2 * Windows implementation of SSH connection-sharing IPC setup.
8 #if !defined NO_SECURITY
10 #define DEFINE_PLUG_METHOD_MACROS
21 * The hack I use to build for Coverity scanning, using winegcc and
22 * Makefile.cyg, didn't provide some defines in wincrypt.h last time I
23 * looked. Therefore, define them myself here, but enclosed in #ifdef
24 * COVERITY to ensure I don't make up random nonsense values for any
27 #ifndef CRYPTPROTECTMEMORY_BLOCK_SIZE
28 #define CRYPTPROTECTMEMORY_BLOCK_SIZE 16
30 #ifndef CRYPTPROTECTMEMORY_CROSS_PROCESS
31 #define CRYPTPROTECTMEMORY_CROSS_PROCESS 1
35 #define CONNSHARE_PIPE_PREFIX "\\\\.\\pipe\\putty-connshare"
36 #define CONNSHARE_MUTEX_PREFIX "Local\\putty-connshare-mutex"
38 static char *obfuscate_name(const char *realname)
41 * Windows's named pipes all live in the same namespace, so one
42 * user can see what pipes another user has open. This is an
43 * undesirable privacy leak and in particular permits one user to
44 * know what username@host another user is SSHing to, so we
45 * protect that information by using CryptProtectMemory (which
46 * uses a key built in to each user's account).
51 unsigned char lenbuf[4];
52 unsigned char digest[32];
56 cryptlen = strlen(realname) + 1;
57 cryptlen += CRYPTPROTECTMEMORY_BLOCK_SIZE - 1;
58 cryptlen /= CRYPTPROTECTMEMORY_BLOCK_SIZE;
59 cryptlen *= CRYPTPROTECTMEMORY_BLOCK_SIZE;
61 cryptdata = snewn(cryptlen, char);
62 memset(cryptdata, 0, cryptlen);
63 strcpy(cryptdata, realname);
66 * CRYPTPROTECTMEMORY_CROSS_PROCESS causes CryptProtectMemory to
67 * use the same key in all processes with this user id, meaning
68 * that the next PuTTY process calling this function with the same
69 * input will get the same data.
71 * (Contrast with CryptProtectData, which invents a new session
72 * key every time since its API permits returning more data than
73 * was input, so calling _that_ and hashing the output would not
76 * We don't worry too much if this doesn't work for some reason.
77 * Omitting this step still has _some_ privacy value (in that
78 * another user can test-hash things to confirm guesses as to
79 * where you might be connecting to, but cannot invert SHA-256 in
80 * the absence of any plausible guess). So we don't abort if we
81 * can't call CryptProtectMemory at all, or if it fails.
84 p_CryptProtectMemory(cryptdata, cryptlen,
85 CRYPTPROTECTMEMORY_CROSS_PROCESS);
88 * We don't want to give away the length of the hostname either,
89 * so having got it back out of CryptProtectMemory we now hash it.
92 PUT_32BIT_MSB_FIRST(lenbuf, cryptlen);
93 SHA256_Bytes(&sha, lenbuf, 4);
94 SHA256_Bytes(&sha, cryptdata, cryptlen);
95 SHA256_Final(&sha, digest);
100 * Finally, make printable.
102 for (i = 0; i < 32; i++) {
103 sprintf(retbuf + 2*i, "%02x", digest[i]);
104 /* the last of those will also write the trailing NUL */
107 return dupstr(retbuf);
110 static char *make_name(const char *prefix, const char *name)
112 char *username, *retname;
114 username = get_username();
115 retname = dupprintf("%s.%s.%s", prefix, username, name);
121 Socket new_named_pipe_client(const char *pipename, Plug plug);
122 Socket new_named_pipe_listener(const char *pipename, Plug plug);
124 int platform_ssh_share(const char *pi_name, Conf *conf,
125 Plug downplug, Plug upplug, Socket *sock,
126 char **logtext, char **ds_err, char **us_err,
127 int can_upstream, int can_downstream)
129 char *name, *mutexname, *pipename;
132 PSECURITY_DESCRIPTOR psd;
136 * Transform the platform-independent version of the connection
137 * identifier into the obfuscated version we'll use for our
138 * Windows named pipe and mutex. A side effect of doing this is
139 * that it also eliminates any characters illegal in Windows pipe
142 name = obfuscate_name(pi_name);
144 *logtext = dupprintf("Unable to call CryptProtectMemory: %s",
145 win_strerror(GetLastError()));
150 * Make a mutex name out of the connection identifier, and lock it
151 * while we decide whether to be upstream or downstream.
154 SECURITY_ATTRIBUTES sa;
156 mutexname = make_name(CONNSHARE_MUTEX_PREFIX, name);
157 if (!make_private_security_descriptor(MUTEX_ALL_ACCESS,
158 &psd, &acl, logtext)) {
164 memset(&sa, 0, sizeof(sa));
165 sa.nLength = sizeof(sa);
166 sa.lpSecurityDescriptor = psd;
167 sa.bInheritHandle = FALSE;
169 mutex = CreateMutex(&sa, FALSE, mutexname);
172 *logtext = dupprintf("CreateMutex(\"%s\") failed: %s",
173 mutexname, win_strerror(GetLastError()));
185 WaitForSingleObject(mutex, INFINITE);
188 pipename = make_name(CONNSHARE_PIPE_PREFIX, name);
192 if (can_downstream) {
193 retsock = new_named_pipe_client(pipename, downplug);
194 if (sk_socket_error(retsock) == NULL) {
201 return SHARE_DOWNSTREAM;
204 *ds_err = dupprintf("%s: %s", pipename, sk_socket_error(retsock));
209 retsock = new_named_pipe_listener(pipename, upplug);
210 if (sk_socket_error(retsock) == NULL) {
217 return SHARE_UPSTREAM;
220 *us_err = dupprintf("%s: %s", pipename, sk_socket_error(retsock));
224 /* One of the above clauses ought to have happened. */
225 assert(*logtext || *ds_err || *us_err);
234 void platform_ssh_share_cleanup(const char *name)
238 #else /* !defined NO_SECURITY */
242 #endif /* !defined NO_SECURITY */