Annotation of src/usr.bin/ssh/channels.c, Revision 1.19
1.1 deraadt 1: /*
2:
3: channels.c
4:
5: Author: Tatu Ylonen <ylo@cs.hut.fi>
6:
7: Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
8: All rights reserved
9:
10: Created: Fri Mar 24 16:35:24 1995 ylo
11:
12: This file contains functions for generic socket connection forwarding.
13: There is also code for initiating connection forwarding for X11 connections,
14: arbitrary tcp/ip connections, and the authentication agent connection.
15:
16: */
17:
18: #include "includes.h"
1.19 ! markus 19: RCSID("$Id: channels.c,v 1.18 1999/10/28 21:26:09 markus Exp $");
1.1 deraadt 20:
21: #include "ssh.h"
22: #include "packet.h"
23: #include "xmalloc.h"
24: #include "buffer.h"
25: #include "authfd.h"
26: #include "uidswap.h"
1.3 deraadt 27: #include "servconf.h"
1.1 deraadt 28:
1.14 markus 29: #include "channels.h"
30: #include "nchan.h"
31: #include "compat.h"
32:
1.1 deraadt 33: /* Maximum number of fake X11 displays to try. */
34: #define MAX_DISPLAYS 1000
35:
1.12 markus 36: /* Max len of agent socket */
37: #define MAX_SOCKET_NAME 100
38:
1.1 deraadt 39: /* Pointer to an array containing all allocated channels. The array is
40: dynamically extended as needed. */
41: static Channel *channels = NULL;
42:
43: /* Size of the channel array. All slots of the array must always be
44: initialized (at least the type field); unused slots are marked with
45: type SSH_CHANNEL_FREE. */
46: static int channels_alloc = 0;
47:
48: /* Maximum file descriptor value used in any of the channels. This is updated
49: in channel_allocate. */
50: static int channel_max_fd_value = 0;
51:
1.12 markus 52: /* Name and directory of socket for authentication agent forwarding. */
1.1 deraadt 53: static char *channel_forwarded_auth_socket_name = NULL;
1.12 markus 54: static char *channel_forwarded_auth_socket_dir = NULL;
1.1 deraadt 55:
56: /* Saved X11 authentication protocol name. */
57: char *x11_saved_proto = NULL;
58:
59: /* Saved X11 authentication data. This is the real data. */
60: char *x11_saved_data = NULL;
61: unsigned int x11_saved_data_len = 0;
62:
63: /* Fake X11 authentication data. This is what the server will be sending
64: us; we should replace any occurrences of this by the real data. */
65: char *x11_fake_data = NULL;
66: unsigned int x11_fake_data_len;
67:
68: /* Data structure for storing which hosts are permitted for forward requests.
69: The local sides of any remote forwards are stored in this array to prevent
70: a corrupt remote server from accessing arbitrary TCP/IP ports on our
71: local network (which might be behind a firewall). */
72: typedef struct
73: {
74: char *host; /* Host name. */
75: int port; /* Port number. */
76: } ForwardPermission;
77:
78: /* List of all permitted host/port pairs to connect. */
79: static ForwardPermission permitted_opens[SSH_MAX_FORWARDS_PER_DIRECTION];
80: /* Number of permitted host/port pairs in the array. */
81: static int num_permitted_opens = 0;
82: /* If this is true, all opens are permitted. This is the case on the
83: server on which we have to trust the client anyway, and the user could
84: do anything after logging in anyway. */
85: static int all_opens_permitted = 0;
86:
87: /* This is set to true if both sides support SSH_PROTOFLAG_HOST_IN_FWD_OPEN. */
88: static int have_hostname_in_open = 0;
89:
90: /* Sets specific protocol options. */
91:
92: void channel_set_options(int hostname_in_open)
93: {
94: have_hostname_in_open = hostname_in_open;
95: }
96:
97: /* Permits opening to any host/port in SSH_MSG_PORT_OPEN. This is usually
98: called by the server, because the user could connect to any port anyway,
99: and the server has no way to know but to trust the client anyway. */
100:
101: void channel_permit_all_opens()
102: {
103: all_opens_permitted = 1;
104: }
105:
106: /* Allocate a new channel object and set its type and socket.
107: This will cause remote_name to be freed. */
108:
109: int channel_allocate(int type, int sock, char *remote_name)
110: {
1.17 markus 111: int i, found;
112: Channel *c;
1.1 deraadt 113:
114: /* Update the maximum file descriptor value. */
115: if (sock > channel_max_fd_value)
116: channel_max_fd_value = sock;
117:
118: /* Do initial allocation if this is the first call. */
119: if (channels_alloc == 0)
120: {
121: channels_alloc = 10;
122: channels = xmalloc(channels_alloc * sizeof(Channel));
123: for (i = 0; i < channels_alloc; i++)
124: channels[i].type = SSH_CHANNEL_FREE;
125:
126: /* Kludge: arrange a call to channel_stop_listening if we terminate
127: with fatal(). */
128: fatal_add_cleanup((void (*)(void *))channel_stop_listening, NULL);
129: }
130:
131: /* Try to find a free slot where to put the new channel. */
1.17 markus 132: for (found = -1, i = 0; i < channels_alloc; i++)
1.1 deraadt 133: if (channels[i].type == SSH_CHANNEL_FREE)
134: {
1.17 markus 135: /* Found a free slot. */
136: found = i;
137: break;
1.1 deraadt 138: }
139:
1.17 markus 140: if (found == -1)
141: {
142: /* There are no free slots. Take last+1 slot and expand the array. */
143: found = channels_alloc;
144: channels_alloc += 10;
145: debug("channel: expanding %d", channels_alloc);
146: channels = xrealloc(channels, channels_alloc * sizeof(Channel));
147: for (i = found; i < channels_alloc; i++)
148: channels[i].type = SSH_CHANNEL_FREE;
149: }
150:
151: /* Initialize and return new channel number. */
152: c=&channels[found];
153: buffer_init(&c->input);
154: buffer_init(&c->output);
155: chan_init_iostates(c);
156: c->self = found;
157: c->type = type;
158: c->sock = sock;
159: c->remote_id = -1;
160: c->remote_name = remote_name;
161: debug("channel %d: new [%s]", found, remote_name);
162: return found;
1.1 deraadt 163: }
164:
165: /* Free the channel and close its socket. */
166:
167: void channel_free(int channel)
168: {
1.19 ! markus 169: if (channel < 0 || channel >= channels_alloc ||
! 170: channels[channel].type == SSH_CHANNEL_FREE)
! 171: packet_disconnect("channel free: bad local channel %d", channel);
! 172:
1.14 markus 173: if(compat13)
174: shutdown(channels[channel].sock, SHUT_RDWR);
1.1 deraadt 175: close(channels[channel].sock);
176: buffer_free(&channels[channel].input);
177: buffer_free(&channels[channel].output);
178: channels[channel].type = SSH_CHANNEL_FREE;
179: if (channels[channel].remote_name)
180: {
181: xfree(channels[channel].remote_name);
182: channels[channel].remote_name = NULL;
183: }
184: }
185:
186: /* This is called just before select() to add any bits relevant to
187: channels in the select bitmasks. */
188:
189: void channel_prepare_select(fd_set *readset, fd_set *writeset)
190: {
191: int i;
192: Channel *ch;
193: unsigned char *ucp;
194: unsigned int proto_len, data_len;
195:
196: for (i = 0; i < channels_alloc; i++)
197: {
198: ch = &channels[i];
199: redo:
200: switch (ch->type)
201: {
202: case SSH_CHANNEL_X11_LISTENER:
203: case SSH_CHANNEL_PORT_LISTENER:
204: case SSH_CHANNEL_AUTH_SOCKET:
205: FD_SET(ch->sock, readset);
206: break;
207:
208: case SSH_CHANNEL_OPEN:
1.14 markus 209: if(compat13){
210: if (buffer_len(&ch->input) < 32768)
211: FD_SET(ch->sock, readset);
212: if (buffer_len(&ch->output) > 0)
213: FD_SET(ch->sock, writeset);
214: break;
215: }
216: /* test whether sockets are 'alive' for read/write */
1.16 markus 217: if (ch->istate == CHAN_INPUT_OPEN)
1.14 markus 218: if (buffer_len(&ch->input) < 32768)
219: FD_SET(ch->sock, readset);
1.16 markus 220: if (ch->ostate == CHAN_OUTPUT_OPEN || ch->ostate == CHAN_OUTPUT_WAIT_DRAIN){
1.14 markus 221: if (buffer_len(&ch->output) > 0){
222: FD_SET(ch->sock, writeset);
1.16 markus 223: }else if(ch->ostate == CHAN_OUTPUT_WAIT_DRAIN) {
224: chan_obuf_empty(ch);
1.14 markus 225: }
226: }
227: break;
1.1 deraadt 228:
229: case SSH_CHANNEL_INPUT_DRAINING:
1.14 markus 230: if (!compat13)
231: fatal("cannot happen: IN_DRAIN");
1.1 deraadt 232: if (buffer_len(&ch->input) == 0)
233: {
234: packet_start(SSH_MSG_CHANNEL_CLOSE);
235: packet_put_int(ch->remote_id);
236: packet_send();
237: ch->type = SSH_CHANNEL_CLOSED;
238: debug("Closing channel %d after input drain.", i);
239: break;
240: }
241: break;
242:
243: case SSH_CHANNEL_OUTPUT_DRAINING:
1.14 markus 244: if (!compat13)
245: fatal("cannot happen: OUT_DRAIN");
1.1 deraadt 246: if (buffer_len(&ch->output) == 0)
247: {
248: /* debug("Freeing channel %d after output drain.", i); */
249: channel_free(i);
250: break;
251: }
252: FD_SET(ch->sock, writeset);
253: break;
254:
255: case SSH_CHANNEL_X11_OPEN:
256: /* This is a special state for X11 authentication spoofing. An
257: opened X11 connection (when authentication spoofing is being
258: done) remains in this state until the first packet has been
259: completely read. The authentication data in that packet is
260: then substituted by the real data if it matches the fake data,
261: and the channel is put into normal mode. */
262:
263: /* Check if the fixed size part of the packet is in buffer. */
264: if (buffer_len(&ch->output) < 12)
265: break;
266:
267: /* Parse the lengths of variable-length fields. */
268: ucp = (unsigned char *)buffer_ptr(&ch->output);
269: if (ucp[0] == 0x42)
270: { /* Byte order MSB first. */
271: proto_len = 256 * ucp[6] + ucp[7];
272: data_len = 256 * ucp[8] + ucp[9];
273: }
274: else
275: if (ucp[0] == 0x6c)
276: { /* Byte order LSB first. */
277: proto_len = ucp[6] + 256 * ucp[7];
278: data_len = ucp[8] + 256 * ucp[9];
279: }
280: else
281: {
282: debug("Initial X11 packet contains bad byte order byte: 0x%x",
283: ucp[0]);
284: ch->type = SSH_CHANNEL_OPEN;
285: goto reject;
286: }
287:
288: /* Check if the whole packet is in buffer. */
289: if (buffer_len(&ch->output) <
290: 12 + ((proto_len + 3) & ~3) + ((data_len + 3) & ~3))
291: break;
292:
293: /* Check if authentication protocol matches. */
294: if (proto_len != strlen(x11_saved_proto) ||
295: memcmp(ucp + 12, x11_saved_proto, proto_len) != 0)
296: {
297: debug("X11 connection uses different authentication protocol.");
298: ch->type = SSH_CHANNEL_OPEN;
299: goto reject;
300: }
301:
302: /* Check if authentication data matches our fake data. */
303: if (data_len != x11_fake_data_len ||
304: memcmp(ucp + 12 + ((proto_len + 3) & ~3),
305: x11_fake_data, x11_fake_data_len) != 0)
306: {
307: debug("X11 auth data does not match fake data.");
308: ch->type = SSH_CHANNEL_OPEN;
309: goto reject;
310: }
311:
1.19 ! markus 312: /* Check fake data length */
! 313: if (x11_fake_data_len != x11_saved_data_len)
! 314: {
! 315: error("X11 fake_data_len %d != saved_data_len %d",
! 316: x11_fake_data_len, x11_saved_data_len);
! 317: ch->type = SSH_CHANNEL_OPEN;
! 318: goto reject;
! 319: }
! 320:
1.1 deraadt 321: /* Received authentication protocol and data match our fake data.
322: Substitute the fake data with real data. */
323: memcpy(ucp + 12 + ((proto_len + 3) & ~3),
324: x11_saved_data, x11_saved_data_len);
325:
326: /* Start normal processing for the channel. */
327: ch->type = SSH_CHANNEL_OPEN;
328: goto redo;
329:
330: reject:
331: /* We have received an X11 connection that has bad authentication
332: information. */
333: log("X11 connection rejected because of wrong authentication.\r\n");
334: buffer_clear(&ch->input);
335: buffer_clear(&ch->output);
1.14 markus 336: if (compat13) {
337: close(ch->sock);
338: ch->sock = -1;
339: ch->type = SSH_CHANNEL_CLOSED;
340: packet_start(SSH_MSG_CHANNEL_CLOSE);
341: packet_put_int(ch->remote_id);
342: packet_send();
343: }else{
1.17 markus 344: debug("X11 rejected %d i%d/o%d", ch->self, ch->istate, ch->ostate);
1.16 markus 345: chan_read_failed(ch);
346: chan_write_failed(ch);
1.17 markus 347: debug("X11 rejected %d i%d/o%d", ch->self, ch->istate, ch->ostate);
1.14 markus 348: }
1.1 deraadt 349: break;
350:
351: case SSH_CHANNEL_FREE:
352: default:
353: continue;
354: }
355: }
356: }
357:
358: /* After select, perform any appropriate operations for channels which
359: have events pending. */
360:
361: void channel_after_select(fd_set *readset, fd_set *writeset)
362: {
363: struct sockaddr addr;
1.13 markus 364: int addrlen, newsock, i, newch, len;
1.1 deraadt 365: Channel *ch;
366: char buf[16384], *remote_hostname;
367:
368: /* Loop over all channels... */
369: for (i = 0; i < channels_alloc; i++)
370: {
371: ch = &channels[i];
372: switch (ch->type)
373: {
374: case SSH_CHANNEL_X11_LISTENER:
375: /* This is our fake X11 server socket. */
376: if (FD_ISSET(ch->sock, readset))
377: {
378: debug("X11 connection requested.");
379: addrlen = sizeof(addr);
380: newsock = accept(ch->sock, &addr, &addrlen);
381: if (newsock < 0)
382: {
383: error("accept: %.100s", strerror(errno));
384: break;
385: }
386: remote_hostname = get_remote_hostname(newsock);
1.15 deraadt 387: snprintf(buf, sizeof buf, "X11 connection from %.200s port %d",
1.1 deraadt 388: remote_hostname, get_peer_port(newsock));
389: xfree(remote_hostname);
390: newch = channel_allocate(SSH_CHANNEL_OPENING, newsock,
391: xstrdup(buf));
392: packet_start(SSH_SMSG_X11_OPEN);
393: packet_put_int(newch);
394: if (have_hostname_in_open)
395: packet_put_string(buf, strlen(buf));
396: packet_send();
397: }
398: break;
399:
400: case SSH_CHANNEL_PORT_LISTENER:
401: /* This socket is listening for connections to a forwarded TCP/IP
402: port. */
403: if (FD_ISSET(ch->sock, readset))
404: {
405: debug("Connection to port %d forwarding to %.100s:%d requested.",
406: ch->listening_port, ch->path, ch->host_port);
407: addrlen = sizeof(addr);
408: newsock = accept(ch->sock, &addr, &addrlen);
409: if (newsock < 0)
410: {
411: error("accept: %.100s", strerror(errno));
412: break;
413: }
414: remote_hostname = get_remote_hostname(newsock);
1.17 markus 415: snprintf(buf, sizeof buf, "listen port %d:%.100s:%d, connect from %.200s:%d",
416: ch->listening_port, ch->path, ch->host_port,
417: remote_hostname, get_peer_port(newsock));
1.1 deraadt 418: xfree(remote_hostname);
419: newch = channel_allocate(SSH_CHANNEL_OPENING, newsock,
420: xstrdup(buf));
421: packet_start(SSH_MSG_PORT_OPEN);
422: packet_put_int(newch);
423: packet_put_string(ch->path, strlen(ch->path));
424: packet_put_int(ch->host_port);
425: if (have_hostname_in_open)
426: packet_put_string(buf, strlen(buf));
427: packet_send();
428: }
429: break;
430:
431: case SSH_CHANNEL_AUTH_SOCKET:
432: /* This is the authentication agent socket listening for connections
433: from clients. */
434: if (FD_ISSET(ch->sock, readset))
435: {
1.13 markus 436: int nchan;
1.1 deraadt 437: len = sizeof(addr);
438: newsock = accept(ch->sock, &addr, &len);
439: if (newsock < 0)
1.13 markus 440: {
441: error("accept from auth socket: %.100s", strerror(errno));
442: break;
443: }
444:
445: nchan = channel_allocate(SSH_CHANNEL_OPENING, newsock,
1.1 deraadt 446: xstrdup("accepted auth socket"));
1.13 markus 447: packet_start(SSH_SMSG_AGENT_OPEN);
448: packet_put_int(nchan);
449: packet_send();
1.1 deraadt 450: }
451: break;
452:
453: case SSH_CHANNEL_OPEN:
454: /* This is an open two-way communication channel. It is not of
455: interest to us at this point what kind of data is being
456: transmitted. */
1.14 markus 457:
458: /* Read available incoming data and append it to buffer;
459: shutdown socket, if read or write failes */
1.1 deraadt 460: if (FD_ISSET(ch->sock, readset))
461: {
462: len = read(ch->sock, buf, sizeof(buf));
463: if (len <= 0)
464: {
1.14 markus 465: if (compat13) {
466: buffer_consume(&ch->output, buffer_len(&ch->output));
467: ch->type = SSH_CHANNEL_INPUT_DRAINING;
468: debug("Channel %d status set to input draining.", i);
469: }else{
1.16 markus 470: chan_read_failed(ch);
1.14 markus 471: }
1.1 deraadt 472: break;
473: }
474: buffer_append(&ch->input, buf, len);
475: }
476: /* Send buffered output data to the socket. */
477: if (FD_ISSET(ch->sock, writeset) && buffer_len(&ch->output) > 0)
478: {
479: len = write(ch->sock, buffer_ptr(&ch->output),
480: buffer_len(&ch->output));
481: if (len <= 0)
482: {
1.14 markus 483: if (compat13) {
484: buffer_consume(&ch->output, buffer_len(&ch->output));
485: debug("Channel %d status set to input draining.", i);
486: ch->type = SSH_CHANNEL_INPUT_DRAINING;
487: }else{
1.16 markus 488: chan_write_failed(ch);
1.14 markus 489: }
1.1 deraadt 490: break;
491: }
492: buffer_consume(&ch->output, len);
493: }
494: break;
495:
496: case SSH_CHANNEL_OUTPUT_DRAINING:
1.14 markus 497: if (!compat13)
498: fatal("cannot happen: OUT_DRAIN");
1.1 deraadt 499: /* Send buffered output data to the socket. */
500: if (FD_ISSET(ch->sock, writeset) && buffer_len(&ch->output) > 0)
501: {
502: len = write(ch->sock, buffer_ptr(&ch->output),
503: buffer_len(&ch->output));
504: if (len <= 0)
505: buffer_consume(&ch->output, buffer_len(&ch->output));
506: else
507: buffer_consume(&ch->output, len);
508: }
509: break;
510:
511: case SSH_CHANNEL_X11_OPEN:
512: case SSH_CHANNEL_FREE:
513: default:
514: continue;
515: }
516: }
517: }
518:
519: /* If there is data to send to the connection, send some of it now. */
520:
521: void channel_output_poll()
522: {
523: int len, i;
524: Channel *ch;
525:
526: for (i = 0; i < channels_alloc; i++)
527: {
528: ch = &channels[i];
529: /* We are only interested in channels that can have buffered incoming
530: data. */
531: if (ch->type != SSH_CHANNEL_OPEN &&
532: ch->type != SSH_CHANNEL_INPUT_DRAINING)
533: continue;
534:
535: /* Get the amount of buffered data for this channel. */
536: len = buffer_len(&ch->input);
537: if (len > 0)
538: {
539: /* Send some data for the other side over the secure connection. */
540: if (packet_is_interactive())
541: {
542: if (len > 1024)
543: len = 512;
544: }
545: else
546: {
547: if (len > 16384)
548: len = 16384; /* Keep the packets at reasonable size. */
549: }
550: packet_start(SSH_MSG_CHANNEL_DATA);
551: packet_put_int(ch->remote_id);
552: packet_put_string(buffer_ptr(&ch->input), len);
553: packet_send();
554: buffer_consume(&ch->input, len);
555: }
1.16 markus 556: else if(ch->istate == CHAN_INPUT_WAIT_DRAIN)
1.14 markus 557: {
558: if (compat13)
1.16 markus 559: fatal("cannot happen: istate == INPUT_WAIT_DRAIN for proto 1.3");
1.14 markus 560: /* input-buffer is empty and read-socket shutdown:
561: tell peer, that we will not send more data: send IEOF */
1.16 markus 562: chan_ibuf_empty(ch);
1.14 markus 563: }
1.1 deraadt 564: }
565: }
566:
567: /* This is called when a packet of type CHANNEL_DATA has just been received.
568: The message type has already been consumed, but channel number and data
569: is still there. */
570:
571: void channel_input_data(int payload_len)
572: {
573: int channel;
574: char *data;
575: unsigned int data_len;
576:
577: /* Get the channel number and verify it. */
578: channel = packet_get_int();
579: if (channel < 0 || channel >= channels_alloc ||
580: channels[channel].type == SSH_CHANNEL_FREE)
581: packet_disconnect("Received data for nonexistent channel %d.", channel);
582:
583: /* Ignore any data for non-open channels (might happen on close) */
584: if (channels[channel].type != SSH_CHANNEL_OPEN &&
585: channels[channel].type != SSH_CHANNEL_X11_OPEN)
586: return;
587:
588: /* Get the data. */
589: data = packet_get_string(&data_len);
590: packet_integrity_check(payload_len, 4 + 4+data_len, SSH_MSG_CHANNEL_DATA);
591: buffer_append(&channels[channel].output, data, data_len);
592: xfree(data);
593: }
594:
595: /* Returns true if no channel has too much buffered data, and false if
596: one or more channel is overfull. */
597:
598: int channel_not_very_much_buffered_data()
599: {
600: unsigned int i;
601: Channel *ch;
602:
603: for (i = 0; i < channels_alloc; i++)
604: {
605: ch = &channels[i];
1.14 markus 606: switch (ch->type)
1.1 deraadt 607: {
608: case SSH_CHANNEL_X11_LISTENER:
609: case SSH_CHANNEL_PORT_LISTENER:
610: case SSH_CHANNEL_AUTH_SOCKET:
611: continue;
612: case SSH_CHANNEL_OPEN:
613: if (buffer_len(&ch->input) > 32768)
614: return 0;
615: if (buffer_len(&ch->output) > 32768)
616: return 0;
617: continue;
618: case SSH_CHANNEL_INPUT_DRAINING:
619: case SSH_CHANNEL_OUTPUT_DRAINING:
620: case SSH_CHANNEL_X11_OPEN:
621: case SSH_CHANNEL_FREE:
622: default:
623: continue;
624: }
625: }
626: return 1;
627: }
628:
1.14 markus 629: /* This is called after receiving CHANNEL_CLOSE/IEOF. */
1.1 deraadt 630:
631: void channel_input_close()
632: {
633: int channel;
634:
635: /* Get the channel number and verify it. */
636: channel = packet_get_int();
637: if (channel < 0 || channel >= channels_alloc ||
638: channels[channel].type == SSH_CHANNEL_FREE)
639: packet_disconnect("Received data for nonexistent channel %d.", channel);
640:
1.14 markus 641: if(!compat13){
642: /* proto version 1.5 overloads CLOSE with IEOF */
643: chan_rcvd_ieof(&channels[channel]);
644: return;
645: }
646:
1.1 deraadt 647: /* Send a confirmation that we have closed the channel and no more data is
648: coming for it. */
649: packet_start(SSH_MSG_CHANNEL_CLOSE_CONFIRMATION);
650: packet_put_int(channels[channel].remote_id);
651: packet_send();
652:
653: /* If the channel is in closed state, we have sent a close request, and
654: the other side will eventually respond with a confirmation. Thus,
655: we cannot free the channel here, because then there would be no-one to
656: receive the confirmation. The channel gets freed when the confirmation
657: arrives. */
658: if (channels[channel].type != SSH_CHANNEL_CLOSED)
659: {
660: /* Not a closed channel - mark it as draining, which will cause it to
661: be freed later. */
662: buffer_consume(&channels[channel].input,
663: buffer_len(&channels[channel].input));
664: channels[channel].type = SSH_CHANNEL_OUTPUT_DRAINING;
665: /* debug("Setting status to output draining; output len = %d",
666: buffer_len(&channels[channel].output)); */
667: }
668: }
669:
1.14 markus 670: /* This is called after receiving CHANNEL_CLOSE_CONFIRMATION/OCLOSE. */
1.1 deraadt 671:
672: void channel_input_close_confirmation()
673: {
674: int channel;
675:
676: /* Get the channel number and verify it. */
677: channel = packet_get_int();
678: if (channel < 0 || channel >= channels_alloc)
679: packet_disconnect("Received close confirmation for out-of-range channel %d.",
680: channel);
1.14 markus 681:
682: if(!compat13){
683: /* proto version 1.5 overloads CLOSE_CONFIRMATION with OCLOSE */
684: chan_rcvd_oclose(&channels[channel]);
685: return;
686: }
687:
1.1 deraadt 688: if (channels[channel].type != SSH_CHANNEL_CLOSED)
689: packet_disconnect("Received close confirmation for non-closed channel %d (type %d).",
690: channel, channels[channel].type);
691:
692: /* Free the channel. */
693: channel_free(channel);
694: }
695:
696: /* This is called after receiving CHANNEL_OPEN_CONFIRMATION. */
697:
698: void channel_input_open_confirmation()
699: {
700: int channel, remote_channel;
701:
702: /* Get the channel number and verify it. */
703: channel = packet_get_int();
704: if (channel < 0 || channel >= channels_alloc ||
705: channels[channel].type != SSH_CHANNEL_OPENING)
706: packet_disconnect("Received open confirmation for non-opening channel %d.",
707: channel);
708:
709: /* Get remote side's id for this channel. */
710: remote_channel = packet_get_int();
711:
712: /* Record the remote channel number and mark that the channel is now open. */
713: channels[channel].remote_id = remote_channel;
714: channels[channel].type = SSH_CHANNEL_OPEN;
715: }
716:
717: /* This is called after receiving CHANNEL_OPEN_FAILURE from the other side. */
718:
719: void channel_input_open_failure()
720: {
721: int channel;
722:
723: /* Get the channel number and verify it. */
724: channel = packet_get_int();
725: if (channel < 0 || channel >= channels_alloc ||
726: channels[channel].type != SSH_CHANNEL_OPENING)
727: packet_disconnect("Received open failure for non-opening channel %d.",
728: channel);
729:
730: /* Free the channel. This will also close the socket. */
731: channel_free(channel);
732: }
733:
734: /* Stops listening for channels, and removes any unix domain sockets that
735: we might have. */
736:
737: void channel_stop_listening()
738: {
739: int i;
740: for (i = 0; i < channels_alloc; i++)
741: {
742: switch (channels[i].type)
743: {
744: case SSH_CHANNEL_AUTH_SOCKET:
745: close(channels[i].sock);
746: remove(channels[i].path);
747: channel_free(i);
748: break;
749: case SSH_CHANNEL_PORT_LISTENER:
750: case SSH_CHANNEL_X11_LISTENER:
751: close(channels[i].sock);
752: channel_free(i);
753: break;
754: default:
755: break;
756: }
757: }
758: }
759:
760: /* Closes the sockets of all channels. This is used to close extra file
761: descriptors after a fork. */
762:
763: void channel_close_all()
764: {
765: int i;
766: for (i = 0; i < channels_alloc; i++)
767: {
768: if (channels[i].type != SSH_CHANNEL_FREE)
769: close(channels[i].sock);
770: }
771: }
772:
773: /* Returns the maximum file descriptor number used by the channels. */
774:
775: int channel_max_fd()
776: {
777: return channel_max_fd_value;
778: }
779:
780: /* Returns true if any channel is still open. */
781:
782: int channel_still_open()
783: {
784: unsigned int i;
785: for (i = 0; i < channels_alloc; i++)
786: switch (channels[i].type)
787: {
788: case SSH_CHANNEL_FREE:
789: case SSH_CHANNEL_X11_LISTENER:
790: case SSH_CHANNEL_PORT_LISTENER:
791: case SSH_CHANNEL_CLOSED:
792: case SSH_CHANNEL_AUTH_SOCKET:
793: continue;
794: case SSH_CHANNEL_OPENING:
795: case SSH_CHANNEL_OPEN:
796: case SSH_CHANNEL_X11_OPEN:
1.14 markus 797: return 1;
1.1 deraadt 798: case SSH_CHANNEL_INPUT_DRAINING:
799: case SSH_CHANNEL_OUTPUT_DRAINING:
1.14 markus 800: if (!compat13)
801: fatal("cannot happen: OUT_DRAIN");
1.1 deraadt 802: return 1;
803: default:
804: fatal("channel_still_open: bad channel type %d", channels[i].type);
805: /*NOTREACHED*/
806: }
807: return 0;
808: }
809:
810: /* Returns a message describing the currently open forwarded
811: connections, suitable for sending to the client. The message
812: contains crlf pairs for newlines. */
813:
814: char *channel_open_message()
815: {
816: Buffer buffer;
817: int i;
818: char buf[512], *cp;
819:
820: buffer_init(&buffer);
1.15 deraadt 821: snprintf(buf, sizeof buf, "The following connections are open:\r\n");
1.1 deraadt 822: buffer_append(&buffer, buf, strlen(buf));
1.14 markus 823: for (i = 0; i < channels_alloc; i++){
824: Channel *c=&channels[i];
825: switch (c->type)
1.1 deraadt 826: {
827: case SSH_CHANNEL_FREE:
828: case SSH_CHANNEL_X11_LISTENER:
829: case SSH_CHANNEL_PORT_LISTENER:
830: case SSH_CHANNEL_CLOSED:
831: case SSH_CHANNEL_AUTH_SOCKET:
832: continue;
833: case SSH_CHANNEL_OPENING:
834: case SSH_CHANNEL_OPEN:
835: case SSH_CHANNEL_X11_OPEN:
836: case SSH_CHANNEL_INPUT_DRAINING:
837: case SSH_CHANNEL_OUTPUT_DRAINING:
1.17 markus 838: snprintf(buf, sizeof buf, " #%d %.300s (t%d r%d i%d o%d)\r\n",
839: c->self,c->remote_name,
840: c->type,c->remote_id, c->istate,c->ostate);
1.1 deraadt 841: buffer_append(&buffer, buf, strlen(buf));
842: continue;
843: default:
1.14 markus 844: fatal("channel_still_open: bad channel type %d", c->type);
1.1 deraadt 845: /*NOTREACHED*/
846: }
1.14 markus 847: }
1.1 deraadt 848: buffer_append(&buffer, "\0", 1);
849: cp = xstrdup(buffer_ptr(&buffer));
850: buffer_free(&buffer);
851: return cp;
852: }
853:
854: /* Initiate forwarding of connections to local port "port" through the secure
855: channel to host:port from remote side. */
856:
857: void channel_request_local_forwarding(int port, const char *host,
858: int host_port)
859: {
860: int ch, sock;
861: struct sockaddr_in sin;
1.4 deraadt 862: extern Options options;
1.1 deraadt 863:
864: if (strlen(host) > sizeof(channels[0].path) - 1)
865: packet_disconnect("Forward host name too long.");
866:
867: /* Create a port to listen for the host. */
868: sock = socket(AF_INET, SOCK_STREAM, 0);
869: if (sock < 0)
870: packet_disconnect("socket: %.100s", strerror(errno));
871:
872: /* Initialize socket address. */
873: memset(&sin, 0, sizeof(sin));
874: sin.sin_family = AF_INET;
1.4 deraadt 875: if (options.gateway_ports == 1)
876: sin.sin_addr.s_addr = htonl(INADDR_ANY);
877: else
878: sin.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
1.1 deraadt 879: sin.sin_port = htons(port);
880:
881: /* Bind the socket to the address. */
882: if (bind(sock, (struct sockaddr *)&sin, sizeof(sin)) < 0)
883: packet_disconnect("bind: %.100s", strerror(errno));
884:
885: /* Start listening for connections on the socket. */
886: if (listen(sock, 5) < 0)
887: packet_disconnect("listen: %.100s", strerror(errno));
888:
889: /* Allocate a channel number for the socket. */
890: ch = channel_allocate(SSH_CHANNEL_PORT_LISTENER, sock,
891: xstrdup("port listener"));
892: strcpy(channels[ch].path, host); /* note: host name stored here */
893: channels[ch].host_port = host_port; /* port on host to connect to */
894: channels[ch].listening_port = port; /* port being listened */
895: }
896:
897: /* Initiate forwarding of connections to port "port" on remote host through
898: the secure channel to host:port from local side. */
899:
900: void channel_request_remote_forwarding(int port, const char *host,
901: int remote_port)
902: {
903: int payload_len;
904: /* Record locally that connection to this host/port is permitted. */
905: if (num_permitted_opens >= SSH_MAX_FORWARDS_PER_DIRECTION)
906: fatal("channel_request_remote_forwarding: too many forwards");
907: permitted_opens[num_permitted_opens].host = xstrdup(host);
908: permitted_opens[num_permitted_opens].port = remote_port;
909: num_permitted_opens++;
910:
911: /* Send the forward request to the remote side. */
912: packet_start(SSH_CMSG_PORT_FORWARD_REQUEST);
913: packet_put_int(port);
914: packet_put_string(host, strlen(host));
915: packet_put_int(remote_port);
916: packet_send();
917: packet_write_wait();
918:
919: /* Wait for response from the remote side. It will send a disconnect
920: message on failure, and we will never see it here. */
921: packet_read_expect(&payload_len, SSH_SMSG_SUCCESS);
922: }
923:
924: /* This is called after receiving CHANNEL_FORWARDING_REQUEST. This initates
925: listening for the port, and sends back a success reply (or disconnect
926: message if there was an error). This never returns if there was an
927: error. */
928:
929: void channel_input_port_forward_request(int is_root)
930: {
931: int port, host_port;
932: char *hostname;
933:
934: /* Get arguments from the packet. */
935: port = packet_get_int();
936: hostname = packet_get_string(NULL);
937: host_port = packet_get_int();
938:
939: /* Port numbers are 16 bit quantities. */
940: if ((port & 0xffff) != port)
941: packet_disconnect("Requested forwarding of nonexistent port %d.", port);
942:
943: /* Check that an unprivileged user is not trying to forward a privileged
944: port. */
1.8 deraadt 945: if (port < IPPORT_RESERVED && !is_root)
1.1 deraadt 946: packet_disconnect("Requested forwarding of port %d but user is not root.",
947: port);
948:
949: /* Initiate forwarding. */
950: channel_request_local_forwarding(port, hostname, host_port);
951:
952: /* Free the argument string. */
953: xfree(hostname);
954: }
955:
956: /* This is called after receiving PORT_OPEN message. This attempts to connect
957: to the given host:port, and sends back CHANNEL_OPEN_CONFIRMATION or
958: CHANNEL_OPEN_FAILURE. */
959:
960: void channel_input_port_open(int payload_len)
961: {
962: int remote_channel, sock, newch, host_port, i;
963: struct sockaddr_in sin;
964: char *host, *originator_string;
965: struct hostent *hp;
966: int host_len, originator_len;
967:
968: /* Get remote channel number. */
969: remote_channel = packet_get_int();
970:
971: /* Get host name to connect to. */
972: host = packet_get_string(&host_len);
973:
974: /* Get port to connect to. */
975: host_port = packet_get_int();
976:
977: /* Get remote originator name. */
978: if (have_hostname_in_open)
979: originator_string = packet_get_string(&originator_len);
980: else
981: originator_string = xstrdup("unknown (remote did not supply name)");
982:
983: packet_integrity_check(payload_len,
984: 4 + 4 + host_len + 4 + 4 + originator_len,
985: SSH_MSG_PORT_OPEN);
986:
987: /* Check if opening that port is permitted. */
988: if (!all_opens_permitted)
989: {
990: /* Go trough all permitted ports. */
991: for (i = 0; i < num_permitted_opens; i++)
992: if (permitted_opens[i].port == host_port &&
993: strcmp(permitted_opens[i].host, host) == 0)
994: break;
995:
996: /* Check if we found the requested port among those permitted. */
997: if (i >= num_permitted_opens)
998: {
999: /* The port is not permitted. */
1000: log("Received request to connect to %.100s:%d, but the request was denied.",
1001: host, host_port);
1002: packet_start(SSH_MSG_CHANNEL_OPEN_FAILURE);
1003: packet_put_int(remote_channel);
1004: packet_send();
1005: }
1006: }
1007:
1008: memset(&sin, 0, sizeof(sin));
1009: sin.sin_addr.s_addr = inet_addr(host);
1010: if ((sin.sin_addr.s_addr & 0xffffffff) != 0xffffffff)
1011: {
1012: /* It was a valid numeric host address. */
1013: sin.sin_family = AF_INET;
1014: }
1015: else
1016: {
1017: /* Look up the host address from the name servers. */
1018: hp = gethostbyname(host);
1019: if (!hp)
1020: {
1021: error("%.100s: unknown host.", host);
1022: goto fail;
1023: }
1024: if (!hp->h_addr_list[0])
1025: {
1026: error("%.100s: host has no IP address.", host);
1027: goto fail;
1028: }
1029: sin.sin_family = hp->h_addrtype;
1030: memcpy(&sin.sin_addr, hp->h_addr_list[0],
1031: sizeof(sin.sin_addr));
1032: }
1033: sin.sin_port = htons(host_port);
1034:
1035: /* Create the socket. */
1036: sock = socket(sin.sin_family, SOCK_STREAM, 0);
1037: if (sock < 0)
1038: {
1039: error("socket: %.100s", strerror(errno));
1040: goto fail;
1041: }
1042:
1043: /* Connect to the host/port. */
1044: if (connect(sock, (struct sockaddr *)&sin, sizeof(sin)) < 0)
1045: {
1046: error("connect %.100s:%d: %.100s", host, host_port,
1047: strerror(errno));
1048: close(sock);
1049: goto fail;
1050: }
1051:
1052: /* Successful connection. */
1053:
1054: /* Allocate a channel for this connection. */
1055: newch = channel_allocate(SSH_CHANNEL_OPEN, sock, originator_string);
1056: channels[newch].remote_id = remote_channel;
1057:
1058: /* Send a confirmation to the remote host. */
1059: packet_start(SSH_MSG_CHANNEL_OPEN_CONFIRMATION);
1060: packet_put_int(remote_channel);
1061: packet_put_int(newch);
1062: packet_send();
1063:
1064: /* Free the argument string. */
1065: xfree(host);
1066:
1067: return;
1068:
1069: fail:
1070: /* Free the argument string. */
1071: xfree(host);
1072:
1073: /* Send refusal to the remote host. */
1074: packet_start(SSH_MSG_CHANNEL_OPEN_FAILURE);
1075: packet_put_int(remote_channel);
1076: packet_send();
1077: }
1078:
1079: /* Creates an internet domain socket for listening for X11 connections.
1080: Returns a suitable value for the DISPLAY variable, or NULL if an error
1081: occurs. */
1082:
1083: char *x11_create_display_inet(int screen_number)
1084: {
1.3 deraadt 1085: extern ServerOptions options;
1.1 deraadt 1086: int display_number, port, sock;
1087: struct sockaddr_in sin;
1088: char buf[512];
1.6 deraadt 1089: char hostname[MAXHOSTNAMELEN];
1.1 deraadt 1090:
1.3 deraadt 1091: for (display_number = options.x11_display_offset; display_number < MAX_DISPLAYS; display_number++)
1.1 deraadt 1092: {
1093: port = 6000 + display_number;
1094: memset(&sin, 0, sizeof(sin));
1095: sin.sin_family = AF_INET;
1.4 deraadt 1096: sin.sin_addr.s_addr = htonl(INADDR_ANY);
1.1 deraadt 1097: sin.sin_port = htons(port);
1098:
1099: sock = socket(AF_INET, SOCK_STREAM, 0);
1100: if (sock < 0)
1101: {
1102: error("socket: %.100s", strerror(errno));
1103: return NULL;
1104: }
1105:
1106: if (bind(sock, (struct sockaddr *)&sin, sizeof(sin)) < 0)
1107: {
1108: debug("bind port %d: %.100s", port, strerror(errno));
1.10 deraadt 1109: shutdown(sock, SHUT_RDWR);
1.1 deraadt 1110: close(sock);
1111: continue;
1112: }
1113: break;
1114: }
1115: if (display_number >= MAX_DISPLAYS)
1116: {
1117: error("Failed to allocate internet-domain X11 display socket.");
1118: return NULL;
1119: }
1120:
1121: /* Start listening for connections on the socket. */
1122: if (listen(sock, 5) < 0)
1123: {
1124: error("listen: %.100s", strerror(errno));
1.10 deraadt 1125: shutdown(sock, SHUT_RDWR);
1.1 deraadt 1126: close(sock);
1127: return NULL;
1128: }
1129:
1130: /* Set up a suitable value for the DISPLAY variable. */
1131: if (gethostname(hostname, sizeof(hostname)) < 0)
1132: fatal("gethostname: %.100s", strerror(errno));
1.6 deraadt 1133: snprintf(buf, sizeof buf, "%.400s:%d.%d", hostname,
1134: display_number, screen_number);
1.1 deraadt 1135:
1136: /* Allocate a channel for the socket. */
1137: (void)channel_allocate(SSH_CHANNEL_X11_LISTENER, sock,
1138: xstrdup("X11 inet listener"));
1139:
1140: /* Return a suitable value for the DISPLAY environment variable. */
1141: return xstrdup(buf);
1142: }
1143:
1144: #ifndef X_UNIX_PATH
1145: #define X_UNIX_PATH "/tmp/.X11-unix/X"
1146: #endif
1147:
1148: static
1149: int
1150: connect_local_xsocket(unsigned dnr)
1151: {
1152: static const char *const x_sockets[] = {
1153: X_UNIX_PATH "%u",
1154: "/var/X/.X11-unix/X" "%u",
1155: "/usr/spool/sockets/X11/" "%u",
1156: NULL
1157: };
1158: int sock;
1159: struct sockaddr_un addr;
1160: const char *const *path;
1161:
1162: for (path = x_sockets; *path; ++path)
1163: {
1164: sock = socket(AF_UNIX, SOCK_STREAM, 0);
1165: if (sock < 0)
1166: error("socket: %.100s", strerror(errno));
1167: memset(&addr, 0, sizeof(addr));
1168: addr.sun_family = AF_UNIX;
1.15 deraadt 1169: snprintf(addr.sun_path, sizeof addr.sun_path, *path, dnr);
1.1 deraadt 1170: if (connect(sock, (struct sockaddr *)&addr, sizeof(addr)) == 0)
1171: return sock;
1172: close(sock);
1173: }
1174: error("connect %.100s: %.100s", addr.sun_path, strerror(errno));
1175: return -1;
1176: }
1177:
1178:
1179: /* This is called when SSH_SMSG_X11_OPEN is received. The packet contains
1180: the remote channel number. We should do whatever we want, and respond
1181: with either SSH_MSG_OPEN_CONFIRMATION or SSH_MSG_OPEN_FAILURE. */
1182:
1183: void x11_input_open(int payload_len)
1184: {
1185: int remote_channel, display_number, sock, newch;
1186: const char *display;
1187: struct sockaddr_in sin;
1188: char buf[1024], *cp, *remote_host;
1189: struct hostent *hp;
1190: int remote_len;
1191:
1192: /* Get remote channel number. */
1193: remote_channel = packet_get_int();
1194:
1195: /* Get remote originator name. */
1196: if (have_hostname_in_open)
1197: remote_host = packet_get_string(&remote_len);
1198: else
1199: remote_host = xstrdup("unknown (remote did not supply name)");
1200:
1201: debug("Received X11 open request.");
1202: packet_integrity_check(payload_len, 4 + 4+remote_len, SSH_SMSG_X11_OPEN);
1203:
1204: /* Try to open a socket for the local X server. */
1205: display = getenv("DISPLAY");
1206: if (!display)
1207: {
1208: error("DISPLAY not set.");
1209: goto fail;
1210: }
1211:
1212: /* Now we decode the value of the DISPLAY variable and make a connection
1213: to the real X server. */
1214:
1215: /* Check if it is a unix domain socket. Unix domain displays are in one
1216: of the following formats: unix:d[.s], :d[.s], ::d[.s] */
1217: if (strncmp(display, "unix:", 5) == 0 ||
1218: display[0] == ':')
1219: {
1220: /* Connect to the unix domain socket. */
1221: if (sscanf(strrchr(display, ':') + 1, "%d", &display_number) != 1)
1222: {
1223: error("Could not parse display number from DISPLAY: %.100s",
1224: display);
1225: goto fail;
1226: }
1227: /* Create a socket. */
1228: sock = connect_local_xsocket(display_number);
1229: if (sock < 0)
1230: goto fail;
1231:
1232: /* OK, we now have a connection to the display. */
1233: goto success;
1234: }
1235:
1236: /* Connect to an inet socket. The DISPLAY value is supposedly
1237: hostname:d[.s], where hostname may also be numeric IP address. */
1238: strncpy(buf, display, sizeof(buf));
1239: buf[sizeof(buf) - 1] = 0;
1240: cp = strchr(buf, ':');
1241: if (!cp)
1242: {
1243: error("Could not find ':' in DISPLAY: %.100s", display);
1244: goto fail;
1245: }
1246: *cp = 0;
1247: /* buf now contains the host name. But first we parse the display number. */
1248: if (sscanf(cp + 1, "%d", &display_number) != 1)
1249: {
1250: error("Could not parse display number from DISPLAY: %.100s",
1251: display);
1252: goto fail;
1253: }
1254:
1255: /* Try to parse the host name as a numeric IP address. */
1256: memset(&sin, 0, sizeof(sin));
1257: sin.sin_addr.s_addr = inet_addr(buf);
1258: if ((sin.sin_addr.s_addr & 0xffffffff) != 0xffffffff)
1259: {
1260: /* It was a valid numeric host address. */
1261: sin.sin_family = AF_INET;
1262: }
1263: else
1264: {
1265: /* Not a numeric IP address. */
1266: /* Look up the host address from the name servers. */
1267: hp = gethostbyname(buf);
1268: if (!hp)
1269: {
1270: error("%.100s: unknown host.", buf);
1271: goto fail;
1272: }
1273: if (!hp->h_addr_list[0])
1274: {
1275: error("%.100s: host has no IP address.", buf);
1276: goto fail;
1277: }
1278: sin.sin_family = hp->h_addrtype;
1279: memcpy(&sin.sin_addr, hp->h_addr_list[0],
1280: sizeof(sin.sin_addr));
1281: }
1282: /* Set port number. */
1283: sin.sin_port = htons(6000 + display_number);
1284:
1285: /* Create a socket. */
1286: sock = socket(sin.sin_family, SOCK_STREAM, 0);
1287: if (sock < 0)
1288: {
1289: error("socket: %.100s", strerror(errno));
1290: goto fail;
1291: }
1292: /* Connect it to the display. */
1293: if (connect(sock, (struct sockaddr *)&sin, sizeof(sin)) < 0)
1294: {
1295: error("connect %.100s:%d: %.100s", buf, 6000 + display_number,
1296: strerror(errno));
1297: close(sock);
1298: goto fail;
1299: }
1300:
1301: success:
1302: /* We have successfully obtained a connection to the real X display. */
1303:
1304: /* Allocate a channel for this connection. */
1305: if (x11_saved_proto == NULL)
1306: newch = channel_allocate(SSH_CHANNEL_OPEN, sock, remote_host);
1307: else
1308: newch = channel_allocate(SSH_CHANNEL_X11_OPEN, sock, remote_host);
1309: channels[newch].remote_id = remote_channel;
1310:
1311: /* Send a confirmation to the remote host. */
1312: packet_start(SSH_MSG_CHANNEL_OPEN_CONFIRMATION);
1313: packet_put_int(remote_channel);
1314: packet_put_int(newch);
1315: packet_send();
1316:
1317: return;
1318:
1319: fail:
1320: /* Send refusal to the remote host. */
1321: packet_start(SSH_MSG_CHANNEL_OPEN_FAILURE);
1322: packet_put_int(remote_channel);
1323: packet_send();
1324: }
1325:
1326: /* Requests forwarding of X11 connections, generates fake authentication
1327: data, and enables authentication spoofing. */
1328:
1.2 provos 1329: void x11_request_forwarding_with_spoofing(const char *proto, const char *data)
1.1 deraadt 1330: {
1331: unsigned int data_len = (unsigned int)strlen(data) / 2;
1332: unsigned int i, value;
1333: char *new_data;
1334: int screen_number;
1335: const char *cp;
1.5 dugsong 1336: u_int32_t rand = 0;
1.1 deraadt 1337:
1338: cp = getenv("DISPLAY");
1339: if (cp)
1340: cp = strchr(cp, ':');
1341: if (cp)
1342: cp = strchr(cp, '.');
1343: if (cp)
1344: screen_number = atoi(cp + 1);
1345: else
1346: screen_number = 0;
1347:
1348: /* Save protocol name. */
1349: x11_saved_proto = xstrdup(proto);
1350:
1351: /* Extract real authentication data and generate fake data of the same
1352: length. */
1353: x11_saved_data = xmalloc(data_len);
1354: x11_fake_data = xmalloc(data_len);
1355: for (i = 0; i < data_len; i++)
1356: {
1357: if (sscanf(data + 2 * i, "%2x", &value) != 1)
1358: fatal("x11_request_forwarding: bad authentication data: %.100s", data);
1.2 provos 1359: if (i % 4 == 0)
1360: rand = arc4random();
1.1 deraadt 1361: x11_saved_data[i] = value;
1.2 provos 1362: x11_fake_data[i] = rand & 0xff;
1363: rand >>= 8;
1.1 deraadt 1364: }
1365: x11_saved_data_len = data_len;
1366: x11_fake_data_len = data_len;
1367:
1368: /* Convert the fake data into hex. */
1369: new_data = xmalloc(2 * data_len + 1);
1370: for (i = 0; i < data_len; i++)
1371: sprintf(new_data + 2 * i, "%02x", (unsigned char)x11_fake_data[i]);
1372:
1373: /* Send the request packet. */
1374: packet_start(SSH_CMSG_X11_REQUEST_FORWARDING);
1375: packet_put_string(proto, strlen(proto));
1376: packet_put_string(new_data, strlen(new_data));
1377: packet_put_int(screen_number);
1378: packet_send();
1379: packet_write_wait();
1380: xfree(new_data);
1381: }
1382:
1383: /* Sends a message to the server to request authentication fd forwarding. */
1384:
1385: void auth_request_forwarding()
1386: {
1387: packet_start(SSH_CMSG_AGENT_REQUEST_FORWARDING);
1388: packet_send();
1389: packet_write_wait();
1390: }
1391:
1392: /* Returns the name of the forwarded authentication socket. Returns NULL
1393: if there is no forwarded authentication socket. The returned value
1394: points to a static buffer. */
1395:
1396: char *auth_get_socket_name()
1397: {
1398: return channel_forwarded_auth_socket_name;
1399: }
1400:
1.12 markus 1401: /* removes the agent forwarding socket */
1402:
1403: void cleanup_socket(void) {
1404: remove(channel_forwarded_auth_socket_name);
1405: rmdir(channel_forwarded_auth_socket_dir);
1406: }
1407:
1.1 deraadt 1408: /* This if called to process SSH_CMSG_AGENT_REQUEST_FORWARDING on the server.
1409: This starts forwarding authentication requests. */
1410:
1411: void auth_input_request_forwarding(struct passwd *pw)
1412: {
1.11 markus 1413: int sock, newch;
1414: struct sockaddr_un sunaddr;
1.1 deraadt 1415:
1.11 markus 1416: if (auth_get_socket_name() != NULL)
1417: fatal("Protocol error: authentication forwarding requested twice.");
1418:
1.12 markus 1419: /* Temporarily drop privileged uid for mkdir/bind. */
1420: temporarily_use_uid(pw->pw_uid);
1421:
1.11 markus 1422: /* Allocate a buffer for the socket name, and format the name. */
1.12 markus 1423: channel_forwarded_auth_socket_name = xmalloc(MAX_SOCKET_NAME);
1424: channel_forwarded_auth_socket_dir = xmalloc(MAX_SOCKET_NAME);
1425: strlcpy(channel_forwarded_auth_socket_dir, "/tmp/ssh-XXXXXXXX", MAX_SOCKET_NAME);
1426:
1427: /* Create private directory for socket */
1428: if (mkdtemp(channel_forwarded_auth_socket_dir) == NULL)
1429: packet_disconnect("mkdtemp: %.100s", strerror(errno));
1430: snprintf(channel_forwarded_auth_socket_name, MAX_SOCKET_NAME,
1431: "%s/agent.%d", channel_forwarded_auth_socket_dir, (int)getpid());
1432:
1433: if (atexit(cleanup_socket) < 0) {
1434: int saved=errno;
1435: cleanup_socket();
1436: packet_disconnect("socket: %.100s", strerror(saved));
1437: }
1.1 deraadt 1438:
1.11 markus 1439: /* Create the socket. */
1440: sock = socket(AF_UNIX, SOCK_STREAM, 0);
1441: if (sock < 0)
1442: packet_disconnect("socket: %.100s", strerror(errno));
1.1 deraadt 1443:
1.11 markus 1444: /* Bind it to the name. */
1445: memset(&sunaddr, 0, sizeof(sunaddr));
1446: sunaddr.sun_family = AF_UNIX;
1447: strncpy(sunaddr.sun_path, channel_forwarded_auth_socket_name,
1448: sizeof(sunaddr.sun_path));
1.1 deraadt 1449:
1.11 markus 1450: if (bind(sock, (struct sockaddr *)&sunaddr, sizeof(sunaddr)) < 0)
1451: packet_disconnect("bind: %.100s", strerror(errno));
1.1 deraadt 1452:
1.11 markus 1453: /* Restore the privileged uid. */
1454: restore_uid();
1.1 deraadt 1455:
1.11 markus 1456: /* Start listening on the socket. */
1457: if (listen(sock, 5) < 0)
1458: packet_disconnect("listen: %.100s", strerror(errno));
1.1 deraadt 1459:
1.11 markus 1460: /* Allocate a channel for the authentication agent socket. */
1461: newch = channel_allocate(SSH_CHANNEL_AUTH_SOCKET, sock,
1462: xstrdup("auth socket"));
1463: strcpy(channels[newch].path, channel_forwarded_auth_socket_name);
1.1 deraadt 1464: }
1465:
1466: /* This is called to process an SSH_SMSG_AGENT_OPEN message. */
1467:
1468: void auth_input_open_request()
1469: {
1.13 markus 1470: int remch, sock, newch;
1.1 deraadt 1471: char *dummyname;
1472:
1.13 markus 1473: /* Read the remote channel number from the message. */
1474: remch = packet_get_int();
1.1 deraadt 1475:
1476: /* Get a connection to the local authentication agent (this may again get
1477: forwarded). */
1.13 markus 1478: sock = ssh_get_authentication_socket();
1.1 deraadt 1479:
1.13 markus 1480: /* If we could not connect the agent, send an error message back to
1481: the server. This should never happen unless the agent
1.1 deraadt 1482: dies, because authentication forwarding is only enabled if we have an
1483: agent. */
1.13 markus 1484: if (sock < 0){
1485: packet_start(SSH_MSG_CHANNEL_OPEN_FAILURE);
1486: packet_put_int(remch);
1487: packet_send();
1.1 deraadt 1488: return;
1.13 markus 1489: }
1.1 deraadt 1490:
1491: debug("Forwarding authentication connection.");
1492:
1493: /* Dummy host name. This will be freed when the channel is freed; it will
1494: still be valid in the packet_put_string below since the channel cannot
1495: yet be freed at that point. */
1496: dummyname = xstrdup("authentication agent connection");
1497:
1.13 markus 1498: newch = channel_allocate(SSH_CHANNEL_OPEN, sock, dummyname);
1499: channels[newch].remote_id = remch;
1500:
1501: /* Send a confirmation to the remote host. */
1502: packet_start(SSH_MSG_CHANNEL_OPEN_CONFIRMATION);
1503: packet_put_int(remch);
1.1 deraadt 1504: packet_put_int(newch);
1505: packet_send();
1506: }