Граф коммитов

71 Коммитов

Автор SHA1 Сообщение Дата
Simon Tatham 37cdfdcd51 Tell the truth about DNS lookups in the Event Log.
We've always had the back-end code unconditionally print 'Looking up
host' before calling name_lookup. But name_lookup doesn't always do an
actual lookup - in cases where the connection will be proxied and
we're configured to let the proxy do the DNS for us, it just calls
sk_nonamelookup to return a dummy SockAddr with the unresolved name
still in it. It's better to print a message that varies depending on
whether we're _really_ doing DNS or not, e.g. so that people can tell
the difference between DNS failure and proxy misconfiguration.

Hence, those log messages are now generated inside name_lookup(),
which takes a couple of extra parameters for the purpose - a frontend
pointer to pass to logevent(), and a reason string so that it can say
what the hostname it's (optionally) looking up is going to be used
for. (The latter is intended for possible use in logging subsidiary
lookups for port forwarding, though  the moment I haven't changed
the current setup where those connection setups aren't logged in
detail - we just pass NULL in that situation.)
2015-11-22 15:10:59 +00:00
Simon Tatham b8dd15b8ff Stop using abs(unsigned) in X11 time comparison.
The validation end of XDM-AUTHORIZATION-1 needs to check that two
time_t values differ by at most XDM_MAXSKEW, which it was doing by
subtracting them and passing the result to abs(). This provoked a
warning from OS X's clang, on the reasonable enough basis that the
value passed to abs was unsigned.

Fixed by using the (well defined) unsigned arithmetic wraparound: to
check that the mathematical difference of two unsigned numbers is in
the interval [-k,+k], compute their difference _plus k_ as an
unsigned, and check the result is in the interval [0,2k] by doing an
unsigned comparison against 2k.
2015-08-27 18:44:51 +01:00
Simon Tatham 89da2ddf56 Giant const-correctness patch of doom!
Having found a lot of unfixed constness issues in recent development,
I thought perhaps it was time to get proactive, so I compiled the
whole codebase with -Wwrite-strings. That turned up a huge load of
const problems, which I've fixed in this commit: the Unix build now
goes cleanly through with -Wwrite-strings, and the Windows build is as
close as I could get it (there are some lingering issues due to
occasional Windows API functions like AcquireCredentialsHandle not
having the right constness).

Notable fallout beyond the purely mechanical changing of types:
 - the stuff saved by cmdline_save_param() is now explicitly
   dupstr()ed, and freed in cmdline_run_saved.
 - I couldn't make both string arguments to cmdline_process_param()
   const, because it intentionally writes to one of them in the case
   where it's the argument to -pw (in the vain hope of being at least
   slightly friendly to 'ps'), so elsewhere I had to temporarily
   dupstr() something for the sake of passing it to that function
 - I had to invent a silly parallel version of const_cmp() so I could
   pass const string literals in to lookup functions.
 - stripslashes() in pscp.c and psftp.c has the annoying strchr nature
2015-05-15 12:47:44 +01:00
Simon Tatham a53e4e2cb6 Const-correctness in x11_setup_display.
The 'display' parameter should have been a const char *. No call sites
affected.
2015-05-05 20:16:18 +01:00
Simon Tatham 8da4fa5063 Use the new host_str* functions to improve IPv6 literal support.
I've gone through everywhere we handle host names / addresses (on
command lines, in PuTTY config, in port forwarding, in X display
names, in host key storage...) and tried to make them handle IPv6
literals sensibly, by using the host_str* functions I introduced in my
previous commit. Generally it's now OK to use a bracketed IPv6 literal
anywhere a hostname might have been valid; in a few cases where no
ambiguity exists (e.g. no :port suffix is permitted anyway)
unbracketed IPv6 literals are also acceptable.

[originally from svn r10120]
2014-01-25 15:58:54 +00:00
Simon Tatham bb78583ad2 Implement connection sharing between instances of PuTTY.
The basic strategy is described at the top of the new source file
sshshare.c. In very brief: an 'upstream' PuTTY opens a Unix-domain
socket or Windows named pipe, and listens for connections from other
PuTTYs wanting to run sessions on the same server. The protocol spoken
down that socket/pipe is essentially the bare ssh-connection protocol,
using a trivial binary packet protocol with no encryption, and the
upstream has to do some fiddly transformations that I've been
referring to as 'channel-number NAT' to avoid resource clashes between
the sessions it's managing.

This is quite different from OpenSSH's approach of using the Unix-
domain socket as a means of passing file descriptors around; the main
reason for that is that fd-passing is Unix-specific but this system
has to work on Windows too. However, there are additional advantages,
such as making it easy for each downstream PuTTY to run its own
independent set of port and X11 forwardings (though the method for
making the latter work is quite painful).

Sharing is off by default, but configuration is intended to be very
easy in the normal case - just tick one box in the SSH config panel
and everything else happens automatically.

[originally from svn r10083]
2013-11-17 14:05:41 +00:00
Simon Tatham e5a3e28eec Get rid of the error-return mechanism from x11_init.
Now that it doesn't actually make a network connection because that's
deferred until after the X authorisation exchange, there's no point in
having it return an error message and write the real output through a
pointer argument. Instead, we can just have it return xconn directly
and simplify the call sites.

[originally from svn r10081]
2013-11-17 14:05:23 +00:00
Simon Tatham 94e8f97d3f Refactor the construction of X protocol greetings.
I've moved it out into a separate function, preparatory to calling it
from somewhere completely different in changes to come. Also, we now
retain the peer address sent from the SSH server in string form,
rather than translating it immediately into a numeric IP address, so
that its original form will be available later to pass on elsewhere.

[originally from svn r10080]
2013-11-17 14:05:17 +00:00
Simon Tatham cc4fbe33bc Prepare to have multiple X11 auth cookies valid at once.
Rather than the top-level component of X forwarding being an
X11Display structure which owns some auth data, it's now a collection
of X11FakeAuth structures, each of which owns a display. The idea is
that when we receive an X connection, we wait to see which of our
available auth cookies it matches, and then connect to whatever X
display that auth cookie identifies. At present the tree will only
have one thing in it; this is all groundwork for later changes.

[originally from svn r10079]
2013-11-17 14:05:10 +00:00
Simon Tatham 01085358e4 Decouple X socket opening from x11_init().
Now we wait to open the socket to the X server until we've seen the
authorisation data. This prepares us to do something else with the
channel if we see different auth data, which will come up in
connection sharing.

[originally from svn r10078]
2013-11-17 14:05:04 +00:00
Simon Tatham 9cbcd17651 Refactor ssh.c's APIs to x11fwd.c and portfwd.c.
The most important change is that, where previously ssh.c held the
Socket pointer for each X11 and port forwarding, and the support
modules would find their internal state structure by calling
sk_get_private_ptr on that Socket, it's now the other way round. ssh.c
now directly holds the internal state structure pointer for each
forwarding, and when the support module needs the Socket it looks it
up in a field of that. This will come in handy when I decouple socket
creation from logical forwarding setup, so that X forwardings can
delay actually opening a connection to an X server until they look at
the authentication data and see which server it has to be.

However, while I'm here, I've also taken the opportunity to clean up a
few other points, notably error message handling, and also the fact
that the same kind of state structure was used for both
connection-type and listening-type port forwardings. Now there are
separate PortForwarding and PortListener structure types, which seems
far more sensible.

[originally from svn r10074]
2013-11-17 14:04:41 +00:00
Simon Tatham 19fba3fe55 Replace the hacky 'OSSocket' type with a closure.
The mechanism for constructing a new connection-type Socket when a
listening one receives an incoming connection previously worked by
passing a platform-specific 'OSSocket' type to the plug_accepting
function, which would then call sk_register to wrap it with a proper
Socket instance. This is less flexible than ideal, because it presumes
that only one kind of OS object might ever need to be turned into a
Socket. So I've replaced OSSocket throughout the code base with a pair
of parameters consisting of a function pointer and a context such that
passing the latter to the former returns the appropriate Socket; this
will permit different classes of listening Socket to pass different
function pointers.

In deference to the reality that OSSockets tend to be small integers
or pointer-sized OS handles, I've made the context parameter an
int/pointer union that can hold either of those directly, rather than
the usual approach of making it a plain 'void *' and requiring a
context structure to be dynamically allocated every time.

[originally from svn r10068]
2013-11-17 14:03:55 +00:00
Simon Tatham 8e7b0d0e4b Pass an error message through to sshfwd_unclean_close.
We have access to one at every call site, so there's really no reason
not to send it through to ssh.c to be logged.

[originally from svn r10038]
2013-09-08 07:14:56 +00:00
Simon Tatham ea301bdd9b Fix another giant batch of resource leaks. (Mostly memory, but there's
one missing fclose too.)

[originally from svn r9919]
2013-07-14 10:46:07 +00:00
Simon Tatham aa5bae8916 Introduce a new utility function smemclr(), which memsets things to
zero but does it in such a way that over-clever compilers hopefully
won't helpfully optimise the call away if you do it just before
freeing something or letting it go out of scope. Use this for
(hopefully) every memset whose job is to destroy sensitive data that
might otherwise be left lying around in the process's memory.

[originally from svn r9586]
2012-07-22 19:51:50 +00:00
Simon Tatham 76a27757e6 Call sshfwd_unclean_close() in the event of a local socket error on a
forwarded X connection. (I somehow forgot to do this in r9364, despite
making the identical change in portfwd.c.)

[originally from svn r9470]
[r9364 == 49927f6c4d]
2012-04-23 17:59:53 +00:00
Simon Tatham 947962e0b9 Revamp of EOF handling in all network connections, pipes and other
data channels. Should comprehensively fix 'half-closed', in principle,
though it's a big and complicated change and so there's a good chance
I've made at least one mistake somewhere.

All connections should now be rigorous about propagating end-of-file
(or end-of-data-stream, or socket shutdown, or whatever) independently
in both directions, except in frontends with no mechanism for sending
explicit EOF (e.g. interactive terminal windows) or backends which are
basically always used for interactive sessions so it's unlikely that
an application would be depending on independent EOF (telnet, rlogin).

EOF should now never accidentally be sent while there's still buffered
data to go out before it. (May help fix 'portfwd-corrupt', and also I
noticed recently that the ssh main session channel can accidentally
have MSG_EOF sent before the output bufchain is clear, leading to
embarrassment when it subsequently does send the output).

[originally from svn r9279]
2011-09-13 11:44:03 +00:00
Simon Tatham a1f3b7a358 Post-release destabilisation! Completely remove the struct type
'Config' in putty.h, which stores all PuTTY's settings and includes an
arbitrary length limit on every single one of those settings which is
stored in string form. In place of it is 'Conf', an opaque data type
everywhere outside the new file conf.c, which stores a list of (key,
value) pairs in which every key contains an integer identifying a
configuration setting, and for some of those integers the key also
contains extra parts (so that, for instance, CONF_environmt is a
string-to-string mapping). Everywhere that a Config was previously
used, a Conf is now; everywhere there was a Config structure copy,
conf_copy() is called; every lookup, adjustment, load and save
operation on a Config has been rewritten; and there's a mechanism for
serialising a Conf into a binary blob and back for use with Duplicate
Session.

User-visible effects of this change _should_ be minimal, though I
don't doubt I've introduced one or two bugs here and there which will
eventually be found. The _intended_ visible effects of this change are
that all arbitrary limits on configuration strings and lists (e.g.
limit on number of port forwardings) should now disappear; that list
boxes in the configuration will now be displayed in a sorted order
rather than the arbitrary order in which they were added to the list
(since the underlying data structure is now a sorted tree234 rather
than an ad-hoc comma-separated string); and one more specific change,
which is that local and dynamic port forwardings on the same port
number are now mutually exclusive in the configuration (putting 'D' in
the key rather than the value was a mistake in the first place).

One other reorganisation as a result of this is that I've moved all
the dialog.c standard handlers (dlg_stdeditbox_handler and friends)
out into config.c, because I can't really justify calling them generic
any more. When they took a pointer to an arbitrary structure type and
the offset of a field within that structure, they were independent of
whether that structure was a Config or something completely different,
but now they really do expect to talk to a Conf, which can _only_ be
used for PuTTY configuration, so I've renamed them all things like
conf_editbox_handler and moved them out of the nominally independent
dialog-box management module into the PuTTY-specific config.c.

[originally from svn r9214]
2011-07-14 18:52:21 +00:00
Simon Tatham c7ac5745ab When giving authorisation errors from the proxy code in x11fwd.c,
name the proxy using the global 'appname' variable, instead of
statically calling it PuTTY.

(Knock-on effect is that PSCP and PSFTP have to declare that
variable, though of course they shouldn't ever actually _use_ the X
forwarding code. Probably I ought to replace it with a stub
nox11fwd.c for those applications.)

[originally from svn r8501]
2009-04-23 17:39:36 +00:00
Jacob Nevins d699530e4c Since r8305, Unix PuTTY has always "upgraded" an X11 display like "localhost:0"
to a Unix-domain socket. This typically works fine when PuTTY is run on the
same machine as the X server, but it's broken multi-hop X forwarding through
OpenSSH; when OpenSSH creates a proxy X server "localhost:10", it only listens
on TCP, not on a Unix-domain socket.

Instead, when deciding on the details of the display, we actively probe to see
if there's a Unix-domain socket we can use instead, and only use it if it's
there, falling back to the specified IP "localhost" if not.

Independently, when looking for local auth details in Xauthority for a
"localhost" TCP display, we prefer a matching Unix-domain entry, but will fall
back to an IP "localhost" entry (which would be unusual, but we don't trust a
Windows X server not to do it) -- this is a generalisation of the special case
added in r2538 (but removed in r8305, as the automatic upgrade masked the need
for it).
(This is now done in platform-independent code, so a side-effect is that
get_hostname() is now part of the networking abstraction on all platforms.)

[originally from svn r8462]
[r2538 == fda9983243]
[r8305 == ca6fc3a4da]
2009-02-24 01:01:23 +00:00
Jacob Nevins db6ad48673 r8305 seems to have made Unix PuTTY rather over-keen on Unix-domain sockets;
unless a protocol is explicitly specified with "tcp/foovax:0", it assume a
Unix-domain socket, thus not allowing a remote display on a machine other than
the client.

[originally from svn r8381]
[r8305 == ca6fc3a4da]
2009-01-04 23:28:25 +00:00
Simon Tatham ca6fc3a4da Revamp of the local X11 connection code. We now parse X display
strings more rigorously, and then we look up the local X authority
data in .Xauthority _ourself_ rather than delegating to an external
xauth program. This is (negligibly) more efficient on Unix, assuming
I haven't got it wrong in some subtle way, but its major benefit is
that we can now support X authority lookups on Windows as well
provided the user points us at an appropriate X authority file in
the standard format. A new Windows-specific config option has been
added for this purpose.

[originally from svn r8305]
2008-11-17 18:38:09 +00:00
Simon Tatham 14d825d42f OS X Leopard, it turns out, has a new and exciting strategy for
addressing X displays. Update PuTTY's display-name-to-Unix-socket-
path translation code to cope with it, thus causing X forwarding to
start working again on Leopard.

[originally from svn r8020]
2008-05-28 19:23:57 +00:00
Simon Tatham 42801b7e9e Get rid of all the MSVC warnings.
[originally from svn r7086]
2007-01-09 18:24:07 +00:00
Jacob Nevins 54d78e2fe4 A zero-length return from platform_get_x_display() (for instance, a
zero-length DISPLAY variable in the environment) caused an assertion
failure when X11 forwarding was attempted. Fixed (now treated the same
as a NULL return, e.g., a non-existent DISPLAY variable).

[originally from svn r6549]
2006-02-11 18:00:23 +00:00
Jacob Nevins 6eec320f0b Unify GET_32BIT()/PUT_32BIT() et al from numerous source files into misc.h.
I've done a bit of testing (not exhaustive), and I don't _think_ I've broken
anything...

[originally from svn r5632]
2005-04-12 20:04:56 +00:00
Ben Harris f09e3841de Make sure that auth->xdmseen is initialised (to NULL) even if it's not used.
[originally from svn r5375]
2005-02-21 18:13:51 +00:00
Ben Harris b69e9d0781 Implement anti-replay protection for XDM-AUTHORIZATION-1, as required by
the specification.  We keep a cache of tickets we've seen recently and 
reject duplicates.  Once a ticket in our cache is old enough that we
wouldn't accept a duplicate anyway, we expire it.

[originally from svn r5236]
2005-02-02 23:51:58 +00:00
Owen Dunn a057db9fee Another compiler pickiness. It feels wrong to be doing this to
perfectly idiomatic code, somehow, and I half wonder whether the
Mac compilers are too stupid to be allowed to treat warnings as
errors.

[originally from svn r5228]
2005-01-29 22:50:18 +00:00
Ben Harris 865fbaa8ce Overhaul of client-side XDM-AUTHORIZATION-1:
* Make sk_getxdmdata() return an arbitrary string rather than two integers.
  This better matches the spec, even if the current version always returns
  six bytes
* On Unix, for PF_UNIX sockets, return a counter rather than a constant along
  with the PID.  This should allow multiple clients to connect within one
  second, and is what Xlib does.
* On Unix, interpret AF_INET6 addresses like Xlib does, returning the
  embedded IPv4 address for v4-mapped addresses, and six bytes of zeroes
  otherwise.  The latter is silly, but if I'm going to do anything more sane
  I need to check that X servers won't reject it.

[originally from svn r5219]
2005-01-28 11:39:45 +00:00
Owen Dunn eb4bb72cc6 Fix/bludgeon Mac compile wrinkles.
[originally from svn r5154]
2005-01-20 16:42:25 +00:00
Simon Tatham f70efc5cc6 Support for falling back through the list of addresses returned from
a DNS lookup, whether they're IPv4, v6 or a mixture of both.

[originally from svn r5119]
[this svn revision also touched putty-wishlist]
2005-01-16 14:29:34 +00:00
Simon Tatham 6daf6faede Integrate unfix.org's IPv6 patches up to level 10, with rather a lot
of polishing to bring them to what I think should in principle be
release quality. Unlike the unfix.org patches themselves, this
checkin enables IPv6 by default; if you want to leave it out, you
have to build with COMPAT=-DNO_IPV6.

I have tested that this compiles on Visual C 7 (so the nightlies
_should_ acquire IPv6 support without missing a beat), but since I
don't have IPv6 set up myself I haven't actually tested that it
_works_. It still seems to make correct IPv4 connections, but that's
all I've been able to verify for myself. Further testing is needed.

[originally from svn r5047]
[this svn revision also touched putty-wishlist]
2004-12-30 16:45:11 +00:00
Jacob Nevins 2a41bc0808 *sigh* X11 forwarding to a local display (":0" or similar) specified in the
environment rather than the configuraton was failing as of 0.56 (introduced
in r4604). This probably only bit users of Unix PuTTY. Didn't spot in testing
as I was forwarding to already-forwarded displays. I really wasn't having a
good month that month, was I?

[originally from svn r4816]
[r4604 == 98028c746f]
2004-11-18 17:13:45 +00:00
Jacob Nevins 98028c746f X forwarding changes:
- new function platform_get_x_display() to find a sensible local display.
   On Unix, the Gtk apps weren't taking account of --display when
   determining where to send forwarded X traffic.
 - explicitly document that leaving X display location blank in config tries
   to do something sensible (and that it's now blank by default)
 - don't override X11Display setting in plink, since that's more properly
   done later

[originally from svn r4604]
2004-10-06 22:31:07 +00:00
Jacob Nevins 20f433efac Add a configuration option for TCP keepalives (SO_KEEPALIVE), default off.
No very good reason, but I've occasionally wanted to frob it to see if it
makes any difference to problems I'm having, and it was easy.

Tested that it does actually cause keepalives on Windows (with tcpdump);
should also work on Unix. Not implemented on Mac (does nothing), but then
neither is TCP_NODELAY.

Quite a big checkin, much of which is adding `keepalive' alongside `nodelay'
in network function calls.

[originally from svn r4309]
2004-06-20 17:07:38 +00:00
Simon Tatham a2acc6ae0d RJK's patch to enable PuTTY's X forwarding to connect to local X
servers using Unix sockets (on Unix only, obviously!).

[originally from svn r4263]
2004-05-31 14:01:52 +00:00
Jacob Nevins 92db92af5a Control of 'addr' is now handed over to {platform_,}new_connection() and
sk_new() on invocation; these functions become responsible for (eventually)
freeing it. The caller must not do anything with 'addr' after it's been passed
in. (Ick.)

Why:
A SOCKS5 crash appears to have been caused by overzealous freeing of
a SockAddr (ssh.c:1.257 [r2492]), which for proxied connections is
squirreled away long-term (and this can't easily be avoided).

It would have been nice to make a copy of the SockAddr, in case the caller has
a use for it, but one of the implementations (uxnet.c) hides a "struct
addrinfo" in there, and we have no defined way to duplicate those. (None of the
current callers _do_ have a further use for the SockAddr.)

As far as I can tell, everything _except_ proxying only needs addr for the
duration of the call, so sk_addr_free()s immediately. If I'm mistaken, it
should at least be easier to find the offending free()...

[originally from svn r3383]
[r2492 == bdd6633970]
2003-08-07 16:04:33 +00:00
Simon Tatham 6bb121ecb9 Colin's const-fixing Patch Of Death. Seems to build fine on Windows
as well as Unix, so it can go in.

[originally from svn r3162]
2003-05-04 14:18:18 +00:00
Simon Tatham c1d61052ae Fix another segfault on abrupt X connection shutdown. This should
have happened in rev 1.5 [r996] but didn't! Now we never call
sk_get_private_ptr() on a socket unless we've ensured it's non-NULL.

[originally from svn r3140]
[r996 == 7b0e082700]
2003-04-25 16:42:36 +00:00
Ben Harris 3e4386d810 In a couple of places, snewn() was being asked for an array of char which was
then assigned to an unsigned char * variabe.  This fixes that.

[originally from svn r3023]
2003-03-29 23:05:36 +00:00
Simon Tatham d36a4c3685 Introduced wrapper macros snew(), snewn() and sresize() for the
malloc functions, which automatically cast to the same type they're
allocating the size of. Should prevent any future errors involving
mallocing the size of the wrong structure type, and will also make
life easier if we ever need to turn the PuTTY core code from real C
into C++-friendly C. I haven't touched the Mac frontend in this
checkin because I couldn't compile or test it.

[originally from svn r3014]
2003-03-29 16:14:26 +00:00
Ben Harris 694aafa071 Add the ability to close sessions. This adds *_free() functions to most
areas of the code.  Not all back-ends have been tested, but Telnet and SSH
behave reasonably.

Incidentally, almost all of this patch was written through Mac PuTTY,
admittedly over a Telnet connection.

[originally from svn r2615]
2003-01-15 23:30:21 +00:00
Simon Tatham 952857fca3 proxy.c now no longer refers to `cfg'. Instead, each of the three
proxy-indirection network functions (name_lookup, new_connection,
new_listener) takes a `const Config *' as an argument, and extracts
enough information from it before returning to handle that
particular network operation in accordance with the proxy settings
it specifies. This involved {win,ux}net.c due to a `const'
repercussion.

[originally from svn r2567]
2003-01-12 15:26:10 +00:00
Simon Tatham fee1624c69 Support for XDM-AUTHORIZATION-1 at the SSH server end, making use of
the remote IP/port data provided by the server for forwarded
connections. Disabled by default, since it's incompatible with SSH2,
probably incompatible with some X clients, and tickles a bug in
at least one version of OpenSSH.

[originally from svn r2554]
2003-01-12 14:11:38 +00:00
Ben Harris 3aec19fa72 Move the prototype for platform_get_x11_auth() from x11fwd.c to ssh.h so that
it can be checked against the implementation.

[originally from svn r2542]
2003-01-11 14:20:00 +00:00
Ben Harris 8adae8f2ff Add a cast for a char * vs unsigned char * conflict.
[originally from svn r2541]
2003-01-11 14:08:46 +00:00
Simon Tatham 87f9446a26 Support XDM-AUTHORIZATION-1 for connecting to local X servers. If
we're going to be a security program, we can at least make a token
effort to use the most secure local X auth available! And I'm still
half-tempted to see if I can support it for remote X servers too...

[originally from svn r2537]
2003-01-11 09:31:54 +00:00
Simon Tatham 86977efa81 Introduce framework for authenticating with the local X server.
Windows and Mac backends have acquired auth-finding functions which
do nothing; Unix backend has acquired one which actually works, so
Plink can now do X forwarding believably.
(This checkin stretches into some unlikely parts of the code because
there have been one or two knock-on effects involving `const'. Bah.)

[originally from svn r2536]
2003-01-10 18:33:35 +00:00
Ben Harris 3f055f22d8 Move x11fwd and portfwd prototypes from ssh.c into ssh.h so they can be seen
by (and checked against) the definitions.

[originally from svn r2474]
2003-01-05 22:53:23 +00:00