Annotation of src/usr.bin/ssh/channels.c, Revision 1.37
1.1 deraadt 1: /*
1.26 deraadt 2: *
3: * channels.c
4: *
5: * Author: Tatu Ylonen <ylo@cs.hut.fi>
6: *
7: * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
8: * All rights reserved
9: *
10: * Created: Fri Mar 24 16:35:24 1995 ylo
11: *
12: * This file contains functions for generic socket connection forwarding.
13: * There is also code for initiating connection forwarding for X11 connections,
14: * arbitrary tcp/ip connections, and the authentication agent connection.
15: *
16: */
1.1 deraadt 17:
18: #include "includes.h"
1.37 ! markus 19: RCSID("$Id: channels.c,v 1.36 2000/01/04 07:52:03 markus Exp $");
1.1 deraadt 20:
21: #include "ssh.h"
22: #include "packet.h"
23: #include "xmalloc.h"
24: #include "buffer.h"
25: #include "authfd.h"
26: #include "uidswap.h"
1.20 markus 27: #include "readconf.h"
1.3 deraadt 28: #include "servconf.h"
1.1 deraadt 29:
1.14 markus 30: #include "channels.h"
31: #include "nchan.h"
32: #include "compat.h"
33:
1.1 deraadt 34: /* Maximum number of fake X11 displays to try. */
35: #define MAX_DISPLAYS 1000
36:
1.12 markus 37: /* Max len of agent socket */
38: #define MAX_SOCKET_NAME 100
39:
1.27 markus 40: /*
41: * Pointer to an array containing all allocated channels. The array is
42: * dynamically extended as needed.
43: */
1.1 deraadt 44: static Channel *channels = NULL;
45:
1.27 markus 46: /*
47: * Size of the channel array. All slots of the array must always be
48: * initialized (at least the type field); unused slots are marked with type
49: * SSH_CHANNEL_FREE.
50: */
1.1 deraadt 51: static int channels_alloc = 0;
52:
1.27 markus 53: /*
54: * Maximum file descriptor value used in any of the channels. This is
55: * updated in channel_allocate.
56: */
1.1 deraadt 57: static int channel_max_fd_value = 0;
58:
1.12 markus 59: /* Name and directory of socket for authentication agent forwarding. */
1.1 deraadt 60: static char *channel_forwarded_auth_socket_name = NULL;
1.25 markus 61: static char *channel_forwarded_auth_socket_dir = NULL;
1.1 deraadt 62:
63: /* Saved X11 authentication protocol name. */
64: char *x11_saved_proto = NULL;
65:
66: /* Saved X11 authentication data. This is the real data. */
67: char *x11_saved_data = NULL;
68: unsigned int x11_saved_data_len = 0;
69:
1.27 markus 70: /*
71: * Fake X11 authentication data. This is what the server will be sending us;
72: * we should replace any occurrences of this by the real data.
73: */
1.1 deraadt 74: char *x11_fake_data = NULL;
75: unsigned int x11_fake_data_len;
76:
1.27 markus 77: /*
78: * Data structure for storing which hosts are permitted for forward requests.
79: * The local sides of any remote forwards are stored in this array to prevent
80: * a corrupt remote server from accessing arbitrary TCP/IP ports on our local
81: * network (which might be behind a firewall).
82: */
1.25 markus 83: typedef struct {
84: char *host; /* Host name. */
1.31 markus 85: u_short port; /* Port number. */
1.1 deraadt 86: } ForwardPermission;
87:
88: /* List of all permitted host/port pairs to connect. */
89: static ForwardPermission permitted_opens[SSH_MAX_FORWARDS_PER_DIRECTION];
90: /* Number of permitted host/port pairs in the array. */
91: static int num_permitted_opens = 0;
1.27 markus 92: /*
93: * If this is true, all opens are permitted. This is the case on the server
94: * on which we have to trust the client anyway, and the user could do
95: * anything after logging in anyway.
96: */
1.1 deraadt 97: static int all_opens_permitted = 0;
98:
99: /* This is set to true if both sides support SSH_PROTOFLAG_HOST_IN_FWD_OPEN. */
100: static int have_hostname_in_open = 0;
101:
102: /* Sets specific protocol options. */
103:
1.25 markus 104: void
105: channel_set_options(int hostname_in_open)
1.1 deraadt 106: {
1.25 markus 107: have_hostname_in_open = hostname_in_open;
1.1 deraadt 108: }
109:
1.27 markus 110: /*
111: * Permits opening to any host/port in SSH_MSG_PORT_OPEN. This is usually
112: * called by the server, because the user could connect to any port anyway,
113: * and the server has no way to know but to trust the client anyway.
114: */
1.1 deraadt 115:
1.25 markus 116: void
117: channel_permit_all_opens()
1.1 deraadt 118: {
1.25 markus 119: all_opens_permitted = 1;
1.1 deraadt 120: }
121:
1.27 markus 122: /*
123: * Allocate a new channel object and set its type and socket. This will cause
124: * remote_name to be freed.
125: */
1.1 deraadt 126:
1.25 markus 127: int
128: channel_allocate(int type, int sock, char *remote_name)
1.1 deraadt 129: {
1.25 markus 130: int i, found;
131: Channel *c;
1.1 deraadt 132:
1.25 markus 133: /* Update the maximum file descriptor value. */
134: if (sock > channel_max_fd_value)
135: channel_max_fd_value = sock;
1.27 markus 136: /* XXX set close-on-exec -markus */
1.25 markus 137:
138: /* Do initial allocation if this is the first call. */
139: if (channels_alloc == 0) {
140: channels_alloc = 10;
141: channels = xmalloc(channels_alloc * sizeof(Channel));
142: for (i = 0; i < channels_alloc; i++)
143: channels[i].type = SSH_CHANNEL_FREE;
1.27 markus 144: /*
145: * Kludge: arrange a call to channel_stop_listening if we
146: * terminate with fatal().
147: */
1.25 markus 148: fatal_add_cleanup((void (*) (void *)) channel_stop_listening, NULL);
149: }
150: /* Try to find a free slot where to put the new channel. */
151: for (found = -1, i = 0; i < channels_alloc; i++)
152: if (channels[i].type == SSH_CHANNEL_FREE) {
153: /* Found a free slot. */
154: found = i;
155: break;
156: }
157: if (found == -1) {
1.27 markus 158: /* There are no free slots. Take last+1 slot and expand the array. */
1.25 markus 159: found = channels_alloc;
160: channels_alloc += 10;
161: debug("channel: expanding %d", channels_alloc);
162: channels = xrealloc(channels, channels_alloc * sizeof(Channel));
163: for (i = found; i < channels_alloc; i++)
164: channels[i].type = SSH_CHANNEL_FREE;
165: }
166: /* Initialize and return new channel number. */
167: c = &channels[found];
168: buffer_init(&c->input);
169: buffer_init(&c->output);
170: chan_init_iostates(c);
171: c->self = found;
172: c->type = type;
173: c->sock = sock;
174: c->remote_id = -1;
175: c->remote_name = remote_name;
176: debug("channel %d: new [%s]", found, remote_name);
177: return found;
1.1 deraadt 178: }
179:
180: /* Free the channel and close its socket. */
181:
1.25 markus 182: void
183: channel_free(int channel)
1.1 deraadt 184: {
1.25 markus 185: if (channel < 0 || channel >= channels_alloc ||
186: channels[channel].type == SSH_CHANNEL_FREE)
187: packet_disconnect("channel free: bad local channel %d", channel);
188:
189: if (compat13)
190: shutdown(channels[channel].sock, SHUT_RDWR);
191: close(channels[channel].sock);
192: buffer_free(&channels[channel].input);
193: buffer_free(&channels[channel].output);
194: channels[channel].type = SSH_CHANNEL_FREE;
195: if (channels[channel].remote_name) {
196: xfree(channels[channel].remote_name);
197: channels[channel].remote_name = NULL;
198: }
1.1 deraadt 199: }
200:
1.27 markus 201: /*
202: * This is called just before select() to add any bits relevant to channels
203: * in the select bitmasks.
204: */
1.1 deraadt 205:
1.25 markus 206: void
207: channel_prepare_select(fd_set * readset, fd_set * writeset)
1.1 deraadt 208: {
1.25 markus 209: int i;
210: Channel *ch;
211: unsigned char *ucp;
212: unsigned int proto_len, data_len;
213:
214: for (i = 0; i < channels_alloc; i++) {
215: ch = &channels[i];
216: redo:
217: switch (ch->type) {
218: case SSH_CHANNEL_X11_LISTENER:
219: case SSH_CHANNEL_PORT_LISTENER:
220: case SSH_CHANNEL_AUTH_SOCKET:
221: FD_SET(ch->sock, readset);
222: break;
223:
224: case SSH_CHANNEL_OPEN:
225: if (compat13) {
226: if (buffer_len(&ch->input) < packet_get_maxsize())
227: FD_SET(ch->sock, readset);
228: if (buffer_len(&ch->output) > 0)
229: FD_SET(ch->sock, writeset);
230: break;
231: }
232: /* test whether sockets are 'alive' for read/write */
233: if (ch->istate == CHAN_INPUT_OPEN)
234: if (buffer_len(&ch->input) < packet_get_maxsize())
235: FD_SET(ch->sock, readset);
236: if (ch->ostate == CHAN_OUTPUT_OPEN ||
237: ch->ostate == CHAN_OUTPUT_WAIT_DRAIN) {
238: if (buffer_len(&ch->output) > 0) {
239: FD_SET(ch->sock, writeset);
240: } else if (ch->ostate == CHAN_OUTPUT_WAIT_DRAIN) {
241: chan_obuf_empty(ch);
242: }
243: }
244: break;
245:
246: case SSH_CHANNEL_INPUT_DRAINING:
247: if (!compat13)
248: fatal("cannot happen: IN_DRAIN");
249: if (buffer_len(&ch->input) == 0) {
250: packet_start(SSH_MSG_CHANNEL_CLOSE);
251: packet_put_int(ch->remote_id);
252: packet_send();
253: ch->type = SSH_CHANNEL_CLOSED;
1.34 markus 254: debug("Closing channel %d after input drain.", ch->self);
1.25 markus 255: break;
256: }
257: break;
258:
259: case SSH_CHANNEL_OUTPUT_DRAINING:
260: if (!compat13)
261: fatal("cannot happen: OUT_DRAIN");
262: if (buffer_len(&ch->output) == 0) {
263: channel_free(i);
264: break;
265: }
266: FD_SET(ch->sock, writeset);
267: break;
268:
269: case SSH_CHANNEL_X11_OPEN:
1.27 markus 270: /*
271: * This is a special state for X11 authentication
272: * spoofing. An opened X11 connection (when
273: * authentication spoofing is being done) remains in
274: * this state until the first packet has been
275: * completely read. The authentication data in that
276: * packet is then substituted by the real data if it
277: * matches the fake data, and the channel is put into
278: * normal mode.
279: */
1.25 markus 280: /* Check if the fixed size part of the packet is in buffer. */
281: if (buffer_len(&ch->output) < 12)
282: break;
283:
284: /* Parse the lengths of variable-length fields. */
285: ucp = (unsigned char *) buffer_ptr(&ch->output);
286: if (ucp[0] == 0x42) { /* Byte order MSB first. */
287: proto_len = 256 * ucp[6] + ucp[7];
288: data_len = 256 * ucp[8] + ucp[9];
289: } else if (ucp[0] == 0x6c) { /* Byte order LSB first. */
290: proto_len = ucp[6] + 256 * ucp[7];
291: data_len = ucp[8] + 256 * ucp[9];
292: } else {
293: debug("Initial X11 packet contains bad byte order byte: 0x%x",
294: ucp[0]);
295: ch->type = SSH_CHANNEL_OPEN;
296: goto reject;
297: }
298:
299: /* Check if the whole packet is in buffer. */
300: if (buffer_len(&ch->output) <
301: 12 + ((proto_len + 3) & ~3) + ((data_len + 3) & ~3))
302: break;
303:
304: /* Check if authentication protocol matches. */
305: if (proto_len != strlen(x11_saved_proto) ||
306: memcmp(ucp + 12, x11_saved_proto, proto_len) != 0) {
307: debug("X11 connection uses different authentication protocol.");
308: ch->type = SSH_CHANNEL_OPEN;
309: goto reject;
310: }
311: /* Check if authentication data matches our fake data. */
312: if (data_len != x11_fake_data_len ||
313: memcmp(ucp + 12 + ((proto_len + 3) & ~3),
314: x11_fake_data, x11_fake_data_len) != 0) {
315: debug("X11 auth data does not match fake data.");
316: ch->type = SSH_CHANNEL_OPEN;
317: goto reject;
318: }
319: /* Check fake data length */
320: if (x11_fake_data_len != x11_saved_data_len) {
321: error("X11 fake_data_len %d != saved_data_len %d",
322: x11_fake_data_len, x11_saved_data_len);
323: ch->type = SSH_CHANNEL_OPEN;
324: goto reject;
325: }
1.27 markus 326: /*
327: * Received authentication protocol and data match
328: * our fake data. Substitute the fake data with real
329: * data.
330: */
1.25 markus 331: memcpy(ucp + 12 + ((proto_len + 3) & ~3),
332: x11_saved_data, x11_saved_data_len);
333:
334: /* Start normal processing for the channel. */
335: ch->type = SSH_CHANNEL_OPEN;
336: goto redo;
337:
1.1 deraadt 338: reject:
1.27 markus 339: /*
340: * We have received an X11 connection that has bad
341: * authentication information.
342: */
1.25 markus 343: log("X11 connection rejected because of wrong authentication.\r\n");
344: buffer_clear(&ch->input);
345: buffer_clear(&ch->output);
346: if (compat13) {
347: close(ch->sock);
348: ch->sock = -1;
349: ch->type = SSH_CHANNEL_CLOSED;
350: packet_start(SSH_MSG_CHANNEL_CLOSE);
351: packet_put_int(ch->remote_id);
352: packet_send();
353: } else {
354: debug("X11 rejected %d i%d/o%d", ch->self, ch->istate, ch->ostate);
355: chan_read_failed(ch);
356: chan_write_failed(ch);
357: debug("X11 rejected %d i%d/o%d", ch->self, ch->istate, ch->ostate);
358: }
359: break;
360:
361: case SSH_CHANNEL_FREE:
362: default:
363: continue;
364: }
1.1 deraadt 365: }
366: }
367:
1.27 markus 368: /*
369: * After select, perform any appropriate operations for channels which have
370: * events pending.
371: */
1.1 deraadt 372:
1.25 markus 373: void
374: channel_after_select(fd_set * readset, fd_set * writeset)
1.1 deraadt 375: {
1.25 markus 376: struct sockaddr addr;
1.35 markus 377: int newsock, i, newch, len;
378: socklen_t addrlen;
1.25 markus 379: Channel *ch;
380: char buf[16384], *remote_hostname;
381:
382: /* Loop over all channels... */
383: for (i = 0; i < channels_alloc; i++) {
384: ch = &channels[i];
385: switch (ch->type) {
386: case SSH_CHANNEL_X11_LISTENER:
387: /* This is our fake X11 server socket. */
388: if (FD_ISSET(ch->sock, readset)) {
389: debug("X11 connection requested.");
390: addrlen = sizeof(addr);
391: newsock = accept(ch->sock, &addr, &addrlen);
392: if (newsock < 0) {
393: error("accept: %.100s", strerror(errno));
394: break;
395: }
396: remote_hostname = get_remote_hostname(newsock);
397: snprintf(buf, sizeof buf, "X11 connection from %.200s port %d",
398: remote_hostname, get_peer_port(newsock));
399: xfree(remote_hostname);
400: newch = channel_allocate(SSH_CHANNEL_OPENING, newsock,
401: xstrdup(buf));
402: packet_start(SSH_SMSG_X11_OPEN);
403: packet_put_int(newch);
404: if (have_hostname_in_open)
405: packet_put_string(buf, strlen(buf));
406: packet_send();
407: }
408: break;
409:
410: case SSH_CHANNEL_PORT_LISTENER:
1.27 markus 411: /*
412: * This socket is listening for connections to a
413: * forwarded TCP/IP port.
414: */
1.25 markus 415: if (FD_ISSET(ch->sock, readset)) {
1.35 markus 416: debug("Connection to port %d forwarding to %.100s port %d requested.",
1.25 markus 417: ch->listening_port, ch->path, ch->host_port);
418: addrlen = sizeof(addr);
419: newsock = accept(ch->sock, &addr, &addrlen);
420: if (newsock < 0) {
421: error("accept: %.100s", strerror(errno));
422: break;
423: }
424: remote_hostname = get_remote_hostname(newsock);
1.35 markus 425: snprintf(buf, sizeof buf, "listen port %d for %.100s port %d, connect from %.200s port %d",
1.25 markus 426: ch->listening_port, ch->path, ch->host_port,
427: remote_hostname, get_peer_port(newsock));
428: xfree(remote_hostname);
429: newch = channel_allocate(SSH_CHANNEL_OPENING, newsock,
430: xstrdup(buf));
431: packet_start(SSH_MSG_PORT_OPEN);
432: packet_put_int(newch);
433: packet_put_string(ch->path, strlen(ch->path));
434: packet_put_int(ch->host_port);
435: if (have_hostname_in_open)
436: packet_put_string(buf, strlen(buf));
437: packet_send();
438: }
439: break;
440:
441: case SSH_CHANNEL_AUTH_SOCKET:
1.27 markus 442: /*
443: * This is the authentication agent socket listening
444: * for connections from clients.
445: */
1.25 markus 446: if (FD_ISSET(ch->sock, readset)) {
1.34 markus 447: addrlen = sizeof(addr);
448: newsock = accept(ch->sock, &addr, &addrlen);
1.25 markus 449: if (newsock < 0) {
450: error("accept from auth socket: %.100s", strerror(errno));
451: break;
452: }
1.34 markus 453: newch = channel_allocate(SSH_CHANNEL_OPENING, newsock,
1.25 markus 454: xstrdup("accepted auth socket"));
455: packet_start(SSH_SMSG_AGENT_OPEN);
1.34 markus 456: packet_put_int(newch);
1.25 markus 457: packet_send();
458: }
459: break;
460:
461: case SSH_CHANNEL_OPEN:
1.27 markus 462: /*
463: * This is an open two-way communication channel. It
464: * is not of interest to us at this point what kind
465: * of data is being transmitted.
466: */
467:
468: /*
469: * Read available incoming data and append it to
470: * buffer; shutdown socket, if read or write failes
471: */
1.25 markus 472: if (FD_ISSET(ch->sock, readset)) {
473: len = read(ch->sock, buf, sizeof(buf));
474: if (len <= 0) {
475: if (compat13) {
476: buffer_consume(&ch->output, buffer_len(&ch->output));
477: ch->type = SSH_CHANNEL_INPUT_DRAINING;
478: debug("Channel %d status set to input draining.", i);
479: } else {
480: chan_read_failed(ch);
481: }
482: break;
483: }
484: buffer_append(&ch->input, buf, len);
485: }
486: /* Send buffered output data to the socket. */
487: if (FD_ISSET(ch->sock, writeset) && buffer_len(&ch->output) > 0) {
488: len = write(ch->sock, buffer_ptr(&ch->output),
489: buffer_len(&ch->output));
490: if (len <= 0) {
491: if (compat13) {
492: buffer_consume(&ch->output, buffer_len(&ch->output));
493: debug("Channel %d status set to input draining.", i);
494: ch->type = SSH_CHANNEL_INPUT_DRAINING;
495: } else {
496: chan_write_failed(ch);
497: }
498: break;
499: }
500: buffer_consume(&ch->output, len);
501: }
502: break;
503:
504: case SSH_CHANNEL_OUTPUT_DRAINING:
505: if (!compat13)
506: fatal("cannot happen: OUT_DRAIN");
507: /* Send buffered output data to the socket. */
508: if (FD_ISSET(ch->sock, writeset) && buffer_len(&ch->output) > 0) {
509: len = write(ch->sock, buffer_ptr(&ch->output),
510: buffer_len(&ch->output));
511: if (len <= 0)
512: buffer_consume(&ch->output, buffer_len(&ch->output));
513: else
514: buffer_consume(&ch->output, len);
515: }
516: break;
517:
518: case SSH_CHANNEL_X11_OPEN:
519: case SSH_CHANNEL_FREE:
520: default:
521: continue;
1.1 deraadt 522: }
523: }
524: }
525:
526: /* If there is data to send to the connection, send some of it now. */
527:
1.25 markus 528: void
529: channel_output_poll()
1.1 deraadt 530: {
1.25 markus 531: int len, i;
532: Channel *ch;
1.1 deraadt 533:
1.25 markus 534: for (i = 0; i < channels_alloc; i++) {
535: ch = &channels[i];
1.37 ! markus 536:
1.27 markus 537: /* We are only interested in channels that can have buffered incoming data. */
1.37 ! markus 538: if (compat13) {
! 539: if (ch->type != SSH_CHANNEL_OPEN &&
! 540: ch->type != SSH_CHANNEL_INPUT_DRAINING)
! 541: continue;
! 542: } else {
! 543: if (ch->type != SSH_CHANNEL_OPEN)
! 544: continue;
! 545: if (ch->istate != CHAN_INPUT_OPEN &&
! 546: ch->istate != CHAN_INPUT_WAIT_DRAIN)
! 547: continue;
! 548: }
1.25 markus 549:
550: /* Get the amount of buffered data for this channel. */
551: len = buffer_len(&ch->input);
552: if (len > 0) {
1.27 markus 553: /* Send some data for the other side over the secure connection. */
1.25 markus 554: if (packet_is_interactive()) {
555: if (len > 1024)
556: len = 512;
557: } else {
558: /* Keep the packets at reasonable size. */
1.34 markus 559: if (len > packet_get_maxsize()/2)
560: len = packet_get_maxsize()/2;
1.25 markus 561: }
562: packet_start(SSH_MSG_CHANNEL_DATA);
563: packet_put_int(ch->remote_id);
564: packet_put_string(buffer_ptr(&ch->input), len);
565: packet_send();
566: buffer_consume(&ch->input, len);
567: } else if (ch->istate == CHAN_INPUT_WAIT_DRAIN) {
568: if (compat13)
569: fatal("cannot happen: istate == INPUT_WAIT_DRAIN for proto 1.3");
1.27 markus 570: /*
571: * input-buffer is empty and read-socket shutdown:
572: * tell peer, that we will not send more data: send IEOF
573: */
1.25 markus 574: chan_ibuf_empty(ch);
575: }
576: }
1.1 deraadt 577: }
578:
1.27 markus 579: /*
580: * This is called when a packet of type CHANNEL_DATA has just been received.
581: * The message type has already been consumed, but channel number and data is
582: * still there.
583: */
1.1 deraadt 584:
1.25 markus 585: void
586: channel_input_data(int payload_len)
1.1 deraadt 587: {
1.37 ! markus 588: int id;
1.25 markus 589: char *data;
590: unsigned int data_len;
1.37 ! markus 591: Channel *ch;
1.25 markus 592:
593: /* Get the channel number and verify it. */
1.37 ! markus 594: id = packet_get_int();
! 595: if (id < 0 || id >= channels_alloc)
! 596: packet_disconnect("Received data for nonexistent channel %d.", id);
! 597: ch = &channels[id];
! 598:
! 599: if (ch->type == SSH_CHANNEL_FREE)
! 600: packet_disconnect("Received data for free channel %d.", ch->self);
1.25 markus 601:
602: /* Ignore any data for non-open channels (might happen on close) */
1.37 ! markus 603: if (ch->type != SSH_CHANNEL_OPEN &&
! 604: ch->type != SSH_CHANNEL_X11_OPEN)
! 605: return;
! 606:
! 607: /* same for protocol 1.5 if output end is no longer open */
! 608: if (!compat13 && ch->ostate != CHAN_OUTPUT_OPEN)
1.25 markus 609: return;
610:
611: /* Get the data. */
612: data = packet_get_string(&data_len);
613: packet_integrity_check(payload_len, 4 + 4 + data_len, SSH_MSG_CHANNEL_DATA);
1.37 ! markus 614: buffer_append(&ch->output, data, data_len);
1.25 markus 615: xfree(data);
1.1 deraadt 616: }
617:
1.27 markus 618: /*
619: * Returns true if no channel has too much buffered data, and false if one or
620: * more channel is overfull.
621: */
1.1 deraadt 622:
1.25 markus 623: int
624: channel_not_very_much_buffered_data()
1.1 deraadt 625: {
1.25 markus 626: unsigned int i;
627: Channel *ch;
628:
629: for (i = 0; i < channels_alloc; i++) {
630: ch = &channels[i];
1.37 ! markus 631: if (ch->type == SSH_CHANNEL_OPEN) {
1.25 markus 632: if (buffer_len(&ch->input) > packet_get_maxsize())
633: return 0;
634: if (buffer_len(&ch->output) > packet_get_maxsize())
635: return 0;
636: }
1.1 deraadt 637: }
1.25 markus 638: return 1;
1.1 deraadt 639: }
640:
1.14 markus 641: /* This is called after receiving CHANNEL_CLOSE/IEOF. */
1.1 deraadt 642:
1.25 markus 643: void
644: channel_input_close()
1.1 deraadt 645: {
1.25 markus 646: int channel;
1.1 deraadt 647:
1.25 markus 648: /* Get the channel number and verify it. */
649: channel = packet_get_int();
650: if (channel < 0 || channel >= channels_alloc ||
651: channels[channel].type == SSH_CHANNEL_FREE)
652: packet_disconnect("Received data for nonexistent channel %d.", channel);
653:
654: if (!compat13) {
655: /* proto version 1.5 overloads CLOSE with IEOF */
656: chan_rcvd_ieof(&channels[channel]);
657: return;
658: }
1.27 markus 659:
660: /*
661: * Send a confirmation that we have closed the channel and no more
662: * data is coming for it.
663: */
1.25 markus 664: packet_start(SSH_MSG_CHANNEL_CLOSE_CONFIRMATION);
665: packet_put_int(channels[channel].remote_id);
666: packet_send();
667:
1.27 markus 668: /*
669: * If the channel is in closed state, we have sent a close request,
670: * and the other side will eventually respond with a confirmation.
671: * Thus, we cannot free the channel here, because then there would be
672: * no-one to receive the confirmation. The channel gets freed when
673: * the confirmation arrives.
674: */
1.25 markus 675: if (channels[channel].type != SSH_CHANNEL_CLOSED) {
1.27 markus 676: /*
677: * Not a closed channel - mark it as draining, which will
678: * cause it to be freed later.
679: */
1.25 markus 680: buffer_consume(&channels[channel].input,
681: buffer_len(&channels[channel].input));
682: channels[channel].type = SSH_CHANNEL_OUTPUT_DRAINING;
683: }
1.1 deraadt 684: }
685:
1.14 markus 686: /* This is called after receiving CHANNEL_CLOSE_CONFIRMATION/OCLOSE. */
1.1 deraadt 687:
1.25 markus 688: void
689: channel_input_close_confirmation()
1.1 deraadt 690: {
1.25 markus 691: int channel;
1.1 deraadt 692:
1.25 markus 693: /* Get the channel number and verify it. */
694: channel = packet_get_int();
695: if (channel < 0 || channel >= channels_alloc)
696: packet_disconnect("Received close confirmation for out-of-range channel %d.",
697: channel);
698:
699: if (!compat13) {
700: /* proto version 1.5 overloads CLOSE_CONFIRMATION with OCLOSE */
701: chan_rcvd_oclose(&channels[channel]);
702: return;
703: }
704: if (channels[channel].type != SSH_CHANNEL_CLOSED)
705: packet_disconnect("Received close confirmation for non-closed channel %d (type %d).",
706: channel, channels[channel].type);
1.1 deraadt 707:
1.25 markus 708: /* Free the channel. */
709: channel_free(channel);
1.1 deraadt 710: }
711:
712: /* This is called after receiving CHANNEL_OPEN_CONFIRMATION. */
713:
1.25 markus 714: void
715: channel_input_open_confirmation()
1.1 deraadt 716: {
1.25 markus 717: int channel, remote_channel;
1.1 deraadt 718:
1.25 markus 719: /* Get the channel number and verify it. */
720: channel = packet_get_int();
721: if (channel < 0 || channel >= channels_alloc ||
722: channels[channel].type != SSH_CHANNEL_OPENING)
723: packet_disconnect("Received open confirmation for non-opening channel %d.",
724: channel);
725:
726: /* Get remote side's id for this channel. */
727: remote_channel = packet_get_int();
728:
1.27 markus 729: /* Record the remote channel number and mark that the channel is now open. */
1.25 markus 730: channels[channel].remote_id = remote_channel;
731: channels[channel].type = SSH_CHANNEL_OPEN;
1.1 deraadt 732: }
733:
734: /* This is called after receiving CHANNEL_OPEN_FAILURE from the other side. */
735:
1.25 markus 736: void
737: channel_input_open_failure()
1.1 deraadt 738: {
1.25 markus 739: int channel;
740:
741: /* Get the channel number and verify it. */
742: channel = packet_get_int();
743: if (channel < 0 || channel >= channels_alloc ||
744: channels[channel].type != SSH_CHANNEL_OPENING)
745: packet_disconnect("Received open failure for non-opening channel %d.",
746: channel);
1.1 deraadt 747:
1.25 markus 748: /* Free the channel. This will also close the socket. */
749: channel_free(channel);
1.1 deraadt 750: }
751:
1.27 markus 752: /*
753: * Stops listening for channels, and removes any unix domain sockets that we
754: * might have.
755: */
1.1 deraadt 756:
1.25 markus 757: void
758: channel_stop_listening()
1.1 deraadt 759: {
1.25 markus 760: int i;
761: for (i = 0; i < channels_alloc; i++) {
762: switch (channels[i].type) {
763: case SSH_CHANNEL_AUTH_SOCKET:
764: close(channels[i].sock);
765: remove(channels[i].path);
766: channel_free(i);
767: break;
768: case SSH_CHANNEL_PORT_LISTENER:
769: case SSH_CHANNEL_X11_LISTENER:
770: close(channels[i].sock);
771: channel_free(i);
772: break;
773: default:
774: break;
775: }
1.1 deraadt 776: }
777: }
778:
1.27 markus 779: /*
780: * Closes the sockets of all channels. This is used to close extra file
781: * descriptors after a fork.
782: */
1.1 deraadt 783:
1.25 markus 784: void
785: channel_close_all()
1.1 deraadt 786: {
1.25 markus 787: int i;
788: for (i = 0; i < channels_alloc; i++) {
789: if (channels[i].type != SSH_CHANNEL_FREE)
790: close(channels[i].sock);
791: }
1.1 deraadt 792: }
793:
794: /* Returns the maximum file descriptor number used by the channels. */
795:
1.25 markus 796: int
797: channel_max_fd()
1.1 deraadt 798: {
1.25 markus 799: return channel_max_fd_value;
1.1 deraadt 800: }
801:
802: /* Returns true if any channel is still open. */
803:
1.25 markus 804: int
805: channel_still_open()
1.1 deraadt 806: {
1.25 markus 807: unsigned int i;
808: for (i = 0; i < channels_alloc; i++)
809: switch (channels[i].type) {
810: case SSH_CHANNEL_FREE:
811: case SSH_CHANNEL_X11_LISTENER:
812: case SSH_CHANNEL_PORT_LISTENER:
813: case SSH_CHANNEL_CLOSED:
814: case SSH_CHANNEL_AUTH_SOCKET:
815: continue;
816: case SSH_CHANNEL_OPENING:
817: case SSH_CHANNEL_OPEN:
818: case SSH_CHANNEL_X11_OPEN:
819: return 1;
820: case SSH_CHANNEL_INPUT_DRAINING:
821: case SSH_CHANNEL_OUTPUT_DRAINING:
822: if (!compat13)
823: fatal("cannot happen: OUT_DRAIN");
824: return 1;
825: default:
826: fatal("channel_still_open: bad channel type %d", channels[i].type);
827: /* NOTREACHED */
828: }
829: return 0;
1.1 deraadt 830: }
831:
1.27 markus 832: /*
833: * Returns a message describing the currently open forwarded connections,
834: * suitable for sending to the client. The message contains crlf pairs for
835: * newlines.
836: */
1.1 deraadt 837:
1.25 markus 838: char *
839: channel_open_message()
1.1 deraadt 840: {
1.25 markus 841: Buffer buffer;
842: int i;
843: char buf[512], *cp;
844:
845: buffer_init(&buffer);
846: snprintf(buf, sizeof buf, "The following connections are open:\r\n");
1.1 deraadt 847: buffer_append(&buffer, buf, strlen(buf));
1.25 markus 848: for (i = 0; i < channels_alloc; i++) {
849: Channel *c = &channels[i];
850: switch (c->type) {
851: case SSH_CHANNEL_FREE:
852: case SSH_CHANNEL_X11_LISTENER:
853: case SSH_CHANNEL_PORT_LISTENER:
854: case SSH_CHANNEL_CLOSED:
855: case SSH_CHANNEL_AUTH_SOCKET:
856: continue;
857: case SSH_CHANNEL_OPENING:
858: case SSH_CHANNEL_OPEN:
859: case SSH_CHANNEL_X11_OPEN:
860: case SSH_CHANNEL_INPUT_DRAINING:
861: case SSH_CHANNEL_OUTPUT_DRAINING:
1.37 ! markus 862: snprintf(buf, sizeof buf, " #%d %.300s (t%d r%d i%d/%d o%d/%d)\r\n",
! 863: c->self, c->remote_name,
! 864: c->type, c->remote_id,
! 865: c->istate, buffer_len(&c->input),
! 866: c->ostate, buffer_len(&c->output));
1.25 markus 867: buffer_append(&buffer, buf, strlen(buf));
868: continue;
869: default:
870: fatal("channel_still_open: bad channel type %d", c->type);
871: /* NOTREACHED */
872: }
873: }
874: buffer_append(&buffer, "\0", 1);
875: cp = xstrdup(buffer_ptr(&buffer));
876: buffer_free(&buffer);
877: return cp;
1.1 deraadt 878: }
879:
1.27 markus 880: /*
881: * Initiate forwarding of connections to local port "port" through the secure
882: * channel to host:port from remote side.
883: */
1.1 deraadt 884:
1.25 markus 885: void
1.31 markus 886: channel_request_local_forwarding(u_short port, const char *host,
1.33 markus 887: u_short host_port, int gateway_ports)
1.25 markus 888: {
1.35 markus 889: int success, ch, sock, on = 1;
890: struct addrinfo hints, *ai, *aitop;
891: char ntop[NI_MAXHOST], strport[NI_MAXSERV];
1.28 markus 892: struct linger linger;
1.25 markus 893:
894: if (strlen(host) > sizeof(channels[0].path) - 1)
895: packet_disconnect("Forward host name too long.");
896:
1.28 markus 897: /*
1.35 markus 898: * getaddrinfo returns a loopback address if the hostname is
899: * set to NULL and hints.ai_flags is not AI_PASSIVE
1.28 markus 900: */
1.35 markus 901: memset(&hints, 0, sizeof(hints));
902: hints.ai_family = IPv4or6;
903: hints.ai_flags = gateway_ports ? AI_PASSIVE : 0;
904: hints.ai_socktype = SOCK_STREAM;
905: snprintf(strport, sizeof strport, "%d", port);
906: if (getaddrinfo(NULL, strport, &hints, &aitop) != 0)
907: packet_disconnect("getaddrinfo: fatal error");
908:
909: success = 0;
910: for (ai = aitop; ai; ai = ai->ai_next) {
911: if (ai->ai_family != AF_INET && ai->ai_family != AF_INET6)
912: continue;
913: if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop, sizeof(ntop),
914: strport, sizeof(strport), NI_NUMERICHOST|NI_NUMERICSERV) != 0) {
915: error("channel_request_local_forwarding: getnameinfo failed");
916: continue;
917: }
918: /* Create a port to listen for the host. */
919: sock = socket(ai->ai_family, SOCK_STREAM, 0);
920: if (sock < 0) {
921: /* this is no error since kernel may not support ipv6 */
922: verbose("socket: %.100s", strerror(errno));
923: continue;
924: }
925: /*
926: * Set socket options. We would like the socket to disappear
927: * as soon as it has been closed for whatever reason.
928: */
929: setsockopt(sock, SOL_SOCKET, SO_REUSEADDR, (void *)&on, sizeof(on));
930: linger.l_onoff = 1;
931: linger.l_linger = 5;
932: setsockopt(sock, SOL_SOCKET, SO_LINGER, (void *)&linger, sizeof(linger));
933: debug("Local forwarding listening on %s port %s.", ntop, strport);
934:
935: /* Bind the socket to the address. */
936: if (bind(sock, ai->ai_addr, ai->ai_addrlen) < 0) {
937: /* address can be in use ipv6 address is already bound */
938: verbose("bind: %.100s", strerror(errno));
939: close(sock);
940: continue;
941: }
942: /* Start listening for connections on the socket. */
943: if (listen(sock, 5) < 0) {
944: error("listen: %.100s", strerror(errno));
945: close(sock);
946: continue;
947: }
948: /* Allocate a channel number for the socket. */
949: ch = channel_allocate(SSH_CHANNEL_PORT_LISTENER, sock,
950: xstrdup("port listener"));
951: strlcpy(channels[ch].path, host, sizeof(channels[ch].path));
952: channels[ch].host_port = host_port;
953: channels[ch].listening_port = port;
954: success = 1;
955: }
956: if (success == 0)
957: packet_disconnect("cannot listen port: %d", port);
958: freeaddrinfo(aitop);
1.25 markus 959: }
1.1 deraadt 960:
1.27 markus 961: /*
962: * Initiate forwarding of connections to port "port" on remote host through
963: * the secure channel to host:port from local side.
964: */
1.1 deraadt 965:
1.25 markus 966: void
1.31 markus 967: channel_request_remote_forwarding(u_short port, const char *host,
968: u_short remote_port)
1.25 markus 969: {
970: int payload_len;
971: /* Record locally that connection to this host/port is permitted. */
972: if (num_permitted_opens >= SSH_MAX_FORWARDS_PER_DIRECTION)
973: fatal("channel_request_remote_forwarding: too many forwards");
974:
975: permitted_opens[num_permitted_opens].host = xstrdup(host);
976: permitted_opens[num_permitted_opens].port = remote_port;
977: num_permitted_opens++;
978:
979: /* Send the forward request to the remote side. */
980: packet_start(SSH_CMSG_PORT_FORWARD_REQUEST);
981: packet_put_int(port);
982: packet_put_string(host, strlen(host));
983: packet_put_int(remote_port);
984: packet_send();
985: packet_write_wait();
986:
1.27 markus 987: /*
988: * Wait for response from the remote side. It will send a disconnect
989: * message on failure, and we will never see it here.
990: */
1.25 markus 991: packet_read_expect(&payload_len, SSH_SMSG_SUCCESS);
1.1 deraadt 992: }
993:
1.27 markus 994: /*
995: * This is called after receiving CHANNEL_FORWARDING_REQUEST. This initates
996: * listening for the port, and sends back a success reply (or disconnect
997: * message if there was an error). This never returns if there was an error.
998: */
1.1 deraadt 999:
1.25 markus 1000: void
1001: channel_input_port_forward_request(int is_root)
1.1 deraadt 1002: {
1.31 markus 1003: u_short port, host_port;
1.25 markus 1004: char *hostname;
1.1 deraadt 1005:
1.25 markus 1006: /* Get arguments from the packet. */
1007: port = packet_get_int();
1008: hostname = packet_get_string(NULL);
1009: host_port = packet_get_int();
1010:
1.27 markus 1011: /*
1012: * Check that an unprivileged user is not trying to forward a
1013: * privileged port.
1014: */
1.25 markus 1015: if (port < IPPORT_RESERVED && !is_root)
1016: packet_disconnect("Requested forwarding of port %d but user is not root.",
1017: port);
1.33 markus 1018: /*
1019: * Initiate forwarding,
1020: * bind port to localhost only (gateway ports == 0).
1021: */
1022: channel_request_local_forwarding(port, hostname, host_port, 0);
1.25 markus 1023:
1024: /* Free the argument string. */
1025: xfree(hostname);
1.1 deraadt 1026: }
1027:
1.27 markus 1028: /*
1029: * This is called after receiving PORT_OPEN message. This attempts to
1030: * connect to the given host:port, and sends back CHANNEL_OPEN_CONFIRMATION
1031: * or CHANNEL_OPEN_FAILURE.
1032: */
1.1 deraadt 1033:
1.25 markus 1034: void
1035: channel_input_port_open(int payload_len)
1.1 deraadt 1036: {
1.35 markus 1037: int remote_channel, sock = 0, newch, i;
1.31 markus 1038: u_short host_port;
1.25 markus 1039: char *host, *originator_string;
1040: int host_len, originator_len;
1.35 markus 1041: struct addrinfo hints, *ai, *aitop;
1042: char ntop[NI_MAXHOST], strport[NI_MAXSERV];
1043: int gaierr;
1.25 markus 1044:
1045: /* Get remote channel number. */
1046: remote_channel = packet_get_int();
1047:
1048: /* Get host name to connect to. */
1049: host = packet_get_string(&host_len);
1050:
1051: /* Get port to connect to. */
1052: host_port = packet_get_int();
1053:
1054: /* Get remote originator name. */
1.29 markus 1055: if (have_hostname_in_open) {
1.25 markus 1056: originator_string = packet_get_string(&originator_len);
1.29 markus 1057: originator_len += 4; /* size of packet_int */
1058: } else {
1.25 markus 1059: originator_string = xstrdup("unknown (remote did not supply name)");
1.29 markus 1060: originator_len = 0; /* no originator supplied */
1061: }
1.25 markus 1062:
1063: packet_integrity_check(payload_len,
1.29 markus 1064: 4 + 4 + host_len + 4 + originator_len,
1.25 markus 1065: SSH_MSG_PORT_OPEN);
1066:
1067: /* Check if opening that port is permitted. */
1068: if (!all_opens_permitted) {
1069: /* Go trough all permitted ports. */
1070: for (i = 0; i < num_permitted_opens; i++)
1071: if (permitted_opens[i].port == host_port &&
1072: strcmp(permitted_opens[i].host, host) == 0)
1073: break;
1074:
1075: /* Check if we found the requested port among those permitted. */
1076: if (i >= num_permitted_opens) {
1077: /* The port is not permitted. */
1078: log("Received request to connect to %.100s:%d, but the request was denied.",
1079: host, host_port);
1080: packet_start(SSH_MSG_CHANNEL_OPEN_FAILURE);
1081: packet_put_int(remote_channel);
1082: packet_send();
1083: }
1084: }
1.35 markus 1085:
1086: memset(&hints, 0, sizeof(hints));
1087: hints.ai_family = IPv4or6;
1088: hints.ai_socktype = SOCK_STREAM;
1089: snprintf(strport, sizeof strport, "%d", host_port);
1090: if ((gaierr = getaddrinfo(host, strport, &hints, &aitop)) != 0) {
1091: error("%.100s: unknown host (%s)", host, gai_strerror(gaierr));
1092: goto fail;
1093: }
1094:
1095: for (ai = aitop; ai; ai = ai->ai_next) {
1096: if (ai->ai_family != AF_INET && ai->ai_family != AF_INET6)
1097: continue;
1098: if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop, sizeof(ntop),
1099: strport, sizeof(strport), NI_NUMERICHOST|NI_NUMERICSERV) != 0) {
1100: error("channel_input_port_open: getnameinfo failed");
1101: continue;
1102: }
1103: /* Create the socket. */
1104: sock = socket(ai->ai_family, SOCK_STREAM, 0);
1105: if (sock < 0) {
1106: error("socket: %.100s", strerror(errno));
1107: continue;
1.25 markus 1108: }
1.35 markus 1109: /* Connect to the host/port. */
1110: if (connect(sock, ai->ai_addr, ai->ai_addrlen) < 0) {
1111: error("connect %.100s port %s: %.100s", ntop, strport,
1112: strerror(errno));
1113: close(sock);
1114: continue; /* fail -- try next */
1.25 markus 1115: }
1.35 markus 1116: break; /* success */
1117:
1.25 markus 1118: }
1.35 markus 1119: freeaddrinfo(aitop);
1120:
1121: if (!ai) {
1122: error("connect %.100s port %d: failed.", host, host_port);
1.25 markus 1123: goto fail;
1124: }
1.35 markus 1125:
1.25 markus 1126: /* Successful connection. */
1127:
1128: /* Allocate a channel for this connection. */
1129: newch = channel_allocate(SSH_CHANNEL_OPEN, sock, originator_string);
1130: channels[newch].remote_id = remote_channel;
1131:
1132: /* Send a confirmation to the remote host. */
1133: packet_start(SSH_MSG_CHANNEL_OPEN_CONFIRMATION);
1134: packet_put_int(remote_channel);
1135: packet_put_int(newch);
1136: packet_send();
1137:
1138: /* Free the argument string. */
1139: xfree(host);
1140:
1141: return;
1142:
1143: fail:
1144: /* Free the argument string. */
1145: xfree(host);
1146:
1147: /* Send refusal to the remote host. */
1148: packet_start(SSH_MSG_CHANNEL_OPEN_FAILURE);
1149: packet_put_int(remote_channel);
1150: packet_send();
1.1 deraadt 1151: }
1152:
1.27 markus 1153: /*
1154: * Creates an internet domain socket for listening for X11 connections.
1155: * Returns a suitable value for the DISPLAY variable, or NULL if an error
1156: * occurs.
1157: */
1.1 deraadt 1158:
1.35 markus 1159: #define NUM_SOCKS 10
1160:
1.25 markus 1161: char *
1.33 markus 1162: x11_create_display_inet(int screen_number, int x11_display_offset)
1.1 deraadt 1163: {
1.31 markus 1164: int display_number, sock;
1165: u_short port;
1.35 markus 1166: struct addrinfo hints, *ai, *aitop;
1167: char strport[NI_MAXSERV];
1168: int gaierr, n, num_socks = 0, socks[NUM_SOCKS];
1169: char display[512];
1.25 markus 1170: char hostname[MAXHOSTNAMELEN];
1171:
1.33 markus 1172: for (display_number = x11_display_offset;
1.25 markus 1173: display_number < MAX_DISPLAYS;
1174: display_number++) {
1175: port = 6000 + display_number;
1.35 markus 1176: memset(&hints, 0, sizeof(hints));
1177: hints.ai_family = IPv4or6;
1.36 markus 1178: hints.ai_flags = AI_PASSIVE; /* XXX loopback only ? */
1.35 markus 1179: hints.ai_socktype = SOCK_STREAM;
1180: snprintf(strport, sizeof strport, "%d", port);
1181: if ((gaierr = getaddrinfo(NULL, strport, &hints, &aitop)) != 0) {
1182: error("getaddrinfo: %.100s", gai_strerror(gaierr));
1.25 markus 1183: return NULL;
1184: }
1.35 markus 1185: for (ai = aitop; ai; ai = ai->ai_next) {
1186: if (ai->ai_family != AF_INET && ai->ai_family != AF_INET6)
1187: continue;
1188: sock = socket(ai->ai_family, SOCK_STREAM, 0);
1189: if (sock < 0) {
1190: error("socket: %.100s", strerror(errno));
1191: return NULL;
1192: }
1193: if (bind(sock, ai->ai_addr, ai->ai_addrlen) < 0) {
1194: debug("bind port %d: %.100s", port, strerror(errno));
1195: shutdown(sock, SHUT_RDWR);
1196: close(sock);
1197: for (n = 0; n < num_socks; n++) {
1198: shutdown(socks[n], SHUT_RDWR);
1199: close(socks[n]);
1200: }
1201: num_socks = 0;
1202: break;
1203: }
1204: socks[num_socks++] = sock;
1205: if (num_socks == NUM_SOCKS)
1206: break;
1.25 markus 1207: }
1.35 markus 1208: if (num_socks > 0)
1209: break;
1.25 markus 1210: }
1211: if (display_number >= MAX_DISPLAYS) {
1212: error("Failed to allocate internet-domain X11 display socket.");
1213: return NULL;
1214: }
1215: /* Start listening for connections on the socket. */
1.35 markus 1216: for (n = 0; n < num_socks; n++) {
1217: sock = socks[n];
1218: if (listen(sock, 5) < 0) {
1219: error("listen: %.100s", strerror(errno));
1220: shutdown(sock, SHUT_RDWR);
1221: close(sock);
1222: return NULL;
1223: }
1.25 markus 1224: }
1.35 markus 1225:
1.25 markus 1226: /* Set up a suitable value for the DISPLAY variable. */
1227: if (gethostname(hostname, sizeof(hostname)) < 0)
1228: fatal("gethostname: %.100s", strerror(errno));
1.35 markus 1229: snprintf(display, sizeof display, "%.400s:%d.%d", hostname,
1.25 markus 1230: display_number, screen_number);
1231:
1.35 markus 1232: /* Allocate a channel for each socket. */
1233: for (n = 0; n < num_socks; n++) {
1234: sock = socks[n];
1235: (void) channel_allocate(SSH_CHANNEL_X11_LISTENER, sock,
1236: xstrdup("X11 inet listener"));
1237: }
1.1 deraadt 1238:
1.25 markus 1239: /* Return a suitable value for the DISPLAY environment variable. */
1.35 markus 1240: return xstrdup(display);
1.1 deraadt 1241: }
1242:
1243: #ifndef X_UNIX_PATH
1244: #define X_UNIX_PATH "/tmp/.X11-unix/X"
1245: #endif
1246:
1247: static
1248: int
1.30 deraadt 1249: connect_local_xsocket(unsigned int dnr)
1.1 deraadt 1250: {
1.25 markus 1251: static const char *const x_sockets[] = {
1252: X_UNIX_PATH "%u",
1253: "/var/X/.X11-unix/X" "%u",
1254: "/usr/spool/sockets/X11/" "%u",
1255: NULL
1256: };
1257: int sock;
1258: struct sockaddr_un addr;
1259: const char *const * path;
1260:
1261: for (path = x_sockets; *path; ++path) {
1262: sock = socket(AF_UNIX, SOCK_STREAM, 0);
1263: if (sock < 0)
1264: error("socket: %.100s", strerror(errno));
1265: memset(&addr, 0, sizeof(addr));
1266: addr.sun_family = AF_UNIX;
1267: snprintf(addr.sun_path, sizeof addr.sun_path, *path, dnr);
1268: if (connect(sock, (struct sockaddr *) & addr, sizeof(addr)) == 0)
1269: return sock;
1270: close(sock);
1271: }
1272: error("connect %.100s: %.100s", addr.sun_path, strerror(errno));
1273: return -1;
1.1 deraadt 1274: }
1275:
1276:
1.27 markus 1277: /*
1278: * This is called when SSH_SMSG_X11_OPEN is received. The packet contains
1279: * the remote channel number. We should do whatever we want, and respond
1280: * with either SSH_MSG_OPEN_CONFIRMATION or SSH_MSG_OPEN_FAILURE.
1281: */
1.1 deraadt 1282:
1.25 markus 1283: void
1284: x11_input_open(int payload_len)
1.1 deraadt 1285: {
1.35 markus 1286: int remote_channel, display_number, sock = 0, newch;
1.25 markus 1287: const char *display;
1288: char buf[1024], *cp, *remote_host;
1289: int remote_len;
1.35 markus 1290: struct addrinfo hints, *ai, *aitop;
1291: char strport[NI_MAXSERV];
1292: int gaierr;
1.25 markus 1293:
1294: /* Get remote channel number. */
1295: remote_channel = packet_get_int();
1296:
1297: /* Get remote originator name. */
1.29 markus 1298: if (have_hostname_in_open) {
1.25 markus 1299: remote_host = packet_get_string(&remote_len);
1.29 markus 1300: remote_len += 4;
1301: } else {
1.25 markus 1302: remote_host = xstrdup("unknown (remote did not supply name)");
1.29 markus 1303: remote_len = 0;
1304: }
1.25 markus 1305:
1306: debug("Received X11 open request.");
1.29 markus 1307: packet_integrity_check(payload_len, 4 + remote_len, SSH_SMSG_X11_OPEN);
1.25 markus 1308:
1309: /* Try to open a socket for the local X server. */
1310: display = getenv("DISPLAY");
1311: if (!display) {
1312: error("DISPLAY not set.");
1313: goto fail;
1314: }
1.27 markus 1315: /*
1316: * Now we decode the value of the DISPLAY variable and make a
1317: * connection to the real X server.
1318: */
1319:
1320: /*
1321: * Check if it is a unix domain socket. Unix domain displays are in
1322: * one of the following formats: unix:d[.s], :d[.s], ::d[.s]
1323: */
1.25 markus 1324: if (strncmp(display, "unix:", 5) == 0 ||
1325: display[0] == ':') {
1326: /* Connect to the unix domain socket. */
1327: if (sscanf(strrchr(display, ':') + 1, "%d", &display_number) != 1) {
1328: error("Could not parse display number from DISPLAY: %.100s",
1329: display);
1330: goto fail;
1331: }
1332: /* Create a socket. */
1333: sock = connect_local_xsocket(display_number);
1334: if (sock < 0)
1335: goto fail;
1336:
1337: /* OK, we now have a connection to the display. */
1338: goto success;
1339: }
1.27 markus 1340: /*
1341: * Connect to an inet socket. The DISPLAY value is supposedly
1342: * hostname:d[.s], where hostname may also be numeric IP address.
1343: */
1.25 markus 1344: strncpy(buf, display, sizeof(buf));
1345: buf[sizeof(buf) - 1] = 0;
1346: cp = strchr(buf, ':');
1347: if (!cp) {
1348: error("Could not find ':' in DISPLAY: %.100s", display);
1349: goto fail;
1350: }
1351: *cp = 0;
1.27 markus 1352: /* buf now contains the host name. But first we parse the display number. */
1.25 markus 1353: if (sscanf(cp + 1, "%d", &display_number) != 1) {
1354: error("Could not parse display number from DISPLAY: %.100s",
1355: display);
1356: goto fail;
1357: }
1.35 markus 1358:
1359: /* Look up the host address */
1360: memset(&hints, 0, sizeof(hints));
1361: hints.ai_family = IPv4or6;
1362: hints.ai_socktype = SOCK_STREAM;
1363: snprintf(strport, sizeof strport, "%d", 6000 + display_number);
1364: if ((gaierr = getaddrinfo(buf, strport, &hints, &aitop)) != 0) {
1365: error("%.100s: unknown host. (%s)", buf, gai_strerror(gaierr));
1.25 markus 1366: goto fail;
1367: }
1.35 markus 1368: for (ai = aitop; ai; ai = ai->ai_next) {
1369: /* Create a socket. */
1370: sock = socket(ai->ai_family, SOCK_STREAM, 0);
1371: if (sock < 0) {
1372: debug("socket: %.100s", strerror(errno));
1373: continue;
1374: }
1.25 markus 1375: /* Connect it to the display. */
1.35 markus 1376: if (connect(sock, ai->ai_addr, ai->ai_addrlen) < 0) {
1377: debug("connect %.100s port %d: %.100s", buf, 6000 + display_number,
1378: strerror(errno));
1.25 markus 1379: close(sock);
1.35 markus 1380: continue;
1381: }
1382: /* Success */
1383: break;
1384:
1385: } /* (ai = aitop, ai; ai = ai->ai_next) */
1386: freeaddrinfo(aitop);
1387: if (!ai) {
1388: error("connect %.100s port %d: %.100s", buf, 6000 + display_number,
1389: strerror(errno));
1.25 markus 1390: goto fail;
1391: }
1392: success:
1393: /* We have successfully obtained a connection to the real X display. */
1394:
1395: /* Allocate a channel for this connection. */
1396: if (x11_saved_proto == NULL)
1397: newch = channel_allocate(SSH_CHANNEL_OPEN, sock, remote_host);
1398: else
1399: newch = channel_allocate(SSH_CHANNEL_X11_OPEN, sock, remote_host);
1400: channels[newch].remote_id = remote_channel;
1401:
1402: /* Send a confirmation to the remote host. */
1403: packet_start(SSH_MSG_CHANNEL_OPEN_CONFIRMATION);
1404: packet_put_int(remote_channel);
1405: packet_put_int(newch);
1406: packet_send();
1407:
1408: return;
1409:
1410: fail:
1411: /* Send refusal to the remote host. */
1412: packet_start(SSH_MSG_CHANNEL_OPEN_FAILURE);
1413: packet_put_int(remote_channel);
1414: packet_send();
1.1 deraadt 1415: }
1416:
1.27 markus 1417: /*
1418: * Requests forwarding of X11 connections, generates fake authentication
1419: * data, and enables authentication spoofing.
1420: */
1.1 deraadt 1421:
1.25 markus 1422: void
1423: x11_request_forwarding_with_spoofing(const char *proto, const char *data)
1.1 deraadt 1424: {
1.25 markus 1425: unsigned int data_len = (unsigned int) strlen(data) / 2;
1426: unsigned int i, value;
1427: char *new_data;
1428: int screen_number;
1429: const char *cp;
1430: u_int32_t rand = 0;
1431:
1432: cp = getenv("DISPLAY");
1433: if (cp)
1434: cp = strchr(cp, ':');
1435: if (cp)
1436: cp = strchr(cp, '.');
1437: if (cp)
1438: screen_number = atoi(cp + 1);
1439: else
1440: screen_number = 0;
1441:
1442: /* Save protocol name. */
1443: x11_saved_proto = xstrdup(proto);
1444:
1.27 markus 1445: /*
1446: * Extract real authentication data and generate fake data of the
1447: * same length.
1448: */
1.25 markus 1449: x11_saved_data = xmalloc(data_len);
1450: x11_fake_data = xmalloc(data_len);
1451: for (i = 0; i < data_len; i++) {
1452: if (sscanf(data + 2 * i, "%2x", &value) != 1)
1453: fatal("x11_request_forwarding: bad authentication data: %.100s", data);
1454: if (i % 4 == 0)
1455: rand = arc4random();
1456: x11_saved_data[i] = value;
1457: x11_fake_data[i] = rand & 0xff;
1458: rand >>= 8;
1459: }
1460: x11_saved_data_len = data_len;
1461: x11_fake_data_len = data_len;
1462:
1463: /* Convert the fake data into hex. */
1464: new_data = xmalloc(2 * data_len + 1);
1465: for (i = 0; i < data_len; i++)
1466: sprintf(new_data + 2 * i, "%02x", (unsigned char) x11_fake_data[i]);
1467:
1468: /* Send the request packet. */
1469: packet_start(SSH_CMSG_X11_REQUEST_FORWARDING);
1470: packet_put_string(proto, strlen(proto));
1471: packet_put_string(new_data, strlen(new_data));
1472: packet_put_int(screen_number);
1473: packet_send();
1474: packet_write_wait();
1475: xfree(new_data);
1.1 deraadt 1476: }
1477:
1478: /* Sends a message to the server to request authentication fd forwarding. */
1479:
1.25 markus 1480: void
1481: auth_request_forwarding()
1.1 deraadt 1482: {
1.25 markus 1483: packet_start(SSH_CMSG_AGENT_REQUEST_FORWARDING);
1484: packet_send();
1485: packet_write_wait();
1.1 deraadt 1486: }
1487:
1.27 markus 1488: /*
1489: * Returns the name of the forwarded authentication socket. Returns NULL if
1490: * there is no forwarded authentication socket. The returned value points to
1491: * a static buffer.
1492: */
1.1 deraadt 1493:
1.25 markus 1494: char *
1495: auth_get_socket_name()
1.1 deraadt 1496: {
1.25 markus 1497: return channel_forwarded_auth_socket_name;
1.1 deraadt 1498: }
1499:
1.12 markus 1500: /* removes the agent forwarding socket */
1501:
1.25 markus 1502: void
1503: cleanup_socket(void)
1504: {
1505: remove(channel_forwarded_auth_socket_name);
1506: rmdir(channel_forwarded_auth_socket_dir);
1.12 markus 1507: }
1508:
1.27 markus 1509: /*
1510: * This if called to process SSH_CMSG_AGENT_REQUEST_FORWARDING on the server.
1511: * This starts forwarding authentication requests.
1512: */
1.1 deraadt 1513:
1.25 markus 1514: void
1515: auth_input_request_forwarding(struct passwd * pw)
1.1 deraadt 1516: {
1.25 markus 1517: int sock, newch;
1518: struct sockaddr_un sunaddr;
1519:
1520: if (auth_get_socket_name() != NULL)
1521: fatal("Protocol error: authentication forwarding requested twice.");
1522:
1523: /* Temporarily drop privileged uid for mkdir/bind. */
1524: temporarily_use_uid(pw->pw_uid);
1525:
1526: /* Allocate a buffer for the socket name, and format the name. */
1527: channel_forwarded_auth_socket_name = xmalloc(MAX_SOCKET_NAME);
1528: channel_forwarded_auth_socket_dir = xmalloc(MAX_SOCKET_NAME);
1529: strlcpy(channel_forwarded_auth_socket_dir, "/tmp/ssh-XXXXXXXX", MAX_SOCKET_NAME);
1530:
1531: /* Create private directory for socket */
1532: if (mkdtemp(channel_forwarded_auth_socket_dir) == NULL)
1533: packet_disconnect("mkdtemp: %.100s", strerror(errno));
1534: snprintf(channel_forwarded_auth_socket_name, MAX_SOCKET_NAME, "%s/agent.%d",
1535: channel_forwarded_auth_socket_dir, (int) getpid());
1536:
1537: if (atexit(cleanup_socket) < 0) {
1538: int saved = errno;
1539: cleanup_socket();
1540: packet_disconnect("socket: %.100s", strerror(saved));
1541: }
1542: /* Create the socket. */
1543: sock = socket(AF_UNIX, SOCK_STREAM, 0);
1544: if (sock < 0)
1545: packet_disconnect("socket: %.100s", strerror(errno));
1546:
1547: /* Bind it to the name. */
1548: memset(&sunaddr, 0, sizeof(sunaddr));
1549: sunaddr.sun_family = AF_UNIX;
1550: strncpy(sunaddr.sun_path, channel_forwarded_auth_socket_name,
1551: sizeof(sunaddr.sun_path));
1552:
1553: if (bind(sock, (struct sockaddr *) & sunaddr, sizeof(sunaddr)) < 0)
1554: packet_disconnect("bind: %.100s", strerror(errno));
1555:
1556: /* Restore the privileged uid. */
1557: restore_uid();
1558:
1559: /* Start listening on the socket. */
1560: if (listen(sock, 5) < 0)
1561: packet_disconnect("listen: %.100s", strerror(errno));
1562:
1563: /* Allocate a channel for the authentication agent socket. */
1564: newch = channel_allocate(SSH_CHANNEL_AUTH_SOCKET, sock,
1565: xstrdup("auth socket"));
1.32 deraadt 1566: strlcpy(channels[newch].path, channel_forwarded_auth_socket_name,
1567: sizeof(channels[newch].path));
1.1 deraadt 1568: }
1569:
1570: /* This is called to process an SSH_SMSG_AGENT_OPEN message. */
1571:
1.25 markus 1572: void
1573: auth_input_open_request()
1.1 deraadt 1574: {
1.25 markus 1575: int remch, sock, newch;
1576: char *dummyname;
1577:
1578: /* Read the remote channel number from the message. */
1579: remch = packet_get_int();
1580:
1.27 markus 1581: /*
1582: * Get a connection to the local authentication agent (this may again
1583: * get forwarded).
1584: */
1.25 markus 1585: sock = ssh_get_authentication_socket();
1586:
1.27 markus 1587: /*
1588: * If we could not connect the agent, send an error message back to
1589: * the server. This should never happen unless the agent dies,
1590: * because authentication forwarding is only enabled if we have an
1591: * agent.
1592: */
1.25 markus 1593: if (sock < 0) {
1594: packet_start(SSH_MSG_CHANNEL_OPEN_FAILURE);
1595: packet_put_int(remch);
1596: packet_send();
1597: return;
1598: }
1599: debug("Forwarding authentication connection.");
1.1 deraadt 1600:
1.27 markus 1601: /*
1602: * Dummy host name. This will be freed when the channel is freed; it
1603: * will still be valid in the packet_put_string below since the
1604: * channel cannot yet be freed at that point.
1605: */
1.25 markus 1606: dummyname = xstrdup("authentication agent connection");
1607:
1608: newch = channel_allocate(SSH_CHANNEL_OPEN, sock, dummyname);
1609: channels[newch].remote_id = remch;
1610:
1611: /* Send a confirmation to the remote host. */
1612: packet_start(SSH_MSG_CHANNEL_OPEN_CONFIRMATION);
1613: packet_put_int(remch);
1614: packet_put_int(newch);
1615: packet_send();
1.1 deraadt 1616: }