Annotation of src/usr.bin/ssh/channels.c, Revision 1.23
1.1 deraadt 1: /*
2:
3: channels.c
4:
5: Author: Tatu Ylonen <ylo@cs.hut.fi>
6:
7: Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
8: All rights reserved
9:
10: Created: Fri Mar 24 16:35:24 1995 ylo
11:
12: This file contains functions for generic socket connection forwarding.
13: There is also code for initiating connection forwarding for X11 connections,
14: arbitrary tcp/ip connections, and the authentication agent connection.
15:
16: */
17:
18: #include "includes.h"
1.23 ! markus 19: RCSID("$Id: channels.c,v 1.22 1999/11/19 19:18:20 deraadt Exp $");
1.1 deraadt 20:
21: #include "ssh.h"
22: #include "packet.h"
23: #include "xmalloc.h"
24: #include "buffer.h"
25: #include "authfd.h"
26: #include "uidswap.h"
1.20 markus 27: #include "readconf.h"
1.3 deraadt 28: #include "servconf.h"
1.1 deraadt 29:
1.14 markus 30: #include "channels.h"
31: #include "nchan.h"
32: #include "compat.h"
33:
1.1 deraadt 34: /* Maximum number of fake X11 displays to try. */
35: #define MAX_DISPLAYS 1000
36:
1.12 markus 37: /* Max len of agent socket */
38: #define MAX_SOCKET_NAME 100
39:
1.1 deraadt 40: /* Pointer to an array containing all allocated channels. The array is
41: dynamically extended as needed. */
42: static Channel *channels = NULL;
43:
44: /* Size of the channel array. All slots of the array must always be
45: initialized (at least the type field); unused slots are marked with
46: type SSH_CHANNEL_FREE. */
47: static int channels_alloc = 0;
48:
49: /* Maximum file descriptor value used in any of the channels. This is updated
50: in channel_allocate. */
51: static int channel_max_fd_value = 0;
52:
1.12 markus 53: /* Name and directory of socket for authentication agent forwarding. */
1.1 deraadt 54: static char *channel_forwarded_auth_socket_name = NULL;
1.12 markus 55: static char *channel_forwarded_auth_socket_dir = NULL;
1.1 deraadt 56:
57: /* Saved X11 authentication protocol name. */
58: char *x11_saved_proto = NULL;
59:
60: /* Saved X11 authentication data. This is the real data. */
61: char *x11_saved_data = NULL;
62: unsigned int x11_saved_data_len = 0;
63:
64: /* Fake X11 authentication data. This is what the server will be sending
65: us; we should replace any occurrences of this by the real data. */
66: char *x11_fake_data = NULL;
67: unsigned int x11_fake_data_len;
68:
69: /* Data structure for storing which hosts are permitted for forward requests.
70: The local sides of any remote forwards are stored in this array to prevent
71: a corrupt remote server from accessing arbitrary TCP/IP ports on our
72: local network (which might be behind a firewall). */
73: typedef struct
74: {
75: char *host; /* Host name. */
76: int port; /* Port number. */
77: } ForwardPermission;
78:
79: /* List of all permitted host/port pairs to connect. */
80: static ForwardPermission permitted_opens[SSH_MAX_FORWARDS_PER_DIRECTION];
81: /* Number of permitted host/port pairs in the array. */
82: static int num_permitted_opens = 0;
83: /* If this is true, all opens are permitted. This is the case on the
84: server on which we have to trust the client anyway, and the user could
85: do anything after logging in anyway. */
86: static int all_opens_permitted = 0;
87:
88: /* This is set to true if both sides support SSH_PROTOFLAG_HOST_IN_FWD_OPEN. */
89: static int have_hostname_in_open = 0;
90:
91: /* Sets specific protocol options. */
92:
93: void channel_set_options(int hostname_in_open)
94: {
95: have_hostname_in_open = hostname_in_open;
96: }
97:
98: /* Permits opening to any host/port in SSH_MSG_PORT_OPEN. This is usually
99: called by the server, because the user could connect to any port anyway,
100: and the server has no way to know but to trust the client anyway. */
101:
102: void channel_permit_all_opens()
103: {
104: all_opens_permitted = 1;
105: }
106:
107: /* Allocate a new channel object and set its type and socket.
108: This will cause remote_name to be freed. */
109:
110: int channel_allocate(int type, int sock, char *remote_name)
111: {
1.17 markus 112: int i, found;
113: Channel *c;
1.1 deraadt 114:
115: /* Update the maximum file descriptor value. */
116: if (sock > channel_max_fd_value)
117: channel_max_fd_value = sock;
118:
119: /* Do initial allocation if this is the first call. */
120: if (channels_alloc == 0)
121: {
122: channels_alloc = 10;
123: channels = xmalloc(channels_alloc * sizeof(Channel));
124: for (i = 0; i < channels_alloc; i++)
125: channels[i].type = SSH_CHANNEL_FREE;
126:
127: /* Kludge: arrange a call to channel_stop_listening if we terminate
128: with fatal(). */
129: fatal_add_cleanup((void (*)(void *))channel_stop_listening, NULL);
130: }
131:
132: /* Try to find a free slot where to put the new channel. */
1.17 markus 133: for (found = -1, i = 0; i < channels_alloc; i++)
1.1 deraadt 134: if (channels[i].type == SSH_CHANNEL_FREE)
135: {
1.17 markus 136: /* Found a free slot. */
137: found = i;
138: break;
1.1 deraadt 139: }
140:
1.17 markus 141: if (found == -1)
142: {
143: /* There are no free slots. Take last+1 slot and expand the array. */
144: found = channels_alloc;
145: channels_alloc += 10;
146: debug("channel: expanding %d", channels_alloc);
147: channels = xrealloc(channels, channels_alloc * sizeof(Channel));
148: for (i = found; i < channels_alloc; i++)
149: channels[i].type = SSH_CHANNEL_FREE;
150: }
151:
152: /* Initialize and return new channel number. */
153: c=&channels[found];
154: buffer_init(&c->input);
155: buffer_init(&c->output);
156: chan_init_iostates(c);
157: c->self = found;
158: c->type = type;
159: c->sock = sock;
160: c->remote_id = -1;
161: c->remote_name = remote_name;
162: debug("channel %d: new [%s]", found, remote_name);
163: return found;
1.1 deraadt 164: }
165:
166: /* Free the channel and close its socket. */
167:
168: void channel_free(int channel)
169: {
1.19 markus 170: if (channel < 0 || channel >= channels_alloc ||
171: channels[channel].type == SSH_CHANNEL_FREE)
172: packet_disconnect("channel free: bad local channel %d", channel);
173:
1.14 markus 174: if(compat13)
175: shutdown(channels[channel].sock, SHUT_RDWR);
1.1 deraadt 176: close(channels[channel].sock);
177: buffer_free(&channels[channel].input);
178: buffer_free(&channels[channel].output);
179: channels[channel].type = SSH_CHANNEL_FREE;
180: if (channels[channel].remote_name)
181: {
182: xfree(channels[channel].remote_name);
183: channels[channel].remote_name = NULL;
184: }
185: }
186:
187: /* This is called just before select() to add any bits relevant to
188: channels in the select bitmasks. */
189:
190: void channel_prepare_select(fd_set *readset, fd_set *writeset)
191: {
192: int i;
193: Channel *ch;
194: unsigned char *ucp;
195: unsigned int proto_len, data_len;
196:
197: for (i = 0; i < channels_alloc; i++)
198: {
199: ch = &channels[i];
200: redo:
201: switch (ch->type)
202: {
203: case SSH_CHANNEL_X11_LISTENER:
204: case SSH_CHANNEL_PORT_LISTENER:
205: case SSH_CHANNEL_AUTH_SOCKET:
206: FD_SET(ch->sock, readset);
207: break;
208:
209: case SSH_CHANNEL_OPEN:
1.14 markus 210: if(compat13){
1.23 ! markus 211: if (buffer_len(&ch->input) < packet_get_maxsize())
1.14 markus 212: FD_SET(ch->sock, readset);
213: if (buffer_len(&ch->output) > 0)
214: FD_SET(ch->sock, writeset);
215: break;
216: }
217: /* test whether sockets are 'alive' for read/write */
1.16 markus 218: if (ch->istate == CHAN_INPUT_OPEN)
1.23 ! markus 219: if (buffer_len(&ch->input) < packet_get_maxsize())
1.14 markus 220: FD_SET(ch->sock, readset);
1.16 markus 221: if (ch->ostate == CHAN_OUTPUT_OPEN || ch->ostate == CHAN_OUTPUT_WAIT_DRAIN){
1.14 markus 222: if (buffer_len(&ch->output) > 0){
223: FD_SET(ch->sock, writeset);
1.16 markus 224: }else if(ch->ostate == CHAN_OUTPUT_WAIT_DRAIN) {
225: chan_obuf_empty(ch);
1.14 markus 226: }
227: }
228: break;
1.1 deraadt 229:
230: case SSH_CHANNEL_INPUT_DRAINING:
1.14 markus 231: if (!compat13)
232: fatal("cannot happen: IN_DRAIN");
1.1 deraadt 233: if (buffer_len(&ch->input) == 0)
234: {
235: packet_start(SSH_MSG_CHANNEL_CLOSE);
236: packet_put_int(ch->remote_id);
237: packet_send();
238: ch->type = SSH_CHANNEL_CLOSED;
239: debug("Closing channel %d after input drain.", i);
240: break;
241: }
242: break;
243:
244: case SSH_CHANNEL_OUTPUT_DRAINING:
1.14 markus 245: if (!compat13)
246: fatal("cannot happen: OUT_DRAIN");
1.1 deraadt 247: if (buffer_len(&ch->output) == 0)
248: {
249: /* debug("Freeing channel %d after output drain.", i); */
250: channel_free(i);
251: break;
252: }
253: FD_SET(ch->sock, writeset);
254: break;
255:
256: case SSH_CHANNEL_X11_OPEN:
257: /* This is a special state for X11 authentication spoofing. An
258: opened X11 connection (when authentication spoofing is being
259: done) remains in this state until the first packet has been
260: completely read. The authentication data in that packet is
261: then substituted by the real data if it matches the fake data,
262: and the channel is put into normal mode. */
263:
264: /* Check if the fixed size part of the packet is in buffer. */
265: if (buffer_len(&ch->output) < 12)
266: break;
267:
268: /* Parse the lengths of variable-length fields. */
269: ucp = (unsigned char *)buffer_ptr(&ch->output);
270: if (ucp[0] == 0x42)
271: { /* Byte order MSB first. */
272: proto_len = 256 * ucp[6] + ucp[7];
273: data_len = 256 * ucp[8] + ucp[9];
274: }
275: else
276: if (ucp[0] == 0x6c)
277: { /* Byte order LSB first. */
278: proto_len = ucp[6] + 256 * ucp[7];
279: data_len = ucp[8] + 256 * ucp[9];
280: }
281: else
282: {
283: debug("Initial X11 packet contains bad byte order byte: 0x%x",
284: ucp[0]);
285: ch->type = SSH_CHANNEL_OPEN;
286: goto reject;
287: }
288:
289: /* Check if the whole packet is in buffer. */
290: if (buffer_len(&ch->output) <
291: 12 + ((proto_len + 3) & ~3) + ((data_len + 3) & ~3))
292: break;
293:
294: /* Check if authentication protocol matches. */
295: if (proto_len != strlen(x11_saved_proto) ||
296: memcmp(ucp + 12, x11_saved_proto, proto_len) != 0)
297: {
298: debug("X11 connection uses different authentication protocol.");
299: ch->type = SSH_CHANNEL_OPEN;
300: goto reject;
301: }
302:
303: /* Check if authentication data matches our fake data. */
304: if (data_len != x11_fake_data_len ||
305: memcmp(ucp + 12 + ((proto_len + 3) & ~3),
306: x11_fake_data, x11_fake_data_len) != 0)
307: {
308: debug("X11 auth data does not match fake data.");
309: ch->type = SSH_CHANNEL_OPEN;
310: goto reject;
311: }
312:
1.19 markus 313: /* Check fake data length */
314: if (x11_fake_data_len != x11_saved_data_len)
315: {
316: error("X11 fake_data_len %d != saved_data_len %d",
317: x11_fake_data_len, x11_saved_data_len);
318: ch->type = SSH_CHANNEL_OPEN;
319: goto reject;
320: }
321:
1.1 deraadt 322: /* Received authentication protocol and data match our fake data.
323: Substitute the fake data with real data. */
324: memcpy(ucp + 12 + ((proto_len + 3) & ~3),
325: x11_saved_data, x11_saved_data_len);
326:
327: /* Start normal processing for the channel. */
328: ch->type = SSH_CHANNEL_OPEN;
329: goto redo;
330:
331: reject:
332: /* We have received an X11 connection that has bad authentication
333: information. */
334: log("X11 connection rejected because of wrong authentication.\r\n");
335: buffer_clear(&ch->input);
336: buffer_clear(&ch->output);
1.14 markus 337: if (compat13) {
338: close(ch->sock);
339: ch->sock = -1;
340: ch->type = SSH_CHANNEL_CLOSED;
341: packet_start(SSH_MSG_CHANNEL_CLOSE);
342: packet_put_int(ch->remote_id);
343: packet_send();
344: }else{
1.17 markus 345: debug("X11 rejected %d i%d/o%d", ch->self, ch->istate, ch->ostate);
1.16 markus 346: chan_read_failed(ch);
347: chan_write_failed(ch);
1.17 markus 348: debug("X11 rejected %d i%d/o%d", ch->self, ch->istate, ch->ostate);
1.14 markus 349: }
1.1 deraadt 350: break;
351:
352: case SSH_CHANNEL_FREE:
353: default:
354: continue;
355: }
356: }
357: }
358:
359: /* After select, perform any appropriate operations for channels which
360: have events pending. */
361:
362: void channel_after_select(fd_set *readset, fd_set *writeset)
363: {
364: struct sockaddr addr;
1.13 markus 365: int addrlen, newsock, i, newch, len;
1.1 deraadt 366: Channel *ch;
367: char buf[16384], *remote_hostname;
368:
369: /* Loop over all channels... */
370: for (i = 0; i < channels_alloc; i++)
371: {
372: ch = &channels[i];
373: switch (ch->type)
374: {
375: case SSH_CHANNEL_X11_LISTENER:
376: /* This is our fake X11 server socket. */
377: if (FD_ISSET(ch->sock, readset))
378: {
379: debug("X11 connection requested.");
380: addrlen = sizeof(addr);
381: newsock = accept(ch->sock, &addr, &addrlen);
382: if (newsock < 0)
383: {
384: error("accept: %.100s", strerror(errno));
385: break;
386: }
387: remote_hostname = get_remote_hostname(newsock);
1.15 deraadt 388: snprintf(buf, sizeof buf, "X11 connection from %.200s port %d",
1.1 deraadt 389: remote_hostname, get_peer_port(newsock));
390: xfree(remote_hostname);
391: newch = channel_allocate(SSH_CHANNEL_OPENING, newsock,
392: xstrdup(buf));
393: packet_start(SSH_SMSG_X11_OPEN);
394: packet_put_int(newch);
395: if (have_hostname_in_open)
396: packet_put_string(buf, strlen(buf));
397: packet_send();
398: }
399: break;
400:
401: case SSH_CHANNEL_PORT_LISTENER:
402: /* This socket is listening for connections to a forwarded TCP/IP
403: port. */
404: if (FD_ISSET(ch->sock, readset))
405: {
406: debug("Connection to port %d forwarding to %.100s:%d requested.",
407: ch->listening_port, ch->path, ch->host_port);
408: addrlen = sizeof(addr);
409: newsock = accept(ch->sock, &addr, &addrlen);
410: if (newsock < 0)
411: {
412: error("accept: %.100s", strerror(errno));
413: break;
414: }
415: remote_hostname = get_remote_hostname(newsock);
1.17 markus 416: snprintf(buf, sizeof buf, "listen port %d:%.100s:%d, connect from %.200s:%d",
417: ch->listening_port, ch->path, ch->host_port,
418: remote_hostname, get_peer_port(newsock));
1.1 deraadt 419: xfree(remote_hostname);
420: newch = channel_allocate(SSH_CHANNEL_OPENING, newsock,
421: xstrdup(buf));
422: packet_start(SSH_MSG_PORT_OPEN);
423: packet_put_int(newch);
424: packet_put_string(ch->path, strlen(ch->path));
425: packet_put_int(ch->host_port);
426: if (have_hostname_in_open)
427: packet_put_string(buf, strlen(buf));
428: packet_send();
429: }
430: break;
431:
432: case SSH_CHANNEL_AUTH_SOCKET:
433: /* This is the authentication agent socket listening for connections
434: from clients. */
435: if (FD_ISSET(ch->sock, readset))
436: {
1.13 markus 437: int nchan;
1.1 deraadt 438: len = sizeof(addr);
439: newsock = accept(ch->sock, &addr, &len);
440: if (newsock < 0)
1.13 markus 441: {
442: error("accept from auth socket: %.100s", strerror(errno));
443: break;
444: }
445:
446: nchan = channel_allocate(SSH_CHANNEL_OPENING, newsock,
1.1 deraadt 447: xstrdup("accepted auth socket"));
1.13 markus 448: packet_start(SSH_SMSG_AGENT_OPEN);
449: packet_put_int(nchan);
450: packet_send();
1.1 deraadt 451: }
452: break;
453:
454: case SSH_CHANNEL_OPEN:
455: /* This is an open two-way communication channel. It is not of
456: interest to us at this point what kind of data is being
457: transmitted. */
1.14 markus 458:
459: /* Read available incoming data and append it to buffer;
460: shutdown socket, if read or write failes */
1.1 deraadt 461: if (FD_ISSET(ch->sock, readset))
462: {
463: len = read(ch->sock, buf, sizeof(buf));
464: if (len <= 0)
465: {
1.14 markus 466: if (compat13) {
467: buffer_consume(&ch->output, buffer_len(&ch->output));
468: ch->type = SSH_CHANNEL_INPUT_DRAINING;
469: debug("Channel %d status set to input draining.", i);
470: }else{
1.16 markus 471: chan_read_failed(ch);
1.14 markus 472: }
1.1 deraadt 473: break;
474: }
475: buffer_append(&ch->input, buf, len);
476: }
477: /* Send buffered output data to the socket. */
478: if (FD_ISSET(ch->sock, writeset) && buffer_len(&ch->output) > 0)
479: {
480: len = write(ch->sock, buffer_ptr(&ch->output),
481: buffer_len(&ch->output));
482: if (len <= 0)
483: {
1.14 markus 484: if (compat13) {
485: buffer_consume(&ch->output, buffer_len(&ch->output));
486: debug("Channel %d status set to input draining.", i);
487: ch->type = SSH_CHANNEL_INPUT_DRAINING;
488: }else{
1.16 markus 489: chan_write_failed(ch);
1.14 markus 490: }
1.1 deraadt 491: break;
492: }
493: buffer_consume(&ch->output, len);
494: }
495: break;
496:
497: case SSH_CHANNEL_OUTPUT_DRAINING:
1.14 markus 498: if (!compat13)
499: fatal("cannot happen: OUT_DRAIN");
1.1 deraadt 500: /* Send buffered output data to the socket. */
501: if (FD_ISSET(ch->sock, writeset) && buffer_len(&ch->output) > 0)
502: {
503: len = write(ch->sock, buffer_ptr(&ch->output),
504: buffer_len(&ch->output));
505: if (len <= 0)
506: buffer_consume(&ch->output, buffer_len(&ch->output));
507: else
508: buffer_consume(&ch->output, len);
509: }
510: break;
511:
512: case SSH_CHANNEL_X11_OPEN:
513: case SSH_CHANNEL_FREE:
514: default:
515: continue;
516: }
517: }
518: }
519:
520: /* If there is data to send to the connection, send some of it now. */
521:
522: void channel_output_poll()
523: {
524: int len, i;
525: Channel *ch;
526:
527: for (i = 0; i < channels_alloc; i++)
528: {
529: ch = &channels[i];
530: /* We are only interested in channels that can have buffered incoming
531: data. */
532: if (ch->type != SSH_CHANNEL_OPEN &&
533: ch->type != SSH_CHANNEL_INPUT_DRAINING)
534: continue;
535:
536: /* Get the amount of buffered data for this channel. */
537: len = buffer_len(&ch->input);
538: if (len > 0)
539: {
540: /* Send some data for the other side over the secure connection. */
541: if (packet_is_interactive())
542: {
543: if (len > 1024)
544: len = 512;
545: }
546: else
547: {
548: if (len > 16384)
549: len = 16384; /* Keep the packets at reasonable size. */
550: }
551: packet_start(SSH_MSG_CHANNEL_DATA);
552: packet_put_int(ch->remote_id);
553: packet_put_string(buffer_ptr(&ch->input), len);
554: packet_send();
555: buffer_consume(&ch->input, len);
556: }
1.16 markus 557: else if(ch->istate == CHAN_INPUT_WAIT_DRAIN)
1.14 markus 558: {
559: if (compat13)
1.16 markus 560: fatal("cannot happen: istate == INPUT_WAIT_DRAIN for proto 1.3");
1.14 markus 561: /* input-buffer is empty and read-socket shutdown:
562: tell peer, that we will not send more data: send IEOF */
1.16 markus 563: chan_ibuf_empty(ch);
1.14 markus 564: }
1.1 deraadt 565: }
566: }
567:
568: /* This is called when a packet of type CHANNEL_DATA has just been received.
569: The message type has already been consumed, but channel number and data
570: is still there. */
571:
572: void channel_input_data(int payload_len)
573: {
574: int channel;
575: char *data;
576: unsigned int data_len;
577:
578: /* Get the channel number and verify it. */
579: channel = packet_get_int();
580: if (channel < 0 || channel >= channels_alloc ||
581: channels[channel].type == SSH_CHANNEL_FREE)
582: packet_disconnect("Received data for nonexistent channel %d.", channel);
583:
584: /* Ignore any data for non-open channels (might happen on close) */
585: if (channels[channel].type != SSH_CHANNEL_OPEN &&
586: channels[channel].type != SSH_CHANNEL_X11_OPEN)
587: return;
588:
589: /* Get the data. */
590: data = packet_get_string(&data_len);
591: packet_integrity_check(payload_len, 4 + 4+data_len, SSH_MSG_CHANNEL_DATA);
592: buffer_append(&channels[channel].output, data, data_len);
593: xfree(data);
594: }
595:
596: /* Returns true if no channel has too much buffered data, and false if
597: one or more channel is overfull. */
598:
599: int channel_not_very_much_buffered_data()
600: {
601: unsigned int i;
602: Channel *ch;
603:
604: for (i = 0; i < channels_alloc; i++)
605: {
606: ch = &channels[i];
1.14 markus 607: switch (ch->type)
1.1 deraadt 608: {
609: case SSH_CHANNEL_X11_LISTENER:
610: case SSH_CHANNEL_PORT_LISTENER:
611: case SSH_CHANNEL_AUTH_SOCKET:
612: continue;
613: case SSH_CHANNEL_OPEN:
1.23 ! markus 614: if (buffer_len(&ch->input) > packet_get_maxsize())
1.1 deraadt 615: return 0;
1.23 ! markus 616: if (buffer_len(&ch->output) > packet_get_maxsize())
1.1 deraadt 617: return 0;
618: continue;
619: case SSH_CHANNEL_INPUT_DRAINING:
620: case SSH_CHANNEL_OUTPUT_DRAINING:
621: case SSH_CHANNEL_X11_OPEN:
622: case SSH_CHANNEL_FREE:
623: default:
624: continue;
625: }
626: }
627: return 1;
628: }
629:
1.14 markus 630: /* This is called after receiving CHANNEL_CLOSE/IEOF. */
1.1 deraadt 631:
632: void channel_input_close()
633: {
634: int channel;
635:
636: /* Get the channel number and verify it. */
637: channel = packet_get_int();
638: if (channel < 0 || channel >= channels_alloc ||
639: channels[channel].type == SSH_CHANNEL_FREE)
640: packet_disconnect("Received data for nonexistent channel %d.", channel);
641:
1.14 markus 642: if(!compat13){
643: /* proto version 1.5 overloads CLOSE with IEOF */
644: chan_rcvd_ieof(&channels[channel]);
645: return;
646: }
647:
1.1 deraadt 648: /* Send a confirmation that we have closed the channel and no more data is
649: coming for it. */
650: packet_start(SSH_MSG_CHANNEL_CLOSE_CONFIRMATION);
651: packet_put_int(channels[channel].remote_id);
652: packet_send();
653:
654: /* If the channel is in closed state, we have sent a close request, and
655: the other side will eventually respond with a confirmation. Thus,
656: we cannot free the channel here, because then there would be no-one to
657: receive the confirmation. The channel gets freed when the confirmation
658: arrives. */
659: if (channels[channel].type != SSH_CHANNEL_CLOSED)
660: {
661: /* Not a closed channel - mark it as draining, which will cause it to
662: be freed later. */
663: buffer_consume(&channels[channel].input,
664: buffer_len(&channels[channel].input));
665: channels[channel].type = SSH_CHANNEL_OUTPUT_DRAINING;
666: /* debug("Setting status to output draining; output len = %d",
667: buffer_len(&channels[channel].output)); */
668: }
669: }
670:
1.14 markus 671: /* This is called after receiving CHANNEL_CLOSE_CONFIRMATION/OCLOSE. */
1.1 deraadt 672:
673: void channel_input_close_confirmation()
674: {
675: int channel;
676:
677: /* Get the channel number and verify it. */
678: channel = packet_get_int();
679: if (channel < 0 || channel >= channels_alloc)
680: packet_disconnect("Received close confirmation for out-of-range channel %d.",
681: channel);
1.14 markus 682:
683: if(!compat13){
684: /* proto version 1.5 overloads CLOSE_CONFIRMATION with OCLOSE */
685: chan_rcvd_oclose(&channels[channel]);
686: return;
687: }
688:
1.1 deraadt 689: if (channels[channel].type != SSH_CHANNEL_CLOSED)
690: packet_disconnect("Received close confirmation for non-closed channel %d (type %d).",
691: channel, channels[channel].type);
692:
693: /* Free the channel. */
694: channel_free(channel);
695: }
696:
697: /* This is called after receiving CHANNEL_OPEN_CONFIRMATION. */
698:
699: void channel_input_open_confirmation()
700: {
701: int channel, remote_channel;
702:
703: /* Get the channel number and verify it. */
704: channel = packet_get_int();
705: if (channel < 0 || channel >= channels_alloc ||
706: channels[channel].type != SSH_CHANNEL_OPENING)
707: packet_disconnect("Received open confirmation for non-opening channel %d.",
708: channel);
709:
710: /* Get remote side's id for this channel. */
711: remote_channel = packet_get_int();
712:
713: /* Record the remote channel number and mark that the channel is now open. */
714: channels[channel].remote_id = remote_channel;
715: channels[channel].type = SSH_CHANNEL_OPEN;
716: }
717:
718: /* This is called after receiving CHANNEL_OPEN_FAILURE from the other side. */
719:
720: void channel_input_open_failure()
721: {
722: int channel;
723:
724: /* Get the channel number and verify it. */
725: channel = packet_get_int();
726: if (channel < 0 || channel >= channels_alloc ||
727: channels[channel].type != SSH_CHANNEL_OPENING)
728: packet_disconnect("Received open failure for non-opening channel %d.",
729: channel);
730:
731: /* Free the channel. This will also close the socket. */
732: channel_free(channel);
733: }
734:
735: /* Stops listening for channels, and removes any unix domain sockets that
736: we might have. */
737:
738: void channel_stop_listening()
739: {
740: int i;
741: for (i = 0; i < channels_alloc; i++)
742: {
743: switch (channels[i].type)
744: {
745: case SSH_CHANNEL_AUTH_SOCKET:
746: close(channels[i].sock);
747: remove(channels[i].path);
748: channel_free(i);
749: break;
750: case SSH_CHANNEL_PORT_LISTENER:
751: case SSH_CHANNEL_X11_LISTENER:
752: close(channels[i].sock);
753: channel_free(i);
754: break;
755: default:
756: break;
757: }
758: }
759: }
760:
761: /* Closes the sockets of all channels. This is used to close extra file
762: descriptors after a fork. */
763:
764: void channel_close_all()
765: {
766: int i;
767: for (i = 0; i < channels_alloc; i++)
768: {
769: if (channels[i].type != SSH_CHANNEL_FREE)
770: close(channels[i].sock);
771: }
772: }
773:
774: /* Returns the maximum file descriptor number used by the channels. */
775:
776: int channel_max_fd()
777: {
778: return channel_max_fd_value;
779: }
780:
781: /* Returns true if any channel is still open. */
782:
783: int channel_still_open()
784: {
785: unsigned int i;
786: for (i = 0; i < channels_alloc; i++)
787: switch (channels[i].type)
788: {
789: case SSH_CHANNEL_FREE:
790: case SSH_CHANNEL_X11_LISTENER:
791: case SSH_CHANNEL_PORT_LISTENER:
792: case SSH_CHANNEL_CLOSED:
793: case SSH_CHANNEL_AUTH_SOCKET:
794: continue;
795: case SSH_CHANNEL_OPENING:
796: case SSH_CHANNEL_OPEN:
797: case SSH_CHANNEL_X11_OPEN:
1.14 markus 798: return 1;
1.1 deraadt 799: case SSH_CHANNEL_INPUT_DRAINING:
800: case SSH_CHANNEL_OUTPUT_DRAINING:
1.14 markus 801: if (!compat13)
802: fatal("cannot happen: OUT_DRAIN");
1.1 deraadt 803: return 1;
804: default:
805: fatal("channel_still_open: bad channel type %d", channels[i].type);
806: /*NOTREACHED*/
807: }
808: return 0;
809: }
810:
811: /* Returns a message describing the currently open forwarded
812: connections, suitable for sending to the client. The message
813: contains crlf pairs for newlines. */
814:
815: char *channel_open_message()
816: {
817: Buffer buffer;
818: int i;
819: char buf[512], *cp;
820:
821: buffer_init(&buffer);
1.15 deraadt 822: snprintf(buf, sizeof buf, "The following connections are open:\r\n");
1.1 deraadt 823: buffer_append(&buffer, buf, strlen(buf));
1.14 markus 824: for (i = 0; i < channels_alloc; i++){
825: Channel *c=&channels[i];
826: switch (c->type)
1.1 deraadt 827: {
828: case SSH_CHANNEL_FREE:
829: case SSH_CHANNEL_X11_LISTENER:
830: case SSH_CHANNEL_PORT_LISTENER:
831: case SSH_CHANNEL_CLOSED:
832: case SSH_CHANNEL_AUTH_SOCKET:
833: continue;
834: case SSH_CHANNEL_OPENING:
835: case SSH_CHANNEL_OPEN:
836: case SSH_CHANNEL_X11_OPEN:
837: case SSH_CHANNEL_INPUT_DRAINING:
838: case SSH_CHANNEL_OUTPUT_DRAINING:
1.17 markus 839: snprintf(buf, sizeof buf, " #%d %.300s (t%d r%d i%d o%d)\r\n",
840: c->self,c->remote_name,
841: c->type,c->remote_id, c->istate,c->ostate);
1.1 deraadt 842: buffer_append(&buffer, buf, strlen(buf));
843: continue;
844: default:
1.14 markus 845: fatal("channel_still_open: bad channel type %d", c->type);
1.1 deraadt 846: /*NOTREACHED*/
847: }
1.14 markus 848: }
1.1 deraadt 849: buffer_append(&buffer, "\0", 1);
850: cp = xstrdup(buffer_ptr(&buffer));
851: buffer_free(&buffer);
852: return cp;
853: }
854:
855: /* Initiate forwarding of connections to local port "port" through the secure
856: channel to host:port from remote side. */
857:
858: void channel_request_local_forwarding(int port, const char *host,
859: int host_port)
860: {
861: int ch, sock;
862: struct sockaddr_in sin;
1.4 deraadt 863: extern Options options;
1.1 deraadt 864:
865: if (strlen(host) > sizeof(channels[0].path) - 1)
866: packet_disconnect("Forward host name too long.");
867:
868: /* Create a port to listen for the host. */
869: sock = socket(AF_INET, SOCK_STREAM, 0);
870: if (sock < 0)
871: packet_disconnect("socket: %.100s", strerror(errno));
872:
873: /* Initialize socket address. */
874: memset(&sin, 0, sizeof(sin));
875: sin.sin_family = AF_INET;
1.4 deraadt 876: if (options.gateway_ports == 1)
877: sin.sin_addr.s_addr = htonl(INADDR_ANY);
878: else
879: sin.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
1.1 deraadt 880: sin.sin_port = htons(port);
881:
882: /* Bind the socket to the address. */
883: if (bind(sock, (struct sockaddr *)&sin, sizeof(sin)) < 0)
884: packet_disconnect("bind: %.100s", strerror(errno));
885:
886: /* Start listening for connections on the socket. */
887: if (listen(sock, 5) < 0)
888: packet_disconnect("listen: %.100s", strerror(errno));
889:
890: /* Allocate a channel number for the socket. */
891: ch = channel_allocate(SSH_CHANNEL_PORT_LISTENER, sock,
892: xstrdup("port listener"));
893: strcpy(channels[ch].path, host); /* note: host name stored here */
894: channels[ch].host_port = host_port; /* port on host to connect to */
895: channels[ch].listening_port = port; /* port being listened */
896: }
897:
898: /* Initiate forwarding of connections to port "port" on remote host through
899: the secure channel to host:port from local side. */
900:
901: void channel_request_remote_forwarding(int port, const char *host,
902: int remote_port)
903: {
904: int payload_len;
905: /* Record locally that connection to this host/port is permitted. */
906: if (num_permitted_opens >= SSH_MAX_FORWARDS_PER_DIRECTION)
907: fatal("channel_request_remote_forwarding: too many forwards");
908: permitted_opens[num_permitted_opens].host = xstrdup(host);
909: permitted_opens[num_permitted_opens].port = remote_port;
910: num_permitted_opens++;
911:
912: /* Send the forward request to the remote side. */
913: packet_start(SSH_CMSG_PORT_FORWARD_REQUEST);
914: packet_put_int(port);
915: packet_put_string(host, strlen(host));
916: packet_put_int(remote_port);
917: packet_send();
918: packet_write_wait();
919:
920: /* Wait for response from the remote side. It will send a disconnect
921: message on failure, and we will never see it here. */
922: packet_read_expect(&payload_len, SSH_SMSG_SUCCESS);
923: }
924:
925: /* This is called after receiving CHANNEL_FORWARDING_REQUEST. This initates
926: listening for the port, and sends back a success reply (or disconnect
927: message if there was an error). This never returns if there was an
928: error. */
929:
930: void channel_input_port_forward_request(int is_root)
931: {
932: int port, host_port;
933: char *hostname;
934:
935: /* Get arguments from the packet. */
936: port = packet_get_int();
937: hostname = packet_get_string(NULL);
938: host_port = packet_get_int();
939:
940: /* Port numbers are 16 bit quantities. */
941: if ((port & 0xffff) != port)
942: packet_disconnect("Requested forwarding of nonexistent port %d.", port);
943:
944: /* Check that an unprivileged user is not trying to forward a privileged
945: port. */
1.8 deraadt 946: if (port < IPPORT_RESERVED && !is_root)
1.1 deraadt 947: packet_disconnect("Requested forwarding of port %d but user is not root.",
948: port);
949:
950: /* Initiate forwarding. */
951: channel_request_local_forwarding(port, hostname, host_port);
952:
953: /* Free the argument string. */
954: xfree(hostname);
955: }
956:
957: /* This is called after receiving PORT_OPEN message. This attempts to connect
958: to the given host:port, and sends back CHANNEL_OPEN_CONFIRMATION or
959: CHANNEL_OPEN_FAILURE. */
960:
961: void channel_input_port_open(int payload_len)
962: {
963: int remote_channel, sock, newch, host_port, i;
964: struct sockaddr_in sin;
965: char *host, *originator_string;
966: struct hostent *hp;
967: int host_len, originator_len;
968:
969: /* Get remote channel number. */
970: remote_channel = packet_get_int();
971:
972: /* Get host name to connect to. */
973: host = packet_get_string(&host_len);
974:
975: /* Get port to connect to. */
976: host_port = packet_get_int();
977:
978: /* Get remote originator name. */
979: if (have_hostname_in_open)
980: originator_string = packet_get_string(&originator_len);
981: else
982: originator_string = xstrdup("unknown (remote did not supply name)");
983:
984: packet_integrity_check(payload_len,
985: 4 + 4 + host_len + 4 + 4 + originator_len,
986: SSH_MSG_PORT_OPEN);
987:
988: /* Check if opening that port is permitted. */
989: if (!all_opens_permitted)
990: {
991: /* Go trough all permitted ports. */
992: for (i = 0; i < num_permitted_opens; i++)
993: if (permitted_opens[i].port == host_port &&
994: strcmp(permitted_opens[i].host, host) == 0)
995: break;
996:
997: /* Check if we found the requested port among those permitted. */
998: if (i >= num_permitted_opens)
999: {
1000: /* The port is not permitted. */
1001: log("Received request to connect to %.100s:%d, but the request was denied.",
1002: host, host_port);
1003: packet_start(SSH_MSG_CHANNEL_OPEN_FAILURE);
1004: packet_put_int(remote_channel);
1005: packet_send();
1006: }
1007: }
1008:
1009: memset(&sin, 0, sizeof(sin));
1010: sin.sin_addr.s_addr = inet_addr(host);
1011: if ((sin.sin_addr.s_addr & 0xffffffff) != 0xffffffff)
1012: {
1013: /* It was a valid numeric host address. */
1014: sin.sin_family = AF_INET;
1015: }
1016: else
1017: {
1018: /* Look up the host address from the name servers. */
1019: hp = gethostbyname(host);
1020: if (!hp)
1021: {
1022: error("%.100s: unknown host.", host);
1023: goto fail;
1024: }
1025: if (!hp->h_addr_list[0])
1026: {
1027: error("%.100s: host has no IP address.", host);
1028: goto fail;
1029: }
1030: sin.sin_family = hp->h_addrtype;
1031: memcpy(&sin.sin_addr, hp->h_addr_list[0],
1032: sizeof(sin.sin_addr));
1033: }
1034: sin.sin_port = htons(host_port);
1035:
1036: /* Create the socket. */
1037: sock = socket(sin.sin_family, SOCK_STREAM, 0);
1038: if (sock < 0)
1039: {
1040: error("socket: %.100s", strerror(errno));
1041: goto fail;
1042: }
1043:
1044: /* Connect to the host/port. */
1045: if (connect(sock, (struct sockaddr *)&sin, sizeof(sin)) < 0)
1046: {
1047: error("connect %.100s:%d: %.100s", host, host_port,
1048: strerror(errno));
1049: close(sock);
1050: goto fail;
1051: }
1052:
1053: /* Successful connection. */
1054:
1055: /* Allocate a channel for this connection. */
1056: newch = channel_allocate(SSH_CHANNEL_OPEN, sock, originator_string);
1057: channels[newch].remote_id = remote_channel;
1058:
1059: /* Send a confirmation to the remote host. */
1060: packet_start(SSH_MSG_CHANNEL_OPEN_CONFIRMATION);
1061: packet_put_int(remote_channel);
1062: packet_put_int(newch);
1063: packet_send();
1064:
1065: /* Free the argument string. */
1066: xfree(host);
1067:
1068: return;
1069:
1070: fail:
1071: /* Free the argument string. */
1072: xfree(host);
1073:
1074: /* Send refusal to the remote host. */
1075: packet_start(SSH_MSG_CHANNEL_OPEN_FAILURE);
1076: packet_put_int(remote_channel);
1077: packet_send();
1078: }
1079:
1080: /* Creates an internet domain socket for listening for X11 connections.
1081: Returns a suitable value for the DISPLAY variable, or NULL if an error
1082: occurs. */
1083:
1084: char *x11_create_display_inet(int screen_number)
1085: {
1.3 deraadt 1086: extern ServerOptions options;
1.1 deraadt 1087: int display_number, port, sock;
1088: struct sockaddr_in sin;
1089: char buf[512];
1.6 deraadt 1090: char hostname[MAXHOSTNAMELEN];
1.1 deraadt 1091:
1.3 deraadt 1092: for (display_number = options.x11_display_offset; display_number < MAX_DISPLAYS; display_number++)
1.1 deraadt 1093: {
1094: port = 6000 + display_number;
1095: memset(&sin, 0, sizeof(sin));
1096: sin.sin_family = AF_INET;
1.4 deraadt 1097: sin.sin_addr.s_addr = htonl(INADDR_ANY);
1.1 deraadt 1098: sin.sin_port = htons(port);
1099:
1100: sock = socket(AF_INET, SOCK_STREAM, 0);
1101: if (sock < 0)
1102: {
1103: error("socket: %.100s", strerror(errno));
1104: return NULL;
1105: }
1106:
1107: if (bind(sock, (struct sockaddr *)&sin, sizeof(sin)) < 0)
1108: {
1109: debug("bind port %d: %.100s", port, strerror(errno));
1.10 deraadt 1110: shutdown(sock, SHUT_RDWR);
1.1 deraadt 1111: close(sock);
1112: continue;
1113: }
1114: break;
1115: }
1116: if (display_number >= MAX_DISPLAYS)
1117: {
1118: error("Failed to allocate internet-domain X11 display socket.");
1119: return NULL;
1120: }
1121:
1122: /* Start listening for connections on the socket. */
1123: if (listen(sock, 5) < 0)
1124: {
1125: error("listen: %.100s", strerror(errno));
1.10 deraadt 1126: shutdown(sock, SHUT_RDWR);
1.1 deraadt 1127: close(sock);
1128: return NULL;
1129: }
1130:
1131: /* Set up a suitable value for the DISPLAY variable. */
1132: if (gethostname(hostname, sizeof(hostname)) < 0)
1133: fatal("gethostname: %.100s", strerror(errno));
1.6 deraadt 1134: snprintf(buf, sizeof buf, "%.400s:%d.%d", hostname,
1135: display_number, screen_number);
1.1 deraadt 1136:
1137: /* Allocate a channel for the socket. */
1138: (void)channel_allocate(SSH_CHANNEL_X11_LISTENER, sock,
1139: xstrdup("X11 inet listener"));
1140:
1141: /* Return a suitable value for the DISPLAY environment variable. */
1142: return xstrdup(buf);
1143: }
1144:
1145: #ifndef X_UNIX_PATH
1146: #define X_UNIX_PATH "/tmp/.X11-unix/X"
1147: #endif
1148:
1149: static
1150: int
1151: connect_local_xsocket(unsigned dnr)
1152: {
1153: static const char *const x_sockets[] = {
1154: X_UNIX_PATH "%u",
1155: "/var/X/.X11-unix/X" "%u",
1156: "/usr/spool/sockets/X11/" "%u",
1157: NULL
1158: };
1159: int sock;
1160: struct sockaddr_un addr;
1161: const char *const *path;
1162:
1163: for (path = x_sockets; *path; ++path)
1164: {
1165: sock = socket(AF_UNIX, SOCK_STREAM, 0);
1166: if (sock < 0)
1167: error("socket: %.100s", strerror(errno));
1168: memset(&addr, 0, sizeof(addr));
1169: addr.sun_family = AF_UNIX;
1.15 deraadt 1170: snprintf(addr.sun_path, sizeof addr.sun_path, *path, dnr);
1.1 deraadt 1171: if (connect(sock, (struct sockaddr *)&addr, sizeof(addr)) == 0)
1172: return sock;
1173: close(sock);
1174: }
1175: error("connect %.100s: %.100s", addr.sun_path, strerror(errno));
1176: return -1;
1177: }
1178:
1179:
1180: /* This is called when SSH_SMSG_X11_OPEN is received. The packet contains
1181: the remote channel number. We should do whatever we want, and respond
1182: with either SSH_MSG_OPEN_CONFIRMATION or SSH_MSG_OPEN_FAILURE. */
1183:
1184: void x11_input_open(int payload_len)
1185: {
1186: int remote_channel, display_number, sock, newch;
1187: const char *display;
1188: struct sockaddr_in sin;
1189: char buf[1024], *cp, *remote_host;
1190: struct hostent *hp;
1191: int remote_len;
1192:
1193: /* Get remote channel number. */
1194: remote_channel = packet_get_int();
1195:
1196: /* Get remote originator name. */
1197: if (have_hostname_in_open)
1198: remote_host = packet_get_string(&remote_len);
1199: else
1200: remote_host = xstrdup("unknown (remote did not supply name)");
1201:
1202: debug("Received X11 open request.");
1203: packet_integrity_check(payload_len, 4 + 4+remote_len, SSH_SMSG_X11_OPEN);
1204:
1205: /* Try to open a socket for the local X server. */
1206: display = getenv("DISPLAY");
1207: if (!display)
1208: {
1209: error("DISPLAY not set.");
1210: goto fail;
1211: }
1212:
1213: /* Now we decode the value of the DISPLAY variable and make a connection
1214: to the real X server. */
1215:
1216: /* Check if it is a unix domain socket. Unix domain displays are in one
1217: of the following formats: unix:d[.s], :d[.s], ::d[.s] */
1218: if (strncmp(display, "unix:", 5) == 0 ||
1219: display[0] == ':')
1220: {
1221: /* Connect to the unix domain socket. */
1222: if (sscanf(strrchr(display, ':') + 1, "%d", &display_number) != 1)
1223: {
1224: error("Could not parse display number from DISPLAY: %.100s",
1225: display);
1226: goto fail;
1227: }
1228: /* Create a socket. */
1229: sock = connect_local_xsocket(display_number);
1230: if (sock < 0)
1231: goto fail;
1232:
1233: /* OK, we now have a connection to the display. */
1234: goto success;
1235: }
1236:
1237: /* Connect to an inet socket. The DISPLAY value is supposedly
1238: hostname:d[.s], where hostname may also be numeric IP address. */
1239: strncpy(buf, display, sizeof(buf));
1240: buf[sizeof(buf) - 1] = 0;
1241: cp = strchr(buf, ':');
1242: if (!cp)
1243: {
1244: error("Could not find ':' in DISPLAY: %.100s", display);
1245: goto fail;
1246: }
1247: *cp = 0;
1248: /* buf now contains the host name. But first we parse the display number. */
1249: if (sscanf(cp + 1, "%d", &display_number) != 1)
1250: {
1251: error("Could not parse display number from DISPLAY: %.100s",
1252: display);
1253: goto fail;
1254: }
1255:
1256: /* Try to parse the host name as a numeric IP address. */
1257: memset(&sin, 0, sizeof(sin));
1258: sin.sin_addr.s_addr = inet_addr(buf);
1259: if ((sin.sin_addr.s_addr & 0xffffffff) != 0xffffffff)
1260: {
1261: /* It was a valid numeric host address. */
1262: sin.sin_family = AF_INET;
1263: }
1264: else
1265: {
1266: /* Not a numeric IP address. */
1267: /* Look up the host address from the name servers. */
1268: hp = gethostbyname(buf);
1269: if (!hp)
1270: {
1271: error("%.100s: unknown host.", buf);
1272: goto fail;
1273: }
1274: if (!hp->h_addr_list[0])
1275: {
1276: error("%.100s: host has no IP address.", buf);
1277: goto fail;
1278: }
1279: sin.sin_family = hp->h_addrtype;
1280: memcpy(&sin.sin_addr, hp->h_addr_list[0],
1281: sizeof(sin.sin_addr));
1282: }
1283: /* Set port number. */
1284: sin.sin_port = htons(6000 + display_number);
1285:
1286: /* Create a socket. */
1287: sock = socket(sin.sin_family, SOCK_STREAM, 0);
1288: if (sock < 0)
1289: {
1290: error("socket: %.100s", strerror(errno));
1291: goto fail;
1292: }
1293: /* Connect it to the display. */
1294: if (connect(sock, (struct sockaddr *)&sin, sizeof(sin)) < 0)
1295: {
1296: error("connect %.100s:%d: %.100s", buf, 6000 + display_number,
1297: strerror(errno));
1298: close(sock);
1299: goto fail;
1300: }
1301:
1302: success:
1303: /* We have successfully obtained a connection to the real X display. */
1304:
1305: /* Allocate a channel for this connection. */
1306: if (x11_saved_proto == NULL)
1307: newch = channel_allocate(SSH_CHANNEL_OPEN, sock, remote_host);
1308: else
1309: newch = channel_allocate(SSH_CHANNEL_X11_OPEN, sock, remote_host);
1310: channels[newch].remote_id = remote_channel;
1311:
1312: /* Send a confirmation to the remote host. */
1313: packet_start(SSH_MSG_CHANNEL_OPEN_CONFIRMATION);
1314: packet_put_int(remote_channel);
1315: packet_put_int(newch);
1316: packet_send();
1317:
1318: return;
1319:
1320: fail:
1321: /* Send refusal to the remote host. */
1322: packet_start(SSH_MSG_CHANNEL_OPEN_FAILURE);
1323: packet_put_int(remote_channel);
1324: packet_send();
1325: }
1326:
1327: /* Requests forwarding of X11 connections, generates fake authentication
1328: data, and enables authentication spoofing. */
1329:
1.2 provos 1330: void x11_request_forwarding_with_spoofing(const char *proto, const char *data)
1.1 deraadt 1331: {
1332: unsigned int data_len = (unsigned int)strlen(data) / 2;
1333: unsigned int i, value;
1334: char *new_data;
1335: int screen_number;
1336: const char *cp;
1.5 dugsong 1337: u_int32_t rand = 0;
1.1 deraadt 1338:
1339: cp = getenv("DISPLAY");
1340: if (cp)
1341: cp = strchr(cp, ':');
1342: if (cp)
1343: cp = strchr(cp, '.');
1344: if (cp)
1345: screen_number = atoi(cp + 1);
1346: else
1347: screen_number = 0;
1348:
1349: /* Save protocol name. */
1350: x11_saved_proto = xstrdup(proto);
1351:
1352: /* Extract real authentication data and generate fake data of the same
1353: length. */
1354: x11_saved_data = xmalloc(data_len);
1355: x11_fake_data = xmalloc(data_len);
1356: for (i = 0; i < data_len; i++)
1357: {
1358: if (sscanf(data + 2 * i, "%2x", &value) != 1)
1359: fatal("x11_request_forwarding: bad authentication data: %.100s", data);
1.2 provos 1360: if (i % 4 == 0)
1361: rand = arc4random();
1.1 deraadt 1362: x11_saved_data[i] = value;
1.2 provos 1363: x11_fake_data[i] = rand & 0xff;
1364: rand >>= 8;
1.1 deraadt 1365: }
1366: x11_saved_data_len = data_len;
1367: x11_fake_data_len = data_len;
1368:
1369: /* Convert the fake data into hex. */
1370: new_data = xmalloc(2 * data_len + 1);
1371: for (i = 0; i < data_len; i++)
1372: sprintf(new_data + 2 * i, "%02x", (unsigned char)x11_fake_data[i]);
1373:
1374: /* Send the request packet. */
1375: packet_start(SSH_CMSG_X11_REQUEST_FORWARDING);
1376: packet_put_string(proto, strlen(proto));
1377: packet_put_string(new_data, strlen(new_data));
1378: packet_put_int(screen_number);
1379: packet_send();
1380: packet_write_wait();
1381: xfree(new_data);
1382: }
1383:
1384: /* Sends a message to the server to request authentication fd forwarding. */
1385:
1386: void auth_request_forwarding()
1387: {
1388: packet_start(SSH_CMSG_AGENT_REQUEST_FORWARDING);
1389: packet_send();
1390: packet_write_wait();
1391: }
1392:
1393: /* Returns the name of the forwarded authentication socket. Returns NULL
1394: if there is no forwarded authentication socket. The returned value
1395: points to a static buffer. */
1396:
1397: char *auth_get_socket_name()
1398: {
1399: return channel_forwarded_auth_socket_name;
1400: }
1401:
1.12 markus 1402: /* removes the agent forwarding socket */
1403:
1404: void cleanup_socket(void) {
1405: remove(channel_forwarded_auth_socket_name);
1406: rmdir(channel_forwarded_auth_socket_dir);
1407: }
1408:
1.1 deraadt 1409: /* This if called to process SSH_CMSG_AGENT_REQUEST_FORWARDING on the server.
1410: This starts forwarding authentication requests. */
1411:
1412: void auth_input_request_forwarding(struct passwd *pw)
1413: {
1.11 markus 1414: int sock, newch;
1415: struct sockaddr_un sunaddr;
1.1 deraadt 1416:
1.11 markus 1417: if (auth_get_socket_name() != NULL)
1418: fatal("Protocol error: authentication forwarding requested twice.");
1419:
1.12 markus 1420: /* Temporarily drop privileged uid for mkdir/bind. */
1421: temporarily_use_uid(pw->pw_uid);
1422:
1.11 markus 1423: /* Allocate a buffer for the socket name, and format the name. */
1.12 markus 1424: channel_forwarded_auth_socket_name = xmalloc(MAX_SOCKET_NAME);
1425: channel_forwarded_auth_socket_dir = xmalloc(MAX_SOCKET_NAME);
1426: strlcpy(channel_forwarded_auth_socket_dir, "/tmp/ssh-XXXXXXXX", MAX_SOCKET_NAME);
1427:
1428: /* Create private directory for socket */
1429: if (mkdtemp(channel_forwarded_auth_socket_dir) == NULL)
1430: packet_disconnect("mkdtemp: %.100s", strerror(errno));
1431: snprintf(channel_forwarded_auth_socket_name, MAX_SOCKET_NAME,
1432: "%s/agent.%d", channel_forwarded_auth_socket_dir, (int)getpid());
1433:
1434: if (atexit(cleanup_socket) < 0) {
1435: int saved=errno;
1436: cleanup_socket();
1437: packet_disconnect("socket: %.100s", strerror(saved));
1438: }
1.1 deraadt 1439:
1.11 markus 1440: /* Create the socket. */
1441: sock = socket(AF_UNIX, SOCK_STREAM, 0);
1442: if (sock < 0)
1443: packet_disconnect("socket: %.100s", strerror(errno));
1.1 deraadt 1444:
1.11 markus 1445: /* Bind it to the name. */
1446: memset(&sunaddr, 0, sizeof(sunaddr));
1447: sunaddr.sun_family = AF_UNIX;
1448: strncpy(sunaddr.sun_path, channel_forwarded_auth_socket_name,
1449: sizeof(sunaddr.sun_path));
1.1 deraadt 1450:
1.11 markus 1451: if (bind(sock, (struct sockaddr *)&sunaddr, sizeof(sunaddr)) < 0)
1452: packet_disconnect("bind: %.100s", strerror(errno));
1.1 deraadt 1453:
1.11 markus 1454: /* Restore the privileged uid. */
1455: restore_uid();
1.1 deraadt 1456:
1.11 markus 1457: /* Start listening on the socket. */
1458: if (listen(sock, 5) < 0)
1459: packet_disconnect("listen: %.100s", strerror(errno));
1.1 deraadt 1460:
1.11 markus 1461: /* Allocate a channel for the authentication agent socket. */
1462: newch = channel_allocate(SSH_CHANNEL_AUTH_SOCKET, sock,
1463: xstrdup("auth socket"));
1464: strcpy(channels[newch].path, channel_forwarded_auth_socket_name);
1.1 deraadt 1465: }
1466:
1467: /* This is called to process an SSH_SMSG_AGENT_OPEN message. */
1468:
1469: void auth_input_open_request()
1470: {
1.13 markus 1471: int remch, sock, newch;
1.1 deraadt 1472: char *dummyname;
1473:
1.13 markus 1474: /* Read the remote channel number from the message. */
1475: remch = packet_get_int();
1.1 deraadt 1476:
1477: /* Get a connection to the local authentication agent (this may again get
1478: forwarded). */
1.13 markus 1479: sock = ssh_get_authentication_socket();
1.1 deraadt 1480:
1.13 markus 1481: /* If we could not connect the agent, send an error message back to
1482: the server. This should never happen unless the agent
1.1 deraadt 1483: dies, because authentication forwarding is only enabled if we have an
1484: agent. */
1.13 markus 1485: if (sock < 0){
1486: packet_start(SSH_MSG_CHANNEL_OPEN_FAILURE);
1487: packet_put_int(remch);
1488: packet_send();
1.1 deraadt 1489: return;
1.13 markus 1490: }
1.1 deraadt 1491:
1492: debug("Forwarding authentication connection.");
1493:
1494: /* Dummy host name. This will be freed when the channel is freed; it will
1495: still be valid in the packet_put_string below since the channel cannot
1496: yet be freed at that point. */
1497: dummyname = xstrdup("authentication agent connection");
1498:
1.13 markus 1499: newch = channel_allocate(SSH_CHANNEL_OPEN, sock, dummyname);
1500: channels[newch].remote_id = remch;
1501:
1502: /* Send a confirmation to the remote host. */
1503: packet_start(SSH_MSG_CHANNEL_OPEN_CONFIRMATION);
1504: packet_put_int(remch);
1.1 deraadt 1505: packet_put_int(newch);
1506: packet_send();
1507: }