nhyatt/putty-source
1
0
Fork 0
mirror of https://git.tartarus.org/simon/putty.git synced 2025-01-09 17:38:00 +00:00
Code Issues Projects Releases Wiki Activity

Fix command-line password handling in Restart Session.

Browse Source 
When the user provides a password on the PuTTY command line, via -pw
or -pwfile, the flag 'tried_once' inside cmdline_get_passwd_input() is
intended to arrange that we only try sending that password once, and
after we've sent it, we don't try again.

But this plays badly with the 'Restart Session' operation. If the
connection is lost and then restarted at user request, we _do_ want to
send that password again!

So this commit moves that static variable out into a small state
structure held by the client of cmdline_get_passwd_input. Each client
can decide how to manage that state itself.

Clients that support 'Restart Session' - i.e. just GUI PuTTY itself -
will initialise the state at the same time as instantiating the
backend, so that every time the session is restarted, we return
to (correctly) believing that we _haven't_ yet tried the password
provided on the command line.

But clients that don't support 'Restart Session' - i.e. Plink and file
transfer tools - can do the same thing that cmdline.c was doing
before: just keep the state in a static variable.

This also means that the GUI login tools will now retain the
command-line password in memory, whereas previously they'd have wiped
it out once it was used. But the other tools will still wipe and free
the password, because I've also added a 'bool restartable' flag to
cmdline_get_passwd_input to let it know when it _is_ allowed to do
that.

In the GUI tools, I don't see any way to get round that, because if
the session is restarted you _have_ to still have the password to use
again. (And you can't infer that that will never happen from the
CONF_close_on_exit setting, because that too could be changed in
mid-session.) On the other hand, I think it's not all that worrying,
because the use of either -pw or -pwfile means that a persistent copy
of your password is *already* stored somewhere, so another one isn't
too big a stretch.

(Due to the change of -pw policy in 0.77, the effect of this bug was
that an attempt to reconnect in a session set up this way would lead
to "Configured password was not accepted". In 0.76, the failure mode
was different: PuTTY would interactively prompt for the password,
having wiped it out of memory after it was used the first time round.)
This commit is contained in:
Simon Tatham 2022-05-18 13:04:56 +01:00
parent 81dcbd6267
commit 787c358d37
12 changed files with 73 additions and 18 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

28
cmdline.c
View File

@ -81,10 +81,9 @@ void cmdline_cleanup(void)
* -1 return means that we aren't capable of processing the prompt and * -1 return means that we aren't capable of processing the prompt and
* someone else should do it. * someone else should do it.
*/ */
SeatPromptResult cmdline_get_passwd_input(prompts_t *p) SeatPromptResult cmdline_get_passwd_input(
prompts_t *p, cmdline_get_passwd_input_state *state, bool restartable)
{ {
static bool tried_once = false;
/* /*
* We only handle prompts which don't echo (which we assume to be * We only handle prompts which don't echo (which we assume to be
* passwords), and (currently) we only cope with a password prompt * passwords), and (currently) we only cope with a password prompt
@ -98,23 +97,32 @@ SeatPromptResult cmdline_get_passwd_input(prompts_t *p)
* If we've tried once, return utter failure (no more passwords left * If we've tried once, return utter failure (no more passwords left
* to try). * to try).
*/ */
if (tried_once) if (state->tried)
return SPR_SW_ABORT("Configured password was not accepted"); return SPR_SW_ABORT("Configured password was not accepted");
/* /*
* If we never had a password available in the first place, we * If we never had a password available in the first place, we
* can't do anything in any case. (But we delay this test until * can't do anything in any case. (But we delay this test until
* after tried_once, so that after we free cmdline_password below, * after trying once, so that even if we free cmdline_password
* we'll still remember that we _used_ to have one.) * below, we'll still remember that we _used_ to have one.)
*/ */
if (!cmdline_password) if (!cmdline_password)
return SPR_INCOMPLETE; return SPR_INCOMPLETE;
prompt_set_result(p->prompts[0], cmdline_password); prompt_set_result(p->prompts[0], cmdline_password);
smemclr(cmdline_password, strlen(cmdline_password)); state->tried = true;
sfree(cmdline_password);
cmdline_password = NULL; if (!restartable) {
tried_once = true; /*
* If there's no possibility of needing to do this again after
* a 'Restart Session' event, then wipe our copy of the
* password out of memory.
*/
smemclr(cmdline_password, strlen(cmdline_password));
sfree(cmdline_password);
cmdline_password = NULL;
}
return SPR_OK; return SPR_OK;
} }

2
defs.h
View File

@ -118,6 +118,8 @@ typedef struct Seat Seat;
typedef struct SeatVtable SeatVtable; typedef struct SeatVtable SeatVtable;
typedef struct SeatPromptResult SeatPromptResult; typedef struct SeatPromptResult SeatPromptResult;
typedef struct cmdline_get_passwd_input_state cmdline_get_passwd_input_state;
typedef struct TermWin TermWin; typedef struct TermWin TermWin;
typedef struct TermWinVtable TermWinVtable; typedef struct TermWinVtable TermWinVtable;

7
putty.h
View File

@ -2525,10 +2525,15 @@ void printer_finish_job(printer_job *);
* zero out password arguments in the hope of not having them show up * zero out password arguments in the hope of not having them show up
* avoidably in Unix 'ps'. * avoidably in Unix 'ps'.
*/ */
struct cmdline_get_passwd_input_state { bool tried; };
#define CMDLINE_GET_PASSWD_INPUT_STATE_INIT { .tried = false }
extern const cmdline_get_passwd_input_state cmdline_get_passwd_input_state_new;
int cmdline_process_param(const char *, char *, int, Conf *); int cmdline_process_param(const char *, char *, int, Conf *);
void cmdline_run_saved(Conf *); void cmdline_run_saved(Conf *);
void cmdline_cleanup(void); void cmdline_cleanup(void);
SeatPromptResult cmdline_get_passwd_input(prompts_t *p); SeatPromptResult cmdline_get_passwd_input(
prompts_t *p, cmdline_get_passwd_input_state *state, bool restartable);
bool cmdline_host_ok(Conf *); bool cmdline_host_ok(Conf *);
bool cmdline_verbose(void); bool cmdline_verbose(void);
bool cmdline_loaded_session(void); bool cmdline_loaded_session(void);

3
stubs/nocmdline.c
View File

@ -15,7 +15,8 @@
* handling, then there is no such option, so that function always * handling, then there is no such option, so that function always
* returns failure. * returns failure.
*/ */
SeatPromptResult cmdline_get_passwd_input(prompts_t *p) SeatPromptResult cmdline_get_passwd_input(
prompts_t *p, cmdline_get_passwd_input_state *state, bool restartable)
{ {
return SPR_INCOMPLETE; return SPR_INCOMPLETE;
} }

7
unix/plink.c
View File

@ -373,8 +373,13 @@ static bool plink_eof(Seat *seat)
static SeatPromptResult plink_get_userpass_input(Seat *seat, prompts_t *p) static SeatPromptResult plink_get_userpass_input(Seat *seat, prompts_t *p)
{ {
/* Plink doesn't support Restart Session, so we can just have a
* single static cmdline_get_passwd_input_state that's never reset */
static cmdline_get_passwd_input_state cmdline_state =
CMDLINE_GET_PASSWD_INPUT_STATE_INIT;
SeatPromptResult spr; SeatPromptResult spr;
spr = cmdline_get_passwd_input(p); spr = cmdline_get_passwd_input(p, &cmdline_state, false);
if (spr.kind == SPRK_INCOMPLETE) if (spr.kind == SPRK_INCOMPLETE)
spr = console_get_userpass_input(p); spr = console_get_userpass_input(p);
return spr; return spr;

8
unix/sftp.c
View File

@ -65,8 +65,14 @@ Filename *platform_default_filename(const char *name)
SeatPromptResult filexfer_get_userpass_input(Seat *seat, prompts_t *p) SeatPromptResult filexfer_get_userpass_input(Seat *seat, prompts_t *p)
{ {
/* The file transfer tools don't support Restart Session, so we
* can just have a single static cmdline_get_passwd_input_state
* that's never reset */
static cmdline_get_passwd_input_state cmdline_state =
CMDLINE_GET_PASSWD_INPUT_STATE_INIT;
SeatPromptResult spr; SeatPromptResult spr;
spr = cmdline_get_passwd_input(p); spr = cmdline_get_passwd_input(p, &cmdline_state, false);
if (spr.kind == SPRK_INCOMPLETE) if (spr.kind == SPRK_INCOMPLETE)
spr = console_get_userpass_input(p); spr = console_get_userpass_input(p);
return spr; return spr;

5
unix/window.c
View File

@ -160,6 +160,7 @@ struct GtkFrontend {
Ldisc *ldisc; Ldisc *ldisc;
Backend *backend; Backend *backend;
Terminal *term; Terminal *term;
cmdline_get_passwd_input_state cmdline_get_passwd_state;
LogContext *logctx; LogContext *logctx;
bool exited; bool exited;
struct unicode_data ucsdata; struct unicode_data ucsdata;
@ -343,7 +344,7 @@ static SeatPromptResult gtk_seat_get_userpass_input(Seat *seat, prompts_t *p)
{ {
GtkFrontend *inst = container_of(seat, GtkFrontend, seat); GtkFrontend *inst = container_of(seat, GtkFrontend, seat);
SeatPromptResult spr; SeatPromptResult spr;
spr = cmdline_get_passwd_input(p); spr = cmdline_get_passwd_input(p, &inst->cmdline_get_passwd_state, true);
if (spr.kind == SPRK_INCOMPLETE) if (spr.kind == SPRK_INCOMPLETE)
spr = term_get_userpass_input(inst->term, p); spr = term_get_userpass_input(inst->term, p);
return spr; return spr;
@ -5105,6 +5106,8 @@ static void start_backend(GtkFrontend *inst)
const struct BackendVtable *vt; const struct BackendVtable *vt;
char *error, *realhost; char *error, *realhost;
inst->cmdline_get_passwd_state = cmdline_get_passwd_input_state_new;
vt = select_backend(inst->conf); vt = select_backend(inst->conf);
seat_set_trust_status(&inst->seat, true); seat_set_trust_status(&inst->seat, true);

1
utils/CMakeLists.txt
View File

@ -7,6 +7,7 @@ add_sources_from_current_dir(utils
buildinfo.c buildinfo.c
burnstr.c burnstr.c
chomp.c chomp.c
cmdline_get_passwd_input_state_new.c
conf.c conf.c
conf_dest.c conf_dest.c
conf_launchable.c conf_launchable.c

9
utils/cmdline_get_passwd_input_state_new.c Normal file
View File

@ -0,0 +1,9 @@
/*
* A preinitialised cmdline_get_passwd_input_state which makes it easy
* to assign by structure copy.
*/
#include "putty.h"
const cmdline_get_passwd_input_state cmdline_get_passwd_input_state_new =
CMDLINE_GET_PASSWD_INPUT_STATE_INIT;

7
windows/plink.c
View File

@ -67,8 +67,13 @@ static bool plink_eof(Seat *seat)
static SeatPromptResult plink_get_userpass_input(Seat *seat, prompts_t *p) static SeatPromptResult plink_get_userpass_input(Seat *seat, prompts_t *p)
{ {
/* Plink doesn't support Restart Session, so we can just have a
* single static cmdline_get_passwd_input_state that's never reset */
static cmdline_get_passwd_input_state cmdline_state =
CMDLINE_GET_PASSWD_INPUT_STATE_INIT;
SeatPromptResult spr; SeatPromptResult spr;
spr = cmdline_get_passwd_input(p); spr = cmdline_get_passwd_input(p, &cmdline_state, false);
if (spr.kind == SPRK_INCOMPLETE) if (spr.kind == SPRK_INCOMPLETE)
spr = console_get_userpass_input(p); spr = console_get_userpass_input(p);
return spr; return spr;

8
windows/sftp.c
View File

@ -14,8 +14,14 @@
SeatPromptResult filexfer_get_userpass_input(Seat *seat, prompts_t *p) SeatPromptResult filexfer_get_userpass_input(Seat *seat, prompts_t *p)
{ {
/* The file transfer tools don't support Restart Session, so we
* can just have a single static cmdline_get_passwd_input_state
* that's never reset */
static cmdline_get_passwd_input_state cmdline_state =
CMDLINE_GET_PASSWD_INPUT_STATE_INIT;
SeatPromptResult spr; SeatPromptResult spr;
spr = cmdline_get_passwd_input(p); spr = cmdline_get_passwd_input(p, &cmdline_state, false);
if (spr.kind == SPRK_INCOMPLETE) if (spr.kind == SPRK_INCOMPLETE)
spr = console_get_userpass_input(p); spr = console_get_userpass_input(p);
return spr; return spr;

6
windows/window.c
View File

@ -130,6 +130,8 @@ static int kbd_codepage;
static Ldisc *ldisc; static Ldisc *ldisc;
static Backend *backend; static Backend *backend;
static cmdline_get_passwd_input_state cmdline_get_passwd_state;
static struct unicode_data ucsdata; static struct unicode_data ucsdata;
static bool session_closed; static bool session_closed;
static bool reconfiguring = false; static bool reconfiguring = false;
@ -371,6 +373,8 @@ static void start_backend(void)
char *error, *realhost; char *error, *realhost;
int i; int i;
cmdline_get_passwd_state = cmdline_get_passwd_input_state_new;
vt = backend_vt_from_conf(conf); vt = backend_vt_from_conf(conf);
seat_set_trust_status(&wgs.seat, true); seat_set_trust_status(&wgs.seat, true);
@ -5909,7 +5913,7 @@ static bool win_seat_eof(Seat *seat)
static SeatPromptResult win_seat_get_userpass_input(Seat *seat, prompts_t *p) static SeatPromptResult win_seat_get_userpass_input(Seat *seat, prompts_t *p)
{ {
SeatPromptResult spr; SeatPromptResult spr;
spr = cmdline_get_passwd_input(p); spr = cmdline_get_passwd_input(p, &cmdline_get_passwd_state, true);
if (spr.kind == SPRK_INCOMPLETE) if (spr.kind == SPRK_INCOMPLETE)
spr = term_get_userpass_input(term, p); spr = term_get_userpass_input(term, p);
return spr; return spr;