Make our process's ACL more restrictive.

By default Windows processes have wide open ACLs which allow interference
by other processes running as the same user.  Adjust our ACL to make this
a bit harder.

Because it's useful to protect PuTTYtel as well, carve winsecur.c into
advapi functions and wincapi.c for crypt32 functions.

Recipe

@@ -224,7 +224,7 @@ SSH      = ssh sshcrc sshdes sshmd5 sshrsa sshrand sshsha sshblowf
          + sshdh sshcrcda sshpubk sshzlib sshdss x11fwd portfwd
          + sshaes sshccp sshsh256 sshsh512 sshbn wildcard pinger ssharcf
          + sshgssc pgssapi sshshare sshecc
-WINSSH   = SSH winnoise winsecur winpgntc wingss winshare winnps winnpc
+WINSSH   = SSH winnoise wincapi winpgntc wingss winshare winnps winnpc
          + winhsock errsock
 UXSSH    = SSH uxnoise uxagentc uxgss uxshare
 
@@ -235,7 +235,7 @@ SFTP     = sftp int64 logging
 # Pageant or PuTTYgen).
 MISC     = timing callback misc version settings tree234 proxy conf
 WINMISC  = MISC winstore winnet winhandl cmdline windefs winmisc winproxy
-         + wintime winhsock errsock
+         + wintime winhsock errsock winsecur
 UXMISC   = MISC uxstore uxsel uxnet uxpeer cmdline uxmisc uxproxy time
 OSXMISC  = MISC uxstore uxsel osxsel uxnet uxpeer uxmisc uxproxy time
 

windows/wincapi.c

@@ -0,0 +1,27 @@
+/*
+ * wincapi.c: implementation of wincapi.h.
+ */
+
+#include "putty.h"
+
+#if !defined NO_SECURITY
+
+#define WINCAPI_GLOBAL
+#include "wincapi.h"
+
+int got_crypt(void)
+{
+    static int attempted = FALSE;
+    static int successful;
+    static HMODULE crypt;
+
+    if (!attempted) {
+        attempted = TRUE;
+        crypt = load_system32_dll("crypt32.dll");
+        successful = crypt &&
+            GET_WINDOWS_FUNCTION(crypt, CryptProtectMemory);
+    }
+    return successful;
+}
+
+#endif /* !defined NO_SECURITY */

windows/wincapi.h

@@ -0,0 +1,18 @@
+/*
+ * wincapi.h: Windows Crypto API functions defined in wincrypt.c
+ * that use the crypt32 library. Also centralises the machinery
+ * for dynamically loading that library.
+ */
+
+#if !defined NO_SECURITY
+
+#ifndef WINCAPI_GLOBAL
+#define WINCAPI_GLOBAL extern
+#endif
+
+DECL_WINDOWS_FUNCTION(WINCAPI_GLOBAL, BOOL, CryptProtectMemory,
+		      (LPVOID,DWORD,DWORD));
+
+int got_crypt(void);
+
+#endif

windows/window.c

@@ -19,6 +19,7 @@
 #include "terminal.h"
 #include "storage.h"
 #include "win_res.h"
+#include "winsecur.h"
 
 #ifndef NO_MULTIMON
 #include <multimon.h>
@@ -390,6 +391,20 @@ int WINAPI WinMain(HINSTANCE inst, HINSTANCE prev, LPSTR cmdline, int show)
 	return 1;
     }
 
+    /*
+     * Protect our process
+     */
+    {
+      char *error = NULL;
+
+      if (! setprocessacl(error)) {
+	/* FIXME: prepare to stuff this into event log somehow */
+    	MessageBox(NULL, "Process protection",
+    		   error, MB_OK | MB_ICONEXCLAMATION);
+      }
+      sfree(error);
+
+    }
     /*
      * Process the command line.
      */

windows/winsecur.c

@@ -36,21 +36,6 @@ int got_advapi(void)
     return successful;
 }
 
-int got_crypt(void)
-{
-    static int attempted = FALSE;
-    static int successful;
-    static HMODULE crypt;
-
-    if (!attempted) {
-        attempted = TRUE;
-        crypt = load_system32_dll("crypt32.dll");
-        successful = crypt &&
-            GET_WINDOWS_FUNCTION(crypt, CryptProtectMemory);
-    }
-    return successful;
-}
-
 PSID get_user_sid(void)
 {
     HANDLE proc = NULL, tok = NULL;
@@ -237,7 +222,7 @@ int make_private_security_descriptor(DWORD permissions,
     return ret;
 }
 
-int protectprocess(char *error)
+int setprocessacl(char *error)
 {
     SID_IDENTIFIER_AUTHORITY world_auth = SECURITY_WORLD_SID_AUTHORITY;
     SID_IDENTIFIER_AUTHORITY nt_auth = SECURITY_NT_AUTHORITY;

windows/winsecur.h

@@ -32,13 +32,6 @@ DECL_WINDOWS_FUNCTION(WINSECUR_GLOBAL, DWORD, SetEntriesInAclA,
 		      (ULONG, PEXPLICIT_ACCESS, PACL, PACL *));
 int got_advapi(void);
 
-/*
- * Functions loaded from crypt32.dll.
- */
-DECL_WINDOWS_FUNCTION(WINSECUR_GLOBAL, BOOL, CryptProtectMemory,
-		      (LPVOID, DWORD, DWORD));
-int got_crypt(void);
-
 /*
  * Find the SID describing the current user. The return value (if not
  * NULL for some error-related reason) is smalloced.
@@ -60,4 +53,6 @@ int make_private_security_descriptor(DWORD permissions,
                                      PACL *acl,
                                      char **error);
 
+int setprocessacl(char *error);
+
 #endif

windows/winshare.c

@@ -14,7 +14,7 @@
 #include "proxy.h"
 #include "ssh.h"
 
-#include "winsecur.h"
+#include "wincapi.h"
 
 #ifdef COVERITY
 /*