From 48db456801cf90369330248075b7e480252696ff Mon Sep 17 00:00:00 2001
From: Owen Dunn <owen@greenend.org.uk>
Date: Tue, 24 Nov 2015 22:02:24 +0000
Subject: [PATCH] Make our process's ACL more restrictive.

By default Windows processes have wide open ACLs which allow interference
by other processes running as the same user.  Adjust our ACL to make this
a bit harder.

Because it's useful to protect PuTTYtel as well, carve winsecur.c into
advapi functions and wincapi.c for crypt32 functions.
---
 Recipe             |  4 ++--
 windows/wincapi.c  | 27 +++++++++++++++++++++++++++
 windows/wincapi.h  | 18 ++++++++++++++++++
 windows/window.c   | 15 +++++++++++++++
 windows/winsecur.c | 17 +----------------
 windows/winsecur.h |  9 ++-------
 windows/winshare.c |  2 +-
 7 files changed, 66 insertions(+), 26 deletions(-)
 create mode 100644 windows/wincapi.c
 create mode 100644 windows/wincapi.h

diff --git a/Recipe b/Recipe
index ebc9908f..67435c68 100644
--- a/Recipe
+++ b/Recipe
@@ -224,7 +224,7 @@ SSH      = ssh sshcrc sshdes sshmd5 sshrsa sshrand sshsha sshblowf
          + sshdh sshcrcda sshpubk sshzlib sshdss x11fwd portfwd
          + sshaes sshccp sshsh256 sshsh512 sshbn wildcard pinger ssharcf
          + sshgssc pgssapi sshshare sshecc
-WINSSH   = SSH winnoise winsecur winpgntc wingss winshare winnps winnpc
+WINSSH   = SSH winnoise wincapi winpgntc wingss winshare winnps winnpc
          + winhsock errsock
 UXSSH    = SSH uxnoise uxagentc uxgss uxshare
 
@@ -235,7 +235,7 @@ SFTP     = sftp int64 logging
 # Pageant or PuTTYgen).
 MISC     = timing callback misc version settings tree234 proxy conf
 WINMISC  = MISC winstore winnet winhandl cmdline windefs winmisc winproxy
-         + wintime winhsock errsock
+         + wintime winhsock errsock winsecur
 UXMISC   = MISC uxstore uxsel uxnet uxpeer cmdline uxmisc uxproxy time
 OSXMISC  = MISC uxstore uxsel osxsel uxnet uxpeer uxmisc uxproxy time
 
diff --git a/windows/wincapi.c b/windows/wincapi.c
new file mode 100644
index 00000000..2550b6de
--- /dev/null
+++ b/windows/wincapi.c
@@ -0,0 +1,27 @@
+/*
+ * wincapi.c: implementation of wincapi.h.
+ */
+
+#include "putty.h"
+
+#if !defined NO_SECURITY
+
+#define WINCAPI_GLOBAL
+#include "wincapi.h"
+
+int got_crypt(void)
+{
+    static int attempted = FALSE;
+    static int successful;
+    static HMODULE crypt;
+
+    if (!attempted) {
+        attempted = TRUE;
+        crypt = load_system32_dll("crypt32.dll");
+        successful = crypt &&
+            GET_WINDOWS_FUNCTION(crypt, CryptProtectMemory);
+    }
+    return successful;
+}
+
+#endif /* !defined NO_SECURITY */
diff --git a/windows/wincapi.h b/windows/wincapi.h
new file mode 100644
index 00000000..06ee2d36
--- /dev/null
+++ b/windows/wincapi.h
@@ -0,0 +1,18 @@
+/*
+ * wincapi.h: Windows Crypto API functions defined in wincrypt.c
+ * that use the crypt32 library. Also centralises the machinery
+ * for dynamically loading that library.
+ */
+
+#if !defined NO_SECURITY
+
+#ifndef WINCAPI_GLOBAL
+#define WINCAPI_GLOBAL extern
+#endif
+
+DECL_WINDOWS_FUNCTION(WINCAPI_GLOBAL, BOOL, CryptProtectMemory,
+		      (LPVOID,DWORD,DWORD));
+
+int got_crypt(void);
+
+#endif
diff --git a/windows/window.c b/windows/window.c
index 23f98a47..db426347 100644
--- a/windows/window.c
+++ b/windows/window.c
@@ -19,6 +19,7 @@
 #include "terminal.h"
 #include "storage.h"
 #include "win_res.h"
+#include "winsecur.h"
 
 #ifndef NO_MULTIMON
 #include <multimon.h>
@@ -390,6 +391,20 @@ int WINAPI WinMain(HINSTANCE inst, HINSTANCE prev, LPSTR cmdline, int show)
 	return 1;
     }
 
+    /*
+     * Protect our process
+     */
+    {
+      char *error = NULL;
+
+      if (! setprocessacl(error)) {
+	/* FIXME: prepare to stuff this into event log somehow */
+    	MessageBox(NULL, "Process protection",
+    		   error, MB_OK | MB_ICONEXCLAMATION);
+      }
+      sfree(error);
+
+    }
     /*
      * Process the command line.
      */
diff --git a/windows/winsecur.c b/windows/winsecur.c
index 6e4bd7d4..9cdac26c 100644
--- a/windows/winsecur.c
+++ b/windows/winsecur.c
@@ -36,21 +36,6 @@ int got_advapi(void)
     return successful;
 }
 
-int got_crypt(void)
-{
-    static int attempted = FALSE;
-    static int successful;
-    static HMODULE crypt;
-
-    if (!attempted) {
-        attempted = TRUE;
-        crypt = load_system32_dll("crypt32.dll");
-        successful = crypt &&
-            GET_WINDOWS_FUNCTION(crypt, CryptProtectMemory);
-    }
-    return successful;
-}
-
 PSID get_user_sid(void)
 {
     HANDLE proc = NULL, tok = NULL;
@@ -237,7 +222,7 @@ int make_private_security_descriptor(DWORD permissions,
     return ret;
 }
 
-int protectprocess(char *error)
+int setprocessacl(char *error)
 {
     SID_IDENTIFIER_AUTHORITY world_auth = SECURITY_WORLD_SID_AUTHORITY;
     SID_IDENTIFIER_AUTHORITY nt_auth = SECURITY_NT_AUTHORITY;
diff --git a/windows/winsecur.h b/windows/winsecur.h
index bd649827..03e8314d 100644
--- a/windows/winsecur.h
+++ b/windows/winsecur.h
@@ -32,13 +32,6 @@ DECL_WINDOWS_FUNCTION(WINSECUR_GLOBAL, DWORD, SetEntriesInAclA,
 		      (ULONG, PEXPLICIT_ACCESS, PACL, PACL *));
 int got_advapi(void);
 
-/*
- * Functions loaded from crypt32.dll.
- */
-DECL_WINDOWS_FUNCTION(WINSECUR_GLOBAL, BOOL, CryptProtectMemory,
-		      (LPVOID, DWORD, DWORD));
-int got_crypt(void);
-
 /*
  * Find the SID describing the current user. The return value (if not
  * NULL for some error-related reason) is smalloced.
@@ -60,4 +53,6 @@ int make_private_security_descriptor(DWORD permissions,
                                      PACL *acl,
                                      char **error);
 
+int setprocessacl(char *error);
+
 #endif
diff --git a/windows/winshare.c b/windows/winshare.c
index 2f21638e..5f1c7244 100644
--- a/windows/winshare.c
+++ b/windows/winshare.c
@@ -14,7 +14,7 @@
 #include "proxy.h"
 #include "ssh.h"
 
-#include "winsecur.h"
+#include "wincapi.h"
 
 #ifdef COVERITY
 /*