readHeaderFixed() already assumes the same header pointer will be
passed in next call if the read is incomplete.

We've patched this thing enough to have a different identifier.

By default, Cryptlib uses the type of whatever channel happens to
be currently selected, so if the server has sent some data, that
will be shell.  Instead, look up the new channel and use that type
info.

Ugh.

Previously, it was read into a local variable, and in the case of a
partial read, everything would go to hell and SSH would hang.

"Luckily" this was very hard to trigger.

This should work exactly the same, but is more correct.  It's possible
that in the future, packet data could be added to the buffer after
receiveBufPos, and we could know that no more is required.

The patch that sets the read timeout every time for getData() was
flawed, because getData() itself will sometimes set the read timeout
for the next call.

The patch was intended to ensure that the write timeout never
clobbers the read timeout, so now we track if getData() explicitly
set the timeout and if it did, we don't reset it.

May fix the issues seen updating wiki pages, may not, but is a less
invasive patch either way.

This will trigger more builds of libcl, but at least I won't have
to make people touch(1) a patch to do a rebuild.

As an aside, cleanall.sh doesn't clean 3rdp, no idea if this is
intentional or not.

Should fix the OpenBSD pipeline.

By default, both NetBSD and OpenBSD will not allow pages to be mapped
both writable and executable.

On OpenBSD, if the filesystem is mounted with the wxallowed option,
this would work, and before v6.0, passing -z wxallowed to the linker
would allow it on a per-binary basis.  However, since this is not
the default, and since the JS engine can use mprotect() to switch
between RW and RX, I've decided to enable this instead.  This will
slow things down, but it will work "out of the box".

For NetBSD, the situation is different, you can't switch between
RW and RX using mprotect()... instead, you need to use mremap() to
get a separate mapping for each set of perms.  This does *not*
appear to be present in the 1.8.5 source, so we can't do the same
fix as OpenBSD.  Instead, NetBSD allows paxctl to add an elf note
indicating that RWX is needed, and it "just works" (by default).

We don't need it (I hope), and it plays fast and loose with the config
options so it won't compile with some sets of them, making it hard
to troubleshoot stuff.

commit it.

Also, a couple new patches for a previous commit that I apparently
hadn't added.

Interestingly, when they fail, Synchronet appears to crash.
This is fine.

(such as ec22519), unconditionally fallback to password auth instead
of the previous behaviour of diconnecting.

Much of the "password then pubkey" mentality is showing in these
bits of Cryptlib.

When we're closing the socket, always delete channels and don't wait
for the remote to confirm.

Don't count read closed channels against "is this the last one?" checks
Fix checking of channel attributes are present.
Fully close readclose channel if it's the last one.

Previously, there were (basically) three states... active, closed,
and writeclosed where writeclosed indicated that a channel close
message was sent, no more writes are allowed, and it's waiting for
the close to be acked.

This adds a readclosed state where we have received a close request
from the remote (and acked it), but have not deactivated the channel
ourselves.

This fixes a race condition where we could select a channel, then,
when we write data to it, we receive a close and the channel becomes
inactive so a new active channel is selected (effectively at random).

This is a bit suboptimal though since we still don't get a
notification when a channel is closed by the remote.  Instead, if
we use more than one channel, we need to periodically make the
channel active for writes and explicitly check if it's closed.

If you initially try private key auth for example, allow retrying
with password auth and vice-versa.  This is needed for reasonable
fallback from private-key auth since we don't know in advance
which will work, and we don't want to disconnect an reconnect.

This takes the guardrails of adding a password.  Previously, it was
ensured that a password was always added immediately after a username.
This is to ensure when using the server for example and stuffing a
list full of all the user/pw pairs, each pw goes with a user.

Instead of returning an error, this now allows adding passwords
without a corrsponding user that won't be used, and there will be
no indication of why.

Death Star mode for this feature is better than not having fallback
in my opinion.