History log of /openbsd-current/usr.bin/ssh/nchan.c
Revision Date Author Comments
# 1.75 01-Feb-2024 djm

whitespace


Revision tags: OPENBSD_7_1_BASE OPENBSD_7_2_BASE OPENBSD_7_3_BASE OPENBSD_7_4_BASE
# 1.74 01-Feb-2022 djm

mark const string array contents const too, i.e.
static const char *array => static const char * const array
from Mike Frysinger


Revision tags: OPENBSD_7_0_BASE
# 1.73 19-May-2021 djm

restore blocking status on stdio fds before close

ssh(1) needs to set file descriptors to non-blocking mode to operate
but it was not restoring the original state on exit. This could cause
problems with fds shared with other programs via the shell, e.g.

> $ cat > test.sh << _EOF
> #!/bin/sh
> {
> ssh -Fnone -oLogLevel=verbose ::1 hostname
> cat /usr/share/dict/words
> } | sleep 10
> _EOF
> $ ./test.sh
> Authenticated to ::1 ([::1]:22).
> Transferred: sent 2352, received 2928 bytes, in 0.1 seconds
> Bytes per second: sent 44338.9, received 55197.4
> cat: stdout: Resource temporarily unavailable

This restores the blocking status for fds 0,1,2 (stdio) before ssh(1)
abandons/closes them.

This was reported as bz3280 and GHPR246; ok dtucker@
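
An added illustration of the failure mode described in revision 1.73 (not OpenSSH code; the helper names are hypothetical). O_NONBLOCK is stored on the open file description, so descriptors created by dup() or inherited from the shell across fork() all see it; the sketch shows the leaked flag, the EAGAIN a later writer hits on a full pipe, and the save/restore pattern.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Returns 1 if O_NONBLOCK is set on fd, 0 if clear, -1 on error. */
int fd_is_nonblocking(int fd)
{
	int flags = fcntl(fd, F_GETFL);

	if (flags == -1)
		return -1;
	return (flags & O_NONBLOCK) ? 1 : 0;
}

/* Set or clear O_NONBLOCK, leaving the other status flags alone. */
int fd_set_nonblocking(int fd, int on)
{
	int flags = fcntl(fd, F_GETFL);

	if (flags == -1)
		return -1;
	flags = on ? (flags | O_NONBLOCK) : (flags & ~O_NONBLOCK);
	return fcntl(fd, F_SETFL, flags) == -1 ? -1 : 0;
}

/*
 * tool_fd plays the stdout used by the first program, other_fd the stdout
 * the next program in the same shell block inherits. dup() stands in for
 * fork() inheritance: both share one open file description.
 * Returns the O_NONBLOCK state the other holder sees once the tool has
 * closed its descriptor, or -1 on error.
 */
int leftover_nonblock(int restore)
{
	int p[2], tool_fd, other_fd, was, seen = -1;

	if (pipe(p) == -1)
		return -1;
	tool_fd = p[1];
	if ((other_fd = dup(tool_fd)) == -1)
		goto out;
	/* Remember the original state before switching modes. */
	if ((was = fd_is_nonblocking(tool_fd)) == -1 ||
	    fd_set_nonblocking(tool_fd, 1) == -1)
		goto out;
	/* The fix: put the flag back before abandoning the descriptor. */
	if (restore && fd_set_nonblocking(tool_fd, was) == -1)
		goto out;
	seen = fd_is_nonblocking(other_fd);
out:
	if (other_fd != -1)
		close(other_fd);
	close(tool_fd);
	close(p[0]);
	return seen;
}

/*
 * The flag is leaked and the reader never drains the pipe (as with
 * "| sleep 10"). Returns the errno the second writer gets once the pipe
 * is full, or -1 if the setup failed.
 */
int second_writer_errno(void)
{
	char buf[4096];
	int p[2], other_fd, err = -1;

	if (pipe(p) == -1)
		return -1;
	if ((other_fd = dup(p[1])) == -1)
		goto out;
	if (fd_set_nonblocking(p[1], 1) == -1)
		goto out;
	memset(buf, 'x', sizeof(buf));
	/* Non-blocking writes succeed until the pipe buffer is full. */
	while (write(other_fd, buf, sizeof(buf)) != -1)
		continue;
	err = errno;
out:
	if (other_fd != -1)
		close(other_fd);
	close(p[1]);
	close(p[0]);
	return err;
}

int main(void)
{
	printf("flag seen by other holder, no restore: %d\n",
	    leftover_nonblock(0));
	printf("flag seen by other holder, restored:   %d\n",
	    leftover_nonblock(1));
	printf("second writer on full pipe: %s\n",
	    strerror(second_writer_errno()));
	return 0;
}
```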


Revision tags: OPENBSD_6_9_BASE
# 1.72 27-Jan-2021 djm

remove global variable used to stash compat flags and use the
purpose-built ssh->compat variable instead; feedback/ok markus@


# 1.71 18-Oct-2020 djm

use the new variant log macros instead of prepending __func__ and
appending ssh_err(r) manually; ok markus@


Revision tags: OPENBSD_6_6_BASE OPENBSD_6_7_BASE OPENBSD_6_8_BASE
# 1.70 28-Jun-2019 deraadt

When system calls indicate an error they return -1, not some arbitrary
value < 0. errno is only updated in this case. Change all (most?)
callers of syscalls to follow this better, and let's see if this strictness
helps us in the future.


Revision tags: OPENBSD_6_4_BASE OPENBSD_6_5_BASE
# 1.69 04-Oct-2018 djm

when the peer sends a channel-close message, make sure we close the
local extended read fd (stderr) along with the regular read fd (stdout).
Avoids weird stuck processes in multiplexing mode.

Report and analysis by Nelson Elhage and Geoffrey Thomas in bz#2863

ok dtucker@ markus@


# 1.68 04-Oct-2018 djm

include a little more information about the status and disposition of
channel's extended (stderr) fd; makes debugging some things a bit easier.
No behaviour change.


Revision tags: OPENBSD_6_2_BASE OPENBSD_6_3_BASE
# 1.67 12-Sep-2017 djm

Make remote channel ID a u_int

Previously we tracked the remote channel IDs in an int, but this is
strictly incorrect: the wire protocol uses uint32 and there is nothing
in-principle stopping a SSH implementation from sending, say, 0xffff0000.

In practice everyone numbers their channels sequentially, so this has
never been a problem.

ok markus@


# 1.66 12-Sep-2017 djm

refactor channels.c

Move static state to a "struct ssh_channels" that is allocated at
runtime and tracked as a member of struct ssh.

Explicitly pass "struct ssh" to all channels functions.

Replace use of the legacy packet APIs in channels.c.

Rework sshd_config PermitOpen handling: previously the configuration
parser would call directly into the channels layer. After the refactor
this is not possible, as the channels structures are allocated at
connection time and aren't available when the configuration is parsed.
The server config parser now tracks PermitOpen itself and explicitly
configures the channels code later.

ok markus@


# 1.65 30-Apr-2017 djm

obliterate ssh1.h and some dead code that used it

ok markus@


# 1.64 30-Apr-2017 djm

remove compat20/compat13/compat15 variables

ok markus@


Revision tags: OPENBSD_4_7_BASE OPENBSD_4_8_BASE OPENBSD_4_9_BASE OPENBSD_5_0_BASE OPENBSD_5_1_BASE OPENBSD_5_2_BASE OPENBSD_5_3_BASE OPENBSD_5_4_BASE OPENBSD_5_5_BASE OPENBSD_5_6_BASE OPENBSD_5_7_BASE OPENBSD_5_8_BASE OPENBSD_5_9_BASE OPENBSD_6_0_BASE OPENBSD_6_1_BASE
# 1.63 26-Jan-2010 djm

rewrite ssh(1) multiplexing code to a more sensible protocol.

The new multiplexing code uses channels for the listener and
accepted control sockets to make the mux master non-blocking, so
no stalls when processing messages from a slave.

avoid use of fatal() in mux master protocol parsing so an errant slave
process cannot take down a running master.

implement requesting of port-forwards over multiplexed sessions. Any
port forwards requested by the slave are added to those the master has
established.

add support for stdio forwarding ("ssh -W host:port ...") in mux slaves.

document master/slave mux protocol so that other tools can use it to
control a running ssh(1). Note: there are no guarantees that this
protocol won't be incompatibly changed (though it is versioned).

feedback Salvador Fandino, dtucker@
channel changes ok markus@


Revision tags: OPENBSD_4_5_BASE OPENBSD_4_6_BASE
# 1.62 07-Nov-2008 stevesk

add space to some log/debug messages for readability; ok djm@ markus@


# 1.61 11-Sep-2008 markus

only send eow and no-more-sessions requests to openssh 5 and newer;
fixes interop problems with broken ssh v2 implementations; ok djm@


Revision tags: OPENBSD_4_4_BASE
# 1.60 30-Jun-2008 djm

only send eow@openssh.com notifications for session channels; ok! markus@


# 1.59 09-May-2008 markus

unbreak
ssh -2 localhost od /bin/ls | true
ignoring SIGPIPE by adding a new channel message (EOW) that signals
the peer that we're not interested in any data it might send.
fixes bz #85; discussion, debugging and ok djm@


# 1.58 08-May-2008 djm

Implement a channel success/failure status confirmation callback
mechanism. Each channel maintains a queue of callbacks, which will
be drained in order (RFC4253 guarantees confirm messages are not
reordered within a channel).

Also includes an abandonment callback to clean up if a channel is
closed without sending confirmation messages. This probably
shouldn't happen in compliant implementations, but it could be
abused to leak memory.

ok markus@ (as part of a larger diff)


Revision tags: OPENBSD_4_0_BASE OPENBSD_4_1_BASE OPENBSD_4_2_BASE OPENBSD_4_3_BASE
# 1.57 03-Aug-2006 deraadt

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step


# 1.56 22-Jul-2006 stevesk

move #include <string.h> out of includes.h


# 1.55 11-Jul-2006 stevesk

move #include <errno.h> out of includes.h; ok markus@


# 1.54 08-Jul-2006 stevesk

move #include <sys/socket.h> out of includes.h


# 1.53 25-Mar-2006 djm

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files


# 1.52 19-Mar-2006 deraadt

RCSID() can die


Revision tags: OPENBSD_3_6_BASE OPENBSD_3_7_BASE OPENBSD_3_8_BASE OPENBSD_3_9_BASE
# 1.51 11-Jul-2004 deraadt

branches: 1.51.6; 1.51.8;
spaces


# 1.50 21-Jun-2004 avsm

make ssh -Wshadow clean, no functional changes
markus@ ok


Revision tags: OPENBSD_3_4_BASE OPENBSD_3_5_BASE
# 1.49 29-Aug-2003 markus

branches: 1.49.2; 1.49.4;
be less chatty; debug -> debug2, cleanup; ok henning@


# 1.48 08-Apr-2003 itojun

rename log() into logit() to avoid name conflict. markus ok, from netbsd


Revision tags: OPENBSD_3_2_BASE OPENBSD_3_3_BASE
# 1.47 19-Jun-2002 deraadt

branches: 1.47.2; 1.47.4;
KNF done automatically while reading....


# 1.46 09-Jun-2002 markus

use tab not spaces (|unexpand)


Revision tags: OPENBSD_3_1_BASE
# 1.45 25-Mar-2002 markus

branches: 1.45.2;
don't send stderr data after EOF, accept this from older known (broken)
sshd servers only, fixes http://bugzilla.mindrot.org/show_bug.cgi?id=179


# 1.44 21-Jan-2002 markus

cleanup channels faster if they are empty and we are in drain-state; ok deraadt@


# 1.43 14-Jan-2002 markus

(c) 2002


# 1.42 14-Jan-2002 markus

remove function pointers for events, remove chan_init*; ok provos@


# 1.41 14-Jan-2002 markus

remove duplicated code; ok provos@


# 1.40 14-Jan-2002 markus

correct fn names for ssh2, do not switch from closed to closed; ok provos@


# 1.39 14-Jan-2002 markus

merge chan_[io]buf_empty[12]; ok provos@


# 1.38 14-Jan-2002 markus

chan_send_oclose1() no longer calls chan_shutdown_write(); ok provos@


# 1.37 13-Jan-2002 markus

add chan_set_[io]state(), order states, state is now an u_int,
simplifies debugging messages; ok provos@


# 1.36 10-Jan-2002 markus

more unused code (with channels.c:1.156)


# 1.35 10-Jan-2002 markus

remove dead code (skip drain)


# 1.34 09-Jan-2002 markus

replace buffer_consume(b, buffer_len(b)) with buffer_clear(b); ok provos@


# 1.33 19-Dec-2001 deraadt

basic KNF done while i was looking for something else


Revision tags: OPENBSD_3_0_BASE
# 1.32 10-Oct-2001 markus

branches: 1.32.2;
try to keep channels open until an exit-status message is sent.
don't kill the login shells if the shells stdin/out/err is closed.
this should now work:
ssh -2n localhost 'exec > /dev/null 2>&1; sleep 10; exit 5'; echo ?


# 1.31 17-Jul-2001 markus

keep track of both maxfd and the size of the malloc'ed fdsets.
update maxfd if maxfd gets closed.


# 1.30 25-Jun-2001 markus

update copyright for 2001


# 1.29 23-Jun-2001 itojun

more strict prototypes. raise warning level in Makefile.inc. markus ok'ed
TODO; cleanup headers


# 1.28 31-May-2001 markus

undo the .c file split, just merge the header and keep the cvs history


# 1.27 30-May-2001 markus

channel layer cleanup: merge header files and split .c files


# 1.26 28-May-2001 markus

undo broken channel fix and try a different one. there
should be still some select errors...


# 1.25 16-May-2001 markus

more select() error fixes (don't set rfd/wfd to -1).


# 1.24 04-May-2001 markus

move to Channel **channels (instead of Channel *channels), fixes realloc problems.
channel_new now returns a Channel *, favour Channel * over channel id.
remove old channel_allocate interface.


Revision tags: OPENBSD_2_9_BASE
# 1.23 28-Feb-2001 markus

branches: 1.23.2;
make sure remote stderr does not get truncated.
remove closed fd's from the select mask.


# 1.22 21-Jan-2001 markus

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]


# 1.21 19-Jan-2001 markus

move ssh1 definitions to ssh1.h, pathnames to pathnames.h


# 1.20 06-Nov-2000 markus

agent forwarding and -R for ssh2, based on work from jhuuskon@messi.uku.fi


Revision tags: OPENBSD_2_8_BASE
# 1.19 07-Sep-2000 deraadt

branches: 1.19.2;
cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.18 20-Jun-2000 markus

OpenBSD tag


Revision tags: OPENBSD_2_7_BASE
# 1.17 08-May-2000 markus

branches: 1.17.2;
no drain if ibuf_empty, fixes x11fwd problems; tests by fries@


# 1.16 03-May-2000 markus

fix close for non-open ssh1 channels


# 1.15 02-May-2000 markus

use c-style comments


# 1.14 14-Apr-2000 markus

whitespace cleanup


# 1.13 03-Apr-2000 markus

channel layer support for ssh2


# 1.12 28-Mar-2000 markus

sync w/ channels.c


# 1.11 28-Mar-2000 markus

replace big switch() with function tables (prepare for ssh2)


# 1.10 10-Jan-2000 markus

handle OCLOSE for CHAN_INPUT_WAIT_DRAIN, i.e. do not drain buffer if
peer is not going to read the data.


# 1.9 02-Dec-1999 markus

use error() for internal errors


# 1.8 24-Nov-1999 markus

it's not an error() if shutdown_write fails in nchan.


# 1.7 24-Nov-1999 markus

missing copyright


# 1.6 23-Nov-1999 markus

KNF part 1


# 1.5 25-Oct-1999 markus

remove buggy 'x11-fix'


# 1.4 25-Oct-1999 markus

typo in debug messages (input vs. ouput)


Revision tags: OPENBSD_2_6_BASE
# 1.3 17-Oct-1999 markus

re-implement the proto-1.5 channel close protocol, see nchan.ms.


# 1.2 16-Oct-1999 markus

add CVS tags, fix comments and whitespace


# 1.1 16-Oct-1999 markus

support for SSH protocol 1.5 which is poorly documented, the RFC.troff lies.
interops (x11,agent,etc) with 1.2.27 and protocol 1.3


# 1.19 07-Sep-2000 deraadt

branches: 1.19.2;
cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.18 20-Jun-2000 markus

OpenBSD tag


Revision tags: OPENBSD_2_7_BASE
# 1.17 08-May-2000 markus

branches: 1.17.2;
no drain if ibuf_empty, fixes x11fwd problems; tests by fries@


# 1.16 03-May-2000 markus

fix close for non-open ssh1 channels


# 1.15 02-May-2000 markus

use c-style comments


# 1.14 14-Apr-2000 markus

whitespace cleanup


# 1.13 03-Apr-2000 markus

channel layer support for ssh2


# 1.12 28-Mar-2000 markus

sync w/ channels.c


# 1.11 28-Mar-2000 markus

replace big switch() with function tables (prepare for ssh2)


# 1.10 10-Jan-2000 markus

handle OCLOSE for CHAN_INPUT_WAIT_DRAIN, i.e. do not drain buffer if
peer is not going to read the data.


# 1.9 02-Dec-1999 markus

use error() for internal errors


# 1.8 24-Nov-1999 markus

it's not an error() if shutdown_write fails in nchan.


# 1.7 24-Nov-1999 markus

missing copyright


# 1.6 23-Nov-1999 markus

KNF part 1


# 1.5 25-Oct-1999 markus

remove buggy 'x11-fix'


# 1.4 25-Oct-1999 markus

typo in debug messages (input vs. ouput)


Revision tags: OPENBSD_2_6_BASE
# 1.3 17-Oct-1999 markus

re-implement the proto-1.5 channel close protocol, see nchan.ms.


# 1.2 16-Oct-1999 markus

add CVS tags, fix comments and whitespace


# 1.1 16-Oct-1999 markus

support for SSH protocol 1.5 which is poorly documented, the RFC.troff lies.
interops (x11,agent,etc) with 1.2.27 and protocol 1.3



# 1.21 19-Jan-2001 markus

move ssh1 definitions to ssh1.h, pathnames to pathnames.h


# 1.20 06-Nov-2000 markus

agent forwarding and -R for ssh2, based on work from jhuuskon@messi.uku.fi


Revision tags: OPENBSD_2_8_BASE
# 1.19 07-Sep-2000 deraadt

branches: 1.19.2;
cleanup copyright notices on all files. I have attempted to be accurate with
the details. everything is now under Tatu's licence (which I copied from his
readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd
developers under a 2-term bsd licence. We're not changing any rules, just
being accurate.


# 1.18 20-Jun-2000 markus

OpenBSD tag


Revision tags: OPENBSD_2_7_BASE
# 1.17 08-May-2000 markus

branches: 1.17.2;
no drain if ibuf_empty, fixes x11fwd problems; tests by fries@


# 1.16 03-May-2000 markus

fix close for non-open ssh1 channels


# 1.15 02-May-2000 markus

use c-style comments


# 1.14 14-Apr-2000 markus

whitespace cleanup


# 1.13 03-Apr-2000 markus

channel layer support for ssh2


# 1.12 28-Mar-2000 markus

sync w/ channels.c


# 1.11 28-Mar-2000 markus

replace big switch() with function tables (prepare for ssh2)


# 1.10 10-Jan-2000 markus

handle OCLOSE for CHAN_INPUT_WAIT_DRAIN, i.e. do not drain buffer if
peer is not going to read the data.


# 1.9 02-Dec-1999 markus

use error() for internal errors


# 1.8 24-Nov-1999 markus

it's not an error() if shutdown_write fails in nchan.


# 1.7 24-Nov-1999 markus

missing copyright


# 1.6 23-Nov-1999 markus

KNF part 1


# 1.5 25-Oct-1999 markus

remove buggy 'x11-fix'


# 1.4 25-Oct-1999 markus

typo in debug messages (input vs. ouput)


Revision tags: OPENBSD_2_6_BASE
# 1.3 17-Oct-1999 markus

re-implement the proto-1.5 channel close protocol, see nchan.ms.


# 1.2 16-Oct-1999 markus

add CVS tags, fix comments and whitespace


# 1.1 16-Oct-1999 markus

support for SSH protocol 1.5 which is poorly documented, the RFC.troff lies.
interops (x11,agent,etc) with 1.2.27 and protocol 1.3


# 1.69 04-Oct-2018 djm

when the peer sends a channel-close message, make sure we close the
local extended read fd (stderr) along with the regular read fd (stdout).
Avoids weird stuck processes in multiplexing mode.

Report and analysis by Nelson Elhage and Geoffrey Thomas in bz#2863

ok dtucker@ markus@


# 1.68 04-Oct-2018 djm

include a little more information about the status and disposition of
channel's extended (stderr) fd; makes debugging some things a bit easier.
No behaviour change.


Revision tags: OPENBSD_6_2_BASE OPENBSD_6_3_BASE
# 1.67 12-Sep-2017 djm

Make remote channel ID a u_int

Previously we tracked the remote channel IDs in an int, but this is
strictly incorrect: the wire protocol uses uint32 and there is nothing
in-principle stopping a SSH implementation from sending, say, 0xffff0000.

In practice everyone numbers their channels sequentially, so this has
never been a problem.

ok markus@


# 1.66 12-Sep-2017 djm

refactor channels.c

Move static state to a "struct ssh_channels" that is allocated at
runtime and tracked as a member of struct ssh.

Explicitly pass "struct ssh" to all channels functions.

Replace use of the legacy packet APIs in channels.c.

Rework sshd_config PermitOpen handling: previously the configuration
parser would call directly into the channels layer. After the refactor
this is not possible, as the channels structures are allocated at
connection time and aren't available when the configuration is parsed.
The server config parser now tracks PermitOpen itself and explicitly
configures the channels code later.

ok markus@


# 1.65 30-Apr-2017 djm

obliterate ssh1.h and some dead code that used it

ok markus@


# 1.64 30-Apr-2017 djm

remove compat20/compat13/compat15 variables

ok markus@


Revision tags: OPENBSD_4_7_BASE OPENBSD_4_8_BASE OPENBSD_4_9_BASE OPENBSD_5_0_BASE OPENBSD_5_1_BASE OPENBSD_5_2_BASE OPENBSD_5_3_BASE OPENBSD_5_4_BASE OPENBSD_5_5_BASE OPENBSD_5_6_BASE OPENBSD_5_7_BASE OPENBSD_5_8_BASE OPENBSD_5_9_BASE OPENBSD_6_0_BASE OPENBSD_6_1_BASE
# 1.63 26-Jan-2010 djm

rewrite ssh(1) multiplexing code to a more sensible protocol.

The new multiplexing code uses channels for the listener and
accepted control sockets to make the mux master non-blocking, so
no stalls when processing messages from a slave.

avoid use of fatal() in mux master protocol parsing so an errant slave
process cannot take down a running master.

implement requesting of port-forwards over multiplexed sessions. Any
port forwards requested by the slave are added to those the master has
established.

add support for stdio forwarding ("ssh -W host:port ...") in mux slaves.

document master/slave mux protocol so that other tools can use it to
control a running ssh(1). Note: there are no guarantees that this
protocol won't be incompatibly changed (though it is versioned).

feedback Salvador Fandino, dtucker@
channel changes ok markus@


Revision tags: OPENBSD_4_5_BASE OPENBSD_4_6_BASE
# 1.62 07-Nov-2008 stevesk

add space to some log/debug messages for readability; ok djm@ markus@


# 1.61 11-Sep-2008 markus

only send eow and no-more-sessions requests to openssh 5 and newer;
fixes interop problems with broken ssh v2 implementations; ok djm@


Revision tags: OPENBSD_4_4_BASE
# 1.60 30-Jun-2008 djm

only send eow@openssh.com notifications for session channels; ok! markus@


# 1.59 09-May-2008 markus

unbreak
ssh -2 localhost od /bin/ls | true
ignoring SIGPIPE by adding a new channel message (EOW) that signals
the peer that we're not interested in any data it might send.
fixes bz #85; discussion, debugging and ok djm@


# 1.58 08-May-2008 djm

Implement a channel success/failure status confirmation callback
mechanism. Each channel maintains a queue of callbacks, which will
be drained in order (RFC4253 guarantees confirm messages are not
reordered within a channel).

Also includes an abandonment callback to clean up if a channel is
closed without sending confirmation messages. This probably
shouldn't happen in compliant implementations, but it could be
abused to leak memory.

ok markus@ (as part of a larger diff)



