spelling; ok djm@

Make sure sftp_get_limits() only returns 0 if 'limits' was initialized.
This fixes a potential uninitialized use of 'limits' in sftp_init() if
sftp_get_limits() returned early because of an unexpected message type.

ok djm@

fix recursive remote-remote copies of directories that contain symlinks
to other directories (similar to bz3611)

the sftp code was one of my first contributions to OpenSSH and it
shows - the function names are terrible.

Rename do_blah() to sftp_blah() to make them less so.

Completely mechanical except for sftp_stat() and sftp_lstat() which
change from returning a pointer to a static variable (error-prone) to
taking a pointer to a caller-provided receiver.

fix scp in SFTP mode recursive upload and download of directories
that contain symlinks to other directories. In scp mode, the links
would be followed, but in SFTP mode they were not. bz3611, ok dtucker@

adjust ftruncate() logic to handle servers that reorder requests.

sftp/scp will ftruncate the destination file after a transfer completes,
to deal with the case where a longer destination file already existed.
We tracked the highest contiguous block transferred to deal with this
case, but our naive tracking doesn't deal with servers that reorder
requests - a misfeature strictly permitted by the protocol but seldom
implemented.

Adjust the logic to ftruncate() at the highest absolute block received
when the transfer is successful. feedback deraadt@ ok markus@

prompted by https://github.com/openssh/openssh-portable/commit/9b733#commitcomment-110679778

Plug more mem leaks in sftp by making make_absolute_pwd_glob work in
the same way as make_absolute: you pass it a dynamically allocated string
and it either returns it, or frees it and allocates a new one.
Patch from emaste at freebsd.org and https://reviews.freebsd.org/D37253
ok djm@

Delete obsolete /* ARGSUSED */ lint comments.

ok miod@ millert@

clamp the minimum buffer lengths and number of inflight requests too

ignore bogus upload/download buffer lengths in the limits extension

add a -X option to both scp(1) and sftp(1) to allow control over
some SFTP protocol knobs: the copy buffer length and the number of
inflight requests, both of which are used during upload/download.

Previously these could be controlled in sftp(1) using the -b/-R options.
This makes them available in both SFTP protocol clients using the same
option character sequence.

ok dtucker@

sftp client library support for users-groups-by-id@openssh.com;
ok markus@

fix in-place copies; r1.163 incorrectly skipped truncation in all cases,
not just at the start of a transfer. This could cause overwrites of larger
files to leave junk at the end. Spotted by tb@

arrange for scp, when in sftp mode, to not ftruncate(3) files early

previous behavious of unconditionally truncating the destination file
would cause "scp ~/foo localhost:" and "scp localhost:foo ~/" to
delete all the contents of their destination.

spotted by solene@ sthen@, also bz3431; ok dtucker@

add a sftp client "cp" command that supports server-side copying
of files. Useful for this task and for testing the copy-data
extension. Patch from Mike Frysinger; ok dtucker@

make most of the sftp errors more idiomatic, following the general form
of "[local/remote] operation path: error message"; ok markus

use status error message to communicate ~user expansion failures;
provides better experience for scp in sftp mode, where ~user paths
are more likely to be used; spotted jsg, feedback jsg & deraadt
ok jsg & markus

more idiomatic error messages; spotted by jsg & deraadt
ok jsg & markus

spelling
ok dtucker@

Plug a couple of minor mem leaks. From beldmit at gmail.com via github
PR#283, ok markus@

For open/openat, if the flags parameter does not contain O_CREAT, the
3rd (variadic) mode_t parameter is irrelevant. Many developers in the past
have passed mode_t (0, 044, 0644, or such), which might lead future people
to copy this broken idiom, and perhaps even believe this parameter has some
meaning or implication or application. Delete them all.
This comes out of a conversation where tb@ noticed that a strange (but
intentional) pledge behaviour is to always knock-out high-bits from
mode_t on a number of system calls as a safety factor, and his bewilderment
that this appeared to be happening against valid modes (at least visually),
but no sorry, they are all irrelevant junk. They could all be 0xdeafbeef.
ok millert

Remove redundant attrib_clear in upload_dir_internal. The subsequent
call to stat_to_attrib clears the struct as its first step anyway.
From pmeinhardt via github PR#220, ok djm@

SFTP protocol extension to allow the server to expand ~-prefixed
paths, in particular ~user ones. Allows scp in sftp mode to accept
these paths, like scp in rcp mode does.

prompted by and much discussion deraadt@
ok markus@

show only the final path component in the progress meter;
more useful with long paths (that may truncate) and better
matches traditional scp behaviour; spotted by naddy@
ok deraadt@

sftp-client.c needs poll.h

remove unused variable

do_upload() used a near-identical structure for tracking
expected status replies from the server to what do_download()
was using.

Refactor it to use the same structure and factor out some common
code into helper functions.

make scp(1) in SFTP mode follow symlinks like traditional scp(1)
ok markus@

fix incorrect directory permissions on scp -3 transfers;
ok markus@

a bit more debugging of file attributes being sent/received
over the wire

make scp(1) in SFTP mode output better match original scp(1) by
suppressing "Retrieving [path]" lines that were emitted to support
the interactive sftp(1) client. ok markus@

factor out a structure duplicated between downloading and
crossloading; ok markus@

support for "cross"-loading files/directories, i.e. downloading
from one SFTP server while simultaneously uploading to another.

feedback & ok markus@

factor our SSH2_FXP_OPEN calls into their own function;
"looks fine" markus@

degrade gracefully if a sftp-server offers the limits@openssh.com
extension but fails when the client tries to invoke it.
Reported by Hector Martin via bz3318

highly polished whitespace, mostly fixing spaces-for-tab and bad
indentation on continuation lines. Prompted by GHPR#185

Use new limits@openssh.com protocol extension to let the client select
good limits based on what the server supports. Split the download and
upload buffer sizes to allow them to be chosen independently.

In practice (and assuming upgraded sftp/sftp-server at each end), this
increases the download buffer 32->64KiB and the upload buffer
32->255KiB.

Patches from Mike Frysinger; ok dtucker@

no need to reset buffer after send_msg() as that is done for us;
patch from Mike Frysinger

shuffle a few utility functions into sftp-client.c; from Jakub Jelen

When doing an sftp recursive upload or download of a read-only directory,
ensure that the directory is created with write and execute permissions
in the interim so that we can actually complete the transfer, then set
the directory permission as the final step. (The execute bit is only
likely to be an issue with a non-POSIX server). bz#3222, ok djm@

use the new variant log macros instead of prepending __func__ and
appending ssh_err(r) manually; ok markus@

fix off-by-one error that caused sftp downloads to make one more
concurrent request that desired. This prevented using sftp(1) in
unpipelined request/response mode, which is useful when debugging.
Patch from Stephen Goetze in bz#3054

fix memory leak in error path; bz#3074
patch from krishnaiah.bommu@intel.com, ok dtucker

print explicit "not modified" message if a file was requested for
resumed download but was considered already complete.

bz#2978 ok dtucker

Have progressmeter force an update at the beginning and end of each
transfer. Fixes the problem recently introduces where very quick
transfers do not display the progressmeter at all. Spotted by naddy@

Sanitize scp filenames via snmprintf. To do this we move the
progressmeter formatting outside of signal handler context and have
the atomicio callback called for EINTR too. bz#2434 with contributions
from djm and jjelen at redhat.com, ok djm@

Add "-h" flag to sftp chown/chgrp/chmod commands to request they do
not follow symlinks. Requires recently-committed lsetstat@openssh.com
extension on the server side.

ok markus@ dtucker@

fix some memory leaks spotted by Coverity via Jakub Jelen in bz#2366
feedback and ok dtucker@

Fix return value confusion in several functions (readdir, download and
fsync). These should return -1 on error, not a sftp status code.

patch from Petr Cerny in bz#2871

Have sftp print a warning about shell cleanliness when decoding the first
packet fails, which is usually caused by shells polluting stdout of
non-interactive starups. bz#2800, ok markus@ deraadt@.

don't print verbose error message when ssh disconnects under sftp;
bz#2750; ok dtucker@

check number of entries in SSH2_FXP_NAME response; avoids
unreachable overflow later. Reported by Jann Horn

Add MAXIMUM(), MINIMUM(), and ROUNDUP() to misc.h, then use those definitions
rather than pulling <sys/param.h> and unknown namespace pollution.
ok djm markus dtucker

To prevent screwing up terminal settings when printing to the
terminal, for ASCII and UTF-8, escape bytes not forming characters
and bytes forming non-printable characters with vis(3) VIS_OCTAL.
For other character sets, abort printing of the current string in
these cases. In particular,
* let scp(1) respect the local user's LC_CTYPE locale(1);
* sanitize data received from the remote host;
* sanitize filenames, usernames, and similar data even locally;
* take character display widths into account for the progressmeter.

This is believed to be sufficient to keep the local terminal safe
on OpenBSD, but bad things can still happen on other systems with
state-dependent locales because many places in the code print
unencoded ASCII characters into the output stream.

Using feedback from djm@ and martijn@,
various aspects discussed with many others.

deraadt@ says it should go in now, i probably already hesitated too long

fix signed/unsigned errors reported by clang-3.7; add
sshbuf_dup_string() to replace a common idiom of
strdup(sshbuf_ptr()) with better safety checking;
feedback and ok markus@

whitespace at EOL

fix regression in openssh-6.8 sftp client: existing destination
directories would incorrectly terminate recursive uploads;
bz#2528

add error message on ftruncate failure; bz#2176

fix a memory leak in an error path
ok markus@ dtucker@

rename xrealloc() to xreallocarray() since it follows that form.
ok djm

Reduce use of <sys/param.h> and transition to <limits.h> throughout.
ok djm markus

update sftp client and server to new buffer API.
pretty much just mechanical changes; with & ok markus

Implement sftp upload resume support.

OK from djm@, with input from guenther@, mlarkin@ and
okan@

replace most bzero with explicit_bzero, except a few that cna be memset
ok djm dtucker

signed/unsigned comparison warning fix; from portable

needless and incorrect cast to size_t can break resumption of
large download; patch from tobias@

fix memory leak in error path in do_readdir(); pointed out by
Loganaden Velvindron @ AfriNIC in bz#2163

bz#2171: don't leak local_fd on error; from Loganaden Velvindron @
AfriNIC

Include stdlib.h for free() as per the man page.

use calloc for all structure allocations; from markus@

fsync@openssh.com protocol extension for sftp-server
client support to allow calling fsync() faster successful transfer
patch mostly by imorgan AT nas.nasa.gov; bz#1798
"fine" markus@ "grumble OK" deraadt@ "doesn't sound bad to me" millert@

missed one arg reorder

rename flag arguments to be more clear and consistent.
reorder some internal function arguments to make adding additional flags
easier.

no functional change

fix swapped pflag and printflag in sftp upload_dir; from Iain Morgan

two problems found by a to-be-committed regress test: 1) msg_id was not
being initialised so was starting at a random value from the heap
(harmless, but confusing). 2) some error conditions were not being
propagated back to the caller

add a "-l" flag for the rename command to force it to use the silly
standard SSH_FXP_RENAME command instead of the POSIX-rename- like
posix-rename@openssh.com extension.

intended for use in regress tests, so no documentation.

branches: 1.101.2;
sftp support for resuming partial downloads; patch mostly by Loganaden
Velvindron/AfriNIC with some tweaks by me; feedback and ok dtucker@
"Just be careful" deraadt@

Update progressmeter when data is acked, not when it's sent. bz#2108, from
Debian via Colin Watson, ok djm@

Replace S_IWRITE, which isn't standardized, with S_IWUSR, which is. Patch
from Nathan Osman via bz#2085. ok deraadt.

bye, bye xfree(); ok markus@

branches: 1.97.4;
fix a couple of "assigned but not used" warnings. ok markus@

fix leak in do_lsreaddir(); ok djm

fix leaks in do_hardlink() and do_readlink(); bz#1921
from Loganaden Velvindron

add a protocol extension to support a hard link operation. It is
available through the "ln" command in the client. The old "ln"
behaviour of creating a symlink is available using its "-s" option
or through the preexisting "symlink" command; based on a patch from
miklos AT szeredi.hu in bz#1555; ok markus@

add an option per-read/write callback to atomicio

factor out bandwidth limiting code from scp(1) into a generic bandwidth
limiter that can be attached using the atomicio callback mechanism

add a bandwidth limit option to sftp(1) using the above

"very nice" markus@

bz#1797: fix swapped args in upload_dir_internal(), breaking recursive
upload depth checks and causing verbose printing of transfers to always
be turned on; patch from imorgan AT nas.nasa.gov

fix memory leak in do_realpath() error path; bz#1771, patch from
anicka AT suse.cz

d_type isn't portable so use lstat to get dirent modes. Suggested by and
"looks sane" deraadt@

recursive transfer support for get/put and on the commandline
work mostly by carlosvsilvapt@gmail.com for the Google Summer of Code
with some tweaks by me; "go for it" deraadt@

make the "get_handle: ..." error messages vaguely useful by allowing
callers to specify their own error message strings.

alphabetize includes; reduces diff vs portable and style(9). ok stevesk djm

allow the sftp chmod(2)-equivalent operation to set set[ug]id/sticky
bits. Note that this only affects explicit setting of modes (e.g. via
sftp(1)'s chmod command) and not file transfers. (bz#1310)
ok deraadt@ at c2k8

print extension revisions for extensions that we understand

Have the sftp client store the statvfs replies in wire format,
which prevents problems when the server's native sizes exceed the
client's.

Also extends the sizes of the remaining 32bit wire format to 64bit,
they're specified as unsigned long in the standard.

statvfs member fsid needs to be wider, increase it to 64 bits and
crank extension revision number to 2; prodded and ok dtucker@

introduce sftp extension methods statvfs@openssh.com and
fstatvfs@openssh.com that implement statvfs(2)-like operations,
based on a patch from miklos AT szeredi.hu (bz#1399)

also add a "df" command to the sftp client that uses the
statvfs@openssh.com to produce a df(1)-like display of filesystem
space and inode utilisation

ok markus@

prefer POSIX-style file renaming over filexfer rename behaviour if the server
supports the posix-rename@openssh.com extension.

Note that the old (filexfer) behaviour would refuse to clobber an existing
file. Users who depended on this should adjust their sftp(1) usage.

ok deraadt@ markus@

when a remote write error occurs during an upload, ensure that ACKs for all
issued requests are properly drained. patch from t8m AT centrum.cz

fix remote handle leak in do_download() local file open error path;
report and fix from sworley AT chkno.net

disable unused functions

initially from tobias@, but disabled them by placing them in "#ifdef notyet" which was asked by djm@

ok djm@ tobias@

use off_t instead of u_int64_t for file offsets, matching what the
progressmeter code expects; bz #842

return error from do_upload() when a write fails. fixes bz#1252: zero
exit status from sftp when uploading to a full device. report from
jirkat AT atlas.cz; ok dtucker@

cancel progress meter when upload write fails; ok deraadt@

branches: 1.74.4;
almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step

move #include <stdio.h> out of includes.h

move #include <sys/param.h> out of includes.h

move #include <sys/time.h> out of includes.h

#include <signal.h> for sig_atomic_t; need this prior to <sys/param.h>
move

move #include <string.h> out of includes.h

move #include <unistd.h> out of includes.h

move #include <errno.h> out of includes.h; ok markus@

move #include <fcntl.h> out of includes.h

avoid making a tiny 4-byte write to send the packet length of sftp
commands, which would result in a separate tiny packet on the wire by
using atomiciov(writev, ...) to write the length and the command in one
pass; ok deraadt@

replace {GET,PUT}_XXBIT macros with functionally similar functions,
silencing a heap of lint warnings. also allows them to use
__bounded__ checking which can't be applied to macros; requested
by and feedback from deraadt@

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files

change OpenSSH's xrealloc() function from being xrealloc(p, new_size) to
xrealloc(p, new_nmemb, new_itemsize).

realloc is particularly prone to integer overflows because it is almost
always allocating "n * size" bytes, so this is a far safer API;
ok deraadt@

RCSID() can die

branches: 1.60.2;
move #include <sys/stat.h> out of includes.h; ok markus@

typo in comment; ok djm@

use a common max. packet length, no binary change

branches: 1.57.2;
Silence bogus -Wuninitialized warnings; ok djm@

knf says that a 2nd level indent is four (not three or five) spaces

make this -Wsign-compare clean; ok avsm@ markus@

Switch atomicio to use a simpler interface; it now returns a size_t
(containing number of bytes read/written), and indicates error by
returning 0. EOF is signalled by errno==EPIPE.
Typical use now becomes:

if (atomicio(read, ..., len) != len)
err(1,"read");

ok deraadt@, cloder@, djm@

branches: 1.53.2;
spacing

leak; from mpech

branches: 1.51.2;
spaces

initialize pointers, ok markus@

gracefully abort transfers on receipt of SIGINT, also ignore SIGINT while
waiting for a command; ok markus@

sync comment with reality

branches: 1.47.2;
Don't print duplicate messages when progressmeter is off
Spotted by job317 AT mailvault.com; ok markus@

switch to license.template for code written by me (belated, I know...)

unexpand and delete whitespace at EOL; ok markus@

branches: 1.44.2;
deal with typing of write vs read in atomicio

rename log() into logit() to avoid name conflict. markus ok, from netbsd

branches: 1.42.2;
fix memory leaks; from dlheine@suif.Stanford.EDU/CLOUSEAU; ok djm@

Don't try to upload or download non-regular files. Report from
apoloval@pantuflo.escet.urjc.es; ok markus@

Simplify and avoid redundancy in packet send and receive function; ok fgs@

sftp progress meter support.
original diffs by Nils Nordman <nino at nforced dot com> via markus@, merged
to -current by me, djm@ ok.

Fix "get -p" download to not add user-write perm. mindrot bug #426 reported
by gfernandez@livevault.com; ok markus@

KNF

typo; GaryF@livevault.com

branches: 1.35.2;
support for short/long listings and globbing in "ls"; ok markus@

use xfree()

bunch of u_int vs int stuff

use tab not spaces (|unexpand)

branches: 1.31.2;
Fix occasional corruption on upload due to bad reuse of request id, spotted
by chombier@mac.com; ok markus@

fallback to stat if server does not support lstat

20480 is an upper limit for older server

KNF whitespace

indent

correct type mismatches (u_int64_t != unsigned long long)

printf type mismatch

early close(), missing free; ok stevesk@

API cleanup and backwards compat for filexfer v.0 servers; ok markus@

Let overlapped upload path handle servers which reorder ACKs. This may be
permitted by the protocol spec; ok markus@

Perform multiple overlapping read/write requests in file transfer. Mostly
done by Tobias Ringstrom <tori@ringstrom.mine.nu>; ok markus@

Add "-B" option to specify copy buffer length (default 32k); ok markus@

basic KNF done while i was looking for something else

branches: 1.18.2;
delete spurious #includes; ok deraadt@ markus@

more strict prototypes. raise warning level in Makefile.inc. markus ok'ed
TODO; cleanup headers

branches: 1.16.2;
fix whitespace: unexpand + trailing spaces.

Report ssh connection closing correctly; ok deraadt@

Revise globbing for get/put to be more shell-like. In particular,
"get/put file* directory/" now works. ok markus@

Wall

sftp client filename globbing for get, put, ch{mod,grp,own}. ok markus@

branches: 1.11.2;
Support for new draft (draft-ietf-secsh-filexfer-01). New symlink handling
functions and small protocol change.

branches: 1.10.2;
Fix and document 'preserve modes & times' option ('-p' flag in sftp);
ok markus@

typo; ok Niels

%i -> %d

older servers reply with SSH2_FXP_NAME + count==0 instead of EOF

unsigned long long -> %llu, not %qu. markus ok

Don't free handles before we are done with them. Based on work from
Corinna Vinschen <vinschen@redhat.com>. ok markus@

replace arc4random with counter for request ids; ok markus@

unexpand and remove end-of-line whitespace; ok markus@

make gcc on the alpha even happier

Basic interactive sftp client; ok theo@

Make sure sftp_get_limits() only returns 0 if 'limits' was initialized.
This fixes a potential uninitialized use of 'limits' in sftp_init() if
sftp_get_limits() returned early because of an unexpected message type.

ok djm@

fix recursive remote-remote copies of directories that contain symlinks
to other directories (similar to bz3611)

the sftp code was one of my first contributions to OpenSSH and it
shows - the function names are terrible.

Rename do_blah() to sftp_blah() to make them less so.

Completely mechanical except for sftp_stat() and sftp_lstat() which
change from returning a pointer to a static variable (error-prone) to
taking a pointer to a caller-provided receiver.

fix scp in SFTP mode recursive upload and download of directories
that contain symlinks to other directories. In scp mode, the links
would be followed, but in SFTP mode they were not. bz3611, ok dtucker@

adjust ftruncate() logic to handle servers that reorder requests.

sftp/scp will ftruncate the destination file after a transfer completes,
to deal with the case where a longer destination file already existed.
We tracked the highest contiguous block transferred to deal with this
case, but our naive tracking doesn't deal with servers that reorder
requests - a misfeature strictly permitted by the protocol but seldom
implemented.

Adjust the logic to ftruncate() at the highest absolute block received
when the transfer is successful. feedback deraadt@ ok markus@

prompted by https://github.com/openssh/openssh-portable/commit/9b733#commitcomment-110679778

Plug more mem leaks in sftp by making make_absolute_pwd_glob work in
the same way as make_absolute: you pass it a dynamically allocated string
and it either returns it, or frees it and allocates a new one.
Patch from emaste at freebsd.org and https://reviews.freebsd.org/D37253
ok djm@

Delete obsolete /* ARGSUSED */ lint comments.

ok miod@ millert@

clamp the minimum buffer lengths and number of inflight requests too

ignore bogus upload/download buffer lengths in the limits extension

add a -X option to both scp(1) and sftp(1) to allow control over
some SFTP protocol knobs: the copy buffer length and the number of
inflight requests, both of which are used during upload/download.

Previously these could be controlled in sftp(1) using the -b/-R options.
This makes them available in both SFTP protocol clients using the same
option character sequence.

ok dtucker@

sftp client library support for users-groups-by-id@openssh.com;
ok markus@

fix in-place copies; r1.163 incorrectly skipped truncation in all cases,
not just at the start of a transfer. This could cause overwrites of larger
files to leave junk at the end. Spotted by tb@

arrange for scp, when in sftp mode, to not ftruncate(3) files early

previous behavious of unconditionally truncating the destination file
would cause "scp ~/foo localhost:" and "scp localhost:foo ~/" to
delete all the contents of their destination.

spotted by solene@ sthen@, also bz3431; ok dtucker@

add a sftp client "cp" command that supports server-side copying
of files. Useful for this task and for testing the copy-data
extension. Patch from Mike Frysinger; ok dtucker@

make most of the sftp errors more idiomatic, following the general form
of "[local/remote] operation path: error message"; ok markus

use status error message to communicate ~user expansion failures;
provides better experience for scp in sftp mode, where ~user paths
are more likely to be used; spotted jsg, feedback jsg & deraadt
ok jsg & markus

more idiomatic error messages; spotted by jsg & deraadt
ok jsg & markus

spelling
ok dtucker@

Plug a couple of minor mem leaks. From beldmit at gmail.com via github
PR#283, ok markus@

For open/openat, if the flags parameter does not contain O_CREAT, the
3rd (variadic) mode_t parameter is irrelevant. Many developers in the past
have passed mode_t (0, 044, 0644, or such), which might lead future people
to copy this broken idiom, and perhaps even believe this parameter has some
meaning or implication or application. Delete them all.
This comes out of a conversation where tb@ noticed that a strange (but
intentional) pledge behaviour is to always knock-out high-bits from
mode_t on a number of system calls as a safety factor, and his bewilderment
that this appeared to be happening against valid modes (at least visually),
but no sorry, they are all irrelevant junk. They could all be 0xdeafbeef.
ok millert

Remove redundant attrib_clear in upload_dir_internal. The subsequent
call to stat_to_attrib clears the struct as its first step anyway.
From pmeinhardt via github PR#220, ok djm@

SFTP protocol extension to allow the server to expand ~-prefixed
paths, in particular ~user ones. Allows scp in sftp mode to accept
these paths, like scp in rcp mode does.

prompted by and much discussion deraadt@
ok markus@

show only the final path component in the progress meter;
more useful with long paths (that may truncate) and better
matches traditional scp behaviour; spotted by naddy@
ok deraadt@

sftp-client.c needs poll.h

remove unused variable

do_upload() used a near-identical structure for tracking
expected status replies from the server to what do_download()
was using.

Refactor it to use the same structure and factor out some common
code into helper functions.

make scp(1) in SFTP mode follow symlinks like traditional scp(1)
ok markus@

fix incorrect directory permissions on scp -3 transfers;
ok markus@

a bit more debugging of file attributes being sent/received
over the wire

make scp(1) in SFTP mode output better match original scp(1) by
suppressing "Retrieving [path]" lines that were emitted to support
the interactive sftp(1) client. ok markus@

factor out a structure duplicated between downloading and
crossloading; ok markus@

support for "cross"-loading files/directories, i.e. downloading
from one SFTP server while simultaneously uploading to another.

feedback & ok markus@

factor our SSH2_FXP_OPEN calls into their own function;
"looks fine" markus@

degrade gracefully if a sftp-server offers the limits@openssh.com
extension but fails when the client tries to invoke it.
Reported by Hector Martin via bz3318

highly polished whitespace, mostly fixing spaces-for-tab and bad
indentation on continuation lines. Prompted by GHPR#185

Use new limits@openssh.com protocol extension to let the client select
good limits based on what the server supports. Split the download and
upload buffer sizes to allow them to be chosen independently.

In practice (and assuming upgraded sftp/sftp-server at each end), this
increases the download buffer 32->64KiB and the upload buffer
32->255KiB.

Patches from Mike Frysinger; ok dtucker@

no need to reset buffer after send_msg() as that is done for us;
patch from Mike Frysinger

shuffle a few utility functions into sftp-client.c; from Jakub Jelen

When doing an sftp recursive upload or download of a read-only directory,
ensure that the directory is created with write and execute permissions
in the interim so that we can actually complete the transfer, then set
the directory permission as the final step. (The execute bit is only
likely to be an issue with a non-POSIX server). bz#3222, ok djm@

use the new variant log macros instead of prepending __func__ and
appending ssh_err(r) manually; ok markus@

fix off-by-one error that caused sftp downloads to make one more
concurrent request that desired. This prevented using sftp(1) in
unpipelined request/response mode, which is useful when debugging.
Patch from Stephen Goetze in bz#3054

fix memory leak in error path; bz#3074
patch from krishnaiah.bommu@intel.com, ok dtucker

print explicit "not modified" message if a file was requested for
resumed download but was considered already complete.

bz#2978 ok dtucker

Have progressmeter force an update at the beginning and end of each
transfer. Fixes the problem recently introduces where very quick
transfers do not display the progressmeter at all. Spotted by naddy@

Sanitize scp filenames via snmprintf. To do this we move the
progressmeter formatting outside of signal handler context and have
the atomicio callback called for EINTR too. bz#2434 with contributions
from djm and jjelen at redhat.com, ok djm@

Add "-h" flag to sftp chown/chgrp/chmod commands to request they do
not follow symlinks. Requires recently-committed lsetstat@openssh.com
extension on the server side.

ok markus@ dtucker@

fix some memory leaks spotted by Coverity via Jakub Jelen in bz#2366
feedback and ok dtucker@

Fix return value confusion in several functions (readdir, download and
fsync). These should return -1 on error, not a sftp status code.

patch from Petr Cerny in bz#2871

Have sftp print a warning about shell cleanliness when decoding the first
packet fails, which is usually caused by shells polluting stdout of
non-interactive starups. bz#2800, ok markus@ deraadt@.

don't print verbose error message when ssh disconnects under sftp;
bz#2750; ok dtucker@

check number of entries in SSH2_FXP_NAME response; avoids
unreachable overflow later. Reported by Jann Horn

Add MAXIMUM(), MINIMUM(), and ROUNDUP() to misc.h, then use those definitions
rather than pulling <sys/param.h> and unknown namespace pollution.
ok djm markus dtucker

To prevent screwing up terminal settings when printing to the
terminal, for ASCII and UTF-8, escape bytes not forming characters
and bytes forming non-printable characters with vis(3) VIS_OCTAL.
For other character sets, abort printing of the current string in
these cases. In particular,
* let scp(1) respect the local user's LC_CTYPE locale(1);
* sanitize data received from the remote host;
* sanitize filenames, usernames, and similar data even locally;
* take character display widths into account for the progressmeter.

This is believed to be sufficient to keep the local terminal safe
on OpenBSD, but bad things can still happen on other systems with
state-dependent locales because many places in the code print
unencoded ASCII characters into the output stream.

Using feedback from djm@ and martijn@,
various aspects discussed with many others.

deraadt@ says it should go in now, i probably already hesitated too long

fix signed/unsigned errors reported by clang-3.7; add
sshbuf_dup_string() to replace a common idiom of
strdup(sshbuf_ptr()) with better safety checking;
feedback and ok markus@

whitespace at EOL

fix regression in openssh-6.8 sftp client: existing destination
directories would incorrectly terminate recursive uploads;
bz#2528

add error message on ftruncate failure; bz#2176

fix a memory leak in an error path
ok markus@ dtucker@

rename xrealloc() to xreallocarray() since it follows that form.
ok djm

Reduce use of <sys/param.h> and transition to <limits.h> throughout.
ok djm markus

update sftp client and server to new buffer API.
pretty much just mechanical changes; with & ok markus

Implement sftp upload resume support.

OK from djm@, with input from guenther@, mlarkin@ and
okan@

replace most bzero with explicit_bzero, except a few that cna be memset
ok djm dtucker

signed/unsigned comparison warning fix; from portable

needless and incorrect cast to size_t can break resumption of
large download; patch from tobias@

fix memory leak in error path in do_readdir(); pointed out by
Loganaden Velvindron @ AfriNIC in bz#2163

bz#2171: don't leak local_fd on error; from Loganaden Velvindron @
AfriNIC

Include stdlib.h for free() as per the man page.

use calloc for all structure allocations; from markus@

fsync@openssh.com protocol extension for sftp-server
client support to allow calling fsync() faster successful transfer
patch mostly by imorgan AT nas.nasa.gov; bz#1798
"fine" markus@ "grumble OK" deraadt@ "doesn't sound bad to me" millert@

missed one arg reorder

rename flag arguments to be more clear and consistent.
reorder some internal function arguments to make adding additional flags
easier.

no functional change

fix swapped pflag and printflag in sftp upload_dir; from Iain Morgan

two problems found by a to-be-committed regress test: 1) msg_id was not
being initialised so was starting at a random value from the heap
(harmless, but confusing). 2) some error conditions were not being
propagated back to the caller

add a "-l" flag for the rename command to force it to use the silly
standard SSH_FXP_RENAME command instead of the POSIX-rename- like
posix-rename@openssh.com extension.

intended for use in regress tests, so no documentation.

branches: 1.101.2;
sftp support for resuming partial downloads; patch mostly by Loganaden
Velvindron/AfriNIC with some tweaks by me; feedback and ok dtucker@
"Just be careful" deraadt@

Update progressmeter when data is acked, not when it's sent. bz#2108, from
Debian via Colin Watson, ok djm@

Replace S_IWRITE, which isn't standardized, with S_IWUSR, which is. Patch
from Nathan Osman via bz#2085. ok deraadt.

bye, bye xfree(); ok markus@

branches: 1.97.4;
fix a couple of "assigned but not used" warnings. ok markus@

fix leak in do_lsreaddir(); ok djm

fix leaks in do_hardlink() and do_readlink(); bz#1921
from Loganaden Velvindron

add a protocol extension to support a hard link operation. It is
available through the "ln" command in the client. The old "ln"
behaviour of creating a symlink is available using its "-s" option
or through the preexisting "symlink" command; based on a patch from
miklos AT szeredi.hu in bz#1555; ok markus@

add an option per-read/write callback to atomicio

factor out bandwidth limiting code from scp(1) into a generic bandwidth
limiter that can be attached using the atomicio callback mechanism

add a bandwidth limit option to sftp(1) using the above

"very nice" markus@

bz#1797: fix swapped args in upload_dir_internal(), breaking recursive
upload depth checks and causing verbose printing of transfers to always
be turned on; patch from imorgan AT nas.nasa.gov

fix memory leak in do_realpath() error path; bz#1771, patch from
anicka AT suse.cz

d_type isn't portable so use lstat to get dirent modes. Suggested by and
"looks sane" deraadt@

recursive transfer support for get/put and on the commandline
work mostly by carlosvsilvapt@gmail.com for the Google Summer of Code
with some tweaks by me; "go for it" deraadt@

make the "get_handle: ..." error messages vaguely useful by allowing
callers to specify their own error message strings.

alphabetize includes; reduces diff vs portable and style(9). ok stevesk djm

allow the sftp chmod(2)-equivalent operation to set set[ug]id/sticky
bits. Note that this only affects explicit setting of modes (e.g. via
sftp(1)'s chmod command) and not file transfers. (bz#1310)
ok deraadt@ at c2k8

print extension revisions for extensions that we understand

Have the sftp client store the statvfs replies in wire format,
which prevents problems when the server's native sizes exceed the
client's.

Also extends the sizes of the remaining 32bit wire format to 64bit,
they're specified as unsigned long in the standard.

statvfs member fsid needs to be wider, increase it to 64 bits and
crank extension revision number to 2; prodded and ok dtucker@

introduce sftp extension methods statvfs@openssh.com and
fstatvfs@openssh.com that implement statvfs(2)-like operations,
based on a patch from miklos AT szeredi.hu (bz#1399)

also add a "df" command to the sftp client that uses the
statvfs@openssh.com to produce a df(1)-like display of filesystem
space and inode utilisation

ok markus@

prefer POSIX-style file renaming over filexfer rename behaviour if the server
supports the posix-rename@openssh.com extension.

Note that the old (filexfer) behaviour would refuse to clobber an existing
file. Users who depended on this should adjust their sftp(1) usage.

ok deraadt@ markus@

when a remote write error occurs during an upload, ensure that ACKs for all
issued requests are properly drained. patch from t8m AT centrum.cz

fix remote handle leak in do_download() local file open error path;
report and fix from sworley AT chkno.net

disable unused functions

initially from tobias@, but disabled them by placing them in "#ifdef notyet" which was asked by djm@

ok djm@ tobias@

use off_t instead of u_int64_t for file offsets, matching what the
progressmeter code expects; bz #842

return error from do_upload() when a write fails. fixes bz#1252: zero
exit status from sftp when uploading to a full device. report from
jirkat AT atlas.cz; ok dtucker@

cancel progress meter when upload write fails; ok deraadt@

branches: 1.74.4;
almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step

move #include <stdio.h> out of includes.h

move #include <sys/param.h> out of includes.h

move #include <sys/time.h> out of includes.h

#include <signal.h> for sig_atomic_t; need this prior to <sys/param.h>
move

move #include <string.h> out of includes.h

move #include <unistd.h> out of includes.h

move #include <errno.h> out of includes.h; ok markus@

move #include <fcntl.h> out of includes.h

avoid making a tiny 4-byte write to send the packet length of sftp
commands, which would result in a separate tiny packet on the wire by
using atomiciov(writev, ...) to write the length and the command in one
pass; ok deraadt@

replace {GET,PUT}_XXBIT macros with functionally similar functions,
silencing a heap of lint warnings. also allows them to use
__bounded__ checking which can't be applied to macros; requested
by and feedback from deraadt@

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files

change OpenSSH's xrealloc() function from being xrealloc(p, new_size) to
xrealloc(p, new_nmemb, new_itemsize).

realloc is particularly prone to integer overflows because it is almost
always allocating "n * size" bytes, so this is a far safer API;
ok deraadt@

RCSID() can die

branches: 1.60.2;
move #include <sys/stat.h> out of includes.h; ok markus@

typo in comment; ok djm@

use a common max. packet length, no binary change

branches: 1.57.2;
Silence bogus -Wuninitialized warnings; ok djm@

knf says that a 2nd level indent is four (not three or five) spaces

make this -Wsign-compare clean; ok avsm@ markus@

Switch atomicio to use a simpler interface; it now returns a size_t
(containing number of bytes read/written), and indicates error by
returning 0. EOF is signalled by errno==EPIPE.
Typical use now becomes:

if (atomicio(read, ..., len) != len)
err(1,"read");

ok deraadt@, cloder@, djm@

branches: 1.53.2;
spacing

leak; from mpech

branches: 1.51.2;
spaces

initialize pointers, ok markus@

gracefully abort transfers on receipt of SIGINT, also ignore SIGINT while
waiting for a command; ok markus@

sync comment with reality

branches: 1.47.2;
Don't print duplicate messages when progressmeter is off
Spotted by job317 AT mailvault.com; ok markus@

switch to license.template for code written by me (belated, I know...)

unexpand and delete whitespace at EOL; ok markus@

branches: 1.44.2;
deal with typing of write vs read in atomicio

rename log() into logit() to avoid name conflict. markus ok, from netbsd

branches: 1.42.2;
fix memory leaks; from dlheine@suif.Stanford.EDU/CLOUSEAU; ok djm@

Don't try to upload or download non-regular files. Report from
apoloval@pantuflo.escet.urjc.es; ok markus@

Simplify and avoid redundancy in packet send and receive function; ok fgs@

sftp progress meter support.
original diffs by Nils Nordman <nino at nforced dot com> via markus@, merged
to -current by me, djm@ ok.

Fix "get -p" download to not add user-write perm. mindrot bug #426 reported
by gfernandez@livevault.com; ok markus@

KNF

typo; GaryF@livevault.com

branches: 1.35.2;
support for short/long listings and globbing in "ls"; ok markus@

use xfree()

bunch of u_int vs int stuff

use tab not spaces (|unexpand)

branches: 1.31.2;
Fix occasional corruption on upload due to bad reuse of request id, spotted
by chombier@mac.com; ok markus@

fallback to stat if server does not support lstat

20480 is an upper limit for older server

KNF whitespace

indent

correct type mismatches (u_int64_t != unsigned long long)

printf type mismatch

early close(), missing free; ok stevesk@

API cleanup and backwards compat for filexfer v.0 servers; ok markus@

Let overlapped upload path handle servers which reorder ACKs. This may be
permitted by the protocol spec; ok markus@

Perform multiple overlapping read/write requests in file transfer. Mostly
done by Tobias Ringstrom <tori@ringstrom.mine.nu>; ok markus@

Add "-B" option to specify copy buffer length (default 32k); ok markus@

basic KNF done while i was looking for something else

branches: 1.18.2;
delete spurious #includes; ok deraadt@ markus@

more strict prototypes. raise warning level in Makefile.inc. markus ok'ed
TODO; cleanup headers

branches: 1.16.2;
fix whitespace: unexpand + trailing spaces.

Report ssh connection closing correctly; ok deraadt@

Revise globbing for get/put to be more shell-like. In particular,
"get/put file* directory/" now works. ok markus@

Wall

sftp client filename globbing for get, put, ch{mod,grp,own}. ok markus@

branches: 1.11.2;
Support for new draft (draft-ietf-secsh-filexfer-01). New symlink handling
functions and small protocol change.

branches: 1.10.2;
Fix and document 'preserve modes & times' option ('-p' flag in sftp);
ok markus@

typo; ok Niels

%i -> %d

older servers reply with SSH2_FXP_NAME + count==0 instead of EOF

unsigned long long -> %llu, not %qu. markus ok

Don't free handles before we are done with them. Based on work from
Corinna Vinschen <vinschen@redhat.com>. ok markus@

replace arc4random with counter for request ids; ok markus@

unexpand and remove end-of-line whitespace; ok markus@

make gcc on the alpha even happier

Basic interactive sftp client; ok theo@

fix recursive remote-remote copies of directories that contain symlinks
to other directories (similar to bz3611)

the sftp code was one of my first contributions to OpenSSH and it
shows - the function names are terrible.

Rename do_blah() to sftp_blah() to make them less so.

Completely mechanical except for sftp_stat() and sftp_lstat() which
change from returning a pointer to a static variable (error-prone) to
taking a pointer to a caller-provided receiver.

fix scp in SFTP mode recursive upload and download of directories
that contain symlinks to other directories. In scp mode, the links
would be followed, but in SFTP mode they were not. bz3611, ok dtucker@

adjust ftruncate() logic to handle servers that reorder requests.

sftp/scp will ftruncate the destination file after a transfer completes,
to deal with the case where a longer destination file already existed.
We tracked the highest contiguous block transferred to deal with this
case, but our naive tracking doesn't deal with servers that reorder
requests - a misfeature strictly permitted by the protocol but seldom
implemented.

Adjust the logic to ftruncate() at the highest absolute block received
when the transfer is successful. feedback deraadt@ ok markus@

prompted by https://github.com/openssh/openssh-portable/commit/9b733#commitcomment-110679778

Plug more mem leaks in sftp by making make_absolute_pwd_glob work in
the same way as make_absolute: you pass it a dynamically allocated string
and it either returns it, or frees it and allocates a new one.
Patch from emaste at freebsd.org and https://reviews.freebsd.org/D37253
ok djm@

Delete obsolete /* ARGSUSED */ lint comments.

ok miod@ millert@

clamp the minimum buffer lengths and number of inflight requests too

ignore bogus upload/download buffer lengths in the limits extension

add a -X option to both scp(1) and sftp(1) to allow control over
some SFTP protocol knobs: the copy buffer length and the number of
inflight requests, both of which are used during upload/download.

Previously these could be controlled in sftp(1) using the -b/-R options.
This makes them available in both SFTP protocol clients using the same
option character sequence.

ok dtucker@

sftp client library support for users-groups-by-id@openssh.com;
ok markus@

fix in-place copies; r1.163 incorrectly skipped truncation in all cases,
not just at the start of a transfer. This could cause overwrites of larger
files to leave junk at the end. Spotted by tb@

arrange for scp, when in sftp mode, to not ftruncate(3) files early

previous behavious of unconditionally truncating the destination file
would cause "scp ~/foo localhost:" and "scp localhost:foo ~/" to
delete all the contents of their destination.

spotted by solene@ sthen@, also bz3431; ok dtucker@

add a sftp client "cp" command that supports server-side copying
of files. Useful for this task and for testing the copy-data
extension. Patch from Mike Frysinger; ok dtucker@

make most of the sftp errors more idiomatic, following the general form
of "[local/remote] operation path: error message"; ok markus

use status error message to communicate ~user expansion failures;
provides better experience for scp in sftp mode, where ~user paths
are more likely to be used; spotted jsg, feedback jsg & deraadt
ok jsg & markus

more idiomatic error messages; spotted by jsg & deraadt
ok jsg & markus

spelling
ok dtucker@

Plug a couple of minor mem leaks. From beldmit at gmail.com via github
PR#283, ok markus@

For open/openat, if the flags parameter does not contain O_CREAT, the
3rd (variadic) mode_t parameter is irrelevant. Many developers in the past
have passed mode_t (0, 044, 0644, or such), which might lead future people
to copy this broken idiom, and perhaps even believe this parameter has some
meaning or implication or application. Delete them all.
This comes out of a conversation where tb@ noticed that a strange (but
intentional) pledge behaviour is to always knock-out high-bits from
mode_t on a number of system calls as a safety factor, and his bewilderment
that this appeared to be happening against valid modes (at least visually),
but no sorry, they are all irrelevant junk. They could all be 0xdeafbeef.
ok millert

Remove redundant attrib_clear in upload_dir_internal. The subsequent
call to stat_to_attrib clears the struct as its first step anyway.
From pmeinhardt via github PR#220, ok djm@

SFTP protocol extension to allow the server to expand ~-prefixed
paths, in particular ~user ones. Allows scp in sftp mode to accept
these paths, like scp in rcp mode does.

prompted by and much discussion deraadt@
ok markus@

show only the final path component in the progress meter;
more useful with long paths (that may truncate) and better
matches traditional scp behaviour; spotted by naddy@
ok deraadt@

sftp-client.c needs poll.h

remove unused variable

do_upload() used a near-identical structure for tracking
expected status replies from the server to what do_download()
was using.

Refactor it to use the same structure and factor out some common
code into helper functions.

make scp(1) in SFTP mode follow symlinks like traditional scp(1)
ok markus@

fix incorrect directory permissions on scp -3 transfers;
ok markus@

a bit more debugging of file attributes being sent/received
over the wire

make scp(1) in SFTP mode output better match original scp(1) by
suppressing "Retrieving [path]" lines that were emitted to support
the interactive sftp(1) client. ok markus@

factor out a structure duplicated between downloading and
crossloading; ok markus@

support for "cross"-loading files/directories, i.e. downloading
from one SFTP server while simultaneously uploading to another.

feedback & ok markus@

factor our SSH2_FXP_OPEN calls into their own function;
"looks fine" markus@

degrade gracefully if a sftp-server offers the limits@openssh.com
extension but fails when the client tries to invoke it.
Reported by Hector Martin via bz3318

highly polished whitespace, mostly fixing spaces-for-tab and bad
indentation on continuation lines. Prompted by GHPR#185

Use new limits@openssh.com protocol extension to let the client select
good limits based on what the server supports. Split the download and
upload buffer sizes to allow them to be chosen independently.

In practice (and assuming upgraded sftp/sftp-server at each end), this
increases the download buffer 32->64KiB and the upload buffer
32->255KiB.

Patches from Mike Frysinger; ok dtucker@

no need to reset buffer after send_msg() as that is done for us;
patch from Mike Frysinger

shuffle a few utility functions into sftp-client.c; from Jakub Jelen

When doing an sftp recursive upload or download of a read-only directory,
ensure that the directory is created with write and execute permissions
in the interim so that we can actually complete the transfer, then set
the directory permission as the final step. (The execute bit is only
likely to be an issue with a non-POSIX server). bz#3222, ok djm@

use the new variant log macros instead of prepending __func__ and
appending ssh_err(r) manually; ok markus@

fix off-by-one error that caused sftp downloads to make one more
concurrent request that desired. This prevented using sftp(1) in
unpipelined request/response mode, which is useful when debugging.
Patch from Stephen Goetze in bz#3054

fix memory leak in error path; bz#3074
patch from krishnaiah.bommu@intel.com, ok dtucker

print explicit "not modified" message if a file was requested for
resumed download but was considered already complete.

bz#2978 ok dtucker

Have progressmeter force an update at the beginning and end of each
transfer. Fixes the problem recently introduces where very quick
transfers do not display the progressmeter at all. Spotted by naddy@

Sanitize scp filenames via snmprintf. To do this we move the
progressmeter formatting outside of signal handler context and have
the atomicio callback called for EINTR too. bz#2434 with contributions
from djm and jjelen at redhat.com, ok djm@

Add "-h" flag to sftp chown/chgrp/chmod commands to request they do
not follow symlinks. Requires recently-committed lsetstat@openssh.com
extension on the server side.

ok markus@ dtucker@

fix some memory leaks spotted by Coverity via Jakub Jelen in bz#2366
feedback and ok dtucker@

Fix return value confusion in several functions (readdir, download and
fsync). These should return -1 on error, not a sftp status code.

patch from Petr Cerny in bz#2871

Have sftp print a warning about shell cleanliness when decoding the first
packet fails, which is usually caused by shells polluting stdout of
non-interactive starups. bz#2800, ok markus@ deraadt@.

don't print verbose error message when ssh disconnects under sftp;
bz#2750; ok dtucker@

check number of entries in SSH2_FXP_NAME response; avoids
unreachable overflow later. Reported by Jann Horn

Add MAXIMUM(), MINIMUM(), and ROUNDUP() to misc.h, then use those definitions
rather than pulling <sys/param.h> and unknown namespace pollution.
ok djm markus dtucker

To prevent screwing up terminal settings when printing to the
terminal, for ASCII and UTF-8, escape bytes not forming characters
and bytes forming non-printable characters with vis(3) VIS_OCTAL.
For other character sets, abort printing of the current string in
these cases. In particular,
* let scp(1) respect the local user's LC_CTYPE locale(1);
* sanitize data received from the remote host;
* sanitize filenames, usernames, and similar data even locally;
* take character display widths into account for the progressmeter.

This is believed to be sufficient to keep the local terminal safe
on OpenBSD, but bad things can still happen on other systems with
state-dependent locales because many places in the code print
unencoded ASCII characters into the output stream.

Using feedback from djm@ and martijn@,
various aspects discussed with many others.

deraadt@ says it should go in now, i probably already hesitated too long

fix signed/unsigned errors reported by clang-3.7; add
sshbuf_dup_string() to replace a common idiom of
strdup(sshbuf_ptr()) with better safety checking;
feedback and ok markus@

whitespace at EOL

fix regression in openssh-6.8 sftp client: existing destination
directories would incorrectly terminate recursive uploads;
bz#2528

add error message on ftruncate failure; bz#2176

fix a memory leak in an error path
ok markus@ dtucker@

rename xrealloc() to xreallocarray() since it follows that form.
ok djm

Reduce use of <sys/param.h> and transition to <limits.h> throughout.
ok djm markus

update sftp client and server to new buffer API.
pretty much just mechanical changes; with & ok markus

Implement sftp upload resume support.

OK from djm@, with input from guenther@, mlarkin@ and
okan@

replace most bzero with explicit_bzero, except a few that cna be memset
ok djm dtucker

signed/unsigned comparison warning fix; from portable

needless and incorrect cast to size_t can break resumption of
large download; patch from tobias@

fix memory leak in error path in do_readdir(); pointed out by
Loganaden Velvindron @ AfriNIC in bz#2163

bz#2171: don't leak local_fd on error; from Loganaden Velvindron @
AfriNIC

Include stdlib.h for free() as per the man page.

use calloc for all structure allocations; from markus@

fsync@openssh.com protocol extension for sftp-server
client support to allow calling fsync() faster successful transfer
patch mostly by imorgan AT nas.nasa.gov; bz#1798
"fine" markus@ "grumble OK" deraadt@ "doesn't sound bad to me" millert@

missed one arg reorder

rename flag arguments to be more clear and consistent.
reorder some internal function arguments to make adding additional flags
easier.

no functional change

fix swapped pflag and printflag in sftp upload_dir; from Iain Morgan

two problems found by a to-be-committed regress test: 1) msg_id was not
being initialised so was starting at a random value from the heap
(harmless, but confusing). 2) some error conditions were not being
propagated back to the caller

add a "-l" flag for the rename command to force it to use the silly
standard SSH_FXP_RENAME command instead of the POSIX-rename- like
posix-rename@openssh.com extension.

intended for use in regress tests, so no documentation.

branches: 1.101.2;
sftp support for resuming partial downloads; patch mostly by Loganaden
Velvindron/AfriNIC with some tweaks by me; feedback and ok dtucker@
"Just be careful" deraadt@

Update progressmeter when data is acked, not when it's sent. bz#2108, from
Debian via Colin Watson, ok djm@

Replace S_IWRITE, which isn't standardized, with S_IWUSR, which is. Patch
from Nathan Osman via bz#2085. ok deraadt.

bye, bye xfree(); ok markus@

branches: 1.97.4;
fix a couple of "assigned but not used" warnings. ok markus@

fix leak in do_lsreaddir(); ok djm

fix leaks in do_hardlink() and do_readlink(); bz#1921
from Loganaden Velvindron

add a protocol extension to support a hard link operation. It is
available through the "ln" command in the client. The old "ln"
behaviour of creating a symlink is available using its "-s" option
or through the preexisting "symlink" command; based on a patch from
miklos AT szeredi.hu in bz#1555; ok markus@

add an option per-read/write callback to atomicio

factor out bandwidth limiting code from scp(1) into a generic bandwidth
limiter that can be attached using the atomicio callback mechanism

add a bandwidth limit option to sftp(1) using the above

"very nice" markus@

bz#1797: fix swapped args in upload_dir_internal(), breaking recursive
upload depth checks and causing verbose printing of transfers to always
be turned on; patch from imorgan AT nas.nasa.gov

fix memory leak in do_realpath() error path; bz#1771, patch from
anicka AT suse.cz

d_type isn't portable so use lstat to get dirent modes. Suggested by and
"looks sane" deraadt@

recursive transfer support for get/put and on the commandline
work mostly by carlosvsilvapt@gmail.com for the Google Summer of Code
with some tweaks by me; "go for it" deraadt@

make the "get_handle: ..." error messages vaguely useful by allowing
callers to specify their own error message strings.

alphabetize includes; reduces diff vs portable and style(9). ok stevesk djm

allow the sftp chmod(2)-equivalent operation to set set[ug]id/sticky
bits. Note that this only affects explicit setting of modes (e.g. via
sftp(1)'s chmod command) and not file transfers. (bz#1310)
ok deraadt@ at c2k8

print extension revisions for extensions that we understand

Have the sftp client store the statvfs replies in wire format,
which prevents problems when the server's native sizes exceed the
client's.

Also extends the sizes of the remaining 32bit wire format to 64bit,
they're specified as unsigned long in the standard.

statvfs member fsid needs to be wider, increase it to 64 bits and
crank extension revision number to 2; prodded and ok dtucker@

introduce sftp extension methods statvfs@openssh.com and
fstatvfs@openssh.com that implement statvfs(2)-like operations,
based on a patch from miklos AT szeredi.hu (bz#1399)

also add a "df" command to the sftp client that uses the
statvfs@openssh.com to produce a df(1)-like display of filesystem
space and inode utilisation

ok markus@

prefer POSIX-style file renaming over filexfer rename behaviour if the server
supports the posix-rename@openssh.com extension.

Note that the old (filexfer) behaviour would refuse to clobber an existing
file. Users who depended on this should adjust their sftp(1) usage.

ok deraadt@ markus@