Simon Tatham [Tue, 9 Sep 2014 11:46:10 +0000 (11:46 +0000)]
Move base64_decode_atom into misc.c.
I'm about to need to refer to it from a source file that won't
necessarily always be linked against sshpubk.c, so it needs to live
somewhere less specialist. Now it sits alongside base64_encode_atom
(already in misc.c for another reason), which is neater anyway.
Simon Tatham [Tue, 9 Sep 2014 11:46:07 +0000 (11:46 +0000)]
Handle save/load of set-typed config items.
I'm about to introduce a configuration option which is really a _set_
of string values (rather than an ordered list), and I'm going to
represent it in Conf as a string->string map (since that's a data type
we already support) in which every key which exists at all maps to the
empty string.
This change modifies settings.c so that it can write out such options
into the saved session as a comma-separated list of the key strings
only, rather than the form 'string1=,string2=,string3=' which you'd
get if you just used the existing wmap().
(Reading the result back in turns out not to need a code change - the
existing code already does what we want if it's reading a list of
key=value pairs and one of them doesn't have an = sign at all.)
Simon Tatham [Sun, 7 Sep 2014 13:06:52 +0000 (13:06 +0000)]
Close the listening socket when a sharing upstream dies.
Without this, doing 'Restart Session' on Windows in a session with
sharing enabled but no actual sharing being done would crash, because
the first incarnation of the session would become an upstream and
establish a listening named pipe, which then wouldn't get cleaned up
when the session closed, so the restarted session would try to connect
to it, triggering a call to plug_accepting on a freed sharestate.
Simon Tatham [Sun, 7 Sep 2014 13:06:50 +0000 (13:06 +0000)]
Cope with REG_SZ data not having a trailing NUL.
A user points out that the person who writes a REG_SZ into the
registry can choose whether or not to NUL-terminate it properly, and
if they don't, RegQueryValueEx will retrieve it without the NUL. So if
someone does that to PuTTY's saved session data, then PuTTY may
retrieve nonsense strings.
Arguably this is the fault of whoever tampered with the saved session
data without doing it the same way we would have, but even so, there
ought to be some handling at our end other than silently returning the
wrong data, and putting the NUL back on seems more sensible than
complaining loudly.
Simon Tatham [Wed, 27 Aug 2014 22:25:37 +0000 (22:25 +0000)]
Fix null dereference in ldisc_configure.
The IDM_RECONF handler unconditionally calls ldisc_configure to
reconfigure the line discipline for the new echo/edit settings, but in
fact ldisc can be NULL if no session is currently active. (Indeed, the
very next line acknowledges this, by testing it for NULL before
calling ldisc_send!) Thanks to Alexander Wong for the report.
Simon Tatham [Mon, 28 Jul 2014 17:47:36 +0000 (17:47 +0000)]
Fix another crash at KEXINIT time, ahem.
This is the same code I previously fixed for failing to check NULL
pointers coming back from ssh_pkt_getstring if the server's KEXINIT
ended early, leading to an embarrassing segfault in place of a fatal
error message. But I've now also had it pointed out to me that the
fatal error message passes the string as %s, which is inappropriate
because (being read straight out of the middle of an SSH packet) it
isn't necessarily zero-terminated!
This is still just an embarrassing segfault in place of a fatal error
message, and not exploitable as far as I can see, because the string
is passed to a dupprintf, which will either read off the end of
allocated address space and segfault non-exploitably, or else it will
find a NUL after all and carefully allocate enough space to format an
error message containing all of the previous junk. But still, how
embarrassing to have messed up the same code _twice_.
Simon Tatham [Thu, 24 Jul 2014 18:13:16 +0000 (18:13 +0000)]
Truncate all terminal lines when we clear scrollback.
Now Jacob has reminded me that 'resize-no-truncate' was already on the
wishlist, I notice that it suggested Clear Scrollback should remove
the preserved information off to the right. On the basis that that's
(at least partly) a privacy feature, that seems sensible, so let's do it.
Simon Tatham [Wed, 23 Jul 2014 21:48:02 +0000 (21:48 +0000)]
Preserve truncated parts of terminal lines after a resize.
We now only truncate a termline to the current terminal width if we're
actually going to modify it. As a result, resizing to a narrower
terminal width and then immediately back again, with no terminal
output in between, should restore the previous screen contents. Only
lines that are actually modified while the terminal is narrow (and
scrolling them around doesn't count as modification) should now be
truncated.
This will be a bit nicer for Unix window resizing (since X lacks the
Windows distinction between mid-drag resize events and the ultimate
drag-release, so can't defer the call to term_size until the latter as
we can on Windows), but mostly it's inspired by having played with a
tiling window manager recently and hence realised that in some
environments windows will be resized back and forth without much
control as a side effect of just moving them around - so it's
generally desirable for resizes to be non-destructive.
Simon Tatham [Sun, 13 Jul 2014 07:49:29 +0000 (07:49 +0000)]
Another fix to timer handling.
Robert de Bath points out that failure to remove the timer whose
callback returned FALSE may not have been the cause of runaway timer
explosion; another possibility is that a function called from
timer_trigger()'s call to run_timers() has already set a timer up by
the time run_timers() returns, and then we set another one up on top
of it. Fix that too.
Simon Tatham [Tue, 8 Jul 2014 22:22:12 +0000 (22:22 +0000)]
Work around a timer leak with GTK 2.4.22 on openSUSE 13.1.
Mihkel Ader reports that on that system, timers apparently aren't
getting auto-destroyed when timer_trigger returns FALSE, so the change
in r10181 has caused GTK PuTTY to gradually allocate more and more
timers and consume more and more CPU as they all keep firing.
As far as I can see, this must surely be a bug in GTK 2 (the docs say
that timers _are_ auto-destroyed when their callback returns false),
and it doesn't seem to happen for me with GTK 2.4.23 on Ubuntu 14.04.
However, I'll try to work around it by _explicitly_ destroying each
old timer before we zero out the variable containing its id.
Simon Tatham [Mon, 7 Jul 2014 19:47:23 +0000 (19:47 +0000)]
Fix automatic version numbering in the Unix tarball.
Manfred Schwarb points out that when I moved the autoconf machinery up
from the unix subdirectory to the top level, in r10141, I missed a
couple of lingering $(srcdir)/.. in the make rule for version.o, as a
result of which the automatic checking of the manifest wasn't doing
its thing and tools built from a standard .tar.gz were reporting as
'Unidentified build'.
Simon Tatham [Sun, 6 Jul 2014 14:05:39 +0000 (14:05 +0000)]
Implement this year's consensus on CHANNEL_FAILURE vs CHANNEL_CLOSE.
We now expect that after the server has sent us CHANNEL_CLOSE, we
should not expect to see any replies to our outstanding channel
requests, and conversely after we have sent CHANNEL_CLOSE we avoid
sending any reply to channel requests from the server. This was the
consensus among implementors discussing the problem on ietf-ssh in
April 2014.
To cope with current OpenSSH's (and perhaps other servers we don't
know about yet) willingness to send request replies after
CHANNEL_CLOSE, I introduce a bug-compatibility flag which is detected
for every OpenSSH version up to and including the current 6.6 - but
not beyond, since https://bugzilla.mindrot.org/show_bug.cgi?id=1818
promises that 6.7 will also implement the new consensus behaviour.
Simon Tatham [Tue, 13 May 2014 19:19:28 +0000 (19:19 +0000)]
Explicitly set the owning SID in make_private_security_descriptor.
Philippe Maupertuis reports that on one particular machine, Windows
causes the named pipe created by upstream PuTTY to be owned by the
Administrators group SID rather than the user's SID, which defeats the
security check in the downstream PuTTY. No other machine has been
reported to do this, but nonetheless it's clearly a thing that can
sometimes happen, so we now work around it by specifying explicitly in
the security descriptor for the pipe that its owner should be the user
SID rather than any other SID we might have the right to use.
Simon Tatham [Wed, 23 Apr 2014 14:05:31 +0000 (14:05 +0000)]
Prevent double-inclusion of ssh.h in case of -DNO_SECURITY.
winshare.c includes ssh.h, but if you defined NO_SECURITY it then
decides to fall back to including the stub noshare.c, which includes
ssh.h again. Fix by moving a block of includes inside the ifdef.
Simon Tatham [Tue, 22 Apr 2014 17:53:50 +0000 (17:53 +0000)]
Fix the prototype of the stub function in noshare.c.
It's an old prototype from part way through the development of
connection sharing, which I must have forgotten to fix because by the
time I changed the prototype no platform was using noshare.c any more.
Simon Tatham [Sun, 20 Apr 2014 16:48:18 +0000 (16:48 +0000)]
Fix an annoying warning from GTK on Ubuntu 14.04.
Timer objects evaporate when our timer_trigger callback is called, and
therefore we should not remember their ids beyond that time and
attempt to cancel them later. Previous versions of GTK silently
ignored us doing that, but upgrading to Ubuntu Trusty has given me a
version of GTK that complains about it, so let's stop doing it.
Simon Tatham [Thu, 27 Mar 2014 18:07:13 +0000 (18:07 +0000)]
Add auto-recognition of BUG_SSH2_RSA_PADDING for ProFTPD.
Martin Prikryl reports that it had the exact same bug as old OpenSSH
(insisting that RSA signature integers be padded with leading zero
bytes to the same length as the RSA modulus, where in fact RFC 4253
section 6.6 says it ought to have _no_ padding), but is recently
fixed. The first version string to not have the bug is reported to be
"mod_sftp/0.9.9", so here we recognise everything less than that as
requiring our existing workaround.
Simon Tatham [Tue, 4 Mar 2014 23:02:12 +0000 (23:02 +0000)]
New FAQ, aimed at the people who periodically send us large
questionnaires in unfriendly formats like Excel, apparently in the
mistaken belief that we have some kind of incentive to answer them. I
hope I've managed to identify the key reason why they make this
mistake.
Simon Tatham [Tue, 4 Mar 2014 22:56:08 +0000 (22:56 +0000)]
Stop using 'zip -k' to construct the Windows source archive.
It was intended to ensure that people still working with DOS filename
restrictions (or things approximating that, e.g. VFAT) wouldn't have
trouble. Those days are surely long gone, and now zip -k is causing
its own trouble with the new VS2010/VS2012 project files, which
include pairs of filenames that become the same under the zip -k
transformation and hence break the source archive build.
Simon Tatham [Tue, 4 Mar 2014 22:56:03 +0000 (22:56 +0000)]
Have mksrcarc.sh log its activity to standard output.
Its previous policy of silence made sense before we did builds using
bob (gratuitous output on success caused cronmail) but now it just
makes it hard to spot problems.
Simon Tatham [Mon, 24 Feb 2014 23:35:55 +0000 (23:35 +0000)]
Add a missing bn_restore_invariant in RSA blinding code.
We were inventing a random number by starting with a long zero bignum
and then setting bits at random, which left an opportunity for the
result to be a non-normalised representation (with a leading zero
word) and hence fail an assertion in bignum_cmp.
Simon Tatham [Sat, 22 Feb 2014 18:02:14 +0000 (18:02 +0000)]
Add some assertions in sshzlib.c.
gcc 4.8 compiling with -O3 gives a new warning about the access to
st->pending at the top of lz77_compress, because for some reason it
thinks there's an out-of-bounds array access there (or perhaps just a
potential one, I'm not really sure which side -Warray-bounds is erring
on). Add an assertion reassuring it that st->npending can't get bigger
than the size of st->pending at the site it's complaining about, and a
second one at the site where st->npending is increased (just in case
my analysis of why it can't happen was wrong!). Also add a comment
explaining the assertions.
Simon Tatham [Sat, 22 Feb 2014 18:02:06 +0000 (18:02 +0000)]
Add the 'subdir-objects' option in the automake makefile.
This rearranges the object files so that they each live alongside
their original source file, instead of all being in the same
directory. To my way of thinking this is a more or less neutral change
(perhaps marginally less tidy), but autotools is apparently beginning
to think it's the One True Way and 1.14 will give a warning if you
don't have it enabled.
Simon Tatham [Sat, 22 Feb 2014 18:01:32 +0000 (18:01 +0000)]
Move the Unix configure script up to the top level.
Previously, 'configure' and its assorted machinery lived in the 'unix'
subdir, because that seemed like a clean place to keep it given that
all the other per-platform Makefiles live in their platform
directories. However, this never sat all that happily with autotools,
and even less so now that it likes to have object file pathnames
parallel source file pathnames: if you have Makefile.am refer to
source files outside its subdir as "../terminal.c" and enable
subdir-objects then any out-of-tree build calls the corresponding
object file "../terminal.o" and so your build products mostly end up
at the directory above your build dir! And as of autotools 1.14 my
previous compensatory bodge of prefixing every source file path in
Makefile.am with "$(srcdir)" has stopped working too.
So I'm giving in to necessity, and changing policy by moving the
configure machinery up to the top level of the source tree where
autotools will be less confused by it. This should not be taken as any
indication of the primacy of the Unix port, only of the recalcitrance
of autotools.
Whereas before we had a trivial script called 'configure' at the top
level that invoked unix/configure to effectively do an 'out-of-tree
build' (for make purposes) at the top level of the source tree, we now
have a similar script in unix/configure. So this _should_ make very
little difference: people who were previously running configure from
the top level should still be able to, and likewise people who were
running it from the unix subdir.
Simon Tatham [Sun, 16 Feb 2014 16:40:45 +0000 (16:40 +0000)]
Stop sending release events for mouse wheel 'buttons' in X mouse mode.
On Windows (X mouse reporting of the mouse wheel isn't currently done
by the Unix front end, though I'm shortly about to fix that too) a
mouse wheel event is translated into a virtual button, and we send
both a press and a release of that button to terminal.c, which encodes
both in X mouse reporting escape sequences and passes them on to the
server. This isn't consistent with what xterm does - scroll-wheel
events are encoded _like_ button presses, but differ semantically in
that they don't have matching releases. So we're updating to match
xterm.
Simon Tatham [Wed, 5 Feb 2014 21:51:25 +0000 (21:51 +0000)]
Revert half of r10135, and re-fix properly.
One of my changes in uxnet.c was outside the NO_IPV6 ifdef, and broke
compilation in the normal mode. Revert all changes in that file and
replace with a reference to the 'step' parameter in the no-IPv6
version of the SOCKADDR_FAMILY macro, so that those warnings are
squelched anyway.
Simon Tatham [Tue, 4 Feb 2014 22:37:53 +0000 (22:37 +0000)]
Fix warnings when compiling with -DNO_IPV6.
A user pointed out that 'family' was uninitialised in config.c, and
when I tried test-building with -DNO_IPV6 (and the usual -Werror, of
course) some unused variables showed up in uxnet.c too.
Simon Tatham [Sat, 25 Jan 2014 18:38:38 +0000 (18:38 +0000)]
Don't unconditionally reset scrollback on certain escape sequences.
Handlers for a number of escape sequences, notably including ESC[J and
the sequences that switch to/from the alternate screen, were
unconditionally resetting the scrollback instead of first checking the
'Reset scrollback on display activity' configuration option. I've
added the missing if statements, so now 'Reset scrollback on display
activity' should actually mean what it says.
For example, this would have inconvenienced an mplayer user, who
wouldn't be able to go up and check their scrollback while mplayer was
repeatedly redisplaying its status line, because mplayer uses ESC[J to
erase each version of the status line before printing the next
version.
Simon Tatham [Sat, 25 Jan 2014 15:59:04 +0000 (15:59 +0000)]
Fix a potential crash in ssh_setup_portfwd.
If we search for a colon by computing ptr + host_strcspn(ptr,":"),
then the resulting pointer is always non-NULL, and the 'not found'
condition is not !p but !*p.
This typo could have caused PuTTY to overrun a string, but not in a
security-bug sense because any such string would have to have been
loaded from the configuration rather than received from a hostile
source.
Simon Tatham [Sat, 25 Jan 2014 15:58:59 +0000 (15:58 +0000)]
Support explicit IPv6 source addresses in Windows port forwarding.
There's been a long-standing FIXME in Windows's sk_newlistener which
says that in IPv6 mode, an explicit source address (e.g. from a
command-line option of the form -L srcaddr:12345:dest:22) is ignored.
Now it's honoured if possible.
Simon Tatham [Sat, 25 Jan 2014 15:58:57 +0000 (15:58 +0000)]
Avoid misidentifying unbracketed IPv6 literals as host:port.
Both GUI PuTTY front ends have a piece of logic whereby a string is
interpreted as host:port if there's _one_ colon in it, but if there's
more than one colon then it's assumed to be an IPv6 literal with no
trailing port number. This permits the PuTTY command line to take
strings such as 'host', 'host:22' or '[::1]:22', but also cope with a
bare v6 literal such as '::1'.
This logic is also required in the two Plink front ends and in the
processing of CONF_loghost for host key indexing in ssh.c, but was
missing in all those places. Add it.
Simon Tatham [Sat, 25 Jan 2014 15:58:54 +0000 (15:58 +0000)]
Use the new host_str* functions to improve IPv6 literal support.
I've gone through everywhere we handle host names / addresses (on
command lines, in PuTTY config, in port forwarding, in X display
names, in host key storage...) and tried to make them handle IPv6
literals sensibly, by using the host_str* functions I introduced in my
previous commit. Generally it's now OK to use a bracketed IPv6 literal
anywhere a hostname might have been valid; in a few cases where no
ambiguity exists (e.g. no :port suffix is permitted anyway)
unbracketed IPv6 literals are also acceptable.
Simon Tatham [Sat, 25 Jan 2014 15:58:47 +0000 (15:58 +0000)]
New hostname-handling functions in misc.c.
These are intended to make it easier to handle strings of the form
"hostname:port" or other colon-separated things including hostnames
(such as the -L and -R command-line option arguments), even though the
hostname part might be a square-bracketed IPv6 address literal
containing colons that have to _not_ be treated as separating the
top-level string components.
Three of these functions have semantics as much like existing C
library functions as I could make them (host_strchr, host_strrchr,
host_strcspn) so that it wouldn't be too error-prone to replace
existing C functions with them at lots of call sites. The fourth
function (host_strduptrim) just strips square brackets off anything
that looks like an IPv6 literal.
Simon Tatham [Thu, 16 Jan 2014 19:16:19 +0000 (19:16 +0000)]
Fix assertion failure in Unix PuTTYgen exports.
The assertions I added to sshrand.c in r9930 are now justified,
because they were failing when cmdgen was used to convert a key into
either foreign private key file format - both the export functions
require random_byte() for one reason or another, and random_ref()
hadn't been called first.
Simon Tatham [Sat, 11 Jan 2014 11:23:12 +0000 (11:23 +0000)]
Generate IDE project files for Visual Studio 2010 and 2012.
Thanks to Mike Edenfield for the initial version of this patch; I've
polished it up a bit (in particular inventing a more overengineered
GUID generation strategy) but most of it is his.
Simon Tatham [Tue, 7 Jan 2014 23:26:10 +0000 (23:26 +0000)]
Rename the handle-type enumeration values.
Mike Edenfield points out that modern versions of the Windows SDK have
decided that 'INPUT' is a sensible name for an OS data structure
(sigh), and provided a patch to add a disambiguating prefix to
winhandl.c's enum values INPUT, OUTPUT and FOREIGN.
Simon Tatham [Mon, 2 Dec 2013 19:26:36 +0000 (19:26 +0000)]
Fix breakage of SSH-2 packet decompression by r10070.
The line that resets st->pktin->length to cover only the semantic
payload of the SSH message was overwriting the modification to
st->pktin->length performed by the optional decompression step. I
didn't notice because I don't habitually enable compression.
Simon Tatham [Sat, 30 Nov 2013 18:04:57 +0000 (18:04 +0000)]
Make GTK idle and quit function setup idempotent.
I found last week that when a local proxy process terminated
unexpectedly, Unix PuTTY went into a tight loop calling quit
functions, because if idle_toplevel_callback_func is called from
inside a subsidiary gtk_main then it will schedule a quit function and
_not_ disable itself, so that that quit function keeps being
rescheduled on subsequent calls.
To fix, I've tried to make the whole handling of idle and quit
functions more sensibly robust: we keep our own boolean flag
indicating whether each of our functions has already been scheduled
with GTK, and if so, we don't schedule the same one again. Also, when
idle_toplevel_callback_func schedules a quit function, it should
unschedule itself since it's now done everything it can until a
gtk_main instance quits.
Simon Tatham [Mon, 25 Nov 2013 19:46:05 +0000 (19:46 +0000)]
Fix interaction of insch() with selection highlights.
Previously I had unthinkingly called the general-purpose
check_selection() routine to indicate that I was going to mess with n
character cells right of the cursor position, causing the selection
highlight to be removed if it intersected that region. This is all
wrong, since actually the whole region from cursor to EOL is modified
by any character insertion or deletion, so if we were going to call
check_selection it should be on that whole region. (Quick demo: select
part of the line to the right of the cursor, then emit ESC[P or ESC[@
and see the text move left or right while the highlight stays put.)
So we could just call check_selection() on that larger affected
region, and that would be correct. However, we can do something
slightly more elegant in the case where the selection is contained
entirely within the subregion that moves to one side (as opposed to
the characters that actually vanish at one or other end): we can move
the selection highlight with the text under it, to preserve the visual
reminder of which text was selected for as long as possible.
Simon Tatham [Mon, 25 Nov 2013 18:35:14 +0000 (18:35 +0000)]
Switch to using SIDs in make_private_security_descriptor().
Daniel Meidlinger reports that at least one Windows machine which is
not obviously otherwise misconfigured will respond to our
SetEntriesInAcl call with odd errors like ERROR_NONE_MAPPED or
ERROR_TRUSTED_RELATIONSHIP_FAILURE. This is apparently to do with
failure to convert the names "EVERYONE" and "CURRENT_USER" used in the
ACL specification to SIDs. (Or perhaps only one of them is the problem
- I didn't investigate in that direction.)
If we instead construct a fully SID-based ACL, using the well-known
world SID in place of EVERYONE and calling our existing get_user_sid
routine in place of CURRENT_USER, he reports that the problem goes
away, so let's do that instead.
While I'm here, I've slightly simplified the function prototype of
make_private_security_descriptor(), by turning 'networksid' into an
internal static that we can reuse in subsequent calls once we've set
it up. (Mostly because I didn't fancy adding another two pointless
parameters at every call site for the two new SIDs.)
Simon Tatham [Fri, 22 Nov 2013 19:41:43 +0000 (19:41 +0000)]
Include the numeric error code in win_strerror's output.
This will be useful if someone gets a mysterious Windows error on a
system configured into a language we don't speak - if they cut and
paste the error message to send to us, then we won't have to try to
translate it.
Simon Tatham [Mon, 18 Nov 2013 19:07:11 +0000 (19:07 +0000)]
Restore compatibility with older autoconfs.
The one in Ubuntu 10.04 doesn't know what AM_PROG_AR means, so
configure.ac was broken in r10053 when fixing compatibility with later
versions; you can't win...
Simon Tatham [Sun, 17 Nov 2013 14:05:44 +0000 (14:05 +0000)]
Fix an assortment of dupprintf() format string bugs.
I've enabled gcc's format-string checking on dupprintf, by declaring
it in misc.h to have the appropriate GNU-specific attribute. This
pointed out a selection of warnings, which I've fixed.
Simon Tatham [Sun, 17 Nov 2013 14:05:41 +0000 (14:05 +0000)]
Implement connection sharing between instances of PuTTY.
The basic strategy is described at the top of the new source file
sshshare.c. In very brief: an 'upstream' PuTTY opens a Unix-domain
socket or Windows named pipe, and listens for connections from other
PuTTYs wanting to run sessions on the same server. The protocol spoken
down that socket/pipe is essentially the bare ssh-connection protocol,
using a trivial binary packet protocol with no encryption, and the
upstream has to do some fiddly transformations that I've been
referring to as 'channel-number NAT' to avoid resource clashes between
the sessions it's managing.
This is quite different from OpenSSH's approach of using the Unix-
domain socket as a means of passing file descriptors around; the main
reason for that is that fd-passing is Unix-specific but this system
has to work on Windows too. However, there are additional advantages,
such as making it easy for each downstream PuTTY to run its own
independent set of port and X11 forwardings (though the method for
making the latter work is quite painful).
Sharing is off by default, but configuration is intended to be very
easy in the normal case - just tick one box in the SSH config panel
and everything else happens automatically.
Simon Tatham [Sun, 17 Nov 2013 14:05:29 +0000 (14:05 +0000)]
Move the dynamic loading of advapi into its own module.
There's now a winsecur.[ch], which centralises helper functions using
the Windows security stuff in advapi.h (currently just get_user_sid),
and also centralises the run-time loading of those functions and
checking they're all there.
Simon Tatham [Sun, 17 Nov 2013 14:05:23 +0000 (14:05 +0000)]
Get rid of the error-return mechanism from x11_init.
Now that it doesn't actually make a network connection because that's
deferred until after the X authorisation exchange, there's no point in
having it return an error message and write the real output through a
pointer argument. Instead, we can just have it return xconn directly
and simplify the call sites.
Simon Tatham [Sun, 17 Nov 2013 14:05:17 +0000 (14:05 +0000)]
Refactor the construction of X protocol greetings.
I've moved it out into a separate function, preparatory to calling it
from somewhere completely different in changes to come. Also, we now
retain the peer address sent from the SSH server in string form,
rather than translating it immediately into a numeric IP address, so
that its original form will be available later to pass on elsewhere.
Simon Tatham [Sun, 17 Nov 2013 14:05:10 +0000 (14:05 +0000)]
Prepare to have multiple X11 auth cookies valid at once.
Rather than the top-level component of X forwarding being an
X11Display structure which owns some auth data, it's now a collection
of X11FakeAuth structures, each of which owns a display. The idea is
that when we receive an X connection, we wait to see which of our
available auth cookies it matches, and then connect to whatever X
display that auth cookie identifies. At present the tree will only
have one thing in it; this is all groundwork for later changes.
Simon Tatham [Sun, 17 Nov 2013 14:05:04 +0000 (14:05 +0000)]
Decouple X socket opening from x11_init().
Now we wait to open the socket to the X server until we've seen the
authorisation data. This prepares us to do something else with the
channel if we see different auth data, which will come up in
connection sharing.
Simon Tatham [Sun, 17 Nov 2013 14:04:56 +0000 (14:04 +0000)]
Add a missing null pointer check in s_write.
I don't know that this can ever be triggered in the current state of
the code, but when I start mucking around with SSH session closing in
the near future, it may be handy to have it.
Simon Tatham [Sun, 17 Nov 2013 14:04:48 +0000 (14:04 +0000)]
Remove sk_{get,set}_private_ptr completely!
It was only actually used in X11 and port forwarding, to find internal
state structures given only the Socket that ssh.c held. So now that
that lookup has been reworked to be the sensible way round,
private_ptr is no longer used for anything and can be removed.
Simon Tatham [Sun, 17 Nov 2013 14:04:41 +0000 (14:04 +0000)]
Refactor ssh.c's APIs to x11fwd.c and portfwd.c.
The most important change is that, where previously ssh.c held the
Socket pointer for each X11 and port forwarding, and the support
modules would find their internal state structure by calling
sk_get_private_ptr on that Socket, it's now the other way round. ssh.c
now directly holds the internal state structure pointer for each
forwarding, and when the support module needs the Socket it looks it
up in a field of that. This will come in handy when I decouple socket
creation from logical forwarding setup, so that X forwardings can
delay actually opening a connection to an X server until they look at
the authentication data and see which server it has to be.
However, while I'm here, I've also taken the opportunity to clean up a
few other points, notably error message handling, and also the fact
that the same kind of state structure was used for both
connection-type and listening-type port forwardings. Now there are
separate PortForwarding and PortListener structure types, which seems
far more sensible.
Simon Tatham [Sun, 17 Nov 2013 14:04:33 +0000 (14:04 +0000)]
Reliably initialise uxnet's socket fd fields to -1.
This prevents embarrassing mess-ups involving getting back a Socket
which has mostly been memset to 0 but contains an error message,
sk_close()ing it to free the memory, and finding that standard input
has been closed as a side effect.
Simon Tatham [Sun, 17 Nov 2013 14:04:29 +0000 (14:04 +0000)]
Add support in uxnet.c for Unix-domain listening sockets.
There are two new functions: one to construct a SockAddr wrapping a
Unix socket pathname (which can also be used as the destination for
new_connection), and one to establish a new listening Unix-domain
socket.
Simon Tatham [Sun, 17 Nov 2013 14:04:25 +0000 (14:04 +0000)]
Complete rewrite of the packet log censoring code.
Because the upcoming connection sharing changes are going to involve
us emitting outgoing SSH packets into our log file that we didn't
construct ourselves, we can no longer rely on metadata inserted at
packet construction time to tell us which parts of which packets have
to be blanked or omitted in the SSH packet log. Instead, we now have
functions that deal with constructing the blanks array just before
passing all kinds of packet (both SSH-1 and SSH-2, incoming and
outgoing) to logging.c; the blanks/nblanks fields in struct Packet are
therefore no longer needed.
Simon Tatham [Sun, 17 Nov 2013 14:04:18 +0000 (14:04 +0000)]
Clean up the 'data' vs 'body' pointers in struct Packet.
There's always been some confusion over exactly what it all means. I
haven't cleaned it up to the point of complete sensibleness, but I've
got it to a point where I can at least understand and document the
remaining non-sensibleness.
Simon Tatham [Sun, 17 Nov 2013 14:04:01 +0000 (14:04 +0000)]
Add support for Windows named pipes.
This commit adds two new support modules, winnpc.c and winnps.c, which
deal respectively with being a client and server of a Windows named
pipe (which, in spite of what Unix programmers will infer from that
name, is actually closer to Windows's analogue of a Unix-domain
socket). Each one provides a fully featured Socket wrapper around the
hairy Windows named pipe API, so that the rest of the code base should
be able to use these interchangeably with ordinary sockets and hardly
notice the difference.
As part of this work, I've introduced a mechanism in winhandl.c to
permit it to store handles of event objects on behalf of other Windows
support modules and deal with passing them to applications' main event
loops as necessary. (Perhaps it would have been cleaner to split
winhandl.c into an event-object tracking layer analogous to uxsel, and
the handle management which is winhandl.c's proper job, but this is
less disruptive for the present.)
Simon Tatham [Sun, 17 Nov 2013 14:03:55 +0000 (14:03 +0000)]
Replace the hacky 'OSSocket' type with a closure.
The mechanism for constructing a new connection-type Socket when a
listening one receives an incoming connection previously worked by
passing a platform-specific 'OSSocket' type to the plug_accepting
function, which would then call sk_register to wrap it with a proper
Socket instance. This is less flexible than ideal, because it presumes
that only one kind of OS object might ever need to be turned into a
Socket. So I've replaced OSSocket throughout the code base with a pair
of parameters consisting of a function pointer and a context such that
passing the latter to the former returns the appropriate Socket; this
will permit different classes of listening Socket to pass different
function pointers.
In deference to the reality that OSSockets tend to be small integers
or pointer-sized OS handles, I've made the context parameter an
int/pointer union that can hold either of those directly, rather than
the usual approach of making it a plain 'void *' and requiring a
context structure to be dynamically allocated every time.
Simon Tatham [Sun, 17 Nov 2013 14:03:48 +0000 (14:03 +0000)]
Implement freezing on Windows handle sockets.
That's been a FIXME in the code for ages, because it's difficult to
get winhandl.c to stop an already-started read from a handle (since
the read is a blocking system call running in a separate thread). But
I now realise it isn't absolutely necessary to do so - you can just
buffer one lot of data from winhandl and _then_ tell it to stop.
Simon Tatham [Sun, 17 Nov 2013 14:03:44 +0000 (14:03 +0000)]
Factor out the HANDLE-to-Socket adapter from winproxy.c.
It's now kept in a separate module, where it can be reused
conveniently for other kinds of Windows HANDLE that I want to wrap in
the PuTTY Socket abstraction - for example, the named pipes that I
shortly plan to use for the Windows side of connection-sharing IPC.
Simon Tatham [Sun, 17 Nov 2013 14:03:36 +0000 (14:03 +0000)]
Add a Socket implementation which just holds an error message.
This isn't yet used, but I plan to use it in situations where you have
to report errors by returning a valid Socket on which the client wlil
call sk_socket_error, but in fact you notice the error _before_
instantiating your usual kind of Socket. The resulting Socket is
usable for nothing except reading out the error string and closing it.
Simon Tatham [Sun, 17 Nov 2013 14:03:21 +0000 (14:03 +0000)]
Clean up the semantics of the ssh_rportfwd structure.
It's now indexed by source hostname as well as source port (so that
separate requests for the server to listen on addr1:1234 and
addr2:1234 can be disambiguated), and also its destination host name
is dynamically allocated rather than a fixed-size buffer.
Simon Tatham [Sun, 17 Nov 2013 14:03:20 +0000 (14:03 +0000)]
Find ToUnicodeEx() at run time, not load time.
This restores PuTTY's backward compatibility to versions of Windows
too old to have ToUnicodeEx in their system libraries, which was
accidentally broken in 0.63.
Simon Tatham [Mon, 11 Nov 2013 23:01:47 +0000 (23:01 +0000)]
Replace GetQueueStatus with PeekMessage(PM_NOREMOVE).
A couple of users report that my recent reworking of the Windows
top-level message loop has led to messages occasionally being lost,
and MsgWaitForMultipleObjects blocking when it ought to have been
called with a zero timeout. I haven't been able to reproduce this
myself, but according to one reporter, PeekMessage(PM_NOREMOVE) is
effective at checking for a non-empty message queue in a way that
GetQueueStatus is not. Switch to using that instead. Thanks to Eric
Flumerfelt for debugging and testing help.
Simon Tatham [Sat, 26 Oct 2013 14:00:10 +0000 (14:00 +0000)]
Fix build failures on Ubuntu 13.10.
Automake now insists that we run AM_PROG_AR if we're going to build a
library, and AM_PROG_CC_C_O if we're going to build anything with
extra compile options. Those extra macros seem harmless in previous
versions of automake.
Simon Tatham [Fri, 25 Oct 2013 17:44:02 +0000 (17:44 +0000)]
Avoid leaving unread Windows messages in the queue.
Jochen Erwied points out that once you've used PeekMessage to remove
_one_ message from the message queue, MsgWaitForMultipleObjects will
consider the whole queue to have been 'read', or at least looked at
and deemed uninteresting, and so it will block until a further message
comes in. Hence, my change in r10040 which stops us from looping on
PeekMessage until the queue is empty has the effect of causing the
rest of the message queue not to be acted on until a new message comes
in to unblock it. Fix by checking if the queue is nonempty in advance
of calling MsgWaitForMultipleObjects, and if so, giving it a zero
timeout just as we do if there's a pending toplevel callback.
Simon Tatham [Wed, 9 Oct 2013 18:38:35 +0000 (18:38 +0000)]
random_ref() should always increment the reference count.
No current PuTTY utility was calling random_ref more than once per run
(ssh.c and the two main PuTTYgen programs call it once each), but if
one ever does (or if derived code does), it will want the reference
count to actually work sensibly.
Simon Tatham [Wed, 9 Oct 2013 18:36:56 +0000 (18:36 +0000)]
Don't pass WinSock error codes to strerror.
Martin Prikryl helpfully points out that when I revamped the socket
error mechanism using toplevel callbacks, I also accidentally passed
the error code to the wrong function. Use winsock_error_string instead.
Simon Tatham [Mon, 23 Sep 2013 14:35:08 +0000 (14:35 +0000)]
Fix cut-and-paste errors in nonfatal() implementations.
Unix GUI programs should not say 'Fatal Error' in the message box
title, and Plink should not destroy its logging context as a side
effect of printing a non-fatal error. Both appear to have been due to
inattentive cut and paste from the pre-existing fatal error functions.
Simon Tatham [Sun, 15 Sep 2013 14:40:46 +0000 (14:40 +0000)]
Oops! Remove a tight-looping diagnostic.
I temporarily applied it as a means of testing the revised event loops
in r10040, and accidentally folded it into my final commit instead of
backing it out. Ahem.
Simon Tatham [Sun, 15 Sep 2013 14:05:38 +0000 (14:05 +0000)]
Remove the timed part of the terminal paste mechanism.
In r10020 I carefully reimplemented using timing.c and callback.c the
same policy for large pastes that the previous code appeared to be
implementing ad-hoc, which included a 450ms delay between sending
successive lines of pasted text if no visible acknowledgment of the
just-sent line (in the form of a \n or \r) came back from the
application.
However, it turns out that that *wasn't* what the old code was doing.
It *would* have done that, but for the bug that it never actually set
the 'last_paste' variable, and never has done since it was first
introduced way back in r516! So the policy I thought had been in force
forever has in fact only been in force since I unwittingly fixed that
bug in r10020 - and it turns out to be a bad idea, breaking pastes
into vi in particular.
So I've removed the timed paste code completely, on the basis that
it's never actually worked and nobody seems to have been unhappy about
that. Now we still break large pastes into separate lines and send
them in successive top-level callbacks, and the user can still press a
key to interrupt a paste if they manage to catch it still going on,
but there's no attempted *delay* any more.
(It's possible that what I *really* ought to be doing is calling
back->sendbuffer() to see whether the backend is consuming the data
pasted so far, and if not, deferring the rest of the paste until the
send buffer becomes smaller. Then we could have pasting be delayed by
back-pressure from the recipient, and still manually interruptible
during that delay, but not have it delayed by anything else. But what
we have here should at least manage to be equivalent to the *actual*
rather than the intended old policy.)
Simon Tatham [Sun, 15 Sep 2013 14:05:31 +0000 (14:05 +0000)]
Only run one toplevel callback per event loop iteration.
This change attempts to reinstate as a universal property something
which was sporadically true of the ad-hockery that came before
toplevel callbacks: that if there's a _very long_ queue of things to
be done through the callback mechanism, the doing of them will be
interleaved with re-checks of other event sources, which might (e.g.)
cause a flag to be set which makes the next callback decide not to do
anything after all.
Simon Tatham [Sun, 8 Sep 2013 13:20:49 +0000 (13:20 +0000)]
Handle socket errors on half-open channels.
Anthony Ho reports that this can occur naturally in some situation
involving Windows 8 + IE 11 and dynamic port forwarding: apparently we
get through the SOCKS negotiation, send our CHANNEL_OPEN, and then
*immediately* suffer a local WSAECONNABORTED error before the server
has sent back its OPEN_CONFIRMATION or OPEN_FAILURE. In this situation
ssh2_channel_check_close was failing to notice that the channel didn't
yet have a valid server id, and sending out a CHANNEL_CLOSE anyway
containing 32 bits of uninitialised nonsense.
We now handle this by turning our half-open CHAN_SOCKDATA_DORMANT into
a half-open CHAN_ZOMBIE, which means in turn that our handler
functions for OPEN_CONFIRMATION and OPEN_FAILURE have to recognise and
handle that case, the former by immediately initiating channel closure
once we _do_ have the channel's server id to do it with.
Simon Tatham [Sat, 7 Sep 2013 16:15:11 +0000 (16:15 +0000)]
Fix SSH2_MSG_CHANNEL_EXTENDED_DATA in logparse.
It looks as if it's never worked at all: it had a spurious second
printf, it completely forgot to allow for the uint32 type code that
SSH2_MSG_CHANNEL_DATA doesn't have, it accessed the channel state's
sequence number fields in a way that made no sense and didn't match
the rest of the program, *and* it misinvoked the file opening API. I
must have never had an occasion to test it.
Simon Tatham [Sat, 7 Sep 2013 16:15:10 +0000 (16:15 +0000)]
Make logparse handle completely bogus channel numbers.
Previously it would throw a bunch of Perl undefined-variable-usage
warnings; now it cleanly detects the problem, dumps as much of the
message as it still reasonably can, and doesn't update any channel
states.
Simon Tatham [Mon, 26 Aug 2013 11:55:56 +0000 (11:55 +0000)]
Fix free of an uninitialised pointer.
CHAN_AGENT channels need c->u.a.message to be either NULL or valid
dynamically allocated memory, because it'll be freed by
ssh_channel_destroy. This bug triggers if an agent forwarding channel
is opened and closed without having sent any queries.
Simon Tatham [Thu, 22 Aug 2013 17:45:26 +0000 (17:45 +0000)]
Fix handling of IPv6 dynamic forwardings.
During the Conf revamp, I changed the internal representation of
dynamic forwardings so that they were stored as the conceptually
sensible L12345=D rather than the old D12345, and added compensation
code to translate to the latter form for backwards-compatible data
storage and for OpenSSH-harmonised GUI display. Unfortunately I forgot
that keys in the forwarding data can also prefix the L/R with a
character indicating IPv4/IPv6, and my translations didn't take
account of that possibility. Fix them.
Simon Tatham [Sun, 18 Aug 2013 06:48:20 +0000 (06:48 +0000)]
Sensibly enforce non-interactive rekeying.
We now only present the full set of host key algorithms we can handle
in the first key exchange. In subsequent rekeys, we present only the
host key algorithm that we agreed on the previous time, and then we
verify the host key by simply enforcing that it's exactly the same as
the one we saw at first and disconnecting rudely if it isn't.
Simon Tatham [Sat, 17 Aug 2013 16:06:40 +0000 (16:06 +0000)]
Make calling term_nopaste() a cross-platform feature.
It was one of those things that went in ages ago on Windows and never
got replicated in the Unix front end. And it needn't be: ldisc.c is a
perfect place to put it, since it knows which of the data it's sending
is based on a keystroke and which is automatically generated, and it
also has access to the terminal context. So now a keypress can
interrupt a runaway paste on all platforms.
Simon Tatham [Sat, 17 Aug 2013 16:06:27 +0000 (16:06 +0000)]
Revamp net_pending_errors using toplevel callbacks.
Again, I've removed the special-purpose ad-hockery from the assorted
front end message loops that dealt with deferred handling of socket
errors, and instead uxnet.c and winnet.c arrange that for themselves
by calling the new general top-level callback mechanism.
projects / PuTTY.git / log