Jacob Nevins [Tue, 28 Jul 2009 23:45:48 +0000 (23:45 +0000)]
Alex Besogonov suggests that our Unix autoconf GSSAPI library search order is
sub-optimal -- apparently it prefers shishi above Heimdal, and apparently
that's bad.
Simon Tatham [Wed, 10 Jun 2009 17:42:15 +0000 (17:42 +0000)]
Clearing and refilling the code-pages list box can cause a
re-entrant call to its handler in config.c, which destroys the
previous value in cfg->line_codepage. Therefore, preserve the right
value in an automatic variable until all the re-entrant calls have
finished.
Simon Tatham [Mon, 11 May 2009 08:46:17 +0000 (08:46 +0000)]
Pango-based font handling: combine display of adjacent characters
into a single gdk_draw_layout() where conveniently feasible, after
some work with xtrace revealed this as a major source of pterm's
slow display updates when using client-side fonts.
Ideally we ought to be able to do better. I know exactly what
sequence of X protocol operations I want to see on the wire, but I
don't know how to persuade Pango to generate them.
Simon Tatham [Thu, 23 Apr 2009 17:39:36 +0000 (17:39 +0000)]
When giving authorisation errors from the proxy code in x11fwd.c,
name the proxy using the global 'appname' variable, instead of
statically calling it PuTTY.
(Knock-on effect is that PSCP and PSFTP have to declare that
variable, though of course they shouldn't ever actually _use_ the X
forwarding code. Probably I ought to replace it with a stub
nox11fwd.c for those applications.)
Simon Tatham [Thu, 23 Apr 2009 17:33:42 +0000 (17:33 +0000)]
When starting a SOCKS connection in dynamic forwarding, freeze the
local socket _before_ calling the SSH setup functions. This makes no
difference to ssh.c itself, but it makes portfwd.c easier to reuse
for other purposes (e.g. as a component of a standalone SOCKS
server), because now ssh_send_port_open() can itself call
pfd_confirm() without the freeze and unfreeze happening in the wrong
order.
Simon Tatham [Tue, 24 Mar 2009 22:24:31 +0000 (22:24 +0000)]
Support in the cross-platform code for translating to and from
UTF-16 when exchanging wchar_t strings with the front end. Enabled
by a #define in the platform's header file (one should not
promiscuously translate UTF-16 surrogate pairs on 32-bit wchar_t
platforms since that could give rise to redundant encoding attacks),
which is present on Windows.
Jacob Nevins [Tue, 3 Mar 2009 19:57:58 +0000 (19:57 +0000)]
Fix cosmetic keyboard-interactive issue: at the end of a normal k-i session,
some servers (Debian in particular seems prone to this) send a k-i packet with
no prompts and nothing to display. We were printing an extra "Using
keyboard-interactive authentication" message in this case. (Introduced by me
in r8172, I think.)
Simon Tatham [Tue, 3 Mar 2009 18:35:53 +0000 (18:35 +0000)]
Handle more gracefully the possibility of a keyboard-interactive
prompts packet containing no actual prompts (perhaps due to odd
server organisation, or perhaps so it can print a banner message and
do nothing else). Previously, the get_userpass_input functions
always returned failure when in '-batch' mode, even in this case
where no actual input would be required.
Simon Tatham [Sat, 28 Feb 2009 23:04:58 +0000 (23:04 +0000)]
Stop using physical tabs in Python. (I was goaded into doing this by
my editor, which has defaulted to showing them as explicit ^I for a
while now, but it seems like a generally prudent idea in any case.)
Simon Tatham [Sat, 28 Feb 2009 16:52:42 +0000 (16:52 +0000)]
Debian bug #517535: we were unconditionally interpreting the
'string' field in a GdkEventKey structure as ISO-8859-1, which was
correct for GTK 1.2 but in 2.0 that field is encoded according to
the current C library locale. Hence, we now process that field by
converting it to UTF-8 via trips through both libc and libcharset,
and then let lpage_send() convert from UTF-8 back to whatever it's
supposed to actually go down the line in.
Jacob Nevins [Tue, 24 Feb 2009 01:01:23 +0000 (01:01 +0000)]
Since r8305, Unix PuTTY has always "upgraded" an X11 display like "localhost:0"
to a Unix-domain socket. This typically works fine when PuTTY is run on the
same machine as the X server, but it's broken multi-hop X forwarding through
OpenSSH; when OpenSSH creates a proxy X server "localhost:10", it only listens
on TCP, not on a Unix-domain socket.
Instead, when deciding on the details of the display, we actively probe to see
if there's a Unix-domain socket we can use instead, and only use it if it's
there, falling back to the specified IP "localhost" if not.
Independently, when looking for local auth details in Xauthority for a
"localhost" TCP display, we prefer a matching Unix-domain entry, but will fall
back to an IP "localhost" entry (which would be unusual, but we don't trust a
Windows X server not to do it) -- this is a generalisation of the special case
added in r2538 (but removed in r8305, as the automatic upgrade masked the need
for it).
(This is now done in platform-independent code, so a side-effect is that
get_hostname() is now part of the networking abstraction on all platforms.)
Jacob Nevins [Mon, 23 Feb 2009 22:40:09 +0000 (22:40 +0000)]
Stop attempting to make session logs private on Unix. This was introduced in
r7084 at the same time as sensible permissions when writing private key files;
however, it causes an assertion failure whenever an attempt is made to append
to an existing log file on Unix, and it's not clear what "is_private" *should*
do for append, so revert to log file security being the user's responsibility.
(Fixes Ubuntu LP#212711.)
Simon Tatham [Tue, 3 Feb 2009 21:22:52 +0000 (21:22 +0000)]
The Windows config option to point at an X authority file is only
read at connection setup time, so don't offer it in the Change
Settings dialog box.
(In particular, this fixes an assertion failure when selecting
Change Settings on a non-SSH connection, since wincfg.c would have
added that control to Connection/SSH/X11 when the parent panel
Connection/SSH didn't exist. Making the control conditional on the
selected protocol would have been sufficient to fix that failure,
but I now realise that the setting should never have been presented
in mid-session in any case.)
Simon Tatham [Wed, 21 Jan 2009 18:47:03 +0000 (18:47 +0000)]
Don't call ReleaseCapture() on any mouse-button-up event. Instead,
only call it when the _last_ mouse button comes back up. Otherwise,
xterm mouse tracking will lose a button-up event if you press down
two buttons, move the mouse outside the window, then release them
one at a time.
Simon Tatham [Mon, 12 Jan 2009 20:41:28 +0000 (20:41 +0000)]
Patch from Gert-Jan Vons: create an event handle to go in the
OVERLAPPED structure in output threads, as we already do for input
threads. This apparently sorts out a hanging issue with serial ports
when trying to do simultaneous read and write, because (GJV says,
and it sounds plausible to me) in the absence of that event object
Windows signals the file handle itself to notify GetOverlappedResult
that it can return - and since the file handle might be being
signalled by a read operation instead, that leads to ambiguity.
Using an explicit event object in both directions means Windows
always knows which way the data is going.
Also a trivial fix in handle_output_new(), which was referencing the
wrong element of a union due to a copy and paste error. (Since the
result was address-taken and cast to void *, this wasn't a
functional error, but it was conceptually wrong.)
Ben Harris [Sun, 11 Jan 2009 14:26:27 +0000 (14:26 +0000)]
Arguments to ctype functions are required to be either EOF or representable
as unsigned char. This means that passing in a bare char is incorrect on
systems where char is signed. Sprinkle some appropriate casts to prevent
this.
Simon Tatham [Fri, 9 Jan 2009 18:55:45 +0000 (18:55 +0000)]
Weaken the assertion in general_textout(). It was failing in the
case of double-width text (ESC # 3, ESC # 4, ESC # 6), because the
string passed to it was not truncated to the same width as the
clipping rectangle. (In fact, it _can't_ reliably be, in the case
where the window width is odd.) So instead we just assert that we
managed to _at least_ fill the clipping rectangle, not that we
exactly filled it.
The problem is easily reproduced by sending ESC # 8 (fill the screen
with Es) followed by ESC # 3. It doesn't typically happen, though,
if you _manually_ fill the screen with Es, because in that case
PuTTY's terminal buffer ends up being filled with CSET_ACP | 'E' or
similar, which means that general_textout() never gets called
because one of the other branches of do_text_internal() does the
work instead. ESC # 8 will fill the terminal buffer with genuine
_Unicode_ 'E' characters, which exercises the failing code path.
Simon Tatham [Thu, 8 Jan 2009 18:19:52 +0000 (18:19 +0000)]
Colin also suggests that we can replace the backticks in the GTK
makefile with make's own $(shell ...) function, which means that
gtk-config and krb5-config and so on only get run once per make
invocation instead of once per gcc invocation.
Simon Tatham [Thu, 8 Jan 2009 18:18:14 +0000 (18:18 +0000)]
Colin Watson reports a strange problem whereby krb5-config
incorporates the environment variable CFLAGS into its output. Avoid
exporting our version of it from the Makefile (which actually causes
build failures, since quoting phase issues mean that the backticks
in our version end up unexpanded).
Jacob Nevins [Mon, 5 Jan 2009 23:36:14 +0000 (23:36 +0000)]
sk_address_is_local() failed to cope when presented with a Unix-domain socket.
This could cause Unix PuTTY to segfault when X forwarding over an SSH session
through a proxy.
(sk_getaddr() wouldn't cope either -- in that case, add an assertion to make it
more obvious; I don't think it should ever happen.)
Jacob Nevins [Mon, 5 Jan 2009 22:53:14 +0000 (22:53 +0000)]
Be prepared for x11_setup_display() to return NULL (for instance, if DISPLAY
has invalid contents). Simply refuse to try X forwarding in this circumstance.
Jacob Nevins [Mon, 5 Jan 2009 19:39:27 +0000 (19:39 +0000)]
r5080 didn't go far enough -- since 0.58, anyone on Unix who didn't previously
have default settings for "bell overload" mode will have inherited a twitchy
set of defaults where bells are disabled after 2ms and enabled after 5ms,
rather than 2s and 5s as intended. This error has probably propagated into some
people's saved sessions by now, but there's not much to be done.
Jacob Nevins [Mon, 5 Jan 2009 02:45:38 +0000 (02:45 +0000)]
Add some hard-coded textual literal-IP representations of localhost to
sk_hostname_is_local(), to catch the case where we're doing something like X11
forwarding over SSH through a proxy, and we've thus disabled local lookup of
hostnames.
(I think this is what's behind the report in
<e9a86996-5dc2-4428-9b0c-c65693ca6351@m32g2000hsf.googlegroups.com>
in comp.security.ssh, although I'd like to know more of the circumstances.)
Jacob Nevins [Mon, 5 Jan 2009 01:01:58 +0000 (01:01 +0000)]
Cope with a (non-standard) ENAMETOOLONG return from gethostname(); glibc will
do this if the supplied buffer isn't big enough, which shouldn't lead to
complete abandonment of X11 auth. (Would only have bitten with hostnames
>255 chars anyway.)
Jacob Nevins [Sun, 4 Jan 2009 23:28:25 +0000 (23:28 +0000)]
r8305 seems to have made Unix PuTTY rather over-keen on Unix-domain sockets;
unless a protocol is explicitly specified with "tcp/foovax:0", it assume a
Unix-domain socket, thus not allowing a remote display on a machine other than
the client.
Jacob Nevins [Sun, 4 Jan 2009 22:24:08 +0000 (22:24 +0000)]
Bah, I've bumped into this often enough. Change one unsatisfactory cast for
another to shut up "warning: cast from pointer to integer of different size"
(and hence a -Werror compile failure) when compiling for Unix with DEBUG
defined on atreus (x86_64). Minimally checked that it doesn't introduce upset
elsewhere (i386).
Jacob Nevins [Sat, 20 Dec 2008 19:43:20 +0000 (19:43 +0000)]
"Derek" reports that the DECSLPP report of window-size-in-pixels (CSI 14 t)
has width and height swapped. Since both a random xterm I have and
<http://invisible-island.net/xterm/ctlseqs/ctlseqs.txt> agree with him, I've
changed ours. (This stuff appears to originate in dtterm, but I can't check the
behaviour of that right now.)
While I'm here, the are-we-iconified report (CSI 11 t) looks to have the
wrong sense compared to the same sources, so swap that too.
(All this has been this way since it was originally implemented in r1414,
which doesn't cite a source. all-escapes is silent too.)
Simon Tatham [Mon, 1 Dec 2008 23:03:11 +0000 (23:03 +0000)]
Add missing call to gtk_selection_clear_targets(), without which the
list of selection targets offered by GTK PuTTY/pterm grows an extra
copy of each of the three supported text formats every time the user
makes a selection!
Ben Harris [Mon, 1 Dec 2008 21:18:29 +0000 (21:18 +0000)]
Change the Unix version of Ssh_gss_name to be a gss_name_t rather than
void *, and hence eliminate a few casts. The Windows definition is
unchanged, but I daresay I've managed to stop it compiling nonetheless.
Jacob Nevins [Sun, 30 Nov 2008 21:35:33 +0000 (21:35 +0000)]
As far as I can tell, "simple@putty.projects.tartarus.org" has always been
implemented as a channel request, not a global one. Change documentation to
match implementation.
Simon Tatham [Fri, 28 Nov 2008 18:28:23 +0000 (18:28 +0000)]
Move the code that reads the Windows clipboard into a trivial
subthread, so that it won't deadlock if fetching the content of the
clipboard turns out to depend on a network connection forwarded
through PuTTY.
Ben Harris [Wed, 26 Nov 2008 14:30:58 +0000 (14:30 +0000)]
Jacob correctly points out that I accidentally lost a clearing of
s->gss_sndtok in r8326. I'm not sure it was strictly necessary, since
even if there's no send token, gss_init_sec_context() is meant to explicitly
make it empty, but it wasn't an intentional change.
Ben Harris [Wed, 26 Nov 2008 12:49:25 +0000 (12:49 +0000)]
Mitigation for VU#958563: When using a CBC-mode server-to-client cipher
under SSH-2, don't risk looking at the length field of an incoming packet
until we've successfully MAC'ed the packet.
This requires a change to the MAC mechanics so that we can calculate MACs
incrementally, and output a MAC for the packet so far while still being
able to add more data to the packet later.
Ben Harris [Tue, 25 Nov 2008 22:11:17 +0000 (22:11 +0000)]
Now that we use real gss_buffer_ts, there's no need to muck about with
casts when passing them to GSS-API functions. Removing them makes the code
more readable and allows better type-checking.
Simon Tatham [Tue, 25 Nov 2008 18:54:05 +0000 (18:54 +0000)]
Have wingss.c include <windows.h> by way of putty.h rather than
directly. Fixes a build failure involving name clashes between
winsock2.h and winsock.h, which had somehow managed to get included
in succession.
Jacob Nevins [Tue, 25 Nov 2008 18:43:52 +0000 (18:43 +0000)]
Fixed a PuTTYtel startup assertion failure introduced in r8305.
While I'm here, a cosmetic PuTTYtel change: remove a reference to SSH from the
"logical host name" label in PuTTYtel only.
Ben Harris [Mon, 24 Nov 2008 23:44:55 +0000 (23:44 +0000)]
Change how we handle the Ssh_gss_buf type. Previously, we defined it
ourselves, but on Unix then assumed it was compatible with the system's
gss_buffer_desc, which wasn't the case on LP64 systems. Now, on Unix
we make Ssh_gss_buf into an alias for gss_buffer_desc, though we keep
something similar to the existing behaviour on Windows. This requires
renaming a couple of the fields in Ssh_gss_buf, and hence fixing all
the references.
Tested on Linux (MIT Kerberos) and Solaris. Compiled on NetBSD (Heimdal).
Not tested on Windows because neither mingw32 nor winegcc worked out of the
box for me. I think the Windows changes are all syntactic, though, so
if this compiles it should work no worse than before.
Jacob Nevins [Mon, 24 Nov 2008 17:51:42 +0000 (17:51 +0000)]
New option to allow use of the local OS username for login to the remote side
if we have no better ideas, with UI shamelessly stolen from Quest PuTTY.
Off by default, which effectively reverts the change to using the local
username by default that came in with GSSAPI support in r8138. Anyone wanting
seamless single sign-on will need to set the new option. (The previous
default behaviour was getting in the way in ad-hoc scenarios.)
Note that the PSCP and Unix-Plink behaviour of using the local username by
default have remained unchanged throughout; they are not affected by the new
option. Not sure if that's the Right Thing.
Ben Harris [Sat, 22 Nov 2008 22:06:42 +0000 (22:06 +0000)]
Changes to make this compile on Solaris 9: use <gssapi/gssapi.h> rather
than <gssapi/gssapi_krb5.h> and provide the OID for Kerberos 5 ourselves
(since it's a known constant). I'm not sure this actually works on Solaris
yet, mind.
Simon Tatham [Mon, 17 Nov 2008 18:38:09 +0000 (18:38 +0000)]
Revamp of the local X11 connection code. We now parse X display
strings more rigorously, and then we look up the local X authority
data in .Xauthority _ourself_ rather than delegating to an external
xauth program. This is (negligibly) more efficient on Unix, assuming
I haven't got it wrong in some subtle way, but its major benefit is
that we can now support X authority lookups on Windows as well
provided the user points us at an appropriate X authority file in
the standard format. A new Windows-specific config option has been
added for this purpose.
Simon Tatham [Mon, 17 Nov 2008 18:36:27 +0000 (18:36 +0000)]
Avoid freeing the backend in notify_remote_exit(), since that's
called from within a backend function which will expect its own
backend pointer to still be valid on return. Instead, move all the
real functionality of notify_remote_exit() out into a GTK idle
function.
Simon Tatham [Tue, 11 Nov 2008 07:47:27 +0000 (07:47 +0000)]
In SSH packet logging mode, log SSH-2 packet sequence numbers, in
both directions. We had a bug report yesterday about a Cisco router
sending SSH2_MSG_UNIMPLEMENTED and it wasn't clear for which packet;
logging the sequence numbers should make such problems much easier
to diagnose.
(In fact this logging fix wouldn't have helped in yesterday's case,
because the router also didn't bother to fill in the sequence number
field in the SSH2_MSG_UNIMPLEMENTED packet! This is a precautionary
measure against the next one of these problems.)
Simon Tatham [Sat, 8 Nov 2008 16:45:45 +0000 (16:45 +0000)]
Move out of the SockAddr structure the mutable fields "ai" and
"curraddr", and turn "family" into a macro-derived property of the
other fields. The idea is that this renders SockAddrs immutable once
created, which should open up the possibility of duplicating and
reusing one without having to redo the actual DNS lookup.
I _hope_ I haven't broken anything. The new code architecture
contains several rather dubious-looking operations (namely the
arbitrary choice of the first returned address in functions like
sk_getaddr and sk_address_is_local - what if, for instance, a DNS
lookup returned a local and a non-local address?), but I think they
were functionally just as dubious beforehand and all this change has
done is to make them more obviously so to a reader.
Jacob Nevins [Fri, 17 Oct 2008 20:55:08 +0000 (20:55 +0000)]
Patch from Iain Patterson: fix crash on Windows when GSSAPI auth is attempted
but fails for some reason (such as not having a tgt for the server's realm).
Jacob Nevins [Mon, 13 Oct 2008 22:34:57 +0000 (22:34 +0000)]
Rejig the Translation panel controls and documentation to remove the emphasis
on received data. Experiment and suggestion suggest that the character set
configuration applies equally to keystrokes sent to the server, or at least
that that's close enough to being true that we should document it as a first
approximation.
Simon Tatham [Tue, 7 Oct 2008 17:48:59 +0000 (17:48 +0000)]
sshrsa.c now obeys the RFC793 Robustness Principle when it comes to
the ordering of the primes in a fully specified RSA private key:
when the key format typically has p > q, it will always output p > q
but be willing to tolerate p < q on input. (Inspired by seeing an
OpenSSH-format key file in the wild which had p < q, which I've
never seen before; I suspect a third-party application incautiously
generating the format.)
Simon Tatham [Tue, 16 Sep 2008 22:56:08 +0000 (22:56 +0000)]
Further correction: on reflection, after examining all the call
sites for uint64_make(), we _shouldn't_ attempt to preserve high
bits in the low-order argument; it turns out not to be what the call
sites want.
Simon Tatham [Tue, 16 Sep 2008 18:21:33 +0000 (18:21 +0000)]
64-bit cleanliness in int64.c. This is all hideous; really I ought
to be trying harder to find a 32-bit type rather than making a
uint64 structure out of two potentially 64-bit unsigned longs. And
really I ought to be using the C99 64-bit integers anyway if they're
available. But this should do for the moment.
Simon Tatham [Sun, 14 Sep 2008 15:11:42 +0000 (15:11 +0000)]
Some Windows keymaps, it turns out, don't translate the key
combination Ctrl + \ as the Ctrl-\ character. All of mine have, but
at least one laptop turns out not to. Do so explicitly.
Jacob Nevins [Tue, 9 Sep 2008 20:36:40 +0000 (20:36 +0000)]
If we got a keyboard-interactive INFO_REQUEST with an "instruction" string but
no actual prompts, we weren't displaying the former, which was wrong. We
should now (although I haven't found a server to test it against).
Simon Tatham [Mon, 1 Sep 2008 17:56:20 +0000 (17:56 +0000)]
Fix punctuation in the large print statements. In particular, one
semicolon which crept in in r8138 was causing a lot of the "make
install" implementation to be missing from Makefile.gtk.
Simon Tatham [Sun, 31 Aug 2008 21:45:39 +0000 (21:45 +0000)]
Good grief. When I originally wrote the local proxy code two years
ago, I apparently caused all data received from local proxies to be
unconditionally tagged as TCP Urgent. Most network backends ignore
this, but it's critical to the Telnet backend, which will ignore all
Urgent-marked data in the assumption that there's a SYNCH on its way
that it should wait for. Nobody has noticed in two years, presumably
meaning that nobody has ever tried to do Telnet over a local proxy
in that time.
Simon Tatham [Sun, 31 Aug 2008 19:18:17 +0000 (19:18 +0000)]
Colin Watson points out an apparently erroneous cast: Ssh_gss_name
and gss_name_t are supposed to be congruent types, so a pointer to
one should never be cast to a non-indirect instance of the other.
Simon Tatham [Sun, 31 Aug 2008 17:12:37 +0000 (17:12 +0000)]
Minor code cleanup: I just happened to be looking at this file for
other reasons and I noticed that the list of TELOPTs is given twice
and hence needs to be kept in sync. Replace with my now-standard
second-order-macro approach which allows the list to be maintained
in only one place.
Jacob Nevins [Wed, 20 Aug 2008 22:21:04 +0000 (22:21 +0000)]
Fix for portfwd-addr-family: on Unix, when a tunnel is specified as "Auto"
(rather than IPv4 or IPv6-only; this is the default), try to open up listening
sockets on both address families, rather than (unhelpfully) just IPv6. (And
don't open one if the other can't be bound, in a nod to CVE-2008-1483.)
Based on a patch from Ben A L Jemmett.
Simon Tatham [Thu, 17 Jul 2008 17:01:27 +0000 (17:01 +0000)]
At least one version of gcc won't figure out that "clear" is never
read uninitialised (because the only circumstance under which it
isn't initialised is when "update" is FALSE, in which case it isn't
read either). Placate it.