Simon Tatham [Sat, 20 Dec 2014 18:43:46 +0000 (18:43 +0000)]
Fix memory management in bignum_random_in_range.
We were allocating a new array in which to make up a random number
every time we went round the loop, and not freeing any of them. Now we
allocate a single array to use for all loop iterations, and clear and
free it properly afterwards.
Simon Tatham [Sat, 20 Dec 2014 18:42:22 +0000 (18:42 +0000)]
Fix a handle leak in Windows PSFTP.
We were checking the return value of CreateThread for validity, but
not keeping it to free afterwards if it _was_ valid. Also, we weren't
closing ctx->event in the valid case either. Patch due to Tim Kosse.
Simon Tatham [Sat, 20 Dec 2014 17:07:17 +0000 (17:07 +0000)]
Fixes to memory management in the elliptic curve code.
There was an error-handling path testing the wrong variable; an
inappropriate call to ec_point_free in decodepoint() (in fact, that
function always gets passed a pointer to an ec_point structure that's
not a dynamically allocated block at all or not in its own right, so
we should have just cleared its contents without freeing the structure
itself); a missing return on an error path which would have caused the
same structure to be freed a second time; and two missing freebn in
ecdsa_sign.
Simon Tatham [Sat, 20 Dec 2014 16:54:28 +0000 (16:54 +0000)]
Add a missing freeaddrinfo() in Unix sk_newlistener.
If we use getaddrinfo to translate the source IP address into a
sockaddr, then we need to freeaddrinfo the returned data later. Patch
due to Tim Kosse.
Simon Tatham [Sat, 22 Nov 2014 16:38:01 +0000 (16:38 +0000)]
Stop referring to Plink as "PuTTY Link".
I don't think anyone has ever actually called it that, colloquially
_or_ formally, and if anyone ever did (in a bug report, say) I'd
probably have to stop and think to work out what they meant. It's
universally called Plink, and should be officially so as well :-)
Simon Tatham [Sat, 22 Nov 2014 16:35:54 +0000 (16:35 +0000)]
Another missing initialisation.
This one spotted in the old-fashioned way, by actually attempting a
Plink raw connection and wondering why it didn't seem to be reading
from standard input! Turns out 'bufsize' is uninitialised until the
first send, which can inhibit any stdin reading if it gets a large
enough nonsense value.
Simon Tatham [Sat, 22 Nov 2014 16:30:29 +0000 (16:30 +0000)]
Consistently use &def for %makefile_extra pieces.
mkfiles.pl was giving a couple of annoying perl warnings, because some
makefile_extra strings were never set by Recipe. We already have the
&def function to convert undefs into "" for this reason, but weren't
using it everywhere. Now I think we are.
Simon Tatham [Sat, 22 Nov 2014 16:12:47 +0000 (16:12 +0000)]
Move echo/edit state change functionality out of ldisc_send.
I'm not actually sure why we've always had back ends notify ldisc of
changes to echo/edit settings by giving ldisc_send(ldisc,NULL,0,0) a
special meaning, instead of by having a separate dedicated notify
function with its own prototype and parameter set. Coverity's recent
observation that the two kinds of call don't even have the same
requirements on the ldisc (particularly, whether ldisc->term can be
NULL) makes me realise that it's really high time I separated the two
conceptually different operations into actually different functions.
While I'm here, I've renamed the confusing ldisc_update() function
which that special operation ends up feeding to, because it's not
actually a function applying to an ldisc - it applies to a front end.
So ldisc_send(ldisc,NULL,0,0) is now ldisc_echoedit_update(ldisc), and
that in turn figures out the current echo/edit settings before passing
them on to frontend_echoedit_update(). I think that should be clearer.
Simon Tatham [Sat, 22 Nov 2014 10:18:16 +0000 (10:18 +0000)]
Fix uninitialised variable in two Windows event loops.
If (Msg)WaitForMultipleObjects returns WAIT_TIMEOUT, we expect 'next'
to have been initialised. This can occur without having called
run_timers(), if a toplevel callback was pending, so we can't expect
run_timers to have reliably initialised 'next'.
I'm not actually convinced this could have come up in either of the
affected programs (Windows PSFTP and Plink), due to the list of things
toplevel callbacks are currently used for, but it certainly wants
fixing anyway for the future.
Simon Tatham [Sat, 22 Nov 2014 10:37:14 +0000 (10:37 +0000)]
Clarify when ldisc->term may be NULL.
Namely, any ldisc that you send actual data through should have a
terminal attached, because the ldisc editing/echoing system is
designed entirely for use with a terminal. The only time you can have
an ldisc with no terminal is when it's only ever used by the backend
to report changes to the front end in edit/echo status, e.g. by Unix
Plink.
Coverity spotted an oddity in ldisc_send which after a while I decided
would never have actually caused a problem, but OTOH I agree that it
was confusing, so now hopefully it's less so.
Simon Tatham [Sat, 22 Nov 2014 10:12:47 +0000 (10:12 +0000)]
Fix typo in validate_manual_hostkey().
'p += strcspn' returns p always non-NULL and sometimes pointing at \0,
as opposed to 'p = strchr' which returns p sometimes non-NULL and
never pointing at \0. Test the pointer after the call accordingly.
Thanks, Coverity.
Simon Tatham [Mon, 10 Nov 2014 18:29:00 +0000 (18:29 +0000)]
Shut down connshare upstream along with the SSH connection.
This ought to happen in ssh_do_close alongside the code that shuts
down other local listening things like port forwardings, for the same
obvious reason. In particular, we should get through this _before_ we
put up a modal dialog box telling the user what just went wrong with
the SSH connection, so that further sessions started while that box is
active don't try futilely to connect to the not-really-listening
zombie upstream.
Jacob Nevins [Sun, 9 Nov 2014 00:08:36 +0000 (00:08 +0000)]
Disable manual host key config in mid-session.
Changing it can't have any useful effect, since we have strictly
enforced that the host key used for rekeys is the same as the first key
exchange since b8e668c.
Simon Tatham [Sat, 1 Nov 2014 19:33:29 +0000 (19:33 +0000)]
Fix details of the Pageant and PuTTYgen GUIs for ECDSA.
Pageant's list box needs its tab stops reorganised a little for new
tendencies in string length, and also has to cope with there only
being one prefix space in the output of the new string fingerprint
function. PuTTYgen needs to squash more radio buttons on to one line.
Chris Staite [Sat, 1 Nov 2014 09:45:20 +0000 (09:45 +0000)]
Elliptic-curve cryptography support.
This provides support for ECDSA public keys, for both hosts and users,
and also ECDH key exchange. Supported curves are currently just the
three NIST curves required by RFC 5656.
Chris Staite [Sat, 1 Nov 2014 08:59:25 +0000 (08:59 +0000)]
Provide SHA-384 and SHA-512 as hashes usable in SSH KEX.
SHA-384 was previously not implemented at all, but is a trivial
adjustment to SHA-512 (different starting constants, and truncate the
output hash). Both are now exposed as 'ssh_hash' structures so that
key exchange methods can ask for them.
Chris Staite [Sat, 1 Nov 2014 09:14:19 +0000 (09:14 +0000)]
Refactoring to prepare for extra public key types.
The OpenSSH key importer and exporter were structured in the
assumption that the strong commonality of format between OpenSSH RSA
and DSA keys would persist across all key types. Moved code around so
it's now clear that this is a peculiarity of those _particular_ two
key types which will not apply to others we add alongside them.
Also, a boolean 'is_dsa' in winpgen.c has been converted into a more
sensible key type enumeration, and the individually typed key pointers
have been piled on top of each other in a union.
This is a pure refactoring change which should have no functional
effect.
Simon Tatham [Sat, 1 Nov 2014 19:48:48 +0000 (19:48 +0000)]
Factor out the DSA deterministic k generator.
It's now a separate function, which you call with an identifying
string to be hashed into the generation of x. The idea is that other
DSA-like signature algorithms can reuse the same function, with a
different id string.
As a minor refinement, we now also never return k=1.
Simon Tatham [Tue, 28 Oct 2014 18:39:55 +0000 (18:39 +0000)]
Fix two double-frees in ssh2_load_userkey().
We should NULL out mac after freeing it, so that the cleanup code
doesn't try to free it again; also if the final key creation fails, we
should avoid freeing ret->comment when we're going to go to that same
cleanup code which will free 'comment' which contains the same pointer.
Thanks to Christopher Staite for pointing these out.
Simon Tatham [Wed, 1 Oct 2014 18:33:45 +0000 (18:33 +0000)]
Add a missing bounds check in the Deflate decompressor.
The symbol alphabet used for encoding ranges of backward distances in
a Deflate compressed block contains 32 symbol values, but two of them
(symbols 30 and 31) have no meaning, and hence it is an encoding error
for them to appear in a compressed block. If a compressed file did so
anyway, this decompressor would index past the end of the distcodes[]
array. Oops.
This is clearly a bug, but I don't believe it's a vulnerability. The
nonsense record we load from distcodes[] in this situation contains an
indeterminate bogus value for 'extrabits' (how many more bits to read
from the input stream to complete the backward distance) and also for
the offset to add to the backward distance after that. But neither of
these can lead to a buffer overflow: if extrabits is so big that
dctx->nbits (which is capped at 32) never exceeds it, then the
decompressor will simply swallow all further data without producing
any output, and otherwise the decompressor will consume _some_ number
of spare bits from the input, work out a backward distance and an
offset in the sliding window which will be utter nonsense and probably
out of bounds, but fortunately will then AND the offset with 0x7FFF at
the last minute, which makes it safe again. So I think the worst that
a malicious compressor can do is to cause the decompressor to generate
strange data, which of course it could do anyway if it wanted to by
sending that same data legally compressed.
Simon Tatham [Wed, 24 Sep 2014 10:33:13 +0000 (10:33 +0000)]
Rework versioning system to not depend on Subversion.
I've shifted away from using the SVN revision number as a monotonic
version identifier (replacing it in the Windows version resource with
a count of days since an arbitrary epoch), and I've removed all uses
of SVN keyword expansion (replacing them with version information
written out by Buildscr).
While I'm at it, I've done a major rewrite of the affected code which
centralises all the computation of the assorted version numbers and
strings into Buildscr, so that they're all more or less alongside each
other rather than scattered across multiple source files.
I've also retired the MD5-based manifest file system. A long time ago,
it seemed like a good idea to arrange that binaries of PuTTY would
automatically cease to identify themselves as a particular upstream
version number if any changes were made to the source code, so that if
someone made a local tweak and distributed the result then I wouldn't
get blamed for the results. Since then I've decided the whole idea is
more trouble than it's worth, so now distribution tarballs will have
version information baked in and people can just cope with that.
Simon Tatham [Tue, 23 Sep 2014 12:38:16 +0000 (12:38 +0000)]
Bodge around the failing Coverity build in winshare.c.
The winegcc hack I use for my Coverity builds is currently using a
version of wincrypt.h that's missing a couple of constants I use.
Ensure they're defined by hand, but (just in case I defined them
_wrong_) also provide a command-line define so I can do that only in
the case of Coverity builds.
Simon Tatham [Tue, 9 Sep 2014 12:47:39 +0000 (12:47 +0000)]
Change the naming policy for connection-sharing Unix sockets.
I had initially assumed that, since all of a user's per-connection
subdirectories live inside a top-level putty-connshare.$USER directory
that's not accessible to anyone else, there would be no need to
obfuscate the names of the internal directories for privacy, because
nobody would be able to look at them anyway.
Unfortunately, that's not true: 'netstat -ax' run by any user will
show up the full pathnames of Unix-domain sockets, including pathname
components that you wouldn't have had the access to go and look at
directly. So the Unix connection sharing socket names do need to be
obfuscated after all.
Since Unix doesn't have Windows's CryptProtectMemory, we have to do
this manually, by creating a file of random salt data inside the
top-level putty-connshare directory (if there isn't one there already)
and then hashing that salt with the "user@host" connection identifier
to get the socket directory name. What a pain.
Simon Tatham [Tue, 9 Sep 2014 11:46:24 +0000 (11:46 +0000)]
New option to manually configure the expected host key(s).
This option is available from the command line as '-hostkey', and is
also configurable through the GUI. When enabled, it completely
replaces all of the automated host key management: the server's host
key will be checked against the manually configured list, and the
connection will be allowed or disconnected on that basis, and the host
key store in the registry will not be either consulted or updated.
The main aim is to provide a means of automatically running Plink,
PSCP or PSFTP deep inside Windows services where HKEY_CURRENT_USER
isn't available to have stored the right host key in. But it also
permits you to specify a list of multiple host keys, which means a
second use case for the same mechanism will probably be round-robin
DNS names that select one of several servers with different host keys.
Host keys can be specified as the standard MD5 fingerprint or as an
SSH-2 base64 blob, and are canonicalised on input. (The base64 blob is
more unwieldy, especially with Windows command-line length limits, but
provides a means of specifying the _whole_ public key in case you
don't trust MD5. I haven't bothered to provide an analogous mechanism
for SSH-1, on the basis that anyone worrying about MD5 should have
stopped using SSH-1 already!)
Simon Tatham [Tue, 9 Sep 2014 11:46:14 +0000 (11:46 +0000)]
Add an option to suppress horizontal scroll bars in list boxes.
I'm about to add a list box which expects to contain some very long
but uninformative strings, and which is also quite vertically squashed
so there's not much room for a horizontal scroll bar to appear in it.
So here's an option in the list box specification structure which
causes the constructed GTKTreeView to use the 'ellipsize' option for
all its cell renderers, i.e. too-long strings are truncated with an
ellipsis.
Windows needs no change, because its list boxes already work this way.
Simon Tatham [Tue, 9 Sep 2014 11:46:10 +0000 (11:46 +0000)]
Move base64_decode_atom into misc.c.
I'm about to need to refer to it from a source file that won't
necessarily always be linked against sshpubk.c, so it needs to live
somewhere less specialist. Now it sits alongside base64_encode_atom
(already in misc.c for another reason), which is neater anyway.
Simon Tatham [Tue, 9 Sep 2014 11:46:07 +0000 (11:46 +0000)]
Handle save/load of set-typed config items.
I'm about to introduce a configuration option which is really a _set_
of string values (rather than an ordered list), and I'm going to
represent it in Conf as a string->string map (since that's a data type
we already support) in which every key which exists at all maps to the
empty string.
This change modifies settings.c so that it can write out such options
into the saved session as a comma-separated list of the key strings
only, rather than the form 'string1=,string2=,string3=' which you'd
get if you just used the existing wmap().
(Reading the result back in turns out not to need a code change - the
existing code already does what we want if it's reading a list of
key=value pairs and one of them doesn't have an = sign at all.)
Simon Tatham [Sun, 7 Sep 2014 13:06:52 +0000 (13:06 +0000)]
Close the listening socket when a sharing upstream dies.
Without this, doing 'Restart Session' on Windows in a session with
sharing enabled but no actual sharing being done would crash, because
the first incarnation of the session would become an upstream and
establish a listening named pipe, which then wouldn't get cleaned up
when the session closed, so the restarted session would try to connect
to it, triggering a call to plug_accepting on a freed sharestate.
Simon Tatham [Sun, 7 Sep 2014 13:06:50 +0000 (13:06 +0000)]
Cope with REG_SZ data not having a trailing NUL.
A user points out that the person who writes a REG_SZ into the
registry can choose whether or not to NUL-terminate it properly, and
if they don't, RegQueryValueEx will retrieve it without the NUL. So if
someone does that to PuTTY's saved session data, then PuTTY may
retrieve nonsense strings.
Arguably this is the fault of whoever tampered with the saved session
data without doing it the same way we would have, but even so, there
ought to be some handling at our end other than silently returning the
wrong data, and putting the NUL back on seems more sensible than
complaining loudly.
Simon Tatham [Wed, 27 Aug 2014 22:25:37 +0000 (22:25 +0000)]
Fix null dereference in ldisc_configure.
The IDM_RECONF handler unconditionally calls ldisc_configure to
reconfigure the line discipline for the new echo/edit settings, but in
fact ldisc can be NULL if no session is currently active. (Indeed, the
very next line acknowledges this, by testing it for NULL before
calling ldisc_send!) Thanks to Alexander Wong for the report.
Simon Tatham [Mon, 28 Jul 2014 17:47:36 +0000 (17:47 +0000)]
Fix another crash at KEXINIT time, ahem.
This is the same code I previously fixed for failing to check NULL
pointers coming back from ssh_pkt_getstring if the server's KEXINIT
ended early, leading to an embarrassing segfault in place of a fatal
error message. But I've now also had it pointed out to me that the
fatal error message passes the string as %s, which is inappropriate
because (being read straight out of the middle of an SSH packet) it
isn't necessarily zero-terminated!
This is still just an embarrassing segfault in place of a fatal error
message, and not exploitable as far as I can see, because the string
is passed to a dupprintf, which will either read off the end of
allocated address space and segfault non-exploitably, or else it will
find a NUL after all and carefully allocate enough space to format an
error message containing all of the previous junk. But still, how
embarrassing to have messed up the same code _twice_.
Simon Tatham [Thu, 24 Jul 2014 18:13:16 +0000 (18:13 +0000)]
Truncate all terminal lines when we clear scrollback.
Now Jacob has reminded me that 'resize-no-truncate' was already on the
wishlist, I notice that it suggested Clear Scrollback should remove
the preserved information off to the right. On the basis that that's
(at least partly) a privacy feature, that seems sensible, so let's do it.
Simon Tatham [Wed, 23 Jul 2014 21:48:02 +0000 (21:48 +0000)]
Preserve truncated parts of terminal lines after a resize.
We now only truncate a termline to the current terminal width if we're
actually going to modify it. As a result, resizing to a narrower
terminal width and then immediately back again, with no terminal
output in between, should restore the previous screen contents. Only
lines that are actually modified while the terminal is narrow (and
scrolling them around doesn't count as modification) should now be
truncated.
This will be a bit nicer for Unix window resizing (since X lacks the
Windows distinction between mid-drag resize events and the ultimate
drag-release, so can't defer the call to term_size until the latter as
we can on Windows), but mostly it's inspired by having played with a
tiling window manager recently and hence realised that in some
environments windows will be resized back and forth without much
control as a side effect of just moving them around - so it's
generally desirable for resizes to be non-destructive.
Simon Tatham [Sun, 13 Jul 2014 07:49:29 +0000 (07:49 +0000)]
Another fix to timer handling.
Robert de Bath points out that failure to remove the timer whose
callback returned FALSE may not have been the cause of runaway timer
explosion; another possibility is that a function called from
timer_trigger()'s call to run_timers() has already set a timer up by
the time run_timers() returns, and then we set another one up on top
of it. Fix that too.
Simon Tatham [Tue, 8 Jul 2014 22:22:12 +0000 (22:22 +0000)]
Work around a timer leak with GTK 2.4.22 on openSUSE 13.1.
Mihkel Ader reports that on that system, timers apparently aren't
getting auto-destroyed when timer_trigger returns FALSE, so the change
in r10181 has caused GTK PuTTY to gradually allocate more and more
timers and consume more and more CPU as they all keep firing.
As far as I can see, this must surely be a bug in GTK 2 (the docs say
that timers _are_ auto-destroyed when their callback returns false),
and it doesn't seem to happen for me with GTK 2.4.23 on Ubuntu 14.04.
However, I'll try to work around it by _explicitly_ destroying each
old timer before we zero out the variable containing its id.
Simon Tatham [Mon, 7 Jul 2014 19:47:23 +0000 (19:47 +0000)]
Fix automatic version numbering in the Unix tarball.
Manfred Schwarb points out that when I moved the autoconf machinery up
from the unix subdirectory to the top level, in r10141, I missed a
couple of lingering $(srcdir)/.. in the make rule for version.o, as a
result of which the automatic checking of the manifest wasn't doing
its thing and tools built from a standard .tar.gz were reporting as
'Unidentified build'.
Simon Tatham [Sun, 6 Jul 2014 14:05:39 +0000 (14:05 +0000)]
Implement this year's consensus on CHANNEL_FAILURE vs CHANNEL_CLOSE.
We now expect that after the server has sent us CHANNEL_CLOSE, we
should not expect to see any replies to our outstanding channel
requests, and conversely after we have sent CHANNEL_CLOSE we avoid
sending any reply to channel requests from the server. This was the
consensus among implementors discussing the problem on ietf-ssh in
April 2014.
To cope with current OpenSSH's (and perhaps other servers we don't
know about yet) willingness to send request replies after
CHANNEL_CLOSE, I introduce a bug-compatibility flag which is detected
for every OpenSSH version up to and including the current 6.6 - but
not beyond, since https://bugzilla.mindrot.org/show_bug.cgi?id=1818
promises that 6.7 will also implement the new consensus behaviour.
Simon Tatham [Tue, 13 May 2014 19:19:28 +0000 (19:19 +0000)]
Explicitly set the owning SID in make_private_security_descriptor.
Philippe Maupertuis reports that on one particular machine, Windows
causes the named pipe created by upstream PuTTY to be owned by the
Administrators group SID rather than the user's SID, which defeats the
security check in the downstream PuTTY. No other machine has been
reported to do this, but nonetheless it's clearly a thing that can
sometimes happen, so we now work around it by specifying explicitly in
the security descriptor for the pipe that its owner should be the user
SID rather than any other SID we might have the right to use.
Simon Tatham [Wed, 23 Apr 2014 14:05:31 +0000 (14:05 +0000)]
Prevent double-inclusion of ssh.h in case of -DNO_SECURITY.
winshare.c includes ssh.h, but if you defined NO_SECURITY it then
decides to fall back to including the stub noshare.c, which includes
ssh.h again. Fix by moving a block of includes inside the ifdef.
Simon Tatham [Tue, 22 Apr 2014 17:53:50 +0000 (17:53 +0000)]
Fix the prototype of the stub function in noshare.c.
It's an old prototype from part way through the development of
connection sharing, which I must have forgotten to fix because by the
time I changed the prototype no platform was using noshare.c any more.
Simon Tatham [Sun, 20 Apr 2014 16:48:18 +0000 (16:48 +0000)]
Fix an annoying warning from GTK on Ubuntu 14.04.
Timer objects evaporate when our timer_trigger callback is called, and
therefore we should not remember their ids beyond that time and
attempt to cancel them later. Previous versions of GTK silently
ignored us doing that, but upgrading to Ubuntu Trusty has given me a
version of GTK that complains about it, so let's stop doing it.
projects / PuTTY.git / log