2002-03-23 17:47:21 +00:00
|
|
|
/*
|
|
|
|
|
* Network proxy abstraction in PuTTY
|
|
|
|
|
*
|
|
|
|
|
* A proxy layer, if necessary, wedges itself between the network
|
|
|
|
|
* code and the higher level backend.
|
|
|
|
|
*/
|
|
|
|
|
|
2002-09-21 16:52:21 +00:00
|
|
|
#include <assert.h>
|
2002-10-23 14:24:40 +00:00
|
|
|
#include <ctype.h>
|
|
|
|
|
#include <string.h>
|
2002-09-21 16:52:21 +00:00
|
|
|
|
2002-03-23 17:47:21 +00:00
|
|
|
#include "putty.h"
|
|
|
|
|
#include "network.h"
|
|
|
|
|
#include "proxy.h"
|
|
|
|
|
|
Post-release destabilisation! Completely remove the struct type
'Config' in putty.h, which stores all PuTTY's settings and includes an
arbitrary length limit on every single one of those settings which is
stored in string form. In place of it is 'Conf', an opaque data type
everywhere outside the new file conf.c, which stores a list of (key,
value) pairs in which every key contains an integer identifying a
configuration setting, and for some of those integers the key also
contains extra parts (so that, for instance, CONF_environmt is a
string-to-string mapping). Everywhere that a Config was previously
used, a Conf is now; everywhere there was a Config structure copy,
conf_copy() is called; every lookup, adjustment, load and save
operation on a Config has been rewritten; and there's a mechanism for
serialising a Conf into a binary blob and back for use with Duplicate
Session.
User-visible effects of this change _should_ be minimal, though I
don't doubt I've introduced one or two bugs here and there which will
eventually be found. The _intended_ visible effects of this change are
that all arbitrary limits on configuration strings and lists (e.g.
limit on number of port forwardings) should now disappear; that list
boxes in the configuration will now be displayed in a sorted order
rather than the arbitrary order in which they were added to the list
(since the underlying data structure is now a sorted tree234 rather
than an ad-hoc comma-separated string); and one more specific change,
which is that local and dynamic port forwardings on the same port
number are now mutually exclusive in the configuration (putting 'D' in
the key rather than the value was a mistake in the first place).
One other reorganisation as a result of this is that I've moved all
the dialog.c standard handlers (dlg_stdeditbox_handler and friends)
out into config.c, because I can't really justify calling them generic
any more. When they took a pointer to an arbitrary structure type and
the offset of a field within that structure, they were independent of
whether that structure was a Config or something completely different,
but now they really do expect to talk to a Conf, which can _only_ be
used for PuTTY configuration, so I've renamed them all things like
conf_editbox_handler and moved them out of the nominally independent
dialog-box management module into the PuTTY-specific config.c.
[originally from svn r9214]
2011-07-14 18:52:21 +00:00
|
|
|
#define do_proxy_dns(conf) \
|
|
|
|
|
(conf_get_int(conf, CONF_proxy_dns) == FORCE_ON || \
|
2019-09-08 19:29:00 +00:00
|
|
|
(conf_get_int(conf, CONF_proxy_dns) == AUTO && \
|
|
|
|
|
conf_get_int(conf, CONF_proxy_type) != PROXY_SOCKS4))
|
2002-12-18 16:23:11 +00:00
|
|
|
|
2021-11-19 11:05:14 +00:00
|
|
|
static void proxy_negotiator_cleanup(ProxySocket *ps)
|
|
|
|
|
{
|
|
|
|
|
if (ps->pn) {
|
|
|
|
|
proxy_negotiator_free(ps->pn);
|
|
|
|
|
ps->pn = NULL;
|
|
|
|
|
}
|
|
|
|
|
if (ps->clientseat) {
|
|
|
|
|
interactor_return_seat(ps->clientitr);
|
|
|
|
|
ps->clientitr = NULL;
|
|
|
|
|
ps->clientseat = NULL;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2002-03-23 17:47:21 +00:00
|
|
|
/*
|
|
|
|
|
* Call this when proxy negotiation is complete, so that this
|
|
|
|
|
* socket can begin working normally.
|
|
|
|
|
*/
|
2022-09-03 11:02:48 +00:00
|
|
|
static void proxy_activate(ProxySocket *ps)
|
2002-03-23 17:47:21 +00:00
|
|
|
{
|
2019-02-06 20:46:45 +00:00
|
|
|
size_t output_before, output_after;
|
2019-09-08 19:29:00 +00:00
|
|
|
|
2021-11-19 11:05:14 +00:00
|
|
|
proxy_negotiator_cleanup(ps);
|
2002-03-23 17:47:21 +00:00
|
|
|
|
2024-06-26 07:29:39 +00:00
|
|
|
plug_log(ps->plug, &ps->sock, PLUGLOG_CONNECT_SUCCESS, NULL, 0, NULL, 0);
|
2021-09-13 13:28:47 +00:00
|
|
|
|
2002-10-22 09:40:38 +00:00
|
|
|
/* we want to ignore new receive events until we have sent
|
|
|
|
|
* all of our buffered receive data.
|
|
|
|
|
*/
|
2021-11-19 10:14:43 +00:00
|
|
|
sk_set_frozen(ps->sub_socket, true);
|
2002-03-23 17:47:21 +00:00
|
|
|
|
2002-10-22 09:40:38 +00:00
|
|
|
/* how many bytes of output have we buffered? */
|
2021-11-19 10:14:43 +00:00
|
|
|
output_before = bufchain_size(&ps->pending_oob_output_data) +
|
|
|
|
|
bufchain_size(&ps->pending_output_data);
|
2002-10-22 09:40:38 +00:00
|
|
|
/* and keep track of how many bytes do not get sent. */
|
|
|
|
|
output_after = 0;
|
2019-09-08 19:29:00 +00:00
|
|
|
|
2002-03-27 21:09:16 +00:00
|
|
|
/* send buffered OOB writes */
|
2021-11-19 10:14:43 +00:00
|
|
|
while (bufchain_size(&ps->pending_oob_output_data) > 0) {
|
|
|
|
|
ptrlen data = bufchain_prefix(&ps->pending_oob_output_data);
|
|
|
|
|
output_after += sk_write_oob(ps->sub_socket, data.ptr, data.len);
|
|
|
|
|
bufchain_consume(&ps->pending_oob_output_data, data.len);
|
2002-03-23 17:47:21 +00:00
|
|
|
}
|
|
|
|
|
|
2002-03-27 21:09:16 +00:00
|
|
|
/* send buffered normal writes */
|
2021-11-19 10:14:43 +00:00
|
|
|
while (bufchain_size(&ps->pending_output_data) > 0) {
|
|
|
|
|
ptrlen data = bufchain_prefix(&ps->pending_output_data);
|
|
|
|
|
output_after += sk_write(ps->sub_socket, data.ptr, data.len);
|
|
|
|
|
bufchain_consume(&ps->pending_output_data, data.len);
|
2002-03-23 17:47:21 +00:00
|
|
|
}
|
2002-10-22 09:40:38 +00:00
|
|
|
|
|
|
|
|
/* if we managed to send any data, let the higher levels know. */
|
|
|
|
|
if (output_after < output_before)
|
2021-11-19 10:14:43 +00:00
|
|
|
plug_sent(ps->plug, output_after);
|
2002-03-23 17:47:21 +00:00
|
|
|
|
2011-09-13 11:44:03 +00:00
|
|
|
/* if we have a pending EOF to send, send it */
|
2021-11-19 10:14:43 +00:00
|
|
|
if (ps->pending_eof) sk_write_eof(ps->sub_socket);
|
2011-09-13 11:44:03 +00:00
|
|
|
|
2002-10-22 09:40:38 +00:00
|
|
|
/* if the backend wanted the socket unfrozen, try to unfreeze.
|
|
|
|
|
* our set_frozen handler will flush buffered receive data before
|
|
|
|
|
* unfreezing the actual underlying socket.
|
|
|
|
|
*/
|
2021-11-19 10:14:43 +00:00
|
|
|
if (!ps->freeze)
|
|
|
|
|
sk_set_frozen(&ps->sock, false);
|
2002-03-23 17:47:21 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* basic proxy socket functions */
|
|
|
|
|
|
Get rid of lots of implicit pointer types.
All the main backend structures - Ssh, Telnet, Pty, Serial etc - now
describe structure types themselves rather than pointers to them. The
same goes for the codebase-wide trait types Socket and Plug, and the
supporting types SockAddr and Pinger.
All those things that were typedefed as pointers are older types; the
newer ones have the explicit * at the point of use, because that's
what I now seem to be preferring. But whichever one of those is
better, inconsistently using a mixture of the two styles is worse, so
let's make everything consistent.
A few types are still implicitly pointers, such as Bignum and some of
the GSSAPI types; generally this is either because they have to be
void *, or because they're typedefed differently on different
platforms and aren't always pointers at all. Can't be helped. But I've
got rid of the main ones, at least.
2018-10-04 18:10:23 +00:00
|
|
|
static Plug *sk_proxy_plug (Socket *s, Plug *p)
|
2002-03-23 17:47:21 +00:00
|
|
|
{
|
2018-10-05 22:49:08 +00:00
|
|
|
ProxySocket *ps = container_of(s, ProxySocket, sock);
|
Get rid of lots of implicit pointer types.
All the main backend structures - Ssh, Telnet, Pty, Serial etc - now
describe structure types themselves rather than pointers to them. The
same goes for the codebase-wide trait types Socket and Plug, and the
supporting types SockAddr and Pinger.
All those things that were typedefed as pointers are older types; the
newer ones have the explicit * at the point of use, because that's
what I now seem to be preferring. But whichever one of those is
better, inconsistently using a mixture of the two styles is worse, so
let's make everything consistent.
A few types are still implicitly pointers, such as Bignum and some of
the GSSAPI types; generally this is either because they have to be
void *, or because they're typedefed differently on different
platforms and aren't always pointers at all. Can't be helped. But I've
got rid of the main ones, at least.
2018-10-04 18:10:23 +00:00
|
|
|
Plug *ret = ps->plug;
|
2002-03-23 17:47:21 +00:00
|
|
|
if (p)
|
2019-09-08 19:29:00 +00:00
|
|
|
ps->plug = p;
|
2002-03-23 17:47:21 +00:00
|
|
|
return ret;
|
|
|
|
|
}
|
|
|
|
|
|
Get rid of lots of implicit pointer types.
All the main backend structures - Ssh, Telnet, Pty, Serial etc - now
describe structure types themselves rather than pointers to them. The
same goes for the codebase-wide trait types Socket and Plug, and the
supporting types SockAddr and Pinger.
All those things that were typedefed as pointers are older types; the
newer ones have the explicit * at the point of use, because that's
what I now seem to be preferring. But whichever one of those is
better, inconsistently using a mixture of the two styles is worse, so
let's make everything consistent.
A few types are still implicitly pointers, such as Bignum and some of
the GSSAPI types; generally this is either because they have to be
void *, or because they're typedefed differently on different
platforms and aren't always pointers at all. Can't be helped. But I've
got rid of the main ones, at least.
2018-10-04 18:10:23 +00:00
|
|
|
static void sk_proxy_close (Socket *s)
|
2002-03-23 17:47:21 +00:00
|
|
|
{
|
2018-10-05 22:49:08 +00:00
|
|
|
ProxySocket *ps = container_of(s, ProxySocket, sock);
|
2002-03-23 17:47:21 +00:00
|
|
|
|
|
|
|
|
sk_close(ps->sub_socket);
|
2022-02-19 12:04:09 +00:00
|
|
|
sk_addr_free(ps->proxy_addr);
|
2003-08-07 16:04:33 +00:00
|
|
|
sk_addr_free(ps->remote_addr);
|
2021-11-19 11:05:14 +00:00
|
|
|
proxy_negotiator_cleanup(ps);
|
Reorganise proxy system into coroutines.
Previously, the proxy negotiation functions were written as explicit
state machines, with ps->state being manually set to a sequence of
positive integer values which would be tested by if statements in the
next call to the same negotiation function.
That's not how this code base likes to do things! We have a coroutine
system to allow those state machines to be implicit rather than
explicit, so that we can use ordinary control flow statements like
while loops. Reorganised each proxy negotiation function into a
coroutine-based system like that.
While I'm at it, I've also moved each proxy negotiator out into its
own source file, to make proxy.c less overcrowded and monolithic. And
_that_ gave me the opportunity to define each negotiator as an
implementation of a trait rather than as a single function - which
means now each one can define its own local variables and have its own
cleanup function, instead of all of them having to share the variables
inside the main ProxySocket struct.
In the new coroutine system, negotiators don't have to worry about the
mechanics of actually sending data down the underlying Socket any
more. The negotiator coroutine just appends to a bufchain (via a
provided bufchain_sink), and after every call to the coroutine,
central code in proxy.c transfers the data to the Socket itself. This
avoids a lot of intermediate allocations within the negotiators, which
previously kept having to make temporary strbufs or arrays in order to
have something to point an sk_write() at; now they can just put
formatted data directly into the output bufchain via the marshal.h
interface.
In this version of the code, I've also moved most of the SOCKS5 CHAP
implementation from cproxy.c into socks5.c, so that it can sit in the
same coroutine as the rest of the proxy negotiation control flow.
That's because calling a sub-coroutine (co-subroutine?) is awkward to
set up (though it is _possible_ - we do SSH-2 kex that way), and
there's no real need to bother in this case, since the only thing that
really needs to go in cproxy.c is the actual cryptography plus a flag
to tell socks5.c whether to offer CHAP authentication in the first
place.
2021-11-19 10:26:41 +00:00
|
|
|
bufchain_clear(&ps->output_from_negotiator);
|
2002-03-23 17:47:21 +00:00
|
|
|
sfree(ps);
|
|
|
|
|
}
|
|
|
|
|
|
2019-02-06 20:42:44 +00:00
|
|
|
static size_t sk_proxy_write (Socket *s, const void *data, size_t len)
|
2002-03-23 17:47:21 +00:00
|
|
|
{
|
2018-10-05 22:49:08 +00:00
|
|
|
ProxySocket *ps = container_of(s, ProxySocket, sock);
|
2002-03-23 17:47:21 +00:00
|
|
|
|
Reorganise proxy system into coroutines.
Previously, the proxy negotiation functions were written as explicit
state machines, with ps->state being manually set to a sequence of
positive integer values which would be tested by if statements in the
next call to the same negotiation function.
That's not how this code base likes to do things! We have a coroutine
system to allow those state machines to be implicit rather than
explicit, so that we can use ordinary control flow statements like
while loops. Reorganised each proxy negotiation function into a
coroutine-based system like that.
While I'm at it, I've also moved each proxy negotiator out into its
own source file, to make proxy.c less overcrowded and monolithic. And
_that_ gave me the opportunity to define each negotiator as an
implementation of a trait rather than as a single function - which
means now each one can define its own local variables and have its own
cleanup function, instead of all of them having to share the variables
inside the main ProxySocket struct.
In the new coroutine system, negotiators don't have to worry about the
mechanics of actually sending data down the underlying Socket any
more. The negotiator coroutine just appends to a bufchain (via a
provided bufchain_sink), and after every call to the coroutine,
central code in proxy.c transfers the data to the Socket itself. This
avoids a lot of intermediate allocations within the negotiators, which
previously kept having to make temporary strbufs or arrays in order to
have something to point an sk_write() at; now they can just put
formatted data directly into the output bufchain via the marshal.h
interface.
In this version of the code, I've also moved most of the SOCKS5 CHAP
implementation from cproxy.c into socks5.c, so that it can sit in the
same coroutine as the rest of the proxy negotiation control flow.
That's because calling a sub-coroutine (co-subroutine?) is awkward to
set up (though it is _possible_ - we do SSH-2 kex that way), and
there's no real need to bother in this case, since the only thing that
really needs to go in cproxy.c is the actual cryptography plus a flag
to tell socks5.c whether to offer CHAP authentication in the first
place.
2021-11-19 10:26:41 +00:00
|
|
|
if (ps->pn) {
|
2019-09-08 19:29:00 +00:00
|
|
|
bufchain_add(&ps->pending_output_data, data, len);
|
|
|
|
|
return bufchain_size(&ps->pending_output_data);
|
2002-03-23 17:47:21 +00:00
|
|
|
}
|
|
|
|
|
return sk_write(ps->sub_socket, data, len);
|
|
|
|
|
}
|
|
|
|
|
|
2019-02-06 20:42:44 +00:00
|
|
|
static size_t sk_proxy_write_oob (Socket *s, const void *data, size_t len)
|
2002-03-23 17:47:21 +00:00
|
|
|
{
|
2018-10-05 22:49:08 +00:00
|
|
|
ProxySocket *ps = container_of(s, ProxySocket, sock);
|
2002-03-23 17:47:21 +00:00
|
|
|
|
Reorganise proxy system into coroutines.
Previously, the proxy negotiation functions were written as explicit
state machines, with ps->state being manually set to a sequence of
positive integer values which would be tested by if statements in the
next call to the same negotiation function.
That's not how this code base likes to do things! We have a coroutine
system to allow those state machines to be implicit rather than
explicit, so that we can use ordinary control flow statements like
while loops. Reorganised each proxy negotiation function into a
coroutine-based system like that.
While I'm at it, I've also moved each proxy negotiator out into its
own source file, to make proxy.c less overcrowded and monolithic. And
_that_ gave me the opportunity to define each negotiator as an
implementation of a trait rather than as a single function - which
means now each one can define its own local variables and have its own
cleanup function, instead of all of them having to share the variables
inside the main ProxySocket struct.
In the new coroutine system, negotiators don't have to worry about the
mechanics of actually sending data down the underlying Socket any
more. The negotiator coroutine just appends to a bufchain (via a
provided bufchain_sink), and after every call to the coroutine,
central code in proxy.c transfers the data to the Socket itself. This
avoids a lot of intermediate allocations within the negotiators, which
previously kept having to make temporary strbufs or arrays in order to
have something to point an sk_write() at; now they can just put
formatted data directly into the output bufchain via the marshal.h
interface.
In this version of the code, I've also moved most of the SOCKS5 CHAP
implementation from cproxy.c into socks5.c, so that it can sit in the
same coroutine as the rest of the proxy negotiation control flow.
That's because calling a sub-coroutine (co-subroutine?) is awkward to
set up (though it is _possible_ - we do SSH-2 kex that way), and
there's no real need to bother in this case, since the only thing that
really needs to go in cproxy.c is the actual cryptography plus a flag
to tell socks5.c whether to offer CHAP authentication in the first
place.
2021-11-19 10:26:41 +00:00
|
|
|
if (ps->pn) {
|
2019-09-08 19:29:00 +00:00
|
|
|
bufchain_clear(&ps->pending_output_data);
|
|
|
|
|
bufchain_clear(&ps->pending_oob_output_data);
|
|
|
|
|
bufchain_add(&ps->pending_oob_output_data, data, len);
|
|
|
|
|
return len;
|
2002-03-23 17:47:21 +00:00
|
|
|
}
|
|
|
|
|
return sk_write_oob(ps->sub_socket, data, len);
|
|
|
|
|
}
|
|
|
|
|
|
Get rid of lots of implicit pointer types.
All the main backend structures - Ssh, Telnet, Pty, Serial etc - now
describe structure types themselves rather than pointers to them. The
same goes for the codebase-wide trait types Socket and Plug, and the
supporting types SockAddr and Pinger.
All those things that were typedefed as pointers are older types; the
newer ones have the explicit * at the point of use, because that's
what I now seem to be preferring. But whichever one of those is
better, inconsistently using a mixture of the two styles is worse, so
let's make everything consistent.
A few types are still implicitly pointers, such as Bignum and some of
the GSSAPI types; generally this is either because they have to be
void *, or because they're typedefed differently on different
platforms and aren't always pointers at all. Can't be helped. But I've
got rid of the main ones, at least.
2018-10-04 18:10:23 +00:00
|
|
|
static void sk_proxy_write_eof (Socket *s)
|
2011-09-13 11:44:03 +00:00
|
|
|
{
|
2018-10-05 22:49:08 +00:00
|
|
|
ProxySocket *ps = container_of(s, ProxySocket, sock);
|
2011-09-13 11:44:03 +00:00
|
|
|
|
Reorganise proxy system into coroutines.
Previously, the proxy negotiation functions were written as explicit
state machines, with ps->state being manually set to a sequence of
positive integer values which would be tested by if statements in the
next call to the same negotiation function.
That's not how this code base likes to do things! We have a coroutine
system to allow those state machines to be implicit rather than
explicit, so that we can use ordinary control flow statements like
while loops. Reorganised each proxy negotiation function into a
coroutine-based system like that.
While I'm at it, I've also moved each proxy negotiator out into its
own source file, to make proxy.c less overcrowded and monolithic. And
_that_ gave me the opportunity to define each negotiator as an
implementation of a trait rather than as a single function - which
means now each one can define its own local variables and have its own
cleanup function, instead of all of them having to share the variables
inside the main ProxySocket struct.
In the new coroutine system, negotiators don't have to worry about the
mechanics of actually sending data down the underlying Socket any
more. The negotiator coroutine just appends to a bufchain (via a
provided bufchain_sink), and after every call to the coroutine,
central code in proxy.c transfers the data to the Socket itself. This
avoids a lot of intermediate allocations within the negotiators, which
previously kept having to make temporary strbufs or arrays in order to
have something to point an sk_write() at; now they can just put
formatted data directly into the output bufchain via the marshal.h
interface.
In this version of the code, I've also moved most of the SOCKS5 CHAP
implementation from cproxy.c into socks5.c, so that it can sit in the
same coroutine as the rest of the proxy negotiation control flow.
That's because calling a sub-coroutine (co-subroutine?) is awkward to
set up (though it is _possible_ - we do SSH-2 kex that way), and
there's no real need to bother in this case, since the only thing that
really needs to go in cproxy.c is the actual cryptography plus a flag
to tell socks5.c whether to offer CHAP authentication in the first
place.
2021-11-19 10:26:41 +00:00
|
|
|
if (ps->pn) {
|
Convert a lot of 'int' variables to 'bool'.
My normal habit these days, in new code, is to treat int and bool as
_almost_ completely separate types. I'm still willing to use C's
implicit test for zero on an integer (e.g. 'if (!blob.len)' is fine,
no need to spell it out as blob.len != 0), but generally, if a
variable is going to be conceptually a boolean, I like to declare it
bool and assign to it using 'true' or 'false' rather than 0 or 1.
PuTTY is an exception, because it predates the C99 bool, and I've
stuck to its existing coding style even when adding new code to it.
But it's been annoying me more and more, so now that I've decided C99
bool is an acceptable thing to require from our toolchain in the first
place, here's a quite thorough trawl through the source doing
'boolification'. Many variables and function parameters are now typed
as bool rather than int; many assignments of 0 or 1 to those variables
are now spelled 'true' or 'false'.
I managed this thorough conversion with the help of a custom clang
plugin that I wrote to trawl the AST and apply heuristics to point out
where things might want changing. So I've even managed to do a decent
job on parts of the code I haven't looked at in years!
To make the plugin's work easier, I pushed platform front ends
generally in the direction of using standard 'bool' in preference to
platform-specific boolean types like Windows BOOL or GTK's gboolean;
I've left the platform booleans in places they _have_ to be for the
platform APIs to work right, but variables only used by my own code
have been converted wherever I found them.
In a few places there are int values that look very like booleans in
_most_ of the places they're used, but have a rarely-used third value,
or a distinction between different nonzero values that most users
don't care about. In these cases, I've _removed_ uses of 'true' and
'false' for the return values, to emphasise that there's something
more subtle going on than a simple boolean answer:
- the 'multisel' field in dialog.h's list box structure, for which
the GTK front end in particular recognises a difference between 1
and 2 but nearly everything else treats as boolean
- the 'urgent' parameter to plug_receive, where 1 vs 2 tells you
something about the specific location of the urgent pointer, but
most clients only care about 0 vs 'something nonzero'
- the return value of wc_match, where -1 indicates a syntax error in
the wildcard.
- the return values from SSH-1 RSA-key loading functions, which use
-1 for 'wrong passphrase' and 0 for all other failures (so any
caller which already knows it's not loading an _encrypted private_
key can treat them as boolean)
- term->esc_query, and the 'query' parameter in toggle_mode in
terminal.c, which _usually_ hold 0 for ESC[123h or 1 for ESC[?123h,
but can also hold -1 for some other intervening character that we
don't support.
In a few places there's an integer that I haven't turned into a bool
even though it really _can_ only take values 0 or 1 (and, as above,
tried to make the call sites consistent in not calling those values
true and false), on the grounds that I thought it would make it more
confusing to imply that the 0 value was in some sense 'negative' or
bad and the 1 positive or good:
- the return value of plug_accepting uses the POSIXish convention of
0=success and nonzero=error; I think if I made it bool then I'd
also want to reverse its sense, and that's a job for a separate
piece of work.
- the 'screen' parameter to lineptr() in terminal.c, where 0 and 1
represent the default and alternate screens. There's no obvious
reason why one of those should be considered 'true' or 'positive'
or 'success' - they're just indices - so I've left it as int.
ssh_scp_recv had particularly confusing semantics for its previous int
return value: its call sites used '<= 0' to check for error, but it
never actually returned a negative number, just 0 or 1. Now the
function and its call sites agree that it's a bool.
In a couple of places I've renamed variables called 'ret', because I
don't like that name any more - it's unclear whether it means the
return value (in preparation) for the _containing_ function or the
return value received from a subroutine call, and occasionally I've
accidentally used the same variable for both and introduced a bug. So
where one of those got in my way, I've renamed it to 'toret' or 'retd'
(the latter short for 'returned') in line with my usual modern
practice, but I haven't done a thorough job of finding all of them.
Finally, one amusing side effect of doing this is that I've had to
separate quite a few chained assignments. It used to be perfectly fine
to write 'a = b = c = TRUE' when a,b,c were int and TRUE was just a
the 'true' defined by stdbool.h, that idiom provokes a warning from
gcc: 'suggest parentheses around assignment used as truth value'!
2018-11-02 19:23:19 +00:00
|
|
|
ps->pending_eof = true;
|
2019-09-08 19:29:00 +00:00
|
|
|
return;
|
2011-09-13 11:44:03 +00:00
|
|
|
}
|
|
|
|
|
sk_write_eof(ps->sub_socket);
|
|
|
|
|
}
|
|
|
|
|
|
Convert a lot of 'int' variables to 'bool'.
My normal habit these days, in new code, is to treat int and bool as
_almost_ completely separate types. I'm still willing to use C's
implicit test for zero on an integer (e.g. 'if (!blob.len)' is fine,
no need to spell it out as blob.len != 0), but generally, if a
variable is going to be conceptually a boolean, I like to declare it
bool and assign to it using 'true' or 'false' rather than 0 or 1.
PuTTY is an exception, because it predates the C99 bool, and I've
stuck to its existing coding style even when adding new code to it.
But it's been annoying me more and more, so now that I've decided C99
bool is an acceptable thing to require from our toolchain in the first
place, here's a quite thorough trawl through the source doing
'boolification'. Many variables and function parameters are now typed
as bool rather than int; many assignments of 0 or 1 to those variables
are now spelled 'true' or 'false'.
I managed this thorough conversion with the help of a custom clang
plugin that I wrote to trawl the AST and apply heuristics to point out
where things might want changing. So I've even managed to do a decent
job on parts of the code I haven't looked at in years!
To make the plugin's work easier, I pushed platform front ends
generally in the direction of using standard 'bool' in preference to
platform-specific boolean types like Windows BOOL or GTK's gboolean;
I've left the platform booleans in places they _have_ to be for the
platform APIs to work right, but variables only used by my own code
have been converted wherever I found them.
In a few places there are int values that look very like booleans in
_most_ of the places they're used, but have a rarely-used third value,
or a distinction between different nonzero values that most users
don't care about. In these cases, I've _removed_ uses of 'true' and
'false' for the return values, to emphasise that there's something
more subtle going on than a simple boolean answer:
- the 'multisel' field in dialog.h's list box structure, for which
the GTK front end in particular recognises a difference between 1
and 2 but nearly everything else treats as boolean
- the 'urgent' parameter to plug_receive, where 1 vs 2 tells you
something about the specific location of the urgent pointer, but
most clients only care about 0 vs 'something nonzero'
- the return value of wc_match, where -1 indicates a syntax error in
the wildcard.
- the return values from SSH-1 RSA-key loading functions, which use
-1 for 'wrong passphrase' and 0 for all other failures (so any
caller which already knows it's not loading an _encrypted private_
key can treat them as boolean)
- term->esc_query, and the 'query' parameter in toggle_mode in
terminal.c, which _usually_ hold 0 for ESC[123h or 1 for ESC[?123h,
but can also hold -1 for some other intervening character that we
don't support.
In a few places there's an integer that I haven't turned into a bool
even though it really _can_ only take values 0 or 1 (and, as above,
tried to make the call sites consistent in not calling those values
true and false), on the grounds that I thought it would make it more
confusing to imply that the 0 value was in some sense 'negative' or
bad and the 1 positive or good:
- the return value of plug_accepting uses the POSIXish convention of
0=success and nonzero=error; I think if I made it bool then I'd
also want to reverse its sense, and that's a job for a separate
piece of work.
- the 'screen' parameter to lineptr() in terminal.c, where 0 and 1
represent the default and alternate screens. There's no obvious
reason why one of those should be considered 'true' or 'positive'
or 'success' - they're just indices - so I've left it as int.
ssh_scp_recv had particularly confusing semantics for its previous int
return value: its call sites used '<= 0' to check for error, but it
never actually returned a negative number, just 0 or 1. Now the
function and its call sites agree that it's a bool.
In a couple of places I've renamed variables called 'ret', because I
don't like that name any more - it's unclear whether it means the
return value (in preparation) for the _containing_ function or the
return value received from a subroutine call, and occasionally I've
accidentally used the same variable for both and introduced a bug. So
where one of those got in my way, I've renamed it to 'toret' or 'retd'
(the latter short for 'returned') in line with my usual modern
practice, but I haven't done a thorough job of finding all of them.
Finally, one amusing side effect of doing this is that I've had to
separate quite a few chained assignments. It used to be perfectly fine
to write 'a = b = c = TRUE' when a,b,c were int and TRUE was just a
the 'true' defined by stdbool.h, that idiom provokes a warning from
gcc: 'suggest parentheses around assignment used as truth value'!
2018-11-02 19:23:19 +00:00
|
|
|
static void sk_proxy_set_frozen (Socket *s, bool is_frozen)
|
2002-03-23 17:47:21 +00:00
|
|
|
{
|
2018-10-05 22:49:08 +00:00
|
|
|
ProxySocket *ps = container_of(s, ProxySocket, sock);
|
2002-03-23 17:47:21 +00:00
|
|
|
|
Reorganise proxy system into coroutines.
Previously, the proxy negotiation functions were written as explicit
state machines, with ps->state being manually set to a sequence of
positive integer values which would be tested by if statements in the
next call to the same negotiation function.
That's not how this code base likes to do things! We have a coroutine
system to allow those state machines to be implicit rather than
explicit, so that we can use ordinary control flow statements like
while loops. Reorganised each proxy negotiation function into a
coroutine-based system like that.
While I'm at it, I've also moved each proxy negotiator out into its
own source file, to make proxy.c less overcrowded and monolithic. And
_that_ gave me the opportunity to define each negotiator as an
implementation of a trait rather than as a single function - which
means now each one can define its own local variables and have its own
cleanup function, instead of all of them having to share the variables
inside the main ProxySocket struct.
In the new coroutine system, negotiators don't have to worry about the
mechanics of actually sending data down the underlying Socket any
more. The negotiator coroutine just appends to a bufchain (via a
provided bufchain_sink), and after every call to the coroutine,
central code in proxy.c transfers the data to the Socket itself. This
avoids a lot of intermediate allocations within the negotiators, which
previously kept having to make temporary strbufs or arrays in order to
have something to point an sk_write() at; now they can just put
formatted data directly into the output bufchain via the marshal.h
interface.
In this version of the code, I've also moved most of the SOCKS5 CHAP
implementation from cproxy.c into socks5.c, so that it can sit in the
same coroutine as the rest of the proxy negotiation control flow.
That's because calling a sub-coroutine (co-subroutine?) is awkward to
set up (though it is _possible_ - we do SSH-2 kex that way), and
there's no real need to bother in this case, since the only thing that
really needs to go in cproxy.c is the actual cryptography plus a flag
to tell socks5.c whether to offer CHAP authentication in the first
place.
2021-11-19 10:26:41 +00:00
|
|
|
if (ps->pn) {
|
2019-09-08 19:29:00 +00:00
|
|
|
ps->freeze = is_frozen;
|
|
|
|
|
return;
|
2002-03-23 17:47:21 +00:00
|
|
|
}
|
2019-09-08 19:29:00 +00:00
|
|
|
|
2002-10-22 09:40:38 +00:00
|
|
|
/* handle any remaining buffered recv data first */
|
|
|
|
|
if (bufchain_size(&ps->pending_input_data) > 0) {
|
2019-09-08 19:29:00 +00:00
|
|
|
ps->freeze = is_frozen;
|
2002-10-22 09:40:38 +00:00
|
|
|
|
2019-09-08 19:29:00 +00:00
|
|
|
/* loop while we still have buffered data, and while we are
|
|
|
|
|
* unfrozen. the plug_receive call in the loop could result
|
|
|
|
|
* in a call back into this function refreezing the socket,
|
|
|
|
|
* so we have to check each time.
|
|
|
|
|
*/
|
2002-10-22 09:40:38 +00:00
|
|
|
while (!ps->freeze && bufchain_size(&ps->pending_input_data) > 0) {
|
2019-09-08 19:29:00 +00:00
|
|
|
char databuf[512];
|
|
|
|
|
ptrlen data = bufchain_prefix(&ps->pending_input_data);
|
|
|
|
|
if (data.len > lenof(databuf))
|
|
|
|
|
data.len = lenof(databuf);
|
|
|
|
|
memcpy(databuf, data.ptr, data.len);
|
|
|
|
|
bufchain_consume(&ps->pending_input_data, data.len);
|
|
|
|
|
plug_receive(ps->plug, 0, databuf, data.len);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* if we're still frozen, we'll have to wait for another
|
|
|
|
|
* call from the backend to finish unbuffering the data.
|
|
|
|
|
*/
|
|
|
|
|
if (ps->freeze) return;
|
2002-10-22 09:40:38 +00:00
|
|
|
}
|
2019-09-08 19:29:00 +00:00
|
|
|
|
2002-03-23 17:47:21 +00:00
|
|
|
sk_set_frozen(ps->sub_socket, is_frozen);
|
|
|
|
|
}
|
|
|
|
|
|
2022-08-03 19:48:46 +00:00
|
|
|
static const char *sk_proxy_socket_error (Socket *s)
|
2002-03-23 17:47:21 +00:00
|
|
|
{
|
2018-10-05 22:49:08 +00:00
|
|
|
ProxySocket *ps = container_of(s, ProxySocket, sock);
|
2002-03-23 17:47:21 +00:00
|
|
|
if (ps->error != NULL || ps->sub_socket == NULL) {
|
2019-09-08 19:29:00 +00:00
|
|
|
return ps->error;
|
2002-03-23 17:47:21 +00:00
|
|
|
}
|
|
|
|
|
return sk_socket_error(ps->sub_socket);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* basic proxy plug functions */
|
|
|
|
|
|
2024-06-26 07:29:39 +00:00
|
|
|
static void plug_proxy_log(Plug *plug, Socket *s, PlugLogType type,
|
|
|
|
|
SockAddr *addr, int port,
|
|
|
|
|
const char *error_msg, int error_code)
|
2005-01-16 14:29:34 +00:00
|
|
|
{
|
2018-10-05 22:49:08 +00:00
|
|
|
ProxySocket *ps = container_of(plug, ProxySocket, plugimpl);
|
2005-01-16 14:29:34 +00:00
|
|
|
|
2024-06-26 07:29:39 +00:00
|
|
|
plug_log(ps->plug, &ps->sock, type, addr, port, error_msg, error_code);
|
2005-01-16 14:29:34 +00:00
|
|
|
}
|
|
|
|
|
|
New API for plug_closing() with a custom type enum.
Passing an operating-system-specific error code to plug_closing(),
such as errno or GetLastError(), was always a bit weird, given that it
generally had to be handled by cross-platform receiving code in
backends. I had the platform.h implementations #define any error
values that the cross-platform code would have to handle specially,
but that's still not a great system, because it also doesn't leave
freedom to invent error representations of my own that don't
correspond to any OS code. (For example, the ones I just removed from
proxy.h.)
So now, the OS error code is gone from the plug_closing API, and in
its place is a custom enumeration of closure types: normal, error, and
the special case BROKEN_PIPE which is the only OS error code we have
so far needed to handle specially. (All others just mean 'abandon the
connection and print the textual message'.)
Having already centralised the handling of OS error codes in the
previous commit, we've now got a convenient place to add any further
type codes for errors needing special handling: each of Unix
plug_closing_errno(), Windows plug_closing_system_error(), and Windows
plug_closing_winsock_error() can easily grow extra special cases if
need be, and each one will only have to live in one place.
2021-11-06 13:28:32 +00:00
|
|
|
static void plug_proxy_closing(Plug *p, PlugCloseType type,
|
|
|
|
|
const char *error_msg)
|
2002-03-23 17:47:21 +00:00
|
|
|
{
|
2018-10-05 22:49:08 +00:00
|
|
|
ProxySocket *ps = container_of(p, ProxySocket, plugimpl);
|
2002-03-23 17:47:21 +00:00
|
|
|
|
2021-11-19 11:05:14 +00:00
|
|
|
proxy_negotiator_cleanup(ps);
|
2021-11-19 10:42:20 +00:00
|
|
|
plug_closing(ps->plug, type, error_msg);
|
2002-03-23 17:47:21 +00:00
|
|
|
}
|
|
|
|
|
|
Reorganise proxy system into coroutines.
Previously, the proxy negotiation functions were written as explicit
state machines, with ps->state being manually set to a sequence of
positive integer values which would be tested by if statements in the
next call to the same negotiation function.
That's not how this code base likes to do things! We have a coroutine
system to allow those state machines to be implicit rather than
explicit, so that we can use ordinary control flow statements like
while loops. Reorganised each proxy negotiation function into a
coroutine-based system like that.
While I'm at it, I've also moved each proxy negotiator out into its
own source file, to make proxy.c less overcrowded and monolithic. And
_that_ gave me the opportunity to define each negotiator as an
implementation of a trait rather than as a single function - which
means now each one can define its own local variables and have its own
cleanup function, instead of all of them having to share the variables
inside the main ProxySocket struct.
In the new coroutine system, negotiators don't have to worry about the
mechanics of actually sending data down the underlying Socket any
more. The negotiator coroutine just appends to a bufchain (via a
provided bufchain_sink), and after every call to the coroutine,
central code in proxy.c transfers the data to the Socket itself. This
avoids a lot of intermediate allocations within the negotiators, which
previously kept having to make temporary strbufs or arrays in order to
have something to point an sk_write() at; now they can just put
formatted data directly into the output bufchain via the marshal.h
interface.
In this version of the code, I've also moved most of the SOCKS5 CHAP
implementation from cproxy.c into socks5.c, so that it can sit in the
same coroutine as the rest of the proxy negotiation control flow.
That's because calling a sub-coroutine (co-subroutine?) is awkward to
set up (though it is _possible_ - we do SSH-2 kex that way), and
there's no real need to bother in this case, since the only thing that
really needs to go in cproxy.c is the actual cryptography plus a flag
to tell socks5.c whether to offer CHAP authentication in the first
place.
2021-11-19 10:26:41 +00:00
|
|
|
static void proxy_negotiate(ProxySocket *ps)
|
|
|
|
|
{
|
|
|
|
|
assert(ps->pn);
|
|
|
|
|
proxy_negotiator_process_queue(ps->pn);
|
2021-11-19 16:36:29 +00:00
|
|
|
|
|
|
|
|
if (ps->pn->error) {
|
Reorganise proxy system into coroutines.
Previously, the proxy negotiation functions were written as explicit
state machines, with ps->state being manually set to a sequence of
positive integer values which would be tested by if statements in the
next call to the same negotiation function.
That's not how this code base likes to do things! We have a coroutine
system to allow those state machines to be implicit rather than
explicit, so that we can use ordinary control flow statements like
while loops. Reorganised each proxy negotiation function into a
coroutine-based system like that.
While I'm at it, I've also moved each proxy negotiator out into its
own source file, to make proxy.c less overcrowded and monolithic. And
_that_ gave me the opportunity to define each negotiator as an
implementation of a trait rather than as a single function - which
means now each one can define its own local variables and have its own
cleanup function, instead of all of them having to share the variables
inside the main ProxySocket struct.
In the new coroutine system, negotiators don't have to worry about the
mechanics of actually sending data down the underlying Socket any
more. The negotiator coroutine just appends to a bufchain (via a
provided bufchain_sink), and after every call to the coroutine,
central code in proxy.c transfers the data to the Socket itself. This
avoids a lot of intermediate allocations within the negotiators, which
previously kept having to make temporary strbufs or arrays in order to
have something to point an sk_write() at; now they can just put
formatted data directly into the output bufchain via the marshal.h
interface.
In this version of the code, I've also moved most of the SOCKS5 CHAP
implementation from cproxy.c into socks5.c, so that it can sit in the
same coroutine as the rest of the proxy negotiation control flow.
That's because calling a sub-coroutine (co-subroutine?) is awkward to
set up (though it is _possible_ - we do SSH-2 kex that way), and
there's no real need to bother in this case, since the only thing that
really needs to go in cproxy.c is the actual cryptography plus a flag
to tell socks5.c whether to offer CHAP authentication in the first
place.
2021-11-19 10:26:41 +00:00
|
|
|
char *err = dupprintf("Proxy error: %s", ps->pn->error);
|
|
|
|
|
sfree(ps->pn->error);
|
2021-11-19 11:05:14 +00:00
|
|
|
proxy_negotiator_cleanup(ps);
|
Reorganise proxy system into coroutines.
Previously, the proxy negotiation functions were written as explicit
state machines, with ps->state being manually set to a sequence of
positive integer values which would be tested by if statements in the
next call to the same negotiation function.
That's not how this code base likes to do things! We have a coroutine
system to allow those state machines to be implicit rather than
explicit, so that we can use ordinary control flow statements like
while loops. Reorganised each proxy negotiation function into a
coroutine-based system like that.
While I'm at it, I've also moved each proxy negotiator out into its
own source file, to make proxy.c less overcrowded and monolithic. And
_that_ gave me the opportunity to define each negotiator as an
implementation of a trait rather than as a single function - which
means now each one can define its own local variables and have its own
cleanup function, instead of all of them having to share the variables
inside the main ProxySocket struct.
In the new coroutine system, negotiators don't have to worry about the
mechanics of actually sending data down the underlying Socket any
more. The negotiator coroutine just appends to a bufchain (via a
provided bufchain_sink), and after every call to the coroutine,
central code in proxy.c transfers the data to the Socket itself. This
avoids a lot of intermediate allocations within the negotiators, which
previously kept having to make temporary strbufs or arrays in order to
have something to point an sk_write() at; now they can just put
formatted data directly into the output bufchain via the marshal.h
interface.
In this version of the code, I've also moved most of the SOCKS5 CHAP
implementation from cproxy.c into socks5.c, so that it can sit in the
same coroutine as the rest of the proxy negotiation control flow.
That's because calling a sub-coroutine (co-subroutine?) is awkward to
set up (though it is _possible_ - we do SSH-2 kex that way), and
there's no real need to bother in this case, since the only thing that
really needs to go in cproxy.c is the actual cryptography plus a flag
to tell socks5.c whether to offer CHAP authentication in the first
place.
2021-11-19 10:26:41 +00:00
|
|
|
plug_closing_error(ps->plug, err);
|
|
|
|
|
sfree(err);
|
2021-11-19 16:36:29 +00:00
|
|
|
return;
|
2021-11-19 11:05:14 +00:00
|
|
|
} else if (ps->pn->aborted) {
|
|
|
|
|
proxy_negotiator_cleanup(ps);
|
|
|
|
|
plug_closing_user_abort(ps->plug);
|
2021-11-19 16:36:29 +00:00
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
|
2022-02-19 12:04:09 +00:00
|
|
|
if (ps->pn->reconnect) {
|
|
|
|
|
sk_close(ps->sub_socket);
|
|
|
|
|
SockAddr *proxy_addr = sk_addr_dup(ps->proxy_addr);
|
|
|
|
|
ps->sub_socket = sk_new(proxy_addr, ps->proxy_port,
|
|
|
|
|
ps->proxy_privport, ps->proxy_oobinline,
|
|
|
|
|
ps->proxy_nodelay, ps->proxy_keepalive,
|
|
|
|
|
&ps->plugimpl);
|
|
|
|
|
ps->pn->reconnect = false;
|
Proxy: discard buffered input data on reconnection.
When talking to a web proxy which requires a password, our HTTP proxy
code sends an initial attempt to connect without authentication,
receives the 407 status indicating that authentication was required
(and which kind), and then closes and reopens the connection (if given
"Connection: close"). Then, on the next attempt, we try again with
authentication, and expect the first thing in the input bufchain to be
the HTTP status response to the revised request.
But what happened about the error document that followed those HTTP
headers? It - or at least some of it - would already have been in the
input bufchain.
With an HTTP/1.1 proxy, we already read it and discarded it (either
via a Content-length header or chunked transfer encoding), before we
set the 'reconnect' flag. So, assuming the proxy HTTP server is
behaving sensibly, our input bufchain ought to be empty at the point
when we start the fresh connection.
But if the proxy only speaks HTTP/1.0 (which does still happen -
'tinyproxy' is a still-current example), then we didn't get a
Content-length header either, so we didn't run any of the code that
skips over the error document. (And HTTP/1.0 implicitly has
"Connection: close" semantics, which is why that doesn't matter.) As a
result, some of it would still be in the input bufchain, and never got
cleared out, and we'd try to parse _that_ as if it was the HTTP
response from the second network connection.
The simple solution is that when we close and reopen the proxy network
connection, we also clear the input bufchain, so that the fresh
connection starts from a clean slate.
2022-05-18 11:41:44 +00:00
|
|
|
/* If the negotiator has asked us to reconnect, they are
|
|
|
|
|
* expecting that on the next call their input queue will
|
|
|
|
|
* consist entirely of data from the _new_ connection, without
|
|
|
|
|
* any remaining data buffered from the old one. (If they'd
|
|
|
|
|
* wanted the latter, they could have read it out of the input
|
|
|
|
|
* queue before asking us to close the connection.) */
|
|
|
|
|
bufchain_clear(&ps->pending_input_data);
|
2022-02-19 12:04:09 +00:00
|
|
|
}
|
|
|
|
|
|
2021-11-19 16:36:29 +00:00
|
|
|
while (bufchain_size(&ps->output_from_negotiator)) {
|
|
|
|
|
ptrlen data = bufchain_prefix(&ps->output_from_negotiator);
|
|
|
|
|
sk_write(ps->sub_socket, data.ptr, data.len);
|
|
|
|
|
bufchain_consume(&ps->output_from_negotiator, data.len);
|
Reorganise proxy system into coroutines.
Previously, the proxy negotiation functions were written as explicit
state machines, with ps->state being manually set to a sequence of
positive integer values which would be tested by if statements in the
next call to the same negotiation function.
That's not how this code base likes to do things! We have a coroutine
system to allow those state machines to be implicit rather than
explicit, so that we can use ordinary control flow statements like
while loops. Reorganised each proxy negotiation function into a
coroutine-based system like that.
While I'm at it, I've also moved each proxy negotiator out into its
own source file, to make proxy.c less overcrowded and monolithic. And
_that_ gave me the opportunity to define each negotiator as an
implementation of a trait rather than as a single function - which
means now each one can define its own local variables and have its own
cleanup function, instead of all of them having to share the variables
inside the main ProxySocket struct.
In the new coroutine system, negotiators don't have to worry about the
mechanics of actually sending data down the underlying Socket any
more. The negotiator coroutine just appends to a bufchain (via a
provided bufchain_sink), and after every call to the coroutine,
central code in proxy.c transfers the data to the Socket itself. This
avoids a lot of intermediate allocations within the negotiators, which
previously kept having to make temporary strbufs or arrays in order to
have something to point an sk_write() at; now they can just put
formatted data directly into the output bufchain via the marshal.h
interface.
In this version of the code, I've also moved most of the SOCKS5 CHAP
implementation from cproxy.c into socks5.c, so that it can sit in the
same coroutine as the rest of the proxy negotiation control flow.
That's because calling a sub-coroutine (co-subroutine?) is awkward to
set up (though it is _possible_ - we do SSH-2 kex that way), and
there's no real need to bother in this case, since the only thing that
really needs to go in cproxy.c is the actual cryptography plus a flag
to tell socks5.c whether to offer CHAP authentication in the first
place.
2021-11-19 10:26:41 +00:00
|
|
|
}
|
2021-11-19 16:36:29 +00:00
|
|
|
if (ps->pn->done)
|
|
|
|
|
proxy_activate(ps);
|
Reorganise proxy system into coroutines.
Previously, the proxy negotiation functions were written as explicit
state machines, with ps->state being manually set to a sequence of
positive integer values which would be tested by if statements in the
next call to the same negotiation function.
That's not how this code base likes to do things! We have a coroutine
system to allow those state machines to be implicit rather than
explicit, so that we can use ordinary control flow statements like
while loops. Reorganised each proxy negotiation function into a
coroutine-based system like that.
While I'm at it, I've also moved each proxy negotiator out into its
own source file, to make proxy.c less overcrowded and monolithic. And
_that_ gave me the opportunity to define each negotiator as an
implementation of a trait rather than as a single function - which
means now each one can define its own local variables and have its own
cleanup function, instead of all of them having to share the variables
inside the main ProxySocket struct.
In the new coroutine system, negotiators don't have to worry about the
mechanics of actually sending data down the underlying Socket any
more. The negotiator coroutine just appends to a bufchain (via a
provided bufchain_sink), and after every call to the coroutine,
central code in proxy.c transfers the data to the Socket itself. This
avoids a lot of intermediate allocations within the negotiators, which
previously kept having to make temporary strbufs or arrays in order to
have something to point an sk_write() at; now they can just put
formatted data directly into the output bufchain via the marshal.h
interface.
In this version of the code, I've also moved most of the SOCKS5 CHAP
implementation from cproxy.c into socks5.c, so that it can sit in the
same coroutine as the rest of the proxy negotiation control flow.
That's because calling a sub-coroutine (co-subroutine?) is awkward to
set up (though it is _possible_ - we do SSH-2 kex that way), and
there's no real need to bother in this case, since the only thing that
really needs to go in cproxy.c is the actual cryptography plus a flag
to tell socks5.c whether to offer CHAP authentication in the first
place.
2021-11-19 10:26:41 +00:00
|
|
|
}
|
|
|
|
|
|
2019-02-06 20:42:44 +00:00
|
|
|
static void plug_proxy_receive(
|
|
|
|
|
Plug *p, int urgent, const char *data, size_t len)
|
2002-03-23 17:47:21 +00:00
|
|
|
{
|
2018-10-05 22:49:08 +00:00
|
|
|
ProxySocket *ps = container_of(p, ProxySocket, plugimpl);
|
2002-03-23 17:47:21 +00:00
|
|
|
|
Reorganise proxy system into coroutines.
Previously, the proxy negotiation functions were written as explicit
state machines, with ps->state being manually set to a sequence of
positive integer values which would be tested by if statements in the
next call to the same negotiation function.
That's not how this code base likes to do things! We have a coroutine
system to allow those state machines to be implicit rather than
explicit, so that we can use ordinary control flow statements like
while loops. Reorganised each proxy negotiation function into a
coroutine-based system like that.
While I'm at it, I've also moved each proxy negotiator out into its
own source file, to make proxy.c less overcrowded and monolithic. And
_that_ gave me the opportunity to define each negotiator as an
implementation of a trait rather than as a single function - which
means now each one can define its own local variables and have its own
cleanup function, instead of all of them having to share the variables
inside the main ProxySocket struct.
In the new coroutine system, negotiators don't have to worry about the
mechanics of actually sending data down the underlying Socket any
more. The negotiator coroutine just appends to a bufchain (via a
provided bufchain_sink), and after every call to the coroutine,
central code in proxy.c transfers the data to the Socket itself. This
avoids a lot of intermediate allocations within the negotiators, which
previously kept having to make temporary strbufs or arrays in order to
have something to point an sk_write() at; now they can just put
formatted data directly into the output bufchain via the marshal.h
interface.
In this version of the code, I've also moved most of the SOCKS5 CHAP
implementation from cproxy.c into socks5.c, so that it can sit in the
same coroutine as the rest of the proxy negotiation control flow.
That's because calling a sub-coroutine (co-subroutine?) is awkward to
set up (though it is _possible_ - we do SSH-2 kex that way), and
there's no real need to bother in this case, since the only thing that
really needs to go in cproxy.c is the actual cryptography plus a flag
to tell socks5.c whether to offer CHAP authentication in the first
place.
2021-11-19 10:26:41 +00:00
|
|
|
if (ps->pn) {
|
2019-09-08 19:29:00 +00:00
|
|
|
/* we will lose the urgentness of this data, but since most,
|
|
|
|
|
* if not all, of this data will be consumed by the negotiation
|
|
|
|
|
* process, hopefully it won't affect the protocol above us
|
|
|
|
|
*/
|
|
|
|
|
bufchain_add(&ps->pending_input_data, data, len);
|
Reorganise proxy system into coroutines.
Previously, the proxy negotiation functions were written as explicit
state machines, with ps->state being manually set to a sequence of
positive integer values which would be tested by if statements in the
next call to the same negotiation function.
That's not how this code base likes to do things! We have a coroutine
system to allow those state machines to be implicit rather than
explicit, so that we can use ordinary control flow statements like
while loops. Reorganised each proxy negotiation function into a
coroutine-based system like that.
While I'm at it, I've also moved each proxy negotiator out into its
own source file, to make proxy.c less overcrowded and monolithic. And
_that_ gave me the opportunity to define each negotiator as an
implementation of a trait rather than as a single function - which
means now each one can define its own local variables and have its own
cleanup function, instead of all of them having to share the variables
inside the main ProxySocket struct.
In the new coroutine system, negotiators don't have to worry about the
mechanics of actually sending data down the underlying Socket any
more. The negotiator coroutine just appends to a bufchain (via a
provided bufchain_sink), and after every call to the coroutine,
central code in proxy.c transfers the data to the Socket itself. This
avoids a lot of intermediate allocations within the negotiators, which
previously kept having to make temporary strbufs or arrays in order to
have something to point an sk_write() at; now they can just put
formatted data directly into the output bufchain via the marshal.h
interface.
In this version of the code, I've also moved most of the SOCKS5 CHAP
implementation from cproxy.c into socks5.c, so that it can sit in the
same coroutine as the rest of the proxy negotiation control flow.
That's because calling a sub-coroutine (co-subroutine?) is awkward to
set up (though it is _possible_ - we do SSH-2 kex that way), and
there's no real need to bother in this case, since the only thing that
really needs to go in cproxy.c is the actual cryptography plus a flag
to tell socks5.c whether to offer CHAP authentication in the first
place.
2021-11-19 10:26:41 +00:00
|
|
|
proxy_negotiate(ps);
|
2016-06-02 22:03:24 +00:00
|
|
|
} else {
|
|
|
|
|
plug_receive(ps->plug, urgent, data, len);
|
2002-03-23 17:47:21 +00:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2019-02-06 20:42:44 +00:00
|
|
|
static void plug_proxy_sent (Plug *p, size_t bufsize)
|
2002-03-23 17:47:21 +00:00
|
|
|
{
|
2018-10-05 22:49:08 +00:00
|
|
|
ProxySocket *ps = container_of(p, ProxySocket, plugimpl);
|
2002-03-23 17:47:21 +00:00
|
|
|
|
Reorganise proxy system into coroutines.
Previously, the proxy negotiation functions were written as explicit
state machines, with ps->state being manually set to a sequence of
positive integer values which would be tested by if statements in the
next call to the same negotiation function.
That's not how this code base likes to do things! We have a coroutine
system to allow those state machines to be implicit rather than
explicit, so that we can use ordinary control flow statements like
while loops. Reorganised each proxy negotiation function into a
coroutine-based system like that.
While I'm at it, I've also moved each proxy negotiator out into its
own source file, to make proxy.c less overcrowded and monolithic. And
_that_ gave me the opportunity to define each negotiator as an
implementation of a trait rather than as a single function - which
means now each one can define its own local variables and have its own
cleanup function, instead of all of them having to share the variables
inside the main ProxySocket struct.
In the new coroutine system, negotiators don't have to worry about the
mechanics of actually sending data down the underlying Socket any
more. The negotiator coroutine just appends to a bufchain (via a
provided bufchain_sink), and after every call to the coroutine,
central code in proxy.c transfers the data to the Socket itself. This
avoids a lot of intermediate allocations within the negotiators, which
previously kept having to make temporary strbufs or arrays in order to
have something to point an sk_write() at; now they can just put
formatted data directly into the output bufchain via the marshal.h
interface.
In this version of the code, I've also moved most of the SOCKS5 CHAP
implementation from cproxy.c into socks5.c, so that it can sit in the
same coroutine as the rest of the proxy negotiation control flow.
That's because calling a sub-coroutine (co-subroutine?) is awkward to
set up (though it is _possible_ - we do SSH-2 kex that way), and
there's no real need to bother in this case, since the only thing that
really needs to go in cproxy.c is the actual cryptography plus a flag
to tell socks5.c whether to offer CHAP authentication in the first
place.
2021-11-19 10:26:41 +00:00
|
|
|
if (ps->pn)
|
2019-09-08 19:29:00 +00:00
|
|
|
return;
|
2002-03-23 17:47:21 +00:00
|
|
|
plug_sent(ps->plug, bufsize);
|
|
|
|
|
}
|
|
|
|
|
|
Get rid of lots of implicit pointer types.
All the main backend structures - Ssh, Telnet, Pty, Serial etc - now
describe structure types themselves rather than pointers to them. The
same goes for the codebase-wide trait types Socket and Plug, and the
supporting types SockAddr and Pinger.
All those things that were typedefed as pointers are older types; the
newer ones have the explicit * at the point of use, because that's
what I now seem to be preferring. But whichever one of those is
better, inconsistently using a mixture of the two styles is worse, so
let's make everything consistent.
A few types are still implicitly pointers, such as Bignum and some of
the GSSAPI types; generally this is either because they have to be
void *, or because they're typedefed differently on different
platforms and aren't always pointers at all. Can't be helped. But I've
got rid of the main ones, at least.
2018-10-04 18:10:23 +00:00
|
|
|
static int plug_proxy_accepting(Plug *p,
|
2013-11-17 14:03:55 +00:00
|
|
|
accept_fn_t constructor, accept_ctx_t ctx)
|
2002-03-23 17:47:21 +00:00
|
|
|
{
|
2021-11-19 10:42:20 +00:00
|
|
|
unreachable("ProxySockets never create listening Sockets");
|
2002-03-23 17:47:21 +00:00
|
|
|
}
|
|
|
|
|
|
2002-12-18 16:23:11 +00:00
|
|
|
/*
|
|
|
|
|
* This function can accept a NULL pointer as `addr', in which case
|
|
|
|
|
* it will only check the host name.
|
|
|
|
|
*/
|
2019-07-28 10:38:40 +00:00
|
|
|
static bool proxy_for_destination(SockAddr *addr, const char *hostname,
|
|
|
|
|
int port, Conf *conf)
|
2002-03-23 17:47:21 +00:00
|
|
|
{
|
|
|
|
|
int s = 0, e = 0;
|
|
|
|
|
char hostip[64];
|
|
|
|
|
int hostip_len, hostname_len;
|
2003-01-12 15:26:10 +00:00
|
|
|
const char *exclude_list;
|
2002-03-23 17:47:21 +00:00
|
|
|
|
2012-10-16 20:15:51 +00:00
|
|
|
/*
|
|
|
|
|
* Special local connections such as Unix-domain sockets
|
|
|
|
|
* unconditionally cannot be proxied, even in proxy-localhost
|
|
|
|
|
* mode. There just isn't any way to ask any known proxy type for
|
|
|
|
|
* them.
|
|
|
|
|
*/
|
|
|
|
|
if (addr && sk_address_is_special_local(addr))
|
Convert a lot of 'int' variables to 'bool'.
My normal habit these days, in new code, is to treat int and bool as
_almost_ completely separate types. I'm still willing to use C's
implicit test for zero on an integer (e.g. 'if (!blob.len)' is fine,
no need to spell it out as blob.len != 0), but generally, if a
variable is going to be conceptually a boolean, I like to declare it
bool and assign to it using 'true' or 'false' rather than 0 or 1.
PuTTY is an exception, because it predates the C99 bool, and I've
stuck to its existing coding style even when adding new code to it.
But it's been annoying me more and more, so now that I've decided C99
bool is an acceptable thing to require from our toolchain in the first
place, here's a quite thorough trawl through the source doing
'boolification'. Many variables and function parameters are now typed
as bool rather than int; many assignments of 0 or 1 to those variables
are now spelled 'true' or 'false'.
I managed this thorough conversion with the help of a custom clang
plugin that I wrote to trawl the AST and apply heuristics to point out
where things might want changing. So I've even managed to do a decent
job on parts of the code I haven't looked at in years!
To make the plugin's work easier, I pushed platform front ends
generally in the direction of using standard 'bool' in preference to
platform-specific boolean types like Windows BOOL or GTK's gboolean;
I've left the platform booleans in places they _have_ to be for the
platform APIs to work right, but variables only used by my own code
have been converted wherever I found them.
In a few places there are int values that look very like booleans in
_most_ of the places they're used, but have a rarely-used third value,
or a distinction between different nonzero values that most users
don't care about. In these cases, I've _removed_ uses of 'true' and
'false' for the return values, to emphasise that there's something
more subtle going on than a simple boolean answer:
- the 'multisel' field in dialog.h's list box structure, for which
the GTK front end in particular recognises a difference between 1
and 2 but nearly everything else treats as boolean
- the 'urgent' parameter to plug_receive, where 1 vs 2 tells you
something about the specific location of the urgent pointer, but
most clients only care about 0 vs 'something nonzero'
- the return value of wc_match, where -1 indicates a syntax error in
the wildcard.
- the return values from SSH-1 RSA-key loading functions, which use
-1 for 'wrong passphrase' and 0 for all other failures (so any
caller which already knows it's not loading an _encrypted private_
key can treat them as boolean)
- term->esc_query, and the 'query' parameter in toggle_mode in
terminal.c, which _usually_ hold 0 for ESC[123h or 1 for ESC[?123h,
but can also hold -1 for some other intervening character that we
don't support.
In a few places there's an integer that I haven't turned into a bool
even though it really _can_ only take values 0 or 1 (and, as above,
tried to make the call sites consistent in not calling those values
true and false), on the grounds that I thought it would make it more
confusing to imply that the 0 value was in some sense 'negative' or
bad and the 1 positive or good:
- the return value of plug_accepting uses the POSIXish convention of
0=success and nonzero=error; I think if I made it bool then I'd
also want to reverse its sense, and that's a job for a separate
piece of work.
- the 'screen' parameter to lineptr() in terminal.c, where 0 and 1
represent the default and alternate screens. There's no obvious
reason why one of those should be considered 'true' or 'positive'
or 'success' - they're just indices - so I've left it as int.
ssh_scp_recv had particularly confusing semantics for its previous int
return value: its call sites used '<= 0' to check for error, but it
never actually returned a negative number, just 0 or 1. Now the
function and its call sites agree that it's a bool.
In a couple of places I've renamed variables called 'ret', because I
don't like that name any more - it's unclear whether it means the
return value (in preparation) for the _containing_ function or the
return value received from a subroutine call, and occasionally I've
accidentally used the same variable for both and introduced a bug. So
where one of those got in my way, I've renamed it to 'toret' or 'retd'
(the latter short for 'returned') in line with my usual modern
practice, but I haven't done a thorough job of finding all of them.
Finally, one amusing side effect of doing this is that I've had to
separate quite a few chained assignments. It used to be perfectly fine
to write 'a = b = c = TRUE' when a,b,c were int and TRUE was just a
the 'true' defined by stdbool.h, that idiom provokes a warning from
gcc: 'suggest parentheses around assignment used as truth value'!
2018-11-02 19:23:19 +00:00
|
|
|
return false; /* do not proxy */
|
2012-10-16 20:15:51 +00:00
|
|
|
|
2002-12-18 12:18:54 +00:00
|
|
|
/*
|
|
|
|
|
* Check the host name and IP against the hard-coded
|
|
|
|
|
* representations of `localhost'.
|
|
|
|
|
*/
|
2018-10-29 19:57:31 +00:00
|
|
|
if (!conf_get_bool(conf, CONF_even_proxy_localhost) &&
|
2019-09-08 19:29:00 +00:00
|
|
|
(sk_hostname_is_local(hostname) ||
|
|
|
|
|
(addr && sk_address_is_local(addr))))
|
|
|
|
|
return false; /* do not proxy */
|
2002-12-18 12:18:54 +00:00
|
|
|
|
2002-03-23 17:47:21 +00:00
|
|
|
/* we want a string representation of the IP address for comparisons */
|
2002-12-18 16:23:11 +00:00
|
|
|
if (addr) {
|
2019-09-08 19:29:00 +00:00
|
|
|
sk_getaddr(addr, hostip, 64);
|
|
|
|
|
hostip_len = strlen(hostip);
|
2003-04-23 13:48:09 +00:00
|
|
|
} else
|
2019-09-08 19:29:00 +00:00
|
|
|
hostip_len = 0; /* placate gcc; shouldn't be required */
|
2002-03-23 17:47:21 +00:00
|
|
|
|
|
|
|
|
hostname_len = strlen(hostname);
|
|
|
|
|
|
Post-release destabilisation! Completely remove the struct type
'Config' in putty.h, which stores all PuTTY's settings and includes an
arbitrary length limit on every single one of those settings which is
stored in string form. In place of it is 'Conf', an opaque data type
everywhere outside the new file conf.c, which stores a list of (key,
value) pairs in which every key contains an integer identifying a
configuration setting, and for some of those integers the key also
contains extra parts (so that, for instance, CONF_environmt is a
string-to-string mapping). Everywhere that a Config was previously
used, a Conf is now; everywhere there was a Config structure copy,
conf_copy() is called; every lookup, adjustment, load and save
operation on a Config has been rewritten; and there's a mechanism for
serialising a Conf into a binary blob and back for use with Duplicate
Session.
User-visible effects of this change _should_ be minimal, though I
don't doubt I've introduced one or two bugs here and there which will
eventually be found. The _intended_ visible effects of this change are
that all arbitrary limits on configuration strings and lists (e.g.
limit on number of port forwardings) should now disappear; that list
boxes in the configuration will now be displayed in a sorted order
rather than the arbitrary order in which they were added to the list
(since the underlying data structure is now a sorted tree234 rather
than an ad-hoc comma-separated string); and one more specific change,
which is that local and dynamic port forwardings on the same port
number are now mutually exclusive in the configuration (putting 'D' in
the key rather than the value was a mistake in the first place).
One other reorganisation as a result of this is that I've moved all
the dialog.c standard handlers (dlg_stdeditbox_handler and friends)
out into config.c, because I can't really justify calling them generic
any more. When they took a pointer to an arbitrary structure type and
the offset of a field within that structure, they were independent of
whether that structure was a Config or something completely different,
but now they really do expect to talk to a Conf, which can _only_ be
used for PuTTY configuration, so I've renamed them all things like
conf_editbox_handler and moved them out of the nominally independent
dialog-box management module into the PuTTY-specific config.c.
[originally from svn r9214]
2011-07-14 18:52:21 +00:00
|
|
|
exclude_list = conf_get_str(conf, CONF_proxy_exclude_list);
|
2002-03-23 17:47:21 +00:00
|
|
|
|
|
|
|
|
/* now parse the exclude list, and see if either our IP
|
|
|
|
|
* or hostname matches anything in it.
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
while (exclude_list[s]) {
|
2019-09-08 19:29:00 +00:00
|
|
|
while (exclude_list[s] &&
|
|
|
|
|
(isspace((unsigned char)exclude_list[s]) ||
|
|
|
|
|
exclude_list[s] == ',')) s++;
|
2002-03-23 17:47:21 +00:00
|
|
|
|
2019-09-08 19:29:00 +00:00
|
|
|
if (!exclude_list[s]) break;
|
2002-03-23 17:47:21 +00:00
|
|
|
|
2019-09-08 19:29:00 +00:00
|
|
|
e = s;
|
2002-03-23 17:47:21 +00:00
|
|
|
|
2019-09-08 19:29:00 +00:00
|
|
|
while (exclude_list[e] &&
|
|
|
|
|
(isalnum((unsigned char)exclude_list[e]) ||
|
|
|
|
|
exclude_list[e] == '-' ||
|
|
|
|
|
exclude_list[e] == '.' ||
|
|
|
|
|
exclude_list[e] == '*')) e++;
|
2002-03-23 17:47:21 +00:00
|
|
|
|
2019-09-08 19:29:00 +00:00
|
|
|
if (exclude_list[s] == '*') {
|
|
|
|
|
/* wildcard at beginning of entry */
|
2002-03-23 17:47:21 +00:00
|
|
|
|
2019-09-08 19:29:00 +00:00
|
|
|
if ((addr && strnicmp(hostip + hostip_len - (e - s - 1),
|
|
|
|
|
exclude_list + s + 1, e - s - 1) == 0) ||
|
|
|
|
|
strnicmp(hostname + hostname_len - (e - s - 1),
|
Convert a lot of 'int' variables to 'bool'.
My normal habit these days, in new code, is to treat int and bool as
_almost_ completely separate types. I'm still willing to use C's
implicit test for zero on an integer (e.g. 'if (!blob.len)' is fine,
no need to spell it out as blob.len != 0), but generally, if a
variable is going to be conceptually a boolean, I like to declare it
bool and assign to it using 'true' or 'false' rather than 0 or 1.
PuTTY is an exception, because it predates the C99 bool, and I've
stuck to its existing coding style even when adding new code to it.
But it's been annoying me more and more, so now that I've decided C99
bool is an acceptable thing to require from our toolchain in the first
place, here's a quite thorough trawl through the source doing
'boolification'. Many variables and function parameters are now typed
as bool rather than int; many assignments of 0 or 1 to those variables
are now spelled 'true' or 'false'.
I managed this thorough conversion with the help of a custom clang
plugin that I wrote to trawl the AST and apply heuristics to point out
where things might want changing. So I've even managed to do a decent
job on parts of the code I haven't looked at in years!
To make the plugin's work easier, I pushed platform front ends
generally in the direction of using standard 'bool' in preference to
platform-specific boolean types like Windows BOOL or GTK's gboolean;
I've left the platform booleans in places they _have_ to be for the
platform APIs to work right, but variables only used by my own code
have been converted wherever I found them.
In a few places there are int values that look very like booleans in
_most_ of the places they're used, but have a rarely-used third value,
or a distinction between different nonzero values that most users
don't care about. In these cases, I've _removed_ uses of 'true' and
'false' for the return values, to emphasise that there's something
more subtle going on than a simple boolean answer:
- the 'multisel' field in dialog.h's list box structure, for which
the GTK front end in particular recognises a difference between 1
and 2 but nearly everything else treats as boolean
- the 'urgent' parameter to plug_receive, where 1 vs 2 tells you
something about the specific location of the urgent pointer, but
most clients only care about 0 vs 'something nonzero'
- the return value of wc_match, where -1 indicates a syntax error in
the wildcard.
- the return values from SSH-1 RSA-key loading functions, which use
-1 for 'wrong passphrase' and 0 for all other failures (so any
caller which already knows it's not loading an _encrypted private_
key can treat them as boolean)
- term->esc_query, and the 'query' parameter in toggle_mode in
terminal.c, which _usually_ hold 0 for ESC[123h or 1 for ESC[?123h,
but can also hold -1 for some other intervening character that we
don't support.
In a few places there's an integer that I haven't turned into a bool
even though it really _can_ only take values 0 or 1 (and, as above,
tried to make the call sites consistent in not calling those values
true and false), on the grounds that I thought it would make it more
confusing to imply that the 0 value was in some sense 'negative' or
bad and the 1 positive or good:
- the return value of plug_accepting uses the POSIXish convention of
0=success and nonzero=error; I think if I made it bool then I'd
also want to reverse its sense, and that's a job for a separate
piece of work.
- the 'screen' parameter to lineptr() in terminal.c, where 0 and 1
represent the default and alternate screens. There's no obvious
reason why one of those should be considered 'true' or 'positive'
or 'success' - they're just indices - so I've left it as int.
ssh_scp_recv had particularly confusing semantics for its previous int
return value: its call sites used '<= 0' to check for error, but it
never actually returned a negative number, just 0 or 1. Now the
function and its call sites agree that it's a bool.
In a couple of places I've renamed variables called 'ret', because I
don't like that name any more - it's unclear whether it means the
return value (in preparation) for the _containing_ function or the
return value received from a subroutine call, and occasionally I've
accidentally used the same variable for both and introduced a bug. So
where one of those got in my way, I've renamed it to 'toret' or 'retd'
(the latter short for 'returned') in line with my usual modern
practice, but I haven't done a thorough job of finding all of them.
Finally, one amusing side effect of doing this is that I've had to
separate quite a few chained assignments. It used to be perfectly fine
to write 'a = b = c = TRUE' when a,b,c were int and TRUE was just a
the 'true' defined by stdbool.h, that idiom provokes a warning from
gcc: 'suggest parentheses around assignment used as truth value'!
2018-11-02 19:23:19 +00:00
|
|
|
exclude_list + s + 1, e - s - 1) == 0) {
|
|
|
|
|
/* IP/hostname range excluded. do not use proxy. */
|
|
|
|
|
return false;
|
|
|
|
|
}
|
2019-09-08 19:29:00 +00:00
|
|
|
} else if (exclude_list[e-1] == '*') {
|
|
|
|
|
/* wildcard at end of entry */
|
2002-03-23 17:47:21 +00:00
|
|
|
|
2019-09-08 19:29:00 +00:00
|
|
|
if ((addr && strnicmp(hostip, exclude_list + s, e - s - 1) == 0) ||
|
Convert a lot of 'int' variables to 'bool'.
My normal habit these days, in new code, is to treat int and bool as
_almost_ completely separate types. I'm still willing to use C's
implicit test for zero on an integer (e.g. 'if (!blob.len)' is fine,
no need to spell it out as blob.len != 0), but generally, if a
variable is going to be conceptually a boolean, I like to declare it
bool and assign to it using 'true' or 'false' rather than 0 or 1.
PuTTY is an exception, because it predates the C99 bool, and I've
stuck to its existing coding style even when adding new code to it.
But it's been annoying me more and more, so now that I've decided C99
bool is an acceptable thing to require from our toolchain in the first
place, here's a quite thorough trawl through the source doing
'boolification'. Many variables and function parameters are now typed
as bool rather than int; many assignments of 0 or 1 to those variables
are now spelled 'true' or 'false'.
I managed this thorough conversion with the help of a custom clang
plugin that I wrote to trawl the AST and apply heuristics to point out
where things might want changing. So I've even managed to do a decent
job on parts of the code I haven't looked at in years!
To make the plugin's work easier, I pushed platform front ends
generally in the direction of using standard 'bool' in preference to
platform-specific boolean types like Windows BOOL or GTK's gboolean;
I've left the platform booleans in places they _have_ to be for the
platform APIs to work right, but variables only used by my own code
have been converted wherever I found them.
In a few places there are int values that look very like booleans in
_most_ of the places they're used, but have a rarely-used third value,
or a distinction between different nonzero values that most users
don't care about. In these cases, I've _removed_ uses of 'true' and
'false' for the return values, to emphasise that there's something
more subtle going on than a simple boolean answer:
- the 'multisel' field in dialog.h's list box structure, for which
the GTK front end in particular recognises a difference between 1
and 2 but nearly everything else treats as boolean
- the 'urgent' parameter to plug_receive, where 1 vs 2 tells you
something about the specific location of the urgent pointer, but
most clients only care about 0 vs 'something nonzero'
- the return value of wc_match, where -1 indicates a syntax error in
the wildcard.
- the return values from SSH-1 RSA-key loading functions, which use
-1 for 'wrong passphrase' and 0 for all other failures (so any
caller which already knows it's not loading an _encrypted private_
key can treat them as boolean)
- term->esc_query, and the 'query' parameter in toggle_mode in
terminal.c, which _usually_ hold 0 for ESC[123h or 1 for ESC[?123h,
but can also hold -1 for some other intervening character that we
don't support.
In a few places there's an integer that I haven't turned into a bool
even though it really _can_ only take values 0 or 1 (and, as above,
tried to make the call sites consistent in not calling those values
true and false), on the grounds that I thought it would make it more
confusing to imply that the 0 value was in some sense 'negative' or
bad and the 1 positive or good:
- the return value of plug_accepting uses the POSIXish convention of
0=success and nonzero=error; I think if I made it bool then I'd
also want to reverse its sense, and that's a job for a separate
piece of work.
- the 'screen' parameter to lineptr() in terminal.c, where 0 and 1
represent the default and alternate screens. There's no obvious
reason why one of those should be considered 'true' or 'positive'
or 'success' - they're just indices - so I've left it as int.
ssh_scp_recv had particularly confusing semantics for its previous int
return value: its call sites used '<= 0' to check for error, but it
never actually returned a negative number, just 0 or 1. Now the
function and its call sites agree that it's a bool.
In a couple of places I've renamed variables called 'ret', because I
don't like that name any more - it's unclear whether it means the
return value (in preparation) for the _containing_ function or the
return value received from a subroutine call, and occasionally I've
accidentally used the same variable for both and introduced a bug. So
where one of those got in my way, I've renamed it to 'toret' or 'retd'
(the latter short for 'returned') in line with my usual modern
practice, but I haven't done a thorough job of finding all of them.
Finally, one amusing side effect of doing this is that I've had to
separate quite a few chained assignments. It used to be perfectly fine
to write 'a = b = c = TRUE' when a,b,c were int and TRUE was just a
the 'true' defined by stdbool.h, that idiom provokes a warning from
gcc: 'suggest parentheses around assignment used as truth value'!
2018-11-02 19:23:19 +00:00
|
|
|
strnicmp(hostname, exclude_list + s, e - s - 1) == 0) {
|
|
|
|
|
/* IP/hostname range excluded. do not use proxy. */
|
|
|
|
|
return false;
|
|
|
|
|
}
|
2019-09-08 19:29:00 +00:00
|
|
|
} else {
|
|
|
|
|
/* no wildcard at either end, so let's try an absolute
|
|
|
|
|
* match (ie. a specific IP)
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
if (addr && strnicmp(hostip, exclude_list + s, e - s) == 0)
|
|
|
|
|
return false; /* IP/hostname excluded. do not use proxy. */
|
|
|
|
|
if (strnicmp(hostname, exclude_list + s, e - s) == 0)
|
|
|
|
|
return false; /* IP/hostname excluded. do not use proxy. */
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
s = e;
|
|
|
|
|
|
|
|
|
|
/* Make sure we really have reached the next comma or end-of-string */
|
|
|
|
|
while (exclude_list[s] &&
|
|
|
|
|
!isspace((unsigned char)exclude_list[s]) &&
|
|
|
|
|
exclude_list[s] != ',') s++;
|
2002-03-23 17:47:21 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* no matches in the exclude list, so use the proxy */
|
Convert a lot of 'int' variables to 'bool'.
My normal habit these days, in new code, is to treat int and bool as
_almost_ completely separate types. I'm still willing to use C's
implicit test for zero on an integer (e.g. 'if (!blob.len)' is fine,
no need to spell it out as blob.len != 0), but generally, if a
variable is going to be conceptually a boolean, I like to declare it
bool and assign to it using 'true' or 'false' rather than 0 or 1.
PuTTY is an exception, because it predates the C99 bool, and I've
stuck to its existing coding style even when adding new code to it.
But it's been annoying me more and more, so now that I've decided C99
bool is an acceptable thing to require from our toolchain in the first
place, here's a quite thorough trawl through the source doing
'boolification'. Many variables and function parameters are now typed
as bool rather than int; many assignments of 0 or 1 to those variables
are now spelled 'true' or 'false'.
I managed this thorough conversion with the help of a custom clang
plugin that I wrote to trawl the AST and apply heuristics to point out
where things might want changing. So I've even managed to do a decent
job on parts of the code I haven't looked at in years!
To make the plugin's work easier, I pushed platform front ends
generally in the direction of using standard 'bool' in preference to
platform-specific boolean types like Windows BOOL or GTK's gboolean;
I've left the platform booleans in places they _have_ to be for the
platform APIs to work right, but variables only used by my own code
have been converted wherever I found them.
In a few places there are int values that look very like booleans in
_most_ of the places they're used, but have a rarely-used third value,
or a distinction between different nonzero values that most users
don't care about. In these cases, I've _removed_ uses of 'true' and
'false' for the return values, to emphasise that there's something
more subtle going on than a simple boolean answer:
- the 'multisel' field in dialog.h's list box structure, for which
the GTK front end in particular recognises a difference between 1
and 2 but nearly everything else treats as boolean
- the 'urgent' parameter to plug_receive, where 1 vs 2 tells you
something about the specific location of the urgent pointer, but
most clients only care about 0 vs 'something nonzero'
- the return value of wc_match, where -1 indicates a syntax error in
the wildcard.
- the return values from SSH-1 RSA-key loading functions, which use
-1 for 'wrong passphrase' and 0 for all other failures (so any
caller which already knows it's not loading an _encrypted private_
key can treat them as boolean)
- term->esc_query, and the 'query' parameter in toggle_mode in
terminal.c, which _usually_ hold 0 for ESC[123h or 1 for ESC[?123h,
but can also hold -1 for some other intervening character that we
don't support.
In a few places there's an integer that I haven't turned into a bool
even though it really _can_ only take values 0 or 1 (and, as above,
tried to make the call sites consistent in not calling those values
true and false), on the grounds that I thought it would make it more
confusing to imply that the 0 value was in some sense 'negative' or
bad and the 1 positive or good:
- the return value of plug_accepting uses the POSIXish convention of
0=success and nonzero=error; I think if I made it bool then I'd
also want to reverse its sense, and that's a job for a separate
piece of work.
- the 'screen' parameter to lineptr() in terminal.c, where 0 and 1
represent the default and alternate screens. There's no obvious
reason why one of those should be considered 'true' or 'positive'
or 'success' - they're just indices - so I've left it as int.
ssh_scp_recv had particularly confusing semantics for its previous int
return value: its call sites used '<= 0' to check for error, but it
never actually returned a negative number, just 0 or 1. Now the
function and its call sites agree that it's a bool.
In a couple of places I've renamed variables called 'ret', because I
don't like that name any more - it's unclear whether it means the
return value (in preparation) for the _containing_ function or the
return value received from a subroutine call, and occasionally I've
accidentally used the same variable for both and introduced a bug. So
where one of those got in my way, I've renamed it to 'toret' or 'retd'
(the latter short for 'returned') in line with my usual modern
practice, but I haven't done a thorough job of finding all of them.
Finally, one amusing side effect of doing this is that I've had to
separate quite a few chained assignments. It used to be perfectly fine
to write 'a = b = c = TRUE' when a,b,c were int and TRUE was just a
the 'true' defined by stdbool.h, that idiom provokes a warning from
gcc: 'suggest parentheses around assignment used as truth value'!
2018-11-02 19:23:19 +00:00
|
|
|
return true;
|
2002-03-23 17:47:21 +00:00
|
|
|
}
|
|
|
|
|
|
2015-11-22 12:15:52 +00:00
|
|
|
static char *dns_log_msg(const char *host, int addressfamily,
|
|
|
|
|
const char *reason)
|
|
|
|
|
{
|
|
|
|
|
return dupprintf("Looking up host \"%s\"%s for %s", host,
|
|
|
|
|
(addressfamily == ADDRTYPE_IPV4 ? " (IPv4)" :
|
|
|
|
|
addressfamily == ADDRTYPE_IPV6 ? " (IPv6)" :
|
|
|
|
|
""), reason);
|
|
|
|
|
}
|
|
|
|
|
|
Get rid of lots of implicit pointer types.
All the main backend structures - Ssh, Telnet, Pty, Serial etc - now
describe structure types themselves rather than pointers to them. The
same goes for the codebase-wide trait types Socket and Plug, and the
supporting types SockAddr and Pinger.
All those things that were typedefed as pointers are older types; the
newer ones have the explicit * at the point of use, because that's
what I now seem to be preferring. But whichever one of those is
better, inconsistently using a mixture of the two styles is worse, so
let's make everything consistent.
A few types are still implicitly pointers, such as Bignum and some of
the GSSAPI types; generally this is either because they have to be
void *, or because they're typedefed differently on different
platforms and aren't always pointers at all. Can't be helped. But I've
got rid of the main ones, at least.
2018-10-04 18:10:23 +00:00
|
|
|
SockAddr *name_lookup(const char *host, int port, char **canonicalname,
|
2022-08-03 19:48:46 +00:00
|
|
|
Conf *conf, int addressfamily, LogContext *logctx,
|
|
|
|
|
const char *reason)
|
2002-12-18 16:23:11 +00:00
|
|
|
{
|
Post-release destabilisation! Completely remove the struct type
'Config' in putty.h, which stores all PuTTY's settings and includes an
arbitrary length limit on every single one of those settings which is
stored in string form. In place of it is 'Conf', an opaque data type
everywhere outside the new file conf.c, which stores a list of (key,
value) pairs in which every key contains an integer identifying a
configuration setting, and for some of those integers the key also
contains extra parts (so that, for instance, CONF_environmt is a
string-to-string mapping). Everywhere that a Config was previously
used, a Conf is now; everywhere there was a Config structure copy,
conf_copy() is called; every lookup, adjustment, load and save
operation on a Config has been rewritten; and there's a mechanism for
serialising a Conf into a binary blob and back for use with Duplicate
Session.
User-visible effects of this change _should_ be minimal, though I
don't doubt I've introduced one or two bugs here and there which will
eventually be found. The _intended_ visible effects of this change are
that all arbitrary limits on configuration strings and lists (e.g.
limit on number of port forwardings) should now disappear; that list
boxes in the configuration will now be displayed in a sorted order
rather than the arbitrary order in which they were added to the list
(since the underlying data structure is now a sorted tree234 rather
than an ad-hoc comma-separated string); and one more specific change,
which is that local and dynamic port forwardings on the same port
number are now mutually exclusive in the configuration (putting 'D' in
the key rather than the value was a mistake in the first place).
One other reorganisation as a result of this is that I've moved all
the dialog.c standard handlers (dlg_stdeditbox_handler and friends)
out into config.c, because I can't really justify calling them generic
any more. When they took a pointer to an arbitrary structure type and
the offset of a field within that structure, they were independent of
whether that structure was a Config or something completely different,
but now they really do expect to talk to a Conf, which can _only_ be
used for PuTTY configuration, so I've renamed them all things like
conf_editbox_handler and moved them out of the nominally independent
dialog-box management module into the PuTTY-specific config.c.
[originally from svn r9214]
2011-07-14 18:52:21 +00:00
|
|
|
if (conf_get_int(conf, CONF_proxy_type) != PROXY_NONE &&
|
2019-09-08 19:29:00 +00:00
|
|
|
do_proxy_dns(conf) &&
|
|
|
|
|
proxy_for_destination(NULL, host, port, conf)) {
|
2015-11-22 09:58:14 +00:00
|
|
|
|
Refactor the LogContext type.
LogContext is now the owner of the logevent() function that back ends
and so forth are constantly calling. Previously, logevent was owned by
the Frontend, which would store the message into its list for the GUI
Event Log dialog (or print it to standard error, or whatever) and then
pass it _back_ to LogContext to write to the currently open log file.
Now it's the other way round: LogContext gets the message from the
back end first, writes it to its log file if it feels so inclined, and
communicates it back to the front end.
This means that lots of parts of the back end system no longer need to
have a pointer to a full-on Frontend; the only thing they needed it
for was logging, so now they just have a LogContext (which many of
them had to have anyway, e.g. for logging SSH packets or session
traffic).
LogContext itself also doesn't get a full Frontend pointer any more:
it now talks back to the front end via a little vtable of its own
called LogPolicy, which contains the method that passes Event Log
entries through, the old askappend() function that decides whether to
truncate a pre-existing log file, and an emergency function for
printing an especially prominent message if the log file can't be
created. One minor nice effect of this is that console and GUI apps
can implement that last function subtly differently, so that Unix
console apps can write it with a plain \n instead of the \r\n
(harmless but inelegant) that the old centralised implementation
generated.
One other consequence of this is that the LogContext has to be
provided to backend_init() so that it's available to backends from the
instant of creation, rather than being provided via a separate API
call a couple of function calls later, because backends have typically
started doing things that need logging (like making network
connections) before the call to backend_provide_logctx. Fortunately,
there's no case in the whole code base where we don't already have
logctx by the time we make a backend (so I don't actually remember why
I ever delayed providing one). So that shortens the backend API by one
function, which is always nice.
While I'm tidying up, I've also moved the printf-style logeventf() and
the handy logevent_and_free() into logging.c, instead of having copies
of them scattered around other places. This has also let me remove
some stub functions from a couple of outlying applications like
Pageant. Finally, I've removed the pointless "_tag" at the end of
LogContext's official struct name.
2018-10-10 18:26:18 +00:00
|
|
|
if (logctx)
|
|
|
|
|
logeventf(logctx, "Leaving host lookup to proxy of \"%s\""
|
|
|
|
|
" (for %s)", host, reason);
|
2015-11-22 09:58:14 +00:00
|
|
|
|
2019-09-08 19:29:00 +00:00
|
|
|
*canonicalname = dupstr(host);
|
|
|
|
|
return sk_nonamelookup(host);
|
2015-11-22 09:58:14 +00:00
|
|
|
} else {
|
Refactor the LogContext type.
LogContext is now the owner of the logevent() function that back ends
and so forth are constantly calling. Previously, logevent was owned by
the Frontend, which would store the message into its list for the GUI
Event Log dialog (or print it to standard error, or whatever) and then
pass it _back_ to LogContext to write to the currently open log file.
Now it's the other way round: LogContext gets the message from the
back end first, writes it to its log file if it feels so inclined, and
communicates it back to the front end.
This means that lots of parts of the back end system no longer need to
have a pointer to a full-on Frontend; the only thing they needed it
for was logging, so now they just have a LogContext (which many of
them had to have anyway, e.g. for logging SSH packets or session
traffic).
LogContext itself also doesn't get a full Frontend pointer any more:
it now talks back to the front end via a little vtable of its own
called LogPolicy, which contains the method that passes Event Log
entries through, the old askappend() function that decides whether to
truncate a pre-existing log file, and an emergency function for
printing an especially prominent message if the log file can't be
created. One minor nice effect of this is that console and GUI apps
can implement that last function subtly differently, so that Unix
console apps can write it with a plain \n instead of the \r\n
(harmless but inelegant) that the old centralised implementation
generated.
One other consequence of this is that the LogContext has to be
provided to backend_init() so that it's available to backends from the
instant of creation, rather than being provided via a separate API
call a couple of function calls later, because backends have typically
started doing things that need logging (like making network
connections) before the call to backend_provide_logctx. Fortunately,
there's no case in the whole code base where we don't already have
logctx by the time we make a backend (so I don't actually remember why
I ever delayed providing one). So that shortens the backend API by one
function, which is always nice.
While I'm tidying up, I've also moved the printf-style logeventf() and
the handy logevent_and_free() into logging.c, instead of having copies
of them scattered around other places. This has also let me remove
some stub functions from a couple of outlying applications like
Pageant. Finally, I've removed the pointless "_tag" at the end of
LogContext's official struct name.
2018-10-10 18:26:18 +00:00
|
|
|
if (logctx)
|
|
|
|
|
logevent_and_free(
|
|
|
|
|
logctx, dns_log_msg(host, addressfamily, reason));
|
2015-11-22 09:58:14 +00:00
|
|
|
|
|
|
|
|
return sk_namelookup(host, canonicalname, addressfamily);
|
2002-12-18 16:23:11 +00:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2024-06-26 05:47:53 +00:00
|
|
|
static SocketEndpointInfo *sk_proxy_endpoint_info(Socket *s, bool peer)
|
|
|
|
|
{
|
|
|
|
|
ProxySocket *ps = container_of(s, ProxySocket, sock);
|
|
|
|
|
|
|
|
|
|
/* We can't reliably find out where we ended up connecting _to_:
|
|
|
|
|
* that's at the far end of the proxy, and might be anything. */
|
|
|
|
|
if (peer)
|
|
|
|
|
return NULL;
|
|
|
|
|
|
|
|
|
|
/* But we can at least tell where we're coming _from_. */
|
|
|
|
|
return sk_endpoint_info(ps->sub_socket, false);
|
|
|
|
|
}
|
|
|
|
|
|
Change vtable defs to use C99 designated initialisers.
This is a sweeping change applied across the whole code base by a spot
of Emacs Lisp. Now, everywhere I declare a vtable filled with function
pointers (and the occasional const data member), all the members of
the vtable structure are initialised by name using the '.fieldname =
value' syntax introduced in C99.
We were already using this syntax for a handful of things in the new
key-generation progress report system, so it's not new to the code
base as a whole.
The advantage is that now, when a vtable only declares a subset of the
available fields, I can initialise the rest to NULL or zero just by
leaving them out. This is most dramatic in a couple of the outlying
vtables in things like psocks (which has a ConnectionLayerVtable
containing only one non-NULL method), but less dramatically, it means
that the new 'flags' field in BackendVtable can be completely left out
of every backend definition except for the SUPDUP one which defines it
to a nonzero value. Similarly, the test_for_upstream method only used
by SSH doesn't have to be mentioned in the rest of the backends;
network Plugs for listening sockets don't have to explicitly null out
'receive' and 'sent', and vice versa for 'accepting', and so on.
While I'm at it, I've normalised the declarations so they don't use
the unnecessarily verbose 'struct' keyword. Also a handful of them
weren't const; now they are.
2020-03-10 21:06:29 +00:00
|
|
|
static const SocketVtable ProxySocket_sockvt = {
|
|
|
|
|
.plug = sk_proxy_plug,
|
|
|
|
|
.close = sk_proxy_close,
|
|
|
|
|
.write = sk_proxy_write,
|
|
|
|
|
.write_oob = sk_proxy_write_oob,
|
|
|
|
|
.write_eof = sk_proxy_write_eof,
|
|
|
|
|
.set_frozen = sk_proxy_set_frozen,
|
|
|
|
|
.socket_error = sk_proxy_socket_error,
|
2024-06-26 05:47:53 +00:00
|
|
|
.endpoint_info = sk_proxy_endpoint_info,
|
2018-05-27 08:29:33 +00:00
|
|
|
};
|
|
|
|
|
|
Change vtable defs to use C99 designated initialisers.
This is a sweeping change applied across the whole code base by a spot
of Emacs Lisp. Now, everywhere I declare a vtable filled with function
pointers (and the occasional const data member), all the members of
the vtable structure are initialised by name using the '.fieldname =
value' syntax introduced in C99.
We were already using this syntax for a handful of things in the new
key-generation progress report system, so it's not new to the code
base as a whole.
The advantage is that now, when a vtable only declares a subset of the
available fields, I can initialise the rest to NULL or zero just by
leaving them out. This is most dramatic in a couple of the outlying
vtables in things like psocks (which has a ConnectionLayerVtable
containing only one non-NULL method), but less dramatically, it means
that the new 'flags' field in BackendVtable can be completely left out
of every backend definition except for the SUPDUP one which defines it
to a nonzero value. Similarly, the test_for_upstream method only used
by SSH doesn't have to be mentioned in the rest of the backends;
network Plugs for listening sockets don't have to explicitly null out
'receive' and 'sent', and vice versa for 'accepting', and so on.
While I'm at it, I've normalised the declarations so they don't use
the unnecessarily verbose 'struct' keyword. Also a handful of them
weren't const; now they are.
2020-03-10 21:06:29 +00:00
|
|
|
static const PlugVtable ProxySocket_plugvt = {
|
|
|
|
|
.log = plug_proxy_log,
|
|
|
|
|
.closing = plug_proxy_closing,
|
|
|
|
|
.receive = plug_proxy_receive,
|
|
|
|
|
.sent = plug_proxy_sent,
|
|
|
|
|
.accepting = plug_proxy_accepting
|
2018-05-27 08:29:33 +00:00
|
|
|
};
|
|
|
|
|
|
2021-11-19 11:05:14 +00:00
|
|
|
static char *proxy_description(Interactor *itr)
|
|
|
|
|
{
|
|
|
|
|
ProxySocket *ps = container_of(itr, ProxySocket, interactor);
|
|
|
|
|
assert(ps->pn);
|
|
|
|
|
return dupprintf("%s connection to %s port %d", ps->pn->vt->type,
|
|
|
|
|
conf_get_str(ps->conf, CONF_proxy_host),
|
|
|
|
|
conf_get_int(ps->conf, CONF_proxy_port));
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static LogPolicy *proxy_logpolicy(Interactor *itr)
|
|
|
|
|
{
|
|
|
|
|
ProxySocket *ps = container_of(itr, ProxySocket, interactor);
|
|
|
|
|
return ps->clientlp;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static Seat *proxy_get_seat(Interactor *itr)
|
|
|
|
|
{
|
|
|
|
|
ProxySocket *ps = container_of(itr, ProxySocket, interactor);
|
|
|
|
|
return ps->clientseat;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static void proxy_set_seat(Interactor *itr, Seat *seat)
|
|
|
|
|
{
|
|
|
|
|
ProxySocket *ps = container_of(itr, ProxySocket, interactor);
|
|
|
|
|
ps->clientseat = seat;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static const InteractorVtable ProxySocket_interactorvt = {
|
|
|
|
|
.description = proxy_description,
|
|
|
|
|
.logpolicy = proxy_logpolicy,
|
|
|
|
|
.get_seat = proxy_get_seat,
|
|
|
|
|
.set_seat = proxy_set_seat,
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
static void proxy_prompts_callback(void *ctx)
|
|
|
|
|
{
|
|
|
|
|
proxy_negotiate((ProxySocket *)ctx);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
prompts_t *proxy_new_prompts(ProxySocket *ps)
|
|
|
|
|
{
|
|
|
|
|
prompts_t *prs = new_prompts();
|
|
|
|
|
prs->callback = proxy_prompts_callback;
|
|
|
|
|
prs->callback_ctx = ps;
|
|
|
|
|
return prs;
|
|
|
|
|
}
|
|
|
|
|
|
Richer data type for interactive prompt results.
All the seat functions that request an interactive prompt of some kind
to the user - both the main seat_get_userpass_input and the various
confirmation dialogs for things like host keys - were using a simple
int return value, with the general semantics of 0 = "fail", 1 =
"proceed" (and in the case of seat_get_userpass_input, answers to the
prompts were provided), and -1 = "request in progress, wait for a
callback".
In this commit I change all those functions' return types to a new
struct called SeatPromptResult, whose primary field is an enum
replacing those simple integer values.
The main purpose is that the enum has not three but _four_ values: the
"fail" result has been split into 'user abort' and 'software abort'.
The distinction is that a user abort occurs as a result of an
interactive UI action, such as the user clicking 'cancel' in a dialog
box or hitting ^D or ^C at a terminal password prompt - and therefore,
there's no need to display an error message telling the user that the
interactive operation has failed, because the user already knows,
because they _did_ it. 'Software abort' is from any other cause, where
PuTTY is the first to know there was a problem, and has to tell the
user.
We already had this 'user abort' vs 'software abort' distinction in
other parts of the code - the SSH backend has separate termination
functions which protocol layers can call. But we assumed that any
failure from an interactive prompt request fell into the 'user abort'
category, which is not true. A couple of examples: if you configure a
host key fingerprint in your saved session via the SSH > Host keys
pane, and the server presents a host key that doesn't match it, then
verify_ssh_host_key would report that the user had aborted the
connection, and feel no need to tell the user what had gone wrong!
Similarly, if a password provided on the command line was not
accepted, then (after I fixed the semantics of that in the previous
commit) the same wrong handling would occur.
So now, those Seat prompt functions too can communicate whether the
user or the software originated a connection abort. And in the latter
case, we also provide an error message to present to the user. Result:
in those two example cases (and others), error messages should no
longer go missing.
Implementation note: to avoid the hassle of having the error message
in a SeatPromptResult being a dynamically allocated string (and hence,
every recipient of one must always check whether it's non-NULL and
free it on every exit path, plus being careful about copying the
struct around), I've instead arranged that the structure contains a
function pointer and a couple of parameters, so that the string form
of the message can be constructed on demand. That way, the only users
who need to free it are the ones who actually _asked_ for it in the
first place, which is a much smaller set.
(This is one of the rare occasions that I regret not having C++'s
extra features available in this code base - a unique_ptr or
shared_ptr to a string would have been just the thing here, and the
compiler would have done all the hard work for me of remembering where
to insert the frees!)
2021-12-28 17:52:00 +00:00
|
|
|
void proxy_spr_abort(ProxyNegotiator *pn, SeatPromptResult spr)
|
|
|
|
|
{
|
|
|
|
|
if (spr.kind == SPRK_SW_ABORT) {
|
|
|
|
|
pn->error = spr_get_error_message(spr);
|
|
|
|
|
} else {
|
|
|
|
|
assert(spr.kind == SPRK_USER_ABORT);
|
|
|
|
|
pn->aborted = true;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
Get rid of lots of implicit pointer types.
All the main backend structures - Ssh, Telnet, Pty, Serial etc - now
describe structure types themselves rather than pointers to them. The
same goes for the codebase-wide trait types Socket and Plug, and the
supporting types SockAddr and Pinger.
All those things that were typedefed as pointers are older types; the
newer ones have the explicit * at the point of use, because that's
what I now seem to be preferring. But whichever one of those is
better, inconsistently using a mixture of the two styles is worse, so
let's make everything consistent.
A few types are still implicitly pointers, such as Bignum and some of
the GSSAPI types; generally this is either because they have to be
void *, or because they're typedefed differently on different
platforms and aren't always pointers at all. Can't be helped. But I've
got rid of the main ones, at least.
2018-10-04 18:10:23 +00:00
|
|
|
Socket *new_connection(SockAddr *addr, const char *hostname,
|
Convert a lot of 'int' variables to 'bool'.
My normal habit these days, in new code, is to treat int and bool as
_almost_ completely separate types. I'm still willing to use C's
implicit test for zero on an integer (e.g. 'if (!blob.len)' is fine,
no need to spell it out as blob.len != 0), but generally, if a
variable is going to be conceptually a boolean, I like to declare it
bool and assign to it using 'true' or 'false' rather than 0 or 1.
PuTTY is an exception, because it predates the C99 bool, and I've
stuck to its existing coding style even when adding new code to it.
But it's been annoying me more and more, so now that I've decided C99
bool is an acceptable thing to require from our toolchain in the first
place, here's a quite thorough trawl through the source doing
'boolification'. Many variables and function parameters are now typed
as bool rather than int; many assignments of 0 or 1 to those variables
are now spelled 'true' or 'false'.
I managed this thorough conversion with the help of a custom clang
plugin that I wrote to trawl the AST and apply heuristics to point out
where things might want changing. So I've even managed to do a decent
job on parts of the code I haven't looked at in years!
To make the plugin's work easier, I pushed platform front ends
generally in the direction of using standard 'bool' in preference to
platform-specific boolean types like Windows BOOL or GTK's gboolean;
I've left the platform booleans in places they _have_ to be for the
platform APIs to work right, but variables only used by my own code
have been converted wherever I found them.
In a few places there are int values that look very like booleans in
_most_ of the places they're used, but have a rarely-used third value,
or a distinction between different nonzero values that most users
don't care about. In these cases, I've _removed_ uses of 'true' and
'false' for the return values, to emphasise that there's something
more subtle going on than a simple boolean answer:
- the 'multisel' field in dialog.h's list box structure, for which
the GTK front end in particular recognises a difference between 1
and 2 but nearly everything else treats as boolean
- the 'urgent' parameter to plug_receive, where 1 vs 2 tells you
something about the specific location of the urgent pointer, but
most clients only care about 0 vs 'something nonzero'
- the return value of wc_match, where -1 indicates a syntax error in
the wildcard.
- the return values from SSH-1 RSA-key loading functions, which use
-1 for 'wrong passphrase' and 0 for all other failures (so any
caller which already knows it's not loading an _encrypted private_
key can treat them as boolean)
- term->esc_query, and the 'query' parameter in toggle_mode in
terminal.c, which _usually_ hold 0 for ESC[123h or 1 for ESC[?123h,
but can also hold -1 for some other intervening character that we
don't support.
In a few places there's an integer that I haven't turned into a bool
even though it really _can_ only take values 0 or 1 (and, as above,
tried to make the call sites consistent in not calling those values
true and false), on the grounds that I thought it would make it more
confusing to imply that the 0 value was in some sense 'negative' or
bad and the 1 positive or good:
- the return value of plug_accepting uses the POSIXish convention of
0=success and nonzero=error; I think if I made it bool then I'd
also want to reverse its sense, and that's a job for a separate
piece of work.
- the 'screen' parameter to lineptr() in terminal.c, where 0 and 1
represent the default and alternate screens. There's no obvious
reason why one of those should be considered 'true' or 'positive'
or 'success' - they're just indices - so I've left it as int.
ssh_scp_recv had particularly confusing semantics for its previous int
return value: its call sites used '<= 0' to check for error, but it
never actually returned a negative number, just 0 or 1. Now the
function and its call sites agree that it's a bool.
In a couple of places I've renamed variables called 'ret', because I
don't like that name any more - it's unclear whether it means the
return value (in preparation) for the _containing_ function or the
return value received from a subroutine call, and occasionally I've
accidentally used the same variable for both and introduced a bug. So
where one of those got in my way, I've renamed it to 'toret' or 'retd'
(the latter short for 'returned') in line with my usual modern
practice, but I haven't done a thorough job of finding all of them.
Finally, one amusing side effect of doing this is that I've had to
separate quite a few chained assignments. It used to be perfectly fine
to write 'a = b = c = TRUE' when a,b,c were int and TRUE was just a
the 'true' defined by stdbool.h, that idiom provokes a warning from
gcc: 'suggest parentheses around assignment used as truth value'!
2018-11-02 19:23:19 +00:00
|
|
|
int port, bool privport,
|
|
|
|
|
bool oobinline, bool nodelay, bool keepalive,
|
2021-10-30 16:36:52 +00:00
|
|
|
Plug *plug, Conf *conf, Interactor *itr)
|
2002-03-23 17:47:21 +00:00
|
|
|
{
|
2021-05-24 12:52:51 +00:00
|
|
|
int type = conf_get_int(conf, CONF_proxy_type);
|
|
|
|
|
|
|
|
|
|
if (type != PROXY_NONE &&
|
2022-12-28 15:37:57 +00:00
|
|
|
proxy_for_destination(addr, hostname, port, conf)) {
|
2021-11-19 10:14:43 +00:00
|
|
|
ProxySocket *ps;
|
2019-09-08 19:29:00 +00:00
|
|
|
SockAddr *proxy_addr;
|
|
|
|
|
char *proxy_canonical_name;
|
|
|
|
|
Socket *sret;
|
|
|
|
|
|
2022-04-22 13:12:15 +00:00
|
|
|
if ((type == PROXY_SSH_TCPIP ||
|
|
|
|
|
type == PROXY_SSH_EXEC ||
|
|
|
|
|
type == PROXY_SSH_SUBSYSTEM) &&
|
2021-05-24 12:52:51 +00:00
|
|
|
(sret = sshproxy_new_connection(addr, hostname, port, privport,
|
Initial support for in-process proxy SSH connections.
This introduces a new entry to the radio-button list of proxy types,
in which the 'Proxy host' box is taken to be the name of an SSH server
or saved session. We make an entire subsidiary SSH connection to that
host, open a direct-tcpip channel through it, and use that as the
connection over which to run the primary network connection.
The result is basically the same as if you used a local proxy
subprocess, with a command along the lines of 'plink -batch %proxyhost
-nc %host:%port'. But it's all done in-process, by having an SshProxy
object implement the Socket trait to talk to the main connection, and
implement Seat and LogPolicy to talk to its subsidiary SSH backend.
All the refactoring in recent years has got us to the point where we
can do that without both SSH instances fighting over some global
variable or unique piece of infrastructure.
From an end user perspective, doing SSH proxying in-process like this
is a little bit easier to set up: it doesn't require you to bake the
full pathname of Plink into your saved session (or to have it on the
system PATH), and the SshProxy setup function automatically turns off
SSH features that would be inappropriate in this context, such as
additional port forwardings, or acting as a connection-sharing
upstream. And it has minor advantages like getting the Event Log for
the subsidiary connection interleaved in the main Event Log, as if it
were stderr output from a proxy subcommand, without having to
deliberately configure the subsidiary Plink into verbose mode.
However, this is an initial implementation only, and it doesn't yet
support the _big_ payoff for doing this in-process, which (I hope)
will be the ability to handle interactive prompts from the subsidiary
SSH connection via the same user interface as the primary one. For
example, you might need to answer two password prompts in succession,
or (the first time you use a session configured this way) confirm the
host keys for both proxy and destination SSH servers. Comments in the
new source file discuss some design thoughts on filling in this gap.
For the moment, if the proxy SSH connection encounters any situation
where an interactive prompt is needed, it will make the safe
assumption, the same way 'plink -batch' would do. So it's at least no
_worse_ than the existing technique of putting the proxy connection in
a subprocess.
2021-05-22 11:51:23 +00:00
|
|
|
oobinline, nodelay, keepalive,
|
2021-10-30 16:36:52 +00:00
|
|
|
plug, conf, itr)) != NULL)
|
Initial support for in-process proxy SSH connections.
This introduces a new entry to the radio-button list of proxy types,
in which the 'Proxy host' box is taken to be the name of an SSH server
or saved session. We make an entire subsidiary SSH connection to that
host, open a direct-tcpip channel through it, and use that as the
connection over which to run the primary network connection.
The result is basically the same as if you used a local proxy
subprocess, with a command along the lines of 'plink -batch %proxyhost
-nc %host:%port'. But it's all done in-process, by having an SshProxy
object implement the Socket trait to talk to the main connection, and
implement Seat and LogPolicy to talk to its subsidiary SSH backend.
All the refactoring in recent years has got us to the point where we
can do that without both SSH instances fighting over some global
variable or unique piece of infrastructure.
From an end user perspective, doing SSH proxying in-process like this
is a little bit easier to set up: it doesn't require you to bake the
full pathname of Plink into your saved session (or to have it on the
system PATH), and the SshProxy setup function automatically turns off
SSH features that would be inappropriate in this context, such as
additional port forwardings, or acting as a connection-sharing
upstream. And it has minor advantages like getting the Event Log for
the subsidiary connection interleaved in the main Event Log, as if it
were stderr output from a proxy subcommand, without having to
deliberately configure the subsidiary Plink into verbose mode.
However, this is an initial implementation only, and it doesn't yet
support the _big_ payoff for doing this in-process, which (I hope)
will be the ability to handle interactive prompts from the subsidiary
SSH connection via the same user interface as the primary one. For
example, you might need to answer two password prompts in succession,
or (the first time you use a session configured this way) confirm the
host keys for both proxy and destination SSH servers. Comments in the
new source file discuss some design thoughts on filling in this gap.
For the moment, if the proxy SSH connection encounters any situation
where an interactive prompt is needed, it will make the safe
assumption, the same way 'plink -batch' would do. So it's at least no
_worse_ than the existing technique of putting the proxy connection in
a subprocess.
2021-05-22 11:51:23 +00:00
|
|
|
return sret;
|
|
|
|
|
|
2019-09-08 19:29:00 +00:00
|
|
|
if ((sret = platform_new_connection(addr, hostname, port, privport,
|
|
|
|
|
oobinline, nodelay, keepalive,
|
2021-12-21 13:35:51 +00:00
|
|
|
plug, conf, itr)) != NULL)
|
2019-09-08 19:29:00 +00:00
|
|
|
return sret;
|
|
|
|
|
|
2021-11-19 10:14:43 +00:00
|
|
|
ps = snew(ProxySocket);
|
|
|
|
|
ps->sock.vt = &ProxySocket_sockvt;
|
|
|
|
|
ps->plugimpl.vt = &ProxySocket_plugvt;
|
2021-11-19 11:05:14 +00:00
|
|
|
ps->interactor.vt = &ProxySocket_interactorvt;
|
2021-11-19 10:14:43 +00:00
|
|
|
ps->conf = conf_copy(conf);
|
|
|
|
|
ps->plug = plug;
|
|
|
|
|
ps->remote_addr = addr; /* will need to be freed on close */
|
|
|
|
|
ps->remote_port = port;
|
2019-09-08 19:29:00 +00:00
|
|
|
|
2021-11-19 10:14:43 +00:00
|
|
|
ps->error = NULL;
|
|
|
|
|
ps->pending_eof = false;
|
|
|
|
|
ps->freeze = false;
|
2019-09-08 19:29:00 +00:00
|
|
|
|
2021-11-19 10:14:43 +00:00
|
|
|
bufchain_init(&ps->pending_input_data);
|
|
|
|
|
bufchain_init(&ps->pending_output_data);
|
|
|
|
|
bufchain_init(&ps->pending_oob_output_data);
|
Reorganise proxy system into coroutines.
Previously, the proxy negotiation functions were written as explicit
state machines, with ps->state being manually set to a sequence of
positive integer values which would be tested by if statements in the
next call to the same negotiation function.
That's not how this code base likes to do things! We have a coroutine
system to allow those state machines to be implicit rather than
explicit, so that we can use ordinary control flow statements like
while loops. Reorganised each proxy negotiation function into a
coroutine-based system like that.
While I'm at it, I've also moved each proxy negotiator out into its
own source file, to make proxy.c less overcrowded and monolithic. And
_that_ gave me the opportunity to define each negotiator as an
implementation of a trait rather than as a single function - which
means now each one can define its own local variables and have its own
cleanup function, instead of all of them having to share the variables
inside the main ProxySocket struct.
In the new coroutine system, negotiators don't have to worry about the
mechanics of actually sending data down the underlying Socket any
more. The negotiator coroutine just appends to a bufchain (via a
provided bufchain_sink), and after every call to the coroutine,
central code in proxy.c transfers the data to the Socket itself. This
avoids a lot of intermediate allocations within the negotiators, which
previously kept having to make temporary strbufs or arrays in order to
have something to point an sk_write() at; now they can just put
formatted data directly into the output bufchain via the marshal.h
interface.
In this version of the code, I've also moved most of the SOCKS5 CHAP
implementation from cproxy.c into socks5.c, so that it can sit in the
same coroutine as the rest of the proxy negotiation control flow.
That's because calling a sub-coroutine (co-subroutine?) is awkward to
set up (though it is _possible_ - we do SSH-2 kex that way), and
there's no real need to bother in this case, since the only thing that
really needs to go in cproxy.c is the actual cryptography plus a flag
to tell socks5.c whether to offer CHAP authentication in the first
place.
2021-11-19 10:26:41 +00:00
|
|
|
bufchain_init(&ps->output_from_negotiator);
|
2019-09-08 19:29:00 +00:00
|
|
|
|
2021-11-19 10:14:43 +00:00
|
|
|
ps->sub_socket = NULL;
|
Reorganise proxy system into coroutines.
Previously, the proxy negotiation functions were written as explicit
state machines, with ps->state being manually set to a sequence of
positive integer values which would be tested by if statements in the
next call to the same negotiation function.
That's not how this code base likes to do things! We have a coroutine
system to allow those state machines to be implicit rather than
explicit, so that we can use ordinary control flow statements like
while loops. Reorganised each proxy negotiation function into a
coroutine-based system like that.
While I'm at it, I've also moved each proxy negotiator out into its
own source file, to make proxy.c less overcrowded and monolithic. And
_that_ gave me the opportunity to define each negotiator as an
implementation of a trait rather than as a single function - which
means now each one can define its own local variables and have its own
cleanup function, instead of all of them having to share the variables
inside the main ProxySocket struct.
In the new coroutine system, negotiators don't have to worry about the
mechanics of actually sending data down the underlying Socket any
more. The negotiator coroutine just appends to a bufchain (via a
provided bufchain_sink), and after every call to the coroutine,
central code in proxy.c transfers the data to the Socket itself. This
avoids a lot of intermediate allocations within the negotiators, which
previously kept having to make temporary strbufs or arrays in order to
have something to point an sk_write() at; now they can just put
formatted data directly into the output bufchain via the marshal.h
interface.
In this version of the code, I've also moved most of the SOCKS5 CHAP
implementation from cproxy.c into socks5.c, so that it can sit in the
same coroutine as the rest of the proxy negotiation control flow.
That's because calling a sub-coroutine (co-subroutine?) is awkward to
set up (though it is _possible_ - we do SSH-2 kex that way), and
there's no real need to bother in this case, since the only thing that
really needs to go in cproxy.c is the actual cryptography plus a flag
to tell socks5.c whether to offer CHAP authentication in the first
place.
2021-11-19 10:26:41 +00:00
|
|
|
|
2021-11-19 11:05:14 +00:00
|
|
|
/*
|
|
|
|
|
* If we've been given an Interactor by the caller, set ourselves
|
|
|
|
|
* up to work with it.
|
|
|
|
|
*/
|
|
|
|
|
if (itr) {
|
|
|
|
|
ps->clientitr = itr;
|
|
|
|
|
interactor_set_child(ps->clientitr, &ps->interactor);
|
|
|
|
|
ps->clientlp = interactor_logpolicy(ps->clientitr);
|
|
|
|
|
ps->clientseat = interactor_borrow_seat(ps->clientitr);
|
|
|
|
|
}
|
|
|
|
|
|
Reorganise proxy system into coroutines.
Previously, the proxy negotiation functions were written as explicit
state machines, with ps->state being manually set to a sequence of
positive integer values which would be tested by if statements in the
next call to the same negotiation function.
That's not how this code base likes to do things! We have a coroutine
system to allow those state machines to be implicit rather than
explicit, so that we can use ordinary control flow statements like
while loops. Reorganised each proxy negotiation function into a
coroutine-based system like that.
While I'm at it, I've also moved each proxy negotiator out into its
own source file, to make proxy.c less overcrowded and monolithic. And
_that_ gave me the opportunity to define each negotiator as an
implementation of a trait rather than as a single function - which
means now each one can define its own local variables and have its own
cleanup function, instead of all of them having to share the variables
inside the main ProxySocket struct.
In the new coroutine system, negotiators don't have to worry about the
mechanics of actually sending data down the underlying Socket any
more. The negotiator coroutine just appends to a bufchain (via a
provided bufchain_sink), and after every call to the coroutine,
central code in proxy.c transfers the data to the Socket itself. This
avoids a lot of intermediate allocations within the negotiators, which
previously kept having to make temporary strbufs or arrays in order to
have something to point an sk_write() at; now they can just put
formatted data directly into the output bufchain via the marshal.h
interface.
In this version of the code, I've also moved most of the SOCKS5 CHAP
implementation from cproxy.c into socks5.c, so that it can sit in the
same coroutine as the rest of the proxy negotiation control flow.
That's because calling a sub-coroutine (co-subroutine?) is awkward to
set up (though it is _possible_ - we do SSH-2 kex that way), and
there's no real need to bother in this case, since the only thing that
really needs to go in cproxy.c is the actual cryptography plus a flag
to tell socks5.c whether to offer CHAP authentication in the first
place.
2021-11-19 10:26:41 +00:00
|
|
|
const ProxyNegotiatorVT *vt;
|
|
|
|
|
switch (type) {
|
|
|
|
|
case PROXY_HTTP:
|
|
|
|
|
vt = &http_proxy_negotiator_vt;
|
|
|
|
|
break;
|
|
|
|
|
case PROXY_SOCKS4:
|
|
|
|
|
vt = &socks4_proxy_negotiator_vt;
|
|
|
|
|
break;
|
|
|
|
|
case PROXY_SOCKS5:
|
|
|
|
|
vt = &socks5_proxy_negotiator_vt;
|
|
|
|
|
break;
|
|
|
|
|
case PROXY_TELNET:
|
|
|
|
|
vt = &telnet_proxy_negotiator_vt;
|
|
|
|
|
break;
|
|
|
|
|
default:
|
2021-11-19 10:14:43 +00:00
|
|
|
ps->error = "Proxy error: Unknown proxy method";
|
|
|
|
|
return &ps->sock;
|
2019-09-08 19:29:00 +00:00
|
|
|
}
|
Reorganise proxy system into coroutines.
Previously, the proxy negotiation functions were written as explicit
state machines, with ps->state being manually set to a sequence of
positive integer values which would be tested by if statements in the
next call to the same negotiation function.
That's not how this code base likes to do things! We have a coroutine
system to allow those state machines to be implicit rather than
explicit, so that we can use ordinary control flow statements like
while loops. Reorganised each proxy negotiation function into a
coroutine-based system like that.
While I'm at it, I've also moved each proxy negotiator out into its
own source file, to make proxy.c less overcrowded and monolithic. And
_that_ gave me the opportunity to define each negotiator as an
implementation of a trait rather than as a single function - which
means now each one can define its own local variables and have its own
cleanup function, instead of all of them having to share the variables
inside the main ProxySocket struct.
In the new coroutine system, negotiators don't have to worry about the
mechanics of actually sending data down the underlying Socket any
more. The negotiator coroutine just appends to a bufchain (via a
provided bufchain_sink), and after every call to the coroutine,
central code in proxy.c transfers the data to the Socket itself. This
avoids a lot of intermediate allocations within the negotiators, which
previously kept having to make temporary strbufs or arrays in order to
have something to point an sk_write() at; now they can just put
formatted data directly into the output bufchain via the marshal.h
interface.
In this version of the code, I've also moved most of the SOCKS5 CHAP
implementation from cproxy.c into socks5.c, so that it can sit in the
same coroutine as the rest of the proxy negotiation control flow.
That's because calling a sub-coroutine (co-subroutine?) is awkward to
set up (though it is _possible_ - we do SSH-2 kex that way), and
there's no real need to bother in this case, since the only thing that
really needs to go in cproxy.c is the actual cryptography plus a flag
to tell socks5.c whether to offer CHAP authentication in the first
place.
2021-11-19 10:26:41 +00:00
|
|
|
ps->pn = proxy_negotiator_new(vt);
|
|
|
|
|
ps->pn->ps = ps;
|
|
|
|
|
ps->pn->done = false;
|
|
|
|
|
ps->pn->error = NULL;
|
2021-11-19 11:05:14 +00:00
|
|
|
ps->pn->aborted = false;
|
Reorganise proxy system into coroutines.
Previously, the proxy negotiation functions were written as explicit
state machines, with ps->state being manually set to a sequence of
positive integer values which would be tested by if statements in the
next call to the same negotiation function.
That's not how this code base likes to do things! We have a coroutine
system to allow those state machines to be implicit rather than
explicit, so that we can use ordinary control flow statements like
while loops. Reorganised each proxy negotiation function into a
coroutine-based system like that.
While I'm at it, I've also moved each proxy negotiator out into its
own source file, to make proxy.c less overcrowded and monolithic. And
_that_ gave me the opportunity to define each negotiator as an
implementation of a trait rather than as a single function - which
means now each one can define its own local variables and have its own
cleanup function, instead of all of them having to share the variables
inside the main ProxySocket struct.
In the new coroutine system, negotiators don't have to worry about the
mechanics of actually sending data down the underlying Socket any
more. The negotiator coroutine just appends to a bufchain (via a
provided bufchain_sink), and after every call to the coroutine,
central code in proxy.c transfers the data to the Socket itself. This
avoids a lot of intermediate allocations within the negotiators, which
previously kept having to make temporary strbufs or arrays in order to
have something to point an sk_write() at; now they can just put
formatted data directly into the output bufchain via the marshal.h
interface.
In this version of the code, I've also moved most of the SOCKS5 CHAP
implementation from cproxy.c into socks5.c, so that it can sit in the
same coroutine as the rest of the proxy negotiation control flow.
That's because calling a sub-coroutine (co-subroutine?) is awkward to
set up (though it is _possible_ - we do SSH-2 kex that way), and
there's no real need to bother in this case, since the only thing that
really needs to go in cproxy.c is the actual cryptography plus a flag
to tell socks5.c whether to offer CHAP authentication in the first
place.
2021-11-19 10:26:41 +00:00
|
|
|
ps->pn->input = &ps->pending_input_data;
|
2021-11-19 11:05:14 +00:00
|
|
|
/* Provide an Interactor to the negotiator if and only if we
|
|
|
|
|
* are usefully able to ask interactive questions of the user */
|
|
|
|
|
ps->pn->itr = ps->clientseat ? &ps->interactor : NULL;
|
Reorganise proxy system into coroutines.
Previously, the proxy negotiation functions were written as explicit
state machines, with ps->state being manually set to a sequence of
positive integer values which would be tested by if statements in the
next call to the same negotiation function.
That's not how this code base likes to do things! We have a coroutine
system to allow those state machines to be implicit rather than
explicit, so that we can use ordinary control flow statements like
while loops. Reorganised each proxy negotiation function into a
coroutine-based system like that.
While I'm at it, I've also moved each proxy negotiator out into its
own source file, to make proxy.c less overcrowded and monolithic. And
_that_ gave me the opportunity to define each negotiator as an
implementation of a trait rather than as a single function - which
means now each one can define its own local variables and have its own
cleanup function, instead of all of them having to share the variables
inside the main ProxySocket struct.
In the new coroutine system, negotiators don't have to worry about the
mechanics of actually sending data down the underlying Socket any
more. The negotiator coroutine just appends to a bufchain (via a
provided bufchain_sink), and after every call to the coroutine,
central code in proxy.c transfers the data to the Socket itself. This
avoids a lot of intermediate allocations within the negotiators, which
previously kept having to make temporary strbufs or arrays in order to
have something to point an sk_write() at; now they can just put
formatted data directly into the output bufchain via the marshal.h
interface.
In this version of the code, I've also moved most of the SOCKS5 CHAP
implementation from cproxy.c into socks5.c, so that it can sit in the
same coroutine as the rest of the proxy negotiation control flow.
That's because calling a sub-coroutine (co-subroutine?) is awkward to
set up (though it is _possible_ - we do SSH-2 kex that way), and
there's no real need to bother in this case, since the only thing that
really needs to go in cproxy.c is the actual cryptography plus a flag
to tell socks5.c whether to offer CHAP authentication in the first
place.
2021-11-19 10:26:41 +00:00
|
|
|
bufchain_sink_init(ps->pn->output, &ps->output_from_negotiator);
|
2002-03-23 17:47:21 +00:00
|
|
|
|
2015-11-22 12:15:52 +00:00
|
|
|
{
|
|
|
|
|
char *logmsg = dupprintf("Will use %s proxy at %s:%d to connect"
|
2022-08-03 19:48:46 +00:00
|
|
|
" to %s:%d", vt->type,
|
|
|
|
|
conf_get_str(conf, CONF_proxy_host),
|
|
|
|
|
conf_get_int(conf, CONF_proxy_port),
|
|
|
|
|
hostname, port);
|
2024-06-26 07:29:39 +00:00
|
|
|
plug_log(plug, &ps->sock, PLUGLOG_PROXY_MSG, NULL, 0, logmsg, 0);
|
2015-11-22 12:15:52 +00:00
|
|
|
sfree(logmsg);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
{
|
|
|
|
|
char *logmsg = dns_log_msg(conf_get_str(conf, CONF_proxy_host),
|
|
|
|
|
conf_get_int(conf, CONF_addressfamily),
|
|
|
|
|
"proxy");
|
2024-06-26 07:29:39 +00:00
|
|
|
plug_log(plug, &ps->sock, PLUGLOG_PROXY_MSG, NULL, 0, logmsg, 0);
|
2015-11-22 12:15:52 +00:00
|
|
|
sfree(logmsg);
|
|
|
|
|
}
|
|
|
|
|
|
2019-09-08 19:29:00 +00:00
|
|
|
/* look-up proxy */
|
|
|
|
|
proxy_addr = sk_namelookup(conf_get_str(conf, CONF_proxy_host),
|
|
|
|
|
&proxy_canonical_name,
|
|
|
|
|
conf_get_int(conf, CONF_addressfamily));
|
|
|
|
|
if (sk_addr_error(proxy_addr) != NULL) {
|
2021-11-19 10:14:43 +00:00
|
|
|
ps->error = "Proxy error: Unable to resolve proxy host name";
|
2013-07-22 19:55:55 +00:00
|
|
|
sk_addr_free(proxy_addr);
|
2021-11-19 10:14:43 +00:00
|
|
|
return &ps->sock;
|
2019-09-08 19:29:00 +00:00
|
|
|
}
|
|
|
|
|
sfree(proxy_canonical_name);
|
2002-03-23 17:47:21 +00:00
|
|
|
|
2015-11-22 12:15:52 +00:00
|
|
|
{
|
|
|
|
|
char addrbuf[256], *logmsg;
|
2017-02-04 14:36:12 +00:00
|
|
|
sk_getaddr(proxy_addr, addrbuf, lenof(addrbuf));
|
2015-11-22 12:15:52 +00:00
|
|
|
logmsg = dupprintf("Connecting to %s proxy at %s port %d",
|
Reorganise proxy system into coroutines.
Previously, the proxy negotiation functions were written as explicit
state machines, with ps->state being manually set to a sequence of
positive integer values which would be tested by if statements in the
next call to the same negotiation function.
That's not how this code base likes to do things! We have a coroutine
system to allow those state machines to be implicit rather than
explicit, so that we can use ordinary control flow statements like
while loops. Reorganised each proxy negotiation function into a
coroutine-based system like that.
While I'm at it, I've also moved each proxy negotiator out into its
own source file, to make proxy.c less overcrowded and monolithic. And
_that_ gave me the opportunity to define each negotiator as an
implementation of a trait rather than as a single function - which
means now each one can define its own local variables and have its own
cleanup function, instead of all of them having to share the variables
inside the main ProxySocket struct.
In the new coroutine system, negotiators don't have to worry about the
mechanics of actually sending data down the underlying Socket any
more. The negotiator coroutine just appends to a bufchain (via a
provided bufchain_sink), and after every call to the coroutine,
central code in proxy.c transfers the data to the Socket itself. This
avoids a lot of intermediate allocations within the negotiators, which
previously kept having to make temporary strbufs or arrays in order to
have something to point an sk_write() at; now they can just put
formatted data directly into the output bufchain via the marshal.h
interface.
In this version of the code, I've also moved most of the SOCKS5 CHAP
implementation from cproxy.c into socks5.c, so that it can sit in the
same coroutine as the rest of the proxy negotiation control flow.
That's because calling a sub-coroutine (co-subroutine?) is awkward to
set up (though it is _possible_ - we do SSH-2 kex that way), and
there's no real need to bother in this case, since the only thing that
really needs to go in cproxy.c is the actual cryptography plus a flag
to tell socks5.c whether to offer CHAP authentication in the first
place.
2021-11-19 10:26:41 +00:00
|
|
|
vt->type, addrbuf,
|
2015-11-22 12:15:52 +00:00
|
|
|
conf_get_int(conf, CONF_proxy_port));
|
2024-06-26 07:29:39 +00:00
|
|
|
plug_log(plug, &ps->sock, PLUGLOG_PROXY_MSG, NULL, 0, logmsg, 0);
|
2015-11-22 12:15:52 +00:00
|
|
|
sfree(logmsg);
|
|
|
|
|
}
|
|
|
|
|
|
2019-09-08 19:29:00 +00:00
|
|
|
/* create the actual socket we will be using,
|
|
|
|
|
* connected to our proxy server and port.
|
|
|
|
|
*/
|
2022-02-19 12:04:09 +00:00
|
|
|
ps->proxy_addr = sk_addr_dup(proxy_addr);
|
|
|
|
|
ps->proxy_port = conf_get_int(conf, CONF_proxy_port);
|
|
|
|
|
ps->proxy_privport = privport;
|
|
|
|
|
ps->proxy_oobinline = oobinline;
|
|
|
|
|
ps->proxy_nodelay = nodelay;
|
|
|
|
|
ps->proxy_keepalive = keepalive;
|
|
|
|
|
ps->sub_socket = sk_new(proxy_addr, ps->proxy_port,
|
|
|
|
|
ps->proxy_privport, ps->proxy_oobinline,
|
|
|
|
|
ps->proxy_nodelay, ps->proxy_keepalive,
|
|
|
|
|
&ps->plugimpl);
|
2021-11-19 10:14:43 +00:00
|
|
|
if (sk_socket_error(ps->sub_socket) != NULL)
|
|
|
|
|
return &ps->sock;
|
2019-09-08 19:29:00 +00:00
|
|
|
|
|
|
|
|
/* start the proxy negotiation process... */
|
2021-11-19 10:14:43 +00:00
|
|
|
sk_set_frozen(ps->sub_socket, false);
|
Reorganise proxy system into coroutines.
Previously, the proxy negotiation functions were written as explicit
state machines, with ps->state being manually set to a sequence of
positive integer values which would be tested by if statements in the
next call to the same negotiation function.
That's not how this code base likes to do things! We have a coroutine
system to allow those state machines to be implicit rather than
explicit, so that we can use ordinary control flow statements like
while loops. Reorganised each proxy negotiation function into a
coroutine-based system like that.
While I'm at it, I've also moved each proxy negotiator out into its
own source file, to make proxy.c less overcrowded and monolithic. And
_that_ gave me the opportunity to define each negotiator as an
implementation of a trait rather than as a single function - which
means now each one can define its own local variables and have its own
cleanup function, instead of all of them having to share the variables
inside the main ProxySocket struct.
In the new coroutine system, negotiators don't have to worry about the
mechanics of actually sending data down the underlying Socket any
more. The negotiator coroutine just appends to a bufchain (via a
provided bufchain_sink), and after every call to the coroutine,
central code in proxy.c transfers the data to the Socket itself. This
avoids a lot of intermediate allocations within the negotiators, which
previously kept having to make temporary strbufs or arrays in order to
have something to point an sk_write() at; now they can just put
formatted data directly into the output bufchain via the marshal.h
interface.
In this version of the code, I've also moved most of the SOCKS5 CHAP
implementation from cproxy.c into socks5.c, so that it can sit in the
same coroutine as the rest of the proxy negotiation control flow.
That's because calling a sub-coroutine (co-subroutine?) is awkward to
set up (though it is _possible_ - we do SSH-2 kex that way), and
there's no real need to bother in this case, since the only thing that
really needs to go in cproxy.c is the actual cryptography plus a flag
to tell socks5.c whether to offer CHAP authentication in the first
place.
2021-11-19 10:26:41 +00:00
|
|
|
proxy_negotiate(ps);
|
2019-09-08 19:29:00 +00:00
|
|
|
|
2021-11-19 10:14:43 +00:00
|
|
|
return &ps->sock;
|
2002-03-23 17:47:21 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* no proxy, so just return the direct socket */
|
2004-06-20 17:07:38 +00:00
|
|
|
return sk_new(addr, port, privport, oobinline, nodelay, keepalive, plug);
|
2002-03-23 17:47:21 +00:00
|
|
|
}
|
|
|
|
|
|
Get rid of lots of implicit pointer types.
All the main backend structures - Ssh, Telnet, Pty, Serial etc - now
describe structure types themselves rather than pointers to them. The
same goes for the codebase-wide trait types Socket and Plug, and the
supporting types SockAddr and Pinger.
All those things that were typedefed as pointers are older types; the
newer ones have the explicit * at the point of use, because that's
what I now seem to be preferring. But whichever one of those is
better, inconsistently using a mixture of the two styles is worse, so
let's make everything consistent.
A few types are still implicitly pointers, such as Bignum and some of
the GSSAPI types; generally this is either because they have to be
void *, or because they're typedefed differently on different
platforms and aren't always pointers at all. Can't be helped. But I've
got rid of the main ones, at least.
2018-10-04 18:10:23 +00:00
|
|
|
Socket *new_listener(const char *srcaddr, int port, Plug *plug,
|
Convert a lot of 'int' variables to 'bool'.
My normal habit these days, in new code, is to treat int and bool as
_almost_ completely separate types. I'm still willing to use C's
implicit test for zero on an integer (e.g. 'if (!blob.len)' is fine,
no need to spell it out as blob.len != 0), but generally, if a
variable is going to be conceptually a boolean, I like to declare it
bool and assign to it using 'true' or 'false' rather than 0 or 1.
PuTTY is an exception, because it predates the C99 bool, and I've
stuck to its existing coding style even when adding new code to it.
But it's been annoying me more and more, so now that I've decided C99
bool is an acceptable thing to require from our toolchain in the first
place, here's a quite thorough trawl through the source doing
'boolification'. Many variables and function parameters are now typed
as bool rather than int; many assignments of 0 or 1 to those variables
are now spelled 'true' or 'false'.
I managed this thorough conversion with the help of a custom clang
plugin that I wrote to trawl the AST and apply heuristics to point out
where things might want changing. So I've even managed to do a decent
job on parts of the code I haven't looked at in years!
To make the plugin's work easier, I pushed platform front ends
generally in the direction of using standard 'bool' in preference to
platform-specific boolean types like Windows BOOL or GTK's gboolean;
I've left the platform booleans in places they _have_ to be for the
platform APIs to work right, but variables only used by my own code
have been converted wherever I found them.
In a few places there are int values that look very like booleans in
_most_ of the places they're used, but have a rarely-used third value,
or a distinction between different nonzero values that most users
don't care about. In these cases, I've _removed_ uses of 'true' and
'false' for the return values, to emphasise that there's something
more subtle going on than a simple boolean answer:
- the 'multisel' field in dialog.h's list box structure, for which
the GTK front end in particular recognises a difference between 1
and 2 but nearly everything else treats as boolean
- the 'urgent' parameter to plug_receive, where 1 vs 2 tells you
something about the specific location of the urgent pointer, but
most clients only care about 0 vs 'something nonzero'
- the return value of wc_match, where -1 indicates a syntax error in
the wildcard.
- the return values from SSH-1 RSA-key loading functions, which use
-1 for 'wrong passphrase' and 0 for all other failures (so any
caller which already knows it's not loading an _encrypted private_
key can treat them as boolean)
- term->esc_query, and the 'query' parameter in toggle_mode in
terminal.c, which _usually_ hold 0 for ESC[123h or 1 for ESC[?123h,
but can also hold -1 for some other intervening character that we
don't support.
In a few places there's an integer that I haven't turned into a bool
even though it really _can_ only take values 0 or 1 (and, as above,
tried to make the call sites consistent in not calling those values
true and false), on the grounds that I thought it would make it more
confusing to imply that the 0 value was in some sense 'negative' or
bad and the 1 positive or good:
- the return value of plug_accepting uses the POSIXish convention of
0=success and nonzero=error; I think if I made it bool then I'd
also want to reverse its sense, and that's a job for a separate
piece of work.
- the 'screen' parameter to lineptr() in terminal.c, where 0 and 1
represent the default and alternate screens. There's no obvious
reason why one of those should be considered 'true' or 'positive'
or 'success' - they're just indices - so I've left it as int.
ssh_scp_recv had particularly confusing semantics for its previous int
return value: its call sites used '<= 0' to check for error, but it
never actually returned a negative number, just 0 or 1. Now the
function and its call sites agree that it's a bool.
In a couple of places I've renamed variables called 'ret', because I
don't like that name any more - it's unclear whether it means the
return value (in preparation) for the _containing_ function or the
return value received from a subroutine call, and occasionally I've
accidentally used the same variable for both and introduced a bug. So
where one of those got in my way, I've renamed it to 'toret' or 'retd'
(the latter short for 'returned') in line with my usual modern
practice, but I haven't done a thorough job of finding all of them.
Finally, one amusing side effect of doing this is that I've had to
separate quite a few chained assignments. It used to be perfectly fine
to write 'a = b = c = TRUE' when a,b,c were int and TRUE was just a
the 'true' defined by stdbool.h, that idiom provokes a warning from
gcc: 'suggest parentheses around assignment used as truth value'!
2018-11-02 19:23:19 +00:00
|
|
|
bool local_host_only, Conf *conf, int addressfamily)
|
2002-03-23 17:47:21 +00:00
|
|
|
{
|
|
|
|
|
/* TODO: SOCKS (and potentially others) support inbound
|
|
|
|
|
* TODO: connections via the proxy. support them.
|
|
|
|
|
*/
|
|
|
|
|
|
2004-12-30 16:45:11 +00:00
|
|
|
return sk_newlistener(srcaddr, port, plug, local_host_only, addressfamily);
|
2002-03-23 17:47:21 +00:00
|
|
|
}
|