +00:00
|
|
|
fflush(stdout);
|
|
|
|
|
2018-05-14 07:08:34 +00:00
|
|
|
smemclr(passphrase, strlen(passphrase));
|
|
|
|
sfree(passphrase);
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2015-05-11 16:56:37 +00:00
|
|
|
/*
|
|
|
|
* Block SIGPIPE, so that we'll get EPIPE individually on
|
|
|
|
* particular network connections that go wrong.
|
|
|
|
*/
|
|
|
|
putty_signal(SIGPIPE, SIG_IGN);
|
|
|
|
|
|
|
|
sk_init();
|
|
|
|
uxsel_init();
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Now distinguish our two main running modes. Either we're
|
|
|
|
* actually starting up an agent, in which case we should have a
|
|
|
|
* lifetime mode, and no key actions of KEYACT_CLIENT_* type; or
|
|
|
|
* else we're contacting an existing agent to add or remove keys,
|
|
|
|
* in which case we should have no lifetime mode, and no key
|
|
|
|
* actions of KEYACT_AGENT_* type.
|
|
|
|
*/
|
|
|
|
{
|
Convert a lot of 'int' variables to 'bool'.
My normal habit these days, in new code, is to treat int and bool as
_almost_ completely separate types. I'm still willing to use C's
implicit test for zero on an integer (e.g. 'if (!blob.len)' is fine,
no need to spell it out as blob.len != 0), but generally, if a
variable is going to be conceptually a boolean, I like to declare it
bool and assign to it using 'true' or 'false' rather than 0 or 1.
PuTTY is an exception, because it predates the C99 bool, and I've
stuck to its existing coding style even when adding new code to it.
But it's been annoying me more and more, so now that I've decided C99
bool is an acceptable thing to require from our toolchain in the first
place, here's a quite thorough trawl through the source doing
'boolification'. Many variables and function parameters are now typed
as bool rather than int; many assignments of 0 or 1 to those variables
are now spelled 'true' or 'false'.
I managed this thorough conversion with the help of a custom clang
plugin that I wrote to trawl the AST and apply heuristics to point out
where things might want changing. So I've even managed to do a decent
job on parts of the code I haven't looked at in years!
To make the plugin's work easier, I pushed platform front ends
generally in the direction of using standard 'bool' in preference to
platform-specific boolean types like Windows BOOL or GTK's gboolean;
I've left the platform booleans in places they _have_ to be for the
platform APIs to work right, but variables only used by my own code
have been converted wherever I found them.
In a few places there are int values that look very like booleans in
_most_ of the places they're used, but have a rarely-used third value,
or a distinction between different nonzero values that most users
don't care about. In these cases, I've _removed_ uses of 'true' and
'false' for the return values, to emphasise that there's something
more subtle going on than a simple boolean answer:
- the 'multisel' field in dialog.h's list box structure, for which
the GTK front end in particular recognises a difference between 1
and 2 but nearly everything else treats as boolean
- the 'urgent' parameter to plug_receive, where 1 vs 2 tells you
something about the specific location of the urgent pointer, but
most clients only care about 0 vs 'something nonzero'
- the return value of wc_match, where -1 indicates a syntax error in
the wildcard.
- the return values from SSH-1 RSA-key loading functions, which use
-1 for 'wrong passphrase' and 0 for all other failures (so any
caller which already knows it's not loading an _encrypted private_
key can treat them as boolean)
- term->esc_query, and the 'query' parameter in toggle_mode in
terminal.c, which _usually_ hold 0 for ESC[123h or 1 for ESC[?123h,
but can also hold -1 for some other intervening character that we
don't support.
In a few places there's an integer that I haven't turned into a bool
even though it really _can_ only take values 0 or 1 (and, as above,
tried to make the call sites consistent in not calling those values
true and false), on the grounds that I thought it would make it more
confusing to imply that the 0 value was in some sense 'negative' or
bad and the 1 positive or good:
- the return value of plug_accepting uses the POSIXish convention of
0=success and nonzero=error; I think if I made it bool then I'd
also want to reverse its sense, and that's a job for a separate
piece of work.
- the 'screen' parameter to lineptr() in terminal.c, where 0 and 1
represent the default and alternate screens. There's no obvious
reason why one of those should be considered 'true' or 'positive'
or 'success' - they're just indices - so I've left it as int.
ssh_scp_recv had particularly confusing semantics for its previous int
return value: its call sites used '<= 0' to check for error, but it
never actually returned a negative number, just 0 or 1. Now the
function and its call sites agree that it's a bool.
In a couple of places I've renamed variables called 'ret', because I
don't like that name any more - it's unclear whether it means the
return value (in preparation) for the _containing_ function or the
return value received from a subroutine call, and occasionally I've
accidentally used the same variable for both and introduced a bug. So
where one of those got in my way, I've renamed it to 'toret' or 'retd'
(the latter short for 'returned') in line with my usual modern
practice, but I haven't done a thorough job of finding all of them.
Finally, one amusing side effect of doing this is that I've had to
separate quite a few chained assignments. It used to be perfectly fine
to write 'a = b = c = TRUE' when a,b,c were int and TRUE was just a
the 'true' defined by stdbool.h, that idiom provokes a warning from
gcc: 'suggest parentheses around assignment used as truth value'!
2018-11-02 19:23:19 +00:00
|
|
|
bool has_agent_actions = false;
|
|
|
|
bool has_client_actions = false;
|
|
|
|
bool has_lifetime = false;
|
2015-05-11 16:56:37 +00:00
|
|
|
const struct cmdline_key_action *act;
|
|
|
|
|
|
|
|
for (act = keyact_head; act; act = act->next) {
|
|
|
|
if (is_agent_action(act->action))
|
2018-10-29 19:50:29 +00:00
|
|
|
has_agent_actions = true;
|
2015-05-11 16:56:37 +00:00
|
|
|
else
|
2018-10-29 19:50:29 +00:00
|
|
|
has_client_actions = true;
|
2015-05-11 16:56:37 +00:00
|
|
|
}
|
|
|
|
if (life != LIFE_UNSPEC)
|
2018-10-29 19:50:29 +00:00
|
|
|
has_lifetime = true;
|
2015-05-11 16:56:37 +00:00
|
|
|
|
|
|
|
if (has_lifetime && has_client_actions) {
|
2021-04-05 17:35:38 +00:00
|
|
|
fprintf(stderr, "pageant: client key actions (-a, -d, -D, -r, -R, "
|
|
|
|
"-l, -L) do not go with an agent lifetime option\n");
|
2015-05-11 16:56:37 +00:00
|
|
|
exit(1);
|
|
|
|
}
|
|
|
|
if (!has_lifetime && has_agent_actions) {
|
|
|
|
fprintf(stderr, "pageant: expected an agent lifetime option with"
|
|
|
|
" bare key file arguments\n");
|
|
|
|
exit(1);
|
|
|
|
}
|
|
|
|
if (!has_lifetime && !has_client_actions) {
|
|
|
|
fprintf(stderr, "pageant: expected an agent lifetime option"
|
|
|
|
" or a client key action\n");
|
|
|
|
exit(1);
|
|
|
|
}
|
|
|
|
|
|
|
|
if (has_lifetime) {
|
2020-02-02 18:52:10 +00:00
|
|
|
run_agent(logfp, symlink_path);
|
2015-05-11 16:56:37 +00:00
|
|
|
} else if (has_client_actions) {
|
|
|
|
run_client();
|
|
|
|
}
|
|
|
|
}
|
2015-05-07 18:04:25 +00:00
|
|
|
|
2015-05-05 19:16:23 +00:00
|
|
|
return 0;
|
|
|
|
}
|