Annotation of src/usr.bin/ssh/channels.c, Revision 1.34
1.1 deraadt 1: /*
1.26 deraadt 2: *
3: * channels.c
4: *
5: * Author: Tatu Ylonen <ylo@cs.hut.fi>
6: *
7: * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
8: * All rights reserved
9: *
10: * Created: Fri Mar 24 16:35:24 1995 ylo
11: *
12: * This file contains functions for generic socket connection forwarding.
13: * There is also code for initiating connection forwarding for X11 connections,
14: * arbitrary tcp/ip connections, and the authentication agent connection.
15: *
16: */
1.1 deraadt 17:
18: #include "includes.h"
1.34 ! markus 19: RCSID("$Id: channels.c,v 1.33 1999/12/12 19:20:02 markus Exp $");
1.1 deraadt 20:
21: #include "ssh.h"
22: #include "packet.h"
23: #include "xmalloc.h"
24: #include "buffer.h"
25: #include "authfd.h"
26: #include "uidswap.h"
1.20 markus 27: #include "readconf.h"
1.3 deraadt 28: #include "servconf.h"
1.1 deraadt 29:
1.14 markus 30: #include "channels.h"
31: #include "nchan.h"
32: #include "compat.h"
33:
1.1 deraadt 34: /* Maximum number of fake X11 displays to try. */
35: #define MAX_DISPLAYS 1000
36:
1.12 markus 37: /* Max len of agent socket */
38: #define MAX_SOCKET_NAME 100
39:
1.27 markus 40: /*
41: * Pointer to an array containing all allocated channels. The array is
42: * dynamically extended as needed.
43: */
1.1 deraadt 44: static Channel *channels = NULL;
45:
1.27 markus 46: /*
47: * Size of the channel array. All slots of the array must always be
48: * initialized (at least the type field); unused slots are marked with type
49: * SSH_CHANNEL_FREE.
50: */
1.1 deraadt 51: static int channels_alloc = 0;
52:
1.27 markus 53: /*
54: * Maximum file descriptor value used in any of the channels. This is
55: * updated in channel_allocate.
56: */
1.1 deraadt 57: static int channel_max_fd_value = 0;
58:
1.12 markus 59: /* Name and directory of socket for authentication agent forwarding. */
1.1 deraadt 60: static char *channel_forwarded_auth_socket_name = NULL;
1.25 markus 61: static char *channel_forwarded_auth_socket_dir = NULL;
1.1 deraadt 62:
63: /* Saved X11 authentication protocol name. */
64: char *x11_saved_proto = NULL;
65:
66: /* Saved X11 authentication data. This is the real data. */
67: char *x11_saved_data = NULL;
68: unsigned int x11_saved_data_len = 0;
69:
1.27 markus 70: /*
71: * Fake X11 authentication data. This is what the server will be sending us;
72: * we should replace any occurrences of this by the real data.
73: */
1.1 deraadt 74: char *x11_fake_data = NULL;
75: unsigned int x11_fake_data_len;
76:
1.27 markus 77: /*
78: * Data structure for storing which hosts are permitted for forward requests.
79: * The local sides of any remote forwards are stored in this array to prevent
80: * a corrupt remote server from accessing arbitrary TCP/IP ports on our local
81: * network (which might be behind a firewall).
82: */
1.25 markus 83: typedef struct {
84: char *host; /* Host name. */
1.31 markus 85: u_short port; /* Port number. */
1.1 deraadt 86: } ForwardPermission;
87:
88: /* List of all permitted host/port pairs to connect. */
89: static ForwardPermission permitted_opens[SSH_MAX_FORWARDS_PER_DIRECTION];
90: /* Number of permitted host/port pairs in the array. */
91: static int num_permitted_opens = 0;
1.27 markus 92: /*
93: * If this is true, all opens are permitted. This is the case on the server
94: * on which we have to trust the client anyway, and the user could do
95: * anything after logging in anyway.
96: */
1.1 deraadt 97: static int all_opens_permitted = 0;
98:
99: /* This is set to true if both sides support SSH_PROTOFLAG_HOST_IN_FWD_OPEN. */
100: static int have_hostname_in_open = 0;
101:
102: /* Sets specific protocol options. */
103:
1.25 markus 104: void
105: channel_set_options(int hostname_in_open)
1.1 deraadt 106: {
1.25 markus 107: have_hostname_in_open = hostname_in_open;
1.1 deraadt 108: }
109:
1.27 markus 110: /*
111: * Permits opening to any host/port in SSH_MSG_PORT_OPEN. This is usually
112: * called by the server, because the user could connect to any port anyway,
113: * and the server has no way to know but to trust the client anyway.
114: */
1.1 deraadt 115:
1.25 markus 116: void
117: channel_permit_all_opens()
1.1 deraadt 118: {
1.25 markus 119: all_opens_permitted = 1;
1.1 deraadt 120: }
121:
1.27 markus 122: /*
123: * Allocate a new channel object and set its type and socket. This will cause
124: * remote_name to be freed.
125: */
1.1 deraadt 126:
1.25 markus 127: int
128: channel_allocate(int type, int sock, char *remote_name)
1.1 deraadt 129: {
1.25 markus 130: int i, found;
131: Channel *c;
1.1 deraadt 132:
1.25 markus 133: /* Update the maximum file descriptor value. */
134: if (sock > channel_max_fd_value)
135: channel_max_fd_value = sock;
1.27 markus 136: /* XXX set close-on-exec -markus */
1.25 markus 137:
138: /* Do initial allocation if this is the first call. */
139: if (channels_alloc == 0) {
140: channels_alloc = 10;
141: channels = xmalloc(channels_alloc * sizeof(Channel));
142: for (i = 0; i < channels_alloc; i++)
143: channels[i].type = SSH_CHANNEL_FREE;
1.27 markus 144: /*
145: * Kludge: arrange a call to channel_stop_listening if we
146: * terminate with fatal().
147: */
1.25 markus 148: fatal_add_cleanup((void (*) (void *)) channel_stop_listening, NULL);
149: }
150: /* Try to find a free slot where to put the new channel. */
151: for (found = -1, i = 0; i < channels_alloc; i++)
152: if (channels[i].type == SSH_CHANNEL_FREE) {
153: /* Found a free slot. */
154: found = i;
155: break;
156: }
157: if (found == -1) {
1.27 markus 158: /* There are no free slots. Take last+1 slot and expand the array. */
1.25 markus 159: found = channels_alloc;
160: channels_alloc += 10;
161: debug("channel: expanding %d", channels_alloc);
162: channels = xrealloc(channels, channels_alloc * sizeof(Channel));
163: for (i = found; i < channels_alloc; i++)
164: channels[i].type = SSH_CHANNEL_FREE;
165: }
166: /* Initialize and return new channel number. */
167: c = &channels[found];
168: buffer_init(&c->input);
169: buffer_init(&c->output);
170: chan_init_iostates(c);
171: c->self = found;
172: c->type = type;
173: c->sock = sock;
174: c->remote_id = -1;
175: c->remote_name = remote_name;
176: debug("channel %d: new [%s]", found, remote_name);
177: return found;
1.1 deraadt 178: }
179:
180: /* Free the channel and close its socket. */
181:
1.25 markus 182: void
183: channel_free(int channel)
1.1 deraadt 184: {
1.25 markus 185: if (channel < 0 || channel >= channels_alloc ||
186: channels[channel].type == SSH_CHANNEL_FREE)
187: packet_disconnect("channel free: bad local channel %d", channel);
188:
189: if (compat13)
190: shutdown(channels[channel].sock, SHUT_RDWR);
191: close(channels[channel].sock);
192: buffer_free(&channels[channel].input);
193: buffer_free(&channels[channel].output);
194: channels[channel].type = SSH_CHANNEL_FREE;
195: if (channels[channel].remote_name) {
196: xfree(channels[channel].remote_name);
197: channels[channel].remote_name = NULL;
198: }
1.1 deraadt 199: }
200:
1.27 markus 201: /*
202: * This is called just before select() to add any bits relevant to channels
203: * in the select bitmasks.
204: */
1.1 deraadt 205:
1.25 markus 206: void
207: channel_prepare_select(fd_set * readset, fd_set * writeset)
1.1 deraadt 208: {
1.25 markus 209: int i;
210: Channel *ch;
211: unsigned char *ucp;
212: unsigned int proto_len, data_len;
213:
214: for (i = 0; i < channels_alloc; i++) {
215: ch = &channels[i];
216: redo:
217: switch (ch->type) {
218: case SSH_CHANNEL_X11_LISTENER:
219: case SSH_CHANNEL_PORT_LISTENER:
220: case SSH_CHANNEL_AUTH_SOCKET:
221: FD_SET(ch->sock, readset);
222: break;
223:
224: case SSH_CHANNEL_OPEN:
225: if (compat13) {
226: if (buffer_len(&ch->input) < packet_get_maxsize())
227: FD_SET(ch->sock, readset);
228: if (buffer_len(&ch->output) > 0)
229: FD_SET(ch->sock, writeset);
230: break;
231: }
232: /* test whether sockets are 'alive' for read/write */
233: if (ch->istate == CHAN_INPUT_OPEN)
234: if (buffer_len(&ch->input) < packet_get_maxsize())
235: FD_SET(ch->sock, readset);
236: if (ch->ostate == CHAN_OUTPUT_OPEN ||
237: ch->ostate == CHAN_OUTPUT_WAIT_DRAIN) {
238: if (buffer_len(&ch->output) > 0) {
239: FD_SET(ch->sock, writeset);
240: } else if (ch->ostate == CHAN_OUTPUT_WAIT_DRAIN) {
241: chan_obuf_empty(ch);
242: }
243: }
244: break;
245:
246: case SSH_CHANNEL_INPUT_DRAINING:
247: if (!compat13)
248: fatal("cannot happen: IN_DRAIN");
249: if (buffer_len(&ch->input) == 0) {
250: packet_start(SSH_MSG_CHANNEL_CLOSE);
251: packet_put_int(ch->remote_id);
252: packet_send();
253: ch->type = SSH_CHANNEL_CLOSED;
1.34 ! markus 254: debug("Closing channel %d after input drain.", ch->self);
1.25 markus 255: break;
256: }
257: break;
258:
259: case SSH_CHANNEL_OUTPUT_DRAINING:
260: if (!compat13)
261: fatal("cannot happen: OUT_DRAIN");
262: if (buffer_len(&ch->output) == 0) {
263: channel_free(i);
264: break;
265: }
266: FD_SET(ch->sock, writeset);
267: break;
268:
269: case SSH_CHANNEL_X11_OPEN:
1.27 markus 270: /*
271: * This is a special state for X11 authentication
272: * spoofing. An opened X11 connection (when
273: * authentication spoofing is being done) remains in
274: * this state until the first packet has been
275: * completely read. The authentication data in that
276: * packet is then substituted by the real data if it
277: * matches the fake data, and the channel is put into
278: * normal mode.
279: */
1.25 markus 280: /* Check if the fixed size part of the packet is in buffer. */
281: if (buffer_len(&ch->output) < 12)
282: break;
283:
284: /* Parse the lengths of variable-length fields. */
285: ucp = (unsigned char *) buffer_ptr(&ch->output);
286: if (ucp[0] == 0x42) { /* Byte order MSB first. */
287: proto_len = 256 * ucp[6] + ucp[7];
288: data_len = 256 * ucp[8] + ucp[9];
289: } else if (ucp[0] == 0x6c) { /* Byte order LSB first. */
290: proto_len = ucp[6] + 256 * ucp[7];
291: data_len = ucp[8] + 256 * ucp[9];
292: } else {
293: debug("Initial X11 packet contains bad byte order byte: 0x%x",
294: ucp[0]);
295: ch->type = SSH_CHANNEL_OPEN;
296: goto reject;
297: }
298:
299: /* Check if the whole packet is in buffer. */
300: if (buffer_len(&ch->output) <
301: 12 + ((proto_len + 3) & ~3) + ((data_len + 3) & ~3))
302: break;
303:
304: /* Check if authentication protocol matches. */
305: if (proto_len != strlen(x11_saved_proto) ||
306: memcmp(ucp + 12, x11_saved_proto, proto_len) != 0) {
307: debug("X11 connection uses different authentication protocol.");
308: ch->type = SSH_CHANNEL_OPEN;
309: goto reject;
310: }
311: /* Check if authentication data matches our fake data. */
312: if (data_len != x11_fake_data_len ||
313: memcmp(ucp + 12 + ((proto_len + 3) & ~3),
314: x11_fake_data, x11_fake_data_len) != 0) {
315: debug("X11 auth data does not match fake data.");
316: ch->type = SSH_CHANNEL_OPEN;
317: goto reject;
318: }
319: /* Check fake data length */
320: if (x11_fake_data_len != x11_saved_data_len) {
321: error("X11 fake_data_len %d != saved_data_len %d",
322: x11_fake_data_len, x11_saved_data_len);
323: ch->type = SSH_CHANNEL_OPEN;
324: goto reject;
325: }
1.27 markus 326: /*
327: * Received authentication protocol and data match
328: * our fake data. Substitute the fake data with real
329: * data.
330: */
1.25 markus 331: memcpy(ucp + 12 + ((proto_len + 3) & ~3),
332: x11_saved_data, x11_saved_data_len);
333:
334: /* Start normal processing for the channel. */
335: ch->type = SSH_CHANNEL_OPEN;
336: goto redo;
337:
1.1 deraadt 338: reject:
1.27 markus 339: /*
340: * We have received an X11 connection that has bad
341: * authentication information.
342: */
1.25 markus 343: log("X11 connection rejected because of wrong authentication.\r\n");
344: buffer_clear(&ch->input);
345: buffer_clear(&ch->output);
346: if (compat13) {
347: close(ch->sock);
348: ch->sock = -1;
349: ch->type = SSH_CHANNEL_CLOSED;
350: packet_start(SSH_MSG_CHANNEL_CLOSE);
351: packet_put_int(ch->remote_id);
352: packet_send();
353: } else {
354: debug("X11 rejected %d i%d/o%d", ch->self, ch->istate, ch->ostate);
355: chan_read_failed(ch);
356: chan_write_failed(ch);
357: debug("X11 rejected %d i%d/o%d", ch->self, ch->istate, ch->ostate);
358: }
359: break;
360:
361: case SSH_CHANNEL_FREE:
362: default:
363: continue;
364: }
1.1 deraadt 365: }
366: }
367:
1.27 markus 368: /*
369: * After select, perform any appropriate operations for channels which have
370: * events pending.
371: */
1.1 deraadt 372:
1.25 markus 373: void
374: channel_after_select(fd_set * readset, fd_set * writeset)
1.1 deraadt 375: {
1.25 markus 376: struct sockaddr addr;
377: int addrlen, newsock, i, newch, len;
378: Channel *ch;
379: char buf[16384], *remote_hostname;
380:
381: /* Loop over all channels... */
382: for (i = 0; i < channels_alloc; i++) {
383: ch = &channels[i];
384: switch (ch->type) {
385: case SSH_CHANNEL_X11_LISTENER:
386: /* This is our fake X11 server socket. */
387: if (FD_ISSET(ch->sock, readset)) {
388: debug("X11 connection requested.");
389: addrlen = sizeof(addr);
390: newsock = accept(ch->sock, &addr, &addrlen);
391: if (newsock < 0) {
392: error("accept: %.100s", strerror(errno));
393: break;
394: }
395: remote_hostname = get_remote_hostname(newsock);
396: snprintf(buf, sizeof buf, "X11 connection from %.200s port %d",
397: remote_hostname, get_peer_port(newsock));
398: xfree(remote_hostname);
399: newch = channel_allocate(SSH_CHANNEL_OPENING, newsock,
400: xstrdup(buf));
401: packet_start(SSH_SMSG_X11_OPEN);
402: packet_put_int(newch);
403: if (have_hostname_in_open)
404: packet_put_string(buf, strlen(buf));
405: packet_send();
406: }
407: break;
408:
409: case SSH_CHANNEL_PORT_LISTENER:
1.27 markus 410: /*
411: * This socket is listening for connections to a
412: * forwarded TCP/IP port.
413: */
1.25 markus 414: if (FD_ISSET(ch->sock, readset)) {
415: debug("Connection to port %d forwarding to %.100s:%d requested.",
416: ch->listening_port, ch->path, ch->host_port);
417: addrlen = sizeof(addr);
418: newsock = accept(ch->sock, &addr, &addrlen);
419: if (newsock < 0) {
420: error("accept: %.100s", strerror(errno));
421: break;
422: }
423: remote_hostname = get_remote_hostname(newsock);
424: snprintf(buf, sizeof buf, "listen port %d:%.100s:%d, connect from %.200s:%d",
425: ch->listening_port, ch->path, ch->host_port,
426: remote_hostname, get_peer_port(newsock));
427: xfree(remote_hostname);
428: newch = channel_allocate(SSH_CHANNEL_OPENING, newsock,
429: xstrdup(buf));
430: packet_start(SSH_MSG_PORT_OPEN);
431: packet_put_int(newch);
432: packet_put_string(ch->path, strlen(ch->path));
433: packet_put_int(ch->host_port);
434: if (have_hostname_in_open)
435: packet_put_string(buf, strlen(buf));
436: packet_send();
437: }
438: break;
439:
440: case SSH_CHANNEL_AUTH_SOCKET:
1.27 markus 441: /*
442: * This is the authentication agent socket listening
443: * for connections from clients.
444: */
1.25 markus 445: if (FD_ISSET(ch->sock, readset)) {
1.34 ! markus 446: addrlen = sizeof(addr);
! 447: newsock = accept(ch->sock, &addr, &addrlen);
1.25 markus 448: if (newsock < 0) {
449: error("accept from auth socket: %.100s", strerror(errno));
450: break;
451: }
1.34 ! markus 452: newch = channel_allocate(SSH_CHANNEL_OPENING, newsock,
1.25 markus 453: xstrdup("accepted auth socket"));
454: packet_start(SSH_SMSG_AGENT_OPEN);
1.34 ! markus 455: packet_put_int(newch);
1.25 markus 456: packet_send();
457: }
458: break;
459:
460: case SSH_CHANNEL_OPEN:
1.27 markus 461: /*
462: * This is an open two-way communication channel. It
463: * is not of interest to us at this point what kind
464: * of data is being transmitted.
465: */
466:
467: /*
468: * Read available incoming data and append it to
469: * buffer; shutdown socket, if read or write failes
470: */
1.25 markus 471: if (FD_ISSET(ch->sock, readset)) {
472: len = read(ch->sock, buf, sizeof(buf));
473: if (len <= 0) {
474: if (compat13) {
475: buffer_consume(&ch->output, buffer_len(&ch->output));
476: ch->type = SSH_CHANNEL_INPUT_DRAINING;
477: debug("Channel %d status set to input draining.", i);
478: } else {
479: chan_read_failed(ch);
480: }
481: break;
482: }
483: buffer_append(&ch->input, buf, len);
484: }
485: /* Send buffered output data to the socket. */
486: if (FD_ISSET(ch->sock, writeset) && buffer_len(&ch->output) > 0) {
487: len = write(ch->sock, buffer_ptr(&ch->output),
488: buffer_len(&ch->output));
489: if (len <= 0) {
490: if (compat13) {
491: buffer_consume(&ch->output, buffer_len(&ch->output));
492: debug("Channel %d status set to input draining.", i);
493: ch->type = SSH_CHANNEL_INPUT_DRAINING;
494: } else {
495: chan_write_failed(ch);
496: }
497: break;
498: }
499: buffer_consume(&ch->output, len);
500: }
501: break;
502:
503: case SSH_CHANNEL_OUTPUT_DRAINING:
504: if (!compat13)
505: fatal("cannot happen: OUT_DRAIN");
506: /* Send buffered output data to the socket. */
507: if (FD_ISSET(ch->sock, writeset) && buffer_len(&ch->output) > 0) {
508: len = write(ch->sock, buffer_ptr(&ch->output),
509: buffer_len(&ch->output));
510: if (len <= 0)
511: buffer_consume(&ch->output, buffer_len(&ch->output));
512: else
513: buffer_consume(&ch->output, len);
514: }
515: break;
516:
517: case SSH_CHANNEL_X11_OPEN:
518: case SSH_CHANNEL_FREE:
519: default:
520: continue;
1.1 deraadt 521: }
522: }
523: }
524:
525: /* If there is data to send to the connection, send some of it now. */
526:
1.25 markus 527: void
528: channel_output_poll()
1.1 deraadt 529: {
1.25 markus 530: int len, i;
531: Channel *ch;
1.1 deraadt 532:
1.25 markus 533: for (i = 0; i < channels_alloc; i++) {
534: ch = &channels[i];
1.27 markus 535: /* We are only interested in channels that can have buffered incoming data. */
1.25 markus 536: if (ch->type != SSH_CHANNEL_OPEN &&
537: ch->type != SSH_CHANNEL_INPUT_DRAINING)
538: continue;
539:
540: /* Get the amount of buffered data for this channel. */
541: len = buffer_len(&ch->input);
542: if (len > 0) {
1.27 markus 543: /* Send some data for the other side over the secure connection. */
1.25 markus 544: if (packet_is_interactive()) {
545: if (len > 1024)
546: len = 512;
547: } else {
548: /* Keep the packets at reasonable size. */
1.34 ! markus 549: if (len > packet_get_maxsize()/2)
! 550: len = packet_get_maxsize()/2;
1.25 markus 551: }
552: packet_start(SSH_MSG_CHANNEL_DATA);
553: packet_put_int(ch->remote_id);
554: packet_put_string(buffer_ptr(&ch->input), len);
555: packet_send();
556: buffer_consume(&ch->input, len);
557: } else if (ch->istate == CHAN_INPUT_WAIT_DRAIN) {
558: if (compat13)
559: fatal("cannot happen: istate == INPUT_WAIT_DRAIN for proto 1.3");
1.27 markus 560: /*
561: * input-buffer is empty and read-socket shutdown:
562: * tell peer, that we will not send more data: send IEOF
563: */
1.25 markus 564: chan_ibuf_empty(ch);
565: }
566: }
1.1 deraadt 567: }
568:
1.27 markus 569: /*
570: * This is called when a packet of type CHANNEL_DATA has just been received.
571: * The message type has already been consumed, but channel number and data is
572: * still there.
573: */
1.1 deraadt 574:
1.25 markus 575: void
576: channel_input_data(int payload_len)
1.1 deraadt 577: {
1.25 markus 578: int channel;
579: char *data;
580: unsigned int data_len;
581:
582: /* Get the channel number and verify it. */
583: channel = packet_get_int();
584: if (channel < 0 || channel >= channels_alloc ||
585: channels[channel].type == SSH_CHANNEL_FREE)
586: packet_disconnect("Received data for nonexistent channel %d.", channel);
587:
588: /* Ignore any data for non-open channels (might happen on close) */
589: if (channels[channel].type != SSH_CHANNEL_OPEN &&
590: channels[channel].type != SSH_CHANNEL_X11_OPEN)
591: return;
592:
593: /* Get the data. */
594: data = packet_get_string(&data_len);
595: packet_integrity_check(payload_len, 4 + 4 + data_len, SSH_MSG_CHANNEL_DATA);
596: buffer_append(&channels[channel].output, data, data_len);
597: xfree(data);
1.1 deraadt 598: }
599:
1.27 markus 600: /*
601: * Returns true if no channel has too much buffered data, and false if one or
602: * more channel is overfull.
603: */
1.1 deraadt 604:
1.25 markus 605: int
606: channel_not_very_much_buffered_data()
1.1 deraadt 607: {
1.25 markus 608: unsigned int i;
609: Channel *ch;
610:
611: for (i = 0; i < channels_alloc; i++) {
612: ch = &channels[i];
613: switch (ch->type) {
614: case SSH_CHANNEL_X11_LISTENER:
615: case SSH_CHANNEL_PORT_LISTENER:
616: case SSH_CHANNEL_AUTH_SOCKET:
617: continue;
618: case SSH_CHANNEL_OPEN:
619: if (buffer_len(&ch->input) > packet_get_maxsize())
620: return 0;
621: if (buffer_len(&ch->output) > packet_get_maxsize())
622: return 0;
623: continue;
624: case SSH_CHANNEL_INPUT_DRAINING:
625: case SSH_CHANNEL_OUTPUT_DRAINING:
626: case SSH_CHANNEL_X11_OPEN:
627: case SSH_CHANNEL_FREE:
628: default:
629: continue;
630: }
1.1 deraadt 631: }
1.25 markus 632: return 1;
1.1 deraadt 633: }
634:
1.14 markus 635: /* This is called after receiving CHANNEL_CLOSE/IEOF. */
1.1 deraadt 636:
1.25 markus 637: void
638: channel_input_close()
1.1 deraadt 639: {
1.25 markus 640: int channel;
1.1 deraadt 641:
1.25 markus 642: /* Get the channel number and verify it. */
643: channel = packet_get_int();
644: if (channel < 0 || channel >= channels_alloc ||
645: channels[channel].type == SSH_CHANNEL_FREE)
646: packet_disconnect("Received data for nonexistent channel %d.", channel);
647:
648: if (!compat13) {
649: /* proto version 1.5 overloads CLOSE with IEOF */
650: chan_rcvd_ieof(&channels[channel]);
651: return;
652: }
1.27 markus 653:
654: /*
655: * Send a confirmation that we have closed the channel and no more
656: * data is coming for it.
657: */
1.25 markus 658: packet_start(SSH_MSG_CHANNEL_CLOSE_CONFIRMATION);
659: packet_put_int(channels[channel].remote_id);
660: packet_send();
661:
1.27 markus 662: /*
663: * If the channel is in closed state, we have sent a close request,
664: * and the other side will eventually respond with a confirmation.
665: * Thus, we cannot free the channel here, because then there would be
666: * no-one to receive the confirmation. The channel gets freed when
667: * the confirmation arrives.
668: */
1.25 markus 669: if (channels[channel].type != SSH_CHANNEL_CLOSED) {
1.27 markus 670: /*
671: * Not a closed channel - mark it as draining, which will
672: * cause it to be freed later.
673: */
1.25 markus 674: buffer_consume(&channels[channel].input,
675: buffer_len(&channels[channel].input));
676: channels[channel].type = SSH_CHANNEL_OUTPUT_DRAINING;
677: }
1.1 deraadt 678: }
679:
1.14 markus 680: /* This is called after receiving CHANNEL_CLOSE_CONFIRMATION/OCLOSE. */
1.1 deraadt 681:
1.25 markus 682: void
683: channel_input_close_confirmation()
1.1 deraadt 684: {
1.25 markus 685: int channel;
1.1 deraadt 686:
1.25 markus 687: /* Get the channel number and verify it. */
688: channel = packet_get_int();
689: if (channel < 0 || channel >= channels_alloc)
690: packet_disconnect("Received close confirmation for out-of-range channel %d.",
691: channel);
692:
693: if (!compat13) {
694: /* proto version 1.5 overloads CLOSE_CONFIRMATION with OCLOSE */
695: chan_rcvd_oclose(&channels[channel]);
696: return;
697: }
698: if (channels[channel].type != SSH_CHANNEL_CLOSED)
699: packet_disconnect("Received close confirmation for non-closed channel %d (type %d).",
700: channel, channels[channel].type);
1.1 deraadt 701:
1.25 markus 702: /* Free the channel. */
703: channel_free(channel);
1.1 deraadt 704: }
705:
706: /* This is called after receiving CHANNEL_OPEN_CONFIRMATION. */
707:
1.25 markus 708: void
709: channel_input_open_confirmation()
1.1 deraadt 710: {
1.25 markus 711: int channel, remote_channel;
1.1 deraadt 712:
1.25 markus 713: /* Get the channel number and verify it. */
714: channel = packet_get_int();
715: if (channel < 0 || channel >= channels_alloc ||
716: channels[channel].type != SSH_CHANNEL_OPENING)
717: packet_disconnect("Received open confirmation for non-opening channel %d.",
718: channel);
719:
720: /* Get remote side's id for this channel. */
721: remote_channel = packet_get_int();
722:
1.27 markus 723: /* Record the remote channel number and mark that the channel is now open. */
1.25 markus 724: channels[channel].remote_id = remote_channel;
725: channels[channel].type = SSH_CHANNEL_OPEN;
1.1 deraadt 726: }
727:
728: /* This is called after receiving CHANNEL_OPEN_FAILURE from the other side. */
729:
1.25 markus 730: void
731: channel_input_open_failure()
1.1 deraadt 732: {
1.25 markus 733: int channel;
734:
735: /* Get the channel number and verify it. */
736: channel = packet_get_int();
737: if (channel < 0 || channel >= channels_alloc ||
738: channels[channel].type != SSH_CHANNEL_OPENING)
739: packet_disconnect("Received open failure for non-opening channel %d.",
740: channel);
1.1 deraadt 741:
1.25 markus 742: /* Free the channel. This will also close the socket. */
743: channel_free(channel);
1.1 deraadt 744: }
745:
1.27 markus 746: /*
747: * Stops listening for channels, and removes any unix domain sockets that we
748: * might have.
749: */
1.1 deraadt 750:
1.25 markus 751: void
752: channel_stop_listening()
1.1 deraadt 753: {
1.25 markus 754: int i;
755: for (i = 0; i < channels_alloc; i++) {
756: switch (channels[i].type) {
757: case SSH_CHANNEL_AUTH_SOCKET:
758: close(channels[i].sock);
759: remove(channels[i].path);
760: channel_free(i);
761: break;
762: case SSH_CHANNEL_PORT_LISTENER:
763: case SSH_CHANNEL_X11_LISTENER:
764: close(channels[i].sock);
765: channel_free(i);
766: break;
767: default:
768: break;
769: }
1.1 deraadt 770: }
771: }
772:
1.27 markus 773: /*
774: * Closes the sockets of all channels. This is used to close extra file
775: * descriptors after a fork.
776: */
1.1 deraadt 777:
1.25 markus 778: void
779: channel_close_all()
1.1 deraadt 780: {
1.25 markus 781: int i;
782: for (i = 0; i < channels_alloc; i++) {
783: if (channels[i].type != SSH_CHANNEL_FREE)
784: close(channels[i].sock);
785: }
1.1 deraadt 786: }
787:
788: /* Returns the maximum file descriptor number used by the channels. */
789:
1.25 markus 790: int
791: channel_max_fd()
1.1 deraadt 792: {
1.25 markus 793: return channel_max_fd_value;
1.1 deraadt 794: }
795:
796: /* Returns true if any channel is still open. */
797:
1.25 markus 798: int
799: channel_still_open()
1.1 deraadt 800: {
1.25 markus 801: unsigned int i;
802: for (i = 0; i < channels_alloc; i++)
803: switch (channels[i].type) {
804: case SSH_CHANNEL_FREE:
805: case SSH_CHANNEL_X11_LISTENER:
806: case SSH_CHANNEL_PORT_LISTENER:
807: case SSH_CHANNEL_CLOSED:
808: case SSH_CHANNEL_AUTH_SOCKET:
809: continue;
810: case SSH_CHANNEL_OPENING:
811: case SSH_CHANNEL_OPEN:
812: case SSH_CHANNEL_X11_OPEN:
813: return 1;
814: case SSH_CHANNEL_INPUT_DRAINING:
815: case SSH_CHANNEL_OUTPUT_DRAINING:
816: if (!compat13)
817: fatal("cannot happen: OUT_DRAIN");
818: return 1;
819: default:
820: fatal("channel_still_open: bad channel type %d", channels[i].type);
821: /* NOTREACHED */
822: }
823: return 0;
1.1 deraadt 824: }
825:
1.27 markus 826: /*
827: * Returns a message describing the currently open forwarded connections,
828: * suitable for sending to the client. The message contains crlf pairs for
829: * newlines.
830: */
1.1 deraadt 831:
1.25 markus 832: char *
833: channel_open_message()
1.1 deraadt 834: {
1.25 markus 835: Buffer buffer;
836: int i;
837: char buf[512], *cp;
838:
839: buffer_init(&buffer);
840: snprintf(buf, sizeof buf, "The following connections are open:\r\n");
1.1 deraadt 841: buffer_append(&buffer, buf, strlen(buf));
1.25 markus 842: for (i = 0; i < channels_alloc; i++) {
843: Channel *c = &channels[i];
844: switch (c->type) {
845: case SSH_CHANNEL_FREE:
846: case SSH_CHANNEL_X11_LISTENER:
847: case SSH_CHANNEL_PORT_LISTENER:
848: case SSH_CHANNEL_CLOSED:
849: case SSH_CHANNEL_AUTH_SOCKET:
850: continue;
851: case SSH_CHANNEL_OPENING:
852: case SSH_CHANNEL_OPEN:
853: case SSH_CHANNEL_X11_OPEN:
854: case SSH_CHANNEL_INPUT_DRAINING:
855: case SSH_CHANNEL_OUTPUT_DRAINING:
856: snprintf(buf, sizeof buf, " #%d %.300s (t%d r%d i%d o%d)\r\n",
857: c->self, c->remote_name,
858: c->type, c->remote_id, c->istate, c->ostate);
859: buffer_append(&buffer, buf, strlen(buf));
860: continue;
861: default:
862: fatal("channel_still_open: bad channel type %d", c->type);
863: /* NOTREACHED */
864: }
865: }
866: buffer_append(&buffer, "\0", 1);
867: cp = xstrdup(buffer_ptr(&buffer));
868: buffer_free(&buffer);
869: return cp;
1.1 deraadt 870: }
871:
1.27 markus 872: /*
873: * Initiate forwarding of connections to local port "port" through the secure
874: * channel to host:port from remote side.
875: */
1.1 deraadt 876:
1.25 markus 877: void
1.31 markus 878: channel_request_local_forwarding(u_short port, const char *host,
1.33 markus 879: u_short host_port, int gateway_ports)
1.25 markus 880: {
1.28 markus 881: int ch, sock, on = 1;
1.25 markus 882: struct sockaddr_in sin;
1.28 markus 883: struct linger linger;
1.25 markus 884:
885: if (strlen(host) > sizeof(channels[0].path) - 1)
886: packet_disconnect("Forward host name too long.");
887:
888: /* Create a port to listen for the host. */
889: sock = socket(AF_INET, SOCK_STREAM, 0);
890: if (sock < 0)
891: packet_disconnect("socket: %.100s", strerror(errno));
892:
893: /* Initialize socket address. */
894: memset(&sin, 0, sizeof(sin));
895: sin.sin_family = AF_INET;
1.33 markus 896: if (gateway_ports == 1)
1.25 markus 897: sin.sin_addr.s_addr = htonl(INADDR_ANY);
898: else
899: sin.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
900: sin.sin_port = htons(port);
1.28 markus 901:
902: /*
903: * Set socket options. We would like the socket to disappear as soon
904: * as it has been closed for whatever reason.
905: */
906: setsockopt(sock, SOL_SOCKET, SO_REUSEADDR, (void *)&on, sizeof(on));
907: linger.l_onoff = 1;
908: linger.l_linger = 5;
909: setsockopt(sock, SOL_SOCKET, SO_LINGER, (void *) &linger, sizeof(linger));
1.25 markus 910:
911: /* Bind the socket to the address. */
912: if (bind(sock, (struct sockaddr *) & sin, sizeof(sin)) < 0)
913: packet_disconnect("bind: %.100s", strerror(errno));
914:
915: /* Start listening for connections on the socket. */
916: if (listen(sock, 5) < 0)
917: packet_disconnect("listen: %.100s", strerror(errno));
918:
919: /* Allocate a channel number for the socket. */
920: ch = channel_allocate(SSH_CHANNEL_PORT_LISTENER, sock,
921: xstrdup("port listener"));
1.32 deraadt 922: strlcpy(channels[ch].path, host, sizeof(channels[ch].path));
1.25 markus 923: channels[ch].host_port = host_port;
924: channels[ch].listening_port = port;
925: }
1.1 deraadt 926:
1.27 markus 927: /*
928: * Initiate forwarding of connections to port "port" on remote host through
929: * the secure channel to host:port from local side.
930: */
1.1 deraadt 931:
1.25 markus 932: void
1.31 markus 933: channel_request_remote_forwarding(u_short port, const char *host,
934: u_short remote_port)
1.25 markus 935: {
936: int payload_len;
937: /* Record locally that connection to this host/port is permitted. */
938: if (num_permitted_opens >= SSH_MAX_FORWARDS_PER_DIRECTION)
939: fatal("channel_request_remote_forwarding: too many forwards");
940:
941: permitted_opens[num_permitted_opens].host = xstrdup(host);
942: permitted_opens[num_permitted_opens].port = remote_port;
943: num_permitted_opens++;
944:
945: /* Send the forward request to the remote side. */
946: packet_start(SSH_CMSG_PORT_FORWARD_REQUEST);
947: packet_put_int(port);
948: packet_put_string(host, strlen(host));
949: packet_put_int(remote_port);
950: packet_send();
951: packet_write_wait();
952:
1.27 markus 953: /*
954: * Wait for response from the remote side. It will send a disconnect
955: * message on failure, and we will never see it here.
956: */
1.25 markus 957: packet_read_expect(&payload_len, SSH_SMSG_SUCCESS);
1.1 deraadt 958: }
959:
1.27 markus 960: /*
961: * This is called after receiving CHANNEL_FORWARDING_REQUEST. This initates
962: * listening for the port, and sends back a success reply (or disconnect
963: * message if there was an error). This never returns if there was an error.
964: */
1.1 deraadt 965:
1.25 markus 966: void
967: channel_input_port_forward_request(int is_root)
1.1 deraadt 968: {
1.31 markus 969: u_short port, host_port;
1.25 markus 970: char *hostname;
1.1 deraadt 971:
1.25 markus 972: /* Get arguments from the packet. */
973: port = packet_get_int();
974: hostname = packet_get_string(NULL);
975: host_port = packet_get_int();
976:
1.27 markus 977: /*
978: * Check that an unprivileged user is not trying to forward a
979: * privileged port.
980: */
1.25 markus 981: if (port < IPPORT_RESERVED && !is_root)
982: packet_disconnect("Requested forwarding of port %d but user is not root.",
983: port);
1.33 markus 984: /*
985: * Initiate forwarding,
986: * bind port to localhost only (gateway ports == 0).
987: */
988: channel_request_local_forwarding(port, hostname, host_port, 0);
1.25 markus 989:
990: /* Free the argument string. */
991: xfree(hostname);
1.1 deraadt 992: }
993:
1.27 markus 994: /*
995: * This is called after receiving PORT_OPEN message. This attempts to
996: * connect to the given host:port, and sends back CHANNEL_OPEN_CONFIRMATION
997: * or CHANNEL_OPEN_FAILURE.
998: */
1.1 deraadt 999:
1.25 markus 1000: void
1001: channel_input_port_open(int payload_len)
1.1 deraadt 1002: {
1.31 markus 1003: int remote_channel, sock, newch, i;
1004: u_short host_port;
1.25 markus 1005: struct sockaddr_in sin;
1006: char *host, *originator_string;
1007: struct hostent *hp;
1008: int host_len, originator_len;
1009:
1010: /* Get remote channel number. */
1011: remote_channel = packet_get_int();
1012:
1013: /* Get host name to connect to. */
1014: host = packet_get_string(&host_len);
1015:
1016: /* Get port to connect to. */
1017: host_port = packet_get_int();
1018:
1019: /* Get remote originator name. */
1.29 markus 1020: if (have_hostname_in_open) {
1.25 markus 1021: originator_string = packet_get_string(&originator_len);
1.29 markus 1022: originator_len += 4; /* size of packet_int */
1023: } else {
1.25 markus 1024: originator_string = xstrdup("unknown (remote did not supply name)");
1.29 markus 1025: originator_len = 0; /* no originator supplied */
1026: }
1.25 markus 1027:
1028: packet_integrity_check(payload_len,
1.29 markus 1029: 4 + 4 + host_len + 4 + originator_len,
1.25 markus 1030: SSH_MSG_PORT_OPEN);
1031:
1032: /* Check if opening that port is permitted. */
1033: if (!all_opens_permitted) {
1034: /* Go trough all permitted ports. */
1035: for (i = 0; i < num_permitted_opens; i++)
1036: if (permitted_opens[i].port == host_port &&
1037: strcmp(permitted_opens[i].host, host) == 0)
1038: break;
1039:
1040: /* Check if we found the requested port among those permitted. */
1041: if (i >= num_permitted_opens) {
1042: /* The port is not permitted. */
1043: log("Received request to connect to %.100s:%d, but the request was denied.",
1044: host, host_port);
1045: packet_start(SSH_MSG_CHANNEL_OPEN_FAILURE);
1046: packet_put_int(remote_channel);
1047: packet_send();
1048: }
1049: }
1050: memset(&sin, 0, sizeof(sin));
1051: sin.sin_addr.s_addr = inet_addr(host);
1052: if ((sin.sin_addr.s_addr & 0xffffffff) != 0xffffffff) {
1053: /* It was a valid numeric host address. */
1054: sin.sin_family = AF_INET;
1055: } else {
1056: /* Look up the host address from the name servers. */
1057: hp = gethostbyname(host);
1058: if (!hp) {
1059: error("%.100s: unknown host.", host);
1060: goto fail;
1061: }
1062: if (!hp->h_addr_list[0]) {
1063: error("%.100s: host has no IP address.", host);
1064: goto fail;
1065: }
1066: sin.sin_family = hp->h_addrtype;
1067: memcpy(&sin.sin_addr, hp->h_addr_list[0],
1068: sizeof(sin.sin_addr));
1069: }
1070: sin.sin_port = htons(host_port);
1071:
1072: /* Create the socket. */
1073: sock = socket(sin.sin_family, SOCK_STREAM, 0);
1074: if (sock < 0) {
1075: error("socket: %.100s", strerror(errno));
1076: goto fail;
1077: }
1078: /* Connect to the host/port. */
1079: if (connect(sock, (struct sockaddr *) & sin, sizeof(sin)) < 0) {
1080: error("connect %.100s:%d: %.100s", host, host_port,
1081: strerror(errno));
1082: close(sock);
1083: goto fail;
1084: }
1085: /* Successful connection. */
1086:
1087: /* Allocate a channel for this connection. */
1088: newch = channel_allocate(SSH_CHANNEL_OPEN, sock, originator_string);
1089: channels[newch].remote_id = remote_channel;
1090:
1091: /* Send a confirmation to the remote host. */
1092: packet_start(SSH_MSG_CHANNEL_OPEN_CONFIRMATION);
1093: packet_put_int(remote_channel);
1094: packet_put_int(newch);
1095: packet_send();
1096:
1097: /* Free the argument string. */
1098: xfree(host);
1099:
1100: return;
1101:
1102: fail:
1103: /* Free the argument string. */
1104: xfree(host);
1105:
1106: /* Send refusal to the remote host. */
1107: packet_start(SSH_MSG_CHANNEL_OPEN_FAILURE);
1108: packet_put_int(remote_channel);
1109: packet_send();
1.1 deraadt 1110: }
1111:
1.27 markus 1112: /*
1113: * Creates an internet domain socket for listening for X11 connections.
1114: * Returns a suitable value for the DISPLAY variable, or NULL if an error
1115: * occurs.
1116: */
1.1 deraadt 1117:
1.25 markus 1118: char *
1.33 markus 1119: x11_create_display_inet(int screen_number, int x11_display_offset)
1.1 deraadt 1120: {
1.31 markus 1121: int display_number, sock;
1122: u_short port;
1.25 markus 1123: struct sockaddr_in sin;
1124: char buf[512];
1125: char hostname[MAXHOSTNAMELEN];
1126:
1.33 markus 1127: for (display_number = x11_display_offset;
1.25 markus 1128: display_number < MAX_DISPLAYS;
1129: display_number++) {
1130: port = 6000 + display_number;
1131: memset(&sin, 0, sizeof(sin));
1132: sin.sin_family = AF_INET;
1133: sin.sin_addr.s_addr = htonl(INADDR_ANY);
1134: sin.sin_port = htons(port);
1135:
1136: sock = socket(AF_INET, SOCK_STREAM, 0);
1137: if (sock < 0) {
1138: error("socket: %.100s", strerror(errno));
1139: return NULL;
1140: }
1141: if (bind(sock, (struct sockaddr *) & sin, sizeof(sin)) < 0) {
1142: debug("bind port %d: %.100s", port, strerror(errno));
1143: shutdown(sock, SHUT_RDWR);
1144: close(sock);
1145: continue;
1146: }
1147: break;
1148: }
1149: if (display_number >= MAX_DISPLAYS) {
1150: error("Failed to allocate internet-domain X11 display socket.");
1151: return NULL;
1152: }
1153: /* Start listening for connections on the socket. */
1154: if (listen(sock, 5) < 0) {
1155: error("listen: %.100s", strerror(errno));
1156: shutdown(sock, SHUT_RDWR);
1157: close(sock);
1158: return NULL;
1159: }
1160: /* Set up a suitable value for the DISPLAY variable. */
1161: if (gethostname(hostname, sizeof(hostname)) < 0)
1162: fatal("gethostname: %.100s", strerror(errno));
1163: snprintf(buf, sizeof buf, "%.400s:%d.%d", hostname,
1164: display_number, screen_number);
1165:
1166: /* Allocate a channel for the socket. */
1167: (void) channel_allocate(SSH_CHANNEL_X11_LISTENER, sock,
1168: xstrdup("X11 inet listener"));
1.1 deraadt 1169:
1.25 markus 1170: /* Return a suitable value for the DISPLAY environment variable. */
1171: return xstrdup(buf);
1.1 deraadt 1172: }
1173:
1174: #ifndef X_UNIX_PATH
1175: #define X_UNIX_PATH "/tmp/.X11-unix/X"
1176: #endif
1177:
1178: static
1179: int
1.30 deraadt 1180: connect_local_xsocket(unsigned int dnr)
1.1 deraadt 1181: {
1.25 markus 1182: static const char *const x_sockets[] = {
1183: X_UNIX_PATH "%u",
1184: "/var/X/.X11-unix/X" "%u",
1185: "/usr/spool/sockets/X11/" "%u",
1186: NULL
1187: };
1188: int sock;
1189: struct sockaddr_un addr;
1190: const char *const * path;
1191:
1192: for (path = x_sockets; *path; ++path) {
1193: sock = socket(AF_UNIX, SOCK_STREAM, 0);
1194: if (sock < 0)
1195: error("socket: %.100s", strerror(errno));
1196: memset(&addr, 0, sizeof(addr));
1197: addr.sun_family = AF_UNIX;
1198: snprintf(addr.sun_path, sizeof addr.sun_path, *path, dnr);
1199: if (connect(sock, (struct sockaddr *) & addr, sizeof(addr)) == 0)
1200: return sock;
1201: close(sock);
1202: }
1203: error("connect %.100s: %.100s", addr.sun_path, strerror(errno));
1204: return -1;
1.1 deraadt 1205: }
1206:
1207:
1.27 markus 1208: /*
1209: * This is called when SSH_SMSG_X11_OPEN is received. The packet contains
1210: * the remote channel number. We should do whatever we want, and respond
1211: * with either SSH_MSG_OPEN_CONFIRMATION or SSH_MSG_OPEN_FAILURE.
1212: */
1.1 deraadt 1213:
1.25 markus 1214: void
1215: x11_input_open(int payload_len)
1.1 deraadt 1216: {
1.25 markus 1217: int remote_channel, display_number, sock, newch;
1218: const char *display;
1219: struct sockaddr_in sin;
1220: char buf[1024], *cp, *remote_host;
1221: struct hostent *hp;
1222: int remote_len;
1223:
1224: /* Get remote channel number. */
1225: remote_channel = packet_get_int();
1226:
1227: /* Get remote originator name. */
1.29 markus 1228: if (have_hostname_in_open) {
1.25 markus 1229: remote_host = packet_get_string(&remote_len);
1.29 markus 1230: remote_len += 4;
1231: } else {
1.25 markus 1232: remote_host = xstrdup("unknown (remote did not supply name)");
1.29 markus 1233: remote_len = 0;
1234: }
1.25 markus 1235:
1236: debug("Received X11 open request.");
1.29 markus 1237: packet_integrity_check(payload_len, 4 + remote_len, SSH_SMSG_X11_OPEN);
1.25 markus 1238:
1239: /* Try to open a socket for the local X server. */
1240: display = getenv("DISPLAY");
1241: if (!display) {
1242: error("DISPLAY not set.");
1243: goto fail;
1244: }
1.27 markus 1245: /*
1246: * Now we decode the value of the DISPLAY variable and make a
1247: * connection to the real X server.
1248: */
1249:
1250: /*
1251: * Check if it is a unix domain socket. Unix domain displays are in
1252: * one of the following formats: unix:d[.s], :d[.s], ::d[.s]
1253: */
1.25 markus 1254: if (strncmp(display, "unix:", 5) == 0 ||
1255: display[0] == ':') {
1256: /* Connect to the unix domain socket. */
1257: if (sscanf(strrchr(display, ':') + 1, "%d", &display_number) != 1) {
1258: error("Could not parse display number from DISPLAY: %.100s",
1259: display);
1260: goto fail;
1261: }
1262: /* Create a socket. */
1263: sock = connect_local_xsocket(display_number);
1264: if (sock < 0)
1265: goto fail;
1266:
1267: /* OK, we now have a connection to the display. */
1268: goto success;
1269: }
1.27 markus 1270: /*
1271: * Connect to an inet socket. The DISPLAY value is supposedly
1272: * hostname:d[.s], where hostname may also be numeric IP address.
1273: */
1.25 markus 1274: strncpy(buf, display, sizeof(buf));
1275: buf[sizeof(buf) - 1] = 0;
1276: cp = strchr(buf, ':');
1277: if (!cp) {
1278: error("Could not find ':' in DISPLAY: %.100s", display);
1279: goto fail;
1280: }
1281: *cp = 0;
1.27 markus 1282: /* buf now contains the host name. But first we parse the display number. */
1.25 markus 1283: if (sscanf(cp + 1, "%d", &display_number) != 1) {
1284: error("Could not parse display number from DISPLAY: %.100s",
1285: display);
1286: goto fail;
1287: }
1288: /* Try to parse the host name as a numeric IP address. */
1289: memset(&sin, 0, sizeof(sin));
1290: sin.sin_addr.s_addr = inet_addr(buf);
1291: if ((sin.sin_addr.s_addr & 0xffffffff) != 0xffffffff) {
1292: /* It was a valid numeric host address. */
1293: sin.sin_family = AF_INET;
1294: } else {
1295: /* Not a numeric IP address. */
1296: /* Look up the host address from the name servers. */
1297: hp = gethostbyname(buf);
1298: if (!hp) {
1299: error("%.100s: unknown host.", buf);
1300: goto fail;
1301: }
1302: if (!hp->h_addr_list[0]) {
1303: error("%.100s: host has no IP address.", buf);
1304: goto fail;
1305: }
1306: sin.sin_family = hp->h_addrtype;
1307: memcpy(&sin.sin_addr, hp->h_addr_list[0],
1308: sizeof(sin.sin_addr));
1309: }
1310: /* Set port number. */
1311: sin.sin_port = htons(6000 + display_number);
1312:
1313: /* Create a socket. */
1314: sock = socket(sin.sin_family, SOCK_STREAM, 0);
1315: if (sock < 0) {
1316: error("socket: %.100s", strerror(errno));
1317: goto fail;
1318: }
1319: /* Connect it to the display. */
1320: if (connect(sock, (struct sockaddr *) & sin, sizeof(sin)) < 0) {
1321: error("connect %.100s:%d: %.100s", buf, 6000 + display_number,
1322: strerror(errno));
1323: close(sock);
1324: goto fail;
1325: }
1326: success:
1327: /* We have successfully obtained a connection to the real X display. */
1328:
1329: /* Allocate a channel for this connection. */
1330: if (x11_saved_proto == NULL)
1331: newch = channel_allocate(SSH_CHANNEL_OPEN, sock, remote_host);
1332: else
1333: newch = channel_allocate(SSH_CHANNEL_X11_OPEN, sock, remote_host);
1334: channels[newch].remote_id = remote_channel;
1335:
1336: /* Send a confirmation to the remote host. */
1337: packet_start(SSH_MSG_CHANNEL_OPEN_CONFIRMATION);
1338: packet_put_int(remote_channel);
1339: packet_put_int(newch);
1340: packet_send();
1341:
1342: return;
1343:
1344: fail:
1345: /* Send refusal to the remote host. */
1346: packet_start(SSH_MSG_CHANNEL_OPEN_FAILURE);
1347: packet_put_int(remote_channel);
1348: packet_send();
1.1 deraadt 1349: }
1350:
1.27 markus 1351: /*
1352: * Requests forwarding of X11 connections, generates fake authentication
1353: * data, and enables authentication spoofing.
1354: */
1.1 deraadt 1355:
1.25 markus 1356: void
1357: x11_request_forwarding_with_spoofing(const char *proto, const char *data)
1.1 deraadt 1358: {
1.25 markus 1359: unsigned int data_len = (unsigned int) strlen(data) / 2;
1360: unsigned int i, value;
1361: char *new_data;
1362: int screen_number;
1363: const char *cp;
1364: u_int32_t rand = 0;
1365:
1366: cp = getenv("DISPLAY");
1367: if (cp)
1368: cp = strchr(cp, ':');
1369: if (cp)
1370: cp = strchr(cp, '.');
1371: if (cp)
1372: screen_number = atoi(cp + 1);
1373: else
1374: screen_number = 0;
1375:
1376: /* Save protocol name. */
1377: x11_saved_proto = xstrdup(proto);
1378:
1.27 markus 1379: /*
1380: * Extract real authentication data and generate fake data of the
1381: * same length.
1382: */
1.25 markus 1383: x11_saved_data = xmalloc(data_len);
1384: x11_fake_data = xmalloc(data_len);
1385: for (i = 0; i < data_len; i++) {
1386: if (sscanf(data + 2 * i, "%2x", &value) != 1)
1387: fatal("x11_request_forwarding: bad authentication data: %.100s", data);
1388: if (i % 4 == 0)
1389: rand = arc4random();
1390: x11_saved_data[i] = value;
1391: x11_fake_data[i] = rand & 0xff;
1392: rand >>= 8;
1393: }
1394: x11_saved_data_len = data_len;
1395: x11_fake_data_len = data_len;
1396:
1397: /* Convert the fake data into hex. */
1398: new_data = xmalloc(2 * data_len + 1);
1399: for (i = 0; i < data_len; i++)
1400: sprintf(new_data + 2 * i, "%02x", (unsigned char) x11_fake_data[i]);
1401:
1402: /* Send the request packet. */
1403: packet_start(SSH_CMSG_X11_REQUEST_FORWARDING);
1404: packet_put_string(proto, strlen(proto));
1405: packet_put_string(new_data, strlen(new_data));
1406: packet_put_int(screen_number);
1407: packet_send();
1408: packet_write_wait();
1409: xfree(new_data);
1.1 deraadt 1410: }
1411:
1412: /* Sends a message to the server to request authentication fd forwarding. */
1413:
1.25 markus 1414: void
1415: auth_request_forwarding()
1.1 deraadt 1416: {
1.25 markus 1417: packet_start(SSH_CMSG_AGENT_REQUEST_FORWARDING);
1418: packet_send();
1419: packet_write_wait();
1.1 deraadt 1420: }
1421:
1.27 markus 1422: /*
1423: * Returns the name of the forwarded authentication socket. Returns NULL if
1424: * there is no forwarded authentication socket. The returned value points to
1425: * a static buffer.
1426: */
1.1 deraadt 1427:
1.25 markus 1428: char *
1429: auth_get_socket_name()
1.1 deraadt 1430: {
1.25 markus 1431: return channel_forwarded_auth_socket_name;
1.1 deraadt 1432: }
1433:
1.12 markus 1434: /* removes the agent forwarding socket */
1435:
1.25 markus 1436: void
1437: cleanup_socket(void)
1438: {
1439: remove(channel_forwarded_auth_socket_name);
1440: rmdir(channel_forwarded_auth_socket_dir);
1.12 markus 1441: }
1442:
1.27 markus 1443: /*
1444: * This if called to process SSH_CMSG_AGENT_REQUEST_FORWARDING on the server.
1445: * This starts forwarding authentication requests.
1446: */
1.1 deraadt 1447:
1.25 markus 1448: void
1449: auth_input_request_forwarding(struct passwd * pw)
1.1 deraadt 1450: {
1.25 markus 1451: int sock, newch;
1452: struct sockaddr_un sunaddr;
1453:
1454: if (auth_get_socket_name() != NULL)
1455: fatal("Protocol error: authentication forwarding requested twice.");
1456:
1457: /* Temporarily drop privileged uid for mkdir/bind. */
1458: temporarily_use_uid(pw->pw_uid);
1459:
1460: /* Allocate a buffer for the socket name, and format the name. */
1461: channel_forwarded_auth_socket_name = xmalloc(MAX_SOCKET_NAME);
1462: channel_forwarded_auth_socket_dir = xmalloc(MAX_SOCKET_NAME);
1463: strlcpy(channel_forwarded_auth_socket_dir, "/tmp/ssh-XXXXXXXX", MAX_SOCKET_NAME);
1464:
1465: /* Create private directory for socket */
1466: if (mkdtemp(channel_forwarded_auth_socket_dir) == NULL)
1467: packet_disconnect("mkdtemp: %.100s", strerror(errno));
1468: snprintf(channel_forwarded_auth_socket_name, MAX_SOCKET_NAME, "%s/agent.%d",
1469: channel_forwarded_auth_socket_dir, (int) getpid());
1470:
1471: if (atexit(cleanup_socket) < 0) {
1472: int saved = errno;
1473: cleanup_socket();
1474: packet_disconnect("socket: %.100s", strerror(saved));
1475: }
1476: /* Create the socket. */
1477: sock = socket(AF_UNIX, SOCK_STREAM, 0);
1478: if (sock < 0)
1479: packet_disconnect("socket: %.100s", strerror(errno));
1480:
1481: /* Bind it to the name. */
1482: memset(&sunaddr, 0, sizeof(sunaddr));
1483: sunaddr.sun_family = AF_UNIX;
1484: strncpy(sunaddr.sun_path, channel_forwarded_auth_socket_name,
1485: sizeof(sunaddr.sun_path));
1486:
1487: if (bind(sock, (struct sockaddr *) & sunaddr, sizeof(sunaddr)) < 0)
1488: packet_disconnect("bind: %.100s", strerror(errno));
1489:
1490: /* Restore the privileged uid. */
1491: restore_uid();
1492:
1493: /* Start listening on the socket. */
1494: if (listen(sock, 5) < 0)
1495: packet_disconnect("listen: %.100s", strerror(errno));
1496:
1497: /* Allocate a channel for the authentication agent socket. */
1498: newch = channel_allocate(SSH_CHANNEL_AUTH_SOCKET, sock,
1499: xstrdup("auth socket"));
1.32 deraadt 1500: strlcpy(channels[newch].path, channel_forwarded_auth_socket_name,
1501: sizeof(channels[newch].path));
1.1 deraadt 1502: }
1503:
1504: /* This is called to process an SSH_SMSG_AGENT_OPEN message. */
1505:
1.25 markus 1506: void
1507: auth_input_open_request()
1.1 deraadt 1508: {
1.25 markus 1509: int remch, sock, newch;
1510: char *dummyname;
1511:
1512: /* Read the remote channel number from the message. */
1513: remch = packet_get_int();
1514:
1.27 markus 1515: /*
1516: * Get a connection to the local authentication agent (this may again
1517: * get forwarded).
1518: */
1.25 markus 1519: sock = ssh_get_authentication_socket();
1520:
1.27 markus 1521: /*
1522: * If we could not connect the agent, send an error message back to
1523: * the server. This should never happen unless the agent dies,
1524: * because authentication forwarding is only enabled if we have an
1525: * agent.
1526: */
1.25 markus 1527: if (sock < 0) {
1528: packet_start(SSH_MSG_CHANNEL_OPEN_FAILURE);
1529: packet_put_int(remch);
1530: packet_send();
1531: return;
1532: }
1533: debug("Forwarding authentication connection.");
1.1 deraadt 1534:
1.27 markus 1535: /*
1536: * Dummy host name. This will be freed when the channel is freed; it
1537: * will still be valid in the packet_put_string below since the
1538: * channel cannot yet be freed at that point.
1539: */
1.25 markus 1540: dummyname = xstrdup("authentication agent connection");
1541:
1542: newch = channel_allocate(SSH_CHANNEL_OPEN, sock, dummyname);
1543: channels[newch].remote_id = remch;
1544:
1545: /* Send a confirmation to the remote host. */
1546: packet_start(SSH_MSG_CHANNEL_OPEN_CONFIRMATION);
1547: packet_put_int(remch);
1548: packet_put_int(newch);
1549: packet_send();
1.1 deraadt 1550: }