Annotation of src/usr.bin/ssh/channels.c, Revision 1.109.2.4
1.1 deraadt 1: /*
1.26 deraadt 2: * Author: Tatu Ylonen <ylo@cs.hut.fi>
3: * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
4: * All rights reserved
5: * This file contains functions for generic socket connection forwarding.
6: * There is also code for initiating connection forwarding for X11 connections,
7: * arbitrary tcp/ip connections, and the authentication agent connection.
1.49 markus 8: *
1.67 deraadt 9: * As far as I am concerned, the code I have written for this software
10: * can be used freely for any purpose. Any derived versions of this
11: * software must be clearly marked as such, and if the derived work is
12: * incompatible with the protocol description in the RFC file, it must be
13: * called by a name other than "ssh" or "Secure Shell".
14: *
1.44 markus 15: * SSH2 support added by Markus Friedl.
1.109.2.3 jason 16: * Copyright (c) 1999, 2000, 2001 Markus Friedl. All rights reserved.
1.67 deraadt 17: * Copyright (c) 1999 Dug Song. All rights reserved.
18: * Copyright (c) 1999 Theo de Raadt. All rights reserved.
19: *
20: * Redistribution and use in source and binary forms, with or without
21: * modification, are permitted provided that the following conditions
22: * are met:
23: * 1. Redistributions of source code must retain the above copyright
24: * notice, this list of conditions and the following disclaimer.
25: * 2. Redistributions in binary form must reproduce the above copyright
26: * notice, this list of conditions and the following disclaimer in the
27: * documentation and/or other materials provided with the distribution.
28: *
29: * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
30: * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
31: * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
32: * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
33: * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
34: * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
35: * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
36: * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
37: * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
38: * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
1.26 deraadt 39: */
1.1 deraadt 40:
41: #include "includes.h"
1.109.2.4! miod 42: RCSID("$OpenBSD: channels.c,v 1.109.2.3 2001/09/27 19:03:54 jason Exp $");
1.1 deraadt 43:
44: #include "ssh.h"
1.82 markus 45: #include "ssh1.h"
46: #include "ssh2.h"
1.1 deraadt 47: #include "packet.h"
48: #include "xmalloc.h"
49: #include "uidswap.h"
1.82 markus 50: #include "log.h"
51: #include "misc.h"
1.14 markus 52: #include "channels.h"
53: #include "compat.h"
1.82 markus 54: #include "canohost.h"
1.64 markus 55: #include "key.h"
56: #include "authfd.h"
1.44 markus 57:
1.1 deraadt 58:
1.109.2.3 jason 59: /* -- channel core */
1.12 markus 60:
1.27 markus 61: /*
62: * Pointer to an array containing all allocated channels. The array is
63: * dynamically extended as needed.
64: */
1.109.2.3 jason 65: static Channel **channels = NULL;
1.1 deraadt 66:
1.27 markus 67: /*
68: * Size of the channel array. All slots of the array must always be
1.109.2.3 jason 69: * initialized (at least the type field); unused slots set to NULL
1.27 markus 70: */
1.1 deraadt 71: static int channels_alloc = 0;
72:
1.27 markus 73: /*
74: * Maximum file descriptor value used in any of the channels. This is
1.109.2.3 jason 75: * updated in channel_new.
1.27 markus 76: */
1.84 markus 77: static int channel_max_fd = 0;
1.1 deraadt 78:
79:
1.109.2.3 jason 80: /* -- tcp forwarding */
1.1 deraadt 81:
1.27 markus 82: /*
83: * Data structure for storing which hosts are permitted for forward requests.
84: * The local sides of any remote forwards are stored in this array to prevent
85: * a corrupt remote server from accessing arbitrary TCP/IP ports on our local
86: * network (which might be behind a firewall).
87: */
1.25 markus 88: typedef struct {
1.41 markus 89: char *host_to_connect; /* Connect to 'host'. */
90: u_short port_to_connect; /* Connect to 'port'. */
91: u_short listen_port; /* Remote side should listen port number. */
1.1 deraadt 92: } ForwardPermission;
93:
94: /* List of all permitted host/port pairs to connect. */
95: static ForwardPermission permitted_opens[SSH_MAX_FORWARDS_PER_DIRECTION];
1.109.2.3 jason 96:
1.1 deraadt 97: /* Number of permitted host/port pairs in the array. */
98: static int num_permitted_opens = 0;
1.27 markus 99: /*
100: * If this is true, all opens are permitted. This is the case on the server
101: * on which we have to trust the client anyway, and the user could do
102: * anything after logging in anyway.
103: */
1.1 deraadt 104: static int all_opens_permitted = 0;
105:
1.82 markus 106:
1.109.2.3 jason 107: /* -- X11 forwarding */
1.1 deraadt 108:
1.109.2.3 jason 109: /* Maximum number of fake X11 displays to try. */
110: #define MAX_DISPLAYS 1000
1.103 markus 111:
1.109.2.3 jason 112: /* Saved X11 authentication protocol name. */
113: static char *x11_saved_proto = NULL;
1.1 deraadt 114:
1.109.2.3 jason 115: /* Saved X11 authentication data. This is the real data. */
116: static char *x11_saved_data = NULL;
117: static u_int x11_saved_data_len = 0;
118:
119: /*
120: * Fake X11 authentication data. This is what the server will be sending us;
121: * we should replace any occurrences of this by the real data.
122: */
123: static char *x11_fake_data = NULL;
124: static u_int x11_fake_data_len;
125:
126:
127: /* -- agent forwarding */
128:
129: #define NUM_SOCKS 10
130:
131: /* Name and directory of socket for authentication agent forwarding. */
132: static char *auth_sock_name = NULL;
133: static char *auth_sock_dir = NULL;
134:
135: /* AF_UNSPEC or AF_INET or AF_INET6 */
1.109.2.4! miod 136: static int IPv4or6 = AF_UNSPEC;
1.109.2.3 jason 137:
138: /* helper */
139: static void port_open_helper(Channel *c, char *rtype);
1.1 deraadt 140:
1.109.2.3 jason 141: /* -- channel core */
1.41 markus 142:
143: Channel *
144: channel_lookup(int id)
145: {
146: Channel *c;
1.109.2.3 jason 147:
1.63 provos 148: if (id < 0 || id > channels_alloc) {
1.41 markus 149: log("channel_lookup: %d: bad id", id);
150: return NULL;
151: }
1.109.2.3 jason 152: c = channels[id];
153: if (c == NULL) {
1.41 markus 154: log("channel_lookup: %d: bad id: channel free", id);
155: return NULL;
156: }
157: return c;
1.55 markus 158: }
159:
1.27 markus 160: /*
1.55 markus 161: * Register filedescriptors for a channel, used when allocating a channel or
1.52 markus 162: * when the channel consumer/producer is ready, e.g. shell exec'd
1.27 markus 163: */
1.1 deraadt 164:
1.109.2.3 jason 165: static void
1.71 markus 166: channel_register_fds(Channel *c, int rfd, int wfd, int efd,
167: int extusage, int nonblock)
1.1 deraadt 168: {
1.25 markus 169: /* Update the maximum file descriptor value. */
1.84 markus 170: channel_max_fd = MAX(channel_max_fd, rfd);
171: channel_max_fd = MAX(channel_max_fd, wfd);
172: channel_max_fd = MAX(channel_max_fd, efd);
173:
1.27 markus 174: /* XXX set close-on-exec -markus */
1.55 markus 175:
1.52 markus 176: c->rfd = rfd;
177: c->wfd = wfd;
178: c->sock = (rfd == wfd) ? rfd : -1;
179: c->efd = efd;
180: c->extended_usage = extusage;
1.71 markus 181:
1.91 markus 182: /* XXX ugly hack: nonblock is only set by the server */
183: if (nonblock && isatty(c->rfd)) {
1.94 markus 184: debug("channel %d: rfd %d isatty", c->self, c->rfd);
1.91 markus 185: c->isatty = 1;
186: if (!isatty(c->wfd)) {
1.94 markus 187: error("channel %d: wfd %d is not a tty?",
1.91 markus 188: c->self, c->wfd);
189: }
190: } else {
191: c->isatty = 0;
192: }
193:
1.71 markus 194: /* enable nonblocking mode */
195: if (nonblock) {
196: if (rfd != -1)
197: set_nonblock(rfd);
198: if (wfd != -1)
199: set_nonblock(wfd);
200: if (efd != -1)
201: set_nonblock(efd);
202: }
1.52 markus 203: }
204:
205: /*
206: * Allocate a new channel object and set its type and socket. This will cause
207: * remote_name to be freed.
208: */
209:
1.109.2.3 jason 210: Channel *
1.52 markus 211: channel_new(char *ctype, int type, int rfd, int wfd, int efd,
1.71 markus 212: int window, int maxpack, int extusage, char *remote_name, int nonblock)
1.52 markus 213: {
214: int i, found;
215: Channel *c;
1.25 markus 216:
217: /* Do initial allocation if this is the first call. */
218: if (channels_alloc == 0) {
1.44 markus 219: chan_init();
1.25 markus 220: channels_alloc = 10;
1.109.2.3 jason 221: channels = xmalloc(channels_alloc * sizeof(Channel *));
1.25 markus 222: for (i = 0; i < channels_alloc; i++)
1.109.2.3 jason 223: channels[i] = NULL;
224: fatal_add_cleanup((void (*) (void *)) channel_free_all, NULL);
1.25 markus 225: }
226: /* Try to find a free slot where to put the new channel. */
227: for (found = -1, i = 0; i < channels_alloc; i++)
1.109.2.3 jason 228: if (channels[i] == NULL) {
1.25 markus 229: /* Found a free slot. */
230: found = i;
231: break;
232: }
233: if (found == -1) {
1.27 markus 234: /* There are no free slots. Take last+1 slot and expand the array. */
1.25 markus 235: found = channels_alloc;
236: channels_alloc += 10;
1.70 markus 237: debug2("channel: expanding %d", channels_alloc);
1.109.2.3 jason 238: channels = xrealloc(channels, channels_alloc * sizeof(Channel *));
1.25 markus 239: for (i = found; i < channels_alloc; i++)
1.109.2.3 jason 240: channels[i] = NULL;
1.25 markus 241: }
1.109.2.3 jason 242: /* Initialize and return new channel. */
243: c = channels[found] = xmalloc(sizeof(Channel));
1.109.2.4! miod 244: memset(c, 0, sizeof(Channel));
1.25 markus 245: buffer_init(&c->input);
246: buffer_init(&c->output);
1.41 markus 247: buffer_init(&c->extended);
1.25 markus 248: chan_init_iostates(c);
1.71 markus 249: channel_register_fds(c, rfd, wfd, efd, extusage, nonblock);
1.25 markus 250: c->self = found;
251: c->type = type;
1.41 markus 252: c->ctype = ctype;
1.51 markus 253: c->local_window = window;
254: c->local_window_max = window;
255: c->local_consumed = 0;
256: c->local_maxpacket = maxpack;
1.25 markus 257: c->remote_id = -1;
258: c->remote_name = remote_name;
1.41 markus 259: c->remote_window = 0;
260: c->remote_maxpacket = 0;
261: c->cb_fn = NULL;
262: c->cb_arg = NULL;
263: c->cb_event = 0;
1.109.2.3 jason 264: c->force_drain = 0;
265: c->detach_user = NULL;
1.65 markus 266: c->input_filter = NULL;
1.25 markus 267: debug("channel %d: new [%s]", found, remote_name);
1.109.2.3 jason 268: return c;
269: }
270:
271: static int
272: channel_find_maxfd(void)
273: {
274: int i, max = 0;
275: Channel *c;
276:
277: for (i = 0; i < channels_alloc; i++) {
278: c = channels[i];
279: if (c != NULL) {
280: max = MAX(max, c->rfd);
281: max = MAX(max, c->wfd);
282: max = MAX(max, c->efd);
283: }
284: }
285: return max;
286: }
287:
288: int
289: channel_close_fd(int *fdp)
290: {
291: int ret = 0, fd = *fdp;
292:
293: if (fd != -1) {
294: ret = close(fd);
295: *fdp = -1;
296: if (fd == channel_max_fd)
297: channel_max_fd = channel_find_maxfd();
298: }
299: return ret;
300: }
301:
302: /* Close all channel fd/socket. */
303:
304: static void
305: channel_close_fds(Channel *c)
306: {
307: debug3("channel_close_fds: channel %d: r %d w %d e %d",
308: c->self, c->rfd, c->wfd, c->efd);
309:
310: channel_close_fd(&c->sock);
311: channel_close_fd(&c->rfd);
312: channel_close_fd(&c->wfd);
313: channel_close_fd(&c->efd);
314: }
315:
316: /* Free the channel and close its fd/socket. */
317:
318: void
319: channel_free(Channel *c)
320: {
321: char *s;
322: int i, n;
323:
324: for (n = 0, i = 0; i < channels_alloc; i++)
325: if (channels[i])
326: n++;
327: debug("channel_free: channel %d: %s, nchannels %d", c->self,
328: c->remote_name ? c->remote_name : "???", n);
329:
330: s = channel_open_message();
331: debug3("channel_free: status: %s", s);
332: xfree(s);
333:
334: if (c->sock != -1)
335: shutdown(c->sock, SHUT_RDWR);
336: channel_close_fds(c);
337: buffer_free(&c->input);
338: buffer_free(&c->output);
339: buffer_free(&c->extended);
340: if (c->remote_name) {
341: xfree(c->remote_name);
342: c->remote_name = NULL;
343: }
344: channels[c->self] = NULL;
345: xfree(c);
346: }
347:
348: void
349: channel_free_all(void)
350: {
351: int i;
352:
353: for (i = 0; i < channels_alloc; i++)
354: if (channels[i] != NULL)
355: channel_free(channels[i]);
356: }
357:
358: /*
359: * Closes the sockets/fds of all channels. This is used to close extra file
360: * descriptors after a fork.
361: */
362:
363: void
364: channel_close_all()
365: {
366: int i;
367:
368: for (i = 0; i < channels_alloc; i++)
369: if (channels[i] != NULL)
370: channel_close_fds(channels[i]);
371: }
372:
373: /*
374: * Stop listening to channels.
375: */
376:
377: void
378: channel_stop_listening(void)
379: {
380: int i;
381: Channel *c;
382:
383: for (i = 0; i < channels_alloc; i++) {
384: c = channels[i];
385: if (c != NULL) {
386: switch (c->type) {
387: case SSH_CHANNEL_AUTH_SOCKET:
388: case SSH_CHANNEL_PORT_LISTENER:
389: case SSH_CHANNEL_RPORT_LISTENER:
390: case SSH_CHANNEL_X11_LISTENER:
391: channel_close_fd(&c->sock);
392: channel_free(c);
393: break;
394: }
395: }
396: }
397: }
398:
399: /*
400: * Returns true if no channel has too much buffered data, and false if one or
401: * more channel is overfull.
402: */
403:
404: int
405: channel_not_very_much_buffered_data()
406: {
407: u_int i;
408: Channel *c;
409:
410: for (i = 0; i < channels_alloc; i++) {
411: c = channels[i];
412: if (c != NULL && c->type == SSH_CHANNEL_OPEN) {
1.109.2.4! miod 413: #if 0
! 414: if (!compat20 &&
! 415: buffer_len(&c->input) > packet_get_maxsize()) {
1.109.2.3 jason 416: debug("channel %d: big input buffer %d",
417: c->self, buffer_len(&c->input));
418: return 0;
419: }
1.109.2.4! miod 420: #endif
1.109.2.3 jason 421: if (buffer_len(&c->output) > packet_get_maxsize()) {
1.109.2.4! miod 422: debug("channel %d: big output buffer %d > %d",
! 423: c->self, buffer_len(&c->output),
! 424: packet_get_maxsize());
1.109.2.3 jason 425: return 0;
426: }
427: }
428: }
429: return 1;
430: }
431:
432: /* Returns true if any channel is still open. */
433:
434: int
435: channel_still_open()
436: {
437: int i;
438: Channel *c;
439:
440: for (i = 0; i < channels_alloc; i++) {
441: c = channels[i];
442: if (c == NULL)
443: continue;
444: switch (c->type) {
445: case SSH_CHANNEL_X11_LISTENER:
446: case SSH_CHANNEL_PORT_LISTENER:
447: case SSH_CHANNEL_RPORT_LISTENER:
448: case SSH_CHANNEL_CLOSED:
449: case SSH_CHANNEL_AUTH_SOCKET:
450: case SSH_CHANNEL_DYNAMIC:
451: case SSH_CHANNEL_CONNECTING:
452: case SSH_CHANNEL_ZOMBIE:
453: continue;
454: case SSH_CHANNEL_LARVAL:
455: if (!compat20)
456: fatal("cannot happen: SSH_CHANNEL_LARVAL");
457: continue;
458: case SSH_CHANNEL_OPENING:
459: case SSH_CHANNEL_OPEN:
460: case SSH_CHANNEL_X11_OPEN:
461: return 1;
462: case SSH_CHANNEL_INPUT_DRAINING:
463: case SSH_CHANNEL_OUTPUT_DRAINING:
464: if (!compat13)
465: fatal("cannot happen: OUT_DRAIN");
466: return 1;
467: default:
468: fatal("channel_still_open: bad channel type %d", c->type);
469: /* NOTREACHED */
470: }
471: }
472: return 0;
1.1 deraadt 473: }
1.109.2.3 jason 474:
475: /* Returns the id of an open channel suitable for keepaliving */
476:
1.49 markus 477: int
1.109.2.3 jason 478: channel_find_open()
479: {
480: int i;
481: Channel *c;
482:
483: for (i = 0; i < channels_alloc; i++) {
484: c = channels[i];
485: if (c == NULL)
486: continue;
487: switch (c->type) {
488: case SSH_CHANNEL_CLOSED:
489: case SSH_CHANNEL_DYNAMIC:
490: case SSH_CHANNEL_X11_LISTENER:
491: case SSH_CHANNEL_PORT_LISTENER:
492: case SSH_CHANNEL_RPORT_LISTENER:
493: case SSH_CHANNEL_OPENING:
494: case SSH_CHANNEL_CONNECTING:
495: case SSH_CHANNEL_ZOMBIE:
496: continue;
497: case SSH_CHANNEL_LARVAL:
498: case SSH_CHANNEL_AUTH_SOCKET:
499: case SSH_CHANNEL_OPEN:
500: case SSH_CHANNEL_X11_OPEN:
501: return i;
502: case SSH_CHANNEL_INPUT_DRAINING:
503: case SSH_CHANNEL_OUTPUT_DRAINING:
504: if (!compat13)
505: fatal("cannot happen: OUT_DRAIN");
506: return i;
507: default:
508: fatal("channel_find_open: bad channel type %d", c->type);
509: /* NOTREACHED */
510: }
511: }
512: return -1;
513: }
514:
515:
516: /*
517: * Returns a message describing the currently open forwarded connections,
518: * suitable for sending to the client. The message contains crlf pairs for
519: * newlines.
520: */
521:
522: char *
523: channel_open_message()
1.41 markus 524: {
1.109.2.3 jason 525: Buffer buffer;
526: Channel *c;
527: char buf[1024], *cp;
528: int i;
529:
530: buffer_init(&buffer);
531: snprintf(buf, sizeof buf, "The following connections are open:\r\n");
532: buffer_append(&buffer, buf, strlen(buf));
533: for (i = 0; i < channels_alloc; i++) {
534: c = channels[i];
535: if (c == NULL)
536: continue;
537: switch (c->type) {
538: case SSH_CHANNEL_X11_LISTENER:
539: case SSH_CHANNEL_PORT_LISTENER:
540: case SSH_CHANNEL_RPORT_LISTENER:
541: case SSH_CHANNEL_CLOSED:
542: case SSH_CHANNEL_AUTH_SOCKET:
543: case SSH_CHANNEL_ZOMBIE:
544: continue;
545: case SSH_CHANNEL_LARVAL:
546: case SSH_CHANNEL_OPENING:
547: case SSH_CHANNEL_CONNECTING:
548: case SSH_CHANNEL_DYNAMIC:
549: case SSH_CHANNEL_OPEN:
550: case SSH_CHANNEL_X11_OPEN:
551: case SSH_CHANNEL_INPUT_DRAINING:
552: case SSH_CHANNEL_OUTPUT_DRAINING:
553: snprintf(buf, sizeof buf, " #%d %.300s (t%d r%d i%d/%d o%d/%d fd %d/%d)\r\n",
554: c->self, c->remote_name,
555: c->type, c->remote_id,
556: c->istate, buffer_len(&c->input),
557: c->ostate, buffer_len(&c->output),
558: c->rfd, c->wfd);
559: buffer_append(&buffer, buf, strlen(buf));
560: continue;
561: default:
562: fatal("channel_open_message: bad channel type %d", c->type);
563: /* NOTREACHED */
564: }
565: }
566: buffer_append(&buffer, "\0", 1);
567: cp = xstrdup(buffer_ptr(&buffer));
568: buffer_free(&buffer);
569: return cp;
570: }
571:
572: void
573: channel_send_open(int id)
574: {
575: Channel *c = channel_lookup(id);
576: if (c == NULL) {
577: log("channel_send_open: %d: bad id", id);
578: return;
579: }
580: debug("send channel open %d", id);
581: packet_start(SSH2_MSG_CHANNEL_OPEN);
582: packet_put_cstring(c->ctype);
583: packet_put_int(c->self);
584: packet_put_int(c->local_window);
585: packet_put_int(c->local_maxpacket);
586: packet_send();
587: }
588:
589: void
590: channel_request(int id, char *service, int wantconfirm)
591: {
592: channel_request_start(id, service, wantconfirm);
593: packet_send();
594: debug("channel request %d: %s", id, service) ;
595: }
596: void
597: channel_request_start(int id, char *service, int wantconfirm)
598: {
599: Channel *c = channel_lookup(id);
600: if (c == NULL) {
601: log("channel_request: %d: bad id", id);
602: return;
603: }
604: packet_start(SSH2_MSG_CHANNEL_REQUEST);
605: packet_put_int(c->remote_id);
606: packet_put_cstring(service);
607: packet_put_char(wantconfirm);
608: }
609: void
610: channel_register_callback(int id, int mtype, channel_callback_fn *fn, void *arg)
611: {
612: Channel *c = channel_lookup(id);
613: if (c == NULL) {
614: log("channel_register_callback: %d: bad id", id);
615: return;
616: }
617: c->cb_event = mtype;
618: c->cb_fn = fn;
619: c->cb_arg = arg;
620: }
621: void
622: channel_register_cleanup(int id, channel_callback_fn *fn)
623: {
624: Channel *c = channel_lookup(id);
625: if (c == NULL) {
626: log("channel_register_cleanup: %d: bad id", id);
627: return;
628: }
629: c->detach_user = fn;
630: }
631: void
632: channel_cancel_cleanup(int id)
633: {
634: Channel *c = channel_lookup(id);
635: if (c == NULL) {
636: log("channel_cancel_cleanup: %d: bad id", id);
637: return;
638: }
639: c->detach_user = NULL;
1.41 markus 640: }
1.52 markus 641: void
1.109.2.3 jason 642: channel_register_filter(int id, channel_filter_fn *fn)
1.52 markus 643: {
1.109.2.3 jason 644: Channel *c = channel_lookup(id);
645: if (c == NULL) {
646: log("channel_register_filter: %d: bad id", id);
647: return;
1.52 markus 648: }
1.109.2.3 jason 649: c->input_filter = fn;
1.52 markus 650: }
651:
1.49 markus 652: void
1.109.2.3 jason 653: channel_set_fds(int id, int rfd, int wfd, int efd,
654: int extusage, int nonblock)
1.1 deraadt 655: {
1.41 markus 656: Channel *c = channel_lookup(id);
1.109.2.3 jason 657: if (c == NULL || c->type != SSH_CHANNEL_LARVAL)
658: fatal("channel_activate for non-larval channel %d.", id);
659: channel_register_fds(c, rfd, wfd, efd, extusage, nonblock);
660: c->type = SSH_CHANNEL_OPEN;
661: /* XXX window size? */
662: c->local_window = c->local_window_max = c->local_maxpacket * 2;
663: packet_start(SSH2_MSG_CHANNEL_WINDOW_ADJUST);
664: packet_put_int(c->remote_id);
665: packet_put_int(c->local_window);
666: packet_send();
1.1 deraadt 667: }
668:
1.27 markus 669: /*
1.41 markus 670: * 'channel_pre*' are called just before select() to add any bits relevant to
671: * channels in the select bitmasks.
672: */
673: /*
674: * 'channel_post*': perform any appropriate operations for channels which
675: * have events pending.
1.27 markus 676: */
1.41 markus 677: typedef void chan_fn(Channel *c, fd_set * readset, fd_set * writeset);
678: chan_fn *channel_pre[SSH_CHANNEL_MAX_TYPE];
679: chan_fn *channel_post[SSH_CHANNEL_MAX_TYPE];
680:
1.109.2.3 jason 681: static void
1.41 markus 682: channel_pre_listener(Channel *c, fd_set * readset, fd_set * writeset)
683: {
684: FD_SET(c->sock, readset);
685: }
686:
1.109.2.3 jason 687: static void
1.75 markus 688: channel_pre_connecting(Channel *c, fd_set * readset, fd_set * writeset)
689: {
690: debug3("channel %d: waiting for connection", c->self);
691: FD_SET(c->sock, writeset);
692: }
693:
1.109.2.3 jason 694: static void
1.41 markus 695: channel_pre_open_13(Channel *c, fd_set * readset, fd_set * writeset)
696: {
697: if (buffer_len(&c->input) < packet_get_maxsize())
698: FD_SET(c->sock, readset);
699: if (buffer_len(&c->output) > 0)
700: FD_SET(c->sock, writeset);
701: }
1.1 deraadt 702:
1.109.2.3 jason 703: static void
1.41 markus 704: channel_pre_open_15(Channel *c, fd_set * readset, fd_set * writeset)
705: {
706: /* test whether sockets are 'alive' for read/write */
707: if (c->istate == CHAN_INPUT_OPEN)
708: if (buffer_len(&c->input) < packet_get_maxsize())
709: FD_SET(c->sock, readset);
710: if (c->ostate == CHAN_OUTPUT_OPEN ||
711: c->ostate == CHAN_OUTPUT_WAIT_DRAIN) {
712: if (buffer_len(&c->output) > 0) {
713: FD_SET(c->sock, writeset);
714: } else if (c->ostate == CHAN_OUTPUT_WAIT_DRAIN) {
715: chan_obuf_empty(c);
716: }
717: }
718: }
719:
1.109.2.3 jason 720: static void
1.44 markus 721: channel_pre_open_20(Channel *c, fd_set * readset, fd_set * writeset)
722: {
723: if (c->istate == CHAN_INPUT_OPEN &&
724: c->remote_window > 0 &&
725: buffer_len(&c->input) < c->remote_window)
726: FD_SET(c->rfd, readset);
727: if (c->ostate == CHAN_OUTPUT_OPEN ||
728: c->ostate == CHAN_OUTPUT_WAIT_DRAIN) {
729: if (buffer_len(&c->output) > 0) {
730: FD_SET(c->wfd, writeset);
731: } else if (c->ostate == CHAN_OUTPUT_WAIT_DRAIN) {
732: chan_obuf_empty(c);
733: }
734: }
735: /** XXX check close conditions, too */
736: if (c->efd != -1) {
737: if (c->extended_usage == CHAN_EXTENDED_WRITE &&
738: buffer_len(&c->extended) > 0)
739: FD_SET(c->efd, writeset);
740: else if (c->extended_usage == CHAN_EXTENDED_READ &&
741: buffer_len(&c->extended) < c->remote_window)
742: FD_SET(c->efd, readset);
743: }
744: }
745:
1.109.2.3 jason 746: static void
1.41 markus 747: channel_pre_input_draining(Channel *c, fd_set * readset, fd_set * writeset)
748: {
749: if (buffer_len(&c->input) == 0) {
750: packet_start(SSH_MSG_CHANNEL_CLOSE);
751: packet_put_int(c->remote_id);
752: packet_send();
753: c->type = SSH_CHANNEL_CLOSED;
1.105 markus 754: debug("channel %d: closing after input drain.", c->self);
1.41 markus 755: }
756: }
757:
1.109.2.3 jason 758: static void
1.41 markus 759: channel_pre_output_draining(Channel *c, fd_set * readset, fd_set * writeset)
760: {
761: if (buffer_len(&c->output) == 0)
1.109.2.3 jason 762: chan_mark_dead(c);
1.49 markus 763: else
1.41 markus 764: FD_SET(c->sock, writeset);
765: }
766:
767: /*
768: * This is a special state for X11 authentication spoofing. An opened X11
769: * connection (when authentication spoofing is being done) remains in this
770: * state until the first packet has been completely read. The authentication
771: * data in that packet is then substituted by the real data if it matches the
772: * fake data, and the channel is put into normal mode.
1.51 markus 773: * XXX All this happens at the client side.
1.109.2.3 jason 774: * Returns: 0 = need more data, -1 = wrong cookie, 1 = ok
1.41 markus 775: */
1.109.2.3 jason 776: static int
777: x11_open_helper(Buffer *b)
1.1 deraadt 778: {
1.77 markus 779: u_char *ucp;
780: u_int proto_len, data_len;
1.25 markus 781:
1.41 markus 782: /* Check if the fixed size part of the packet is in buffer. */
1.109.2.3 jason 783: if (buffer_len(b) < 12)
1.41 markus 784: return 0;
785:
786: /* Parse the lengths of variable-length fields. */
1.109.2.3 jason 787: ucp = (u_char *) buffer_ptr(b);
1.41 markus 788: if (ucp[0] == 0x42) { /* Byte order MSB first. */
789: proto_len = 256 * ucp[6] + ucp[7];
790: data_len = 256 * ucp[8] + ucp[9];
791: } else if (ucp[0] == 0x6c) { /* Byte order LSB first. */
792: proto_len = ucp[6] + 256 * ucp[7];
793: data_len = ucp[8] + 256 * ucp[9];
794: } else {
795: debug("Initial X11 packet contains bad byte order byte: 0x%x",
796: ucp[0]);
797: return -1;
798: }
799:
800: /* Check if the whole packet is in buffer. */
1.109.2.3 jason 801: if (buffer_len(b) <
1.41 markus 802: 12 + ((proto_len + 3) & ~3) + ((data_len + 3) & ~3))
803: return 0;
804:
805: /* Check if authentication protocol matches. */
806: if (proto_len != strlen(x11_saved_proto) ||
807: memcmp(ucp + 12, x11_saved_proto, proto_len) != 0) {
808: debug("X11 connection uses different authentication protocol.");
809: return -1;
810: }
811: /* Check if authentication data matches our fake data. */
812: if (data_len != x11_fake_data_len ||
813: memcmp(ucp + 12 + ((proto_len + 3) & ~3),
814: x11_fake_data, x11_fake_data_len) != 0) {
815: debug("X11 auth data does not match fake data.");
816: return -1;
817: }
818: /* Check fake data length */
819: if (x11_fake_data_len != x11_saved_data_len) {
820: error("X11 fake_data_len %d != saved_data_len %d",
821: x11_fake_data_len, x11_saved_data_len);
822: return -1;
823: }
824: /*
825: * Received authentication protocol and data match
826: * our fake data. Substitute the fake data with real
827: * data.
828: */
829: memcpy(ucp + 12 + ((proto_len + 3) & ~3),
830: x11_saved_data, x11_saved_data_len);
831: return 1;
832: }
833:
1.109.2.3 jason 834: static void
1.41 markus 835: channel_pre_x11_open_13(Channel *c, fd_set * readset, fd_set * writeset)
836: {
1.109.2.3 jason 837: int ret = x11_open_helper(&c->output);
1.41 markus 838: if (ret == 1) {
839: /* Start normal processing for the channel. */
840: c->type = SSH_CHANNEL_OPEN;
1.47 markus 841: channel_pre_open_13(c, readset, writeset);
1.41 markus 842: } else if (ret == -1) {
843: /*
844: * We have received an X11 connection that has bad
845: * authentication information.
846: */
1.98 millert 847: log("X11 connection rejected because of wrong authentication.");
1.41 markus 848: buffer_clear(&c->input);
849: buffer_clear(&c->output);
1.109.2.3 jason 850: channel_close_fd(&c->sock);
1.41 markus 851: c->sock = -1;
852: c->type = SSH_CHANNEL_CLOSED;
853: packet_start(SSH_MSG_CHANNEL_CLOSE);
854: packet_put_int(c->remote_id);
855: packet_send();
856: }
857: }
1.25 markus 858:
1.109.2.3 jason 859: static void
1.51 markus 860: channel_pre_x11_open(Channel *c, fd_set * readset, fd_set * writeset)
1.41 markus 861: {
1.109.2.3 jason 862: int ret = x11_open_helper(&c->output);
863:
864: /* c->force_drain = 1; */
865:
1.41 markus 866: if (ret == 1) {
867: c->type = SSH_CHANNEL_OPEN;
1.57 markus 868: if (compat20)
869: channel_pre_open_20(c, readset, writeset);
870: else
871: channel_pre_open_15(c, readset, writeset);
1.41 markus 872: } else if (ret == -1) {
873: debug("X11 rejected %d i%d/o%d", c->self, c->istate, c->ostate);
1.51 markus 874: chan_read_failed(c); /** force close? */
1.41 markus 875: chan_write_failed(c);
876: debug("X11 closed %d i%d/o%d", c->self, c->istate, c->ostate);
877: }
878: }
1.25 markus 879:
1.104 markus 880: /* try to decode a socks4 header */
1.109.2.3 jason 881: static int
1.104 markus 882: channel_decode_socks4(Channel *c, fd_set * readset, fd_set * writeset)
1.103 markus 883: {
884: u_char *p, *host;
1.109 markus 885: int len, have, i, found;
1.104 markus 886: char username[256];
1.103 markus 887: struct {
888: u_int8_t version;
889: u_int8_t command;
890: u_int16_t dest_port;
1.104 markus 891: struct in_addr dest_addr;
1.103 markus 892: } s4_req, s4_rsp;
893:
1.104 markus 894: debug2("channel %d: decode socks4", c->self);
1.109 markus 895:
896: have = buffer_len(&c->input);
897: len = sizeof(s4_req);
898: if (have < len)
899: return 0;
900: p = buffer_ptr(&c->input);
901: for (found = 0, i = len; i < have; i++) {
902: if (p[i] == '\0') {
903: found = 1;
904: break;
905: }
906: if (i > 1024) {
907: /* the peer is probably sending garbage */
908: debug("channel %d: decode socks4: too long",
909: c->self);
910: return -1;
911: }
912: }
913: if (!found)
914: return 0;
1.103 markus 915: buffer_get(&c->input, (char *)&s4_req.version, 1);
916: buffer_get(&c->input, (char *)&s4_req.command, 1);
917: buffer_get(&c->input, (char *)&s4_req.dest_port, 2);
1.104 markus 918: buffer_get(&c->input, (char *)&s4_req.dest_addr, 4);
1.109 markus 919: have = buffer_len(&c->input);
1.103 markus 920: p = buffer_ptr(&c->input);
921: len = strlen(p);
1.106 markus 922: debug2("channel %d: decode socks4: user %s/%d", c->self, p, len);
1.103 markus 923: if (len > have)
1.104 markus 924: fatal("channel %d: decode socks4: len %d > have %d",
1.103 markus 925: c->self, len, have);
926: strlcpy(username, p, sizeof(username));
927: buffer_consume(&c->input, len);
928: buffer_consume(&c->input, 1); /* trailing '\0' */
929:
1.104 markus 930: host = inet_ntoa(s4_req.dest_addr);
1.103 markus 931: strlcpy(c->path, host, sizeof(c->path));
932: c->host_port = ntohs(s4_req.dest_port);
933:
1.106 markus 934: debug("channel %d: dynamic request: socks4 host %s port %u command %u",
935: c->self, host, c->host_port, s4_req.command);
1.103 markus 936:
1.104 markus 937: if (s4_req.command != 1) {
938: debug("channel %d: cannot handle: socks4 cn %d",
939: c->self, s4_req.command);
940: return -1;
1.103 markus 941: }
1.104 markus 942: s4_rsp.version = 0; /* vn: 0 for reply */
943: s4_rsp.command = 90; /* cd: req granted */
1.103 markus 944: s4_rsp.dest_port = 0; /* ignored */
1.104 markus 945: s4_rsp.dest_addr.s_addr = INADDR_ANY; /* ignored */
1.103 markus 946: buffer_append(&c->output, (char *)&s4_rsp, sizeof(s4_rsp));
1.104 markus 947: return 1;
948: }
949:
950: /* dynamic port forwarding */
1.109.2.3 jason 951: static void
1.104 markus 952: channel_pre_dynamic(Channel *c, fd_set * readset, fd_set * writeset)
953: {
954: u_char *p;
955: int have, ret;
1.103 markus 956:
1.104 markus 957: have = buffer_len(&c->input);
1.109.2.4! miod 958: c->delayed = 0;
1.104 markus 959: debug2("channel %d: pre_dynamic: have %d", c->self, have);
1.105 markus 960: /* buffer_dump(&c->input); */
1.104 markus 961: /* check if the fixed size part of the packet is in buffer. */
962: if (have < 4) {
963: /* need more */
964: FD_SET(c->sock, readset);
965: return;
966: }
967: /* try to guess the protocol */
968: p = buffer_ptr(&c->input);
969: switch (p[0]) {
970: case 0x04:
971: ret = channel_decode_socks4(c, readset, writeset);
972: break;
973: default:
974: ret = -1;
975: break;
976: }
977: if (ret < 0) {
1.109.2.3 jason 978: chan_mark_dead(c);
1.104 markus 979: } else if (ret == 0) {
980: debug2("channel %d: pre_dynamic: need more", c->self);
981: /* need more */
982: FD_SET(c->sock, readset);
983: } else {
984: /* switch to the next state */
985: c->type = SSH_CHANNEL_OPENING;
986: port_open_helper(c, "direct-tcpip");
987: }
1.103 markus 988: }
989:
1.41 markus 990: /* This is our fake X11 server socket. */
1.109.2.3 jason 991: static void
1.41 markus 992: channel_post_x11_listener(Channel *c, fd_set * readset, fd_set * writeset)
993: {
1.109.2.3 jason 994: Channel *nc;
1.41 markus 995: struct sockaddr addr;
1.109.2.3 jason 996: int newsock;
1.41 markus 997: socklen_t addrlen;
1.85 markus 998: char buf[16384], *remote_ipaddr;
1.51 markus 999: int remote_port;
1.25 markus 1000:
1.41 markus 1001: if (FD_ISSET(c->sock, readset)) {
1002: debug("X11 connection requested.");
1003: addrlen = sizeof(addr);
1004: newsock = accept(c->sock, &addr, &addrlen);
1005: if (newsock < 0) {
1006: error("accept: %.100s", strerror(errno));
1007: return;
1008: }
1.85 markus 1009: remote_ipaddr = get_peer_ipaddr(newsock);
1.51 markus 1010: remote_port = get_peer_port(newsock);
1.41 markus 1011: snprintf(buf, sizeof buf, "X11 connection from %.200s port %d",
1.85 markus 1012: remote_ipaddr, remote_port);
1.51 markus 1013:
1.109.2.3 jason 1014: nc = channel_new("accepted x11 socket",
1.51 markus 1015: SSH_CHANNEL_OPENING, newsock, newsock, -1,
1016: c->local_window_max, c->local_maxpacket,
1.71 markus 1017: 0, xstrdup(buf), 1);
1.109.2.3 jason 1018: if (nc == NULL) {
1019: close(newsock);
1020: xfree(remote_ipaddr);
1021: return;
1022: }
1.51 markus 1023: if (compat20) {
1024: packet_start(SSH2_MSG_CHANNEL_OPEN);
1025: packet_put_cstring("x11");
1.109.2.3 jason 1026: packet_put_int(nc->self);
1.51 markus 1027: packet_put_int(c->local_window_max);
1028: packet_put_int(c->local_maxpacket);
1.85 markus 1029: /* originator ipaddr and port */
1030: packet_put_cstring(remote_ipaddr);
1.57 markus 1031: if (datafellows & SSH_BUG_X11FWD) {
1032: debug("ssh2 x11 bug compat mode");
1033: } else {
1034: packet_put_int(remote_port);
1035: }
1.51 markus 1036: packet_send();
1037: } else {
1038: packet_start(SSH_SMSG_X11_OPEN);
1.109.2.3 jason 1039: packet_put_int(nc->self);
1040: if (packet_get_protocol_flags() &
1041: SSH_PROTOFLAG_HOST_IN_FWD_OPEN)
1042: packet_put_cstring(buf);
1.51 markus 1043: packet_send();
1044: }
1.85 markus 1045: xfree(remote_ipaddr);
1.41 markus 1046: }
1047: }
1.25 markus 1048:
1.109.2.3 jason 1049: static void
1.103 markus 1050: port_open_helper(Channel *c, char *rtype)
1051: {
1052: int direct;
1053: char buf[1024];
1054: char *remote_ipaddr = get_peer_ipaddr(c->sock);
1055: u_short remote_port = get_peer_port(c->sock);
1056:
1057: direct = (strcmp(rtype, "direct-tcpip") == 0);
1058:
1059: snprintf(buf, sizeof buf,
1060: "%s: listening port %d for %.100s port %d, "
1061: "connect from %.200s port %d",
1062: rtype, c->listening_port, c->path, c->host_port,
1063: remote_ipaddr, remote_port);
1064:
1065: xfree(c->remote_name);
1066: c->remote_name = xstrdup(buf);
1067:
1068: if (compat20) {
1069: packet_start(SSH2_MSG_CHANNEL_OPEN);
1070: packet_put_cstring(rtype);
1071: packet_put_int(c->self);
1072: packet_put_int(c->local_window_max);
1073: packet_put_int(c->local_maxpacket);
1074: if (direct) {
1075: /* target host, port */
1076: packet_put_cstring(c->path);
1077: packet_put_int(c->host_port);
1078: } else {
1079: /* listen address, port */
1080: packet_put_cstring(c->path);
1081: packet_put_int(c->listening_port);
1082: }
1083: /* originator host and port */
1084: packet_put_cstring(remote_ipaddr);
1085: packet_put_int(remote_port);
1086: packet_send();
1087: } else {
1088: packet_start(SSH_MSG_PORT_OPEN);
1089: packet_put_int(c->self);
1090: packet_put_cstring(c->path);
1091: packet_put_int(c->host_port);
1.109.2.3 jason 1092: if (packet_get_protocol_flags() &
1093: SSH_PROTOFLAG_HOST_IN_FWD_OPEN)
1.103 markus 1094: packet_put_cstring(c->remote_name);
1095: packet_send();
1096: }
1097: xfree(remote_ipaddr);
1098: }
1099:
1.41 markus 1100: /*
1101: * This socket is listening for connections to a forwarded TCP/IP port.
1102: */
1.109.2.3 jason 1103: static void
1.41 markus 1104: channel_post_port_listener(Channel *c, fd_set * readset, fd_set * writeset)
1105: {
1.103 markus 1106: Channel *nc;
1.41 markus 1107: struct sockaddr addr;
1.109.2.3 jason 1108: int newsock, nextstate;
1.41 markus 1109: socklen_t addrlen;
1.103 markus 1110: char *rtype;
1.73 markus 1111:
1.41 markus 1112: if (FD_ISSET(c->sock, readset)) {
1113: debug("Connection to port %d forwarding "
1114: "to %.100s port %d requested.",
1115: c->listening_port, c->path, c->host_port);
1.103 markus 1116:
1.109.2.4! miod 1117: if (c->type == SSH_CHANNEL_RPORT_LISTENER) {
! 1118: nextstate = SSH_CHANNEL_OPENING;
! 1119: rtype = "forwarded-tcpip";
! 1120: } else {
! 1121: if (c->host_port == 0) {
! 1122: nextstate = SSH_CHANNEL_DYNAMIC;
! 1123: rtype = "dynamic-tcpip";
! 1124: } else {
! 1125: nextstate = SSH_CHANNEL_OPENING;
! 1126: rtype = "direct-tcpip";
! 1127: }
! 1128: }
1.103 markus 1129:
1.41 markus 1130: addrlen = sizeof(addr);
1131: newsock = accept(c->sock, &addr, &addrlen);
1132: if (newsock < 0) {
1133: error("accept: %.100s", strerror(errno));
1134: return;
1135: }
1.109.2.3 jason 1136: nc = channel_new(rtype,
1.103 markus 1137: nextstate, newsock, newsock, -1,
1.41 markus 1138: c->local_window_max, c->local_maxpacket,
1.103 markus 1139: 0, xstrdup(rtype), 1);
1140: if (nc == NULL) {
1.109.2.3 jason 1141: error("channel_post_port_listener: no new channel:");
1142: close(newsock);
1.103 markus 1143: return;
1.41 markus 1144: }
1.103 markus 1145: nc->listening_port = c->listening_port;
1146: nc->host_port = c->host_port;
1147: strlcpy(nc->path, c->path, sizeof(nc->path));
1148:
1.109.2.4! miod 1149: if (nextstate == SSH_CHANNEL_DYNAMIC) {
! 1150: /*
! 1151: * do not call the channel_post handler until
! 1152: * this flag has been reset by a pre-handler.
! 1153: * otherwise the FD_ISSET calls might overflow
! 1154: */
! 1155: nc->delayed = 1;
! 1156: } else {
1.103 markus 1157: port_open_helper(nc, rtype);
1.109.2.4! miod 1158: }
1.41 markus 1159: }
1160: }
1.25 markus 1161:
1.41 markus 1162: /*
1163: * This is the authentication agent socket listening for connections from
1164: * clients.
1165: */
1.109.2.3 jason 1166: static void
1.41 markus 1167: channel_post_auth_listener(Channel *c, fd_set * readset, fd_set * writeset)
1168: {
1.109.2.3 jason 1169: Channel *nc;
1170: char *name;
1171: int newsock;
1.41 markus 1172: struct sockaddr addr;
1173: socklen_t addrlen;
1.25 markus 1174:
1.41 markus 1175: if (FD_ISSET(c->sock, readset)) {
1176: addrlen = sizeof(addr);
1177: newsock = accept(c->sock, &addr, &addrlen);
1178: if (newsock < 0) {
1179: error("accept from auth socket: %.100s", strerror(errno));
1180: return;
1181: }
1.109.2.3 jason 1182: name = xstrdup("accepted auth socket");
1183: nc = channel_new("accepted auth socket",
1.73 markus 1184: SSH_CHANNEL_OPENING, newsock, newsock, -1,
1185: c->local_window_max, c->local_maxpacket,
1.109.2.3 jason 1186: 0, name, 1);
1187: if (nc == NULL) {
1188: error("channel_post_auth_listener: channel_new failed");
1189: xfree(name);
1190: close(newsock);
1191: }
1.73 markus 1192: if (compat20) {
1193: packet_start(SSH2_MSG_CHANNEL_OPEN);
1194: packet_put_cstring("auth-agent@openssh.com");
1.109.2.3 jason 1195: packet_put_int(nc->self);
1.73 markus 1196: packet_put_int(c->local_window_max);
1197: packet_put_int(c->local_maxpacket);
1198: } else {
1199: packet_start(SSH_SMSG_AGENT_OPEN);
1.109.2.3 jason 1200: packet_put_int(nc->self);
1.73 markus 1201: }
1.41 markus 1202: packet_send();
1203: }
1204: }
1.25 markus 1205:
1.109.2.3 jason 1206: static void
1.75 markus 1207: channel_post_connecting(Channel *c, fd_set * readset, fd_set * writeset)
1208: {
1.109.2.3 jason 1209: int err = 0;
1210: socklen_t sz = sizeof(err);
1211:
1.75 markus 1212: if (FD_ISSET(c->sock, writeset)) {
1.109.2.3 jason 1213: if (getsockopt(c->sock, SOL_SOCKET, SO_ERROR, (char *)&err,
1214: &sz) < 0) {
1215: err = errno;
1216: error("getsockopt SO_ERROR failed");
1217: }
1218: if (err == 0) {
1219: debug("channel %d: connected", c->self);
1220: c->type = SSH_CHANNEL_OPEN;
1221: if (compat20) {
1222: packet_start(SSH2_MSG_CHANNEL_OPEN_CONFIRMATION);
1223: packet_put_int(c->remote_id);
1224: packet_put_int(c->self);
1225: packet_put_int(c->local_window);
1226: packet_put_int(c->local_maxpacket);
1227: } else {
1228: packet_start(SSH_MSG_CHANNEL_OPEN_CONFIRMATION);
1229: packet_put_int(c->remote_id);
1230: packet_put_int(c->self);
1231: }
1.75 markus 1232: } else {
1.109.2.3 jason 1233: debug("channel %d: not connected: %s",
1234: c->self, strerror(err));
1235: if (compat20) {
1236: packet_start(SSH2_MSG_CHANNEL_OPEN_FAILURE);
1237: packet_put_int(c->remote_id);
1238: packet_put_int(SSH2_OPEN_CONNECT_FAILED);
1239: if (!(datafellows & SSH_BUG_OPENFAILURE)) {
1240: packet_put_cstring(strerror(err));
1241: packet_put_cstring("");
1242: }
1.75 markus 1243: } else {
1.109.2.3 jason 1244: packet_start(SSH_MSG_CHANNEL_OPEN_FAILURE);
1245: packet_put_int(c->remote_id);
1.75 markus 1246: }
1.109.2.3 jason 1247: chan_mark_dead(c);
1.75 markus 1248: }
1.109.2.3 jason 1249: packet_send();
1.75 markus 1250: }
1251: }
1252:
1.109.2.3 jason 1253: static int
1.41 markus 1254: channel_handle_rfd(Channel *c, fd_set * readset, fd_set * writeset)
1255: {
1256: char buf[16*1024];
1257: int len;
1.25 markus 1258:
1.41 markus 1259: if (c->rfd != -1 &&
1260: FD_ISSET(c->rfd, readset)) {
1261: len = read(c->rfd, buf, sizeof(buf));
1.53 markus 1262: if (len < 0 && (errno == EINTR || errno == EAGAIN))
1263: return 1;
1.41 markus 1264: if (len <= 0) {
1.51 markus 1265: debug("channel %d: read<=0 rfd %d len %d",
1.41 markus 1266: c->self, c->rfd, len);
1.104 markus 1267: if (c->type != SSH_CHANNEL_OPEN) {
1268: debug("channel %d: not open", c->self);
1.109.2.3 jason 1269: chan_mark_dead(c);
1.103 markus 1270: return -1;
1.104 markus 1271: } else if (compat13) {
1.41 markus 1272: buffer_consume(&c->output, buffer_len(&c->output));
1273: c->type = SSH_CHANNEL_INPUT_DRAINING;
1.109.2.3 jason 1274: debug("channel %d: input draining.", c->self);
1.25 markus 1275: } else {
1.41 markus 1276: chan_read_failed(c);
1.25 markus 1277: }
1.41 markus 1278: return -1;
1279: }
1.65 markus 1280: if(c->input_filter != NULL) {
1.66 markus 1281: if (c->input_filter(c, buf, len) == -1) {
1.105 markus 1282: debug("channel %d: filter stops", c->self);
1.65 markus 1283: chan_read_failed(c);
1284: }
1285: } else {
1286: buffer_append(&c->input, buf, len);
1287: }
1.41 markus 1288: }
1289: return 1;
1290: }
1.109.2.3 jason 1291: static int
1.41 markus 1292: channel_handle_wfd(Channel *c, fd_set * readset, fd_set * writeset)
1293: {
1.95 markus 1294: struct termios tio;
1.109.2.3 jason 1295: u_char *data;
1296: u_int dlen;
1.41 markus 1297: int len;
1.25 markus 1298:
1.41 markus 1299: /* Send buffered output data to the socket. */
1300: if (c->wfd != -1 &&
1301: FD_ISSET(c->wfd, writeset) &&
1302: buffer_len(&c->output) > 0) {
1.109.2.3 jason 1303: data = buffer_ptr(&c->output);
1304: dlen = buffer_len(&c->output);
1305: len = write(c->wfd, data, dlen);
1.53 markus 1306: if (len < 0 && (errno == EINTR || errno == EAGAIN))
1307: return 1;
1.41 markus 1308: if (len <= 0) {
1.104 markus 1309: if (c->type != SSH_CHANNEL_OPEN) {
1310: debug("channel %d: not open", c->self);
1.109.2.3 jason 1311: chan_mark_dead(c);
1.104 markus 1312: return -1;
1313: } else if (compat13) {
1.41 markus 1314: buffer_consume(&c->output, buffer_len(&c->output));
1.109.2.3 jason 1315: debug("channel %d: input draining.", c->self);
1.41 markus 1316: c->type = SSH_CHANNEL_INPUT_DRAINING;
1317: } else {
1318: chan_write_failed(c);
1319: }
1320: return -1;
1.91 markus 1321: }
1.109.2.3 jason 1322: if (compat20 && c->isatty && dlen >= 1 && data[0] != '\r') {
1.91 markus 1323: if (tcgetattr(c->wfd, &tio) == 0 &&
1324: !(tio.c_lflag & ECHO) && (tio.c_lflag & ICANON)) {
1325: /*
1326: * Simulate echo to reduce the impact of
1.96 markus 1327: * traffic analysis. We need to match the
1.95 markus 1328: * size of a SSH2_MSG_CHANNEL_DATA message
1329: * (4 byte channel id + data)
1.91 markus 1330: */
1.95 markus 1331: packet_send_ignore(4 + len);
1.91 markus 1332: packet_send();
1333: }
1.25 markus 1334: }
1.41 markus 1335: buffer_consume(&c->output, len);
1.44 markus 1336: if (compat20 && len > 0) {
1337: c->local_consumed += len;
1338: }
1339: }
1340: return 1;
1341: }
1.109.2.3 jason 1342: static int
1.44 markus 1343: channel_handle_efd(Channel *c, fd_set * readset, fd_set * writeset)
1344: {
1345: char buf[16*1024];
1346: int len;
1347:
1.45 markus 1348: /** XXX handle drain efd, too */
1.44 markus 1349: if (c->efd != -1) {
1350: if (c->extended_usage == CHAN_EXTENDED_WRITE &&
1351: FD_ISSET(c->efd, writeset) &&
1352: buffer_len(&c->extended) > 0) {
1353: len = write(c->efd, buffer_ptr(&c->extended),
1354: buffer_len(&c->extended));
1.70 markus 1355: debug2("channel %d: written %d to efd %d",
1.44 markus 1356: c->self, len, c->efd);
1.93 markus 1357: if (len < 0 && (errno == EINTR || errno == EAGAIN))
1358: return 1;
1359: if (len <= 0) {
1360: debug2("channel %d: closing write-efd %d",
1361: c->self, c->efd);
1.109.2.3 jason 1362: channel_close_fd(&c->efd);
1.93 markus 1363: } else {
1.44 markus 1364: buffer_consume(&c->extended, len);
1365: c->local_consumed += len;
1366: }
1367: } else if (c->extended_usage == CHAN_EXTENDED_READ &&
1368: FD_ISSET(c->efd, readset)) {
1369: len = read(c->efd, buf, sizeof(buf));
1.70 markus 1370: debug2("channel %d: read %d from efd %d",
1.44 markus 1371: c->self, len, c->efd);
1.93 markus 1372: if (len < 0 && (errno == EINTR || errno == EAGAIN))
1373: return 1;
1374: if (len <= 0) {
1375: debug2("channel %d: closing read-efd %d",
1.45 markus 1376: c->self, c->efd);
1.109.2.3 jason 1377: channel_close_fd(&c->efd);
1.93 markus 1378: } else {
1.44 markus 1379: buffer_append(&c->extended, buf, len);
1.93 markus 1380: }
1.44 markus 1381: }
1382: }
1383: return 1;
1384: }
1.109.2.3 jason 1385: static int
1.93 markus 1386: channel_check_window(Channel *c)
1.44 markus 1387: {
1.104 markus 1388: if (c->type == SSH_CHANNEL_OPEN &&
1389: !(c->flags & (CHAN_CLOSE_SENT|CHAN_CLOSE_RCVD)) &&
1.44 markus 1390: c->local_window < c->local_window_max/2 &&
1391: c->local_consumed > 0) {
1392: packet_start(SSH2_MSG_CHANNEL_WINDOW_ADJUST);
1393: packet_put_int(c->remote_id);
1394: packet_put_int(c->local_consumed);
1395: packet_send();
1.70 markus 1396: debug2("channel %d: window %d sent adjust %d",
1.44 markus 1397: c->self, c->local_window,
1398: c->local_consumed);
1399: c->local_window += c->local_consumed;
1400: c->local_consumed = 0;
1.1 deraadt 1401: }
1.41 markus 1402: return 1;
1.1 deraadt 1403: }
1404:
1.109.2.3 jason 1405: static void
1.41 markus 1406: channel_post_open_1(Channel *c, fd_set * readset, fd_set * writeset)
1407: {
1.109.2.4! miod 1408: if (c->delayed)
! 1409: return;
1.41 markus 1410: channel_handle_rfd(c, readset, writeset);
1411: channel_handle_wfd(c, readset, writeset);
1412: }
1.1 deraadt 1413:
1.109.2.3 jason 1414: static void
1.44 markus 1415: channel_post_open_2(Channel *c, fd_set * readset, fd_set * writeset)
1416: {
1.109.2.4! miod 1417: if (c->delayed)
! 1418: return;
1.44 markus 1419: channel_handle_rfd(c, readset, writeset);
1420: channel_handle_wfd(c, readset, writeset);
1421: channel_handle_efd(c, readset, writeset);
1.93 markus 1422:
1423: channel_check_window(c);
1.44 markus 1424: }
1425:
1.109.2.3 jason 1426: static void
1.41 markus 1427: channel_post_output_drain_13(Channel *c, fd_set * readset, fd_set * writeset)
1.1 deraadt 1428: {
1.41 markus 1429: int len;
1430: /* Send buffered output data to the socket. */
1431: if (FD_ISSET(c->sock, writeset) && buffer_len(&c->output) > 0) {
1432: len = write(c->sock, buffer_ptr(&c->output),
1433: buffer_len(&c->output));
1434: if (len <= 0)
1435: buffer_consume(&c->output, buffer_len(&c->output));
1436: else
1437: buffer_consume(&c->output, len);
1438: }
1439: }
1.25 markus 1440:
1.109.2.3 jason 1441: static void
1.44 markus 1442: channel_handler_init_20(void)
1443: {
1444: channel_pre[SSH_CHANNEL_OPEN] = &channel_pre_open_20;
1.51 markus 1445: channel_pre[SSH_CHANNEL_X11_OPEN] = &channel_pre_x11_open;
1.44 markus 1446: channel_pre[SSH_CHANNEL_PORT_LISTENER] = &channel_pre_listener;
1.73 markus 1447: channel_pre[SSH_CHANNEL_RPORT_LISTENER] = &channel_pre_listener;
1.51 markus 1448: channel_pre[SSH_CHANNEL_X11_LISTENER] = &channel_pre_listener;
1.73 markus 1449: channel_pre[SSH_CHANNEL_AUTH_SOCKET] = &channel_pre_listener;
1.75 markus 1450: channel_pre[SSH_CHANNEL_CONNECTING] = &channel_pre_connecting;
1.103 markus 1451: channel_pre[SSH_CHANNEL_DYNAMIC] = &channel_pre_dynamic;
1.44 markus 1452:
1453: channel_post[SSH_CHANNEL_OPEN] = &channel_post_open_2;
1454: channel_post[SSH_CHANNEL_PORT_LISTENER] = &channel_post_port_listener;
1.73 markus 1455: channel_post[SSH_CHANNEL_RPORT_LISTENER] = &channel_post_port_listener;
1.51 markus 1456: channel_post[SSH_CHANNEL_X11_LISTENER] = &channel_post_x11_listener;
1.73 markus 1457: channel_post[SSH_CHANNEL_AUTH_SOCKET] = &channel_post_auth_listener;
1.75 markus 1458: channel_post[SSH_CHANNEL_CONNECTING] = &channel_post_connecting;
1.104 markus 1459: channel_post[SSH_CHANNEL_DYNAMIC] = &channel_post_open_2;
1.44 markus 1460: }
1461:
1.109.2.3 jason 1462: static void
1.41 markus 1463: channel_handler_init_13(void)
1464: {
1465: channel_pre[SSH_CHANNEL_OPEN] = &channel_pre_open_13;
1466: channel_pre[SSH_CHANNEL_X11_OPEN] = &channel_pre_x11_open_13;
1467: channel_pre[SSH_CHANNEL_X11_LISTENER] = &channel_pre_listener;
1468: channel_pre[SSH_CHANNEL_PORT_LISTENER] = &channel_pre_listener;
1469: channel_pre[SSH_CHANNEL_AUTH_SOCKET] = &channel_pre_listener;
1470: channel_pre[SSH_CHANNEL_INPUT_DRAINING] = &channel_pre_input_draining;
1471: channel_pre[SSH_CHANNEL_OUTPUT_DRAINING] = &channel_pre_output_draining;
1.75 markus 1472: channel_pre[SSH_CHANNEL_CONNECTING] = &channel_pre_connecting;
1.103 markus 1473: channel_pre[SSH_CHANNEL_DYNAMIC] = &channel_pre_dynamic;
1.25 markus 1474:
1.41 markus 1475: channel_post[SSH_CHANNEL_OPEN] = &channel_post_open_1;
1476: channel_post[SSH_CHANNEL_X11_LISTENER] = &channel_post_x11_listener;
1477: channel_post[SSH_CHANNEL_PORT_LISTENER] = &channel_post_port_listener;
1478: channel_post[SSH_CHANNEL_AUTH_SOCKET] = &channel_post_auth_listener;
1479: channel_post[SSH_CHANNEL_OUTPUT_DRAINING] = &channel_post_output_drain_13;
1.75 markus 1480: channel_post[SSH_CHANNEL_CONNECTING] = &channel_post_connecting;
1.104 markus 1481: channel_post[SSH_CHANNEL_DYNAMIC] = &channel_post_open_1;
1.41 markus 1482: }
1.25 markus 1483:
1.109.2.3 jason 1484: static void
1.41 markus 1485: channel_handler_init_15(void)
1486: {
1487: channel_pre[SSH_CHANNEL_OPEN] = &channel_pre_open_15;
1.51 markus 1488: channel_pre[SSH_CHANNEL_X11_OPEN] = &channel_pre_x11_open;
1.41 markus 1489: channel_pre[SSH_CHANNEL_X11_LISTENER] = &channel_pre_listener;
1490: channel_pre[SSH_CHANNEL_PORT_LISTENER] = &channel_pre_listener;
1491: channel_pre[SSH_CHANNEL_AUTH_SOCKET] = &channel_pre_listener;
1.75 markus 1492: channel_pre[SSH_CHANNEL_CONNECTING] = &channel_pre_connecting;
1.103 markus 1493: channel_pre[SSH_CHANNEL_DYNAMIC] = &channel_pre_dynamic;
1.25 markus 1494:
1.41 markus 1495: channel_post[SSH_CHANNEL_X11_LISTENER] = &channel_post_x11_listener;
1496: channel_post[SSH_CHANNEL_PORT_LISTENER] = &channel_post_port_listener;
1497: channel_post[SSH_CHANNEL_AUTH_SOCKET] = &channel_post_auth_listener;
1498: channel_post[SSH_CHANNEL_OPEN] = &channel_post_open_1;
1.75 markus 1499: channel_post[SSH_CHANNEL_CONNECTING] = &channel_post_connecting;
1.104 markus 1500: channel_post[SSH_CHANNEL_DYNAMIC] = &channel_post_open_1;
1.41 markus 1501: }
1.27 markus 1502:
1.109.2.3 jason 1503: static void
1.41 markus 1504: channel_handler_init(void)
1505: {
1506: int i;
1507: for(i = 0; i < SSH_CHANNEL_MAX_TYPE; i++) {
1508: channel_pre[i] = NULL;
1509: channel_post[i] = NULL;
1510: }
1.44 markus 1511: if (compat20)
1512: channel_handler_init_20();
1513: else if (compat13)
1.41 markus 1514: channel_handler_init_13();
1515: else
1516: channel_handler_init_15();
1517: }
1.25 markus 1518:
1.109.2.4! miod 1519: /* gc dead channels */
! 1520: static void
! 1521: channel_garbage_collect(Channel *c)
! 1522: {
! 1523: if (c == NULL)
! 1524: return;
! 1525: if (c->detach_user != NULL) {
! 1526: if (!chan_is_dead(c, 0))
! 1527: return;
! 1528: debug("channel %d: gc: notify user", c->self);
! 1529: c->detach_user(c->self, NULL);
! 1530: /* if we still have a callback */
! 1531: if (c->detach_user != NULL)
! 1532: return;
! 1533: debug("channel %d: gc: user detached", c->self);
! 1534: }
! 1535: if (!chan_is_dead(c, 1))
! 1536: return;
! 1537: debug("channel %d: garbage collecting", c->self);
! 1538: channel_free(c);
! 1539: }
! 1540:
1.109.2.3 jason 1541: static void
1.41 markus 1542: channel_handler(chan_fn *ftab[], fd_set * readset, fd_set * writeset)
1543: {
1544: static int did_init = 0;
1545: int i;
1546: Channel *c;
1.25 markus 1547:
1.41 markus 1548: if (!did_init) {
1549: channel_handler_init();
1550: did_init = 1;
1551: }
1552: for (i = 0; i < channels_alloc; i++) {
1.109.2.3 jason 1553: c = channels[i];
1554: if (c == NULL)
1.25 markus 1555: continue;
1.109.2.3 jason 1556: if (ftab[c->type] != NULL)
1557: (*ftab[c->type])(c, readset, writeset);
1.109.2.4! miod 1558: channel_garbage_collect(c);
1.1 deraadt 1559: }
1560: }
1561:
1.109.2.3 jason 1562: /*
1563: * Allocate/update select bitmasks and add any bits relevant to channels in
1564: * select bitmasks.
1565: */
1.49 markus 1566: void
1.100 markus 1567: channel_prepare_select(fd_set **readsetp, fd_set **writesetp, int *maxfdp,
1.109.2.3 jason 1568: int *nallocp, int rekeying)
1.41 markus 1569: {
1.84 markus 1570: int n;
1571: u_int sz;
1572:
1573: n = MAX(*maxfdp, channel_max_fd);
1574:
1575: sz = howmany(n+1, NFDBITS) * sizeof(fd_mask);
1.109.2.3 jason 1576: /* perhaps check sz < nalloc/2 and shrink? */
1577: if (*readsetp == NULL || sz > *nallocp) {
1578: *readsetp = xrealloc(*readsetp, sz);
1579: *writesetp = xrealloc(*writesetp, sz);
1580: *nallocp = sz;
1.84 markus 1581: }
1.109.2.3 jason 1582: *maxfdp = n;
1.84 markus 1583: memset(*readsetp, 0, sz);
1584: memset(*writesetp, 0, sz);
1585:
1.100 markus 1586: if (!rekeying)
1587: channel_handler(channel_pre, *readsetp, *writesetp);
1.41 markus 1588: }
1589:
1.109.2.3 jason 1590: /*
1591: * After select, perform any appropriate operations for channels which have
1592: * events pending.
1593: */
1.49 markus 1594: void
1.41 markus 1595: channel_after_select(fd_set * readset, fd_set * writeset)
1596: {
1597: channel_handler(channel_post, readset, writeset);
1598: }
1599:
1.109.2.3 jason 1600:
1.84 markus 1601: /* If there is data to send to the connection, enqueue some of it now. */
1.1 deraadt 1602:
1.49 markus 1603: void
1.25 markus 1604: channel_output_poll()
1.1 deraadt 1605: {
1.25 markus 1606: int len, i;
1.41 markus 1607: Channel *c;
1.1 deraadt 1608:
1.25 markus 1609: for (i = 0; i < channels_alloc; i++) {
1.109.2.3 jason 1610: c = channels[i];
1611: if (c == NULL)
1612: continue;
1.37 markus 1613:
1.109.2.3 jason 1614: /*
1615: * We are only interested in channels that can have buffered
1616: * incoming data.
1617: */
1.37 markus 1618: if (compat13) {
1.41 markus 1619: if (c->type != SSH_CHANNEL_OPEN &&
1620: c->type != SSH_CHANNEL_INPUT_DRAINING)
1.37 markus 1621: continue;
1622: } else {
1.41 markus 1623: if (c->type != SSH_CHANNEL_OPEN)
1.37 markus 1624: continue;
1625: }
1.46 markus 1626: if (compat20 &&
1627: (c->flags & (CHAN_CLOSE_SENT|CHAN_CLOSE_RCVD))) {
1.93 markus 1628: /* XXX is this true? */
1.109.2.4! miod 1629: debug3("channel %d: will not send data after close", c->self);
1.44 markus 1630: continue;
1631: }
1.25 markus 1632:
1633: /* Get the amount of buffered data for this channel. */
1.93 markus 1634: if ((c->istate == CHAN_INPUT_OPEN ||
1635: c->istate == CHAN_INPUT_WAIT_DRAIN) &&
1636: (len = buffer_len(&c->input)) > 0) {
1.109.2.3 jason 1637: /*
1638: * Send some data for the other side over the secure
1639: * connection.
1640: */
1.44 markus 1641: if (compat20) {
1642: if (len > c->remote_window)
1643: len = c->remote_window;
1644: if (len > c->remote_maxpacket)
1645: len = c->remote_maxpacket;
1.25 markus 1646: } else {
1.44 markus 1647: if (packet_is_interactive()) {
1648: if (len > 1024)
1649: len = 512;
1650: } else {
1651: /* Keep the packets at reasonable size. */
1652: if (len > packet_get_maxsize()/2)
1653: len = packet_get_maxsize()/2;
1654: }
1.25 markus 1655: }
1.41 markus 1656: if (len > 0) {
1.44 markus 1657: packet_start(compat20 ?
1658: SSH2_MSG_CHANNEL_DATA : SSH_MSG_CHANNEL_DATA);
1.41 markus 1659: packet_put_int(c->remote_id);
1660: packet_put_string(buffer_ptr(&c->input), len);
1661: packet_send();
1662: buffer_consume(&c->input, len);
1663: c->remote_window -= len;
1664: }
1665: } else if (c->istate == CHAN_INPUT_WAIT_DRAIN) {
1.25 markus 1666: if (compat13)
1667: fatal("cannot happen: istate == INPUT_WAIT_DRAIN for proto 1.3");
1.27 markus 1668: /*
1669: * input-buffer is empty and read-socket shutdown:
1670: * tell peer, that we will not send more data: send IEOF
1671: */
1.41 markus 1672: chan_ibuf_empty(c);
1.25 markus 1673: }
1.44 markus 1674: /* Send extended data, i.e. stderr */
1675: if (compat20 &&
1676: c->remote_window > 0 &&
1677: (len = buffer_len(&c->extended)) > 0 &&
1678: c->extended_usage == CHAN_EXTENDED_READ) {
1.93 markus 1679: debug2("channel %d: rwin %d elen %d euse %d",
1680: c->self, c->remote_window, buffer_len(&c->extended),
1681: c->extended_usage);
1.44 markus 1682: if (len > c->remote_window)
1683: len = c->remote_window;
1684: if (len > c->remote_maxpacket)
1685: len = c->remote_maxpacket;
1686: packet_start(SSH2_MSG_CHANNEL_EXTENDED_DATA);
1687: packet_put_int(c->remote_id);
1688: packet_put_int(SSH2_EXTENDED_DATA_STDERR);
1689: packet_put_string(buffer_ptr(&c->extended), len);
1690: packet_send();
1691: buffer_consume(&c->extended, len);
1692: c->remote_window -= len;
1.93 markus 1693: debug2("channel %d: sent ext data %d", c->self, len);
1.44 markus 1694: }
1.25 markus 1695: }
1.1 deraadt 1696: }
1697:
1.109.2.3 jason 1698:
1699: /* -- protocol input */
1.1 deraadt 1700:
1.49 markus 1701: void
1.69 markus 1702: channel_input_data(int type, int plen, void *ctxt)
1.1 deraadt 1703: {
1.37 markus 1704: int id;
1.25 markus 1705: char *data;
1.77 markus 1706: u_int data_len;
1.41 markus 1707: Channel *c;
1.25 markus 1708:
1709: /* Get the channel number and verify it. */
1.37 markus 1710: id = packet_get_int();
1.41 markus 1711: c = channel_lookup(id);
1712: if (c == NULL)
1.37 markus 1713: packet_disconnect("Received data for nonexistent channel %d.", id);
1.25 markus 1714:
1715: /* Ignore any data for non-open channels (might happen on close) */
1.41 markus 1716: if (c->type != SSH_CHANNEL_OPEN &&
1717: c->type != SSH_CHANNEL_X11_OPEN)
1.37 markus 1718: return;
1719:
1720: /* same for protocol 1.5 if output end is no longer open */
1.41 markus 1721: if (!compat13 && c->ostate != CHAN_OUTPUT_OPEN)
1.25 markus 1722: return;
1723:
1724: /* Get the data. */
1725: data = packet_get_string(&data_len);
1.48 markus 1726: packet_done();
1.41 markus 1727:
1.44 markus 1728: if (compat20){
1729: if (data_len > c->local_maxpacket) {
1730: log("channel %d: rcvd big packet %d, maxpack %d",
1731: c->self, data_len, c->local_maxpacket);
1732: }
1733: if (data_len > c->local_window) {
1734: log("channel %d: rcvd too much data %d, win %d",
1735: c->self, data_len, c->local_window);
1736: xfree(data);
1737: return;
1738: }
1739: c->local_window -= data_len;
1740: }else{
1741: packet_integrity_check(plen, 4 + 4 + data_len, type);
1742: }
1.41 markus 1743: buffer_append(&c->output, data, data_len);
1.25 markus 1744: xfree(data);
1.1 deraadt 1745: }
1.109.2.3 jason 1746:
1.49 markus 1747: void
1.69 markus 1748: channel_input_extended_data(int type, int plen, void *ctxt)
1.44 markus 1749: {
1750: int id;
1751: int tcode;
1752: char *data;
1.77 markus 1753: u_int data_len;
1.44 markus 1754: Channel *c;
1755:
1756: /* Get the channel number and verify it. */
1757: id = packet_get_int();
1758: c = channel_lookup(id);
1759:
1760: if (c == NULL)
1761: packet_disconnect("Received extended_data for bad channel %d.", id);
1762: if (c->type != SSH_CHANNEL_OPEN) {
1763: log("channel %d: ext data for non open", id);
1764: return;
1765: }
1766: tcode = packet_get_int();
1767: if (c->efd == -1 ||
1768: c->extended_usage != CHAN_EXTENDED_WRITE ||
1769: tcode != SSH2_EXTENDED_DATA_STDERR) {
1770: log("channel %d: bad ext data", c->self);
1771: return;
1772: }
1773: data = packet_get_string(&data_len);
1.48 markus 1774: packet_done();
1.44 markus 1775: if (data_len > c->local_window) {
1776: log("channel %d: rcvd too much extended_data %d, win %d",
1777: c->self, data_len, c->local_window);
1778: xfree(data);
1779: return;
1780: }
1.70 markus 1781: debug2("channel %d: rcvd ext data %d", c->self, data_len);
1.44 markus 1782: c->local_window -= data_len;
1783: buffer_append(&c->extended, data, data_len);
1784: xfree(data);
1785: }
1786:
1.49 markus 1787: void
1.69 markus 1788: channel_input_ieof(int type, int plen, void *ctxt)
1.41 markus 1789: {
1790: int id;
1791: Channel *c;
1792:
1793: packet_integrity_check(plen, 4, type);
1794:
1795: id = packet_get_int();
1796: c = channel_lookup(id);
1797: if (c == NULL)
1798: packet_disconnect("Received ieof for nonexistent channel %d.", id);
1799: chan_rcvd_ieof(c);
1.109.2.3 jason 1800:
1801: /* XXX force input close */
1802: if (c->force_drain) {
1803: debug("channel %d: FORCE input drain", c->self);
1804: c->istate = CHAN_INPUT_WAIT_DRAIN;
1805: }
1806:
1.41 markus 1807: }
1.1 deraadt 1808:
1.49 markus 1809: void
1.69 markus 1810: channel_input_close(int type, int plen, void *ctxt)
1.1 deraadt 1811: {
1.41 markus 1812: int id;
1813: Channel *c;
1.1 deraadt 1814:
1.41 markus 1815: packet_integrity_check(plen, 4, type);
1816:
1817: id = packet_get_int();
1818: c = channel_lookup(id);
1819: if (c == NULL)
1820: packet_disconnect("Received close for nonexistent channel %d.", id);
1.27 markus 1821:
1822: /*
1823: * Send a confirmation that we have closed the channel and no more
1824: * data is coming for it.
1825: */
1.25 markus 1826: packet_start(SSH_MSG_CHANNEL_CLOSE_CONFIRMATION);
1.41 markus 1827: packet_put_int(c->remote_id);
1.25 markus 1828: packet_send();
1829:
1.27 markus 1830: /*
1831: * If the channel is in closed state, we have sent a close request,
1832: * and the other side will eventually respond with a confirmation.
1833: * Thus, we cannot free the channel here, because then there would be
1834: * no-one to receive the confirmation. The channel gets freed when
1835: * the confirmation arrives.
1836: */
1.41 markus 1837: if (c->type != SSH_CHANNEL_CLOSED) {
1.27 markus 1838: /*
1839: * Not a closed channel - mark it as draining, which will
1840: * cause it to be freed later.
1841: */
1.41 markus 1842: buffer_consume(&c->input, buffer_len(&c->input));
1843: c->type = SSH_CHANNEL_OUTPUT_DRAINING;
1.25 markus 1844: }
1.1 deraadt 1845: }
1846:
1.41 markus 1847: /* proto version 1.5 overloads CLOSE_CONFIRMATION with OCLOSE */
1.49 markus 1848: void
1.69 markus 1849: channel_input_oclose(int type, int plen, void *ctxt)
1.41 markus 1850: {
1851: int id = packet_get_int();
1852: Channel *c = channel_lookup(id);
1853: packet_integrity_check(plen, 4, type);
1854: if (c == NULL)
1855: packet_disconnect("Received oclose for nonexistent channel %d.", id);
1856: chan_rcvd_oclose(c);
1857: }
1.1 deraadt 1858:
1.49 markus 1859: void
1.69 markus 1860: channel_input_close_confirmation(int type, int plen, void *ctxt)
1.1 deraadt 1861: {
1.41 markus 1862: int id = packet_get_int();
1863: Channel *c = channel_lookup(id);
1.1 deraadt 1864:
1.48 markus 1865: packet_done();
1.41 markus 1866: if (c == NULL)
1867: packet_disconnect("Received close confirmation for "
1868: "out-of-range channel %d.", id);
1869: if (c->type != SSH_CHANNEL_CLOSED)
1870: packet_disconnect("Received close confirmation for "
1871: "non-closed channel %d (type %d).", id, c->type);
1.109.2.3 jason 1872: channel_free(c);
1.1 deraadt 1873: }
1874:
1.49 markus 1875: void
1.69 markus 1876: channel_input_open_confirmation(int type, int plen, void *ctxt)
1.1 deraadt 1877: {
1.41 markus 1878: int id, remote_id;
1879: Channel *c;
1.1 deraadt 1880:
1.44 markus 1881: if (!compat20)
1882: packet_integrity_check(plen, 4 + 4, type);
1.25 markus 1883:
1.41 markus 1884: id = packet_get_int();
1885: c = channel_lookup(id);
1.25 markus 1886:
1.41 markus 1887: if (c==NULL || c->type != SSH_CHANNEL_OPENING)
1888: packet_disconnect("Received open confirmation for "
1889: "non-opening channel %d.", id);
1890: remote_id = packet_get_int();
1.27 markus 1891: /* Record the remote channel number and mark that the channel is now open. */
1.41 markus 1892: c->remote_id = remote_id;
1893: c->type = SSH_CHANNEL_OPEN;
1.44 markus 1894:
1895: if (compat20) {
1896: c->remote_window = packet_get_int();
1897: c->remote_maxpacket = packet_get_int();
1.48 markus 1898: packet_done();
1.44 markus 1899: if (c->cb_fn != NULL && c->cb_event == type) {
1.70 markus 1900: debug2("callback start");
1.44 markus 1901: c->cb_fn(c->self, c->cb_arg);
1.70 markus 1902: debug2("callback done");
1.44 markus 1903: }
1904: debug("channel %d: open confirm rwindow %d rmax %d", c->self,
1905: c->remote_window, c->remote_maxpacket);
1906: }
1.1 deraadt 1907: }
1908:
1.109.2.3 jason 1909: static char *
1910: reason2txt(int reason)
1911: {
1912: switch(reason) {
1913: case SSH2_OPEN_ADMINISTRATIVELY_PROHIBITED:
1914: return "administratively prohibited";
1915: case SSH2_OPEN_CONNECT_FAILED:
1916: return "connect failed";
1917: case SSH2_OPEN_UNKNOWN_CHANNEL_TYPE:
1918: return "unknown channel type";
1919: case SSH2_OPEN_RESOURCE_SHORTAGE:
1920: return "resource shortage";
1921: }
1922: return "unknown reason";
1923: }
1924:
1.49 markus 1925: void
1.69 markus 1926: channel_input_open_failure(int type, int plen, void *ctxt)
1.1 deraadt 1927: {
1.86 markus 1928: int id, reason;
1929: char *msg = NULL, *lang = NULL;
1.41 markus 1930: Channel *c;
1931:
1.44 markus 1932: if (!compat20)
1933: packet_integrity_check(plen, 4, type);
1.41 markus 1934:
1935: id = packet_get_int();
1936: c = channel_lookup(id);
1.25 markus 1937:
1.41 markus 1938: if (c==NULL || c->type != SSH_CHANNEL_OPENING)
1939: packet_disconnect("Received open failure for "
1940: "non-opening channel %d.", id);
1.44 markus 1941: if (compat20) {
1.86 markus 1942: reason = packet_get_int();
1.109.2.3 jason 1943: if (!(datafellows & SSH_BUG_OPENFAILURE)) {
1.86 markus 1944: msg = packet_get_string(NULL);
1945: lang = packet_get_string(NULL);
1946: }
1.48 markus 1947: packet_done();
1.109.2.3 jason 1948: log("channel %d: open failed: %s%s%s", id,
1949: reason2txt(reason), msg ? ": ": "", msg ? msg : "");
1.86 markus 1950: if (msg != NULL)
1951: xfree(msg);
1952: if (lang != NULL)
1953: xfree(lang);
1.44 markus 1954: }
1.25 markus 1955: /* Free the channel. This will also close the socket. */
1.109.2.3 jason 1956: channel_free(c);
1.1 deraadt 1957: }
1958:
1.44 markus 1959: void
1.69 markus 1960: channel_input_channel_request(int type, int plen, void *ctxt)
1.44 markus 1961: {
1962: int id;
1963: Channel *c;
1964:
1965: id = packet_get_int();
1966: c = channel_lookup(id);
1967:
1968: if (c == NULL ||
1969: (c->type != SSH_CHANNEL_OPEN && c->type != SSH_CHANNEL_LARVAL))
1970: packet_disconnect("Received request for "
1971: "non-open channel %d.", id);
1972: if (c->cb_fn != NULL && c->cb_event == type) {
1.70 markus 1973: debug2("callback start");
1.44 markus 1974: c->cb_fn(c->self, c->cb_arg);
1.70 markus 1975: debug2("callback done");
1.44 markus 1976: } else {
1977: char *service = packet_get_string(NULL);
1.94 markus 1978: debug("channel %d: rcvd request for %s", c->self, service);
1.70 markus 1979: debug("cb_fn %p cb_event %d", c->cb_fn , c->cb_event);
1.44 markus 1980: xfree(service);
1981: }
1982: }
1983:
1.49 markus 1984: void
1.69 markus 1985: channel_input_window_adjust(int type, int plen, void *ctxt)
1.44 markus 1986: {
1987: Channel *c;
1988: int id, adjust;
1989:
1990: if (!compat20)
1991: return;
1992:
1993: /* Get the channel number and verify it. */
1994: id = packet_get_int();
1.109.2.3 jason 1995: c = channel_lookup(id);
1.1 deraadt 1996:
1.109.2.3 jason 1997: if (c == NULL || c->type != SSH_CHANNEL_OPEN) {
1998: log("Received window adjust for "
1999: "non-open channel %d.", id);
2000: return;
2001: }
2002: adjust = packet_get_int();
2003: packet_done();
2004: debug2("channel %d: rcvd adjust %d", id, adjust);
2005: c->remote_window += adjust;
2006: }
1.1 deraadt 2007:
1.109.2.3 jason 2008: void
2009: channel_input_port_open(int type, int plen, void *ctxt)
1.1 deraadt 2010: {
1.109.2.3 jason 2011: Channel *c = NULL;
2012: u_short host_port;
2013: char *host, *originator_string;
2014: int remote_id, sock = -1;
1.25 markus 2015:
1.109.2.3 jason 2016: remote_id = packet_get_int();
2017: host = packet_get_string(NULL);
2018: host_port = packet_get_int();
2019:
2020: if (packet_get_protocol_flags() & SSH_PROTOFLAG_HOST_IN_FWD_OPEN) {
2021: originator_string = packet_get_string(NULL);
2022: } else {
2023: originator_string = xstrdup("unknown (remote did not supply name)");
2024: }
2025: packet_done();
2026: sock = channel_connect_to(host, host_port);
2027: if (sock != -1) {
2028: c = channel_new("connected socket",
2029: SSH_CHANNEL_CONNECTING, sock, sock, -1, 0, 0, 0,
2030: originator_string, 1);
2031: if (c == NULL) {
2032: error("channel_input_port_open: channel_new failed");
2033: close(sock);
2034: } else {
2035: c->remote_id = remote_id;
1.25 markus 2036: }
2037: }
1.109.2.3 jason 2038: if (c == NULL) {
2039: packet_start(SSH_MSG_CHANNEL_OPEN_FAILURE);
2040: packet_put_int(remote_id);
2041: packet_send();
2042: }
2043: xfree(host);
1.1 deraadt 2044: }
2045:
1.109.2.3 jason 2046:
2047: /* -- tcp forwarding */
1.109.2.4! miod 2048:
! 2049: void
! 2050: channel_set_af(int af)
! 2051: {
! 2052: IPv4or6 = af;
! 2053: }
1.109.2.3 jason 2054:
1.27 markus 2055: /*
2056: * Initiate forwarding of connections to local port "port" through the secure
2057: * channel to host:port from remote side.
2058: */
1.87 markus 2059: int
1.73 markus 2060: channel_request_local_forwarding(u_short listen_port, const char *host_to_connect,
2061: u_short port_to_connect, int gateway_ports)
2062: {
1.87 markus 2063: return channel_request_forwarding(
1.73 markus 2064: NULL, listen_port,
2065: host_to_connect, port_to_connect,
2066: gateway_ports, /*remote_fwd*/ 0);
2067: }
1.1 deraadt 2068:
1.73 markus 2069: /*
2070: * If 'remote_fwd' is true we have a '-R style' listener for protocol 2
2071: * (SSH_CHANNEL_RPORT_LISTENER).
2072: */
1.87 markus 2073: int
1.73 markus 2074: channel_request_forwarding(
2075: const char *listen_address, u_short listen_port,
2076: const char *host_to_connect, u_short port_to_connect,
2077: int gateway_ports, int remote_fwd)
1.25 markus 2078: {
1.109.2.3 jason 2079: Channel *c;
2080: int success, sock, on = 1, type;
1.35 markus 2081: struct addrinfo hints, *ai, *aitop;
2082: char ntop[NI_MAXHOST], strport[NI_MAXSERV];
1.73 markus 2083: const char *host;
1.28 markus 2084: struct linger linger;
1.25 markus 2085:
1.87 markus 2086: success = 0;
2087:
1.73 markus 2088: if (remote_fwd) {
2089: host = listen_address;
1.109.2.3 jason 2090: type = SSH_CHANNEL_RPORT_LISTENER;
1.73 markus 2091: } else {
2092: host = host_to_connect;
1.109.2.3 jason 2093: type = SSH_CHANNEL_PORT_LISTENER;
1.73 markus 2094: }
2095:
1.109.2.3 jason 2096: if (strlen(host) > SSH_CHANNEL_PATH_LEN - 1) {
1.87 markus 2097: error("Forward host name too long.");
2098: return success;
2099: }
1.25 markus 2100:
1.73 markus 2101: /* XXX listen_address is currently ignored */
1.28 markus 2102: /*
1.35 markus 2103: * getaddrinfo returns a loopback address if the hostname is
2104: * set to NULL and hints.ai_flags is not AI_PASSIVE
1.28 markus 2105: */
1.35 markus 2106: memset(&hints, 0, sizeof(hints));
2107: hints.ai_family = IPv4or6;
2108: hints.ai_flags = gateway_ports ? AI_PASSIVE : 0;
2109: hints.ai_socktype = SOCK_STREAM;
1.73 markus 2110: snprintf(strport, sizeof strport, "%d", listen_port);
1.35 markus 2111: if (getaddrinfo(NULL, strport, &hints, &aitop) != 0)
2112: packet_disconnect("getaddrinfo: fatal error");
2113:
2114: for (ai = aitop; ai; ai = ai->ai_next) {
2115: if (ai->ai_family != AF_INET && ai->ai_family != AF_INET6)
2116: continue;
2117: if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop, sizeof(ntop),
2118: strport, sizeof(strport), NI_NUMERICHOST|NI_NUMERICSERV) != 0) {
1.73 markus 2119: error("channel_request_forwarding: getnameinfo failed");
1.35 markus 2120: continue;
2121: }
2122: /* Create a port to listen for the host. */
2123: sock = socket(ai->ai_family, SOCK_STREAM, 0);
2124: if (sock < 0) {
2125: /* this is no error since kernel may not support ipv6 */
2126: verbose("socket: %.100s", strerror(errno));
2127: continue;
2128: }
2129: /*
2130: * Set socket options. We would like the socket to disappear
2131: * as soon as it has been closed for whatever reason.
2132: */
2133: setsockopt(sock, SOL_SOCKET, SO_REUSEADDR, (void *)&on, sizeof(on));
2134: linger.l_onoff = 1;
2135: linger.l_linger = 5;
2136: setsockopt(sock, SOL_SOCKET, SO_LINGER, (void *)&linger, sizeof(linger));
2137: debug("Local forwarding listening on %s port %s.", ntop, strport);
2138:
2139: /* Bind the socket to the address. */
2140: if (bind(sock, ai->ai_addr, ai->ai_addrlen) < 0) {
2141: /* address can be in use ipv6 address is already bound */
2142: verbose("bind: %.100s", strerror(errno));
2143: close(sock);
2144: continue;
2145: }
2146: /* Start listening for connections on the socket. */
2147: if (listen(sock, 5) < 0) {
2148: error("listen: %.100s", strerror(errno));
2149: close(sock);
2150: continue;
2151: }
2152: /* Allocate a channel number for the socket. */
1.109.2.3 jason 2153: c = channel_new("port listener", type, sock, sock, -1,
1.51 markus 2154: CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT,
1.71 markus 2155: 0, xstrdup("port listener"), 1);
1.109.2.3 jason 2156: if (c == NULL) {
2157: error("channel_request_forwarding: channel_new failed");
2158: close(sock);
2159: continue;
2160: }
2161: strlcpy(c->path, host, sizeof(c->path));
2162: c->host_port = port_to_connect;
2163: c->listening_port = listen_port;
1.35 markus 2164: success = 1;
2165: }
2166: if (success == 0)
1.87 markus 2167: error("channel_request_forwarding: cannot listen to port: %d",
2168: listen_port);
1.35 markus 2169: freeaddrinfo(aitop);
1.87 markus 2170: return success;
1.25 markus 2171: }
1.1 deraadt 2172:
1.27 markus 2173: /*
2174: * Initiate forwarding of connections to port "port" on remote host through
2175: * the secure channel to host:port from local side.
2176: */
1.1 deraadt 2177:
1.49 markus 2178: void
1.73 markus 2179: channel_request_remote_forwarding(u_short listen_port,
2180: const char *host_to_connect, u_short port_to_connect)
1.25 markus 2181: {
1.73 markus 2182: int payload_len, type, success = 0;
2183:
1.25 markus 2184: /* Record locally that connection to this host/port is permitted. */
2185: if (num_permitted_opens >= SSH_MAX_FORWARDS_PER_DIRECTION)
2186: fatal("channel_request_remote_forwarding: too many forwards");
2187:
2188: /* Send the forward request to the remote side. */
1.44 markus 2189: if (compat20) {
2190: const char *address_to_bind = "0.0.0.0";
2191: packet_start(SSH2_MSG_GLOBAL_REQUEST);
2192: packet_put_cstring("tcpip-forward");
2193: packet_put_char(0); /* boolean: want reply */
2194: packet_put_cstring(address_to_bind);
2195: packet_put_int(listen_port);
1.73 markus 2196: packet_send();
2197: packet_write_wait();
2198: /* Assume that server accepts the request */
2199: success = 1;
1.44 markus 2200: } else {
2201: packet_start(SSH_CMSG_PORT_FORWARD_REQUEST);
1.50 markus 2202: packet_put_int(listen_port);
2203: packet_put_cstring(host_to_connect);
1.44 markus 2204: packet_put_int(port_to_connect);
2205: packet_send();
2206: packet_write_wait();
1.73 markus 2207:
2208: /* Wait for response from the remote side. */
2209: type = packet_read(&payload_len);
2210: switch (type) {
2211: case SSH_SMSG_SUCCESS:
2212: success = 1;
2213: break;
2214: case SSH_SMSG_FAILURE:
2215: log("Warning: Server denied remote port forwarding.");
2216: break;
2217: default:
2218: /* Unknown packet */
2219: packet_disconnect("Protocol error for port forward request:"
2220: "received packet type %d.", type);
2221: }
2222: }
2223: if (success) {
2224: permitted_opens[num_permitted_opens].host_to_connect = xstrdup(host_to_connect);
2225: permitted_opens[num_permitted_opens].port_to_connect = port_to_connect;
2226: permitted_opens[num_permitted_opens].listen_port = listen_port;
2227: num_permitted_opens++;
1.44 markus 2228: }
1.1 deraadt 2229: }
2230:
1.27 markus 2231: /*
2232: * This is called after receiving CHANNEL_FORWARDING_REQUEST. This initates
2233: * listening for the port, and sends back a success reply (or disconnect
2234: * message if there was an error). This never returns if there was an error.
2235: */
1.1 deraadt 2236:
1.49 markus 2237: void
1.56 markus 2238: channel_input_port_forward_request(int is_root, int gateway_ports)
1.1 deraadt 2239: {
1.31 markus 2240: u_short port, host_port;
1.25 markus 2241: char *hostname;
1.1 deraadt 2242:
1.25 markus 2243: /* Get arguments from the packet. */
2244: port = packet_get_int();
2245: hostname = packet_get_string(NULL);
2246: host_port = packet_get_int();
2247:
1.27 markus 2248: /*
2249: * Check that an unprivileged user is not trying to forward a
2250: * privileged port.
2251: */
1.25 markus 2252: if (port < IPPORT_RESERVED && !is_root)
2253: packet_disconnect("Requested forwarding of port %d but user is not root.",
2254: port);
1.73 markus 2255: /* Initiate forwarding */
1.56 markus 2256: channel_request_local_forwarding(port, hostname, host_port, gateway_ports);
1.25 markus 2257:
2258: /* Free the argument string. */
2259: xfree(hostname);
1.1 deraadt 2260: }
2261:
1.99 markus 2262: /*
2263: * Permits opening to any host/port if permitted_opens[] is empty. This is
2264: * usually called by the server, because the user could connect to any port
2265: * anyway, and the server has no way to know but to trust the client anyway.
2266: */
2267: void
2268: channel_permit_all_opens()
2269: {
2270: if (num_permitted_opens == 0)
2271: all_opens_permitted = 1;
2272: }
2273:
1.101 markus 2274: void
1.99 markus 2275: channel_add_permitted_opens(char *host, int port)
2276: {
2277: if (num_permitted_opens >= SSH_MAX_FORWARDS_PER_DIRECTION)
2278: fatal("channel_request_remote_forwarding: too many forwards");
2279: debug("allow port forwarding to host %s port %d", host, port);
2280:
2281: permitted_opens[num_permitted_opens].host_to_connect = xstrdup(host);
2282: permitted_opens[num_permitted_opens].port_to_connect = port;
2283: num_permitted_opens++;
2284:
2285: all_opens_permitted = 0;
2286: }
2287:
1.101 markus 2288: void
1.99 markus 2289: channel_clear_permitted_opens(void)
2290: {
2291: int i;
2292:
2293: for (i = 0; i < num_permitted_opens; i++)
2294: xfree(permitted_opens[i].host_to_connect);
2295: num_permitted_opens = 0;
2296:
2297: }
2298:
2299:
2300: /* return socket to remote host, port */
1.109.2.3 jason 2301: static int
1.99 markus 2302: connect_to(const char *host, u_short port)
1.41 markus 2303: {
2304: struct addrinfo hints, *ai, *aitop;
2305: char ntop[NI_MAXHOST], strport[NI_MAXSERV];
2306: int gaierr;
2307: int sock = -1;
2308:
2309: memset(&hints, 0, sizeof(hints));
2310: hints.ai_family = IPv4or6;
2311: hints.ai_socktype = SOCK_STREAM;
1.99 markus 2312: snprintf(strport, sizeof strport, "%d", port);
1.41 markus 2313: if ((gaierr = getaddrinfo(host, strport, &hints, &aitop)) != 0) {
1.99 markus 2314: error("connect_to %.100s: unknown host (%s)", host,
2315: gai_strerror(gaierr));
1.41 markus 2316: return -1;
2317: }
2318: for (ai = aitop; ai; ai = ai->ai_next) {
2319: if (ai->ai_family != AF_INET && ai->ai_family != AF_INET6)
2320: continue;
2321: if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop, sizeof(ntop),
2322: strport, sizeof(strport), NI_NUMERICHOST|NI_NUMERICSERV) != 0) {
1.99 markus 2323: error("connect_to: getnameinfo failed");
1.41 markus 2324: continue;
2325: }
2326: sock = socket(ai->ai_family, SOCK_STREAM, 0);
2327: if (sock < 0) {
2328: error("socket: %.100s", strerror(errno));
2329: continue;
2330: }
1.80 markus 2331: if (fcntl(sock, F_SETFL, O_NONBLOCK) < 0)
1.75 markus 2332: fatal("connect_to: F_SETFL: %s", strerror(errno));
2333: if (connect(sock, ai->ai_addr, ai->ai_addrlen) < 0 &&
2334: errno != EINPROGRESS) {
1.99 markus 2335: error("connect_to %.100s port %s: %.100s", ntop, strport,
1.41 markus 2336: strerror(errno));
2337: close(sock);
1.89 stevesk 2338: continue; /* fail -- try next */
1.41 markus 2339: }
2340: break; /* success */
2341:
2342: }
2343: freeaddrinfo(aitop);
2344: if (!ai) {
1.99 markus 2345: error("connect_to %.100s port %d: failed.", host, port);
1.41 markus 2346: return -1;
2347: }
2348: /* success */
2349: return sock;
2350: }
1.99 markus 2351:
1.73 markus 2352: int
1.109.2.3 jason 2353: channel_connect_by_listen_address(u_short listen_port)
1.73 markus 2354: {
2355: int i;
1.99 markus 2356:
1.73 markus 2357: for (i = 0; i < num_permitted_opens; i++)
2358: if (permitted_opens[i].listen_port == listen_port)
1.99 markus 2359: return connect_to(
1.73 markus 2360: permitted_opens[i].host_to_connect,
2361: permitted_opens[i].port_to_connect);
1.74 markus 2362: error("WARNING: Server requests forwarding for unknown listen_port %d",
2363: listen_port);
1.73 markus 2364: return -1;
2365: }
2366:
1.99 markus 2367: /* Check if connecting to that port is permitted and connect. */
2368: int
2369: channel_connect_to(const char *host, u_short port)
2370: {
2371: int i, permit;
2372:
2373: permit = all_opens_permitted;
2374: if (!permit) {
2375: for (i = 0; i < num_permitted_opens; i++)
2376: if (permitted_opens[i].port_to_connect == port &&
2377: strcmp(permitted_opens[i].host_to_connect, host) == 0)
2378: permit = 1;
2379:
2380: }
2381: if (!permit) {
2382: log("Received request to connect to host %.100s port %d, "
2383: "but the request was denied.", host, port);
2384: return -1;
2385: }
2386: return connect_to(host, port);
2387: }
2388:
1.109.2.3 jason 2389: /* -- X11 forwarding */
1.1 deraadt 2390:
1.27 markus 2391: /*
2392: * Creates an internet domain socket for listening for X11 connections.
2393: * Returns a suitable value for the DISPLAY variable, or NULL if an error
2394: * occurs.
2395: */
1.25 markus 2396: char *
1.33 markus 2397: x11_create_display_inet(int screen_number, int x11_display_offset)
1.1 deraadt 2398: {
1.31 markus 2399: int display_number, sock;
2400: u_short port;
1.35 markus 2401: struct addrinfo hints, *ai, *aitop;
2402: char strport[NI_MAXSERV];
2403: int gaierr, n, num_socks = 0, socks[NUM_SOCKS];
2404: char display[512];
1.25 markus 2405: char hostname[MAXHOSTNAMELEN];
2406:
1.33 markus 2407: for (display_number = x11_display_offset;
1.25 markus 2408: display_number < MAX_DISPLAYS;
2409: display_number++) {
2410: port = 6000 + display_number;
1.35 markus 2411: memset(&hints, 0, sizeof(hints));
2412: hints.ai_family = IPv4or6;
1.36 markus 2413: hints.ai_flags = AI_PASSIVE; /* XXX loopback only ? */
1.35 markus 2414: hints.ai_socktype = SOCK_STREAM;
2415: snprintf(strport, sizeof strport, "%d", port);
2416: if ((gaierr = getaddrinfo(NULL, strport, &hints, &aitop)) != 0) {
2417: error("getaddrinfo: %.100s", gai_strerror(gaierr));
1.25 markus 2418: return NULL;
2419: }
1.35 markus 2420: for (ai = aitop; ai; ai = ai->ai_next) {
2421: if (ai->ai_family != AF_INET && ai->ai_family != AF_INET6)
2422: continue;
2423: sock = socket(ai->ai_family, SOCK_STREAM, 0);
2424: if (sock < 0) {
2425: error("socket: %.100s", strerror(errno));
2426: return NULL;
2427: }
2428: if (bind(sock, ai->ai_addr, ai->ai_addrlen) < 0) {
2429: debug("bind port %d: %.100s", port, strerror(errno));
2430: shutdown(sock, SHUT_RDWR);
2431: close(sock);
2432: for (n = 0; n < num_socks; n++) {
2433: shutdown(socks[n], SHUT_RDWR);
2434: close(socks[n]);
2435: }
2436: num_socks = 0;
2437: break;
2438: }
2439: socks[num_socks++] = sock;
2440: if (num_socks == NUM_SOCKS)
2441: break;
1.25 markus 2442: }
1.83 stevesk 2443: freeaddrinfo(aitop);
1.35 markus 2444: if (num_socks > 0)
2445: break;
1.25 markus 2446: }
2447: if (display_number >= MAX_DISPLAYS) {
2448: error("Failed to allocate internet-domain X11 display socket.");
2449: return NULL;
2450: }
2451: /* Start listening for connections on the socket. */
1.35 markus 2452: for (n = 0; n < num_socks; n++) {
2453: sock = socks[n];
2454: if (listen(sock, 5) < 0) {
2455: error("listen: %.100s", strerror(errno));
2456: shutdown(sock, SHUT_RDWR);
2457: close(sock);
2458: return NULL;
2459: }
1.25 markus 2460: }
1.35 markus 2461:
1.25 markus 2462: /* Set up a suitable value for the DISPLAY variable. */
2463: if (gethostname(hostname, sizeof(hostname)) < 0)
2464: fatal("gethostname: %.100s", strerror(errno));
1.35 markus 2465: snprintf(display, sizeof display, "%.400s:%d.%d", hostname,
1.25 markus 2466: display_number, screen_number);
2467:
1.35 markus 2468: /* Allocate a channel for each socket. */
2469: for (n = 0; n < num_socks; n++) {
2470: sock = socks[n];
1.51 markus 2471: (void) channel_new("x11 listener",
2472: SSH_CHANNEL_X11_LISTENER, sock, sock, -1,
2473: CHAN_X11_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT,
1.71 markus 2474: 0, xstrdup("X11 inet listener"), 1);
1.35 markus 2475: }
1.1 deraadt 2476:
1.25 markus 2477: /* Return a suitable value for the DISPLAY environment variable. */
1.35 markus 2478: return xstrdup(display);
1.1 deraadt 2479: }
2480:
2481: #ifndef X_UNIX_PATH
2482: #define X_UNIX_PATH "/tmp/.X11-unix/X"
2483: #endif
2484:
1.109.2.3 jason 2485: static int
1.77 markus 2486: connect_local_xsocket(u_int dnr)
1.1 deraadt 2487: {
1.25 markus 2488: static const char *const x_sockets[] = {
2489: X_UNIX_PATH "%u",
2490: "/var/X/.X11-unix/X" "%u",
2491: "/usr/spool/sockets/X11/" "%u",
2492: NULL
2493: };
2494: int sock;
2495: struct sockaddr_un addr;
2496: const char *const * path;
2497:
2498: for (path = x_sockets; *path; ++path) {
2499: sock = socket(AF_UNIX, SOCK_STREAM, 0);
2500: if (sock < 0)
2501: error("socket: %.100s", strerror(errno));
2502: memset(&addr, 0, sizeof(addr));
2503: addr.sun_family = AF_UNIX;
2504: snprintf(addr.sun_path, sizeof addr.sun_path, *path, dnr);
2505: if (connect(sock, (struct sockaddr *) & addr, sizeof(addr)) == 0)
2506: return sock;
2507: close(sock);
2508: }
2509: error("connect %.100s: %.100s", addr.sun_path, strerror(errno));
2510: return -1;
1.1 deraadt 2511: }
2512:
1.51 markus 2513: int
2514: x11_connect_display(void)
1.1 deraadt 2515: {
1.51 markus 2516: int display_number, sock = 0;
1.25 markus 2517: const char *display;
1.51 markus 2518: char buf[1024], *cp;
1.35 markus 2519: struct addrinfo hints, *ai, *aitop;
2520: char strport[NI_MAXSERV];
2521: int gaierr;
1.25 markus 2522:
2523: /* Try to open a socket for the local X server. */
2524: display = getenv("DISPLAY");
2525: if (!display) {
2526: error("DISPLAY not set.");
1.51 markus 2527: return -1;
1.25 markus 2528: }
1.27 markus 2529: /*
2530: * Now we decode the value of the DISPLAY variable and make a
2531: * connection to the real X server.
2532: */
2533:
2534: /*
2535: * Check if it is a unix domain socket. Unix domain displays are in
2536: * one of the following formats: unix:d[.s], :d[.s], ::d[.s]
2537: */
1.25 markus 2538: if (strncmp(display, "unix:", 5) == 0 ||
2539: display[0] == ':') {
2540: /* Connect to the unix domain socket. */
2541: if (sscanf(strrchr(display, ':') + 1, "%d", &display_number) != 1) {
2542: error("Could not parse display number from DISPLAY: %.100s",
2543: display);
1.51 markus 2544: return -1;
1.25 markus 2545: }
2546: /* Create a socket. */
2547: sock = connect_local_xsocket(display_number);
2548: if (sock < 0)
1.51 markus 2549: return -1;
1.25 markus 2550:
2551: /* OK, we now have a connection to the display. */
1.51 markus 2552: return sock;
1.25 markus 2553: }
1.27 markus 2554: /*
2555: * Connect to an inet socket. The DISPLAY value is supposedly
2556: * hostname:d[.s], where hostname may also be numeric IP address.
2557: */
1.25 markus 2558: strncpy(buf, display, sizeof(buf));
2559: buf[sizeof(buf) - 1] = 0;
2560: cp = strchr(buf, ':');
2561: if (!cp) {
2562: error("Could not find ':' in DISPLAY: %.100s", display);
1.51 markus 2563: return -1;
1.25 markus 2564: }
2565: *cp = 0;
1.27 markus 2566: /* buf now contains the host name. But first we parse the display number. */
1.25 markus 2567: if (sscanf(cp + 1, "%d", &display_number) != 1) {
2568: error("Could not parse display number from DISPLAY: %.100s",
2569: display);
1.51 markus 2570: return -1;
1.25 markus 2571: }
1.35 markus 2572:
2573: /* Look up the host address */
2574: memset(&hints, 0, sizeof(hints));
2575: hints.ai_family = IPv4or6;
2576: hints.ai_socktype = SOCK_STREAM;
2577: snprintf(strport, sizeof strport, "%d", 6000 + display_number);
2578: if ((gaierr = getaddrinfo(buf, strport, &hints, &aitop)) != 0) {
2579: error("%.100s: unknown host. (%s)", buf, gai_strerror(gaierr));
1.51 markus 2580: return -1;
1.25 markus 2581: }
1.35 markus 2582: for (ai = aitop; ai; ai = ai->ai_next) {
2583: /* Create a socket. */
2584: sock = socket(ai->ai_family, SOCK_STREAM, 0);
2585: if (sock < 0) {
2586: debug("socket: %.100s", strerror(errno));
1.41 markus 2587: continue;
2588: }
2589: /* Connect it to the display. */
2590: if (connect(sock, ai->ai_addr, ai->ai_addrlen) < 0) {
2591: debug("connect %.100s port %d: %.100s", buf,
2592: 6000 + display_number, strerror(errno));
2593: close(sock);
2594: continue;
2595: }
2596: /* Success */
2597: break;
1.35 markus 2598: }
2599: freeaddrinfo(aitop);
2600: if (!ai) {
1.49 markus 2601: error("connect %.100s port %d: %.100s", buf, 6000 + display_number,
1.35 markus 2602: strerror(errno));
1.51 markus 2603: return -1;
1.25 markus 2604: }
1.51 markus 2605: return sock;
2606: }
2607:
2608: /*
2609: * This is called when SSH_SMSG_X11_OPEN is received. The packet contains
2610: * the remote channel number. We should do whatever we want, and respond
2611: * with either SSH_MSG_OPEN_CONFIRMATION or SSH_MSG_OPEN_FAILURE.
2612: */
2613:
2614: void
1.69 markus 2615: x11_input_open(int type, int plen, void *ctxt)
1.51 markus 2616: {
1.109.2.3 jason 2617: Channel *c = NULL;
2618: int remote_id, sock = 0;
1.51 markus 2619: char *remote_host;
1.25 markus 2620:
1.109.2.3 jason 2621: debug("Received X11 open request.");
2622:
2623: remote_id = packet_get_int();
1.51 markus 2624:
1.109.2.3 jason 2625: if (packet_get_protocol_flags() & SSH_PROTOFLAG_HOST_IN_FWD_OPEN) {
2626: remote_host = packet_get_string(NULL);
1.51 markus 2627: } else {
2628: remote_host = xstrdup("unknown (remote did not supply name)");
2629: }
1.109.2.3 jason 2630: packet_done();
1.25 markus 2631:
1.51 markus 2632: /* Obtain a connection to the real X display. */
2633: sock = x11_connect_display();
1.109.2.3 jason 2634: if (sock != -1) {
2635: /* Allocate a channel for this connection. */
2636: c = channel_new("connected x11 socket",
2637: SSH_CHANNEL_X11_OPEN, sock, sock, -1, 0, 0, 0,
2638: remote_host, 1);
2639: if (c == NULL) {
2640: error("x11_input_open: channel_new failed");
2641: close(sock);
2642: } else {
2643: c->remote_id = remote_id;
2644: c->force_drain = 1;
2645: }
2646: }
2647: if (c == NULL) {
1.51 markus 2648: /* Send refusal to the remote host. */
2649: packet_start(SSH_MSG_CHANNEL_OPEN_FAILURE);
1.109.2.3 jason 2650: packet_put_int(remote_id);
1.51 markus 2651: } else {
2652: /* Send a confirmation to the remote host. */
2653: packet_start(SSH_MSG_CHANNEL_OPEN_CONFIRMATION);
1.109.2.3 jason 2654: packet_put_int(remote_id);
2655: packet_put_int(c->self);
1.51 markus 2656: }
1.109.2.3 jason 2657: packet_send();
1.72 markus 2658: }
2659:
2660: /* dummy protocol handler that denies SSH-1 requests (agent/x11) */
2661: void
2662: deny_input_open(int type, int plen, void *ctxt)
2663: {
2664: int rchan = packet_get_int();
2665: switch(type){
2666: case SSH_SMSG_AGENT_OPEN:
2667: error("Warning: ssh server tried agent forwarding.");
2668: break;
2669: case SSH_SMSG_X11_OPEN:
2670: error("Warning: ssh server tried X11 forwarding.");
2671: break;
2672: default:
2673: error("deny_input_open: type %d plen %d", type, plen);
2674: break;
2675: }
2676: error("Warning: this is probably a break in attempt by a malicious server.");
2677: packet_start(SSH_MSG_CHANNEL_OPEN_FAILURE);
2678: packet_put_int(rchan);
2679: packet_send();
1.1 deraadt 2680: }
2681:
1.27 markus 2682: /*
2683: * Requests forwarding of X11 connections, generates fake authentication
2684: * data, and enables authentication spoofing.
1.109.2.3 jason 2685: * This should be called in the client only.
1.27 markus 2686: */
1.49 markus 2687: void
1.51 markus 2688: x11_request_forwarding_with_spoofing(int client_session_id,
2689: const char *proto, const char *data)
1.1 deraadt 2690: {
1.77 markus 2691: u_int data_len = (u_int) strlen(data) / 2;
1.90 markus 2692: u_int i, value, len;
1.25 markus 2693: char *new_data;
2694: int screen_number;
2695: const char *cp;
2696: u_int32_t rand = 0;
2697:
2698: cp = getenv("DISPLAY");
2699: if (cp)
2700: cp = strchr(cp, ':');
2701: if (cp)
2702: cp = strchr(cp, '.');
2703: if (cp)
2704: screen_number = atoi(cp + 1);
2705: else
2706: screen_number = 0;
2707:
2708: /* Save protocol name. */
2709: x11_saved_proto = xstrdup(proto);
2710:
1.27 markus 2711: /*
2712: * Extract real authentication data and generate fake data of the
2713: * same length.
2714: */
1.25 markus 2715: x11_saved_data = xmalloc(data_len);
2716: x11_fake_data = xmalloc(data_len);
2717: for (i = 0; i < data_len; i++) {
2718: if (sscanf(data + 2 * i, "%2x", &value) != 1)
2719: fatal("x11_request_forwarding: bad authentication data: %.100s", data);
2720: if (i % 4 == 0)
2721: rand = arc4random();
2722: x11_saved_data[i] = value;
2723: x11_fake_data[i] = rand & 0xff;
2724: rand >>= 8;
2725: }
2726: x11_saved_data_len = data_len;
2727: x11_fake_data_len = data_len;
2728:
2729: /* Convert the fake data into hex. */
1.90 markus 2730: len = 2 * data_len + 1;
2731: new_data = xmalloc(len);
1.25 markus 2732: for (i = 0; i < data_len; i++)
1.90 markus 2733: snprintf(new_data + 2 * i, len - 2 * i,
2734: "%02x", (u_char) x11_fake_data[i]);
1.25 markus 2735:
2736: /* Send the request packet. */
1.51 markus 2737: if (compat20) {
2738: channel_request_start(client_session_id, "x11-req", 0);
2739: packet_put_char(0); /* XXX bool single connection */
2740: } else {
2741: packet_start(SSH_CMSG_X11_REQUEST_FORWARDING);
2742: }
2743: packet_put_cstring(proto);
2744: packet_put_cstring(new_data);
1.25 markus 2745: packet_put_int(screen_number);
2746: packet_send();
2747: packet_write_wait();
2748: xfree(new_data);
1.1 deraadt 2749: }
2750:
1.109.2.3 jason 2751:
2752: /* -- agent forwarding */
2753:
1.1 deraadt 2754: /* Sends a message to the server to request authentication fd forwarding. */
2755:
1.49 markus 2756: void
1.25 markus 2757: auth_request_forwarding()
1.1 deraadt 2758: {
1.25 markus 2759: packet_start(SSH_CMSG_AGENT_REQUEST_FORWARDING);
2760: packet_send();
2761: packet_write_wait();
1.1 deraadt 2762: }
2763:
1.27 markus 2764: /*
2765: * Returns the name of the forwarded authentication socket. Returns NULL if
2766: * there is no forwarded authentication socket. The returned value points to
2767: * a static buffer.
2768: */
1.1 deraadt 2769:
1.25 markus 2770: char *
2771: auth_get_socket_name()
1.1 deraadt 2772: {
1.109.2.3 jason 2773: return auth_sock_name;
1.1 deraadt 2774: }
2775:
1.12 markus 2776: /* removes the agent forwarding socket */
2777:
1.49 markus 2778: void
1.109.2.1 jason 2779: auth_sock_cleanup_proc(void *_pw)
1.25 markus 2780: {
1.109.2.1 jason 2781: struct passwd *pw = _pw;
2782:
1.109.2.3 jason 2783: if (auth_sock_name) {
1.109.2.1 jason 2784: temporarily_use_uid(pw);
1.109.2.3 jason 2785: unlink(auth_sock_name);
2786: rmdir(auth_sock_dir);
2787: auth_sock_name = NULL;
1.109.2.1 jason 2788: restore_uid();
2789: }
1.12 markus 2790: }
2791:
1.27 markus 2792: /*
1.59 markus 2793: * This is called to process SSH_CMSG_AGENT_REQUEST_FORWARDING on the server.
1.27 markus 2794: * This starts forwarding authentication requests.
2795: */
1.1 deraadt 2796:
1.59 markus 2797: int
1.25 markus 2798: auth_input_request_forwarding(struct passwd * pw)
1.1 deraadt 2799: {
1.109.2.3 jason 2800: Channel *nc;
2801: int sock;
1.25 markus 2802: struct sockaddr_un sunaddr;
2803:
1.109.2.3 jason 2804: if (auth_get_socket_name() != NULL) {
2805: error("authentication forwarding requested twice.");
2806: return 0;
2807: }
1.25 markus 2808:
2809: /* Temporarily drop privileged uid for mkdir/bind. */
1.102 markus 2810: temporarily_use_uid(pw);
1.25 markus 2811:
2812: /* Allocate a buffer for the socket name, and format the name. */
1.109.2.3 jason 2813: auth_sock_name = xmalloc(MAXPATHLEN);
2814: auth_sock_dir = xmalloc(MAXPATHLEN);
2815: strlcpy(auth_sock_dir, "/tmp/ssh-XXXXXXXX", MAXPATHLEN);
1.25 markus 2816:
2817: /* Create private directory for socket */
1.109.2.3 jason 2818: if (mkdtemp(auth_sock_dir) == NULL) {
2819: packet_send_debug("Agent forwarding disabled: "
2820: "mkdtemp() failed: %.100s", strerror(errno));
1.59 markus 2821: restore_uid();
1.109.2.3 jason 2822: xfree(auth_sock_name);
2823: xfree(auth_sock_dir);
2824: auth_sock_name = NULL;
2825: auth_sock_dir = NULL;
1.59 markus 2826: return 0;
2827: }
1.109.2.3 jason 2828: snprintf(auth_sock_name, MAXPATHLEN, "%s/agent.%d",
2829: auth_sock_dir, (int) getpid());
1.25 markus 2830:
1.109.2.1 jason 2831: /* delete agent socket on fatal() */
2832: fatal_add_cleanup(auth_sock_cleanup_proc, pw);
2833:
1.25 markus 2834: /* Create the socket. */
2835: sock = socket(AF_UNIX, SOCK_STREAM, 0);
2836: if (sock < 0)
2837: packet_disconnect("socket: %.100s", strerror(errno));
2838:
2839: /* Bind it to the name. */
2840: memset(&sunaddr, 0, sizeof(sunaddr));
2841: sunaddr.sun_family = AF_UNIX;
1.109.2.3 jason 2842: strncpy(sunaddr.sun_path, auth_sock_name,
1.25 markus 2843: sizeof(sunaddr.sun_path));
2844:
2845: if (bind(sock, (struct sockaddr *) & sunaddr, sizeof(sunaddr)) < 0)
2846: packet_disconnect("bind: %.100s", strerror(errno));
2847:
2848: /* Restore the privileged uid. */
2849: restore_uid();
2850:
2851: /* Start listening on the socket. */
2852: if (listen(sock, 5) < 0)
2853: packet_disconnect("listen: %.100s", strerror(errno));
2854:
2855: /* Allocate a channel for the authentication agent socket. */
1.109.2.3 jason 2856: nc = channel_new("auth socket",
1.73 markus 2857: SSH_CHANNEL_AUTH_SOCKET, sock, sock, -1,
2858: CHAN_X11_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT,
2859: 0, xstrdup("auth socket"), 1);
1.109.2.3 jason 2860: if (nc == NULL) {
2861: error("auth_input_request_forwarding: channel_new failed");
2862: auth_sock_cleanup_proc(pw);
2863: fatal_remove_cleanup(auth_sock_cleanup_proc, pw);
2864: close(sock);
2865: return 0;
2866: }
2867: strlcpy(nc->path, auth_sock_name, sizeof(nc->path));
1.59 markus 2868: return 1;
1.1 deraadt 2869: }
2870:
2871: /* This is called to process an SSH_SMSG_AGENT_OPEN message. */
2872:
1.49 markus 2873: void
1.69 markus 2874: auth_input_open_request(int type, int plen, void *ctxt)
1.1 deraadt 2875: {
1.109.2.3 jason 2876: Channel *c = NULL;
2877: int remote_id, sock;
2878: char *name;
1.41 markus 2879:
2880: packet_integrity_check(plen, 4, type);
1.25 markus 2881:
2882: /* Read the remote channel number from the message. */
1.109.2.3 jason 2883: remote_id = packet_get_int();
1.25 markus 2884:
1.27 markus 2885: /*
2886: * Get a connection to the local authentication agent (this may again
2887: * get forwarded).
2888: */
1.25 markus 2889: sock = ssh_get_authentication_socket();
2890:
1.27 markus 2891: /*
2892: * If we could not connect the agent, send an error message back to
2893: * the server. This should never happen unless the agent dies,
2894: * because authentication forwarding is only enabled if we have an
2895: * agent.
2896: */
1.109.2.3 jason 2897: if (sock >= 0) {
2898: name = xstrdup("authentication agent connection");
2899: c = channel_new("", SSH_CHANNEL_OPEN, sock, sock,
2900: -1, 0, 0, 0, name, 1);
2901: if (c == NULL) {
2902: error("auth_input_open_request: channel_new failed");
2903: xfree(name);
2904: close(sock);
2905: } else {
2906: c->remote_id = remote_id;
2907: c->force_drain = 1;
2908: }
1.44 markus 2909: }
1.65 markus 2910: if (c == NULL) {
1.109.2.3 jason 2911: packet_start(SSH_MSG_CHANNEL_OPEN_FAILURE);
2912: packet_put_int(remote_id);
2913: } else {
2914: /* Send a confirmation to the remote host. */
2915: debug("Forwarding authentication connection.");
2916: packet_start(SSH_MSG_CHANNEL_OPEN_CONFIRMATION);
2917: packet_put_int(remote_id);
2918: packet_put_int(c->self);
1.65 markus 2919: }
1.25 markus 2920: packet_send();
1.1 deraadt 2921: }