Annotation of src/usr.bin/ssh/channels.c, Revision 1.3
1.1 deraadt 1: /*
2:
3: channels.c
4:
5: Author: Tatu Ylonen <ylo@cs.hut.fi>
6:
7: Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
8: All rights reserved
9:
10: Created: Fri Mar 24 16:35:24 1995 ylo
11:
12: This file contains functions for generic socket connection forwarding.
13: There is also code for initiating connection forwarding for X11 connections,
14: arbitrary tcp/ip connections, and the authentication agent connection.
15:
16: */
17:
18: #include "includes.h"
1.3 ! deraadt 19: RCSID("$Id: channels.c,v 1.2 1999/09/28 04:45:36 provos Exp $");
1.1 deraadt 20:
21: #ifndef HAVE_GETHOSTNAME
22: #include <sys/utsname.h>
23: #endif
24: #include "ssh.h"
25: #include "packet.h"
26: #include "xmalloc.h"
27: #include "buffer.h"
28: #include "authfd.h"
29: #include "uidswap.h"
1.3 ! deraadt 30: #include "servconf.h"
1.1 deraadt 31:
32: /* Maximum number of fake X11 displays to try. */
33: #define MAX_DISPLAYS 1000
34:
35: /* Definitions for channel types. */
36: #define SSH_CHANNEL_FREE 0 /* This channel is free (unused). */
37: #define SSH_CHANNEL_X11_LISTENER 1 /* Listening for inet X11 conn. */
38: #define SSH_CHANNEL_PORT_LISTENER 2 /* Listening on a port. */
39: #define SSH_CHANNEL_OPENING 3 /* waiting for confirmation */
40: #define SSH_CHANNEL_OPEN 4 /* normal open two-way channel */
41: #define SSH_CHANNEL_CLOSED 5 /* waiting for close confirmation */
42: #define SSH_CHANNEL_AUTH_FD 6 /* authentication fd */
43: #define SSH_CHANNEL_AUTH_SOCKET 7 /* authentication socket */
44: #define SSH_CHANNEL_AUTH_SOCKET_FD 8 /* connection to auth socket */
45: #define SSH_CHANNEL_X11_OPEN 9 /* reading first X11 packet */
46: #define SSH_CHANNEL_INPUT_DRAINING 10 /* sending remaining data to conn */
47: #define SSH_CHANNEL_OUTPUT_DRAINING 11 /* sending remaining data to app */
48:
49: /* Data structure for channel data. This is iniailized in channel_allocate
50: and cleared in channel_free. */
51:
52: typedef struct
53: {
54: int type;
55: int sock;
56: int remote_id;
57: Buffer input;
58: Buffer output;
59: char path[200]; /* path for unix domain sockets, or host name for forwards */
60: int host_port; /* port to connect for forwards */
61: int listening_port; /* port being listened for forwards */
62: char *remote_name;
63: } Channel;
64:
65: /* Pointer to an array containing all allocated channels. The array is
66: dynamically extended as needed. */
67: static Channel *channels = NULL;
68:
69: /* Size of the channel array. All slots of the array must always be
70: initialized (at least the type field); unused slots are marked with
71: type SSH_CHANNEL_FREE. */
72: static int channels_alloc = 0;
73:
74: /* Maximum file descriptor value used in any of the channels. This is updated
75: in channel_allocate. */
76: static int channel_max_fd_value = 0;
77:
78: /* These two variables are for authentication agent forwarding. */
79: static int channel_forwarded_auth_fd = -1;
80: static char *channel_forwarded_auth_socket_name = NULL;
81:
82: /* Saved X11 authentication protocol name. */
83: char *x11_saved_proto = NULL;
84:
85: /* Saved X11 authentication data. This is the real data. */
86: char *x11_saved_data = NULL;
87: unsigned int x11_saved_data_len = 0;
88:
89: /* Fake X11 authentication data. This is what the server will be sending
90: us; we should replace any occurrences of this by the real data. */
91: char *x11_fake_data = NULL;
92: unsigned int x11_fake_data_len;
93:
94: /* Data structure for storing which hosts are permitted for forward requests.
95: The local sides of any remote forwards are stored in this array to prevent
96: a corrupt remote server from accessing arbitrary TCP/IP ports on our
97: local network (which might be behind a firewall). */
98: typedef struct
99: {
100: char *host; /* Host name. */
101: int port; /* Port number. */
102: } ForwardPermission;
103:
104: /* List of all permitted host/port pairs to connect. */
105: static ForwardPermission permitted_opens[SSH_MAX_FORWARDS_PER_DIRECTION];
106: /* Number of permitted host/port pairs in the array. */
107: static int num_permitted_opens = 0;
108: /* If this is true, all opens are permitted. This is the case on the
109: server on which we have to trust the client anyway, and the user could
110: do anything after logging in anyway. */
111: static int all_opens_permitted = 0;
112:
113: /* This is set to true if both sides support SSH_PROTOFLAG_HOST_IN_FWD_OPEN. */
114: static int have_hostname_in_open = 0;
115:
116: /* Sets specific protocol options. */
117:
118: void channel_set_options(int hostname_in_open)
119: {
120: have_hostname_in_open = hostname_in_open;
121: }
122:
123: /* Permits opening to any host/port in SSH_MSG_PORT_OPEN. This is usually
124: called by the server, because the user could connect to any port anyway,
125: and the server has no way to know but to trust the client anyway. */
126:
127: void channel_permit_all_opens()
128: {
129: all_opens_permitted = 1;
130: }
131:
132: /* Allocate a new channel object and set its type and socket.
133: This will cause remote_name to be freed. */
134:
135: int channel_allocate(int type, int sock, char *remote_name)
136: {
137: int i, old_channels;
138:
139: /* Update the maximum file descriptor value. */
140: if (sock > channel_max_fd_value)
141: channel_max_fd_value = sock;
142:
143: /* Do initial allocation if this is the first call. */
144: if (channels_alloc == 0)
145: {
146: channels_alloc = 10;
147: channels = xmalloc(channels_alloc * sizeof(Channel));
148: for (i = 0; i < channels_alloc; i++)
149: channels[i].type = SSH_CHANNEL_FREE;
150:
151: /* Kludge: arrange a call to channel_stop_listening if we terminate
152: with fatal(). */
153: fatal_add_cleanup((void (*)(void *))channel_stop_listening, NULL);
154: }
155:
156: /* Try to find a free slot where to put the new channel. */
157: for (i = 0; i < channels_alloc; i++)
158: if (channels[i].type == SSH_CHANNEL_FREE)
159: {
160: /* Found a free slot. Initialize the fields and return its number. */
161: buffer_init(&channels[i].input);
162: buffer_init(&channels[i].output);
163: channels[i].type = type;
164: channels[i].sock = sock;
165: channels[i].remote_id = -1;
166: channels[i].remote_name = remote_name;
167: return i;
168: }
169:
170: /* There are no free slots. Must expand the array. */
171: old_channels = channels_alloc;
172: channels_alloc += 10;
173: channels = xrealloc(channels, channels_alloc * sizeof(Channel));
174: for (i = old_channels; i < channels_alloc; i++)
175: channels[i].type = SSH_CHANNEL_FREE;
176:
177: /* We know that the next one after the old maximum channel number is now
178: available. Initialize and return its number. */
179: buffer_init(&channels[old_channels].input);
180: buffer_init(&channels[old_channels].output);
181: channels[old_channels].type = type;
182: channels[old_channels].sock = sock;
183: channels[old_channels].remote_id = -1;
184: channels[old_channels].remote_name = remote_name;
185: return old_channels;
186: }
187:
188: /* Free the channel and close its socket. */
189:
190: void channel_free(int channel)
191: {
192: assert(channel >= 0 && channel < channels_alloc &&
193: channels[channel].type != SSH_CHANNEL_FREE);
194: shutdown(channels[channel].sock, 2);
195: close(channels[channel].sock);
196: buffer_free(&channels[channel].input);
197: buffer_free(&channels[channel].output);
198: channels[channel].type = SSH_CHANNEL_FREE;
199: if (channels[channel].remote_name)
200: {
201: xfree(channels[channel].remote_name);
202: channels[channel].remote_name = NULL;
203: }
204: }
205:
206: /* This is called just before select() to add any bits relevant to
207: channels in the select bitmasks. */
208:
209: void channel_prepare_select(fd_set *readset, fd_set *writeset)
210: {
211: int i;
212: Channel *ch;
213: unsigned char *ucp;
214: unsigned int proto_len, data_len;
215:
216: for (i = 0; i < channels_alloc; i++)
217: {
218: ch = &channels[i];
219: redo:
220: switch (ch->type)
221: {
222: case SSH_CHANNEL_X11_LISTENER:
223: case SSH_CHANNEL_PORT_LISTENER:
224: case SSH_CHANNEL_AUTH_SOCKET:
225: case SSH_CHANNEL_AUTH_SOCKET_FD:
226: case SSH_CHANNEL_AUTH_FD:
227: FD_SET(ch->sock, readset);
228: break;
229:
230: case SSH_CHANNEL_OPEN:
231: if (buffer_len(&ch->input) < 32768)
232: FD_SET(ch->sock, readset);
233: if (buffer_len(&ch->output) > 0)
234: FD_SET(ch->sock, writeset);
235: break;
236:
237: case SSH_CHANNEL_INPUT_DRAINING:
238: if (buffer_len(&ch->input) == 0)
239: {
240: packet_start(SSH_MSG_CHANNEL_CLOSE);
241: packet_put_int(ch->remote_id);
242: packet_send();
243: ch->type = SSH_CHANNEL_CLOSED;
244: debug("Closing channel %d after input drain.", i);
245: break;
246: }
247: break;
248:
249: case SSH_CHANNEL_OUTPUT_DRAINING:
250: if (buffer_len(&ch->output) == 0)
251: {
252: /* debug("Freeing channel %d after output drain.", i); */
253: channel_free(i);
254: break;
255: }
256: FD_SET(ch->sock, writeset);
257: break;
258:
259: case SSH_CHANNEL_X11_OPEN:
260: /* This is a special state for X11 authentication spoofing. An
261: opened X11 connection (when authentication spoofing is being
262: done) remains in this state until the first packet has been
263: completely read. The authentication data in that packet is
264: then substituted by the real data if it matches the fake data,
265: and the channel is put into normal mode. */
266:
267: /* Check if the fixed size part of the packet is in buffer. */
268: if (buffer_len(&ch->output) < 12)
269: break;
270:
271: /* Parse the lengths of variable-length fields. */
272: ucp = (unsigned char *)buffer_ptr(&ch->output);
273: if (ucp[0] == 0x42)
274: { /* Byte order MSB first. */
275: proto_len = 256 * ucp[6] + ucp[7];
276: data_len = 256 * ucp[8] + ucp[9];
277: }
278: else
279: if (ucp[0] == 0x6c)
280: { /* Byte order LSB first. */
281: proto_len = ucp[6] + 256 * ucp[7];
282: data_len = ucp[8] + 256 * ucp[9];
283: }
284: else
285: {
286: debug("Initial X11 packet contains bad byte order byte: 0x%x",
287: ucp[0]);
288: ch->type = SSH_CHANNEL_OPEN;
289: goto reject;
290: }
291:
292: /* Check if the whole packet is in buffer. */
293: if (buffer_len(&ch->output) <
294: 12 + ((proto_len + 3) & ~3) + ((data_len + 3) & ~3))
295: break;
296:
297: /* Check if authentication protocol matches. */
298: if (proto_len != strlen(x11_saved_proto) ||
299: memcmp(ucp + 12, x11_saved_proto, proto_len) != 0)
300: {
301: debug("X11 connection uses different authentication protocol.");
302: ch->type = SSH_CHANNEL_OPEN;
303: goto reject;
304: }
305:
306: /* Check if authentication data matches our fake data. */
307: if (data_len != x11_fake_data_len ||
308: memcmp(ucp + 12 + ((proto_len + 3) & ~3),
309: x11_fake_data, x11_fake_data_len) != 0)
310: {
311: debug("X11 auth data does not match fake data.");
312: ch->type = SSH_CHANNEL_OPEN;
313: goto reject;
314: }
315:
316: /* Received authentication protocol and data match our fake data.
317: Substitute the fake data with real data. */
318: assert(x11_fake_data_len == x11_saved_data_len);
319: memcpy(ucp + 12 + ((proto_len + 3) & ~3),
320: x11_saved_data, x11_saved_data_len);
321:
322: /* Start normal processing for the channel. */
323: ch->type = SSH_CHANNEL_OPEN;
324: goto redo;
325:
326: reject:
327: /* We have received an X11 connection that has bad authentication
328: information. */
329: log("X11 connection rejected because of wrong authentication.\r\n");
330: buffer_clear(&ch->input);
331: buffer_clear(&ch->output);
332: close(ch->sock);
333: ch->sock = -1;
334: ch->type = SSH_CHANNEL_CLOSED;
335: packet_start(SSH_MSG_CHANNEL_CLOSE);
336: packet_put_int(ch->remote_id);
337: packet_send();
338: break;
339:
340: case SSH_CHANNEL_FREE:
341: default:
342: continue;
343: }
344: }
345: }
346:
347: /* After select, perform any appropriate operations for channels which
348: have events pending. */
349:
350: void channel_after_select(fd_set *readset, fd_set *writeset)
351: {
352: struct sockaddr addr;
353: int addrlen, newsock, i, newch, len, port;
354: Channel *ch;
355: char buf[16384], *remote_hostname;
356:
357: /* Loop over all channels... */
358: for (i = 0; i < channels_alloc; i++)
359: {
360: ch = &channels[i];
361: switch (ch->type)
362: {
363: case SSH_CHANNEL_X11_LISTENER:
364: /* This is our fake X11 server socket. */
365: if (FD_ISSET(ch->sock, readset))
366: {
367: debug("X11 connection requested.");
368: addrlen = sizeof(addr);
369: newsock = accept(ch->sock, &addr, &addrlen);
370: if (newsock < 0)
371: {
372: error("accept: %.100s", strerror(errno));
373: break;
374: }
375: remote_hostname = get_remote_hostname(newsock);
376: sprintf(buf, "X11 connection from %.200s port %d",
377: remote_hostname, get_peer_port(newsock));
378: xfree(remote_hostname);
379: newch = channel_allocate(SSH_CHANNEL_OPENING, newsock,
380: xstrdup(buf));
381: packet_start(SSH_SMSG_X11_OPEN);
382: packet_put_int(newch);
383: if (have_hostname_in_open)
384: packet_put_string(buf, strlen(buf));
385: packet_send();
386: }
387: break;
388:
389: case SSH_CHANNEL_PORT_LISTENER:
390: /* This socket is listening for connections to a forwarded TCP/IP
391: port. */
392: if (FD_ISSET(ch->sock, readset))
393: {
394: debug("Connection to port %d forwarding to %.100s:%d requested.",
395: ch->listening_port, ch->path, ch->host_port);
396: addrlen = sizeof(addr);
397: newsock = accept(ch->sock, &addr, &addrlen);
398: if (newsock < 0)
399: {
400: error("accept: %.100s", strerror(errno));
401: break;
402: }
403: remote_hostname = get_remote_hostname(newsock);
404: sprintf(buf, "port %d, connection from %.200s port %d",
405: ch->listening_port, remote_hostname,
406: get_peer_port(newsock));
407: xfree(remote_hostname);
408: newch = channel_allocate(SSH_CHANNEL_OPENING, newsock,
409: xstrdup(buf));
410: packet_start(SSH_MSG_PORT_OPEN);
411: packet_put_int(newch);
412: packet_put_string(ch->path, strlen(ch->path));
413: packet_put_int(ch->host_port);
414: if (have_hostname_in_open)
415: packet_put_string(buf, strlen(buf));
416: packet_send();
417: }
418: break;
419:
420: case SSH_CHANNEL_AUTH_FD:
421: /* This is the authentication agent file descriptor. It is used to
422: obtain the real connection to the agent. */
423: case SSH_CHANNEL_AUTH_SOCKET_FD:
424: /* This is the temporary connection obtained by connecting the
425: authentication agent socket. */
426: if (FD_ISSET(ch->sock, readset))
427: {
428: len = recv(ch->sock, buf, sizeof(buf), 0);
429: if (len <= 0)
430: {
431: channel_free(i);
432: break;
433: }
434: if (len != 3 || (unsigned char)buf[0] != SSH_AUTHFD_CONNECT)
435: break; /* Ignore any messages of wrong length or type. */
436: port = 256 * (unsigned char)buf[1] + (unsigned char)buf[2];
437: packet_start(SSH_SMSG_AGENT_OPEN);
438: packet_put_int(port);
439: packet_send();
440: }
441: break;
442:
443: case SSH_CHANNEL_AUTH_SOCKET:
444: /* This is the authentication agent socket listening for connections
445: from clients. */
446: if (FD_ISSET(ch->sock, readset))
447: {
448: len = sizeof(addr);
449: newsock = accept(ch->sock, &addr, &len);
450: if (newsock < 0)
451: error("Accept from authentication socket failed");
452: (void)channel_allocate(SSH_CHANNEL_AUTH_SOCKET_FD, newsock,
453: xstrdup("accepted auth socket"));
454: }
455: break;
456:
457: case SSH_CHANNEL_OPEN:
458: /* This is an open two-way communication channel. It is not of
459: interest to us at this point what kind of data is being
460: transmitted. */
461: /* Read available incoming data and append it to buffer. */
462: if (FD_ISSET(ch->sock, readset))
463: {
464: len = read(ch->sock, buf, sizeof(buf));
465: if (len <= 0)
466: {
467: buffer_consume(&ch->output, buffer_len(&ch->output));
468: ch->type = SSH_CHANNEL_INPUT_DRAINING;
469: debug("Channel %d status set to input draining.", i);
470: break;
471: }
472: buffer_append(&ch->input, buf, len);
473: }
474: /* Send buffered output data to the socket. */
475: if (FD_ISSET(ch->sock, writeset) && buffer_len(&ch->output) > 0)
476: {
477: len = write(ch->sock, buffer_ptr(&ch->output),
478: buffer_len(&ch->output));
479: if (len <= 0)
480: {
481: buffer_consume(&ch->output, buffer_len(&ch->output));
482: debug("Channel %d status set to input draining.", i);
483: ch->type = SSH_CHANNEL_INPUT_DRAINING;
484: break;
485: }
486: buffer_consume(&ch->output, len);
487: }
488: break;
489:
490: case SSH_CHANNEL_OUTPUT_DRAINING:
491: /* Send buffered output data to the socket. */
492: if (FD_ISSET(ch->sock, writeset) && buffer_len(&ch->output) > 0)
493: {
494: len = write(ch->sock, buffer_ptr(&ch->output),
495: buffer_len(&ch->output));
496: if (len <= 0)
497: buffer_consume(&ch->output, buffer_len(&ch->output));
498: else
499: buffer_consume(&ch->output, len);
500: }
501: break;
502:
503: case SSH_CHANNEL_X11_OPEN:
504: case SSH_CHANNEL_FREE:
505: default:
506: continue;
507: }
508: }
509: }
510:
511: /* If there is data to send to the connection, send some of it now. */
512:
513: void channel_output_poll()
514: {
515: int len, i;
516: Channel *ch;
517:
518: for (i = 0; i < channels_alloc; i++)
519: {
520: ch = &channels[i];
521: /* We are only interested in channels that can have buffered incoming
522: data. */
523: if (ch->type != SSH_CHANNEL_OPEN &&
524: ch->type != SSH_CHANNEL_INPUT_DRAINING)
525: continue;
526:
527: /* Get the amount of buffered data for this channel. */
528: len = buffer_len(&ch->input);
529: if (len > 0)
530: {
531: /* Send some data for the other side over the secure connection. */
532: if (packet_is_interactive())
533: {
534: if (len > 1024)
535: len = 512;
536: }
537: else
538: {
539: if (len > 16384)
540: len = 16384; /* Keep the packets at reasonable size. */
541: }
542: packet_start(SSH_MSG_CHANNEL_DATA);
543: packet_put_int(ch->remote_id);
544: packet_put_string(buffer_ptr(&ch->input), len);
545: packet_send();
546: buffer_consume(&ch->input, len);
547: }
548: }
549: }
550:
551: /* This is called when a packet of type CHANNEL_DATA has just been received.
552: The message type has already been consumed, but channel number and data
553: is still there. */
554:
555: void channel_input_data(int payload_len)
556: {
557: int channel;
558: char *data;
559: unsigned int data_len;
560:
561: /* Get the channel number and verify it. */
562: channel = packet_get_int();
563: if (channel < 0 || channel >= channels_alloc ||
564: channels[channel].type == SSH_CHANNEL_FREE)
565: packet_disconnect("Received data for nonexistent channel %d.", channel);
566:
567: /* Ignore any data for non-open channels (might happen on close) */
568: if (channels[channel].type != SSH_CHANNEL_OPEN &&
569: channels[channel].type != SSH_CHANNEL_X11_OPEN)
570: return;
571:
572: /* Get the data. */
573: data = packet_get_string(&data_len);
574: packet_integrity_check(payload_len, 4 + 4+data_len, SSH_MSG_CHANNEL_DATA);
575: buffer_append(&channels[channel].output, data, data_len);
576: xfree(data);
577: }
578:
579: /* Returns true if no channel has too much buffered data, and false if
580: one or more channel is overfull. */
581:
582: int channel_not_very_much_buffered_data()
583: {
584: unsigned int i;
585: Channel *ch;
586:
587: for (i = 0; i < channels_alloc; i++)
588: {
589: ch = &channels[i];
590: switch (channels[i].type)
591: {
592: case SSH_CHANNEL_X11_LISTENER:
593: case SSH_CHANNEL_PORT_LISTENER:
594: case SSH_CHANNEL_AUTH_SOCKET:
595: case SSH_CHANNEL_AUTH_SOCKET_FD:
596: case SSH_CHANNEL_AUTH_FD:
597: continue;
598: case SSH_CHANNEL_OPEN:
599: if (buffer_len(&ch->input) > 32768)
600: return 0;
601: if (buffer_len(&ch->output) > 32768)
602: return 0;
603: continue;
604: case SSH_CHANNEL_INPUT_DRAINING:
605: case SSH_CHANNEL_OUTPUT_DRAINING:
606: case SSH_CHANNEL_X11_OPEN:
607: case SSH_CHANNEL_FREE:
608: default:
609: continue;
610: }
611: }
612: return 1;
613: }
614:
615: /* This is called after receiving CHANNEL_CLOSE. */
616:
617: void channel_input_close()
618: {
619: int channel;
620:
621: /* Get the channel number and verify it. */
622: channel = packet_get_int();
623: if (channel < 0 || channel >= channels_alloc ||
624: channels[channel].type == SSH_CHANNEL_FREE)
625: packet_disconnect("Received data for nonexistent channel %d.", channel);
626:
627: /* Send a confirmation that we have closed the channel and no more data is
628: coming for it. */
629: packet_start(SSH_MSG_CHANNEL_CLOSE_CONFIRMATION);
630: packet_put_int(channels[channel].remote_id);
631: packet_send();
632:
633: /* If the channel is in closed state, we have sent a close request, and
634: the other side will eventually respond with a confirmation. Thus,
635: we cannot free the channel here, because then there would be no-one to
636: receive the confirmation. The channel gets freed when the confirmation
637: arrives. */
638: if (channels[channel].type != SSH_CHANNEL_CLOSED)
639: {
640: /* Not a closed channel - mark it as draining, which will cause it to
641: be freed later. */
642: buffer_consume(&channels[channel].input,
643: buffer_len(&channels[channel].input));
644: channels[channel].type = SSH_CHANNEL_OUTPUT_DRAINING;
645: /* debug("Setting status to output draining; output len = %d",
646: buffer_len(&channels[channel].output)); */
647: }
648: }
649:
650: /* This is called after receiving CHANNEL_CLOSE_CONFIRMATION. */
651:
652: void channel_input_close_confirmation()
653: {
654: int channel;
655:
656: /* Get the channel number and verify it. */
657: channel = packet_get_int();
658: if (channel < 0 || channel >= channels_alloc)
659: packet_disconnect("Received close confirmation for out-of-range channel %d.",
660: channel);
661: if (channels[channel].type != SSH_CHANNEL_CLOSED)
662: packet_disconnect("Received close confirmation for non-closed channel %d (type %d).",
663: channel, channels[channel].type);
664:
665: /* Free the channel. */
666: channel_free(channel);
667: }
668:
669: /* This is called after receiving CHANNEL_OPEN_CONFIRMATION. */
670:
671: void channel_input_open_confirmation()
672: {
673: int channel, remote_channel;
674:
675: /* Get the channel number and verify it. */
676: channel = packet_get_int();
677: if (channel < 0 || channel >= channels_alloc ||
678: channels[channel].type != SSH_CHANNEL_OPENING)
679: packet_disconnect("Received open confirmation for non-opening channel %d.",
680: channel);
681:
682: /* Get remote side's id for this channel. */
683: remote_channel = packet_get_int();
684:
685: /* Record the remote channel number and mark that the channel is now open. */
686: channels[channel].remote_id = remote_channel;
687: channels[channel].type = SSH_CHANNEL_OPEN;
688: }
689:
690: /* This is called after receiving CHANNEL_OPEN_FAILURE from the other side. */
691:
692: void channel_input_open_failure()
693: {
694: int channel;
695:
696: /* Get the channel number and verify it. */
697: channel = packet_get_int();
698: if (channel < 0 || channel >= channels_alloc ||
699: channels[channel].type != SSH_CHANNEL_OPENING)
700: packet_disconnect("Received open failure for non-opening channel %d.",
701: channel);
702:
703: /* Free the channel. This will also close the socket. */
704: channel_free(channel);
705: }
706:
707: /* Stops listening for channels, and removes any unix domain sockets that
708: we might have. */
709:
710: void channel_stop_listening()
711: {
712: int i;
713: for (i = 0; i < channels_alloc; i++)
714: {
715: switch (channels[i].type)
716: {
717: case SSH_CHANNEL_AUTH_SOCKET:
718: close(channels[i].sock);
719: remove(channels[i].path);
720: channel_free(i);
721: break;
722: case SSH_CHANNEL_PORT_LISTENER:
723: case SSH_CHANNEL_X11_LISTENER:
724: close(channels[i].sock);
725: channel_free(i);
726: break;
727: default:
728: break;
729: }
730: }
731: }
732:
733: /* Closes the sockets of all channels. This is used to close extra file
734: descriptors after a fork. */
735:
736: void channel_close_all()
737: {
738: int i;
739: for (i = 0; i < channels_alloc; i++)
740: {
741: if (channels[i].type != SSH_CHANNEL_FREE)
742: close(channels[i].sock);
743: }
744: }
745:
746: /* Returns the maximum file descriptor number used by the channels. */
747:
748: int channel_max_fd()
749: {
750: return channel_max_fd_value;
751: }
752:
753: /* Returns true if any channel is still open. */
754:
755: int channel_still_open()
756: {
757: unsigned int i;
758: for (i = 0; i < channels_alloc; i++)
759: switch (channels[i].type)
760: {
761: case SSH_CHANNEL_FREE:
762: case SSH_CHANNEL_X11_LISTENER:
763: case SSH_CHANNEL_PORT_LISTENER:
764: case SSH_CHANNEL_CLOSED:
765: case SSH_CHANNEL_AUTH_FD:
766: case SSH_CHANNEL_AUTH_SOCKET:
767: case SSH_CHANNEL_AUTH_SOCKET_FD:
768: continue;
769: case SSH_CHANNEL_OPENING:
770: case SSH_CHANNEL_OPEN:
771: case SSH_CHANNEL_X11_OPEN:
772: case SSH_CHANNEL_INPUT_DRAINING:
773: case SSH_CHANNEL_OUTPUT_DRAINING:
774: return 1;
775: default:
776: fatal("channel_still_open: bad channel type %d", channels[i].type);
777: /*NOTREACHED*/
778: }
779: return 0;
780: }
781:
782: /* Returns a message describing the currently open forwarded
783: connections, suitable for sending to the client. The message
784: contains crlf pairs for newlines. */
785:
786: char *channel_open_message()
787: {
788: Buffer buffer;
789: int i;
790: char buf[512], *cp;
791:
792: buffer_init(&buffer);
793: sprintf(buf, "The following connections are open:\r\n");
794: buffer_append(&buffer, buf, strlen(buf));
795: for (i = 0; i < channels_alloc; i++)
796: switch (channels[i].type)
797: {
798: case SSH_CHANNEL_FREE:
799: case SSH_CHANNEL_X11_LISTENER:
800: case SSH_CHANNEL_PORT_LISTENER:
801: case SSH_CHANNEL_CLOSED:
802: case SSH_CHANNEL_AUTH_FD:
803: case SSH_CHANNEL_AUTH_SOCKET:
804: case SSH_CHANNEL_AUTH_SOCKET_FD:
805: continue;
806: case SSH_CHANNEL_OPENING:
807: case SSH_CHANNEL_OPEN:
808: case SSH_CHANNEL_X11_OPEN:
809: case SSH_CHANNEL_INPUT_DRAINING:
810: case SSH_CHANNEL_OUTPUT_DRAINING:
811: sprintf(buf, " %.300s\r\n", channels[i].remote_name);
812: buffer_append(&buffer, buf, strlen(buf));
813: continue;
814: default:
815: fatal("channel_still_open: bad channel type %d", channels[i].type);
816: /*NOTREACHED*/
817: }
818: buffer_append(&buffer, "\0", 1);
819: cp = xstrdup(buffer_ptr(&buffer));
820: buffer_free(&buffer);
821: return cp;
822: }
823:
824: /* Initiate forwarding of connections to local port "port" through the secure
825: channel to host:port from remote side. */
826:
827: void channel_request_local_forwarding(int port, const char *host,
828: int host_port)
829: {
830: int ch, sock;
831: struct sockaddr_in sin;
832:
833: if (strlen(host) > sizeof(channels[0].path) - 1)
834: packet_disconnect("Forward host name too long.");
835:
836: /* Create a port to listen for the host. */
837: sock = socket(AF_INET, SOCK_STREAM, 0);
838: if (sock < 0)
839: packet_disconnect("socket: %.100s", strerror(errno));
840:
841: /* Initialize socket address. */
842: memset(&sin, 0, sizeof(sin));
843: sin.sin_family = AF_INET;
844: sin.sin_addr.s_addr = INADDR_ANY;
845: sin.sin_port = htons(port);
846:
847: /* Bind the socket to the address. */
848: if (bind(sock, (struct sockaddr *)&sin, sizeof(sin)) < 0)
849: packet_disconnect("bind: %.100s", strerror(errno));
850:
851: /* Start listening for connections on the socket. */
852: if (listen(sock, 5) < 0)
853: packet_disconnect("listen: %.100s", strerror(errno));
854:
855: /* Allocate a channel number for the socket. */
856: ch = channel_allocate(SSH_CHANNEL_PORT_LISTENER, sock,
857: xstrdup("port listener"));
858: strcpy(channels[ch].path, host); /* note: host name stored here */
859: channels[ch].host_port = host_port; /* port on host to connect to */
860: channels[ch].listening_port = port; /* port being listened */
861: }
862:
863: /* Initiate forwarding of connections to port "port" on remote host through
864: the secure channel to host:port from local side. */
865:
866: void channel_request_remote_forwarding(int port, const char *host,
867: int remote_port)
868: {
869: int payload_len;
870: /* Record locally that connection to this host/port is permitted. */
871: if (num_permitted_opens >= SSH_MAX_FORWARDS_PER_DIRECTION)
872: fatal("channel_request_remote_forwarding: too many forwards");
873: permitted_opens[num_permitted_opens].host = xstrdup(host);
874: permitted_opens[num_permitted_opens].port = remote_port;
875: num_permitted_opens++;
876:
877: /* Send the forward request to the remote side. */
878: packet_start(SSH_CMSG_PORT_FORWARD_REQUEST);
879: packet_put_int(port);
880: packet_put_string(host, strlen(host));
881: packet_put_int(remote_port);
882: packet_send();
883: packet_write_wait();
884:
885: /* Wait for response from the remote side. It will send a disconnect
886: message on failure, and we will never see it here. */
887: packet_read_expect(&payload_len, SSH_SMSG_SUCCESS);
888: }
889:
890: /* This is called after receiving CHANNEL_FORWARDING_REQUEST. This initates
891: listening for the port, and sends back a success reply (or disconnect
892: message if there was an error). This never returns if there was an
893: error. */
894:
895: void channel_input_port_forward_request(int is_root)
896: {
897: int port, host_port;
898: char *hostname;
899:
900: /* Get arguments from the packet. */
901: port = packet_get_int();
902: hostname = packet_get_string(NULL);
903: host_port = packet_get_int();
904:
905: /* Port numbers are 16 bit quantities. */
906: if ((port & 0xffff) != port)
907: packet_disconnect("Requested forwarding of nonexistent port %d.", port);
908:
909:
910: /* Check that an unprivileged user is not trying to forward a privileged
911: port. */
912: if (port < 1024 && !is_root)
913: packet_disconnect("Requested forwarding of port %d but user is not root.",
914: port);
915:
916: /* Initiate forwarding. */
917: channel_request_local_forwarding(port, hostname, host_port);
918:
919: /* Free the argument string. */
920: xfree(hostname);
921: }
922:
923: /* This is called after receiving PORT_OPEN message. This attempts to connect
924: to the given host:port, and sends back CHANNEL_OPEN_CONFIRMATION or
925: CHANNEL_OPEN_FAILURE. */
926:
927: void channel_input_port_open(int payload_len)
928: {
929: int remote_channel, sock, newch, host_port, i;
930: struct sockaddr_in sin;
931: char *host, *originator_string;
932: struct hostent *hp;
933: int host_len, originator_len;
934:
935: /* Get remote channel number. */
936: remote_channel = packet_get_int();
937:
938: /* Get host name to connect to. */
939: host = packet_get_string(&host_len);
940:
941: /* Get port to connect to. */
942: host_port = packet_get_int();
943:
944: /* Get remote originator name. */
945: if (have_hostname_in_open)
946: originator_string = packet_get_string(&originator_len);
947: else
948: originator_string = xstrdup("unknown (remote did not supply name)");
949:
950: packet_integrity_check(payload_len,
951: 4 + 4 + host_len + 4 + 4 + originator_len,
952: SSH_MSG_PORT_OPEN);
953:
954: /* Check if opening that port is permitted. */
955: if (!all_opens_permitted)
956: {
957: /* Go trough all permitted ports. */
958: for (i = 0; i < num_permitted_opens; i++)
959: if (permitted_opens[i].port == host_port &&
960: strcmp(permitted_opens[i].host, host) == 0)
961: break;
962:
963: /* Check if we found the requested port among those permitted. */
964: if (i >= num_permitted_opens)
965: {
966: /* The port is not permitted. */
967: log("Received request to connect to %.100s:%d, but the request was denied.",
968: host, host_port);
969: packet_start(SSH_MSG_CHANNEL_OPEN_FAILURE);
970: packet_put_int(remote_channel);
971: packet_send();
972: }
973: }
974:
975: memset(&sin, 0, sizeof(sin));
976: #ifdef BROKEN_INET_ADDR
977: sin.sin_addr.s_addr = inet_network(host);
978: #else /* BROKEN_INET_ADDR */
979: sin.sin_addr.s_addr = inet_addr(host);
980: #endif /* BROKEN_INET_ADDR */
981: if ((sin.sin_addr.s_addr & 0xffffffff) != 0xffffffff)
982: {
983: /* It was a valid numeric host address. */
984: sin.sin_family = AF_INET;
985: }
986: else
987: {
988: /* Look up the host address from the name servers. */
989: hp = gethostbyname(host);
990: if (!hp)
991: {
992: error("%.100s: unknown host.", host);
993: goto fail;
994: }
995: if (!hp->h_addr_list[0])
996: {
997: error("%.100s: host has no IP address.", host);
998: goto fail;
999: }
1000: sin.sin_family = hp->h_addrtype;
1001: memcpy(&sin.sin_addr, hp->h_addr_list[0],
1002: sizeof(sin.sin_addr));
1003: }
1004: sin.sin_port = htons(host_port);
1005:
1006: /* Create the socket. */
1007: sock = socket(sin.sin_family, SOCK_STREAM, 0);
1008: if (sock < 0)
1009: {
1010: error("socket: %.100s", strerror(errno));
1011: goto fail;
1012: }
1013:
1014: /* Connect to the host/port. */
1015: if (connect(sock, (struct sockaddr *)&sin, sizeof(sin)) < 0)
1016: {
1017: error("connect %.100s:%d: %.100s", host, host_port,
1018: strerror(errno));
1019: close(sock);
1020: goto fail;
1021: }
1022:
1023: /* Successful connection. */
1024:
1025: /* Allocate a channel for this connection. */
1026: newch = channel_allocate(SSH_CHANNEL_OPEN, sock, originator_string);
1027: channels[newch].remote_id = remote_channel;
1028:
1029: /* Send a confirmation to the remote host. */
1030: packet_start(SSH_MSG_CHANNEL_OPEN_CONFIRMATION);
1031: packet_put_int(remote_channel);
1032: packet_put_int(newch);
1033: packet_send();
1034:
1035: /* Free the argument string. */
1036: xfree(host);
1037:
1038: return;
1039:
1040: fail:
1041: /* Free the argument string. */
1042: xfree(host);
1043:
1044: /* Send refusal to the remote host. */
1045: packet_start(SSH_MSG_CHANNEL_OPEN_FAILURE);
1046: packet_put_int(remote_channel);
1047: packet_send();
1048: }
1049:
1050: /* Creates an internet domain socket for listening for X11 connections.
1051: Returns a suitable value for the DISPLAY variable, or NULL if an error
1052: occurs. */
1053:
1054: char *x11_create_display_inet(int screen_number)
1055: {
1.3 ! deraadt 1056: extern ServerOptions options;
1.1 deraadt 1057: int display_number, port, sock;
1058: struct sockaddr_in sin;
1059: char buf[512];
1060: #ifdef HAVE_GETHOSTNAME
1061: char hostname[257];
1062: #else
1063: struct utsname uts;
1064: #endif
1065:
1.3 ! deraadt 1066: for (display_number = options.x11_display_offset; display_number < MAX_DISPLAYS; display_number++)
1.1 deraadt 1067: {
1068: port = 6000 + display_number;
1069: memset(&sin, 0, sizeof(sin));
1070: sin.sin_family = AF_INET;
1071: sin.sin_addr.s_addr = INADDR_ANY;
1072: sin.sin_port = htons(port);
1073:
1074: sock = socket(AF_INET, SOCK_STREAM, 0);
1075: if (sock < 0)
1076: {
1077: error("socket: %.100s", strerror(errno));
1078: return NULL;
1079: }
1080:
1081: if (bind(sock, (struct sockaddr *)&sin, sizeof(sin)) < 0)
1082: {
1083: debug("bind port %d: %.100s", port, strerror(errno));
1084: shutdown(sock, 2);
1085: close(sock);
1086: continue;
1087: }
1088: break;
1089: }
1090: if (display_number >= MAX_DISPLAYS)
1091: {
1092: error("Failed to allocate internet-domain X11 display socket.");
1093: return NULL;
1094: }
1095:
1096: /* Start listening for connections on the socket. */
1097: if (listen(sock, 5) < 0)
1098: {
1099: error("listen: %.100s", strerror(errno));
1100: shutdown(sock, 2);
1101: close(sock);
1102: return NULL;
1103: }
1104:
1105: /* Set up a suitable value for the DISPLAY variable. */
1106: #ifdef HPSUX_NONSTANDARD_X11_KLUDGE
1107: /* HPSUX has some special shared memory stuff in their X server, which
1108: appears to be enable if the host name matches that of the local machine.
1109: However, it can be circumvented by using the IP address of the local
1110: machine instead. */
1111: if (gethostname(hostname, sizeof(hostname)) < 0)
1112: fatal("gethostname: %.100s", strerror(errno));
1113: {
1114: struct hostent *hp;
1115: struct in_addr addr;
1116: hp = gethostbyname(hostname);
1117: if (!hp->h_addr_list[0])
1118: {
1119: error("Could not server IP address for %.200d.", hostname);
1120: packet_send_debug("Could not get server IP address for %.200d.",
1121: hostname);
1122: shutdown(sock, 2);
1123: close(sock);
1124: return NULL;
1125: }
1126: memcpy(&addr, hp->h_addr_list[0], sizeof(addr));
1127: sprintf(buf, "%.100s:%d.%d", inet_ntoa(addr), display_number,
1128: screen_number);
1129: }
1130: #else /* HPSUX_NONSTANDARD_X11_KLUDGE */
1131: #ifdef HAVE_GETHOSTNAME
1132: if (gethostname(hostname, sizeof(hostname)) < 0)
1133: fatal("gethostname: %.100s", strerror(errno));
1134: sprintf(buf, "%.400s:%d.%d", hostname, display_number, screen_number);
1135: #else /* HAVE_GETHOSTNAME */
1136: if (uname(&uts) < 0)
1137: fatal("uname: %s", strerror(errno));
1138: sprintf(buf, "%.400s:%d.%d", uts.nodename, display_number, screen_number);
1139: #endif /* HAVE_GETHOSTNAME */
1140: #endif /* HPSUX_NONSTANDARD_X11_KLUDGE */
1141:
1142: /* Allocate a channel for the socket. */
1143: (void)channel_allocate(SSH_CHANNEL_X11_LISTENER, sock,
1144: xstrdup("X11 inet listener"));
1145:
1146: /* Return a suitable value for the DISPLAY environment variable. */
1147: return xstrdup(buf);
1148: }
1149:
1150: #ifndef X_UNIX_PATH
1151: #define X_UNIX_PATH "/tmp/.X11-unix/X"
1152: #endif
1153:
1154: static
1155: int
1156: connect_local_xsocket(unsigned dnr)
1157: {
1158: static const char *const x_sockets[] = {
1159: X_UNIX_PATH "%u",
1160: "/var/X/.X11-unix/X" "%u",
1161: "/usr/spool/sockets/X11/" "%u",
1162: NULL
1163: };
1164: int sock;
1165: struct sockaddr_un addr;
1166: const char *const *path;
1167:
1168: for (path = x_sockets; *path; ++path)
1169: {
1170: sock = socket(AF_UNIX, SOCK_STREAM, 0);
1171: if (sock < 0)
1172: error("socket: %.100s", strerror(errno));
1173: memset(&addr, 0, sizeof(addr));
1174: addr.sun_family = AF_UNIX;
1175: sprintf(addr.sun_path, *path, dnr);
1176: if (connect(sock, (struct sockaddr *)&addr, sizeof(addr)) == 0)
1177: return sock;
1178: close(sock);
1179: }
1180: error("connect %.100s: %.100s", addr.sun_path, strerror(errno));
1181: return -1;
1182: }
1183:
1184:
1185: /* This is called when SSH_SMSG_X11_OPEN is received. The packet contains
1186: the remote channel number. We should do whatever we want, and respond
1187: with either SSH_MSG_OPEN_CONFIRMATION or SSH_MSG_OPEN_FAILURE. */
1188:
1189: void x11_input_open(int payload_len)
1190: {
1191: int remote_channel, display_number, sock, newch;
1192: const char *display;
1193: struct sockaddr_in sin;
1194: char buf[1024], *cp, *remote_host;
1195: struct hostent *hp;
1196: int remote_len;
1197:
1198: /* Get remote channel number. */
1199: remote_channel = packet_get_int();
1200:
1201: /* Get remote originator name. */
1202: if (have_hostname_in_open)
1203: remote_host = packet_get_string(&remote_len);
1204: else
1205: remote_host = xstrdup("unknown (remote did not supply name)");
1206:
1207: debug("Received X11 open request.");
1208: packet_integrity_check(payload_len, 4 + 4+remote_len, SSH_SMSG_X11_OPEN);
1209:
1210: /* Try to open a socket for the local X server. */
1211: display = getenv("DISPLAY");
1212: if (!display)
1213: {
1214: error("DISPLAY not set.");
1215: goto fail;
1216: }
1217:
1218: /* Now we decode the value of the DISPLAY variable and make a connection
1219: to the real X server. */
1220:
1221: /* Check if it is a unix domain socket. Unix domain displays are in one
1222: of the following formats: unix:d[.s], :d[.s], ::d[.s] */
1223: if (strncmp(display, "unix:", 5) == 0 ||
1224: display[0] == ':')
1225: {
1226: /* Connect to the unix domain socket. */
1227: if (sscanf(strrchr(display, ':') + 1, "%d", &display_number) != 1)
1228: {
1229: error("Could not parse display number from DISPLAY: %.100s",
1230: display);
1231: goto fail;
1232: }
1233: /* Create a socket. */
1234: sock = connect_local_xsocket(display_number);
1235: if (sock < 0)
1236: goto fail;
1237:
1238: /* OK, we now have a connection to the display. */
1239: goto success;
1240: }
1241:
1242: /* Connect to an inet socket. The DISPLAY value is supposedly
1243: hostname:d[.s], where hostname may also be numeric IP address. */
1244: strncpy(buf, display, sizeof(buf));
1245: buf[sizeof(buf) - 1] = 0;
1246: cp = strchr(buf, ':');
1247: if (!cp)
1248: {
1249: error("Could not find ':' in DISPLAY: %.100s", display);
1250: goto fail;
1251: }
1252: *cp = 0;
1253: /* buf now contains the host name. But first we parse the display number. */
1254: if (sscanf(cp + 1, "%d", &display_number) != 1)
1255: {
1256: error("Could not parse display number from DISPLAY: %.100s",
1257: display);
1258: goto fail;
1259: }
1260:
1261: /* Try to parse the host name as a numeric IP address. */
1262: memset(&sin, 0, sizeof(sin));
1263: #ifdef BROKEN_INET_ADDR
1264: sin.sin_addr.s_addr = inet_network(buf);
1265: #else /* BROKEN_INET_ADDR */
1266: sin.sin_addr.s_addr = inet_addr(buf);
1267: #endif /* BROKEN_INET_ADDR */
1268: if ((sin.sin_addr.s_addr & 0xffffffff) != 0xffffffff)
1269: {
1270: /* It was a valid numeric host address. */
1271: sin.sin_family = AF_INET;
1272: }
1273: else
1274: {
1275: /* Not a numeric IP address. */
1276: /* Look up the host address from the name servers. */
1277: hp = gethostbyname(buf);
1278: if (!hp)
1279: {
1280: error("%.100s: unknown host.", buf);
1281: goto fail;
1282: }
1283: if (!hp->h_addr_list[0])
1284: {
1285: error("%.100s: host has no IP address.", buf);
1286: goto fail;
1287: }
1288: sin.sin_family = hp->h_addrtype;
1289: memcpy(&sin.sin_addr, hp->h_addr_list[0],
1290: sizeof(sin.sin_addr));
1291: }
1292: /* Set port number. */
1293: sin.sin_port = htons(6000 + display_number);
1294:
1295: /* Create a socket. */
1296: sock = socket(sin.sin_family, SOCK_STREAM, 0);
1297: if (sock < 0)
1298: {
1299: error("socket: %.100s", strerror(errno));
1300: goto fail;
1301: }
1302: /* Connect it to the display. */
1303: if (connect(sock, (struct sockaddr *)&sin, sizeof(sin)) < 0)
1304: {
1305: error("connect %.100s:%d: %.100s", buf, 6000 + display_number,
1306: strerror(errno));
1307: close(sock);
1308: goto fail;
1309: }
1310:
1311: success:
1312: /* We have successfully obtained a connection to the real X display. */
1313:
1314: /* Allocate a channel for this connection. */
1315: if (x11_saved_proto == NULL)
1316: newch = channel_allocate(SSH_CHANNEL_OPEN, sock, remote_host);
1317: else
1318: newch = channel_allocate(SSH_CHANNEL_X11_OPEN, sock, remote_host);
1319: channels[newch].remote_id = remote_channel;
1320:
1321: /* Send a confirmation to the remote host. */
1322: packet_start(SSH_MSG_CHANNEL_OPEN_CONFIRMATION);
1323: packet_put_int(remote_channel);
1324: packet_put_int(newch);
1325: packet_send();
1326:
1327: return;
1328:
1329: fail:
1330: /* Send refusal to the remote host. */
1331: packet_start(SSH_MSG_CHANNEL_OPEN_FAILURE);
1332: packet_put_int(remote_channel);
1333: packet_send();
1334: }
1335:
1336: /* Requests forwarding of X11 connections, generates fake authentication
1337: data, and enables authentication spoofing. */
1338:
1.2 provos 1339: void x11_request_forwarding_with_spoofing(const char *proto, const char *data)
1.1 deraadt 1340: {
1341: unsigned int data_len = (unsigned int)strlen(data) / 2;
1342: unsigned int i, value;
1343: char *new_data;
1344: int screen_number;
1345: const char *cp;
1.2 provos 1346: u_int32_t rand;
1.1 deraadt 1347:
1348: cp = getenv("DISPLAY");
1349: if (cp)
1350: cp = strchr(cp, ':');
1351: if (cp)
1352: cp = strchr(cp, '.');
1353: if (cp)
1354: screen_number = atoi(cp + 1);
1355: else
1356: screen_number = 0;
1357:
1358: /* Save protocol name. */
1359: x11_saved_proto = xstrdup(proto);
1360:
1361: /* Extract real authentication data and generate fake data of the same
1362: length. */
1363: x11_saved_data = xmalloc(data_len);
1364: x11_fake_data = xmalloc(data_len);
1365: for (i = 0; i < data_len; i++)
1366: {
1367: if (sscanf(data + 2 * i, "%2x", &value) != 1)
1368: fatal("x11_request_forwarding: bad authentication data: %.100s", data);
1.2 provos 1369: if (i % 4 == 0)
1370: rand = arc4random();
1.1 deraadt 1371: x11_saved_data[i] = value;
1.2 provos 1372: x11_fake_data[i] = rand & 0xff;
1373: rand >>= 8;
1.1 deraadt 1374: }
1375: x11_saved_data_len = data_len;
1376: x11_fake_data_len = data_len;
1377:
1378: /* Convert the fake data into hex. */
1379: new_data = xmalloc(2 * data_len + 1);
1380: for (i = 0; i < data_len; i++)
1381: sprintf(new_data + 2 * i, "%02x", (unsigned char)x11_fake_data[i]);
1382:
1383: /* Send the request packet. */
1384: packet_start(SSH_CMSG_X11_REQUEST_FORWARDING);
1385: packet_put_string(proto, strlen(proto));
1386: packet_put_string(new_data, strlen(new_data));
1387: packet_put_int(screen_number);
1388: packet_send();
1389: packet_write_wait();
1390: xfree(new_data);
1391: }
1392:
1393: /* Sends a message to the server to request authentication fd forwarding. */
1394:
1395: void auth_request_forwarding()
1396: {
1397: packet_start(SSH_CMSG_AGENT_REQUEST_FORWARDING);
1398: packet_send();
1399: packet_write_wait();
1400: }
1401:
1402: /* Returns the number of the file descriptor to pass to child programs as
1403: the authentication fd. Returns -1 if there is no forwarded authentication
1404: fd. */
1405:
1406: int auth_get_fd()
1407: {
1408: return channel_forwarded_auth_fd;
1409: }
1410:
1411: /* Returns the name of the forwarded authentication socket. Returns NULL
1412: if there is no forwarded authentication socket. The returned value
1413: points to a static buffer. */
1414:
1415: char *auth_get_socket_name()
1416: {
1417: return channel_forwarded_auth_socket_name;
1418: }
1419:
1420: /* This if called to process SSH_CMSG_AGENT_REQUEST_FORWARDING on the server.
1421: This starts forwarding authentication requests. */
1422:
1423: void auth_input_request_forwarding(struct passwd *pw)
1424: {
1425: int pfd = get_permanent_fd(pw->pw_shell);
1426: #ifdef HAVE_UMASK
1427: mode_t savedumask;
1428: #endif /* HAVE_UMASK */
1429:
1430: if (pfd < 0)
1431: {
1432: int sock, newch;
1433: struct sockaddr_un sunaddr;
1434:
1435: if (auth_get_socket_name() != NULL)
1436: fatal("Protocol error: authentication forwarding requested twice.");
1437:
1438: /* Allocate a buffer for the socket name, and format the name. */
1439: channel_forwarded_auth_socket_name = xmalloc(100);
1440: sprintf(channel_forwarded_auth_socket_name, SSH_AGENT_SOCKET,
1441: (int)getpid());
1442:
1443: /* Create the socket. */
1444: sock = socket(AF_UNIX, SOCK_STREAM, 0);
1445: if (sock < 0)
1446: packet_disconnect("socket: %.100s", strerror(errno));
1447:
1448: /* Bind it to the name. */
1449: memset(&sunaddr, 0, sizeof(sunaddr));
1450: sunaddr.sun_family = AF_UNIX;
1451: strncpy(sunaddr.sun_path, channel_forwarded_auth_socket_name,
1452: sizeof(sunaddr.sun_path));
1453:
1454: #ifdef HAVE_UMASK
1455: savedumask = umask(0077);
1456: #endif /* HAVE_UMASK */
1457:
1458: /* Temporarily use a privileged uid. */
1459: temporarily_use_uid(pw->pw_uid);
1460:
1461: if (bind(sock, (struct sockaddr *)&sunaddr, AF_UNIX_SIZE(sunaddr)) < 0)
1462: packet_disconnect("bind: %.100s", strerror(errno));
1463:
1464: /* Restore the privileged uid. */
1465: restore_uid();
1466:
1467: #ifdef HAVE_UMASK
1468: umask(savedumask);
1469: #endif /* HAVE_UMASK */
1470:
1471: /* Start listening on the socket. */
1472: if (listen(sock, 5) < 0)
1473: packet_disconnect("listen: %.100s", strerror(errno));
1474:
1475: /* Allocate a channel for the authentication agent socket. */
1476: newch = channel_allocate(SSH_CHANNEL_AUTH_SOCKET, sock,
1477: xstrdup("auth socket"));
1478: strcpy(channels[newch].path, channel_forwarded_auth_socket_name);
1479: }
1480: else
1481: {
1482: int sockets[2], i, cnt, newfd;
1483: int *dups = xmalloc(sizeof (int) * (pfd + 1));
1484:
1485: if (auth_get_fd() != -1)
1486: fatal("Protocol error: authentication forwarding requested twice.");
1487:
1488: /* Create a socket pair. */
1489: if (socketpair(AF_UNIX, SOCK_STREAM, 0, sockets) < 0)
1490: packet_disconnect("socketpair: %.100s", strerror(errno));
1491:
1492: /* Dup some descriptors to get the authentication fd to pfd,
1493: because some shells arbitrarily close descriptors below that.
1494: Don't use dup2 because maybe some systems don't have it?? */
1495: for (cnt = 0;; cnt++)
1496: {
1497: if ((dups[cnt] = dup(packet_get_connection_in())) < 0)
1498: fatal("auth_input_request_forwarding: dup failed");
1499: if (dups[cnt] == pfd)
1500: break;
1501: }
1502: close(dups[cnt]);
1503:
1504: /* Move the file descriptor we pass to children up high where
1505: the shell won't close it. */
1506: newfd = dup(sockets[1]);
1507: if (newfd != pfd)
1508: fatal ("auth_input_request_forwarding: dup didn't return %d.", pfd);
1509: close(sockets[1]);
1510: sockets[1] = newfd;
1511: /* Close duped descriptors. */
1512: for (i = 0; i < cnt; i++)
1513: close(dups[i]);
1514: free(dups);
1515:
1516: /* Record the file descriptor to be passed to children. */
1517: channel_forwarded_auth_fd = sockets[1];
1518:
1519: /* Allcate a channel for the authentication fd. */
1520: (void)channel_allocate(SSH_CHANNEL_AUTH_FD, sockets[0],
1521: xstrdup("auth fd"));
1522: }
1523: }
1524:
1525: /* This is called to process an SSH_SMSG_AGENT_OPEN message. */
1526:
1527: void auth_input_open_request()
1528: {
1529: int port, sock, newch;
1530: char *dummyname;
1531:
1532: /* Read the port number from the message. */
1533: port = packet_get_int();
1534:
1535: /* Get a connection to the local authentication agent (this may again get
1536: forwarded). */
1537: sock = ssh_get_authentication_connection_fd();
1538:
1539: /* If we could not connect the agent, just return. This will cause the
1540: client to timeout and fail. This should never happen unless the agent
1541: dies, because authentication forwarding is only enabled if we have an
1542: agent. */
1543: if (sock < 0)
1544: return;
1545:
1546: debug("Forwarding authentication connection.");
1547:
1548: /* Dummy host name. This will be freed when the channel is freed; it will
1549: still be valid in the packet_put_string below since the channel cannot
1550: yet be freed at that point. */
1551: dummyname = xstrdup("authentication agent connection");
1552:
1553: /* Allocate a channel for the new connection. */
1554: newch = channel_allocate(SSH_CHANNEL_OPENING, sock, dummyname);
1555:
1556: /* Fake a forwarding request. */
1557: packet_start(SSH_MSG_PORT_OPEN);
1558: packet_put_int(newch);
1559: packet_put_string("localhost", strlen("localhost"));
1560: packet_put_int(port);
1561: if (have_hostname_in_open)
1562: packet_put_string(dummyname, strlen(dummyname));
1563: packet_send();
1564: }