Simon Tatham [Wed, 22 Feb 2017 22:10:05 +0000 (22:10 +0000)]
Unix buildinfo: stop saying 'GTK' in pure CLI utilities.
Unix PSCP, PSFTP, Plink and PuTTYgen now just report their build
platform as '64-bit Unix' or '32-bit Unix', without mentioning
irrelevant details of what flavour of GTK the other tools in the suite
might have been built against.
(In particular, they now won't imply anything outright untrue if there
was no GTK present at build time at all!)
Simon Tatham [Wed, 22 Feb 2017 21:57:04 +0000 (21:57 +0000)]
Windows handle sockets: fix error handling in sentdata().
In the sentdata callback function given to handle_output_new, the
'new_backlog' parameter can be negative, and if so, it represents a
Windows error code and not a backlog size at all. handle_sentdata was
not checking for this before passing it on to plug_sent.
Simon Tatham [Wed, 22 Feb 2017 21:51:03 +0000 (21:51 +0000)]
uxproxy: fix write error handling on outgoing pipe.
Jacob pointed out the other day that the call to logevent with NULL
frontend handle can't possibly work, and the comment next to it saying
that it can is an outright lie (probably thoughtlessly copied from
some part of the Windows front end, where it actually would be true).
Furthermore, even if that logevent call didn't dereference NULL and
segfault, the followup call to fatalbox() would be inappropriate,
since proxied connections need not be the primary network connection
of the whole process.
Rewritten as a call to plug_closing, which is the proper channel
through which to report errors on an individual socket or equivalent.
Simon Tatham [Wed, 22 Feb 2017 06:56:43 +0000 (06:56 +0000)]
Pageant and PuTTYgen About boxes: add the website button.
While I'm looking at these two dialog boxes, I notice there's another
prominent difference between PuTTY's one and these: I also never got
round to adding the button to go to PuTTY's main website. Now added.
Simon Tatham [Wed, 22 Feb 2017 06:56:43 +0000 (06:56 +0000)]
Pageant and PuTTYgen About boxes: enlarge to modern size.
The current About boxes are too small to fit in all the buildinfo
data, in particular the source-control commit id. Apparently I forgot
to enlarge them when I enlarged the one in PuTTY proper.
(All the same information is nonetheless *present* in the box, but
there seems to be no way to scroll a static text control, so you can
only find that out by 'Select All' and copying to the clipboard.)
Anyway. Now resized to the same dimensions as the main PuTTY About
box. (Really I should centralise more definitions into a common
resource file, but there we go.)
Simon Tatham [Tue, 21 Feb 2017 22:17:48 +0000 (22:17 +0000)]
Makefile.am: subset the man pages in --without-gtk mode.
If you configure without GTK so that only the non-GUI tools get built
and installed, it makes sense to also only build and install the same
subset of the man pages.
Simon Tatham [Tue, 21 Feb 2017 19:00:49 +0000 (19:00 +0000)]
One more CHECKLST update: mirrors have no .htaccess.
Our recommended package for website mirrors doesn't need one any more,
because its latest.html links already point directly to the numbered
release subdirectory. Hence, remove the release-checklist instruction
to check the mirror package's .htaccess, and replace it with an
instruction to check the links in latest.html instead.
The main tartarus.org host has changed since the last release, so we
now have to upload things to somewhere different. Updated the release
automation in release.pl, and all the mentions of atreus in the manual
checklist too.
Simon Tatham [Mon, 20 Feb 2017 20:52:41 +0000 (20:52 +0000)]
Merge the 0.68 release branchlet to master.
Conflicts in the FAQ are fixed by incorporating Jacob's rewritten
post-0.68 version. (But owing to considerable git confusion I haven't
managed to get his name on to this commit anywhere.)
Simon Tatham [Mon, 20 Feb 2017 20:30:14 +0000 (20:30 +0000)]
Fix buffer management in strbuf_catfv.
Thanks to Tim Kosse for pointing out that I had _completely_ cocked up
all the code that was supposed to enlarge the buffer in the strbuf
structure, by failing to pass in 'oldsize' to the innermost
dupvprintf_inner function by reference, so that the size was never
updated.
Fortunately, this whole mechanism was something I dashed off for the
purposes of buildinfo(), which means it's only ever used to glue
together a fixed number of compile-time string constants, for which
there turns out to be plenty to spare in the standard 512 bytes
allocated to a new strbuf. So it's at least not dangerous, though it
clearly needs to be fixed before I make the mistake of using
strbuf_catf[v] for anything else!
Owen Dunn [Sun, 19 Feb 2017 13:49:12 +0000 (13:49 +0000)]
Make Windows sockets non-inheritable
When we create a socket with socket() (in try_connect, sk_newlistener, and
ipv4_is_local_addr) also call SetHandleInformation to disable handle
inheritance for this socket. This fixes dup-sessions-dont-close.
Simon Tatham [Fri, 17 Feb 2017 19:39:58 +0000 (19:39 +0000)]
Update version number for 0.68 release.
This commit also updates the dumps of Plink's and PSCP's help output,
adding the -proxycmd option to both and the -shareexists option to
Plink.
(Or rather, _re_-adding the latter, since it was introduced in error
by commit 07af4ed10 due to a branch management error and hastily
removed again in 29e8c24f9. This time it really does match reality.)
Simon Tatham [Sat, 18 Feb 2017 17:06:46 +0000 (17:06 +0000)]
Release checklist updates.
These reflect the fact that I'm increasingly preferring to make a
release-candidate build a few days in advance of the actual release,
and give the team time to do a bit of testing on it before putting it
up on the live website. Hence, I can't _quite_ fill in everything in
the website announcement ahead of time - the release date has to wait
until we know what it is, which means I need to have 'now fill in the
release date' as part of the go-live checklist.
Also, I've provided a better bob command for doing a release build
(putting it somewhere safe to begin with, rather than leaving it
precariously in my normal build directory). And while I'm here, I've
standardised all my placeholder version numbers to X.YZ; previously
half of them said 0.XX :-)
Simon Tatham [Sat, 18 Feb 2017 16:50:48 +0000 (16:50 +0000)]
Fix the '--without-gtk' mode in configure.
I had accidentally included the experimental "XT" app class (the
GtkApplication-based packaging of Unix PuTTY/pterm for OS X) among the
things that should still be built even when GTK is absent. That's
definitely wrong.
Simon Tatham [Sat, 11 Feb 2017 07:08:53 +0000 (07:08 +0000)]
Update documentation for 0.68.
Several places in the docs were labelled for review because they need
to change when 0.68's feature set comes in - no SSH-2 to SSH-1
fallback any more, but on the other hand, Unix Pageant now exists.
Simon Tatham [Thu, 16 Feb 2017 20:26:58 +0000 (20:26 +0000)]
Implement deferred closing of Windows handle-sockets.
When a handle socket is in THAWING state and handle_socket_unfreeze is
gradually passing the backlogged data on to the plug, the plug might
suddenly turn round and close the socket in the course of handling
plug_receive(), which means that handle_socket_unfreeze had better be
careful not to have had everything vanish out from under it when that
call returns. To solve this, I've added a 'deferred close' flag which
handle_socket_unfreeze can set around its call to plug_receive, and
handle_socket_close will detect that and not actually free the socket,
instead leaving that for handle_socket_unfreeze to do under its own
control.
Jacob Nevins [Thu, 16 Feb 2017 23:47:03 +0000 (23:47 +0000)]
Document VS2015 impact on very old Windows.
(In a XXX-REVIEW-BEFORE-RELEASE form.)
Also, note the effect of compilation with different Visual Studio
versions on Windows version compatibility in the source README, for the
sake of having it written down somewhere.
Jacob Nevins [Wed, 15 Feb 2017 23:58:25 +0000 (23:58 +0000)]
Remove references to "Win32" and "32-bit Windows".
They were there mainly to distinguish from 16-bit Windows, which hasn't
been a thing since before a noticeable fraction of the userbase were
born, probably. These days the obvious comparison is with 64-bit
Windows.
Also tweak some wording to reflect that official PuTTY executables are
not necessarily 32-bit any more, and add some XXX-REVIEW-BEFORE-RELEASE
in the same vein.
Simon Tatham [Wed, 15 Feb 2017 21:41:28 +0000 (21:41 +0000)]
sink(): finish waiting for remote EOF after a local error.
We responded to a local error writing out the destination file by
going into a mode where we just looped round receiving and throwing
away data until our count of the file size reached the file size we
expected - but once we were in that mode, we never actually
incremented the count!
Simon Tatham [Wed, 15 Feb 2017 21:39:23 +0000 (21:39 +0000)]
scp_recv_filedata: handle EOF more sensibly.
xfer_download_data could return actuallen as either 0 or -1 to
indicate EOF. Now it's always 0, and scp_recv_filedata actually checks
for that case and reports an error.
Owen Dunn [Wed, 15 Feb 2017 19:50:14 +0000 (19:50 +0000)]
Return zero when reporting our version.
When called with -V to ask for our version, return 0 rather than 1.
This is the usual behaviour observed by ssh(1) and other Unix commands.
Also use exit() rather than cleanup_exit() in pscp.c and psftp.c ; at
this point we have nothing to cleanup!
Simon Tatham [Wed, 15 Feb 2017 19:29:05 +0000 (19:29 +0000)]
Include the compile-time GTK version in the build info.
It's obvious to the trained eye whether GTK PuTTY was compiled against
GTK2 or GTK3, but the untrained eye would probably appreciate a little
help, and even the trained eye probably can't tell GTK 3.18 from 3.19
at a glance :-)
Simon Tatham [Wed, 15 Feb 2017 19:19:38 +0000 (19:19 +0000)]
Fix multiple bugs in freeze/thaw of Windows handle-sockets.
Firstly, I had asserted that data would never arrive on a handle
socket in state FREEZING, which is just an error, because FREEZING is
precisely the state of not being quite frozen _yet_ because one last
read is still expected to arrive from the winhandl.c reading subthread
which it's too late to cancel. I meant to assert that it wasn't
FROZEN.
Secondly, when the handle socket was in state FREEZING, I failed to
actually _set_ it to FROZEN.
And thirdly, when the handle socket starts thawing again (i.e. there's
now outgoing buffer space so we can start sending our backlogged
data), I forgot to ever call bufchain_consume, so that the same block
of data would get sent repeatedly.
I can only assume that nothing I've ever done has actually exercised
this code!
Simon Tatham [Wed, 15 Feb 2017 05:31:30 +0000 (05:31 +0000)]
uxpgnt: correct control flow in find_key().
If we try to interpret a string argument as the name of a key file,
sometimes we it's in circumstances where we _know_ it's a key file, so
we must print an error message and return failure if the file can't be
loaded. Other times it's not, and we just fall back to interpreting
the argument in some other way (e.g. as a pattern match against the
comment or fingerprint of a key already in the agent).
My code dealing with failure returns from the public-key loading
functions were mishandling the latter case, if they identified a file
as existing and looking more or less like some kind of key file but
then it turned out to have a format error; they would try to copy and
return a public key that they didn't actually have. Even if
pageant_pubkey_copy avoided crashing as a result, this would still
inhibit the fallback to treating the input string as some other kind
of pattern match.
Simon Tatham [Wed, 15 Feb 2017 05:21:13 +0000 (05:21 +0000)]
Remove a redundant ?: in the nethack_keypad code.
I think all of the cases in this switch must have originally said
(shift_state ? 'this' : 'that'), and in all but the VK_NUMPAD5 case
the two options were different, and I left VK_NUMPAD5 containing a
redundant ?: just to make it line up in a nice table with the others.
But now the others all have more options than that because I had to
support Ctrl as well as Shift modifiers, so there's no reason to have
that silly ?: lingering around (and it annoys Coverity).
Simon Tatham [Tue, 14 Feb 2017 23:19:13 +0000 (23:19 +0000)]
Fixes for winelib building (used by our Coverity build).
Avoided referring to some functions and header files that aren't there
in the winelib world (_vsnprintf, _stricmp, SecureZeroMemory,
multimon.h), and worked around a really amazingly annoying issue in
which Winelib objects to you using the type 'fd_set' unless you
included winsock2.h before stdlib.h.
Simon Tatham [Tue, 14 Feb 2017 21:52:28 +0000 (21:52 +0000)]
Tighten up bounds-checking of agent responses.
I think an agent sending a string length exceeding the buffer bounds
by less than 4 could have made PuTTY read beyond its own buffer end.
Not that I really think a hostile SSH agent is likely to be attacking
PuTTY, but it's as well to fix these things anyway!
Simon Tatham [Tue, 14 Feb 2017 21:15:02 +0000 (21:15 +0000)]
Fix completely broken dialog-building functions.
The loops that were supposed to count up the number of buttons in the
variadic argument list forgot to increment the counter.
On the other hand, these functions aren't actually _used_ anywhere in
the current code - looks as if commit 616c837cf was the last time they
were seen - but manual dialog stuff like PuTTYgen might yet find a use
for them in future.
Simon Tatham [Tue, 14 Feb 2017 20:47:16 +0000 (20:47 +0000)]
Put in some explicit null-pointer checks.
I think these were not strictly necessary, since passing a null
pointer to access(2) would have resulted in EINVAL rather than a
segfault. But it's clearer to put them in (and keeps static checkers a
bit happier).
Simon Tatham [Tue, 14 Feb 2017 20:29:38 +0000 (20:29 +0000)]
wintime: add a precautionary memset to zero.
Coverity observes that sometimes 'struct tm' can have other fields
(e.g. glibc's tm_gmtoff), so it's as well to make sure we initialise
the whole thing to zero.
Simon Tatham [Tue, 14 Feb 2017 20:26:03 +0000 (20:26 +0000)]
uxpgnt: fix an uninitialised structure field in find_key().
Thanks, Coverity - I must have been lucky that Unix Pageant in client
mode hasn't so far happened to have this field come out non-NULL, or
else pageant_pubkey_copy would have tried to dupstr a garbage pointer.
Simon Tatham [Tue, 14 Feb 2017 22:13:24 +0000 (22:13 +0000)]
lz77_compress: change scope of variable 'hash'.
This makes it clearer that it doesn't persist beyond this block, and
would have made it much more obvious that the assignment to it removed
in the previous commit was pointless.
Simon Tatham [Tue, 14 Feb 2017 20:22:05 +0000 (20:22 +0000)]
Remove assorted dead code.
Assignments that are overwritten shortly afterwards and never used,
and a completely unused variable. Also, the bogus array access in
testbn.c could have actually accessed one beyond the array limit
(though of course it's only in a test harness).
Simon Tatham [Tue, 14 Feb 2017 21:31:12 +0000 (21:31 +0000)]
Fix freeing of retkey in openssh_new_read.
Now it's always freed in the cleanup epilogue (unless we're returning
it), rather than ad-hoc earlier in the code. That should make it more
reliably freed on error paths.
Jacob Nevins [Sat, 11 Feb 2017 20:12:55 +0000 (20:12 +0000)]
Unix 'puttygen --help' was a mess.
Bring it into line with the other PuTTY tools: --help goes to stdout,
has a one-line purpose and brief version information, --version ends
with a newline.
(Also, tweak text bring the help message under 80 columns.)
Jacob Nevins [Sat, 11 Feb 2017 00:44:00 +0000 (00:44 +0000)]
Log when -restrict-acl is in use.
Partly to reassure the user that they got what they asked for, and
partly so that's a clue for us in the logs when we get bug reports.
This involved repurposing platform_psftp_post_option_setup() (no longer
used since e22120fe) as platform_psftp_pre_conn_setup(), and moving it
to after logging is set up.
Simon Tatham [Sun, 5 Feb 2017 12:08:13 +0000 (12:08 +0000)]
One more warning fix: spurious 'const' on functions.
These must have been absent-mindedly copied from function declarations
of the form 'const type *fn(args)', where the 'const' is meaningful
and describes the data pointed to by the returned pointer, to
functions of the form 'const type fn(args)' where the 'const' is
completely pointless.
Simon Tatham [Sun, 5 Feb 2017 11:19:12 +0000 (11:19 +0000)]
Fix a few more clang-generated warnings.
These are benign, I think. clang warns about casting non-pointer-sized
integers to pointers, but the Windows API actually does sometimes
involve values that are either pointers or _small_ integers, so in the
two cases involved I just cast through ULONG_PTR to silence the
warning. And clang insists that the integer whose address I give to
sk_getxdmdata is still uninitialised afterwards, which is just a lie.
Simon Tatham [Sun, 5 Feb 2017 11:13:45 +0000 (11:13 +0000)]
Stop using MS-deprecated names stricmp and strnicmp.
clang-cl generates warnings saying they're deprecated, in favour of
the same names but prefixed with an underscore. The warnings are
coming from the standard MS headers, and I'm already #defining those
names differently on Unix, so I'll honour them.
Simon Tatham [Sun, 5 Feb 2017 11:19:22 +0000 (11:19 +0000)]
clang-specific pragmas to suppress -Wmissing-braces.
When I added some extra braces in commit 095072fa4 to suppress this
warning, I think in fact I did the wrong thing, because the
declaration syntax I was originally using is the Microsoft-recommended
one in spite of clang not liking it - I think MS would be within their
rights (should they feel like it) to add those missing braces in a
later version of the WinSock headers, which would make the current
warning-clean code stop compiling. So it's better to put the code back
as it was, and avoid the clang warning by using clang's
warning-suppression pragmas for just those declarations.
I've also done the same thing in winnet.c, for two initialisers of
IPv6 well-known addresses which had the same problem (but which I
didn't notice yesterday because a misjudged set of Windows version
macros had prevented me from compiling that file successfully at all).
Simon Tatham [Sun, 5 Feb 2017 10:59:08 +0000 (10:59 +0000)]
New makefile, for Windows cross-builds with clang-cl.
This was very strange to write, because it's a bizarre combination of
the GNU-make-isms and rc commands of Makefile.mgw with the cl and link
commands of Makefile.vc (but also the latter thankfully doesn't need
those horrible response files).
I've added a big comment in mkfiles.pl about what the build
requirements for this makefile actually are, which _hopefully_ will be
usable by people other than me.
Jacob Nevins [Sat, 4 Feb 2017 12:48:50 +0000 (12:48 +0000)]
Document Inno Setup's new lack of cleanup.
We used to offer to clean up saved sessions, so we should mention that
we don't for the benefit of users of old versions, who might have been
relying on it.
Simon Tatham [Sat, 4 Feb 2017 07:57:36 +0000 (07:57 +0000)]
Pass -restrict-acl, if given, through to sub-PuTTYs.
This change applies to every situation when GUI PuTTY knowingly spawns
another GUI PuTTY, to wit, the System menu options 'New Session',
'Duplicate Session' and the 'Saved Sessions' submenu.
(Literally speaking, what we actually pass through to the sub-PuTTY's
command line is not the "-restrict-acl" option itself, but a special
prefix "&R", which has the same meaning but which lives in the special
pre-argv-splitting command-line namespace like the magic options used
for Duplicate Session and the old '@sessionname' prefix which the
Saved Sessions submenu still uses. Otherwise, by the time we split up
argv and recognised -restrict-acl, it would be too late to parse those
other options.)
One case in which PuTTY spawns a subprocess and this change _doesn't_
apply is when the subprocess is a proxy command which happens to be a
Plink. Recognising Plink commands in that situation would be fragile
and unreliable, and in any case if the user wants a proxy Plink to be
ACL-restricted, they are in control of its exact command line so they
can add -restrict-acl themselves.
Simon Tatham [Fri, 3 Feb 2017 19:37:59 +0000 (19:37 +0000)]
A bunch of further warning fixes in the Windows code.
These ones are stylistic rather than potential bugs: mostly signedness
of char pointers in cases where they clearly aren't going to cause the
wrong thing to actually happen, and one thing in winsecur.c where
clang would have preferred an extra pair of braces around some
initialisers but it's legal with or without. But since some of clang's
warnings turn out to be quite useful, it seems worth silencing these
harmless ones so as to be able to see the rest.
Simon Tatham [Fri, 3 Feb 2017 19:35:41 +0000 (19:35 +0000)]
Move declaration of frontend_is_utf8 into putty.h.
It's a function that exists on all platforms, not just on Unix - it's
used in ldisc.c - so it shouldn't have been declared only in unix.h.
Score another for clang's warnings.
Simon Tatham [Fri, 3 Feb 2017 19:33:50 +0000 (19:33 +0000)]
Fix an EOF-testing goof in winhandl.c.
I was having a play with clang's MSVC compatibility mode, just to see
how much of PuTTY it could compile, and one of its warnings pointed
out this error which must have crept in when I was changing the EOF
flags in winhandl.c from booleans to three-state enums - I left the !
on the front of what was previously an if (!thing) and needed to turn
into if (thing == EOF_NO).
Simon Tatham [Wed, 1 Feb 2017 20:42:21 +0000 (20:42 +0000)]
Fix error reporting pointer parameters in winsecur.c.
Several functions were passing a 'char *error' and assigning error
messages directly into 'error', where they should have been passing
'char **error' and assigning error messages into '*error' if the error
message is to be returned to the caller. This would have led to
incomplete error messages.
Simon Tatham [Mon, 30 Jan 2017 19:42:25 +0000 (19:42 +0000)]
Refuse to forward agent messages > AGENT_MAX_MSGLEN.
Mostly so that we don't have to malloc contiguous space for them
inside PuTTY; since we've already got a handy constant saying how big
is too big, we might as well use it to sanity-check the contents of
our agent forwarding channels.
Simon Tatham [Sat, 28 Jan 2017 21:56:28 +0000 (21:56 +0000)]
Turn off Windows process ACL restriction by default.
As documented in bug 'win-process-acl-finesse', we've had enough
assorted complaints about it breaking various non-malicious pieces of
Windows process interaction (ranging from git->plink integration to
screen readers for the vision-impaired) that I think it's more
sensible to set the process back to its default level of protection.
This precaution was never a fully effective protection anyway, due to
the race condition at process startup; the only properly effective
defence would have been to prevent malware running under the same user
ID as PuTTY in the first place, so in that sense, nothing has changed.
But people who want the arguable defence-in-depth advantage of the ACL
restriction can now turn it on with the '-restrict-acl' command-line
option, and it's up to them whether they can live with the assorted
inconveniences that come with it.
In the course of this change, I've centralised a bit more of the
restriction code into winsecur.c, to avoid repeating the error
handling in multiple places.
Simon Tatham [Mon, 23 Jan 2017 20:08:18 +0000 (20:08 +0000)]
Tweak bounds checks in pageant_add_keyfile.
When we're going through the response from an SSH agent we asked for a
list of keys, and processing the string lengths in the SSH-2 sequence
of (public blob, comment) pairs, we were adding 4 to each string
length, and although we checked if the result came out to a negative
value (if interpreted as a signed integer) or a positive one going
beyond the end of the response buffer, we didn't check if it wrapped
round to a positive value less than 4. As a result, if an agent
returned malformed data sent a length field of 0xFFFFFFFC, the pointer
would advance no distance at all through the buffer, and the next
iteration of the loop would check the same length field again.
(However, this would only consume CPU pointlessly for a limited time,
because the outer loop up to 'nkeys' would still terminate sooner or
later. Also, I don't think this can sensibly be classed as a serious
security hazard - it's arguably a borderline DoS, but it requires a
hostile SSH _agent_ if data of that type is to be sent on purpose, and
an untrusted SSH agent is not part of the normal security model!)
Simon Tatham [Sun, 29 Jan 2017 19:40:38 +0000 (19:40 +0000)]
Rewrite agent forwarding to serialise requests.
The previous agent-forwarding system worked by passing each complete
query received from the input to agent_query() as soon as it was
ready. So if the remote client were to pipeline multiple requests,
then Unix PuTTY (in which agent_query() works asynchronously) would
parallelise them into many _simultaneous_ connections to the real
agent - and would not track which query went out first, so that if the
real agent happened to send its replies (to what _it_ thought were
independent clients) in the wrong order, then PuTTY would serialise
the replies on to the forwarding channel in whatever order it got
them, which wouldn't be the order the remote client was expecting.
To solve this, I've done a considerable rewrite, which keeps the
request stream in a bufchain, and only removes data from the bufchain
when it has a complete request. Then, if agent_query decides to be
asynchronous, the forwarding system waits for _that_ agent response
before even trying to extract the next request's worth of data from
the bufchain.
As an added bonus (in principle), this gives agent-forwarding channels
some actual flow control for the first time ever! If a client spams us
with an endless stream of rapid requests, and never reads its
responses, then the output side of the channel will run out of window,
which causes us to stop processing requests until we have space to
send responses again, which in turn causes us to stop granting extra
window on the input side, which serves the client right.
Simon Tatham [Sun, 29 Jan 2017 20:24:15 +0000 (20:24 +0000)]
Make asynchronous agent_query() requests cancellable.
Now, instead of returning a boolean indicating whether the query has
completed or is still pending, agent_query() returns NULL to indicate
that the query _has_ completed, and if it hasn't, it returns a pointer
to a context structure representing the pending query, so that the
latter can be used to cancel the query if (for example) you later
decide you need to free the thing its callback was using as a context.
This should fix a potential race-condition segfault if you overload an
agent forwarding channel and then close it abruptly. (Which nobody
will be doing for sensible purposes, of course! But I ran across this
while stress-testing other aspects of agent forwarding.)
Simon Tatham [Sun, 29 Jan 2017 20:24:09 +0000 (20:24 +0000)]
Remove the commented-out WINDOWS_ASYNC_AGENT code.
It's been commented out for ages because it never really worked, and
it's about to become further out of date when I make other changes to
the agent client code, so it's time to get rid of it before it gets in
the way.
If and when I do get round to supporting asynchronous agent requests
on Windows, it's now pretty clear to me that trying to coerce this
ghastly window-message IPC into the right shape is the wrong way, and
a better approach will be to make Pageant support a named-pipe based
alternative transport for its agent connections, and speaking the
ordinary stream-oriented agent protocol over that. Then Pageant will
be able to start adding interactive features (like confirmation
dialogs or on-demand decryption) with freedom to reply to multiple
simultaneous agent connections in whatever order it finds convenient.
Simon Tatham [Sun, 29 Jan 2017 19:42:42 +0000 (19:42 +0000)]
Fix Makefile warning about circular empty.h dependency.
In commit be586d53b I made empty.h depend on $(allsources), which
unfortunately was defined so as to include empty.h. This was harmless,
because make just ignored the circular dependency, but annoying,
because it constantly mentioned that it was ignoring it.
Simon Tatham [Sat, 28 Jan 2017 10:56:19 +0000 (10:56 +0000)]
Report the right address in connection setup errors.
backend_socket_log was generating the IP address in its error messages
by means of calling sk_getaddr(). But sk_getaddr only gets a SockAddr,
which may contain a whole list of candidate addresses; it doesn't also
get the information stored in the 'step' field of the Socket that was
actually trying to make the connection, which says _which_ of those
addresses we were in the middle of trying to connect to.
So now we construct a temporary SockAddr that points at the
appropriate one of the addresses, and use that for calls to plug_log
during connection setup.
Simon Tatham [Tue, 24 Jan 2017 22:30:44 +0000 (22:30 +0000)]
Rework handling of asynchronous connect(2) errors on Unix.
If connect() returns EINPROGRESS, then previously we would detect a
successful connection by the socket becoming selectable for writing,
and spot an unsuccessful one by an error code being returned on the
first attempt to read from it.
This isn't the right way to do it: the right way is to respond to the
initial writability notification by calling getsockopt(SO_ERROR) to
retrieve the error code (if any) from the completed connection
attempt. Doing it the old way had the problem that when the socket
became writable, we could sometimes already have written some of our
outgoing data to it before finding out that the connect attempt failed
- which meant we'd discard that data from the bufchain, and no longer
have it to send through a later successful connection to a different
candidate address.
Simon Tatham [Wed, 25 Jan 2017 19:47:08 +0000 (19:47 +0000)]
Fix an integer overflow in get_ssh_string.
If the length field in the input data was so large that adding 4 to it
caused wraparound, the error check could fail to trigger. Fortunately,
this praticular get_ssh_string function is only used during private
key import from foreign file formats, so it won't be facing hostile
data.
Tim Kosse [Mon, 23 Jan 2017 17:51:03 +0000 (18:51 +0100)]
Add error variable to loop condition
In case of connection errors before and during the handshake,
net_select_result is retrying with the next address of the server. It
however was immediately going to the last address as it was not
checking the return value of try_connect for all intermediate
addresses.
Simon Tatham [Sat, 21 Jan 2017 15:29:50 +0000 (15:29 +0000)]
Fix misspelled redirect of the 64-bit installer.
The .htaccess written by Buildscr into the w64 directory was applying
a redirect from 'putty-installer.msi', but in fact the name by which
the website links to snapshot and prerelease installers in that
directory is 'putty-64bit-installer.msi'.
Simon Tatham [Sat, 21 Jan 2017 15:17:03 +0000 (15:17 +0000)]
Rename the maps directory in release.pl.
The code that copies the link maps of the release Windows builds into
the place I store them for later debugging should now not
embarrassingly look in the wrong place when we make our first
post-VS2015 release.
Simon Tatham [Sat, 31 Dec 2016 17:27:30 +0000 (17:27 +0000)]
Checklist updates from the website revamp.
I've now made a new section about how to turn on pre-release mode,
because although it's been carefully made trivial within the website
repo itself, there are still several things in other places I need to
edit.
Also added a note to myself to turn off nightly pre-release builds
after the release has gone out. I found on a previous occasion that my
build machine had been building them for months after they were
needed, which was harmless to the website but a waste of CPU!
Simon Tatham [Sat, 21 Jan 2017 14:57:31 +0000 (14:57 +0000)]
Conditionalise the automake git-commit embedding.
This arranges that the mechanism from the previous commit
automatically turns itself on and off depending on whether a .git
directory even exists (so it won't try to do anything in distribution
tarballs), and also arranges that it can be manually turned off by a
configure option (in case someone who _is_ building from a git
checkout finds it inconvenient for some reason I haven't thought of,
which seems quite plausible to me).