Annotation of src/usr.bin/ssh/channels.c, Revision 1.15
1.1 deraadt 1: /*
2:
3: channels.c
4:
5: Author: Tatu Ylonen <ylo@cs.hut.fi>
6:
7: Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
8: All rights reserved
9:
10: Created: Fri Mar 24 16:35:24 1995 ylo
11:
12: This file contains functions for generic socket connection forwarding.
13: There is also code for initiating connection forwarding for X11 connections,
14: arbitrary tcp/ip connections, and the authentication agent connection.
15:
16: */
17:
18: #include "includes.h"
1.15 ! deraadt 19: RCSID("$Id: channels.c,v 1.14 1999/10/16 20:47:13 markus Exp $");
1.1 deraadt 20:
21: #include "ssh.h"
22: #include "packet.h"
23: #include "xmalloc.h"
24: #include "buffer.h"
25: #include "authfd.h"
26: #include "uidswap.h"
1.3 deraadt 27: #include "servconf.h"
1.1 deraadt 28:
1.14 markus 29: #include "channels.h"
30: #include "nchan.h"
31: #include "compat.h"
32:
1.1 deraadt 33: /* Maximum number of fake X11 displays to try. */
34: #define MAX_DISPLAYS 1000
35:
1.12 markus 36: /* Max len of agent socket */
37: #define MAX_SOCKET_NAME 100
38:
1.1 deraadt 39: /* Pointer to an array containing all allocated channels. The array is
40: dynamically extended as needed. */
41: static Channel *channels = NULL;
42:
43: /* Size of the channel array. All slots of the array must always be
44: initialized (at least the type field); unused slots are marked with
45: type SSH_CHANNEL_FREE. */
46: static int channels_alloc = 0;
47:
48: /* Maximum file descriptor value used in any of the channels. This is updated
49: in channel_allocate. */
50: static int channel_max_fd_value = 0;
51:
1.12 markus 52: /* Name and directory of socket for authentication agent forwarding. */
1.1 deraadt 53: static char *channel_forwarded_auth_socket_name = NULL;
1.12 markus 54: static char *channel_forwarded_auth_socket_dir = NULL;
1.1 deraadt 55:
56: /* Saved X11 authentication protocol name. */
57: char *x11_saved_proto = NULL;
58:
59: /* Saved X11 authentication data. This is the real data. */
60: char *x11_saved_data = NULL;
61: unsigned int x11_saved_data_len = 0;
62:
63: /* Fake X11 authentication data. This is what the server will be sending
64: us; we should replace any occurrences of this by the real data. */
65: char *x11_fake_data = NULL;
66: unsigned int x11_fake_data_len;
67:
68: /* Data structure for storing which hosts are permitted for forward requests.
69: The local sides of any remote forwards are stored in this array to prevent
70: a corrupt remote server from accessing arbitrary TCP/IP ports on our
71: local network (which might be behind a firewall). */
72: typedef struct
73: {
74: char *host; /* Host name. */
75: int port; /* Port number. */
76: } ForwardPermission;
77:
78: /* List of all permitted host/port pairs to connect. */
79: static ForwardPermission permitted_opens[SSH_MAX_FORWARDS_PER_DIRECTION];
80: /* Number of permitted host/port pairs in the array. */
81: static int num_permitted_opens = 0;
82: /* If this is true, all opens are permitted. This is the case on the
83: server on which we have to trust the client anyway, and the user could
84: do anything after logging in anyway. */
85: static int all_opens_permitted = 0;
86:
87: /* This is set to true if both sides support SSH_PROTOFLAG_HOST_IN_FWD_OPEN. */
88: static int have_hostname_in_open = 0;
89:
90: /* Sets specific protocol options. */
91:
92: void channel_set_options(int hostname_in_open)
93: {
94: have_hostname_in_open = hostname_in_open;
95: }
96:
97: /* Permits opening to any host/port in SSH_MSG_PORT_OPEN. This is usually
98: called by the server, because the user could connect to any port anyway,
99: and the server has no way to know but to trust the client anyway. */
100:
101: void channel_permit_all_opens()
102: {
103: all_opens_permitted = 1;
104: }
105:
106: /* Allocate a new channel object and set its type and socket.
107: This will cause remote_name to be freed. */
108:
109: int channel_allocate(int type, int sock, char *remote_name)
110: {
111: int i, old_channels;
112:
113: /* Update the maximum file descriptor value. */
114: if (sock > channel_max_fd_value)
115: channel_max_fd_value = sock;
116:
117: /* Do initial allocation if this is the first call. */
118: if (channels_alloc == 0)
119: {
120: channels_alloc = 10;
121: channels = xmalloc(channels_alloc * sizeof(Channel));
122: for (i = 0; i < channels_alloc; i++)
123: channels[i].type = SSH_CHANNEL_FREE;
124:
125: /* Kludge: arrange a call to channel_stop_listening if we terminate
126: with fatal(). */
127: fatal_add_cleanup((void (*)(void *))channel_stop_listening, NULL);
128: }
129:
130: /* Try to find a free slot where to put the new channel. */
131: for (i = 0; i < channels_alloc; i++)
132: if (channels[i].type == SSH_CHANNEL_FREE)
133: {
134: /* Found a free slot. Initialize the fields and return its number. */
135: buffer_init(&channels[i].input);
136: buffer_init(&channels[i].output);
1.14 markus 137: channels[i].self = i;
1.1 deraadt 138: channels[i].type = type;
139: channels[i].sock = sock;
1.14 markus 140: channels[i].flags = 0;
1.1 deraadt 141: channels[i].remote_id = -1;
142: channels[i].remote_name = remote_name;
143: return i;
144: }
145:
146: /* There are no free slots. Must expand the array. */
147: old_channels = channels_alloc;
148: channels_alloc += 10;
149: channels = xrealloc(channels, channels_alloc * sizeof(Channel));
150: for (i = old_channels; i < channels_alloc; i++)
151: channels[i].type = SSH_CHANNEL_FREE;
152:
153: /* We know that the next one after the old maximum channel number is now
154: available. Initialize and return its number. */
155: buffer_init(&channels[old_channels].input);
156: buffer_init(&channels[old_channels].output);
1.14 markus 157: channels[old_channels].self = old_channels;
1.1 deraadt 158: channels[old_channels].type = type;
159: channels[old_channels].sock = sock;
1.14 markus 160: channels[old_channels].flags = 0;
1.1 deraadt 161: channels[old_channels].remote_id = -1;
162: channels[old_channels].remote_name = remote_name;
163: return old_channels;
164: }
165:
166: /* Free the channel and close its socket. */
167:
168: void channel_free(int channel)
169: {
170: assert(channel >= 0 && channel < channels_alloc &&
171: channels[channel].type != SSH_CHANNEL_FREE);
1.14 markus 172: if(compat13)
173: shutdown(channels[channel].sock, SHUT_RDWR);
1.1 deraadt 174: close(channels[channel].sock);
175: buffer_free(&channels[channel].input);
176: buffer_free(&channels[channel].output);
177: channels[channel].type = SSH_CHANNEL_FREE;
178: if (channels[channel].remote_name)
179: {
180: xfree(channels[channel].remote_name);
181: channels[channel].remote_name = NULL;
182: }
183: }
184:
185: /* This is called just before select() to add any bits relevant to
186: channels in the select bitmasks. */
187:
188: void channel_prepare_select(fd_set *readset, fd_set *writeset)
189: {
190: int i;
191: Channel *ch;
192: unsigned char *ucp;
193: unsigned int proto_len, data_len;
194:
195: for (i = 0; i < channels_alloc; i++)
196: {
197: ch = &channels[i];
198: redo:
199: switch (ch->type)
200: {
201: case SSH_CHANNEL_X11_LISTENER:
202: case SSH_CHANNEL_PORT_LISTENER:
203: case SSH_CHANNEL_AUTH_SOCKET:
204: FD_SET(ch->sock, readset);
205: break;
206:
207: case SSH_CHANNEL_OPEN:
1.14 markus 208: if(compat13){
209: if (buffer_len(&ch->input) < 32768)
210: FD_SET(ch->sock, readset);
211: if (buffer_len(&ch->output) > 0)
212: FD_SET(ch->sock, writeset);
213: break;
214: }
215: /* test whether sockets are 'alive' for read/write */
216: if (!(ch->flags & CHAN_SHUT_RD))
217: if (buffer_len(&ch->input) < 32768)
218: FD_SET(ch->sock, readset);
219: if (!(ch->flags & CHAN_SHUT_WR)){
220: if (buffer_len(&ch->output) > 0){
221: FD_SET(ch->sock, writeset);
222: }else if(ch->flags & CHAN_IEOF_RCVD){
223: /* if output-buffer empty AND IEOF received,
224: we won't get more data for writing */
225: chan_shutdown_write(ch);
226: chan_send_oclose(ch);
227: }
228: }
229: break;
1.1 deraadt 230:
231: case SSH_CHANNEL_INPUT_DRAINING:
1.14 markus 232: if (!compat13)
233: fatal("cannot happen: IN_DRAIN");
1.1 deraadt 234: if (buffer_len(&ch->input) == 0)
235: {
236: packet_start(SSH_MSG_CHANNEL_CLOSE);
237: packet_put_int(ch->remote_id);
238: packet_send();
239: ch->type = SSH_CHANNEL_CLOSED;
240: debug("Closing channel %d after input drain.", i);
241: break;
242: }
243: break;
244:
245: case SSH_CHANNEL_OUTPUT_DRAINING:
1.14 markus 246: if (!compat13)
247: fatal("cannot happen: OUT_DRAIN");
1.1 deraadt 248: if (buffer_len(&ch->output) == 0)
249: {
250: /* debug("Freeing channel %d after output drain.", i); */
251: channel_free(i);
252: break;
253: }
254: FD_SET(ch->sock, writeset);
255: break;
256:
257: case SSH_CHANNEL_X11_OPEN:
258: /* This is a special state for X11 authentication spoofing. An
259: opened X11 connection (when authentication spoofing is being
260: done) remains in this state until the first packet has been
261: completely read. The authentication data in that packet is
262: then substituted by the real data if it matches the fake data,
263: and the channel is put into normal mode. */
264:
265: /* Check if the fixed size part of the packet is in buffer. */
266: if (buffer_len(&ch->output) < 12)
267: break;
268:
269: /* Parse the lengths of variable-length fields. */
270: ucp = (unsigned char *)buffer_ptr(&ch->output);
271: if (ucp[0] == 0x42)
272: { /* Byte order MSB first. */
273: proto_len = 256 * ucp[6] + ucp[7];
274: data_len = 256 * ucp[8] + ucp[9];
275: }
276: else
277: if (ucp[0] == 0x6c)
278: { /* Byte order LSB first. */
279: proto_len = ucp[6] + 256 * ucp[7];
280: data_len = ucp[8] + 256 * ucp[9];
281: }
282: else
283: {
284: debug("Initial X11 packet contains bad byte order byte: 0x%x",
285: ucp[0]);
286: ch->type = SSH_CHANNEL_OPEN;
287: goto reject;
288: }
289:
290: /* Check if the whole packet is in buffer. */
291: if (buffer_len(&ch->output) <
292: 12 + ((proto_len + 3) & ~3) + ((data_len + 3) & ~3))
293: break;
294:
295: /* Check if authentication protocol matches. */
296: if (proto_len != strlen(x11_saved_proto) ||
297: memcmp(ucp + 12, x11_saved_proto, proto_len) != 0)
298: {
299: debug("X11 connection uses different authentication protocol.");
300: ch->type = SSH_CHANNEL_OPEN;
301: goto reject;
302: }
303:
304: /* Check if authentication data matches our fake data. */
305: if (data_len != x11_fake_data_len ||
306: memcmp(ucp + 12 + ((proto_len + 3) & ~3),
307: x11_fake_data, x11_fake_data_len) != 0)
308: {
309: debug("X11 auth data does not match fake data.");
310: ch->type = SSH_CHANNEL_OPEN;
311: goto reject;
312: }
313:
314: /* Received authentication protocol and data match our fake data.
315: Substitute the fake data with real data. */
316: assert(x11_fake_data_len == x11_saved_data_len);
317: memcpy(ucp + 12 + ((proto_len + 3) & ~3),
318: x11_saved_data, x11_saved_data_len);
319:
320: /* Start normal processing for the channel. */
321: ch->type = SSH_CHANNEL_OPEN;
322: goto redo;
323:
324: reject:
325: /* We have received an X11 connection that has bad authentication
326: information. */
327: log("X11 connection rejected because of wrong authentication.\r\n");
328: buffer_clear(&ch->input);
329: buffer_clear(&ch->output);
1.14 markus 330: if (compat13) {
331: close(ch->sock);
332: ch->sock = -1;
333: ch->type = SSH_CHANNEL_CLOSED;
334: packet_start(SSH_MSG_CHANNEL_CLOSE);
335: packet_put_int(ch->remote_id);
336: packet_send();
337: }else{
338: chan_shutdown_read(ch); /* shutdown, since close() does not update ch->flags */
339: chan_send_ieof(ch); /* no need to wait for output-buffer */
340: chan_shutdown_write(ch);
341: chan_send_oclose(ch);
342: }
1.1 deraadt 343: break;
344:
345: case SSH_CHANNEL_FREE:
346: default:
347: continue;
348: }
349: }
350: }
351:
352: /* After select, perform any appropriate operations for channels which
353: have events pending. */
354:
355: void channel_after_select(fd_set *readset, fd_set *writeset)
356: {
357: struct sockaddr addr;
1.13 markus 358: int addrlen, newsock, i, newch, len;
1.1 deraadt 359: Channel *ch;
360: char buf[16384], *remote_hostname;
361:
362: /* Loop over all channels... */
363: for (i = 0; i < channels_alloc; i++)
364: {
365: ch = &channels[i];
366: switch (ch->type)
367: {
368: case SSH_CHANNEL_X11_LISTENER:
369: /* This is our fake X11 server socket. */
370: if (FD_ISSET(ch->sock, readset))
371: {
372: debug("X11 connection requested.");
373: addrlen = sizeof(addr);
374: newsock = accept(ch->sock, &addr, &addrlen);
375: if (newsock < 0)
376: {
377: error("accept: %.100s", strerror(errno));
378: break;
379: }
380: remote_hostname = get_remote_hostname(newsock);
1.15 ! deraadt 381: snprintf(buf, sizeof buf, "X11 connection from %.200s port %d",
1.1 deraadt 382: remote_hostname, get_peer_port(newsock));
383: xfree(remote_hostname);
384: newch = channel_allocate(SSH_CHANNEL_OPENING, newsock,
385: xstrdup(buf));
386: packet_start(SSH_SMSG_X11_OPEN);
387: packet_put_int(newch);
388: if (have_hostname_in_open)
389: packet_put_string(buf, strlen(buf));
390: packet_send();
391: }
392: break;
393:
394: case SSH_CHANNEL_PORT_LISTENER:
395: /* This socket is listening for connections to a forwarded TCP/IP
396: port. */
397: if (FD_ISSET(ch->sock, readset))
398: {
399: debug("Connection to port %d forwarding to %.100s:%d requested.",
400: ch->listening_port, ch->path, ch->host_port);
401: addrlen = sizeof(addr);
402: newsock = accept(ch->sock, &addr, &addrlen);
403: if (newsock < 0)
404: {
405: error("accept: %.100s", strerror(errno));
406: break;
407: }
408: remote_hostname = get_remote_hostname(newsock);
1.15 ! deraadt 409: snprintf(buf, sizeof buf, "port %d, connection from %.200s port %d",
1.1 deraadt 410: ch->listening_port, remote_hostname,
411: get_peer_port(newsock));
412: xfree(remote_hostname);
413: newch = channel_allocate(SSH_CHANNEL_OPENING, newsock,
414: xstrdup(buf));
415: packet_start(SSH_MSG_PORT_OPEN);
416: packet_put_int(newch);
417: packet_put_string(ch->path, strlen(ch->path));
418: packet_put_int(ch->host_port);
419: if (have_hostname_in_open)
420: packet_put_string(buf, strlen(buf));
421: packet_send();
422: }
423: break;
424:
425: case SSH_CHANNEL_AUTH_SOCKET:
426: /* This is the authentication agent socket listening for connections
427: from clients. */
428: if (FD_ISSET(ch->sock, readset))
429: {
1.13 markus 430: int nchan;
1.1 deraadt 431: len = sizeof(addr);
432: newsock = accept(ch->sock, &addr, &len);
433: if (newsock < 0)
1.13 markus 434: {
435: error("accept from auth socket: %.100s", strerror(errno));
436: break;
437: }
438:
439: nchan = channel_allocate(SSH_CHANNEL_OPENING, newsock,
1.1 deraadt 440: xstrdup("accepted auth socket"));
1.13 markus 441: packet_start(SSH_SMSG_AGENT_OPEN);
442: packet_put_int(nchan);
443: packet_send();
1.1 deraadt 444: }
445: break;
446:
447: case SSH_CHANNEL_OPEN:
448: /* This is an open two-way communication channel. It is not of
449: interest to us at this point what kind of data is being
450: transmitted. */
1.14 markus 451:
452: /* Read available incoming data and append it to buffer;
453: shutdown socket, if read or write failes */
1.1 deraadt 454: if (FD_ISSET(ch->sock, readset))
455: {
456: len = read(ch->sock, buf, sizeof(buf));
457: if (len <= 0)
458: {
1.14 markus 459: if (compat13) {
460: buffer_consume(&ch->output, buffer_len(&ch->output));
461: ch->type = SSH_CHANNEL_INPUT_DRAINING;
462: debug("Channel %d status set to input draining.", i);
463: }else{
464: buffer_consume(&ch->output, buffer_len(&ch->output));
465: chan_shutdown_read(ch);
466: /* we have to wait until the input-buffer has been
467: sent to our peer before we can send IEOF */
468: }
1.1 deraadt 469: break;
470: }
471: buffer_append(&ch->input, buf, len);
472: }
473: /* Send buffered output data to the socket. */
474: if (FD_ISSET(ch->sock, writeset) && buffer_len(&ch->output) > 0)
475: {
476: len = write(ch->sock, buffer_ptr(&ch->output),
477: buffer_len(&ch->output));
478: if (len <= 0)
479: {
1.14 markus 480: if (compat13) {
481: buffer_consume(&ch->output, buffer_len(&ch->output));
482: debug("Channel %d status set to input draining.", i);
483: ch->type = SSH_CHANNEL_INPUT_DRAINING;
484: }else{
485: buffer_consume(&ch->output, buffer_len(&ch->output));
486: chan_shutdown_write(ch);
487: chan_send_oclose(ch);
488: }
1.1 deraadt 489: break;
490: }
491: buffer_consume(&ch->output, len);
492: }
1.14 markus 493: chan_del_if_dead(ch);
1.1 deraadt 494: break;
495:
496: case SSH_CHANNEL_OUTPUT_DRAINING:
1.14 markus 497: if (!compat13)
498: fatal("cannot happen: OUT_DRAIN");
1.1 deraadt 499: /* Send buffered output data to the socket. */
500: if (FD_ISSET(ch->sock, writeset) && buffer_len(&ch->output) > 0)
501: {
502: len = write(ch->sock, buffer_ptr(&ch->output),
503: buffer_len(&ch->output));
504: if (len <= 0)
505: buffer_consume(&ch->output, buffer_len(&ch->output));
506: else
507: buffer_consume(&ch->output, len);
508: }
509: break;
510:
511: case SSH_CHANNEL_X11_OPEN:
512: case SSH_CHANNEL_FREE:
513: default:
514: continue;
515: }
516: }
517: }
518:
519: /* If there is data to send to the connection, send some of it now. */
520:
521: void channel_output_poll()
522: {
523: int len, i;
524: Channel *ch;
525:
526: for (i = 0; i < channels_alloc; i++)
527: {
528: ch = &channels[i];
529: /* We are only interested in channels that can have buffered incoming
530: data. */
531: if (ch->type != SSH_CHANNEL_OPEN &&
532: ch->type != SSH_CHANNEL_INPUT_DRAINING)
533: continue;
534:
535: /* Get the amount of buffered data for this channel. */
536: len = buffer_len(&ch->input);
537: if (len > 0)
538: {
539: /* Send some data for the other side over the secure connection. */
540: if (packet_is_interactive())
541: {
542: if (len > 1024)
543: len = 512;
544: }
545: else
546: {
547: if (len > 16384)
548: len = 16384; /* Keep the packets at reasonable size. */
549: }
550: packet_start(SSH_MSG_CHANNEL_DATA);
551: packet_put_int(ch->remote_id);
552: packet_put_string(buffer_ptr(&ch->input), len);
553: packet_send();
554: buffer_consume(&ch->input, len);
555: }
1.14 markus 556: else if(ch->flags & CHAN_SHUT_RD)
557: {
558: if (compat13)
559: fatal("cannot happen: CHAN_SHUT_RD set for proto 1.3");
560: /* input-buffer is empty and read-socket shutdown:
561: tell peer, that we will not send more data: send IEOF */
562: chan_send_ieof(ch);
563: }
1.1 deraadt 564: }
565: }
566:
567: /* This is called when a packet of type CHANNEL_DATA has just been received.
568: The message type has already been consumed, but channel number and data
569: is still there. */
570:
571: void channel_input_data(int payload_len)
572: {
573: int channel;
574: char *data;
575: unsigned int data_len;
576:
577: /* Get the channel number and verify it. */
578: channel = packet_get_int();
579: if (channel < 0 || channel >= channels_alloc ||
580: channels[channel].type == SSH_CHANNEL_FREE)
581: packet_disconnect("Received data for nonexistent channel %d.", channel);
582:
583: /* Ignore any data for non-open channels (might happen on close) */
584: if (channels[channel].type != SSH_CHANNEL_OPEN &&
585: channels[channel].type != SSH_CHANNEL_X11_OPEN)
586: return;
587:
588: /* Get the data. */
589: data = packet_get_string(&data_len);
590: packet_integrity_check(payload_len, 4 + 4+data_len, SSH_MSG_CHANNEL_DATA);
591: buffer_append(&channels[channel].output, data, data_len);
592: xfree(data);
593: }
594:
595: /* Returns true if no channel has too much buffered data, and false if
596: one or more channel is overfull. */
597:
598: int channel_not_very_much_buffered_data()
599: {
600: unsigned int i;
601: Channel *ch;
602:
603: for (i = 0; i < channels_alloc; i++)
604: {
605: ch = &channels[i];
1.14 markus 606: switch (ch->type)
1.1 deraadt 607: {
608: case SSH_CHANNEL_X11_LISTENER:
609: case SSH_CHANNEL_PORT_LISTENER:
610: case SSH_CHANNEL_AUTH_SOCKET:
611: continue;
612: case SSH_CHANNEL_OPEN:
613: if (buffer_len(&ch->input) > 32768)
614: return 0;
615: if (buffer_len(&ch->output) > 32768)
616: return 0;
617: continue;
618: case SSH_CHANNEL_INPUT_DRAINING:
619: case SSH_CHANNEL_OUTPUT_DRAINING:
620: case SSH_CHANNEL_X11_OPEN:
621: case SSH_CHANNEL_FREE:
622: default:
623: continue;
624: }
625: }
626: return 1;
627: }
628:
1.14 markus 629: /* This is called after receiving CHANNEL_CLOSE/IEOF. */
1.1 deraadt 630:
631: void channel_input_close()
632: {
633: int channel;
634:
635: /* Get the channel number and verify it. */
636: channel = packet_get_int();
637: if (channel < 0 || channel >= channels_alloc ||
638: channels[channel].type == SSH_CHANNEL_FREE)
639: packet_disconnect("Received data for nonexistent channel %d.", channel);
640:
1.14 markus 641: if(!compat13){
642: /* proto version 1.5 overloads CLOSE with IEOF */
643: chan_rcvd_ieof(&channels[channel]);
644: return;
645: }
646:
1.1 deraadt 647: /* Send a confirmation that we have closed the channel and no more data is
648: coming for it. */
649: packet_start(SSH_MSG_CHANNEL_CLOSE_CONFIRMATION);
650: packet_put_int(channels[channel].remote_id);
651: packet_send();
652:
653: /* If the channel is in closed state, we have sent a close request, and
654: the other side will eventually respond with a confirmation. Thus,
655: we cannot free the channel here, because then there would be no-one to
656: receive the confirmation. The channel gets freed when the confirmation
657: arrives. */
658: if (channels[channel].type != SSH_CHANNEL_CLOSED)
659: {
660: /* Not a closed channel - mark it as draining, which will cause it to
661: be freed later. */
662: buffer_consume(&channels[channel].input,
663: buffer_len(&channels[channel].input));
664: channels[channel].type = SSH_CHANNEL_OUTPUT_DRAINING;
665: /* debug("Setting status to output draining; output len = %d",
666: buffer_len(&channels[channel].output)); */
667: }
668: }
669:
1.14 markus 670: /* This is called after receiving CHANNEL_CLOSE_CONFIRMATION/OCLOSE. */
1.1 deraadt 671:
672: void channel_input_close_confirmation()
673: {
674: int channel;
675:
676: /* Get the channel number and verify it. */
677: channel = packet_get_int();
678: if (channel < 0 || channel >= channels_alloc)
679: packet_disconnect("Received close confirmation for out-of-range channel %d.",
680: channel);
1.14 markus 681:
682: if(!compat13){
683: /* proto version 1.5 overloads CLOSE_CONFIRMATION with OCLOSE */
684: chan_rcvd_oclose(&channels[channel]);
685: return;
686: }
687:
1.1 deraadt 688: if (channels[channel].type != SSH_CHANNEL_CLOSED)
689: packet_disconnect("Received close confirmation for non-closed channel %d (type %d).",
690: channel, channels[channel].type);
691:
692: /* Free the channel. */
693: channel_free(channel);
694: }
695:
696: /* This is called after receiving CHANNEL_OPEN_CONFIRMATION. */
697:
698: void channel_input_open_confirmation()
699: {
700: int channel, remote_channel;
701:
702: /* Get the channel number and verify it. */
703: channel = packet_get_int();
704: if (channel < 0 || channel >= channels_alloc ||
705: channels[channel].type != SSH_CHANNEL_OPENING)
706: packet_disconnect("Received open confirmation for non-opening channel %d.",
707: channel);
708:
709: /* Get remote side's id for this channel. */
710: remote_channel = packet_get_int();
711:
712: /* Record the remote channel number and mark that the channel is now open. */
713: channels[channel].remote_id = remote_channel;
714: channels[channel].type = SSH_CHANNEL_OPEN;
715: }
716:
717: /* This is called after receiving CHANNEL_OPEN_FAILURE from the other side. */
718:
719: void channel_input_open_failure()
720: {
721: int channel;
722:
723: /* Get the channel number and verify it. */
724: channel = packet_get_int();
725: if (channel < 0 || channel >= channels_alloc ||
726: channels[channel].type != SSH_CHANNEL_OPENING)
727: packet_disconnect("Received open failure for non-opening channel %d.",
728: channel);
729:
730: /* Free the channel. This will also close the socket. */
731: channel_free(channel);
732: }
733:
734: /* Stops listening for channels, and removes any unix domain sockets that
735: we might have. */
736:
737: void channel_stop_listening()
738: {
739: int i;
740: for (i = 0; i < channels_alloc; i++)
741: {
742: switch (channels[i].type)
743: {
744: case SSH_CHANNEL_AUTH_SOCKET:
745: close(channels[i].sock);
746: remove(channels[i].path);
747: channel_free(i);
748: break;
749: case SSH_CHANNEL_PORT_LISTENER:
750: case SSH_CHANNEL_X11_LISTENER:
751: close(channels[i].sock);
752: channel_free(i);
753: break;
754: default:
755: break;
756: }
757: }
758: }
759:
760: /* Closes the sockets of all channels. This is used to close extra file
761: descriptors after a fork. */
762:
763: void channel_close_all()
764: {
765: int i;
766: for (i = 0; i < channels_alloc; i++)
767: {
768: if (channels[i].type != SSH_CHANNEL_FREE)
769: close(channels[i].sock);
770: }
771: }
772:
773: /* Returns the maximum file descriptor number used by the channels. */
774:
775: int channel_max_fd()
776: {
777: return channel_max_fd_value;
778: }
779:
780: /* Returns true if any channel is still open. */
781:
782: int channel_still_open()
783: {
784: unsigned int i;
785: for (i = 0; i < channels_alloc; i++)
786: switch (channels[i].type)
787: {
788: case SSH_CHANNEL_FREE:
789: case SSH_CHANNEL_X11_LISTENER:
790: case SSH_CHANNEL_PORT_LISTENER:
791: case SSH_CHANNEL_CLOSED:
792: case SSH_CHANNEL_AUTH_SOCKET:
793: continue;
794: case SSH_CHANNEL_OPENING:
795: case SSH_CHANNEL_OPEN:
796: case SSH_CHANNEL_X11_OPEN:
1.14 markus 797: return 1;
1.1 deraadt 798: case SSH_CHANNEL_INPUT_DRAINING:
799: case SSH_CHANNEL_OUTPUT_DRAINING:
1.14 markus 800: if (!compat13)
801: fatal("cannot happen: OUT_DRAIN");
1.1 deraadt 802: return 1;
803: default:
804: fatal("channel_still_open: bad channel type %d", channels[i].type);
805: /*NOTREACHED*/
806: }
807: return 0;
808: }
809:
810: /* Returns a message describing the currently open forwarded
811: connections, suitable for sending to the client. The message
812: contains crlf pairs for newlines. */
813:
814: char *channel_open_message()
815: {
816: Buffer buffer;
817: int i;
818: char buf[512], *cp;
819:
820: buffer_init(&buffer);
1.15 ! deraadt 821: snprintf(buf, sizeof buf, "The following connections are open:\r\n");
1.1 deraadt 822: buffer_append(&buffer, buf, strlen(buf));
1.14 markus 823: for (i = 0; i < channels_alloc; i++){
824: Channel *c=&channels[i];
825: switch (c->type)
1.1 deraadt 826: {
827: case SSH_CHANNEL_FREE:
828: case SSH_CHANNEL_X11_LISTENER:
829: case SSH_CHANNEL_PORT_LISTENER:
830: case SSH_CHANNEL_CLOSED:
831: case SSH_CHANNEL_AUTH_SOCKET:
832: continue;
833: case SSH_CHANNEL_OPENING:
834: case SSH_CHANNEL_OPEN:
835: case SSH_CHANNEL_X11_OPEN:
836: case SSH_CHANNEL_INPUT_DRAINING:
837: case SSH_CHANNEL_OUTPUT_DRAINING:
1.14 markus 838: snprintf(buf, sizeof buf, " #%d/%d %.300s\r\n",
839: c->self,c->type,c->remote_name);
1.1 deraadt 840: buffer_append(&buffer, buf, strlen(buf));
841: continue;
842: default:
1.14 markus 843: fatal("channel_still_open: bad channel type %d", c->type);
1.1 deraadt 844: /*NOTREACHED*/
845: }
1.14 markus 846: }
1.1 deraadt 847: buffer_append(&buffer, "\0", 1);
848: cp = xstrdup(buffer_ptr(&buffer));
849: buffer_free(&buffer);
850: return cp;
851: }
852:
853: /* Initiate forwarding of connections to local port "port" through the secure
854: channel to host:port from remote side. */
855:
856: void channel_request_local_forwarding(int port, const char *host,
857: int host_port)
858: {
859: int ch, sock;
860: struct sockaddr_in sin;
1.4 deraadt 861: extern Options options;
1.1 deraadt 862:
863: if (strlen(host) > sizeof(channels[0].path) - 1)
864: packet_disconnect("Forward host name too long.");
865:
866: /* Create a port to listen for the host. */
867: sock = socket(AF_INET, SOCK_STREAM, 0);
868: if (sock < 0)
869: packet_disconnect("socket: %.100s", strerror(errno));
870:
871: /* Initialize socket address. */
872: memset(&sin, 0, sizeof(sin));
873: sin.sin_family = AF_INET;
1.4 deraadt 874: if (options.gateway_ports == 1)
875: sin.sin_addr.s_addr = htonl(INADDR_ANY);
876: else
877: sin.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
1.1 deraadt 878: sin.sin_port = htons(port);
879:
880: /* Bind the socket to the address. */
881: if (bind(sock, (struct sockaddr *)&sin, sizeof(sin)) < 0)
882: packet_disconnect("bind: %.100s", strerror(errno));
883:
884: /* Start listening for connections on the socket. */
885: if (listen(sock, 5) < 0)
886: packet_disconnect("listen: %.100s", strerror(errno));
887:
888: /* Allocate a channel number for the socket. */
889: ch = channel_allocate(SSH_CHANNEL_PORT_LISTENER, sock,
890: xstrdup("port listener"));
891: strcpy(channels[ch].path, host); /* note: host name stored here */
892: channels[ch].host_port = host_port; /* port on host to connect to */
893: channels[ch].listening_port = port; /* port being listened */
894: }
895:
896: /* Initiate forwarding of connections to port "port" on remote host through
897: the secure channel to host:port from local side. */
898:
899: void channel_request_remote_forwarding(int port, const char *host,
900: int remote_port)
901: {
902: int payload_len;
903: /* Record locally that connection to this host/port is permitted. */
904: if (num_permitted_opens >= SSH_MAX_FORWARDS_PER_DIRECTION)
905: fatal("channel_request_remote_forwarding: too many forwards");
906: permitted_opens[num_permitted_opens].host = xstrdup(host);
907: permitted_opens[num_permitted_opens].port = remote_port;
908: num_permitted_opens++;
909:
910: /* Send the forward request to the remote side. */
911: packet_start(SSH_CMSG_PORT_FORWARD_REQUEST);
912: packet_put_int(port);
913: packet_put_string(host, strlen(host));
914: packet_put_int(remote_port);
915: packet_send();
916: packet_write_wait();
917:
918: /* Wait for response from the remote side. It will send a disconnect
919: message on failure, and we will never see it here. */
920: packet_read_expect(&payload_len, SSH_SMSG_SUCCESS);
921: }
922:
923: /* This is called after receiving CHANNEL_FORWARDING_REQUEST. This initates
924: listening for the port, and sends back a success reply (or disconnect
925: message if there was an error). This never returns if there was an
926: error. */
927:
928: void channel_input_port_forward_request(int is_root)
929: {
930: int port, host_port;
931: char *hostname;
932:
933: /* Get arguments from the packet. */
934: port = packet_get_int();
935: hostname = packet_get_string(NULL);
936: host_port = packet_get_int();
937:
938: /* Port numbers are 16 bit quantities. */
939: if ((port & 0xffff) != port)
940: packet_disconnect("Requested forwarding of nonexistent port %d.", port);
941:
942: /* Check that an unprivileged user is not trying to forward a privileged
943: port. */
1.8 deraadt 944: if (port < IPPORT_RESERVED && !is_root)
1.1 deraadt 945: packet_disconnect("Requested forwarding of port %d but user is not root.",
946: port);
947:
948: /* Initiate forwarding. */
949: channel_request_local_forwarding(port, hostname, host_port);
950:
951: /* Free the argument string. */
952: xfree(hostname);
953: }
954:
955: /* This is called after receiving PORT_OPEN message. This attempts to connect
956: to the given host:port, and sends back CHANNEL_OPEN_CONFIRMATION or
957: CHANNEL_OPEN_FAILURE. */
958:
959: void channel_input_port_open(int payload_len)
960: {
961: int remote_channel, sock, newch, host_port, i;
962: struct sockaddr_in sin;
963: char *host, *originator_string;
964: struct hostent *hp;
965: int host_len, originator_len;
966:
967: /* Get remote channel number. */
968: remote_channel = packet_get_int();
969:
970: /* Get host name to connect to. */
971: host = packet_get_string(&host_len);
972:
973: /* Get port to connect to. */
974: host_port = packet_get_int();
975:
976: /* Get remote originator name. */
977: if (have_hostname_in_open)
978: originator_string = packet_get_string(&originator_len);
979: else
980: originator_string = xstrdup("unknown (remote did not supply name)");
981:
982: packet_integrity_check(payload_len,
983: 4 + 4 + host_len + 4 + 4 + originator_len,
984: SSH_MSG_PORT_OPEN);
985:
986: /* Check if opening that port is permitted. */
987: if (!all_opens_permitted)
988: {
989: /* Go trough all permitted ports. */
990: for (i = 0; i < num_permitted_opens; i++)
991: if (permitted_opens[i].port == host_port &&
992: strcmp(permitted_opens[i].host, host) == 0)
993: break;
994:
995: /* Check if we found the requested port among those permitted. */
996: if (i >= num_permitted_opens)
997: {
998: /* The port is not permitted. */
999: log("Received request to connect to %.100s:%d, but the request was denied.",
1000: host, host_port);
1001: packet_start(SSH_MSG_CHANNEL_OPEN_FAILURE);
1002: packet_put_int(remote_channel);
1003: packet_send();
1004: }
1005: }
1006:
1007: memset(&sin, 0, sizeof(sin));
1008: sin.sin_addr.s_addr = inet_addr(host);
1009: if ((sin.sin_addr.s_addr & 0xffffffff) != 0xffffffff)
1010: {
1011: /* It was a valid numeric host address. */
1012: sin.sin_family = AF_INET;
1013: }
1014: else
1015: {
1016: /* Look up the host address from the name servers. */
1017: hp = gethostbyname(host);
1018: if (!hp)
1019: {
1020: error("%.100s: unknown host.", host);
1021: goto fail;
1022: }
1023: if (!hp->h_addr_list[0])
1024: {
1025: error("%.100s: host has no IP address.", host);
1026: goto fail;
1027: }
1028: sin.sin_family = hp->h_addrtype;
1029: memcpy(&sin.sin_addr, hp->h_addr_list[0],
1030: sizeof(sin.sin_addr));
1031: }
1032: sin.sin_port = htons(host_port);
1033:
1034: /* Create the socket. */
1035: sock = socket(sin.sin_family, SOCK_STREAM, 0);
1036: if (sock < 0)
1037: {
1038: error("socket: %.100s", strerror(errno));
1039: goto fail;
1040: }
1041:
1042: /* Connect to the host/port. */
1043: if (connect(sock, (struct sockaddr *)&sin, sizeof(sin)) < 0)
1044: {
1045: error("connect %.100s:%d: %.100s", host, host_port,
1046: strerror(errno));
1047: close(sock);
1048: goto fail;
1049: }
1050:
1051: /* Successful connection. */
1052:
1053: /* Allocate a channel for this connection. */
1054: newch = channel_allocate(SSH_CHANNEL_OPEN, sock, originator_string);
1055: channels[newch].remote_id = remote_channel;
1056:
1057: /* Send a confirmation to the remote host. */
1058: packet_start(SSH_MSG_CHANNEL_OPEN_CONFIRMATION);
1059: packet_put_int(remote_channel);
1060: packet_put_int(newch);
1061: packet_send();
1062:
1063: /* Free the argument string. */
1064: xfree(host);
1065:
1066: return;
1067:
1068: fail:
1069: /* Free the argument string. */
1070: xfree(host);
1071:
1072: /* Send refusal to the remote host. */
1073: packet_start(SSH_MSG_CHANNEL_OPEN_FAILURE);
1074: packet_put_int(remote_channel);
1075: packet_send();
1076: }
1077:
1078: /* Creates an internet domain socket for listening for X11 connections.
1079: Returns a suitable value for the DISPLAY variable, or NULL if an error
1080: occurs. */
1081:
1082: char *x11_create_display_inet(int screen_number)
1083: {
1.3 deraadt 1084: extern ServerOptions options;
1.1 deraadt 1085: int display_number, port, sock;
1086: struct sockaddr_in sin;
1087: char buf[512];
1.6 deraadt 1088: char hostname[MAXHOSTNAMELEN];
1.1 deraadt 1089:
1.3 deraadt 1090: for (display_number = options.x11_display_offset; display_number < MAX_DISPLAYS; display_number++)
1.1 deraadt 1091: {
1092: port = 6000 + display_number;
1093: memset(&sin, 0, sizeof(sin));
1094: sin.sin_family = AF_INET;
1.4 deraadt 1095: sin.sin_addr.s_addr = htonl(INADDR_ANY);
1.1 deraadt 1096: sin.sin_port = htons(port);
1097:
1098: sock = socket(AF_INET, SOCK_STREAM, 0);
1099: if (sock < 0)
1100: {
1101: error("socket: %.100s", strerror(errno));
1102: return NULL;
1103: }
1104:
1105: if (bind(sock, (struct sockaddr *)&sin, sizeof(sin)) < 0)
1106: {
1107: debug("bind port %d: %.100s", port, strerror(errno));
1.10 deraadt 1108: shutdown(sock, SHUT_RDWR);
1.1 deraadt 1109: close(sock);
1110: continue;
1111: }
1112: break;
1113: }
1114: if (display_number >= MAX_DISPLAYS)
1115: {
1116: error("Failed to allocate internet-domain X11 display socket.");
1117: return NULL;
1118: }
1119:
1120: /* Start listening for connections on the socket. */
1121: if (listen(sock, 5) < 0)
1122: {
1123: error("listen: %.100s", strerror(errno));
1.10 deraadt 1124: shutdown(sock, SHUT_RDWR);
1.1 deraadt 1125: close(sock);
1126: return NULL;
1127: }
1128:
1129: /* Set up a suitable value for the DISPLAY variable. */
1130: if (gethostname(hostname, sizeof(hostname)) < 0)
1131: fatal("gethostname: %.100s", strerror(errno));
1.6 deraadt 1132: snprintf(buf, sizeof buf, "%.400s:%d.%d", hostname,
1133: display_number, screen_number);
1.1 deraadt 1134:
1135: /* Allocate a channel for the socket. */
1136: (void)channel_allocate(SSH_CHANNEL_X11_LISTENER, sock,
1137: xstrdup("X11 inet listener"));
1138:
1139: /* Return a suitable value for the DISPLAY environment variable. */
1140: return xstrdup(buf);
1141: }
1142:
1143: #ifndef X_UNIX_PATH
1144: #define X_UNIX_PATH "/tmp/.X11-unix/X"
1145: #endif
1146:
1147: static
1148: int
1149: connect_local_xsocket(unsigned dnr)
1150: {
1151: static const char *const x_sockets[] = {
1152: X_UNIX_PATH "%u",
1153: "/var/X/.X11-unix/X" "%u",
1154: "/usr/spool/sockets/X11/" "%u",
1155: NULL
1156: };
1157: int sock;
1158: struct sockaddr_un addr;
1159: const char *const *path;
1160:
1161: for (path = x_sockets; *path; ++path)
1162: {
1163: sock = socket(AF_UNIX, SOCK_STREAM, 0);
1164: if (sock < 0)
1165: error("socket: %.100s", strerror(errno));
1166: memset(&addr, 0, sizeof(addr));
1167: addr.sun_family = AF_UNIX;
1.15 ! deraadt 1168: snprintf(addr.sun_path, sizeof addr.sun_path, *path, dnr);
1.1 deraadt 1169: if (connect(sock, (struct sockaddr *)&addr, sizeof(addr)) == 0)
1170: return sock;
1171: close(sock);
1172: }
1173: error("connect %.100s: %.100s", addr.sun_path, strerror(errno));
1174: return -1;
1175: }
1176:
1177:
1178: /* This is called when SSH_SMSG_X11_OPEN is received. The packet contains
1179: the remote channel number. We should do whatever we want, and respond
1180: with either SSH_MSG_OPEN_CONFIRMATION or SSH_MSG_OPEN_FAILURE. */
1181:
1182: void x11_input_open(int payload_len)
1183: {
1184: int remote_channel, display_number, sock, newch;
1185: const char *display;
1186: struct sockaddr_in sin;
1187: char buf[1024], *cp, *remote_host;
1188: struct hostent *hp;
1189: int remote_len;
1190:
1191: /* Get remote channel number. */
1192: remote_channel = packet_get_int();
1193:
1194: /* Get remote originator name. */
1195: if (have_hostname_in_open)
1196: remote_host = packet_get_string(&remote_len);
1197: else
1198: remote_host = xstrdup("unknown (remote did not supply name)");
1199:
1200: debug("Received X11 open request.");
1201: packet_integrity_check(payload_len, 4 + 4+remote_len, SSH_SMSG_X11_OPEN);
1202:
1203: /* Try to open a socket for the local X server. */
1204: display = getenv("DISPLAY");
1205: if (!display)
1206: {
1207: error("DISPLAY not set.");
1208: goto fail;
1209: }
1210:
1211: /* Now we decode the value of the DISPLAY variable and make a connection
1212: to the real X server. */
1213:
1214: /* Check if it is a unix domain socket. Unix domain displays are in one
1215: of the following formats: unix:d[.s], :d[.s], ::d[.s] */
1216: if (strncmp(display, "unix:", 5) == 0 ||
1217: display[0] == ':')
1218: {
1219: /* Connect to the unix domain socket. */
1220: if (sscanf(strrchr(display, ':') + 1, "%d", &display_number) != 1)
1221: {
1222: error("Could not parse display number from DISPLAY: %.100s",
1223: display);
1224: goto fail;
1225: }
1226: /* Create a socket. */
1227: sock = connect_local_xsocket(display_number);
1228: if (sock < 0)
1229: goto fail;
1230:
1231: /* OK, we now have a connection to the display. */
1232: goto success;
1233: }
1234:
1235: /* Connect to an inet socket. The DISPLAY value is supposedly
1236: hostname:d[.s], where hostname may also be numeric IP address. */
1237: strncpy(buf, display, sizeof(buf));
1238: buf[sizeof(buf) - 1] = 0;
1239: cp = strchr(buf, ':');
1240: if (!cp)
1241: {
1242: error("Could not find ':' in DISPLAY: %.100s", display);
1243: goto fail;
1244: }
1245: *cp = 0;
1246: /* buf now contains the host name. But first we parse the display number. */
1247: if (sscanf(cp + 1, "%d", &display_number) != 1)
1248: {
1249: error("Could not parse display number from DISPLAY: %.100s",
1250: display);
1251: goto fail;
1252: }
1253:
1254: /* Try to parse the host name as a numeric IP address. */
1255: memset(&sin, 0, sizeof(sin));
1256: sin.sin_addr.s_addr = inet_addr(buf);
1257: if ((sin.sin_addr.s_addr & 0xffffffff) != 0xffffffff)
1258: {
1259: /* It was a valid numeric host address. */
1260: sin.sin_family = AF_INET;
1261: }
1262: else
1263: {
1264: /* Not a numeric IP address. */
1265: /* Look up the host address from the name servers. */
1266: hp = gethostbyname(buf);
1267: if (!hp)
1268: {
1269: error("%.100s: unknown host.", buf);
1270: goto fail;
1271: }
1272: if (!hp->h_addr_list[0])
1273: {
1274: error("%.100s: host has no IP address.", buf);
1275: goto fail;
1276: }
1277: sin.sin_family = hp->h_addrtype;
1278: memcpy(&sin.sin_addr, hp->h_addr_list[0],
1279: sizeof(sin.sin_addr));
1280: }
1281: /* Set port number. */
1282: sin.sin_port = htons(6000 + display_number);
1283:
1284: /* Create a socket. */
1285: sock = socket(sin.sin_family, SOCK_STREAM, 0);
1286: if (sock < 0)
1287: {
1288: error("socket: %.100s", strerror(errno));
1289: goto fail;
1290: }
1291: /* Connect it to the display. */
1292: if (connect(sock, (struct sockaddr *)&sin, sizeof(sin)) < 0)
1293: {
1294: error("connect %.100s:%d: %.100s", buf, 6000 + display_number,
1295: strerror(errno));
1296: close(sock);
1297: goto fail;
1298: }
1299:
1300: success:
1301: /* We have successfully obtained a connection to the real X display. */
1302:
1303: /* Allocate a channel for this connection. */
1304: if (x11_saved_proto == NULL)
1305: newch = channel_allocate(SSH_CHANNEL_OPEN, sock, remote_host);
1306: else
1307: newch = channel_allocate(SSH_CHANNEL_X11_OPEN, sock, remote_host);
1308: channels[newch].remote_id = remote_channel;
1309:
1310: /* Send a confirmation to the remote host. */
1311: packet_start(SSH_MSG_CHANNEL_OPEN_CONFIRMATION);
1312: packet_put_int(remote_channel);
1313: packet_put_int(newch);
1314: packet_send();
1315:
1316: return;
1317:
1318: fail:
1319: /* Send refusal to the remote host. */
1320: packet_start(SSH_MSG_CHANNEL_OPEN_FAILURE);
1321: packet_put_int(remote_channel);
1322: packet_send();
1323: }
1324:
1325: /* Requests forwarding of X11 connections, generates fake authentication
1326: data, and enables authentication spoofing. */
1327:
1.2 provos 1328: void x11_request_forwarding_with_spoofing(const char *proto, const char *data)
1.1 deraadt 1329: {
1330: unsigned int data_len = (unsigned int)strlen(data) / 2;
1331: unsigned int i, value;
1332: char *new_data;
1333: int screen_number;
1334: const char *cp;
1.5 dugsong 1335: u_int32_t rand = 0;
1.1 deraadt 1336:
1337: cp = getenv("DISPLAY");
1338: if (cp)
1339: cp = strchr(cp, ':');
1340: if (cp)
1341: cp = strchr(cp, '.');
1342: if (cp)
1343: screen_number = atoi(cp + 1);
1344: else
1345: screen_number = 0;
1346:
1347: /* Save protocol name. */
1348: x11_saved_proto = xstrdup(proto);
1349:
1350: /* Extract real authentication data and generate fake data of the same
1351: length. */
1352: x11_saved_data = xmalloc(data_len);
1353: x11_fake_data = xmalloc(data_len);
1354: for (i = 0; i < data_len; i++)
1355: {
1356: if (sscanf(data + 2 * i, "%2x", &value) != 1)
1357: fatal("x11_request_forwarding: bad authentication data: %.100s", data);
1.2 provos 1358: if (i % 4 == 0)
1359: rand = arc4random();
1.1 deraadt 1360: x11_saved_data[i] = value;
1.2 provos 1361: x11_fake_data[i] = rand & 0xff;
1362: rand >>= 8;
1.1 deraadt 1363: }
1364: x11_saved_data_len = data_len;
1365: x11_fake_data_len = data_len;
1366:
1367: /* Convert the fake data into hex. */
1368: new_data = xmalloc(2 * data_len + 1);
1369: for (i = 0; i < data_len; i++)
1370: sprintf(new_data + 2 * i, "%02x", (unsigned char)x11_fake_data[i]);
1371:
1372: /* Send the request packet. */
1373: packet_start(SSH_CMSG_X11_REQUEST_FORWARDING);
1374: packet_put_string(proto, strlen(proto));
1375: packet_put_string(new_data, strlen(new_data));
1376: packet_put_int(screen_number);
1377: packet_send();
1378: packet_write_wait();
1379: xfree(new_data);
1380: }
1381:
1382: /* Sends a message to the server to request authentication fd forwarding. */
1383:
1384: void auth_request_forwarding()
1385: {
1386: packet_start(SSH_CMSG_AGENT_REQUEST_FORWARDING);
1387: packet_send();
1388: packet_write_wait();
1389: }
1390:
1391: /* Returns the name of the forwarded authentication socket. Returns NULL
1392: if there is no forwarded authentication socket. The returned value
1393: points to a static buffer. */
1394:
1395: char *auth_get_socket_name()
1396: {
1397: return channel_forwarded_auth_socket_name;
1398: }
1399:
1.12 markus 1400: /* removes the agent forwarding socket */
1401:
1402: void cleanup_socket(void) {
1403: remove(channel_forwarded_auth_socket_name);
1404: rmdir(channel_forwarded_auth_socket_dir);
1405: }
1406:
1.1 deraadt 1407: /* This if called to process SSH_CMSG_AGENT_REQUEST_FORWARDING on the server.
1408: This starts forwarding authentication requests. */
1409:
1410: void auth_input_request_forwarding(struct passwd *pw)
1411: {
1.11 markus 1412: int sock, newch;
1413: struct sockaddr_un sunaddr;
1.1 deraadt 1414:
1.11 markus 1415: if (auth_get_socket_name() != NULL)
1416: fatal("Protocol error: authentication forwarding requested twice.");
1417:
1.12 markus 1418: /* Temporarily drop privileged uid for mkdir/bind. */
1419: temporarily_use_uid(pw->pw_uid);
1420:
1.11 markus 1421: /* Allocate a buffer for the socket name, and format the name. */
1.12 markus 1422: channel_forwarded_auth_socket_name = xmalloc(MAX_SOCKET_NAME);
1423: channel_forwarded_auth_socket_dir = xmalloc(MAX_SOCKET_NAME);
1424: strlcpy(channel_forwarded_auth_socket_dir, "/tmp/ssh-XXXXXXXX", MAX_SOCKET_NAME);
1425:
1426: /* Create private directory for socket */
1427: if (mkdtemp(channel_forwarded_auth_socket_dir) == NULL)
1428: packet_disconnect("mkdtemp: %.100s", strerror(errno));
1429: snprintf(channel_forwarded_auth_socket_name, MAX_SOCKET_NAME,
1430: "%s/agent.%d", channel_forwarded_auth_socket_dir, (int)getpid());
1431:
1432: if (atexit(cleanup_socket) < 0) {
1433: int saved=errno;
1434: cleanup_socket();
1435: packet_disconnect("socket: %.100s", strerror(saved));
1436: }
1.1 deraadt 1437:
1.11 markus 1438: /* Create the socket. */
1439: sock = socket(AF_UNIX, SOCK_STREAM, 0);
1440: if (sock < 0)
1441: packet_disconnect("socket: %.100s", strerror(errno));
1.1 deraadt 1442:
1.11 markus 1443: /* Bind it to the name. */
1444: memset(&sunaddr, 0, sizeof(sunaddr));
1445: sunaddr.sun_family = AF_UNIX;
1446: strncpy(sunaddr.sun_path, channel_forwarded_auth_socket_name,
1447: sizeof(sunaddr.sun_path));
1.1 deraadt 1448:
1.11 markus 1449: if (bind(sock, (struct sockaddr *)&sunaddr, sizeof(sunaddr)) < 0)
1450: packet_disconnect("bind: %.100s", strerror(errno));
1.1 deraadt 1451:
1.11 markus 1452: /* Restore the privileged uid. */
1453: restore_uid();
1.1 deraadt 1454:
1.11 markus 1455: /* Start listening on the socket. */
1456: if (listen(sock, 5) < 0)
1457: packet_disconnect("listen: %.100s", strerror(errno));
1.1 deraadt 1458:
1.11 markus 1459: /* Allocate a channel for the authentication agent socket. */
1460: newch = channel_allocate(SSH_CHANNEL_AUTH_SOCKET, sock,
1461: xstrdup("auth socket"));
1462: strcpy(channels[newch].path, channel_forwarded_auth_socket_name);
1.1 deraadt 1463: }
1464:
1465: /* This is called to process an SSH_SMSG_AGENT_OPEN message. */
1466:
1467: void auth_input_open_request()
1468: {
1.13 markus 1469: int remch, sock, newch;
1.1 deraadt 1470: char *dummyname;
1471:
1.13 markus 1472: /* Read the remote channel number from the message. */
1473: remch = packet_get_int();
1.1 deraadt 1474:
1475: /* Get a connection to the local authentication agent (this may again get
1476: forwarded). */
1.13 markus 1477: sock = ssh_get_authentication_socket();
1.1 deraadt 1478:
1.13 markus 1479: /* If we could not connect the agent, send an error message back to
1480: the server. This should never happen unless the agent
1.1 deraadt 1481: dies, because authentication forwarding is only enabled if we have an
1482: agent. */
1.13 markus 1483: if (sock < 0){
1484: packet_start(SSH_MSG_CHANNEL_OPEN_FAILURE);
1485: packet_put_int(remch);
1486: packet_send();
1.1 deraadt 1487: return;
1.13 markus 1488: }
1.1 deraadt 1489:
1490: debug("Forwarding authentication connection.");
1491:
1492: /* Dummy host name. This will be freed when the channel is freed; it will
1493: still be valid in the packet_put_string below since the channel cannot
1494: yet be freed at that point. */
1495: dummyname = xstrdup("authentication agent connection");
1496:
1.13 markus 1497: newch = channel_allocate(SSH_CHANNEL_OPEN, sock, dummyname);
1498: channels[newch].remote_id = remch;
1499:
1500: /* Send a confirmation to the remote host. */
1501: packet_start(SSH_MSG_CHANNEL_OPEN_CONFIRMATION);
1502: packet_put_int(remch);
1.1 deraadt 1503: packet_put_int(newch);
1504: packet_send();
1505: }