Annotation of src/usr.bin/ssh/channels.c, Revision 1.25
1.1 deraadt 1: /*
2:
3: channels.c
4:
5: Author: Tatu Ylonen <ylo@cs.hut.fi>
6:
7: Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
8: All rights reserved
9:
10: Created: Fri Mar 24 16:35:24 1995 ylo
11:
12: This file contains functions for generic socket connection forwarding.
13: There is also code for initiating connection forwarding for X11 connections,
14: arbitrary tcp/ip connections, and the authentication agent connection.
15:
16: */
17:
18: #include "includes.h"
1.25 ! markus 19: RCSID("$Id: channels.c,v 1.24 1999/11/22 21:02:38 markus Exp $");
1.1 deraadt 20:
21: #include "ssh.h"
22: #include "packet.h"
23: #include "xmalloc.h"
24: #include "buffer.h"
25: #include "authfd.h"
26: #include "uidswap.h"
1.20 markus 27: #include "readconf.h"
1.3 deraadt 28: #include "servconf.h"
1.1 deraadt 29:
1.14 markus 30: #include "channels.h"
31: #include "nchan.h"
32: #include "compat.h"
33:
1.1 deraadt 34: /* Maximum number of fake X11 displays to try. */
35: #define MAX_DISPLAYS 1000
36:
1.12 markus 37: /* Max len of agent socket */
38: #define MAX_SOCKET_NAME 100
39:
1.1 deraadt 40: /* Pointer to an array containing all allocated channels. The array is
41: dynamically extended as needed. */
42: static Channel *channels = NULL;
43:
44: /* Size of the channel array. All slots of the array must always be
45: initialized (at least the type field); unused slots are marked with
46: type SSH_CHANNEL_FREE. */
47: static int channels_alloc = 0;
48:
49: /* Maximum file descriptor value used in any of the channels. This is updated
50: in channel_allocate. */
51: static int channel_max_fd_value = 0;
52:
1.12 markus 53: /* Name and directory of socket for authentication agent forwarding. */
1.1 deraadt 54: static char *channel_forwarded_auth_socket_name = NULL;
1.25 ! markus 55: static char *channel_forwarded_auth_socket_dir = NULL;
1.1 deraadt 56:
57: /* Saved X11 authentication protocol name. */
58: char *x11_saved_proto = NULL;
59:
60: /* Saved X11 authentication data. This is the real data. */
61: char *x11_saved_data = NULL;
62: unsigned int x11_saved_data_len = 0;
63:
64: /* Fake X11 authentication data. This is what the server will be sending
65: us; we should replace any occurrences of this by the real data. */
66: char *x11_fake_data = NULL;
67: unsigned int x11_fake_data_len;
68:
69: /* Data structure for storing which hosts are permitted for forward requests.
70: The local sides of any remote forwards are stored in this array to prevent
71: a corrupt remote server from accessing arbitrary TCP/IP ports on our
72: local network (which might be behind a firewall). */
1.25 ! markus 73: typedef struct {
! 74: char *host; /* Host name. */
! 75: int port; /* Port number. */
1.1 deraadt 76: } ForwardPermission;
77:
78: /* List of all permitted host/port pairs to connect. */
79: static ForwardPermission permitted_opens[SSH_MAX_FORWARDS_PER_DIRECTION];
80: /* Number of permitted host/port pairs in the array. */
81: static int num_permitted_opens = 0;
82: /* If this is true, all opens are permitted. This is the case on the
83: server on which we have to trust the client anyway, and the user could
84: do anything after logging in anyway. */
85: static int all_opens_permitted = 0;
86:
87: /* This is set to true if both sides support SSH_PROTOFLAG_HOST_IN_FWD_OPEN. */
88: static int have_hostname_in_open = 0;
89:
90: /* Sets specific protocol options. */
91:
1.25 ! markus 92: void
! 93: channel_set_options(int hostname_in_open)
1.1 deraadt 94: {
1.25 ! markus 95: have_hostname_in_open = hostname_in_open;
1.1 deraadt 96: }
97:
98: /* Permits opening to any host/port in SSH_MSG_PORT_OPEN. This is usually
99: called by the server, because the user could connect to any port anyway,
100: and the server has no way to know but to trust the client anyway. */
101:
1.25 ! markus 102: void
! 103: channel_permit_all_opens()
1.1 deraadt 104: {
1.25 ! markus 105: all_opens_permitted = 1;
1.1 deraadt 106: }
107:
1.25 ! markus 108: /* Allocate a new channel object and set its type and socket.
1.1 deraadt 109: This will cause remote_name to be freed. */
110:
1.25 ! markus 111: int
! 112: channel_allocate(int type, int sock, char *remote_name)
1.1 deraadt 113: {
1.25 ! markus 114: int i, found;
! 115: Channel *c;
1.1 deraadt 116:
1.25 ! markus 117: /* Update the maximum file descriptor value. */
! 118: if (sock > channel_max_fd_value)
! 119: channel_max_fd_value = sock;
! 120:
! 121: /* Do initial allocation if this is the first call. */
! 122: if (channels_alloc == 0) {
! 123: channels_alloc = 10;
! 124: channels = xmalloc(channels_alloc * sizeof(Channel));
! 125: for (i = 0; i < channels_alloc; i++)
! 126: channels[i].type = SSH_CHANNEL_FREE;
! 127:
! 128: /* Kludge: arrange a call to channel_stop_listening if we
! 129: terminate with fatal(). */
! 130: fatal_add_cleanup((void (*) (void *)) channel_stop_listening, NULL);
! 131: }
! 132: /* Try to find a free slot where to put the new channel. */
! 133: for (found = -1, i = 0; i < channels_alloc; i++)
! 134: if (channels[i].type == SSH_CHANNEL_FREE) {
! 135: /* Found a free slot. */
! 136: found = i;
! 137: break;
! 138: }
! 139: if (found == -1) {
! 140: /* There are no free slots. Take last+1 slot and expand
! 141: the array. */
! 142: found = channels_alloc;
! 143: channels_alloc += 10;
! 144: debug("channel: expanding %d", channels_alloc);
! 145: channels = xrealloc(channels, channels_alloc * sizeof(Channel));
! 146: for (i = found; i < channels_alloc; i++)
! 147: channels[i].type = SSH_CHANNEL_FREE;
! 148: }
! 149: /* Initialize and return new channel number. */
! 150: c = &channels[found];
! 151: buffer_init(&c->input);
! 152: buffer_init(&c->output);
! 153: chan_init_iostates(c);
! 154: c->self = found;
! 155: c->type = type;
! 156: c->sock = sock;
! 157: c->remote_id = -1;
! 158: c->remote_name = remote_name;
! 159: debug("channel %d: new [%s]", found, remote_name);
! 160: return found;
1.1 deraadt 161: }
162:
163: /* Free the channel and close its socket. */
164:
1.25 ! markus 165: void
! 166: channel_free(int channel)
1.1 deraadt 167: {
1.25 ! markus 168: if (channel < 0 || channel >= channels_alloc ||
! 169: channels[channel].type == SSH_CHANNEL_FREE)
! 170: packet_disconnect("channel free: bad local channel %d", channel);
! 171:
! 172: if (compat13)
! 173: shutdown(channels[channel].sock, SHUT_RDWR);
! 174: close(channels[channel].sock);
! 175: buffer_free(&channels[channel].input);
! 176: buffer_free(&channels[channel].output);
! 177: channels[channel].type = SSH_CHANNEL_FREE;
! 178: if (channels[channel].remote_name) {
! 179: xfree(channels[channel].remote_name);
! 180: channels[channel].remote_name = NULL;
! 181: }
1.1 deraadt 182: }
183:
184: /* This is called just before select() to add any bits relevant to
185: channels in the select bitmasks. */
186:
1.25 ! markus 187: void
! 188: channel_prepare_select(fd_set * readset, fd_set * writeset)
1.1 deraadt 189: {
1.25 ! markus 190: int i;
! 191: Channel *ch;
! 192: unsigned char *ucp;
! 193: unsigned int proto_len, data_len;
! 194:
! 195: for (i = 0; i < channels_alloc; i++) {
! 196: ch = &channels[i];
! 197: redo:
! 198: switch (ch->type) {
! 199: case SSH_CHANNEL_X11_LISTENER:
! 200: case SSH_CHANNEL_PORT_LISTENER:
! 201: case SSH_CHANNEL_AUTH_SOCKET:
! 202: FD_SET(ch->sock, readset);
! 203: break;
! 204:
! 205: case SSH_CHANNEL_OPEN:
! 206: if (compat13) {
! 207: if (buffer_len(&ch->input) < packet_get_maxsize())
! 208: FD_SET(ch->sock, readset);
! 209: if (buffer_len(&ch->output) > 0)
! 210: FD_SET(ch->sock, writeset);
! 211: break;
! 212: }
! 213: /* test whether sockets are 'alive' for read/write */
! 214: if (ch->istate == CHAN_INPUT_OPEN)
! 215: if (buffer_len(&ch->input) < packet_get_maxsize())
! 216: FD_SET(ch->sock, readset);
! 217: if (ch->ostate == CHAN_OUTPUT_OPEN ||
! 218: ch->ostate == CHAN_OUTPUT_WAIT_DRAIN) {
! 219: if (buffer_len(&ch->output) > 0) {
! 220: FD_SET(ch->sock, writeset);
! 221: } else if (ch->ostate == CHAN_OUTPUT_WAIT_DRAIN) {
! 222: chan_obuf_empty(ch);
! 223: }
! 224: }
! 225: break;
! 226:
! 227: case SSH_CHANNEL_INPUT_DRAINING:
! 228: if (!compat13)
! 229: fatal("cannot happen: IN_DRAIN");
! 230: if (buffer_len(&ch->input) == 0) {
! 231: packet_start(SSH_MSG_CHANNEL_CLOSE);
! 232: packet_put_int(ch->remote_id);
! 233: packet_send();
! 234: ch->type = SSH_CHANNEL_CLOSED;
! 235: debug("Closing channel %d after input drain.", i);
! 236: break;
! 237: }
! 238: break;
! 239:
! 240: case SSH_CHANNEL_OUTPUT_DRAINING:
! 241: if (!compat13)
! 242: fatal("cannot happen: OUT_DRAIN");
! 243: if (buffer_len(&ch->output) == 0) {
! 244: channel_free(i);
! 245: break;
! 246: }
! 247: FD_SET(ch->sock, writeset);
! 248: break;
! 249:
! 250: case SSH_CHANNEL_X11_OPEN:
! 251: /* This is a special state for X11 authentication
! 252: spoofing. An opened X11 connection (when
! 253: authentication spoofing is being done) remains
! 254: in this state until the first packet has been
! 255: completely read. The authentication data in
! 256: that packet is then substituted by the real
! 257: data if it matches the fake data, and the
! 258: channel is put into normal mode. */
! 259:
! 260: /* Check if the fixed size part of the packet is in buffer. */
! 261: if (buffer_len(&ch->output) < 12)
! 262: break;
! 263:
! 264: /* Parse the lengths of variable-length fields. */
! 265: ucp = (unsigned char *) buffer_ptr(&ch->output);
! 266: if (ucp[0] == 0x42) { /* Byte order MSB first. */
! 267: proto_len = 256 * ucp[6] + ucp[7];
! 268: data_len = 256 * ucp[8] + ucp[9];
! 269: } else if (ucp[0] == 0x6c) { /* Byte order LSB first. */
! 270: proto_len = ucp[6] + 256 * ucp[7];
! 271: data_len = ucp[8] + 256 * ucp[9];
! 272: } else {
! 273: debug("Initial X11 packet contains bad byte order byte: 0x%x",
! 274: ucp[0]);
! 275: ch->type = SSH_CHANNEL_OPEN;
! 276: goto reject;
! 277: }
! 278:
! 279: /* Check if the whole packet is in buffer. */
! 280: if (buffer_len(&ch->output) <
! 281: 12 + ((proto_len + 3) & ~3) + ((data_len + 3) & ~3))
! 282: break;
! 283:
! 284: /* Check if authentication protocol matches. */
! 285: if (proto_len != strlen(x11_saved_proto) ||
! 286: memcmp(ucp + 12, x11_saved_proto, proto_len) != 0) {
! 287: debug("X11 connection uses different authentication protocol.");
! 288: ch->type = SSH_CHANNEL_OPEN;
! 289: goto reject;
! 290: }
! 291: /* Check if authentication data matches our fake data. */
! 292: if (data_len != x11_fake_data_len ||
! 293: memcmp(ucp + 12 + ((proto_len + 3) & ~3),
! 294: x11_fake_data, x11_fake_data_len) != 0) {
! 295: debug("X11 auth data does not match fake data.");
! 296: ch->type = SSH_CHANNEL_OPEN;
! 297: goto reject;
! 298: }
! 299: /* Check fake data length */
! 300: if (x11_fake_data_len != x11_saved_data_len) {
! 301: error("X11 fake_data_len %d != saved_data_len %d",
! 302: x11_fake_data_len, x11_saved_data_len);
! 303: ch->type = SSH_CHANNEL_OPEN;
! 304: goto reject;
! 305: }
! 306: /* Received authentication protocol and data match
! 307: our fake data. Substitute the fake data with
! 308: real data. */
! 309: memcpy(ucp + 12 + ((proto_len + 3) & ~3),
! 310: x11_saved_data, x11_saved_data_len);
! 311:
! 312: /* Start normal processing for the channel. */
! 313: ch->type = SSH_CHANNEL_OPEN;
! 314: goto redo;
! 315:
1.1 deraadt 316: reject:
1.25 ! markus 317: /* We have received an X11 connection that has bad
! 318: authentication information. */
! 319: log("X11 connection rejected because of wrong authentication.\r\n");
! 320: buffer_clear(&ch->input);
! 321: buffer_clear(&ch->output);
! 322: if (compat13) {
! 323: close(ch->sock);
! 324: ch->sock = -1;
! 325: ch->type = SSH_CHANNEL_CLOSED;
! 326: packet_start(SSH_MSG_CHANNEL_CLOSE);
! 327: packet_put_int(ch->remote_id);
! 328: packet_send();
! 329: } else {
! 330: debug("X11 rejected %d i%d/o%d", ch->self, ch->istate, ch->ostate);
! 331: chan_read_failed(ch);
! 332: chan_write_failed(ch);
! 333: debug("X11 rejected %d i%d/o%d", ch->self, ch->istate, ch->ostate);
! 334: }
! 335: break;
! 336:
! 337: case SSH_CHANNEL_FREE:
! 338: default:
! 339: continue;
! 340: }
1.1 deraadt 341: }
342: }
343:
344: /* After select, perform any appropriate operations for channels which
345: have events pending. */
346:
1.25 ! markus 347: void
! 348: channel_after_select(fd_set * readset, fd_set * writeset)
1.1 deraadt 349: {
1.25 ! markus 350: struct sockaddr addr;
! 351: int addrlen, newsock, i, newch, len;
! 352: Channel *ch;
! 353: char buf[16384], *remote_hostname;
! 354:
! 355: /* Loop over all channels... */
! 356: for (i = 0; i < channels_alloc; i++) {
! 357: ch = &channels[i];
! 358: switch (ch->type) {
! 359: case SSH_CHANNEL_X11_LISTENER:
! 360: /* This is our fake X11 server socket. */
! 361: if (FD_ISSET(ch->sock, readset)) {
! 362: debug("X11 connection requested.");
! 363: addrlen = sizeof(addr);
! 364: newsock = accept(ch->sock, &addr, &addrlen);
! 365: if (newsock < 0) {
! 366: error("accept: %.100s", strerror(errno));
! 367: break;
! 368: }
! 369: remote_hostname = get_remote_hostname(newsock);
! 370: snprintf(buf, sizeof buf, "X11 connection from %.200s port %d",
! 371: remote_hostname, get_peer_port(newsock));
! 372: xfree(remote_hostname);
! 373: newch = channel_allocate(SSH_CHANNEL_OPENING, newsock,
! 374: xstrdup(buf));
! 375: packet_start(SSH_SMSG_X11_OPEN);
! 376: packet_put_int(newch);
! 377: if (have_hostname_in_open)
! 378: packet_put_string(buf, strlen(buf));
! 379: packet_send();
! 380: }
! 381: break;
! 382:
! 383: case SSH_CHANNEL_PORT_LISTENER:
! 384: /* This socket is listening for connections to a
! 385: forwarded TCP/IP port. */
! 386: if (FD_ISSET(ch->sock, readset)) {
! 387: debug("Connection to port %d forwarding to %.100s:%d requested.",
! 388: ch->listening_port, ch->path, ch->host_port);
! 389: addrlen = sizeof(addr);
! 390: newsock = accept(ch->sock, &addr, &addrlen);
! 391: if (newsock < 0) {
! 392: error("accept: %.100s", strerror(errno));
! 393: break;
! 394: }
! 395: remote_hostname = get_remote_hostname(newsock);
! 396: snprintf(buf, sizeof buf, "listen port %d:%.100s:%d, connect from %.200s:%d",
! 397: ch->listening_port, ch->path, ch->host_port,
! 398: remote_hostname, get_peer_port(newsock));
! 399: xfree(remote_hostname);
! 400: newch = channel_allocate(SSH_CHANNEL_OPENING, newsock,
! 401: xstrdup(buf));
! 402: packet_start(SSH_MSG_PORT_OPEN);
! 403: packet_put_int(newch);
! 404: packet_put_string(ch->path, strlen(ch->path));
! 405: packet_put_int(ch->host_port);
! 406: if (have_hostname_in_open)
! 407: packet_put_string(buf, strlen(buf));
! 408: packet_send();
! 409: }
! 410: break;
! 411:
! 412: case SSH_CHANNEL_AUTH_SOCKET:
! 413: /* This is the authentication agent socket
! 414: listening for connections from clients. */
! 415: if (FD_ISSET(ch->sock, readset)) {
! 416: int nchan;
! 417: len = sizeof(addr);
! 418: newsock = accept(ch->sock, &addr, &len);
! 419: if (newsock < 0) {
! 420: error("accept from auth socket: %.100s", strerror(errno));
! 421: break;
! 422: }
! 423: nchan = channel_allocate(SSH_CHANNEL_OPENING, newsock,
! 424: xstrdup("accepted auth socket"));
! 425: packet_start(SSH_SMSG_AGENT_OPEN);
! 426: packet_put_int(nchan);
! 427: packet_send();
! 428: }
! 429: break;
! 430:
! 431: case SSH_CHANNEL_OPEN:
! 432: /* This is an open two-way communication channel.
! 433: It is not of interest to us at this point what
! 434: kind of data is being transmitted. */
! 435:
! 436: /* Read available incoming data and append it to
! 437: buffer; shutdown socket, if read or write
! 438: failes */
! 439: if (FD_ISSET(ch->sock, readset)) {
! 440: len = read(ch->sock, buf, sizeof(buf));
! 441: if (len <= 0) {
! 442: if (compat13) {
! 443: buffer_consume(&ch->output, buffer_len(&ch->output));
! 444: ch->type = SSH_CHANNEL_INPUT_DRAINING;
! 445: debug("Channel %d status set to input draining.", i);
! 446: } else {
! 447: chan_read_failed(ch);
! 448: }
! 449: break;
! 450: }
! 451: buffer_append(&ch->input, buf, len);
! 452: }
! 453: /* Send buffered output data to the socket. */
! 454: if (FD_ISSET(ch->sock, writeset) && buffer_len(&ch->output) > 0) {
! 455: len = write(ch->sock, buffer_ptr(&ch->output),
! 456: buffer_len(&ch->output));
! 457: if (len <= 0) {
! 458: if (compat13) {
! 459: buffer_consume(&ch->output, buffer_len(&ch->output));
! 460: debug("Channel %d status set to input draining.", i);
! 461: ch->type = SSH_CHANNEL_INPUT_DRAINING;
! 462: } else {
! 463: chan_write_failed(ch);
! 464: }
! 465: break;
! 466: }
! 467: buffer_consume(&ch->output, len);
! 468: }
! 469: break;
! 470:
! 471: case SSH_CHANNEL_OUTPUT_DRAINING:
! 472: if (!compat13)
! 473: fatal("cannot happen: OUT_DRAIN");
! 474: /* Send buffered output data to the socket. */
! 475: if (FD_ISSET(ch->sock, writeset) && buffer_len(&ch->output) > 0) {
! 476: len = write(ch->sock, buffer_ptr(&ch->output),
! 477: buffer_len(&ch->output));
! 478: if (len <= 0)
! 479: buffer_consume(&ch->output, buffer_len(&ch->output));
! 480: else
! 481: buffer_consume(&ch->output, len);
! 482: }
! 483: break;
! 484:
! 485: case SSH_CHANNEL_X11_OPEN:
! 486: case SSH_CHANNEL_FREE:
! 487: default:
! 488: continue;
1.1 deraadt 489: }
490: }
491: }
492:
493: /* If there is data to send to the connection, send some of it now. */
494:
1.25 ! markus 495: void
! 496: channel_output_poll()
1.1 deraadt 497: {
1.25 ! markus 498: int len, i;
! 499: Channel *ch;
1.1 deraadt 500:
1.25 ! markus 501: for (i = 0; i < channels_alloc; i++) {
! 502: ch = &channels[i];
! 503: /* We are only interested in channels that can have
! 504: buffered incoming data. */
! 505: if (ch->type != SSH_CHANNEL_OPEN &&
! 506: ch->type != SSH_CHANNEL_INPUT_DRAINING)
! 507: continue;
! 508:
! 509: /* Get the amount of buffered data for this channel. */
! 510: len = buffer_len(&ch->input);
! 511: if (len > 0) {
! 512: /* Send some data for the other side over the
! 513: secure connection. */
! 514: if (packet_is_interactive()) {
! 515: if (len > 1024)
! 516: len = 512;
! 517: } else {
! 518: /* Keep the packets at reasonable size. */
! 519: if (len > 16384)
! 520: len = 16384;
! 521: }
! 522: packet_start(SSH_MSG_CHANNEL_DATA);
! 523: packet_put_int(ch->remote_id);
! 524: packet_put_string(buffer_ptr(&ch->input), len);
! 525: packet_send();
! 526: buffer_consume(&ch->input, len);
! 527: } else if (ch->istate == CHAN_INPUT_WAIT_DRAIN) {
! 528: if (compat13)
! 529: fatal("cannot happen: istate == INPUT_WAIT_DRAIN for proto 1.3");
! 530: /* input-buffer is empty and read-socket shutdown:
! 531: tell peer, that we will not send more data:
! 532: send IEOF */
! 533: chan_ibuf_empty(ch);
! 534: }
! 535: }
1.1 deraadt 536: }
537:
538: /* This is called when a packet of type CHANNEL_DATA has just been received.
539: The message type has already been consumed, but channel number and data
540: is still there. */
541:
1.25 ! markus 542: void
! 543: channel_input_data(int payload_len)
1.1 deraadt 544: {
1.25 ! markus 545: int channel;
! 546: char *data;
! 547: unsigned int data_len;
! 548:
! 549: /* Get the channel number and verify it. */
! 550: channel = packet_get_int();
! 551: if (channel < 0 || channel >= channels_alloc ||
! 552: channels[channel].type == SSH_CHANNEL_FREE)
! 553: packet_disconnect("Received data for nonexistent channel %d.", channel);
! 554:
! 555: /* Ignore any data for non-open channels (might happen on close) */
! 556: if (channels[channel].type != SSH_CHANNEL_OPEN &&
! 557: channels[channel].type != SSH_CHANNEL_X11_OPEN)
! 558: return;
! 559:
! 560: /* Get the data. */
! 561: data = packet_get_string(&data_len);
! 562: packet_integrity_check(payload_len, 4 + 4 + data_len, SSH_MSG_CHANNEL_DATA);
! 563: buffer_append(&channels[channel].output, data, data_len);
! 564: xfree(data);
1.1 deraadt 565: }
566:
567: /* Returns true if no channel has too much buffered data, and false if
568: one or more channel is overfull. */
569:
1.25 ! markus 570: int
! 571: channel_not_very_much_buffered_data()
1.1 deraadt 572: {
1.25 ! markus 573: unsigned int i;
! 574: Channel *ch;
! 575:
! 576: for (i = 0; i < channels_alloc; i++) {
! 577: ch = &channels[i];
! 578: switch (ch->type) {
! 579: case SSH_CHANNEL_X11_LISTENER:
! 580: case SSH_CHANNEL_PORT_LISTENER:
! 581: case SSH_CHANNEL_AUTH_SOCKET:
! 582: continue;
! 583: case SSH_CHANNEL_OPEN:
! 584: if (buffer_len(&ch->input) > packet_get_maxsize())
! 585: return 0;
! 586: if (buffer_len(&ch->output) > packet_get_maxsize())
! 587: return 0;
! 588: continue;
! 589: case SSH_CHANNEL_INPUT_DRAINING:
! 590: case SSH_CHANNEL_OUTPUT_DRAINING:
! 591: case SSH_CHANNEL_X11_OPEN:
! 592: case SSH_CHANNEL_FREE:
! 593: default:
! 594: continue;
! 595: }
1.1 deraadt 596: }
1.25 ! markus 597: return 1;
1.1 deraadt 598: }
599:
1.14 markus 600: /* This is called after receiving CHANNEL_CLOSE/IEOF. */
1.1 deraadt 601:
1.25 ! markus 602: void
! 603: channel_input_close()
1.1 deraadt 604: {
1.25 ! markus 605: int channel;
1.1 deraadt 606:
1.25 ! markus 607: /* Get the channel number and verify it. */
! 608: channel = packet_get_int();
! 609: if (channel < 0 || channel >= channels_alloc ||
! 610: channels[channel].type == SSH_CHANNEL_FREE)
! 611: packet_disconnect("Received data for nonexistent channel %d.", channel);
! 612:
! 613: if (!compat13) {
! 614: /* proto version 1.5 overloads CLOSE with IEOF */
! 615: chan_rcvd_ieof(&channels[channel]);
! 616: return;
! 617: }
! 618: /* Send a confirmation that we have closed the channel and no more
! 619: data is coming for it. */
! 620: packet_start(SSH_MSG_CHANNEL_CLOSE_CONFIRMATION);
! 621: packet_put_int(channels[channel].remote_id);
! 622: packet_send();
! 623:
! 624: /* If the channel is in closed state, we have sent a close
! 625: request, and the other side will eventually respond with a
! 626: confirmation. Thus, we cannot free the channel here, because
! 627: then there would be no-one to receive the confirmation. The
! 628: channel gets freed when the confirmation arrives. */
! 629: if (channels[channel].type != SSH_CHANNEL_CLOSED) {
! 630: /* Not a closed channel - mark it as draining, which will
! 631: cause it to be freed later. */
! 632: buffer_consume(&channels[channel].input,
! 633: buffer_len(&channels[channel].input));
! 634: channels[channel].type = SSH_CHANNEL_OUTPUT_DRAINING;
! 635: }
1.1 deraadt 636: }
637:
1.14 markus 638: /* This is called after receiving CHANNEL_CLOSE_CONFIRMATION/OCLOSE. */
1.1 deraadt 639:
1.25 ! markus 640: void
! 641: channel_input_close_confirmation()
1.1 deraadt 642: {
1.25 ! markus 643: int channel;
1.1 deraadt 644:
1.25 ! markus 645: /* Get the channel number and verify it. */
! 646: channel = packet_get_int();
! 647: if (channel < 0 || channel >= channels_alloc)
! 648: packet_disconnect("Received close confirmation for out-of-range channel %d.",
! 649: channel);
! 650:
! 651: if (!compat13) {
! 652: /* proto version 1.5 overloads CLOSE_CONFIRMATION with OCLOSE */
! 653: chan_rcvd_oclose(&channels[channel]);
! 654: return;
! 655: }
! 656: if (channels[channel].type != SSH_CHANNEL_CLOSED)
! 657: packet_disconnect("Received close confirmation for non-closed channel %d (type %d).",
! 658: channel, channels[channel].type);
1.1 deraadt 659:
1.25 ! markus 660: /* Free the channel. */
! 661: channel_free(channel);
1.1 deraadt 662: }
663:
664: /* This is called after receiving CHANNEL_OPEN_CONFIRMATION. */
665:
1.25 ! markus 666: void
! 667: channel_input_open_confirmation()
1.1 deraadt 668: {
1.25 ! markus 669: int channel, remote_channel;
1.1 deraadt 670:
1.25 ! markus 671: /* Get the channel number and verify it. */
! 672: channel = packet_get_int();
! 673: if (channel < 0 || channel >= channels_alloc ||
! 674: channels[channel].type != SSH_CHANNEL_OPENING)
! 675: packet_disconnect("Received open confirmation for non-opening channel %d.",
! 676: channel);
! 677:
! 678: /* Get remote side's id for this channel. */
! 679: remote_channel = packet_get_int();
! 680:
! 681: /* Record the remote channel number and mark that the channel is
! 682: now open. */
! 683: channels[channel].remote_id = remote_channel;
! 684: channels[channel].type = SSH_CHANNEL_OPEN;
1.1 deraadt 685: }
686:
687: /* This is called after receiving CHANNEL_OPEN_FAILURE from the other side. */
688:
1.25 ! markus 689: void
! 690: channel_input_open_failure()
1.1 deraadt 691: {
1.25 ! markus 692: int channel;
! 693:
! 694: /* Get the channel number and verify it. */
! 695: channel = packet_get_int();
! 696: if (channel < 0 || channel >= channels_alloc ||
! 697: channels[channel].type != SSH_CHANNEL_OPENING)
! 698: packet_disconnect("Received open failure for non-opening channel %d.",
! 699: channel);
1.1 deraadt 700:
1.25 ! markus 701: /* Free the channel. This will also close the socket. */
! 702: channel_free(channel);
1.1 deraadt 703: }
704:
705: /* Stops listening for channels, and removes any unix domain sockets that
706: we might have. */
707:
1.25 ! markus 708: void
! 709: channel_stop_listening()
1.1 deraadt 710: {
1.25 ! markus 711: int i;
! 712: for (i = 0; i < channels_alloc; i++) {
! 713: switch (channels[i].type) {
! 714: case SSH_CHANNEL_AUTH_SOCKET:
! 715: close(channels[i].sock);
! 716: remove(channels[i].path);
! 717: channel_free(i);
! 718: break;
! 719: case SSH_CHANNEL_PORT_LISTENER:
! 720: case SSH_CHANNEL_X11_LISTENER:
! 721: close(channels[i].sock);
! 722: channel_free(i);
! 723: break;
! 724: default:
! 725: break;
! 726: }
1.1 deraadt 727: }
728: }
729:
730: /* Closes the sockets of all channels. This is used to close extra file
731: descriptors after a fork. */
732:
1.25 ! markus 733: void
! 734: channel_close_all()
1.1 deraadt 735: {
1.25 ! markus 736: int i;
! 737: for (i = 0; i < channels_alloc; i++) {
! 738: if (channels[i].type != SSH_CHANNEL_FREE)
! 739: close(channels[i].sock);
! 740: }
1.1 deraadt 741: }
742:
743: /* Returns the maximum file descriptor number used by the channels. */
744:
1.25 ! markus 745: int
! 746: channel_max_fd()
1.1 deraadt 747: {
1.25 ! markus 748: return channel_max_fd_value;
1.1 deraadt 749: }
750:
751: /* Returns true if any channel is still open. */
752:
1.25 ! markus 753: int
! 754: channel_still_open()
1.1 deraadt 755: {
1.25 ! markus 756: unsigned int i;
! 757: for (i = 0; i < channels_alloc; i++)
! 758: switch (channels[i].type) {
! 759: case SSH_CHANNEL_FREE:
! 760: case SSH_CHANNEL_X11_LISTENER:
! 761: case SSH_CHANNEL_PORT_LISTENER:
! 762: case SSH_CHANNEL_CLOSED:
! 763: case SSH_CHANNEL_AUTH_SOCKET:
! 764: continue;
! 765: case SSH_CHANNEL_OPENING:
! 766: case SSH_CHANNEL_OPEN:
! 767: case SSH_CHANNEL_X11_OPEN:
! 768: return 1;
! 769: case SSH_CHANNEL_INPUT_DRAINING:
! 770: case SSH_CHANNEL_OUTPUT_DRAINING:
! 771: if (!compat13)
! 772: fatal("cannot happen: OUT_DRAIN");
! 773: return 1;
! 774: default:
! 775: fatal("channel_still_open: bad channel type %d", channels[i].type);
! 776: /* NOTREACHED */
! 777: }
! 778: return 0;
1.1 deraadt 779: }
780:
781: /* Returns a message describing the currently open forwarded
782: connections, suitable for sending to the client. The message
783: contains crlf pairs for newlines. */
784:
1.25 ! markus 785: char *
! 786: channel_open_message()
1.1 deraadt 787: {
1.25 ! markus 788: Buffer buffer;
! 789: int i;
! 790: char buf[512], *cp;
! 791:
! 792: buffer_init(&buffer);
! 793: snprintf(buf, sizeof buf, "The following connections are open:\r\n");
1.1 deraadt 794: buffer_append(&buffer, buf, strlen(buf));
1.25 ! markus 795: for (i = 0; i < channels_alloc; i++) {
! 796: Channel *c = &channels[i];
! 797: switch (c->type) {
! 798: case SSH_CHANNEL_FREE:
! 799: case SSH_CHANNEL_X11_LISTENER:
! 800: case SSH_CHANNEL_PORT_LISTENER:
! 801: case SSH_CHANNEL_CLOSED:
! 802: case SSH_CHANNEL_AUTH_SOCKET:
! 803: continue;
! 804: case SSH_CHANNEL_OPENING:
! 805: case SSH_CHANNEL_OPEN:
! 806: case SSH_CHANNEL_X11_OPEN:
! 807: case SSH_CHANNEL_INPUT_DRAINING:
! 808: case SSH_CHANNEL_OUTPUT_DRAINING:
! 809: snprintf(buf, sizeof buf, " #%d %.300s (t%d r%d i%d o%d)\r\n",
! 810: c->self, c->remote_name,
! 811: c->type, c->remote_id, c->istate, c->ostate);
! 812: buffer_append(&buffer, buf, strlen(buf));
! 813: continue;
! 814: default:
! 815: fatal("channel_still_open: bad channel type %d", c->type);
! 816: /* NOTREACHED */
! 817: }
! 818: }
! 819: buffer_append(&buffer, "\0", 1);
! 820: cp = xstrdup(buffer_ptr(&buffer));
! 821: buffer_free(&buffer);
! 822: return cp;
1.1 deraadt 823: }
824:
825: /* Initiate forwarding of connections to local port "port" through the secure
826: channel to host:port from remote side. */
827:
1.25 ! markus 828: void
! 829: channel_request_local_forwarding(int port, const char *host,
! 830: int host_port)
! 831: {
! 832: int ch, sock;
! 833: struct sockaddr_in sin;
! 834: extern Options options;
! 835:
! 836: if (strlen(host) > sizeof(channels[0].path) - 1)
! 837: packet_disconnect("Forward host name too long.");
! 838:
! 839: /* Create a port to listen for the host. */
! 840: sock = socket(AF_INET, SOCK_STREAM, 0);
! 841: if (sock < 0)
! 842: packet_disconnect("socket: %.100s", strerror(errno));
! 843:
! 844: /* Initialize socket address. */
! 845: memset(&sin, 0, sizeof(sin));
! 846: sin.sin_family = AF_INET;
! 847: if (options.gateway_ports == 1)
! 848: sin.sin_addr.s_addr = htonl(INADDR_ANY);
! 849: else
! 850: sin.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
! 851: sin.sin_port = htons(port);
! 852:
! 853: /* Bind the socket to the address. */
! 854: if (bind(sock, (struct sockaddr *) & sin, sizeof(sin)) < 0)
! 855: packet_disconnect("bind: %.100s", strerror(errno));
! 856:
! 857: /* Start listening for connections on the socket. */
! 858: if (listen(sock, 5) < 0)
! 859: packet_disconnect("listen: %.100s", strerror(errno));
! 860:
! 861: /* Allocate a channel number for the socket. */
! 862: ch = channel_allocate(SSH_CHANNEL_PORT_LISTENER, sock,
! 863: xstrdup("port listener"));
! 864: strcpy(channels[ch].path, host);
! 865: channels[ch].host_port = host_port;
! 866: channels[ch].listening_port = port;
! 867: }
1.1 deraadt 868:
869: /* Initiate forwarding of connections to port "port" on remote host through
870: the secure channel to host:port from local side. */
871:
1.25 ! markus 872: void
! 873: channel_request_remote_forwarding(int port, const char *host,
! 874: int remote_port)
! 875: {
! 876: int payload_len;
! 877: /* Record locally that connection to this host/port is permitted. */
! 878: if (num_permitted_opens >= SSH_MAX_FORWARDS_PER_DIRECTION)
! 879: fatal("channel_request_remote_forwarding: too many forwards");
! 880:
! 881: permitted_opens[num_permitted_opens].host = xstrdup(host);
! 882: permitted_opens[num_permitted_opens].port = remote_port;
! 883: num_permitted_opens++;
! 884:
! 885: /* Send the forward request to the remote side. */
! 886: packet_start(SSH_CMSG_PORT_FORWARD_REQUEST);
! 887: packet_put_int(port);
! 888: packet_put_string(host, strlen(host));
! 889: packet_put_int(remote_port);
! 890: packet_send();
! 891: packet_write_wait();
! 892:
! 893: /* Wait for response from the remote side. It will send a
! 894: disconnect message on failure, and we will never see it here. */
! 895: packet_read_expect(&payload_len, SSH_SMSG_SUCCESS);
1.1 deraadt 896: }
897:
898: /* This is called after receiving CHANNEL_FORWARDING_REQUEST. This initates
899: listening for the port, and sends back a success reply (or disconnect
1.25 ! markus 900: message if there was an error). This never returns if there was an
1.1 deraadt 901: error. */
902:
1.25 ! markus 903: void
! 904: channel_input_port_forward_request(int is_root)
1.1 deraadt 905: {
1.25 ! markus 906: int port, host_port;
! 907: char *hostname;
1.1 deraadt 908:
1.25 ! markus 909: /* Get arguments from the packet. */
! 910: port = packet_get_int();
! 911: hostname = packet_get_string(NULL);
! 912: host_port = packet_get_int();
! 913:
! 914: /* Port numbers are 16 bit quantities. */
! 915: if ((port & 0xffff) != port)
! 916: packet_disconnect("Requested forwarding of nonexistent port %d.", port);
! 917:
! 918: /* Check that an unprivileged user is not trying to forward a
! 919: privileged port. */
! 920: if (port < IPPORT_RESERVED && !is_root)
! 921: packet_disconnect("Requested forwarding of port %d but user is not root.",
! 922: port);
1.1 deraadt 923:
1.25 ! markus 924: /* Initiate forwarding. */
! 925: channel_request_local_forwarding(port, hostname, host_port);
! 926:
! 927: /* Free the argument string. */
! 928: xfree(hostname);
1.1 deraadt 929: }
930:
931: /* This is called after receiving PORT_OPEN message. This attempts to connect
932: to the given host:port, and sends back CHANNEL_OPEN_CONFIRMATION or
933: CHANNEL_OPEN_FAILURE. */
934:
1.25 ! markus 935: void
! 936: channel_input_port_open(int payload_len)
1.1 deraadt 937: {
1.25 ! markus 938: int remote_channel, sock, newch, host_port, i;
! 939: struct sockaddr_in sin;
! 940: char *host, *originator_string;
! 941: struct hostent *hp;
! 942: int host_len, originator_len;
! 943:
! 944: /* Get remote channel number. */
! 945: remote_channel = packet_get_int();
! 946:
! 947: /* Get host name to connect to. */
! 948: host = packet_get_string(&host_len);
! 949:
! 950: /* Get port to connect to. */
! 951: host_port = packet_get_int();
! 952:
! 953: /* Get remote originator name. */
! 954: if (have_hostname_in_open)
! 955: originator_string = packet_get_string(&originator_len);
! 956: else
! 957: originator_string = xstrdup("unknown (remote did not supply name)");
! 958:
! 959: packet_integrity_check(payload_len,
! 960: 4 + 4 + host_len + 4 + 4 + originator_len,
! 961: SSH_MSG_PORT_OPEN);
! 962:
! 963: /* Check if opening that port is permitted. */
! 964: if (!all_opens_permitted) {
! 965: /* Go trough all permitted ports. */
! 966: for (i = 0; i < num_permitted_opens; i++)
! 967: if (permitted_opens[i].port == host_port &&
! 968: strcmp(permitted_opens[i].host, host) == 0)
! 969: break;
! 970:
! 971: /* Check if we found the requested port among those permitted. */
! 972: if (i >= num_permitted_opens) {
! 973: /* The port is not permitted. */
! 974: log("Received request to connect to %.100s:%d, but the request was denied.",
! 975: host, host_port);
! 976: packet_start(SSH_MSG_CHANNEL_OPEN_FAILURE);
! 977: packet_put_int(remote_channel);
! 978: packet_send();
! 979: }
! 980: }
! 981: memset(&sin, 0, sizeof(sin));
! 982: sin.sin_addr.s_addr = inet_addr(host);
! 983: if ((sin.sin_addr.s_addr & 0xffffffff) != 0xffffffff) {
! 984: /* It was a valid numeric host address. */
! 985: sin.sin_family = AF_INET;
! 986: } else {
! 987: /* Look up the host address from the name servers. */
! 988: hp = gethostbyname(host);
! 989: if (!hp) {
! 990: error("%.100s: unknown host.", host);
! 991: goto fail;
! 992: }
! 993: if (!hp->h_addr_list[0]) {
! 994: error("%.100s: host has no IP address.", host);
! 995: goto fail;
! 996: }
! 997: sin.sin_family = hp->h_addrtype;
! 998: memcpy(&sin.sin_addr, hp->h_addr_list[0],
! 999: sizeof(sin.sin_addr));
! 1000: }
! 1001: sin.sin_port = htons(host_port);
! 1002:
! 1003: /* Create the socket. */
! 1004: sock = socket(sin.sin_family, SOCK_STREAM, 0);
! 1005: if (sock < 0) {
! 1006: error("socket: %.100s", strerror(errno));
! 1007: goto fail;
! 1008: }
! 1009: /* Connect to the host/port. */
! 1010: if (connect(sock, (struct sockaddr *) & sin, sizeof(sin)) < 0) {
! 1011: error("connect %.100s:%d: %.100s", host, host_port,
! 1012: strerror(errno));
! 1013: close(sock);
! 1014: goto fail;
! 1015: }
! 1016: /* Successful connection. */
! 1017:
! 1018: /* Allocate a channel for this connection. */
! 1019: newch = channel_allocate(SSH_CHANNEL_OPEN, sock, originator_string);
! 1020: channels[newch].remote_id = remote_channel;
! 1021:
! 1022: /* Send a confirmation to the remote host. */
! 1023: packet_start(SSH_MSG_CHANNEL_OPEN_CONFIRMATION);
! 1024: packet_put_int(remote_channel);
! 1025: packet_put_int(newch);
! 1026: packet_send();
! 1027:
! 1028: /* Free the argument string. */
! 1029: xfree(host);
! 1030:
! 1031: return;
! 1032:
! 1033: fail:
! 1034: /* Free the argument string. */
! 1035: xfree(host);
! 1036:
! 1037: /* Send refusal to the remote host. */
! 1038: packet_start(SSH_MSG_CHANNEL_OPEN_FAILURE);
! 1039: packet_put_int(remote_channel);
! 1040: packet_send();
1.1 deraadt 1041: }
1042:
1.25 ! markus 1043: /* Creates an internet domain socket for listening for X11 connections.
1.1 deraadt 1044: Returns a suitable value for the DISPLAY variable, or NULL if an error
1045: occurs. */
1046:
1.25 ! markus 1047: char *
! 1048: x11_create_display_inet(int screen_number)
1.1 deraadt 1049: {
1.25 ! markus 1050: extern ServerOptions options;
! 1051: int display_number, port, sock;
! 1052: struct sockaddr_in sin;
! 1053: char buf[512];
! 1054: char hostname[MAXHOSTNAMELEN];
! 1055:
! 1056: for (display_number = options.x11_display_offset;
! 1057: display_number < MAX_DISPLAYS;
! 1058: display_number++) {
! 1059: port = 6000 + display_number;
! 1060: memset(&sin, 0, sizeof(sin));
! 1061: sin.sin_family = AF_INET;
! 1062: sin.sin_addr.s_addr = htonl(INADDR_ANY);
! 1063: sin.sin_port = htons(port);
! 1064:
! 1065: sock = socket(AF_INET, SOCK_STREAM, 0);
! 1066: if (sock < 0) {
! 1067: error("socket: %.100s", strerror(errno));
! 1068: return NULL;
! 1069: }
! 1070: if (bind(sock, (struct sockaddr *) & sin, sizeof(sin)) < 0) {
! 1071: debug("bind port %d: %.100s", port, strerror(errno));
! 1072: shutdown(sock, SHUT_RDWR);
! 1073: close(sock);
! 1074: continue;
! 1075: }
! 1076: break;
! 1077: }
! 1078: if (display_number >= MAX_DISPLAYS) {
! 1079: error("Failed to allocate internet-domain X11 display socket.");
! 1080: return NULL;
! 1081: }
! 1082: /* Start listening for connections on the socket. */
! 1083: if (listen(sock, 5) < 0) {
! 1084: error("listen: %.100s", strerror(errno));
! 1085: shutdown(sock, SHUT_RDWR);
! 1086: close(sock);
! 1087: return NULL;
! 1088: }
! 1089: /* Set up a suitable value for the DISPLAY variable. */
! 1090: if (gethostname(hostname, sizeof(hostname)) < 0)
! 1091: fatal("gethostname: %.100s", strerror(errno));
! 1092: snprintf(buf, sizeof buf, "%.400s:%d.%d", hostname,
! 1093: display_number, screen_number);
! 1094:
! 1095: /* Allocate a channel for the socket. */
! 1096: (void) channel_allocate(SSH_CHANNEL_X11_LISTENER, sock,
! 1097: xstrdup("X11 inet listener"));
1.1 deraadt 1098:
1.25 ! markus 1099: /* Return a suitable value for the DISPLAY environment variable. */
! 1100: return xstrdup(buf);
1.1 deraadt 1101: }
1102:
1103: #ifndef X_UNIX_PATH
1104: #define X_UNIX_PATH "/tmp/.X11-unix/X"
1105: #endif
1106:
1107: static
1108: int
1109: connect_local_xsocket(unsigned dnr)
1110: {
1.25 ! markus 1111: static const char *const x_sockets[] = {
! 1112: X_UNIX_PATH "%u",
! 1113: "/var/X/.X11-unix/X" "%u",
! 1114: "/usr/spool/sockets/X11/" "%u",
! 1115: NULL
! 1116: };
! 1117: int sock;
! 1118: struct sockaddr_un addr;
! 1119: const char *const * path;
! 1120:
! 1121: for (path = x_sockets; *path; ++path) {
! 1122: sock = socket(AF_UNIX, SOCK_STREAM, 0);
! 1123: if (sock < 0)
! 1124: error("socket: %.100s", strerror(errno));
! 1125: memset(&addr, 0, sizeof(addr));
! 1126: addr.sun_family = AF_UNIX;
! 1127: snprintf(addr.sun_path, sizeof addr.sun_path, *path, dnr);
! 1128: if (connect(sock, (struct sockaddr *) & addr, sizeof(addr)) == 0)
! 1129: return sock;
! 1130: close(sock);
! 1131: }
! 1132: error("connect %.100s: %.100s", addr.sun_path, strerror(errno));
! 1133: return -1;
1.1 deraadt 1134: }
1135:
1136:
1137: /* This is called when SSH_SMSG_X11_OPEN is received. The packet contains
1138: the remote channel number. We should do whatever we want, and respond
1139: with either SSH_MSG_OPEN_CONFIRMATION or SSH_MSG_OPEN_FAILURE. */
1140:
1.25 ! markus 1141: void
! 1142: x11_input_open(int payload_len)
1.1 deraadt 1143: {
1.25 ! markus 1144: int remote_channel, display_number, sock, newch;
! 1145: const char *display;
! 1146: struct sockaddr_in sin;
! 1147: char buf[1024], *cp, *remote_host;
! 1148: struct hostent *hp;
! 1149: int remote_len;
! 1150:
! 1151: /* Get remote channel number. */
! 1152: remote_channel = packet_get_int();
! 1153:
! 1154: /* Get remote originator name. */
! 1155: if (have_hostname_in_open)
! 1156: remote_host = packet_get_string(&remote_len);
! 1157: else
! 1158: remote_host = xstrdup("unknown (remote did not supply name)");
! 1159:
! 1160: debug("Received X11 open request.");
! 1161: packet_integrity_check(payload_len, 4 + 4 + remote_len, SSH_SMSG_X11_OPEN);
! 1162:
! 1163: /* Try to open a socket for the local X server. */
! 1164: display = getenv("DISPLAY");
! 1165: if (!display) {
! 1166: error("DISPLAY not set.");
! 1167: goto fail;
! 1168: }
! 1169: /* Now we decode the value of the DISPLAY variable and make a
! 1170: connection to the real X server. */
! 1171:
! 1172: /* Check if it is a unix domain socket. Unix domain displays are
! 1173: in one of the following formats: unix:d[.s], :d[.s], ::d[.s] */
! 1174: if (strncmp(display, "unix:", 5) == 0 ||
! 1175: display[0] == ':') {
! 1176: /* Connect to the unix domain socket. */
! 1177: if (sscanf(strrchr(display, ':') + 1, "%d", &display_number) != 1) {
! 1178: error("Could not parse display number from DISPLAY: %.100s",
! 1179: display);
! 1180: goto fail;
! 1181: }
! 1182: /* Create a socket. */
! 1183: sock = connect_local_xsocket(display_number);
! 1184: if (sock < 0)
! 1185: goto fail;
! 1186:
! 1187: /* OK, we now have a connection to the display. */
! 1188: goto success;
! 1189: }
! 1190: /* Connect to an inet socket. The DISPLAY value is supposedly
! 1191: hostname:d[.s], where hostname may also be numeric IP address. */
! 1192: strncpy(buf, display, sizeof(buf));
! 1193: buf[sizeof(buf) - 1] = 0;
! 1194: cp = strchr(buf, ':');
! 1195: if (!cp) {
! 1196: error("Could not find ':' in DISPLAY: %.100s", display);
! 1197: goto fail;
! 1198: }
! 1199: *cp = 0;
! 1200: /* buf now contains the host name. But first we parse the display
! 1201: number. */
! 1202: if (sscanf(cp + 1, "%d", &display_number) != 1) {
! 1203: error("Could not parse display number from DISPLAY: %.100s",
! 1204: display);
! 1205: goto fail;
! 1206: }
! 1207: /* Try to parse the host name as a numeric IP address. */
! 1208: memset(&sin, 0, sizeof(sin));
! 1209: sin.sin_addr.s_addr = inet_addr(buf);
! 1210: if ((sin.sin_addr.s_addr & 0xffffffff) != 0xffffffff) {
! 1211: /* It was a valid numeric host address. */
! 1212: sin.sin_family = AF_INET;
! 1213: } else {
! 1214: /* Not a numeric IP address. */
! 1215: /* Look up the host address from the name servers. */
! 1216: hp = gethostbyname(buf);
! 1217: if (!hp) {
! 1218: error("%.100s: unknown host.", buf);
! 1219: goto fail;
! 1220: }
! 1221: if (!hp->h_addr_list[0]) {
! 1222: error("%.100s: host has no IP address.", buf);
! 1223: goto fail;
! 1224: }
! 1225: sin.sin_family = hp->h_addrtype;
! 1226: memcpy(&sin.sin_addr, hp->h_addr_list[0],
! 1227: sizeof(sin.sin_addr));
! 1228: }
! 1229: /* Set port number. */
! 1230: sin.sin_port = htons(6000 + display_number);
! 1231:
! 1232: /* Create a socket. */
! 1233: sock = socket(sin.sin_family, SOCK_STREAM, 0);
! 1234: if (sock < 0) {
! 1235: error("socket: %.100s", strerror(errno));
! 1236: goto fail;
! 1237: }
! 1238: /* Connect it to the display. */
! 1239: if (connect(sock, (struct sockaddr *) & sin, sizeof(sin)) < 0) {
! 1240: error("connect %.100s:%d: %.100s", buf, 6000 + display_number,
! 1241: strerror(errno));
! 1242: close(sock);
! 1243: goto fail;
! 1244: }
! 1245: success:
! 1246: /* We have successfully obtained a connection to the real X display. */
! 1247:
! 1248: /* Allocate a channel for this connection. */
! 1249: if (x11_saved_proto == NULL)
! 1250: newch = channel_allocate(SSH_CHANNEL_OPEN, sock, remote_host);
! 1251: else
! 1252: newch = channel_allocate(SSH_CHANNEL_X11_OPEN, sock, remote_host);
! 1253: channels[newch].remote_id = remote_channel;
! 1254:
! 1255: /* Send a confirmation to the remote host. */
! 1256: packet_start(SSH_MSG_CHANNEL_OPEN_CONFIRMATION);
! 1257: packet_put_int(remote_channel);
! 1258: packet_put_int(newch);
! 1259: packet_send();
! 1260:
! 1261: return;
! 1262:
! 1263: fail:
! 1264: /* Send refusal to the remote host. */
! 1265: packet_start(SSH_MSG_CHANNEL_OPEN_FAILURE);
! 1266: packet_put_int(remote_channel);
! 1267: packet_send();
1.1 deraadt 1268: }
1269:
1270: /* Requests forwarding of X11 connections, generates fake authentication
1271: data, and enables authentication spoofing. */
1272:
1.25 ! markus 1273: void
! 1274: x11_request_forwarding_with_spoofing(const char *proto, const char *data)
1.1 deraadt 1275: {
1.25 ! markus 1276: unsigned int data_len = (unsigned int) strlen(data) / 2;
! 1277: unsigned int i, value;
! 1278: char *new_data;
! 1279: int screen_number;
! 1280: const char *cp;
! 1281: u_int32_t rand = 0;
! 1282:
! 1283: cp = getenv("DISPLAY");
! 1284: if (cp)
! 1285: cp = strchr(cp, ':');
! 1286: if (cp)
! 1287: cp = strchr(cp, '.');
! 1288: if (cp)
! 1289: screen_number = atoi(cp + 1);
! 1290: else
! 1291: screen_number = 0;
! 1292:
! 1293: /* Save protocol name. */
! 1294: x11_saved_proto = xstrdup(proto);
! 1295:
! 1296: /* Extract real authentication data and generate fake data of the
! 1297: same length. */
! 1298: x11_saved_data = xmalloc(data_len);
! 1299: x11_fake_data = xmalloc(data_len);
! 1300: for (i = 0; i < data_len; i++) {
! 1301: if (sscanf(data + 2 * i, "%2x", &value) != 1)
! 1302: fatal("x11_request_forwarding: bad authentication data: %.100s", data);
! 1303: if (i % 4 == 0)
! 1304: rand = arc4random();
! 1305: x11_saved_data[i] = value;
! 1306: x11_fake_data[i] = rand & 0xff;
! 1307: rand >>= 8;
! 1308: }
! 1309: x11_saved_data_len = data_len;
! 1310: x11_fake_data_len = data_len;
! 1311:
! 1312: /* Convert the fake data into hex. */
! 1313: new_data = xmalloc(2 * data_len + 1);
! 1314: for (i = 0; i < data_len; i++)
! 1315: sprintf(new_data + 2 * i, "%02x", (unsigned char) x11_fake_data[i]);
! 1316:
! 1317: /* Send the request packet. */
! 1318: packet_start(SSH_CMSG_X11_REQUEST_FORWARDING);
! 1319: packet_put_string(proto, strlen(proto));
! 1320: packet_put_string(new_data, strlen(new_data));
! 1321: packet_put_int(screen_number);
! 1322: packet_send();
! 1323: packet_write_wait();
! 1324: xfree(new_data);
1.1 deraadt 1325: }
1326:
1327: /* Sends a message to the server to request authentication fd forwarding. */
1328:
1.25 ! markus 1329: void
! 1330: auth_request_forwarding()
1.1 deraadt 1331: {
1.25 ! markus 1332: packet_start(SSH_CMSG_AGENT_REQUEST_FORWARDING);
! 1333: packet_send();
! 1334: packet_write_wait();
1.1 deraadt 1335: }
1336:
1337: /* Returns the name of the forwarded authentication socket. Returns NULL
1338: if there is no forwarded authentication socket. The returned value
1339: points to a static buffer. */
1340:
1.25 ! markus 1341: char *
! 1342: auth_get_socket_name()
1.1 deraadt 1343: {
1.25 ! markus 1344: return channel_forwarded_auth_socket_name;
1.1 deraadt 1345: }
1346:
1.12 markus 1347: /* removes the agent forwarding socket */
1348:
1.25 ! markus 1349: void
! 1350: cleanup_socket(void)
! 1351: {
! 1352: remove(channel_forwarded_auth_socket_name);
! 1353: rmdir(channel_forwarded_auth_socket_dir);
1.12 markus 1354: }
1355:
1.1 deraadt 1356: /* This if called to process SSH_CMSG_AGENT_REQUEST_FORWARDING on the server.
1357: This starts forwarding authentication requests. */
1358:
1.25 ! markus 1359: void
! 1360: auth_input_request_forwarding(struct passwd * pw)
1.1 deraadt 1361: {
1.25 ! markus 1362: int sock, newch;
! 1363: struct sockaddr_un sunaddr;
! 1364:
! 1365: if (auth_get_socket_name() != NULL)
! 1366: fatal("Protocol error: authentication forwarding requested twice.");
! 1367:
! 1368: /* Temporarily drop privileged uid for mkdir/bind. */
! 1369: temporarily_use_uid(pw->pw_uid);
! 1370:
! 1371: /* Allocate a buffer for the socket name, and format the name. */
! 1372: channel_forwarded_auth_socket_name = xmalloc(MAX_SOCKET_NAME);
! 1373: channel_forwarded_auth_socket_dir = xmalloc(MAX_SOCKET_NAME);
! 1374: strlcpy(channel_forwarded_auth_socket_dir, "/tmp/ssh-XXXXXXXX", MAX_SOCKET_NAME);
! 1375:
! 1376: /* Create private directory for socket */
! 1377: if (mkdtemp(channel_forwarded_auth_socket_dir) == NULL)
! 1378: packet_disconnect("mkdtemp: %.100s", strerror(errno));
! 1379: snprintf(channel_forwarded_auth_socket_name, MAX_SOCKET_NAME, "%s/agent.%d",
! 1380: channel_forwarded_auth_socket_dir, (int) getpid());
! 1381:
! 1382: if (atexit(cleanup_socket) < 0) {
! 1383: int saved = errno;
! 1384: cleanup_socket();
! 1385: packet_disconnect("socket: %.100s", strerror(saved));
! 1386: }
! 1387: /* Create the socket. */
! 1388: sock = socket(AF_UNIX, SOCK_STREAM, 0);
! 1389: if (sock < 0)
! 1390: packet_disconnect("socket: %.100s", strerror(errno));
! 1391:
! 1392: /* Bind it to the name. */
! 1393: memset(&sunaddr, 0, sizeof(sunaddr));
! 1394: sunaddr.sun_family = AF_UNIX;
! 1395: strncpy(sunaddr.sun_path, channel_forwarded_auth_socket_name,
! 1396: sizeof(sunaddr.sun_path));
! 1397:
! 1398: if (bind(sock, (struct sockaddr *) & sunaddr, sizeof(sunaddr)) < 0)
! 1399: packet_disconnect("bind: %.100s", strerror(errno));
! 1400:
! 1401: /* Restore the privileged uid. */
! 1402: restore_uid();
! 1403:
! 1404: /* Start listening on the socket. */
! 1405: if (listen(sock, 5) < 0)
! 1406: packet_disconnect("listen: %.100s", strerror(errno));
! 1407:
! 1408: /* Allocate a channel for the authentication agent socket. */
! 1409: newch = channel_allocate(SSH_CHANNEL_AUTH_SOCKET, sock,
! 1410: xstrdup("auth socket"));
! 1411: strcpy(channels[newch].path, channel_forwarded_auth_socket_name);
1.1 deraadt 1412: }
1413:
1414: /* This is called to process an SSH_SMSG_AGENT_OPEN message. */
1415:
1.25 ! markus 1416: void
! 1417: auth_input_open_request()
1.1 deraadt 1418: {
1.25 ! markus 1419: int remch, sock, newch;
! 1420: char *dummyname;
! 1421:
! 1422: /* Read the remote channel number from the message. */
! 1423: remch = packet_get_int();
! 1424:
! 1425: /* Get a connection to the local authentication agent (this may
! 1426: again get forwarded). */
! 1427: sock = ssh_get_authentication_socket();
! 1428:
! 1429: /* If we could not connect the agent, send an error message back
! 1430: to the server. This should never happen unless the agent dies,
! 1431: because authentication forwarding is only enabled if we have an
! 1432: agent. */
! 1433: if (sock < 0) {
! 1434: packet_start(SSH_MSG_CHANNEL_OPEN_FAILURE);
! 1435: packet_put_int(remch);
! 1436: packet_send();
! 1437: return;
! 1438: }
! 1439: debug("Forwarding authentication connection.");
1.1 deraadt 1440:
1.25 ! markus 1441: /* Dummy host name. This will be freed when the channel is freed;
! 1442: it will still be valid in the packet_put_string below since the
! 1443: channel cannot yet be freed at that point. */
! 1444: dummyname = xstrdup("authentication agent connection");
! 1445:
! 1446: newch = channel_allocate(SSH_CHANNEL_OPEN, sock, dummyname);
! 1447: channels[newch].remote_id = remch;
! 1448:
! 1449: /* Send a confirmation to the remote host. */
! 1450: packet_start(SSH_MSG_CHANNEL_OPEN_CONFIRMATION);
! 1451: packet_put_int(remch);
! 1452: packet_put_int(newch);
! 1453: packet_send();
1.1 deraadt 1454: }