Simon Tatham [Sun, 17 Nov 2013 14:04:01 +0000 (14:04 +0000)]
Add support for Windows named pipes.
This commit adds two new support modules, winnpc.c and winnps.c, which
deal respectively with being a client and server of a Windows named
pipe (which, in spite of what Unix programmers will infer from that
name, is actually closer to Windows's analogue of a Unix-domain
socket). Each one provides a fully featured Socket wrapper around the
hairy Windows named pipe API, so that the rest of the code base should
be able to use these interchangeably with ordinary sockets and hardly
notice the difference.
As part of this work, I've introduced a mechanism in winhandl.c to
permit it to store handles of event objects on behalf of other Windows
support modules and deal with passing them to applications' main event
loops as necessary. (Perhaps it would have been cleaner to split
winhandl.c into an event-object tracking layer analogous to uxsel, and
the handle management which is winhandl.c's proper job, but this is
less disruptive for the present.)
Simon Tatham [Sun, 17 Nov 2013 14:03:55 +0000 (14:03 +0000)]
Replace the hacky 'OSSocket' type with a closure.
The mechanism for constructing a new connection-type Socket when a
listening one receives an incoming connection previously worked by
passing a platform-specific 'OSSocket' type to the plug_accepting
function, which would then call sk_register to wrap it with a proper
Socket instance. This is less flexible than ideal, because it presumes
that only one kind of OS object might ever need to be turned into a
Socket. So I've replaced OSSocket throughout the code base with a pair
of parameters consisting of a function pointer and a context such that
passing the latter to the former returns the appropriate Socket; this
will permit different classes of listening Socket to pass different
function pointers.
In deference to the reality that OSSockets tend to be small integers
or pointer-sized OS handles, I've made the context parameter an
int/pointer union that can hold either of those directly, rather than
the usual approach of making it a plain 'void *' and requiring a
context structure to be dynamically allocated every time.
Simon Tatham [Sun, 17 Nov 2013 14:03:48 +0000 (14:03 +0000)]
Implement freezing on Windows handle sockets.
That's been a FIXME in the code for ages, because it's difficult to
get winhandl.c to stop an already-started read from a handle (since
the read is a blocking system call running in a separate thread). But
I now realise it isn't absolutely necessary to do so - you can just
buffer one lot of data from winhandl and _then_ tell it to stop.
Simon Tatham [Sun, 17 Nov 2013 14:03:44 +0000 (14:03 +0000)]
Factor out the HANDLE-to-Socket adapter from winproxy.c.
It's now kept in a separate module, where it can be reused
conveniently for other kinds of Windows HANDLE that I want to wrap in
the PuTTY Socket abstraction - for example, the named pipes that I
shortly plan to use for the Windows side of connection-sharing IPC.
Simon Tatham [Sun, 17 Nov 2013 14:03:36 +0000 (14:03 +0000)]
Add a Socket implementation which just holds an error message.
This isn't yet used, but I plan to use it in situations where you have
to report errors by returning a valid Socket on which the client wlil
call sk_socket_error, but in fact you notice the error _before_
instantiating your usual kind of Socket. The resulting Socket is
usable for nothing except reading out the error string and closing it.
Simon Tatham [Sun, 17 Nov 2013 14:03:21 +0000 (14:03 +0000)]
Clean up the semantics of the ssh_rportfwd structure.
It's now indexed by source hostname as well as source port (so that
separate requests for the server to listen on addr1:1234 and
addr2:1234 can be disambiguated), and also its destination host name
is dynamically allocated rather than a fixed-size buffer.
Simon Tatham [Sun, 17 Nov 2013 14:03:20 +0000 (14:03 +0000)]
Find ToUnicodeEx() at run time, not load time.
This restores PuTTY's backward compatibility to versions of Windows
too old to have ToUnicodeEx in their system libraries, which was
accidentally broken in 0.63.
Simon Tatham [Mon, 11 Nov 2013 23:01:47 +0000 (23:01 +0000)]
Replace GetQueueStatus with PeekMessage(PM_NOREMOVE).
A couple of users report that my recent reworking of the Windows
top-level message loop has led to messages occasionally being lost,
and MsgWaitForMultipleObjects blocking when it ought to have been
called with a zero timeout. I haven't been able to reproduce this
myself, but according to one reporter, PeekMessage(PM_NOREMOVE) is
effective at checking for a non-empty message queue in a way that
GetQueueStatus is not. Switch to using that instead. Thanks to Eric
Flumerfelt for debugging and testing help.
Simon Tatham [Sat, 26 Oct 2013 14:00:10 +0000 (14:00 +0000)]
Fix build failures on Ubuntu 13.10.
Automake now insists that we run AM_PROG_AR if we're going to build a
library, and AM_PROG_CC_C_O if we're going to build anything with
extra compile options. Those extra macros seem harmless in previous
versions of automake.
Simon Tatham [Fri, 25 Oct 2013 17:44:02 +0000 (17:44 +0000)]
Avoid leaving unread Windows messages in the queue.
Jochen Erwied points out that once you've used PeekMessage to remove
_one_ message from the message queue, MsgWaitForMultipleObjects will
consider the whole queue to have been 'read', or at least looked at
and deemed uninteresting, and so it will block until a further message
comes in. Hence, my change in r10040 which stops us from looping on
PeekMessage until the queue is empty has the effect of causing the
rest of the message queue not to be acted on until a new message comes
in to unblock it. Fix by checking if the queue is nonempty in advance
of calling MsgWaitForMultipleObjects, and if so, giving it a zero
timeout just as we do if there's a pending toplevel callback.
Simon Tatham [Wed, 9 Oct 2013 18:38:35 +0000 (18:38 +0000)]
random_ref() should always increment the reference count.
No current PuTTY utility was calling random_ref more than once per run
(ssh.c and the two main PuTTYgen programs call it once each), but if
one ever does (or if derived code does), it will want the reference
count to actually work sensibly.
Simon Tatham [Wed, 9 Oct 2013 18:36:56 +0000 (18:36 +0000)]
Don't pass WinSock error codes to strerror.
Martin Prikryl helpfully points out that when I revamped the socket
error mechanism using toplevel callbacks, I also accidentally passed
the error code to the wrong function. Use winsock_error_string instead.
Simon Tatham [Mon, 23 Sep 2013 14:35:08 +0000 (14:35 +0000)]
Fix cut-and-paste errors in nonfatal() implementations.
Unix GUI programs should not say 'Fatal Error' in the message box
title, and Plink should not destroy its logging context as a side
effect of printing a non-fatal error. Both appear to have been due to
inattentive cut and paste from the pre-existing fatal error functions.
Simon Tatham [Sun, 15 Sep 2013 14:40:46 +0000 (14:40 +0000)]
Oops! Remove a tight-looping diagnostic.
I temporarily applied it as a means of testing the revised event loops
in r10040, and accidentally folded it into my final commit instead of
backing it out. Ahem.
Simon Tatham [Sun, 15 Sep 2013 14:05:38 +0000 (14:05 +0000)]
Remove the timed part of the terminal paste mechanism.
In r10020 I carefully reimplemented using timing.c and callback.c the
same policy for large pastes that the previous code appeared to be
implementing ad-hoc, which included a 450ms delay between sending
successive lines of pasted text if no visible acknowledgment of the
just-sent line (in the form of a \n or \r) came back from the
application.
However, it turns out that that *wasn't* what the old code was doing.
It *would* have done that, but for the bug that it never actually set
the 'last_paste' variable, and never has done since it was first
introduced way back in r516! So the policy I thought had been in force
forever has in fact only been in force since I unwittingly fixed that
bug in r10020 - and it turns out to be a bad idea, breaking pastes
into vi in particular.
So I've removed the timed paste code completely, on the basis that
it's never actually worked and nobody seems to have been unhappy about
that. Now we still break large pastes into separate lines and send
them in successive top-level callbacks, and the user can still press a
key to interrupt a paste if they manage to catch it still going on,
but there's no attempted *delay* any more.
(It's possible that what I *really* ought to be doing is calling
back->sendbuffer() to see whether the backend is consuming the data
pasted so far, and if not, deferring the rest of the paste until the
send buffer becomes smaller. Then we could have pasting be delayed by
back-pressure from the recipient, and still manually interruptible
during that delay, but not have it delayed by anything else. But what
we have here should at least manage to be equivalent to the *actual*
rather than the intended old policy.)
Simon Tatham [Sun, 15 Sep 2013 14:05:31 +0000 (14:05 +0000)]
Only run one toplevel callback per event loop iteration.
This change attempts to reinstate as a universal property something
which was sporadically true of the ad-hockery that came before
toplevel callbacks: that if there's a _very long_ queue of things to
be done through the callback mechanism, the doing of them will be
interleaved with re-checks of other event sources, which might (e.g.)
cause a flag to be set which makes the next callback decide not to do
anything after all.
Simon Tatham [Sun, 8 Sep 2013 13:20:49 +0000 (13:20 +0000)]
Handle socket errors on half-open channels.
Anthony Ho reports that this can occur naturally in some situation
involving Windows 8 + IE 11 and dynamic port forwarding: apparently we
get through the SOCKS negotiation, send our CHANNEL_OPEN, and then
*immediately* suffer a local WSAECONNABORTED error before the server
has sent back its OPEN_CONFIRMATION or OPEN_FAILURE. In this situation
ssh2_channel_check_close was failing to notice that the channel didn't
yet have a valid server id, and sending out a CHANNEL_CLOSE anyway
containing 32 bits of uninitialised nonsense.
We now handle this by turning our half-open CHAN_SOCKDATA_DORMANT into
a half-open CHAN_ZOMBIE, which means in turn that our handler
functions for OPEN_CONFIRMATION and OPEN_FAILURE have to recognise and
handle that case, the former by immediately initiating channel closure
once we _do_ have the channel's server id to do it with.
Simon Tatham [Sat, 7 Sep 2013 16:15:11 +0000 (16:15 +0000)]
Fix SSH2_MSG_CHANNEL_EXTENDED_DATA in logparse.
It looks as if it's never worked at all: it had a spurious second
printf, it completely forgot to allow for the uint32 type code that
SSH2_MSG_CHANNEL_DATA doesn't have, it accessed the channel state's
sequence number fields in a way that made no sense and didn't match
the rest of the program, *and* it misinvoked the file opening API. I
must have never had an occasion to test it.
Simon Tatham [Sat, 7 Sep 2013 16:15:10 +0000 (16:15 +0000)]
Make logparse handle completely bogus channel numbers.
Previously it would throw a bunch of Perl undefined-variable-usage
warnings; now it cleanly detects the problem, dumps as much of the
message as it still reasonably can, and doesn't update any channel
states.
Simon Tatham [Mon, 26 Aug 2013 11:55:56 +0000 (11:55 +0000)]
Fix free of an uninitialised pointer.
CHAN_AGENT channels need c->u.a.message to be either NULL or valid
dynamically allocated memory, because it'll be freed by
ssh_channel_destroy. This bug triggers if an agent forwarding channel
is opened and closed without having sent any queries.
Simon Tatham [Thu, 22 Aug 2013 17:45:26 +0000 (17:45 +0000)]
Fix handling of IPv6 dynamic forwardings.
During the Conf revamp, I changed the internal representation of
dynamic forwardings so that they were stored as the conceptually
sensible L12345=D rather than the old D12345, and added compensation
code to translate to the latter form for backwards-compatible data
storage and for OpenSSH-harmonised GUI display. Unfortunately I forgot
that keys in the forwarding data can also prefix the L/R with a
character indicating IPv4/IPv6, and my translations didn't take
account of that possibility. Fix them.
Simon Tatham [Sun, 18 Aug 2013 06:48:20 +0000 (06:48 +0000)]
Sensibly enforce non-interactive rekeying.
We now only present the full set of host key algorithms we can handle
in the first key exchange. In subsequent rekeys, we present only the
host key algorithm that we agreed on the previous time, and then we
verify the host key by simply enforcing that it's exactly the same as
the one we saw at first and disconnecting rudely if it isn't.
Simon Tatham [Sat, 17 Aug 2013 16:06:40 +0000 (16:06 +0000)]
Make calling term_nopaste() a cross-platform feature.
It was one of those things that went in ages ago on Windows and never
got replicated in the Unix front end. And it needn't be: ldisc.c is a
perfect place to put it, since it knows which of the data it's sending
is based on a keystroke and which is automatically generated, and it
also has access to the terminal context. So now a keypress can
interrupt a runaway paste on all platforms.
Simon Tatham [Sat, 17 Aug 2013 16:06:27 +0000 (16:06 +0000)]
Revamp net_pending_errors using toplevel callbacks.
Again, I've removed the special-purpose ad-hockery from the assorted
front end message loops that dealt with deferred handling of socket
errors, and instead uxnet.c and winnet.c arrange that for themselves
by calling the new general top-level callback mechanism.
Simon Tatham [Sat, 17 Aug 2013 16:06:22 +0000 (16:06 +0000)]
Revamp GTK's session close handling using toplevel callbacks.
Instead of having a special GTK idle function for dealing with session
closing, I now use the new top-level callback mechanism which is
slightly simpler for calling a one-off function.
Also in this commit, I've arranged for connection_fatal to queue a
call to the same session close function after displaying the message
box, with the effect that now all the same processing takes place no
matter whether the session closes cleanly or uncleanly - e.g. the SSH
specials submenu is cleaned out, as it should be.
Simon Tatham [Sat, 17 Aug 2013 16:06:18 +0000 (16:06 +0000)]
Revamp Windows's close_session() using toplevel callbacks.
Instead of setting a must_close_session flag and having special code
in the message loop to check it, we'll schedule the call to
close_session using the new top-level callback system.
Simon Tatham [Sat, 17 Aug 2013 16:06:12 +0000 (16:06 +0000)]
Revamp the terminal paste mechanism using toplevel callbacks.
I've removed the ad-hoc front-end bodgery in the Windows and GTK ports
to arrange for term_paste to be called at the right moments, and
instead, terminal.c itself deals with knowing when to send the next
chunk of pasted data using a combination of timers and the new
top-level callback mechanism.
As a happy side effect, it's now all in one place so I can actually
understand what it's doing! It turns out that what all that confusing
code was up to is: send a line of pasted data, and delay sending the
next line until either a CR or LF is returned from the server
(typically indicating that the pasted text has been received and
echoed) or 450ms elapse, whichever comes first.
Simon Tatham [Sat, 17 Aug 2013 16:06:08 +0000 (16:06 +0000)]
Add a general way to request an immediate top-level callback.
This is a little like schedule_timer, in that the callback you provide
will be run from the top-level message loop of whatever application
you're in; but unlike the timer mechanism, it will happen
_immediately_.
The aim is to provide a general way to avoid re-entrance of code, in
cases where just _doing_ the thing you want done is liable to trigger
a confusing recursive call to the function in which you came to the
decision to do it; instead, you just request a top-level callback at
the message loop's earliest convenience, and do it then.
Simon Tatham [Thu, 15 Aug 2013 06:42:36 +0000 (06:42 +0000)]
Sebastian Kuschel reports that pfd_closing can be called for a socket
error with pr->c NULL, in which case calling sshfwd_unclean_close on
it will dereference NULL and segfault. Write an alternative error
handling path for that possibility.
(I don't know if it's the only way, but one way this can happen is if
you're doing dynamic forwarding and the socket error occurs during
SOCKS negotiation, in which case no SSH channel has been set up yet
because we haven't yet found out what we want to put in the
direct-tcpip channel open message.)
Simon Tatham [Tue, 13 Aug 2013 06:46:51 +0000 (06:46 +0000)]
It turns out I was a little over-strict in my handling of EOF in
pscp.c when I did the big revamp in r9279: I assumed that in any SCP
connection we would be the first to send EOF, but in fact this isn't
true - doing downloads with old-SCP, EOF is initiated by the server,
so we were spuriously reporting an error for 'unexpected' EOF when
everything had gone fine. Thanks to Nathan Phelan for the report.
Simon Tatham [Thu, 8 Aug 2013 17:22:07 +0000 (17:22 +0000)]
sbcsgen.pl uses 'select' to point Perl at a different default output
handle. Revert that when we hackily call it from mkfiles.pl, so that
if I have a need to insert diagnostics in the latter they won't go
into the end of sbcsdat.c.
Simon Tatham [Wed, 7 Aug 2013 06:22:52 +0000 (06:22 +0000)]
Revert the default for font bolding style back to using colours rather
than fonts. I broke this in r9559 when I added the option for 'both',
because the internal representation got offset by one so as to change
from a boolean to two bitfields and I must have confused myself about
what the default should be.
Simon Tatham [Mon, 5 Aug 2013 19:50:51 +0000 (19:50 +0000)]
The bignum code has two representations of zero, since
bn_restore_invariant (and the many loops that duplicate it) leaves a
single zero word in a bignum representing 0, whereas the constant
'Zero' does not have any data words at all. Cope with this in
bignum_cmp.
(It would be a better plan to decide on one representation and stick
with it, but this is the less disruptive fix for the moment.)
Simon Tatham [Sun, 4 Aug 2013 19:34:10 +0000 (19:34 +0000)]
Spot when we didn't successfully create an RSA public key from a
public blob, and return a proper error in that situation rather than a
struct with unhelpful NULLs in.
Simon Tatham [Sun, 4 Aug 2013 19:33:53 +0000 (19:33 +0000)]
More consistently defend against division by zero with assertions. We
now check that all the modular functions (modpow, modinv, modmul,
bigdivmod) have nonzero moduli, and that modinv also has a nonzero
thing to try to invert.
Simon Tatham [Sun, 4 Aug 2013 19:32:10 +0000 (19:32 +0000)]
Reinstate a piece of code accidentally removed in r9214, where Windows
PuTTY does not trim a colon suffix off the hostname if it contains
_more than one_ colon. This allows IPv6 literals to be entered.
(Really we need to do a much bigger revamp of all uses of hostnames to
arrange that square-bracketed IPv6 literals work consistently, but
this at least removes a regression over 0.62.)
Simon Tatham [Fri, 2 Aug 2013 22:33:40 +0000 (22:33 +0000)]
Raise the default scrollback from 200 to 2000 lines. The former was
not so silly in the 1990s and before I implemented scrollback
compression, but it's been a ridiculously low default for a while now.
Simon Tatham [Mon, 29 Jul 2013 17:47:33 +0000 (17:47 +0000)]
Remove one of the frees added in r9916. stat_name points to somewhere
within the same string that destfname points to the start of, so
freeing it causes at best a double-free of destfname and more likely a
free of something that isn't even the start of an allocated block.
Simon Tatham [Wed, 24 Jul 2013 19:18:06 +0000 (19:18 +0000)]
Get rid of the variable 'advapi' in Pageant's WinMain, which was never
actually used for anything sensible and could have been freed while
containing nonsense at program end.
Simon Tatham [Mon, 22 Jul 2013 07:12:31 +0000 (07:12 +0000)]
Increase FONT_MAXNO from 0x2f to 0x40, to ensure the fonts[] array
includes every possible combination of the font bitfields, in
particular ATTR_OEM|ATTR_NARROW.
Simon Tatham [Mon, 22 Jul 2013 07:12:26 +0000 (07:12 +0000)]
Correct an inequality sign causing the bounds check in Windows
palette_set() to be bogus. Fortunately, this isn't exploitable through
the terminal emulator, because the palette escape sequence parser
contains its own bounds check before even calling palette_set().
While I'm at it, fix the same goof in the OS X version! That port is
more or less abandoned, but that's no excuse for leaving obviously
wrong code lying around.
Simon Tatham [Mon, 22 Jul 2013 07:12:05 +0000 (07:12 +0000)]
Rationalise null pointer checks in both decode_codepage functions, so
that decode_codepage(NULL) and decode_codepage("") both return the
default character set.
Simon Tatham [Mon, 22 Jul 2013 07:11:58 +0000 (07:11 +0000)]
Fix a double error handling goof in the winstore side of the jump list
support: transform_jumplist_registry should give its caller
dynamically allocated data if and only if it returns JUMPLISTREG_OK,
and get_jumplist_registry_entries should test the return value against
JUMPLISTREG_OK rather than a value from a totally different enum.
Simon Tatham [Mon, 22 Jul 2013 07:11:54 +0000 (07:11 +0000)]
Another big batch of memory leak fixes, again mostly on error paths.
The most interesting one is printer_add_enum, which I've modified to
take a char ** rather than a char * so that it can both realloc its
input buffer _and_ return NULL to indicate error.
Simon Tatham [Mon, 22 Jul 2013 07:11:44 +0000 (07:11 +0000)]
Report an error if deleting a random seed file fails.
(This has also required me to add a currently unused nonfatal() to
PuTTYgen, since although PuTTYgen won't actually try to delete
putty.rnd, it does link in winstore.c as a whole.)
Simon Tatham [Mon, 22 Jul 2013 07:11:39 +0000 (07:11 +0000)]
Invent a win_strerror() function which behaves as much like Unix
strerror as I can arrange, wrapping up all the ugly FormatMessage
nonsense and caching previously looked-up messages for reuse so that
callers can treat them as static.
Simon Tatham [Sun, 21 Jul 2013 10:12:58 +0000 (10:12 +0000)]
If the SSH server sends us CHANNEL_CLOSE for a channel on which we're
sitting on a pile of buffered data waiting for WINDOW_ADJUSTs, we
should throw away that buffered data, because the CHANNEL_CLOSE tells
us that we won't be receiving those WINDOW_ADJUSTs, and if we hang on
to the data and keep trying then it'll prevent ssh_channel_try_eof
from sending the CHANNEL_EOF which is a prerequisite of sending our
own CHANNEL_CLOSE.
Simon Tatham [Sun, 21 Jul 2013 09:16:37 +0000 (09:16 +0000)]
Add '.so' to the list of file extensions cleared up by 'make clean' in
Makefile.cyg, since if you're building against Winelib it will
generate one of those alongside each .exe file.
Simon Tatham [Sun, 21 Jul 2013 07:40:36 +0000 (07:40 +0000)]
Completely remove the 'frozen_readable' mechanism from uxnet.c. It
parallels a similar mechanism in winnet.c and came over by copy and
paste, but is pointless in the Unix networking API.
On Windows, if you're using a mechanism such as WSAAsyncSelect which
delivers readability notifications as messages rather than return
values from a system call, you only get notified that a socket is
readable once - it remembers that it's told you, and doesn't tell you
again until after you've done a read. So in the case where we
intentionally stop reading from a socket because our local buffer is
full, and later want to start reading again, we do a read from the
socket with MSG_PEEK set, and that clears Windows's flag and tells it
to start sending us readability notifications again.
On Unix, select() and friends didn't do anything so strange in the
first place, so the whole mechanism is unnecessary.
Simon Tatham [Sat, 20 Jul 2013 13:15:11 +0000 (13:15 +0000)]
Another two mis-fixes from r9919: when we sfree(line) on exit from the
ssh.com and OpenSSH key import loops, we should also null it out so
that the cleanup path doesn't try to re-free the same pointer.
Simon Tatham [Sat, 20 Jul 2013 13:15:10 +0000 (13:15 +0000)]
Redo a mis-fix of a memory leak in r9919: I added sfree(data)
immediately after conf_deserialise in the Duplicate Session receiver,
whereas I should have put it after the subsequent loop that extracts
the pty argv if any.
Simon Tatham [Sat, 20 Jul 2013 11:31:24 +0000 (11:31 +0000)]
Switch to translating keystrokes using ToUnicodeEx rather than
ToAsciiEx, where possible.
This enables support for keys which generate Unicode characters that
aren't in the system code page, which seems to me like a perverse way
for Windows to have set up the system code page but apparently does
happen, e.g. (I'm told) U+0219 and U+021B on Romanian keyboards.
Simon Tatham [Sat, 20 Jul 2013 08:34:54 +0000 (08:34 +0000)]
Been meaning to get round to this for a while: use CryptGenRandom to
gather extra entropy at Windows PuTTY startup time. (It's only used as
one of the inputs to PuTTY's internal entropy pool, so nobody is
required to trust it.)
Simon Tatham [Fri, 19 Jul 2013 17:44:58 +0000 (17:44 +0000)]
Add some conditionally-compilable diagnostics to the RNG. I got
briefly worried that it might not be doing what I thought it was
doing, but examining these diagnostics shows that it is after all, and
now I've written them it would be a shame not to keep them for future
use.
Simon Tatham [Fri, 19 Jul 2013 17:44:28 +0000 (17:44 +0000)]
Add a nonfatal() function everywhere, to be used for reporting things
that the user really ought to know but that are not actually fatal to
continued operation of PuTTY or a single network connection.
projects / PuTTY.git / log