Annotation of src/usr.bin/ssh/channels.c, Revision 1.398
1.398 ! dtucker 1: /* $OpenBSD: channels.c,v 1.397 2020/03/06 18:19:21 markus Exp $ */
1.1 deraadt 2: /*
1.26 deraadt 3: * Author: Tatu Ylonen <ylo@cs.hut.fi>
4: * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
5: * All rights reserved
6: * This file contains functions for generic socket connection forwarding.
7: * There is also code for initiating connection forwarding for X11 connections,
8: * arbitrary tcp/ip connections, and the authentication agent connection.
1.49 markus 9: *
1.67 deraadt 10: * As far as I am concerned, the code I have written for this software
11: * can be used freely for any purpose. Any derived versions of this
12: * software must be clearly marked as such, and if the derived work is
13: * incompatible with the protocol description in the RFC file, it must be
14: * called by a name other than "ssh" or "Secure Shell".
15: *
1.44 markus 16: * SSH2 support added by Markus Friedl.
1.156 markus 17: * Copyright (c) 1999, 2000, 2001, 2002 Markus Friedl. All rights reserved.
1.67 deraadt 18: * Copyright (c) 1999 Dug Song. All rights reserved.
19: * Copyright (c) 1999 Theo de Raadt. All rights reserved.
20: *
21: * Redistribution and use in source and binary forms, with or without
22: * modification, are permitted provided that the following conditions
23: * are met:
24: * 1. Redistributions of source code must retain the above copyright
25: * notice, this list of conditions and the following disclaimer.
26: * 2. Redistributions in binary form must reproduce the above copyright
27: * notice, this list of conditions and the following disclaimer in the
28: * documentation and/or other materials provided with the distribution.
29: *
30: * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
31: * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
32: * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
33: * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
34: * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
35: * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
36: * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
37: * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
38: * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
39: * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
1.26 deraadt 40: */
1.1 deraadt 41:
1.265 deraadt 42: #include <sys/types.h>
1.336 millert 43: #include <sys/stat.h>
1.234 stevesk 44: #include <sys/ioctl.h>
1.235 stevesk 45: #include <sys/un.h>
1.251 stevesk 46: #include <sys/socket.h>
1.261 stevesk 47: #include <sys/time.h>
1.275 djm 48: #include <sys/queue.h>
1.251 stevesk 49:
50: #include <netinet/in.h>
51: #include <arpa/inet.h>
1.233 stevesk 52:
1.254 stevesk 53: #include <errno.h>
1.298 dtucker 54: #include <fcntl.h>
1.367 djm 55: #include <limits.h>
1.255 stevesk 56: #include <netdb.h>
1.367 djm 57: #include <stdarg.h>
1.341 millert 58: #include <stdint.h>
1.263 stevesk 59: #include <stdio.h>
1.262 stevesk 60: #include <stdlib.h>
1.260 stevesk 61: #include <string.h>
1.233 stevesk 62: #include <termios.h>
1.256 stevesk 63: #include <unistd.h>
1.1 deraadt 64:
1.265 deraadt 65: #include "xmalloc.h"
1.1 deraadt 66: #include "ssh.h"
1.82 markus 67: #include "ssh2.h"
1.354 markus 68: #include "ssherr.h"
1.367 djm 69: #include "sshbuf.h"
1.1 deraadt 70: #include "packet.h"
1.82 markus 71: #include "log.h"
72: #include "misc.h"
1.14 markus 73: #include "channels.h"
74: #include "compat.h"
1.82 markus 75: #include "canohost.h"
1.383 markus 76: #include "sshkey.h"
1.64 markus 77: #include "authfd.h"
1.147 stevesk 78: #include "pathnames.h"
1.381 djm 79: #include "match.h"
1.388 djm 80:
1.367 djm 81: /* -- agent forwarding */
82: #define NUM_SOCKS 10
1.12 markus 83:
1.367 djm 84: /* -- tcp forwarding */
85: /* special-case port number meaning allow any port */
86: #define FWD_PERMIT_ANY_PORT 0
1.1 deraadt 87:
1.367 djm 88: /* special-case wildcard meaning allow any host */
89: #define FWD_PERMIT_ANY_HOST "*"
1.1 deraadt 90:
1.367 djm 91: /* -- X11 forwarding */
92: /* Maximum number of fake X11 displays to try. */
93: #define MAX_DISPLAYS 1000
1.1 deraadt 94:
1.381 djm 95: /* Per-channel callback for pre/post select() actions */
96: typedef void chan_fn(struct ssh *, Channel *c,
97: fd_set *readset, fd_set *writeset);
98:
1.27 markus 99: /*
100: * Data structure for storing which hosts are permitted for forward requests.
101: * The local sides of any remote forwards are stored in this array to prevent
102: * a corrupt remote server from accessing arbitrary TCP/IP ports on our local
103: * network (which might be behind a firewall).
104: */
1.336 millert 105: /* XXX: streamlocal wants a path instead of host:port */
106: /* Overload host_to_connect; we could just make this match Forward */
107: /* XXX - can we use listen_host instead of listen_path? */
1.381 djm 108: struct permission {
1.41 markus 109: char *host_to_connect; /* Connect to 'host'. */
1.336 millert 110: int port_to_connect; /* Connect to 'port'. */
1.333 markus 111: char *listen_host; /* Remote side should listen address. */
1.336 millert 112: char *listen_path; /* Remote side should listen path. */
113: int listen_port; /* Remote side should listen port. */
1.354 markus 114: Channel *downstream; /* Downstream mux*/
1.381 djm 115: };
116:
117: /*
118: * Stores the forwarding permission state for a single direction (local or
119: * remote).
120: */
121: struct permission_set {
122: /*
123: * List of all local permitted host/port pairs to allow for the
124: * user.
125: */
126: u_int num_permitted_user;
127: struct permission *permitted_user;
1.1 deraadt 128:
1.381 djm 129: /*
130: * List of all permitted host/port pairs to allow for the admin.
131: */
132: u_int num_permitted_admin;
133: struct permission *permitted_admin;
134:
135: /*
136: * If this is true, all opens/listens are permitted. This is the
137: * case on the server on which we have to trust the client anyway,
138: * and the user could do anything after logging in.
139: */
140: int all_permitted;
141: };
1.121 markus 142:
1.367 djm 143: /* Master structure for channels state */
144: struct ssh_channels {
145: /*
146: * Pointer to an array containing all allocated channels. The array
147: * is dynamically extended as needed.
148: */
149: Channel **channels;
1.257 dtucker 150:
1.367 djm 151: /*
152: * Size of the channel array. All slots of the array must always be
153: * initialized (at least the type field); unused slots set to NULL
154: */
155: u_int channels_alloc;
1.257 dtucker 156:
1.367 djm 157: /*
158: * Maximum file descriptor value used in any of the channels. This is
159: * updated in channel_new.
160: */
161: int channel_max_fd;
1.257 dtucker 162:
1.367 djm 163: /*
164: * 'channel_pre*' are called just before select() to add any bits
165: * relevant to channels in the select bitmasks.
166: *
167: * 'channel_post*': perform any appropriate operations for
168: * channels which have events pending.
169: */
170: chan_fn **channel_pre;
171: chan_fn **channel_post;
1.314 dtucker 172:
1.367 djm 173: /* -- tcp forwarding */
1.381 djm 174: struct permission_set local_perms;
175: struct permission_set remote_perms;
1.219 djm 176:
1.367 djm 177: /* -- X11 forwarding */
1.121 markus 178:
1.367 djm 179: /* Saved X11 local (client) display. */
180: char *x11_saved_display;
1.121 markus 181:
1.367 djm 182: /* Saved X11 authentication protocol name. */
183: char *x11_saved_proto;
1.347 djm 184:
1.367 djm 185: /* Saved X11 authentication data. This is the real data. */
186: char *x11_saved_data;
187: u_int x11_saved_data_len;
1.121 markus 188:
1.367 djm 189: /* Deadline after which all X11 connections are refused */
190: u_int x11_refuse_time;
1.121 markus 191:
1.367 djm 192: /*
193: * Fake X11 authentication data. This is what the server will be
194: * sending us; we should replace any occurrences of this by the
195: * real data.
196: */
197: u_char *x11_fake_data;
198: u_int x11_fake_data_len;
1.121 markus 199:
1.367 djm 200: /* AF_UNSPEC or AF_INET or AF_INET6 */
201: int IPv4or6;
202: };
1.1 deraadt 203:
1.121 markus 204: /* helper */
1.367 djm 205: static void port_open_helper(struct ssh *ssh, Channel *c, char *rtype);
1.354 markus 206: static const char *channel_rfwd_bind_host(const char *listen_host);
1.103 markus 207:
1.276 djm 208: /* non-blocking connect helpers */
209: static int connect_next(struct channel_connect *);
210: static void channel_connect_ctx_free(struct channel_connect *);
1.372 markus 211: static Channel *rdynamic_connect_prepare(struct ssh *, char *, char *);
212: static int rdynamic_connect_finish(struct ssh *, Channel *);
1.276 djm 213:
1.367 djm 214: /* Setup helper */
215: static void channel_handler_init(struct ssh_channels *sc);
216:
1.121 markus 217: /* -- channel core */
1.41 markus 218:
1.367 djm 219: void
220: channel_init_channels(struct ssh *ssh)
221: {
222: struct ssh_channels *sc;
223:
1.387 djm 224: if ((sc = calloc(1, sizeof(*sc))) == NULL)
1.367 djm 225: fatal("%s: allocation failed", __func__);
226: sc->channels_alloc = 10;
227: sc->channels = xcalloc(sc->channels_alloc, sizeof(*sc->channels));
228: sc->IPv4or6 = AF_UNSPEC;
229: channel_handler_init(sc);
230:
231: ssh->chanctxt = sc;
232: }
233:
1.41 markus 234: Channel *
1.367 djm 235: channel_by_id(struct ssh *ssh, int id)
1.41 markus 236: {
237: Channel *c;
1.113 markus 238:
1.367 djm 239: if (id < 0 || (u_int)id >= ssh->chanctxt->channels_alloc) {
240: logit("%s: %d: bad id", __func__, id);
1.41 markus 241: return NULL;
242: }
1.367 djm 243: c = ssh->chanctxt->channels[id];
1.113 markus 244: if (c == NULL) {
1.367 djm 245: logit("%s: %d: bad id: channel free", __func__, id);
1.41 markus 246: return NULL;
247: }
248: return c;
1.55 markus 249: }
250:
1.354 markus 251: Channel *
1.368 djm 252: channel_by_remote_id(struct ssh *ssh, u_int remote_id)
1.354 markus 253: {
254: Channel *c;
255: u_int i;
256:
1.367 djm 257: for (i = 0; i < ssh->chanctxt->channels_alloc; i++) {
258: c = ssh->chanctxt->channels[i];
1.368 djm 259: if (c != NULL && c->have_remote_id && c->remote_id == remote_id)
1.354 markus 260: return c;
261: }
262: return NULL;
263: }
264:
1.27 markus 265: /*
1.229 markus 266: * Returns the channel if it is allowed to receive protocol messages.
267: * Private channels, like listening sockets, may not receive messages.
268: */
269: Channel *
1.367 djm 270: channel_lookup(struct ssh *ssh, int id)
1.229 markus 271: {
272: Channel *c;
273:
1.367 djm 274: if ((c = channel_by_id(ssh, id)) == NULL)
275: return NULL;
1.229 markus 276:
1.237 deraadt 277: switch (c->type) {
1.229 markus 278: case SSH_CHANNEL_X11_OPEN:
279: case SSH_CHANNEL_LARVAL:
280: case SSH_CHANNEL_CONNECTING:
281: case SSH_CHANNEL_DYNAMIC:
1.372 markus 282: case SSH_CHANNEL_RDYNAMIC_OPEN:
283: case SSH_CHANNEL_RDYNAMIC_FINISH:
1.229 markus 284: case SSH_CHANNEL_OPENING:
285: case SSH_CHANNEL_OPEN:
1.323 dtucker 286: case SSH_CHANNEL_ABANDONED:
1.354 markus 287: case SSH_CHANNEL_MUX_PROXY:
1.367 djm 288: return c;
1.229 markus 289: }
290: logit("Non-public channel %d, type %d.", id, c->type);
1.367 djm 291: return NULL;
1.229 markus 292: }
293:
294: /*
1.55 markus 295: * Register filedescriptors for a channel, used when allocating a channel or
1.52 markus 296: * when the channel consumer/producer is ready, e.g. shell exec'd
1.27 markus 297: */
1.127 itojun 298: static void
1.367 djm 299: channel_register_fds(struct ssh *ssh, Channel *c, int rfd, int wfd, int efd,
1.282 dtucker 300: int extusage, int nonblock, int is_tty)
1.1 deraadt 301: {
1.367 djm 302: struct ssh_channels *sc = ssh->chanctxt;
303:
1.25 markus 304: /* Update the maximum file descriptor value. */
1.367 djm 305: sc->channel_max_fd = MAXIMUM(sc->channel_max_fd, rfd);
306: sc->channel_max_fd = MAXIMUM(sc->channel_max_fd, wfd);
307: sc->channel_max_fd = MAXIMUM(sc->channel_max_fd, efd);
1.84 markus 308:
1.298 dtucker 309: if (rfd != -1)
310: fcntl(rfd, F_SETFD, FD_CLOEXEC);
311: if (wfd != -1 && wfd != rfd)
312: fcntl(wfd, F_SETFD, FD_CLOEXEC);
313: if (efd != -1 && efd != rfd && efd != wfd)
314: fcntl(efd, F_SETFD, FD_CLOEXEC);
1.55 markus 315:
1.52 markus 316: c->rfd = rfd;
317: c->wfd = wfd;
318: c->sock = (rfd == wfd) ? rfd : -1;
319: c->efd = efd;
320: c->extended_usage = extusage;
1.71 markus 321:
1.282 dtucker 322: if ((c->isatty = is_tty) != 0)
1.194 markus 323: debug2("channel %d: rfd %d isatty", c->self, c->rfd);
1.91 markus 324:
1.71 markus 325: /* enable nonblocking mode */
326: if (nonblock) {
327: if (rfd != -1)
328: set_nonblock(rfd);
329: if (wfd != -1)
330: set_nonblock(wfd);
331: if (efd != -1)
332: set_nonblock(efd);
333: }
1.52 markus 334: }
335:
336: /*
337: * Allocate a new channel object and set its type and socket. This will cause
338: * remote_name to be freed.
339: */
1.113 markus 340: Channel *
1.367 djm 341: channel_new(struct ssh *ssh, char *ctype, int type, int rfd, int wfd, int efd,
1.178 markus 342: u_int window, u_int maxpack, int extusage, char *remote_name, int nonblock)
1.52 markus 343: {
1.367 djm 344: struct ssh_channels *sc = ssh->chanctxt;
345: u_int i, found;
1.52 markus 346: Channel *c;
1.25 markus 347:
348: /* Try to find a free slot where to put the new channel. */
1.367 djm 349: for (i = 0; i < sc->channels_alloc; i++) {
350: if (sc->channels[i] == NULL) {
1.25 markus 351: /* Found a free slot. */
1.367 djm 352: found = i;
1.25 markus 353: break;
354: }
1.367 djm 355: }
356: if (i >= sc->channels_alloc) {
357: /*
358: * There are no free slots. Take last+1 slot and expand
359: * the array.
360: */
361: found = sc->channels_alloc;
362: if (sc->channels_alloc > CHANNELS_MAX_CHANNELS)
363: fatal("%s: internal error: channels_alloc %d too big",
364: __func__, sc->channels_alloc);
365: sc->channels = xrecallocarray(sc->channels, sc->channels_alloc,
366: sc->channels_alloc + 10, sizeof(*sc->channels));
367: sc->channels_alloc += 10;
368: debug2("channel: expanding %d", sc->channels_alloc);
1.25 markus 369: }
1.113 markus 370: /* Initialize and return new channel. */
1.367 djm 371: c = sc->channels[found] = xcalloc(1, sizeof(Channel));
372: if ((c->input = sshbuf_new()) == NULL ||
373: (c->output = sshbuf_new()) == NULL ||
374: (c->extended = sshbuf_new()) == NULL)
375: fatal("%s: sshbuf_new failed", __func__);
1.159 markus 376: c->ostate = CHAN_OUTPUT_OPEN;
377: c->istate = CHAN_INPUT_OPEN;
1.367 djm 378: channel_register_fds(ssh, c, rfd, wfd, efd, extusage, nonblock, 0);
1.25 markus 379: c->self = found;
380: c->type = type;
1.41 markus 381: c->ctype = ctype;
1.51 markus 382: c->local_window = window;
383: c->local_window_max = window;
384: c->local_maxpacket = maxpack;
1.190 markus 385: c->remote_name = xstrdup(remote_name);
1.302 djm 386: c->ctl_chan = -1;
1.299 markus 387: c->delayed = 1; /* prevent call to channel_post handler */
1.275 djm 388: TAILQ_INIT(&c->status_confirms);
1.25 markus 389: debug("channel %d: new [%s]", found, remote_name);
1.113 markus 390: return c;
1.1 deraadt 391: }
1.52 markus 392:
1.367 djm 393: static void
394: channel_find_maxfd(struct ssh_channels *sc)
1.132 markus 395: {
1.209 avsm 396: u_int i;
397: int max = 0;
1.132 markus 398: Channel *c;
399:
1.367 djm 400: for (i = 0; i < sc->channels_alloc; i++) {
401: c = sc->channels[i];
1.132 markus 402: if (c != NULL) {
1.352 deraadt 403: max = MAXIMUM(max, c->rfd);
404: max = MAXIMUM(max, c->wfd);
405: max = MAXIMUM(max, c->efd);
1.132 markus 406: }
407: }
1.367 djm 408: sc->channel_max_fd = max;
1.132 markus 409: }
410:
411: int
1.367 djm 412: channel_close_fd(struct ssh *ssh, int *fdp)
1.132 markus 413: {
1.367 djm 414: struct ssh_channels *sc = ssh->chanctxt;
1.132 markus 415: int ret = 0, fd = *fdp;
416:
417: if (fd != -1) {
418: ret = close(fd);
419: *fdp = -1;
1.367 djm 420: if (fd == sc->channel_max_fd)
421: channel_find_maxfd(sc);
1.132 markus 422: }
423: return ret;
424: }
425:
1.52 markus 426: /* Close all channel fd/socket. */
1.127 itojun 427: static void
1.367 djm 428: channel_close_fds(struct ssh *ssh, Channel *c)
429: {
1.379 tb 430: int sock = c->sock, rfd = c->rfd, wfd = c->wfd, efd = c->efd;
431:
1.367 djm 432: channel_close_fd(ssh, &c->sock);
1.379 tb 433: if (rfd != sock)
434: channel_close_fd(ssh, &c->rfd);
435: if (wfd != sock && wfd != rfd)
436: channel_close_fd(ssh, &c->wfd);
437: if (efd != sock && efd != rfd && efd != wfd)
438: channel_close_fd(ssh, &c->efd);
1.367 djm 439: }
440:
441: static void
1.381 djm 442: fwd_perm_clear(struct permission *perm)
1.52 markus 443: {
1.381 djm 444: free(perm->host_to_connect);
445: free(perm->listen_host);
446: free(perm->listen_path);
1.398 ! dtucker 447: memset(perm, 0, sizeof(*perm));
1.367 djm 448: }
449:
1.381 djm 450: /* Returns an printable name for the specified forwarding permission list */
451: static const char *
452: fwd_ident(int who, int where)
453: {
454: if (who == FORWARD_ADM) {
455: if (where == FORWARD_LOCAL)
456: return "admin local";
457: else if (where == FORWARD_REMOTE)
458: return "admin remote";
459: } else if (who == FORWARD_USER) {
460: if (where == FORWARD_LOCAL)
461: return "user local";
462: else if (where == FORWARD_REMOTE)
463: return "user remote";
464: }
465: fatal("Unknown forward permission list %d/%d", who, where);
466: }
467:
468: /* Returns the forwarding permission list for the specified direction */
469: static struct permission_set *
470: permission_set_get(struct ssh *ssh, int where)
471: {
472: struct ssh_channels *sc = ssh->chanctxt;
1.367 djm 473:
1.381 djm 474: switch (where) {
475: case FORWARD_LOCAL:
476: return &sc->local_perms;
477: break;
478: case FORWARD_REMOTE:
479: return &sc->remote_perms;
480: break;
481: default:
482: fatal("%s: invalid forwarding direction %d", __func__, where);
483: }
484: }
485:
1.392 dtucker 486: /* Returns pointers to the specified forwarding list and its element count */
1.381 djm 487: static void
488: permission_set_get_array(struct ssh *ssh, int who, int where,
489: struct permission ***permpp, u_int **npermpp)
490: {
491: struct permission_set *pset = permission_set_get(ssh, where);
492:
493: switch (who) {
494: case FORWARD_USER:
495: *permpp = &pset->permitted_user;
496: *npermpp = &pset->num_permitted_user;
497: break;
498: case FORWARD_ADM:
499: *permpp = &pset->permitted_admin;
500: *npermpp = &pset->num_permitted_admin;
501: break;
502: default:
503: fatal("%s: invalid forwarding client %d", __func__, who);
504: }
505: }
506:
507: /* Adds an entry to the spcified forwarding list */
1.367 djm 508: static int
1.381 djm 509: permission_set_add(struct ssh *ssh, int who, int where,
1.367 djm 510: const char *host_to_connect, int port_to_connect,
511: const char *listen_host, const char *listen_path, int listen_port,
512: Channel *downstream)
513: {
1.381 djm 514: struct permission **permp;
515: u_int n, *npermp;
1.367 djm 516:
1.381 djm 517: permission_set_get_array(ssh, who, where, &permp, &npermp);
1.367 djm 518:
1.381 djm 519: if (*npermp >= INT_MAX)
520: fatal("%s: %s overflow", __func__, fwd_ident(who, where));
1.367 djm 521:
1.381 djm 522: *permp = xrecallocarray(*permp, *npermp, *npermp + 1, sizeof(**permp));
523: n = (*npermp)++;
1.367 djm 524: #define MAYBE_DUP(s) ((s == NULL) ? NULL : xstrdup(s))
1.381 djm 525: (*permp)[n].host_to_connect = MAYBE_DUP(host_to_connect);
526: (*permp)[n].port_to_connect = port_to_connect;
527: (*permp)[n].listen_host = MAYBE_DUP(listen_host);
528: (*permp)[n].listen_path = MAYBE_DUP(listen_path);
529: (*permp)[n].listen_port = listen_port;
530: (*permp)[n].downstream = downstream;
1.367 djm 531: #undef MAYBE_DUP
532: return (int)n;
533: }
534:
535: static void
536: mux_remove_remote_forwardings(struct ssh *ssh, Channel *c)
537: {
538: struct ssh_channels *sc = ssh->chanctxt;
1.381 djm 539: struct permission_set *pset = &sc->local_perms;
540: struct permission *perm;
1.367 djm 541: int r;
542: u_int i;
543:
1.381 djm 544: for (i = 0; i < pset->num_permitted_user; i++) {
545: perm = &pset->permitted_user[i];
546: if (perm->downstream != c)
1.367 djm 547: continue;
548:
549: /* cancel on the server, since mux client is gone */
550: debug("channel %d: cleanup remote forward for %s:%u",
1.381 djm 551: c->self, perm->listen_host, perm->listen_port);
1.367 djm 552: if ((r = sshpkt_start(ssh, SSH2_MSG_GLOBAL_REQUEST)) != 0 ||
553: (r = sshpkt_put_cstring(ssh,
554: "cancel-tcpip-forward")) != 0 ||
555: (r = sshpkt_put_u8(ssh, 0)) != 0 ||
556: (r = sshpkt_put_cstring(ssh,
1.381 djm 557: channel_rfwd_bind_host(perm->listen_host))) != 0 ||
558: (r = sshpkt_put_u32(ssh, perm->listen_port)) != 0 ||
1.367 djm 559: (r = sshpkt_send(ssh)) != 0) {
560: fatal("%s: channel %i: %s", __func__,
561: c->self, ssh_err(r));
562: }
1.381 djm 563: fwd_perm_clear(perm); /* unregister */
1.367 djm 564: }
1.121 markus 565: }
566:
567: /* Free the channel and close its fd/socket. */
568: void
1.367 djm 569: channel_free(struct ssh *ssh, Channel *c)
1.121 markus 570: {
1.367 djm 571: struct ssh_channels *sc = ssh->chanctxt;
1.121 markus 572: char *s;
1.209 avsm 573: u_int i, n;
1.354 markus 574: Channel *other;
1.275 djm 575: struct channel_confirm *cc;
1.121 markus 576:
1.367 djm 577: for (n = 0, i = 0; i < sc->channels_alloc; i++) {
578: if ((other = sc->channels[i]) == NULL)
579: continue;
580: n++;
581: /* detach from mux client and prepare for closing */
582: if (c->type == SSH_CHANNEL_MUX_CLIENT &&
583: other->type == SSH_CHANNEL_MUX_PROXY &&
584: other->mux_ctx == c) {
585: other->mux_ctx = NULL;
586: other->type = SSH_CHANNEL_OPEN;
587: other->istate = CHAN_INPUT_CLOSED;
588: other->ostate = CHAN_OUTPUT_CLOSED;
1.354 markus 589: }
590: }
1.209 avsm 591: debug("channel %d: free: %s, nchannels %u", c->self,
1.121 markus 592: c->remote_name ? c->remote_name : "???", n);
593:
1.367 djm 594: if (c->type == SSH_CHANNEL_MUX_CLIENT)
595: mux_remove_remote_forwardings(ssh, c);
1.354 markus 596:
1.384 markus 597: if (log_level_get() >= SYSLOG_LEVEL_DEBUG3) {
598: s = channel_open_message(ssh);
599: debug3("channel %d: status: %s", c->self, s);
600: free(s);
601: }
1.121 markus 602:
1.367 djm 603: channel_close_fds(ssh, c);
604: sshbuf_free(c->input);
605: sshbuf_free(c->output);
606: sshbuf_free(c->extended);
607: c->input = c->output = c->extended = NULL;
1.321 djm 608: free(c->remote_name);
609: c->remote_name = NULL;
610: free(c->path);
611: c->path = NULL;
612: free(c->listening_addr);
613: c->listening_addr = NULL;
1.275 djm 614: while ((cc = TAILQ_FIRST(&c->status_confirms)) != NULL) {
615: if (cc->abandon_cb != NULL)
1.367 djm 616: cc->abandon_cb(ssh, c, cc->ctx);
1.275 djm 617: TAILQ_REMOVE(&c->status_confirms, cc, entry);
1.396 jsg 618: freezero(cc, sizeof(*cc));
1.275 djm 619: }
1.280 djm 620: if (c->filter_cleanup != NULL && c->filter_ctx != NULL)
1.367 djm 621: c->filter_cleanup(ssh, c->self, c->filter_ctx);
622: sc->channels[c->self] = NULL;
1.396 jsg 623: freezero(c, sizeof(*c));
1.121 markus 624: }
625:
626: void
1.367 djm 627: channel_free_all(struct ssh *ssh)
1.121 markus 628: {
1.209 avsm 629: u_int i;
1.390 dtucker 630: struct ssh_channels *sc = ssh->chanctxt;
1.121 markus 631:
1.390 dtucker 632: for (i = 0; i < sc->channels_alloc; i++)
633: if (sc->channels[i] != NULL)
634: channel_free(ssh, sc->channels[i]);
635:
636: free(sc->channels);
637: sc->channels = NULL;
638: sc->channels_alloc = 0;
639: sc->channel_max_fd = 0;
640:
641: free(sc->x11_saved_display);
642: sc->x11_saved_display = NULL;
643:
644: free(sc->x11_saved_proto);
645: sc->x11_saved_proto = NULL;
646:
647: free(sc->x11_saved_data);
648: sc->x11_saved_data = NULL;
649: sc->x11_saved_data_len = 0;
650:
651: free(sc->x11_fake_data);
652: sc->x11_fake_data = NULL;
653: sc->x11_fake_data_len = 0;
1.131 markus 654: }
655:
1.121 markus 656: /*
657: * Closes the sockets/fds of all channels. This is used to close extra file
658: * descriptors after a fork.
659: */
660: void
1.367 djm 661: channel_close_all(struct ssh *ssh)
1.121 markus 662: {
1.209 avsm 663: u_int i;
1.121 markus 664:
1.367 djm 665: for (i = 0; i < ssh->chanctxt->channels_alloc; i++)
666: if (ssh->chanctxt->channels[i] != NULL)
667: channel_close_fds(ssh, ssh->chanctxt->channels[i]);
1.121 markus 668: }
669:
670: /*
1.131 markus 671: * Stop listening to channels.
672: */
673: void
1.367 djm 674: channel_stop_listening(struct ssh *ssh)
1.131 markus 675: {
1.209 avsm 676: u_int i;
1.131 markus 677: Channel *c;
678:
1.367 djm 679: for (i = 0; i < ssh->chanctxt->channels_alloc; i++) {
680: c = ssh->chanctxt->channels[i];
1.131 markus 681: if (c != NULL) {
682: switch (c->type) {
683: case SSH_CHANNEL_AUTH_SOCKET:
684: case SSH_CHANNEL_PORT_LISTENER:
685: case SSH_CHANNEL_RPORT_LISTENER:
686: case SSH_CHANNEL_X11_LISTENER:
1.336 millert 687: case SSH_CHANNEL_UNIX_LISTENER:
688: case SSH_CHANNEL_RUNIX_LISTENER:
1.367 djm 689: channel_close_fd(ssh, &c->sock);
690: channel_free(ssh, c);
1.131 markus 691: break;
692: }
693: }
694: }
695: }
696:
697: /*
1.121 markus 698: * Returns true if no channel has too much buffered data, and false if one or
699: * more channel is overfull.
700: */
701: int
1.367 djm 702: channel_not_very_much_buffered_data(struct ssh *ssh)
1.121 markus 703: {
704: u_int i;
1.367 djm 705: u_int maxsize = ssh_packet_get_maxsize(ssh);
1.121 markus 706: Channel *c;
707:
1.367 djm 708: for (i = 0; i < ssh->chanctxt->channels_alloc; i++) {
709: c = ssh->chanctxt->channels[i];
710: if (c == NULL || c->type != SSH_CHANNEL_OPEN)
711: continue;
712: if (sshbuf_len(c->output) > maxsize) {
713: debug2("channel %d: big output buffer %zu > %u",
714: c->self, sshbuf_len(c->output), maxsize);
715: return 0;
1.121 markus 716: }
717: }
718: return 1;
719: }
720:
721: /* Returns true if any channel is still open. */
722: int
1.367 djm 723: channel_still_open(struct ssh *ssh)
1.121 markus 724: {
1.209 avsm 725: u_int i;
1.121 markus 726: Channel *c;
727:
1.367 djm 728: for (i = 0; i < ssh->chanctxt->channels_alloc; i++) {
729: c = ssh->chanctxt->channels[i];
1.121 markus 730: if (c == NULL)
731: continue;
732: switch (c->type) {
733: case SSH_CHANNEL_X11_LISTENER:
734: case SSH_CHANNEL_PORT_LISTENER:
735: case SSH_CHANNEL_RPORT_LISTENER:
1.302 djm 736: case SSH_CHANNEL_MUX_LISTENER:
1.121 markus 737: case SSH_CHANNEL_CLOSED:
738: case SSH_CHANNEL_AUTH_SOCKET:
739: case SSH_CHANNEL_DYNAMIC:
1.372 markus 740: case SSH_CHANNEL_RDYNAMIC_OPEN:
1.121 markus 741: case SSH_CHANNEL_CONNECTING:
742: case SSH_CHANNEL_ZOMBIE:
1.323 dtucker 743: case SSH_CHANNEL_ABANDONED:
1.336 millert 744: case SSH_CHANNEL_UNIX_LISTENER:
745: case SSH_CHANNEL_RUNIX_LISTENER:
1.121 markus 746: continue;
747: case SSH_CHANNEL_LARVAL:
748: continue;
749: case SSH_CHANNEL_OPENING:
750: case SSH_CHANNEL_OPEN:
1.372 markus 751: case SSH_CHANNEL_RDYNAMIC_FINISH:
1.121 markus 752: case SSH_CHANNEL_X11_OPEN:
1.302 djm 753: case SSH_CHANNEL_MUX_CLIENT:
1.354 markus 754: case SSH_CHANNEL_MUX_PROXY:
1.121 markus 755: return 1;
756: default:
1.358 djm 757: fatal("%s: bad channel type %d", __func__, c->type);
1.121 markus 758: /* NOTREACHED */
759: }
760: }
761: return 0;
762: }
763:
764: /* Returns the id of an open channel suitable for keepaliving */
765: int
1.367 djm 766: channel_find_open(struct ssh *ssh)
1.121 markus 767: {
1.209 avsm 768: u_int i;
1.121 markus 769: Channel *c;
770:
1.367 djm 771: for (i = 0; i < ssh->chanctxt->channels_alloc; i++) {
772: c = ssh->chanctxt->channels[i];
1.368 djm 773: if (c == NULL || !c->have_remote_id)
1.121 markus 774: continue;
775: switch (c->type) {
776: case SSH_CHANNEL_CLOSED:
777: case SSH_CHANNEL_DYNAMIC:
1.372 markus 778: case SSH_CHANNEL_RDYNAMIC_OPEN:
779: case SSH_CHANNEL_RDYNAMIC_FINISH:
1.121 markus 780: case SSH_CHANNEL_X11_LISTENER:
781: case SSH_CHANNEL_PORT_LISTENER:
782: case SSH_CHANNEL_RPORT_LISTENER:
1.302 djm 783: case SSH_CHANNEL_MUX_LISTENER:
784: case SSH_CHANNEL_MUX_CLIENT:
1.354 markus 785: case SSH_CHANNEL_MUX_PROXY:
1.121 markus 786: case SSH_CHANNEL_OPENING:
787: case SSH_CHANNEL_CONNECTING:
788: case SSH_CHANNEL_ZOMBIE:
1.323 dtucker 789: case SSH_CHANNEL_ABANDONED:
1.336 millert 790: case SSH_CHANNEL_UNIX_LISTENER:
791: case SSH_CHANNEL_RUNIX_LISTENER:
1.121 markus 792: continue;
793: case SSH_CHANNEL_LARVAL:
794: case SSH_CHANNEL_AUTH_SOCKET:
795: case SSH_CHANNEL_OPEN:
796: case SSH_CHANNEL_X11_OPEN:
797: return i;
798: default:
1.358 djm 799: fatal("%s: bad channel type %d", __func__, c->type);
1.121 markus 800: /* NOTREACHED */
801: }
802: }
803: return -1;
804: }
805:
1.385 djm 806: /* Returns the state of the channel's extended usage flag */
807: const char *
808: channel_format_extended_usage(const Channel *c)
809: {
810: if (c->efd == -1)
811: return "closed";
812:
813: switch (c->extended_usage) {
814: case CHAN_EXTENDED_WRITE:
815: return "write";
816: case CHAN_EXTENDED_READ:
817: return "read";
818: case CHAN_EXTENDED_IGNORE:
819: return "ignore";
820: default:
821: return "UNKNOWN";
822: }
823: }
824:
1.386 djm 825: static char *
826: channel_format_status(const Channel *c)
827: {
828: char *ret = NULL;
829:
830: xasprintf(&ret, "t%d %s%u i%u/%zu o%u/%zu e[%s]/%zu "
831: "fd %d/%d/%d sock %d cc %d",
832: c->type,
833: c->have_remote_id ? "r" : "nr", c->remote_id,
834: c->istate, sshbuf_len(c->input),
835: c->ostate, sshbuf_len(c->output),
836: channel_format_extended_usage(c), sshbuf_len(c->extended),
837: c->rfd, c->wfd, c->efd, c->sock, c->ctl_chan);
838: return ret;
839: }
840:
1.121 markus 841: /*
842: * Returns a message describing the currently open forwarded connections,
843: * suitable for sending to the client. The message contains crlf pairs for
844: * newlines.
845: */
846: char *
1.367 djm 847: channel_open_message(struct ssh *ssh)
1.121 markus 848: {
1.367 djm 849: struct sshbuf *buf;
1.121 markus 850: Channel *c;
1.209 avsm 851: u_int i;
1.367 djm 852: int r;
1.386 djm 853: char *cp, *ret;
1.121 markus 854:
1.367 djm 855: if ((buf = sshbuf_new()) == NULL)
856: fatal("%s: sshbuf_new", __func__);
857: if ((r = sshbuf_putf(buf,
858: "The following connections are open:\r\n")) != 0)
859: fatal("%s: sshbuf_putf: %s", __func__, ssh_err(r));
860: for (i = 0; i < ssh->chanctxt->channels_alloc; i++) {
861: c = ssh->chanctxt->channels[i];
1.121 markus 862: if (c == NULL)
863: continue;
864: switch (c->type) {
865: case SSH_CHANNEL_X11_LISTENER:
866: case SSH_CHANNEL_PORT_LISTENER:
867: case SSH_CHANNEL_RPORT_LISTENER:
868: case SSH_CHANNEL_CLOSED:
869: case SSH_CHANNEL_AUTH_SOCKET:
870: case SSH_CHANNEL_ZOMBIE:
1.323 dtucker 871: case SSH_CHANNEL_ABANDONED:
1.302 djm 872: case SSH_CHANNEL_MUX_LISTENER:
1.336 millert 873: case SSH_CHANNEL_UNIX_LISTENER:
874: case SSH_CHANNEL_RUNIX_LISTENER:
1.121 markus 875: continue;
876: case SSH_CHANNEL_LARVAL:
877: case SSH_CHANNEL_OPENING:
878: case SSH_CHANNEL_CONNECTING:
879: case SSH_CHANNEL_DYNAMIC:
1.372 markus 880: case SSH_CHANNEL_RDYNAMIC_OPEN:
881: case SSH_CHANNEL_RDYNAMIC_FINISH:
1.121 markus 882: case SSH_CHANNEL_OPEN:
883: case SSH_CHANNEL_X11_OPEN:
1.354 markus 884: case SSH_CHANNEL_MUX_PROXY:
885: case SSH_CHANNEL_MUX_CLIENT:
1.386 djm 886: cp = channel_format_status(c);
887: if ((r = sshbuf_putf(buf, " #%d %.300s (%s)\r\n",
888: c->self, c->remote_name, cp)) != 0) {
889: free(cp);
1.367 djm 890: fatal("%s: sshbuf_putf: %s",
891: __func__, ssh_err(r));
1.386 djm 892: }
893: free(cp);
1.121 markus 894: continue;
895: default:
1.367 djm 896: fatal("%s: bad channel type %d", __func__, c->type);
1.121 markus 897: /* NOTREACHED */
898: }
899: }
1.367 djm 900: if ((ret = sshbuf_dup_string(buf)) == NULL)
901: fatal("%s: sshbuf_dup_string", __func__);
902: sshbuf_free(buf);
903: return ret;
904: }
905:
906: static void
907: open_preamble(struct ssh *ssh, const char *where, Channel *c, const char *type)
908: {
909: int r;
910:
911: if ((r = sshpkt_start(ssh, SSH2_MSG_CHANNEL_OPEN)) != 0 ||
912: (r = sshpkt_put_cstring(ssh, type)) != 0 ||
913: (r = sshpkt_put_u32(ssh, c->self)) != 0 ||
914: (r = sshpkt_put_u32(ssh, c->local_window)) != 0 ||
915: (r = sshpkt_put_u32(ssh, c->local_maxpacket)) != 0) {
916: fatal("%s: channel %i: open: %s", where, c->self, ssh_err(r));
917: }
1.121 markus 918: }
919:
920: void
1.367 djm 921: channel_send_open(struct ssh *ssh, int id)
1.121 markus 922: {
1.367 djm 923: Channel *c = channel_lookup(ssh, id);
924: int r;
1.180 deraadt 925:
1.121 markus 926: if (c == NULL) {
1.188 itojun 927: logit("channel_send_open: %d: bad id", id);
1.121 markus 928: return;
929: }
1.184 markus 930: debug2("channel %d: send open", id);
1.367 djm 931: open_preamble(ssh, __func__, c, c->ctype);
932: if ((r = sshpkt_send(ssh)) != 0)
933: fatal("%s: channel %i: %s", __func__, c->self, ssh_err(r));
1.121 markus 934: }
935:
936: void
1.367 djm 937: channel_request_start(struct ssh *ssh, int id, char *service, int wantconfirm)
1.121 markus 938: {
1.367 djm 939: Channel *c = channel_lookup(ssh, id);
940: int r;
1.180 deraadt 941:
1.121 markus 942: if (c == NULL) {
1.367 djm 943: logit("%s: %d: unknown channel id", __func__, id);
1.121 markus 944: return;
945: }
1.368 djm 946: if (!c->have_remote_id)
947: fatal(":%s: channel %d: no remote id", __func__, c->self);
948:
1.204 djm 949: debug2("channel %d: request %s confirm %d", id, service, wantconfirm);
1.367 djm 950: if ((r = sshpkt_start(ssh, SSH2_MSG_CHANNEL_REQUEST)) != 0 ||
951: (r = sshpkt_put_u32(ssh, c->remote_id)) != 0 ||
952: (r = sshpkt_put_cstring(ssh, service)) != 0 ||
953: (r = sshpkt_put_u8(ssh, wantconfirm)) != 0) {
954: fatal("%s: channel %i: %s", __func__, c->self, ssh_err(r));
955: }
1.121 markus 956: }
1.241 deraadt 957:
1.121 markus 958: void
1.367 djm 959: channel_register_status_confirm(struct ssh *ssh, int id,
960: channel_confirm_cb *cb, channel_confirm_abandon_cb *abandon_cb, void *ctx)
1.275 djm 961: {
962: struct channel_confirm *cc;
963: Channel *c;
964:
1.367 djm 965: if ((c = channel_lookup(ssh, id)) == NULL)
966: fatal("%s: %d: bad id", __func__, id);
1.275 djm 967:
1.327 djm 968: cc = xcalloc(1, sizeof(*cc));
1.275 djm 969: cc->cb = cb;
970: cc->abandon_cb = abandon_cb;
971: cc->ctx = ctx;
972: TAILQ_INSERT_TAIL(&c->status_confirms, cc, entry);
973: }
974:
975: void
1.367 djm 976: channel_register_open_confirm(struct ssh *ssh, int id,
977: channel_open_fn *fn, void *ctx)
1.121 markus 978: {
1.367 djm 979: Channel *c = channel_lookup(ssh, id);
1.180 deraadt 980:
1.121 markus 981: if (c == NULL) {
1.367 djm 982: logit("%s: %d: bad id", __func__, id);
1.121 markus 983: return;
984: }
1.275 djm 985: c->open_confirm = fn;
986: c->open_confirm_ctx = ctx;
1.121 markus 987: }
1.241 deraadt 988:
1.121 markus 989: void
1.367 djm 990: channel_register_cleanup(struct ssh *ssh, int id,
991: channel_callback_fn *fn, int do_close)
1.121 markus 992: {
1.367 djm 993: Channel *c = channel_by_id(ssh, id);
1.180 deraadt 994:
1.121 markus 995: if (c == NULL) {
1.367 djm 996: logit("%s: %d: bad id", __func__, id);
1.121 markus 997: return;
998: }
1.131 markus 999: c->detach_user = fn;
1.225 djm 1000: c->detach_close = do_close;
1.121 markus 1001: }
1.241 deraadt 1002:
1.121 markus 1003: void
1.367 djm 1004: channel_cancel_cleanup(struct ssh *ssh, int id)
1.121 markus 1005: {
1.367 djm 1006: Channel *c = channel_by_id(ssh, id);
1.180 deraadt 1007:
1.121 markus 1008: if (c == NULL) {
1.367 djm 1009: logit("%s: %d: bad id", __func__, id);
1.121 markus 1010: return;
1.52 markus 1011: }
1.131 markus 1012: c->detach_user = NULL;
1.225 djm 1013: c->detach_close = 0;
1.121 markus 1014: }
1.241 deraadt 1015:
1.121 markus 1016: void
1.367 djm 1017: channel_register_filter(struct ssh *ssh, int id, channel_infilter_fn *ifn,
1.280 djm 1018: channel_outfilter_fn *ofn, channel_filter_cleanup_fn *cfn, void *ctx)
1.121 markus 1019: {
1.367 djm 1020: Channel *c = channel_lookup(ssh, id);
1.180 deraadt 1021:
1.121 markus 1022: if (c == NULL) {
1.367 djm 1023: logit("%s: %d: bad id", __func__, id);
1.121 markus 1024: return;
1.52 markus 1025: }
1.231 reyk 1026: c->input_filter = ifn;
1027: c->output_filter = ofn;
1.279 djm 1028: c->filter_ctx = ctx;
1.280 djm 1029: c->filter_cleanup = cfn;
1.52 markus 1030: }
1031:
1.49 markus 1032: void
1.367 djm 1033: channel_set_fds(struct ssh *ssh, int id, int rfd, int wfd, int efd,
1.282 dtucker 1034: int extusage, int nonblock, int is_tty, u_int window_max)
1.1 deraadt 1035: {
1.367 djm 1036: Channel *c = channel_lookup(ssh, id);
1037: int r;
1.180 deraadt 1038:
1.121 markus 1039: if (c == NULL || c->type != SSH_CHANNEL_LARVAL)
1040: fatal("channel_activate for non-larval channel %d.", id);
1.368 djm 1041: if (!c->have_remote_id)
1042: fatal(":%s: channel %d: no remote id", __func__, c->self);
1043:
1.367 djm 1044: channel_register_fds(ssh, c, rfd, wfd, efd, extusage, nonblock, is_tty);
1.121 markus 1045: c->type = SSH_CHANNEL_OPEN;
1.168 markus 1046: c->local_window = c->local_window_max = window_max;
1.367 djm 1047:
1048: if ((r = sshpkt_start(ssh, SSH2_MSG_CHANNEL_WINDOW_ADJUST)) != 0 ||
1049: (r = sshpkt_put_u32(ssh, c->remote_id)) != 0 ||
1050: (r = sshpkt_put_u32(ssh, c->local_window)) != 0 ||
1051: (r = sshpkt_send(ssh)) != 0)
1052: fatal("%s: channel %i: %s", __func__, c->self, ssh_err(r));
1.1 deraadt 1053: }
1054:
1.127 itojun 1055: static void
1.367 djm 1056: channel_pre_listener(struct ssh *ssh, Channel *c,
1057: fd_set *readset, fd_set *writeset)
1.41 markus 1058: {
1059: FD_SET(c->sock, readset);
1060: }
1061:
1.127 itojun 1062: static void
1.367 djm 1063: channel_pre_connecting(struct ssh *ssh, Channel *c,
1064: fd_set *readset, fd_set *writeset)
1.75 markus 1065: {
1066: debug3("channel %d: waiting for connection", c->self);
1067: FD_SET(c->sock, writeset);
1068: }
1069:
1.127 itojun 1070: static void
1.367 djm 1071: channel_pre_open(struct ssh *ssh, Channel *c,
1072: fd_set *readset, fd_set *writeset)
1.41 markus 1073: {
1.44 markus 1074: if (c->istate == CHAN_INPUT_OPEN &&
1.358 djm 1075: c->remote_window > 0 &&
1.367 djm 1076: sshbuf_len(c->input) < c->remote_window &&
1077: sshbuf_check_reserve(c->input, CHAN_RBUF) == 0)
1.44 markus 1078: FD_SET(c->rfd, readset);
1079: if (c->ostate == CHAN_OUTPUT_OPEN ||
1080: c->ostate == CHAN_OUTPUT_WAIT_DRAIN) {
1.367 djm 1081: if (sshbuf_len(c->output) > 0) {
1.44 markus 1082: FD_SET(c->wfd, writeset);
1083: } else if (c->ostate == CHAN_OUTPUT_WAIT_DRAIN) {
1.172 markus 1084: if (CHANNEL_EFD_OUTPUT_ACTIVE(c))
1.367 djm 1085: debug2("channel %d: "
1086: "obuf_empty delayed efd %d/(%zu)", c->self,
1087: c->efd, sshbuf_len(c->extended));
1.172 markus 1088: else
1.367 djm 1089: chan_obuf_empty(ssh, c);
1.44 markus 1090: }
1091: }
1092: /** XXX check close conditions, too */
1.358 djm 1093: if (c->efd != -1 && !(c->istate == CHAN_INPUT_CLOSED &&
1094: c->ostate == CHAN_OUTPUT_CLOSED)) {
1.44 markus 1095: if (c->extended_usage == CHAN_EXTENDED_WRITE &&
1.367 djm 1096: sshbuf_len(c->extended) > 0)
1.44 markus 1097: FD_SET(c->efd, writeset);
1.306 djm 1098: else if (c->efd != -1 && !(c->flags & CHAN_EOF_SENT) &&
1099: (c->extended_usage == CHAN_EXTENDED_READ ||
1100: c->extended_usage == CHAN_EXTENDED_IGNORE) &&
1.367 djm 1101: sshbuf_len(c->extended) < c->remote_window)
1.44 markus 1102: FD_SET(c->efd, readset);
1103: }
1.204 djm 1104: /* XXX: What about efd? races? */
1.44 markus 1105: }
1106:
1.41 markus 1107: /*
1108: * This is a special state for X11 authentication spoofing. An opened X11
1109: * connection (when authentication spoofing is being done) remains in this
1110: * state until the first packet has been completely read. The authentication
1111: * data in that packet is then substituted by the real data if it matches the
1112: * fake data, and the channel is put into normal mode.
1.51 markus 1113: * XXX All this happens at the client side.
1.121 markus 1114: * Returns: 0 = need more data, -1 = wrong cookie, 1 = ok
1.41 markus 1115: */
1.127 itojun 1116: static int
1.367 djm 1117: x11_open_helper(struct ssh *ssh, struct sshbuf *b)
1.1 deraadt 1118: {
1.367 djm 1119: struct ssh_channels *sc = ssh->chanctxt;
1.77 markus 1120: u_char *ucp;
1121: u_int proto_len, data_len;
1.25 markus 1122:
1.347 djm 1123: /* Is this being called after the refusal deadline? */
1.367 djm 1124: if (sc->x11_refuse_time != 0 &&
1125: (u_int)monotime() >= sc->x11_refuse_time) {
1.347 djm 1126: verbose("Rejected X11 connection after ForwardX11Timeout "
1127: "expired");
1128: return -1;
1129: }
1130:
1.41 markus 1131: /* Check if the fixed size part of the packet is in buffer. */
1.367 djm 1132: if (sshbuf_len(b) < 12)
1.41 markus 1133: return 0;
1134:
1135: /* Parse the lengths of variable-length fields. */
1.367 djm 1136: ucp = sshbuf_mutable_ptr(b);
1.41 markus 1137: if (ucp[0] == 0x42) { /* Byte order MSB first. */
1138: proto_len = 256 * ucp[6] + ucp[7];
1139: data_len = 256 * ucp[8] + ucp[9];
1140: } else if (ucp[0] == 0x6c) { /* Byte order LSB first. */
1141: proto_len = ucp[6] + 256 * ucp[7];
1142: data_len = ucp[8] + 256 * ucp[9];
1143: } else {
1.194 markus 1144: debug2("Initial X11 packet contains bad byte order byte: 0x%x",
1.148 deraadt 1145: ucp[0]);
1.41 markus 1146: return -1;
1147: }
1148:
1149: /* Check if the whole packet is in buffer. */
1.367 djm 1150: if (sshbuf_len(b) <
1.41 markus 1151: 12 + ((proto_len + 3) & ~3) + ((data_len + 3) & ~3))
1152: return 0;
1153:
1154: /* Check if authentication protocol matches. */
1.367 djm 1155: if (proto_len != strlen(sc->x11_saved_proto) ||
1156: memcmp(ucp + 12, sc->x11_saved_proto, proto_len) != 0) {
1.194 markus 1157: debug2("X11 connection uses different authentication protocol.");
1.41 markus 1158: return -1;
1159: }
1160: /* Check if authentication data matches our fake data. */
1.367 djm 1161: if (data_len != sc->x11_fake_data_len ||
1.308 djm 1162: timingsafe_bcmp(ucp + 12 + ((proto_len + 3) & ~3),
1.367 djm 1163: sc->x11_fake_data, sc->x11_fake_data_len) != 0) {
1.194 markus 1164: debug2("X11 auth data does not match fake data.");
1.41 markus 1165: return -1;
1166: }
1167: /* Check fake data length */
1.367 djm 1168: if (sc->x11_fake_data_len != sc->x11_saved_data_len) {
1.41 markus 1169: error("X11 fake_data_len %d != saved_data_len %d",
1.367 djm 1170: sc->x11_fake_data_len, sc->x11_saved_data_len);
1.41 markus 1171: return -1;
1172: }
1173: /*
1174: * Received authentication protocol and data match
1175: * our fake data. Substitute the fake data with real
1176: * data.
1177: */
1178: memcpy(ucp + 12 + ((proto_len + 3) & ~3),
1.367 djm 1179: sc->x11_saved_data, sc->x11_saved_data_len);
1.41 markus 1180: return 1;
1181: }
1182:
1.127 itojun 1183: static void
1.367 djm 1184: channel_pre_x11_open(struct ssh *ssh, Channel *c,
1185: fd_set *readset, fd_set *writeset)
1.41 markus 1186: {
1.367 djm 1187: int ret = x11_open_helper(ssh, c->output);
1.133 markus 1188:
1189: /* c->force_drain = 1; */
1190:
1.41 markus 1191: if (ret == 1) {
1192: c->type = SSH_CHANNEL_OPEN;
1.367 djm 1193: channel_pre_open(ssh, c, readset, writeset);
1.41 markus 1194: } else if (ret == -1) {
1.188 itojun 1195: logit("X11 connection rejected because of wrong authentication.");
1.367 djm 1196: debug2("X11 rejected %d i%d/o%d",
1197: c->self, c->istate, c->ostate);
1198: chan_read_failed(ssh, c);
1199: sshbuf_reset(c->input);
1200: chan_ibuf_empty(ssh, c);
1201: sshbuf_reset(c->output);
1202: chan_write_failed(ssh, c);
1.194 markus 1203: debug2("X11 closed %d i%d/o%d", c->self, c->istate, c->ostate);
1.41 markus 1204: }
1205: }
1.25 markus 1206:
1.302 djm 1207: static void
1.367 djm 1208: channel_pre_mux_client(struct ssh *ssh,
1209: Channel *c, fd_set *readset, fd_set *writeset)
1.302 djm 1210: {
1.304 djm 1211: if (c->istate == CHAN_INPUT_OPEN && !c->mux_pause &&
1.367 djm 1212: sshbuf_check_reserve(c->input, CHAN_RBUF) == 0)
1.302 djm 1213: FD_SET(c->rfd, readset);
1214: if (c->istate == CHAN_INPUT_WAIT_DRAIN) {
1215: /* clear buffer immediately (discard any partial packet) */
1.367 djm 1216: sshbuf_reset(c->input);
1217: chan_ibuf_empty(ssh, c);
1.302 djm 1218: /* Start output drain. XXX just kill chan? */
1.367 djm 1219: chan_rcvd_oclose(ssh, c);
1.302 djm 1220: }
1221: if (c->ostate == CHAN_OUTPUT_OPEN ||
1222: c->ostate == CHAN_OUTPUT_WAIT_DRAIN) {
1.367 djm 1223: if (sshbuf_len(c->output) > 0)
1.302 djm 1224: FD_SET(c->wfd, writeset);
1225: else if (c->ostate == CHAN_OUTPUT_WAIT_DRAIN)
1.367 djm 1226: chan_obuf_empty(ssh, c);
1.302 djm 1227: }
1228: }
1229:
1.104 markus 1230: /* try to decode a socks4 header */
1.127 itojun 1231: static int
1.372 markus 1232: channel_decode_socks4(Channel *c, struct sshbuf *input, struct sshbuf *output)
1.103 markus 1233: {
1.367 djm 1234: const u_char *p;
1235: char *host;
1.292 djm 1236: u_int len, have, i, found, need;
1.148 deraadt 1237: char username[256];
1.103 markus 1238: struct {
1239: u_int8_t version;
1240: u_int8_t command;
1241: u_int16_t dest_port;
1.104 markus 1242: struct in_addr dest_addr;
1.103 markus 1243: } s4_req, s4_rsp;
1.367 djm 1244: int r;
1.103 markus 1245:
1.104 markus 1246: debug2("channel %d: decode socks4", c->self);
1.109 markus 1247:
1.372 markus 1248: have = sshbuf_len(input);
1.109 markus 1249: len = sizeof(s4_req);
1250: if (have < len)
1251: return 0;
1.372 markus 1252: p = sshbuf_ptr(input);
1.292 djm 1253:
1254: need = 1;
1255: /* SOCKS4A uses an invalid IP address 0.0.0.x */
1256: if (p[4] == 0 && p[5] == 0 && p[6] == 0 && p[7] != 0) {
1257: debug2("channel %d: socks4a request", c->self);
1258: /* ... and needs an extra string (the hostname) */
1259: need = 2;
1260: }
1261: /* Check for terminating NUL on the string(s) */
1.109 markus 1262: for (found = 0, i = len; i < have; i++) {
1263: if (p[i] == '\0') {
1.292 djm 1264: found++;
1265: if (found == need)
1266: break;
1.109 markus 1267: }
1268: if (i > 1024) {
1269: /* the peer is probably sending garbage */
1270: debug("channel %d: decode socks4: too long",
1271: c->self);
1272: return -1;
1273: }
1274: }
1.292 djm 1275: if (found < need)
1.109 markus 1276: return 0;
1.372 markus 1277: if ((r = sshbuf_get(input, &s4_req.version, 1)) != 0 ||
1278: (r = sshbuf_get(input, &s4_req.command, 1)) != 0 ||
1279: (r = sshbuf_get(input, &s4_req.dest_port, 2)) != 0 ||
1280: (r = sshbuf_get(input, &s4_req.dest_addr, 4)) != 0) {
1.367 djm 1281: debug("channels %d: decode socks4: %s", c->self, ssh_err(r));
1282: return -1;
1283: }
1.372 markus 1284: have = sshbuf_len(input);
1285: p = sshbuf_ptr(input);
1.364 djm 1286: if (memchr(p, '\0', have) == NULL) {
1287: error("channel %d: decode socks4: user not nul terminated",
1.331 djm 1288: c->self);
1.364 djm 1289: return -1;
1290: }
1.103 markus 1291: len = strlen(p);
1.106 markus 1292: debug2("channel %d: decode socks4: user %s/%d", c->self, p, len);
1.367 djm 1293: len++; /* trailing '\0' */
1.103 markus 1294: strlcpy(username, p, sizeof(username));
1.372 markus 1295: if ((r = sshbuf_consume(input, len)) != 0) {
1.367 djm 1296: fatal("%s: channel %d: consume: %s", __func__,
1297: c->self, ssh_err(r));
1298: }
1.321 djm 1299: free(c->path);
1300: c->path = NULL;
1.292 djm 1301: if (need == 1) { /* SOCKS4: one string */
1302: host = inet_ntoa(s4_req.dest_addr);
1.293 djm 1303: c->path = xstrdup(host);
1.292 djm 1304: } else { /* SOCKS4A: two strings */
1.372 markus 1305: have = sshbuf_len(input);
1306: p = sshbuf_ptr(input);
1.364 djm 1307: if (memchr(p, '\0', have) == NULL) {
1308: error("channel %d: decode socks4a: host not nul "
1309: "terminated", c->self);
1310: return -1;
1311: }
1.292 djm 1312: len = strlen(p);
1313: debug2("channel %d: decode socks4a: host %s/%d",
1314: c->self, p, len);
1315: len++; /* trailing '\0' */
1.293 djm 1316: if (len > NI_MAXHOST) {
1.292 djm 1317: error("channel %d: hostname \"%.100s\" too long",
1318: c->self, p);
1319: return -1;
1320: }
1.293 djm 1321: c->path = xstrdup(p);
1.372 markus 1322: if ((r = sshbuf_consume(input, len)) != 0) {
1.367 djm 1323: fatal("%s: channel %d: consume: %s", __func__,
1324: c->self, ssh_err(r));
1325: }
1.292 djm 1326: }
1.103 markus 1327: c->host_port = ntohs(s4_req.dest_port);
1.148 deraadt 1328:
1.194 markus 1329: debug2("channel %d: dynamic request: socks4 host %s port %u command %u",
1.292 djm 1330: c->self, c->path, c->host_port, s4_req.command);
1.103 markus 1331:
1.104 markus 1332: if (s4_req.command != 1) {
1.292 djm 1333: debug("channel %d: cannot handle: %s cn %d",
1334: c->self, need == 1 ? "SOCKS4" : "SOCKS4A", s4_req.command);
1.104 markus 1335: return -1;
1.103 markus 1336: }
1.104 markus 1337: s4_rsp.version = 0; /* vn: 0 for reply */
1338: s4_rsp.command = 90; /* cd: req granted */
1.103 markus 1339: s4_rsp.dest_port = 0; /* ignored */
1.104 markus 1340: s4_rsp.dest_addr.s_addr = INADDR_ANY; /* ignored */
1.372 markus 1341: if ((r = sshbuf_put(output, &s4_rsp, sizeof(s4_rsp))) != 0) {
1.367 djm 1342: fatal("%s: channel %d: append reply: %s", __func__,
1343: c->self, ssh_err(r));
1344: }
1.104 markus 1345: return 1;
1346: }
1347:
1.193 markus 1348: /* try to decode a socks5 header */
1349: #define SSH_SOCKS5_AUTHDONE 0x1000
1350: #define SSH_SOCKS5_NOAUTH 0x00
1351: #define SSH_SOCKS5_IPV4 0x01
1352: #define SSH_SOCKS5_DOMAIN 0x03
1353: #define SSH_SOCKS5_IPV6 0x04
1354: #define SSH_SOCKS5_CONNECT 0x01
1355: #define SSH_SOCKS5_SUCCESS 0x00
1356:
1357: static int
1.372 markus 1358: channel_decode_socks5(Channel *c, struct sshbuf *input, struct sshbuf *output)
1.193 markus 1359: {
1.367 djm 1360: /* XXX use get/put_u8 instead of trusting struct padding */
1.193 markus 1361: struct {
1362: u_int8_t version;
1363: u_int8_t command;
1364: u_int8_t reserved;
1365: u_int8_t atyp;
1366: } s5_req, s5_rsp;
1367: u_int16_t dest_port;
1.324 djm 1368: char dest_addr[255+1], ntop[INET6_ADDRSTRLEN];
1.367 djm 1369: const u_char *p;
1.252 djm 1370: u_int have, need, i, found, nmethods, addrlen, af;
1.367 djm 1371: int r;
1.193 markus 1372:
1373: debug2("channel %d: decode socks5", c->self);
1.372 markus 1374: p = sshbuf_ptr(input);
1.193 markus 1375: if (p[0] != 0x05)
1376: return -1;
1.372 markus 1377: have = sshbuf_len(input);
1.193 markus 1378: if (!(c->flags & SSH_SOCKS5_AUTHDONE)) {
1379: /* format: ver | nmethods | methods */
1.198 djm 1380: if (have < 2)
1.193 markus 1381: return 0;
1382: nmethods = p[1];
1383: if (have < nmethods + 2)
1384: return 0;
1385: /* look for method: "NO AUTHENTICATION REQUIRED" */
1.268 stevesk 1386: for (found = 0, i = 2; i < nmethods + 2; i++) {
1.264 stevesk 1387: if (p[i] == SSH_SOCKS5_NOAUTH) {
1.193 markus 1388: found = 1;
1389: break;
1390: }
1391: }
1392: if (!found) {
1393: debug("channel %d: method SSH_SOCKS5_NOAUTH not found",
1394: c->self);
1395: return -1;
1396: }
1.372 markus 1397: if ((r = sshbuf_consume(input, nmethods + 2)) != 0) {
1.367 djm 1398: fatal("%s: channel %d: consume: %s", __func__,
1399: c->self, ssh_err(r));
1400: }
1401: /* version, method */
1.372 markus 1402: if ((r = sshbuf_put_u8(output, 0x05)) != 0 ||
1403: (r = sshbuf_put_u8(output, SSH_SOCKS5_NOAUTH)) != 0) {
1.367 djm 1404: fatal("%s: channel %d: append reply: %s", __func__,
1405: c->self, ssh_err(r));
1406: }
1.193 markus 1407: c->flags |= SSH_SOCKS5_AUTHDONE;
1408: debug2("channel %d: socks5 auth done", c->self);
1409: return 0; /* need more */
1410: }
1411: debug2("channel %d: socks5 post auth", c->self);
1412: if (have < sizeof(s5_req)+1)
1413: return 0; /* need more */
1.247 deraadt 1414: memcpy(&s5_req, p, sizeof(s5_req));
1.193 markus 1415: if (s5_req.version != 0x05 ||
1416: s5_req.command != SSH_SOCKS5_CONNECT ||
1417: s5_req.reserved != 0x00) {
1.194 markus 1418: debug2("channel %d: only socks5 connect supported", c->self);
1.193 markus 1419: return -1;
1420: }
1.213 deraadt 1421: switch (s5_req.atyp){
1.193 markus 1422: case SSH_SOCKS5_IPV4:
1423: addrlen = 4;
1424: af = AF_INET;
1425: break;
1426: case SSH_SOCKS5_DOMAIN:
1427: addrlen = p[sizeof(s5_req)];
1428: af = -1;
1429: break;
1430: case SSH_SOCKS5_IPV6:
1431: addrlen = 16;
1432: af = AF_INET6;
1433: break;
1434: default:
1.194 markus 1435: debug2("channel %d: bad socks5 atyp %d", c->self, s5_req.atyp);
1.193 markus 1436: return -1;
1437: }
1.252 djm 1438: need = sizeof(s5_req) + addrlen + 2;
1439: if (s5_req.atyp == SSH_SOCKS5_DOMAIN)
1440: need++;
1441: if (have < need)
1.193 markus 1442: return 0;
1.372 markus 1443: if ((r = sshbuf_consume(input, sizeof(s5_req))) != 0) {
1.367 djm 1444: fatal("%s: channel %d: consume: %s", __func__,
1445: c->self, ssh_err(r));
1446: }
1447: if (s5_req.atyp == SSH_SOCKS5_DOMAIN) {
1448: /* host string length */
1.372 markus 1449: if ((r = sshbuf_consume(input, 1)) != 0) {
1.367 djm 1450: fatal("%s: channel %d: consume: %s", __func__,
1451: c->self, ssh_err(r));
1452: }
1453: }
1.372 markus 1454: if ((r = sshbuf_get(input, &dest_addr, addrlen)) != 0 ||
1455: (r = sshbuf_get(input, &dest_port, 2)) != 0) {
1.367 djm 1456: debug("channel %d: parse addr/port: %s", c->self, ssh_err(r));
1457: return -1;
1458: }
1.193 markus 1459: dest_addr[addrlen] = '\0';
1.321 djm 1460: free(c->path);
1461: c->path = NULL;
1.293 djm 1462: if (s5_req.atyp == SSH_SOCKS5_DOMAIN) {
1.294 djm 1463: if (addrlen >= NI_MAXHOST) {
1.293 djm 1464: error("channel %d: dynamic request: socks5 hostname "
1465: "\"%.100s\" too long", c->self, dest_addr);
1466: return -1;
1467: }
1468: c->path = xstrdup(dest_addr);
1469: } else {
1470: if (inet_ntop(af, dest_addr, ntop, sizeof(ntop)) == NULL)
1471: return -1;
1472: c->path = xstrdup(ntop);
1473: }
1.193 markus 1474: c->host_port = ntohs(dest_port);
1.198 djm 1475:
1.194 markus 1476: debug2("channel %d: dynamic request: socks5 host %s port %u command %u",
1.193 markus 1477: c->self, c->path, c->host_port, s5_req.command);
1478:
1479: s5_rsp.version = 0x05;
1480: s5_rsp.command = SSH_SOCKS5_SUCCESS;
1481: s5_rsp.reserved = 0; /* ignored */
1482: s5_rsp.atyp = SSH_SOCKS5_IPV4;
1483: dest_port = 0; /* ignored */
1484:
1.372 markus 1485: if ((r = sshbuf_put(output, &s5_rsp, sizeof(s5_rsp))) != 0 ||
1486: (r = sshbuf_put_u32(output, ntohl(INADDR_ANY))) != 0 ||
1487: (r = sshbuf_put(output, &dest_port, sizeof(dest_port))) != 0)
1.367 djm 1488: fatal("%s: channel %d: append reply: %s", __func__,
1489: c->self, ssh_err(r));
1.193 markus 1490: return 1;
1.301 dtucker 1491: }
1492:
1493: Channel *
1.367 djm 1494: channel_connect_stdio_fwd(struct ssh *ssh,
1495: const char *host_to_connect, u_short port_to_connect, int in, int out)
1.301 dtucker 1496: {
1497: Channel *c;
1498:
1.367 djm 1499: debug("%s %s:%d", __func__, host_to_connect, port_to_connect);
1.301 dtucker 1500:
1.367 djm 1501: c = channel_new(ssh, "stdio-forward", SSH_CHANNEL_OPENING, in, out,
1.301 dtucker 1502: -1, CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT,
1503: 0, "stdio-forward", /*nonblock*/0);
1504:
1505: c->path = xstrdup(host_to_connect);
1506: c->host_port = port_to_connect;
1507: c->listening_port = 0;
1508: c->force_drain = 1;
1509:
1.367 djm 1510: channel_register_fds(ssh, c, in, out, -1, 0, 1, 0);
1511: port_open_helper(ssh, c, "direct-tcpip");
1.301 dtucker 1512:
1513: return c;
1.193 markus 1514: }
1515:
1.104 markus 1516: /* dynamic port forwarding */
1.127 itojun 1517: static void
1.367 djm 1518: channel_pre_dynamic(struct ssh *ssh, Channel *c,
1519: fd_set *readset, fd_set *writeset)
1.104 markus 1520: {
1.367 djm 1521: const u_char *p;
1.217 djm 1522: u_int have;
1523: int ret;
1.103 markus 1524:
1.367 djm 1525: have = sshbuf_len(c->input);
1.104 markus 1526: debug2("channel %d: pre_dynamic: have %d", c->self, have);
1.367 djm 1527: /* sshbuf_dump(c->input, stderr); */
1.104 markus 1528: /* check if the fixed size part of the packet is in buffer. */
1.193 markus 1529: if (have < 3) {
1.104 markus 1530: /* need more */
1531: FD_SET(c->sock, readset);
1532: return;
1533: }
1534: /* try to guess the protocol */
1.367 djm 1535: p = sshbuf_ptr(c->input);
1536: /* XXX sshbuf_peek_u8? */
1.104 markus 1537: switch (p[0]) {
1538: case 0x04:
1.372 markus 1539: ret = channel_decode_socks4(c, c->input, c->output);
1.193 markus 1540: break;
1541: case 0x05:
1.372 markus 1542: ret = channel_decode_socks5(c, c->input, c->output);
1.104 markus 1543: break;
1544: default:
1545: ret = -1;
1546: break;
1547: }
1548: if (ret < 0) {
1.367 djm 1549: chan_mark_dead(ssh, c);
1.104 markus 1550: } else if (ret == 0) {
1551: debug2("channel %d: pre_dynamic: need more", c->self);
1552: /* need more */
1553: FD_SET(c->sock, readset);
1.372 markus 1554: if (sshbuf_len(c->output))
1555: FD_SET(c->sock, writeset);
1.104 markus 1556: } else {
1557: /* switch to the next state */
1558: c->type = SSH_CHANNEL_OPENING;
1.367 djm 1559: port_open_helper(ssh, c, "direct-tcpip");
1.104 markus 1560: }
1.103 markus 1561: }
1562:
1.372 markus 1563: /* simulate read-error */
1564: static void
1565: rdynamic_close(struct ssh *ssh, Channel *c)
1566: {
1567: c->type = SSH_CHANNEL_OPEN;
1568: chan_read_failed(ssh, c);
1569: sshbuf_reset(c->input);
1570: chan_ibuf_empty(ssh, c);
1571: sshbuf_reset(c->output);
1572: chan_write_failed(ssh, c);
1573: }
1574:
1575: /* reverse dynamic port forwarding */
1576: static void
1577: channel_before_prepare_select_rdynamic(struct ssh *ssh, Channel *c)
1578: {
1579: const u_char *p;
1580: u_int have, len;
1581: int r, ret;
1582:
1583: have = sshbuf_len(c->output);
1584: debug2("channel %d: pre_rdynamic: have %d", c->self, have);
1585: /* sshbuf_dump(c->output, stderr); */
1586: /* EOF received */
1587: if (c->flags & CHAN_EOF_RCVD) {
1588: if ((r = sshbuf_consume(c->output, have)) != 0) {
1589: fatal("%s: channel %d: consume: %s",
1590: __func__, c->self, ssh_err(r));
1591: }
1592: rdynamic_close(ssh, c);
1593: return;
1594: }
1595: /* check if the fixed size part of the packet is in buffer. */
1596: if (have < 3)
1597: return;
1598: /* try to guess the protocol */
1599: p = sshbuf_ptr(c->output);
1600: switch (p[0]) {
1601: case 0x04:
1602: /* switch input/output for reverse forwarding */
1603: ret = channel_decode_socks4(c, c->output, c->input);
1604: break;
1605: case 0x05:
1606: ret = channel_decode_socks5(c, c->output, c->input);
1607: break;
1608: default:
1609: ret = -1;
1610: break;
1611: }
1612: if (ret < 0) {
1613: rdynamic_close(ssh, c);
1614: } else if (ret == 0) {
1615: debug2("channel %d: pre_rdynamic: need more", c->self);
1616: /* send socks request to peer */
1617: len = sshbuf_len(c->input);
1618: if (len > 0 && len < c->remote_window) {
1619: if ((r = sshpkt_start(ssh, SSH2_MSG_CHANNEL_DATA)) != 0 ||
1620: (r = sshpkt_put_u32(ssh, c->remote_id)) != 0 ||
1621: (r = sshpkt_put_stringb(ssh, c->input)) != 0 ||
1622: (r = sshpkt_send(ssh)) != 0) {
1623: fatal("%s: channel %i: rdynamic: %s", __func__,
1624: c->self, ssh_err(r));
1625: }
1626: if ((r = sshbuf_consume(c->input, len)) != 0) {
1627: fatal("%s: channel %d: consume: %s",
1628: __func__, c->self, ssh_err(r));
1629: }
1630: c->remote_window -= len;
1631: }
1632: } else if (rdynamic_connect_finish(ssh, c) < 0) {
1633: /* the connect failed */
1634: rdynamic_close(ssh, c);
1635: }
1636: }
1637:
1.41 markus 1638: /* This is our fake X11 server socket. */
1.127 itojun 1639: static void
1.367 djm 1640: channel_post_x11_listener(struct ssh *ssh, Channel *c,
1641: fd_set *readset, fd_set *writeset)
1.41 markus 1642: {
1.113 markus 1643: Channel *nc;
1.285 djm 1644: struct sockaddr_storage addr;
1.367 djm 1645: int r, newsock, oerrno, remote_port;
1.41 markus 1646: socklen_t addrlen;
1.85 markus 1647: char buf[16384], *remote_ipaddr;
1.25 markus 1648:
1.367 djm 1649: if (!FD_ISSET(c->sock, readset))
1650: return;
1651:
1652: debug("X11 connection requested.");
1653: addrlen = sizeof(addr);
1654: newsock = accept(c->sock, (struct sockaddr *)&addr, &addrlen);
1655: if (c->single_connection) {
1656: oerrno = errno;
1657: debug2("single_connection: closing X11 listener.");
1658: channel_close_fd(ssh, &c->sock);
1659: chan_mark_dead(ssh, c);
1660: errno = oerrno;
1661: }
1.393 deraadt 1662: if (newsock == -1) {
1.367 djm 1663: if (errno != EINTR && errno != EWOULDBLOCK &&
1664: errno != ECONNABORTED)
1665: error("accept: %.100s", strerror(errno));
1666: if (errno == EMFILE || errno == ENFILE)
1667: c->notbefore = monotime() + 1;
1668: return;
1669: }
1670: set_nodelay(newsock);
1671: remote_ipaddr = get_peer_ipaddr(newsock);
1672: remote_port = get_peer_port(newsock);
1673: snprintf(buf, sizeof buf, "X11 connection from %.200s port %d",
1674: remote_ipaddr, remote_port);
1675:
1676: nc = channel_new(ssh, "accepted x11 socket",
1677: SSH_CHANNEL_OPENING, newsock, newsock, -1,
1678: c->local_window_max, c->local_maxpacket, 0, buf, 1);
1679: open_preamble(ssh, __func__, nc, "x11");
1.378 djm 1680: if ((r = sshpkt_put_cstring(ssh, remote_ipaddr)) != 0 ||
1681: (r = sshpkt_put_u32(ssh, remote_port)) != 0) {
1.367 djm 1682: fatal("%s: channel %i: reply %s", __func__,
1683: c->self, ssh_err(r));
1.41 markus 1684: }
1.367 djm 1685: if ((r = sshpkt_send(ssh)) != 0)
1686: fatal("%s: channel %i: send %s", __func__, c->self, ssh_err(r));
1687: free(remote_ipaddr);
1.41 markus 1688: }
1.25 markus 1689:
1.127 itojun 1690: static void
1.367 djm 1691: port_open_helper(struct ssh *ssh, Channel *c, char *rtype)
1.103 markus 1692: {
1.328 djm 1693: char *local_ipaddr = get_local_ipaddr(c->sock);
1.350 djm 1694: int local_port = c->sock == -1 ? 65536 : get_local_port(c->sock);
1.103 markus 1695: char *remote_ipaddr = get_peer_ipaddr(c->sock);
1.216 markus 1696: int remote_port = get_peer_port(c->sock);
1.367 djm 1697: int r;
1.303 djm 1698:
1699: if (remote_port == -1) {
1700: /* Fake addr/port to appease peers that validate it (Tectia) */
1.321 djm 1701: free(remote_ipaddr);
1.303 djm 1702: remote_ipaddr = xstrdup("127.0.0.1");
1703: remote_port = 65535;
1704: }
1.103 markus 1705:
1.367 djm 1706: free(c->remote_name);
1707: xasprintf(&c->remote_name,
1.103 markus 1708: "%s: listening port %d for %.100s port %d, "
1.328 djm 1709: "connect from %.200s port %d to %.100s port %d",
1.103 markus 1710: rtype, c->listening_port, c->path, c->host_port,
1.328 djm 1711: remote_ipaddr, remote_port, local_ipaddr, local_port);
1.103 markus 1712:
1.367 djm 1713: open_preamble(ssh, __func__, c, rtype);
1.358 djm 1714: if (strcmp(rtype, "direct-tcpip") == 0) {
1715: /* target host, port */
1.367 djm 1716: if ((r = sshpkt_put_cstring(ssh, c->path)) != 0 ||
1717: (r = sshpkt_put_u32(ssh, c->host_port)) != 0) {
1718: fatal("%s: channel %i: reply %s", __func__,
1719: c->self, ssh_err(r));
1720: }
1.358 djm 1721: } else if (strcmp(rtype, "direct-streamlocal@openssh.com") == 0) {
1722: /* target path */
1.367 djm 1723: if ((r = sshpkt_put_cstring(ssh, c->path)) != 0) {
1724: fatal("%s: channel %i: reply %s", __func__,
1725: c->self, ssh_err(r));
1726: }
1.358 djm 1727: } else if (strcmp(rtype, "forwarded-streamlocal@openssh.com") == 0) {
1728: /* listen path */
1.367 djm 1729: if ((r = sshpkt_put_cstring(ssh, c->path)) != 0) {
1730: fatal("%s: channel %i: reply %s", __func__,
1731: c->self, ssh_err(r));
1732: }
1.103 markus 1733: } else {
1.358 djm 1734: /* listen address, port */
1.367 djm 1735: if ((r = sshpkt_put_cstring(ssh, c->path)) != 0 ||
1736: (r = sshpkt_put_u32(ssh, local_port)) != 0) {
1737: fatal("%s: channel %i: reply %s", __func__,
1738: c->self, ssh_err(r));
1739: }
1.358 djm 1740: }
1741: if (strcmp(rtype, "forwarded-streamlocal@openssh.com") == 0) {
1742: /* reserved for future owner/mode info */
1.367 djm 1743: if ((r = sshpkt_put_cstring(ssh, "")) != 0) {
1744: fatal("%s: channel %i: reply %s", __func__,
1745: c->self, ssh_err(r));
1746: }
1.358 djm 1747: } else {
1748: /* originator host and port */
1.367 djm 1749: if ((r = sshpkt_put_cstring(ssh, remote_ipaddr)) != 0 ||
1750: (r = sshpkt_put_u32(ssh, (u_int)remote_port)) != 0) {
1751: fatal("%s: channel %i: reply %s", __func__,
1752: c->self, ssh_err(r));
1753: }
1.103 markus 1754: }
1.367 djm 1755: if ((r = sshpkt_send(ssh)) != 0)
1756: fatal("%s: channel %i: send %s", __func__, c->self, ssh_err(r));
1.321 djm 1757: free(remote_ipaddr);
1.328 djm 1758: free(local_ipaddr);
1.103 markus 1759: }
1760:
1.347 djm 1761: void
1.367 djm 1762: channel_set_x11_refuse_time(struct ssh *ssh, u_int refuse_time)
1.347 djm 1763: {
1.367 djm 1764: ssh->chanctxt->x11_refuse_time = refuse_time;
1.226 djm 1765: }
1766:
1.41 markus 1767: /*
1768: * This socket is listening for connections to a forwarded TCP/IP port.
1769: */
1.127 itojun 1770: static void
1.367 djm 1771: channel_post_port_listener(struct ssh *ssh, Channel *c,
1772: fd_set *readset, fd_set *writeset)
1.41 markus 1773: {
1.103 markus 1774: Channel *nc;
1.285 djm 1775: struct sockaddr_storage addr;
1.113 markus 1776: int newsock, nextstate;
1.41 markus 1777: socklen_t addrlen;
1.103 markus 1778: char *rtype;
1.73 markus 1779:
1.367 djm 1780: if (!FD_ISSET(c->sock, readset))
1781: return;
1782:
1783: debug("Connection to port %d forwarding to %.100s port %d requested.",
1784: c->listening_port, c->path, c->host_port);
1.103 markus 1785:
1.367 djm 1786: if (c->type == SSH_CHANNEL_RPORT_LISTENER) {
1787: nextstate = SSH_CHANNEL_OPENING;
1788: rtype = "forwarded-tcpip";
1789: } else if (c->type == SSH_CHANNEL_RUNIX_LISTENER) {
1790: nextstate = SSH_CHANNEL_OPENING;
1791: rtype = "forwarded-streamlocal@openssh.com";
1792: } else if (c->host_port == PORT_STREAMLOCAL) {
1793: nextstate = SSH_CHANNEL_OPENING;
1794: rtype = "direct-streamlocal@openssh.com";
1795: } else if (c->host_port == 0) {
1796: nextstate = SSH_CHANNEL_DYNAMIC;
1797: rtype = "dynamic-tcpip";
1798: } else {
1799: nextstate = SSH_CHANNEL_OPENING;
1800: rtype = "direct-tcpip";
1801: }
1.103 markus 1802:
1.367 djm 1803: addrlen = sizeof(addr);
1804: newsock = accept(c->sock, (struct sockaddr *)&addr, &addrlen);
1.393 deraadt 1805: if (newsock == -1) {
1.367 djm 1806: if (errno != EINTR && errno != EWOULDBLOCK &&
1807: errno != ECONNABORTED)
1808: error("accept: %.100s", strerror(errno));
1809: if (errno == EMFILE || errno == ENFILE)
1810: c->notbefore = monotime() + 1;
1811: return;
1.41 markus 1812: }
1.367 djm 1813: if (c->host_port != PORT_STREAMLOCAL)
1814: set_nodelay(newsock);
1815: nc = channel_new(ssh, rtype, nextstate, newsock, newsock, -1,
1816: c->local_window_max, c->local_maxpacket, 0, rtype, 1);
1817: nc->listening_port = c->listening_port;
1818: nc->host_port = c->host_port;
1819: if (c->path != NULL)
1820: nc->path = xstrdup(c->path);
1821:
1822: if (nextstate != SSH_CHANNEL_DYNAMIC)
1823: port_open_helper(ssh, nc, rtype);
1.41 markus 1824: }
1.25 markus 1825:
1.41 markus 1826: /*
1827: * This is the authentication agent socket listening for connections from
1828: * clients.
1829: */
1.127 itojun 1830: static void
1.367 djm 1831: channel_post_auth_listener(struct ssh *ssh, Channel *c,
1832: fd_set *readset, fd_set *writeset)
1.41 markus 1833: {
1.113 markus 1834: Channel *nc;
1.367 djm 1835: int r, newsock;
1.285 djm 1836: struct sockaddr_storage addr;
1.41 markus 1837: socklen_t addrlen;
1.25 markus 1838:
1.367 djm 1839: if (!FD_ISSET(c->sock, readset))
1840: return;
1841:
1842: addrlen = sizeof(addr);
1843: newsock = accept(c->sock, (struct sockaddr *)&addr, &addrlen);
1.393 deraadt 1844: if (newsock == -1) {
1.367 djm 1845: error("accept from auth socket: %.100s", strerror(errno));
1846: if (errno == EMFILE || errno == ENFILE)
1847: c->notbefore = monotime() + 1;
1848: return;
1.41 markus 1849: }
1.367 djm 1850: nc = channel_new(ssh, "accepted auth socket",
1851: SSH_CHANNEL_OPENING, newsock, newsock, -1,
1852: c->local_window_max, c->local_maxpacket,
1853: 0, "accepted auth socket", 1);
1854: open_preamble(ssh, __func__, nc, "auth-agent@openssh.com");
1855: if ((r = sshpkt_send(ssh)) != 0)
1856: fatal("%s: channel %i: %s", __func__, c->self, ssh_err(r));
1.41 markus 1857: }
1.25 markus 1858:
1.127 itojun 1859: static void
1.367 djm 1860: channel_post_connecting(struct ssh *ssh, Channel *c,
1861: fd_set *readset, fd_set *writeset)
1.75 markus 1862: {
1.372 markus 1863: int err = 0, sock, isopen, r;
1.129 stevesk 1864: socklen_t sz = sizeof(err);
1.114 markus 1865:
1.367 djm 1866: if (!FD_ISSET(c->sock, writeset))
1867: return;
1.368 djm 1868: if (!c->have_remote_id)
1869: fatal(":%s: channel %d: no remote id", __func__, c->self);
1.372 markus 1870: /* for rdynamic the OPEN_CONFIRMATION has been sent already */
1871: isopen = (c->type == SSH_CHANNEL_RDYNAMIC_FINISH);
1.393 deraadt 1872: if (getsockopt(c->sock, SOL_SOCKET, SO_ERROR, &err, &sz) == -1) {
1.367 djm 1873: err = errno;
1874: error("getsockopt SO_ERROR failed");
1875: }
1876: if (err == 0) {
1877: debug("channel %d: connected to %s port %d",
1878: c->self, c->connect_ctx.host, c->connect_ctx.port);
1879: channel_connect_ctx_free(&c->connect_ctx);
1880: c->type = SSH_CHANNEL_OPEN;
1.372 markus 1881: if (isopen) {
1882: /* no message necessary */
1883: } else {
1884: if ((r = sshpkt_start(ssh,
1885: SSH2_MSG_CHANNEL_OPEN_CONFIRMATION)) != 0 ||
1886: (r = sshpkt_put_u32(ssh, c->remote_id)) != 0 ||
1887: (r = sshpkt_put_u32(ssh, c->self)) != 0 ||
1888: (r = sshpkt_put_u32(ssh, c->local_window)) != 0 ||
1889: (r = sshpkt_put_u32(ssh, c->local_maxpacket))
1890: != 0)
1891: fatal("%s: channel %i: confirm: %s", __func__,
1892: c->self, ssh_err(r));
1893: if ((r = sshpkt_send(ssh)) != 0)
1894: fatal("%s: channel %i: %s", __func__, c->self,
1895: ssh_err(r));
1.367 djm 1896: }
1897: } else {
1898: debug("channel %d: connection failed: %s",
1899: c->self, strerror(err));
1900: /* Try next address, if any */
1901: if ((sock = connect_next(&c->connect_ctx)) > 0) {
1902: close(c->sock);
1903: c->sock = c->rfd = c->wfd = sock;
1904: channel_find_maxfd(ssh->chanctxt);
1905: return;
1906: }
1907: /* Exhausted all addresses */
1908: error("connect_to %.100s port %d: failed.",
1909: c->connect_ctx.host, c->connect_ctx.port);
1910: channel_connect_ctx_free(&c->connect_ctx);
1.372 markus 1911: if (isopen) {
1912: rdynamic_close(ssh, c);
1913: } else {
1914: if ((r = sshpkt_start(ssh,
1915: SSH2_MSG_CHANNEL_OPEN_FAILURE)) != 0 ||
1916: (r = sshpkt_put_u32(ssh, c->remote_id)) != 0 ||
1.378 djm 1917: (r = sshpkt_put_u32(ssh,
1918: SSH2_OPEN_CONNECT_FAILED)) != 0 ||
1919: (r = sshpkt_put_cstring(ssh, strerror(err))) != 0 ||
1920: (r = sshpkt_put_cstring(ssh, "")) != 0) {
1.372 markus 1921: fatal("%s: channel %i: failure: %s", __func__,
1922: c->self, ssh_err(r));
1.378 djm 1923: }
1.372 markus 1924: if ((r = sshpkt_send(ssh)) != 0)
1925: fatal("%s: channel %i: %s", __func__, c->self,
1926: ssh_err(r));
1927: chan_mark_dead(ssh, c);
1.75 markus 1928: }
1929: }
1930: }
1931:
1.127 itojun 1932: static int
1.367 djm 1933: channel_handle_rfd(struct ssh *ssh, Channel *c,
1934: fd_set *readset, fd_set *writeset)
1.41 markus 1935: {
1.214 markus 1936: char buf[CHAN_RBUF];
1.367 djm 1937: ssize_t len;
1938: int r;
1.25 markus 1939:
1.367 djm 1940: if (c->rfd == -1 || !FD_ISSET(c->rfd, readset))
1941: return 1;
1942:
1943: len = read(c->rfd, buf, sizeof(buf));
1.393 deraadt 1944: if (len == -1 && (errno == EINTR || errno == EAGAIN))
1.367 djm 1945: return 1;
1946: if (len <= 0) {
1947: debug2("channel %d: read<=0 rfd %d len %zd",
1948: c->self, c->rfd, len);
1949: if (c->type != SSH_CHANNEL_OPEN) {
1950: debug2("channel %d: not open", c->self);
1951: chan_mark_dead(ssh, c);
1.41 markus 1952: return -1;
1.65 markus 1953: } else {
1.367 djm 1954: chan_read_failed(ssh, c);
1.65 markus 1955: }
1.367 djm 1956: return -1;
1957: }
1958: if (c->input_filter != NULL) {
1959: if (c->input_filter(ssh, c, buf, len) == -1) {
1960: debug2("channel %d: filter stops", c->self);
1961: chan_read_failed(ssh, c);
1962: }
1963: } else if (c->datagram) {
1964: if ((r = sshbuf_put_string(c->input, buf, len)) != 0)
1965: fatal("%s: channel %d: put datagram: %s", __func__,
1966: c->self, ssh_err(r));
1967: } else if ((r = sshbuf_put(c->input, buf, len)) != 0) {
1968: fatal("%s: channel %d: put data: %s", __func__,
1969: c->self, ssh_err(r));
1.41 markus 1970: }
1971: return 1;
1972: }
1.241 deraadt 1973:
1.127 itojun 1974: static int
1.367 djm 1975: channel_handle_wfd(struct ssh *ssh, Channel *c,
1976: fd_set *readset, fd_set *writeset)
1.41 markus 1977: {
1.95 markus 1978: struct termios tio;
1.367 djm 1979: u_char *data = NULL, *buf; /* XXX const; need filter API change */
1980: size_t dlen, olen = 0;
1981: int r, len;
1982:
1983: if (c->wfd == -1 || !FD_ISSET(c->wfd, writeset) ||
1984: sshbuf_len(c->output) == 0)
1985: return 1;
1.25 markus 1986:
1.41 markus 1987: /* Send buffered output data to the socket. */
1.367 djm 1988: olen = sshbuf_len(c->output);
1989: if (c->output_filter != NULL) {
1990: if ((buf = c->output_filter(ssh, c, &data, &dlen)) == NULL) {
1991: debug2("channel %d: filter stops", c->self);
1992: if (c->type != SSH_CHANNEL_OPEN)
1993: chan_mark_dead(ssh, c);
1994: else
1995: chan_write_failed(ssh, c);
1996: return -1;
1.231 reyk 1997: }
1.367 djm 1998: } else if (c->datagram) {
1999: if ((r = sshbuf_get_string(c->output, &data, &dlen)) != 0)
2000: fatal("%s: channel %d: get datagram: %s", __func__,
2001: c->self, ssh_err(r));
1.369 djm 2002: buf = data;
1.367 djm 2003: } else {
2004: buf = data = sshbuf_mutable_ptr(c->output);
2005: dlen = sshbuf_len(c->output);
2006: }
1.231 reyk 2007:
1.367 djm 2008: if (c->datagram) {
2009: /* ignore truncated writes, datagrams might get lost */
1.374 djm 2010: len = write(c->wfd, buf, dlen);
1.367 djm 2011: free(data);
1.393 deraadt 2012: if (len == -1 && (errno == EINTR || errno == EAGAIN))
1.53 markus 2013: return 1;
1.367 djm 2014: if (len <= 0)
2015: goto write_fail;
2016: goto out;
2017: }
2018:
2019: len = write(c->wfd, buf, dlen);
1.393 deraadt 2020: if (len == -1 && (errno == EINTR || errno == EAGAIN))
1.367 djm 2021: return 1;
2022: if (len <= 0) {
2023: write_fail:
2024: if (c->type != SSH_CHANNEL_OPEN) {
2025: debug2("channel %d: not open", c->self);
2026: chan_mark_dead(ssh, c);
1.41 markus 2027: return -1;
1.367 djm 2028: } else {
2029: chan_write_failed(ssh, c);
1.91 markus 2030: }
1.367 djm 2031: return -1;
2032: }
2033: if (c->isatty && dlen >= 1 && buf[0] != '\r') {
2034: if (tcgetattr(c->wfd, &tio) == 0 &&
2035: !(tio.c_lflag & ECHO) && (tio.c_lflag & ICANON)) {
2036: /*
2037: * Simulate echo to reduce the impact of
2038: * traffic analysis. We need to match the
2039: * size of a SSH2_MSG_CHANNEL_DATA message
2040: * (4 byte channel id + buf)
2041: */
2042: if ((r = sshpkt_msg_ignore(ssh, 4+len)) != 0 ||
2043: (r = sshpkt_send(ssh)) != 0)
2044: fatal("%s: channel %d: ignore: %s",
2045: __func__, c->self, ssh_err(r));
1.25 markus 2046: }
1.367 djm 2047: }
2048: if ((r = sshbuf_consume(c->output, len)) != 0) {
2049: fatal("%s: channel %d: consume: %s",
2050: __func__, c->self, ssh_err(r));
1.44 markus 2051: }
1.309 djm 2052: out:
1.367 djm 2053: c->local_consumed += olen - sshbuf_len(c->output);
2054:
2055: return 1;
2056: }
2057:
2058: static int
2059: channel_handle_efd_write(struct ssh *ssh, Channel *c,
2060: fd_set *readset, fd_set *writeset)
2061: {
2062: int r;
2063: ssize_t len;
2064:
2065: if (!FD_ISSET(c->efd, writeset) || sshbuf_len(c->extended) == 0)
2066: return 1;
2067:
2068: len = write(c->efd, sshbuf_ptr(c->extended),
2069: sshbuf_len(c->extended));
2070: debug2("channel %d: written %zd to efd %d", c->self, len, c->efd);
1.393 deraadt 2071: if (len == -1 && (errno == EINTR || errno == EAGAIN))
1.367 djm 2072: return 1;
2073: if (len <= 0) {
2074: debug2("channel %d: closing write-efd %d", c->self, c->efd);
2075: channel_close_fd(ssh, &c->efd);
2076: } else {
2077: if ((r = sshbuf_consume(c->extended, len)) != 0) {
2078: fatal("%s: channel %d: consume: %s",
2079: __func__, c->self, ssh_err(r));
2080: }
2081: c->local_consumed += len;
2082: }
1.44 markus 2083: return 1;
2084: }
1.241 deraadt 2085:
1.127 itojun 2086: static int
1.367 djm 2087: channel_handle_efd_read(struct ssh *ssh, Channel *c,
2088: fd_set *readset, fd_set *writeset)
1.44 markus 2089: {
1.214 markus 2090: char buf[CHAN_RBUF];
1.367 djm 2091: int r;
2092: ssize_t len;
2093:
2094: if (!FD_ISSET(c->efd, readset))
2095: return 1;
1.44 markus 2096:
1.367 djm 2097: len = read(c->efd, buf, sizeof(buf));
2098: debug2("channel %d: read %zd from efd %d", c->self, len, c->efd);
1.393 deraadt 2099: if (len == -1 && (errno == EINTR || errno == EAGAIN))
1.367 djm 2100: return 1;
2101: if (len <= 0) {
2102: debug2("channel %d: closing read-efd %d",
2103: c->self, c->efd);
2104: channel_close_fd(ssh, &c->efd);
2105: } else {
2106: if (c->extended_usage == CHAN_EXTENDED_IGNORE) {
2107: debug3("channel %d: discard efd",
2108: c->self);
2109: } else if ((r = sshbuf_put(c->extended, buf, len)) != 0) {
2110: fatal("%s: channel %d: append: %s",
2111: __func__, c->self, ssh_err(r));
1.44 markus 2112: }
2113: }
2114: return 1;
2115: }
1.241 deraadt 2116:
1.127 itojun 2117: static int
1.367 djm 2118: channel_handle_efd(struct ssh *ssh, Channel *c,
2119: fd_set *readset, fd_set *writeset)
1.44 markus 2120: {
1.367 djm 2121: if (c->efd == -1)
2122: return 1;
2123:
2124: /** XXX handle drain efd, too */
2125:
2126: if (c->extended_usage == CHAN_EXTENDED_WRITE)
2127: return channel_handle_efd_write(ssh, c, readset, writeset);
2128: else if (c->extended_usage == CHAN_EXTENDED_READ ||
2129: c->extended_usage == CHAN_EXTENDED_IGNORE)
2130: return channel_handle_efd_read(ssh, c, readset, writeset);
2131:
2132: return 1;
2133: }
2134:
2135: static int
2136: channel_check_window(struct ssh *ssh, Channel *c)
2137: {
2138: int r;
2139:
1.104 markus 2140: if (c->type == SSH_CHANNEL_OPEN &&
2141: !(c->flags & (CHAN_CLOSE_SENT|CHAN_CLOSE_RCVD)) &&
1.270 dtucker 2142: ((c->local_window_max - c->local_window >
1.269 markus 2143: c->local_maxpacket*3) ||
2144: c->local_window < c->local_window_max/2) &&
1.44 markus 2145: c->local_consumed > 0) {
1.368 djm 2146: if (!c->have_remote_id)
2147: fatal(":%s: channel %d: no remote id",
2148: __func__, c->self);
1.367 djm 2149: if ((r = sshpkt_start(ssh,
2150: SSH2_MSG_CHANNEL_WINDOW_ADJUST)) != 0 ||
2151: (r = sshpkt_put_u32(ssh, c->remote_id)) != 0 ||
2152: (r = sshpkt_put_u32(ssh, c->local_consumed)) != 0 ||
2153: (r = sshpkt_send(ssh)) != 0) {
2154: fatal("%s: channel %i: %s", __func__,
2155: c->self, ssh_err(r));
2156: }
1.70 markus 2157: debug2("channel %d: window %d sent adjust %d",
1.44 markus 2158: c->self, c->local_window,
2159: c->local_consumed);
2160: c->local_window += c->local_consumed;
2161: c->local_consumed = 0;
1.1 deraadt 2162: }
1.41 markus 2163: return 1;
1.1 deraadt 2164: }
2165:
1.127 itojun 2166: static void
1.367 djm 2167: channel_post_open(struct ssh *ssh, Channel *c,
2168: fd_set *readset, fd_set *writeset)
1.41 markus 2169: {
1.367 djm 2170: channel_handle_rfd(ssh, c, readset, writeset);
2171: channel_handle_wfd(ssh, c, readset, writeset);
2172: channel_handle_efd(ssh, c, readset, writeset);
2173: channel_check_window(ssh, c);
1.44 markus 2174: }
2175:
1.302 djm 2176: static u_int
1.367 djm 2177: read_mux(struct ssh *ssh, Channel *c, u_int need)
1.302 djm 2178: {
2179: char buf[CHAN_RBUF];
1.367 djm 2180: ssize_t len;
1.302 djm 2181: u_int rlen;
1.367 djm 2182: int r;
1.302 djm 2183:
1.367 djm 2184: if (sshbuf_len(c->input) < need) {
2185: rlen = need - sshbuf_len(c->input);
1.352 deraadt 2186: len = read(c->rfd, buf, MINIMUM(rlen, CHAN_RBUF));
1.393 deraadt 2187: if (len == -1 && (errno == EINTR || errno == EAGAIN))
1.367 djm 2188: return sshbuf_len(c->input);
1.302 djm 2189: if (len <= 0) {
1.367 djm 2190: debug2("channel %d: ctl read<=0 rfd %d len %zd",
1.349 naddy 2191: c->self, c->rfd, len);
1.367 djm 2192: chan_read_failed(ssh, c);
1.349 naddy 2193: return 0;
1.367 djm 2194: } else if ((r = sshbuf_put(c->input, buf, len)) != 0) {
2195: fatal("%s: channel %d: append: %s",
2196: __func__, c->self, ssh_err(r));
2197: }
1.302 djm 2198: }
1.367 djm 2199: return sshbuf_len(c->input);
1.302 djm 2200: }
2201:
2202: static void
1.367 djm 2203: channel_post_mux_client_read(struct ssh *ssh, Channel *c,
2204: fd_set *readset, fd_set *writeset)
1.302 djm 2205: {
2206: u_int need;
2207:
1.367 djm 2208: if (c->rfd == -1 || !FD_ISSET(c->rfd, readset))
2209: return;
2210: if (c->istate != CHAN_INPUT_OPEN && c->istate != CHAN_INPUT_WAIT_DRAIN)
2211: return;
2212: if (c->mux_pause)
2213: return;
2214:
2215: /*
2216: * Don't not read past the precise end of packets to
2217: * avoid disrupting fd passing.
2218: */
2219: if (read_mux(ssh, c, 4) < 4) /* read header */
2220: return;
2221: /* XXX sshbuf_peek_u32 */
2222: need = PEEK_U32(sshbuf_ptr(c->input));
1.302 djm 2223: #define CHANNEL_MUX_MAX_PACKET (256 * 1024)
1.367 djm 2224: if (need > CHANNEL_MUX_MAX_PACKET) {
2225: debug2("channel %d: packet too big %u > %u",
2226: c->self, CHANNEL_MUX_MAX_PACKET, need);
2227: chan_rcvd_oclose(ssh, c);
2228: return;
2229: }
2230: if (read_mux(ssh, c, need + 4) < need + 4) /* read body */
2231: return;
2232: if (c->mux_rcb(ssh, c) != 0) {
2233: debug("channel %d: mux_rcb failed", c->self);
2234: chan_mark_dead(ssh, c);
2235: return;
1.302 djm 2236: }
1.367 djm 2237: }
2238:
2239: static void
2240: channel_post_mux_client_write(struct ssh *ssh, Channel *c,
2241: fd_set *readset, fd_set *writeset)
2242: {
2243: ssize_t len;
2244: int r;
1.302 djm 2245:
1.367 djm 2246: if (c->wfd == -1 || !FD_ISSET(c->wfd, writeset) ||
2247: sshbuf_len(c->output) == 0)
2248: return;
2249:
2250: len = write(c->wfd, sshbuf_ptr(c->output), sshbuf_len(c->output));
1.393 deraadt 2251: if (len == -1 && (errno == EINTR || errno == EAGAIN))
1.367 djm 2252: return;
2253: if (len <= 0) {
2254: chan_mark_dead(ssh, c);
2255: return;
1.302 djm 2256: }
1.367 djm 2257: if ((r = sshbuf_consume(c->output, len)) != 0)
2258: fatal("%s: channel %d: consume: %s", __func__,
2259: c->self, ssh_err(r));
2260: }
2261:
2262: static void
2263: channel_post_mux_client(struct ssh *ssh, Channel *c,
2264: fd_set *readset, fd_set *writeset)
2265: {
2266: channel_post_mux_client_read(ssh, c, readset, writeset);
2267: channel_post_mux_client_write(ssh, c, readset, writeset);
1.302 djm 2268: }
2269:
2270: static void
1.367 djm 2271: channel_post_mux_listener(struct ssh *ssh, Channel *c,
2272: fd_set *readset, fd_set *writeset)
1.302 djm 2273: {
2274: Channel *nc;
2275: struct sockaddr_storage addr;
2276: socklen_t addrlen;
2277: int newsock;
2278: uid_t euid;
2279: gid_t egid;
2280:
2281: if (!FD_ISSET(c->sock, readset))
2282: return;
2283:
2284: debug("multiplexing control connection");
2285:
2286: /*
2287: * Accept connection on control socket
2288: */
2289: memset(&addr, 0, sizeof(addr));
2290: addrlen = sizeof(addr);
2291: if ((newsock = accept(c->sock, (struct sockaddr*)&addr,
2292: &addrlen)) == -1) {
2293: error("%s accept: %s", __func__, strerror(errno));
1.317 djm 2294: if (errno == EMFILE || errno == ENFILE)
1.322 dtucker 2295: c->notbefore = monotime() + 1;
1.302 djm 2296: return;
2297: }
2298:
1.393 deraadt 2299: if (getpeereid(newsock, &euid, &egid) == -1) {
1.302 djm 2300: error("%s getpeereid failed: %s", __func__,
2301: strerror(errno));
2302: close(newsock);
2303: return;
2304: }
2305: if ((euid != 0) && (getuid() != euid)) {
2306: error("multiplex uid mismatch: peer euid %u != uid %u",
2307: (u_int)euid, (u_int)getuid());
2308: close(newsock);
2309: return;
2310: }
1.367 djm 2311: nc = channel_new(ssh, "multiplex client", SSH_CHANNEL_MUX_CLIENT,
1.302 djm 2312: newsock, newsock, -1, c->local_window_max,
2313: c->local_maxpacket, 0, "mux-control", 1);
2314: nc->mux_rcb = c->mux_rcb;
1.367 djm 2315: debug3("%s: new mux channel %d fd %d", __func__, nc->self, nc->sock);
1.302 djm 2316: /* establish state */
1.367 djm 2317: nc->mux_rcb(ssh, nc);
1.302 djm 2318: /* mux state transitions must not elicit protocol messages */
2319: nc->flags |= CHAN_LOCAL;
2320: }
2321:
1.127 itojun 2322: static void
1.367 djm 2323: channel_handler_init(struct ssh_channels *sc)
1.1 deraadt 2324: {
1.367 djm 2325: chan_fn **pre, **post;
2326:
2327: if ((pre = calloc(SSH_CHANNEL_MAX_TYPE, sizeof(*pre))) == NULL ||
2328: (post = calloc(SSH_CHANNEL_MAX_TYPE, sizeof(*post))) == NULL)
2329: fatal("%s: allocation failed", __func__);
2330:
2331: pre[SSH_CHANNEL_OPEN] = &channel_pre_open;
2332: pre[SSH_CHANNEL_X11_OPEN] = &channel_pre_x11_open;
2333: pre[SSH_CHANNEL_PORT_LISTENER] = &channel_pre_listener;
2334: pre[SSH_CHANNEL_RPORT_LISTENER] = &channel_pre_listener;
2335: pre[SSH_CHANNEL_UNIX_LISTENER] = &channel_pre_listener;
2336: pre[SSH_CHANNEL_RUNIX_LISTENER] = &channel_pre_listener;
2337: pre[SSH_CHANNEL_X11_LISTENER] = &channel_pre_listener;
2338: pre[SSH_CHANNEL_AUTH_SOCKET] = &channel_pre_listener;
2339: pre[SSH_CHANNEL_CONNECTING] = &channel_pre_connecting;
2340: pre[SSH_CHANNEL_DYNAMIC] = &channel_pre_dynamic;
1.372 markus 2341: pre[SSH_CHANNEL_RDYNAMIC_FINISH] = &channel_pre_connecting;
1.367 djm 2342: pre[SSH_CHANNEL_MUX_LISTENER] = &channel_pre_listener;
2343: pre[SSH_CHANNEL_MUX_CLIENT] = &channel_pre_mux_client;
2344:
2345: post[SSH_CHANNEL_OPEN] = &channel_post_open;
2346: post[SSH_CHANNEL_PORT_LISTENER] = &channel_post_port_listener;
2347: post[SSH_CHANNEL_RPORT_LISTENER] = &channel_post_port_listener;
2348: post[SSH_CHANNEL_UNIX_LISTENER] = &channel_post_port_listener;
2349: post[SSH_CHANNEL_RUNIX_LISTENER] = &channel_post_port_listener;
2350: post[SSH_CHANNEL_X11_LISTENER] = &channel_post_x11_listener;
2351: post[SSH_CHANNEL_AUTH_SOCKET] = &channel_post_auth_listener;
2352: post[SSH_CHANNEL_CONNECTING] = &channel_post_connecting;
2353: post[SSH_CHANNEL_DYNAMIC] = &channel_post_open;
1.372 markus 2354: post[SSH_CHANNEL_RDYNAMIC_FINISH] = &channel_post_connecting;
1.367 djm 2355: post[SSH_CHANNEL_MUX_LISTENER] = &channel_post_mux_listener;
2356: post[SSH_CHANNEL_MUX_CLIENT] = &channel_post_mux_client;
1.180 deraadt 2357:
1.367 djm 2358: sc->channel_pre = pre;
2359: sc->channel_post = post;
1.44 markus 2360: }
2361:
1.140 markus 2362: /* gc dead channels */
2363: static void
1.367 djm 2364: channel_garbage_collect(struct ssh *ssh, Channel *c)
1.140 markus 2365: {
2366: if (c == NULL)
2367: return;
2368: if (c->detach_user != NULL) {
1.367 djm 2369: if (!chan_is_dead(ssh, c, c->detach_close))
1.140 markus 2370: return;
1.385 djm 2371:
1.194 markus 2372: debug2("channel %d: gc: notify user", c->self);
1.367 djm 2373: c->detach_user(ssh, c->self, NULL);
1.140 markus 2374: /* if we still have a callback */
2375: if (c->detach_user != NULL)
2376: return;
1.194 markus 2377: debug2("channel %d: gc: user detached", c->self);
1.140 markus 2378: }
1.367 djm 2379: if (!chan_is_dead(ssh, c, 1))
1.140 markus 2380: return;
1.194 markus 2381: debug2("channel %d: garbage collecting", c->self);
1.367 djm 2382: channel_free(ssh, c);
1.140 markus 2383: }
2384:
1.367 djm 2385: enum channel_table { CHAN_PRE, CHAN_POST };
2386:
1.127 itojun 2387: static void
1.367 djm 2388: channel_handler(struct ssh *ssh, int table,
1.366 djm 2389: fd_set *readset, fd_set *writeset, time_t *unpause_secs)
1.41 markus 2390: {
1.367 djm 2391: struct ssh_channels *sc = ssh->chanctxt;
2392: chan_fn **ftab = table == CHAN_PRE ? sc->channel_pre : sc->channel_post;
1.299 markus 2393: u_int i, oalloc;
1.41 markus 2394: Channel *c;
1.317 djm 2395: time_t now;
1.25 markus 2396:
1.322 dtucker 2397: now = monotime();
1.317 djm 2398: if (unpause_secs != NULL)
2399: *unpause_secs = 0;
1.367 djm 2400: for (i = 0, oalloc = sc->channels_alloc; i < oalloc; i++) {
2401: c = sc->channels[i];
1.113 markus 2402: if (c == NULL)
1.41 markus 2403: continue;
1.299 markus 2404: if (c->delayed) {
1.367 djm 2405: if (table == CHAN_PRE)
1.299 markus 2406: c->delayed = 0;
2407: else
2408: continue;
2409: }
1.317 djm 2410: if (ftab[c->type] != NULL) {
2411: /*
2412: * Run handlers that are not paused.
2413: */
2414: if (c->notbefore <= now)
1.367 djm 2415: (*ftab[c->type])(ssh, c, readset, writeset);
1.317 djm 2416: else if (unpause_secs != NULL) {
2417: /*
2418: * Collect the time that the earliest
2419: * channel comes off pause.
2420: */
2421: debug3("%s: chan %d: skip for %d more seconds",
2422: __func__, c->self,
2423: (int)(c->notbefore - now));
2424: if (*unpause_secs == 0 ||
2425: (c->notbefore - now) < *unpause_secs)
2426: *unpause_secs = c->notbefore - now;
2427: }
2428: }
1.367 djm 2429: channel_garbage_collect(ssh, c);
1.1 deraadt 2430: }
1.317 djm 2431: if (unpause_secs != NULL && *unpause_secs != 0)
2432: debug3("%s: first channel unpauses in %d seconds",
2433: __func__, (int)*unpause_secs);
1.1 deraadt 2434: }
2435:
1.121 markus 2436: /*
1.372 markus 2437: * Create sockets before allocating the select bitmasks.
2438: * This is necessary for things that need to happen after reading
2439: * the network-input but before channel_prepare_select().
2440: */
2441: static void
2442: channel_before_prepare_select(struct ssh *ssh)
2443: {
2444: struct ssh_channels *sc = ssh->chanctxt;
2445: Channel *c;
2446: u_int i, oalloc;
2447:
2448: for (i = 0, oalloc = sc->channels_alloc; i < oalloc; i++) {
2449: c = sc->channels[i];
2450: if (c == NULL)
2451: continue;
2452: if (c->type == SSH_CHANNEL_RDYNAMIC_OPEN)
2453: channel_before_prepare_select_rdynamic(ssh, c);
2454: }
2455: }
2456:
2457: /*
1.121 markus 2458: * Allocate/update select bitmasks and add any bits relevant to channels in
2459: * select bitmasks.
2460: */
1.49 markus 2461: void
1.366 djm 2462: channel_prepare_select(struct ssh *ssh, fd_set **readsetp, fd_set **writesetp,
2463: int *maxfdp, u_int *nallocp, time_t *minwait_secs)
1.41 markus 2464: {
1.243 djm 2465: u_int n, sz, nfdset;
1.84 markus 2466:
1.372 markus 2467: channel_before_prepare_select(ssh); /* might update channel_max_fd */
2468:
1.367 djm 2469: n = MAXIMUM(*maxfdp, ssh->chanctxt->channel_max_fd);
1.84 markus 2470:
1.243 djm 2471: nfdset = howmany(n+1, NFDBITS);
2472: /* Explicitly test here, because xrealloc isn't always called */
1.341 millert 2473: if (nfdset && SIZE_MAX / nfdset < sizeof(fd_mask))
1.243 djm 2474: fatal("channel_prepare_select: max_fd (%d) is too large", n);
2475: sz = nfdset * sizeof(fd_mask);
2476:
1.132 markus 2477: /* perhaps check sz < nalloc/2 and shrink? */
2478: if (*readsetp == NULL || sz > *nallocp) {
1.342 deraadt 2479: *readsetp = xreallocarray(*readsetp, nfdset, sizeof(fd_mask));
2480: *writesetp = xreallocarray(*writesetp, nfdset, sizeof(fd_mask));
1.132 markus 2481: *nallocp = sz;
1.84 markus 2482: }
1.132 markus 2483: *maxfdp = n;
1.84 markus 2484: memset(*readsetp, 0, sz);
2485: memset(*writesetp, 0, sz);
2486:
1.366 djm 2487: if (!ssh_packet_is_rekeying(ssh))
1.367 djm 2488: channel_handler(ssh, CHAN_PRE, *readsetp, *writesetp,
1.317 djm 2489: minwait_secs);
1.41 markus 2490: }
2491:
1.121 markus 2492: /*
2493: * After select, perform any appropriate operations for channels which have
2494: * events pending.
2495: */
1.49 markus 2496: void
1.366 djm 2497: channel_after_select(struct ssh *ssh, fd_set *readset, fd_set *writeset)
1.41 markus 2498: {
1.367 djm 2499: channel_handler(ssh, CHAN_POST, readset, writeset, NULL);
2500: }
2501:
2502: /*
2503: * Enqueue data for channels with open or draining c->input.
2504: */
2505: static void
2506: channel_output_poll_input_open(struct ssh *ssh, Channel *c)
2507: {
1.373 djm 2508: size_t len, plen;
2509: const u_char *pkt;
1.367 djm 2510: int r;
2511:
2512: if ((len = sshbuf_len(c->input)) == 0) {
2513: if (c->istate == CHAN_INPUT_WAIT_DRAIN) {
2514: /*
2515: * input-buffer is empty and read-socket shutdown:
2516: * tell peer, that we will not send more data:
2517: * send IEOF.
2518: * hack for extended data: delay EOF if EFD still
2519: * in use.
2520: */
2521: if (CHANNEL_EFD_INPUT_ACTIVE(c))
2522: debug2("channel %d: "
2523: "ibuf_empty delayed efd %d/(%zu)",
2524: c->self, c->efd, sshbuf_len(c->extended));
2525: else
2526: chan_ibuf_empty(ssh, c);
2527: }
2528: return;
2529: }
2530:
1.368 djm 2531: if (!c->have_remote_id)
2532: fatal(":%s: channel %d: no remote id", __func__, c->self);
2533:
1.367 djm 2534: if (c->datagram) {
2535: /* Check datagram will fit; drop if not */
1.373 djm 2536: if ((r = sshbuf_get_string_direct(c->input, &pkt, &plen)) != 0)
2537: fatal("%s: channel %d: get datagram: %s", __func__,
1.367 djm 2538: c->self, ssh_err(r));
2539: /*
2540: * XXX this does tail-drop on the datagram queue which is
2541: * usually suboptimal compared to head-drop. Better to have
2542: * backpressure at read time? (i.e. read + discard)
2543: */
1.373 djm 2544: if (plen > c->remote_window || plen > c->remote_maxpacket) {
1.367 djm 2545: debug("channel %d: datagram too big", c->self);
2546: return;
2547: }
2548: /* Enqueue it */
2549: if ((r = sshpkt_start(ssh, SSH2_MSG_CHANNEL_DATA)) != 0 ||
2550: (r = sshpkt_put_u32(ssh, c->remote_id)) != 0 ||
1.373 djm 2551: (r = sshpkt_put_string(ssh, pkt, plen)) != 0 ||
1.367 djm 2552: (r = sshpkt_send(ssh)) != 0) {
2553: fatal("%s: channel %i: datagram: %s", __func__,
2554: c->self, ssh_err(r));
2555: }
1.373 djm 2556: c->remote_window -= plen;
1.367 djm 2557: return;
2558: }
2559:
2560: /* Enqueue packet for buffered data. */
2561: if (len > c->remote_window)
2562: len = c->remote_window;
2563: if (len > c->remote_maxpacket)
2564: len = c->remote_maxpacket;
2565: if (len == 0)
2566: return;
2567: if ((r = sshpkt_start(ssh, SSH2_MSG_CHANNEL_DATA)) != 0 ||
2568: (r = sshpkt_put_u32(ssh, c->remote_id)) != 0 ||
2569: (r = sshpkt_put_string(ssh, sshbuf_ptr(c->input), len)) != 0 ||
2570: (r = sshpkt_send(ssh)) != 0) {
2571: fatal("%s: channel %i: data: %s", __func__,
2572: c->self, ssh_err(r));
2573: }
2574: if ((r = sshbuf_consume(c->input, len)) != 0)
2575: fatal("%s: channel %i: consume: %s", __func__,
2576: c->self, ssh_err(r));
2577: c->remote_window -= len;
1.41 markus 2578: }
2579:
1.367 djm 2580: /*
2581: * Enqueue data for channels with open c->extended in read mode.
2582: */
2583: static void
2584: channel_output_poll_extended_read(struct ssh *ssh, Channel *c)
2585: {
2586: size_t len;
2587: int r;
2588:
2589: if ((len = sshbuf_len(c->extended)) == 0)
2590: return;
2591:
2592: debug2("channel %d: rwin %u elen %zu euse %d", c->self,
2593: c->remote_window, sshbuf_len(c->extended), c->extended_usage);
2594: if (len > c->remote_window)
2595: len = c->remote_window;
2596: if (len > c->remote_maxpacket)
2597: len = c->remote_maxpacket;
2598: if (len == 0)
2599: return;
1.368 djm 2600: if (!c->have_remote_id)
2601: fatal(":%s: channel %d: no remote id", __func__, c->self);
1.367 djm 2602: if ((r = sshpkt_start(ssh, SSH2_MSG_CHANNEL_EXTENDED_DATA)) != 0 ||
2603: (r = sshpkt_put_u32(ssh, c->remote_id)) != 0 ||
2604: (r = sshpkt_put_u32(ssh, SSH2_EXTENDED_DATA_STDERR)) != 0 ||
2605: (r = sshpkt_put_string(ssh, sshbuf_ptr(c->extended), len)) != 0 ||
2606: (r = sshpkt_send(ssh)) != 0) {
2607: fatal("%s: channel %i: data: %s", __func__,
2608: c->self, ssh_err(r));
2609: }
2610: if ((r = sshbuf_consume(c->extended, len)) != 0)
2611: fatal("%s: channel %i: consume: %s", __func__,
2612: c->self, ssh_err(r));
2613: c->remote_window -= len;
2614: debug2("channel %d: sent ext data %zu", c->self, len);
2615: }
1.121 markus 2616:
1.84 markus 2617: /* If there is data to send to the connection, enqueue some of it now. */
1.49 markus 2618: void
1.367 djm 2619: channel_output_poll(struct ssh *ssh)
1.1 deraadt 2620: {
1.367 djm 2621: struct ssh_channels *sc = ssh->chanctxt;
1.41 markus 2622: Channel *c;
1.367 djm 2623: u_int i;
1.1 deraadt 2624:
1.367 djm 2625: for (i = 0; i < sc->channels_alloc; i++) {
2626: c = sc->channels[i];
1.113 markus 2627: if (c == NULL)
2628: continue;
1.37 markus 2629:
1.121 markus 2630: /*
2631: * We are only interested in channels that can have buffered
2632: * incoming data.
2633: */
1.358 djm 2634: if (c->type != SSH_CHANNEL_OPEN)
2635: continue;
2636: if ((c->flags & (CHAN_CLOSE_SENT|CHAN_CLOSE_RCVD))) {
1.93 markus 2637: /* XXX is this true? */
1.367 djm 2638: debug3("channel %d: will not send data after close",
2639: c->self);
1.44 markus 2640: continue;
2641: }
1.25 markus 2642:
2643: /* Get the amount of buffered data for this channel. */
1.367 djm 2644: if (c->istate == CHAN_INPUT_OPEN ||
2645: c->istate == CHAN_INPUT_WAIT_DRAIN)
2646: channel_output_poll_input_open(ssh, c);
1.44 markus 2647: /* Send extended data, i.e. stderr */
1.358 djm 2648: if (!(c->flags & CHAN_EOF_SENT) &&
1.367 djm 2649: c->extended_usage == CHAN_EXTENDED_READ)
2650: channel_output_poll_extended_read(ssh, c);
1.25 markus 2651: }
1.1 deraadt 2652: }
2653:
1.354 markus 2654: /* -- mux proxy support */
2655:
2656: /*
2657: * When multiplexing channel messages for mux clients we have to deal
2658: * with downstream messages from the mux client and upstream messages
2659: * from the ssh server:
2660: * 1) Handling downstream messages is straightforward and happens
2661: * in channel_proxy_downstream():
2662: * - We forward all messages (mostly) unmodified to the server.
2663: * - However, in order to route messages from upstream to the correct
2664: * downstream client, we have to replace the channel IDs used by the
2665: * mux clients with a unique channel ID because the mux clients might
2666: * use conflicting channel IDs.
2667: * - so we inspect and change both SSH2_MSG_CHANNEL_OPEN and
2668: * SSH2_MSG_CHANNEL_OPEN_CONFIRMATION messages, create a local
2669: * SSH_CHANNEL_MUX_PROXY channel and replace the mux clients ID
2670: * with the newly allocated channel ID.
2671: * 2) Upstream messages are received by matching SSH_CHANNEL_MUX_PROXY
1.380 djm 2672: * channels and processed by channel_proxy_upstream(). The local channel ID
1.354 markus 2673: * is then translated back to the original mux client ID.
2674: * 3) In both cases we need to keep track of matching SSH2_MSG_CHANNEL_CLOSE
2675: * messages so we can clean up SSH_CHANNEL_MUX_PROXY channels.
2676: * 4) The SSH_CHANNEL_MUX_PROXY channels also need to closed when the
2677: * downstream mux client are removed.
2678: * 5) Handling SSH2_MSG_CHANNEL_OPEN messages from the upstream server
2679: * requires more work, because they are not addressed to a specific
2680: * channel. E.g. client_request_forwarded_tcpip() needs to figure
2681: * out whether the request is addressed to the local client or a
2682: * specific downstream client based on the listen-address/port.
1.380 djm 2683: * 6) Agent and X11-Forwarding have a similar problem and are currently
1.354 markus 2684: * not supported as the matching session/channel cannot be identified
2685: * easily.
2686: */
2687:
2688: /*
2689: * receive packets from downstream mux clients:
2690: * channel callback fired on read from mux client, creates
2691: * SSH_CHANNEL_MUX_PROXY channels and translates channel IDs
2692: * on channel creation.
2693: */
2694: int
1.367 djm 2695: channel_proxy_downstream(struct ssh *ssh, Channel *downstream)
1.354 markus 2696: {
2697: Channel *c = NULL;
2698: struct sshbuf *original = NULL, *modified = NULL;
2699: const u_char *cp;
2700: char *ctype = NULL, *listen_host = NULL;
2701: u_char type;
2702: size_t have;
1.370 djm 2703: int ret = -1, r;
1.355 djm 2704: u_int id, remote_id, listen_port;
1.354 markus 2705:
1.367 djm 2706: /* sshbuf_dump(downstream->input, stderr); */
2707: if ((r = sshbuf_get_string_direct(downstream->input, &cp, &have))
1.354 markus 2708: != 0) {
2709: error("%s: malformed message: %s", __func__, ssh_err(r));
2710: return -1;
2711: }
2712: if (have < 2) {
2713: error("%s: short message", __func__);
2714: return -1;
2715: }
2716: type = cp[1];
2717: /* skip padlen + type */
2718: cp += 2;
2719: have -= 2;
2720: if (ssh_packet_log_type(type))
2721: debug3("%s: channel %u: down->up: type %u", __func__,
2722: downstream->self, type);
2723:
2724: switch (type) {
2725: case SSH2_MSG_CHANNEL_OPEN:
2726: if ((original = sshbuf_from(cp, have)) == NULL ||
2727: (modified = sshbuf_new()) == NULL) {
2728: error("%s: alloc", __func__);
2729: goto out;
2730: }
2731: if ((r = sshbuf_get_cstring(original, &ctype, NULL)) != 0 ||
2732: (r = sshbuf_get_u32(original, &id)) != 0) {
2733: error("%s: parse error %s", __func__, ssh_err(r));
2734: goto out;
2735: }
1.367 djm 2736: c = channel_new(ssh, "mux proxy", SSH_CHANNEL_MUX_PROXY,
1.354 markus 2737: -1, -1, -1, 0, 0, 0, ctype, 1);
2738: c->mux_ctx = downstream; /* point to mux client */
2739: c->mux_downstream_id = id; /* original downstream id */
2740: if ((r = sshbuf_put_cstring(modified, ctype)) != 0 ||
2741: (r = sshbuf_put_u32(modified, c->self)) != 0 ||
2742: (r = sshbuf_putb(modified, original)) != 0) {
2743: error("%s: compose error %s", __func__, ssh_err(r));
1.367 djm 2744: channel_free(ssh, c);
1.354 markus 2745: goto out;
2746: }
2747: break;
2748: case SSH2_MSG_CHANNEL_OPEN_CONFIRMATION:
2749: /*
2750: * Almost the same as SSH2_MSG_CHANNEL_OPEN, except then we
2751: * need to parse 'remote_id' instead of 'ctype'.
2752: */
2753: if ((original = sshbuf_from(cp, have)) == NULL ||
2754: (modified = sshbuf_new()) == NULL) {
2755: error("%s: alloc", __func__);
2756: goto out;
2757: }
2758: if ((r = sshbuf_get_u32(original, &remote_id)) != 0 ||
2759: (r = sshbuf_get_u32(original, &id)) != 0) {
2760: error("%s: parse error %s", __func__, ssh_err(r));
2761: goto out;
2762: }
1.367 djm 2763: c = channel_new(ssh, "mux proxy", SSH_CHANNEL_MUX_PROXY,
1.354 markus 2764: -1, -1, -1, 0, 0, 0, "mux-down-connect", 1);
2765: c->mux_ctx = downstream; /* point to mux client */
2766: c->mux_downstream_id = id;
2767: c->remote_id = remote_id;
1.368 djm 2768: c->have_remote_id = 1;
1.354 markus 2769: if ((r = sshbuf_put_u32(modified, remote_id)) != 0 ||
2770: (r = sshbuf_put_u32(modified, c->self)) != 0 ||
2771: (r = sshbuf_putb(modified, original)) != 0) {
2772: error("%s: compose error %s", __func__, ssh_err(r));
1.367 djm 2773: channel_free(ssh, c);
1.354 markus 2774: goto out;
2775: }
2776: break;
2777: case SSH2_MSG_GLOBAL_REQUEST:
2778: if ((original = sshbuf_from(cp, have)) == NULL) {
2779: error("%s: alloc", __func__);
2780: goto out;
2781: }
2782: if ((r = sshbuf_get_cstring(original, &ctype, NULL)) != 0) {
2783: error("%s: parse error %s", __func__, ssh_err(r));
2784: goto out;
2785: }
2786: if (strcmp(ctype, "tcpip-forward") != 0) {
2787: error("%s: unsupported request %s", __func__, ctype);
2788: goto out;
2789: }
2790: if ((r = sshbuf_get_u8(original, NULL)) != 0 ||
2791: (r = sshbuf_get_cstring(original, &listen_host, NULL)) != 0 ||
2792: (r = sshbuf_get_u32(original, &listen_port)) != 0) {
2793: error("%s: parse error %s", __func__, ssh_err(r));
2794: goto out;
2795: }
1.355 djm 2796: if (listen_port > 65535) {
2797: error("%s: tcpip-forward for %s: bad port %u",
2798: __func__, listen_host, listen_port);
2799: goto out;
2800: }
1.354 markus 2801: /* Record that connection to this host/port is permitted. */
1.381 djm 2802: permission_set_add(ssh, FORWARD_USER, FORWARD_LOCAL, "<mux>", -1,
1.367 djm 2803: listen_host, NULL, (int)listen_port, downstream);
1.354 markus 2804: listen_host = NULL;
2805: break;
2806: case SSH2_MSG_CHANNEL_CLOSE:
2807: if (have < 4)
2808: break;
2809: remote_id = PEEK_U32(cp);
1.367 djm 2810: if ((c = channel_by_remote_id(ssh, remote_id)) != NULL) {
1.354 markus 2811: if (c->flags & CHAN_CLOSE_RCVD)
1.367 djm 2812: channel_free(ssh, c);
1.354 markus 2813: else
2814: c->flags |= CHAN_CLOSE_SENT;
2815: }
2816: break;
2817: }
2818: if (modified) {
2819: if ((r = sshpkt_start(ssh, type)) != 0 ||
2820: (r = sshpkt_putb(ssh, modified)) != 0 ||
2821: (r = sshpkt_send(ssh)) != 0) {
2822: error("%s: send %s", __func__, ssh_err(r));
2823: goto out;
2824: }
2825: } else {
2826: if ((r = sshpkt_start(ssh, type)) != 0 ||
2827: (r = sshpkt_put(ssh, cp, have)) != 0 ||
2828: (r = sshpkt_send(ssh)) != 0) {
2829: error("%s: send %s", __func__, ssh_err(r));
2830: goto out;
2831: }
2832: }
2833: ret = 0;
2834: out:
2835: free(ctype);
2836: free(listen_host);
2837: sshbuf_free(original);
2838: sshbuf_free(modified);
2839: return ret;
2840: }
2841:
2842: /*
2843: * receive packets from upstream server and de-multiplex packets
2844: * to correct downstream:
2845: * implemented as a helper for channel input handlers,
2846: * replaces local (proxy) channel ID with downstream channel ID.
2847: */
2848: int
1.363 markus 2849: channel_proxy_upstream(Channel *c, int type, u_int32_t seq, struct ssh *ssh)
1.354 markus 2850: {
2851: struct sshbuf *b = NULL;
2852: Channel *downstream;
2853: const u_char *cp = NULL;
2854: size_t len;
2855: int r;
2856:
2857: /*
2858: * When receiving packets from the peer we need to check whether we
2859: * need to forward the packets to the mux client. In this case we
1.380 djm 2860: * restore the original channel id and keep track of CLOSE messages,
1.354 markus 2861: * so we can cleanup the channel.
2862: */
2863: if (c == NULL || c->type != SSH_CHANNEL_MUX_PROXY)
2864: return 0;
2865: if ((downstream = c->mux_ctx) == NULL)
2866: return 0;
2867: switch (type) {
2868: case SSH2_MSG_CHANNEL_CLOSE:
2869: case SSH2_MSG_CHANNEL_DATA:
2870: case SSH2_MSG_CHANNEL_EOF:
2871: case SSH2_MSG_CHANNEL_EXTENDED_DATA:
2872: case SSH2_MSG_CHANNEL_OPEN_CONFIRMATION:
2873: case SSH2_MSG_CHANNEL_OPEN_FAILURE:
2874: case SSH2_MSG_CHANNEL_WINDOW_ADJUST:
2875: case SSH2_MSG_CHANNEL_SUCCESS:
2876: case SSH2_MSG_CHANNEL_FAILURE:
2877: case SSH2_MSG_CHANNEL_REQUEST:
2878: break;
2879: default:
2880: debug2("%s: channel %u: unsupported type %u", __func__,
2881: c->self, type);
2882: return 0;
2883: }
2884: if ((b = sshbuf_new()) == NULL) {
2885: error("%s: alloc reply", __func__);
2886: goto out;
2887: }
2888: /* get remaining payload (after id) */
2889: cp = sshpkt_ptr(ssh, &len);
2890: if (cp == NULL) {
2891: error("%s: no packet", __func__);
2892: goto out;
2893: }
2894: /* translate id and send to muxclient */
2895: if ((r = sshbuf_put_u8(b, 0)) != 0 || /* padlen */
2896: (r = sshbuf_put_u8(b, type)) != 0 ||
2897: (r = sshbuf_put_u32(b, c->mux_downstream_id)) != 0 ||
2898: (r = sshbuf_put(b, cp, len)) != 0 ||
1.367 djm 2899: (r = sshbuf_put_stringb(downstream->output, b)) != 0) {
1.354 markus 2900: error("%s: compose for muxclient %s", __func__, ssh_err(r));
2901: goto out;
2902: }
2903: /* sshbuf_dump(b, stderr); */
2904: if (ssh_packet_log_type(type))
2905: debug3("%s: channel %u: up->down: type %u", __func__, c->self,
2906: type);
2907: out:
2908: /* update state */
2909: switch (type) {
2910: case SSH2_MSG_CHANNEL_OPEN_CONFIRMATION:
2911: /* record remote_id for SSH2_MSG_CHANNEL_CLOSE */
1.368 djm 2912: if (cp && len > 4) {
1.354 markus 2913: c->remote_id = PEEK_U32(cp);
1.368 djm 2914: c->have_remote_id = 1;
2915: }
1.354 markus 2916: break;
2917: case SSH2_MSG_CHANNEL_CLOSE:
2918: if (c->flags & CHAN_CLOSE_SENT)
1.367 djm 2919: channel_free(ssh, c);
1.354 markus 2920: else
2921: c->flags |= CHAN_CLOSE_RCVD;
2922: break;
2923: }
2924: sshbuf_free(b);
2925: return 1;
2926: }
1.121 markus 2927:
2928: /* -- protocol input */
1.249 djm 2929:
1.367 djm 2930: /* Parse a channel ID from the current packet */
2931: static int
2932: channel_parse_id(struct ssh *ssh, const char *where, const char *what)
2933: {
2934: u_int32_t id;
2935: int r;
2936:
2937: if ((r = sshpkt_get_u32(ssh, &id)) != 0) {
2938: error("%s: parse id: %s", where, ssh_err(r));
2939: ssh_packet_disconnect(ssh, "Invalid %s message", what);
2940: }
2941: if (id > INT_MAX) {
2942: error("%s: bad channel id %u: %s", where, id, ssh_err(r));
2943: ssh_packet_disconnect(ssh, "Invalid %s channel id", what);
2944: }
2945: return (int)id;
2946: }
2947:
2948: /* Lookup a channel from an ID in the current packet */
2949: static Channel *
2950: channel_from_packet_id(struct ssh *ssh, const char *where, const char *what)
2951: {
2952: int id = channel_parse_id(ssh, where, what);
2953: Channel *c;
2954:
2955: if ((c = channel_lookup(ssh, id)) == NULL) {
2956: ssh_packet_disconnect(ssh,
2957: "%s packet referred to nonexistent channel %d", what, id);
2958: }
2959: return c;
2960: }
2961:
1.339 markus 2962: int
1.363 markus 2963: channel_input_data(int type, u_int32_t seq, struct ssh *ssh)
1.1 deraadt 2964: {
1.332 djm 2965: const u_char *data;
1.367 djm 2966: size_t data_len, win_len;
2967: Channel *c = channel_from_packet_id(ssh, __func__, "data");
2968: int r;
1.25 markus 2969:
1.363 markus 2970: if (channel_proxy_upstream(c, type, seq, ssh))
1.354 markus 2971: return 0;
1.25 markus 2972:
2973: /* Ignore any data for non-open channels (might happen on close) */
1.41 markus 2974: if (c->type != SSH_CHANNEL_OPEN &&
1.372 markus 2975: c->type != SSH_CHANNEL_RDYNAMIC_OPEN &&
2976: c->type != SSH_CHANNEL_RDYNAMIC_FINISH &&
1.41 markus 2977: c->type != SSH_CHANNEL_X11_OPEN)
1.339 markus 2978: return 0;
1.37 markus 2979:
1.25 markus 2980: /* Get the data. */
1.389 djm 2981: if ((r = sshpkt_get_string_direct(ssh, &data, &data_len)) != 0 ||
2982: (r = sshpkt_get_end(ssh)) != 0)
1.367 djm 2983: fatal("%s: channel %d: get data: %s", __func__,
2984: c->self, ssh_err(r));
2985:
1.309 djm 2986: win_len = data_len;
2987: if (c->datagram)
2988: win_len += 4; /* string length header */
1.200 markus 2989:
2990: /*
1.367 djm 2991: * The sending side reduces its window as it sends data, so we
2992: * must 'fake' consumption of the data in order to ensure that window
2993: * updates are sent back. Otherwise the connection might deadlock.
1.200 markus 2994: */
1.358 djm 2995: if (c->ostate != CHAN_OUTPUT_OPEN) {
2996: c->local_window -= win_len;
2997: c->local_consumed += win_len;
1.339 markus 2998: return 0;
1.200 markus 2999: }
1.41 markus 3000:
1.358 djm 3001: if (win_len > c->local_maxpacket) {
1.367 djm 3002: logit("channel %d: rcvd big packet %zu, maxpack %u",
1.358 djm 3003: c->self, win_len, c->local_maxpacket);
1.367 djm 3004: return 0;
1.358 djm 3005: }
3006: if (win_len > c->local_window) {
1.367 djm 3007: logit("channel %d: rcvd too much data %zu, win %u",
1.358 djm 3008: c->self, win_len, c->local_window);
3009: return 0;
1.44 markus 3010: }
1.358 djm 3011: c->local_window -= win_len;
3012:
1.367 djm 3013: if (c->datagram) {
3014: if ((r = sshbuf_put_string(c->output, data, data_len)) != 0)
3015: fatal("%s: channel %d: append datagram: %s",
3016: __func__, c->self, ssh_err(r));
3017: } else if ((r = sshbuf_put(c->output, data, data_len)) != 0)
3018: fatal("%s: channel %d: append data: %s",
3019: __func__, c->self, ssh_err(r));
3020:
1.339 markus 3021: return 0;
1.1 deraadt 3022: }
1.121 markus 3023:
1.339 markus 3024: int
1.363 markus 3025: channel_input_extended_data(int type, u_int32_t seq, struct ssh *ssh)
1.44 markus 3026: {
1.367 djm 3027: const u_char *data;
3028: size_t data_len;
3029: u_int32_t tcode;
3030: Channel *c = channel_from_packet_id(ssh, __func__, "extended data");
3031: int r;
1.44 markus 3032:
1.363 markus 3033: if (channel_proxy_upstream(c, type, seq, ssh))
1.354 markus 3034: return 0;
1.44 markus 3035: if (c->type != SSH_CHANNEL_OPEN) {
1.367 djm 3036: logit("channel %d: ext data for non open", c->self);
1.339 markus 3037: return 0;
1.172 markus 3038: }
3039: if (c->flags & CHAN_EOF_RCVD) {
3040: if (datafellows & SSH_BUG_EXTEOF)
1.367 djm 3041: debug("channel %d: accepting ext data after eof",
3042: c->self);
1.172 markus 3043: else
1.367 djm 3044: ssh_packet_disconnect(ssh, "Received extended_data "
3045: "after EOF on channel %d.", c->self);
3046: }
3047:
3048: if ((r = sshpkt_get_u32(ssh, &tcode)) != 0) {
3049: error("%s: parse tcode: %s", __func__, ssh_err(r));
3050: ssh_packet_disconnect(ssh, "Invalid extended_data message");
1.44 markus 3051: }
3052: if (c->efd == -1 ||
3053: c->extended_usage != CHAN_EXTENDED_WRITE ||
3054: tcode != SSH2_EXTENDED_DATA_STDERR) {
1.188 itojun 3055: logit("channel %d: bad ext data", c->self);
1.339 markus 3056: return 0;
1.44 markus 3057: }
1.389 djm 3058: if ((r = sshpkt_get_string_direct(ssh, &data, &data_len)) != 0 ||
3059: (r = sshpkt_get_end(ssh)) != 0) {
1.367 djm 3060: error("%s: parse data: %s", __func__, ssh_err(r));
3061: ssh_packet_disconnect(ssh, "Invalid extended_data message");
3062: }
3063:
1.44 markus 3064: if (data_len > c->local_window) {
1.367 djm 3065: logit("channel %d: rcvd too much extended_data %zu, win %u",
1.44 markus 3066: c->self, data_len, c->local_window);
1.339 markus 3067: return 0;
1.44 markus 3068: }
1.367 djm 3069: debug2("channel %d: rcvd ext data %zu", c->self, data_len);
3070: /* XXX sshpkt_getb? */
3071: if ((r = sshbuf_put(c->extended, data, data_len)) != 0)
3072: error("%s: append: %s", __func__, ssh_err(r));
1.44 markus 3073: c->local_window -= data_len;
1.339 markus 3074: return 0;
1.44 markus 3075: }
3076:
1.339 markus 3077: int
1.363 markus 3078: channel_input_ieof(int type, u_int32_t seq, struct ssh *ssh)
1.41 markus 3079: {
1.367 djm 3080: Channel *c = channel_from_packet_id(ssh, __func__, "ieof");
1.389 djm 3081: int r;
1.367 djm 3082:
1.389 djm 3083: if ((r = sshpkt_get_end(ssh)) != 0) {
3084: error("%s: parse data: %s", __func__, ssh_err(r));
3085: ssh_packet_disconnect(ssh, "Invalid ieof message");
3086: }
1.41 markus 3087:
1.363 markus 3088: if (channel_proxy_upstream(c, type, seq, ssh))
1.354 markus 3089: return 0;
1.367 djm 3090: chan_rcvd_ieof(ssh, c);
1.133 markus 3091:
3092: /* XXX force input close */
1.156 markus 3093: if (c->force_drain && c->istate == CHAN_INPUT_OPEN) {
1.133 markus 3094: debug("channel %d: FORCE input drain", c->self);
3095: c->istate = CHAN_INPUT_WAIT_DRAIN;
1.367 djm 3096: if (sshbuf_len(c->input) == 0)
3097: chan_ibuf_empty(ssh, c);
1.133 markus 3098: }
1.339 markus 3099: return 0;
1.41 markus 3100: }
1.1 deraadt 3101:
1.339 markus 3102: int
1.363 markus 3103: channel_input_oclose(int type, u_int32_t seq, struct ssh *ssh)
1.41 markus 3104: {
1.367 djm 3105: Channel *c = channel_from_packet_id(ssh, __func__, "oclose");
1.389 djm 3106: int r;
1.151 markus 3107:
1.363 markus 3108: if (channel_proxy_upstream(c, type, seq, ssh))
1.354 markus 3109: return 0;
1.389 djm 3110: if ((r = sshpkt_get_end(ssh)) != 0) {
3111: error("%s: parse data: %s", __func__, ssh_err(r));
3112: ssh_packet_disconnect(ssh, "Invalid oclose message");
3113: }
1.367 djm 3114: chan_rcvd_oclose(ssh, c);
1.339 markus 3115: return 0;
1.1 deraadt 3116: }
3117:
1.339 markus 3118: int
1.363 markus 3119: channel_input_open_confirmation(int type, u_int32_t seq, struct ssh *ssh)
1.1 deraadt 3120: {
1.367 djm 3121: Channel *c = channel_from_packet_id(ssh, __func__, "open confirmation");
3122: u_int32_t remote_window, remote_maxpacket;
3123: int r;
1.25 markus 3124:
1.363 markus 3125: if (channel_proxy_upstream(c, type, seq, ssh))
1.354 markus 3126: return 0;
3127: if (c->type != SSH_CHANNEL_OPENING)
1.389 djm 3128: ssh_packet_disconnect(ssh, "Received open confirmation for "
1.367 djm 3129: "non-opening channel %d.", c->self);
3130: /*
3131: * Record the remote channel number and mark that the channel
3132: * is now open.
3133: */
1.368 djm 3134: if ((r = sshpkt_get_u32(ssh, &c->remote_id)) != 0 ||
3135: (r = sshpkt_get_u32(ssh, &remote_window)) != 0 ||
1.389 djm 3136: (r = sshpkt_get_u32(ssh, &remote_maxpacket)) != 0 ||
3137: (r = sshpkt_get_end(ssh)) != 0) {
1.367 djm 3138: error("%s: window/maxpacket: %s", __func__, ssh_err(r));
1.389 djm 3139: ssh_packet_disconnect(ssh, "Invalid open confirmation message");
1.367 djm 3140: }
3141:
1.368 djm 3142: c->have_remote_id = 1;
1.367 djm 3143: c->remote_window = remote_window;
3144: c->remote_maxpacket = remote_maxpacket;
1.41 markus 3145: c->type = SSH_CHANNEL_OPEN;
1.358 djm 3146: if (c->open_confirm) {
1.367 djm 3147: debug2("%s: channel %d: callback start", __func__, c->self);
3148: c->open_confirm(ssh, c->self, 1, c->open_confirm_ctx);
3149: debug2("%s: channel %d: callback done", __func__, c->self);
1.44 markus 3150: }
1.358 djm 3151: debug2("channel %d: open confirm rwindow %u rmax %u", c->self,
3152: c->remote_window, c->remote_maxpacket);
1.339 markus 3153: return 0;
1.1 deraadt 3154: }
3155:
1.127 itojun 3156: static char *
1.114 markus 3157: reason2txt(int reason)
3158: {
1.143 deraadt 3159: switch (reason) {
1.114 markus 3160: case SSH2_OPEN_ADMINISTRATIVELY_PROHIBITED:
3161: return "administratively prohibited";
3162: case SSH2_OPEN_CONNECT_FAILED:
3163: return "connect failed";
3164: case SSH2_OPEN_UNKNOWN_CHANNEL_TYPE:
3165: return "unknown channel type";
3166: case SSH2_OPEN_RESOURCE_SHORTAGE:
3167: return "resource shortage";
3168: }
1.117 stevesk 3169: return "unknown reason";
1.114 markus 3170: }
3171:
1.339 markus 3172: int
1.363 markus 3173: channel_input_open_failure(int type, u_int32_t seq, struct ssh *ssh)
1.1 deraadt 3174: {
1.367 djm 3175: Channel *c = channel_from_packet_id(ssh, __func__, "open failure");
3176: u_int32_t reason;
3177: char *msg = NULL;
3178: int r;
1.25 markus 3179:
1.363 markus 3180: if (channel_proxy_upstream(c, type, seq, ssh))
1.354 markus 3181: return 0;
3182: if (c->type != SSH_CHANNEL_OPENING)
1.389 djm 3183: ssh_packet_disconnect(ssh, "Received open failure for "
1.367 djm 3184: "non-opening channel %d.", c->self);
3185: if ((r = sshpkt_get_u32(ssh, &reason)) != 0) {
3186: error("%s: reason: %s", __func__, ssh_err(r));
1.389 djm 3187: ssh_packet_disconnect(ssh, "Invalid open failure message");
1.367 djm 3188: }
1.378 djm 3189: /* skip language */
3190: if ((r = sshpkt_get_cstring(ssh, &msg, NULL)) != 0 ||
1.389 djm 3191: (r = sshpkt_get_string_direct(ssh, NULL, NULL)) != 0 ||
3192: (r = sshpkt_get_end(ssh)) != 0) {
1.378 djm 3193: error("%s: message/lang: %s", __func__, ssh_err(r));
1.389 djm 3194: ssh_packet_disconnect(ssh, "Invalid open failure message");
1.358 djm 3195: }
1.367 djm 3196: logit("channel %d: open failed: %s%s%s", c->self,
1.358 djm 3197: reason2txt(reason), msg ? ": ": "", msg ? msg : "");
3198: free(msg);
3199: if (c->open_confirm) {
1.367 djm 3200: debug2("%s: channel %d: callback start", __func__, c->self);
3201: c->open_confirm(ssh, c->self, 0, c->open_confirm_ctx);
3202: debug2("%s: channel %d: callback done", __func__, c->self);
1.44 markus 3203: }
1.291 djm 3204: /* Schedule the channel for cleanup/deletion. */
1.367 djm 3205: chan_mark_dead(ssh, c);
1.339 markus 3206: return 0;
1.44 markus 3207: }
3208:
1.339 markus 3209: int
1.363 markus 3210: channel_input_window_adjust(int type, u_int32_t seq, struct ssh *ssh)
1.121 markus 3211: {
1.367 djm 3212: int id = channel_parse_id(ssh, __func__, "window adjust");
1.121 markus 3213: Channel *c;
1.367 djm 3214: u_int32_t adjust;
3215: u_int new_rwin;
3216: int r;
1.1 deraadt 3217:
1.367 djm 3218: if ((c = channel_lookup(ssh, id)) == NULL) {
1.229 markus 3219: logit("Received window adjust for non-open channel %d.", id);
1.339 markus 3220: return 0;
1.372 markus 3221: }
1.367 djm 3222:
1.363 markus 3223: if (channel_proxy_upstream(c, type, seq, ssh))
1.354 markus 3224: return 0;
1.389 djm 3225: if ((r = sshpkt_get_u32(ssh, &adjust)) != 0 ||
3226: (r = sshpkt_get_end(ssh)) != 0) {
1.367 djm 3227: error("%s: adjust: %s", __func__, ssh_err(r));
1.389 djm 3228: ssh_packet_disconnect(ssh, "Invalid window adjust message");
1.367 djm 3229: }
3230: debug2("channel %d: rcvd adjust %u", c->self, adjust);
3231: if ((new_rwin = c->remote_window + adjust) < c->remote_window) {
1.346 djm 3232: fatal("channel %d: adjust %u overflows remote window %u",
1.367 djm 3233: c->self, adjust, c->remote_window);
3234: }
3235: c->remote_window = new_rwin;
1.339 markus 3236: return 0;
1.121 markus 3237: }
1.1 deraadt 3238:
1.339 markus 3239: int
1.363 markus 3240: channel_input_status_confirm(int type, u_int32_t seq, struct ssh *ssh)
1.275 djm 3241: {
1.367 djm 3242: int id = channel_parse_id(ssh, __func__, "status confirm");
1.275 djm 3243: Channel *c;
3244: struct channel_confirm *cc;
3245:
3246: /* Reset keepalive timeout */
1.389 djm 3247: ssh_packet_set_alive_timeouts(ssh, 0);
1.275 djm 3248:
1.367 djm 3249: debug2("%s: type %d id %d", __func__, type, id);
1.275 djm 3250:
1.367 djm 3251: if ((c = channel_lookup(ssh, id)) == NULL) {
3252: logit("%s: %d: unknown", __func__, id);
1.339 markus 3253: return 0;
1.367 djm 3254: }
1.363 markus 3255: if (channel_proxy_upstream(c, type, seq, ssh))
1.354 markus 3256: return 0;
1.394 dtucker 3257: if (sshpkt_get_end(ssh) != 0)
1.389 djm 3258: ssh_packet_disconnect(ssh, "Invalid status confirm message");
1.275 djm 3259: if ((cc = TAILQ_FIRST(&c->status_confirms)) == NULL)
1.339 markus 3260: return 0;
1.367 djm 3261: cc->cb(ssh, type, c, cc->ctx);
1.275 djm 3262: TAILQ_REMOVE(&c->status_confirms, cc, entry);
1.396 jsg 3263: freezero(cc, sizeof(*cc));
1.339 markus 3264: return 0;
1.275 djm 3265: }
1.121 markus 3266:
3267: /* -- tcp forwarding */
1.135 markus 3268:
3269: void
1.367 djm 3270: channel_set_af(struct ssh *ssh, int af)
1.135 markus 3271: {
1.367 djm 3272: ssh->chanctxt->IPv4or6 = af;
1.135 markus 3273: }
1.121 markus 3274:
1.312 djm 3275:
3276: /*
3277: * Determine whether or not a port forward listens to loopback, the
3278: * specified address or wildcard. On the client, a specified bind
3279: * address will always override gateway_ports. On the server, a
3280: * gateway_ports of 1 (``yes'') will override the client's specification
3281: * and force a wildcard bind, whereas a value of 2 (``clientspecified'')
3282: * will bind to whatever address the client asked for.
3283: *
3284: * Special-case listen_addrs are:
3285: *
3286: * "0.0.0.0" -> wildcard v4/v6 if SSH_OLD_FORWARD_ADDR
3287: * "" (empty string), "*" -> wildcard v4/v6
3288: * "localhost" -> loopback v4/v6
1.334 djm 3289: * "127.0.0.1" / "::1" -> accepted even if gateway_ports isn't set
1.312 djm 3290: */
3291: static const char *
1.389 djm 3292: channel_fwd_bind_addr(struct ssh *ssh, const char *listen_addr, int *wildcardp,
1.336 millert 3293: int is_client, struct ForwardOptions *fwd_opts)
1.312 djm 3294: {
3295: const char *addr = NULL;
3296: int wildcard = 0;
3297:
3298: if (listen_addr == NULL) {
3299: /* No address specified: default to gateway_ports setting */
1.336 millert 3300: if (fwd_opts->gateway_ports)
1.312 djm 3301: wildcard = 1;
1.336 millert 3302: } else if (fwd_opts->gateway_ports || is_client) {
1.312 djm 3303: if (((datafellows & SSH_OLD_FORWARD_ADDR) &&
3304: strcmp(listen_addr, "0.0.0.0") == 0 && is_client == 0) ||
3305: *listen_addr == '\0' || strcmp(listen_addr, "*") == 0 ||
1.336 millert 3306: (!is_client && fwd_opts->gateway_ports == 1)) {
1.312 djm 3307: wildcard = 1;
1.326 djm 3308: /*
3309: * Notify client if they requested a specific listen
3310: * address and it was overridden.
3311: */
3312: if (*listen_addr != '\0' &&
3313: strcmp(listen_addr, "0.0.0.0") != 0 &&
3314: strcmp(listen_addr, "*") != 0) {
1.389 djm 3315: ssh_packet_send_debug(ssh,
3316: "Forwarding listen address "
1.326 djm 3317: "\"%s\" overridden by server "
3318: "GatewayPorts", listen_addr);
3319: }
1.334 djm 3320: } else if (strcmp(listen_addr, "localhost") != 0 ||
3321: strcmp(listen_addr, "127.0.0.1") == 0 ||
3322: strcmp(listen_addr, "::1") == 0) {
1.395 djm 3323: /*
3324: * Accept explicit localhost address when
3325: * GatewayPorts=yes. The "localhost" hostname is
3326: * deliberately skipped here so it will listen on all
3327: * available local address families.
3328: */
1.334 djm 3329: addr = listen_addr;
1.326 djm 3330: }
1.334 djm 3331: } else if (strcmp(listen_addr, "127.0.0.1") == 0 ||
3332: strcmp(listen_addr, "::1") == 0) {
3333: /*
3334: * If a specific IPv4/IPv6 localhost address has been
3335: * requested then accept it even if gateway_ports is in
3336: * effect. This allows the client to prefer IPv4 or IPv6.
3337: */
3338: addr = listen_addr;
1.312 djm 3339: }
3340: if (wildcardp != NULL)
3341: *wildcardp = wildcard;
3342: return addr;
3343: }
3344:
1.160 markus 3345: static int
1.367 djm 3346: channel_setup_fwd_listener_tcpip(struct ssh *ssh, int type,
3347: struct Forward *fwd, int *allocated_listen_port,
3348: struct ForwardOptions *fwd_opts)
1.25 markus 3349: {
1.113 markus 3350: Channel *c;
1.226 djm 3351: int sock, r, success = 0, wildcard = 0, is_client;
1.35 markus 3352: struct addrinfo hints, *ai, *aitop;
1.212 djm 3353: const char *host, *addr;
1.35 markus 3354: char ntop[NI_MAXHOST], strport[NI_MAXSERV];
1.295 djm 3355: in_port_t *lport_p;
1.25 markus 3356:
1.212 djm 3357: is_client = (type == SSH_CHANNEL_PORT_LISTENER);
1.87 markus 3358:
1.344 millert 3359: if (is_client && fwd->connect_path != NULL) {
3360: host = fwd->connect_path;
3361: } else {
3362: host = (type == SSH_CHANNEL_RPORT_LISTENER) ?
3363: fwd->listen_host : fwd->connect_host;
3364: if (host == NULL) {
3365: error("No forward host name.");
3366: return 0;
3367: }
3368: if (strlen(host) >= NI_MAXHOST) {
3369: error("Forward host name too long.");
3370: return 0;
3371: }
1.87 markus 3372: }
1.25 markus 3373:
1.312 djm 3374: /* Determine the bind address, cf. channel_fwd_bind_addr() comment */
1.389 djm 3375: addr = channel_fwd_bind_addr(ssh, fwd->listen_host, &wildcard,
1.336 millert 3376: is_client, fwd_opts);
3377: debug3("%s: type %d wildcard %d addr %s", __func__,
1.212 djm 3378: type, wildcard, (addr == NULL) ? "NULL" : addr);
3379:
3380: /*
1.35 markus 3381: * getaddrinfo returns a loopback address if the hostname is
3382: * set to NULL and hints.ai_flags is not AI_PASSIVE
1.28 markus 3383: */
1.35 markus 3384: memset(&hints, 0, sizeof(hints));
1.367 djm 3385: hints.ai_family = ssh->chanctxt->IPv4or6;
1.212 djm 3386: hints.ai_flags = wildcard ? AI_PASSIVE : 0;
1.35 markus 3387: hints.ai_socktype = SOCK_STREAM;
1.336 millert 3388: snprintf(strport, sizeof strport, "%d", fwd->listen_port);
1.212 djm 3389: if ((r = getaddrinfo(addr, strport, &hints, &aitop)) != 0) {
3390: if (addr == NULL) {
3391: /* This really shouldn't happen */
1.389 djm 3392: ssh_packet_disconnect(ssh, "getaddrinfo: fatal error: %s",
1.271 dtucker 3393: ssh_gai_strerror(r));
1.212 djm 3394: } else {
1.336 millert 3395: error("%s: getaddrinfo(%.64s): %s", __func__, addr,
1.271 dtucker 3396: ssh_gai_strerror(r));
1.212 djm 3397: }
1.218 markus 3398: return 0;
1.212 djm 3399: }
1.295 djm 3400: if (allocated_listen_port != NULL)
3401: *allocated_listen_port = 0;
1.35 markus 3402: for (ai = aitop; ai; ai = ai->ai_next) {
1.295 djm 3403: switch (ai->ai_family) {
3404: case AF_INET:
3405: lport_p = &((struct sockaddr_in *)ai->ai_addr)->
3406: sin_port;
3407: break;
3408: case AF_INET6:
3409: lport_p = &((struct sockaddr_in6 *)ai->ai_addr)->
3410: sin6_port;
3411: break;
3412: default:
1.35 markus 3413: continue;
1.295 djm 3414: }
3415: /*
3416: * If allocating a port for -R forwards, then use the
3417: * same port for all address families.
3418: */
1.367 djm 3419: if (type == SSH_CHANNEL_RPORT_LISTENER &&
3420: fwd->listen_port == 0 && allocated_listen_port != NULL &&
3421: *allocated_listen_port > 0)
1.295 djm 3422: *lport_p = htons(*allocated_listen_port);
3423:
1.35 markus 3424: if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop, sizeof(ntop),
1.367 djm 3425: strport, sizeof(strport),
3426: NI_NUMERICHOST|NI_NUMERICSERV) != 0) {
1.336 millert 3427: error("%s: getnameinfo failed", __func__);
1.35 markus 3428: continue;
3429: }
3430: /* Create a port to listen for the host. */
1.300 dtucker 3431: sock = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol);
1.393 deraadt 3432: if (sock == -1) {
1.35 markus 3433: /* this is no error since kernel may not support ipv6 */
1.377 djm 3434: verbose("socket [%s]:%s: %.100s", ntop, strport,
3435: strerror(errno));
1.35 markus 3436: continue;
3437: }
1.226 djm 3438:
1.376 djm 3439: set_reuseaddr(sock);
1.182 stevesk 3440:
1.295 djm 3441: debug("Local forwarding listening on %s port %s.",
3442: ntop, strport);
1.35 markus 3443:
3444: /* Bind the socket to the address. */
1.393 deraadt 3445: if (bind(sock, ai->ai_addr, ai->ai_addrlen) == -1) {
1.367 djm 3446: /*
3447: * address can be in if use ipv6 address is
3448: * already bound
3449: */
1.377 djm 3450: verbose("bind [%s]:%s: %.100s",
3451: ntop, strport, strerror(errno));
1.35 markus 3452: close(sock);
3453: continue;
3454: }
3455: /* Start listening for connections on the socket. */
1.393 deraadt 3456: if (listen(sock, SSH_LISTEN_BACKLOG) == -1) {
1.377 djm 3457: error("listen [%s]:%s: %.100s", ntop, strport,
3458: strerror(errno));
1.35 markus 3459: close(sock);
3460: continue;
3461: }
1.295 djm 3462:
3463: /*
1.336 millert 3464: * fwd->listen_port == 0 requests a dynamically allocated port -
1.295 djm 3465: * record what we got.
3466: */
1.367 djm 3467: if (type == SSH_CHANNEL_RPORT_LISTENER &&
3468: fwd->listen_port == 0 &&
1.295 djm 3469: allocated_listen_port != NULL &&
3470: *allocated_listen_port == 0) {
1.350 djm 3471: *allocated_listen_port = get_local_port(sock);
1.295 djm 3472: debug("Allocated listen port %d",
3473: *allocated_listen_port);
3474: }
3475:
1.35 markus 3476: /* Allocate a channel number for the socket. */
1.367 djm 3477: c = channel_new(ssh, "port listener", type, sock, sock, -1,
1.51 markus 3478: CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT,
1.190 markus 3479: 0, "port listener", 1);
1.293 djm 3480: c->path = xstrdup(host);
1.336 millert 3481: c->host_port = fwd->connect_port;
1.312 djm 3482: c->listening_addr = addr == NULL ? NULL : xstrdup(addr);
1.336 millert 3483: if (fwd->listen_port == 0 && allocated_listen_port != NULL &&
1.315 markus 3484: !(datafellows & SSH_BUG_DYNAMIC_RPORT))
3485: c->listening_port = *allocated_listen_port;
3486: else
1.336 millert 3487: c->listening_port = fwd->listen_port;
1.35 markus 3488: success = 1;
3489: }
3490: if (success == 0)
1.336 millert 3491: error("%s: cannot listen to port: %d", __func__,
3492: fwd->listen_port);
1.35 markus 3493: freeaddrinfo(aitop);
1.87 markus 3494: return success;
1.25 markus 3495: }
1.1 deraadt 3496:
1.336 millert 3497: static int
1.367 djm 3498: channel_setup_fwd_listener_streamlocal(struct ssh *ssh, int type,
3499: struct Forward *fwd, struct ForwardOptions *fwd_opts)
1.336 millert 3500: {
3501: struct sockaddr_un sunaddr;
3502: const char *path;
3503: Channel *c;
3504: int port, sock;
3505: mode_t omask;
3506:
3507: switch (type) {
3508: case SSH_CHANNEL_UNIX_LISTENER:
3509: if (fwd->connect_path != NULL) {
3510: if (strlen(fwd->connect_path) > sizeof(sunaddr.sun_path)) {
3511: error("Local connecting path too long: %s",
3512: fwd->connect_path);
3513: return 0;
3514: }
3515: path = fwd->connect_path;
3516: port = PORT_STREAMLOCAL;
3517: } else {
3518: if (fwd->connect_host == NULL) {
3519: error("No forward host name.");
3520: return 0;
3521: }
3522: if (strlen(fwd->connect_host) >= NI_MAXHOST) {
3523: error("Forward host name too long.");
3524: return 0;
3525: }
3526: path = fwd->connect_host;
3527: port = fwd->connect_port;
3528: }
3529: break;
3530: case SSH_CHANNEL_RUNIX_LISTENER:
3531: path = fwd->listen_path;
3532: port = PORT_STREAMLOCAL;
3533: break;
3534: default:
3535: error("%s: unexpected channel type %d", __func__, type);
3536: return 0;
3537: }
3538:
3539: if (fwd->listen_path == NULL) {
3540: error("No forward path name.");
3541: return 0;
3542: }
3543: if (strlen(fwd->listen_path) > sizeof(sunaddr.sun_path)) {
3544: error("Local listening path too long: %s", fwd->listen_path);
3545: return 0;
3546: }
3547:
3548: debug3("%s: type %d path %s", __func__, type, fwd->listen_path);
3549:
3550: /* Start a Unix domain listener. */
3551: omask = umask(fwd_opts->streamlocal_bind_mask);
3552: sock = unix_listener(fwd->listen_path, SSH_LISTEN_BACKLOG,
3553: fwd_opts->streamlocal_bind_unlink);
3554: umask(omask);
3555: if (sock < 0)
3556: return 0;
3557:
3558: debug("Local forwarding listening on path %s.", fwd->listen_path);
3559:
3560: /* Allocate a channel number for the socket. */
1.367 djm 3561: c = channel_new(ssh, "unix listener", type, sock, sock, -1,
1.336 millert 3562: CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT,
3563: 0, "unix listener", 1);
3564: c->path = xstrdup(path);
3565: c->host_port = port;
3566: c->listening_port = PORT_STREAMLOCAL;
3567: c->listening_addr = xstrdup(fwd->listen_path);
3568: return 1;
3569: }
3570:
3571: static int
1.367 djm 3572: channel_cancel_rport_listener_tcpip(struct ssh *ssh,
3573: const char *host, u_short port)
1.202 djm 3574: {
1.209 avsm 3575: u_int i;
3576: int found = 0;
1.202 djm 3577:
1.367 djm 3578: for (i = 0; i < ssh->chanctxt->channels_alloc; i++) {
3579: Channel *c = ssh->chanctxt->channels[i];
1.312 djm 3580: if (c == NULL || c->type != SSH_CHANNEL_RPORT_LISTENER)
3581: continue;
3582: if (strcmp(c->path, host) == 0 && c->listening_port == port) {
3583: debug2("%s: close channel %d", __func__, i);
1.367 djm 3584: channel_free(ssh, c);
1.312 djm 3585: found = 1;
3586: }
3587: }
3588:
1.367 djm 3589: return found;
1.312 djm 3590: }
3591:
1.336 millert 3592: static int
1.367 djm 3593: channel_cancel_rport_listener_streamlocal(struct ssh *ssh, const char *path)
1.336 millert 3594: {
3595: u_int i;
3596: int found = 0;
3597:
1.367 djm 3598: for (i = 0; i < ssh->chanctxt->channels_alloc; i++) {
3599: Channel *c = ssh->chanctxt->channels[i];
1.336 millert 3600: if (c == NULL || c->type != SSH_CHANNEL_RUNIX_LISTENER)
3601: continue;
3602: if (c->path == NULL)
3603: continue;
3604: if (strcmp(c->path, path) == 0) {
3605: debug2("%s: close channel %d", __func__, i);
1.367 djm 3606: channel_free(ssh, c);
1.336 millert 3607: found = 1;
3608: }
3609: }
3610:
1.367 djm 3611: return found;
1.336 millert 3612: }
3613:
1.312 djm 3614: int
1.367 djm 3615: channel_cancel_rport_listener(struct ssh *ssh, struct Forward *fwd)
1.336 millert 3616: {
1.367 djm 3617: if (fwd->listen_path != NULL) {
3618: return channel_cancel_rport_listener_streamlocal(ssh,
3619: fwd->listen_path);
3620: } else {
3621: return channel_cancel_rport_listener_tcpip(ssh,
3622: fwd->listen_host, fwd->listen_port);
3623: }
1.336 millert 3624: }
3625:
3626: static int
1.367 djm 3627: channel_cancel_lport_listener_tcpip(struct ssh *ssh,
3628: const char *lhost, u_short lport, int cport,
3629: struct ForwardOptions *fwd_opts)
1.312 djm 3630: {
3631: u_int i;
3632: int found = 0;
1.389 djm 3633: const char *addr = channel_fwd_bind_addr(ssh, lhost, NULL, 1, fwd_opts);
1.202 djm 3634:
1.367 djm 3635: for (i = 0; i < ssh->chanctxt->channels_alloc; i++) {
3636: Channel *c = ssh->chanctxt->channels[i];
1.312 djm 3637: if (c == NULL || c->type != SSH_CHANNEL_PORT_LISTENER)
3638: continue;
1.313 markus 3639: if (c->listening_port != lport)
1.312 djm 3640: continue;
1.313 markus 3641: if (cport == CHANNEL_CANCEL_PORT_STATIC) {
3642: /* skip dynamic forwardings */
3643: if (c->host_port == 0)
3644: continue;
3645: } else {
3646: if (c->host_port != cport)
3647: continue;
3648: }
1.312 djm 3649: if ((c->listening_addr == NULL && addr != NULL) ||
3650: (c->listening_addr != NULL && addr == NULL))
3651: continue;
3652: if (addr == NULL || strcmp(c->listening_addr, addr) == 0) {
1.210 djm 3653: debug2("%s: close channel %d", __func__, i);
1.367 djm 3654: channel_free(ssh, c);
1.202 djm 3655: found = 1;
3656: }
3657: }
3658:
1.367 djm 3659: return found;
1.202 djm 3660: }
3661:
1.336 millert 3662: static int
1.367 djm 3663: channel_cancel_lport_listener_streamlocal(struct ssh *ssh, const char *path)
1.336 millert 3664: {
3665: u_int i;
3666: int found = 0;
3667:
3668: if (path == NULL) {
3669: error("%s: no path specified.", __func__);
3670: return 0;
3671: }
3672:
1.367 djm 3673: for (i = 0; i < ssh->chanctxt->channels_alloc; i++) {
3674: Channel *c = ssh->chanctxt->channels[i];
1.336 millert 3675: if (c == NULL || c->type != SSH_CHANNEL_UNIX_LISTENER)
3676: continue;
3677: if (c->listening_addr == NULL)
3678: continue;
3679: if (strcmp(c->listening_addr, path) == 0) {
3680: debug2("%s: close channel %d", __func__, i);
1.367 djm 3681: channel_free(ssh, c);
1.336 millert 3682: found = 1;
3683: }
3684: }
3685:
1.367 djm 3686: return found;
1.336 millert 3687: }
3688:
3689: int
1.367 djm 3690: channel_cancel_lport_listener(struct ssh *ssh,
3691: struct Forward *fwd, int cport, struct ForwardOptions *fwd_opts)
1.336 millert 3692: {
1.367 djm 3693: if (fwd->listen_path != NULL) {
3694: return channel_cancel_lport_listener_streamlocal(ssh,
3695: fwd->listen_path);
3696: } else {
3697: return channel_cancel_lport_listener_tcpip(ssh,
3698: fwd->listen_host, fwd->listen_port, cport, fwd_opts);
3699: }
1.336 millert 3700: }
3701:
1.362 markus 3702: /* protocol local port fwd, used by ssh */
1.160 markus 3703: int
1.367 djm 3704: channel_setup_local_fwd_listener(struct ssh *ssh,
3705: struct Forward *fwd, struct ForwardOptions *fwd_opts)
1.160 markus 3706: {
1.336 millert 3707: if (fwd->listen_path != NULL) {
1.367 djm 3708: return channel_setup_fwd_listener_streamlocal(ssh,
1.336 millert 3709: SSH_CHANNEL_UNIX_LISTENER, fwd, fwd_opts);
3710: } else {
1.367 djm 3711: return channel_setup_fwd_listener_tcpip(ssh,
3712: SSH_CHANNEL_PORT_LISTENER, fwd, NULL, fwd_opts);
1.336 millert 3713: }
1.160 markus 3714: }
3715:
1.381 djm 3716: /* Matches a remote forwarding permission against a requested forwarding */
3717: static int
3718: remote_open_match(struct permission *allowed_open, struct Forward *fwd)
3719: {
3720: int ret;
3721: char *lhost;
3722:
3723: /* XXX add ACLs for streamlocal */
3724: if (fwd->listen_path != NULL)
3725: return 1;
3726:
3727: if (fwd->listen_host == NULL || allowed_open->listen_host == NULL)
3728: return 0;
3729:
3730: if (allowed_open->listen_port != FWD_PERMIT_ANY_PORT &&
3731: allowed_open->listen_port != fwd->listen_port)
3732: return 0;
3733:
3734: /* Match hostnames case-insensitively */
3735: lhost = xstrdup(fwd->listen_host);
3736: lowercase(lhost);
3737: ret = match_pattern(lhost, allowed_open->listen_host);
3738: free(lhost);
3739:
3740: return ret;
3741: }
3742:
3743: /* Checks whether a requested remote forwarding is permitted */
3744: static int
3745: check_rfwd_permission(struct ssh *ssh, struct Forward *fwd)
3746: {
3747: struct ssh_channels *sc = ssh->chanctxt;
3748: struct permission_set *pset = &sc->remote_perms;
3749: u_int i, permit, permit_adm = 1;
3750: struct permission *perm;
3751:
3752: /* XXX apply GatewayPorts override before checking? */
3753:
3754: permit = pset->all_permitted;
3755: if (!permit) {
3756: for (i = 0; i < pset->num_permitted_user; i++) {
3757: perm = &pset->permitted_user[i];
3758: if (remote_open_match(perm, fwd)) {
3759: permit = 1;
3760: break;
3761: }
3762: }
3763: }
3764:
3765: if (pset->num_permitted_admin > 0) {
3766: permit_adm = 0;
3767: for (i = 0; i < pset->num_permitted_admin; i++) {
3768: perm = &pset->permitted_admin[i];
3769: if (remote_open_match(perm, fwd)) {
3770: permit_adm = 1;
3771: break;
3772: }
3773: }
3774: }
3775:
3776: return permit && permit_adm;
3777: }
3778:
1.160 markus 3779: /* protocol v2 remote port fwd, used by sshd */
3780: int
1.367 djm 3781: channel_setup_remote_fwd_listener(struct ssh *ssh, struct Forward *fwd,
1.336 millert 3782: int *allocated_listen_port, struct ForwardOptions *fwd_opts)
1.160 markus 3783: {
1.381 djm 3784: if (!check_rfwd_permission(ssh, fwd)) {
1.389 djm 3785: ssh_packet_send_debug(ssh, "port forwarding refused");
1.391 florian 3786: if (fwd->listen_path != NULL)
3787: /* XXX always allowed, see remote_open_match() */
3788: logit("Received request from %.100s port %d to "
3789: "remote forward to path \"%.100s\", "
3790: "but the request was denied.",
3791: ssh_remote_ipaddr(ssh), ssh_remote_port(ssh),
3792: fwd->listen_path);
3793: else if(fwd->listen_host != NULL)
3794: logit("Received request from %.100s port %d to "
3795: "remote forward to host %.100s port %d, "
3796: "but the request was denied.",
3797: ssh_remote_ipaddr(ssh), ssh_remote_port(ssh),
3798: fwd->listen_host, fwd->listen_port );
3799: else
3800: logit("Received request from %.100s port %d to remote "
3801: "forward, but the request was denied.",
3802: ssh_remote_ipaddr(ssh), ssh_remote_port(ssh));
1.381 djm 3803: return 0;
3804: }
1.336 millert 3805: if (fwd->listen_path != NULL) {
1.367 djm 3806: return channel_setup_fwd_listener_streamlocal(ssh,
1.336 millert 3807: SSH_CHANNEL_RUNIX_LISTENER, fwd, fwd_opts);
3808: } else {
1.367 djm 3809: return channel_setup_fwd_listener_tcpip(ssh,
1.336 millert 3810: SSH_CHANNEL_RPORT_LISTENER, fwd, allocated_listen_port,
3811: fwd_opts);
3812: }
1.160 markus 3813: }
3814:
1.27 markus 3815: /*
1.312 djm 3816: * Translate the requested rfwd listen host to something usable for
3817: * this server.
3818: */
3819: static const char *
3820: channel_rfwd_bind_host(const char *listen_host)
3821: {
3822: if (listen_host == NULL) {
1.378 djm 3823: return "localhost";
1.312 djm 3824: } else if (*listen_host == '\0' || strcmp(listen_host, "*") == 0) {
1.378 djm 3825: return "";
1.312 djm 3826: } else
3827: return listen_host;
3828: }
3829:
3830: /*
1.27 markus 3831: * Initiate forwarding of connections to port "port" on remote host through
3832: * the secure channel to host:port from local side.
1.315 markus 3833: * Returns handle (index) for updating the dynamic listen port with
1.381 djm 3834: * channel_update_permission().
1.27 markus 3835: */
1.253 markus 3836: int
1.367 djm 3837: channel_request_remote_forwarding(struct ssh *ssh, struct Forward *fwd)
1.25 markus 3838: {
1.367 djm 3839: int r, success = 0, idx = -1;
3840: char *host_to_connect, *listen_host, *listen_path;
3841: int port_to_connect, listen_port;
1.73 markus 3842:
1.25 markus 3843: /* Send the forward request to the remote side. */
1.358 djm 3844: if (fwd->listen_path != NULL) {
1.367 djm 3845: if ((r = sshpkt_start(ssh, SSH2_MSG_GLOBAL_REQUEST)) != 0 ||
3846: (r = sshpkt_put_cstring(ssh,
3847: "streamlocal-forward@openssh.com")) != 0 ||
3848: (r = sshpkt_put_u8(ssh, 1)) != 0 || /* want reply */
3849: (r = sshpkt_put_cstring(ssh, fwd->listen_path)) != 0 ||
3850: (r = sshpkt_send(ssh)) != 0 ||
3851: (r = ssh_packet_write_wait(ssh)) != 0)
3852: fatal("%s: request streamlocal: %s",
3853: __func__, ssh_err(r));
1.336 millert 3854: } else {
1.367 djm 3855: if ((r = sshpkt_start(ssh, SSH2_MSG_GLOBAL_REQUEST)) != 0 ||
3856: (r = sshpkt_put_cstring(ssh, "tcpip-forward")) != 0 ||
3857: (r = sshpkt_put_u8(ssh, 1)) != 0 || /* want reply */
3858: (r = sshpkt_put_cstring(ssh,
3859: channel_rfwd_bind_host(fwd->listen_host))) != 0 ||
3860: (r = sshpkt_put_u32(ssh, fwd->listen_port)) != 0 ||
3861: (r = sshpkt_send(ssh)) != 0 ||
3862: (r = ssh_packet_write_wait(ssh)) != 0)
3863: fatal("%s: request tcpip-forward: %s",
3864: __func__, ssh_err(r));
1.73 markus 3865: }
1.358 djm 3866: /* Assume that server accepts the request */
3867: success = 1;
1.73 markus 3868: if (success) {
1.305 djm 3869: /* Record that connection to this host/port is permitted. */
1.367 djm 3870: host_to_connect = listen_host = listen_path = NULL;
3871: port_to_connect = listen_port = 0;
1.336 millert 3872: if (fwd->connect_path != NULL) {
1.367 djm 3873: host_to_connect = xstrdup(fwd->connect_path);
3874: port_to_connect = PORT_STREAMLOCAL;
1.336 millert 3875: } else {
1.367 djm 3876: host_to_connect = xstrdup(fwd->connect_host);
3877: port_to_connect = fwd->connect_port;
1.336 millert 3878: }
3879: if (fwd->listen_path != NULL) {
1.367 djm 3880: listen_path = xstrdup(fwd->listen_path);
3881: listen_port = PORT_STREAMLOCAL;
1.336 millert 3882: } else {
1.367 djm 3883: if (fwd->listen_host != NULL)
3884: listen_host = xstrdup(fwd->listen_host);
3885: listen_port = fwd->listen_port;
3886: }
1.381 djm 3887: idx = permission_set_add(ssh, FORWARD_USER, FORWARD_LOCAL,
1.367 djm 3888: host_to_connect, port_to_connect,
3889: listen_host, listen_path, listen_port, NULL);
1.44 markus 3890: }
1.367 djm 3891: return idx;
1.1 deraadt 3892: }
3893:
1.333 markus 3894: static int
1.381 djm 3895: open_match(struct permission *allowed_open, const char *requestedhost,
1.336 millert 3896: int requestedport)
1.333 markus 3897: {
3898: if (allowed_open->host_to_connect == NULL)
3899: return 0;
3900: if (allowed_open->port_to_connect != FWD_PERMIT_ANY_PORT &&
3901: allowed_open->port_to_connect != requestedport)
3902: return 0;
1.351 dtucker 3903: if (strcmp(allowed_open->host_to_connect, FWD_PERMIT_ANY_HOST) != 0 &&
3904: strcmp(allowed_open->host_to_connect, requestedhost) != 0)
1.333 markus 3905: return 0;
3906: return 1;
3907: }
3908:
3909: /*
1.336 millert 3910: * Note that in the listen host/port case
1.333 markus 3911: * we don't support FWD_PERMIT_ANY_PORT and
3912: * need to translate between the configured-host (listen_host)
3913: * and what we've sent to the remote server (channel_rfwd_bind_host)
3914: */
3915: static int
1.381 djm 3916: open_listen_match_tcpip(struct permission *allowed_open,
1.336 millert 3917: const char *requestedhost, u_short requestedport, int translate)
1.333 markus 3918: {
3919: const char *allowed_host;
3920:
3921: if (allowed_open->host_to_connect == NULL)
3922: return 0;
3923: if (allowed_open->listen_port != requestedport)
3924: return 0;
1.335 djm 3925: if (!translate && allowed_open->listen_host == NULL &&
3926: requestedhost == NULL)
3927: return 1;
1.333 markus 3928: allowed_host = translate ?
3929: channel_rfwd_bind_host(allowed_open->listen_host) :
3930: allowed_open->listen_host;
1.382 djm 3931: if (allowed_host == NULL || requestedhost == NULL ||
1.333 markus 3932: strcmp(allowed_host, requestedhost) != 0)
3933: return 0;
3934: return 1;
3935: }
3936:
1.336 millert 3937: static int
1.381 djm 3938: open_listen_match_streamlocal(struct permission *allowed_open,
1.336 millert 3939: const char *requestedpath)
3940: {
3941: if (allowed_open->host_to_connect == NULL)
3942: return 0;
3943: if (allowed_open->listen_port != PORT_STREAMLOCAL)
3944: return 0;
3945: if (allowed_open->listen_path == NULL ||
3946: strcmp(allowed_open->listen_path, requestedpath) != 0)
3947: return 0;
3948: return 1;
3949: }
3950:
1.27 markus 3951: /*
1.208 deraadt 3952: * Request cancellation of remote forwarding of connection host:port from
1.202 djm 3953: * local side.
3954: */
1.336 millert 3955: static int
1.367 djm 3956: channel_request_rforward_cancel_tcpip(struct ssh *ssh,
3957: const char *host, u_short port)
1.202 djm 3958: {
1.367 djm 3959: struct ssh_channels *sc = ssh->chanctxt;
1.381 djm 3960: struct permission_set *pset = &sc->local_perms;
1.367 djm 3961: int r;
3962: u_int i;
1.397 markus 3963: struct permission *perm = NULL;
1.202 djm 3964:
1.381 djm 3965: for (i = 0; i < pset->num_permitted_user; i++) {
3966: perm = &pset->permitted_user[i];
3967: if (open_listen_match_tcpip(perm, host, port, 0))
1.202 djm 3968: break;
1.381 djm 3969: perm = NULL;
1.202 djm 3970: }
1.381 djm 3971: if (perm == NULL) {
1.202 djm 3972: debug("%s: requested forward not found", __func__);
1.312 djm 3973: return -1;
1.202 djm 3974: }
1.367 djm 3975: if ((r = sshpkt_start(ssh, SSH2_MSG_GLOBAL_REQUEST)) != 0 ||
3976: (r = sshpkt_put_cstring(ssh, "cancel-tcpip-forward")) != 0 ||
3977: (r = sshpkt_put_u8(ssh, 0)) != 0 || /* want reply */
3978: (r = sshpkt_put_cstring(ssh, channel_rfwd_bind_host(host))) != 0 ||
3979: (r = sshpkt_put_u32(ssh, port)) != 0 ||
3980: (r = sshpkt_send(ssh)) != 0)
3981: fatal("%s: send cancel: %s", __func__, ssh_err(r));
3982:
1.381 djm 3983: fwd_perm_clear(perm); /* unregister */
1.336 millert 3984:
3985: return 0;
3986: }
3987:
3988: /*
3989: * Request cancellation of remote forwarding of Unix domain socket
3990: * path from local side.
3991: */
3992: static int
1.367 djm 3993: channel_request_rforward_cancel_streamlocal(struct ssh *ssh, const char *path)
1.336 millert 3994: {
1.367 djm 3995: struct ssh_channels *sc = ssh->chanctxt;
1.381 djm 3996: struct permission_set *pset = &sc->local_perms;
1.367 djm 3997: int r;
3998: u_int i;
1.397 markus 3999: struct permission *perm = NULL;
1.336 millert 4000:
1.381 djm 4001: for (i = 0; i < pset->num_permitted_user; i++) {
4002: perm = &pset->permitted_user[i];
4003: if (open_listen_match_streamlocal(perm, path))
1.336 millert 4004: break;
1.381 djm 4005: perm = NULL;
1.336 millert 4006: }
1.381 djm 4007: if (perm == NULL) {
1.336 millert 4008: debug("%s: requested forward not found", __func__);
4009: return -1;
4010: }
1.367 djm 4011: if ((r = sshpkt_start(ssh, SSH2_MSG_GLOBAL_REQUEST)) != 0 ||
4012: (r = sshpkt_put_cstring(ssh,
4013: "cancel-streamlocal-forward@openssh.com")) != 0 ||
4014: (r = sshpkt_put_u8(ssh, 0)) != 0 || /* want reply */
4015: (r = sshpkt_put_cstring(ssh, path)) != 0 ||
4016: (r = sshpkt_send(ssh)) != 0)
4017: fatal("%s: send cancel: %s", __func__, ssh_err(r));
4018:
1.381 djm 4019: fwd_perm_clear(perm); /* unregister */
1.312 djm 4020:
4021: return 0;
1.202 djm 4022: }
4023:
4024: /*
1.336 millert 4025: * Request cancellation of remote forwarding of a connection from local side.
4026: */
4027: int
1.367 djm 4028: channel_request_rforward_cancel(struct ssh *ssh, struct Forward *fwd)
1.336 millert 4029: {
4030: if (fwd->listen_path != NULL) {
1.367 djm 4031: return channel_request_rforward_cancel_streamlocal(ssh,
4032: fwd->listen_path);
1.336 millert 4033: } else {
1.367 djm 4034: return channel_request_rforward_cancel_tcpip(ssh,
4035: fwd->listen_host,
4036: fwd->listen_port ? fwd->listen_port : fwd->allocated_port);
1.336 millert 4037: }
1.1 deraadt 4038: }
4039:
1.99 markus 4040: /*
1.381 djm 4041: * Permits opening to any host/port if permitted_user[] is empty. This is
1.99 markus 4042: * usually called by the server, because the user could connect to any port
4043: * anyway, and the server has no way to know but to trust the client anyway.
4044: */
4045: void
1.381 djm 4046: channel_permit_all(struct ssh *ssh, int where)
4047: {
4048: struct permission_set *pset = permission_set_get(ssh, where);
4049:
4050: if (pset->num_permitted_user == 0)
4051: pset->all_permitted = 1;
4052: }
4053:
4054: /*
4055: * Permit the specified host/port for forwarding.
4056: */
4057: void
4058: channel_add_permission(struct ssh *ssh, int who, int where,
4059: char *host, int port)
4060: {
4061: int local = where == FORWARD_LOCAL;
4062: struct permission_set *pset = permission_set_get(ssh, where);
4063:
4064: debug("allow %s forwarding to host %s port %d",
4065: fwd_ident(who, where), host, port);
4066: /*
4067: * Remote forwards set listen_host/port, local forwards set
4068: * host/port_to_connect.
4069: */
4070: permission_set_add(ssh, who, where,
4071: local ? host : 0, local ? port : 0,
4072: local ? NULL : host, NULL, local ? 0 : port, NULL);
4073: pset->all_permitted = 0;
4074: }
4075:
4076: /*
4077: * Administratively disable forwarding.
4078: */
4079: void
4080: channel_disable_admin(struct ssh *ssh, int where)
1.99 markus 4081: {
1.381 djm 4082: channel_clear_permission(ssh, FORWARD_ADM, where);
4083: permission_set_add(ssh, FORWARD_ADM, where,
4084: NULL, 0, NULL, NULL, 0, NULL);
1.99 markus 4085: }
4086:
1.381 djm 4087: /*
4088: * Clear a list of permitted opens.
4089: */
1.101 markus 4090: void
1.381 djm 4091: channel_clear_permission(struct ssh *ssh, int who, int where)
1.99 markus 4092: {
1.381 djm 4093: struct permission **permp;
4094: u_int *npermp;
1.367 djm 4095:
1.381 djm 4096: permission_set_get_array(ssh, who, where, &permp, &npermp);
4097: *permp = xrecallocarray(*permp, *npermp, 0, sizeof(**permp));
4098: *npermp = 0;
1.315 markus 4099: }
4100:
4101: /*
4102: * Update the listen port for a dynamic remote forward, after
4103: * the actual 'newport' has been allocated. If 'newport' < 0 is
4104: * passed then they entry will be invalidated.
4105: */
4106: void
1.381 djm 4107: channel_update_permission(struct ssh *ssh, int idx, int newport)
1.315 markus 4108: {
1.381 djm 4109: struct permission_set *pset = &ssh->chanctxt->local_perms;
1.367 djm 4110:
1.381 djm 4111: if (idx < 0 || (u_int)idx >= pset->num_permitted_user) {
4112: debug("%s: index out of range: %d num_permitted_user %d",
4113: __func__, idx, pset->num_permitted_user);
1.315 markus 4114: return;
4115: }
4116: debug("%s allowed port %d for forwarding to host %s port %d",
4117: newport > 0 ? "Updating" : "Removing",
4118: newport,
1.381 djm 4119: pset->permitted_user[idx].host_to_connect,
4120: pset->permitted_user[idx].port_to_connect);
1.367 djm 4121: if (newport <= 0)
1.381 djm 4122: fwd_perm_clear(&pset->permitted_user[idx]);
1.367 djm 4123: else {
1.381 djm 4124: pset->permitted_user[idx].listen_port =
1.315 markus 4125: (datafellows & SSH_BUG_DYNAMIC_RPORT) ? 0 : newport;
4126: }
1.99 markus 4127: }
4128:
1.314 dtucker 4129: /* returns port number, FWD_PERMIT_ANY_PORT or -1 on error */
4130: int
4131: permitopen_port(const char *p)
4132: {
4133: int port;
4134:
4135: if (strcmp(p, "*") == 0)
4136: return FWD_PERMIT_ANY_PORT;
4137: if ((port = a2port(p)) > 0)
4138: return port;
4139: return -1;
4140: }
4141:
1.276 djm 4142: /* Try to start non-blocking connect to next host in cctx list */
1.127 itojun 4143: static int
1.276 djm 4144: connect_next(struct channel_connect *cctx)
1.41 markus 4145: {
1.276 djm 4146: int sock, saved_errno;
1.336 millert 4147: struct sockaddr_un *sunaddr;
1.367 djm 4148: char ntop[NI_MAXHOST];
4149: char strport[MAXIMUM(NI_MAXSERV, sizeof(sunaddr->sun_path))];
1.41 markus 4150:
1.276 djm 4151: for (; cctx->ai; cctx->ai = cctx->ai->ai_next) {
1.336 millert 4152: switch (cctx->ai->ai_family) {
4153: case AF_UNIX:
4154: /* unix:pathname instead of host:port */
4155: sunaddr = (struct sockaddr_un *)cctx->ai->ai_addr;
4156: strlcpy(ntop, "unix", sizeof(ntop));
4157: strlcpy(strport, sunaddr->sun_path, sizeof(strport));
4158: break;
4159: case AF_INET:
4160: case AF_INET6:
4161: if (getnameinfo(cctx->ai->ai_addr, cctx->ai->ai_addrlen,
4162: ntop, sizeof(ntop), strport, sizeof(strport),
4163: NI_NUMERICHOST|NI_NUMERICSERV) != 0) {
4164: error("connect_next: getnameinfo failed");
4165: continue;
4166: }
4167: break;
4168: default:
1.41 markus 4169: continue;
4170: }
1.300 dtucker 4171: if ((sock = socket(cctx->ai->ai_family, cctx->ai->ai_socktype,
4172: cctx->ai->ai_protocol)) == -1) {
1.276 djm 4173: if (cctx->ai->ai_next == NULL)
1.186 djm 4174: error("socket: %.100s", strerror(errno));
4175: else
4176: verbose("socket: %.100s", strerror(errno));
1.41 markus 4177: continue;
4178: }
1.205 djm 4179: if (set_nonblock(sock) == -1)
4180: fatal("%s: set_nonblock(%d)", __func__, sock);
1.276 djm 4181: if (connect(sock, cctx->ai->ai_addr,
4182: cctx->ai->ai_addrlen) == -1 && errno != EINPROGRESS) {
4183: debug("connect_next: host %.100s ([%.100s]:%s): "
4184: "%.100s", cctx->host, ntop, strport,
1.41 markus 4185: strerror(errno));
1.276 djm 4186: saved_errno = errno;
1.41 markus 4187: close(sock);
1.276 djm 4188: errno = saved_errno;
1.89 stevesk 4189: continue; /* fail -- try next */
1.41 markus 4190: }
1.336 millert 4191: if (cctx->ai->ai_family != AF_UNIX)
4192: set_nodelay(sock);
1.276 djm 4193: debug("connect_next: host %.100s ([%.100s]:%s) "
4194: "in progress, fd=%d", cctx->host, ntop, strport, sock);
4195: cctx->ai = cctx->ai->ai_next;
4196: return sock;
4197: }
4198: return -1;
4199: }
1.41 markus 4200:
1.276 djm 4201: static void
4202: channel_connect_ctx_free(struct channel_connect *cctx)
4203: {
1.321 djm 4204: free(cctx->host);
1.336 millert 4205: if (cctx->aitop) {
4206: if (cctx->aitop->ai_family == AF_UNIX)
4207: free(cctx->aitop);
4208: else
4209: freeaddrinfo(cctx->aitop);
4210: }
1.329 tedu 4211: memset(cctx, 0, sizeof(*cctx));
1.276 djm 4212: }
4213:
1.357 dtucker 4214: /*
1.372 markus 4215: * Return connecting socket to remote host:port or local socket path,
1.357 dtucker 4216: * passing back the failure reason if appropriate.
4217: */
1.372 markus 4218: static int
4219: connect_to_helper(struct ssh *ssh, const char *name, int port, int socktype,
4220: char *ctype, char *rname, struct channel_connect *cctx,
4221: int *reason, const char **errmsg)
1.276 djm 4222: {
4223: struct addrinfo hints;
4224: int gaierr;
4225: int sock = -1;
4226: char strport[NI_MAXSERV];
1.336 millert 4227:
4228: if (port == PORT_STREAMLOCAL) {
4229: struct sockaddr_un *sunaddr;
4230: struct addrinfo *ai;
4231:
4232: if (strlen(name) > sizeof(sunaddr->sun_path)) {
4233: error("%.100s: %.100s", name, strerror(ENAMETOOLONG));
1.372 markus 4234: return -1;
1.336 millert 4235: }
4236:
4237: /*
4238: * Fake up a struct addrinfo for AF_UNIX connections.
4239: * channel_connect_ctx_free() must check ai_family
4240: * and use free() not freeaddirinfo() for AF_UNIX.
4241: */
4242: ai = xmalloc(sizeof(*ai) + sizeof(*sunaddr));
4243: memset(ai, 0, sizeof(*ai) + sizeof(*sunaddr));
4244: ai->ai_addr = (struct sockaddr *)(ai + 1);
4245: ai->ai_addrlen = sizeof(*sunaddr);
4246: ai->ai_family = AF_UNIX;
1.372 markus 4247: ai->ai_socktype = socktype;
1.336 millert 4248: ai->ai_protocol = PF_UNSPEC;
4249: sunaddr = (struct sockaddr_un *)ai->ai_addr;
4250: sunaddr->sun_family = AF_UNIX;
4251: strlcpy(sunaddr->sun_path, name, sizeof(sunaddr->sun_path));
1.372 markus 4252: cctx->aitop = ai;
1.336 millert 4253: } else {
4254: memset(&hints, 0, sizeof(hints));
1.367 djm 4255: hints.ai_family = ssh->chanctxt->IPv4or6;
1.372 markus 4256: hints.ai_socktype = socktype;
1.336 millert 4257: snprintf(strport, sizeof strport, "%d", port);
1.372 markus 4258: if ((gaierr = getaddrinfo(name, strport, &hints, &cctx->aitop))
1.357 dtucker 4259: != 0) {
4260: if (errmsg != NULL)
4261: *errmsg = ssh_gai_strerror(gaierr);
4262: if (reason != NULL)
4263: *reason = SSH2_OPEN_CONNECT_FAILED;
1.336 millert 4264: error("connect_to %.100s: unknown host (%s)", name,
4265: ssh_gai_strerror(gaierr));
1.372 markus 4266: return -1;
1.336 millert 4267: }
1.41 markus 4268: }
1.276 djm 4269:
1.372 markus 4270: cctx->host = xstrdup(name);
4271: cctx->port = port;
4272: cctx->ai = cctx->aitop;
1.276 djm 4273:
1.372 markus 4274: if ((sock = connect_next(cctx)) == -1) {
1.276 djm 4275: error("connect to %.100s port %d failed: %s",
1.336 millert 4276: name, port, strerror(errno));
1.372 markus 4277: return -1;
4278: }
4279:
4280: return sock;
4281: }
4282:
4283: /* Return CONNECTING channel to remote host:port or local socket path */
4284: static Channel *
4285: connect_to(struct ssh *ssh, const char *host, int port,
4286: char *ctype, char *rname)
4287: {
4288: struct channel_connect cctx;
4289: Channel *c;
4290: int sock;
4291:
4292: memset(&cctx, 0, sizeof(cctx));
4293: sock = connect_to_helper(ssh, host, port, SOCK_STREAM, ctype, rname,
4294: &cctx, NULL, NULL);
4295: if (sock == -1) {
1.276 djm 4296: channel_connect_ctx_free(&cctx);
4297: return NULL;
1.41 markus 4298: }
1.367 djm 4299: c = channel_new(ssh, ctype, SSH_CHANNEL_CONNECTING, sock, sock, -1,
1.276 djm 4300: CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0, rname, 1);
1.372 markus 4301: c->host_port = port;
4302: c->path = xstrdup(host);
1.276 djm 4303: c->connect_ctx = cctx;
1.372 markus 4304:
1.276 djm 4305: return c;
1.41 markus 4306: }
1.99 markus 4307:
1.354 markus 4308: /*
4309: * returns either the newly connected channel or the downstream channel
4310: * that needs to deal with this connection.
4311: */
1.276 djm 4312: Channel *
1.367 djm 4313: channel_connect_by_listen_address(struct ssh *ssh, const char *listen_host,
1.333 markus 4314: u_short listen_port, char *ctype, char *rname)
1.73 markus 4315: {
1.367 djm 4316: struct ssh_channels *sc = ssh->chanctxt;
1.381 djm 4317: struct permission_set *pset = &sc->local_perms;
1.367 djm 4318: u_int i;
1.381 djm 4319: struct permission *perm;
1.99 markus 4320:
1.381 djm 4321: for (i = 0; i < pset->num_permitted_user; i++) {
4322: perm = &pset->permitted_user[i];
4323: if (open_listen_match_tcpip(perm,
4324: listen_host, listen_port, 1)) {
4325: if (perm->downstream)
4326: return perm->downstream;
4327: if (perm->port_to_connect == 0)
1.372 markus 4328: return rdynamic_connect_prepare(ssh,
4329: ctype, rname);
1.367 djm 4330: return connect_to(ssh,
1.381 djm 4331: perm->host_to_connect, perm->port_to_connect,
1.367 djm 4332: ctype, rname);
1.276 djm 4333: }
4334: }
1.74 markus 4335: error("WARNING: Server requests forwarding for unknown listen_port %d",
4336: listen_port);
1.276 djm 4337: return NULL;
1.73 markus 4338: }
4339:
1.336 millert 4340: Channel *
1.367 djm 4341: channel_connect_by_listen_path(struct ssh *ssh, const char *path,
4342: char *ctype, char *rname)
1.336 millert 4343: {
1.367 djm 4344: struct ssh_channels *sc = ssh->chanctxt;
1.381 djm 4345: struct permission_set *pset = &sc->local_perms;
1.367 djm 4346: u_int i;
1.381 djm 4347: struct permission *perm;
1.336 millert 4348:
1.381 djm 4349: for (i = 0; i < pset->num_permitted_user; i++) {
4350: perm = &pset->permitted_user[i];
4351: if (open_listen_match_streamlocal(perm, path)) {
1.367 djm 4352: return connect_to(ssh,
1.381 djm 4353: perm->host_to_connect, perm->port_to_connect,
1.367 djm 4354: ctype, rname);
1.336 millert 4355: }
4356: }
4357: error("WARNING: Server requests forwarding for unknown path %.100s",
4358: path);
4359: return NULL;
4360: }
4361:
1.99 markus 4362: /* Check if connecting to that port is permitted and connect. */
1.276 djm 4363: Channel *
1.367 djm 4364: channel_connect_to_port(struct ssh *ssh, const char *host, u_short port,
4365: char *ctype, char *rname, int *reason, const char **errmsg)
1.99 markus 4366: {
1.367 djm 4367: struct ssh_channels *sc = ssh->chanctxt;
1.381 djm 4368: struct permission_set *pset = &sc->local_perms;
1.372 markus 4369: struct channel_connect cctx;
4370: Channel *c;
1.367 djm 4371: u_int i, permit, permit_adm = 1;
1.372 markus 4372: int sock;
1.381 djm 4373: struct permission *perm;
1.99 markus 4374:
1.381 djm 4375: permit = pset->all_permitted;
1.99 markus 4376: if (!permit) {
1.381 djm 4377: for (i = 0; i < pset->num_permitted_user; i++) {
4378: perm = &pset->permitted_user[i];
4379: if (open_match(perm, host, port)) {
1.99 markus 4380: permit = 1;
1.333 markus 4381: break;
4382: }
1.367 djm 4383: }
1.257 dtucker 4384: }
1.99 markus 4385:
1.381 djm 4386: if (pset->num_permitted_admin > 0) {
1.257 dtucker 4387: permit_adm = 0;
1.381 djm 4388: for (i = 0; i < pset->num_permitted_admin; i++) {
4389: perm = &pset->permitted_admin[i];
4390: if (open_match(perm, host, port)) {
1.257 dtucker 4391: permit_adm = 1;
1.333 markus 4392: break;
4393: }
1.367 djm 4394: }
1.99 markus 4395: }
1.257 dtucker 4396:
4397: if (!permit || !permit_adm) {
1.391 florian 4398: logit("Received request from %.100s port %d to connect to "
4399: "host %.100s port %d, but the request was denied.",
4400: ssh_remote_ipaddr(ssh), ssh_remote_port(ssh), host, port);
1.357 dtucker 4401: if (reason != NULL)
4402: *reason = SSH2_OPEN_ADMINISTRATIVELY_PROHIBITED;
1.276 djm 4403: return NULL;
1.99 markus 4404: }
1.372 markus 4405:
4406: memset(&cctx, 0, sizeof(cctx));
4407: sock = connect_to_helper(ssh, host, port, SOCK_STREAM, ctype, rname,
4408: &cctx, reason, errmsg);
4409: if (sock == -1) {
4410: channel_connect_ctx_free(&cctx);
4411: return NULL;
4412: }
4413:
4414: c = channel_new(ssh, ctype, SSH_CHANNEL_CONNECTING, sock, sock, -1,
4415: CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0, rname, 1);
4416: c->host_port = port;
4417: c->path = xstrdup(host);
4418: c->connect_ctx = cctx;
4419:
4420: return c;
1.336 millert 4421: }
4422:
4423: /* Check if connecting to that path is permitted and connect. */
4424: Channel *
1.367 djm 4425: channel_connect_to_path(struct ssh *ssh, const char *path,
4426: char *ctype, char *rname)
1.336 millert 4427: {
1.367 djm 4428: struct ssh_channels *sc = ssh->chanctxt;
1.381 djm 4429: struct permission_set *pset = &sc->local_perms;
1.367 djm 4430: u_int i, permit, permit_adm = 1;
1.381 djm 4431: struct permission *perm;
1.336 millert 4432:
1.381 djm 4433: permit = pset->all_permitted;
1.336 millert 4434: if (!permit) {
1.381 djm 4435: for (i = 0; i < pset->num_permitted_user; i++) {
4436: perm = &pset->permitted_user[i];
4437: if (open_match(perm, path, PORT_STREAMLOCAL)) {
1.336 millert 4438: permit = 1;
4439: break;
4440: }
1.367 djm 4441: }
1.336 millert 4442: }
4443:
1.381 djm 4444: if (pset->num_permitted_admin > 0) {
1.336 millert 4445: permit_adm = 0;
1.381 djm 4446: for (i = 0; i < pset->num_permitted_admin; i++) {
4447: perm = &pset->permitted_admin[i];
4448: if (open_match(perm, path, PORT_STREAMLOCAL)) {
1.336 millert 4449: permit_adm = 1;
4450: break;
4451: }
1.367 djm 4452: }
1.336 millert 4453: }
4454:
4455: if (!permit || !permit_adm) {
4456: logit("Received request to connect to path %.100s, "
4457: "but the request was denied.", path);
4458: return NULL;
4459: }
1.367 djm 4460: return connect_to(ssh, path, PORT_STREAMLOCAL, ctype, rname);
1.204 djm 4461: }
4462:
4463: void
1.367 djm 4464: channel_send_window_changes(struct ssh *ssh)
1.204 djm 4465: {
1.367 djm 4466: struct ssh_channels *sc = ssh->chanctxt;
4467: struct winsize ws;
4468: int r;
1.209 avsm 4469: u_int i;
1.204 djm 4470:
1.367 djm 4471: for (i = 0; i < sc->channels_alloc; i++) {
4472: if (sc->channels[i] == NULL || !sc->channels[i]->client_tty ||
4473: sc->channels[i]->type != SSH_CHANNEL_OPEN)
1.204 djm 4474: continue;
1.393 deraadt 4475: if (ioctl(sc->channels[i]->rfd, TIOCGWINSZ, &ws) == -1)
1.204 djm 4476: continue;
1.367 djm 4477: channel_request_start(ssh, i, "window-change", 0);
4478: if ((r = sshpkt_put_u32(ssh, (u_int)ws.ws_col)) != 0 ||
4479: (r = sshpkt_put_u32(ssh, (u_int)ws.ws_row)) != 0 ||
4480: (r = sshpkt_put_u32(ssh, (u_int)ws.ws_xpixel)) != 0 ||
4481: (r = sshpkt_put_u32(ssh, (u_int)ws.ws_ypixel)) != 0 ||
4482: (r = sshpkt_send(ssh)) != 0)
4483: fatal("%s: channel %u: send window-change: %s",
4484: __func__, i, ssh_err(r));
1.204 djm 4485: }
1.372 markus 4486: }
4487:
4488: /* Return RDYNAMIC_OPEN channel: channel allows SOCKS, but is not connected */
4489: static Channel *
4490: rdynamic_connect_prepare(struct ssh *ssh, char *ctype, char *rname)
4491: {
4492: Channel *c;
4493: int r;
4494:
4495: c = channel_new(ssh, ctype, SSH_CHANNEL_RDYNAMIC_OPEN, -1, -1, -1,
4496: CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0, rname, 1);
4497: c->host_port = 0;
4498: c->path = NULL;
4499:
4500: /*
4501: * We need to open the channel before we have a FD,
4502: * so that we can get SOCKS header from peer.
4503: */
4504: if ((r = sshpkt_start(ssh, SSH2_MSG_CHANNEL_OPEN_CONFIRMATION)) != 0 ||
4505: (r = sshpkt_put_u32(ssh, c->remote_id)) != 0 ||
4506: (r = sshpkt_put_u32(ssh, c->self)) != 0 ||
4507: (r = sshpkt_put_u32(ssh, c->local_window)) != 0 ||
4508: (r = sshpkt_put_u32(ssh, c->local_maxpacket)) != 0) {
4509: fatal("%s: channel %i: confirm: %s", __func__,
4510: c->self, ssh_err(r));
4511: }
4512: return c;
4513: }
4514:
4515: /* Return CONNECTING socket to remote host:port or local socket path */
4516: static int
4517: rdynamic_connect_finish(struct ssh *ssh, Channel *c)
4518: {
4519: struct channel_connect cctx;
4520: int sock;
4521:
4522: memset(&cctx, 0, sizeof(cctx));
4523: sock = connect_to_helper(ssh, c->path, c->host_port, SOCK_STREAM, NULL,
4524: NULL, &cctx, NULL, NULL);
4525: if (sock == -1)
4526: channel_connect_ctx_free(&cctx);
4527: else {
4528: /* similar to SSH_CHANNEL_CONNECTING but we've already sent the open */
4529: c->type = SSH_CHANNEL_RDYNAMIC_FINISH;
4530: c->connect_ctx = cctx;
4531: channel_register_fds(ssh, c, sock, sock, -1, 0, 1, 0);
4532: }
4533: return sock;
1.99 markus 4534: }
4535:
1.121 markus 4536: /* -- X11 forwarding */
1.1 deraadt 4537:
1.27 markus 4538: /*
4539: * Creates an internet domain socket for listening for X11 connections.
1.176 deraadt 4540: * Returns 0 and a suitable display number for the DISPLAY variable
4541: * stored in display_numberp , or -1 if an error occurs.
1.27 markus 4542: */
1.141 stevesk 4543: int
1.367 djm 4544: x11_create_display_inet(struct ssh *ssh, int x11_display_offset,
4545: int x11_use_localhost, int single_connection,
4546: u_int *display_numberp, int **chanids)
1.1 deraadt 4547: {
1.149 markus 4548: Channel *nc = NULL;
1.31 markus 4549: int display_number, sock;
4550: u_short port;
1.35 markus 4551: struct addrinfo hints, *ai, *aitop;
4552: char strport[NI_MAXSERV];
4553: int gaierr, n, num_socks = 0, socks[NUM_SOCKS];
1.25 markus 4554:
1.224 markus 4555: if (chanids == NULL)
4556: return -1;
4557:
1.33 markus 4558: for (display_number = x11_display_offset;
1.148 deraadt 4559: display_number < MAX_DISPLAYS;
4560: display_number++) {
1.25 markus 4561: port = 6000 + display_number;
1.35 markus 4562: memset(&hints, 0, sizeof(hints));
1.367 djm 4563: hints.ai_family = ssh->chanctxt->IPv4or6;
1.163 stevesk 4564: hints.ai_flags = x11_use_localhost ? 0: AI_PASSIVE;
1.35 markus 4565: hints.ai_socktype = SOCK_STREAM;
4566: snprintf(strport, sizeof strport, "%d", port);
1.367 djm 4567: if ((gaierr = getaddrinfo(NULL, strport,
4568: &hints, &aitop)) != 0) {
1.271 dtucker 4569: error("getaddrinfo: %.100s", ssh_gai_strerror(gaierr));
1.141 stevesk 4570: return -1;
1.25 markus 4571: }
1.35 markus 4572: for (ai = aitop; ai; ai = ai->ai_next) {
1.367 djm 4573: if (ai->ai_family != AF_INET &&
4574: ai->ai_family != AF_INET6)
1.35 markus 4575: continue;
1.300 dtucker 4576: sock = socket(ai->ai_family, ai->ai_socktype,
4577: ai->ai_protocol);
1.393 deraadt 4578: if (sock == -1) {
1.35 markus 4579: error("socket: %.100s", strerror(errno));
1.203 markus 4580: freeaddrinfo(aitop);
1.141 stevesk 4581: return -1;
1.35 markus 4582: }
1.376 djm 4583: set_reuseaddr(sock);
1.393 deraadt 4584: if (bind(sock, ai->ai_addr, ai->ai_addrlen) == -1) {
1.367 djm 4585: debug2("%s: bind port %d: %.100s", __func__,
4586: port, strerror(errno));
1.35 markus 4587: close(sock);
1.367 djm 4588: for (n = 0; n < num_socks; n++)
1.35 markus 4589: close(socks[n]);
4590: num_socks = 0;
4591: break;
4592: }
4593: socks[num_socks++] = sock;
4594: if (num_socks == NUM_SOCKS)
4595: break;
1.25 markus 4596: }
1.83 stevesk 4597: freeaddrinfo(aitop);
1.35 markus 4598: if (num_socks > 0)
4599: break;
1.25 markus 4600: }
4601: if (display_number >= MAX_DISPLAYS) {
4602: error("Failed to allocate internet-domain X11 display socket.");
1.141 stevesk 4603: return -1;
1.25 markus 4604: }
4605: /* Start listening for connections on the socket. */
1.35 markus 4606: for (n = 0; n < num_socks; n++) {
4607: sock = socks[n];
1.393 deraadt 4608: if (listen(sock, SSH_LISTEN_BACKLOG) == -1) {
1.35 markus 4609: error("listen: %.100s", strerror(errno));
4610: close(sock);
1.141 stevesk 4611: return -1;
1.35 markus 4612: }
1.25 markus 4613: }
1.35 markus 4614:
4615: /* Allocate a channel for each socket. */
1.242 djm 4616: *chanids = xcalloc(num_socks + 1, sizeof(**chanids));
1.35 markus 4617: for (n = 0; n < num_socks; n++) {
4618: sock = socks[n];
1.367 djm 4619: nc = channel_new(ssh, "x11 listener",
1.51 markus 4620: SSH_CHANNEL_X11_LISTENER, sock, sock, -1,
4621: CHAN_X11_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT,
1.190 markus 4622: 0, "X11 inet listener", 1);
1.167 markus 4623: nc->single_connection = single_connection;
1.224 markus 4624: (*chanids)[n] = nc->self;
1.35 markus 4625: }
1.224 markus 4626: (*chanids)[n] = -1;
1.1 deraadt 4627:
1.141 stevesk 4628: /* Return the display number for the DISPLAY environment variable. */
1.176 deraadt 4629: *display_numberp = display_number;
1.367 djm 4630: return 0;
1.1 deraadt 4631: }
4632:
1.127 itojun 4633: static int
1.77 markus 4634: connect_local_xsocket(u_int dnr)
1.1 deraadt 4635: {
1.25 markus 4636: int sock;
4637: struct sockaddr_un addr;
4638:
1.147 stevesk 4639: sock = socket(AF_UNIX, SOCK_STREAM, 0);
1.393 deraadt 4640: if (sock == -1)
1.147 stevesk 4641: error("socket: %.100s", strerror(errno));
4642: memset(&addr, 0, sizeof(addr));
4643: addr.sun_family = AF_UNIX;
4644: snprintf(addr.sun_path, sizeof addr.sun_path, _PATH_UNIX_X, dnr);
1.239 deraadt 4645: if (connect(sock, (struct sockaddr *)&addr, sizeof(addr)) == 0)
1.147 stevesk 4646: return sock;
4647: close(sock);
1.25 markus 4648: error("connect %.100s: %.100s", addr.sun_path, strerror(errno));
4649: return -1;
1.1 deraadt 4650: }
4651:
1.51 markus 4652: int
1.367 djm 4653: x11_connect_display(struct ssh *ssh)
1.1 deraadt 4654: {
1.248 deraadt 4655: u_int display_number;
1.25 markus 4656: const char *display;
1.51 markus 4657: char buf[1024], *cp;
1.35 markus 4658: struct addrinfo hints, *ai, *aitop;
4659: char strport[NI_MAXSERV];
1.248 deraadt 4660: int gaierr, sock = 0;
1.25 markus 4661:
4662: /* Try to open a socket for the local X server. */
4663: display = getenv("DISPLAY");
4664: if (!display) {
4665: error("DISPLAY not set.");
1.51 markus 4666: return -1;
1.25 markus 4667: }
1.27 markus 4668: /*
4669: * Now we decode the value of the DISPLAY variable and make a
4670: * connection to the real X server.
4671: */
4672:
4673: /*
4674: * Check if it is a unix domain socket. Unix domain displays are in
4675: * one of the following formats: unix:d[.s], :d[.s], ::d[.s]
4676: */
1.25 markus 4677: if (strncmp(display, "unix:", 5) == 0 ||
4678: display[0] == ':') {
4679: /* Connect to the unix domain socket. */
1.367 djm 4680: if (sscanf(strrchr(display, ':') + 1, "%u",
4681: &display_number) != 1) {
4682: error("Could not parse display number from DISPLAY: "
4683: "%.100s", display);
1.51 markus 4684: return -1;
1.25 markus 4685: }
4686: /* Create a socket. */
4687: sock = connect_local_xsocket(display_number);
4688: if (sock < 0)
1.51 markus 4689: return -1;
1.25 markus 4690:
4691: /* OK, we now have a connection to the display. */
1.51 markus 4692: return sock;
1.25 markus 4693: }
1.27 markus 4694: /*
4695: * Connect to an inet socket. The DISPLAY value is supposedly
4696: * hostname:d[.s], where hostname may also be numeric IP address.
4697: */
1.145 stevesk 4698: strlcpy(buf, display, sizeof(buf));
1.25 markus 4699: cp = strchr(buf, ':');
4700: if (!cp) {
4701: error("Could not find ':' in DISPLAY: %.100s", display);
1.51 markus 4702: return -1;
1.25 markus 4703: }
4704: *cp = 0;
1.367 djm 4705: /*
4706: * buf now contains the host name. But first we parse the
4707: * display number.
4708: */
1.248 deraadt 4709: if (sscanf(cp + 1, "%u", &display_number) != 1) {
1.25 markus 4710: error("Could not parse display number from DISPLAY: %.100s",
1.148 deraadt 4711: display);
1.51 markus 4712: return -1;
1.25 markus 4713: }
1.35 markus 4714:
4715: /* Look up the host address */
4716: memset(&hints, 0, sizeof(hints));
1.367 djm 4717: hints.ai_family = ssh->chanctxt->IPv4or6;
1.35 markus 4718: hints.ai_socktype = SOCK_STREAM;
1.248 deraadt 4719: snprintf(strport, sizeof strport, "%u", 6000 + display_number);
1.35 markus 4720: if ((gaierr = getaddrinfo(buf, strport, &hints, &aitop)) != 0) {
1.271 dtucker 4721: error("%.100s: unknown host. (%s)", buf,
4722: ssh_gai_strerror(gaierr));
1.51 markus 4723: return -1;
1.25 markus 4724: }
1.35 markus 4725: for (ai = aitop; ai; ai = ai->ai_next) {
4726: /* Create a socket. */
1.300 dtucker 4727: sock = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol);
1.393 deraadt 4728: if (sock == -1) {
1.194 markus 4729: debug2("socket: %.100s", strerror(errno));
1.41 markus 4730: continue;
4731: }
4732: /* Connect it to the display. */
1.393 deraadt 4733: if (connect(sock, ai->ai_addr, ai->ai_addrlen) == -1) {
1.248 deraadt 4734: debug2("connect %.100s port %u: %.100s", buf,
1.41 markus 4735: 6000 + display_number, strerror(errno));
4736: close(sock);
4737: continue;
4738: }
4739: /* Success */
4740: break;
1.35 markus 4741: }
4742: freeaddrinfo(aitop);
4743: if (!ai) {
1.367 djm 4744: error("connect %.100s port %u: %.100s", buf,
4745: 6000 + display_number, strerror(errno));
1.51 markus 4746: return -1;
1.25 markus 4747: }
1.162 stevesk 4748: set_nodelay(sock);
1.51 markus 4749: return sock;
4750: }
4751:
4752: /*
1.27 markus 4753: * Requests forwarding of X11 connections, generates fake authentication
4754: * data, and enables authentication spoofing.
1.121 markus 4755: * This should be called in the client only.
1.27 markus 4756: */
1.49 markus 4757: void
1.367 djm 4758: x11_request_forwarding_with_spoofing(struct ssh *ssh, int client_session_id,
4759: const char *disp, const char *proto, const char *data, int want_reply)
1.1 deraadt 4760: {
1.367 djm 4761: struct ssh_channels *sc = ssh->chanctxt;
1.77 markus 4762: u_int data_len = (u_int) strlen(data) / 2;
1.219 djm 4763: u_int i, value;
1.367 djm 4764: const char *cp;
1.25 markus 4765: char *new_data;
1.367 djm 4766: int r, screen_number;
1.25 markus 4767:
1.367 djm 4768: if (sc->x11_saved_display == NULL)
4769: sc->x11_saved_display = xstrdup(disp);
4770: else if (strcmp(disp, sc->x11_saved_display) != 0) {
1.219 djm 4771: error("x11_request_forwarding_with_spoofing: different "
4772: "$DISPLAY already forwarded");
4773: return;
4774: }
4775:
1.266 djm 4776: cp = strchr(disp, ':');
1.25 markus 4777: if (cp)
4778: cp = strchr(cp, '.');
4779: if (cp)
1.245 deraadt 4780: screen_number = (u_int)strtonum(cp + 1, 0, 400, NULL);
1.25 markus 4781: else
4782: screen_number = 0;
4783:
1.367 djm 4784: if (sc->x11_saved_proto == NULL) {
1.219 djm 4785: /* Save protocol name. */
1.367 djm 4786: sc->x11_saved_proto = xstrdup(proto);
1.353 natano 4787:
4788: /* Extract real authentication data. */
1.367 djm 4789: sc->x11_saved_data = xmalloc(data_len);
1.219 djm 4790: for (i = 0; i < data_len; i++) {
4791: if (sscanf(data + 2 * i, "%2x", &value) != 1)
4792: fatal("x11_request_forwarding: bad "
4793: "authentication data: %.100s", data);
1.367 djm 4794: sc->x11_saved_data[i] = value;
1.219 djm 4795: }
1.367 djm 4796: sc->x11_saved_data_len = data_len;
1.353 natano 4797:
4798: /* Generate fake data of the same length. */
1.367 djm 4799: sc->x11_fake_data = xmalloc(data_len);
4800: arc4random_buf(sc->x11_fake_data, data_len);
4801: sc->x11_fake_data_len = data_len;
1.25 markus 4802: }
4803:
4804: /* Convert the fake data into hex. */
1.367 djm 4805: new_data = tohex(sc->x11_fake_data, data_len);
1.25 markus 4806:
4807: /* Send the request packet. */
1.367 djm 4808: channel_request_start(ssh, client_session_id, "x11-req", want_reply);
4809: if ((r = sshpkt_put_u8(ssh, 0)) != 0 || /* bool: single connection */
4810: (r = sshpkt_put_cstring(ssh, proto)) != 0 ||
4811: (r = sshpkt_put_cstring(ssh, new_data)) != 0 ||
4812: (r = sshpkt_put_u32(ssh, screen_number)) != 0 ||
4813: (r = sshpkt_send(ssh)) != 0 ||
4814: (r = ssh_packet_write_wait(ssh)) != 0)
4815: fatal("%s: send x11-req: %s", __func__, ssh_err(r));
1.321 djm 4816: free(new_data);
1.1 deraadt 4817: }